Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with threats, the well-known ones as much as the unknown ones, and a company's systems are supposed to be protected against both. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting New Year's Day, Google's Chrome will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
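To turn the Chrome 56 rule above into an audit that can be run over a site's own pages, here is an added example (not code from this post or from Google): it applies the rule as stated here, marking an HTTP page as not secure when it contains a password field or a credit-card field. The autocomplete tokens used to recognise credit-card fields, and the extra check on form actions, are this example's own assumptions, not Chrome's documented heuristics; the sample pages are constructed.

```python
"""Audit a page against the Chrome 56 'Not secure' rule for HTTP pages.

Added example: applies the rule as the post states it (HTTP page + password or
credit-card field -> marked not secure). Credit-card fields are recognised by the
HTML autocomplete tokens below; that choice, and the extra form-action check, are
assumptions of this example, not Chrome's documented heuristics.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CC_AUTOCOMPLETE = {"cc-number", "cc-name", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}


class _SensitiveFieldFinder(HTMLParser):
    """Count password / credit-card inputs and record where forms post to."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "input":
            if a.get("type") == "password":
                self.password_fields += 1
            if a.get("autocomplete") in CC_AUTOCOMPLETE:
                self.card_fields += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))


def audit_page(url: str, html: str) -> dict:
    """Return the Chrome 56 verdict for a page plus the findings behind it."""
    finder = _SensitiveFieldFinder()
    finder.feed(html)
    page_scheme = urlsplit(url).scheme.lower()
    # Extra check (not part of Chrome's rule as stated): an HTTPS page whose form
    # posts to an http:// action still sends the secret in clear text.
    plain_http_actions = [
        urljoin(url, action) for action in finder.form_actions
        if urlsplit(urljoin(url, action)).scheme.lower() == "http"
    ]
    collects_secrets = finder.password_fields + finder.card_fields > 0
    return {
        "url": url,
        "password_fields": finder.password_fields,
        "card_fields": finder.card_fields,
        "plain_http_actions": plain_http_actions,
        "chrome56_not_secure": collects_secrets and page_scheme == "http",
        "secret_sent_in_clear": collects_secrets and (page_scheme == "http" or bool(plain_http_actions)),
    }


# Constructed sample pages (not taken from any real site).
LOGIN_FORM = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

CHECKOUT_FORM = """<html><body>
<form action="http://pay.example.test/charge" method="post">
  <input autocomplete="cc-number" name="card"><input autocomplete="cc-csc" name="cvc">
</form></body></html>"""

NEWS_PAGE = "<html><body><p>No forms here.</p></body></html>"

if __name__ == "__main__":
    for page_url, body in [("http://shop.example.test/login", LOGIN_FORM),
                           ("https://shop.example.test/checkout", CHECKOUT_FORM),
                           ("http://shop.example.test/news", NEWS_PAGE)]:
        print(audit_page(page_url, body))
```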

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of websites use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for the case of a cyber attack. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won't be much better, sorry. DDoS attacks have been around since at least 2000, and they're not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won't kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world's population have fingerprints not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors into it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee's Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company's Internet connection or servers, so the need to use telecom operator and external services will increase. In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool's errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 'security' must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who've read George Orwell's book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it's set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they'd never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren't even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It's time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During the autumn of 2016 we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it on its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchains on its Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to see the cloud used for blockchains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Hackers Sell Celebrity Info Obtained in Instagram Hack
    http://www.securityweek.com/hackers-sell-celebrity-info-obtained-instagram-hack

    Hackers claim to have obtained the personal details of millions of Instagram users, including celebrities, after exploiting a vulnerability in the Facebook-owned photo-sharing service.

    The data is sold on a website named DoxAGram, which is available both via regular Web access and over the Tor network. The site’s operators, allegedly based in Russia, claim to possess information on more than 200 million of Instagram’s 700 million users.

    The full database is allegedly only available to people who spend at least $5,000 on their website. However, anyone can buy the phone number and/or email address of more than 6 million celebrities and other high profile users for $10 worth of bitcoin per record. Discounts have been offered for bulk purchases.

    The Daily Beast obtained a sample of data from the operators of DoxAGram and determined that email addresses allegedly belonging to celebrities are indeed associated with Instagram accounts and they are not publicly available.

    DoxAGram claims it’s a “100% legal service” that serves as a data broker. “We don’t sell anything illegal only phone numbers as in phone books,” they said in a post on a Bitcoin forum.

    Hackers Make Searchable Database to Dox Instagram Celebs
    http://www.thedailybeast.com/hackers-make-searchable-database-to-dox-instagram-celebs

    The flaw that hackers used around the time someone targeted Selena Gomez and Justin Bieber has been fixed—but not in time to protect the privacy of thousands of Instagrammers.

  2. Tomi Engdahl says:

    Fake Chrome Font Update Attack Distributes Backdoor
    http://www.securityweek.com/fake-chrome-font-update-attack-distributes-backdoor

    A malicious campaign targeting users of the Chrome web browser on Windows systems recently started distributing a remote access Trojan, security researchers have discovered.

    First spotted in December 2016, the attack is tied to the EITest compromise chain, and has been observed distributing the Fleercivet ad fraud malware and ransomware variants such as Spora and Mole. Initially targeting only Chrome, the campaign was expanded earlier this year to target Firefox users as well.

  3. Tomi Engdahl says:

    Apache Struts you’re stuffed: Vuln allows hackers to inject evil code into biz servers
    All versions of app framework since 2008 affected – so patch!
    https://www.theregister.co.uk/2017/09/05/apache_struts_vuln/

  4. Tomi Engdahl says:

    Aw, bless EU! Give staff privacy at work, human rights court tells bosses
    Can’t fire folk for using personal comms at work. Another great reason for Brexit, eh?
    https://www.theregister.co.uk/2017/09/06/eu_rights_court_limits_workplace_surveillance/

    Companies operating in the European Union must balance workplace surveillance with employees’ privacy rights, the European Court of Human Rights has ruled.

    The decision reverses a 2016 ruling by a lower chamber of the court that found no privacy issue with workplace communication monitoring. It marks the first time Europe’s top human rights body has addressed the monitoring of electronic communication at a private company.

    There’s also the Court of Justice of the European Union, the chief arbiter of EU law; the ECHR is a separate institution that oversees the application of the European Convention on Human Rights.

  5. Tomi Engdahl says:

    Two-Thirds of Tech Workers Now Use a VPN, Survey Finds
    https://tech.slashdot.org/story/17/09/05/2017218/two-thirds-of-tech-workers-now-use-a-vpn-survey-finds

    According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it’s installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.

    Almost 2/3rds of tech workers now use a VPN, leading supplier reports 300% growth
    https://9to5mac.com/2017/09/04/vpn-usage/

  6. Tomi Engdahl says:

    Simulated business espionage revealed a “frostbite” result for Finnish companies’ security

    The cyber attack company Silverskin Information Security’s corporate espionage simulation revealed bad gaps in corporate security. Silverskin Information Security carried out simulations at the customer’s request. The target was listed companies, the financial sector, SMEs and public administrations. Simulations tested companies’ ability to detect and combat business espionage.

    “Many companies think that no one is interested in their business secrets. This is reflected in the fact, for example, that supervision of product development is extremely weak.”

    Business espionage simulation used both cyber attack and physical infiltration into companies. Cyber ​​attacks sent so-called fatal e-mail messages to companies and utilized social media.

    Almost 60 per cent of the e-mails targeted at staff were opened. As an enthusiastic message, internal organizational systems or other information were mentioned that would win the employee’s trust. One-fifth of the mail forwarders clicked on a link through which the company’s information system could be penetrated.

    In addition to the cyber attack, in the spy simulation Silverskin Information Security employees went into businesses by, for example, posing as a maintenance man. Some of the premises were accessed by appearing as a service provider.

    “The physical penetration rate was exactly one hundred. Our employees managed to reach only the very sensitive premises for staff, such as product development and financial administration facilities, and premises where senior management worked,” Savolainen says.

    Source: http://www.tivi.fi/Kaikki_uutiset/simuloitu-yritysvakoilu-paljasti-jaatavan-tuloksen-suomalaisyritysten-tietoturvasta-6673598

  7. Tomi Engdahl says:

    50 ways to avoid getting hacked in 2017
    https://opensource.com/article/17/1/yearbook-50-ways-avoid-getting-hacked?sc_cid=701600000011jJaAAI

    Paul Simon outlined “50 Ways to Leave Your Lover,” whereas we present 50 ways to secure your systems.

  8. Tomi Engdahl says:

    The Great Tech Panic: The Inevitability of Porn
    https://www.wired.com/2017/08/kids-and-porn/

    WIRED: Are all the kids watching it?

    The first thing I recognized when I started working on the new book was that the question to ask boys is not whether or if they watch porn. The question is, when was the first time they saw it? The most typical answer I get is 11, sometimes 13, sometimes younger.

    How do they come across it?

    Sometimes they felt they needed to know what people were talking about, or an older boy had said, “Hey, look at this.” Boys will say things to me like “When I was 11, I looked up ‘big boobies.’”

    What’s the effect on those boys?

    Research suggests a positive correlation between heterosexual guys who look at porn regularly and those who support same-sex marriage.

  9. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Symantec: Dragonfly group of hackers has penetrated operational networks of multiple US and European energy companies that control key parts of the power grid — Intrusion into power companies’ operational networks is a dramatic

    Hackers lie in wait after penetrating US and Europe power grid networks
    Intrusion into power companies’ operational networks is a dramatic escalation.
    https://arstechnica.com/information-technology/2017/09/hackers-lie-in-wait-after-penetrating-us-and-europe-power-grid-networks/

    Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.

    The incursions detected by security firm Symantec represent a dramatic escalation by a hacking group dubbed Dragonfly, which has been waging attacks against US and European energy companies since at least 2011. In 2014, Symantec reported that Dragonfly was aggressively establishing beachheads in a limited number of target networks, mainly by stealing the user names and passwords used to restrict access to legitimate personnel. Over the past year, the hacking group has managed to compromise dozens of energy firms and, in a handful of cases, install backdoors in the highly sensitive networks the firms use to supply power to the grid.

    “What’s most concerning is we now see them intruding on operational networks of energy companies,” Eric Chien, technical director of Symantec’s security response and technology division, told Ars. “Before, we were talking about them being one step away, and what we see now is that they are potentially in those networks and are zero steps away. There are no more technical hurdles for them to jump over.”

    The escalation is troubling because operational networks—sometimes called electronic security perimeters in the energy industry—can often wield significant influence over the stability of the electric grid they’re responsible for. In the Northeast Blackout of 2003, a contributing cause was the failure of a system in an operational network that tracked the health of the grid in real time. When a separate fault occurred, the grid supplying electricity to 55 million people shut down.

    At a minimum, attackers who have control of a company’s operational network could use it to become de facto operators of the company’s energy assets. That control includes the ability to turn on or off breakers inside the companies’ infrastructure and hijack systems that monitor the health of the grid. That’s an unsettling scenario, but there’s a more troubling one still: the attackers might also be able to use their control of multiple grid-connected operational networks to create the kinds of failures that led to the Northeast Blackout of 2003.

    Wouldn’t be the first time

    If Symantec’s worst fears were to materialize, it wouldn’t be unprecedented. In December 2015, a hack attack on a power distribution center just outside Kiev, the capital of Ukraine, caused about 225,000 people to lose power for as long as six hours. It was the world’s first known instance of someone using hacking to generate a real-world power outage. Almost to the day one year later, a hack attack on a Ukrainian power transmission facility caused a smaller number of Kiev residents to lose power for about an hour. Researchers have attributed the attacks to a hacking group dubbed Sandworm.

    In the 2015 attack, Sandworm used a revamped version of a tool known as BlackEnergy to break into the corporate network of the targeted power companies and from there to collect passwords and other data that would allow the hackers to penetrate the supervisory control and data acquisition systems the companies used to generate and transmit electricity.

    Dragonfly, by contrast, uses a completely different set of tools, leading Chien to believe the two groups are completely separate.

  10. Tomi Engdahl says:

    Mark Wilson / Co.Design:
    Researchers find all popular voice assistants, like Siri or Alexa, can be controlled via verbal commands emitted on ultrasonic frequencies over ~$3 of hardware

    A Simple Design Flaw Makes It Astoundingly Easy To Hack Siri And Alexa
    https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa

    Hackers can take control of the world’s most popular voice assistants by whispering to them in frequencies humans can’t hear.

    Chinese researchers have discovered a terrifying vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon’s Alexa assistant.

    Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

    The researchers didn’t just activate basic commands like “Hey Siri” or “Okay Google,” though. They could also tell an iPhone to “call 1234567890” or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to “open the backdoor.” Even an Audi Q3 could have its navigation system redirected to a new location. “Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user,” the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.

    In other words, Silicon Valley has designed human-friendly UI with a huge security oversight. While we might not hear the bad guys talking, our computers clearly can. “From a UX point of view, it feels like a betrayal,”

    To hack each voice assistant, the researchers used a smartphone with about $3 of additional hardware, including a tiny speaker and amp. In theory, their methods, which are now public, are duplicatable by anyone with a bit of technical know-how and just a few bucks in their pocket.

    In some cases, these attacks could only be made from inches away, though gadgets like the Apple Watch were vulnerable from within several feet.

    The exploit is enabled by a combination of hardware and software problems, the researchers explain in their paper. The microphones and software that power voice assistants like Siri, Alexa, and Google Home can pick up inaudible frequencies–specifically, frequencies above the 20 kHz limit of human ears.

    “Microphones’ components themselves vary in type, but most use air pressures that probably cannot be blocked from ultrasounds,”

    In theory, Apple or Google could just command their assistants to never obey orders from someone speaking at 20kHz with a digital audio filter:

    But according to what the Zhejiang researchers found, every major voice assistant company exhibited vulnerability with commands stated above 20kHz.

    But at least two theories are perfectly plausible, and both come down to making voice assistants more user-friendly.

    The first is that voice assistants actually need ultrasonics just to hear people well, compared to analyzing a voice without those high frequencies.

    The second is that some companies are already exploiting ultrasonics for their own UX, including phone-to-gadget communication. Most notably, Amazon’s Dash Button pairs with the phone at frequencies reported to be around 18kHz, and Google’s Chromecast uses ultrasonic pairing, too.

    User-friendliness is increasingly at odds with security. Our web browsers easily and invisibly collect cookies, allowing marketers to follow us across the web. Our phones back up our photos and contacts to the cloud, tempting any focused hacker with a complete repository of our private lives. It’s as if every tacit deal we’ve made with easy-to-use technology has come with a hidden cost: our own personal vulnerability. This new voice command exploit is just the latest in a growing list of security holes caused by design, but it is, perhaps, the best example of Silicon Valley’s widespread disregard for security in the face of the new and shiny.

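The comment above notes that an assistant could simply refuse commands carried above 20 kHz with a digital audio filter. As an added example (not code from the article, the DolphinAttack paper or any vendor), here is that mitigation as a spectral band-energy test, with a tone mix standing in for audible speech, an 18 kHz tone standing in for the pairing signals mentioned, and an amplitude-modulated ultrasonic carrier standing in for an inaudible command. It assumes a capture path sampled at 96 kHz, high enough for ultrasound to show up in the spectrum at all; all signals are constructed.

```python
"""Flag audio input whose energy lies above the ~20 kHz limit of human hearing.

Added example, not from the article or the DolphinAttack paper. It implements the
mitigation the article mentions (a filter that refuses commands carried above 20 kHz)
as a spectral band-energy test on constructed signals. Assumption: the capture path
samples at 96 kHz, high enough for ultrasound to appear in the spectrum at all.
"""
import math

FS = 96_000             # sample rate in Hz (assumption for this example)
N = 512                 # analysis window; bin width = FS / N = 187.5 Hz
ULTRASONIC_HZ = 20_000  # upper limit of human hearing used by the article


def band_energy(samples, fs, lo_hz, hi_hz):
    """Sum |X_k|^2 over DFT bins with lo_hz <= f_k < hi_hz (naive DFT, no numpy needed)."""
    n = len(samples)
    energy = 0.0
    for k in range(n // 2 + 1):
        f_k = k * fs / n
        if not lo_hz <= f_k < hi_hz:
            continue
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        energy += re * re + im * im
    return energy


def ultrasonic_fraction(samples, fs=FS):
    """Share of the window's (non-DC) energy that sits at or above ULTRASONIC_HZ."""
    total = band_energy(samples, fs, 1.0, fs / 2)   # skip the DC bin
    if total == 0.0:
        return 0.0
    return band_energy(samples, fs, ULTRASONIC_HZ, fs / 2) / total


def is_inaudible_command(samples, fs=FS, threshold=0.5):
    """True when most of the energy is inaudible: reject the window instead of decoding it."""
    return ultrasonic_fraction(samples, fs) > threshold


def tone_mix(freqs_hz, n=N, fs=FS):
    """Constructed test signal: a sum of sine tones."""
    return [sum(math.sin(2 * math.pi * f * i / fs) for f in freqs_hz) for i in range(n)]


def am_on_ultrasonic_carrier(carrier_hz, voice_hz, n=N, fs=FS):
    """Constructed test signal: a 'voice' tone amplitude-modulated onto an ultrasonic carrier."""
    return [(1.0 + 0.8 * math.sin(2 * math.pi * voice_hz * i / fs))
            * math.sin(2 * math.pi * carrier_hz * i / fs) for i in range(n)]


# Frequencies chosen to fall exactly on DFT bins so the results are clean.
SPEECH = tone_mix([375, 1125, 3000])               # audible stand-in for speech
DASH_PAIRING = tone_mix([18_000])                  # audible-band pairing tone, like the ~18 kHz mentioned
INAUDIBLE = am_on_ultrasonic_carrier(24_000, 1500) # all energy at 22.5 / 24 / 25.5 kHz

if __name__ == "__main__":
    for name, sig in [("speech", SPEECH), ("18 kHz pairing", DASH_PAIRING), ("ultrasonic", INAUDIBLE)]:
        print(f"{name}: ultrasonic fraction {ultrasonic_fraction(sig):.3f}, reject={is_inaudible_command(sig)}")
```

A real front end would apply the test per window and would still let the 18 kHz pairing tone through, which is the point: the filter rejects inaudible input without breaking the near-ultrasonic uses the comment mentions.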
  11. Tomi Engdahl says:

    Injection Attacks Common in Energy and Utilities Sector: IBM
    http://www.securityweek.com/injection-attacks-common-energy-and-utilities-sector-ibm

    The energy and utilities sector has seen an increasing number of cybersecurity incidents and attacks, according to a new IBM X-Force report published on Wednesday.

    IBM reported late last year that the number of attacks aimed at industrial control systems (ICS) had increased by 110 percent in 2016. Data from IBM Managed Security Services for the first half of 2017 shows that more than 2,500 attacks have already been detected against the company’s customers, compared to 2,788 attacks identified in the entire last year.

    When it comes to the energy and utilities industry, IBM says this sector has fallen just shy of the top 5 most targeted sectors in the first half of 2017. Last year, the company detected more than 39 million security events, 382 attacks, and 66 security incidents that were deemed worthy of further investigation.

    Of all the attacks observed by IBM, 60 percent of unintentional and malicious attacks came from outside the organization, and the rest were caused by insiders. Insiders include both malicious actors (16%) and employees who unknowingly opened malicious files (24%), giving attackers remote access to the organization.

    Sixty percent of the 2016 attacks against this sector involved some sort of injection method, including OS command injections (29%) and SQL injections (17%). In comparison, injection-type attacks accounted for only 42 percent of incidents across all the other industries monitored by IBM.

  12. Tomi Engdahl says:

    Hackers Target Control Systems in U.S. Energy Firms: Symantec
    http://www.securityweek.com/hackers-target-control-systems-us-energy-firms-symantec

    A group of cyberspies believed to be operating out of Russia has been observed targeting energy facilities in the United States and other countries, and the attackers appear to be increasingly interested in gaining access to the control systems housed by these organizations.

    However, the most “concerning evidence” presented by the security firm involves screen captures taken by the group’s malware. Some screen capture files analyzed by researchers had names containing the location and a description of the infected machine and the targeted organization’s name. Some of the machine descriptions included the string “cntrl,” which may mean that the compromised machine had access to control systems.

    Experts previously linked Dragonfly to Russia. Symantec has not made any clear statements regarding the threat actor’s location

    The FBI and the DHS recently issued a joint report to warn manufacturing plants, nuclear power stations and other energy facilities in the U.S. of attacks that may have been launched by Dragonfly. However, the U.S. Department of Energy said only administrative and business networks were impacted, not systems controlling the energy infrastructure.

    Template Injection Used in Attacks on U.S. Critical Infrastructure
    http://www.securityweek.com/template-injection-used-attacks-us-critical-infrastructure

    The recent attacks aimed at energy facilities and other critical infrastructure organizations in the United States have leveraged a technique called template injection, according to Cisco’s Talos intelligence and research group.

  13. Tomi Engdahl says:

    Get Security and Business Teams Aligned by Assuming You’ve Been Hacked
    http://www.securityweek.com/get-security-and-business-teams-aligned-assuming-youve-been-hacked

    Security Organizations and Businesses Must Plan and Prepare for Information Security Incidents and Breaches Together as One Team

    Operating with the assumption that you’ve already been hacked makes security incident response planning a priority for the organization. Security professionals know that, but it is not a perspective shared by the business. Business leaders aim to avoid negative news, make business as frictionless as possible and spend as little as possible on security. Telling them that a hack is a matter of “when” not “if” could be a career-endangering conversation.

    Yet, for all the resources spent on security ($86.5 billion worldwide in 2017 according to Gartner), we are constantly reminded that users are the weakest link and privileged users pose a significant threat. Security incidents and breaches continue to make headlines, and criminals are constantly evolving their attack methods. Even independent businesses are finding themselves in the line of fire for nation-state attacks. Only the most myopic would think it can’t happen to them.

    Getting business leaders to think from the mindset of “already hacked” starts with a conversation that can then lead to a path of increased alignment with security priorities. Assuming that you are already hacked will not only require involvement from your security team, but active participation from business partners as well. Consider these approaches together with your business partners.

    Reply
  14. Tomi Engdahl says:

    Secure microkernel in a KVM switch offers spook-grade application virtualization
    Need a few air-gapped apps on one screen? Here’s how
    https://www.theregister.co.uk/2017/09/07/cross_domain_desktop_compositor_vdi_for_the_paranoid/

    Researchers at Australian think tank Data61 and the nation’s Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.

    To make things a little less cluttered on the physical desktop, keyboard, video and mouse (KVM) switches mean users can share one set of human interface peripherals among multiple PCs.

    While KVM switches save clutter, users only see one app at a time. Which isn’t great given that sharing data from diverse sources can help the kind of people who need these rigs to do their jobs.

    Hence Data61’s newly-revealed “Cross-Domain Desktop Compositor” (CDDC), a small piece of hardware that offers the same peripheral-aggregating functionality as a KVM switch but can also publish applications from different machines onto one screen and even allow cut and paste between windows.

    The CDDC uses the seL4 microkernel, code that has been mathematically proven free of error and is therefore deployed in environments where reliability and resilience are at a premium.

    The CDDC’s field-programmable gate array contains seL4 and code to scrape apps from different PCs and publish them into a single screen.

    Murray said Data61 built the CDDC because while commercial products can publish apps securely, there are known problems with general-purpose hypervisors. He mentioned Xen’s recent woes as one reason sensitive users aren’t keen on commercial products.

    Reply
  15. Tomi Engdahl says:

    Robin Emmott / Reuters:
    EU defense ministers tested cyberattack response in first ever cyber war game on Thursday, simulating naval vessel sabotage and social campaign to stir protests

    Cyber alert: EU ministers test responses in first computer war game
    http://www.reuters.com/article/us-eu-defence-cyber/cyber-alert-eu-ministers-test-responses-in-first-computer-war-game-idUSKCN1BI0HR

    Reply
  16. Tomi Engdahl says:

    TALLINN (Reuters) – European Union defense ministers tested their ability to respond to a potential attack by computer hackers in their first cyber war game on Thursday, based on a simulated attack on one of the bloc’s military missions abroad.

    In the simulation, hackers sabotaged the EU’s naval mission in the Mediterranean and launched a campaign on social media to discredit the EU operations and provoke protests.

    Each of the defense ministers tried to contain the crisis over the course of the 90-minute, closed-door exercise in Tallinn that officials sought to make real by creating mock news videos giving updates on an escalating situation.

    Reply
  17. Tomi Engdahl says:

    Chaos Computer Club:
    White hat hacker group warns that German election vote tabulating software has serious vulnerabilities, with some scenarios letting hackers change vote tallies — The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl).

    Software to capture votes in upcoming national election is insecure
    http://ccc.de/en/updates/2017/pc-wahl

    The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code.

    Hackers of the Chaos Computer Club (CCC) have studied a software package used in many German states to capture, aggregate and tabulate the votes during elections, to see if this software was secure against external attack. The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries.

    The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

    „Elementary principles of IT-security were not heeded. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC who was involved in the study.

    A depressing finding of the study is that a state-funded team of hackers is not even necessary to control the tabulation of the votes. The broken software update mechanism of „PC-Wahl“ allows for one-click compromise.

    „A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one“, Neumann continues.

    The documented attacks have the potential to permanently impact public trust in the democratic process – even in cases where an actual manipulation would be discovered in hours or days. Whether an actual manipulation is discovered at all depends on the procedures followed in the various state

    „It is simply not the right millennium to quietly ignore IT-security problems in voting“, says Linus Neumann. „Effective protective measures have been available for decades, there is no conceivable reason not to use them.“

    A government that prides itself on „Industry 4.0“ and „Crypto made in Germany“ should promote and use software in the election process that has publicly readable source code.

    Reply
  18. Tomi Engdahl says:

    Equifax data leak could involve 143 million consumers
    https://techcrunch.com/2017/09/07/equifax-data-leak-could-involve-143-million-consumers/

    Data leaks have become so commonplace that it’s easy to become numb to them, but credit reporting service Equifax announced a doozy today that when all is said and done could involve 143 million consumers. This is bad.

    It was a treasure trove of information for the bad guys out there and included Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. As though that weren’t bad enough, 209,000 people had their credit card info leak and the breach also included dispute documents with personally identifying information from 182,000 consumers.

    The information came mostly from US residents, but a percentage also involved UK and Canadian citizens and the company is working with authorities from all of these companies.

    Equifax reports that it discovered the leak on July 29th and took steps to stop the intrusion.

    Reply
  19. Tomi Engdahl says:

    Todd Haselton / CNBC:
    Credit reporting firm Equifax says breach potentially affecting 143M customers found on 7/29; 209K US credit card numbers, 182K docs with personal info obtained

    Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers
    https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html

    Equifax said data on 143 million U.S. customers was obtained in a breach.
    The breach was discovered July 29.
    Personal data including birth dates, credit card numbers and more were obtained in the breach.

    Equifax, which supplies credit information and other information services, said Thursday that a data breach could have potentially affected 143 million consumers in the United States.

    The population of the U.S. was about 324 million as of Jan. 1, 2017, according to the U.S. Census Bureau, which means the Equifax incident affects a huge portion of the United States.

    Equifax said it discovered the breach on July 29. “Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company said.

    Shares of Equifax fell more than 5 percent during after-hours trading.

    Leaked data includes names, birth dates, Social Security numbers, addresses and some driver’s license numbers. The company added that 209,000 U.S. credit card numbers were also obtained, in addition to “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

    The company said it would offer free identity theft protection and credit file monitoring to all customers in the U.S.

    Reply
  20. Tomi Engdahl says:

    Equifax execs dumped stock before the hack news went public
    https://techcrunch.com/2017/09/07/equifax-managers-dumped-stock/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Posted 5 hours ago by Taylor Hatmaker (@tayhatmaker), John Mannes (@JohnMannes)

    In today’s edition of unfettered corporate greed, we bring you the Equifax managers who apparently sold almost $1.8 million in stock after the company became aware that it had a big problem on its hands.

    As Bloomberg reports, three of the company’s senior executives sold nearly $1.8 million in shares after the company learned internally that it had exposed the private data, including social security and driver’s license numbers, of as many as 143 million people in the U.S.

    Reply
  21. Tomi Engdahl says:

    Improving Data Security
    Why hardware encryption is so important for embedded storage.
    https://semiengineering.com/improving-data-security/

    For industrial, military and a multitude of modern business applications, data security is of course incredibly important. While software based encryption often works well for consumer and some enterprise environments, in the context of the embedded systems used in industrial and military applications, something that is of a simpler nature and is intrinsically more robust is usually going to be needed.

    Self encrypting drives utilize on-board cryptographic processors to secure data at the drive level. This not only increases drive security automatically, but does so transparently to the user and host operating system. By automatically encrypting data in the background, they thus provide the simple to use, resilient data security that is required by embedded systems.

    Embedded vs. enterprise data security
    Both embedded and enterprise storage often require strong data security. Depending on the industry sectors involved this is often related to the securing of customer (or possibly patient) privacy, military data or business data. However that is where the similarities end. Embedded storage is often used in completely different ways from enterprise storage, thereby leading to distinctly different approaches to how data security is addressed.

    Reply
  22. Tomi Engdahl says:

    How to Protect Yourself From That Massive Equifax Breach
    https://www.wired.com/story/how-to-protect-yourself-from-that-massive-equifax-breach

    No data breach is good, but some are more palatable than others. We would all rather hear that our florist got hacked than, say, our bank. And the most painful breaches, like the Office of Personnel Management or Anthem health insurance incidents that involved stolen Social Security numbers and other hard-to-change personal data, are naturally the most valuable targets for attackers. We can now add the massive credit reporting agency Equifax to that list.

    On Thursday, the company disclosed that a data breach it discovered on July 29 may have impacted as many as 143 million consumers in the United States. Equifax is one of the three main organizations in the US that calculates credit scores, so it has access to an extraordinary amount of personal and financial data for virtually every American adult. The company says that hackers accessed data between mid-May and July through a vulnerability in a web application.

    There are some things you can do to protect yourself. Equifax is offering a website—www.equifaxsecurity2017.com—where you can check whether you are one of the 143 million people whose data may have been compromised.

    You should also keep a close eye on your finances. “Consumers should remain calm and be cognizant of their personal credit report and activity,” says Mark Testoni, the president of SAP National Security Services. “Check for notifications to see if new credit applications have been filed on your behalf, and monitor your accounts for adverse action. If your details are circulated on the black market, the big risks are fraudulent credit applications on your behalf and bad actors trying to find ways to take advantage of your personal [data].”

    Equifax hasn’t indicated who was behind the breach and says a law enforcement probe is ongoing.

    Reply
  23. Tomi Engdahl says:

    Hack Brief: Patch Your Android Phone To Block An Evil ‘Toast’ Attack
    https://www.wired.com/story/hack-brief-patch-your-android-phone-to-block-an-evil-toast-attack

    Modern smartphones take pains to “sandbox” apps, keeping them carefully segregated so that no mischievous program can meddle in another app’s sensitive business. But security researchers have found an unexpected feature of Android that can surreptitiously grant an app the permission to not merely reach outside its sandbox but fully redraw the phone’s screen while another part of the operating system is running, tricking users into tapping on fake buttons that can have unexpected consequences. And while that hijacking of your finger inputs isn’t a new feat for Android hackers, a fresh tweak on the attack makes it easier than ever to pull off.

    Reply
  24. Tomi Engdahl says:

    AI that can determine a person’s sexuality from photos shows the dark side of the data age
    https://techcrunch.com/2017/09/07/ai-that-can-determine-a-persons-sexuality-from-photos-shows-the-dark-side-of-the-data-age/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    AI that can determine a person’s sexuality from photos shows the dark side of the data age
    We count on machine learning systems for everything from creating playlists to driving cars, but like any tool, they can be bent toward dangerous and unethical purposes, as well. Today’s illustration of this fact is a new paper from Stanford researchers, who have created a machine learning system that they claim can tell from a few pictures whether a person is gay or straigh

    Reply
  25. Tomi Engdahl says:

    Oops: An Instagram bug let a hacker access phone numbers and email addresses
    http://mashable.com/2017/08/30/instagram-hacked-verified-accounts/?utm_cid=hp-r-1#JjqsJ_SIlaqB

    What’s shady, possibly wearing a hoodie, and is currently sitting on the stolen personal information of an untold number of high-profile Instagram users?

    That would be — SURPRISE! — a random hacker. Or several of them.

    “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” an Instagram spokesperson told Mashable via email. “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”

    Notably, news of this hack comes on the heels of an embarrassing moment for the company. Selena Gomez, who with 125 million followers has one of the most popular accounts on Instagram, had her account hacked just a few days ago.

    Hackers Make Searchable Database to Dox Instagram Celebs
    http://www.thedailybeast.com/hackers-make-searchable-database-to-dox-instagram-celebs

    The flaw that hackers used around the time someone targeted Selena Gomez and Justin Bieber has been fixed—but not in time to protect the privacy of thousands of Instagrammers.

    Reply
  26. Tomi Engdahl says:

    Here comes the class action lawsuit after Equifax’s massive hack
    https://techcrunch.com/2017/09/08/here-comes-the-class-action-lawsuit-after-equifaxs-massive-hack/?utm_source=tcfbpage&sr_share=facebook

    Yesterday, Equifax announced that a hacker obtained information about 143 million consumers. This data included Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Equifax customers are obviously really, really mad. So it’s not surprising that Bloomberg discovered that a class action lawsuit was filed against Equifax.

    Customers say that Equifax has been negligent when it comes to information security.

    Other users have reported that they could check if they’ve been compromised without agreeing to those new terms of services.

    Comment:
    So we consumers get to choose between suing for negligence or trying to protect ourselves by giving more data to a company which has just proven that it is incapable of protecting our data.

    Reply
  27. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    The Equifax breach, affecting ~44% of US population, is possibly the worst leak of personal information ever, and was handled poorly by the company — Consumers’ most sensitive data is now in the open and will remain so for years to come. — It’s a sad reality in 2017 …

    Why the Equifax breach is very possibly the worst leak of personal info ever
    Consumers’ most sensitive data is now in the open and will remain so for years to come.
    https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/

    It’s a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

    The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breathtaking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.

    What’s more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger.

    That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people’s names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired.

    Amateur response

    Besides the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company has handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss. Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach.

    What’s more, the website http://www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

    Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which, for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data.

    Todd Haselton / CNBC:
    Credit agency Equifax says breach affecting up to 143M US consumers found 7/29; sensitive data exposed included DOB, SSN, and 209K credit card numbers — Equifax Inc., which supplies credit information and other information services, said Thursday that a cybersecurity incident …
    https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html

    Reply
  28. Tomi Engdahl says:

    Equifax’s stock is plummeting after it reported a massive security breach
    https://techcrunch.com/2017/09/08/equifaxs-stock-is-plummeting-after-it-reported-a-massive-security-breach/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Shares of credit reporting service Equifax are collapsing — down more than 13 percent — in the morning trading hours after the company reported a security breach yesterday that could involve 143 million customers.

    That breach included sensitive data like Social Security numbers, dates of birth, addresses

    All in all, this is a gold mine of information for potential fraud or identity theft.

    In all, it’s going to be an expensive process that may include a lot of things well beyond the initial impact crater and investigation, like offering credit monitoring services.

    That’s going to do a lot of things to a company like Equifax: erode confidence in the team, company and management; bake in all potential scenarios and risks that accompany a massive breach like this; and envision a future with fewer customers or more expensive efforts to win them back, to just name a few. It means that Wall Street, which has traditionally looked at a company like Equifax will have to reassess what it is going forward.

    In all, Equifax isn’t a huge company — and while a drop like today’s sheds more than $1 billion in market cap, it’s still worth less than $15 billion.

    Reply
  29. Tomi Engdahl says:

    It’s time to build our own Equifax with blackjack and crypto
    https://techcrunch.com/2017/09/08/its-time-to-build-our-own-equifax-with-blackjack-and-crypto/?utm_source=tcfbpage&sr_share=facebook

    The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name. This crass, callow, and lazy treatment of our digital data cannot stand. Equifax – and every company that dumps data like an airplane toilet dumps chunks of frozen urine – must face a reckoning.

    First, we cannot allow our most precious data to be accessible via the last four digits of our social security number. Any new company that does this should be shut down. Once I tell a customer service representative the last four digits of my SSN – I just did it a moment ago with an insurance company and it sprang open my personal data like a cheap padlock – I’ve lost all security.

    Entering my SSN into a random form field on some well-meaning site means I’ve essentially written the password to most of my personal data on a busy highway overpass. These places are that insecure.

    We must look outside the US for leadership. Estonia, for example, has already released a number of solutions to this problem including a cryptographically secure ID card.

    Further, we must also outlaw SMS two-factor authentication. In fact, thanks to the data stolen from Equifax, that process can be easily broken by (you guessed it) telling a CSR the last four digits of our Social Security Number.

    Ultimately we must hold these companies accountable.

    We must create new, secure methods for cryptographically securing our data. We must make it so that a hacker with a fast connection and knowledge of the tar command cannot drag our data off of a secure server.

    This kind of technical incompetence is disgusting.

    Mistakes happen. Unfortunately, they tend to matter more at the very organizations where time, ineptitude, and complacence have reduced data security to a tertiary concern, well under “deciding what’s for lunch” and “increasing shareholder value.”

    These old organizations – Equifax was founded in 1899 and hasn’t changed much since inception – must die, to be replaced

    There is precedent for this sort of technological shift. Twenty years ago if you told a CTO that she would one day pick a homegrown operating system full of bugs and spaghetti code over Microsoft she would have laughed you out of the office.

    In short, it’s time for those who are careless with big data to die.

    Reply
  30. Tomi Engdahl says:

    Voting without a paper trail risks dangerous errors. Virginia’s Department of Elections agrees.

    Virginia bars voting machines considered top hacking target
    http://www.politico.com/story/2017/09/08/virginia-election-machines-hacking-target-242492

    Virginia’s election supervisors on Friday directed counties to ditch touchscreen voting machines before November’s elections, saying the devices posed unacceptable digital risks.

    The move represents one of the most dramatic actions taken to help secure elections since a 2016 presidential race rife with concerns about digital meddling and vote tampering. Election security experts have long warned that such machines are a top target for hackers.

    The decision forces Virginia counties to swiftly replace any touchscreen devices with machines that produce a paper trail, ensuring the state can audit its closely watched gubernatorial race this November between Democrat Ralph Northam and Republican Ed Gillespie.

    Reply
  31. Tomi Engdahl says:

    Kavita Kumar / Star Tribune:
    Best Buy pulls Kaspersky security software off its shelves amid outside concerns that Kaspersky could have ties to the Russian government

    Best Buy stops selling security software made by Russian firm
    Reports of Kremlin ties led retailer to pull the product.
    http://www.startribune.com/best-buy-stops-selling-security-software-made-by-russian-firm/443279653/

    Best Buy is pulling internet security software from a Russian company off its shelves and from its website amid outside concerns that Kaspersky Lab could have links to the Russian government.

    The decision was prompted by media reports, congressional testimony and industry discussion raising questions about Moscow-based Kaspersky, a respected cybersecurity firm. The Richfield-based retailer, which has not conducted its own investigation, felt there were too many unanswered questions and so has decided to discontinue selling the products, according to a person familiar with the decision.

    At the same time, some federal lawmakers are pressing for legislation that would ban the U.S. government from using Kaspersky’s software. They are on heightened alert about Russian hackers in the wake of their interference in the U.S. presidential election.

    Reply
  32. Tomi Engdahl says:

    Steve Dent / Engadget:
    AT&T, Sprint, T-Mobile, and Verizon form Mobile Authentication Taskforce to create new open standard and fix security flaws present in current SMS-based 2FA — Two-factor authentication (2FA) via SMS and a smartphone provides a heavy dose of additional security for your data …

    US carriers partner on a better mobile authentication system
    AT&T, Sprint, T-Mobile and Verizon formed a taskforce to create a new open standard.
    https://www.engadget.com/2017/09/08/mobile-authentication-taskforce-att-verizon-tmobile-sprint/?sr_source=Twitter

    Two-factor authentication (2FA) via SMS and a smartphone provides a heavy dose of additional security for your data, but as the US government declared last year, it’s not without its flaws. To fix that, the big four US mobile operators, Sprint, T-Mobile, Verizon and AT&T, have formed a coalition called the Mobile Authentication Taskforce to come up with a new system. Working with app developers and others, they’ll explore the use of SIM card recognition, network-based authentication, geo-location, and other carrier-specific capabilities.

    The idea is to marry current 2FA with systems that “reduce mobile identity risks by analyzing data and activity patterns on a mobile network to predict, with a high degree of certainty, whether the user is who they say they are,” according to the news release.

    The problem with SMS authentication is that skilled hackers have successfully hijacked SMS codes in the past, often simply by contacting the carrier and impersonating the victim. It also falls apart if thieves grab your smartphone along with your PC, gain access to your phone via malware, or just steal a glance at a 2FA message on your lockscreen.

    The goal to improve 2FA security sounds like a noble one, but Congress, at the urging of carriers and ISPs, recently eliminated certain customer privacy protection rules. As such, consumer protection groups might have concerns about 2FA systems that could be used by operators to track customers, for example.

    Reply
  33. Tomi Engdahl says:

    Nectar Gan / South China Morning Post:
    Weibo orders users to verify their real names by September 15 following China’s new restrictions on anonymous online conversation

    China’s Twitter-like Weibo orders users to register their real names
    http://www.scmp.com/news/china/policies-politics/article/2110400/chinas-twitter-weibo-orders-users-register-their-real

    Deadline comes as government seeks to tighten its grip on online speech ahead of next month’s Communist Party congress

    Reply
  34. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Equifax breach exposes the problems with using social security numbers as unique identifiers in the digital age

    The Equifax Breach Exposes America’s Identity Crisis
    https://www.wired.com/story/the-equifax-breach-exposes-americas-identity-crisis

    One of the most shocking things about Thursday’s announcement of the Equifax data breach is the sheer scale of the numbers involved. Particularly the Social Security numbers. Yes, there have been plenty of large data breaches before—5 million SSNs revealed in a Kansas Department of Commerce leak in July, 80 million in the notorious 2015 Anthem health insurance breach—but with Equifax’s revelation that 143 million Americans may have had their SSNs stolen (along with other sensitive personal information), security experts are pressing for a fundamental reassessment in how, and why, we identify ourselves.

    Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne. “While it may not be explicitly true, we have to operate under that assumption now.”

    SSNs, which have been around since the 1930s, have only one intended purpose: to track US citizens’ earnings and contributions to the Social Security program.

    Omnipresence Issues

    Problems stem from a number of places. Your Social Security number is supposed to be kept secret, which is an increasing challenge in the digital era. And unlike other, similar secrets (like credit card numbers and passwords), SSNs are extremely difficult to change. The Social Security Administration can issue you a new one in extreme cases of identity theft or abuse.

    “The SSN is used for purposes entirely unrelated to its original purpose. That almost always leads to problems,”

    Reply
  35. Tomi Engdahl says:

    Shadow Brokers Leaks Another Windows Hacking Tool Stolen from NSA’s Arsenal
    http://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html?lipi=urn:li:page:d_flagship3_feed;9gNfr80RS5%2BfjhAa9L%2BMpg%3D%3D&m=1

    The Shadow Brokers, a notorious hacking group that leaked several hacking tools from the NSA, is once again making headlines for releasing another NSA exploit—but only to its “monthly dump service” subscribers.
    Dubbed UNITEDRAKE, the implant is a “fully extensible remote collection system” that comes with a number of “plug-ins,” enabling attackers to remotely take full control over targeted Windows computers.

    Reply
  36. Tomi Engdahl says:

    Equifax Breach Provokes Calls For Serious Data Protection Reforms
    https://it.slashdot.org/story/17/09/10/195230/equifax-breach-provokes-calls-for-serious-data-protection-reforms

    Equifax’s data breach was colossal — but what should happen next? The Guardian writes:
    The problem is that companies like Equifax are able to accumulate — essentially, without limit — as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches… Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.

    Why do big hacks happen? Blame Big Data
    https://www.theguardian.com/commentisfree/2017/sep/08/why-do-big-hacks-happen-blame-big-data

    Equifax, one of the largest credit reporting agencies, revealed on Thursday that it was hacked back in May, exposing the personal data of up to 143 million people. The data accessed by hackers contains extremely sensitive information like social security numbers, birth data, consumer’s names, driver’s license numbers and credit card numbers.

    This breach is a monumental failure of cybersecurity, which raises many pressing privacy concerns. However, beyond those issues, it also illustrates a fundamental problem of the data economy as a whole: databanks like Equifax are too big.

    Consumer credit agencies like Equifax are part of the multi-billion dollar data broker industry, which is based on collecting, analyzing, and selling thousands of data points about individual people. They paint a detailed picture of a person’s life and that profile is used to make decisions with direct impacts on, as I have written elsewhere, “many facets of our lives, from obtaining a loan to finding a job to renting a home.” As a company adds to its hoard of data, the value grows exponentially; so, the imperative for data brokers is to continuously accumulate as much data as possible.

    As epic as Equifax’s hack was, things can get a lot worse. The credit reporting agencies Experian and TransUnion are data giants on par with Equifax and there are thousands of other data brokers that also possess large databanks. Data breaches like this one are not bugs, but rather features of a system that centralizes immense amounts of valuable personal data in one place.

    The vaults of these databanks are impossible to secure, in large part, because the wealth of information they hold is a beacon for hackers. Even the most impenetrable cybersecurity will eventually fail under the pressure of dogged hackers probing for weaknesses to exploit. Better cybersecurity is important, but it is not a solution. It only postpones catastrophic failure.

    Indeed, after the hack of infidelity website Ashley Madison in 2015, security experts warned of an event exactly like the Equifax hack – one that would make Ashley Madison “look like a footnote by comparison”.

    Reply
  37. Tomi Engdahl says:

    Microsoft says it won’t fix kernel flaw: It’s not a security issue. Suuuure
    So stopping antivirus software from spotting malware is now a feature?
    https://www.theregister.co.uk/2017/09/08/microsoft_says_it_wont_fix_kernel_flaw_its_not_a_security_issue_apparently/

    A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn’t going to be fixed, Microsoft has said.

    The issue, spotted this week by enSilo security researcher Omri Misgav, lies within the system call PsSetLoadImageNotifyRoutine, which has been part of Microsoft’s operating system since Windows 2000 and is still active in the latest builds.

    Antivirus tools use PsSetLoadImageNotifyRoutine to check if malicious code has been loaded into memory, but Misgav found that a cunning attacker could use poor coding behind the API to smuggle malware past scanners.

    Essentially, malware can use the above API to trick the OS into giving malware scanners other files – such as benign executables – to inspect rather than their own malicious code. This would allow software nasties to evade antivirus packages.

    “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”

    Reply
  38. Tomi Engdahl says:

    When one size doesn’t fit all in cloud security
    ‘You can have any colour you want, as long as it’s ours’
    https://www.theregister.co.uk/2017/09/08/when_one_size_doesnt_fit_all_in_cloud_security/

    Reply
  39. Tomi Engdahl says:

    The Equifax Breach Exposes America’s Identity Crisis
    https://www.wired.com/story/the-equifax-breach-exposes-americas-identity-crisis

    Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne. “While it may not be explicitly true, we have to operate under that assumption now.”

    Problems stem from a number of places. Your Social Security number is supposed to be kept secret, which is an increasing challenge in the digital era. And unlike other, similar secrets (like credit card numbers and passwords), SSNs are extremely difficult to change.

    Reply
  40. Tomi Engdahl says:

    FBI asked Durov and developer for Telegram backdoor
    https://www.neowin.net/news/fbi-asked-durov-and-developer-for-telegram-backdoor

    It’s public knowledge that intelligence agencies in the US routinely try to add “we have a backdoor” to their arsenals of gathering data on unsuspecting users. Pavel Durov, the CEO at Telegram, revealed that he and another Telegram developer were both approached and offered a bribe by the FBI to give the agency backdoor access to the popular messaging app but refused to do so at every turn.

    Since 2014, Durov claims that he has been quizzed at the US border several times but on his more recent visits the focus has shifted from Vkontakte, which he used to run, to Telegram which he currently runs; questions include things like where Telegram was based, how it worked, and how the agents could contact Durov in the future – he claims that they later sent emails asking him to reach out to them if he had any trouble or needed help with anything.

    Reply
  41. Tomi Engdahl says:

    Best Buy pulls Kaspersky Lab products after concerns over ties to the Russian government
    Too many unanswered questions
    https://www.theverge.com/2017/9/9/16280728/best-buy-pulls-kaspersky-lab-products-russia-cybersecurity

    Reply
  42. Tomi Engdahl says:

    Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses
    Saturday, September 09, 2017 Swati Khandelwal
    http://thehackernews.com/2017/09/hacking-infusion-pumps.html

    The Internet of Things is turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices. However, such devices could potentially be compromised by hackers.

    There are, of course, some really good reasons to connect certain devices to the Internet.

    But does everything need to be connected? Of course not—especially when it comes to medical devices.

    Medical devices are increasingly found vulnerable to hacking. Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers after they were found vulnerable to hackers.

    Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory issued on Thursday.

    An independent security researcher has discovered not just one or two, but eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by Minnesota-based speciality medical device maker Smiths Medical.

    The devices are used across the world for delivering small doses of medication in acute critical care, such as neonatal and pediatric intensive care and the operating room.

    The most critical vulnerability (CVE-2017-12725) has been given a CVSS score of 9.8 and is related to the use of hard-coded usernames and passwords to automatically establish a wireless connection if the default configuration is not changed.

    These vulnerabilities impact devices that are running versions 1.1, 1.5 and 1.6 of the firmware, and Smiths Medical has planned to release a new product version 1.6.1 in January 2018 to address these issues.

    But in the meantime, healthcare organizations are recommended to apply some defensive measures including assigning static IP addresses to pumps, monitoring network activity for malicious servers, installing the pump on isolated networks, setting strong passwords, and regularly creating backups until patches are released.

    Advisory (ICSMA-17-250-02)
    Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities
    https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02

    Reply
  43. Tomi Engdahl says:

    Windows Kernel Bug Hinders Malware Detection: Researchers
    http://www.securityweek.com/windows-kernel-bug-hinders-malware-detection-researchers

    Windows Kernel Bug Has Existed Since Windows 2000, Researchers Say

    A kernel bug that impacts Windows versions released over the past decade and a half remains unpatched, enSilo security researchers claim.

    The security researchers claim to have discovered a Windows kernel bug created as the result of a programming error and which prevents security vendors from identifying modules that have been loaded at runtime.

    The issue, they say, impacts PsSetLoadImageNotifyRoutine, a function that should notify of module loading. However, the researchers discovered that, “after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names.”

    Reply
  44. Tomi Engdahl says:

    Hackers Exploit Recently Patched Apache Struts Flaw
    http://www.securityweek.com/hackers-exploit-recently-patched-apache-struts-flaw

    A critical remote code execution vulnerability patched earlier this week in the Apache Struts 2 open-source development framework is already being exploited in the wild.

    The flaw, tracked as CVE-2017-9805, affects applications that use the REST plugin with the XStream handler for XML payloads, and it exists due to the way Struts deserializes untrusted data. An exploit and a Metasploit module for the vulnerability were created within hours after the patch was released.

    Reply
  45. Tomi Engdahl says:

    EU Defense Ministers Put to Test in Mock Cyberattack
    http://www.securityweek.com/eu-defense-ministers-put-test-mock-cyberattack

    A major cyberattack targets European Union military structures, with hackers using social media and “fake news” to spread confusion, and governments are left scrambling to respond as the crisis escalates.

    This was the scenario facing a gathering of EU defence ministers in Tallinn on Thursday as they undertook an exercise simulating a cyber assault on the bloc — the first mock drill of its kind at such a senior level in Europe.

    Reply
  46. Tomi Engdahl says:

    SentinelOne Enables IOC Search and Threat Hunting for Endpoints
    http://www.securityweek.com/sentinelone-enables-ioc-search-and-threat-hunting-endpoints

    SentinelOne Launches Deep Visibility Module to Discover Indicators of Compromise (IOCs) on Endpoints

    Malware increasingly uses encryption to hide its activities. If defenders cannot see what is inside encrypted traffic, they can have no idea of whether it is malicious or benign. Since more than half, and growing, of all traffic is now encrypted, it is increasingly important for defenders to gain visibility into that traffic.

    Next-gen AI-powered endpoint protection and response firm SentinelOne yesterday launched a new module to provide that visibility. Called Deep Visibility, it uses the kernel hooks already present in the SentinelOne Endpoint Protection Platform to see the cleartext traffic at the point of encryption, and again at the point of decryption. Detecting the presence of malware through recognition of malicious encrypted traffic then allows the security team to pivot to the response part of the SentinelOne platform and take remedial action.

    Reply
  47. Tomi Engdahl says:

    Smiths Medical to Patch Serious Flaws in Syringe Infusion Pumps
    http://www.securityweek.com/smiths-medical-patch-serious-flaws-syringe-infusion-pumps

    Minnesota-based speciality medical device manufacturer Smiths Medical is working to address several potentially serious vulnerabilities affecting some of the company’s wireless syringe infusion pumps.

    According to an advisory published on Thursday by ICS-CERT, Smiths Medical’s Medfusion 4000 wireless syringe infusion pumps, which are used worldwide to deliver small doses of medication from a syringe in acute care settings, are affected by eight vulnerabilities that can be exploited remotely.

    https://www.smiths-medical.com/products/infusion/syringe-infusion/syringe-infusion-pumps/medfusion-4000-wireless-syringe-infusion-pump

    Reply
  48. Tomi Engdahl says:

    Samsung Offers Up to $200,000 in Bug Bounty Program
    http://www.securityweek.com/samsung-offers-200000-bug-bounty-program

    Samsung on Thursday announced the official launch of the Samsung Mobile Security Rewards Program, which promises bug bounties of up to $200,000 for Critical vulnerabilities in Samsung mobile devices and associated software.

    The new vulnerability rewards program is open to members of the security community interested in assessing the integrity of Samsung’s mobile devices and associated software, the company says.

    Depending on the severity level of the disclosed vulnerabilities, bug bounties will range between $200 and $200,000. Should vulnerability reports be submitted without a valid Proof-of-Concept, Samsung will decide the qualification for a reward according to reproducibility and severity of the issue, and might significantly reduce the reward amount.

    Reply
  49. Tomi Engdahl says:

    Why “Have a Safe Trip” is Taking on Greater Meaning
    http://www.securityweek.com/why-have-safe-trip-taking-greater-meaning

    Have a safe trip! Typically, when we wish someone well before they leave on a journey we are referring to their physical safety while in transit. But, increasingly, there’s another consideration – their online security.

    Over the past year, compromises of payment card data from Point-of-Sale (POS) systems, network intrusions against third-party suppliers, and cyber espionage campaigns against visitors using hotel Wi-Fi networks have plagued the travel and hospitality industries. In the spirit of “forewarned is forearmed,” let’s take a closer look at some of the most notable examples of each of these types of threats and how firms in these industries can mitigate risk.

    Reply
  50. Tomi Engdahl says:

    Scotiabank internet whizzkids screw up their HTTPS security certs
    Not exactly a move designed to inspire confidence
    https://www.theregister.co.uk/2017/09/08/scotiabank_security_whiz_kids_screw_up_security_certs/

    The team behind Scotiabank’s Digital Banking Unit isn’t impressing some customers, after forgetting to renew the security certificates for their own website.

    The DBU was set up last year to sell “world class digital solutions” to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, tipped off The Register that the bank’s hipster factory certificates had expired nearly five months ago.

    “Tuesday next week is the five month anniversary of the certificate expiring and no one has noticed,” he said. “This from a group supposed to showcase how smart the bank’s IT people are. The irony is strong in this one.”

    Coulls said he tried to warn the team that their SSL certificates were out of order, but has received no response from them. Then again, that appears to be par for the course for the Canadian bank.

    In 2016 he spotted that the bank’s mobile app had some rather unusual features – notably that the programmers had laden the code with f‑bombs. He informed the bank in April and got no response, so let the regulators know. Scotiabank fixed the code within 24 hours.

    The latter incident was particularly concerning, because under banking law – specifically PCI compliance rule 16.3.4 – banks are required to inspect their code carefully to make sure it is secure.

    Reply
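A routine expiry monitor would have flagged the DBU certificate long before five months passed. The following is an added example (not code from the bank, The Register or the commenter): it classifies a certificate's notAfter value as Python's ssl module reports it, using a constructed sample date and an assumed 30-day warning threshold, and includes an optional live check against a host.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Tuple

WARN_DAYS = 30  # alert this many days ahead of expiry (assumed policy)

# Constructed sample: a notAfter in the format ssl.getpeercert() returns.
# It is NOT the bank's real certificate; it simply expired about five months
# before the article date so the "expired" path can be exercised offline.
SAMPLE_NOT_AFTER = "Apr 11 23:59:59 2017 GMT"
ARTICLE_DATE = datetime(2017, 9, 8, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days from `now` until notAfter; negative once the cert has expired."""
    seconds = ssl.cert_time_to_seconds(not_after)  # parses the ssl-module format
    expires_at = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return (expires_at - now).total_seconds() / 86400.0


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Return 'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Live check (needs network): returns (status, detail).

    A default context verifies the chain, so an already-expired certificate
    fails the handshake; that failure is itself the alert, since a verified
    connection is the only way the ssl module exposes the parsed certificate.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "invalid", exc.verify_message  # e.g. 'certificate has expired'
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)
    now = datetime.now(timezone.utc)
    return classify(not_after, now), f"{days_until_expiry(not_after, now):.1f} days left"


if __name__ == "__main__":
    print(classify(SAMPLE_NOT_AFTER, ARTICLE_DATE),
          f"{days_until_expiry(SAMPLE_NOT_AFTER, ARTICLE_DATE):.0f} days")
    # print(check_host("example.com"))  # uncomment to run a live check
```

Run it from cron against every public hostname you own and page on anything other than "ok"; the live check deliberately keeps chain verification on so a lapsed certificate is reported rather than silently read.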
