Year 2017 will not bring any turn towards better data security. The internet is rife with threats, both well-known and unknown, and companies' systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. Still, 1/3 of websites use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for a biometric identifier to work with. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into an encrypted system (be it a phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the need to use telecom operator and external services increases). In addition to disturbing services, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be thought of more as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year or eating their favourite food in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 per cent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided as 2017 starts. During the autumn of 2016, we saw a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum block chain as a platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own block chains in the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for block chains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
Tomi Engdahl says:
New Verizon data leak, the second one in a few months
http://securityaffairs.co/wordpress/63304/breaking-news/new-verizon-data-leak.html
It has happened again, security researchers with Kromtech Security Research Center discovered a new Verizon leak exposed confidential and sensitive data on internal systems.
Leaked data includes server logs and credentials for internal systems, the huge trove of documents was found on an unprotected Amazon S3 bucket.
The Amazon cloud storage contained several files, mostly scripts and server logs that included some login credentials to internal systems, some folders contained internal Verizon confidential documents, another folder contained 129 Outlook messages with internal communications within Verizon Wireless domain.
Tomi Engdahl says:
Viacom left the keys of its digital kingdom on a publicly exposed AWS S3 bucket
http://securityaffairs.co/wordpress/63201/data-breach/viacom-data-leak.html
The security researcher Chris Vickery discovered that Media giant Viacom left sensitive data and secret access key on unsecured Amazon AWS S3 bucket.
Media giant Viacom left sensitive data and secret access key on unsecured Amazon AWS S3 bucket, a gift for hackers. Viacom controls Paramount Pictures, MTV, Comedy Central and Nickelodeon.
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Ex-NSA hacker and chief security researcher at Synack reveals High Sierra zero-day flaw that exposes Keychain contents to exfiltration by malicious apps
Ex-NSA hacker drops macOS High Sierra zero-day hours before launch
http://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=21018946672900879251366930285668
The vulnerability lets an attacker steal the contents of a Keychain — without needing a password
Just hours before Apple is expected to roll out the new version of its desktop and notebook operating system, macOS High Sierra, a security researcher dropped a zero-day.
Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack — a password exfiltration exploit — in action.
Passwords are stored in the Mac’s Keychain, which typically requires a master login password to access the vault.
But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.
Tomi Engdahl says:
Josh Horwitz / Quartz:
China’s coders increasingly use Shadowsocks, an open source proxy tool, to bypass the Great Firewall as government cracks down on VPNs
Meet Shadowsocks, the underground tool that China’s coders use to blast through the Great Firewall
https://qz.com/1072701/meet-shadowsocks-the-underground-tool-that-chinas-coders-use-to-blast-through-the-great-firewall/
This summer Chinese authorities deepened a crackdown on virtual private networks (VPNs)—tools that help internet users inside the mainland access the open, uncensored web. While not a blanket ban, the new restrictions are shifting the services out of their legal grey area and further toward a black one. In July alone, one popular made-in-China VPN abruptly ceased operations, Apple removed dozens of VPN apps from its China-facing app store, and some international hotels stopped offering VPN services as part of their in-house wifi.
In response to these difficulties, China’s tech-savvy programmers have been relying on another, lesser-known tool to access the open internet. It’s called Shadowsocks, and it’s an open-source proxy built for the specific purpose of jumping China’s Great Firewall. While the government has made efforts to curb its spread, it’s likely to remain difficult to suppress.
Shadowsocks is based on a technique called proxying. Proxying grew popular in China during the early days of the Great Firewall—before it was truly “great.” In this setup, before connecting to the wider internet, you first connect to a computer other than your own. This other computer is called a “proxy server.” When you use a proxy, all your traffic is routed first through the proxy server, which could be located anywhere. So even if you’re in China, your proxy server in Australia can freely connect to Google, Facebook, and the like.
But the Great Firewall has since grown more powerful. Nowadays, even if you have a proxy server in Australia, the Great Firewall can identify and block traffic it doesn’t like from that server.
That’s where Shadowsocks comes in. It creates an encrypted connection between the Shadowsocks client on your local computer and the one running on your proxy server, using an open-source internet protocol called SOCKS5.
Chinese censors have been able to use machine learning to find “fingerprints” that identify traffic from VPNs using these protocols. These tactics don’t work so well on Shadowsocks, since it is a less centralized system.
Each Shadowsocks user creates his own proxy connection, and so each looks a little different from the outside. As a result, identifying this traffic is more difficult for the Great Firewall
“Each person can configure it to look like their own thing. That way everybody’s not using the same protocol.”
What’s more, tech-savvy Shadowsocks users often customize their settings, making it even harder for the Great Firewall to detect them wholesale.
Tomi Engdahl says:
Krebs on Security:
Global accounting firm Deloitte confirms report that it was breached, downplays impact; source: it affected all company email, admin accounts, occurred in 2016
Source: Deloitte Breach Affected All Company Email, Admin Accounts
http://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.
In a story published Monday morning, The Guardian said a breach at Deloitte involved usernames, passwords and personal data on the accountancy’s top blue-chip clients.
“The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached,” The Guardian’s Nick Hopkins wrote. “The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was ‘impacted’ by the hack.”
In a statement sent to KrebsOnSecurity, Deloitte acknowledged a “cyber incident” involving unauthorized access to its email platform.
Information shared by a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.
The breach focused their attention on a company office in Nashville known as the “Hermitage,” where the breach is thought to have begun.
Indeed, it appears that Deloitte has known something was not right for some time. According to this source, the company sent out a “mandatory password reset” email on Oct. 13, 2016 to all Deloitte employees in the United States.
Deloitte hit by cyber-attack revealing clients’ secret emails
https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
Exclusive: hackers may have accessed usernames, passwords and personal details of top accountancy firm’s blue-chip clients
The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”
“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.
This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.
One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.
Tomi Engdahl says:
In 2012, Deloitte, which has offices all over the world, was ranked the best cybersecurity consultant in the world.
Source: https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
Tomi Engdahl says:
Louise Matsakis / Motherboard:
Cloudflare debuts Unmetered Mitigation service for free protection against large DDoS attacks
Cloudflare CEO: DDoS Attacks Will Now Be ‘Something You Only Read About In The History Books’
https://motherboard.vice.com/en_us/article/59dd5q/cloudflare-ceo-ddos-attacks-will-now-be-something-you-only-read-about-in-the-history-books
Starting today, Cloudflare is making protection against DDoS attacks free, regardless of how bad they are.
Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer—including those who only use its free services—will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size.
Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. But the illegal practice has been a hallmark of digital activism since the 1990s. What will happen to it now?
Previously, customers who purchased less expensive plans from Cloudflare (or another security firm) were still vulnerable to larger scale DDoS attacks. Now, Cloudflare will utilize its resources to help everyone fight an attack, regardless of how much they pay.
“The standard practice in the industry for some time has been to charge more if you come under attack,” Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often “fire you as a customer if you’re not sort of paying enough and you get a large attack,” he explained. “That’s kind of gross.”
Though illegal, groups like Anonymous and other hacktivists have argued DDoS attacks are a form of digital protest.
Prince agreed that Unmetered Mitigation has the power to render DDoS an activist tool of the past. It “will make DDoSing people not an effective protest mechanism,” he told me. “The best way to counter speech is with more speech not with silencing or censoring someone.”
Prince sees the playing field of DDoS attacks as fundamentally uneven. “We should not create a system of vigilante justice where a single individual—because they are upset with someone—can shut them down,” he said. “What we are trying to do is say ‘regardless of what your resources are, we will keep you online.’”
He has a point: Most corporate giants like Facebook have invested enough in security that they are unlikely to be affected by a DDoS attack. Smaller organizations and individuals have historically been far more at risk.
“We can now absorb anything that the internet throws at us,” he said. DDoS attacks are going to become “something you only read about in the history books.”
Tomi Engdahl says:
Creepy Broadcasts Warning of “Violent Times” Interrupt TV Stations In California
http://www.iflscience.com/technology/creepy-broadcasts-warning-of-violent-times-interrupt-tv-stations-in-california/
So, umm, this is kind of creepy. People in Orange County, California were treated to a rather odd surprise last week, when their regular TV programming was interrupted with ominous messages suggesting the end was nigh.
Viewers on Cox Communications and Spectrum on Thursday, September 21 were subjected to the odd event. Their regular broadcasts, including the channels HGTV and Bravo, were replaced with a screen displaying the words “EMERGENCY ALERT”, with some panicked audio playing over the top.
No one seems to know what exactly was going on. An educated guess, however, would suggest some pranksters managed to access the Emergency Alert System (EAS), which allows authorities to take over TV and radio stations to display important emergency alerts, like severe weather warnings.
If that’s the case, that’s probably not a good thing.
Tomi Engdahl says:
Exposure of your sensitive data isn’t a bug, it’s a feature
https://techcrunch.com/2017/09/25/exposure-of-your-sensitive-data-isnt-a-bug-its-a-feature/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
Another day, another breach. Equifax, SEC, Deloitte and the next one is coming soon. Nothing surprising there anymore, not for customers, not for the breached companies. So why does this keep happening and why isn’t there a change in how we treat our own information, personal or business?
Consider that 4.2 BILLION personal records were breached last year alone.
It is reasonable to calculate that the Equifax breach did not introduce much fresh value for cybercriminals nor fresh risk for consumers. The real impact of this specific incident is tied to the freshest data breached — the driver license numbers. However, it is unlikely that the Equifax information is new to those who mine personally identifiable information (PII) for financial gain. The bottom line is: we are in the unfortunate state where the exposure of 143 million records is pedestrian. Or as I explained to my neighbor, “Equifax failed to patch their systems, now the bad guys probably have your Social Security number… again.”
WannaCry and Equifax have made it clear that simple patching of known systems remains dark art for many large organizations. Most companies struggle to simply build a reliable inventory of their externally facing assets — not to mention orchestrating processes to protect them.
Some voiced optimism that in the wake of Sony, Home Depot, Target, Slack, WebEx, Atlassian and Yahoo, the C-Suite will take notice and act to protect their systems. And they had already taken notice and acted. Just not to protect consumers.
If exposing consumer information in the largest breaches in the history of computing results in losses that are immaterial, why do we expect investments in protecting consumer information?
The C-Suite has always been driven by risk and profitability, not patching vulnerabilities. So it is not surprising that companies turn to underwriting when they can’t reliably protect — or even identify — their digital assets and liabilities.
According to the chairman of the US Securities and Exchange Commission, in the latest breach, PII wasn’t stolen, but the non-public information obtained from missing laptops and non-secure personal email accounts may have been exploited for stock trading.
This, in combination with a mathematical impossibility to protect high-target information when we as consumers have no way of controlling who has access to our data and corporations understanding that protecting customers’ PII is not a financially sound investment explains why we will continue to see more incidents and increasingly sensitive data exposed. In this race to the bottom, there are no winners. When information exists with undefined access points, it will be compromised.
Tomi Engdahl says:
THL apologizes: confidential personal information of 6,000 Finns spread onto the internet
THL Director-General Juhani Eskola regrets data leakage.
Data leakage is a result of THL’s mistake in processing personal data.
According to the Health and Welfare Institute (THL), in August the Office of the Data Protection Ombudsman informed them that confidential personal information had been leaked. No specific details are disclosed for privacy reasons, to prevent any potential damage to the data subjects.
As a result of the data leak, almost 6,000 people’s name, personal ID, and one laboratory result came to the public. According to THL, the information was not accompanied by addresses or medical reports.
- I apologize for the fact that confidential information has ended up online, and I am concerned about the data leak. Responsibility for the event lies with THL.
As soon as it was discovered, THL removed the data from the two different online services where the information could be found. At THL this was a human error in the processing of personal data. The error occurred when a person mistakenly used a personal data file when preparing a presentation report.
According to THL, web search engine administrators removed the links to that data from the search engines’ caches.
On Monday, September 25, a letter was sent to the subjects of data leakage, telling about what happened and giving instructions. As a precautionary measure, those who received the letter have been instructed to follow their billing, credit and debit card information.
Source: http://www.is.fi/kotimaa/art-2000005383125.html
Tomi Engdahl says:
RedBoot Ransomware Modifies Master Boot Record
http://www.securityweek.com/redboot-ransomware-modifies-master-boot-record
A newly discovered ransomware family has the ability to replace the Master Boot Record and modify the partition table, allowing the malware to function as a wiper.
Dubbed RedBoot, the malware was clearly designed for destructive purposes, as even the file-encryption operation is of a similar nature: it encrypts executables and DLLs along with normal data files, thus rendering the infected machine useless. Furthermore, by replacing the MBR, it prevents the computer from loading Windows.
The malware’s operations are similar to those of the Petya-Mischa pair – Petya would replace the MBR while Mischa would encrypt users’ files – which later evolved into the Goldeneye variant. This year, a global attack was using a destructive wiper masquerading as Petya.
Tomi Engdahl says:
DHS Notifies States Targeted by Russia in Election Hacks
http://www.securityweek.com/dhs-notifies-states-targeted-russia-election-hacks
The U.S. Department of Homeland Security (DHS) has finally notified the states whose systems were targeted by hackers before last year’s presidential election.
DHS officials told the Senate Intelligence Committee in June that a threat group believed to be working for the Russian government had targeted websites and other voting-related systems in 21 states.
The agency said at the time that only a small number of networks were actually breached, and it did not find any evidence that vote tallies had been altered. Nevertheless, many officials agree that Russia did at least try to influence the outcome of the election.
Tomi Engdahl says:
Unsigned Apps Can Steal macOS Keychain Passwords
http://www.securityweek.com/unsigned-apps-can-steal-macos-keychain-passwords
Just as Apple launched the latest version of macOS, High Sierra 10.13, a researcher published a video to show how unsigned applications can steal data from the operating system’s Keychain password management system.
Patrick Wardle, director of research at Synack, revealed on Monday that High Sierra and previous versions of macOS are vulnerable. The video made by the expert shows how an unsigned application can programmatically dump and exfiltrate sensitive data from the Keychain, including plaintext passwords, without needing the master password.
Tomi Engdahl says:
Deloitte Says ‘Very Few’ Clients Hit by Hack
http://www.securityweek.com/deloitte-says-very-few-clients-hit-hack
Deloitte said Monday that “very few” of the accounting and consultancy firm’s clients were affected by a hack after a news report said systems of blue-chip clients had been breached.
Deloitte said it immediately contacted government authorities and the affected clients after discovering the hack, which stemmed from a breach in an email platform, the firm said in a statement.
“Only very few clients were impacted,” the company said. “No disruption has occurred to client business, to Deloitte’s ability to continue to serve, or to consumers.”
“Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security,” the company said.
The Guardian reported Monday that six Deloitte clients had information breached by a sophisticated attack and hackers potentially had access to usernames, passwords, IP addresses, architectural diagrams for business.
Deloitte discovered the attack in March, but the hackers may have had access to the information since October or November 2016, the newspaper reported.
The Guardian described the breach as a “deep embarrassment” for the company in part because it advises clients on cybersecurity.
Tomi Engdahl says:
Verizon Engineer Exposes Internal System Data
http://www.securityweek.com/verizon-engineer-exposes-internal-system-data
Researchers discovered an unprotected Amazon Web Services (AWS) S3 bucket containing potentially sensitive information associated with a system used internally by Verizon.
The cloud container, discovered by Kromtech Security on September 20, stored roughly 100 Mb of data from a system called Distributed Vision Services (DVS), which is used to retrieve and update billing data on all Verizon Wireless front-end applications.
While the S3 bucket did not store any Verizon customer information, it did contain usernames, passwords, and 129 Outlook messages representing internal communications.
The security firm also reported finding information that could have been used to access parts of Verizon’s internal network, B2B payment server details, PowerPoint presentations describing Verizon’s infrastructure, and global router hosts.
An investigation by Verizon revealed that the storage container was owned and operated by one of its engineers and not the company itself. Access to the files was restricted shortly after Kromtech sent a notification to Verizon on September 21.
Kromtech was told that the storage container did not hold any confidential data, but experts are not convinced.
“Verizon had $126.0 billion in consolidated revenues in 2016 and it seems like they would not leave the keys to the front door of their data servers or network out for anyone. In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open source or publically available?” explained Bob Diachenko, chief security communications officer at Kromtech.
“As security researchers we often hear that data was not sensitive or that it was production or test data, when it is clearly not,” Diachenko added.
This was not the first time Verizon data was exposed via a misconfigured AWS S3 bucket. Back in mid-July, cyber resilience firm UpGuard reported that one of the company’s partners in Israel had exposed information on millions of Verizon customers.
Tomi Engdahl says:
Adobe Accidentally Posts Private PGP Key
http://www.securityweek.com/adobe-accidentally-posts-private-pgp-key
Adobe’s product security incident response team (PSIRT) accidentally published a private PGP key on its blog. The compromised key was quickly revoked and a new key was generated after the incident came to light.
Adobe PSIRT updated its PGP key on Friday and published the new public key, which should have been valid until September 2018, on its blog. However, Finland-based security researcher Juho Nurminen noticed that scrolling down in the blog post also revealed the private PGP key, which Adobe, obviously, should have kept private.
https://twitter.com/jupenur/status/911286403434246144
Tomi Engdahl says:
Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP
Equipment still taking too long to patch, leaving systems exposed
https://www.theregister.co.uk/2017/09/26/malware_hospital_simulation/
DerbyCon: Electronic medical equipment is supposed to help humans save lives, but their lamentable security could result in considerable death, we were warned over the weekend.
Speaking at DerbyCon in Kentucky, USA, on Saturday, two infosec experts and two doctors who have a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren’t good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed.
Not all of these flaws are remotely exploitable, but many are, “and it only takes one,” said Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative and one of the aforementioned speakers. “Governments aren’t ready for this and hospitals certainly aren’t – 85 per cent of US hospitals don’t have any IT security staff,” he added.
Dr Daneff highlighted the effects of the WannaCry ransomware epidemic on the UK healthcare system, and said the US had been very, very lucky not to have similar infections of malware. The main fear is a software nasty disrupting computers and network-connected equipment to the point where patients are prevented from receiving vital treatment in time.
“When you look at stroke or heart attack victims you’ve got a very small time window to medicate and avoid further damage,” Dr Daneff explained. “A serious delay might not kill people but can certainly leave them crippled. I’m pretty confident someone died due to this [WannaCry] attack.”
The group ran a simulation exercise with the authorities in Phoenix, Arizona, that revealed alarming results. The three-day simulated cyber-disaster involved one hospital in the city being infected by destructive malware that crippled essential services, followed by other digital assaults on hospitals across the city on the second day, and then a physical attack similar to the 2013 Boston marathon bombing on day three.
To their surprise, the simulations calculated deaths would occur almost immediately on day one.
By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated.
All of these deaths, in the simulation, were caused by simple hacking, usually not even requiring physical contact with the devices to exploit their weaknesses, we’re told. Many older medical machines can’t be patched at all to secure them, making it pretty easy to pwn them once you’re on the network or find them on the public internet, while the makers of newer systems are proving frustratingly slow to respond to security vulnerabilities.
A case in point is the St Jude pacemaker case. It took a year after a security firm pointed out the failings of the pacemaker’s firmware for the health biz to release a patch and get it approved for use, and that isn’t uncommon.
Tomi Engdahl says:
T316 Anatomy of a Medical Device Hack Doctors vs Hackers in a Clinical Simulation Cage Match Joshua
https://www.youtube.com/watch?v=FnvcocyI4pI
Derbycon 2017 Videos
http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist
Tomi Engdahl says:
CBS’s Showtime caught mining crypto-coins in viewers’ web browsers
Who placed the JavaScript code on two primetime dot-coms? So far, it’s a mystery
https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/
The websites of US telly giant CBS’s Showtime contained JavaScript that secretly commandeered viewers’ web browsers over the weekend to mine cryptocurrency.
The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.
The scripts were written by Coin Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Coin-Hive-hosted scripts adds up and is transferred from Coin Hive to the site’s administrators. One Monero coin, 1 XMR, is worth about $92 right now.
Tomi Engdahl says:
Oulu has a cybercrime center – the United States involved
Finland and the United States will start cybercrime co-operation. In practice, research co-operation is being established between the Kybert Security Research Center and the United States National Science Foundation (I/UCRC) and the Industry/University Cooperative Research Center (I/UCRC).
The Kybert Research Program co-operation agreement is signed today as a research community in Finnish industry at DIMECC’s Cyber Trust Program Final Seminar at the Helsinki Fair Center.
The Cyber Security and Software Engineering Research Site, founded by the University of Oulu, is open to all Finnish universities and research institutes. The unit is designed to function as part of the US Security and Software Engineering Research Center. It has been studying the security of software and systems by 13 universities and over 20 industrial and public-sector partners since 2010.
Source: https://www.uusiteknologia.fi/2017/09/26/ouluun-kyberturvakeskus-yhdysvallat-mukana/
Tomi Engdahl says:
Lockheed Martin’s laser weapon takes down 5 drones in live-fire demonstration
http://newatlas.com/lockheed-martin-athena-laser-seapon-test/51429/
In a video released by Lockheed, the transportable, ground-based ATHENA system shot down the five 10.8-ft (3.3-m) wingspan Outlaws by focusing its 30 kW Accelerated Laser Demonstration Initiative (ALADIN) laser at the aircraft’s stern control surfaces until they burned off, sending the drones crashing into the desert floor.
Tomi Engdahl says:
[Report] Cyber Attack Landscape of 2017, So Far
How does the cyber attack landscape of 2017 look so far, and what do you need to keep in mind to best protect your business?
https://business.f-secure.com/report-cyber-attack-landscape-of-2017-so-far
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Ex-NSA hacker and security researcher at Synack reveals macOS zero-day flaw that exposes Keychain contents to exfiltration by apps, demos it in High Sierra — The vulnerability lets an attacker steal the contents of a Keychain — without needing a password.
Ex-NSA hacker drops macOS High Sierra zero-day hours before launch
The vulnerability lets an attacker steal the contents of a Keychain — without needing a password.
http://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=21018946672900879251366930285668
Tomi Engdahl says:
Dirty Cow vulnerability discovered in Android malware campaign for the first time
http://www.zdnet.com/article/dirty-cow-vulnerability-discovered-in-android-malware-campaign-for-the-first-time/
The bug has been found in malware designed to root and install backdoors into Android handsets.
Tomi Engdahl says:
Brian Heater / TechCrunch:
Apple starts collecting Safari browsing data in macOS High Sierra using differential privacy tech that will help it identify problematic websites — Today’s public release of macOS High Sierra brings with it some key updates to Safari — including the ability to disable cross-site cookie tracking and turn off autoplaying ads.
Apple starts collecting browsing data in Safari using its differential privacy tech
https://techcrunch.com/2017/09/25/apple-starts-collecting-browsing-data-in-safari-using-its-differential-privacy-tech/
Today’s public release of macOS High Sierra brings with it some key updates to Safari — including the ability to disable cross-site cookie tracking and turn off autoplaying ads. Arriving alongside those features is a less publicized new addition to Apple’s proprietary browser: data collection. The company is using its newly implemented differential privacy technology to gather information from user habits that will help it identify problematic websites.
This form of data collection is the first of its kind for Safari, aimed at identifying sites that use excessive power and crash the browser by monopolizing too much memory. Apple is also documenting the popularity of these problematic domains, in order to prioritize which sites it addresses first.
Tomi Engdahl says:
GPS jamming
Out of sight
Satellite positioning-data are vital—but the signal is surprisingly easy to disrupt
https://www.economist.com/news/international/21582288-satellite-positioning-data-are-vitalbut-signal-surprisingly-easy-disrupt-out
EVERY day for up to ten minutes near the London Stock Exchange, someone blocks signals from the global positioning system (GPS) network of satellites. Navigation systems in cars stop working and timestamps on trades made in financial institutions can be affected. The incidents are not a cyber-attack by a foreign power, though. The most likely culprit, according to Charles Curry, whose firm Chronos Technology covertly monitors such events, is a delivery driver dodging his bosses’ attempts to track him.
The signals are weak. Mr Curry likens them to a 20-watt light bulb viewed from 12,000 miles (19,300 km).
Texas students fake GPS signals and take control of an $80 million yacht
http://blog.chron.com/sciguy/2013/07/texas-students-fake-gps-signals-and-take-control-of-an-80-million-yacht/?cmpid=hpfc
Tomi Engdahl says:
2017-005A-GPS Interference-Black Sea
https://www.marad.dot.gov/msci/alert/2017/2017-005a-gps-interference-black-sea/
A maritime incident has been reported in the Black Sea in the vicinity of position 44-15.7N, 037-32.9E on June 22, 2017 at 0710 GMT. This incident has not been confirmed. The nature of the incident is reported as GPS interference. Exercise caution when transiting this area.
Ships fooled in GPS spoofing attack suggest Russian cyberweapon
https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/
Tomi Engdahl says:
Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol
https://www.google.fi/amp/s/arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/%3famp=1
A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday.
The unidentified attackers exploited weaknesses in Signalling System No. 7,
Tomi Engdahl says:
Avast Threat Labs analysis of CCleaner incident
https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident
Experts at Avast Threat Labs have been analyzing the CCleaner advanced persistent threat (APT) continuously for the past few days and apart from the information in recent blog posts (Piriform and Avast posts), we are starting a series of technical blog posts describing details and technical information that we encountered during our analysis. Today, we will cover the ongoing analysis of the CnC server and the 2nd stage payload.
Tomi Engdahl says:
Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’
Yes, that’s Gartner’s security consultancy of the year
https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/?mt=1506487729872
Monday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident.
Now evidence suggests it’s no surprise the biz was infiltrated: it appears to be all over the shop, security wise.
On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.
On top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be behind a firewall and/or with two-factor authentication as per industry best practices. And likely the best practices Deloitte recommends to its clients, ironically.
“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”
Tomi Engdahl says:
Sensitive client emails, usernames, passwords exposed in Deloitte hack
Oops, did someone forget to turn on 2FA?
https://www.theregister.co.uk/2017/09/25/deloitte_email_breach/
Deloitte, one of the world’s “big four” accountancy firms, has fallen victim to a cyberattack that exposed sensitive emails to hackers.
The IT security breach dates back to November 2016 but was only discovered in March this year, according to The Guardian, which broke the news in an exclusive on Monday. Deloitte has reportedly informed six of its clients that their information was “impacted.” The firm’s internal review into the incident is ongoing.
Hackers gained access to Deloitte’s email system through an administrative account that was not secured using two-factor authentication, The Guardian reports. Emails to and from Deloitte staff were hosted on Microsoft’s Azure cloud service. As well as email, hackers may have had access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information.”
Tomi Engdahl says:
Ransomware keeping cops, NHS and local UK gov bods awake at night
Biggest threat next year, Met Police cybercrime boss says
https://www.theregister.co.uk/2017/09/28/ransomware_biggest_threat_to_uk_public_sector_2018/
Cybersecurity bods at the Met Police, NHS and the Local Government Association in the UK believe ransomware will be one of the biggest threats facing the British public sector next year.
Speaking at the Cyber Security in Healthcare event in London, the public sector heads discussed the predicted cybersecurity threats to health and care services in 2018 and how are they evolving.
DCI Gary Miles, from the SC07 Organised Crime Command at the Metropolitan Police, who is responsible for complex fraud and cybercrime, said: “Three years ago [the main threat] was the inception of DDoS attacks or the criminal damage of computers; two years ago it was data breaches like TalkTalk, this year it’s been the use of ransomware attacks on individuals and corporate systems. Next year it will be more of the same.”
Tomi Engdahl says:
Worldwide airport chaos after computer check-in systems crash – latest news
http://www.telegraph.co.uk/news/2017/09/28/worldwide-airport-chaos-check-in-computer-systems-crash/
Passengers struggle to check-in due to systems failure
‘Glitch’ with software used by 125 airlines around world
Delays at airports including Heathrow and Gatwick
Problems also appear to affect some online check-ins
Software firm confirms ‘network issue causing disruption’
Services ‘gradually being restored’, it says in midday update
Air passengers are suffering major disruption at airports around the world after computer check-in systems crashed.
Problems have been reported at airports including London’s Heathrow and Gatwick, Charles de Gaulle in Paris, Zurich, Melbourne, Johannesburg, Changi in Singapore and Washington DC’s Reagan Airport.
The problem has been affecting Amadeus Altea software used by 125 airlines and appeared to also have hit some online check-ins.
Gatwick described the situation as a “momentary IT glitch” and said it was not causing flight delays, adding that it believed the system was “back up and running” after about 15 minutes.
Amadeus, the company that provides the software, confirmed a “network issue that is causing disruption”.
Tomi Engdahl says:
Don’t fall for this Netflix phishing scam
http://mashable.com/2017/09/27/netflix-phishing-email-scam/#C5Zsmyd9l5qi
Today’s big phishing scam: Netflix accounts. In the past 24 hours, customers have been receiving emails purporting to be from Netflix soliciting their account information.
WGN reports the scam emails inform users their accounts have been disabled, and it recommends they update their payment details.
“We’re having some trouble with your current billing information,” the emails read. “We’ll try again, but in the meantime you may want to update your payment details.”
The email is signed by “Aleksandar.” No Netflix executive with that name exists.
If you get an email like this, don’t click the link. And report the email to Netflix immediately.
Tomi Engdahl says:
Internet Explorer bug leaks whatever you type in the address bar
All your private addresses and search queries are belong to us.
https://arstechnica.com/information-technology/2017/09/bug-in-fully-patched-internet-explorer-leaks-text-in-address-bar/
There’s a bug in the latest version of Internet Explorer that leaks the addresses, search terms, or any other text typed into the address bar.
The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn’t intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services.
The flaw was disclosed Tuesday by security researcher Manuel Caballer
Revealing the content of the address bar (IE)
http://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/
Hello fellow bug hunter! Today we are going back to Internet Explorer which, despite getting old, tons of people still use. I am much happier with MSRC lately, they are really moving forward regarding Edge, design bugs, and they even extended its bug bounty, which seems to be permanent now.
In my opinion, Microsoft is trying to get rid of IE without saying it. It would be easier, more honest to simply tell users that their older browser is not being serviced like Edge. Current browser stats, according to Netmarketshare show that IE is still more popular than Edge: 17% vs 6%.
Tomi Engdahl says:
THL’s data leak could have been easily blocked – more and more need to be invested in T & T monitoring
Public administration and businesses should invest more in controlling access to sensitive information and business secrets, and in monitoring improper use, Markus Melin, Senior Vice President of the Data Security Services Unit at an IT service provider, tells Tekniikka & Talous.
Melin says that the leak of 6,000 citizens’ data at the Health and Welfare Institute (THL), revealed on Tuesday, would have been avoided if the public administration had used a data leak detection and prevention (DLP) system.
The abbreviation DLP used by Melin stands for data leakage/loss prevention, i.e. preventing data from flowing out.
This is typically a hardware and software combination that identifies, by means of predefined criteria, the kind of data that the organization cannot move outward via e-mail, web browser, or external mass storage. Such data may be, for example, personal identification numbers, credit card numbers, or documents that are classified as confidential.
“When a user nevertheless tries to send such information, by e-mail for example, the workstation’s monitoring agent reports that he or she is acting in violation of the organization’s security policy.”
Source: http://www.tivi.fi/Kaikki_uutiset/thl-n-tietovuoto-olisi-voitu-estaa-helposti-t-t-valvontaan-pitaa-panostaa-enemman-6679488
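The predefined-criteria matching that Melin describes, as an added example that is not the product he refers to nor anything from THL: a small Python content scanner that flags Finnish personal identity codes (check character verified), Luhn-valid payment card numbers and a classification marker in an outbound message, then applies a simple block/allow policy. The rule names, the sample e-mail and the policy thresholds are constructed for illustration.

```python
"""Minimal DLP-style content inspection for outbound text (added example).

Two of the three rules validate what they match (check character, Luhn)
so that random digit runs do not trigger a block.
"""
import re
from dataclasses import dataclass

# Check-character alphabet of the Finnish personal identity code (henkilotunnus):
# the 9 digits DDMMYYZZZ modulo 31 index into this string.
HETU_CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"
# DDMMYY + century sign (+ 1800s, - or U..Y 1900s, A..F 2000s) + serial + check char
HETU_RE = re.compile(r"\b(\d{6})([-+A-FU-Y])(\d{3})([0-9A-Z])\b")
# 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed classification marker (Finnish / English)
CLASSIFICATION_RE = re.compile(r"\b(LUOTTAMUKSELLINEN|CONFIDENTIAL)\b", re.IGNORECASE)


def hetu_is_valid(code: str) -> bool:
    """True if the code has a plausible date and a correct check character."""
    m = HETU_RE.fullmatch(code)
    if not m:
        return False
    ddmmyy, _century, serial, check = m.groups()
    day, month = int(ddmmyy[:2]), int(ddmmyy[2:4])
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return False
    return HETU_CHECK_CHARS[int(ddmmyy + serial) % 31] == check.upper()


def luhn_is_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (13-19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the DLP log is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    rule: str
    offset: int
    redacted: str


def scan_text(text: str) -> list:
    """Run all rules over the text; return findings ordered by position."""
    findings = []
    for m in HETU_RE.finditer(text):
        if hetu_is_valid(m.group(0)):
            findings.append(Finding("finnish_personal_id", m.start(), redact(m.group(0))))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_is_valid(digits):
            findings.append(Finding("payment_card", m.start(), redact(digits)))
    for m in CLASSIFICATION_RE.finditer(text):
        findings.append(Finding("classification_marker", m.start(), m.group(0)))
    return sorted(findings, key=lambda f: f.offset)


def decide(findings: list, personal_id_threshold: int = 1) -> str:
    """Constructed policy: any card number or classified document blocks;
    personal identity codes block once their count reaches the threshold."""
    ids = sum(1 for f in findings if f.rule == "finnish_personal_id")
    hard_block = any(f.rule in ("payment_card", "classification_marker") for f in findings)
    return "block" if hard_block or ids >= personal_id_threshold else "allow"


# Constructed outbound message: two valid identity codes, one with a bad check
# character (typo), a Luhn-valid test card number and a classification marker.
SAMPLE_EMAIL = """\
Subject: Potilaslista / patient list
Hei,
liitteena lista: 131052-308T, 010190-123M, 010190-123A (typo?)
Maksutiedot: 4111 1111 1111 1111
LUOTTAMUKSELLINEN - ei saa lahettaa ulos.
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_EMAIL)
    for f in found:
        print(f"{f.rule:22} @{f.offset:4}  {f.redacted}")
    print("decision:", decide(found))
```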
Tomi Engdahl says:
Europol Warns Banks ATM Cyber Attacks on the Rise
http://www.securityweek.com/europol-warns-banks-atm-cyber-attacks-rise
Cyber criminals are increasingly accessing ATM machines through the banks’ networks, with squads of money mules standing by ready to pick up the stolen cash, Europe’s policing agency warned Tuesday.
“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, who heads Europol’s EC3 cyber crime centre.
Tomi Engdahl says:
Android App Siphons Data on 200 Million Users
http://www.securityweek.com/android-app-siphons-data-200-million-users
A popular Android keyboard application with over 200 million downloads was found gathering user information and sending the data to a remote server, Adguard reveals.
The offending application, GO Keyboard, has two versions available in Google Play, namely GO Keyboard – Emoji keyboard, Swipe input, GIFs and GO Keyboard – Emoticon keyboard, Free Theme, GIF, each with over 100 million downloads to date.
The keyboard is developed by Chinese firm GOMO, which has numerous applications in the mobile app store, under two developer accounts, namely GOMO Dev Team and GOMO Apps.
According to Adguard security researchers, the applications were designed to siphon a large amount of user data, including Google account emails, device language, IMSI, location, network type, screen size, Android version and build, and device model.
Tomi Engdahl says:
Breach at Fast Food Chain Sonic Could Impact Millions: Report
http://www.securityweek.com/breach-fast-food-chain-sonic-could-impact-millions-report
Sonic Drive-In, a fast food restaurant chain with more than 3,500 locations across the United States, has apparently suffered a data breach that may have resulted in the theft of millions of payment cards.
The company confirmed to SecurityWeek that it has launched an investigation, but it has not provided any information on the possible number of affected restaurants and customers.
“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC,” Sonic said in an emailed statement.
Tomi Engdahl says:
Flaws Expose FLIR Thermal Cameras to Remote Attacks
http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
Researchers have disclosed the details of several potentially serious vulnerabilities affecting thermal security cameras from FLIR Systems, said to be the world’s largest provider of thermal imaging cameras, components and imaging sensors.
The flaws were discovered by Gjoko Krstic of Zero Science Lab and were disclosed over the weekend by Beyond Security. The issues were reported to FLIR on June 27 and while the company responded to Beyond Security’s emails, it did not provide an estimated date for workarounds or patches.
Krstic found various types of vulnerabilities in FLIR’s FC-Series S, FC-Series ID and PT-Series thermal security cameras, including information disclosure, authenticated and unauthenticated remote code execution, and hardcoded credentials issues. The researcher also found a vulnerability that allows an unauthenticated attacker to access a camera’s live feed.
Tomi Engdahl says:
Seoul Says North Korean Hackers Tried to Steal Bitcoins: Yonhap
http://www.securityweek.com/seoul-says-north-korean-hackers-tried-steal-bitcoins-yonhap
Police investigations have pointed to North Korea as responsible for recent attempts to hack South Korea’s virtual currency exchanges, a report said Wednesday.
They reached the conclusion after investigating cyber-attacks on dozens of email accounts of employees at four local bitcoin exchanges, Yonhap news agency said.
North Korea is heavily sanctioned by the United Nations for its nuclear and missile programs and speculation has been mounting that the cash-strapped regime is turning to digital currency to obtain funds.
Tomi Engdahl says:
Two-Year Old Vulnerability Patched in Linux Kernel
http://www.securityweek.com/two-year-old-vulnerability-patched-linux-kernel
A high risk security vulnerability that could be exploited to escalate privileges has been patched in Linux kernel after being initially discovered more than two years ago.
Discovered by Qualys Research Labs, the bug affects all Linux distributions that have not fixed their long-term kernels after a commit released on April 14, 2015. However, because the bug wasn’t recognized as a security threat at the time, the fix wasn’t backported to Linux 3.10.77 in May 2015.
Because of that, “all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable,” Qualys says.
Tracked as CVE-2017-1000253, the vulnerability has a CVSS3 Base Score of 7.8. The issue resides in the manner in which the Linux kernel loads ELF executables and is triggered by applications that have been built as Position Independent Executables (PIEs).
https://security-tracker.debian.org/tracker/CVE-2017-1000253
Tomi Engdahl says:
Researchers Use Heart Rhythms for Continuous Authentication
http://www.securityweek.com/researchers-use-heart-rhythms-continuous-authentication
Researchers from the University at Buffalo SUNY, and the Department of Electrical and Computer Engineering at Texas Tech University have proposed a novel continuous user authentication method using cardiac motion (a heart-based function determined by users’ unique heart geometry). Their paper, ‘Cardiac Scan: A Non-Contact and Continuous Heart-Based User Authentication System’ (PDF), will be presented at MobiCom, Utah, October 16-20.
Unlike other methods of measuring cardiac motion, this method (called Cardiac Scan) functions without physical contact or intervention by the user. The intention is to be able to recognize a unique user based on a stored template, to know when that user is in front of the computer or other device, and know when that authorized user leaves the device. While present, the session is maintained; but as soon as the user is no longer present, the session can be closed (with precise details governed by corporate policy).
Tomi Engdahl says:
Google, Facebook, Twitter Asked to Testify in Russia Probe
http://www.securityweek.com/google-facebook-twitter-asked-testify-russia-probe
The Senate Intelligence Committee has asked top tech companies Google, Facebook and Twitter to testify about Russian interference in US politics, a Senate aide confirmed Wednesday.
The three internet and online social media giants are expected to appear on November 1 in an open hearing on the rising evidence that they were covertly manipulated in a campaign to help Donald Trump win the presidency.
Before that they could also testify in the House Intelligence Committee: Representatives Mike Conaway and Adam Schiff, who lead the committee’s Russia probe, announced late Wednesday they too had invited representatives of technology firms to testify on Russian manipulation.
“Congress and the American people need to hear this important information directly from these companies,” they said.
Tomi Engdahl says:
Critical IOS Flaws Expose Cisco Devices to Remote Attacks
http://www.securityweek.com/critical-ios-flaws-expose-cisco-devices-remote-attacks
Cisco has released updates for its IOS software to address more than a dozen critical and high severity vulnerabilities that expose the company’s switches and routers to remote attacks.
One of the critical flaws is CVE-2017-12229, a REST API issue that allows a remote attacker to bypass authentication and gain access to the web-based user interface of devices running vulnerable versions of the IOS software.
The last security hole rated critical, CVE-2017-12240, affects the DHCP relay subsystem in IOS and IOS XE software. A remote and unauthenticated attacker can execute arbitrary code and gain full control of the targeted system or cause it to enter a denial-of-service (DoS) condition by triggering a buffer overflow via specially crafted DHCPv4 packets.
Cisco has also patched a total of 11 high severity flaws affecting various components of the IOS and/or IOS XE software. This includes DoS vulnerabilities affecting Catalyst switches, Integrated Services routers, industrial ethernet switches, ASR 1000 series routers, and cBR-8 Converged Broadband routers.
Tomi Engdahl says:
Ransomware Attacks ‘Global Epidemic’, Says Europol
http://www.securityweek.com/ransomware-attacks-global-epidemic-says-europol
An “epidemic” has erupted in global ransomware attacks, taking over computers as well as internet-linked devices like routers and CCTV cameras to turn them into tools for criminals, Europe’s police agency said Wednesday.
“Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen,” Europol said, as it released its latest annual report on internet organised crime.
https://www.europol.europa.eu/iocta/2017/index.html
Tomi Engdahl says:
DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
http://www.securityweek.com/ddos-attacks-more-likely-hit-critical-infrastructure-apts-europol
While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment (IOCTA).
The report covers a wide range of topics, including cyber-dependent crime, online child exploitation, payment fraud, criminal markets, the convergence of cyber and terrorism, cross-cutting crime factors, and the geographical distribution of cybercrime. According to the police agency, we’re seeing a “global epidemic” in ransomware attacks.
When it comes to critical infrastructure attacks, Europol pointed out that the focus is often on the worst case scenario – sophisticated state-sponsored actors targeting supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) in power plants and heavy industry organizations.
However, these are not the most likely and most common types of attacks – at least not from a law enforcement perspective as they are more likely to be considered threats to national security. More likely attacks, based on reports received by law enforcement agencies in Europe, are ones that don’t require attackers to breach isolated networks, such as distributed denial-of-service (DDoS) attacks, which often rely on easy-to-use and widely available tools known as booters or stressers.
While these types of attacks may not lead to a shutdown of the power grid, they can still cause serious disruptions to important utilities and services.
“While DDoS is often a tool for extortion, the lack of communication from the attackers may suggest that these attacks were of an ideological nature,” Europol said in its report. “Although European law enforcement recorded an increasing number of these attacks last year, they also note that they only had moderate, short-lived impact.”
Internet Organised Crime Threat Assessment (IOCTA) 2017
https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017
Tomi Engdahl says:
Microsoft downplays alarm over Windows Defender ‘flaw’
Says you’d hafta click through a *boatload* of warnings
https://www.theregister.co.uk/2017/09/28/windows_defender_flaw/
Security researchers have uncovered what they believe is a vulnerability that allows malware to completely bypass Windows Defender. Microsoft dismissed the report as of “limited practical applicability” in practice (i.e. a low-risk threat).
The team at CyberArk Labs nonetheless claims the security shortcoming could impact tens of millions of devices running on Windows 10 and 8.1.
“In order to abuse Windows Defender,” the researchers write, “an attacker would have to implement the SMB protocol and create a ‘pseudo-server’ that can differentiate Windows Defender’s request from normal requests.”
https://www.cyberark.com/threat-research-blog/illusion-gap-antivirus-bypass-part-1/
Tomi Engdahl says:
NSA Targeted 106,000 Foreigners In Spy Program Up For Renewal
https://yro.slashdot.org/story/17/09/26/0413201/nsa-targeted-106000-foreigners-in-spy-program-up-for-renewal
The U.S. National Security Agency conducted targeted surveillance over the past year against 106,000 foreigners suspected of being involved in terrorism and other crimes, using powers granted in a controversial section of law that’s set to expire at the end of this year. The number of foreigners targeted under Section 702 of the Foreign Intelligence Surveillance Act rose from 94,000 in fiscal year 2015, according to U.S. intelligence officials, who asked not to be identified discussing the information.
NSA Targeted 106,000 Foreigners in Spy Program Up for Renewal
https://www.bloomberg.com/news/articles/2017-09-25/nsa-targeted-106-000-foreigners-in-spy-program-up-for-renewal
Tomi Engdahl says:
Cyber Blog – Published 26.9.2017
Cyber Vulnerabilities and Risks in the Healthcare Ecosystem
http://cybersecuritynordic.messukeskus.com/2017/09/26/varaus-aapo-cederberg-terveysblogi/?lang=fi
Critical infrastructure is the backbone of modern society. Healthcare infrastructure and services are part of critical infrastructure and they could even be called super critical, because well-functioning health care is needed in our everyday life but more importantly in every crisis situation. It should be part of the national plan of Critical Infrastructure Protection (CIP). Modern cyber-attacks are based on vulnerabilities – it is impossible to protect the healthcare ecosystem without knowing the vulnerabilities. The key question is: do we know the vulnerabilities in our healthcare ecosystem, and if not, what should be done?
All the involved parties should understand the risk and threat these vulnerabilities can create for the whole healthcare ecosystem. In the headlines, we have this as a rising risk in the light of some recent cyberattacks [1] and data breaches [2]. It is probably right to claim that cyber-attacks or data breaches are going to happen more and more in the near future. The question is when and at what cost? Lloyd's of London estimates that a major cyber-attack could cost as much as Superstorm Sandy to the global economy, roughly $53 billion [3].
To fully perceive the big picture and to be able to make reasonable decisions it is important to define vulnerabilities and risks at all levels of the ecosystem covering people, process, technology and data, and in addition governance, where the prerequisite for success or failure is originally laid down. Identifying the need for a common understanding of existing threats, regulations, standards, risks and complexities is essential for securing the healthcare ecosystem in the future. It is very much up to the national authorities to decide who is overlooking the security of the whole healthcare ecosystem. A comprehensive situational awareness is needed to be able to prevent and protect against cyber-attacks.