Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and company systems still have to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer disruption to their business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that do not work with a biometric identifier. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors into it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into those encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the need to use telecom operators and external services increases). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be thought of as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue and more people are talking about it. Design teams will have to bake strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During the autumn of 2016 we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain on its Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to use the cloud for their blockchains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Hacked Websites Mine Cryptocurrencies
    https://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html

    Cryptocurrencies are all the rage now. Bitcoin, altcoins, blockchain, ICO, mining farms, skyrocketing exchange rates – you see or hear this everyday in news now. Everyone seems to be trying to jump on this bandwagon.

    This trend resulted in emergence of online platforms that allow webmasters to install coin miners into their websites as an alternative means of monetization. The most notable platforms that provide JavaScript cryptocurrency miners for web sites are JSE Coin and Coinhive.
    Controversy Around JavaScript Miners

    Both of these platforms allow webmasters to register and obtain a snippet of JavaScript code that they can install on their sites. This code will work in the background of visitors’ browsers, mining coins by utilizing excess CPU power of their computer.

    CBS’s Showtime caught mining crypto-coins in viewers’ web browsers
    Who placed the JavaScript code on two primetime dot-coms? So far, it’s a mystery
    https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/

  2. Tomi Engdahl says:

    When filters fail: These cases show we can’t trust algorithms to clean up the internet
    https://juliareda.eu/2017/09/when-filters-fail/

    Today, the European Commission announced its silver-bullet solution to illegal content online: Automated upload filters!

    It has already been pushing filters to try to prevent copyright infringement – in its communication on ‘tackling illegal content online’, it is going ever further.

    The Commission now officially “strongly encourages online platforms to […] step up investment in, and use of, automatic detection technologies”. It wants platforms to make decisions about the legality of content uploaded by users without requiring a court order or even any human intervention at all: “online platforms should also be able to take swift decisions […] without being required to do so on the basis of a court order or administrative decision”.

    Installing censorship infrastructure that surveils everything people upload and letting algorithms make judgement calls about what we all can and cannot say online is an attack on our fundamental rights.

  3. Tomi Engdahl says:

    Agile Security Manifesto
    https://www.synopsys.com/software-integrity/resources/ebooks/agile-security-manifesto.html?cmp=em-sig-eloqua&utm_medium=email&utm_source=eloqua&elq_mid=224&elq_cid=166673

    The Agile Manifesto was created in 2001 to provide an alternative to document-heavy software development practices.

    Now we’ve created our own set of principles to complement the Agile Manifesto by addressing similar inefficiencies plaguing application security. These four principles are meant to guide and inspire us to build secure software in an agile way.

    Rely on developers and testers more than security specialists.
    Secure while we work more than after we’re done.
    Implement features securely more than adding on security features.
    Mitigate risks more than fix bugs.

  4. Tomi Engdahl says:

    Power meltdown ‘fries’ SourceForge, knocks site’s servers titsup
    Total Inability To Support Unusual Projects
    https://www.theregister.co.uk/2017/09/27/faulty_data_center_takes_out_sourceforge/

    A crippling data center power failure knackered SourceForge’s equipment yesterday and earlier today, knocking the site offline.

    The code repository for free and open-source software projects crashed yesterday morning (around 0645 Pacific Time) after unspecified “issues” hit its hosting provider’s power distribution unit, redundancies failed, and its equipment was “completely fried,” Logan Abbot, SourceForge president, told The Register today.

    The site supremo said the damaged gear was replaced by staff, with the work completed by around midnight US West Coast time, returning the website to the internet. However, around 0645 PT today, the site stumbled offline again, seemingly from more power supply problems hampering connections to its servers.

    “SourceForge is experiencing connectivity issues. We are working with our upstream provider,”

  5. Tomi Engdahl says:

    10 critical security skills every IT team needs
    https://www.cio.com/article/3228965/it-skills-training/10-critical-security-skills-every-it-team-needs.html

    Focus on hiring talent with the following security skills and your team will be equipped to prevent, protect and mitigate the damage of cybersecurity attacks — and speed recovery efforts.

    Following are 10 security skills your organization should focus on when staffing up or upskilling your security teams.
    1. Security tools expertise
    2. Security analysis
    3. Project management
    4. Incident response
    5. Automation/devops
    6. Data science and data analytics
    7. Scripting
    8. Soft(er) skills
    9. Post-mortem deep forensics
    10. Passion

    Finally, good security talent has a passion for their work and a desire to share that knowledge, says Antoniewicz. That can manifest itself in various ways, from picking up a new programming language to taking courses to actively sharing knowledge across their organization or at community meetups, he says.

    “A good security person will have a major passion for sharing, learning and growing their knowledge all the time,”

    If you already have professionals like this on board, do whatever you can to encourage and support them. “Develop teambuilding exercises, knowledge-sharing sessions, get-togethers, hack-a-thons, demos of new products or solutions, bug bounties — any way you can continue their engagement and add fuel to their fire,” he says.

  6. Tomi Engdahl says:

    Denuvo Crisis After Total Warhammer 2 Gets Pirated in Hours
    https://torrentfreak.com/denuvo-crisis-after-total-warhammer-2-gets-pirated-in-hours-170929/?utm_source=dlvr.it&utm_medium=twitter

    Denuvo, the world’s most feared gaming anti-piracy mechanism, was deployed yesterday on the brand new Total War: Warhammer 2. Instead of the months, weeks, or even days of protection usually offered by the system, the whole thing collapsed within hours.

    Needing little introduction, the anti-piracy system sold by Denuvo Software Solutions of Austria is probably the most well-known product of its type on the planet.

    For years, Denuvo was considered pretty much impenetrable, with its presence a virtual stamp of assurance that a game being protected by it would not fall victim to piracy, potentially for years. In recent times, however, things have begun to crumble.

  7. Tomi Engdahl says:

    A Shift in the ATM Malware Landscape: From Physical to Network-based Attacks
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shift-in-atm-malware-landscape-to-network-based-attacks?ClickID=a9wpnwyaspnaalslwrtzv5y95lnvznzt9rl

    There is no way around it: Compromising automated teller machines (ATMs) could be seen by criminals as hitting the mother lode. Oftentimes there would be reports of unauthorized cash-outs, and upon investigation, skimmers and other attacks by physical means would be the usual suspects.

    Over the years, ATM thefts have been undertaken in a variety of ways: from blowing up safes to gluing on skimmers and attaching fake keypads to installing malware executables. In particular, the use of malware in attacking ATMs has seen considerable adoption among cybercriminals, and one of the primary factors contributing to its sustained use is the fact that many of the targeted machines still use outdated operating systems. Such systems no longer receive critical security updates, so in the most basic sense, system vulnerabilities are not addressed, let alone resolved.

  8. Tomi Engdahl says:

    THL’s data leak could have been easily blocked – more and more need to be invested in T & T monitoring

    Public administration and businesses should invest more in accessing sensitive information and business secrets and in controlling improper use, says IT Service Provider, Markus Melin, Tekniikka & Taloudelle, Senior Vice President, Tieto Security Services Unit.

    Melin says that a 6000-citizen data leak revealed on Tuesday, at the Health and Welfare Institute (THL), would have been avoided if the public administration had used the data leakage detection and detection dlp system.

    The letter combination dlp mentioned by Melin comes from data leakage / loss prevention and means data blocking.

    “When a user is sending such information even though email, the workstation monitoring agent declares that he or she is acting in violation of the organization’s security policy.”

    Source: http://www.tivi.fi/Kaikki_uutiset/thl-n-tietovuoto-olisi-voitu-estaa-helposti-t-t-valvontaan-pitaa-panostaa-enemman-6679488

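The content check a DLP agent applies before an outgoing message leaves the workstation, as an added example that is not from the article above or from Tieto: it scans the message for Finnish personal identity codes (henkilötunnus), keeps only those whose check character recomputes correctly, and blocks the message once the count exceeds a policy threshold. The threshold and the sample messages are constructed for illustration; the identity codes in them are synthetic test values.

```python
"""Outgoing-message DLP check for Finnish personal identity codes."""
import re

# Format: DDMMYY, century sign, 3-digit individual number, check character.
# Century signs: + (1800s), - (1900s), A (2000s); the newer signs B-F and
# U-Y introduced in 2023 are also accepted by the pattern.
_HETU_RE = re.compile(r"\b(\d{6})([-+A-FU-Y])(\d{3})([0-9A-Y])\b")
# Check character is this alphabet indexed by (DDMMYYZZZ mod 31).
_CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"


def is_valid_hetu(candidate):
    """True if the candidate is well-formed and its check character matches."""
    m = _HETU_RE.fullmatch(candidate)
    if not m:
        return False
    date_part, _sign, individual, check = m.groups()
    day, month = int(date_part[:2]), int(date_part[2:4])
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return False
    return _CHECK_CHARS[int(date_part + individual) % 31] == check.upper()


def find_identity_codes(text):
    """Return the valid identity codes found in text, in order of appearance.

    Rejecting candidates with a wrong check character keeps order numbers,
    timestamps and similar digit runs from triggering the policy.
    """
    return [m.group(0) for m in _HETU_RE.finditer(text) if is_valid_hetu(m.group(0))]


def dlp_verdict(text, max_codes=0):
    """Policy decision for one outgoing message: ("allow" | "block", count).

    One code can be legitimate (a person writing about themselves); a list
    of them in a single e-mail is the bulk-leak pattern the policy stops.
    """
    count = len(find_identity_codes(text))
    return ("block" if count > max_codes else "allow", count)


# Constructed sample messages with synthetic identity codes.
# 131052-308T and 010203A1230 have correct check characters; 131052-308A does not.
BULK_MESSAGE = "Hei, potilaslista liitteenä: 131052-308T, 010203A1230 ja 131052-308A."
HARMLESS_MESSAGE = "Tilaus 123456-789 vahvistettu, toimitus 010203."

if __name__ == "__main__":
    print(dlp_verdict(BULK_MESSAGE))        # ('block', 2)
    print(dlp_verdict(HARMLESS_MESSAGE))    # ('allow', 0)
```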
  9. Tomi Engdahl says:

    Cisco: “Cyber ​​Criminals still ahead researchers”

    Cisco’s security business in northern Europe, Jan Bau, says cybercriminals still have security experts. However, the gap is constantly decreasing.

    “We are heading in the right direction, but we are not yet aware. Much has to be done in the fact that we are more closely part of a common ecosystem with companies in the various sectors and public administration.”

    About two months a month, Jan Bau, speaking in Finland at the Cyber ​​Security Nordic event at the Helsinki Fair Center, spoke about the nature of the security attacks on Wednesday.

    When Cisco first sold switches, routers, and other corporate network devices, customers now require expertise in industry-specific applications and environments, and it has to act as a close partner of a partner network.

    He said security experts are still struggling with cyber criminals because networked devices have become more commonplace both within organizations and in public networks. Cisco estimates that there are already billions of networked devices, and in just three years they can already be 50 billion.

    At present, businesses do not have enough visibility for their networks. “We do not see all our equipment enough to protect them.”

    Very often, the international business network is not segmented enough, and the network can move too freely.

    “Networks should be segmented (i.e., partitioned), they should be visibility, and the malicious devices should be able to be removed from the network.”

    However, this is technically demanding, requires resources, and therefore often does, he estimates.

    “Security is very often communication between people, and how does this work with information systems.”

    Still, the general attack is a fatal e-mail, so-called phishing phenomenon, even though fraudulent messages have been alerted to ordinary citizens for many years. How is this possible?

    According to Jan Baun, this is because the cheating messages are even wider and better prepared. The criminal will find out about the victim’s social media contacts, colleagues, ongoing projects, and domains that he trusts.

    Source: http://www.tivi.fi/Kaikki_uutiset/cisco-kyberrikolliset-viela-tutkijoita-edella-6680058

  10. Tomi Engdahl says:

    Patch alert! Easy-to-exploit flaw in Linux kernel rated ‘high risk’
    Urgent security triage needed
    https://www.theregister.co.uk/2017/09/28/linux_kernel_vuln/

    A flaw has been found in the way the Linux kernel loads ELF files.

    If a malicious program is built as a Position Independent Executable (PIE), the loader can be exploited to map part of that application’s data segment over the memory area reserved for its stack. This can result in memory corruption and possible local privilege escalation.

    Red Hat and Debian are among Linux distros affected by the CVE-2017-1000253 vulnerability, which was discovered by cloud security firm Qualys.

    Red Hat’s advisory is here. Debian’s list of affected releases – which have largely already been fixed – can be found here. Just run your usual package management tools to install the patched kernels and reboot.

    Red Hat warned: “An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.”

    CVE-2017-1000253
    https://access.redhat.com/security/cve/CVE-2017-1000253

    A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.

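The advisory above says the flaw is reachable by an unprivileged user through a SUID (or otherwise privileged) PIE binary, so the first defensive question on an unpatched host is which privileged binaries are PIE. The following is an added example, not from Qualys, Red Hat or The Register: it reads the ELF header directly (e_type == ET_DYN marks a position-independent executable) and lists setuid/setgid ELF files of that type. The directories scanned are an assumption; the sample headers are constructed for testing the classifier without real binaries.

```python
"""Inventory setuid/setgid executables that are position-independent (PIE)."""
import os
import stat
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3


def elf_type(header):
    """Return e_type from the start of an ELF header, or None if it is not ELF.

    Byte 5 (EI_DATA) selects endianness; e_type is the 2-byte field at offset 16.
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return None
    endian = "<" if header[5] == 1 else ">"
    return struct.unpack(endian + "H", header[16:18])[0]


def is_pie_file(path):
    """True if path is an ELF file of type ET_DYN (PIE executable or shared object)."""
    try:
        with open(path, "rb") as f:
            return elf_type(f.read(18)) == ET_DYN
    except OSError:
        return False


def is_privileged(mode):
    """True for setuid or setgid files."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged_pie(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Walk the given directories (an assumed default set) and return the
    sorted paths of regular files that are setuid/setgid and ET_DYN ELF."""
    hits = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and is_privileged(st.st_mode) and is_pie_file(path):
                    hits.add(path)
    return sorted(hits)


# Constructed headers: little-endian 64-bit ELF identification bytes followed
# by zero padding up to offset 16, then e_type = ET_DYN or ET_EXEC.
SAMPLE_PIE_HEADER = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<H", ET_DYN)
SAMPLE_EXEC_HEADER = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<H", ET_EXEC)

if __name__ == "__main__":
    for p in find_privileged_pie():
        print(p)
```

The list is an exposure inventory, not proof of exploitability; the fix remains installing the patched kernel and rebooting, as the advisory says.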
  11. Tomi Engdahl says:

    Have Some Candy While I Steal Your Cycles
    https://hackaday.com/2017/09/27/have-some-candy-while-i-steal-your-cycles/

    Distributed computing is an excellent idea. We have a huge network of computers, many of them always on, why not take advantage of that when the user isn’t? The application that probably comes to mind is Folding@home, which lets you donate your unused computer time to help crunch the numbers for disease research. Everyone wins!

    But what if your CPU cycles are being used for profit without your knowledge? Over the weekend this turned out to be the case with Showtime on-demand sites which mined Monero coins while the user was pacified by video playback. The video is a sweet treat while the cost of your electric bill is nudged up ever so slightly.

    https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/?mt=1506379755407

  12. Tomi Engdahl says:

    M-Files seminar: The Internet of Things requires better information management

    In the future, Hyppönen says that hardware manufacturers gather data on people’s practices – whether we wanted it or not.

    “Organizational data must be safe, manageable, and readily available. Knowledge is useless until it has been refined and mined, ” Hyppönen said in a relatively informative way about oil.

    ” With the help of artificial intelligence, GDPR, and paralyzing virus attacks, information becomes even more valuable. Therefore, future information management should be at the heart of business and management, “Hyppönen said.

    Source: https://www.uusiteknologia.fi/2017/09/28/m-files-seminaari-esineiden-internet-vaatii-parempaa-tiedonhallintaa/

  13. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers find alarming number of Macs remain vulnerable to stealthy hacks due to outdated EFI firmware; Windows and Linux PCs are also likely at risk — At-risk EFI versions likely put Windows and Linux PCs at risk, too. — An alarming number of Macs remain vulnerable to known exploits …

    An alarming number of patched Macs remain vulnerable to stealthy firmware hacks
    At-risk EFI versions likely put Windows and Linux PCs at risk, too.
    https://arstechnica.com/information-technology/2017/09/an-alarming-number-of-macs-remain-vulnerable-to-stealthy-firmware-hacks/

    An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study released Friday has concluded.

    The exposure results from known vulnerabilities that remain in the Extensible Firmware Interface, or EFI, which is the software located on a computer motherboard that runs first when a Mac is turned on. EFI identifies what hardware components are available, starts those components up, and hands them over to the operating system.

    An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware.

    Hard to detect (almost) impossible to disinfect

    Attacks against EFI are considered especially potent because they give attackers control that starts with the very first instruction a Mac receives. What’s more, the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS or the apps that run on it.

    Attacks on the bleeding edge

    People with out-of-date EFI versions should know that pre-boot firmware exploits are currently considered to be on the bleeding edge of computer attacks. They require large amounts of expertise, and, in many—but not all—cases, they require brief physical access to the targeted computer. This means that someone who uses a Mac for personal e-mail, Web browsing, and even online banking probably isn’t enough of a high-profile user to be targeted by an attack this advanced. By contrast, journalists, attorneys, and people with government clearances may want to include EFI attacks in their threat modeling.

  14. Tomi Engdahl says:

    Chris O’Brien / VentureBeat:
    EU regulators say tech giants are still not doing enough to voluntarily remove hate speech and terrorist content, will review rules in six months

    EU tells tech companies to ‘step up’ fight against hate speech and terrorist content
    https://venturebeat.com/2017/09/28/eu-tells-tech-companies-to-step-up-fight-against-hate-speech-and-terrorist-content/

    European regulators are giving Microsoft, Facebook, Twitter, and YouTube six months to voluntarily get more aggressive about blocking and removing hate speech and terrorist-related content. If they fail to do so, they could face possible new regulations next year.

    Today, the European Union issued new guidelines, saying it “invites online platforms to step up their efforts to remove illegal content online.” Those four companies had signed a Code of Conduct back in 2016, pledging to combat such content.

    European officials feel that while some progress has been made, it hasn’t gone as far or as fast as they’d hoped. And so with the new guidelines, the EU is also giving companies a deadline of next May, at which time there will be a review of progress and consideration as to whether new legislation is needed to force the companies to comply.

    Stepping up the EU’s efforts to tackle illegal content online
    http://europa.eu/rapid/press-release_MEMO-17-3522_en.htm

    What are the main actions expected from the online platforms?

    The Communication invites online platforms step up their efforts to remove illegal content online and proposes a number of practical measures to ensure faster detection and removal of illegal content online:

    Establishing easily accessible mechanisms to allow users to flag illegal content and to invest in automatic detection technologies, including to prevent the re-appearance of illegal content online;
    Cooperate with law enforcement and other competent authorities, including by sharing evidence;
    Allow trusted flaggers, i.e. specialised entities with specific expertise in identifying illegal content, and dedicated structures for detecting and identifying such content online, to have a privileged relationship, while ensuring sufficient standards as regards training, quality assurance and safeguards;
    Use voluntary, proactive measures to detect and proactively remove illegal content and step up cooperation and the use of automatic detection technologies;
    Take measures against repeat infringers;
    Develop and use automatic technologies to prevent the re-appearance of illegal content online.

    The Communication also calls for broader transparency measures (including on the number and speed of take-downs), as well as complaint mechanisms and other safeguards to prevent the over-removal of content.

  15. Tomi Engdahl says:

    Kate Taylor / Business Insider:
    Whole Foods says it is investigating credit card security breach in some taprooms and restaurants in some of its stores

    Whole Foods is investigating a credit card security breach
    http://nordic.businessinsider.com/whole-foods-credit-card-breach-2017-9?op=1&r=US&IR=T

  16. Tomi Engdahl says:

    Facebook tests facial recognition for account recovery
    https://techcrunch.com/2017/09/29/facebook-face-id/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Facebook has its own version of Apple’s Face ID. If you get locked out of your Facebook account, the company is testing a way to regain access by using your face to verify your identity.

  17. Tomi Engdahl says:

    Bloomberg:
    Sources: Google to launch Advanced Protection Program marketed at high-profile users that replaces 2-factor auth with physical keys, blocks all third party apps

    Google Will Retool User Security in Wake of Political Hack
    https://www.bloomberg.com/news/articles/2017-09-29/google-is-said-to-retool-user-security-in-wake-of-political-hack

    Google is preparing to upgrade its security tools for online accounts to better insulate users from cyberattacks and politically motivated hacks, according to two people familiar with the company’s plan.

    The Alphabet Inc. company next month will begin offering a service called the Advanced Protection Program that places a collection of features onto accounts such as email, including a new block on third-party applications from accessing data. The program would effectively replace the need to use two-factor authentication to protect accounts with a pair of physical security keys. The company plans to market the product to corporate executives, politicians and others with heightened security concerns, these people said.

    The Gmail messages of John Podesta, Hillary Clinton’s 2016 campaign chairman, were famously hacked last year, along with the databases of the Democratic National Committee.

    Google released software in 2014 for a USB Security Key, a device designed to improve existing security measures, like two-factor authentication.

    The new service will block all third-party programs from accessing a user’s emails or files stored on Google Drive

    Over the past year, Google has refurbished its account security systems several times. The upgrades come as the company pitches its Gmail and document apps to business clients.

    Reply
  18. Tomi Engdahl says:

    Tony Romm / Recode:
    Sources: Facebook is sharing its data with Google as the search giant reviews potential Russian meddling in the 2016 election

    Facebook is sharing its data with Google as the search giant reviews potential Russian meddling in the 2016 election
    https://www.recode.net/2017/9/29/16385458/facebook-google-russia-influence-ads-2016-election-house-senate-investigation

    Google is also set to meet with congressional investigators in the coming weeks.

    Reply
  19. Tomi Engdahl says:

    This Is Not a Post About BLE, Introducing BLEAH
    https://www.evilsocket.net/2017/09/23/This-is-not-a-post-about-BLE-introducing-BLEAH/

    This is not a post about BLE, but rather on how to hack it … well, to be honest, BLE devices are usually very easy to hack, so it’s just a quick intro to it, I’ll also take the chance to open source

    Bluetooth Low Energy – the honest version.

    BLE is a cheap and very insecure version of Bluetooth, in which you have no channel hopping (all hail easy sniffing and MITM!) and no builtin protocol security (fuzzing like there’s no tomorrow dudez!), it is mostly used for two reasons:

    Decent batteries are expensive.
    Decent batteries are big.
    If you wanna build and sell some IoT-smart-whatever crap, and you wanna do it quickly because your competitor is about to go on the market with the same shit, you take Bluetooth, you strip it from the very few close-to-decent things it has and voilà, you have its retarded little brother which won’t bother the battery too much but will be functional enough to burp random data at you from time to time … easy win, little R&D efforts, very small production costs.

    Being the retarded little brother of BT, it doesn’t really take too long to explain how to hack it.

    Find the mobile app (they always have one, they’re smart toys after all), reverse it to find the right characteristics to use for your goal and then just blow the thing up. My point is that you’ll end up reversing “something” anyway, so let it be cheap and effective, right?

    Reply
  20. Tomi Engdahl says:

    Citrix patches Netscaler hole, ARM TrustZone twisted, Android Dirty COW exploited – and more security fails
    The good, the bad and the weird from this week
    https://www.theregister.co.uk/2017/09/29/weekly_security_roundup/

    Cloudflare opens up protection

    Among the good news, Cloudflare said it will give all customers “Unmetered Mitigation” against DDoS attacks, meaning anyone who subscribes will now get the full protection afforded by the edge network provider, rather than having to pay based on volume of protected traffic.

    Cloudflare CEO Matthew Prince reasons it’s wrong of his firm to charge users based on the size of the person attacking them, or let them get knocked offline because they can’t afford to guard against huge volumes.

    “DDoS attacks are, quite simply, a plague on the Internet and it’s wrong to surprise customers with higher bills when they are targeted by one,” Prince said.

    Malware mutterings

    In malware news Trend Micro spotted the first Android malware sample that tries to exploit the Dirty COW Linux kernel vulnerability that emerged last December. The ZNIU malware popped up across the world installed in over 300,000 apps that were spammed out to stores around the world.

    In all around 5,000 unlucky and unpatched Android users got a taste of ZNIU, but it was Chinese users who suffered most.

    Bugs bork apps n’chips

    Citrix said on Monday the Netscaler and SD-WAN issue that prompted it to halt software downloads last week was an authentication bypass in its management interface.

    Cisco also had issues with its Umbrella Virtual Appliance Version 2.0.3 software, after an undocumented encrypted remote support tunnel (SSH) was found in the code.
    Cisco said that it had been put there for remote support by its staff.

    Also this week an interesting side-channel attack against ARM’s TrustZone popped up. The TrustZone is the chip firm’s supposedly secure data haven contained on its latest silicon. Usually side-channel attacks need physical access to the target device, but not all the time.

    Researchers subverted the energy management systems of a Nexus 6 phone and were able to read data moving in TrustZone just by measuring power output.

    Reply
  21. Tomi Engdahl says:

    Dildon’ts of Bluetooth: Pen test boffins sniff out Berlin’s smart butt plugs
    You’ve heard of wardriving – say hello to screwdriving
    https://www.theregister.co.uk/2017/09/29/ble_exploits_screwdriving/

    Security researchers have figured out how to locate and exploit smart adult toys.

    Various shenanigans are possible because of the easy discoverability and exploitability of internet-connected butt plugs and the like running Bluetooth’s baby brother, Bluetooth Low Energy (BLE), a wireless personal area network technology. The tech has support for security but it’s rarely implemented in practice, as El Reg has noted before.

    The shortcoming allowed boffins at Pen Test Partners to hunt for Bluetooth adult toys, a practice it dubbed screwdriving,

    BLE devices also advertise themselves for discovery. The Lovense Hush, an IoT-enabled butt plug, calls itself LVS-Z001. Other Hush devices use the same identifier.

    The Hush, like every other sex toy tested by PTP (the Kiiroo Fleshlight, Lelo, Lovense Nora and Max), all lacked adequate PIN or password protection. If the devices did have a PIN it was generic (0000 / 1234 etc).

    The only protection is that BLE devices will generally only pair with one device at a time and their range is limited.

    PTP’s research on BLE device insecurity – together with recommendations on how to shore them up – can be found here.

    BLE advertises its presence. As a result, these toys can be located fairly accurately using triangulation. The potential privacy issues this throws up might be mitigated by using a generic BLE device name for, ahem, adult toys and other kit people might not necessarily want world+dog to stumble on.

    Screwdriving. Locating and exploiting smart adult toys
    https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/

    Reply
  22. Tomi Engdahl says:

    JS code at the network edge. Oh, you’re still here and not running, screaming? Read on
    Cloudflare Workers offered to customize content
    https://www.theregister.co.uk/2017/09/30/cloudflare_workers_carry_code_to_the_network_edge/

    Bit caching biz Cloudflare on Friday teased website publishers with the prospect of being able to run JavaScript at the edge of its content delivery network, a capability that promises performance, security, and reliability improvements.

    The outfit puts copies of customers’ websites and content at various locations around the globe to enable speedy delivery and provides an efficient path to customer servers. It also does other things, like protect against malicious web traffic.

    Making its edge points programmable would be appealing to customers, because it would allow them to run code designed to address local issues that aren’t necessarily relevant elsewhere.

    One way to do this, explained Cloudflare tech lead Kenton Varda, would be to run virtual machines or containers for every customer endpoint, but that would be expensive and complicated.

    Instead, Varda has developed a scheme to run JavaScript using the Service Worker API, which runs code as a background processes.

    “Service Workers were designed to run in browsers, but it turns out that the Service Worker API is a perfect fit for what we wanted to support on the edge,” he explained in a blog post.

    These Service Workers intercept incoming HTTP requests sent to a customer’s domain and can return an HTTP response or make outbound HTTP requests to any other public internet address.

    They allow site publishers to do things like put HTML templates at the edge of Cloudflare’s CDN and only fetch dynamic content from company servers, or craft custom security rules, or implement customized load balancing and failover logic.

    Reply
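    As an added illustration of the request-interception model described in the article above (this is example code written for this page, not Cloudflare's own Worker code), the handler below applies a small set of custom security rules to each incoming request and stamps hardening headers on every response it forwards. The blocked paths, the allow-listed admin client address and the body-size cap are constructed assumptions; the `cf-connecting-ip` header is the client-address header Cloudflare sets, used here as an assumption about the deployment.

```javascript
// Added example (not Cloudflare's code): a Worker-style handler that applies
// custom security rules at the edge and hardens the responses it forwards.
// Paths, client addresses and limits below are constructed assumptions.

// Assumption: the admin area may only be reached from this client address.
const ADMIN_ALLOWED_CLIENTS = new Set(["10.0.0.5"]);
// Assumption: never expose these paths through the CDN, whatever origin serves.
const BLOCKED_PREFIXES = ["/.git/", "/.env", "/.svn/"];
// Assumption: cap upload size at the edge so origin never sees oversized bodies.
const MAX_BODY_BYTES = 1024 * 1024;

// Headers stamped on every forwarded response.
const HARDENING_HEADERS = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "content-security-policy": "default-src 'self'",
};

// Pure decision function: takes a plain description of the request so it can
// be tested outside the edge runtime. `headers` keys are lower case.
function applySecurityRules({ method, url, headers = {} }) {
  const pathname = new URL(url).pathname.toLowerCase();
  const client = headers["cf-connecting-ip"] || "";
  const bodyBytes = Number(headers["content-length"] || 0);

  if (BLOCKED_PREFIXES.some((p) => pathname.startsWith(p))) {
    return { action: "block", status: 403, reason: "blocked path " + pathname };
  }
  if (pathname.startsWith("/admin") && !ADMIN_ALLOWED_CLIENTS.has(client)) {
    return { action: "block", status: 403, reason: "admin area not allowed from " + client };
  }
  if ((method === "POST" || method === "PUT") && bodyBytes > MAX_BODY_BYTES) {
    return { action: "block", status: 413, reason: "request body too large" };
  }
  return { action: "forward", responseHeaders: { ...HARDENING_HEADERS } };
}

// Edge glue. addEventListener/Response/fetch exist only in the Service Worker
// runtime, so this part is skipped when the file runs under plain Node.
if (typeof addEventListener === "function" && typeof Response === "function") {
  addEventListener("fetch", (event) => {
    const req = event.request;
    const headers = {};
    for (const [k, v] of req.headers) headers[k.toLowerCase()] = v;
    const decision = applySecurityRules({ method: req.method, url: req.url, headers });
    if (decision.action === "block") {
      event.respondWith(new Response(decision.reason, { status: decision.status }));
      return;
    }
    event.respondWith(
      fetch(req).then((res) => {
        // Copy the origin response so its headers can be amended.
        const hardened = new Response(res.body, res);
        for (const [k, v] of Object.entries(decision.responseHeaders)) hardened.headers.set(k, v);
        return hardened;
      })
    );
  });
}
```

    Keeping the rule logic in a pure function that never touches `Request` or `Response` objects is what makes it testable locally: the same `applySecurityRules` can be run against constructed inputs in Node, and only the thin `fetch` listener depends on the edge runtime.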
  23. Tomi Engdahl says:

    Who cares that we no longer have privacy?
    https://www.edn.com/electronics-blogs/measure-of-things/4458888/Who-cares-that-we-no-longer-have-privacy-

    They know where you are. They know where your car is parked. They know who you’re with. They know your credit rating. If they don’t already, they’ll soon know your pulse rate, whether or not you’re awake, and someday even your electro-encephalogram (EEG).

    Whether or not you care probably depends on who has the information and how they’ll use it. Pick your bogeyman—the government, huge corporations, your life/health/car insurance company, your bank, your spouse’s private investigator—they can all get your information.

    Reply
  24. Tomi Engdahl says:

    Karen DeYoung / Washington Post:
    Sources: under the President’s directive, US Cyber Command performed DDoS attacks against hackers in North Korea’s military spy agency

    Trump signed presidential directive ordering actions to pressure North Korea
    https://www.washingtonpost.com/world/national-security/trump-signed-presidential-directive-ordering-actions-to-pressure-north-korea/2017/09/30/97c6722a-a620-11e7-b14f-f41773cd5a14_story.html?utm_term=.7415dde9ff02

    Early in his administration, President Trump signed a directive outlining a strategy of pressure against North Korea that involved actions across a broad spectrum of government agencies and led to the use of military cyber-capabilities, according to U.S. officials.

    As part of the campaign, U.S. Cyber Command targeted hackers in North Korea’s military spy agency, the Reconnaissance General Bureau, by barraging their computer servers with traffic that choked off Internet access.

    Trump’s directive, a senior administration official said, also included instructions to diplomats and officials to bring up North Korea in virtually every conversation with foreign interlocutors and urge them to sever all ties with Pyongyang.

    The Cyber Command operation, which was due to end Saturday, was part of the overall campaign set in motion many months ago. The effects were temporary and not destructive, officials said. Nonetheless, some North Korean hackers griped that lack of access to the Internet was interfering with their work, according to another U.S. official, who also spoke on the condition of anonymity to discuss a secret operation.

    Cyber Command and the White House had no comment. But the senior administration official said, “What I can tell you is that North Korea has itself been guilty of cyberattacks, and we are going to take appropriate measures to defend our networks and systems.”

    Eric Rosenbach, who led the Pentagon’s cyber-efforts as assistant secretary of defense in the Obama administration, said the operation “could have the advantage of signaling to the North Koreans a more aggressive posture. However, there’s accompanying risk of an escalation and a North Korean cyber-counterattack.”

    “I wonder what the disruptive payoff is that we’re getting that’s worth even a marginal extra chance of nuclear war?”

    Reply
  25. Tomi Engdahl says:

    Equifax CEO: All Companies Get Breached
    https://news.slashdot.org/story/17/09/30/2036215/equifax-ceo-all-companies-get-breached

    There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. “There’s those companies that have been breached and know it, and there are those companies that have been breached and don’t know it,” he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it…

    After Equifax’s Data Breach, Its CEO Gave a Speech Saying a Hack Was His ‘No. 1 Worry’
    http://fortune.com/2017/09/29/equifax-ceo-hack-worry/

    There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on Aug. 17. “There’s those companies that have been breached and know it, and there are those companies that have been breached and don’t know it,” he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it.

    The speech, given by Smith to students and faculty at the university’s Terry College of Business, covered a lot of ground, but it frequently returned to security issues that kept the former CEO awake at night—foremost among them was the company’s large database.

    “When you have the size database we have, it’s very attractive for others to try to get into our database,” said Smith. “So that is a huge priority for us.”

    Smith elaborated on what hackers can do with consumers’ personal information, including selling it on the Dark Web. “It is a very lucrative way to make money,” he said.

    Smith’s fastest growing area of security concern was state-sponsored hacking and espionage, he said. “It’s countries you’d expect—you know it’s China, Russia, Iran, and Iraq—and they’re being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries,” said Smith. “It’s my number one worry.” he added.

    Reply
  26. Tomi Engdahl says:

    Security News This Week: The Deloitte Breach Was Worse Than We Thought
    https://www.wired.com/story/security-news-of-the-week-deloitte-sonic-whole-foods-breach

    News about the massive Equifax credit bureau hack was finally winding down this week, offering space for reflection on all the ways the company utterly botched its response to the incident. The respite also gives US consumers the opportunity to finally figure out what the heck they’re going to do to protect themselves.

    In good news, the robust end-to-end encrypted messaging app Signal introduced a method of protecting users’ mobile address book data using a technological trick that may be adopted by other privacy and security-focused products. And the internet infrastructure company Cloudflare pledged to offer unlimited DDoS protection to all of its customers (even free accounts) for no additional charge, no matter the size of the barrage.

    Deloitte Breach Was Likely More Critical Than the Firm Claims

    Hackers infiltrated the sensitive internal email service of the prominent accounting firm Deloitte, potentially exposing a large range of data about the company and its high-profile clients. First reported by The Guardian, the breach likely occurred in October or November 2016, but wasn’t discovered by Deloitte until March. Deloitte notified six clients that their data had been “impacted” by the breach, but the company is continuing to investigate, and a source with knowledge of the inquiry told Krebs on Security that the damage may be far more extensive than Deloitte has indicated.

    Attackers gained access to an administrator account of the email service, which is hosted in Microsoft’s Azure cloud, granting extensive control and access to data. The account apparently was not protected by two-factor authentication, hinging on a single password. Deloitte offers accounting, tax work, audits, and other types of consulting and had $37 billion in revenue last year, so the contents of its internal communications would be potentially extremely valuable. The firm works with governments and top players in numerous industries, and the breach may have exposed IP addresses, health data, usernames, passwords, and other sensitive file attachments in addition to emails themselves.

    Reply
  27. Tomi Engdahl says:

    Can Equifax’s Offerings Actually Protect Your Identity?
    https://www.wired.com/story/equifax-identity-protection-offerings

    News about the massive Equifax data breach has been unrelenting since the credit bureau publicly disclosed its lapse at the beginning of September. It’s difficult to keep up with all the company’s blunders, not to mention the complicated fiscal policy and regulatory debates the incident has fueled. But weeks later, most consumers in the United States are still just trying to figure out what the whole thing means for them, and how to steel themselves against identity theft and fraud.

    To this end, Equifax’s interim CEO Paulino do Rego Barros Jr. (former CEO Richard F. Smith “retired” on Tuesday) published an update to consumers in The Wall Street Journal on Wednesday humbling himself before Equifax’s critics and announcing an additional identity protection service that the company will give consumers for life beginning in January. At this point, Equifax has at least three similar-sounding identity protection offerings as part of its breach response. But there’s always that pesky question in security that has plagued the company before—do they work?

    “In the event something goes wrong, which unfortunately is inevitable, companies need to respond urgently, transparently, and empathetically—none of which Equifax did,” says Adam Levin

    Experts maintain that Equifax’s offerings are ultimately productive, but caution that consumers need to really understand what the choices are so they can make the right defense decisions for themselves long-term.

    Regos Barros announced in his public letter that Equifax will be extending the enrollment period for its credit monitoring and freezing services through January.

    Credit monitoring sends you alerts so you can catch any suspicious activity early, while credit freezes actually lock down your credit files so institutions you don’t already do business with can’t access your data without specific permission from you and special PIN numbers. A freeze significantly reduces the chance that a fraudster will be able to do things like take out a line of credit in your name. Personal identity security advocates have long favored freezes, but acknowledge that the measure isn’t necessarily for everyone (say, someone who anticipates applying for student loans) since it is fairly rigid and restrictive.

    The free monitoring and freezes have a short timespan, perhaps because they are services Equifax wants to resume capitalizing on as quickly as possible.

    The third service Regos Barros mentioned on Wednesday, a so-called “credit lock” tool, will debut in January, and will be a more flexible option through which consumers can lock and unlock access to their credit data whenever they want.

    Experts agree that to protect themselves, consumers need to see past the gimmicks and noise to the long game of utilizing what Equifax and other companies that have experienced data breaches provide while planning to supplement as needed. If your data is compromised in multiple breaches over time you may be able to daisy chain years of free services together.

    And everyone can pull and review one complete credit report per year for free from AnnualCreditReport.com. Additionally, consumers need to be aware that credit monitoring, locks, and freezes alike don’t protect against things like tax fraud and medical fraud, in which identity thieves can file bogus tax returns on your behalf to claim your refund or jeopardize your insurance coverage by scamming your provider.

    Consumers also may have more resources available to them for free than they realize

    Reply
  28. Tomi Engdahl says:

    Oracle promises ‘highly automated’ security in self-driving database
    Larry Ellison is keen on ‘Anything we can possibly do to reduce human intervention’
    https://www.theregister.co.uk/2017/10/02/oracle_openworld_2017_larry_ellison_keynote_day_one/

    OPENWORLD 2017 Oracle has kicked off its annual OpenWorld conference with a pledge to automate in the company’s “autonomous” database, plus plenty of snark directed at Amazon Web Services.

    Jeans-toting CTO Larry Ellison kicked off Big Red’s four-day San Franciscan extravaganza with a not-so-slick presentation that had no real big surprises.

    The main item on the agenda was the firm’s upcoming autonomous database, with Ellison offering up a smidge more detail than he did when teasing it during a recent announcement on cloud pricing.

    “If you eliminate human behaviour, you eliminate human error,” the CTO said. “My autopilot flies my plane a lot better than I do,” he added, in a bid to make sure we all know he has a jet.

    The planned cyber security offering – details of which attendees were told will emerge on Tuesday – will see the database use machine learning technologies to detect when it is being attacked.

    It will then automatically patch itself, rather than waiting for a human to schedule downtime.

    “It’s our computer versus their computers in cyber warfare, and we have to have a lot better computers, and more automation if we’re going to defend our data,” Ellison said.

    In a dig at the recent Equifax scandal, Ellison said: “The worst data thefts in history have occurred after a patch was available to prevent the theft. The patches just weren’t applied; how is that possible.”

    He later said that in that situation, “someone lost their job”, before adding that it wasn’t just the CEO in the firing line: “Nobody is safe.”

    Reply
  29. Tomi Engdahl says:

    Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’
    Yes, that’s Gartner’s security consultancy of the year
    https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/

    Monday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident.

    Now evidence suggests it’s no surprise the biz was infiltrated: it appears to be all over the shop, security wise.

    On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.

    Reply
  30. Tomi Engdahl says:

    Internet-wide security update put on hold over fears 60 million people would be kicked offline
    ICANN delays KSK rollover after new data derails plans
    https://www.theregister.co.uk/2017/09/28/internet_update_on_hold/

    A multi-year effort to update the internet’s overall security has been put on hold just days before it was due to be introduced, over fears that as many as 60 million people could be forced offline.

    DNS overseer ICANN announced on Thursday it had postponed the rollout of a new root zone “key signing key” (KSK) used to secure the internet’s foundational servers after it received fresh information that indicated its deployment would be more problematic than expected.

    The KSK acts as an anchor for the global internet: it builds a chain of trust from the root zone down through the whole domain name system so that DNS resolvers – software that turns addresses like theregister.com into network addresses like 159.100.131.165 – can verify they’re getting good valid results to their queries.

    Internet engineers knew that introducing a longer and hence more secure public-private key pair would cause some old and poorly configured systems to throw out errors, and so have embarked on a slow rollout that started back in May 2016.

    Valid concerns

    More than half of the internet’s critical root servers have been reporting that a large number of validators on the internet – between five and eight per cent – report only having the 2010 version of the KSK key in their systems, as opposed to reporting both the 2010 version and the new 2017 version. This data also only comes from machines running the most recent versions of DNS software BIND, so the real problem may be even larger.

    What this means is that when the internet is “rolled over” to the 2017 version, the validators without that key will not resolve domain names correctly, and people relying on those systems will find themselves effectively kicked off the ‘net, unable to connect to websites and other online services.

    How many people? ICANN estimates that the rollover will impact one quarter of all internet users – so roughly 750 million people. And taking the high-end data reports of eight percent failures, that means the rollover could risk effectively kicking no fewer than 60 million people off the internet in a single day.

    Unsurprisingly, ICANN has decided that was not a great plan and so has postponed the rollout until the first quarter of next year at the earliest.

    What does ICANN propose to do about the problem? Name and shame.

    The organization is planning to publish a full list of resolvers that listed having only the 2010 KSK key, and then ask the internet community to help identify where they are and figure out what the problem is, and how to update them.

    Reply
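    To make the failure mode in the article above concrete, here is an added example (written for this page, not ICANN's or any resolver vendor's code) that computes the RFC 4034 key tag of each DNSKEY a resolver has configured as a trust anchor and reports whether the set includes the KSK the root zone is rolling to. The DNSKEY records it checks are constructed toy keys, not the real root keys; the two root key-tag constants are stated as an assumption about the real rollover, not taken from the article.

```javascript
// Added example (not ICANN's or BIND's code): compute the RFC 4034 key tag of
// each DNSKEY a resolver trusts and report whether it will still validate after
// the root KSK rollover. The DNSKEY records used below are constructed toy keys;
// the real root key tags quoted as constants are an assumption, not from the
// article.

// Assumed well-known key tags of the two root KSKs (not stated on the page).
const ROOT_KSK_2010_TAG = 19036;
const ROOT_KSK_2017_TAG = 20326;

// Parse the presentation format used in trust-anchor files:
// "flags protocol algorithm base64-public-key".
function parseDnskey(line) {
  const [flags, protocol, algorithm, ...b64] = line.trim().split(/\s+/);
  return {
    flags: Number(flags),
    protocol: Number(protocol),
    algorithm: Number(algorithm),
    publicKey: Buffer.from(b64.join(""), "base64"), // Node's base64 decoder
  };
}

// Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes.
function dnskeyRdata({ flags, protocol, algorithm, publicKey }) {
  return Uint8Array.from([flags >> 8, flags & 0xff, protocol, algorithm, ...publicKey]);
}

// RFC 4034 Appendix B key tag (general case; RSA/MD5 has its own rule).
function keyTag(rdata) {
  let ac = 0;
  for (let i = 0; i < rdata.length; i++) {
    ac += (i & 1) ? rdata[i] : rdata[i] << 8;
  }
  ac += (ac >> 16) & 0xffff;
  return ac & 0xffff;
}

// Given trust-anchor lines and the key tag of the KSK that will sign the root
// DNSKEY RRset after the rollover, say whether the chain of trust survives.
function rolloverReadiness(trustAnchorLines, newKskTag) {
  const tags = trustAnchorLines.map((l) => keyTag(dnskeyRdata(parseDnskey(l))));
  const ready = tags.includes(newKskTag);
  return {
    configuredTags: tags,
    ready,
    verdict: ready
      ? "ok: new KSK is trusted, validation continues after rollover"
      : "FAIL: only the old KSK is trusted, resolver will SERVFAIL after rollover",
  };
}

// Constructed toy anchors (flags 257 = zone key + SEP, i.e. a KSK).
// "ECA=" plays the role of the new KSK, "AAE=" the old one.
const OLD_TOY_KSK = "257 3 8 AAE=";
const NEW_TOY_KSK = "257 3 8 ECA=";
const NEW_TOY_TAG = keyTag(dnskeyRdata(parseDnskey(NEW_TOY_KSK))); // 5161

// Two resolvers: one that only ever learned the old key, one with both.
function demo() {
  return {
    staleResolver: rolloverReadiness([OLD_TOY_KSK], NEW_TOY_TAG),
    updatedResolver: rolloverReadiness([OLD_TOY_KSK, NEW_TOY_KSK], NEW_TOY_TAG),
  };
}
```

    Against a real resolver the same `rolloverReadiness` call would be fed the DNSKEY lines from its trust-anchor file and `ROOT_KSK_2017_TAG`; a result with only the 2010 tag in `configuredTags` is exactly the "only the 2010 version" condition the root servers were reporting, and that resolver needs its anchors updated before the rollover, whether by RFC 5011 automatic updates or by hand.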
  31. Tomi Engdahl says:

    US yanks staff from Cuban embassy over sonic death ray fears
    Advises US citizens to avoid Castroland
    https://www.theregister.co.uk/2017/09/29/us_yanks_staff_from_cuban_embassy/

    The US State Department on Friday announced that it is pulling all non-essential staff and their families out of its embassy in Cuba following reports of a secret weapon being deployed against employees there.

    Reply
  32. Tomi Engdahl says:

    Who cares that we no longer have privacy?
    https://www.edn.com/electronics-blogs/measure-of-things/4458888/Who-cares-that-we-no-longer-have-privacy-

    They know where you are. They know where your car is parked. They know who you’re with. They know your credit rating. If they don’t already, they’ll soon know your pulse rate, whether or not you’re awake, and someday even your electro-encephalogram (EEG).

    Whether or not you care probably depends on who has the information and how they’ll use it. Pick your bogeyman—the government, huge corporations, your life/health/car insurance company, your bank, your spouse’s private investigator—they can all get your information.

    Always assume that you’re being watched.

    That sentence might send chills down your spine, especially if you’re an old geezer who thinks that going incognito is the best way to go.

    Reply
  33. Tomi Engdahl says:

    Google Plans Upgrade of Two-Factor Authentication For Politicians and CEOs
    https://tech.slashdot.org/story/17/10/01/2130249/google-plans-upgrade-of-two-factor-authentication-for-politicians-and-ceos

    Google plans on upgrading its two-factor authentication tool with an improved, physical security measure aimed at protecting high-profile users from politically motivated cyberattacks, according to a report from Bloomberg. The new service, to be called Advanced Protection Program and potentially slated to launch next month, will trade out the standard authentication process for services like Gmail and Google Drive with physical USB security keys. The service would also restrict the types of third-party apps and services that could connect to a user’s Google account.

    Google plans to upgrade two-factor authentication tool after high-profile hacks
    The new service will be aimed at politicians, executives, and other vulnerable targets
    https://www.theverge.com/2017/9/29/16388374/google-gmail-cybersecurity-email-hacks-two-factor-authentication

    Reply
  34. Tomi Engdahl says:

    The Hybrid Disaster Control Center will be opened in Helsinki

    The center has been praised as a concrete step in co-operation between the EU and NATO.

    The European Hybrid Threat Control Center will officially open today in Helsinki. Its purpose is to raise awareness of hybrid threats and of the societal vulnerabilities related to the internet and social media.

    There are 12 countries involved in the Strategic Analysis Center.
    The center has a seven-person secretariat.

    Source: http://www.ts.fi/uutiset/kotimaa/3674996/Hybridiuhkien+torjunnan+osaamiskeskus+avataan+Helsingissa

    Reply
  35. Tomi Engdahl says:

    This is how the big brother supervises the Moscow model: 170,000 cameras identify the walkers

    In Moscow, the authorities have linked artificial intelligence to the city’s extensive surveillance cameras network. The authorities have 170,000 surveillance cameras available.

    The number is quite large: in the whole of Britain, for example, the number of surveillance cameras used by the authorities was estimated a few years ago at 70,000.

    Cameras watching citizens have got new wind in their sails now that technology makes reliable automatic identification of people possible.

    The face recognition method used in Moscow has been developed by Ntechlab. A “digital fingerprint” is compiled from each face and compared against the police archives. During a two-month trial period, camera surveillance helped find six wanted criminals.

    For reasons of cost, the authorities do not connect their entire camera arsenal to the identification system; it will only be used at the most critical sites, Bloomberg writes.

    Source: http://www.tivi.fi/Kaikki_uutiset/nain-isoveli-valvoo-moskovan-malliin-170-000-kameraa-tunnistaa-kulkijat-6680360

    Reply
  36. Tomi Engdahl says:

    How Cisco Fixed An Undocumented SSH Support Tunnel In Umbrella
    https://hardware.slashdot.org/story/17/10/02/0254237/how-cisco-fixed-an-undocumented-ssh-support-tunnel-in-umbrella

    Described by a recent security blog post, Cisco hid an SSH backdoor in its Cisco Umbrella product, which they were using for support. Affected organizations can install version 2.1.0 of their virtual appliance, which has the backdoor removed.

    Cisco has described Umbrella as “the first Secure Internet Gateway in the cloud,” though the now-closed tunnel “auto-initiated from the customer’s appliance to Cisco’s SSH Hubs in the Umbrella datacenters.” Cisco adds that it “did not require explicit customer approval before establishment.”

    Virtual Appliance – Vulnerability due to always-on SSH Tunnel – RESOLVED – 2017-09-15
    https://support.umbrella.com/hc/en-us/articles/115004752143-Virtual-Appliance-Vulnerability-due-to-always-on-SSH-Tunnel-RESOLVED-2017-09-15

    Reply
  37. Tomi Engdahl says:

    Could Tube Wifi Data Be Used To Identify And Track Individuals?
    http://www.gizmodo.co.uk/2017/09/could-tube-wifi-data-be-used-to-identify-and-track-individuals/

    A few days earlier, Transport for London (TfL) – the body which runs the Tube – happened to release an intriguing report, looking into the findings of a trial in which, for a month at the end of last year, wifi signals were used to track passenger journeys across the network. The idea is that as we travel across the Tube network, wifi beacons in stations would detect the unique ID – the MAC address – of our phones, tablets and other devices – even if we’re not connected to the Tube’s wifi network. (It’s nothing to do with Apple Macs – MAC simply stands for “media access control”, and every wifi device has one.)

    As we explained in detail, the hope for transport planners is that this data can then be analysed in order to better understand the journeys people make on the tube, and this can then inform how demand is managed in the future (for example, with route-planning apps recommending passengers take less crowded routes). Judging by the results, the technology has the potential to be genuinely transformative – and could enable London to squeeze even more capacity out of its existing transport infrastructure. And anyone who has ever caught the Tube at rush hour can appreciate that.

    London Underground Wifi Tracking: Here’s Everything We Learned From TfL’s Official Report
    http://www.gizmodo.co.uk/2017/09/london-underground-wifi-tracking-heres-everything-we-learned-from-tfls-official-report/

    Reply
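The mechanism described in the two Gizmodo pieces above, as an added example that is not part of the original post or of TfL's own system: station sensors log the MAC address from 802.11 probe requests, and a journey is just the ordered list of stations where the same address was seen within a short window. The sightings are constructed, the HMAC pseudonymisation step is an assumed storage measure rather than anything the report confirms, and the locally-administered-bit test shows why phones that randomise their MAC fall apart into several "devices".

```python
"""Added example (not from the Gizmodo/TfL material): turning wifi MAC sightings
into passenger journeys, pseudonymising the identifier with a keyed hash, and
spotting randomised MACs.  All sightings below are constructed."""
import hashlib
import hmac
from collections import defaultdict

# Constructed probe-request sightings: (seconds since midnight, station, MAC).
# The MAC is visible in probe requests even when the device never joins the wifi.
SIGHTINGS = [
    (28800, "Oxford Circus", "a4:5e:60:11:22:33"),
    (28860, "Oxford Circus", "02:1f:9c:aa:bb:cc"),  # locally administered = randomised
    (29400, "Bank",          "a4:5e:60:11:22:33"),
    (29460, "Bank",          "02:7d:00:de:ad:01"),  # same phone as above, new random MAC
    (61200, "Bank",          "a4:5e:60:11:22:33"),
    (61800, "Oxford Circus", "a4:5e:60:11:22:33"),
]

GAP_SECONDS = 3600  # sightings further apart than this start a new journey (assumed)


def pseudonymise(mac: str, key: bytes) -> str:
    """Keyed hash: stable per device for one key, but the MAC cannot be recovered
    without the key.  Assumed storage measure, not something the report states."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def is_randomised(mac: str) -> bool:
    """Bit 1 of the first octet set means 'locally administered', which is what
    MAC randomisation produces; vendor-assigned addresses have it clear."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def journeys(sightings, key: bytes):
    """Group sightings per pseudonymous device into ordered station lists.
    Returns {pseudonym: [[station, ...], ...]}."""
    per_device = defaultdict(list)
    for t, station, mac in sorted(sightings):
        per_device[pseudonymise(mac, key)].append((t, station))

    result = {}
    for dev, seen in per_device.items():
        trips, current = [], [seen[0]]
        for prev, cur in zip(seen, seen[1:]):
            if cur[0] - prev[0] > GAP_SECONDS:
                trips.append([s for _, s in current])
                current = [cur]
            else:
                current.append(cur)
        trips.append([s for _, s in current])
        result[dev] = trips
    return result


if __name__ == "__main__":
    for dev, trips in journeys(SIGHTINGS, b"trial-key").items():
        print(dev, trips)
```

With a fixed MAC the example phone yields a morning trip Oxford Circus to Bank and an evening trip back; the two randomised addresses each become a separate single-station "device", which is the limit of this kind of tracking unless the operator correlates on something other than the address.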
  38. Tomi Engdahl says:

    Microsoft CEO Satya Nadella: We will regret sacrificing privacy for national security
    http://www.businessinsider.com/microsoft-ceo-satya-nadella-regret-sacrificing-privacy-for-security-2017-9?r=US&IR=T&IR=T

    Microsoft CEO Satya Nadella has warned that society could regret sacrificing privacy for law enforcement, as his company fights a long-running battle with the US Department of Justice over accessing customer emails.

    Microsoft has been fighting the US government since 2014, when the justice department served the company with a subpoena for emails stored in Irish servers. Microsoft has refused, arguing that permission to access data stored abroad needs to be given by the overseas government.

    Nadella said tech companies understood the need for national security, but added: “If in that context we sacrifice our enduring value around privacy, then I think as a society we will regret it.”

    Reply
  39. Tomi Engdahl says:

    New “Illusion Gap” Attack Bypasses Windows Defender Scans
    https://www.bleepingcomputer.com/news/security/new-illusion-gap-attack-bypasses-windows-defender-scans/

    Security researchers from CyberArk have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems.

    The technique — nicknamed Illusion Gap — relies on a mixture of both social engineering and the use of a rogue SMB server.

    The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution.

    For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that’s needed.

    The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it.

    SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files.

    Microsoft does not view this as a security issue

    CyberArk says it notified Microsoft but the company did not view it as a security issue. Researchers included the Microsoft reply in their Illusion Gap paper.

    Reply
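The double-fetch pattern the article describes, as an added simulation that is not CyberArk's code and speaks no SMB at all: a stand-in share object answers the scanner's read with one file and the loader's read with another, the vulnerable flow scans one copy and runs the other, and the fixed flow scans exactly the bytes it goes on to use. How a real rogue server tells the two reads apart is not modelled here; the `requester` argument is an assumption standing in for that distinction.

```python
"""Added example (not from the CyberArk paper): the scan-then-execute double
fetch behind Illusion Gap, simulated in-process, with the single-fetch fix.
'RogueShare' stands in for the attacker's SMB server; nothing is executed."""
import hashlib

BENIGN = b"echo hello"       # constructed: what the scanner is shown
MALICIOUS = b"rm -rf /"      # constructed: what the loader receives


class RogueShare:
    """Serves different bytes depending on who is reading.  That the server can
    tell the scanner's read from the loader's read is the property the article
    describes; the mechanism is not modelled (assumption)."""
    def __init__(self):
        self.requests = []

    def read(self, path: str, requester: str) -> bytes:
        self.requests.append(requester)
        return BENIGN if requester == "scanner" else MALICIOUS


class HonestShare:
    """A normal share: every reader gets the same bytes."""
    def __init__(self, content: bytes):
        self.content, self.requests = content, []

    def read(self, path: str, requester: str) -> bytes:
        self.requests.append(requester)
        return self.content


def scanner_verdict(data: bytes, blocklist) -> str:
    """Toy scanner: a SHA-256 blocklist stands in for signature matching."""
    return "malicious" if hashlib.sha256(data).hexdigest() in blocklist else "clean"


def run_vulnerable(share, path: str, blocklist):
    """Two independent fetches: the scanner asks the share, then the loader asks
    again.  A share that can tell them apart wins the race by construction."""
    if scanner_verdict(share.read(path, "scanner"), blocklist) == "malicious":
        return ("blocked", None)
    return ("executed", share.read(path, "loader"))


def run_fixed(share, path: str, blocklist):
    """Fetch once, scan those bytes, and use those same bytes.  The share never
    gets a second request to answer differently."""
    data = share.read(path, "loader")
    if scanner_verdict(data, blocklist) == "malicious":
        return ("blocked", None)
    return ("executed", data)


BLOCKLIST = {hashlib.sha256(MALICIOUS).hexdigest()}

if __name__ == "__main__":
    print(run_vulnerable(RogueShare(), r"\\evil\share\tool.exe", BLOCKLIST))
    print(run_fixed(RogueShare(), r"\\evil\share\tool.exe", BLOCKLIST))
```

The point is the time-of-check/time-of-use gap, not the scanner's detection quality: with the same blocklist the two-fetch flow lets the blocked bytes through, while the one-fetch flow stops them. On a real network the practical mitigation is the same one as for other SMB-borne abuse, namely not letting clients reach arbitrary external SMB servers in the first place.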
  40. Tomi Engdahl says:

    Trump signed presidential directive ordering actions to pressure North Korea
    https://www.washingtonpost.com/world/national-security/trump-signed-presidential-directive-ordering-actions-to-pressure-north-korea/2017/09/30/97c6722a-a620-11e7-b14f-f41773cd5a14_story.html?utm_term=.bcab55839304

    Early in his administration, President Trump signed a directive outlining a strategy of pressure against North Korea that involved actions across a broad spectrum of government agencies and led to the use of military cyber-capabilities, according to U.S. officials.

    As part of the campaign, U.S. Cyber Command targeted hackers in North Korea’s military spy agency, the Reconnaissance General Bureau, by barraging their computer servers with traffic that choked off Internet access.

    Others said they would be cautious about using even minor ­cyber-capabilities against North Korea and doing it openly because of the risk of retaliation.

    “I wonder what the disruptive payoff is that we’re getting that’s worth even a marginal extra chance of nuclear war?”

    Reply
  41. Tomi Engdahl says:

    BYOD might be a hipster honeypot but it’s rarely worth the extra hassle
    Security, compatibility, control… we enter another world of pain
    https://www.theregister.co.uk/2017/10/02/falling_out_of_love_with_byod/

    I have a confession: I’ve fallen out of love with Bring Your Own Device.

    Over the years, I’ve worked with, and administered, a number of BYOD schemes. I’ve even written positive things about BYOD.

    After all, what was not to love? Users providing the mobile equipment and the company not needing to worry about maintaining the kit while at the same time treating them like company property, being able to manage device and content securely.

    Just four years ago, Gartner reckoned by 2017 half of employers would be leaning on staff to supply their own smartphones or tablets. Somehow, this would let us deliver all kinds of business apps at the touch of a screen. Things like self-service HR or mobile CRM.

    Some ludicrous statements started being made: BYOD had become a critical plank in attracting millennials – a generation addicted to mobiles and social media – to your place of work. If you didn’t have a BYOD programme and the competition did, well, guess where that potential new, hire wearing the chin thatch and lumberjack shirt would choose to work.

    The kit belongs to the user

    On the face of it, users owning the kit is a great idea. When they sign up to the scheme they’re agreeing that the equipment is their responsibility. It’s up to them to have a warranty that’ll get it fixed if it breaks. If it doesn’t work, that’s their problem. Well worth the price we paid to help fund the kit.

    Except it doesn’t work like that. Unless they’ve paid for a stonkingly expensive maintenance contract their kit will likely be on a collect-and-repair scheme, which means that if it exudes blue smoke (or simply goes silent on them) they’re without it for a few days while the vendor wrangles with it, bangs it with a hammer, and so on. So what do they do in the meantime? At the very least you’ll need to have a small stock of spare kit

    And even when the equipment is alive, this doesn’t mean it won’t get sick once in a while. Even my own kit has a bit of a hiccup sometimes…

    The next question is how you give the users connectivity into your systems. Connecting stuff you don’t own into the corporate network is a security nightmare – you absolutely don’t want to hook it in directly, because one outdated anti-malware package can wreak havoc with your world. So you have a number of options.

    First is the concept of a “quarantine” VLAN. The idea’s simple: when anything accesses the network for the first time in a session, the infrastructure puts it in a VLAN that can’t see much – generally it can’t see anything but the internet and a server that deals with network admission. The admission server won’t let the device join the proper LAN unless it’s convinced that the device’s OS is up-to-date with patches, that it’s running a suitable anti-malware package, and that the latter is also current with regard to its patches and virus signature files. Now, although it’s a simple idea it’s also relatively complex to implement and has a non-trivial cost: so unless your BYOD world is extensive, it may not be worth it.

    An alternative is to decide that anything BYOD needs to stay outside the network completely, and act simply as a dumb terminal to the corporate system. You generally achieve this using some kind of virtual desktop à la Citrix or VMware.

    Reply
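The admission decision the quarantine-VLAN design above relies on, as an added example that is not from the article and not any vendor's NAC product: a pure function over a device posture report that checks the three things the text names (OS patch currency, an anti-malware package present and running, and that package's engine and signatures being current). The field names, thresholds and VLAN ids are assumptions; unknown values and dates in the future (a device with a wrong clock) fail closed.

```python
"""Added example (not from the article): the admit-or-quarantine decision a NAC
admission server makes from a device posture report.  Field names, thresholds
and VLAN ids are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Posture:
    device_id: str
    os_patch_date: Optional[date]       # last OS patch; None if the agent could not tell
    av_installed: bool
    av_running: bool
    av_engine_date: Optional[date]      # build date of the anti-malware engine
    av_signature_date: Optional[date]   # release date of the signature set in use


MAX_OS_PATCH_AGE = timedelta(days=30)   # assumed thresholds
MAX_AV_ENGINE_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE = timedelta(days=3)

VLAN = {"lan": 10, "quarantine": 999}   # assumed VLAN ids


def fresh(d: Optional[date], today: date, max_age: timedelta) -> bool:
    """True only for a known date that is not in the future and not older than
    max_age.  Unknown and future dates both fail, so the check fails closed."""
    return d is not None and d <= today and today - d <= max_age


def admit(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return ("lan", []) when every check passes, else ("quarantine", reasons)."""
    reasons: List[str] = []
    if not fresh(p.os_patch_date, today, MAX_OS_PATCH_AGE):
        reasons.append("os-patches-stale-or-unknown")
    if not (p.av_installed and p.av_running):
        reasons.append("anti-malware-missing-or-not-running")
    else:
        if not fresh(p.av_engine_date, today, MAX_AV_ENGINE_AGE):
            reasons.append("anti-malware-engine-outdated")
        if not fresh(p.av_signature_date, today, MAX_SIGNATURE_AGE):
            reasons.append("signatures-outdated")
    return ("lan", []) if not reasons else ("quarantine", reasons)


def assign_vlan(p: Posture, today: date) -> int:
    """The value the admission server would hand back to the switch/RADIUS layer."""
    return VLAN[admit(p, today)[0]]


if __name__ == "__main__":
    today = date(2017, 10, 2)
    laptop = Posture("laptop-1", date(2017, 9, 20), True, True, date(2017, 9, 15), date(2017, 10, 1))
    print(admit(laptop, today), assign_vlan(laptop, today))
```

Returning the list of failed checks rather than a bare yes/no is what makes the quarantine VLAN usable: the captive page in the quarantine segment can tell the user exactly what to update before they retry.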
  42. Tomi Engdahl says:

    UK lotto players quids in: Website knocked offline by DDoS attack
    It could be you*
    https://www.theregister.co.uk/2017/10/02/lottery_ddos/

    The UK National Lottery has apologised for a website outage that left punters, money still in their pockets, unable to play games on Saturday evening.

    “We’re very sorry that many players are currently unable to access The National Lottery website or app. Our 46,000 retailers are unaffected,” it said on Twitter before adding “please accept our sincere apologies if you were unable to play tonight’s games due to the website issue that affected many players.”

    By Sunday the National Lottery confirmed that outage was the result of a denial of service attack.

    On Saturday 30 September, a DDoS extortion group called Phantom Squad sent out a ransom demand to companies all over the world, threatening denial-of-service attacks.

    Reply
  43. Tomi Engdahl says:

    Java security plagued by crappy docs, complex APIs, bad advice
    Boffins bash stale Stack Overflow fixes and lazy developers
    https://www.theregister.co.uk/2017/09/29/java_security_plagued_stack_overflow/

    Relying on search engines to find answers to coding problems has become so common that two years ago it was suggested computer programming be renamed “googling Stack Overflow,” in reference to the oft-visited coding community website.

    But researchers from Virginia Tech contend more care needs to be taken when copying code from accepted Stack Overflow answers, at least in the context of Java.

    In a paper released on Thursday titled “Secure Coding Practices in Java: Challenges and Vulnerabilities” [PDF], five computer boffins – Na Meng, Stefan Nagy, Daphne Yao, Wenjie Zhuang and Gustavo Arango Argoty – analyzed Stack Overflow posts related to Java security.

    They found that many developers don’t understand security well enough to implement it properly, that the overly complicated APIs in the Spring security framework and other libraries lead to frustration and errors, and that some popular Stack Overflow answers are unsafe and outdated.

    “The significance of this work is that we provided empirical evidence for a significant number of alarming secure coding issues, which have not been previously reported,” the paper says.

    https://arxiv.org/pdf/1709.09970.pdf

    Reply
  44. Tomi Engdahl says:

    Did You Know: Browsing the Internet is a Risk to the M&A Process?
    http://www.securityweek.com/did-you-know-browsing-internet-risk-ma-process

    While mergers and acquisitions (M&A) are generally known for bringing economic growth and opportunity, people are beginning to realize that the process also brings serious cybersecurity risks. For example, along with the acquired company’s valuable assets, buyers also inherit all previous and current vulnerabilities and breach history. But there are also risks that exist for buyers before they sign on the dotted line or take action to merge technologies, processes and resources – during the M&A process, an organization is vulnerable from the moment they set out to do online research.

    If done without caution, just the act of online fact-finding and information gathering on target companies poses risks to potential buyers. Aside from the potential security risks that may be introduced, the acquiring company faces the risk of tipping its hat or showing its hand. If the target or the acquisition learns of the buyer’s intent and desires, it may help their negotiating position. The target could open up parallel discussions, initiate their own research and monitoring activities, and take other steps that may result in a higher cost of acquisition or even derail the opportunity. The acquisition process requires substantial time and energy that could end up being wasted if the process of preliminary due diligence is not protected.

    M&A research leaves a very clear fingerprint. Visits to the target come from unusual sources like senior management, the company’s law firm, specialist consultants, and investment banks. The visits do not follow typical customer patterns, focusing on the management, public financials, and technical details. A company can easily detect this research through monitoring their own web logs.

    Obfuscating the origin and identity of a search is not easy, there are several different ways to be tracked or identified online. As I discussed in a previous SecurityWeek article, the moment a search is initiated on the public internet, all interested parties can recognize and react to actions, behaviors and patterns.

    Understanding Looming Threats and the Need to Hunt With Anonymity
    http://www.securityweek.com/understanding-looming-threats-and-need-hunt-anonymity

    Reply
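The detection the article says a target "can easily" do from its own web logs, as an added example that is not from SecurityWeek: parse combined-format access log lines, profile each client by how much of its browsing lands on management, investor, financial and technical pages, and flag clients that are both unusually focused on that material and enriched to a professional-services organisation. The log lines, the sensitive-path list and the IP-to-organisation table are all constructed; in practice the last one would come from reverse DNS or WHOIS/ASN data.

```python
"""Added example (not from the SecurityWeek article): spotting due-diligence
browsing in a target's own web logs.  Log lines, path list and the
IP-to-organisation table are constructed for illustration."""
import re
from collections import defaultdict

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Pages a buyer's team reads that ordinary customers rarely do (assumed list).
SENSITIVE = ("/about/leadership", "/investors", "/financials", "/products/architecture", "/patents")

# Constructed stand-in for rDNS / WHOIS / ASN enrichment.
ORG_LOOKUP = {
    "203.0.113.10": "Example Law LLP",
    "198.51.100.7": "Example Investment Bank",
    "192.0.2.44": "residential-isp",
}
PROFESSIONAL_WORDS = ("law", "bank", "advisory", "consult")

# Constructed sample log, including one unparseable line.
LOG_LINES = """
203.0.113.10 - - [02/Oct/2017:09:15:02 +0100] "GET /about/leadership HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Oct/2017:09:15:40 +0100] "GET /investors/annual-report.pdf HTTP/1.1" 200 881204 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Oct/2017:09:17:11 +0100] "GET /products/architecture HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Oct/2017:09:19:30 +0100] "GET /patents HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Oct/2017:10:02:13 +0100] "GET /investors HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Oct/2017:10:02:59 +0100] "GET /financials/q2-2017.pdf HTTP/1.1" 200 55120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Oct/2017:10:04:20 +0100] "GET /about/leadership HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Oct/2017:10:06:01 +0100] "GET /index.html HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Oct/2017:11:30:00 +0100] "GET /products/widget HTTP/1.1" 200 6600 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Oct/2017:11:31:10 +0100] "GET /cart HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Oct/2017:11:33:45 +0100] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Oct/2017:11:40:02 +0100] "GET /investors HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
this line is not a valid log entry
""".strip().splitlines()


def parse(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile(lines):
    """Per client IP: total hits, hits on sensitive paths, distinct paths."""
    stats = defaultdict(lambda: {"hits": 0, "sensitive": 0, "paths": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["hits"] += 1
        s["paths"].add(rec["path"])
        if rec["path"].startswith(SENSITIVE):   # str.startswith accepts a tuple
            s["sensitive"] += 1
    return stats


def flag_research(lines, min_hits: int = 3, min_ratio: float = 0.6):
    """Clients whose browsing is mostly sensitive pages AND whose enrichment
    looks like a law firm, bank or adviser.  Returns [(ip, org, ratio)]."""
    flagged = []
    for ip, s in profile(lines).items():
        if s["hits"] < min_hits:
            continue
        ratio = s["sensitive"] / s["hits"]
        org = ORG_LOOKUP.get(ip, "unknown")
        if ratio >= min_ratio and any(w in org.lower() for w in PROFESSIONAL_WORDS):
            flagged.append((ip, org, round(ratio, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, org, ratio in flag_research(LOG_LINES):
        print(f"{ip:15} {org:25} {ratio:.2f}")
```

The residential client that wanders onto `/investors` once is not flagged because its ratio is low; the two professional-services clients are. The two-condition rule is deliberate: a high sensitive-page ratio alone also catches journalists and job seekers, and enrichment alone catches a bank's own customers, so the signal the article describes is the combination.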
  45. Tomi Engdahl says:

    U.S. Cyber Command Launched DDoS Attack Against North Korea: Report
    http://www.securityweek.com/us-cyber-command-launched-ddos-attack-against-north-korea-report

    The United States Cyber Command has reportedly been engaged in offensive activity, namely a DDoS attack, against North Korea’s military spy agency, the Reconnaissance General Bureau (RGB). The attack is thought to have commenced on September 22, and continued until September 30.

    The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. At the time, Trump said, “The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. Through United States Cyber Command, we will tackle our cyberspace challenges in coordination with like-minded allies and partners as we strive to respond rapidly to evolving cyberspace security threats and opportunities globally.”

    The action seems to be partly in response to North Korean cyberattacks, and partly an aspect of a wide-ranging diplomatic offensive led by Secretary of State Rex Tillerson, who was in Beijing on Saturday.

    That this cyber attack was non-destructive and temporary suggests it could be considered more as a warning than a punishment. It is Cyber Command telling North Korea that it has its range and is capable of much stronger action. By being non-destructive it is probably hoped that it won’t provoke kinetic retaliation; although it is quite likely to provoke cyber retaliation from North Korean hacking groups.

    Reply
  46. Tomi Engdahl says:

    Three in Four DDoS Targets Hit Multiple Times: Imperva
    http://www.securityweek.com/three-four-ddos-targets-hit-multiple-times-imperva

    Amid an increase in frequency of repeat application layer distributed denial of service (DDoS) attacks during the second quarter of the year, over 75% of targets were hit multiple times, according to statistics from Imperva.

    The company’s Global DDoS Threat Landscape for Q2 2017 shows an increase in the amount of persistent application layer assaults over a one-year period. Thus, while only 43.2% of targets were subjected to multiple attacks in the second quarter of 2016, the percentage increased to 75.8% during the same three-month window this year.

    The number of application layer attacks observed each week has reached 973 in Q2 2017, down from 1,099 per week in the previous quarter. The number of mitigated network assaults decreased as well, falling from 296 per week in the prior quarter to only 196 per week.

    The largest network layer attack that Imperva mitigated during the quarter peaked at 350 Gbps (gigabit per second) and employed a new tactic called a pulse wave attack. First described in August, this method of launching DDoS attacks can be used to pin down multiple targets with alternating high-volume bursts.

    Imperva’s report also reveals that United States websites were hit the most with repeat application layer attacks. While the global percentage of targets hit multiple times is 75.8%, it reaches 80.3% when U.S. websites are considered. Furthermore, the majority of targets that suffered 50 or more attacks were hosted in the US.

    Reply
  47. Tomi Engdahl says:

    Google Finds Flaws in Dnsmasq Network Services Tool
    http://www.securityweek.com/google-finds-flaws-dnsmasq-network-services-tool

    Google employees have identified a total of seven vulnerabilities, including ones that allow remote code execution, in the Dnsmasq network services software.

    Written and maintained by Simon Kelley, Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. Dnsmasq is used by Linux distributions, routers, smartphones and many Internet of Things (IoT) devices. A scan for “Dnsmasq” using the Internet search engine Shodan reveals over 1.1 million instances worldwide.

    An analysis of Dnsmasq conducted by Google’s security team revealed seven issues, including remote code execution, information disclosure, and denial-of-service (DoS) flaws that can be exploited via DNS or DHCP.

    Reply
  48. Tomi Engdahl says:

    FBI Can Keep Details of iPhone Hack Secret: Judge
    http://www.securityweek.com/fbi-can-keep-details-iphone-hack-secret-judge

    A federal judge ruled last week that the U.S. Federal Bureau of Investigation (FBI) is not obligated to disclose the details of a hacking tool used to access data stored on an iPhone belonging to the man behind the 2015 mass shooting in San Bernardino, California.

    Reply
  49. Tomi Engdahl says:

    Critical Code in Millions of Macs Isn’t Getting Apple’s Updates
    https://www.wired.com/story/critical-efi-code-in-millions-of-macs-is-not-getting-apple-updates/

    As any nagging cybersecurity expert will tell you, keeping your software up to date is the brushing and flossing of digital security. But even the most meticulous practitioners of digital hygiene generally focus on maintaining the updates of their computer’s operating system and applications, not its firmware. That obscure, reptile-brain code controls everything from a PC’s webcam to its trackpad to how it finds the rest of its software as it boots up. Now one new study has found that the most critical elements of millions of Macs’ firmware aren’t getting updates. And that’s not because lazy users have neglected to install them, but because Apple’s firmware updates frequently fail without any notice to the user, or simply because Apple silently stopped offering those computers firmware updates—in some cases even against known hacking techniques.

    Reply
