The year 2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. A third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
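A quick check a practitioner can run against this SHA-1 deadline, added here as an example and not code from the post: a standard-library-only DER walker that reads the signatureAlgorithm OID out of a certificate and reports whether the outer signature uses SHA-1. The three certificates it examines are constructed stand-ins whose tbsCertificate and signatureValue fields are placeholders; only the outer SEQUENCE layout and the algorithm OIDs are real.

```python
"""Report the hash algorithm behind an X.509 certificate's signature.

Added example (not from the original post): a minimal DER walker that reads the
signatureAlgorithm OID of a Certificate and flags SHA-1, using only the standard
library. The sample certificates at the bottom are constructed stand-ins.
"""
import ssl

# Standard signature-algorithm OIDs mapped to the hash they use.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)  # base-128, high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def signature_hash(der_cert):
    """Name the hash used in the certificate's outer signature, or 'unknown:<oid>'."""
    tag, cert_body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert_body, 0)     # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert_body, pos)   # signatureAlgorithm SEQUENCE
    tag, oid_bytes, _ = read_tlv(alg_id, 0)   # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    return SIG_ALG_HASH.get(oid, "unknown:" + oid)

def is_sha1_signed(der_cert):
    return signature_hash(der_cert) == "sha1"

def pem_signature_hash(pem_text):
    """Same check for a PEM certificate, e.g. one saved from a server or a keystore."""
    return signature_hash(ssl.PEM_cert_to_DER_cert(pem_text))

# --- constructed sample certificates (placeholders except for the OIDs) ---
def _der(tag, body):
    """Minimal definite-length DER encoder, used only to build the samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _fake_cert(oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x01"))                                  # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))  # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" * 257)                                        # placeholder 2048-bit signature
    return _der(0x30, tbs + alg + sig)

SHA1_RSA_CERT = _fake_cert("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = _fake_cert("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
ECDSA_SHA256_CERT = _fake_cert("2a8648ce3d040302")   # 1.2.840.10045.4.3.2

if __name__ == "__main__":
    for name, cert in [("sha1-rsa", SHA1_RSA_CERT), ("sha256-rsa", SHA256_RSA_CERT),
                       ("ecdsa-sha256", ECDSA_SHA256_CERT)]:
        verdict = "REJECT (SHA-1)" if is_sha1_signed(cert) else "ok"
        print(f"{name:13s} signed with {signature_hash(cert):7s} -> {verdict}")
```

Feed a real certificate through pem_signature_hash(); ssl.PEM_cert_to_DER_cert() from the standard library does the PEM-to-DER conversion. Only the outer signature is inspected, so a chain has to be checked certificate by certificate; the self-signature on a root is exempt from the browser deprecation, since trust anchors are trusted by identity rather than by signature.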
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that will let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks as a means of extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, probably until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into encrypted systems (be it a phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure – extortion and IoT openings.
The arms race between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so reliance on telecom operators and external services increases). In addition to disrupting services, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue, and more people are talking about it. Design teams will have to bake strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During the autumn of 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as its platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchain on its Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to run their blockchains in the cloud.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Novelty and Outlier Detection
http://www.linuxjournal.com/content/novelty-and-outlier-detection
Just as clustering can be used to divide data into a number of coherent groups, it also can be used to decide which data points belong inside a group and which don’t. In “novelty detection”, you have a data set that contains only good data, and you’re trying to determine whether new observations fit within the existing data set. In “outlier detection”, the data may contain outliers, which you want to identify.
Where could such detection be useful? Consider just a few questions you could answer with such a system:
Are there an unusual amount of login attempts from a particular IP address?
Are any customers buying more than the typical number of products at a given hour?
Which homes are consuming above-average amounts of water during a drought?
Which judges convict an unusual number of defendants?
Should a patient’s blood tests be considered normal, or are there outliers that require further checks and examinations?
In all of those cases, you could set thresholds for minimum and maximum values and then tell the computer to use those thresholds in determining what’s suspicious. But machine learning changes that around, letting the computer figure out what is considered “normal” and then identify the anomalies, which humans then can investigate. This allows people to concentrate their energies on understanding whether the outliers are indeed problematic, rather than on identifying them in the first place.
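The login-attempts question above, worked as a small added example that is not part of the comment or the Linux Journal article it quotes: it parses constructed auth-log lines, counts attempts per source address, and then applies both styles of detection, outlier detection over a day’s data that may itself contain the attacker, and novelty detection fitted only on a known-clean baseline. It uses a robust median/MAD score instead of a clustering model so it runs with the standard library alone; the addresses are RFC 5737 documentation ranges.

```python
"""Novelty vs. outlier detection on login attempts per source address.

Added example, not part of the comment above or the Linux Journal article it
quotes. Instead of a clustering model it uses a robust z-score (median and
median absolute deviation, MAD). All log lines are constructed from the tables
below; the addresses are RFC 5737 documentation ranges.
"""
import re
import statistics
from collections import Counter

LOGIN_RE = re.compile(r"password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed baseline: eight ordinary clients and their attempt counts for a day.
NORMAL_IPS = {
    "198.51.100.1": 1, "198.51.100.2": 2, "198.51.100.3": 2, "198.51.100.4": 3,
    "198.51.100.5": 1, "198.51.100.6": 2, "198.51.100.7": 3, "198.51.100.8": 2,
}

def make_log(attempts_per_ip):
    """Expand {ip: count} into constructed sshd-style auth log lines."""
    lines = []
    for ip, n in attempts_per_ip.items():
        for i in range(n):
            lines.append(f"sshd[{1000 + i}]: Failed password for alice "
                         f"from {ip} port {40000 + i} ssh2")
    return "\n".join(lines)

def count_attempts(log_text):
    """Count login attempts per source address from raw log text."""
    return Counter(m.group(1) for m in LOGIN_RE.finditer(log_text))

def robust_scale(values):
    """Return (median, scale); scale = 1.4826 * MAD makes the score comparable to a
    z-score. Falls back to 1.0 when MAD is zero (most values tie) to avoid a division by zero."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, (1.4826 * mad if mad else 1.0)

def find_outliers(counts, threshold=3.5):
    """Outlier detection: the data itself may contain anomalies, so every point is
    scored against the bulk of that same data and those far above it are flagged."""
    med, scale = robust_scale(list(counts.values()))
    return sorted(ip for ip, n in counts.items() if (n - med) / scale > threshold)

class NoveltyDetector:
    """Novelty detection: fit on data known to be clean, then judge each new
    observation against that baseline."""

    def __init__(self, threshold=3.5):
        self.threshold = threshold
        self.med = self.scale = None

    def fit(self, clean_counts):
        self.med, self.scale = robust_scale(list(clean_counts.values()))
        return self

    def is_novel(self, attempts):
        return (attempts - self.med) / self.scale > self.threshold

# Today's constructed traffic: the usual clients plus one source hammering the login.
TODAYS_LOG = make_log({**NORMAL_IPS, "192.0.2.10": 40})

if __name__ == "__main__":
    counts = count_attempts(TODAYS_LOG)
    print("outliers in today's log:", find_outliers(counts))
    detector = NoveltyDetector().fit(NORMAL_IPS)
    for ip, n in counts.items():
        if detector.is_novel(n):
            print(f"novel: {ip} made {n} attempts (baseline median {detector.med})")
```

The two modes disagree on borderline cases: the outlier pass scales by the spread of today’s data, attacker included, while the novelty detector scales by the spread of the clean baseline, so a source with five attempts is novel against the baseline but not an outlier today. Which one is appropriate depends on whether you trust the training window to be clean, which is exactly the distinction the article draws.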
Tomi Engdahl says:
Following Las Vegas shooting, Facebook’s Safety Check page filled with scammers and hoaxes
Con artists are targeting the heavily trafficked service
https://www.theverge.com/2017/10/2/16401562/facebook-safety-check-las-vegas-shooting-scam-hoax-newsfeed
Since 2014, Facebook has offered a service called Safety Check in the wake of dangerous incidents. If you have the Facebook mobile app and are in an area hit by something like a natural disaster, Facebook may trigger a push notification asking you to verify your status. If you mark yourself as safe, the system will automatically add a post to your News Feed with that message, so anyone checking on you can see quickly that you’re okay.
Facebook also creates a dedicated page where users can check in on friends in the affected area and see breaking news. That last feature has become a vector for scammers and con artists looking to drive traffic to their services and sites. This morning, the Facebook Safety Check page for the deadly mass shooting in Las Vegas featured a video soliciting donations to a Bitcoin wallet, photos from the AANR Midwest American Association for Nude Recreation, and a story (since retracted), that described the shooter as a “Trump-hating Rachel Maddow fan.”
Tomi Engdahl says:
UK asks for ways to destroy contraband drones heading to prisons
The MOJ competition is asking for solutions to eradicate contraband delivery drones.
http://www.zdnet.com/article/uk-asks-you-to-destroy-contraband-drones-heading-to-prisons/
The UK Ministry of Justice (MOJ) has launched a competition asking for ideas to stop drones from dropping contraband into prisons.
Drones delivering everything from weapons to drugs and mobile phones are proving to be a serious issue for today’s prison services in the UK.
Prison employees already have to cope with high numbers of inmates, drug usage, and a lack of both funding and staff — and so adding contraband falling from the sky is potentially more than prison operators can cope with.
The MOJ wants technological solutions to this problem and has earmarked a total of £950,000 for ideas.
The aim of the competition is to develop “novel detection techniques” to identify contraband in prisons.
Funding competition SBRI competition: Detecting security threats and contraband in prisons
https://apply-for-innovation-funding.service.gov.uk/competition/66/overview
Businesses can apply for a share of £950,000. This is to work with the Ministry of Justice on technological solutions to the problems that drones, drugs, mobile phones, and other contraband, pose within a prison environment.
Tomi Engdahl says:
GDPR – Not Just a European Concern
http://www.securityweek.com/gdpr-not-just-european-concern
The recent Equifax breach that has been all over the news raises an interesting question: How would the situation have played out if it was after May 25, 2018 when the new General Data Protection Regulations (GDPR) are due to come into force? While none of us has a crystal ball, we can bet the outcome for Equifax would be even worse.
This report (PDF) provides comprehensive information on the GDPR but, in brief, the GDPR is a new set of regulations to protect the personal data and privacy of citizens of EU countries. It will affect any company that processes personal data of EU citizens – even if that company doesn’t have a presence in an EU country – making this legislation more than a European concern. To begin with, the regulations set a high standard for the speed with which businesses are required to report data breaches, in some cases within 72 hours after becoming aware of the breach. Companies also have to comply with each of these rights, transparently and without cost to EU citizens:
• Right of data portability – if a customer asks for their data you are required to provide it
• Right of removal – if a customer requests that their information be removed from your systems you are required to do so
• Data transfer notification – prior to sharing customer data with a third party, you must notify the customer and gain explicit consent to share it
• Customer access requests – if a customer asks whether or not you hold data on them, you are obligated to let them know
To satisfy the GDPR regulations, companies will likely need additional processes, technology and personnel in place. In a survey by PwC (PDF) of U.S. companies, nearly 70% of respondents said they plan to spend between $1 million and $10 million to address GDPR obligations. While that may sound like a lot, it could pale in comparison to fines. Failure to comply with the GDPR can result in hefty financial penalties of up to 4 percent of global turnover or 20 million Euros (more than $23 million), whichever is greater in certain instances. For companies operating with razor-thin margins, profits could easily evaporate into thin air.
https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf?la=en
Tomi Engdahl says:
Crafting Your Cyber Threat Intelligence Driven Playbook
http://www.securityweek.com/crafting-your-cyber-threat-intelligence-driven-playbook
The concept around cyber threat intelligence is that it should be used to drive better security decisions and as a result better outcomes.
Intel provides insights so that decision-makers are well-informed of their risk, relevant impending threats, the potential impact and the best course of action to take to ensure the best cyber defense. There are many different approaches to threat intelligence, from the type (strategic, operational, tactical/technical) to the delivery (feed, software, full-service solution) to the processes and people involved to create and consume the intel.
Tomi Engdahl says:
Business Risk Intelligence: The New Industry Standard
http://www.securityweek.com/business-risk-intelligence-new-industry-standard
Intelligence in its various forms has long served as the foundation for many organizations’ cybersecurity strategies. And yet, only in recent years has the industry begun to recognize that certain types of intelligence — namely that which is relevant, actionable, and gleaned from high-value sources — can and should be applied to support not just cybersecurity teams, but all business functions across the enterprise.
Indeed, I’m talking about Business Risk Intelligence (BRI). Often considered the more strategic and cross-functional counterpart to its predecessor, cyber threat intelligence (CTI), BRI surpasses CTI’s relatively limited applications to inform decision-making, improve preparation, and mitigate a broad spectrum of cyber and physical risks. As someone who’s faced the limitations of CTI firsthand, I wanted to reflect on my experience with BRI to shed some light on why it’s quickly becoming the new industry standard.
BRI addresses overall risk
Just as its name implies, BRI focuses on addressing business risks — not just threats. To understand the difference, let’s look at a basic formula for risk:
Risk = threat x likelihood x impact
As you can see, threat is one component of risk. While most cybersecurity teams focus largely on detecting cyber threats, such an approach should really be just the beginning. Doing more than that requires assessing the likelihood that any given threat will target an organization and, if it does, what the potential impact could be. Even though countless threats exists, they’re not all relevant to all organizations. Evaluating a threat’s relevancy effectively requires visibility into the full context surrounding that threat.
The challenge is that the context surrounding many threats can be difficult to ascertain given that the nature of CTI is largely focused on detecting threats — but not much else.
Tomi Engdahl says:
Websites Hacked via Zero-Day Flaws in WordPress Plugins
http://www.securityweek.com/websites-hacked-zero-day-flaws-wordpress-plugins
Zero-day flaws affecting several WordPress plugins have been exploited by malicious actors to plant backdoors and take control of vulnerable websites.
The attacks have been spotted by Wordfence, a company that specializes in protecting WordPress websites.
The firm’s investigation revealed that attackers had been exploiting previously unknown vulnerabilities in three WordPress plugins. The flaws, described as critical PHP object injection issues, affect the Appointments, Flickr Gallery, and RegistrationMagic-Custom Registration Forms plugins.
Attacks exploiting the zero-day vulnerability involved the creation of a file on targeted websites, but logs only showed a POST request to /wp-admin/admin-ajax.php, which made it look as if the file appeared out of nowhere, researchers said.
“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php,” Wordfence explained in a blog post.
3 Zero-Day Plugin Vulnerabilities Being Exploited In The Wild
https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/
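A defender-side check suggested by this write-up, added as an example and not code from the comment or from Wordfence: since the dropped file is the only artifact and the access log shows just a POST to admin-ajax.php, a hashed baseline of the PHP files under the web root, diffed periodically, catches the new file regardless of which plugin was abused. The web root below is a constructed temporary directory and the file names in it are placeholders.

```python
"""Spot PHP files that appear in a WordPress tree outside a deployment.

Added example, not code from the original comment or from Wordfence. It takes a
SHA-256 snapshot of every PHP file under a web root and diffs it against a
baseline; the web root used here is a constructed temporary directory.
"""
import hashlib
import os
import tempfile

def snapshot(root, suffixes=(".php", ".phtml", ".php5")):
    """Map each matching file (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root)] = digest
    return result

def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def suspicious_additions(added, writable_dirs=("wp-content/uploads", "wp-content/cache")):
    """PHP appearing in directories that should only hold media or cache is the strongest signal."""
    norm = [d.replace("/", os.sep) + os.sep for d in writable_dirs]
    return [p for p in added if any(p.startswith(d) for d in norm)]

def demo():
    """Build a constructed web root, baseline it, simulate a dropped file, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)

        # Baseline state right after a clean deployment (placeholder contents).
        write("index.php", "<?php require 'wp-blog-header.php';")
        write("wp-admin/admin-ajax.php", "<?php /* core */")
        write("wp-content/uploads/2017/10/photo.jpg", "not php")
        baseline = snapshot(root)

        # Simulated later state: a PHP file where only uploads belong, and a core file altered.
        write("wp-content/uploads/2017/10/cache.php", "<?php /* unexpected file */")
        write("wp-admin/admin-ajax.php", "<?php /* core */ /* altered */")
        added, modified, removed = diff_snapshots(baseline, snapshot(root))
        return added, modified, removed, suspicious_additions(added)

if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
    print("PHP in upload/cache dirs:", flagged)
```

In production the baseline is taken right after a deployment and stored off the web host, and the diff runs on a schedule; any added or modified PHP file outside a deployment deserves a look, with PHP under wp-content/uploads at the top of the list because that directory should only ever receive media.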
Tomi Engdahl says:
US Telco Fined $3 Million in Domain Renewal Blunder
https://www.bleepingcomputer.com/news/technology/us-telco-fined-3-million-in-domain-renewal-blunder/
Sorenson Communications, a Utah-based telecommunications provider, received a whopping $3 million fine from the Federal Communications Commission (FCC) on Friday for failing to renew a crucial domain name used by a part of the local 911 emergency service.
The affected service was the Video Relay System (VRS), a video calling service that telecommunication firms must provide to deaf people and others people with vocal disabilities so they can make video calls to 911 services and use sign language to notify operators of an emergency or crime.
According to the FCC, on June 6, Sorenson failed to notice that the domain name on which the VRS 911 service ran had expired, leading to the entire system collapsing shortly after.
Utah residents with disabilities were unable to reach 911 operators for almost three days, the FCC discovered. Sorenson noticed its blunder and renewed the domain three days later, on June 8.
FCC found the outage was preventable
“The Commission’s investigation found the outage was preventable,” the FCC wrote in a settlement it reached with Sorenson last week.
The settlement sum is massive, but of it, only $252,000 is an actual fine, going to the FCC. The rest of the fee — $2.7 million — is a restitution Sorenson must give back to the FCC’s TRSF division.
Sorenson is by no stretch of the imagination the first company to forget to renew a domain name.
Samsung left millions of users exposed to hacking after it forgot to renew a domain name
Online marketing giant Marketo also forgot to renew its main domain, causing huge and costly downtimes to many of its customers.
Tomi Engdahl says:
Former Equifax CEO says breach boiled down to one person not doing their job
https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/?utm_source=tcfbpage&sr_share=facebook
In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax’s recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people’s notice — one person didn’t do their job.
“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith, who did not name this individual, told the committee.
The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices. But that’s what Smith says led to this disaster.
Equifax sent out an internal email on March 9th to deploy the Apache Struts update within 48 hours. However, Smith said, the system failed to identify any vulnerabilities.
Equifax is still investigating the details of what happened and Smith said providing consumers with adequate information in the aftermath was “challenging.”
Smith stepped down as CEO last week, shortly after the company’s chief security officer and chief information officer also exited the company.
Tomi Engdahl says:
“Our inability to act in a responsible manner is a deeply rooted artifact of our corporate structure and every single person from an individual security engineer up to me was culpable.”
It’s hard to imagine a worse defense.
Tomi Engdahl says:
There was definitely a failure within IT, but one person? Are there procedures for constant vigilance, updating, and patching? Are there internal audits to ensure that’s being done? That’s more than one person.
Tomi Engdahl says:
US Studying Ways To End Use of Social Security Numbers For ID
https://yro.slashdot.org/story/17/10/03/2046247/us-studying-ways-to-end-use-of-social-security-numbers-for-id
U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers. “I feel very strongly that the social security number has outlived its usefulness,” Joyce said. “It’s a flawed system.”
US Reviewing Better Tech Identifiers After Hacks: Trump Aide
http://www.securityweek.com/us-reviewing-better-tech-identifiers-after-hacks-trump-aide
US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.
Rob Joyce, the White House cybersecurity coordinator, told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers.
Joyce’s comments come after news that some 145 million Americans may have had personal information leaked, including the important social security numbers, in a breach at Equifax, one of three big US firms which collect data for credit applications.
“I feel very strongly that the social security number has outlived its usefulness,” Joyce said.
“It’s a flawed system.”
For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft.
“If you think about it, every time we use the social security number we put it at risk,” Joyce said.
“That is the identifier that connects you to all sort of credit and digital and information online.”
The official spoke as US lawmakers opened hearings on the Equifax breach, believed to be one of the worst because of the sensitivity of data leaked.
Tomi Engdahl says:
Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! ‘just!’ 1bn!
Every user pwned, how’s that $4bn looking now, Verizon?
https://www.theregister.co.uk/2017/10/03/yahoo_says_one_beeelion_user_hack_figure_wrong_its_three/
With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.
In a filing on Tuesday to America’s financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn’t the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts.
The miserable web giant said that following its 2016 takeover by Verizon – which has its own security consultancy – it “recently obtained new intelligence” that indicated that the network intrusion was much larger than had previously been thought. In fact, it was as large as it could be.
That means account records – including names, addresses, phone numbers, and weakly hashed passwords – for three billion accounts worldwide were exposed to hackers. In its statement today to the SEC, Yahoo! admitted
Despite their words, Verizon management are most likely seething about the news. When the initial hack was disclosed, the telco managed to knock $350m off the $4.8bn asking price for the company. Had it known about the size of the actual hack it could have got a considerably bigger discount.
As for the hackers themselves, the US authorities have indicted four men over the infiltration. American prosecutors claim the hack was ordered by the Russian intelligence services and carried out by hackers-for-hire.
Tomi Engdahl says:
Many Companies Unprepared for DNS Attacks: Survey
http://www.securityweek.com/many-companies-unprepared-dns-attacks-survey
Many companies are not prepared to deal with DNS attacks, and a quarter of the ones that have already been hit reported significant losses, according to a survey conducted by Dimensional Research on behalf of network security firm Infoblox.
Attacks on Domain Name System (DNS) services can have serious consequences, as demonstrated by the attack on Dyn last year. The attack, powered by the Mirai botnet, led to service disruptions for several major websites, including Twitter, GitHub, Etsy, Soundcloud, PagerDuty, Spotify and Airbnb.
The study from Dimensional Research and Infoblox, based on a survey of over 1,000 IT and security professionals worldwide, revealed that 3 out of 10 companies have already experienced DNS attacks and in most cases it resulted in downtime.
As for the financial losses caused by DNS attacks, 3% of respondents said they had lost more than $1 million, and nearly a quarter reported losses exceeding $100,000.
The research has not found any link between the type of DNS service used and the risk of attacks. Companies that used a cloud DNS service, a third-party service or their own service were attacked roughly the same.
According to the report, 22% of companies don’t have a backup DNS service, and 63% of them are not capable of defending against all common DNS attacks, such as hijacking, exploits, cache poisoning, protocol anomalies, reflection, NXDomain and amplification.
Tomi Engdahl says:
The Challenge of Training AI to Detect Unique Threats
http://www.securityweek.com/challenge-training-ai-detect-unique-threats
In a previous column, I discussed how traditional endpoint security fails because it focuses on detecting known bad instances. As evidenced by the rapid rise of email-based attacks, this is a losing proposition. That is because advanced threats and targeted email attacks change rapidly as attackers dodge detection. While bad changes on a daily basis, good does not. Therefore, modeling what is good and detecting deviations from the good offers a better solution than identifying bad does.
Tragically, many security vendors are hesitant to recognize the inherent drawbacks of blacklisting, which is the detection of known bad. Instead, they are embracing artificial intelligence with the hope that this will help them keep up with adversarial changes.
While machine learning can significantly speed up the reaction to changes by identifying similarities and generalizing, it requires reasonably large training sets to do so. But these often take time to establish, which means that attacks will always remain one step ahead. This is particularly worrisome for low-volume targeted attacks.
Tomi Engdahl says:
The Increasing Effect of Geopolitics on Cybersecurity
http://www.securityweek.com/increasing-effect-geopolitics-cybersecurity
Cyber Warfare Can be Exerted by Any Nation With an Actual or Perceived Grievance Against Any Other Nation
The effect of geopolitics on cybersecurity can be seen daily – from Chinese cyber espionage to Russian attacks on the Ukraine and North Korea’s financially-motivated attacks against SWIFT and Bitcoins – and, of course, Russian interference in western elections and notably the US 2016 presidential election.
The primary cause is political mistrust between different geopolitical regions combined with the emergence of cyberspace as a de facto theater of war.
“Of course there is a connection between cybersecurity and geopolitics,” Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek. “Hackers are now acting as soldiers, and it’s difficult to find a country that has never used a cyber weapon.”
A current example of geopolitical tensions can be seen in the recent ban on U.S. government agencies using a much-respected antivirus and endpoint protection product produced by Russian firm Kaspersky Lab
Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise.
Cyber as a Theater of War
Although not necessarily recognized at government level, few people involved with cybersecurity have any doubt that cyber warfare is current and ongoing. Governments are reluctant to openly acknowledge this reality for fear that recognition will require retaliation – and the big fear then is that it could escalate into kinetic warfare. Kinetic provocation leads to kinetic responses; cyber provocation tends not to. Consider, for example, the U.S. response to North Korea’s missile tests compared to the response to North Korea’s cyber attacks against Sony and SWIFT.
Cyber warfare has further advantages: the difficulty of attribution provides plausible deniability.
Attribution
Attribution is a major problem in cyberspace. Attackers can compromise servers in any part of the world. They can limit their activities to the working day of any geographical area. They can code in foreign languages; and they can reuse code snippets first used by different hacking groups. Such misdirection (false flags) is used by both nation state actors and cyber criminals.
Plausible deniability
When it is impossible to openly prove the culprit, it is easy for the suspect to deny all knowledge. Following repeated denials of involvement in the US 2016 election hacks, Vladimir Putin finally suggested that it could have been ‘patriotic Russian hackers’.
“They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia,” he said. But at the same time, he stressed that it had nothing to do with the Russian government.
Escalation
Given the ease and success of cyber warfare attacks, it’s only natural that we see an escalation in its use. “In 2007, in Estonia,” explains Kenneth Geers, senior research scientist at Comodo and NATO Cyber Center Ambassador, “a distributed denial of service campaign primarily targeted online services. A decade later, in Ukraine, we have seen a far higher number and variety of attacks, spanning the political, diplomatic, business, military, critical infrastructure, and social media domains.”
The use of the internet as a means of disseminating political propaganda has also increased. Public awareness initially focused on Anonymous hacktivism, where the Anonymous group would deface or take down the websites of organizations or companies to which it objected.
The Effect of Geopolitics on Cybersecurity
The fundamental cause of cyber warfare is international political mistrust. As this escalates, so international cyber incidents increase – and there is little doubt that political mistrust is as high as it has ever been since the end of the Cold War. Sino-American tensions remain high, complicated by the unpredictability of a newly nuclear North Korea. The War on Terror that replaced the Cold War has seen the emergence of Iran as a sponsor of terror; both on the streets and in cyberspace. And Russia’s new found energy wealth sees Putin apparently determined to make the Russian Federation as powerful as the old Soviet Union.
Kinetically, the United States is probably the world’s sole Super Power; perhaps followed by China. Cyberspace, however, is a huge leveler. “What you’re seeing today is technology straining and sometimes eclipsing the ability of traditional constraints and institutions to keep them in check,” Christopher Bray, SVP/GM Consumer at Cylance Inc, told SecurityWeek. “It’s also resulting in smaller nations punching above their weight when it comes to cyber defensive and offensive capabilities, and exerting these new-found technological powers in advancing their geopolitical agendas as well as their desire to monitor their own populations to various degrees. This monitoring is always done in the interest of ‘national security’, but depending on the government in question, it can also lead into a more Orwellian direction.”
In short, cyber warfare can be exerted by any nation with an actual or perceived grievance against any other nation; and the implication of that is that it will continue to grow. This is likely to have several negative effects on cyberspace.
Balkanization
The first negative effect is already being felt: it is the balkanization of the internet. There are two aspects to this: the first is to protect the national internet from the global internet; and the second is to promote the use of locally produced products over foreign-produced, and therefore suspect, products. The Iranian, North Korean and Chinese intranets are the best known examples. China has embarked on a locally-produced product policy (China’s Cybersecurity Law) which will see 80% of large Chinese business security expenditure go to locally produced products.
Other countries are embarking on different routes towards the same end: banning or at least deprecating the use of foreign-produced products (China’s Huawei and perhaps Russia’s Kaspersky in the U.S., for example), or using internet censorship and press restraint to limit the citizen’s access to foreign or distrusted information sources (as increasingly happens in the UK).
The problem with this effect of geopolitics is that it increases rather than decreases mistrust – and this ‘balkanization’ will likely, but not necessarily, have further negative effects on both cyber and national security.
Weakened cybersecurity
It is not at all clear that a ‘local product only’ policy can work. “Most major software products are written by personnel in numerous countries, and parent companies subcontract out much of the labor to coders whom they only know tenuously,” explains Geers. “Often, we have little choice but to use, for example, Chinese hardware, American software, French routers, and Israeli security applications… Are there spies working in many of the best-known software companies? Without a doubt. But in most cases, the companies in question do not know about them.”
More complex business security
Concern over geopolitical influence on cybersecurity products simply makes a difficult job even more difficult. Steven Lentz, CSO at Samsung Research America, told SecurityWeek, “It’s sad that we have to be aware of vendors like this, but that’s the environment. Politics finds a way into everything nowadays. I just want a solution that does what it says and fits our environment. Now, with all the press of certain vendors in possible collusion with governments that may spy on the U.S., it makes it more complicated. I may like the vendor’s solution, but now I have to worry about possible malware or back doors. It’s sad.”
Tomi Engdahl says:
Google Patches Critical Android Flaws With October 2017 Updates
http://www.securityweek.com/google-patches-critical-android-flaws-october-2017-updates
Google this week released its October 2017 Android patches, which address a total of 14 vulnerabilities in the mobile platform, including five rated Critical severity.
Split in two, the Android Security Bulletin—October 2017 resolves issues affecting various platform iterations, ranging from Android 4.4.4 to Android 8.0. The most severe of these could lead to arbitrary code execution or to applications being able to gain additional permissions without user interaction.
Tomi Engdahl says:
Enterprises Blacklist iOS Apps Due to Data Leakage: Report
http://www.securityweek.com/enterprises-blacklist-ios-apps-due-data-leakage-report
A report published on Tuesday by mobile security firm Appthority reveals which Android and iOS applications are most frequently blacklisted by enterprises.
According to data collected by Appthority, iOS apps are typically blacklisted due to the fact that they leak data. The most commonly blacklisted iOS app is WhatsApp, which has a high risk rating due to the fact that it sends information from the device’s address book to a remote server.
Tomi Engdahl says:
2013 Hack Hit All 3 Billion Yahoo Accounts: Company
http://www.securityweek.com/2013-hack-hit-all-3-billion-yahoo-accounts-company
A 2013 hack affected all three billion accounts at Yahoo, triple the original estimate, the online giant’s parent company said Tuesday following a new analysis of the incident.
The disclosure from Verizon, which acquired Yahoo’s online assets earlier this year, revised upward the initial estimate of one billion accounts affected.
The statement said the estimate is based on “new intelligence” following an investigation with the assistance of outside forensic experts into the incident in August 2013.
“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts,” said a statement issued by Verizon’s internet unit known as Oath.
“The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”
Tomi Engdahl says:
IRS awards multimillion-dollar fraud-prevention contract to Equifax
http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419
The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.
The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.
A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.
The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.
Lawmakers on both sides of the aisle blasted the IRS decision.
Tomi Engdahl says:
White House plan to nuke social security numbers is backed by Equifax’s ex-top boss
We meant it, nothing matters any more. Nothing at all
https://www.theregister.co.uk/2017/10/04/white_house_plans_to_ditch_social_security_numbers_as_ids/
White House cybersecurity coordinator Rob Joyce has won the backing of Equifax’s ex-CEO for a plan to stop using social security numbers as personal identifiers in the US.
We have no idea of Joyce’s opinion of the endorsement, but what we do know is that he floated the notion in a speech given to a Washington Post-sponsored cybersecurity conference on Tuesday. Joyce suggested using a “modern cryptographic identifier” – presumably a hash or public-private key pair or something – to identify individual US taxpayers rather than the usual nine digits.
Former Equifax CEO Richard Smith followed a similar path, but in a less-favorable forum – on Tuesday, he was giving testimony to the US House committee investigating the litany of failures that led to his credit-check agency leaking 145 million Americans’ social security numbers and other sensitive personal data. The same biz that just won a US$7.5 million contract to help Uncle Sam identify taxpayers, funnily enough.
“The concept of a Social Security number in this environment being private and secure – I think it’s time as a country to think beyond that,” Smith told politicians. No kidding, Dick, you just lost 145 million of the numbers to hackers.
Meanwhile, arguing the social security number has “outlived its usefulness” for citizen-government interactions, Joyce said that “every time we use the Social Security number you put it at risk.” Again, no kidding, thanks to organizations like Equifax.
Tomi Engdahl says:
Yahoo Triples Estimate of Breached Accounts to 3 Billion
Company disclosed late last year that 2013 hack exposed private information of over 1 billion users
https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804
A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.
Tomi Engdahl says:
Crafting Your Cyber Threat Intelligence Driven Playbook
http://www.securityweek.com/crafting-your-cyber-threat-intelligence-driven-playbook
The concept around cyber threat intelligence is that it should be used to drive better security decisions and as a result better outcomes.
So how do you go about halting payload delivery by disabling a tool that is barely used by your user population? Easy – you push a GPO that has been around for a while. You can refer to this post: For users that have a need to use macros, generate a digital signature for that user base and digitally sign them so they are trusted.
If you understand what these threats are exploiting, and know your environment, you should be able to map out the most effective countermeasures. Each organization should look at countermeasures in terms of what is relevant to them. The level of effort and cost to implement as well as the threat impact potential may be different per organization. Mapping this out though can help you prioritize the countermeasures to deploy. In this scenario the play called had a high level of impact to the threat, a low impact to the user, and a low cost to deploy.
Additionally, your playbook should go beyond countermeasures to proactively prevent bad things from happening… it should also include incident and breach response process because ultimately you cannot prevent every threat. Having intel play a role in your IR/BR process can help speed the response, improve the effectiveness of that response and also loop back into your countermeasures to help prevent future attacks. Run through the different scenarios and options to consider so that it is well-thought out, agreed upon and reacted to as quickly and effectively as possible.
With sound cyber threat intelligence informing these plays in your book, you have practical methodologies to both proactively mitigate and more quickly and effectively respond to specific threats.
Tomi Engdahl says:
Oracle Announces New Cloud Security Services
http://www.securityweek.com/oracle-announces-new-cloud-security-services
Oracle announced this week at the company’s OpenWorld convention the launch of new cloud security services and improvements to existing products.
One of the new offerings is the Oracle Identity Security Operations Center (SOC), a context-aware intelligence and automation solution designed to help organizations detect and respond to sophisticated threats targeting users, applications, data and cloud workloads.
The Identity SOC leverages the newly released Oracle Security Monitoring and Analytics Cloud Service, which provides security incident and event management (SIEM) and user and entity behavioral analytics (UEBA) capabilities.
Two other major components of the Identity SOC are the Oracle CASB (Cloud Access Security Broker) Cloud Service, which enables organizations to protect business-critical cloud infrastructure and data, and the Oracle Identity Cloud Service, described by the company as a “next-generation comprehensive security and identity platform.”
Tomi Engdahl says:
Free Tool Detects, Exploits DLL Hijacking Vulnerabilities
http://www.securityweek.com/free-tool-detects-exploits-dll-hijacking-vulnerabilities
DLL hijacking is not a new attack vector. It’s been around for 20 years or more. It’s not easy, but it’s very effective. Once achieved it provides stealth and persistence — precisely those attributes sought by advanced and state actors.
Forrest Williams, senior security researcher at Cybereason, spotted an incidence of DLL hijacking on a customer’s network; and decided to tackle the problem. His solution was to develop a new scanner, a tool he calls Siofra, that will both detect a hijacking vulnerability and also provide an automated method of exploiting the vulnerability.
It is a drastic solution, and one that leaves him and his company open to criticism in the same way that Metasploit is criticized: it can help bad guys attack good guys. Williams first approached Microsoft and was told, this attack “is predicated on the attacker having written a malicious binary to the directory where the application is launched from. As described in the Windows library search order process, loading binaries from the application directory is by design. This does not meet the bar for security servicing.”
DLL hijacking occurs when a modified and weaponized DLL is called by an application instead of the original DLL. It is neither an easy nor a common attack; but a hijacked DLL can be left behind after a network compromise, allowing the attacker to withdraw while leaving a stealthy, persistent and dangerous malware behind. Because of the inherent difficulties, it is primarily used by advanced or state actors.
And it does happen. It happened with the recent CCleaner compromise, now thought to have been conducted by a Chinese state actor.
For the moment, it appears that Microsoft is unwilling to address the problem. “The only real solution from Microsoft would be whitelisting or code signing so that no DLL is ever loaded into a Microsoft process unless it is digitally signed,” explained Williams. “Thing is, they don’t do this; and I think the reason they don’t do this is because they won’t be able to do backwards compatibility. Also,” he added, “some Microsoft code is designed with ‘just-in-time-compiling’. It’s compiled as the code is run — and there’s no way to sign it. So there’s no real way to create a whitelist. Windows simply wasn’t designed with this issue in mind — so it is design flaws that have prevented them fixing the issue to this day.”
The design flaws will need to be designed out of Windows — but it will take a lot of development effort from Microsoft. “It wouldn’t be an easy fix,” said Williams. “If attacks become more prevalent — and right now they’re not very common — I think that Microsoft would definitely do something. After the release of the Mimikatz tool to steal credentials, making credential stealing much easier, Microsoft has now changed their design.”
Williams has little doubt that DLL hijacking will continue and become a growing problem from advanced attackers. The problem is that the vulnerability is everywhere. “When I tested Siofra,” he told SecurityWeek, “I did not find a single application that did not include at least one vulnerable DLL.” This isn’t limited to Microsoft applications, although it includes Windows Defender, Internet Explorer and WMI — none of which were previously known to be vulnerable. But it also includes applications like Adobe Reader and Firefox. “No defensive software wants to delete high-trust applications like these.” As a result, a hijacked DLL simply flies under the radar of anti-malware software.
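The detection side of the problem Williams describes can be checked without Siofra. The following is an added example, not code from the article, from Cybereason or from Siofra: it runs a simple search-order-hijack check over constructed Sysmon-style ImageLoad (Event ID 7) records. The field names (Image, ImageLoaded, Signed, Signature) follow Sysmon's schema; the records, the application paths and the short list of System32 DLL names are all made up for this illustration, and a real deployment would build that list from a known-good host.

```python
import ntpath

# Where Windows keeps its own DLLs (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that legitimately live in System32. Assumed subset for the example;
# build the real set from a clean reference host.
KNOWN_SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll", "uxtheme.dll"}

# Constructed Sysmon-style ImageLoad (Event ID 7) records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorhelper.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
]


def _dirname(path):
    # ntpath so the Windows paths are handled correctly on any analysis host
    return ntpath.dirname(path).lower()


def _basename(path):
    return ntpath.basename(path).lower()


def classify_load(event, known_system_dlls=KNOWN_SYSTEM_DLLS):
    """Return a reason string if this ImageLoad event looks like search-order
    hijacking, or None if it looks normal."""
    image_dir = _dirname(event["Image"])
    dll_dir = _dirname(event["ImageLoaded"])
    dll_name = _basename(event["ImageLoaded"])
    signed = event.get("Signed", "").lower() == "true"

    if dll_dir in SYSTEM_DIRS:
        return None  # resolved where Windows keeps it: not a hijack
    if dll_dir == image_dir and dll_name in known_system_dlls:
        # A System32 DLL name resolved from the application directory first:
        # the "by design" search-order behaviour Microsoft declined to service.
        # Flagged regardless of signature, since a signed-but-foreign DLL
        # shadowing a system name is still a hijack.
        return "system DLL shadowed in application directory"
    if dll_dir == image_dir and not signed:
        return "unsigned DLL loaded from application directory"
    return None


def find_suspicious_loads(events):
    """Run classify_load over a batch; return (reason, image, dll) tuples."""
    hits = []
    for event in events:
        reason = classify_load(event)
        if reason is not None:
            hits.append((reason, event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for reason, image, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {dll}")
```

Two of the four constructed loads are flagged: the copy of version.dll sitting next to app.exe (a system name shadowed in the application directory) and the unsigned vendorhelper.dll. The signed vendorcore.dll in the same directory is left alone, which is the trade-off of this rule: it trusts vendor signatures, so a hijack that ships a validly signed DLL under a non-system name would pass, and the shadowing rule is only as good as the list of system DLL names it is given.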
Tomi Engdahl says:
New Microsoft Tool Analyzes Memory Corruption Bugs
http://www.securityweek.com/new-microsoft-tool-analyzes-memory-corruption-bugs
A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.
Called VulnScan, the tool has been designed and developed by the Microsoft Security Response Center (MSRC) to help determine the vulnerability type and root cause of memory corruption flaws. The utility was built on top of two internally developed tools, namely Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD), the tech giant says.
WinDbg was created as a Windows debugger that has recently received a user interface makeover, while Time Travel Debugging is an internally developed framework designed to record and replay execution of Windows applications.
“By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki from MSRC explains.
VulnScan – Automated Triage and Root Cause Analysis of Memory Corruption Issues
https://blogs.technet.microsoft.com/srd/2017/10/03/vulnscan-automated-triage-and-root-cause-analysis-of-memory-corruption-issues/
For these reasons, MSRC has made significant investments over the course of many years to build tooling that helps us automate the root cause analysis process. VulnScan is a tool designed and developed by MSRC to help security engineers and developers determine the vulnerability type and root cause of memory corruption bugs. It is built on top of two internally developed tools: Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD).
WinDbg is Microsoft’s Windows debugger that has recently received a user interface makeover to make it even easier to use. You can find more information about the new WinDbg Preview version here.
Time Travel Debugging is an internally developed framework that records and replays execution of Windows applications. This technology was released during CPPCon 2017.
Classes of memory corruption issues supported by VulnScan:
Out of bounds read/write
Use after free
Type confusion
Uninitialized memory use
Null/constant pointer dereference
MSRC uses VulnScan as part of our automation framework called Sonar. It automatically processes externally reported proof of concept files on all supported platforms and software versions. Sonar is used to both reproduce and to perform the root cause analysis. To this end, we employ multiple different environments and try to reproduce the issue multiple times with different configurations.
VulnScan is planned for inclusion in Microsoft Security Risk Detection service (Project Springfield), where it is used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.
Tomi Engdahl says:
Code Execution Flaws Patched in Apache Tomcat
http://www.securityweek.com/code-execution-flaws-patched-apache-tomcat
Several vulnerabilities, including ones that allow remote attackers to execute arbitrary code, have been patched in recent weeks in Apache Tomcat.
Developed by The Apache Software Foundation, Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages (JSP), Java WebSocket and Java Expression Language technologies. Tomcat is said to be the most widely used web application server, with a presence in more than 70% of enterprise data centers.
Apache Tomcat developers informed users on Tuesday that the product is affected by a remote code execution vulnerability.
The flaw, tracked as CVE-2017-12617 and classified as “important” severity, has been addressed with the release of versions 9.0.1, 8.5.23, 8.0.47 and 7.0.82. All previous 9.x, 8.5.x, 8.0.x and 7.0.x versions are impacted.
The vulnerability affects systems that have the HTTP PUT method enabled and it allows attackers to upload a malicious JSP file to a targeted server using a specially crafted request. The server would then execute the code in the JSP file when the file was requested. A proof-of-concept (PoC) exploit is publicly available.
While this sounds like a serious vulnerability, it only affects systems that have the default servlet configured with the readonly parameter set to false or the WebDAV servlet enabled with the readonly parameter set to false.
Summary: Apache Tomcat Remote Code Execution via JSP Upload bypass
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Tomi Engdahl says:
NIST Readies to Tackle Internet’s Global BGP Vulnerabilities
http://www.securityweek.com/nist-readies-tackle-internets-global-bgp-vulnerabilities
NIST has published an update on its work on the new Secure Internet Domain Routing (SIDR) standards designed to provide the internet the security that is currently lacking from the Border Gateway Protocol (BGP).
BGP was designed in 1989 as a short-term fix for the earlier Exterior Gateway Protocol that could no longer handle the rapidly increasing size of the internet, and was in imminent danger of meltdown. The problem is that BGP was designed without any security, despite it being fundamental to the operation of the internet.
BGP controls the route that data takes from source to destination. It does this by keeping tabs on the availability of local stepping stones along that route. The availability of those stepping stones is maintained in regularly updated routing tables held locally. The problem is that there is no security applied to those tables — in effect, the entire map of the internet is built on trust; and trust is in short supply in today’s internet. Whole swathes of traffic can be hijacked.
“BGP forms the technical glue holding the internet together,” explains NIST in Tuesday’s post; “but historically, its lack of security mechanisms makes it an easy target for hacking.”
The trust model underpinning BGP is easily abused, and has frequently been abused. Generally speaking, most abuse is thought to have been accidental — but there have been enough suspicious incidents to demonstrate that the theoretic concern over BGP’s security is not unfounded.
“As a result,” warns NIST in a separate publication (SIDR, Part 1: Route Hijacks– PDF)
New Network Security Standards Will Protect Internet’s Routing
https://www.nist.gov/news-events/news/2017/10/new-network-security-standards-will-protect-internets-routing
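The first building block of the SIDR work is route origin validation: a router compares each announcement's origin AS and prefix length against the Route Origin Authorizations published in the RPKI. The block below is an added example, not code from NIST or from any router vendor, implementing the RFC 6811 valid/invalid/not-found classification over a constructed set of validated ROA payloads and a constructed set of announcements. The prefixes and ASNs are from the documentation ranges and stand for nothing real.

```python
import ipaddress

# Constructed validated ROA payloads (prefix, maxLength, authorised origin AS).
# A real deployment takes these from an RPKI validator's VRP export.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

# Constructed announcements as (prefix, AS path); the origin is the last AS.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),   # legitimate origin
    ("192.0.2.0/24", [64500, 64666]),   # origin hijack: wrong AS
    ("198.51.100.0/25", [64497]),       # right AS, but /25 exceeds maxLength 24
    ("203.0.113.0/24", [64498]),        # no ROA covers it at all
]


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 route origin validation.

    valid     - a ROA covers the prefix, the origin AS matches, and the
                announced length does not exceed that ROA's maxLength
    invalid   - at least one ROA covers the prefix but none accepts it
                (wrong origin, or a more-specific beyond maxLength)
    not-found - no ROA covers the prefix
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in vrps:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if roa_net.version != net.version:
            continue  # subnet_of() rejects mixed address families
        if net.subnet_of(roa_net):
            covered = True
            if origin_asn == roa_asn and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def check_announcements(announcements, vrps=VRPS):
    """Classify each announcement; returns (prefix, origin AS, state) tuples."""
    return [(prefix, path[-1], validate_origin(prefix, path[-1], vrps))
            for prefix, path in announcements]


if __name__ == "__main__":
    for prefix, origin, state in check_announcements(SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:18} AS{origin:<6} {state}")
```

The third announcement is the case operators most often get wrong: the origin AS is the authorised one, but a ROA with maxLength 24 does not authorise a /25, so the more-specific is invalid rather than valid. This is exactly the shape of a more-specific hijack, and it is why a ROA's maxLength should be no longer than the prefixes the holder actually announces. Note also that "not-found" is the result for any prefix without a ROA, which is still a large share of the routing table; the usual policy is therefore to drop only invalid routes and to accept, perhaps with lower preference, routes that are not-found.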
Tomi Engdahl says:
Attribution Hell: Cyberspies Hacking Other Cyberspies
http://www.securityweek.com/attribution-hell-cyberspies-hacking-other-cyberspies
Cyber espionage attribution is almost never easy, but it becomes even more complicated when threat actors hack other threat actors and they start using each other’s tools and infrastructure in their operations.
On Wednesday, at the Virus Bulletin conference in Madrid, Spain, Kaspersky researchers Juan Andrés Guerrero-Saade and Costin Raiu pointed out that cyberspies hacking other cyberspies, which they call “fourth-party data collection,” is the worst case scenario when trying to link an attack to a certain actor.
Fourth-party collection takes place when a competent entity (Agency-A) actively or passively harvests information related to a foreign intelligence service’s (Agency-B) computer network exploitation activity.
Active collection involves Agency-A breaking into the C&C servers or backend-collection nodes of Agency-B. This can be achieved either by using stolen credentials or by exploiting vulnerabilities to plant a backdoor on the server – the latter scenario can be more efficient as it provides persistent access without raising suspicion.
Once it gains access to Agency-B’s systems, Agency-A can adopt its tools and infrastructure to launch attacks in their name. According to Guerrero-Saade and Raiu, Kaspersky Lab has investigated several campaigns that could involve fourth-party collection.
Benefits of fourth-party collection
According to Guerrero-Saade and Raiu, the byproducts and benefits of fourth-party collection include tasking-by-proxy, code reuse, and learning from adversaries.
As for code reuse, the experts pointed out that there can be numerous benefits to obtaining a different group’s tools and implants. They noted that a piece of code found in two different malware families does not necessarily mean they were made by the same developers; it’s possible that the developers of one tool used code that they had stolen from another threat actor.
Tomi Engdahl says:
The Disturbing Rise of Cyberattacks Against Abortion Clinics
https://www.wired.com/story/cyberattacks-against-abortion-clinics
Later that day, Whole Woman’s Health noticed a surge in hacking attempts through routine monitoring of web activity. A few days after, the staff couldn’t log into the website. One of the intrusive efforts had succeeded, and shut the website down for a week.
It was just the beginning of the onslaught of cyberattacks that Whole Woman’s Health would experience between June 2013 and April 2016, as the organization continued to fight a legal battle over abortion that went all the way to the Supreme Court.
The battle lines around abortion in the US have been clearly drawn for decades. Protesters, ranging from handfuls to hundreds, stake territory outside clinics to pray, wave signs, and yell into loudspeakers.
Over the past few years, though, a new front has emerged that many reproductive healthcare organizations struggle to deal with. Cyberattacks and threats, as well as internet harassment, have escalated, aiming to disrupt services, intimidate providers and patients, and prevent women from getting the care they need.
After the initial attack, Whole Woman’s Health hired a cybersecurity specialist to remove the malware and repair the damage that had been done. Still, Hagstrom Miller says, the site suffered more than 500 hacking attempts each day in the wake of Gifford’s testimony. About a month later, hackers found and exploited a vulnerability in the Whole Woman’s Health blog, which gave them a backdoor to the entire website.
The second successful attack shut down the site for a month. Without it, potential patients were unable to find the clinics, make appointments, identify hours, locations, and services provided, and ask questions.
“The damage was awful,” Gifford said. “Our phones literally stopped ringing. It was devastating. Most of our patients find us online, so with no website and no Google advertising, it made day-to-day awareness nearly impossible.”
After that attack, Whole Woman’s Health switched to a more secure hosting provider, and rebuilt every single page on its website, around 100 in all. These measures allowed the organization to better track the cyberthreats as they came in, but didn’t stop them.
The high profile of Whole Woman’s Health may have made the organization a unique target, but anti-abortion cyber warfare is part of a larger trend.
Hackers targeted Whole Woman’s Health and Planned Parenthood because they are prominent, nationally recognized organizations that advocate for abortion rights, but the threats can be localized as well.
“It happens pretty regularly and we have had to spend way too much money to fix it,” Hales says. “To be honest, I’m surprised by how tech-savvy they are.”
“Anyone that knows how to type a word document or a simple email can go on the dark web with malicious intent to find what they are after,” Petronella says. “The simplicity of it is scary.”
Many hospitals, clinics, and private practices operate on older technology and equipment and have limited resources to devote to state-of-the-art IT.
“Healthcare is such low-hanging fruit,” Petronella says. “Hackers know their defenses are weak and they are limited on budget, without a lot of sophistication with cybersecurity. They also know that a healthcare practice needs their computer systems and are sensitive to downtime. They can do a lot of damage.”
And then there are the threats that exist in gray area. APWHC does not have Wi-Fi, because they ask their patients to stay off their phones for privacy purposes. Hales said one local anti-abortion group sends over a van that parks outside the clinic with a Wi-Fi node that broadcasts a network called Abortion Info. When patients connect to the network, they are taken to a website that looks like APWHC’s, but isn’t.
“People automatically log in and the website looks exactly like our website,” Hales says. “It has all these cartoon videos that say things like ‘I’m going to stick in the speculum and rip the arm off.’ It’s creepy as shit.”
Massachusetts recently banned this practice, but it demonstrates how the anti-abortion movement has embraced digital tools to circumvent barriers they face in the physical world.
The attacks against Whole Woman’s Health have since subsided, but who knows when they might strike again? There is no such thing as “perfect” cybersecurity.
Tomi Engdahl says:
Russian intelligence reportedly breached the NSA in 2015, stealing cybersecurity strategy
https://techcrunch.com/2017/10/05/russian-intelligence-reportedly-breached-the-nsa-in-2015-stealing-cybersecurity-strategy/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
Russian intelligence reportedly breached the NSA in 2015, stealing cybersecurity strategy
Posted 45 minutes ago by Devin Coldewey
The NSA suffered a serious breach in 2015, exposing the agency’s cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky labs is suggested to have been their vector.
Amazingly, the data in question is reported to have been taken home by an NSA contractor, who was somehow compromised through their use of Kaspersky’s antivirus software. How exactly this would work is not explained, although it is speculated that it may be related to the practice of downloading and storing files it thought were suspicious (e.g. malware executables) on its servers. We’ve contacted the company for more information.
https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108
Tomi Engdahl says:
Russian Hackers Stole NSA Data on U.S. Cyber Defense
https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108
The breach, considered the most serious in years, could enable Russia to evade NSA surveillance and more easily infiltrate U.S. networks
Tomi Engdahl says:
Cloudflare Bans Sites For Using Cryptocurrency Miners
https://torrentfreak.com/cloudflare-bans-sites-for-using-cryptocurrency-miners-171004/
BY ANDY ON OCTOBER 4, 2017
Web-based cryptocurrency miners became a big thing recently when The Pirate Bay trialed one to generate extra revenue. Now, however, TorrentFreak has learned that Cloudflare has banned at least one torrent proxy site for deploying a miner on its platform. According to Cloudflare, unannounced miners are considered malware.
Tomi Engdahl says:
Apple Releases macOS High Sierra 10.13 Supplemental Update With Fix for APFS Disk Utility Bug and Keychain Vulnerability
https://www.macrumors.com/2017/10/05/apple-releases-macos-high-sierra-10-13-supplemental-update/
Apple today released a supplemental update to macOS High Sierra 10.13, the first update to the macOS High Sierra operating system that was released to the public in late September. The macOS High Sierra 10.13 update comes just over one week after the release of macOS High Sierra.
The new version of macOS High Sierra 10.13 is a free update for all customers who have a compatible machine. The update can be downloaded using the Software Update function in the Mac App Store.
Tomi Engdahl says:
Another W3C API exposing users to browser snitching
Web Payments API bugs, or perhaps features, can be abused: Lukasz Olejnik
https://www.theregister.co.uk/2017/10/06/another_w3c_api_exposing_users_to_browser_snitching/
Yet another W3C API can be turned against the user, privacy boffin Lukasz Olejnik has found – this time, it’s in how browsers store and check credit card data.
As is so often the case, a feature created for convenience can be abused in implementation. To save users from the tedious task of entering the 16 characters of their credit card numbers, four for date, and three for CCV number, the Web Payments API lets Websites pull numbers stored in browsers.
Olejnik, security and privacy researcher, writes that even without a full privacy assessment, it was easy to discover some serious vectors for misuse: fingerprinting, a frequent interest of Olejnik’s; and in Chrome, he found a way to reliably detect users in “incognito” mode, “a thing that generally should not be possible”.
Web Payments API is supported in Chrome and Edge, and is on the real-soon-now list in Firefox and WebKit.
Privacy of Web Request API
https://blog.lukaszolejnik.com/privacy-of-web-request-api/
Simple payment standard will be the new cool thing web browsers can do. This happens thanks to W3C Payment Request API. Early on it has been even featured in the New York Times and rightly so, as it has a big potential. Why?
Web Payment API works as follows:
payment process is initiated by the site
the browser takes control; the user can provide a payment method such as a credit card, then a CVV number, and that’s it.
All using a standard, intuitive, browser-supported display messages. Payment Request API is now supported in Chrome and Edge, and will soon ship to Firefox and WebKit.
A lot of thought and resources went into the development of Payment Request API, including considering its security and privacy aspects. Still, it’s often difficult to design things considering all possible misuse scenarios. In this post, I’m including just a small addition. I’m not providing a comprehensive privacy review of the specification. My focus is put on a particular and possibly most troubling aspect
This aspect enables:
In general, fingerprinting and possibly profiling, and…
In Chrome browser – detecting incognito (a.k.a. private browsing mode) mode reliably, a thing that generally should not be possible
Tomi Engdahl says:
Dumb bug of the week: Apple’s macOS reveals your encrypted drive’s password in the hint box
High Sierra update derided by devs as half-baked
https://www.theregister.co.uk/2017/10/05/apple_patches_password_hint_bug_that_revealed_password/
Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software.
Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, Felix Schwartz.
The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS).
Tomi Engdahl says:
Russian spies used Kaspersky AV to hack NSA contractor, swipe exploit code – new claim
https://www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/
Russian government spies extracted NSA exploits from a US government contractor’s home PC using Kaspersky Lab software, anonymous sources have claimed.
The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky’s antivirus, sources told the Wall Street Journal. It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them.
In effect, it means the Russian government has copies of the NSA’s tools used to exploit vulnerabilities in computer systems and equipment to spy on other nations and targets. It also means Russia can turn the cyber-weapons on American corporations, government agencies and other networks, and steal secrets, cause merry havoc, and so on.
The theft, reported today, is said to have occurred in 2015, but apparently wasn’t discovered until earlier this year.
The allegedly stolen NSA code and dossiers sound an awful lot like the Shadow Brokers archive of stolen agency spyware. The brokers’ pilfered exploits date back to 2013, though.
Russian Hackers Stole NSA Data on U.S. Cyber Defense
The breach, considered the most serious in years, could enable Russia to evade NSA surveillance and more easily infiltrate U.S. networks
https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108
Tomi Engdahl says:
The NSA Officially Has a Rogue Contractor Problem
https://www.wired.com/story/nsa-contractors-hacking-tools
The NSA is one of the world’s most notoriously secretive and powerful government agencies, guarding its powerful hacking tools and massive caches of collected data under layers of security clearances and world-class technical protections. But it turns out that three times in three years, that expensive security has been undone by one of its own contract employees simply carrying those secrets out the door.
In 2013, an NSA contractor named Edward Snowden walked out of the agency’s building in Oahu, Hawaii, carrying a USB drive full of thousands of top-secret documents. Last year, a 53-year-old Booz Allen contractor for the NSA named Hal Martin was arrested for taking 50 terabytes out of the agency over a period as long as two decades. And Thursday, the Wall Street Journal reported that in 2015, a third contract employee of the NSA in as many years took home a trove of classified materials that included both software code and other information that the agency uses in its offensive hacking operations, as well as details of how it protects US systems from hacker adversaries.
That classified data, which wasn’t authorized to be removed from the perimeter of the facility where that contractor worked, was then stolen from the contractor’s home computer by Russian spies, who exploited the unnamed employee’s installation of antivirus software from Kaspersky, a Russian company. And while that revelation has raised yet another round of serious concerns and unanswered questions about Kremlin spying and the role of Kaspersky’s widely used commercial software, it also points to a more fundamental security problem for the NSA: The own-goals it has committed, as a series of its paid employees spill some of its most sensitive secrets—including its intensely guarded and dangerous hacking techniques.
Going Rogue
The revelation of the latest unidentified contractor, whose employer also hasn’t been publicly named, comes a year after Martin was caught leaving sensitive data on hard drives in his home and car, a collection that included 75 percent of the hacking tools used by the NSA’s elite hacking team, known as Tailored Access Operations, according to the Washington Post. Prosecutors in Martin’s case have said the data also contained the highly secret identities of undercover agents.
It’s not yet clear if either Martin or the most recent contractor to breach the agency’s secrecy rules had any intention of selling or exploiting the documents they took. The latest incident in particular seems to be a case of carelessness, rather than profit or malice, according to the Wall Street Journal’s reporting. Both of those leaks contrast with the whistleblowing-motivated data thefts of Edward Snowden—another Booz Allen contractor—who stole his thousands of top secret files with the intention of giving them to media.
Tomi Engdahl says:
John Kelly’s personal cellphone was compromised, White House believes
http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514
White House tech support discovered the suspected breach after Kelly turned his phone in to tech support staff this summer.
White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.
The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.
Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.
Kelly told the staffers the phone hadn’t been working properly for months, according to the officials.
White House aides prepared a one-page September memo summarizing the incident, which was circulated throughout the administration.
A White House spokesman said Kelly hadn’t used the personal phone often since joining the administration. This official said Kelly relied on his government-issued phone for official communications.
The official, who did not dispute any of POLITICO’s reporting on the timeline of events or the existence of the memo, said Kelly no longer had possession of the device but declined to say where the phone is now.
Tomi Engdahl says:
Amber Rudd: viewers of online terrorist material face 15 years in jail
https://www.theguardian.com/uk-news/2017/oct/03/amber-rudd-viewers-of-online-terrorist-material-face-15-years-in-jail?CMP=share_btn_fb
Tightening of law around viewing terrorist material is response to increasing frequency of UK attacks
People who repeatedly view terrorist content online could face up to 15 years behind bars in a move designed to tighten the laws tackling radicalisation the home secretary, Amber Rudd, is to announce on Tuesday.
A new maximum penalty of 15 years’ imprisonment will also apply to terrorists who publish information about members of the armed forces, police and intelligence services for the purposes of preparing acts of terrorism.
The tightening of the law around viewing terrorist material is part of a review of the government’s counter-terrorism strategy following the increasing frequency of terrorist attacks in Britain this year.
Tomi Engdahl says:
Russian Hackers Stole NSA Hacking Tools Using Kaspersky Software
https://gbhackers.com/nsa-hacking-tools/
Russian government hackers used Kaspersky software to steal advanced NSA cyber weapons, such as secret spying tools, from the personal home computer of an NSA contractor who used Russia-based Kaspersky security products.
The incident, reported by The Wall Street Journal, involved highly sensitive data, such as how the NSA penetrates foreign computer networks.
Tomi Engdahl says:
Dustin Volz / Reuters:
US House Committee on Science, Space and Technology sets hearing on Kaspersky Lab for Oct. 25
U.S. House committee calls new hearing on Kaspersky software
http://www.reuters.com/article/us-usa-kaspersky-hearing/u-s-house-committee-calls-new-hearing-on-kaspersky-software-idUSKBN1CB2K6
WASHINGTON (Reuters) – A U.S. House of Representatives committee said on Friday that it has scheduled a new hearing on Kaspersky Lab software as lawmakers review accusations that the Kremlin could use its products to conduct espionage.
Kaspersky Lab has strongly denied those allegations, which last month prompted the Trump administration to order civilian government agencies to purge the software from its networks, and agreed to send Chief Executive Eugene Kaspersky to Washington to testify before Congress.
Tomi Engdahl says:
Activism on digital AR space:
Jeff Koons’ augmented reality Snapchat artwork gets ‘vandalized’
https://techcrunch.com/2017/10/08/jeff-koons-augmented-reality-snapchat-artwork-gets-vandalized/?utm_source=tcfbpage&sr_share=facebook
Earlier this week, Snapchat launched a new augmented reality art exhibiting feature as part of a collaboration with the artist Jeff Koons. ART, as it’s called, will plaster the digital artwork and sculptures of artists into geo-tagged physical locations across the world that viewers can see as a Lens inside the Snapchat app.
The group didn’t hack Snap’s servers to vandalize the sculpture, the work is more simply a 3D digital recreation of the work placed on top of a photo of the same geo-tagged location as Koons’ work.
Tomi Engdahl says:
Did you know that it’s National Cyber Security Awareness Month? It is!
https://staysafeonline.org/ncsam/
Tomi Engdahl says:
Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI
https://yro.slashdot.org/story/17/10/08/029217/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi
“VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity,” writes Bleeping Computer, “but a recent criminal case shows that at least some do store user activity logs.” According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don’t.
Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI
https://www.bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi/
VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity, but a recent criminal case shows that at least some do store user activity logs.
The case in question is of Ryan Lin, a 24-year-old man from Newton, Massachusetts, arrested on Thursday, October 5, on charges of cyberstalking.
According to an FBI affidavit published by the US Department of Justice, Lin is accused of harassing and cyberstalking an unnamed 24-year-old woman — referred to under the generic name of Jennifer Smith — between April 2016 and up until his arrest.
Suspect hid behind VPNs, Tor, ProtonMail
For all of these actions, the suspect used ProtonMail, VPN clients, and Tor to hide his identity. After local police investigated all the victim’s complaints for almost a year, they called in the FBI to help.
The FBI found their first evidence at one of Lin’s former employers. The company had reinstalled Lin’s work computer after he left, but the FBI was able to find various artifacts in the hard drive’s unallocated disk space.
VPN activity logs tie Lin to Smith’s harassment
Yet, the most conclusive evidence came after the FBI managed to obtain logs from two VPN providers — PureVPN and WANSecurity.
Ironically, FBI agents also found tweets in which Lin was warning other users that VPN providers store activity logs, advice he didn’t follow himself.
Tomi Engdahl says:
OpenSSH 7.6 drops support for SSHv1, splats bugs
Sysadmins and developers alike, pay heed: the folk who tend SSH have pushed out a new version with a bunch of security patches and bug fixes.
Calling the release “primarily a bugfix”, the maintainers also note that OpenSSH 7.6 “contains substantial internal refactoring”.
Those deploying or writing to 7.6 are given notice of five details that might break existing implementations: SSHv1 support is gone, as is support for the hmac-ripemd160 message authentication code (MAC).
The deprecated arcfour, blowfish and CAST ciphers have been consigned to memory, RSA keys less than 1,024 bits long will be refused, and CBC (cipher block chaining) will no longer be offered by default.
Source:
https://www.theregister.co.uk/2017/10/06/security_roundup/
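The five breaking changes listed above are easiest to see side by side in a config. The script below is an added example, not code from the Register article or from the OpenSSH project: it embeds a constructed sshd_config fragment carrying each setting that 7.6 removes or stops offering by default (SSHv1 in the Protocol line, arcfour/blowfish/CAST ciphers, hmac-ripemd160, CBC modes) next to a constructed hardened fragment, and reports which lines would break on upgrade. The function names and both config fragments are assumptions made for this example; the RSA check parses a line in the shape ssh-keygen -l prints, constructed here rather than captured from a real key.

```shell
#!/bin/sh
# Constructed sample sshd_config fragment (not from any real host) with the
# settings OpenSSH 7.6 removed or stopped offering by default.
WEAK_CONFIG='Protocol 2,1
Ciphers aes128-cbc,arcfour,blowfish-cbc,cast128-cbc,aes256-ctr
MACs hmac-ripemd160,hmac-sha2-256
HostKey /etc/ssh/ssh_host_rsa_key'

# Constructed hardened counterpart: SSHv2 only, AEAD/CTR ciphers, SHA-2 MACs.
HARDENED_CONFIG='Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key'

# audit_ssh_config CONFIG_TEXT
# Prints one "FINDING:" line per setting that 7.6 no longer supports or no
# longer offers by default. Returns 0 when clean, 1 when anything was found.
audit_ssh_config() {
    config="$1"
    findings=0
    # A Protocol line that lists version 1 anywhere (e.g. "2,1" or "1").
    if printf '%s\n' "$config" \
        | grep -E '^[[:space:]]*[Pp]rotocol[[:space:]]+([0-9]+,)*1(,|$)' >/dev/null; then
        echo "FINDING: SSHv1 enabled via Protocol line (support removed in 7.6)"
        findings=$((findings + 1))
    fi
    ciphers=$(printf '%s\n' "$config" | awk 'tolower($1)=="ciphers"{print $2}' | tr ',' '\n')
    for c in $ciphers; do
        case "$c" in
            arcfour*|blowfish*|cast128*)
                echo "FINDING: cipher $c removed in 7.6"; findings=$((findings + 1)) ;;
            *-cbc)
                echo "FINDING: CBC cipher $c no longer offered by default"; findings=$((findings + 1)) ;;
        esac
    done
    macs=$(printf '%s\n' "$config" | awk 'tolower($1)=="macs"{print $2}' | tr ',' '\n')
    for m in $macs; do
        case "$m" in
            hmac-ripemd160*)
                echo "FINDING: MAC $m removed in 7.6"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# count_findings CONFIG_TEXT: number of FINDING lines the audit produced.
count_findings() {
    audit_ssh_config "$1" | grep -c '^FINDING'
}

# rsa_key_accepted "BITS SHA256:... comment (TYPE)"
# Takes one line in the shape ssh-keygen -l prints and returns 0 if 7.6 would
# still accept the key: non-RSA keys pass, RSA keys need at least 1024 bits.
rsa_key_accepted() {
    bits=$(printf '%s\n' "$1" | awk '{print $1}')
    type=$(printf '%s\n' "$1" | awk '{print $NF}')
    [ "$type" != "(RSA)" ] || [ "$bits" -ge 1024 ]
}

# Stand-alone run: audit both fragments and one constructed short RSA key line.
audit_ssh_config "$WEAK_CONFIG" || echo "weak config: $(count_findings "$WEAK_CONFIG") finding(s)"
audit_ssh_config "$HARDENED_CONFIG" && echo "hardened config: clean"
rsa_key_accepted "768 SHA256:cONsTrUcTeDfInGeRpRiNt user@example (RSA)" \
    || echo "768-bit RSA key would be refused by 7.6"
```

Run against a real sshd_config with `audit_ssh_config "$(cat /etc/ssh/sshd_config)"`; a non-zero exit is the signal to fix the listed lines before upgrading rather than after clients start failing to connect. Key sizes come from `ssh-keygen -l -f <keyfile>`, whose output line feeds `rsa_key_accepted` unchanged.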
Tomi Engdahl says:
In recent months, Deloitte has introduced multi-factor authentication and encryption software to try to stop further hacks.
Dmitri Sirota, co-founder and CEO of the cybersecurity firm BigID, warned that many companies had failed to use such methods because they were inconvenient and complex.
“Privileged accounts are like keys that unlock everything, from the castle to the treasury. They provide unfettered access to all systems, which is why they are so valuable.
“Organisations are monitoring databases, not the data in it. It’s hard to detect changes, prevent incidents or compare your data to notice breached information unless you have an inventory of what you have.”
Source: https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government
Tomi Engdahl says:
Researcher finds OnePlus’ OxygenOS does not anonymize telemetry data, lacks an opt-out setting — OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users’ actions without anonymizing data, allowing OnePlus to connect each phone to its customer.
OxygenOS Telemetry Lets OS Maker Tie Phones to Individual Users
https://www.bleepingcomputer.com/news/mobile/oxygenos-telemetry-lets-os-maker-tie-phones-to-individual-users/
OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users’ actions without anonymizing data, allowing OnePlus to connect each phone to its customer.
A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day.
The data collection issue was brought up to everyone’s attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.
OnePlus caught collecting trove of sensitive details
Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus’ servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.
In almost all cases, when vendors collect this data, they make sure not to include details that may reveal information about the user’s real-world identity.
The problem is that OnePlus is not anonymizing this information.
OnePlus OxygenOS built-in analytics
https://www.chrisdcmoore.co.uk/post/oneplus-analytics/
Tomi Engdahl says:
Melanie Ehrenkranz / Gizmodo:
In the wake of Las Vegas shooting, YouTube has blocked some videos showing how to modify guns to fire more rapidly and updated its guidelines
YouTube Bans Some Gun Modification Tutorials, But Plenty Remain
https://gizmodo.com/youtube-bans-some-gun-modification-tutorials-but-plent-1819278915
Fifty-eight people were killed in the Las Vegas massacre last week, the deadliest mass shooting in modern US history. Seventeen guns were found in gunman Stephen Paddock’s hotel room, including a dozen that had been modified with a “bump stock,” an added part that allowed the guns to fire more rapidly. And up until today, anyone with access to YouTube could watch a tutorial on how to modify their guns in the exact same way. Now those videos are not allowed.