The year 2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are supposed to be protected against all of them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP: beginning with Chrome 56 in January 2017, HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
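The Chrome 56 rule described above applies to a page’s own scheme, so a site owner can find affected pages in their own estate before the browser does. The following is an added example, not code from the original post; the HTML samples and example.com hosts are constructed, and the credit-card detection keys on autocomplete="cc-*" attributes as an approximation of Chrome’s heuristics.

```python
"""Find pages that Chrome 56 will label "Not secure": an http:// page that
contains a password field or a credit-card field.

Constructed example. Credit-card detection keys on autocomplete="cc-*"
attributes, which approximates Chrome's heuristics (assumption).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveInputFinder(HTMLParser):
    """Count <input> elements that collect passwords or card data."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").lower() == "password":
            self.password_fields += 1
        if attr.get("autocomplete", "").lower().startswith("cc-"):
            self.card_fields += 1


def chrome56_not_secure(page_url, html):
    """True when Chrome 56 would flag this page.

    The page's own scheme decides: a form that posts to https from an
    http page is still flagged, because the page itself was served over HTTP.
    """
    if urlsplit(page_url).scheme.lower() != "http":
        return False
    finder = SensitiveInputFinder()
    finder.feed(html)
    finder.close()
    return finder.password_fields > 0 or finder.card_fields > 0


def audit(pages):
    """pages: {url: html}. Returns the URLs Chrome 56 marks as not secure."""
    return sorted(url for url, html in pages.items() if chrome56_not_secure(url, html))


# Constructed sample pages (not real sites).
LOGIN_FORM = """<form action="https://www.example.com/login" method="post">
  <input name="user" type="text"><input name="pw" type="PASSWORD"><button>Sign in</button>
</form>"""
CHECKOUT_FORM = """<form method="post">
  <input name="card" autocomplete="cc-number" inputmode="numeric">
  <input name="exp" autocomplete="cc-exp">
</form>"""
NEWSLETTER_FORM = '<form method="post"><input name="email" type="email"></form>'

SAMPLE_PAGES = {
    "http://www.example.com/login": LOGIN_FORM,            # flagged: http + password field
    "https://www.example.com/login": LOGIN_FORM,           # not flagged: served over https
    "http://shop.example.com/checkout": CHECKOUT_FORM,     # flagged: http + card field
    "http://www.example.com/newsletter": NEWSLETTER_FORM,  # not flagged: nothing sensitive
}

if __name__ == "__main__":
    for url in audit(SAMPLE_PAGES):
        print("Not secure:", url)
```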
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. One-third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are too lazy to make the change.
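Finding the SHA-1 certificates in your own inventory only needs the outer signatureAlgorithm field of each certificate, which this added example (not code from the original post) reads with a minimal DER walker; the three sample certificates are constructed Certificate-shaped placeholders, not real certificates, and the audit logic works on any real DER certificate as well.

```python
"""Inventory check for SHA-1 signed certificates.

Walks the outer structure of a DER certificate,
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue },
and reports the signatureAlgorithm OID. The sample certificates are constructed
placeholders (valid DER shape, no real keys or signatures).
"""

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
KNOWN_SAFE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted-string form of an OBJECT IDENTIFIER's content octets."""
    arcs = [content[0] // 40, content[0] % 40]  # first octet packs the first two arcs
    value = 0
    for octet in content[1:]:
        value = (value << 7) | (octet & 0x7F)  # base-128 digits, high bit = continue
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)


def signature_algorithm(cert_der):
    """Return the outer signatureAlgorithm OID of a DER-encoded certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)      # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def is_sha1_signed(cert_der):
    return signature_algorithm(cert_der) in SHA1_SIGNATURE_OIDS


def audit(certs):
    """Map each named DER certificate to a verdict string."""
    report = {}
    for name, der_bytes in certs.items():
        oid = signature_algorithm(der_bytes)
        if oid in SHA1_SIGNATURE_OIDS:
            report[name] = "REPLACE: " + SHA1_SIGNATURE_OIDS[oid]
        else:
            report[name] = "ok: " + KNOWN_SAFE_OIDS.get(oid, oid)
    return report


# --- constructed test certificates (Certificate-shaped DER, not real certs) ---

def der(tag, content):
    """Encode one DER element, switching to long-form length when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length_octets = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + content


def constructed_cert(sig_oid_hex):
    tbs = der(0x30, der(0x02, b"\x01") + der(0x0C, b"constructed tbsCertificate placeholder") * 4)
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 129)  # placeholder BIT STRING, exercises long-form length
    return der(0x30, tbs + alg + sig)


SAMPLE_CERTS = {
    "legacy-intranet": constructed_cert("2a864886f70d010105"),  # sha1WithRSAEncryption
    "www-2017": constructed_cert("2a864886f70d01010b"),         # sha256WithRSAEncryption
    "api-ecdsa": constructed_cert("2a8648ce3d040302"),          # ecdsa-with-SHA256
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CERTS).items():
        print(f"{name}: {verdict}")
```

For a PEM file, convert with the standard library’s ssl.PEM_cert_to_DER_cert() before calling audit(). Browsers do not check the self-signature on their trust-anchor roots, so only leaf and intermediate certificates need replacing.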
There will be changes in how businesses view security in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will let you pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at a reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, and as the number of devices online grows, the volume and velocity of these attacks keeps increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, which increases the need for telecom operator and external services. In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as a cause for concern.
In 2017, IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we could literally be playing with fire.
Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016, we saw a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchains in the Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to use the cloud for blockchains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
Tomi Engdahl says:
Cybersecurity Lessons From Kung Fu
http://www.securityweek.com/cybersecurity-lessons-kung-fu
Blocking is very much like conventional security approaches where we try to detect the attack and prevent it from causing damage. It is common to fail at detecting incoming attacks or malware. When we fail, we miss the block.
Dodging an attack means that we prevent an attack from impacting our infrastructure. If the exploit coming at you cannot execute, it cannot cause damage or establish a foothold.
Dodging is not a perfect strategy. The attacker may adapt, or you might not succeed in avoiding the impact. Keeping out of range is more effective.
In kung fu, an attacker is limited by the length of their limbs and the speed with which they can advance. As long as you are far enough away you cannot be hit. Similarly, we can move our vulnerable attack surfaces farther from our valuable data and infrastructure.
Avoiding the attack completely can be as tricky on-line as it is on the streets. Many of the most damaging cyber attacks are highly targeted. The attackers have selected their target based on a combination of value and apparent vulnerability. They try to reach out and hit their identified target while avoiding bystanders.
Whether in a bar or in public, on the dark-web or a major news site, the lesson my Kung Fu instructor taught me on that first day can go a long way to keeping you safe. Avoid the attack completely if possible. Prevent targeted attacks by not looking like a victim. Keep your distance by moving the available attack surface away from your data and infrastructure. Dodge the attack by presenting an attack surface that is not vulnerable to the malware, exploits and other attacks that you will encounter. Only if all this fails will you need to rely on those blocks I practiced until I was a quivering blob on the floor. Detection and malware blocking / removing tools can be your last line of defense, needed only if all the other strategies fail.
Tomi Engdahl says:
Bryan Clark / The Next Web:
Google gives devs until March 15 to provide a valid privacy policy for apps or risk administrative action including removal of apps from the Play Store
Millions of apps could soon be purged from Google Play Store
https://thenextweb.com/google/2017/02/08/millions-apps-soon-purged-google-play-store/
Over the last 24 hours, Google has been sending notices to developers worldwide stating its intention to “limit visibility” or remove apps from the Play Store that violate the company’s User Data policy. For most devs, the violation seems to be a simple one: lack of a privacy policy.
https://play.google.com/about/privacy-security/user-data/
Tomi Engdahl says:
Dublin court to decide EU’s future relationship with Trump’s America
Three-week hearing expected, and yes, it is about the NSA’s mass surveillance activities
https://www.theregister.co.uk/2017/02/08/dublin_court_to_decide_eus_future_relationship_with_trumps_america/
The future of the relationship between the European Union and President Trump’s United States is being decided in a Dublin court hearing which is expected to continue for the next three weeks.
Tomi Engdahl says:
Why has Cameroon blocked the internet?
http://www.bbc.com/news/world-africa-38895541
Three weeks after reports that Cameroon had blocked the internet in English-speaking parts of the country, residents say services have yet to be restored. So what is going on?
Cameroonians have little doubt that pulling the plug on internet services for about 20% of the population is an intentional act by the government.
Just a day before services disappeared, the Ministry of Posts and Telecommunications issued a statement in which it warned social media users of criminal penalties if they were to “issue or spread information, including by way of electronic communications or information technology systems, without any evidence”.
Tomi Engdahl says:
As Valve eradicates serious bug in Steam, here’s what you need to know
Booby-trapped profiles could be used to spend visitors’ market funds, experts warn.
https://arstechnica.com/security/2017/02/as-valve-eradicates-serious-bug-in-steam-heres-what-you-need-to-know/
Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles.
Tomi Engdahl says:
Malware distributors are switching to less suspicious file types
Recent email-based malware distribution campaigns have used malicious LNK and SVG attachments instead of JavaScript
http://www.csoonline.com/article/3166152/security/malware-distributors-are-switching-to-less-suspicious-file-types.html
After aggressively using JavaScript email attachments to distribute malware for the past year, attackers are now switching to less suspicious file types to trick users.
Last week, researchers from the Microsoft Malware Protection Center warned about a new wave of spam emails that carried malicious .LNK files inside ZIP archives. Those files had malicious PowerShell scripts attached to them.
PowerShell is a scripting language for automating Windows system administration tasks. It has been abused to download malware in the past and there are even malware programs written entirely in PowerShell.
Tomi Engdahl says:
Understanding Firewalld in Multi-Zone Configurations
http://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Tomi Engdahl says:
The TSA knows its screening methods are unscientific and unreliable, says ACLU report
http://www.theverge.com/2017/2/9/14558298/tsa-screening-unscientific-unreliable-aclu-report
The ACLU has released a report criticizing the passenger screening techniques used by the US Transportation Security Administration, after it obtained documents that showed the TSA itself determined its methods were unreliable and not based in science. The report comes almost three years after the ACLU submitted a FOIA request to the TSA asking for any records, training requirements, and any scientific background that proves that its passenger screening system worked.
The TSA has used a process called SPOT — Screening Passengers by Observation Techniques — to select people for additional questioning as they pass through airport security since 2007.
This week’s report concludes that the TSA introduced the SPOT system without validating its effectiveness.
TSA’s files actually showed people trained to identify the 92 supposedly suspicious behaviors were actually worse at detecting lies than people who had not been trained at all.
Bad Trip: Debunking the TSA’s ‘Behavior Detection’ Program
https://www.aclu.org/report/bad-trip-debunking-tsas-behavior-detection-program?redirect=bad-trip
Under the government’s “behavior detection” program, thousands of TSA officers at airports around the country watch passengers for behaviors that the TSA claims are associated with stress, fear, or deception. The officers then flag certain people for additional inspection and questioning.
The program has long been criticized as unscientific, ineffective, and wasteful, and it has been blamed by passengers and TSA officers themselves for racial and religious profiling – but still it continues.
Tomi Engdahl says:
Invisible Malware Found in Banking Systems in over 40 Countries
A new Kaspersky report talks about at least 140 banks
http://news.softpedia.com/news/invisible-malware-found-in-banking-systems-in-over-40-countries-512740.shtml
Banks, telcos, and even governmental agencies in the United States, South America, Europe, and Africa are being targeted by hackers in a series of ongoing attacks that are extremely difficult to detect.
According to a new Kaspersky Lab report, at least 140 banks and other enterprises have been infected by malware that’s nearly invisible. Although this is the official number as of right now, given the difficulties involved in spotting this malware, the number could be much, much higher, Kaspersky specialists warn.
This is the same type of infection that Kaspersky found on its own corporate network a couple of years ago, an infection unlike anything they’d seen before. Duqu 2.0, as it was dubbed, was believed to be derived from Stuxnet,
“New attacks”
Now, a similar infection is spreading like wildfire among countless companies, including many banks. These hard-to-detect infections use legitimate system admin and security tools, such as PowerShell, Metasploit, and Mimikatz to inject malware into computer memory.
Kaspersky has chosen not to name the institutions that are currently under attack
Fileless attacks against enterprise networks
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC).
Tomi Engdahl says:
Police Department Loses Years Worth of Evidence in Ransomware Incident
https://www.bleepingcomputer.com/news/security/police-department-loses-years-worth-of-evidence-in-ransomware-incident/
Police in Cockrell Hill, Texas admitted yesterday in a press release that they lost years worth of evidence after the department’s server was infected with ransomware.
Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents.
Eight years worth of evidence lost
“It is [...] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.
Police department most likely infected with Locky
The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.
Cockrell Hill police lose years worth of evidence in ransom hacking
http://www.wfaa.com/news/local/cockrell-hill-police-lose-years-worth-of-evidence-in-ransom-hacking/392673232
Stephen Barlag, Cockrell Hill’s police chief, said the incident was not the work of hackers, but acknowledged that the incident included a computer-generated ransom demand.
“This was not a hacking incident,” Barlag said in a news release Wednesday evening. “No files or confidential information was breached or obtained by any outside parties.”
The malware, which most likely originated from either Russia or Ukraine, gained access to the department’s computer servers after someone clicked on a cloned email made to look like it was sent from a department email address, Barlag said. Messages generated by the computer virus demanded $4,000 worth of internet currency known as Bitcoin as ransom for the return of the files, he said.
Tomi Engdahl says:
Data security company F-Secure has found industrial automation equipment open to public networks in Finland, as elsewhere in the world.
F-Secure’s Chief Research Officer Mikko Hyppönen says that the devices are also being attacked, but so far Finland has apparently avoided a serious disturbance. Or at least those have been kept hidden from the public.
Warning examples from around the world already exist. In Ukraine, cybercriminals caused a serious power outage. In the United States, in turn, the payment transactions of San Francisco’s buses and streetcars were disrupted.
Among malware directed against home users, ransomware has become more popular; it locks the machine and demands, for example, a few tens of bitcoins to get the files back.
Why, then, a security leak?
Hyppönen estimated that industrial automation PLC devices are still basically of the same structure as the Linux devices in use at home: cameras, storage and networking devices.
“Therefore, the weaknesses in automation are the same as in home devices.”
Hyppönen attributed the lack of security to the fact that the equipment was originally designed for closed production environments.
Second, there is no equally easy solution for factory security.
“Security is first and foremost a process, and security solutions are tailor-made.”
Sonera in Finland, among others, has said that customer connections were temporarily restricted when, for example, air-source heat pumps, milking robots and home entertainment devices had been used as part of a denial of service attack or for disseminating malware and spam. This can happen when the machines have remote access open to the network and the default password has not been changed.
F-Secure is introducing a new security appliance to protect Internet of Things homes.
Source: http://www.tivi.fi/Kaikki_uutiset/asiantuntija-varoittaa-kiristyshaitake-voi-pysayttaa-tehtaan-maksa-100-bitcoinia-6618395
Tomi Engdahl says:
Clusters f**ked: Insecure Hadoop file systems wiped by miscreants
Weak default settings attract data deletion attacks despite warnings
https://www.theregister.co.uk/2017/02/09/hadoop_clusters_fked/
Administrators of Hadoop Distributed File System (HDFS) clusters have evidently not heeded warnings that surfaced last month about securing software with insecure default settings.
Attacks on Hadoop clusters have wiped the data of at least 165 installations, according to GDI Foundation security researchers Victor Gevers, Niall Merrigan, and Matt Bromiley. The trio report that 5,300 Hadoop clusters are presently exposed to the internet, some of which may be vulnerable.
“The default installation for HDFS Admin binds to the IP address 0.0.0.0 and allows any unauthenticated user to perform super user functions to a Hadoop cluster,” the group’s report states. “These functions can be performed via a web browser, and do not prevent an attacker from destructive actions. This may include destroying data nodes, data volumes, or snapshots with terabytes of data in seconds.”
They advise turning on Hadoop Secure Datanode, Safemode, and service level authentication (via Kerberos). They also recommend blocking port 50070 from untrusted IPs, adding IAM control and network segmentation via some form of OpenVPN, and implementing a reverse proxy, such as Knox, to defend against unauthorized access.
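The exposure described in this report comes from settings that are weak by default, so the fastest check is to read the effective configuration rather than probe the cluster. The following audit is an added example (not code from the article or the GDI Foundation report): the property names and their Hadoop 2.x defaults are real, while the sample XML and the 10.0.5.10 management address are constructed. It covers the authentication, service-level authorization and bind-address points of the advice above; Secure DataNode and Knox are deployment steps outside what a config audit can see.

```python
"""Audit Hadoop core-site.xml / hdfs-site.xml for the exposed-cluster defaults.

Property names and Hadoop 2.x defaults are real; the sample XML below and the
10.0.5.10 management address are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Values Hadoop 2.x assumes when a property is absent from the site files.
HADOOP_DEFAULTS = {
    "hadoop.security.authentication": "simple",    # no authentication: caller names its own user
    "hadoop.security.authorization": "false",      # service-level ACLs not enforced
    "dfs.namenode.http-address": "0.0.0.0:50070",  # NameNode web UI on every interface
    "dfs.permissions.enabled": "true",
}


def load_props(xml_text):
    """Parse <configuration><property><name/><value/></property>... into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_hadoop_config(core_site_xml, hdfs_site_xml):
    """Return a list of findings; an empty list means the checked settings are hardened."""
    effective = dict(HADOOP_DEFAULTS)           # start from defaults, then overlay site files
    effective.update(load_props(core_site_xml))
    effective.update(load_props(hdfs_site_xml))
    findings = []
    if effective["hadoop.security.authentication"].lower() != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos: "
                        "any unauthenticated caller can act as the superuser")
    if effective["hadoop.security.authorization"].lower() != "true":
        findings.append("hadoop.security.authorization is false: "
                        "service-level authorization is not enforced")
    host = effective["dfs.namenode.http-address"].rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "::", "[::]"):
        findings.append("dfs.namenode.http-address binds the NameNode web UI "
                        "on all interfaces (port 50070 reachable from anywhere)")
    if effective["dfs.permissions.enabled"].lower() != "true":
        findings.append("dfs.permissions.enabled is false: HDFS ignores file permissions")
    return findings


# Constructed sample site files: the weak shape beside the hardened one.
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>"""

WEAK_HDFS_SITE = """<configuration>
  <property><name>dfs.namenode.http-address</name><value>0.0.0.0:50070</value></property>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

HARDENED_HDFS_SITE = """<configuration>
  <!-- bind the web UI to the management interface only; block 50070 at the perimeter too -->
  <property><name>dfs.namenode.http-address</name><value>10.0.5.10:50070</value></property>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, core, hdfs in (("weak", WEAK_CORE_SITE, WEAK_HDFS_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_HDFS_SITE)):
        print(label, audit_hadoop_config(core, hdfs) or ["no findings"])
```

An empty site file is the worst case, since the unspecified properties fall back to the exposed defaults.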
Tomi Engdahl says:
IT guy checks to see if PC is virus-free, with virus-ridden USB stick
Same org saw users catch ransomware twice. In one day. After being warned
https://www.theregister.co.uk/2017/02/10/on_call/
“After a couple of days everyone’s PC slowly ran out of executables and became useless,” Dirk recalls, adding that “My favourite moment was when an IT support guy went into the SCADA control room to check on the SCADA operator GUI PCs. Up until then the SCADA system was fine because it was on a separate firewalled LAN. But this genius plugged in his USB stick with some GUI-based network monitoring tools to make sure the SCADA LAN was OK.”
You can guess what happened next: the USB stick had been infected and the SCADA system came down too. Two weeks and another new Windows standard operating environment later, the company was back on its feet.
Tomi Engdahl says:
Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages
https://it.slashdot.org/story/17/02/10/0110245/attacks-on-wordpress-sites-intensify-as-hackers-deface-over-15-million-pages
“Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains,”
four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day,
Attacks on WordPress Sites Intensify as Hackers Deface Over 1.5 Million Pages
https://www.bleepingcomputer.com/news/security/attacks-on-wordpress-sites-intensify-as-hackers-deface-over-1-5-million-pages/
Mass defacements started this week
The vulnerability at the core of these series of attacks is a bug discovered by Sucuri researchers, which the WordPress team fixed with the release of WordPress 4.7.2, on January 26.
According to Sucuri, attackers can craft simple HTTP requests that allow them to bypass authentication systems and edit the titles and content of WordPress pages. This vulnerability only affects sites running WordPress versions 4.7.0 and 4.7.1.
Initially, the vulnerability was deemed very high-risk, and the WordPress security team kept it a secret for almost a week, allowing a large number of WordPress site owners to update their CMS without being in peril from impending attacks.
Nonetheless, WordPress and Sucuri experts realized they couldn’t keep this a secret, and after a week, both teams revealed to the world that the WordPress 4.7.2 release included a secret fix for the WordPress REST API.
Tomi Engdahl says:
Republicans Are Reportedly Using a Self-Destructing Message App To Avoid Leaks
https://it.slashdot.org/story/17/02/09/2247240/republicans-are-reportedly-using-a-self-destructing-message-app-to-avoid-leaks
Trump administration members and other Republicans are using the encrypted, self-destructing messaging app Confide to keep conversations private in the wake of hacks and leaks, according to Jonathan Swan and David McCabe at Axios. Axios writes that “numerous senior GOP operatives and several members of the Trump administration” have downloaded Confide, which automatically wipes messages after they’re read.
Republicans are reportedly using a self-destructing message app to avoid leaks
http://www.theverge.com/2017/2/9/14561786/confide-messaging-republican-gop-trump-administration-leaks
One operative told Axios that the app “provides some cover” for people in the party. He ties it to last year’s hack of the Democratic National Committee, which led to huge and damaging information dumps of DNC emails leading up to the 2016 election. But besides outright hacks, the source also said he liked the fact that Confide makes it difficult to screenshot messages, because only a few words are shown at a time. That suggests that it’s useful not just for reducing paper trails, but for stopping insiders from preserving individual messages — especially given the steady flow of leaks that have come out since Trump took office.
Tomi Engdahl says:
Hundreds of Arby’s Restaurants Hit by Card Breach
http://www.securityweek.com/hundreds-arbys-restaurants-hit-card-breach
Arby’s Restaurant Group, one of the largest fast food sandwich restaurant chains in the United States, admitted this week that its payment processing systems had been breached by cybercriminals.
Arby’s told journalist Brian Krebs, who learned about the incident from sources in the financial industry, that it was alerted to the breach in mid-January by industry partners. The company said it had not disclosed the incident to the public at the FBI’s request.
The fast food chain said it immediately brought in Mandiant and other security experts to remove the malware from its systems and investigate the incident. The company is confident that the compromised systems have been cleaned up.
Fast Food Chain Arby’s Acknowledges Breach
https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/
A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.
Tomi Engdahl says:
jQuery Mobile Can Expose Websites to XSS Attacks
http://www.securityweek.com/jquery-mobile-can-expose-websites-xss-attacks
A Google security engineer discovered that jQuery Mobile can expose websites to cross-site scripting (XSS) attacks if an open redirect vulnerability is also present.
According to BuiltWith, jQuery Mobile is currently used on more than 150,000 active websites.
There may be many websites vulnerable to such attacks considering that some organizations, including Google, don’t treat open redirects as vulnerabilities. Open redirects can be found on major websites such as Google, YouTube, Facebook, Baidu and Yahoo.
The expert reported his findings to jQuery Mobile developers, but the problem will not be addressed any time soon due to concerns that changing the current behavior could break existing applications. The jQuery team has admitted that developers should be warned about the risks.
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
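The open-redirect half of this chain is the part a site owner controls. Below is an added example, written for this page and not code from jQuery Mobile, SecurityWeek or the OWASP cheat sheet, of a redirect validator for a Node.js endpoint such as /login?next=...: it resolves the parameter against the site's own origin (assumed here to be https://example.com) and only follows it when the result stays on that origin or on an explicit allowlist of hosts. Letting the WHATWG URL parser do the resolution is what catches the protocol-relative, backslash and tab tricks that simple "starts with /" string checks miss.

```javascript
'use strict';
// Added example, not code from jQuery Mobile or OWASP: validate a user-supplied
// redirect target so a "next"/"return_to" parameter cannot become an open
// redirect. Uses Node's built-in WHATWG URL parser (global since Node 10).

// Assumed origin of the site that hosts the redirect endpoint.
const SITE_ORIGIN = 'https://example.com';

// Returns an absolute URL that is safe to place in a Location header.
// Anything that does not resolve to SITE_ORIGIN (or an allowlisted host)
// falls back to the site's home page instead of being followed.
function safeRedirect(target, { origin = SITE_ORIGIN, allowedHosts = [] } = {}) {
  const home = new URL('/', origin).href;
  if (typeof target !== 'string' || target.trim() === '') return home;

  let parsed;
  try {
    // Resolving against our origin is what makes "/path" acceptable while
    // "//evil.example" (protocol-relative), "/\evil.example" (backslash is a
    // slash for http/https) and "/<TAB>/evil.example" (tabs are stripped by
    // the parser) all come back with a foreign host instead of a local path.
    parsed = new URL(target, origin);
  } catch {
    return home;
  }

  // Only web schemes: rejects javascript:, data:, mailto:, etc.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return home;

  // Same-origin: scheme, host and port all match. Path traversal such as
  // "/a/..//evil.example" stays on our host (pathname "//evil.example") and is
  // returned as an absolute URL, so it can never be read as protocol-relative.
  if (parsed.origin === new URL(origin).origin) return parsed.href;

  // Cross-origin only when the hostname (already lower-cased by the parser)
  // is explicitly allowlisted; "example.com@evil.example" is handled because
  // the parser puts "example.com" into username, not hostname.
  if (allowedHosts.includes(parsed.hostname)) return parsed.href;

  return home;
}

// Constructed sample inputs: the kinds of values an attacker puts in ?next=
for (const t of ['/account', '//evil.example/x', '/\\evil.example',
                 'https://evil.example/', 'javascript:alert(1)',
                 '/redirect/..//evil.example']) {
  console.log(JSON.stringify(t), '->', safeRedirect(t));
}
```

Use the returned value directly as the Location header; never echo the raw parameter. If a redirect to a partner host is genuinely needed, add that host to allowedHosts rather than loosening the same-origin check.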
Tomi Engdahl says:
Firms Increasingly Interested in Cyber Insurance: Study
http://www.securityweek.com/firms-increasingly-interested-cyber-insurance-study
Companies in the United States, the United Kingdom and Germany are increasingly interested in taking out cyber insurance, according to a new study commissioned by insurance provider Hiscox.
The cyber security readiness study, which involved 3,000 businesses from the three countries, shows that 30% of companies in Germany, 36% in the U.K. and 55% in the U.S. already have cyber insurance. Roughly 30% of the firms that don’t have insurance plan on getting insured in the next 12 months.
The top reasons for taking out cyber insurance are related to the cost of a potential breach and the need for peace of mind, data security concerns, the possibility of customer action, and new data regulations. In roughly one-quarter of cases, cyber insurance is a legal requirement.
More than half of the respondents reported being hit by at least one cyberattack in the last 12 months and the cost of dealing with an incident has been significant. On average, companies in the United States with over 1,000 employees said the largest cyber incident had cost them more than $100,000.
In the case of small U.S. firms, with less than 100 employees, the average cost was roughly $35,000.
In the U.K. and Germany, organizations reported spending between approximately $32,000 and $67,000, and between $24,000 and $48,000, respectively, depending on their size.
The study shows that larger organizations are more likely to be interested in cyber insurance, and financial services is the most insurance-aware sector, with more than half of respondents already having cyber insurance.
Tomi Engdahl says:
Rockwell Automation Teams With Claroty on Industrial Network Security
http://www.securityweek.com/rockwell-automation-teams-claroty-industrial-network-security
Rockwell Automation this week announced that it is teaming up with industrial cybersecurity startup Claroty to combine their security products and services into future, combined security offerings.
Claroty exited stealth mode in September 2016 to announce a security platform designed to provide “extreme visibility” into Operational Technology (OT) environments and protect critical infrastructure from cyber threats.
Claroty has built a platform that provides broad support for control system manufacturers and employs “high-fidelity models and advanced algorithms” to monitor industrial control systems (ICS) communications and provide security and process integrity alerts. The platform can inspect a large number of industrial control protocols; with support for both open and proprietary protocols from vendors including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, Honeywell, ABB and more.
“The Claroty platform can detect a bad actor’s activities at any stage, whether they’re trying to gain a foothold on a network, conduct reconnaissance or inflict damage,”
Tomi Engdahl says:
Man sues Uber for allegedly ruining his marriage
https://www.cnet.com/roadshow/news/man-sues-uber-for-allegedly-ruining-his-marriage/
Commentary: A Frenchman is suing Uber for $48 million, after he claims a technical problem with the app informed his wife of his movements.
Technically Incorrect offers a slightly twisted take on the tech that’s taken over our lives.
A businessman from the Côte d’Azur in France, though, believes technology has destroyed his marriage. Specifically, Uber’s technology.
As Le Figaro reports, he claims there was a bug in the Uber app, one that enabled others to view his comings and goings. Actually, it was a very significant other, he says, who knew where he’d been — his wife.
The man claims that he borrowed his then wife’s iPhone and logged into the Uber app.
He says that after he logged off, his Uber activity was still relayed via helpful notifications on her phone.
Tomi Engdahl says:
Cisco Launches “Umbrella” Secure Internet Gateway
http://www.securityweek.com/cisco-launches-umbrella-secure-internet-gateway
Cisco announced this week the launch of Umbrella, a cloud-based Secure Internet Gateway (SIG) solution designed to provide visibility and protection for devices on and outside the corporate network.
Organizations are increasingly relying on software-as-a-service (SaaS) products, such as WebEx, Office 365, Google Docs, Salesforce and Box. While these applications can significantly improve productivity, they are often used over untrusted Internet connections without being protected by a VPN.
Cisco wants to address this problem with the launch of Umbrella. The new cloud service aims to provide safe and secure access from anywhere, even if a VPN is not used.
The networking giant obtained the Umbrella technology when it acquired OpenDNS in 2015.
“Umbrella was built upon the OpenDNS platform, a platform that has been delivered from the cloud since its inception. Then we integrated technology from across the Cisco security portfolio, including capabilities from the Cloud Web Security proxy, and the Advanced Malware Protection (AMP) file inspection,”
Tomi Engdahl says:
WordPress blogs defaced in hack attacks
http://www.bbc.com/news/technology-38930428
A security flaw in the WordPress blogging software has let hackers attack and deface tens of thousands of sites.
One estimate suggests more than 1.5 million pages on blogs have been defaced.
The security firm that found the vulnerability said some hackers were now trying to use it to take over sites rather than just spoil pages.
WordPress urged site owners to update software to avoid falling victim.
Security firm WordFence said it had seen evidence that 20 hacker groups were trying to meddle with vulnerable sites. About 40,000 blogs are believed to have been hit.
“Attackers are starting to think of ways to monetise this vulnerability,” wrote Sucuri founder Daniel Cid. “Defacements don’t offer economic returns, so that will likely die soon.”
Tomi Engdahl says:
Run this in April: UPDATE Azure SET SQLthreat_detection = ‘generally available’
https://www.theregister.co.uk/2017/02/10/microsoft_adding_security_for_sql_databases/
Microsoft says it will fully power up its Azure SQL Database Threat Detection service this spring.
This technology, which has been in preview mode for the past year or so, monitors for suspicious database activities, and raises the alarm if malicious access is detected. It has been two years in the making, and will enter general availability in April, we’re told.
This feature is supposed to reassure Azure subscribers that their information is protected on remote servers. Microsoft is keen to stress to businesses that it is safe to run their applications on its infrastructure.
The Azure service will continuously monitor and profile customers’ application behavior to detect suspicious database activities and identify potential mischief, using machine learning algorithms written in R, which is now supported by SQL Server 2016 running on Azure’s back-end.
“We get 300 billion authentication requests each month,”
There are 1.3 billion calls to Azure Active Directory daily, and Microsoft scans more than 200 billion emails for malware and phishing attacks each month. Microsoft collects between 600 and 700TB of telemetry data on a daily basis, not all of which is collected for security purposes, but “a significant proportion” of which is used to create the models that will be used with the threat detection service.
Tomi Engdahl says:
Nicole Perlroth / New York Times:
Restricted spyware from government cyberarms dealer NSO Group found on the phones of advocates for Mexico’s 2014 soda tax — SAN FRANCISCO — Last summer, Dr. Simón Barquera’s phone started buzzing with a series of disturbing text messages from unknown numbers. One said his daughter had been in a serious accident.
Spyware’s Odd Targets: Backers of Mexico’s Soda Tax
https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html
Last summer, Dr. Simón Barquera’s phone started buzzing with a series of disturbing text messages from unknown numbers.
The messages Mr. Encarnación received were identical to a series of texts sent to Alejandro Calvillo
What the men had in common was this: All were vocal proponents of Mexico’s 2014 soda tax
The links sent to the men were laced with an invasive form of spyware developed by NSO Group, an Israeli cyberarms dealer that sells its digital spy tools exclusively to governments and that has contracts with multiple agencies inside Mexico, according to company emails leaked to The New York Times last year.
Spyware makers like NSO Group, Hacking Team in Italy and Gamma Group in Britain insist they sell tools only to governments for criminal and terrorism investigations.
But it is left to government agents to decide whom they will and will not hack with spying tools that can trace a target’s every phone call, text message, email, keystroke, location, sound and sight.
One week after health researchers and advocates announced their campaign in a news conference last summer, their phones began to buzz with the spyware-laced messages.
NSO Group’s motto is “Make the World a Safer Place.” But its spyware is increasingly turning up on the phones of journalists, dissidents and human rights activists.
The NSO emails leaked to The Times
Mexico was listed as the biggest client of Hacking Team, the Italian cyber-surveillance firm, which was itself hacked in 2015.
Tomi Engdahl says:
African Nations Increasingly Silence Internet to Stem Protests
https://www.nytimes.com/2017/02/10/world/africa/african-nations-increasingly-silence-internet-to-stem-protests.html?_r=0
All three have been thwarted by Cameroon’s government, which is the latest in sub-Saharan Africa to switch off the internet in parts or all of a nation, or to put other limits on online communication in hopes of snuffing out protests and other opposition.
Officials in Cameroon and elsewhere say internet blackouts are a security measure. But they are also a hit to the fragile economies of developing nations that are increasingly reliant on online business transactions as internet access and cellphone use have exploded in recent years.
Authoritarian regimes have long limited communication with the outside world during tense times.
Tomi Engdahl says:
Jamming WiFi by Jumping on the ACK
http://hackaday.com/2017/02/03/jamming-wifi-by-jumping-on-the-ack/
As we fill our airwaves with more and more wirelessly connected devices, the question of what could disrupt these systems becomes more and more important. Here’s a particularly interesting example because the proof of concept shows that you don’t need specialized hardware to pull it off. [Bastian Bloessl] found an interesting tweak to previous research that allows an Atheros WiFi card to jam WiFi by obscuring ACK frames.
https://www.bastibl.net/jamming-wifi/
Tomi Engdahl says:
Researchers warn peace sign photos could expose fingerprints
But the likelihood of anyone actually using images to recreate prints is pretty slim.
https://www.engadget.com/2017/01/13/peace-sign-pics-fingerprints/?mid=6158450&lgid=3441165&mailing_id=2688968&list=it-reg&mailing=manualoffers&tfso=147434&engine_id=1
As if the constant data breaches that threaten to expose the one password you use for absolutely everything weren’t enough, apparently you now need to start worrying about posting that cute selfie. The peace sign is many people’s go-to picture pose, and it’s particularly popular in East Asia, but according to researchers it’s also the perfect way to expose your fingerprints online. In a study conducted at Japan’s National Institute of Informatics (NII), investigators found that, if the focus and lighting were right, they could recreate fingerprints from images shot up to 3 meters (nearly 10 feet) from the subject.
Fingerprint authentication is now the norm on smartphones and common enough on some other devices like laptops. What’s more, phone cameras are consistently improving and there are more ways than ever to share your snaps online.
The sheer amount of effort required to just get into someone’s phone is likely why we’ll never see this successfully executed outside of a Mission Impossible flick. The Japanese researchers’ claims aren’t exactly groundbreaking, either. Back in 2014, a German hacker claimed to have cloned a politician’s thumbprint using close-ups taken at a press conference with a standard digital camera and off-the-shelf software. The following year, he also demonstrated an iris spoof using only a high-res image and a laser printer.
Tomi Engdahl says:
DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks
http://www.securityweek.com/dhs-uses-cyber-kill-chain-analyze-russia-linked-election-hacks
The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) on Friday published a new report providing additional indicators of compromise (IOC) and analysis using the cyber kill chain to detect and mitigate threats from the Russia-linked “GRIZZLY STEPPE” hackers.
On Dec. 29, 2016, the DHS and FBI published an initial Joint Analysis Report (JAR) detailing the tools and infrastructure used by Russian hackers designated by DHS as “GRIZZLY STEPPE” in attacks against the United States election. The previous report, however, didn’t deliver on its promise, security experts argued.
DHS analysts leveraged the Cyber Kill Chain framework created by Lockheed Martin that describes the phases of an attack. The report summarizes the activity of the campaign using each phase of the Cyber Kill Chain, which are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on the Objective.
Enhanced Analysis of GRIZZLY STEPPE
Original release date: February 10, 2017
https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
Tomi Engdahl says:
Thousands of Android Devices Infected by Marcher Trojan
http://www.securityweek.com/thousands-android-devices-infected-marcher-trojan
Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards.
The malware has been disguised as various popular apps, including Netflix, WhatsApp and Super Mario Run.
Tomi Engdahl says:
Kelihos Becomes King of the Malware Mountain
http://www.securityweek.com/kelihos-becomes-king-malware-mountain
The beginning of 2017 has brought a series of changes on the malware charts, as the Kelihos botnet managed to climb to the top position, while the Conficker worm dropped to fourth on the list.
An eight-year-old threat, Conficker managed to remain one of the most active malware families out there last year, although it didn’t make it to the headlines as often as other threats. In 2015, however, the malware returned to focus briefly, after security researchers found that it had infected police body cameras.
The current leader, Kelihos, is yet another long-standing threat, one that managed to withstand several takedown attempts.
Tomi Engdahl says:
Turkish Man Sent to Prison in U.S. for $55M Cyber Heist
http://www.securityweek.com/turkish-man-sent-prison-us-55m-cyber-heist
Turkish citizen Ercan Findikoglu, aged 35, was sentenced on Friday by a New York court to 8 years in prison for his leadership role in a cybercriminal organization that caused significant losses to banks worldwide.
According to authorities, between 2011 and 2013, the criminal gang Findikoglu was part of carried out three major campaigns that resulted in losses totaling more than $55 million.
Tomi Engdahl says:
Potentially Serious DoS Flaw Patched in BIND
http://www.securityweek.com/potentially-serious-dos-flaw-patched-bind
A potentially serious denial-of-service (DoS) vulnerability was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.
The flaw, tracked as CVE-2017-3135, affects BIND 9.8.8, all 9.9 releases since 9.9.3, all 9.10 releases, and all 9.11 releases.
In the case of servers with specific configurations, the vulnerability is remotely exploitable and rated as “high severity” with a CVSS score of 7.5.
Servers that don’t use RPZ and DNS64 at the same time are not affected by the security hole.
Tomi Engdahl says:
Online: The Other Side of Terrorism
http://www.securityweek.com/online-other-side-terrorism
No Physical Barrier is Capable of Restricting the Robust, Influential, and Dangerous Online Presence of Terrorist Groups like ISIS
Terrorism remains one of the major physical security threats of our time.
Propaganda Disseminating and Recruitment
Building on its predecessors, ISIS in particular has distinguished itself from other terrorist groups by way of its use of social media for purposes of propaganda dissemination and recruitment.
Indeed, al-Qaida became known for delivering propaganda via poor-quality VHS videos and sending pre-recorded tapes to news outlets. ISIS, however, is the first terrorist group to effectively harness the viral power that came with the growth of social media giants in the early 2010s.
However, attempts to contain ISIS by restricting the group’s access to social media have had mixed results. In 2016, Twitter became the first platform to enact sweeping measures that blocked access to over 200,000 user accounts based on suspicions of ties with terrorism. Unfortunately, ISIS adapted to these restrictions and in response, shifted the bulk of their online and social media operations to different, more-private platforms. In particular, Telegram
Inciting and launching attacks
In addition to leveraging the cyber realm for propaganda and recruiting, ISIS’s use of the Internet for inciting and launching terror attacks is one such characteristic that physical security measures can entirely derail.
Financing
Combatting terrorist financing has long been considered one of the most persistent challenges in the war against terror; and for ISIS, its cyber operations have presented unprecedented difficulties for those seeking to restrict the group’s access to funds.
Final Notes
In short, while enhancing physical security in the face of terrorism should undoubtedly remain a priority for policymakers, military leaders, and civilians alike, it’s crucial to understand that no physical barrier is capable of restricting the robust, influential, and dangerous online presence of terrorist groups like ISIS.
Tomi Engdahl says:
Cybersecurity: Learning from the Future
http://www.securityweek.com/cybersecurity-learning-future
Cybersecurity demands the impossible: that we look into the future to see where hackers are heading and what tactics they are brewing up. Of course there is no such crystal ball, so instead we focus on strategies hackers have carried out in the past and try to make predictions about future moves.
But as generals are always accused of fighting the last war, there is a similar problem with cybersecurity – threats of the past, while edifying, will not necessarily be the threats of the future. So while learning from the past is valid, it is simply not sufficient for combatting future cyber threats.
What we have learned is that state-sponsored hackers, with their enormous experience, successes and unlimited resources, are often one step ahead, waiting silently inside of porous firewalls, integrated into strategic junctions where they can assess information, learning which data to target to achieve their goals. Political organizations’ data centers, politicians’ and business leaders’ personal or work accounts… all are fair game for hackers, and their targets will only expand in the future.
With ominous state-sponsored hackers like the Syrian Electronic Army – who have successfully attacked The Washington Post, CNN and other outlets – businesses and governments alike must be sufficiently prepared to prevent malicious attacks of any kind that may come their way.
A Silent Enemy
Zero-day, targeted hacking and other advanced methodologies employed by state-sponsored hackers present many difficulties for defenders. Hackers employ these approaches and then wait for the data they require, collect it and use it against the target for strategic (often political) purposes.
Pro-active Defense
If there is suspicion that data has been compromised, we must immediately stop communicating valuable information via that channel. There are two general techniques that aim to uncover these silent, patient probes: “Indication of compromise patterns” (IOCs) and “indication of attacks” (IOAs), which typically follow IOCs.
Silent Discovery – a Future Advantage
Discovering an enemy’s presence without their knowledge creates a strong strategic advantage. Instead of smoking out the hackers and either publicly or privately exposing them, this knowledge can be used to turn the tables. We can then choose what the enemy receives – i.e. feed them with fake information per our own strategic goals.
Tomi Engdahl says:
Survey Examines Cybersecurity Perception in U.S.
http://www.securityweek.com/survey-examines-cybersecurity-perception-us
Survey Highlights Widely Divergent Views on State of Cyber Security in America
A new survey of American adults’ perceptions of cybersecurity and hackers shows both a generational and a gender divide in attitudes. Young adults often display a more pragmatic approach compared to a more hardline attitude from older Americans, while there is a frequent difference between the genders.
5000 American adults aged 16+ responded to an online survey conducted by Opinion Matters for HackerOne and Kaspersky Lab during December 2016.
The generational divide is clearly shown in the respondents’ attitude towards hacker motivation. Fifty-two percent of respondents aged 45-55+ believe that hacker motivation is to be malicious, and 59% believe the motivation is to create problems. Only 35% of those aged 16-24 think hackers hack with malicious intentions.
However, far fewer Americans believe in ‘good intentions’: 15% believe hackers hack to report vulnerabilities, and only 14% believe they are motivated by ‘good feeling’ in helping companies and government understand security weaknesses.
Knowledge of bug bounty and pentesting operations seems to make little difference to Americans’ buying behavior. Only 22% say they are more likely to make a purchase from companies that use these to protect their services, while 54% say it will make no difference.
“Do you think North America will be more vulnerable to cyber-espionage or nation-sponsored cyberattacks with Donald Trump as President of the United States?” Only 28% believed in December 2016 that Trump policies will definitely make the US more vulnerable. Sixteen percent thought it possible, but 56% didn’t “think the risk will be any higher than before.”
This seems to be in sharp contrast to current thinking from the government agencies tasked with protecting the US.
The implication is that the American people had greater trust in Trump’s national security in December 2016 than the US intelligence community has in February 2017.
Men are less concerned than women (60% vs 52%) about the state of cybersecurity under the new administration
Particularly concerning, however, is that the majority of consumers do not trust their own employers. “Only 36% of U.S. adults,” says the report, “said that they would choose to be a customer of their own employer knowing what they know about their company’s cybersecurity program and ability to protect customers from cyber criminals.”
Tomi Engdahl says:
Watson for Cyber Security in Action
https://www.youtube.com/watch?v=MYZOIdK4o1M&cm_mc_uid=95081546755514865448655&cm_mc_sid_50200000=
A tremendous amount of security knowledge is unstructured — created by humans, for humans — making it inaccessible to traditional systems. Cognitive systems bridge this knowledge gap, unlocking a new partnership between security analysts and technology to outthink and outpace threats.
In this short demo, Watson for Cyber Security helps a security analyst investigate a particular incident to uncover new patterns and security context never before seen. The result: Watson arms the security analyst with the collective knowledge to respond to the offense with greater confidence, at speed and scale.
For more information, please visit: http://ibm.co/28Qc69M
Tomi Engdahl says:
WTF is up with the W3C, DRM and security bods threatened – we explain
Five years on, attempts at compromise on web standards still fueling fights
https://www.theregister.co.uk/2017/02/13/w3c_drm_security_battle/
A lengthy battle over the inclusion of digital rights management as a Web standard is coming to a head, with a set of new guidelines planned for early March.
Those guidelines will include the latest attempt at compromise between pragmatists and idealists over how to allow control of content online without undermining the central concept of a free and open internet.
On March 2, the World Wide Web Consortium (W3C) will publish details of its new vulnerability disclosure program, closely followed by a “call for review” from its director, Tim Berners-Lee, that intends to protect security researchers from being sued if they dig into the black box of code that makes digital rights management (DRM) possible.
It is a messy compromise, and one that some are still not happy with, but it is progress on an issue that has set the W3C against itself for five years.
It is also a proxy for a much broader fight: between corporations that want to be able to protect their content, and internet engineers opposed to commercialization of the internet who want to protect the open internet in an era of closed systems.
Tomi Engdahl says:
Snowden-era paranoia creeps into new data center networking startups
http://www.cablinginstall.com/articles/pt/2017/02/snowden-era-paranoia-creeps-into-new-data-center-networking-startups.html?cmpid=enl_cim_cimdatacenternewsletter_2017-02-14
Of all the lasting effects of Edward Snowden’s leaks, there’s one photo that leaves a particularly strong mark. In it, U.S. federal employees in T-shirts and blue jeans are seen intercepting network equipment from Cisco Systems Inc. at a shipping facility.
a deeply held paranoia within Silicon Valley’s biggest internet companies: In an era of increasingly sophisticated nation-state hacking, how can we trust that network infrastructure isn’t compromised before it’s dropped off at the company loading docks?
This fear has created a sense of urgency for Apple Inc., Google, Facebook Inc. and other technology giants that have been devising their own alternatives to Cisco, which controls more than half of the market for network equipment.
Snowden-Era Paranoia Fuels Data Center Networking Startup Boom
http://www.datacenterknowledge.com/archives/2017/02/07/snowden-era-paranoia-fuels-data-center-networking-startup-boom/
This fear has created a sense of urgency for Apple Inc., Google, Facebook Inc. and other technology giants that have been devising their own alternatives to Cisco, which controls more than half of the market for network equipment. After the photo was published, Cisco filed a public complaint with the White House, arguing that spying by the National Security Agency was hurting U.S. companies. Cisco told Bloomberg it doesn’t work with governments on backdoors for its products and maintains tight checks on its processes and supply chain to assure customers of their security.
While Cisco’s dominance isn’t in danger of slipping any time soon, the industry’s creeping concerns over cybersecurity have created an opening for new businesses and equipment-design skunkworks inside large companies. In the three years since the Snowden leaks, networking software and equipment startups raised $6.35 billion, a 47 percent increase over the prior three years, according to researcher CB Insights. “We’ve lost confidence in the vendors in the wake of the Snowden revelations, and that is a weakness and an opportunity,” John Kindervag said in an interview last month as a vice president at Forrester Research. (He recently left the market analysis firm to become an executive at Palo Alto Networks Inc.)
One company that’s benefiting is SnapRoute Inc., which was founded by a former manager of Apple’s global data center network. The startup makes a cheaper, simpler network switch than the ones Cisco sells. And unlike most switches, it’s open-source, allowing customers to look for bugs, performance glitches or backdoors that might allow a government to peek inside.
Facebook is also a founding member of the Open Compute Project, which develops and shares open-source data center designs.
The high cost of traditional networking products was the main reason for Amazon.com Inc.’s investment into creating its own equipment. “It was cost that caused us to head down our own path,”
Besides looking to save a lot of money on premium equipment, companies are placing a higher value on transparency. Cisco guards its code and designs, making them difficult to repair when things break. A web hosting company filed for bankruptcy protection after a series of Cisco switches failed and a major customer left, while Cisco worked for months on a fix. Cisco has declined to comment on that case, saying only that it tries to fix problems quickly.
By 2020, spending on open-source and self-built switches and other network technologies will account for at least 20 percent of the global data center market, up from less than 2 percent last year, according to researcher Gartner Inc. Big Switch Networks Inc., Cumulus Networks Inc., Pluribus Networks Inc. and SnapRoute are among the companies cultivating a niche that’s putting pressure on leaders Cisco and Juniper Networks Inc. and their proprietary code, said Naresh Singh, an analyst at Gartner.
The giants are already under pressure from software-based networking alternatives like SnapRoute’s, and the adoption of open-source tools from mega users, such as Facebook and Goldman Sachs, poses an even bigger threat to their businesses, Singh said. Cisco said some companies balk at using open-source network equipment, citing maintenance “complexity and hidden costs.”
Whereas switches from Cisco and other big suppliers can have tens of millions of lines of code, SnapRoute’s has just 22,000.
Tomi Engdahl says:
WordPress Bug Allows Hackers to Alter Website Content
http://www.datacenterknowledge.com/archives/2017/02/07/wordpress-bug-allows-hackers-alter-website-content/?utm_source=internal-link&utm_medium=foot-link&utm_campaign=next
A WordPress bug called REST API Endpoint allowed more than 67,000 websites to be hacked over the past two weeks, but the company has since rolled out a new version of the content management software with a patch to fix the problem, according to bleepingcomputer.com. The bug enabled hackers to infiltrate back end systems and change or inject words within content.
Although web security firm Sucuri informed WordPress back on Jan. 20 about the vulnerability to sites using versions 4.7 and 4.7.1, the two companies decided to wait until last week to publicly announce the bug until it could successfully roll out a fix in WordPress 4.7.2, said Sucuri security researcher Marc-Alexandre Montpas in a blog post. If your website is one of the 27 percent of all sites that use WordPress–Data Center Knowledge being one–Sucuri highly recommends that you update to 4.7.2 as soon as possible.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Security researchers uncover new macOS malware Xagent, a modular backdoor from the Russian group APT28 that’s been linked to last year’s DNC hacks
New Mac malware pinned on same Russian group blamed for election hacks
Xagent for Macs steals passwords, grabs screenshots, and exfiltrates iPhone backups.
https://arstechnica.com/security/2017/02/new-mac-malware-pinned-on-same-russian-group-blamed-for-election-hacks/
APT28, the Russian hacking group tied to last year’s interference in the 2016 presidential election, has long been known for its advanced arsenal of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs.
Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion, researchers from antivirus provider Bitdefender reported in a blog post published Tuesday. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.
New Xagent Mac Malware Linked with the APT28
https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/
Tomi Engdahl says:
Andy Greenberg / Wired:
Open Whisper Systems announces beta rollout of video calling feature for Signal app, which comes with new privacy tradeoffs
The Best Encrypted Chat App Now Does Video Calls Too
https://www.wired.com/2017/02/encryption-app-signal-enables-video-calls-new-privacy-tradeoff/
Even as the encryption app Signal became the go-to private communications channel for activists, journalists, politicians, and more, its encrypted calling feature remained less than perfect. It lacks video, often drops calls, and doesn’t always integrate with your phone’s existing features. A Signal update gradually rolling out now upgrades the calling features and adds video, too—but might require its most privacy-sensitive users to take an extra step to protect themselves.
On Tuesday, Signal’s creators at the non-profit Open Whisper Systems announced a beta version of the update that, in addition to video calling, adds the ability to answer calls from a locked screen, and what they promise will be better call quality.
The beta upgrade to Signal will use CallKit, Apple’s framework for allowing VoIP calls like Signal’s, to be integrated more completely into the calling functionality of the phone. But that also means calls will be recorded in the iPhone’s call log and, for iCloud users, shared with Apple’s server.
Signal’s popularity grew in part because it has long made certain privacy tradeoffs to make the app more usable. It integrates a phone’s existing contacts for convenience, for instance, but requires that a number be added to a phone’s contact list before it can be called. That means if the phone backs its contacts up to the cloud, some sensitive details could be leaked.
And Signal has avoided a “federation” feature that would allow Signal users to set up their own server to communicate over, rather than use Signal’s more centralized system.
Tomi Engdahl says:
Larry Dignan / ZDNet:
IBM integrates Watson into its security operations platform
http://www.zdnet.com/article/ibm-integrates-watson-into-its-security-operations-platform/
IBM’s Watson has ingested more than 1 million security documents and been tested by about 40 customers in a bid to make the cognitive technology a sidekick to cybersecurity analysts.
Tomi Engdahl says:
Rishika Sadam / Reuters:
Cisco reports Q2 revenue of $11.6B, down 2% YoY but beating estimates, as core businesses decline
Cisco profit beats on strong demand for security products
http://www.reuters.com/article/us-cisco-systems-results-idUSKBN15U2O6
Cisco Systems Inc (CSCO.O) reported higher-than-expected quarterly revenue and profit, helped mainly by strong demand for its security products.
Revenue in the security business, which offers firewall protection and breach detection systems, rose 14 percent to $528 million.
Revenue in the legacy switching business, still by far its largest, fell 5 percent to $3.31 billion in the second quarter.
Tomi Engdahl says:
Synopsys’ Robert Vamosi says that major software vulnerabilities are becoming less frequent, in spite of hype surrounding named bugs.
Ticketbleed: The Next Black Swan
Posted by Robert Vamosi on February 13, 2017
https://blogs.synopsys.com/software-integrity/2017/02/13/ticketbleed-the-next-black-swan/
Last week a researcher disclosed a software vulnerability in a feature of the TLS/SSL stack that allowed a remote attacker to extract sensitive information. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the heartbeat function in SSL affected some 600,000 websites worldwide and risked exposing passwords and other private keys. Ticketbleed, announced last Wednesday, has some similarity, but, at the end of the day, is no Heartbleed.
Software vulnerabilities really should not be surprising. But the big events are becoming as rare as black swans. So why are we still focusing on the next big event?
Researcher Filippo Valsorda, from Cloudflare, coined the name Ticketbleed, which refers to the information leakage vulnerability in the implementation of a session ticket within TLS/SSL. Valsorda said he was resolving a bug report from a Cloudflare customer who was using a F5 webserver product when he first noticed an incompatibility between the Cloudflare TLS stack and the F5 one.
Differences
Ticketbleed can only siphon data at 1 byte per session, versus the more than 64 kilobytes obtained through Heartbleed. With Ticketbleed, an attacker would need several rounds of 1-byte data before it becomes significant. With Heartbleed, you could get several kilobytes of sensitive data in one shot.
The Ticketbleed vulnerability is limited to certain F5 products using the BIG-IP SSL virtual server. Heartbleed affected open source software found on more than 600,000 IP addresses across the internet.
Like Heartbleed, the Ticketbleed vulnerability is not in the original RFC for TLS/SSL but in the F5 implementation. Heartbleed wasn’t in SSL either, only in its OpenSSL implementation.
The software industry is maturing
The lack of significant new software vulnerabilities does suggest a growing maturity in the software industry. The most egregious coding errors are being caught early in the software development lifecycle. Even diverse industries such as Automotive and medical are starting to recognize the need for secure coding standards.
Out of sight, out of mind
The lack of big profile vulnerabilities can lull organizations into a state of complacency. If we’re not at a risk today, then why spend the effort? The software threat landscape becomes background noise. That doesn’t mean the threats go away, only that they are internally demoted. “If no one complains, why should we mitigate this?”
There’s also the issue of coordinated disclosure. Some organizations resist going public with a software flaw, particularly when the vendor lacks a security team to work with the researcher.
Misprioritization
Finally, the fact that Ticketbleed has a logo and a website might seem significant. It’s not.
Plenty of work ahead
Our continuing efforts to end all coding flaws to some degree will be asymptotic, never reaching 100%. But the effort will always be worth every penny we spend toward that goal in quality and safety.
Finding Ticketbleed
https://blog.filippo.io/finding-ticketbleed/
Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.
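The mechanism behind the "up to 31 bytes at a time" figure, as an added simulation that is not code from F5, Cloudflare or the Synopsys post: on TLS session resumption the client sends a Session ID of 1 to 32 bytes alongside its ticket, and RFC 5077 section 3.4 requires the server to echo that same Session ID back. Valsorda's write-up describes the affected F5 stack copying the ID into a fixed 32-byte buffer and always returning all 32 bytes, so a 1-byte Session ID comes back padded with 31 bytes of whatever the buffer held. The heap contents below are constructed for the demo.

```python
"""Simulation of the Ticketbleed (CVE-2016-9244) leak mechanism.

Added example: this is not code from F5, Cloudflare or the Synopsys post.
The 'heap' contents and Session IDs below are constructed for the demo.
"""

SESSION_ID_MAX = 32   # a TLS Session ID is 0..32 bytes long
PROBE_ID = b"\x01"    # the 1-byte Session ID used by the Ticketbleed probe


def vulnerable_echo(client_session_id: bytes, stale_buffer: bytes) -> bytes:
    """Models the bug described in Valsorda's write-up: the Session ID from
    the ClientHello is copied into a fixed 32-byte buffer that is never
    cleared, and the whole buffer is returned in the ServerHello."""
    assert 1 <= len(client_session_id) <= SESSION_ID_MAX
    assert len(stale_buffer) == SESSION_ID_MAX
    buf = bytearray(stale_buffer)            # leftover bytes from earlier use
    buf[:len(client_session_id)] = client_session_id
    return bytes(buf)                        # 32 bytes, regardless of input length


def fixed_echo(client_session_id: bytes, stale_buffer: bytes) -> bytes:
    """What RFC 5077 section 3.4 asks for: echo exactly the Session ID the
    client sent, nothing more."""
    assert 1 <= len(client_session_id) <= SESSION_ID_MAX
    assert len(stale_buffer) == SESSION_ID_MAX
    buf = bytearray(stale_buffer)
    n = len(client_session_id)
    buf[:n] = client_session_id
    return bytes(buf[:n])


def leaked_bytes(sent: bytes, echoed: bytes) -> bytes:
    """Bytes of the echoed Session ID that the client never sent."""
    if not echoed.startswith(sent):
        raise ValueError("Session ID not echoed: the server did not resume")
    return echoed[len(sent):]


def is_ticketbleed_vulnerable(server_echo) -> bool:
    """The probe from the write-up: resume with a 1-byte Session ID and see
    whether the ServerHello Session ID comes back longer than 1 byte."""
    stale = bytes(SESSION_ID_MAX)            # contents do not matter for the check
    return len(leaked_bytes(PROBE_ID, server_echo(PROBE_ID, stale))) > 0


def harvest(server_echo, heap: bytes, rounds: int) -> bytes:
    """Repeat the 1-byte probe; each resumption leaks at most 31 bytes of
    whatever the buffer held, so an attacker accumulates memory over many
    sessions. Round r is modelled as the buffer being reused over heap
    chunk r (constructed model of buffer reuse)."""
    leaked = b""
    for r in range(rounds):
        stale = heap[r * SESSION_ID_MAX:(r + 1) * SESSION_ID_MAX]
        if len(stale) < SESSION_ID_MAX:
            break
        leaked += leaked_bytes(PROBE_ID, server_echo(PROBE_ID, stale))
    return leaked


if __name__ == "__main__":
    # Constructed memory content: a cookie and a key fragment that once
    # passed through the same buffer.
    heap = (b"Cookie: session=4f3a9c1e7b2d; user=ops-admin\r\n"
            b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...")
    for name, echo in (("vulnerable", vulnerable_echo), ("fixed", fixed_echo)):
        print(name, "| vulnerable:", is_ticketbleed_vulnerable(echo),
              "| leaked:", harvest(echo, heap, 3))
```

The check is the same one a scanner performs against a live server: send a short Session ID on resumption and compare the length of the echoed value; a server that returns more than it received is leaking. The harvest loop is why "1 byte per session" understates the problem: each resumption is cheap and the leaked windows concatenate across sessions.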
Tomi Engdahl says:
Most common mobile device malware in January 2017:
1. Triada
2. HummingBad
3. Hiddad
Source: http://www.uusiteknologia.fi/2017/02/16/triada-tarttuu-nyt-android-laitteisiin/
Tomi Engdahl says:
Please stop charging your phone in public ports
http://money.cnn.com/2017/02/15/technology/public-ports-charging-bad-stop/
I know the feeling: Your battery is low, but you have to keep tweeting. You see a USB port or an outlet in public, plug in your device and feel the sweet relief of your phone charging.
That comfort could be shattered by an invisible attacker collecting information while your phone is plugged in to a hacked outlet.
“Just by plugging your phone into a [compromised] power strip or charger, your device is now infected, and that compromises all your data,” Drew Paik of security firm Authentic8 explained. Authentic8 makes Silo, a secure browser that anonymizes web activity.
Public charging stations and wi-fi access points are found in places like airports, planes, conference centers and parks, so people can always have access to their phones and data. But connecting your phone to an unknown port has its risks.
The cord you use to charge your phone is also used to send data from your phone to other devices.
If a port is compromised, there’s no limit to what information a hacker could take, Paik explained.
And yet despite the risks, people do it all the time. Even at prominent security conferences.
The company ran an informal social experiment to see how many people would use the public charging stations. Paik said an overwhelming number of attendees — about 80% — connected their phones without asking about the security.
“The majority are plugging in no problem. They are at a security conference and they should know better, but they probably feel safe,” he said. “The others are making fun of them. They just walk by and say, ‘Do people really do that?’”
Tomi Engdahl says:
F-Secure has bought the Italian company Inverse Path, which provides security services for the aircraft industry, the automotive industry and the industrial control industry.
“Inverse Path was one of the first companies to announce security assessments of vehicles, and that knowledge is now used to secure automotive telematics for vehicle manufacturers. With the acquisition, we strengthen F-Secure’s position as a global leader in cyber security, with renowned expertise and know-how,” says Jyrki Tulokas, who leads strategy and development at F-Secure, in the release.
Source: http://www.tivi.fi/Kaikki_uutiset/f-secure-ostaa-tietoturvafiman-italiasta-6625247
Tomi Engdahl says:
Yahoo warning users that hackers forged cookies to access accounts
The news comes off the back of Verizon dropping $250 million from its Yahoo purchase price.
http://www.zdnet.com/article/yahoo-warning-users-that-hackers-forged-cookies-to-access-accounts/
Yahoo is warning some customers that state-sponsored attackers have accessed their accounts by using a sophisticated cookie forging attack, which doesn’t require obtaining user passwords.
The notice is a continuation of the company’s response to a series of historic data breaches announced last year.
An email from Yahoo forwarded to ZDNet said:
“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
A handful of others on Twitter also confirmed they had received an identical email notification.
Yahoo confirmed the notifications were genuine.
“The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”
Yahoo revealed in September the theft of 500 million records, then thought to be the largest theft of records in history, only to reveal in December a separate theft of one billion records.
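A minimal model of the attack class in the notice above, added here as an illustration; it is not Yahoo's cookie format and says nothing about how their cookies were actually forged. A server that authenticates requests by a signed session cookie is exactly as safe as its signing key: whoever holds the key can mint a valid cookie for any user without ever touching a password. The example also shows the two responses available afterwards, rotating the key and refusing cookies issued before a cutoff time. Key IDs, keys and user names are constructed.

```python
"""Signed-cookie model for the forged-cookie attack class.

Added example: this is not Yahoo's cookie format and does not describe how
their cookies were forged. It shows why a server that authenticates users
by a signed cookie is only as safe as its signing key, and what key
rotation plus an issue-time cutoff does about cookies already minted.
Keys, key IDs and users are constructed.
"""
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(signing_key: bytes, kid: str, user: str, issued_at: int) -> str:
    """kid.payload.tag; the tag is HMAC-SHA256 over kid and payload so that
    neither the claims nor the key reference can be swapped independently."""
    payload = json.dumps({"u": user, "iat": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(signing_key, kid.encode() + b"." + payload, hashlib.sha256).digest()
    return ".".join((kid, _b64(payload), _b64(tag)))


def verify_cookie(cookie: str, keys: dict, not_before: int = 0):
    """Return the user the cookie vouches for, or None.
    keys: kid -> currently accepted signing key (rotated keys are absent).
    not_before: reject cookies issued before this time, e.g. the point
    at which a key was found to be compromised."""
    try:
        kid, payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        claims = json.loads(payload)
    except ValueError:                       # malformed structure, base64 or JSON
        return None
    key = keys.get(kid)
    if key is None:                          # unknown or rotated-out key
        return None
    expected = hmac.new(key, kid.encode() + b"." + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    if not isinstance(claims, dict):
        return None
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat < not_before:
        return None
    return claims.get("u")


if __name__ == "__main__":
    server_keys = {"k1": b"constructed-signing-key"}
    legit = mint_cookie(server_keys["k1"], "k1", "alice", 1000)
    print("legitimate:", verify_cookie(legit, server_keys))

    # An intruder holding a copy of the signing key needs no password.
    forged = mint_cookie(b"constructed-signing-key", "k1", "victim", 1001)
    print("forged, same key:", verify_cookie(forged, server_keys))

    # Rotating the key, or refusing anything issued before the cutoff,
    # invalidates the forged cookie (and every legitimate one, which is
    # the price of the response).
    rotated = {"k2": b"constructed-new-key"}
    print("forged after rotation:", verify_cookie(forged, rotated))
    print("forged with cutoff:", verify_cookie(forged, server_keys, not_before=1500))
```

Two practical points follow from the model. First, a signature check cannot distinguish a forged cookie from a legitimate one once the key has leaked, so detection has to come from elsewhere (issuance records, anomalous logins), which is consistent with Yahoo identifying affected accounts through forensic investigation rather than at verification time. Second, a purely stateless design leaves rotation and a cutoff as the only remedies; keeping a server-side record of issued sessions lets a service revoke individual cookies instead of logging everyone out.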
Tomi Engdahl says:
ITU ponders whether blockchain belongs in its security standards
Security working group has decided it wants to know what it needs to know
https://www.theregister.co.uk/2017/02/16/itu_investigates_blockchain/
The International Telecommunication Union has decided the time has come to consider whether Blockchain deserves its attention so it can be considered for future security standards.
Study Group 17 of the Union’s Standardization Sector (ITU-T), which is dedicated to security, has scheduled a workshop in March to “examine blockchain’s potential to build trust into a wider variety of our interactions online”.