Security trends 2017

Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.

Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.

In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.

Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.

Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.

 

Other prediction articles worth to look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

 

 

3,151 Comments

  1. Tomi Engdahl says:

    A messed up Google Home Mini recorded a tech reporter 24/7
    https://techcrunch.com/2017/10/10/google-home-mini-recorded-24-7-androidpolice/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    The idea of inviting an always-on recording device into our bedrooms would have once seemed beyond creepy, but now most consumers hardly give it a second thought.

    As Android Police reports, a small number of Google Home Mini review units given to tech reviewers malfunctioned, persistently recording audio in the background without being activated by a hotword. The Home Mini units gave no indication they were recording beyond silently flashing their four display lights — a notification that you’d only notice if you were looking directly at the device.

    Google is nerfing all Home Minis because mine spied on everything I said 24/7 [Update]
    http://www.androidpolice.com/2017/10/10/google-nerfing-home-minis-mine-spied-everything-said-247/

    Without fail, every time a new listening device comes to market, some tinfoil hat-wearer points out how perfect they would be as modern-day Trojan horses for any of the three-letter acronym organizations – NSA, CIA, FBI – you name it. Manufacturers, on their part, assure us their devices are perfectly safe and only listen when prompted. We brush the concerns off and move on with our lives

    That is until last week, when a 4th case came along – 24/7 recording, transmission to Google’s servers, and storing on them of pretty much everything going on around my Home Mini, which I had just received at the Made by Google October 4th launch event.

    As you can see, the Home Mini quietly turns on, flashes its lights, then shuts off after recording every sound. When the volume increases, it actually attempts to respond to random queries. I was even able to get it to turn on just by knocking on the wall.

    Google has just published a support page to address the reported issue. The company assures pre-order customers that their units won’t be affected, and the defect should be limited to the batches given out at Made by Google events, which presumably includes 4,000 Home Minis distributed at the donut pop-up events as well as the ones from the October 4th press event.

    Additionally, Google has removed all existing activity generated by long pressing the top of a Mini from their servers.

    It’s still unclear at this point what the fate of the long-press feature is in the long term.

    Reply
  2. Tomi Engdahl says:

    The Truman Show Will Not Be Televised, or How We Learned to Stop Worrying and Give up Our Privacy
    https://medium.com/@Bitdefender/the-truman-show-will-not-be-televised-or-how-we-learned-to-stop-worrying-and-give-up-our-privacy-b02a72767bf8

    “You never had a camera inside my head.” – Truman Burbank
    It’s been almost 20 years since Truman Burbank escaped the simulated reality set that made him a star for millions of television viewers. In the 1998 satire, Jim Carrey portrays a man who discovers his life is a set-up, and wakes up to the fact that his improbably ideal world is a carefully crafted construct from which privacy has been banished. A couple of decades later — and I’m not talking about fiction anymore — anyone can become the star of their very own Truman Show. All it takes is an Internet connection.

    Reply
  3. Tomi Engdahl says:

    Everyone bored to death by DoJ’s latest call for crypto backdoors
    https://techcrunch.com/2017/10/11/everyone-bored-to-death-by-dojs-latest-call-for-crypto-backdoors/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The U.S. Department of Justice’s deputy attorney general, Rod Rosenstein, gave a speech on encryption yesterday and boy was it a snoozer. It’s almost as if all those decades of crypto wars never happened.

    How many data breaches and ransomware attacks will it take before we don’t have to hear reheated and rehashed arguments against strong encryption?

    Rosenstein’s premise in his “remarks on encryption” was that there has never been a secure form of communication in human history prior to end-to-end encryption (er, what about person to person speech, as the EFF points out).

    And that this “warrant-proof encryption” is akin to a magical immunity cloak for criminals

    Rosenstein went on to call out — though mostly not by name — U.S. tech giants for being unwilling to hand over data that they don’t have access to.

    Rosenstein also criticized tech giants for being unwilling to deliberately weaken the security of their systems in order to afford such access.

    not-so-subtle call was for legislation to force unwilling tech companies to backdoor their systems

    Though he euphemistically termed this “responsible encryption”.

    And tried to claim it would not, in fact, be a backdoor. (“Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization,” er, so a backdoor then?)

    So what were Rosenstein’s examples of “responsible encryption”?

    “The central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.”

    EFF neatly sums up in its takedown of the speech as “nerd harder“.

    Thing is, maths is immune to nerding harder — howsoever many people claim it’s not.

    Reply
  4. Tomi Engdahl says:

    Wall Street Journal:
    US officials say Kaspersky antivirus tool was modified for espionage purposes to search for terms like “top secret” and that the firm must have known

    Russia Has Turned Kaspersky Software Into Tool for Spying
    https://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874

    Searches exploited popular Russian-made antivirus software to seek classified material, officials say

    Reply
  5. Tomi Engdahl says:

    New York Times:
    Sources: after hacking Kaspersky’s network in 2014, Israel told NSA that it found Russian spies using Kaspersky software to search for US intel docs — It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers …

    How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
    https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html

    It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.

    What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool — antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.

    The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

    The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed.

    Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers. Its popular antivirus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest.

    Kaspersky Lab denied any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement Tuesday afternoon.

    Reply
  6. Tomi Engdahl says:

    Accenture – Embarrassing data leak business data in a public Amazon S3 bucket
    http://securityaffairs.co/wordpress/64150/data-breach/accenture-data-leak.html

    The leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket. Disconcerting!

    Another Tech giant has fallen victim of an embarrassing data leak, this time the leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket.

    The incident exposed internal Accenture private keys, secret API data, and other information, a gift for attackers that want to target the firm or its clients

    The unsecured Amazon S3 bucket was discovered by researchers at UpGuard that privately reported to Accenture on Sept. 17. The company solved the problem in one day.

    Reply
  7. Tomi Engdahl says:

    Israel and Russia’s overlapping hacks of Kaspersky complicate espionage narrative
    https://techcrunch.com/2017/10/11/nyt-kaspersky-israel-intelligence-duqu-2-0/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    The drama between Russian cybersecurity firm Kaspersky and the U.S. government just doesn’t quit, but a new report may answer some longstanding questions.

    This week, The New York Times revealed that U.S. intelligence was actually tipped off about the Russian government hacking Kaspersky Lab software by Israeli intelligence officers who observed Russia in action during the course of their own spying efforts.

    Reply
  8. Tomi Engdahl says:

    How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
    https://mobile.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html?smid=tw-nytimes&smtyp=cur&referer=http://m.facebook.com/

    It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.

    What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool — antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.

    The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers

    Reply
  9. Tomi Engdahl says:

    Security-Oblivious Design Makes TrustZone Vulnerable to Attack
    http://www.electronicdesign.com/automotive/security-oblivious-design-makes-trustzone-vulnerable-attack?NL=ED-004&Issue=ED-004_20171012_ED-004_287&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=13510&utm_medium=email&elq2=7f9526f10dba40c28a757146735ad8d4

    Many automotive SoCs take advantage of ARM’s TrustZone. But researchers at Columbia Univ. succeeded in attacking a security-oblivious design by compromising the DVFS SoC support.

    Creating advanced driver-assistance systems (ADAS) and self-driving cars is a substantial technical challenge. Securing these designs is also challenging, but security hardware can make this task much easier—if it works.

    Typically, the root of trust starts in hardware with keys that must be protected and security hardware that provides secure boot support. ARM’s TrustZone is one implementation that provides this support. TrustZone technology is at the center of ARM’’s security message, so compromising this system would have a significant impact on automotive security.

    On that front, researchers at Columbia University succeeded in attacking a security-oblivious design of a TrustZone-based ARM system-on-chip (SoC) implementation by compromising the Dynamic Voltage and Frequency Scaling (DVFS) support

    Reply
  10. Tomi Engdahl says:

    Spy vs Spy vs Spy as Israel Watches Russian Hackers: NYT
    http://www.securityweek.com/spy-vs-spy-vs-spy-israel-watches-russian-hackers-nyt

    Israeli spies observed Russian government hackers in real time as they scoured computers around the world for the codenames of US intelligence programs, The New York Times reported Tuesday night.

    The Russian intrusion detected more than two years ago used anti-virus software manufactured by the Russian firm Kaspersky Lab as an ad hoc global search tool, the Times said, quoting current and former government officials.

    Reply
  11. Tomi Engdahl says:

    Kaspersky in Focus as US-Russia Cyber-Tensions Rise
    http://www.securityweek.com/kaspersky-focus-us-russia-cyber-tensions-rise

    The security software firm Kaspersky has become the focal point in an escalating conflict in cyberspace between the United States and Russia.

    The Russian-based company has been accused of being a vehicle for hackers to steal security secrets from the US National Security Agency, and was banned by all American government agencies last month.

    But it remains unclear if Kaspersky was part of a scheme or an unwilling accomplice in an espionage effort.

    Reply
  12. Tomi Engdahl says:

    F-35 Stealth Fighter Data Stolen in Australia Defence Hack
    http://www.securityweek.com/f-35-stealth-fighter-data-stolen-australia-defence-hack

    Sensitive data about Australia’s F-35 stealth fighter and P-8 surveillance aircraft programmes were stolen when a defence subcontractor was hacked using a tool widely used by Chinese cyber criminals, officials said Thursday.

    The 50-person aerospace engineering firm was compromised in July last year but the national cyber security agency, the Australian Signals Directorate (ASD), only became aware of the breach in November, technology website ZDNet Australia reported.

    Some 30GB of “sensitive data” subjected to restricted access under the US government’s International Traffic in Arms Regulations rules were stolen, ASD’s Mitchell Clarke told a security conference Wednesday according to ZDNet.

    Reply
  13. Tomi Engdahl says:

    Akamai to Acquire DNS Security Firm Nominum
    http://www.securityweek.com/akamai-acquire-dns-security-firm-nominum

    Akamai Technologies announced on Wednesday that it has agreed to acquire Nominum, a privately-held provider of DNS security solutions for carriers and enterprises.

    Terms of the deal were not disclosed, but the all-cash transaction is scheduled to close in Q4 2017, Akamai said.

    “By combining Nominum’s carrier-grade cybersecurity solutions with Akamai’s enterprise security offerings and threat intelligence, Akamai intends to serve a larger base of carrier and enterprise customers with more comprehensive security products,” Akamai explained. “These products will be designed to more effectively identify, block, and mitigate cybersecurity threats such as malware, ransomware, phishing, and data exfiltration.”

    In early 2017, Akamai lauched a new offering designed to protect enterprises against malware, phishing and data exfiltration attempts through the analysis of DNS requests.

    Reply
  14. Tomi Engdahl says:

    High-Tech Bridge Launches Free Service for Testing Mobile Apps
    http://www.securityweek.com/high-tech-bridge-launches-free-service-testing-mobile-apps

    Web security company High-Tech Bridge announced on Thursday the launch of a free online service that allows mobile application developers to test their iOS and Android apps.

    Mobile X-Ray can test native and hybrid applications, including security and privacy aspects, using dynamic application security testing (DAST), static application security testing (SAST), data encryption testing for communications with APIs and web services, and behavioral analysis.

    The service looks for the most common types of vulnerabilities, including ones covered by the OWASP Mobile Top Ten, and provides a user-friendly report that includes remediation guidance. The test results include examples of both insecure and secure code.

    In the case of Android apps, developers can upload the APK to Mobile X-Ray, but iOS apps can only be tested if they are compiled as a Simulator app in Xcode.

    The assessment can take less than a minute, but it can also take up to a couple of hours, depending on application complexity and overall system workload.

    “Mobile applications have become an inseparable part of everyday business and private life. In light of skyrocketing data breaches, many different research reports urge the enhancement of mobile application security and privacy,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge. “Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. At High-Tech Bridge, we are excited to fulfil this gap and offer a unique online service for the benefit of the cybersecurity community and independent developers.”

    While the Mobile X-Ray tool can be highly useful for application developers, many critical vulnerabilities exist in backend systems, for which High-Tech Bridge recommends its ImmuniWeb Mobile product.

    https://www.htbridge.com/mobile/?id=WHd2AY1j

    Reply
  15. Tomi Engdahl says:

    Malicious Redirects on Equifax, TransUnion Sites Caused by Third-Party Script
    http://www.securityweek.com/malicious-redirects-equifax-transunion-sites-caused-third-party-script

    Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.

    Independent security analyst Randy Abrams noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to a website set up to serve adware disguised as a Flash Player installer.

    While initially it appeared that Equifax’s website had been hacked, the company’s investigation revealed that the malicious redirects occurred due to a third-party vendor’s script.

    “Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” Equifax stated.

    The redirection chain, often seen in malvertising attacks, results in users being taken to a scammy or malicious website, depending on their geographical location and the type of device they use to access the affected webpage.

    Researchers at Malwarebytes have analyzed the incident and determined that the redirection occurs due to a web analytics script from Digital River-owned Fireclick. A search for the script involved in the attack (fireclick.js) revealed that it had also been used on the Central America website of TransUnion, whose customers were also redirected to shady sites.

    Both Equifax and TransUnion have removed the problematic script from their websites. Equifax took the affected service offline and had not restored it at the time of writing.

    Reply
  16. Tomi Engdahl says:

    Security Concerns Hamper Migration to Office 365: Report
    http://www.securityweek.com/security-concerns-hamper-migration-office-365-report

    An increasing number of organizations have started using Microsoft’s Office 365 platform, but many haven’t migrated due to security concerns, according to a report published on Thursday by Barracuda Networks.

    The study is based on a survey of more than 1,100 organizations of all sizes from North America, Europe, Africa and the Middle East. Nearly two-thirds of respondents said they are using Office 365 and 49% of the remaining organizations plan on migrating. While the number of organizations that started using Office 365 has increased, the adoption rate has declined compared to 2015-2016, when the number of subscriptions doubled.

    Nearly 44% of organizations that haven’t moved to Office 365 decided against migrating due to security concerns. Of the companies that plan on migrating, more than 73% said they were concerned about advanced threats in their future Office 365 environment. Nearly 70% of those that have already started using Office 365 are also concerned about sophisticated threats.

    More than 86% of respondents are concerned about phishing, impersonation and social engineering attacks, while 92% are concerned about ransomware.

    “The very high rates of concern about security—including worries about latent threats, advanced malware, phishing and spear phishing, and especially ransomware—may be the single most important contributing factor to the overall decline in the rate of adoption that the survey revealed,” Barracuda said in its report.

    Despite the fact that email has been one of the main ransomware delivery vectors, more than half of respondents don’t use DMARC or DKIM/SPF, protocols designed to detect and prevent email spoofing.

    https://blog.barracuda.com/2017/10/12/office-365-active-usage-soars-some-still-unclear-on-security/

    Reply
  17. Tomi Engdahl says:

    Answering the Call for an Architectural Approach to Security
    http://www.securityweek.com/answering-call-architectural-approach-security

    Most of us are familiar with the adage: “the best defense is a good offense.” It’s used when talking about sports, military strategy, and business – and it holds true for cybersecurity as well. But the reality is that with respect to cybersecurity, organizations have traditionally taken a defensive tact only.

    The best of breed approach has ruled the day and now many organizations have a patchwork of product platforms from various security companies. A firewall from company A, intrusion detection/prevention from company B, endpoint protection from company C, and the list goes on and on. The challenge is that these disparate solutions can’t and don’t work together and have to be managed independently. Depending on an organization’s needs, security teams are grappling with anywhere from five to as many as 50 different security vendors and solutions that can’t keep up as business models shift, the attack surface expands, and threats evolve. In other words, they’re experiencing a security effectiveness gap, where the security capability each new product adds is overshadowed by the additional complexity it piles on.

    To close this gap enterprises are now re-thinking the way they purchase and deploy security technologies. New research from ESG found that 62 percent of security professionals surveyed are actively consolidating their cybersecurity vendors and 82 percent are using an architectural approach to guide this consolidation – integrating multiple individual products and platforms. But to get the operational efficiencies and better protection they seek, they need to do it the right way.

    Reply
  18. Tomi Engdahl says:

    Will World War III be fought in the cyber world?
    Cyber-psychologist Dr. Mary Aiken explains the current threats to cybersecurity.
    https://www.designnews.com/cyber-security/will-world-war-iii-be-fought-cyber-world/187678036757628?ADTRK=UBM&elq_mid=1442&elq_cid=876648

    Hacking has become a full-time career option, a weapon of mass disruption and a way of compromising privacy on a global scale. The billions of connected devices being bought by businesses and consumers every year is expanding the attack surface at a rapid rate. So, are individuals and industry dealing with the challenge of protecting their devices from cradle to grave? If not, what needs to change and how quickly? Do we now need a more human-centered approach to how we design and engage with technology that reduces our vulnerability to threats and makes us more empowered?

    Design News: Could you describe what it means to be a cyber-psychologist?

    Aiken: Cyberpsychology is the study of the impact of technology on humankind. This involves everything from virtual environments to Internet psychology. My specialist area is Forensic Cyberpsychology, which focuses on abnormal and criminal behavior online. Cyberpsychology has been described as the “new psychology” and as a discipline is expected to enjoy exponential growth due to continued rapid acceleration of Internet technologies, and the unprecedentedly pervasive and profound influence of digital connectivity on human beings.

    Aiken: The one phenomenon that is most alarming is the increase in the number of young people engaging in cybercriminal activity – everything from hacking to cyber fraud. The Australian Bureau of Crime Statistics and Research recently reported a surge in cyber fraud offences committed by people under 18 years.

    In a recent survey, roughly one in six teenagers in the US, and one in four teenagers in the UK, reported that they had tried some form of Internet hacking. Law enforcement have noted that young people, particularly IT literate boys, are increasingly committing cybercrime offences ranging from money laundering for criminal gangs, to hacking, to use of remote access trojans (RATs) – that is, malware that can log keystrokes, lift passwords, encrypt files and hold them for ransom, and is used for everything from blackmail to financial fraud.

    Youth involvement in cybercrime points to developmental aspects of cyber criminality, and therefore requires urgent investment in educational and intervention programs designed to address evolving cyber juvenile delinquency.

    Design News: Have you also seen a change in the way people and organizations are protecting themselves from cybercrime?

    Aiken: Recent reports have highlighted the vulnerability of insecure Internet of Things (IoT) devices. In 2016 we had the first massive attack originating from connected devices, as the Mirai malware transformed around 150 000 routers and CCTV cameras into a DDoS botnet. This botnet was involved in several attacks, including one targeting internet infrastructure on the West Coast of the United States.

    The sheer volume, velocity and variety of cyber-criminal activity online from large-scale data breaches to ransomware attacks means that increasingly organizations will need to deploy artificial intelligence solutions in order to protect themselves.

    Design News: Do you see developments in cybersecurity sufficient to keep up with advances in cyber-attacks?

    Aiken: There has been some interesting work undertaken in terms of comparing how the human immune system operates, and how a defensive network policing the Internet of Things might operate. A technological immune system would aim to detect illness in edge devices through sensors. The system would have the ability to quarantine unhealthy devices and deliver automatic treatment.

    Design News: Should governments get more involved in cyber protection of its citizens and organization?

    Aiken: Government does have a role to play in terms of determining policy regarding cyber security – individual organizations and enterprises are at present responsible for their own security – when it comes to citizens I believe that cyber security starts at home.

    Reply
  19. Tomi Engdahl says:

    Homeland Security CTO Gets IT
    Software entrepreneur tackles cybersecurity
    https://www.eetimes.com/document.asp?doc_id=1332427&

    Michael Hermus left the software startup world two-and-a-half years ago to help the U.S. government get smarter about information technology. The chief technology officer of the Department of Homeland Security (DHS) sees progress in cybersecurity, but there’s still a long road ahead.

    “It’s a national security priority for the government to get better at tech, and I don’t think everyone understands that yet…We are living in a world where it’s an arms race in an asymmetric situation where the attacker only has to succeed once, but we have to succeed every time,” Hermus said in a fireside chat at an even sponsored by the Consumer Technology Association.

    DHS has a particularly broad attack surface because it is a mélange of as many as 22 federal entities with 250,000 employees and a $60 billion budget. It oversees cybersecurity in law enforcement as well as government systems, customs, airport security, disaster relief, border patrol and more.

    Reply
  20. Tomi Engdahl says:

    Intercontinental earlier this year and now Hyatt…when will hotels take customer data seriously ?

    Hyatt breach exposed customer payment data at 41 hotels
    https://techcrunch.com/2017/10/12/hyatt-breach-exposed-customer-payment-data-at-41-hotels/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Hyatt announced today that its payment systems were breached, exposing credit card data from 41 hotels in 11 countries. The hack was discovered in July and the investigation only just recently concluded.

    Over 1,000 Intercontinental hotels hit by a data breach
    https://www.google.fi/amp/s/www.engadget.com/amp/2017/04/20/intercontinental-data-breach/
    Intercon thought only 12 hotels were affected until an investigation revealed otherwise.

    Reply
  21. Tomi Engdahl says:

    Make sure not to mix up ‘Identification’ with ‘Authentication’
    https://pentestmag.com/make-sure-not-mix-identification-authentication/

    Tech media seem busy arguing on which biometrics is better than the others. But it is all nonsense from security’s point of view. All of them provide the level of security lower than that of a password-alone authentication in cyberspace. We should instead ask why security-lowering measures have been touted as security-enhancing solutions.

    Whether dead or alive, conscious or unconscious, individuals could be identified by biometrics. It often leads people to take it for granted that a good identification of individuals makes a valid authentication of our identity.

    Caveats! It is not the case.

    Therefore, so long as the biometrics is backed up by a fallback password, irrespective of which are more accurate than the others, its security is lower than that of a password-only authentication

    Reply
  22. Tomi Engdahl says:

    Millions of high-security crypto keys crippled by newly discovered flaw
    https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

    Factorization weakness lets attackers impersonate key holders and decrypt their data.

    0

    Search…
    BIZ & IT
    TECH
    SCIENCE
    POLICY
    CARS
    GAMING & CULTURE
    FORUMS
    VIEW FULL SITE DISABLE FLOATING NAV
    ARS TECHNICA

    ARS TECHNICA UK
    DARK ON LIGHT
    LIGHT ON DARK
    LOG IN REGISTER
    Forgot your password?

    Resend activation e-mail
    BIZ & IT / INFORMATION TECHNOLOGY

    Millions of high-security crypto keys crippled by newly discovered flaw
    Factorization weakness lets attackers impersonate key holders and decrypt their data.

    by Dan Goodin – Oct 16, 2017 2:00pm EEST
    Login to bookmark
    20

    750,000 Estonian cards that look like this use a 2048-bit RSA key that can be factored in a matter of days.
    Steve Jurvetson
    A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

    The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

    The flaw is the one Estonia’s government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.

    Reply
  23. Tomi Engdahl says:

    Home> Community > Blogs > Eye on IoT
    IoT: We aren’t as ready as we think
    https://www.edn.com/electronics-blogs/eye-on-iot-/4458947/IoT–We-aren-t-as-ready-as-we-think?utm_content=bufferfb949&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

    Are you really ready for the Internet of Things? While some say 95% of industrial companies will be using the IoT within the next three years and we’re ready to move to managing the data deluge, others say we still need to do work on the basics.

    Some of that basic work includes security, which is still being ignored due to management pressure to get products to market. “Some managers or companies just don’t think their products will be the target of an attack,” said Jacob Beningo, founder of Beningo Embedded Group, an embedded design consultancy. “Dev says yes [to security], management says no, so it gets ignored.”

    The implications of poorly implemented security are enormous, especially given the number of industrial companies about to move to IoT. In its annual Trends Watch report, National Instruments quoted numbers from Accenture that predict that 95% of industrial companies will be using IoT in some form within the next three years.

    First optimize the IoT system and secure the data

    However, the old adage “garbage in, garbage out” applies, and for designers of IoT systems, that garbage can mean inaccurate data, unsecured data, or no data at all, due to a poor connection or battery failure.

    According to Beningo, there are a lot more “connected” designs underway, and while security is often overlooked entirely, other parameters, such as architectural and power optimization and on-device data management can also be optimized better.

    Reply
  24. Tomi Engdahl says:

    Getting started with “IoT Security” – Mapping the attack surface
    https://www.peerlyst.com/posts/getting-started-with-iot-security-mapping-the-attack-surface-aditya-gupta?utm_source=linkedin&utm_medium=social&utm_content=peerlyst_post&utm_campaign=peerlyst_resource

    To assess the security of IoT devices, we must first understand the various components involved in it, and then identify what kind of security issues could affect each component and then look into each of them. That is exactly the approach we will be taking in this series of “Offensive IoT Exploitation”.

    The Internet of Things device #infrastructure could be divided into three major categories:

    embedded devices‍
    software application‍
    Radio communications‍

    Reply
  25. Tomi Engdahl says:

    It’s just gotten a lot easier to reprint keys from photographs
    https://techcrunch.com/2017/10/16/its-just-gotten-a-lot-easier-to-reprint-keys-from-photographs/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    It’s just gotten a lot easier to reprint keys from photographs
    Posted 16 hours ago by John Biggs (@johnbiggs)

    If you’re in the business of opening locked doors for business or pleasure, it just got a little easier. Using a parametric file for SCAD, you can easily recreate a Kwikset key with a few keystrokes.

    Kwikset is particularly vulnerable because it has only five pins and five positions – 1 being not cut at all and 5 being cut very deeply. This means you can look at an image of a Kwikset key and estimate how deep or shallow a key cut is

    Reply
  26. Tomi Engdahl says:

    China to build giant facial recognition database to identify any citizen within seconds
    http://m.scmp.com/news/china/society/article/2115094/china-build-giant-facial-recognition-database-identify-any?utm_source=Direct

    Project aims to achieve an accuracy rate of 90 per cent but faces formidable technological hurdles and concerns about security

    China is building the world’s most powerful facial recognition system with the power to identify any one of its 1.3 billion citizens within three seconds.

    Reply
  27. Tomi Engdahl says:

    The Trump team has failed to address the nation’s mounting cybersecurity threats
    https://techcrunch.com/2017/10/17/the-trump-team-has-failed-to-address-the-nations-mounting-cybersecurity-threats/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    The Trump administration is already developing a pattern of being long on oratory but short on tangible action, and, sad to say, the President’s cybersecurity Executive Order is following the script.

    No matter, it seems, that massive and increasing cyberattacks domestically and internationally are shredding confidence in the ability of major institutions to protect sensitive, typically consumer-centric data.

    The latest addition to the list of gargantuan cyber casualties is Equifax
    145 million Americans

    Yahoo four years ago actually impacted not 1 billion Yahoo accounts but 3 billion

    Government civilian and military agencies had a 90-day deadline to review and assess their cybersecurity status and propose improvements.

    Eight deadlines related to this have come and gone, and more are approaching. Why the sluggish performance?

    Senator John McCain put it succinctly. “Unfortunately, leadership from the executive branch on cybersecurity has been weak,” he recently said.

    The Trump cybersecurity Executive Order was built largely on existing policies and initiatives, but it nonetheless was the first formal cybersecurity policy — or at least the skeleton of a policy — issued by a U.S. president.

    Reply
  28. Tomi Engdahl says:

    Disable flash – used for attacks
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/adobe-flash-player-how-to-delete-disable-plugin-blackoasis-kaspersky-labs-a8004596.html

    The software is being killed off in 2020, but for many that date can’t come soon enough

    A “critical” security issue in Adobe Flash Player is putting computer users at risk.

    The vulnerability is being exploited by a group called BlackOasis, which is using Microsoft Office “lure documents” to attack people all over the world, including in the UK.

    Reply
  29. Tomi Engdahl says:

    The World Once Laughed at North Korean Cyberpower. No More.
    https://mobile.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news&_r=0&referer=https%3A%2F%2Fwww.is.fi%2Fulkomaat%2Fart-2000005410383.html

    When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”

    Even so, Kim Jong-un’s minions still got away with $81 million in that heist.

    Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.

    Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving

    Reply
  30. Tomi Engdahl says:

    Tinker, Torrentor, Streamer, Spy: VPN privacy alert
    https://blog.csiro.au/tinker-torrentor-streamer-spy-vpn-privacy-alert/

    Have you ever been spied on? Or worse, maybe you have and don’t even know it.

    Whether it’s the Peeping Tom lurking in the bushes or Big Brother monitoring our every move, the thought of being followed makes us uncomfortable (and a tad paranoid).

    Privacy is important to us – both our physical and virtual privacy that is.

    may have heard of this thing called a VPN – Virtual Private Network?

    But now that mobile phones are essentially mobile computers, millions of users worldwide are turning to mobile VPN apps to hide their browsing activity, access region-restricted content and ensure their data is secure when using public Wi-Fi networks.

    We recently published a report with the University of New South Wales and the University of Berkeley has revealed that these apps are not as secure as they make out to be.

    Alarmingly, the report uncovered that not only did 18 per cent of the apps fail to encrypt users’ traffic but 38 per cent injected malware or malvertising – software designed to damage or gain access to the users’ information. The very reason users install these apps – to protect their data – is the very function they are not performing and these apps have been installed by tens of millions of users.

    And what’s more, the report found that over 80 per cent of apps requested to access sensitive data such as user accounts and text messages.

    Reply
  31. Tomi Engdahl says:

    Forget KRACK Attack, 5 Year Old Encryption Bug Returns For Google And Microsoft
    https://fossbytes.com/roca-encryption-bug-infineon-chips/

    While we were still finding it difficult to forget the Krack attack, a five-year-old bug has resurfaced in a new form to haunt Google and Microsoft. Known as ROCA (Return of Coppersmith’s Attack), the encryption key-related exploit is named after the Coppersmith’s attack.

    The range of affected devices – released as early as – includes a large number of Chromebooks, and Windows laptops manufactured by Fujitsu, HP, and Lenovo which feature the hardware chips created by Infineon.

    “The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable,”

    Researchers calculated the cost of performing the attack via Amazon cloud servers. It would require around $76 to crack a 1024-bit key while more funds would be needed for a 2048-bit key.

    Jake Williams, an ex-NSA staffer and the owner of the cybersecurity company RenditionSec, calls ROCA issue more severe than KRACK, Forbes reports. Williams suggests two ROCA attack scenarios; one involves the attacker compromising the digital signature certificate used to validate a software’s source. An attack can use the published public key to reverse engineer the private key to sign the software and impersonate the victim.

    Second, the attacker can run malicious code by fooling the Trusted Platform Module (TPM) chip which stores the RSA encryption keys.

    The TPM is used to ensure the code used to boot the kernel is valid.

    The vulnerability was first spotted in January this year, and Infineon was notified in February. The researcher had an agreement to wait for 8 months before making it public. Software updates and mitigation guidelines have been released by Microsoft, Google, HP Lenovo, Fujitsu. Researchers have provided detection tools to check whether the keys are vulnerable.

    Reply
  32. Tomi Engdahl says:

    FBI ASKS BUSINESSES TO SHARE DETAILS ABOUT DDOS ATTACKS
    https://threatpost.com/fbi-asks-businesses-to-share-details-about-ddos-attacks/128523/

    The FBI has made an appeal to organizations victimized by DDoS attacks to share details and characteristics of those incidents, echoing a similar plea made last year in the throes of a relentless wave of ransomware attacks.

    The bureau said victims should contact local field offices regardless of the scale of attack or financial impact to the organization. The information law enforcement is seeking includes the traffic protocol used in the attack as well as any extortion or ransom demands made by attackers.

    Reply
  33. Tomi Engdahl says:

    Megha Rajagopalan / BuzzFeed:
    Interviews reveal how Chinese authorities surveil citizens of its Xinjiang region using AI, iris scanning, and more developed by private firms

    This Is What A 21st-Century Police State Really Looks Like
    https://www.buzzfeed.com/meghara/the-police-state-of-the-future-is-already-here?utm_term=.tnKqWV9zxw#.ma7o9nm0V1

    Far from the booming metropolis of Beijing, China is building a sprawling system that combines dystopian technology and human policing. “It’s a kind of frontline laboratory for surveillance.”

    Taken along with government and corporate records, their accounts paint a picture of a regime that at once recalls the paranoia of the Mao era and is also thoroughly modern, marrying heavy-handed human policing of any behavior outside the norm with high-tech tools like iris recognition and apps that eavesdrop on cell phones.

    China’s government says the security measures are necessary in Xinjiang because of the threat of extremist violence by Uighur militants — the region has seen periodic bouts of unrest, from riots in 2009 that left almost 200 dead

    Public security and propaganda authorities in Xinjiang did not respond to requests for comment. China’s Foreign Ministry said it had no knowledge of surveillance measures put in place by the local government.

    “I want to stress that people in Xinjiang enjoy a happy and peaceful working and living situation,” said Lu Kang, a spokesperson for China’s Foreign Ministry, when asked why the surveillance measures are needed. “We have never heard about these measures taken by local authorities.”

    China’s government has invested billions of renminbi into top-of-the-line surveillance technology for Xinjiang, from facial recognition cameras at petrol stations to surveillance drones that patrol the border.

    China is not alone in this — governments from the United States to Britain have poured funds into security technology and know-how to combat threats from terrorists. But in China, where Communist Party–controlled courts convict 99.9% of the accused and arbitrary detention is a common practice, digital and physical spying on Xinjiang’s populace has resulted in disastrous consequences for Uighurs and other ethnic minorities. Many have been jailed after they advocated for more rights or extolled Uighur culture and history, including the prominent scholar Ilham Tohti.

    China has gradually increased restrictions in Xinjiang for the past decade in response to unrest and violent attacks,

    In an August speech, Meng Jianzhu, China’s top domestic security official, called for the use of a DNA database and “big data” in keeping Xinjiang secure.

    It’s a corner of the country that has become a window into the possible dystopian future of surveillance technology, wielded by states like China that have both the capital and the political will to monitor — and repress — minority groups. The situation in Xinjiang could be a harbinger for draconian surveillance measures rolled out in the rest of the country, analysts say.

    “It’s an open prison,” said Omer Kanat, director of the Washington-based Uyghur Human Rights Project, an advocacy group that conducts research on life for Uighurs in Xinjiang. “The Cultural Revolution has returned [to the region], and the government doesn’t try to hide anything. It’s all in the open.”

    Security has become a big business opportunity for hundreds of companies, mostly Chinese, seeking to profit from the demand for surveillance equipment in Xinjiang.

    Researchers have found that China is pouring money into its budget for surveillance. Zenz, who has closely watched Xinjiang’s government spending on security personnel and systems, said its investment in information technology transfer, computer services, and software will quintuple this year from 2013. The growth in the security industry there reflects the state-backed surveillance boom, he said.

    He noted that a budget line item for creating a “shared information platform” appeared for the first time this year. The government has also hired tens of thousands more security personnel.

    Armed police, paramilitary forces, and volunteer brigades stand on every street in Kashgar, stopping pedestrians at random to check their identifications, and sometimes their cell phones, for banned apps like WhatsApp as well as VPNs and messages with religious or political content.

    Other equipment, like high-resolution cameras and facial recognition technology, is ubiquitous. In some parts of the region, Uighurs have been made to download an app to their phones that monitors their messages.

    The internet is painfully slow in the region. Maya Wang, a China researcher for Human Rights Watch, has also documented the use of a DNA database targeting Uighurs as well as political dissidents and migrants, along with the use of voice pattern recognition.

    The government relies on contracting with companies like Beijing Wanlihong Technology Company, which produces an iris-recognition system that it says is more accurate than facial and fingerprint scanning techniques. Wanlihong is involved in a pilot project in Kashgar that includes providing equipment and training.

    “The goal of the system is to build a powerful and extensive identity verification system to identify key suspects and initiate an emergency response mechanism in a timely way,” the company says on its website.

    The data could be collected and used to monitor the physical movements of suspicious people on roads, it adds, or combined with their SMS and browsing data obtained from cellular carriers.

    Urumqi-based Leon Technology — a company that integrates artificial intelligence into its security services and then provides those services to telecommunications companies and government agencies in Xinjiang and elsewhere in China — saw its earnings grow by 260% in the first quarter of 2017.

    “The Xinjiang government is bound to spend large sums of money to safeguard people’s property and the safety of their lives, protecting the region’s peace, development and stability,” it said in an article posted on its website.

    “Marketers in Shanghai are calling it the golden era of investment in security in Xinjiang,”

    “In some ways it’s like a high-tech version of the Cultural Revolution, like the social intrusion aspect and the regulations on religious behavior,”

    “This is entirely top-down control,”

    State-owned companies are using Xinjiang as a testing ground for big data, Zenz said, and Xinjiang has historically been used to test out surveillance technology that is later rolled out in other parts of the country. Many companies have set up R&D labs in the region for this purpose with government backing.

    “It’s a kind of frontline laboratory for surveillance,” Zenz said. “Because it’s a bit outside of the public eye, there can be more experimentation there.”

    At a beer festival in the seaside city of Qingdao in August, 49 people found themselves arrested when cameras matched their faces with a national police database that showed they were suspected of crimes like theft and drug use.

    But beyond digital surveillance, many said the government has simply flooded the region with personnel dedicated to tracking residents’ every move.

    The police would dispense warnings to anyone whose phone carried banned apps like WhatsApp and Facebook. Sometimes, he said, police would come to some people’s homes and businesses to check their computers for banned software and content.

    “If they find anything in there, it’ll be trouble for you,” he said. “It was a new kind of police — the internet police.”

    Reply
  34. Tomi Engdahl says:

    Reshaping the Personal Data Economy
    http://eureka.eu.com/reshaping-personal-data-economy/

    A new era for personal data
    On May 25, 2018 new European legislation will change the way companies handle personal data. The General Data Protection Regulation aims to harmonise data protection legislation across the continent and safeguard consumers from the damage of corporate data breaches.

    “When it comes to data breaches, GDPR will raise the stakes for organisations,”

    Under GDPR, the consequences for inappropriately handling customer data will be much steeper than ever before. Companies that are found to have misused data can expect fines of up to €20 million or 4% of global annual turnover (whichever is greater).

    Reply
  35. Tomi Engdahl says:

    Security
    Your data will get hacked anyway so you might as well give up protecting it
    Spend the money on freezing your brain
    https://www.theregister.co.uk/2017/10/20/your_data_will_get_hacked_anyway_so_you_may_as_well_give_up_protecting_it/

    My advice: give up now. Give up before it kills you and you’re forced to have your own head squeezed in between the Birds Eye peas and chicken nuggets.

    As a problem-solving management technique, “giving up” has a long and respectable pedigree. I observe that it remains very much in fashion at the moment. PwC Global State of Information Survey figures indicate that British companies have been cutting their expenditure on IT security by a third over the last year.

    Why would a company cut costs on security at a time when security breaches are at an all-time high? Well, it’s obvious, isn’t it: the millions they’ve been pouring into protecting data has been proven to be an utter waste. Hackers break in regardless.

    One moment you’re signing off on a contract to surround your organisation’s data with a ring of steel, the next moment one of the contractor’s employees has wandered off with all your data on a CD crudely hand-labelled Madonna’s Greatest Hits. You may as well allow the security breaches to continue unchecked rather than fooling yourself that flushing cash down the toilet of IT security offered you some sort of protection.

    Oh, and once you suffer massive irretrievable data loss, do what the professionals do: blame someone else.

    Alternatively, take some advice from Gojko Adzic, author of Humans vs. Computers, who proposes five cost-free ways to avoid IT mishaps in the first place. Allow me to save you time looking these up by summarising them as follows:

    Don’t do any work on the last day of February in a leap year.
    Don’t trust anything with a repeating reference number such as 1-1-1-1-1 or 222222.
    Don’t trust anything with a date stamp of 1 January 1970.
    Always total percentages to see if they come to 100, thereby exposing rounding errors.
    Print everything out.

    There: all your IT problems sorted. None of this solves your security problems but hey, no data is safe, so why worry? Indeed, most hackers don’t really care what data they hack and are content simply to amass useless detail about human activity so they can blackmail you or sell you stuff you don’t want.

    Reply
  36. Tomi Engdahl says:

    Hack apps, attack code drawbacks for cash stacks, Google yaks
    An attempt was made
    https://www.theregister.co.uk/2017/10/20/google_play_bug_bounty/

    Google is offering cash to those who can find, exploit and report bugs in its Android apps, or similarly hack other programs in its Play Store.

    The goal is to get a large number of people and developers working together on improving security in the Android world. The advertising giant is very familiar with bug bounties, and has paid out big bucks to the research community over the past couple of years for discovering and detailing flaws in Chrome, the Android operating system, and its websites.

    On Thursday this week, Google announced it was extending this to third-party apps in its official Android software store, and its own app offerings, with a new bounty program run by HackerOne called the Play Security Reward Program.

    Google Play Security Reward Program Rules
    https://www.google.com/about/appsecurity/play-rewards/index.html

    Reply
  37. Tomi Engdahl says:

    Windows 10 Fall Creators Update tackles IT’s true menace: Cheating gamers
    Also some security stuff, too
    https://www.theregister.co.uk/2017/10/20/windows_10_creators_update_tackles_its_true_menace_cheating_gamers/

    Microsoft’s latest major Windows 10 release prides itself on keeping out those who want to meddle with your code, be they malicious hackers or lazy gamers looking for an easy leg up.

    The new protections will be targeted both at Enterprise customers and Home and small business users.

    The Redmond software titan has outlined a handful of key security features in its Windows 10 Fall Creators Update release, including strengthening Bitlocker PINs to six digits, the introduction of Windows Device Guard, Application Guard, and Exploit Guard as well as expansions for Advanced Threat Protection, Information Protection (integrating with Office and Azure), and new features for Windows Hello, the multi-factor authentication software for enterprise users.

    In many cases, the new Windows takes various security features and rebrands them under a single new label, such as with the Windows Windows Defender. Microsoft is also releasing a new set of Security Baselines, or recommended security configurations, for both Windows 10 machines and Windows Server boxes.

    Reply
  38. Tomi Engdahl says:

    A New IoT Botnet Storm is Coming
    https://blog.checkpoint.com/2017/10/19/new-iot-botnet-storm-coming/

    A massive Botnet is forming to create a cyber-storm that could take down the internet.
    An estimated million organizations have already been infected.
    The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.

    New cyber-storm clouds are gathering. Check Point Researchers have discovered of a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.

    While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.

    Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.

    With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others. It soon became apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves.

    So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing.

    Reply
  39. Tomi Engdahl says:

    Unpatched Microsoft Word DDE Exploit Being Used In Widespread Malware Attacks
    https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html?m=1

    A newly discovered unpatched attacking method that exploits a built-in feature of Microsoft Office is currently being used in various widespread malware attack campaigns.

    The DDE exploitation technique displays no “security” warnings to victims, except asking them if they want to execute the application specified in the command—although this popup alert could also be eliminated “with proper syntax modification.”

    Reply
  40. Tomi Engdahl says:

    You’re doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early
    https://www.theregister.co.uk/2017/10/19/microsoft_google_security_chrome/

    Redmond wags its finger

    A few weeks ago, Google paid Microsoft $7,500 after Redmond’s security gurus found, exploited and reported a vulnerability in the Chrome browser – a flaw that would allow malicious webpages to run malware on PCs.

    Now Microsoft isn’t entirely happy with the way Google handled it, and having been schooled a few times on security by the web giant, the Windows goliath has taken the opportunity to turn the tables and do a little finger wagging of its own.

    Google fixed the issue within days of being alerted to the bug by Microsoft, and paid a bug bounty to the researchers, along with another $8,337 for other uncovered blunders.

    But while the problem was easy enough to fix, it was what happened next that had the Microsofties raising their eyebrows.

    The team sent its bug report to Chrome engineers on September 14 and it was acknowledged and fixed within a week. The fix was pushed out to the public Chrome GitHub source code repository days before new builds featuring the security patch were released to the world. This approach, this delay between security fixes appearing in the GitHub repo and updated binaries going out to the public, Redmond felt, poses a real danger.

    Reply
  41. Tomi Engdahl says:

    Google says 64% of Chrome traffic on Android now protected with HTTPS, 75% on Mac, 66% on Windows
    https://techcrunch.com/2017/10/20/https-is-booming-says-google/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    MenuTechCrunch
    Google says 64% of Chrome traffic on Android now protected with HTTPS, 75% on Mac, 66% on Windows
    Posted 12 hours ago by Sarah Perez (@sarahintampa)

    Google’s push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent.

    Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago.

    Reply
  42. Tomi Engdahl says:

    7 tips for Linux cluster admins to help keep auditors happy
    https://opensource.com/article/17/9/7-ways-linux-cluster-admin?sc_cid=7016000000127ECAAY

    Try these strategies to satisfy auditors’ requirements without wasting your time or testing your patience.

    The beauty of building extra-large Linux clusters is it’s easy. Hadoop, OpenStack, hypervisor, and high-performance computing (HPC) installers enable you to build on commodity hardware and deal with node failure reasonably simply. Learning and managing Linux administration on a small scale involves basic day-to-day tasks; however, when planning and scaling production to several thousand node clusters, it can take over your life, including your weekends and holidays.

    Reply
  43. Tomi Engdahl says:

    Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says
    https://m.slashdot.org/story/332591

    On the sidelines of announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds said fuzzing, which involves stress testing a system by generating random code to induce errors, is helping the community find and fix a range of security vulnerabilities.

    Reply
  44. Tomi Engdahl says:

    Lauren Kirchner / ProPublica:
    Federal judge unseals source code for disputed DNA analysis software developed by New York City’s crime lab after motion by ProPublica

    Federal Judge Unseals New York Crime Lab’s Software for Analyzing DNA Evidence
    https://www.propublica.org/article/federal-judge-unseals-new-york-crime-labs-software-for-analyzing-dna-evidence

    We asked the judge to make the source code public after scientists and defense attorneys raised concerns that flaws in its design may have resulted in innocent people going to prison.

    “Everybody who has been the subject of an FST report now gets to find out to what extent that was inaccurate,” said Christopher Flood, a defense lawyer who has sought access to the code for several years. “And I mean everybody — whether they pleaded guilty before trial, or whether it was presented to a jury, or whether their case was dismissed. Everybody has a right to know, and the public has a right to know.”

    Caproni’s ruling comes amid increased complaints by scientists and lawyers that flaws in the now-discontinued software program may have sent innocent people to prison. Similar legal fights for access to proprietary DNA analysis software are ongoing elsewhere in the U.S.

    Reply
  45. Tomi Engdahl says:

    Peter Loftus / Wall Street Journal:
    Some doctors are wary of applying security update to St. Jude pacemakers, which are now owned by Abbott Labs, due to malfunction risk, thus hampering adoption

    Hacking Is a Risk for Pacemakers. So Is the Fix
    https://www.wsj.com/articles/hacking-is-a-risk-for-pacemakers-so-is-the-fix-1508491802

    Some doctors are wary of software patch that prevents unauthorized access to Internet-connected devices, worried about risk of malfunction

    A new software patch to fix a cybersecurity weakness in hundreds of thousands of implanted heart devices has raised a dilemma among doctors and patients: Is the fix worth the risk?

    The software update that Abbott Laboratories ABT 0.57% released in late August is supposed to reduce the risk that someone with malicious intent could gain unauthorized remote access to a patient’s pacemaker. Abbott issued the update after outside security researchers identified vulnerabilities in the devices.

    But Abbott has said the update itself—administered in a doctor’s office or hospital—carries a slight risk of causing a malfunction in the pacemakers, which are implanted in patients’ chests to correct abnormal heart rhythms.

    The dilemma underscores the limits of technology as medical devices increasingly are connected to the internet. The connections help doctors remotely catch problems that might otherwise go undetected—such as irregular heart rhythm or dwindling battery life—but they theoretically can expose devices to hackers. And yet, when companies offer fixes, the decision to adopt them isn’t easy.

    There are no known reports of patients being harmed by hacking of the pacemakers, according to the U.S. Food and Drug Administration. A hacker would have to be within close proximity to a person to gain unauthorized access

    Since Abbott released the software update, the FDA has received at least 12 reports claiming malfunctions of pacemakers during the updates

    None of the reports cited any serious harm to patients.

    Abbott spokeswoman Candace Steele Flippin said ​​the company​ wasn’t aware of any reports of patient harm from the updates. The company designed the update so that pacemakers would temporarily operate in backup- pacing mode, with life-sustaining features remaining available, and revert to pre-update settings once it is complete.

    Suzanne B. Schwartz, associate director for science and strategic partnerships at the FDA, said in an interview the cybersecurity vulnerabilities in the Abbott devices posed an “unacceptable” risk, and the agency felt strongly that the company make a fix available. She said the FDA isn’t in a position to mandate that patients get the updates, but she cautioned against doctors assuming that the risk of hacking is so low that the update isn’t worth it.

    The Abbott pacemakers in questions are implanted in about 465,000 people in the U.S.

    Some doctors and institutions, such as the cardiology department at NewYork-Presbyterian/Weill Cornell Medical Center, aren’t recommending the Abbott software update. “It’s not really a risk we’re willing to take at this point,” said Bruce Lerman, chief of cardiology at the hospital. “We don’t feel the benefit at this point necessarily outweighs the potential risk of uploading this software.”

    There were no known reports of these devices being hacked, according to an arm of the Department of Homeland Security that monitors cyberthreats.

    In 2007, doctors disabled the wireless features of then-Vice President Dick Cheney’s implanted heart device to guard against an attack by a hacker, according to “Heart,” a book Mr. Cheney co-wrote with his doctor.

    Abbott declined to say how many patients have received the cybersecurity update.

    The update, designed to ward off hacking, ​was for a type of software known as firmware.

    The FDA said in August that vulnerabilities in the pacemakers could allow an unauthorized user to modify program commands, which could hurt patients by causing rapid battery depletion or inappropriate pacing.

    The Abbott software update takes a few minutes. It involves a doctor or technician placing a tethered wand over the site of the pacemaker.

    “If there’s a patient dependent on the device and it loses functionality because of a firmware update, you now take this patient who was doing just fine, who had a one-in-a-billion chance of having their device hacked, now you’ve done some harm to them,” Dr. Zweibel said.

    Some doctors who don’t think the software update is necessary say they’re avoiding bringing it up with patients.

    Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication
    https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

    Reply
  46. Tomi Engdahl says:

    ‘KnockKnock’: New Attack on Office 365 Discovered
    https://www.tripwire.com/state-of-security/featured/knockknock-new-attack-on-office-365-discovered/

    Microsoft’s Office 365 suite of cloud applications is now the most popular cloud service in the world by user count. While this has fast-tracked Microsoft’s path to becoming a cloud-first enterprise software company, it has also put a bulls-eye on Office 365, making it a target of choice for hackers. Given the fact that enterprises store a significant volume of business-critical data in Office 365, the stakes for keeping data safe are high.

    Dubbed as ‘KnockKnock,’ the botnet attack was designed to predominantly target Office 365 system accounts.

    Once the botnet successfully gains access to the targeted account, data is exfiltrated from the inbox while a new inbox rule is created that hides and diverts incoming messages. The attack will then initiate an enterprise-wide phishing attack and spread the infection throughout the organization.

    KnockKnock has been active since May 2017 and is currently still active. To go undetected, the hacking activity occurs in short stints, averaging 3-5 attempts of guessing the password of the system account before moving on to a different account within an organization.

    If an organization isn’t aware of how their cloud infrastructure works, a hacker’s entry into a single system account can have a dire domino effect.

    an entry into the Exchange Online system account could also give the hacker access to the entire CRM and marketing automation systems of the organization

    Reply
  47. Tomi Engdahl says:

    ‘KnockKnock’: New Attack on Office 365 Discovered
    https://www.tripwire.com/state-of-security/featured/knockknock-new-attack-on-office-365-discovered/

    Microsoft’s Office 365 suite of cloud applications is now the most popular cloud service in the world by user count. While this has fast-tracked Microsoft’s path to becoming a cloud-first enterprise software company, it has also put a bulls-eye on Office 365, making it a target of choice for hackers. Given the fact that enterprises store a significant volume of business-critical data in Office 365, the stakes for keeping data safe are high.

    Dubbed as ‘KnockKnock,’ the botnet attack was designed to predominantly target Office 365 system accounts.

    Reply
  48. Tomi Engdahl says:

    Kim Zetter / The Intercept:
    How Russian hackers could have used Kaspersky’s “silent signatures” method for detecting and analyzing malware to steal NSA docs without Kaspersky’s knowledge — Kaspersky Lab has come under intense scrutiny after its antivirus software was linked to the breach …

    How Russian Firm Might Have Siphoned Tools From the NSA
    https://theintercept.com/2017/10/20/kaspersky-software-russia-nsa/

    Kaspersky Lab has come under intense scrutiny after its antivirus software was linked to the breach of an NSA employee’s home computer in 2015 by Russian government hackers; U.S. government sources, quoted in news reports, suggested the Moscow-based company colluded with the hackers to steal classified documents or tools from the worker’s machine, or at least turned a blind eye to this activity. The Department of Homeland Security banned Kaspersky products from civilian government systems, and Best Buy has removed the software from computers it sells based on concerns that the software can be used to spy on customers.

    But a closer look at the allegations and technical details of how Kaspersky’s products operate raises questions about the accuracy of the narrative being woven in news reports and suggests that U.S. officials could be technically correct in their statements about what occurred, while also being incorrect about collusion on the part of Kaspersky.

    Initial reports suggested the Russian hackers siphoned the files by hijacking Kaspersky software installed on the NSA employee’s machine — without the antivirus firm’s knowledge.

    “There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this,” an anonymous former U.S. official told the Journal.

    Kaspersky denied any collusion and said last week it “was not involved in and does not possess any knowledge of the situation in question.”

    The stories don’t say how the Israelis knew the searches were conducted by Russian government hackers and not Kaspersky employees. Some have speculated that the Russians provided the search terms to Kaspersky or to a mole or liaison inside the company who initiated the searches for Russia’s Federal Security Service, or FSB, or that Russian hackers hijacked the software to search customer computers on their own. The NSA and Britain’s GCHQ spy agency have themselves studied Kaspersky software extensively since at least 2008 with an eye toward subverting it for their own ends to track users and infiltrate networks.

    But there is another possible explanation that would make both U.S. officials and Kaspersky accurate in their claims and potentially absolve Kaspersky of collusion. It involves a technique commonly used by the antivirus community called “silent signatures.”

    In this scenario, it’s possible Kaspersky learned the NSA code names on its own and created silent signatures — essentially commands — to search for files or documents on customer computers that it believed contained malicious code.

    This could happen if Kaspersky’s software detected what it thought was known NSA malware on a customer’s computer, but that turned out to be a document or file containing something different and new, yet still related to previously uncovered malware.

    This scenario could explain why Israel saw someone using the software to search computers and also explain how Russian hackers got hold of files the software collected from machines.

    Signatures are essentially search terms that antivirus companies program into their scanners to search for known or suspected malicious files on customer machines. There are two types of signatures: overt and silent. An overt signature can be the name of a malicious file or its associated hash — a sort of mathematically-derived representation of the contents of a file — or it can be keywords and snippets of code found in the malware. When antivirus software like Kaspersky’s finds a file that matches a signature or search parameters, it quarantines or deletes the file and alerts the customer, or at least records the finding in a log the customer can view.

    Silent signatures serve the same function but without an alert to customers. And instead of simply zapping or quarantining the file, they send the file back to the antivirus company for analysis. Companies like Kaspersky use silent signatures to collect files when they want to see if their overt signatures are producing false positives, when they want to collect additional samples of known malware to see if attackers have altered their techniques in new versions of their code, or when they’ve found a component of what appears to be a new attack or suite of attack tools and want to find other malicious files that are related to it.

    “Silent detection is a widely-adopted cybersecurity industry practice used to verify malware detections and minimize false positives,” Kaspersky noted in a statement it released last week.

    Kaspersky isn’t alone in using silent signatures; publicly traded American software company Symantec uses them, as do a few others.

    “Kaspersky is just the most aggressive,”

    Kaspersky software began using silent signatures in this way in 2008

    Silent signatures can lead to the discovery of new attack operations and have been used by Kaspersky to great success to hunt state-sponsored threats, sometimes referred to as advanced persistent threats, or APTs. If a Kaspersky analyst suspects a file is just one component in a suite of attack tools created by a hacking group, they will create silent signatures to see if they can find other components related to it. It’s believed to be the method Kaspersky used to discover the Equation Group — a complex and sophisticated NSA spy kit that Kaspersky first discovered on a machine in the Middle East in 2014.

    Kaspersky has become a hot target of various spy agencies due to its success in discovering and exposing sophisticated attack tools belonging to the NSA, the Israeli signals intelligence agency Unit 8200 (Israel’s counterpart to the NSA), and Britain’s GCHQ.

    This same silent signature functionality is almost certainly how they were collecting the NSA tools that the press is talking about right now.”

    According to the Washington Post, the NSA worker whose files were stolen was helping to develop new hacking tools for the NSA to replace others that had been compromised after agency contractor Edward Snowden leaked NSA documents to journalists. Many in the information security community believe that the NSA worker, who was targeted in 2015, may have been developing new tools to replace the Equation Group tools, which were partially exposed in 2013 in an NSA hacking catalogue published by Der Spiegel.

    The NSA has long been aware of the potential risk Kaspersky’s cloud capability and silent signatures pose to its own operations.

    One, dated February 2012, instructs NSA hackers that “no new implants [should be installed] on Kaspersky 2010+ [machines]. This is because Kaspersky 2010+ products have been updated to include the cloud functionality.”

    “The reason the government doesn’t want Kaspersky on [U.S.] government machines is because they can and will suck up files they find interesting. They will say it’s to protect people and only will analyze threats, but that’s a moral limitation, not a technical one,” said the former intelligence analyst, indicating the only thing preventing Kaspersky — or any other antivirus firm — from collecting other files is professional ethics.

    The question now is whether Russian intelligence hijacked the Kaspersky software to send silent signatures to the NSA worker’s computer or supplied the code names and instructed Kaspersky to write the silent signatures, or whether Kaspersky discovered the code names on its own in the course of its normal activity.

    “If you’re Kaspersky, that’s what your job is — to find APTs,”

    there are good reasons to collect documents that match a silent signature.

    “[D]ocuments can contain malware — when you have things like macros and zero-days inside documents, that is relevant to a cybersecurity firm,”

    If Kaspersky was searching for “top secret” documents that contained no malicious code, then Tait said the company’s actions become indefensible.

    Kaspersky said in a statement to The Intercept that it “has never created any detection in its products based on keywords like ‘top secret’, or ‘classified.’”

    The company also wrote that “it is quite normal that malware samples contain codenames and unusual keywords, which have been added there by accident or by their authors as a means to identify it. … It is a normal practice for antivirus researchers to create detection records based on unique keywords.”

    Fourth-party collection is a spy term that describes when one intelligence agency steals data from another intelligence agency or hacking group that has already stolen it from a victim, allowing them to benefit from the other party’s efforts. The practice is described in an NSA document leaked by Snowden, titled “I Drink Your Milkshake.”

    There are two types of fourth-party collection: active and passive. Passive collection involves stealing stolen data after it leaves the victim’s computer and as it traverses undersea cables and routers on its way to the hackers’ infrastructure. This kind of interception requires access to internet infrastructure and also requires the ability to decrypt the stolen traffic if the thieves have encrypted it.

    Active collection, by contrast, involves hacking the infrastructure — command-and-control servers or staging servers and collection nodes — of the other hackers, where data they have stolen from victims may be stored unencrypted or with the decryption keys.

    Reply
  49. Tomi Engdahl says:

    Attacking a co-hosted VM: A hacker, a hammer and two memory modules
    https://thisissecurity.stormshield.com/2017/10/19/attacking-co-hosted-vm-hacker-hammer-two-memory-modules/

    Row-hammer is hardware bug that can cause bit-flips in physical RAM. Mark Seaborn and Thomas Dullien were the first to exploit the DRAM row-hammer bug to gain kernel privileges. Kaveh Razavi et al. pushed the exploitation of row-hammer bugs to the next level. They abused an OS feature – memory de-duplication – to surgically flip bits in a controlled way. They succeeded in flipping bits in memory loaded sensitive files (e.g. authorized_keys) assuming they know their contents. By weakening RSA moduli in authorized_keys file, they were able to generate corresponding private keys and authenticate on a co-hosted victim VM.

    we aim to showcase a different attack scenario. Instead of corrupting memory loaded files, we chose to corrupt the state of a running program. The libpam is an attractive target since it provides authentication mechanisms on widely deployed *nix systems.

    Reply
  50. Tomi Engdahl says:

    That laptop ban may soon get a whole lot worse for plane passengers
    FAA suggests a worldwide ban on laptops in checked bags
    https://www.digitaltrends.com/computing/airline-laptop-ban-extension/

    Laptop Flipflop: Now U.S. Tries To Ban Laptops In Checked, Not Carry-On, Luggage
    https://www.forbes.com/sites/martinrivers/2017/10/21/laptop-flipflop-now-u-s-tries-to-ban-laptops-in-checked-not-carry-on-luggage/2/#1b63c2c5245f

    Seven months after America banned laptops from the passenger cabins of flights from the Arab World – forcing travelers to check them into cargo holds – the Federal Aviation Administration (FAA) wants global airlines to ban the very practice its government had previously imposed on them.

    The FAA’s advice is based on new safety tests showing that the rechargeable lithium-ion batteries found in laptops could bring down an aircraft if they overheat when packed next to flammable items in checked luggage.

    ts findings are published in a paper submitted to the International Civil Aviation Organization (ICAO), the UN agency that issues non-binding air safety guidance to the international community. The proposed ban has already won the backing of the European Aviation Safety Agency (EASA) and Airbus, the European aircraft manufacturer, establishing a consensus that ICAO is unlikely to overrule. Even after it weighs in, though, individual governments will retain the final say on ratifying any measures.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*