Year 2017 will not bring any turn towards better data security. The internet is rife with threats, both well-known and unknown, and companies' systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google, and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are too lazy to make the change.
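The Chrome 56 rule above is easy to check for on your own pages before the browser does it for you. The following audit script is an added example, not code from the original post or from Google: it parses an HTML page with the standard library and reports every password field that is either on a page served over plain HTTP or inside a form whose action submits to an http:// URL. The page URL, host names and HTML below are constructed for the example.

```python
# Added example (not from the original post): find password fields that a
# browser such as Chrome 56 would flag: a password <input> on a page served
# over plain HTTP, or a form that submits credentials to an http:// URL.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    """Walk an HTML document and record every password input together with
    the URL the enclosing form submits to (the page URL when there is no form)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current_action = None   # resolved action of the <form> being parsed
        self.findings = []           # list of (field name, submit URL, insecure?)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative or missing action submits back to the page's own URL.
            self.current_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            target = self.current_action or self.page_url
            # Either condition means the credential can travel in clear text.
            insecure = (urlsplit(self.page_url).scheme != "https"
                        or urlsplit(target).scheme != "https")
            self.findings.append((attrs.get("name") or "?", target, insecure))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None


def audit_password_forms(page_url, html):
    """Return [(field name, submit URL, insecure flag), ...] for one page."""
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def insecure_password_fields(page_url, html):
    """Only the findings a browser would mark 'Not secure'."""
    return [f for f in audit_password_forms(page_url, html) if f[2]]


# Constructed sample: an HTTPS page with one legacy form still posting to an
# http:// endpoint and one form posting back to the same HTTPS site.
SAMPLE_URL = "https://shop.example/login"
SAMPLE_HTML = """
<html><body>
<form action="http://legacy.example/session" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/auth" method="post">
  <input type="PASSWORD" name="sso_pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for name, target, insecure in audit_password_forms(SAMPLE_URL, SAMPLE_HTML):
        status = "NOT SECURE" if insecure else "ok"
        print(f"{status:10} field={name!r} submits to {target}")
```

Running the file lists both password fields and flags only the one whose form posts to the http:// URL; point `audit_password_forms` at your own fetched pages to get the same report site-wide.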
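A practitioner facing the SHA-1 cut-off wants to know which of their certificates are affected, which means reading the signature algorithm out of each certificate. The script below is an added example, not code from the original post: it walks just enough DER structure to reach Certificate.signatureAlgorithm (RFC 5280) with the standard library alone, maps the OID to a name and reports whether it is a SHA-1 algorithm. `fake_certificate` builds a constructed DER shell with the right outer shape so the check can be exercised offline; `server_uses_sha1` fetches a real leaf certificate with `ssl.get_server_certificate` when network access is available.

```python
# Added example (not from the original post): report the signature algorithm
# of an X.509 certificate from its DER bytes. The DER walker reads only the
# outer Certificate SEQUENCE, skips tbsCertificate and decodes the OID inside
# signatureAlgorithm; it is not a general ASN.1 parser.
import ssl

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value start, value end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)                # tbsCertificate (skipped)
    _, alg_start, _ = _read_tlv(der, tbs_end)          # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def algorithm_name(der):
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, oid)   # unknown OIDs are reported in dotted form


def uses_sha1(der):
    return "sha1" in algorithm_name(der).lower()


def server_uses_sha1(host, port=443):
    """Check the leaf certificate a live server presents (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return uses_sha1(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed fixture: a minimal DER shell, not a real certificate ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, out)


def fake_certificate(sig_oid):
    """Placeholder tbsCertificate, the given signatureAlgorithm, dummy BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))              # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _oid(sig_oid) + _tlv(0x05, b""))  # SEQUENCE { OID, NULL }
    sig = _tlv(0x03, b"\x00" + b"\x00" * 8)            # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = fake_certificate(oid)
        print(algorithm_name(der), "-> SHA-1, replace" if uses_sha1(der) else "-> ok")
```

Note that this inspects only the outer signatureAlgorithm of the certificate you hand it; to clear a site for the browser deadline, run it over every certificate in the served chain, since an intermediate signed with SHA-1 is flagged just as the leaf is.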
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the use of telecom operator and external services will increase). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of what is a modern day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen a platform for the Ethereum block chain and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own block chains in the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to use the cloud for their block chains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Will World War III be fought in the cyber world?
Cyber-psychologist Dr. Mary Aiken explains the current threats to cybersecurity.
https://www.designnews.com/cyber-security/will-world-war-iii-be-fought-cyber-world/187678036757628?ADTRK=UBM&elq_mid=1481&elq_cid=876648
Tomi Engdahl says:
Security Researchers Hacked a Bluetooth-Enabled Butt Plug
The quest for a secure wireless sex toy continues.
https://motherboard.vice.com/en_us/article/ne788b/hackable-bluetooth-buttplug-hush-lovense
The rectums of the world are clenched in fear after Italian infosec researcher Giovanni Mellini revealed just how easy it is to hack a Bluetooth-enabled butt plug in a blog post on Tuesday.
As detailed by Mellini in his blog post, he was able to hack the butt plug using a Bluetooth Low Energy (BLE) scanner developed by Simone Margaritelli and freely available on Github. Bluetooth is considered to not be the most secure way to send information wirelessly, but its low energy version is even more vulnerable to attacks. Still, it has found wide use in Internet of Things (IoT) devices because it drains less battery to use.
Hack a BT Low Energy (BLE) butt plug
https://scubarda.wordpress.com/2017/10/17/hacking-a-bt-low-energy-ble-butt-plug/
A few weeks ago I bought a Bluetooth Low Energy (BLE) butt plug to test the (in)security of the BLE protocol.
This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design.
Tomi Engdahl says:
Unpatched Microsoft Word DDE Exploit Being Used In Widespread Malware Attacks
Thursday, October 19, 2017 Swati Khandelwal
https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html
Tomi Engdahl says:
FBI couldn’t access nearly 7K devices because of encryption
http://www.nydailynews.com/newswires/news/business/fbi-couldn-access-7k-devices-encryption-article-1.3581176
The FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, FBI Director Christopher Wray said Sunday, turning up the heat on a debate between technology companies and law enforcement officials trying to recover encrypted communications.
In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech at the International Association of Chiefs of Police conference in Philadelphia.
“To put it mildly, this is a huge, huge problem,” Wray said. “It impacts investigations across the board — narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.”
Tomi Engdahl says:
IT TAKES JUST $1,000 TO TRACK SOMEONE’S LOCATION WITH MOBILE ADS
https://www.wired.com/story/track-location-with-mobile-ads-1000-dollars-study/
A team of security-focused researchers from the University of Washington has demonstrated just how deeply even someone with modest resources can exploit mobile advertising networks. An advertising-savvy spy, they’ve shown, can spend just a grand to track a target’s location with disturbing precision, learn details about them like their demographics and what apps they have installed on their phone, or correlate that information to make even more sensitive discoveries
Tomi Engdahl says:
Big data meets Big Brother as China moves to rate its citizens
http://www.wired.co.uk/article/chinese-government-social-credit-score-privacy-invasion
The Chinese government plans to launch its Social Credit System in 2020. The aim? To judge the trustworthiness – or otherwise – of its 1.3 billion residents
a radical idea. What if there was a national trust score that rated the kind of citizen you were?
Imagine a world where many of your daily activities were constantly monitored and evaluated: what you buy at the shops and online; where you are at any given time; who your friends are and how you interact with them; how many hours you spend watching content or playing video games; and what bills and taxes you pay (or not). It’s not hard to picture, because most of that already happens, thanks to all those data-collecting behemoths like Google, Facebook and Instagram or health-tracking apps such as Fitbit. But now imagine a system where all these behaviours are rated as either positive or negative and distilled into a single number, according to rules set by the government. That would create your Citizen Score and it would tell everyone whether or not you were trustworthy. Plus, your rating would be publicly ranked against that of the entire population and used to determine your eligibility for a mortgage or a job, where your children can go to school – or even just your chances of getting a date.
Tomi Engdahl says:
Booz Allen to Acquire AI-based Morphick
http://www.securityweek.com/booz-allen-acquire-ai-based-morphick
Contracting giant Booz Allen is to acquire cybersecurity firm Morphick. Few details have been made public — there is no statement on the price involved nor the future of existing Morphick staff. Nevertheless, this seems to be a good fit for both companies, with Morphick gaining access to more customers, and Booz Allen moving further along its published plan to expand its commercial presence.
“The acquisition bolsters Booz Allen’s growth strategy in its U.S. Commercial business, where the focus is on expanding clients’ access to scalable, on-demand managed threat services. The addition of the Morphick team and technology further solidifies the firm’s ability to solve increasingly advanced cyber challenges,”
Booz Allen is moving straight to ‘next-gen’ threat detection with AI and machine-learning detection capabilities rather than signature-based detection — and calls it ‘an adaptive approach to threat detection’.
Tomi Engdahl says:
Energy Regulator Acts to Improve Power Grid Security
http://www.securityweek.com/energy-regulator-acts-improve-power-grid-security
With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.
In response to such concerns, the Federal Energy Regulatory Commission (FERC) yesterday proposed new cyber security management controls to enhance the reliability and resilience of the nation’s bulk electric system.
“FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System,” it announced.
The new standard will particularly improve on existing standards for access control, “by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.”
FERC Proposes New Security Management Controls for Grid Cyber Systems
https://www.ferc.gov/media/news-releases/2017/2017-4/10-19-17-E-1.asp#.Wei8GVtSwUF
Today’s Notice of Proposed Rulemaking also proposes to direct the North American Electric Reliability Corp. (NERC) to develop modifications to provide clear, objective criteria for electronic access controls for low-impact cyber systems and to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards.
In a separate order, the Commission accepted NERC’s preliminary geomagnetic disturbance (GMD) research work plan and directed that NERC file a final plan within six months.
Tomi Engdahl says:
Nearly 100 Whole Foods Locations Affected by Card Breach
http://www.securityweek.com/nearly-100-whole-foods-locations-affected-card-breach
Amazon-owned Whole Foods Market informed customers last week that a recent hacker attack aimed at its payment systems affected nearly 100 locations across the United States.
Whole Foods has set up a webpage where customers are being provided some details about the breach. The page allows users to check if the store they made purchases in has been hit.
According to the company, cybercriminals may have stolen payment cards used at taprooms and full table-service restaurants in various cities in Alabama, Arizona, Arkansas, California, Colorado, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Maine, Michigan, Minnesota, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Tennessee, Texas, Virginia, Washington and Wisconsin. The largest number of affected locations is in California.
Tomi Engdahl says:
Kaspersky Aims to Clear Its Name With New Transparency Initiative
http://www.securityweek.com/kaspersky-aims-clear-its-name-new-transparency-initiative
Kaspersky Lab announced on Monday the launch of a new Global Transparency Initiative whose goal is to help the company clear its name following recent reports about its inappropriate ties to the Russian government.
There have been several media reports analyzing the company’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of Kaspersky products. It all culminated last month when the Department of Homeland Security (DHS) ordered all government agencies to identify and remove the firm’s security products.
The latest report on Kaspersky’s ties with Russia came from the Wall Street Journal, which claimed that Russian hackers had exploited Kaspersky software to steal NSA exploits. The news article did not provide too many details, but the main possible scenarios were that either Kaspersky colluded with the Russian government or that the hackers exploited vulnerabilities in the company’s products to access the NSA exploits.
http://www.securityweek.com/russian-hackers-exploited-kaspersky-software-steal-nsa-exploits-report
Tomi Engdahl says:
EU ePrivacy Regulation Edges Closer to Fruition
http://www.securityweek.com/eu-eprivacy-regulation-edges-closer-fruition
The proposed European Union ePrivacy Regulation is on the verge of entering Trilogue. Trilogue is the series of informal discussions involving the European Parliament, the Council of Europe (that is, representatives from each member state), and the European Commission. It is Trilogue that defines the final shape of the legislation.
Tomi Engdahl says:
Russian Spies Lure Targets With NATO Cybersecurity Conference
http://www.securityweek.com/russian-spies-lure-targets-nato-cybersecurity-conference
A cyber espionage group linked to Russia has been trying to deliver malware to targeted individuals using documents referencing a NATO cybersecurity conference, Cisco’s Talos research team reported on Monday.
The attack has been linked to the notorious threat actor known as APT28, Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium.
Tomi Engdahl says:
Websites Increasingly Use HTTPS: Google
http://www.securityweek.com/websites-increasingly-use-https-google
Over 60% of Sites Loaded via Chrome Use HTTPS, Says Google
The number of websites that protect traffic using HTTPS has increased considerably in the past months, according to data shared by Google last week.
The tech giant says 64% of websites loaded via Chrome on Android are now protected by HTTPS, up from 42% one year ago. There is also a significant improvement in the case of Mac and Chrome OS – in both cases, 75% of Chrome traffic is protected, up from 60% and 67%, respectively.
Data from Google shows that 67% of Chrome traffic on Windows goes through an HTTPS connection, up from 40% in July 2015 and nearly 50% in July 2016.
Tomi Engdahl says:
Mitre ATT&CK Matrix Used to Evaluate Endpoint Detection and Response Product
http://www.securityweek.com/mitre-attck-matrix-used-evaluate-endpoint-detection-and-response-product
The growing acceptance that it is impossible to detect and block all malware at the perimeter requires some form of response to malware post-breach. Endpoint Detection and Response (EDR), using machine learning behavioral rules to detect an intrusion, is the security industry’s reply.
Anti-malware testing, however, is still largely predicated on malware detection, leaving the efficiency of the response side of EDR less well understood. EDR firm Endgame has sought to address this by using the Mitre ATT&CK Matrix to emulate the post-breach tactics used by the China-based APT3 group.
The ATT&CK categories comprise persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and execution.
“To best understand what an adversary can do post-exploit,” explains Mitre’s Frank Duff, “we released the ATT&CK framework. The next logical step is to show how ATT&CK can be actionable, and we have done so with ATT&CK-based adversary emulations. These emulations provide a method to prove the effectiveness of security solutions against known threats.”
Tomi Engdahl says:
Five People Who Can Benefit from Thinking about Intelligence Differently
http://www.securityweek.com/five-people-who-can-benefit-thinking-about-intelligence-differently
Business Risk Intelligence (BRI) Expands the Scope of Intelligence Beyond Technical Indicators
Threats that originate on the Internet but can result in damage across the entire enterprise have become an all-too-familiar phenomenon in recent years. Indeed, the days of cybersecurity issues that solely impact cybersecurity teams are far behind us — a fact that is further solidified by the industry-wide shift away from indicator-centric cyber threat intelligence (CTI) and towards the more strategic, cross-functional nature of Business Risk Intelligence (BRI). BRI not only transcends the boundaries of CTI use cases, it necessitates a change in how all business units and, more specifically, decision-makers, perceive the value and function of intelligence.
As leaders of business units to which BRI can provide immense value, the following five decision-makers in particular can avail themselves of a broader approach to intelligence:
VP of Fraud
Head of Physical Security
VP of Business Development
Insider Threat Specialist
Chief Risk Officer
Tomi Engdahl says:
The K-dealer is a mumble – a forgotten device disturbs passers-by from the competitor’s premises
Jouni Tuominen, the seller of K-supermarket at Kamppi, received remarkable contacts on Friday. It was rumored that the business had begun to impractantly and unlawfully impede coffee ads for the passers-by of mobile phones.
An interesting turn is that the lighthouse with its advertisements is dating back to 2011. It is still a bit odd that the device seems to work from the premises of a former competitor.
“Originally, the device had to ask if the customer would want to bid through Bluetooth. Only after giving the answer he would have received an offer on the phone,” says Tuominen.
“The device vendor disappeared right after the installation and also my device included the device at that time,” Tuominen continues. “Certainly, someone has put the forgotten device on the wall in the case of remodeling, and it has awakened to life.”
Kamp’s K-supermarket has commissioned experts to locate and destroy the device.
Source: http://www.tivi.fi/Kaikki_uutiset/k-kauppias-aiman-kakena-unohdettu-laite-hairikoi-ohikulkijoita-kilpailijan-tiloista-6683382
Tomi Engdahl says:
Hospital districts cannot testify about cybercrime
Hospital districts do not report any cyber attacks or crimes to the police in Finland. It is difficult to prove them, reveals a dissertation under preparation.
The dissertation under preparation examines the evidence of cyber crime in eight Finnish hospital districts. During the work it has come to light that security has focused too much on prevention.
According to Lännen Media, Heikki Kamppuri has worked out an electronic evidence process in his job. According to him, none of the hospital districts is able to testify to an external data breach. When data is only copied, it is more difficult to prove the crime than when a physical object disappears.
Collecting evidence, Kamppuri holds, is essential to eradicating cybercrime and punishing offenders.
Source: http://www.tivi.fi/Kaikki_uutiset/lm-sairaanhoitopiirit-eivat-pysty-itse-todistamaan-kokemiaan-kyberrikoksia-6683632
Tomi Engdahl says:
https://hackaday.com/2017/10/12/untether-from-your-location-with-a-vpn/
Tomi Engdahl says:
The Keys to Unlocking Security in a Virtual World
http://www.securityweek.com/keys-unlocking-security-virtual-world
Consider your data – your computer, network and online presence – as your virtual home.
So what can you do to keep yourself as safe as possible in the virtual world?
Set up a secure perimeter
Install an alarm system
Use a safe for your most valued possessions
Answer your door selectively
Tomi Engdahl says:
Canada’s CSE Spy Agency Releases Malware Analysis Tool
http://www.securityweek.com/canadas-cse-spy-agency-releases-malware-analysis-tool
Canada’s Communications Security Establishment (CSE) agency announced this week that the source code for one of its malware detection and analysis tools has been made public.
The Python-based tool released as open source by the spy agency is named Assemblyline and it was created within the CSE’s Cyber Defence program. The organization says this is one of the tools it uses to protect the country’s computer systems against advanced cyber threats.
Assemblyline allows defenders to automate the analysis of malicious files. The analysis process, which has been compared to a conveyor belt, involves assigning a unique identifier to files as they travel through the system, looking for signs of malicious functionality and extracting features for further analysis, generating alerts for malicious files and assigning them a score, and sending data to other protection systems so that identified threats can be neutralized.
Users can also add their own analytics, including custom-built software and antiviruses, to enhance Assemblyline’s capabilities.
https://www.cse-cst.gc.ca/en/assemblyline
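The conveyor-belt description above (identifier per file, pluggable analytics, a score, alerts passed downstream) is the shape of most file-analysis pipelines, and is worth seeing in code. The following is an added example written for this page, not Assemblyline's own code or API: each file gets a SHA-256 identifier, a list of services examines it and returns features plus a score, totals past a threshold become alerts, and a user-supplied service is appended to the list exactly as the article says custom analytics can be. The services (file-type magic, byte entropy, URL extraction, keyword match), the scores and the sample files are constructed for the example.

```python
# Added example (not Assemblyline's code): a toy analysis conveyor belt in the
# shape the article describes. Each service takes raw bytes and returns
# (score, {feature: value}); the pipeline aggregates per file and raises an
# alert when the total score crosses a threshold.
import hashlib
import math
import re

URL_RE = re.compile(rb"https?://[\w.\-/]+")


def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# --- built-in services ---
def file_type_service(data):
    """Cheap magic-number check; a PE file is worth a closer look."""
    if data.startswith(b"MZ"):
        return 10, {"type": "pe"}
    if data.startswith(b"%PDF"):
        return 5, {"type": "pdf"}
    return 0, {"type": "unknown"}


def entropy_service(data):
    """High entropy hints at packing or an embedded encrypted blob."""
    e = shannon_entropy(data)
    return (40 if e > 7.0 else 0), {"entropy": round(e, 2)}


def url_extractor_service(data):
    """Extract URLs so downstream systems can check or block them."""
    urls = [u.decode() for u in URL_RE.findall(data)]
    return (20 if urls else 0), {"urls": urls}


DEFAULT_SERVICES = [file_type_service, entropy_service, url_extractor_service]


def analyze(data, services=DEFAULT_SERVICES, alert_threshold=50):
    """Run every service over one file; the SHA-256 is the file's identifier."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "score": 0, "features": {}}
    for service in services:
        score, features = service(data)
        result["score"] += score
        result["features"].update(features)
    result["alert"] = result["score"] >= alert_threshold
    return result


def run_pipeline(files, services=DEFAULT_SERVICES, alert_threshold=50):
    """Return (results for every file, the subset that produced an alert)."""
    results = [analyze(d, services, alert_threshold) for d in files]
    alerts = [r for r in results if r["alert"]]
    return results, alerts


# A user-added analytic, the way custom services are bolted on: flag a string
# that an operator decided is suspicious in their environment.
def keyword_service(data):
    hit = b"beacon" in data
    return (15 if hit else 0), {"keyword_hit": hit}


# Constructed samples: a harmless note, and a fake PE header followed by a
# uniformly distributed byte block (entropy 8.0) and an embedded URL.
SAMPLES = [
    b"quarterly notes: nothing to see here",
    b"MZ" + bytes(range(256)) * 4 + b"http://c2.example/beacon",
]

if __name__ == "__main__":
    results, alerts = run_pipeline(SAMPLES, DEFAULT_SERVICES + [keyword_service])
    for r in results:
        flag = "ALERT" if r["alert"] else "clean"
        print(f"{flag:5} {r['sha256'][:16]}... score={r['score']} {r['features']}")
    print(f"{len(alerts)} alert(s) to forward to other systems")
```

The scores are illustrative; what the structure buys you is that adding a detector never touches the pipeline, and every verdict carries the identifier and the features that produced it, which is what an analyst needs when a file is forwarded to another protection system.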
Tomi Engdahl says:
New Mirai-Linked IoT Botnet Emerges
http://www.securityweek.com/new-mirai-linked-iot-botnet-emerges
A new, massive botnet is currently recruiting improperly secured Internet of Things (IoT) devices such as IP wireless cameras, Check Point warns.
Some of the technical aspects of the botnet, the security researchers say, reveal a possible connection to Mirai, which stormed the world a year ago. However, this is an entirely new threat and the campaign that is rapidly spreading worldwide is much more sophisticated.
To compromise devices, the malware attempts to exploit a large number of vulnerabilities commonly found in various IP camera models. Targeted vendors include GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others.
Because the attempted attacks were coming from different sources and a variety of IoT devices, the researchers concluded that the compromised devices themselves were spreading the malware.
Tomi Engdahl says:
G7 to Put Squeeze on Internet Giants at Terror Talks
http://www.securityweek.com/g7-put-squeeze-internet-giants-terror-talks
Tech giants including Google, Facebook and Twitter will come under pressure in Italy this week to go further and faster in helping G7 powers tackle the ever-greater threat of extremists online.
Tomi Engdahl says:
Russian Hackers Exploit Recently Patched Flash Vulnerability
http://www.securityweek.com/russian-hackers-exploit-recently-patched-flash-vulnerability
The Russia-linked cyber espionage group known as APT28 has been using a recently patched Adobe Flash Player vulnerability in attacks aimed at government organizations and aerospace companies, security firm Proofpoint reported on Thursday.
The Flash Player flaw in question, CVE-2017-11292, was patched by Adobe on October 16. At the time when the patch was released, the vulnerability had a zero-day status, as it had been exploited in targeted attacks by a Middle Eastern threat actor named BlackOasis to deliver FinFisher spyware.
APT28, which is also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team, started launching attacks using CVE-2017-11292 on October 18, Proofpoint said. It’s unclear if APT28 discovered the exploit on its own, purchased it, or reverse engineered the one used in the BlackOasis attack.
Tomi Engdahl says:
Maybe We Should Strive for Cyber Security Unawareness
http://www.securityweek.com/maybe-we-should-strive-cyber-security-unawareness
Tomi Engdahl says:
Sockbot Ensnares Android Devices into Botnet
http://www.securityweek.com/sockbot-ensnares-android-devices-botnet
A newly discovered Android malware has the ability to add the compromised devices to a botnet that could potentially launch distributed denial-of-service (DDoS) attacks, Symantec warns.
Dubbed Sockbot, the highly prevalent threat was found masquerading as legitimate apps in Google Play. Symantec has discovered eight such applications and says that they have been downloaded between 600,000 and 2.6 million times.
The malware is mainly targeting users in the United States, but some of the infected devices are located in Russia, Ukraine, Brazil, and Germany, the security researchers say.
Tomi Engdahl says:
Authentication now comes with a wave of your hand
https://techcrunch.com/2017/10/23/authentication-now-comes-with-a-wave-of-your-hand/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
“You can think about the palm as a very large fingerprint,” says Kontsevich. “It has a rich structure and can be captured by any camera touchlessly.”
Tomi Engdahl says:
Todd Bishop / GeekWire:
Microsoft drops suit against the US DoJ after the department announced new policy to limit use of gag orders by prosecutors for accessing customer data — Microsoft says it’s dropping a suit against the U.S. Justice Department that targeted a tactic commonly used by prosecutors …
Microsoft drops suit over U.S. secrecy rules after DOJ limits use of gag orders by prosecutors
https://www.geekwire.com/2017/microsoft-drops-lawsuit-u-s-gag-orders-justice-department-changes-policy/
“This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud. It helps ensure that secrecy orders are used only when necessary and for defined periods of time,” said Brad Smith, Microsoft president and chief legal officer, in a blog post. “This is an important step for both privacy and free expression. It is an unequivocal win for our customers, and we’re pleased the DOJ has taken these steps to protect the constitutional rights of all Americans.”
DOJ acts to curb the overuse of secrecy orders. Now it’s Congress’ turn.
https://blogs.microsoft.com/on-the-issues/?p=55096
Tomi Engdahl says:
Tim Fernholz / Quartz:
GPS, used both for tracking location and tracking time, by global finance, telco, and transport networks, is vulnerable to jamming and spoofing
The entire global financial system depends on GPS, and it’s shockingly vulnerable to attack
https://qz.com/1106064/the-entire-global-financial-system-depends-on-gps-and-its-shockingly-vulnerable-to-attack/
There is an enormous, invisible clock that keeps ultra-precise time, can be checked from anywhere on earth, and is free for everyone to use. This technological gift to mankind was built by the US government. It is called the Global Positioning System (GPS), it lives in space, and you use it every time you check the map on your phone.
What you may not know is that you rely on it far more often than that. Cell towers use it to route your phone calls, ATMs and cash registers use it for your transactions, electrical grids use it to send power to your house, and stock exchanges use it to regulate the trades that go into your stock portfolio or investment fund. And it is far more vulnerable to attack and disruption than most people know or are willing to admit.
“When we talk about economic infrastructure, I don’t think the general public realizes the extent to which the Global Positioning System’s timing signal is critical for these ATM transactions and every other point-of-sale transaction conducted in the United States and throughout most of the world,”
Putting a little clock in the credit-card machines wouldn’t work, because over time, even the most precise clocks start to differ from one another.
What makes the Global Positioning System so crucial, then, isn’t in fact the “positioning” part; it’s the ability to make machines all over the planet agree on exactly what time it is.
Developed and launched by the US military in the 1980s, GPS became fully operational in 1993. Today it consists of 31 satellites. Each satellite contains an atomic clock, which is synced regularly with high-precision timing devices at the US Naval Observatory. Phones, ATMs and other devices can pick up the timing signals from three or four satellites, and use the knowledge of exactly when each signal was sent to triangulate their position on earth.
While the US GPS constellation is the preeminent source of this data, other nations have launched similar constellations: Russia’s GLONASS, China’s BeiDou and Europe’s Galileo, along with smaller regional services, offer a similar signal under the rubric of “GNSS”—Global Navigation Satellite System.
It’s hard to find important digital infrastructure that doesn’t rely on GNSS.
The New York Stock Exchange relies on a set of GNSS antennae on the roof of its New Jersey server farm to time financial transactions, including those performed automatically by computers. Investors have spent millions improving their algorithms and communications systems to execute trades a few microseconds faster than their competitors, but all that would be for nought if they couldn’t agree on precisely what time each trade happened.
Even the modern electrical grid relies on ultra-precise synchronization to deliver power to high-demand areas at just the right time to prevent blackouts without causing a dangerous power surge.
Though it is illegal, it takes only a little tech savvy to build a device that broadcasts powerfully enough on the GNSS frequency to drown it out, and almost none to purchase an (illegal) jammer online for a few hundred dollars.
In 2008, Newark International Airport in the US began using GPS to help its air traffic controllers guide jets. Almost immediately, they noticed interference from passing vehicles on the nearby Interstate 95.
The contractor was fined $32,000. That same year, the London Stock Exchange noticed that it was losing access to timing data for about 10 minutes a day, likely because of a driver using a jammer.
These accidental interferences didn’t cause disaster because the home-built jammers have limited range. But there are more pernicious outcomes. In the UK, criminals have been found stealing luxury cars and using jammers to disrupt tracking systems.
And for more sophisticated entities, it’s possible to go beyond GNSS jamming to GNSS spoofing—not blocking the signal, but manipulating it to create different results. This is something that governments, particularly Russia’s and North Korea’s, do in warfare.
A year ago the Resilient Navigation and Timing Foundation published an analysis of the biggest threats to GPS (pdf), ranking them by vulnerability, potential damage, and the intent and capacity to carry them out. The top three threats were on-going “accidental” jamming like the truck at Newark airport and the potential use of powerful jamming devices by either a rival military or terrorist groups.
Intentional or unintentional jamming could cause millions, even billions of dollars in damage; it could also lead to the loss of life.
https://rntfnd.org/wp-content/uploads/12-7-Prioritizing-Dangers-to-US-fm-Threats-to-GPS-RNTFoundation.pdf
Tomi Engdahl says:
Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan
https://www.darkreading.com/application-security/veracode-75–of-apps-have-at-least-one-vulnerability-on-initial-scan/d/d-id/1330188
Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame.
A failure by organizations to provide adequate security training and by operational teams to address vulnerabilities in the production environment have a big impact on application safety as well
Veracode’s 2017 analysis found applications riddled with the same vulnerabilities that it uncovered last year. Information leakage flaws were most common and were present in more than 65% of the applications in which a security bug was found on initial scan. About 62% had cryptographic flaws while 56% had what Veracode described as code quality issues.
The Top 10 list of most frequent vulnerabilities on initial scan this year was identical to the list of top flaws last year
There was also evidence that findings, which are prioritized by a policy, for instance higher severity findings, get fixed about twice as often as do findings not prioritized by policy
We see evidence that scan frequencies are increasing, with a 3% to 4% increase in applications scanning at least daily
It’s time to put the lazy developer trope to bed
Operational teams for instance have a part in undermining application security as well.
nearly 25% of the sites operating on web servers with one or more vulnerabilities with a CVSS rating of 6 or higher. Nearly 19% had web servers that were at least a decade old.
At many organizations developers also simply don’t get the security training they require. Few managers consider a software developer’s security skills as an important metric when evaluating performance
Some 76% in that survey said they had not been required to take a single security course in college.
only 18% said security was the most important metric for measuring developers’ performance
Tomi Engdahl says:
10-steps-to-writing-and-developing-secure-applications
https://medium.com/@makash/10-steps-to-writing-and-developing-secure-applications-bda22090fb1c?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BN9vjtQLHRWiLGa0P2AONVw%3D%3D
Tomi Engdahl says:
Kaspersky Lab to open software to review, says nothing to hide
http://www.reuters.com/article/us-usa-security-kaspersky-russia/kaspersky-lab-to-open-software-to-review-says-nothing-to-hide-idUSKBN1CS0Y1
Moscow-based Kaspersky Lab said on Monday it will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies.
Tomi Engdahl says:
Worms can easily penetrate data centers via physical infrastructure: Report
http://www.cablinginstall.com/articles/pt/2017/10/how-worms-get-inside-data-centers-and-what-can-be-done-about-them.html?cmpid=enl_cim_cim_data_center_newsletter_2017-10-24
WannaCry and Petya demonstrate that worms have come into their own, and keeping systems patched only goes so far from protecting your data center against them. Data centers need to have multiple points of connection to the internet, each a potential access point for malware.
“As modern events show, if any connected appliance or software on the perimeter can be openly found through the internet, it can have vulnerabilities which [can] be exploited maliciously,”
How Worms Get inside Data Centers and What Can Be Done about Them
http://www.datacenterknowledge.com/security/how-worms-get-inside-data-centers-and-what-can-be-done-about-them
WannaCry and Petya demonstrate that worms have come into their own, and keeping systems patched only goes so far from protecting your data center against them
But they’ve really come into their own this year, with the rapid spread of WannaCry and Petya — and the associated damage costs.
“Traditional network log or behavioral analysis tools may not detect this kind of infection,” said Ambuj Kumar, co-founder and CEO at Fortanix, a Mountain View, California-based security firm. “Keeping systems patched helps to a certain extent, but they are useless if worms exploit zero-day vulnerabilities.”
“As modern events show, if any connected appliance or software on the perimeter can be openly found through the internet, it can have vulnerabilities which [can] be exploited maliciously,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.
That includes devices used to manage physical infrastructure, she added.
Positive Technologies has found weaknesses in data center infrastructure management platforms, she said.
“This vulnerability in DCIM systems allowed attackers to remotely access unencrypted information on data center support systems such as fire suppression, backup generators, and others,” she said. “This could be used in targeted incursions or wider attacks and could make life very difficult for the companies relying on data centers for business critical functions.”
Restrict Access
“If you disable SMBv1, you stand a much better chance of not getting infected,” said Simon Gibson, fellow security architect at Gigamon.
It can be hard to keep up with data center changes, he admitted.
“The rate of change and churn is staggering,” he said. “Most companies build networks and by the time they’re deployed, they’ve already changed.”
But it’s important to understand how their networks work, what’s running on them, and how they’re all connected, he said.
“Then, when outbreaks hit you’ll understand your risk profile,” he said. “Simple — not easy.”
Limit Applications
One security advantage that data center servers have over desktop machines is that they typically run a very specific set of applications. Anything that falls outside this set can be blocked without hurting user productivity.
Some data centers have an additional advantage if they are running software developed in-house.
Software-as-a-service providers, for example, have access to their own source code and can create custom software agents designed around the specific security needs of that software, said Manish Gupta, co-founder and CEO at ShiftLeft.
“Traditional security solutions are threat-based, because the onus of protecting applications is on the customers buying and deploying third-party applications, such as Microsoft Exchange or Oracle CRM, in their data centers,” he said. “Without access to the source code of the software, however, data center managers have no choice but to treat the software as black boxes and protect it from the one thing that they can understand – known threats.”
Assume Compromise
No security is perfect, said Fortanix’s Kumar, so security leaders need to start out with the assumption that the attacker has already gotten in.
“They need to keep the data secure even after the system is already infected,” he said.
That includes keeping data encrypted while both in transit and at rest.
Tomi Engdahl says:
Cosmetics Brand Tarte Exposed Personal Information About Nearly 2 Million Customers
https://gizmodo.com/cosmetics-brand-tarte-exposed-personal-information-abou-1819723431
Tarte Cosmetics, a cruelty-free cosmetics brand carried by major retailers like Sephora and Ulta, exposed the personal information of nearly two million customers in two unsecured online databases.
The databases were publicly accessible and included customer names, email addresses, mailing addresses, and the last four digits of credit card numbers, according to the Kromtech Security Center, the firm that discovered the exposed data.
“At Tarte, keeping customer information fully secure is our No. 1 priority. We are aware of this potential issue, which we are actively investigating,”
There’s some indication that Kromtech’s researchers weren’t the only ones to stumble on the data—according to the security firm, the database included a ransom note from a group known to seize unsecured databases.
“Databases also contained a ‘WARNING’ folder left by ransomware group CRU3LTY with its standard note demanding 0.2 bitcoins for recovering the database,” Kromtech’s chief security communications officer Bob Diachenko said. Although Cru3lty typically wipes data and demands a ransom to return it, the Tarte data appeared to be intact.
The data includes customers who apparently shopped on Tarte’s website between 2008 and 2017, Diachenko explained.
Tarte appears to have managed its customer information with open-source database program MongoDB, which has been a popular target for ransomware attacks. Older versions of MongoDB didn’t require a password by default, and so databases were sometimes accidentally set up without any password.
New York Based Cosmetic Company Leaks 2 Million Customer Details Online
https://mackeepersecurity.com/post/cosmetic-company-leaks-2-million-customer-details-online
Tomi Engdahl says:
Could your coffee machine be a cyber security risk?
http://www.businesscloud.co.uk/opinion/could-your-coffee-machine-be-a-cyber-security-risk
As part of National Cyber Security Awareness Month, Secarma MD Paul Harris offers advice on how companies can better protect themselves
This month is National Cyber Security Awareness Month, which encourages companies and individuals to make better cyber security choices. With this in mind I want to emphasise the dangers of the Internet of Things.
IoT is all about sharing information across numerous connected devices, so that everything works seamlessly and in harmony. With this convenience comes vulnerability.
Using IoT devices is like opening a can of worms when it comes to cyber security. I’ve come across numerous clients who have suffered a security breach because their IoT device wasn’t set up correctly. This connected ecosystem means that if an attacker gains access to one, they can actually gain access to every other device in your business. Scary right?
With so much excitement and buzz around IoT, it’s easy to want this shiny new tech and let it loose within your organisation without considering the potential drawbacks.
We are all used to scrutinising the security of websites before they are launched, and ensuring that employees are clued up on potential online security risks. But, would you consider doing the same when you are adding a new coffee machine to your office kitchen? Yup, believe it or not, your smart coffee machine or kettle could be compromised and used to spy on you.
Tomi Engdahl says:
New Ransomware Linked to NotPetya Sweeps Russia and Ukraine
https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/
Just four months ago, a massive ransomware attack known as NotPetya ripped through Ukraine, Russia, and some multinational companies, infecting thousands of networks and eventually causing hundreds of millions of dollars in damages. Now, an apparent aftershock of that attack is reverberating through the region, as a new variant of that code locks up hundreds of machines and handicaps infrastructure.
On Tuesday, the security community began tracking a new outbreak of ransomware tied to NotPetya’s authors. Known as BadRabbit, the strain has infected hundreds of computers—mostly in Russia, but with some victims in Ukraine, Turkey, Bulgaria, and Germany—according to security firms including ESET and Kaspersky. For now, the outbreak remains only a small fraction of the size of the NotPetya epidemic. But it has nonetheless hit several Russian media outlets, including the newswire Interfax, according to the Russian security firm Group-IB, and also infected Ukraine’s Odessa airport and Kiev subway system, partially paralyzing their IT systems and disabling the subway system’s credit card payments, according to one Ukrainian government official.
Tomi Engdahl says:
DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections
https://it.slashdot.org/story/17/10/25/0047224/duhk-crypto-attack-recovers-encryption-keys-exposes-vpn-connections
After last week we had the KRACK and ROCA cryptographic attacks, this week has gotten off to a similarly “great” start with the publication of a new crypto attack known as DUHK (Don’t Use Hard-coded Keys). The issue at the heart of the DUHK attack is a combination of two main factors. The first is the usage of the ANSI X9.31 Random Number Generator (RNG). This is an algorithm that takes random data and generates encryption keys used to secure VPN connections, browsing sessions, and other encrypted traffic/data. The second factor needed for a DUHK attack is when hardware vendors use a hardcoded “seed key” for the ANSI X9.31 RNG algorithm. When these two conditions take place, an attacker can brute-force encrypted data to discover the rest of the encryption parameters and deduce the master encryption key used to encrypt web sessions or VPN connections.
DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections, More
https://www.bleepingcomputer.com/news/security/duhk-crypto-attack-recovers-encryption-keys-exposes-vpn-connections-more/
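The two DUHK preconditions above can be shown directly in code. The following is an added example written for this page, not code from the Slashdot or BleepingComputer posts nor from the DUHK researchers. It implements the ANSI X9.31 generator with AES-128 as the block cipher (an assumption for illustration; the standard was also specified with 3DES) and then runs the audit check that matters: given the key, the timestamp block and a single observed output, can a second party reconstruct the generator's next output? With a key that is fixed in firmware and therefore knowable, it can; with a per-device secret key, it cannot. The key strings, seed and timestamps are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// hardcodedKey plays the role of a key baked into device firmware.
// Constructed sample value for this example, not a real vendor key.
var hardcodedKey = []byte("FIRMWARE-KEY-000")

// x931 is a minimal ANSI X9.31 generator with AES-128 as the block cipher.
type x931 struct {
	block cipher.Block
	v     [16]byte // secret internal state V
}

func newX931(key, seed []byte) (*x931, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g := &x931{block: b}
	copy(g.v[:], seed)
	return g, nil
}

func xor16(a, b [16]byte) (out [16]byte) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// next produces one 16-byte output R for timestamp block T and advances V:
//   I = E_K(T); R = E_K(I xor V); V' = E_K(R xor I)
func (g *x931) next(ts [16]byte) [16]byte {
	var i, r [16]byte
	g.block.Encrypt(i[:], ts[:])
	t := xor16(i, g.v)
	g.block.Encrypt(r[:], t[:])
	t = xor16(r, i)
	g.block.Encrypt(g.v[:], t[:])
	return r
}

// tsBlock packs a wall-clock time into the 16-byte timestamp input.
func tsBlock(t time.Time) (b [16]byte) {
	binary.BigEndian.PutUint64(b[:8], uint64(t.UnixNano()))
	return b
}

// NextFromObserved is the auditor's check: given the key, the timestamp and one
// observed output, it rebuilds V' and reproduces the following output. When this
// succeeds, the output stream is exactly as secret as the key and nothing more.
func NextFromObserved(key []byte, ts, observed, nextTS [16]byte) ([16]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return [16]byte{}, err
	}
	var i, v [16]byte
	b.Encrypt(i[:], ts[:])
	t := xor16(observed, i)
	b.Encrypt(v[:], t[:]) // V' = E_K(R xor I), recovered without the seed
	g := &x931{block: b, v: v}
	return g.next(nextTS), nil
}

// Predictable reports whether a party knowing knownKey reproduces the second
// output of a generator keyed with hardcodedKey after seeing only its first.
func Predictable(knownKey []byte) (bool, error) {
	seed := make([]byte, 16)
	if _, err := rand.Read(seed); err != nil {
		return false, err
	}
	g, err := newX931(hardcodedKey, seed)
	if err != nil {
		return false, err
	}
	t1 := tsBlock(time.Now())
	t2 := tsBlock(time.Now().Add(time.Microsecond))
	r1 := g.next(t1)
	r2 := g.next(t2)
	guess, err := NextFromObserved(knownKey, t1, r1, t2)
	if err != nil {
		return false, err
	}
	return guess == r2, nil
}

func main() {
	ok, _ := Predictable(hardcodedKey)
	fmt.Println("key hard-coded and known: next output reproduced =", ok)
	ok, _ = Predictable([]byte("per-device-key-1"))
	fmt.Println("key unique and secret:    next output reproduced =", ok)
}
```

The seed is never given to `NextFromObserved`, which is the point: X9.31 keeps its state confidential only through the block cipher key, so a key shared across every unit of a product line is equivalent to no key at all. The mitigation the article names, not using hard-coded keys, is the only one that closes the check above; rotating the seed does not help.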
Tomi Engdahl says:
White House official: Let’s replace Social Security numbers
https://www.cnet.com/google-amp/news/equifax-trump-white-house-official-replace-social-security-numbers/
A Trump cybersecurity adviser says alternatives to the numbers could include a cryptographic key.
After the massive data breach at Equifax, it would be fair to ask what your Social Security number is even good for anymore.
It’s no longer really a secret form of identification, so let’s think of something else. White House cybersecurity coordinator Rob Joyce, speaking Tuesday at the Washington Post’s Cybersecurity Summit, said that’s what the government should do.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said.
Major data breaches often spur complaints that the Social Security number was never intended to be a universal form of identification. But it appears Joyce isn’t just speculating. He said Tuesday the Trump administration has asked federal government departments and agencies to come up with ideas for a new form of personal identification.
If the idea goes any further, it’ll be one more way that the Equifax breach has touched every corner of our financial lives. So far, lawmakers have jumped on the opportunity to introduce bills that would tighten regulations on the companies that hold onto and sell consumer information. What’s more, other financial companies will likely consider changes to their practices as Equifax continues to take blows in public for its actions leading up to and after the data breach.
If we phase out Social Security numbers, though, we’ll need something that won’t just get compromised all over again.
“It’s a flawed system that we can’t roll back that risk after we know we’ve been compromised,” said Joyce, who acknowledged his own Social Security number has been compromised four times that he knows of.
The solution, he said, might be in cryptography —
You enter your password when you create your bank account, and the bank’s system runs some complex math wizardry to turn your password into a long string of numbers and letters that it then stores to identify you later. If the cryptography is good, criminals can’t ever turn that string back into your password and use it to log in to your accounts.
Joyce proposed a similar system to replace Social Security numbers. It’s known as a public-private key system, and it means you never have to trust someone else to take care of that identifying information for you.
Tomi Engdahl says:
Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs
Ransomware breeds through Windows networks via SMB, fake Flash
https://www.theregister.co.uk/2017/10/24/badrabbit_ransomware/
Computers at Russian media outlets and Ukraine’s transport hubs were among Windows PCs infected and shut down today by another fast-spreading strain of ransomware.
Corporate systems within Interfax and two other major Russian news publishers had their files encrypted and held to ransom by malware dubbed BadRabbit. In Ukraine, Odessa airport, the Kiev metro, and the Ministry of Infrastructure were also hit by the extortionware, which demands Bitcoins to restore scrambled documents.
BadRabbit may also have spread to Turkey, Bulgaria and beyond, and is a variant of Diskcoder, according to researchers at ESET. Antivirus maker Avast detected it in Poland and South Korea, too.
Tomi Engdahl says:
Family’s legal battle over YouTube’s role in Paris terror murders is paused
Judge gives victim’s relatives two weeks to come up with new claims or give up
https://www.theregister.co.uk/2017/10/24/google_youtube_paris_terror_lawsuit/
A lawsuit accusing YouTube of playing a key role in the November 2015 Paris terror attacks has been all but thrown out of court.
Northern California District Judge Donna Ryu ruled [PDF] this week that the Mountain View ads broker could not be held liable for killings apparently inspired by terror bastards’ propaganda videos on YouTube.
Tomi Engdahl says:
IETF mulls adding geoblock info to ‘Bradbury’s code’
Proposal to extend Error 451
https://www.theregister.co.uk/2017/10/25/ietf_mulls_adding_geoblock_info_to_error_code_451/
After a long campaign, the Internet Engineering Task Force (IETF) has decided that users deserve to know why pages were blocked and created HTML error 451. Now the body will consider a proposal to extend it to give users more information.
“Error 451” entered the canon in December 2015, with the name honouring Ray Bradbury’s “Fahrenheit 451” and a rationale that users deserved to know if legal constraints (such as censorship) were being applied to pages they wished to view.
The original spec provided only minimal information: if used, it would return a status code stating a resource was unavailable for legal reasons, and the response should include a reason.
His suggestions in this draft are that the protocol elements include:
A header field that identifies the “blocking authority”;
A response element that indicates to users if they’re geo-blocked from a particular site.
The suggestions are the result of an implementation report that’s been looking at Error 451 since it was adopted as a standard in February 2016.
That report, published in July 2017, noted that geoblocking was primarily associated with gambling sites.
There’s another reason the IETF would consider encouraging the use of 451, and enhancing it: since it’s machine readable, it provides a potentially-useful research tool (for example, to answer “how much content is blocked for reasons pertaining to intellectual property rights?”), and it can be returned by encrypted Web pages.
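To make the machine-readable angle concrete, here is an added example in Go, written for this page and not code from The Register, the IETF or the draft's author. A server answers 451 for a legally blocked path and names the blocking authority; a client-side check recognises the status and extracts that authority, which is what a measurement tool counting blocked content would do. The `Link` header with `rel="blocked-by"` is taken from RFC 7725, the published 451 specification, not from the article; the block list and authority URL are constructed sample values.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// legalBlocks maps paths to the authority that ordered the block.
// Constructed sample data for this example.
var legalBlocks = map[string]string{
	"/banned-article": "https://authority.example/order/1234",
}

// handler answers 451 for legally blocked paths and names the blocking
// authority in a Link header with rel="blocked-by" (RFC 7725).
func handler(w http.ResponseWriter, r *http.Request) {
	if authority, ok := legalBlocks[r.URL.Path]; ok {
		w.Header().Set("Link", fmt.Sprintf("<%s>; rel=\"blocked-by\"", authority))
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.WriteHeader(http.StatusUnavailableForLegalReasons)
		fmt.Fprintf(w, "Unavailable For Legal Reasons: blocked by %s\n", authority)
		return
	}
	fmt.Fprintln(w, "ok")
}

var blockedByRe = regexp.MustCompile(`<([^>]+)>\s*;\s*rel="?blocked-by"?`)

// BlockingAuthority classifies a response: blocked reports a 451, and
// authority is the URI named by a blocked-by Link header (empty if absent).
func BlockingAuthority(resp *http.Response) (blocked bool, authority string) {
	if resp.StatusCode != http.StatusUnavailableForLegalReasons {
		return false, ""
	}
	for _, l := range resp.Header.Values("Link") {
		if m := blockedByRe.FindStringSubmatch(l); m != nil {
			return true, m[1]
		}
	}
	return true, ""
}

// Probe fetches path from a server and returns its 451 classification.
func Probe(baseURL, path string) (bool, string, error) {
	resp, err := http.Get(baseURL + path)
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	blocked, authority := BlockingAuthority(resp)
	return blocked, authority, nil
}

// NewTestServer starts the handler on a local test listener.
func NewTestServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(handler))
}

func main() {
	srv := NewTestServer()
	defer srv.Close()
	for _, p := range []string{"/banned-article", "/news"} {
		blocked, authority, err := Probe(srv.URL, p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: blocked=%v authority=%q\n", p, blocked, authority)
	}
}
```

A 451 without the Link header is still reported as blocked, with an empty authority, so a survey tool can count both the minimal responses the original spec allowed and the richer ones the draft proposes.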
Tomi Engdahl says:
Dell Lost Control of Key Customer Support Domain for a Month in 2017
https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/?utm_content=bufferd921f
A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned.
There is a program installed on virtually all Dell computers called “Dell Backup and Recovery Application.” It’s designed to help customers restore their data and computers to their pristine, factory default state should a problem occur with the device. That backup and recovery program periodically checks a rather catchy domain name — DellBackupandRecoveryCloudStorage.com — which until recently was central to PC maker Dell’s customer data backup, recovery and cloud storage solutions.
Sometime this summer, DellBackupandRecoveryCloudStorage.com was suddenly snatched away from a longtime Dell contractor for a month and exposed to some questionable content. More worryingly, there are signs the domain may have been pushing malware before Dell’s contractor regained control over it.
Tomi Engdahl says:
Thirty Percent of CEO Email Accounts Exposed in Breaches: Study
http://www.securityweek.com/thirty-percent-ceo-email-accounts-exposed-breaches-study
Thirty percent of CEOs from the world’s largest organizations have had their company email address and password stolen from a breached service. Given the continuing tendency for users to employ simple passwords and reuse the same passwords across multiple accounts, the implication is that at least some of these CEOs are at risk of losing their email accounts to cyber criminals or foreign nation state hacking groups.
The statistic comes from a report (PDF) published today by F-Secure, whose researchers checked the email addresses of 200 CEOs from the world’s largest organizations against a database of leaked credentials. It notes that the 30% figure increases to 63% for tech companies.
Email accounts are highly valuable to cybercriminals, often containing sensitive information. A case in point is the hack and breach of Colin Powell’s Gmail account in 2016 and the public exposure of his candid thoughts during the presidential campaign.
Business email compromise (BEC) attacks also become very compelling if the finance director receives a transfer instruction that originates from the CEO’s genuine email account.
F-Secure found, unsurprisingly, that the top breached services to which CEOs linked their company email addresses were the professional networking site, LinkedIn, and Dropbox. Together they account for 71% of the CEOs.
But it’s not just email addresses and password hashes that are exposed in leaked breaches. Eighty-one percent of the CEOs, say the researchers, “have their emails and other details such as physical addresses, birthdates and phone numbers exposed in the form of spam lists and leaked marketing databases.” A mere 18% of CEO email addresses are not associated with any leak or hack.
http://images.news.f-secure.com/Web/FSecure/%7Be64e0f8f-f24a-4a64-9a07-48264cbafe61%7D_CEO-Email-Exposure-REPORT.pdf
Tomi Engdahl says:
Legal Hack Back Lets You Go After Attackers In Your Network
https://it.slashdot.org/story/17/10/24/2056214/legal-hack-back-lets-you-go-after-attackers-in-your-network
Security startup Cymmetria has a new offering for customers: “legal hack back.” The hack back tools have been added to the company’s MazeHunter deception technology and will enable “tracking down the attack servers and wiping data originally stolen from their servers, probing the attack infrastructure for weaknesses to exploit, disabling the systems controlling malware, looking for information about the attackers to use in attribution, and launching distributed denial-of-service attacks to slow down criminal operations,” but security teams are restricted to taking these actions on systems within their organizations, writes Fahmida Rashid in CSO Online.
Legal hack back lets you go after attackers in your network
https://www.csoonline.com/article/3234661/hacking/legal-hack-back-lets-you-go-after-attackers-in-your-network.html
Security startup Cymmetria has put together a tool and a framework to help security defenders hack back legally as part of incident response activities.
Hack back doesn’t need to be a dirty word. According to security startup Cymmetria, organizations and individuals can employ a number of attack tools to disrupt attacker operations, as long as the security teams stay within their own network. There is no need to go after attacker infrastructure on foreign servers when the attackers set shop right in the organization’s infrastructure.
“I can’t attack the attacker where he lives, but I don’t have to. I can stop him while he is in my network,” said Gadi Evron, founder and CEO of Cymmetria.
Cymmetria has added “legal hack back” tools to its deception technology platform MazeHunter and published a framework that security professionals can use to discuss with their legal teams what types of actions and tools can be performed. Security teams can perform actions such as delivering a payload, wiping data, and setting up a beacon to see what attackers are doing next.
It’s an open secret that some companies already hack back. However, hacking back can impact these innocent users more than the attackers themselves. Attribution is extremely hard, and there is no room for getting it wrong in a hack back scenario. Even if the security team gets it right, hacking back can escalate the situation, with attackers responding with more advanced payloads.
Hack back as incident response
Evron said there is a middle ground between not going after the attackers and what the industry calls hack back, and that middle ground has to do with where the security defenders engage with the attackers. Most hack back operations involve security teams tracking down the attack servers and wiping data originally stolen from their servers, probing the attack infrastructure for weaknesses to exploit, disabling the systems controlling malware, looking for information about the attackers to use in attribution, and launching distributed denial-of-service attacks to slow down criminal operations.
Cymmetria’s MazeHunter will let security teams perform any of these actions, but the activities are restricted to systems within the organization’s network that the attackers had compromised as part of their operations. There is less chance of collateral damage, since the incident responders know without a doubt that a machine, which belongs to the organization, is being used in the attack. “Hacking back is actually incident response,” Evron said. “It’s not hacking if I am in my network and on my computer. I am closing the hole the attacker used.”
Tomi Engdahl says:
Security executives on the move and in the news
Find up-to-date news of CSO, CISO and other senior security executive appointments.
https://www.csoonline.com/article/3204008/it-careers/security-executives-on-the-move-and-in-the-news.html
The upper ranks of corporate security are seeing a high rate of change as companies try to adapt to the evolving threat landscape. Many companies are hiring a chief security officer (CSO) or chief information security officer (CISO) for the first time to support a deeper commitment to information security.
As data protection officer (DPO) at the cloud provider of smart content collaboration and governance, Lahiri will be responsible for continuously monitoring Egnyte’s regulatory compliance with the new General Data Protection Regulation (GDPR). He will act as the main point of contact for the EU Commission during any audits or reviews.
Tomi Engdahl says:
IT’s 9 biggest security threats
https://www.csoonline.com/article/3215111/security/security-it-s-9-biggest-security-threats.html
Hacking has evolved from a one-person crime of opportunity to an open market of sophisticated malware backed by crime syndicates and money launderers
Years ago the typical hacking scenario involved a lone attacker and maybe some buddies working late at night on Mountain Dew, looking for public-facing IP addresses. When they found one, they enumerated the advertising services (Web server, SQL server and so on), broke in using a multitude of vulnerabilities, then explored the compromised company to their heart’s content. Often their intent was exploratory. If they did something illegal, it was typically a spur-of-the-moment crime of opportunity.
My, how times have changed.
When describing a typical hacking scenario, these days you must begin well before the hack or even the hacker, with the organization behind the attack. Today, hacking is all crime, all the time, complete with bidding markets for malware, crime syndicates, botnets for hire, state actors, and cyber warfare gone amok.
Threat No. 1: Cyber crime syndicates
Threat No. 2: Small-time cons — and the money mules and launderers supporting them
Threat No. 3: Hacktivists
Threat No. 4: Intellectual property theft and corporate espionage
Threat No. 5: Malware mercenaries
Threat No. 6: Botnets as a service
Threat No. 7: All-in-one malware
Threat No. 8: The increasingly compromised web
Threat No. 9: Cyber warfare
Crime and no punishment
Some victims never recover from exploitation. Their credit record is forever scarred by a hacker’s fraudulent transaction, the malware uses the victim’s address book list to forward itself to friends and family members, victims of intellectual property theft spend tens of millions of dollars in repair and prevention.
The worst part is that almost none of those who use the above malicious attacks are successfully prosecuted. The professional criminals on the Internet are living large because the Internet isn’t good at producing court-actionable evidence. Even if it could, the suspects are living outside the victim’s court jurisprudence. Most hacking is anonymous by default, and tracks are lost and covered up in milliseconds. Right now, we live in the “wild, wild west” days of the internet. As it matures, the criminal safe havens will dry up. Until then, IT security pros have their work cut out for them.
Tomi Engdahl says:
When Russian Trolls Attack
https://www.wired.com/2017/10/russian-trolls-attack/
Anna Zhavnerovich knew she was taking a risk when she publicized the details of her assault online. But in doing so, she joined a growing movement of survivors fighting back against Russia’s Kremlin-influenced trolling machine.
Tomi Engdahl says:
Artificial Intelligence protects the systems within 5 to 10 years
Artificial intelligence will inevitably change the control of cybersecurity. – When a human produces information, artificial intelligence applications are able to capture, record and remember it. Why spend time on routine googling when artificial intelligence brings you the data pre-digested, says Esa Törölä, Sales Director of Combitech, a company specializing in security solutions.
Artificial intelligence can be used to collect a central database of malware related security information, such as the use of IP addresses by the criminals or typical attack methods. All organizations need this information to hedge, so global cooperation is essential.
In the future, artificial intelligence will help identify suspicious activity of users before the damage has occurred. For example, in application development, artificial intelligence can analyze and repair new programs even before they are in production and in use by users. Risk management, on the other hand, can take advantage of the cognitive skills of artificial intelligence, that is, the ability to understand natural language, by harnessing it to look for sensitive data in organizational systems. When exploring vulnerable information, the program can hide or remove sensitive sections so that potential attackers cannot exploit them, delete the image.
Artificial intelligence brings a scale and regularity to cyber threat analysis that manual handling cannot keep up with. – The big changes are, of course, slow, as they always meet resistance to change. However, I estimate that within 5 to 10 years it will be self-evident that artificial intelligence is used to protect systems.
However, development takes time
Source: http://www.etn.fi/index.php/13-news/7049-tekoaely-suojaa-jaerjestelmiae-5-10-vuoden-kuluessa
Tomi Engdahl says:
Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta
Plus: Azure gets all Cray-cray
https://www.theregister.co.uk/2017/10/23/fyi_windows_10_ransomware_protection/
A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead.
Though controlled folder access has been known about for months – it surfaced with Insider builds earlier this summer – the feature is only now being thrust into the spotlight with the general public release of the Fall Creators Update for Windows 10.
The feature can be enabled through the Windows Defender Security Center App for most users, and is accessed by opening the virus & threat protection screen within Defender. From there, users switch on the controlled folder access option to activate controlled folders.
For enterprise users and administrators, controlled folder access can also be activated through PowerShell, Group Policy, and MDM configurations.
Once the feature has been activated, essential directories like the user’s documents folder are locked off from any malicious applications that seek to encrypt files to hold them to ransom, or scramble them to destroy them. Users can also designate additional folders to be protected from unauthorized changes.
The idea is to safeguard data from any ransomware infections that manage to give your third-party antivirus, if present, the slip.
Stopping ransomware where it counts: Protecting your data with Controlled folder access
https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
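The PowerShell route mentioned above, as an added example that is not part of the article or of Microsoft’s own documentation: it uses the Windows Defender cmdlets Set-MpPreference, Add-MpPreference and Get-MpPreference (which exist on Windows 10 1709+), stages the feature through audit mode before enforcing, and the folder and application paths it protects and allow-lists are constructed placeholders.

```powershell
# Added example (not from the article): managing Controlled folder access with
# the Windows Defender cmdlets. Run from an elevated (Administrator) PowerShell
# prompt on Windows 10 Fall Creators Update (1709) or later.

# 1. Turn the feature on in audit mode first. Valid values: Disabled, Enabled, AuditMode.
#    AuditMode only logs what would have been blocked, which lets you find legitimate
#    software (backup agents, office suites) that writes to protected folders.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders beyond the defaults (Documents, Pictures, etc.).
#    'D:\Finance' is a constructed path for this example.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 3. Allow-list a trusted application that legitimately modifies protected files.
#    The path is a constructed placeholder; use the full path of the real binary.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupTool\backup.exe'

# 4. Verify the resulting configuration.
$pref  = Get-MpPreference
$state = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
'Controlled folder access: {0}' -f $state[[int]$pref.EnableControlledFolderAccess]
'Protected folders: {0}'        -f ($pref.ControlledFolderAccessProtectedFolders -join ', ')
'Allowed apps: {0}'             -f ($pref.ControlledFolderAccessAllowedApplications -join ', ')

# 5. Review what was blocked (or, in audit mode, would have been blocked).
#    Event ID 1123 = blocked, 1124 = audited, in the Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Once the audit events show no legitimate applications being flagged, enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

In audit mode the 1124 events are the ones to watch: each one is an application you either allow-list in step 3 or accept will be blocked once step 6 is applied.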
Tomi Engdahl says:
NIST Special Publication 800-63-3
Digital Identity Guidelines
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
Tomi Engdahl says:
Agile Security Manifesto
https://www.synopsys.com/content/dam/synopsys/sig-assets/ebooks/agile-security-manifesto.pdf