The year 2017 will not bring a turn towards better data security. The internet is rife with well-known threats as well as unknown ones, and companies’ systems are expected to withstand both. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure will come under attack in 2017. Critical infrastructure must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is a push for better web security in 2017. Beginning in January 2017 with Chrome 56, Google’s Chrome marks as “Not secure” any page served over plain HTTP that contains a password or credit card field, as the first step of a long-term plan to mark all HTTP sites as non-secure.
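A site operator can find the pages that will get the new label before Chrome 56 reaches users. The following is an added example, not code from the original post or from Google: it parses page HTML with the standard library, reports password and credit card inputs on http:// pages, and, going one step further than Chrome 56 does, also reports an https:// page whose form posts such a field to an http:// action. The sample pages and hostnames are constructed for illustration.

```python
"""Flag pages that Chrome 56 labels "Not secure": a page served over plain
HTTP that carries a password or credit card field. Added example, not code
from the original post or from Chrome; the sample pages below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# autocomplete tokens that identify credit card inputs (HTML autofill spec)
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                   "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Collect password / credit card inputs and the URL each one submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form_action = None
        self.findings = []          # list of (field_kind, submit_url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A form without an action submits back to the page's own URL.
            self._form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif a.get("autocomplete", "").lower() in CC_AUTOCOMPLETE:
                kind = "credit-card"
            if kind:
                self.findings.append((kind, self._form_action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_page(page_url, html):
    """Return warnings for one page.

    Chrome 56 warns when the page itself is served over http:// and contains a
    sensitive field. As a stricter check we also warn when an https:// page
    posts such a field to an http:// action, which exposes it just the same.
    """
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    warnings = []
    for kind, submit_url in finder.findings:
        if urlparse(page_url).scheme == "http":
            warnings.append(f"{kind} field on HTTP page {page_url} (Chrome 56: Not secure)")
        elif urlparse(submit_url).scheme == "http":
            warnings.append(f"{kind} field on {page_url} submits to plain HTTP {submit_url}")
    return warnings


# Constructed sample pages, not real sites.
SAMPLE_PAGES = {
    "http://shop.example/login":
        '<form action="/session"><input name="u"><input type="password" name="p"></form>',
    "https://shop.example/checkout":
        '<form action="http://pay.example/charge"><input autocomplete="cc-number" name="cc"></form>',
    "https://shop.example/login":
        '<form><input name="u"><input type="password" name="p"></form>',
    "https://shop.example/news":
        '<form action="/search"><input type="search" name="q"></form>',
}


def audit_all(pages=SAMPLE_PAGES):
    """Audit every page and return {url: [warnings]} for pages with findings."""
    report = {url: audit_page(url, html) for url, html in pages.items()}
    return {url: w for url, w in report.items() if w}


if __name__ == "__main__":
    for url, warnings in audit_all().items():
        for w in warnings:
            print(w)
```

Run it over a crawl of your own pages (URL plus fetched body) rather than the constructed dictionary; the fix for every finding is the same: serve the page over HTTPS and redirect the HTTP URL to it, then check that the form action is HTTPS as well.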
SHA-1 is insecure. Public CAs stopped issuing SHA-1 certificates at the start of 2016 and have migrated to SHA-2, and the major browser makers, Microsoft, Google and Mozilla, have announced that from early 2017 their browsers will no longer trust sites that still present SHA-1 certificates, marking them as insecure. Despite the looming deadline, roughly a third of websites were still using SHA-1 certificates at the end of 2016. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some operators simply will not make the change.
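Finding SHA-1 certificates in your own estate only requires reading the signatureAlgorithm field of each certificate. The example below is added here and is not from the original post: a minimal DER walker, standard library only, that extracts that field’s OID and classifies it, using a constructed certificate skeleton (not a real certificate) as input. Feed it real DER, for instance a PEM file through pem_to_der(), to check production certificates. The check matters for the leaf and every intermediate in the chain but not for the root: browsers never verify a root’s self-signature, so a SHA-1 signed root certificate is harmless.

```python
"""Read the signature algorithm of an X.509 certificate from DER with a minimal
DER walker (standard library only). Added example, not code from the original
post; the certificate bytes built below are a constructed skeleton, not a real
certificate."""
import base64
import re

# signatureAlgorithm OIDs seen on the public web -> (scheme, hash)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"),
}
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)          # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify_signature(der):
    """Return (scheme, hash, is_weak). Unknown algorithms are reported as weak."""
    oid = signature_algorithm(der)
    scheme, digest = SIGNATURE_OIDS.get(oid, ("unknown", oid))
    return scheme, digest, digest not in STRONG_HASHES


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode a single certificate."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def fake_cert(oid_bytes, params=b""):
    """Constructed Certificate skeleton: dummy tbsCertificate and signatureValue
    around a real AlgorithmIdentifier. Demonstration input only, not a valid cert."""
    tbs = b"\x30\x03\x02\x01\x02"                               # SEQUENCE { INTEGER 2 }
    alg_body = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + params
    alg = b"\x30" + bytes([len(alg_body)]) + alg_body           # AlgorithmIdentifier
    sig = b"\x03\x02\x00\xff"                                   # BIT STRING (dummy)
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body


SHA1_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d010105"), params=b"\x05\x00")   # NULL params
SHA256_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"), params=b"\x05\x00")
SHA256_ECDSA_CERT = fake_cert(bytes.fromhex("2a8648ce3d040302"))                    # no params


if __name__ == "__main__":
    for name, der in (("sha1-rsa", SHA1_RSA_CERT), ("sha256-rsa", SHA256_RSA_CERT),
                      ("sha256-ecdsa", SHA256_ECDSA_CERT)):
        print(name, classify_signature(der))
```

On a host with OpenSSL the same answer comes from openssl x509 -in cert.pem -noout -text, in the Signature Algorithm line; the walker above is for inventories where you want to parse thousands of certificates without shelling out.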
There will be changes in how businesses view security in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have formal plans for responding to cyber attacks; last year the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack, and you should expect to see more of them. 2017 promises to be the most dramatic year yet in the DDoS conflict: whale-sized DDoS attacks will increase, the Internet of Things (IoT) and other connected devices will become a bigger factor in DDoS, and DDoS will overshadow ransomware as a tool for extortion.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.
Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will not disappear entirely, because about two per cent of the world’s population have fingerprints that do not work with biometric readers. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, probably until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any mechanism that lets police into an encrypted system (be it a phone, a computer or a communications channel) could also be exploited by criminals. Any action in this space should weigh the short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partially secure encryption: either the system keeps everyone out, or it keeps no one out.
Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security have to be rethought from the ground up. In 2017 the cloud will also become a risk for users: extortion and exposed IoT devices will make the cloud less secure.
The arms race between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, which increases the need for mitigation by the telecom operator and external scrubbing services. In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as the main cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impact. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They raise problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who have read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of Big Brother’s telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched? It is set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or give up eating their favourite food, in exchange for better online security that meant they would never have to worry about being hacked. When you consider that 87 per cent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Blockchains have been a big trend for several years, and the blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen Ethereum as its blockchain platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain in its Bluemix service. Google and Amazon are conspicuous by their absence. Even banks may prefer to run their blockchains in the cloud.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
Tomi Engdahl says:
What More Does It Take to Make Cyber Security a Top Priority?
http://www.securityweek.com/what-more-does-it-take-make-cyber-security-top-priority
It has been yet another busy month in the world of cyber security news. What does it mean when breaches reach private sector and public institutions that are supposed to be experts in risk oversight? It means that security is hard even when it is treated as a priority, let alone when it is an afterthought, as it is in most institutions.
Until there is real motivation that elevates cyber security as a priority in public and private entities, we will continue to see a less than stellar effort at its implementation. Despite many executives losing their jobs, the long term inherent cost of these breaches is not significant enough to motivate the right behavior. Unfortunately, regulation and associated fines are likely the only way. One only has to look at the mania of activity and concern surrounding Europe’s General Data Protection Regulation (“GDPR”) and its potential material fines of up to four percent of global revenue.
What the risk based approach does not directly consider are the resulting impacts that are outside the business. Despite the significant momentary effect of major breaches on profits, stock prices and the personal careers of company executives, most breaches to date have not had a long term financial effect on the businesses in question. Equifax may be the first major exception to the rule, and as attacks increasingly cut into operational capabilities, the dollar impacts will grow (see FedEx’s $300 million cost attributed to the disruption caused by the NotPetya ransomware this past summer). However, most businesses are still inclined, by decision or passivity, to roll the dice that the cost of a cyber event will be less than the business cost of preventing one. Cyber insurance just raises the bar on the dollar threshold required to motivate boards and executives to pay attention and adjust how they do business to better protect themselves and their customers. Unfortunately, undesired outcomes that do not significantly impact the bottom line in the long term, like exposure of customer data, will not drive the attention required to make a dent in the matter.
The only way this formula changes is when the cost of weak security exceeds the cost of putting the right people, process and technologies in place to raise the bar. That’s not to say that being motivated to improve security posture will magically prevent attacks from being successful. But it is to say that without a direct driver, we will continue to see preventable breaches that result in the exposure of personal data and disruption to services.
Tomi Engdahl says:
Pull Passwords Out of Silicon
https://hackaday.com/2017/10/30/pull-passwords-out-of-silicon/
http://blog.dragonsector.pl/2017/10/pwn2win-2017-shift-register.html
Tomi Engdahl says:
Fingerprint identification will be on the debit card
NXP and Swedish Fingerprint Cards are jointly developing a solution that brings fingerprint-based biometric recognition to payment cards by planting a sensor inside the debit card.
There are about four billion smart payment cards in the world, half of which are uninitiated, meaning a local payment. NXP and Fingerprint Cards aim to make fully secure payment cards, which keep the number and speed of the current card readable.
Fingerprint sensors are already widely used in laptops, tablets and smartphones. NXP chose the Swedish sensor above all because of its very low power consumption. With a bank card, the power supply is a big challenge for card design: there is no room for a battery.
A payment card equipped with a fingerprint sensor must work with EMVCo-defined payment terminals, so it must be thin enough.
Source: http://www.etn.fi/index.php/13-news/7081-sormenjaeljen-tunnistus-tulee-pankkikortille
Tomi Engdahl says:
2017 Coverity Scan Report
Open Source Software—The Road Ahead
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/SCAN-Report-2017.pdf?cmp=em-sig-eloqua&utm_medium=email&utm_source=eloqua&elq_mid=264&elq_cid=166673
Tomi Engdahl says:
Is Anyone Listening When We Talk About Cybersecurity?
https://www.designnews.com/electronics-test/anyone-listening-when-we-talk-about-cybersecurity/104595267057713?ADTRK=UBM&elq_mid=1808&elq_cid=876648
Op-Ed: Cybersecurity was a part of most discussions at this year’s Arm TechCon. But are the warnings, and even the solutions, falling on deaf ears?
Tomi Engdahl says:
Google: Chrome is backing away from public key pinning, and here’s why
http://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/
Google wrote the HTTP public key pinning standard but now considers the web security measure harmful.
Google has announced plans to deprecate Chrome support for HTTP public key pinning (HPKP), an IETF standard that Google engineers wrote to improve web security but now consider harmful.
HPKP, as described in RFC 7469, was designed to reduce the risk of a compromised Certificate Authority misissuing digital certificates for a site, allowing an attacker to perform a man-in-the-middle attack on encrypted Transport Layer Security (TLS) connections.
Using HPKP, any website can tell browsers to remember, or ‘pin’, which public keys belong to a specific web server for a set period of time. After that, the browser ignores all other public keys for the set duration.
Currently Chrome, Firefox, and Opera are the only browsers that support HPKP, but Google’s Chrome security team have announced plans to remove support for HPKP in Chrome 67, which is due for stable release around May 29, 2018.
Security researchers have highlighted a number of problems with HPKP, including the possibility for an attacker to install malicious pins or for a site operator to accidentally block visitors.
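The comment above describes how a site pins its keys and how an operator can accidentally lock visitors out. As an added example (not code from the original article, from Google or from Chrome), the block below computes pin-sha256 values over SubjectPublicKeyInfo DER as RFC 7469 specifies, builds a Public-Key-Pins header with the mandatory backup pin, applies the browser-side match against a served chain, and plays through a re-key with and without a pre-pinned key. The SPKI byte strings are constructed placeholders, not real keys; for a real certificate the SPKI DER is what openssl x509 -pubkey -noout | openssl pkey -pubin -outform der produces.

```python
"""HPKP (RFC 7469) in miniature: pin computation, header construction and the
browser-side check. Added example, not code from the original article or from
Chrome; the SPKI byte strings are constructed placeholders, not real keys."""
import base64
import hashlib
import re


def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_hpkp_header(current_spki, backup_spki, max_age=5184000, include_subdomains=False):
    """Build a Public-Key-Pins value. RFC 7469 requires a backup pin for a key
    that is NOT in the served chain, so a compromised or lost key can be replaced."""
    parts = [f'pin-sha256="{spki_pin(current_spki)}"',
             f'pin-sha256="{spki_pin(backup_spki)}"',
             f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# a SHA-256 pin is 32 bytes -> 44 base64 characters ending in one '='
_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')


def parse_hpkp_header(value):
    """Return (set_of_pins, max_age); reject headers a browser must ignore."""
    pins = set(_PIN_RE.findall(value))
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        raise ValueError("max-age directive missing")
    if len(pins) < 2:
        raise ValueError("fewer than two distinct pins: no backup, header must be ignored")
    return pins, int(m.group(1))


def chain_matches_pins(chain_spkis, pins):
    """Browser check: at least one SPKI in the validated chain must match a pin."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed placeholder SPKI blobs (stand-ins for DER SubjectPublicKeyInfo).
LEAF_SPKI = b"spki:leaf-key-2017"
INTERMEDIATE_SPKI = b"spki:intermediate-ca"
BACKUP_SPKI = b"spki:offline-backup-key"
UNPLANNED_SPKI = b"spki:new-key-nobody-pinned"


def rekey_outcomes():
    """Which chains a browser that cached our pins accepts after a re-key."""
    pins, _ = parse_hpkp_header(build_hpkp_header(LEAF_SPKI, BACKUP_SPKI))
    return {
        # planned: the new leaf uses the pre-pinned backup key
        "rekey_to_backup": chain_matches_pins([BACKUP_SPKI, INTERMEDIATE_SPKI], pins),
        # the failure mode from the article: nothing in the chain is pinned,
        # so every returning visitor is locked out until max-age expires
        "rekey_to_unpinned_key": chain_matches_pins([UNPLANNED_SPKI, INTERMEDIATE_SPKI], pins),
    }


if __name__ == "__main__":
    print(build_hpkp_header(LEAF_SPKI, BACKUP_SPKI, include_subdomains=True))
    print(rekey_outcomes())
```

The second outcome is the self-inflicted outage the article refers to: with max-age set to 60 days, a re-key to a key that was never pinned makes the site unreachable for every browser that saw the old header, and no server-side change can shorten that. Operators who kept HPKP deployed typically pinned an intermediate CA key or kept a backup key offline for exactly this reason.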
Tomi Engdahl says:
Yubico launches YubiHSM 2: The smallest, cheapest Hardware Security Module (HSM)
http://www.zdnet.com/article/yubico-launches-yubihsm-2-the-smallest-cheapest-hardware-security-module-hsm/
The YubiHSM 2 is the world’s smallest and most cost-effective hardware security module, providing a root of trust for servers, IoT gateways and computing devices.
Yubico, the leading provider of authentication and encryption hardware devices, has today unveiled the YubiHSM 2, a new, cost-effective Hardware Security Module (HSM) for servers and IoT gateways.
But the YubiHSM 2 is different to existing HSM devices in that it is an ultra-slim “nano” USB key that slots inside a USB port, doing away with the need for bulky additional hardware, and offers flexibility for offline key transfer or backup.
Tomi Engdahl says:
Software code signing certificates worth more than guns on the Dark Web
http://www.zdnet.com/article/illicit-certificates-worth-more-than-guns-on-the-dark-web/
Digital code signing certificates are more expensive than credit cards or weapons.
Researchers have discovered that digital code signing certificates are being sold for more than is required to buy a gun in the web’s underground markets.
On Tuesday, security researchers from Venafi said there is a flourishing trade in the sale of digital code signing certificates, which can be used to verify software applications.
These certificates are a fundamental way of ensuring software and apps are legitimate, but if compromised, can be used to install malware on networks and devices while avoiding detection.
A single certificate can fetch up to $1,200. Credit cards can go for as little as a few dollars, while US passports can be picked up for roughly $850 — and a handgun may only set buyers back $600.
“We’ve known for a number of years that cybercriminals actively seek code signing certificates to distribute malware through computers,” said Peter Warren, chairman of the CSRI. “The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates.”
Tomi Engdahl says:
The nasty future of ransomware: Four ways the nightmare is about to get even worse
http://www.zdnet.com/article/the-nasty-future-of-ransomware-four-ways-the-nightmare-is-about-to-get-even-worse/
WannaCry, NotPetya, Bad Rabbit, and others have demonstrated the power of ransomware — and new sneaky tricks are only going to make it an even bigger problem.
2017 has been the year of ransomware. While the file-encrypting malware has existed in one form or another for almost three decades, over the last few months it’s developed from a cybersecurity concern to a public menace. The term even made it into the dictionary in September.
In particular, 2017 had its own summer of ransomware: while incidents throughout 2016 showed the potential damage — both operational and financial — ransomware can cause to organisations, it was in the space of six weeks during May and June this year that the impact of ransomware really became apparent.
First, WannaCry hit hundreds of thousands of systems around the globe.
Weeks later came another global ransomware epidemic in the form of Petya, equipped with similar worm-like features, plus the ability to irrecoverably wipe data from infected machines.
But what both WannaCry and Petya outbreaks managed to do was make it clear just how much of a problem ransomware has become. And it hasn’t gone away again either with the recent Bad Rabbit ransomware attacks in Russia and Ukraine showing that malware writers are still working on new versions.
Ransomware that blackmails you too
“How else might someone use access to a computer to make money? I think we might see more cases of ransomware which aren’t just about data encryption and ‘pay me and get it back’ but more about doxxing — gathering sensitive information and threatening to release it if you don’t pay up,” says Mark Dufresne, director of threat research and adversary prevention at security company Endgame.
This tactic has already been adopted by some families of ransomware.
Enterprise ransomware
Another potential tactic could see criminals go after enterprise infrastructure. Locking users out of PCs is bad, but getting ransomware onto critical systems could be highly disruptive to businesses and highly lucrative for crooks.
New network attacks
But not every cybercriminal operation is going to spend time and resources in order to go after specific targets — ransomware will continue to be randomly distributed in spam emails because that still works.
And as demonstrated throughout 2017, the use of SMB exploits like EternalBlue or EternalRomance can aid that by helping ransomware easily spread itself across a network with minimal effort.
Tomi Engdahl says:
Malaysia data breach comprises 46.2M mobile numbers
http://www.zdnet.com/article/malaysia-data-breach-comprises-46-2m-mobile-numbers/
Suspected to have originated from a 2014 attack, the breach is estimated to affect 46.2 million mobile numbers and compromise data such as home addresses and SIM card information.
Tomi Engdahl says:
Bad Rabbit ransomware spread using leaked NSA EternalRomance exploit, researchers confirm
http://www.zdnet.com/article/bad-rabbit-ransomware-spread-using-leaked-nsa-eternalromance-exploit-researchers-confirm/
An SMB vulnerability helped propagate BadRabbit, but not the one first suspected — security researchers have tentatively linked it to the mystery group behind NotPetya.
Tomi Engdahl says:
A flaw in Google’s bug database exposed private security vulnerability reports
http://www.zdnet.com/article/google-bug-tracker-flaw-exposed-sensitive-security-vulnerability-reports/
The bug allowed the researcher to see the most sensitive vulnerabilities in Google’s services.
A series of flaws in Google’s internal bug tracker let a security researcher gain access to some of the company’s most critical and dangerous vulnerabilities.
The company’s internal bug reporting system, known as the Issue Tracker (or the “Buganizer”), is used by security researchers and bug finders to submit issues, problems, and security vulnerabilities with Google’s software, services and products.
Tomi Engdahl says:
IoTroop Botnet: The Full Investigation
https://research.checkpoint.com/iotroop-botnet-full-investigation/
Tomi Engdahl says:
Google Docs Is Randomly Flagging Files for Violating Its Terms of Service
Let this serve as a reminder that you have less control over your stuff online than it often appears.
https://motherboard.vice.com/en_us/article/zmz3yw/why-is-my-google-doc-locked-terms-of-service-bug
A Google spokesperson reached out via email with the following statement saying that the bug has been fixed: “This morning, we made a code push that incorrectly flagged a small percentage of Google Docs as abusive, which caused those documents to be automatically blocked. A fix is in place and all users should have full access to their docs. Protecting users from viruses, malware, and other abusive content is central to user safety. We apologize for the disruption and will put processes in place to prevent this from happening again.”
Tomi Engdahl says:
Firefox to Block Canvas-based Browser Fingerprinting
http://www.securityweek.com/firefox-block-canvas-based-browser-fingerprinting
Firefox will soon provide users with increased privacy by blocking browser fingerprinting performed through the HTML5 canvas element.
With the release of Firefox 58, users will have the option to block websites’ requests to retrieve information through canvas, which is currently used as a cookie-less method of tracking users on the web. Websites using this technique extract data from HTML elements silently.
Tomi Engdahl says:
Life Between Absolutes – The Challenge of a Security Professional
http://www.securityweek.com/life-between-absolutes-challenge-security-professional
Security has never been about being ‘secure’ or ‘insecure’; I think we as an industry of professionals can broadly agree on this. What we don’t seem to agree on, pretty much ever, is how to strike the balance of good enough security.
In what feels like a never-ending struggle, I bear witness to the results of this on a daily basis working on the provider side of the problem. Over-engineering solutions leads to resentment and distrust from the business side. Under-engineering leads to situations of blame and catastrophe. I don’t think either end is a good result.
So, where’s the middle?
That, my friends, is the billion-dollar question. The magic formula for figuring out what is “good enough” is nowhere to be found. In fact, what we’ve been seeing is the result of a lot of trial and error—and it’s not been good. And yet, I still hear of security professionals talking in absolutes. Phrases like “that project was not secure” or “doing this makes us insecure” and so on. Frankly, it’s time to face the music.
There is no “secure.” The minute you think you can reach that place, you’re already wrong. Worse, you’re doing yourself and your organization a disservice.
Tomi Engdahl says:
Mozilla Raises Concerns Over DigiCert Acquiring Symantec CA
http://www.securityweek.com/mozilla-raises-concerns-over-digicert-acquiring-symantec-ca
Mozilla has raised some concerns regarding DigiCert acquiring Symantec’s website security and related public key infrastructure (PKI) solutions after major web browser vendors announced that certificates issued by the security firm would no longer be trusted.
Due to a series of incidents involving misissued TLS certificates, Mozilla and Google want Symantec and its partners to replace all existing certificates within a year. Furthermore, new certificates will need to be issued through the infrastructure of a subordinate certificate authority (CA).
Microsoft and Apple have yet to make any public comments on the matter, but they will likely follow in the footsteps of Mozilla and Google.
Instead of finding a subordinate CA to help it issue new certificates, Symantec has decided to sell its certificate business to DigiCert for $950 million in cash and a stake of roughly 30 percent in common stock equity of the DigiCert business. The companies announced on Tuesday that the acquisition has been completed.
DigiCert has reached out to Mozilla to see if the organization has any concerns over the acquisition. Mozilla is primarily concerned that while the new certificates will be issued under DigiCert’s name, Symantec will be involved in the process and it will introduce the problematic practices that led to the current situation.
Comodo Sells Certificate Business to Private Equity Firm
http://www.securityweek.com/francisco-partners-acquires-comodo-ca
Francisco Partners Acquires Comodo’s Certificate Authority Business
Tech-focused private equity firm Francisco Partners announced on Tuesday that it has acquired Comodo CA Limited, Comodo’s certificate authority business, for an undisclosed amount.
Comodo CA is the world’s largest provider of SSL certificates, with more than 91 million certificates issued to over 200,000 customers in 150 countries. Francisco Partners has acquired a majority stake in the company and says the investment will help support Comodo CA’s accelerated growth; the firm consistently reported double-digit revenue growth in the past several years.
Tomi Engdahl says:
A draft US law to secure election computers that isn’t braindead. Well, I’m stunned! I gotta lie down
Some good ideas sneak into the Senate
https://www.theregister.co.uk/2017/10/31/us_election_hacking_law/
A law bill was introduced today to the US Senate designed to safeguard American elections from hacking by miscreants or manipulation by Russian or other foreign agents.
The Securing America’s Voting Equipment (SAVE) Act [PDF] would designate elections systems as part of the US national critical infrastructure, task the Comptroller General of the United States with checking the integrity of voting machines, and sponsor a “Hack the election” competition to find flaws in voting machines.
“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders. We must do everything we can to protect the security and integrity of our elections,” said cosponsor Senator Martin Heinrich (D-NM).
https://regmedia.co.uk/2017/10/31/saveact.pdf
Tomi Engdahl says:
Disney-branded internet filter had Mickey Mouse security
23 vulnerabilities let rats run riot, even as kids’ eyes were kept innocent
https://www.theregister.co.uk/2017/11/01/23_vulnerabilities_found_in_disney_branded_internet_content_filter/
A Disney-branded home internet filtering device might keep bad content out, but it was an open door to bad actors until earlier this month.
That’s what Cisco Talos’s William Largent found when he took a look at “Circle with Disney”, a Circle Media parental control device on which the entertainment giant slapped its brand.
Whatever its qualities in filtering and screen time management, the US$99 box is riddled with 23 vulns, as the Talos post discloses.
The good news is that Talos described Circle Media as “exemplary to work with”, which is just as well when you’ve got to deal with backdooring, privilege escalation, remote code execution, authentication bypass, firmware substitution, certificate impersonation and more.
The backdoor arises in CVE-2017-12084
Vulnerability Spotlight: The Circle of a Bug’s Life
http://blog.talosintelligence.com/2017/10/vulnerability-spotlight-circle.html
Tomi Engdahl says:
How to secure a software-driven technology stack in a cloud of moving parts
Automate all the things
https://www.theregister.co.uk/2017/11/01/how_to_secure_a_softwaredriven_technology_stack_in_a_cloud_of_moving_parts/
Another day, another cloud security mishap. Some company exposes recordings of your kids to the Internet and then comes under Senatorial scrutiny. A security firm managing security clearance information turns out to be insecure.
Well, this cloud business is hard, isn’t it? There are lots of moving parts and they’re all buried under lots of other moving parts, so that you can’t even see half of them! We’re not sure that excuses a cloud-native firm getting its account hijacked so badly that it goes out of business, though.
It’s easy for admins to avoid anything other than basic configuration, or to assume that their cloud provider has them covered. It’s not actually Amazon’s fault if you leave an S3 bucket spilling your data all over the Internet, though. They just provide the infrastructure. What you do with it is up to you, and it’s important to understand where the cloud service provider’s responsibility ends and yours begins.
How can you manage a cloud technology stack properly and keep its various parts humming along securely, amid all this complexity?
The stack becomes more complex as the industry invents more layers in the cake. “Some of the new layers on top of that are serverless, like containerization,” he says. Then, let’s not forget the various shared storage components and databases that these layers use.
“The layers of abstraction are all about simplifying activities for developers, operations and management,”
Say hi to your API
Instead of handling these lower levels of the cloud directly, the API becomes an important tool in accessing different layers of the stack. It’s the lingua franca for developers and operators that want to manipulate infrastructure, and as such it’s the key to the kingdom.
That makes securing the APIs important. Start by authenticating the client, and then enforce SSL encryption to ensure that the client is talking to an authenticated server.
Commercial identity and access management (IAM) tools can handle authentication, meaning that you don’t have to code it directly into the API. This has two advantages. The first is that you don’t have to maintain authentication code that has been implemented in duplicate across a range of applications and interfaces. The second is that you can fold the client/server authentication process into a broader user identification system.
Finally, on the API security side proper vulnerability management and patching of the infrastructure hosting the API is a crucial part of the security process. While APIs may be the major touchpoints for developers and operations staff in a cloud environment, it’s still important to understand and secure each of the layers on which they rely.
Putting a hard shell around each component
Hardening components at each layer of the technology stack is important. Virtual machines should be security hardened, as should containers.
Other aspects of the cloud stack that should be hardened include your servers, applications and underlying databases. Automate compliance by codifying the rules for hardening your system as configuration parameters into your software. This will be more efficient than imposing security rules as written policies that business departments can ignore.
Tomi Engdahl says:
Tech Sector Must Uphold the Digital Social Contract says Arm CEO
https://community.arm.com/company/b/blog/posts/tech-sector-must-uphold-the-digital-social-contract
Cybercrime costs the global economy an estimated half a trillion dollars a year in economic losses, ransom payments and dealing with the resulting chaos. But while the advantages of a fully-connected world vastly outweigh the threats, achieving a digital world anchored in security needs all companies to accept their share of the responsibility to create a foundation of trust. In effect, all companies need to sign up to the Digital Social Contract (Social Contract) that obliges them to protect users.
IoT Security Manifesto
Exploring new Human-centered approaches to security
http://pages.arm.com/iot-security-manifesto.html
Tomi Engdahl says:
PSA: Beware the Image Downloader Chrome Adware Extension
http://www.download-freemaps.com/index.jhtml?partner=^BXV^xdm003&s1=google_dlbanner
This is a public service announcement that everyone should be careful when installing extensions from the Chrome Web Store. While most extensions are perfectly harmless, it is starting to become more and more common for unwanted and malicious extensions to be uploaded to the store and not be removed for quite a while.
For example, today I was told about a new Chrome extension called Image Downloader
When the browser starts, the extension will connect to two sites to download configuration information that is needed to operate properly. This information will then be used by the extension to inject ads
As a tip, only download extensions you really need and always check the extension’s permissions before allowing it to install. Malicious extensions will typically try and get full permissions to modify any web traffic, which most extensions do not need. Also make sure to have an up-to-date security program installed.
Tomi Engdahl says:
Windows 10 Exploit Guard Boosts Endpoint Defenses
http://www.securityweek.com/windows-10-exploit-guard-boosts-endpoint-defenses
Courtesy of the Windows Defender Exploit Guard that ships with Windows 10 Fall Creators Update, systems running Microsoft’s Windows 10 operating system can fend off emerging threats, Microsoft says.
In June this year, Microsoft revealed that Windows Defender Exploit Guard will make the Enhanced Mitigation Experience Toolkit (EMET) native to Windows 10, and that it would also provide users with additional vulnerability mitigations.
Tomi Engdahl says:
Facebook’s Zuckerberg Says Security Costs Will Hurt Profits
http://www.securityweek.com/facebook%E2%80%99s-zuckerberg-says-security-costs-will-hurt-profits
Facebook Chief Says Protecting Community is More Important Than Maximizing Profits
Social media giant Facebook said on Wednesday that significant investments by the company to secure its platform will impact its profitability.
The company announced its financial results for Q3 2017 after the bell on Wednesday, noting that capital expenditures for quarter were $1.76 billion. The company reported more than $10.3 billion in revenue during the quarter, and a profit of $4.7 billion.
“Our community continues to grow and our business is doing well,” Mark Zuckerberg, Facebook founder and CEO, said in a statement. “But none of that matters if our services are used in ways that don’t bring people closer together. We’re serious about preventing abuse on our platforms. We’re investing so much in security that it will impact our profitability. Protecting our community is more important than maximizing our profits.”
33-year-old Zuckerberg did not detail any planned security investments or estimated costs.
Tomi Engdahl says:
Wall Street Journal:
Sources: US DoJ identified more than six members of the Russian government involved in hacking the DNC and could charge them next year, but arrests are unlikely — At least six Russian government officials are identified as part of ongoing investigation — The Justice Department …
More: CNET and Engadget
U.S. Prosecutors Consider Charging Russian Officials in DNC Hacking Case
At least six Russian government officials are identified as part of ongoing investigation
https://www.wsj.com/articles/prosecutors-consider-bringing-charges-in-dnc-hacking-case-1509618203
Tomi Engdahl says:
Associated Press:
Secureworks finds data showing Russian Fancy Bear targeted 4.7K Gmail users worldwide using 19K malicious links mostly generated during Moscow office hours — WASHINGTON (AP) — The hackers who disrupted the U.S. presidential election had ambitions well beyond Hillary Clinton’s campaign …
https://www.apnews.com/3bca5267d4544508bb523fa0db462cb2
Tomi Engdahl says:
F-Secure Hyppönen’s new project: “Traditional security training does not work”
Mikko Hyppönen, research director of F-Secure and a superstar of Finnish security, has joined the Finnish startup HoxHunt as a scientific adviser.
Hyppönen has been using HoxHunt’s product for over a year now. It is software that simulates security attacks and teaches employees to identify fraudsters.
“There are two basic issues to be solved in security: technical problems and problem workers. Technical problems are difficult but they can be solved. But we cannot update the problems in the brain,” says Hyppönen, according to the company’s announcement.
The main cause for the spread of malware is man-made mistakes. Businesses are trying to educate their employees, but often what is learned is quickly forgotten and people do not change their behavior.
HoxHunt’s solution to the problem is a gaming solution that supports the teaching of information security.
“Traditional security training does not work. Again, it feels tense, that gives people good motivation and makes it possible to get rid of it. People want to be successful and be better than others,
Source: http://www.tivi.fi/Kaikki_uutiset/f-securen-hypposen-uusi-projekti-perinteinen-tietoturvakoulutus-ei-toimi-6685176
Tomi Engdahl says:
Firefox Implements Another Privacy-Preserving Feature Taken From the Tor Browser
https://www.bleepingcomputer.com/news/software/firefox-implements-another-privacy-preserving-feature-taken-from-the-tor-browser/
Mozilla engineers have borrowed yet another feature from the Tor Browser and, starting with version 58, Firefox will block attempts to fingerprint users using the HTML5 canvas element.
Canvas blocking is an important addition to Firefox’s user privacy protection measures, as canvas fingerprinting has been used for a long time by the advertising industry to track users.
Canvas fingerprinting has become widespread in recent years
The method has become widespread in recent years after the EU forced websites to show cookie popups. Because canvas fingerprinting doesn’t need to store anything in the user’s browser, there are very few legal complications that come with it, and this user tracking/fingerprinting solution has become a favorite among ad networks.
Canvas fingerprinting works by loading a canvas HTML tag inside a hidden iframe and making the user’s browser draw a series of elements and texts. The resulting image is converted into a file hash.
Because each computer and browser draws these elements differently, ad networks can reliably track the user’s browser as he accesses various sites on the Internet.
Tomi Engdahl says:
Russian ‘Fancy Bear’ Hackers Abuse Blogspot for Phishing
http://www.securityweek.com/russian-fancy-bear-hackers-abuse-blogspot-phishing
The cyber espionage group known as Fancy Bear, which is widely believed to be backed by the Russian government, has been abusing Google’s Blogspot service in recent phishing attacks.
Threat intelligence firm ThreatConnect spotted the use of the blogging service while analyzing attacks aimed at Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.
Fancy Bear, also known as Pawn Storm, APT28, Sofacy, Sednit, Strontium and Tsar Team, was first seen targeting Bellingcat in 2015 as part of a campaign aimed at entities investigating Russia’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing a conflict zone in Ukraine.
The latest attacks aimed at Bellingcat involved fake emails instructing users to change their Gmail passwords as a result of unauthorized activity on their account, and Dropbox invitations to view shared folders.
Tomi Engdahl says:
Estonia Blocks Electronic ID Cards Over Identity-Theft Risk
http://www.securityweek.com/estonia-blocks-electronic-id-cards-over-identity-theft-risk
Cyber-savvy Estonia said on Thursday it would suspend security certificates for up to 760,000 state-issued electronic ID-cards with faulty chips as of Friday midnight to mitigate the risk of identity theft.
Dubbed E-stonia for being one of the world’s most wired nations, the Baltic eurozone state of 1.3 million people issues electronic ID cards giving citizens online access to virtually all public services at a special “e-government” state portal.
IT security experts recently discovered a flaw in the Swiss-made chips used in the cards that makes them vulnerable to malware.
“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card,” Prime Minister Juri Ratas said Thursday as he announced the decision to suspend security certificates for cards until their owners download an update to patch the flaw.
“By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card,” Ratas said.
Tomi Engdahl says:
SSH-based Hijacker Targeting Ethereum Miners
http://www.securityweek.com/ssh-based-hijacker-targeting-ethereum-miners
Crypto-currency miners represent an easy solution when it comes to taking advantage of a system’s computing power to earn some money, but can result in no gain if the mined coins are going to someone else’s wallet.
In a recent example of how users could end up with no cash despite putting their computers to work, Ethereum-mining farms are at the receiving end of an attack involving a hijacker that simply attempts to replace the user’s wallet with an unknown actor’s.
Tomi Engdahl says:
Gangs, States and ‘Geeks’ Behind Canada Cyberattacks: Minister
http://www.securityweek.com/gangs-states-and-geeks-behind-canada-cyberattacks-minister
Cyberattacks on Canadian government computers by what a minister described Tuesday as gangsters, rogue states and “geeks in basements” are on the rise, but are also failing more, according to a report.
The nation’s ultra-secretive eavesdropping agency, the Communications Security Establishment (CSE), however, concluded that Canada is not doing enough to fend off intruders.
“Some of it is just nuisance,” Public Safety Minister Ralph Goodale told reporters. “Some of it is criminal in intent.”
“It comes from organized crime. It comes from rogue states. It comes from foreign militaries. It comes from geeks in the basement,” he said.
In the report, the CSE found that the government blocks more than 600 million attempts each day to identify or exploit system vulnerabilities.
Tomi Engdahl says:
Tech Investor VT Partners Aims to Fuel Cybersecurity Firms in Europe
http://www.securityweek.com/tech-investor-vt-partners-aims-fuel-cybersecurity-firms-europe
Newly Formed VT Partners Seeks to Combine International Finance, American Adventure, and European Innovation
A recently formed venture capital investment firm aims to feed European technology companies and seed a new entrepreneurial approach to cybersecurity businesses in Europe. Formed earlier this year and now partnered by cybersecurity investment specialist Paladin Capital Group, VT Partners came out of the shadows last week.
Tomi Engdahl says:
Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques
http://www.securityweek.com/analysis-3200-phishing-kits-sheds-light-attacker-tools-and-techniques
Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium’s login page (Gmail, Facebook, Office 365, targeted banks, etc), and a pre-written PHP script to steal the credentials — both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing.
Tomi Engdahl says:
Hacker Falsely Claiming to Breach FireEye Arrested, CEO Says
http://www.securityweek.com/hacker-falsely-claiming-breach-fireeye-arrested-ceo-says
The hacker who falsely claimed to have breached FireEye — it was just the personal online accounts of one employee — was arrested by international law enforcement and taken into custody on October 26, FireEye CEO Kevin Mandia said Wednesday.
“These attackers rarely, if ever get caught and therefore I’m pleased, that in this case we’re able to impose repercussions for the attacker and achieve a small victory for the good guys,” Mandia said during a conference call.
He did not provide the name for the hacker, nor the location for the arrest. In July 2017, the hacker made grandiose claims that he was part of a new LeakTheAnalyst operation aimed at doxing the security professionals who hunt hackers. “Let’s trash their reputation in the field,” he posted to Pastebin. In reality, he had little of any value, taken from the online accounts of one FireEye employee.
Tomi Engdahl says:
Synopsys to Pay $565 Million for Security Software Firm
https://www.eetimes.com/document.asp?doc_id=1332553&
EDA and IP vendor Synopsys said it would pay about $565 million to acquire Black Duck Software, a Massachusetts-based provider of technology for securing and managing open source software.
Synopsys (Mountain View, Calif.) said the move would broaden its product offering and expand its customer reach in the software security market.
“Development processes continue to evolve and accelerate, and the addition of Black Duck will strengthen our ability to push security and quality testing throughout the software development lifecycle, reducing risk for our customers,” said Andreas Kuehlmann, senior vice president and general manager of Synopsys’ Software Integrity Group, in a press statement.
Tomi Engdahl says:
Palo Alto Networks buys LightCyber for $105m
No, not the fictional energy sword, the machine learning hacker sniffer
https://www.theregister.co.uk/2017/03/01/palo_alto_buys_lightcyber/
Palo Alto Networks has acquired smaller cyber security firm LightCyber for $105m in cash.
LightCyber has developed technology that uses machine learning to identify hacker and malware-based attacks based on identifying behavioural anomalies inside deployed networks.
Palo Alto Networks plans to integrate LightCyber’s technology into its security platform by the end of the calendar year.
Tomi Engdahl says:
Official Secrets Act alert went off after embassy hired local tech support
https://www.theregister.co.uk/2017/11/03/on_call/
Diplomatic sysadmin shares stories from the field, like the monkey that ate a USB drive containing classified files
Tomi Engdahl says:
Half of all internet traffic comes from bots
https://www.axios.com/half-internet-traffic-from-bots-2504285553.html
What’s the difference between “good” bots and “bad” bots? And why doesn’t Snapchat have a fake news problem? Here’s a quick guide to some of the discussions that might come up during the hearings this week.
More than half of internet traffic is bots. Bots have always played a major role in our internet ecosystem, although not all bots are bad. (Some, for example, are used to make our search experiences more accurate.) But the bots used to spread fake news are usually bad, and bad bots make up roughly 29% of internet traffic.
Accessibility attracts bots and fake accounts: Google, Facebook and Twitter want to make it easy for users all over the world to get on their platforms, because they believe in free speech and open access. But this level of openness means the barrier to entry on these platforms isn’t just low for users, but for bots and bad actors as well.
Bots are programmed to perform simple internet tasks repeatedly: You can program a bot to like, share, or comment on something. Fake news perpetrators create fake stories that are often amplified by a network of bots that automatically like, share or comment on the content. Algorithms elevate content that is popular, further amplifying the effect.
The Internet Research Agency is the source of many Russian bots: It employs a large staff to spread fake news and disinformation and has been using bots to spread Russian propaganda for years.
Tomi Engdahl says:
Bot Traffic Report 2016
https://www.incapsula.com/blog/bot-traffic-report-2016.html
This consistently dominant position is the result of the following two factors:
1. Impersonation is easy and worthwhile
2. Impersonators are perfect for DDoS attacks
94.2 Percent of Websites Experienced a Bot Attack
Tomi Engdahl says:
Chinese Android handhelds are not used in security companies – “the easiest way to reduce security risks”
The security of mobile phones in the Android platform continues to question IT specialists and other security managers at the company.
Finnish F-Secure does not currently allow any Chinese Android phone for work use.
F-Secure Cyber Security Director Erka Koivunen says that the company has a limited range of allowed phones because the updates for all devices and the privacy practices are not at a high enough level.
“We’ve been stepping up controls because we want everyone to have phones that get the latest updates fast.”
According to Koivunen, there are currently no Chinese smartphone manufacturers in the list of allowed phones. If the security practices of Chinese manufacturers improve, they may also get access to the allowed list, says Koivunen.
Some of the cheaper Android phones have not come up with operating system updates after Android 4.0. This security expert is particularly worried.
F-Secure is licensed on iPhone phones and some Android models. “Apple iPhone is the best option when it comes to security.”
Source: http://www.tivi.fi/Kaikki_uutiset/kiinalaiset-android-luurit-ovat-tietoturvayhtioissa-pannassa-helpoin-tapa-vahentaa-tietoturvariskeja-6685661
Tomi Engdahl says:
HS: Huge Finnish register moves to the block chain – “Stone Age to Digital”
Stock-ownership books kept in a bank’s vault or in a drawer at home are finally moving into history. Helsingin Sanomat says that in Finland a new block-based electronic system will be introduced in 2019.
The system has been developed by OP and Nordea together with the Finnish Tomorrow Labs. There has also been a National Surveying Office. Housing Director’s Program Manager Jorma Turunen describes HS for the system of “Reaching Stone of the Stone Age”.
Information on ownership of housing shares is stored in the block chain. Sami Honkonen, Managing Director of Tomorrow Labs, maintains that a block-based system is even more convenient than a traditional centralized software project that would have to build integration into the systems of every bank and the authorities.
According to HS, however, Honkonen sees the greatest benefit in the so-called smart agreements. They can simultaneously transfer the money, the ownership of the apartment, such as the transfer tax information to the taxpayer.
Source: http://www.tivi.fi/Kaikki_uutiset/hs-suomalainen-jattirekisteri-siirtyy-lohkoketjuun-kivikaudelta-digiaikaan-6685497
Tomi Engdahl says:
Browsers have a lot of unnecessary holes
Internet browsers are constantly adding more and more features. According to the University of Illinois, some of the features are both unnecessary and security risks.
The study examined 74 different web programming interfaces. It measured how often these activities were used on web sites and how likely it was to create a risk for the user’s security.
A good example is an interface that allows low-level graphing in a browser.
The researchers also found code that allows the browser to detect light levels in the room, perform very accurate timings for different operations, or make audio synthesis. As a test browser, researchers used Firefox, but almost the same functionality is also found in the popular Chrome and Internet Explorer.
According to the study, about 25 percent of all Web API interfaces constitute a major security risk. These could be well blocked without the functionality of the sites being affected. Roughly speaking, the fewer code interfaces a site is allowed to call, the safer it is.
Source: http://etn.fi/index.php/13-news/7108-selaimissa-paljon-turhia-reikiae
Tomi Engdahl says:
Detecting the Cyber Enemy Within
Once the firewalls are up, it’s time to seek out the latent cyber bug.
https://www.designnews.com/automation-motion-control/detecting-cyber-enemy-within/3726883557751?ADTRK=UBM&elq_mid=1863&elq_cid=876648
“There are two kinds of companies: those that know they’ve been hacked and those that don’t know they’ve been hacked.”
I heard these chilling words a couple years ago at an IoT conference. The implication is there may be bugs inside a company’s network that are lying low, collecting vital information and waiting for an opportune time to attack.
While much of the cybersecurity attention is focused on preventing unwanted entry, companies also need to scrub the inside of their networks to make sure they’re free of latent malicious threats that entered before the firewall was strong enough to withstand attack. To help with this effort, Rockwell Automation has introduced threat-detection services to monitor the insides of the control system for the presence of unwanted intruders.
Tomi Engdahl says:
After Mirai: The new IoT scare ‘Reaper’ and what we can do about it
https://www.wespeakiot.com/mirai-new-iot-scare-reaper-can/
Mirai was just the beginning
Users probably wouldn’t even find out that their devices were being hacked. And there lies the danger: If you’re not aware that your device is doing something it shouldn’t do, you probably don’t bother much about securing your IT environment. While you think that everything is fine, it is actually not.
Reaper focuses on wireless IP cameras – for now
So far, Reaper has not carried out any attacks on the net. However, we shouldn’t wait until it happens. Unlike Mirai, which used weak password cracking, Reaper infects IoT devices by exploiting multiple IoT device vulnerabilities, mainly on wireless IP cameras. So as a user it’s mandatory to keep your network and IoT devices up-to-date. Security specialists at Netlab 360 identified several IoT vulnerability exploits integrated in the malware so far and published a list of affected vendors.
As a great weakness in the design of IoT devices Krebs mentions the inclusion of so called peer-to-peer (P2P) networking capabilities that are being implemented in countless security cameras, digital video recorders (DVRs) and various other gear.
Krebs even suggests not to use any hardware that advertises P2P functionality.
Manufacturers need easy remote maintenance
Keeping the Internet safe is a constant arms race. New technologies bring new vulnerabilities. Consumers should not install and forget. Keeping systems constantly up-to-date is mandatory.
But it’s also the duty (and challenge) of manufacturers to keep their devices easy to use but hard to hack. Unfortunately, many still tend to avoid a product design that allows painless over-the-air updates like consumers know it from smartphones or TV Set-Top-Boxes. But what is common there, should be common on every IoT device.
If all manufacturers would design their products in a manner such that they can be updated automatically while in service, the internet could become a lot safer place.
Tomi Engdahl says:
https://www.av-test.org/en/antivirus/
Tomi Engdahl says:
Revenge porn: Facebook teaming up with Government to stop nude photos ending up on Messenger, Instagram
http://mobile.abc.net.au/news/2017-11-02/facebook-offers-revenge-porn-solution/9112420?pfmredir=sm
Key points:
Facebook working with e-Safety Commissioner to block image sharing
You could flag photos of you that you don’t want circulated, then they cannot be uploaded again
Images sent to database won’t be stored
Tomi Engdahl says:
And it seems clear that cybersecurity threats develop much faster than Congress can move (the bill suggests updating the criteria every two years), making many of the benchmarks obsolete even before they’re established.
https://www.networkworld.com/article/3235518/internet-of-things/is-the-u-s-finally-about-to-take-iot-security-seriously.html
Tomi Engdahl says:
Putin outlaws the use of VPNs throughout Russia
https://amp.businessinsider.com/ap-law-outlawing-use-of-vpns-comes-into-effect-in-russia-2017-11
The law, the latest in a spate of legislation stifling internet freedoms in Russia, was pushed by authorities who cited concerns about the spread of extremist materials.
Tomi Engdahl says:
What’s worse than having your data stolen?
https://perspectives.tieto.com/blog/2017/01/whats-worse-than-having-your-data-stolen/?utm_source=gmoa&utm_medium=facebook-paid&utm_campaign=tieto100&utm_content=kyberrikollisuus-blogi
The modern society is built on data. Having data stolen or taken hostage isn’t the biggest threat, however. If malicious attackers manage to manipulate our data without us noticing, we’re in deep trouble.