Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with well-known as well as unknown threats, and companies' systems are supposed to be protected against both. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
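A quick way to audit this in your own certificate inventory is to read the signature algorithm OID straight out of the DER. The following is an added example (not code from the original post): it walks the outer X.509 Certificate SEQUENCE with a minimal DER reader and flags SHA-1 based signature OIDs. The two sample certificates are constructed DER skeletons whose TBSCertificate and signature value are placeholders; only the AlgorithmIdentifier is real.

```python
"""Flag certificates whose signature algorithm is SHA-1 based (added example)."""

# SHA-1 based and common modern signature-algorithm OIDs (real, well-known values)
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
KNOWN_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, data[pos:pos + length], pos + length


def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (without tag/length) into dotted form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the dotted OID of the outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(cert_der):
    """Return (oid, name, is_weak) for a DER-encoded certificate."""
    oid = signature_algorithm_oid(cert_der)
    return oid, KNOWN_OIDS.get(oid, "unknown"), oid in WEAK_SIGNATURE_OIDS


# --- constructed sample certificates (DER skeletons, not real certificates) ---
def der(tag, contents):
    """Encode one DER element, using the long length form when needed."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents


def fake_cert(alg_oid_der):
    tbs = der(0x30, der(0x02, b"\x01"))             # placeholder TBSCertificate
    alg = der(0x30, alg_oid_der + b"\x05\x00")      # AlgorithmIdentifier with NULL params
    sig = der(0x03, b"\x00" + b"\x00" * 128)        # placeholder BIT STRING (long length form)
    return der(0x30, tbs + alg + sig)


SHA1_RSA_CERT = fake_cert(bytes.fromhex("06092a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_RSA_CERT = fake_cert(bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption

if __name__ == "__main__":
    for label, cert in (("sha1 sample", SHA1_RSA_CERT), ("sha256 sample", SHA256_RSA_CERT)):
        oid, name, weak = classify(cert)
        print(f"{label}: {name} ({oid}) -> {'REPLACE' if weak else 'ok'}")
```

For a real certificate, pass the bytes of a DER file, or the result of `ssl.PEM_cert_to_DER_cert()` on a PEM string. The check reads only the outer signature algorithm of one certificate, so run it over every certificate in a chain: a SHA-256 leaf issued by a SHA-1 intermediate still gets flagged by browsers.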

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need for telecom operator and external services). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
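Whether the flood is the attack itself or the distraction, the defender's first job is telling it apart from normal traffic early enough to act. As an added example (not code from the original post), here is a sliding-window per-source request-rate detector run over web access log lines. The log is constructed inline, with five ordinary clients and one source sending a burst; the window, threshold and addresses are assumptions chosen for illustration.

```python
"""Sliding-window per-source request-rate detector over access log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format prefix: client ip, identd, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, datetime) or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_seconds=10, threshold=100):
    """Return {ip: peak requests seen inside any window} for sources over the threshold.

    Per-source timestamps are kept in a deque; entries older than the window are
    dropped from the left as each new request arrives, so memory is bounded by
    the window size rather than by the log length."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # unparseable line: skip rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def constructed_log():
    """Build a time-ordered sample log (constructed, not real traffic):
    5 normal clients at 1 request/s for 60 s, plus one source (203.0.113.7,
    a documentation address) sending 150 requests within 5 s."""
    base = datetime(2017, 11, 10, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for client in range(5):
        for sec in range(60):
            events.append((base + timedelta(seconds=sec), f"198.51.100.{client + 1}"))
    for i in range(150):
        events.append((base + timedelta(seconds=30 + i // 30), "203.0.113.7"))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" 200 512'
            for ts, ip in events]


if __name__ == "__main__":
    for ip, peak in detect_floods(constructed_log()).items():
        print(f"flood suspect {ip}: {peak} requests within 10 s")
```

A single-source counter like this catches the cheap toolkit floods; a distributed flood from thousands of IoT devices keeps every source under the per-IP threshold, which is why the same window logic is usually also run on aggregate request volume and on upstream scrubbing services, where the traffic can be dropped before it reaches the company's own link.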

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes a Multi-System Issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we have seen a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as its platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchain in the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for blockchains.

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

3,151 Comments

  1. Tomi Engdahl says:

    DOJ: Strong Encryption That We Don’t Have Access To Is ‘Unreasonable’
    https://it.slashdot.org/story/17/11/09/235253/doj-strong-encryption-that-we-dont-have-access-to-is-unreasonable

    Just two days after the FBI said it could not get into the Sutherland Springs shooter’s seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the “government’s unexpected encryption warrior.” According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying. “We have an ongoing dialogue with a lot of tech companies in a variety of different areas,”

    In the interview, Rosenstein also said he “favors strong encryption.” “I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud,” he explained. “And I’m in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I’m in favor of strong encryption.”

    “People want to secure their houses, but they still need to get in and out. Same issue here.” He later added that the claim that the “absolutist position” that strong encryption should be by definition, unbreakable, is “unreasonable.” “And I think it’s necessary to weigh law enforcement equities in appropriate cases against the interest in security,” he said.

    DOJ: Strong encryption that we don’t have access to is “unreasonable”
    Rod Rosenstein: We should weigh “law enforcement equities” against security.
    https://arstechnica.com/tech-policy/2017/11/doj-strong-encryption-that-we-dont-have-access-to-is-unreasonable/

    Just two days after the FBI said it could not get into the Sutherland Springs shooter’s seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the “government’s unexpected encryption warrior.”

    According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying.

    “We have an ongoing dialogue with a lot of tech companies in a variety of different areas,” he told Politico Pro. “There’s some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They’re moving in favor of more and more warrant-proof encryption.”

  2. Tomi Engdahl says:

    Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
    As creator of OS on the chips calls out Chipzilla
    https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/

    Positive Technologies, which in September said it has a way to drill into Intel’s secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration.

    The biz has already promised to demonstrate a so-called God-mode hack this December, saying they’ve found a way for “an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard.”

    For those who don’t know, for various processor chipset lines, Intel’s Management Engine sits inside the Platform Controller Hub, and acts as a computer within your computer. It runs its own OS, on its own CPU, and allows sysadmins to remotely control, configure and wipe machines over a network. This is useful when you’re managing large numbers of computers, especially when an endpoint’s operating system breaks down and the thing won’t even boot properly.

    Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

    For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB.

    With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date.

  3. Tomi Engdahl says:

    “Tick” Cyber Espionage Group Employs Steganography
    http://www.securityweek.com/tick-cyber-espionage-group-employs-steganography

    The cyber espionage group known as “Tick” is using steganography to conceal their backdoor Trojan better, according to analysis from security firm Trend Micro.

    Also referred to as Bronze Butler and REDBALDKNIGHT and believed to be based in China, the group is mainly targeting Japanese organizations, including biotechnology, electronics manufacturing, and industrial chemistry entities and government agencies. Although the first report on the group was published only last year, the hackers might have been active for at least a decade, Trend Micro’s researchers say.

    Malicious tools preferred by the threat actors include a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf, which can execute shell commands and download and upload data. Now, Trend Micro says that variants of Daserf were used against entities outside Japan as well, including organizations in South Korea, Russia, Singapore, and China.

  4. Tomi Engdahl says:

    Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts
    http://www.securityweek.com/twilio-credentials-hardcoded-mobile-apps-expose-calls-texts

    Hundreds of mobile applications that use the Twilio SDK or REST API include hardcoded credentials that could be abused to access millions of calls and text messages, researchers warned on Thursday.

    Appthority’s Mobile Threat Team has analyzed more than 1,100 iOS and Android applications that use Twilio, a cloud communications platform designed for developing voice and messaging apps.

    Twilio’s documentation provides guidance on best security practices, but researchers found that 686 apps from 85 developers exposed Twilio account IDs and access tokens (i.e. passwords). Roughly one-third of the applications containing hardcoded Twilio credentials are business-related, and the ones designed for Android have been downloaded between 40 and 180 million times.

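A defender's counterpart to what Appthority did is a secret scan of the app sources before release. The following is an added example (not Appthority's or Twilio's code): it scans source files for strings shaped like a Twilio Account SID (`AC` followed by 32 hex characters) and for 32-hex-character strings that sit in a Twilio or auth-token context. The three source snippets are constructed, with placeholder credentials, and the file paths are assumptions.

```python
"""Scan app sources for hardcoded Twilio-style credentials (added example)."""
import re

# Twilio Account SIDs are "AC" + 32 hex characters; auth tokens are 32 hex characters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# A bare 32-hex string is also what an MD5 digest looks like, so only report it
# when the surrounding lines mention Twilio or an auth token.
CONTEXT_RE = re.compile(r"twilio|auth[_\-]?token", re.IGNORECASE)

# Constructed sample sources (placeholder values, not real credentials).
SAMPLE_SOURCES = {
    "app/src/TwilioClient.java": (
        "public class TwilioClient {\n"
        "    // placeholder credentials for this example only\n"
        "    static final String ACCOUNT_SID = \"AC0123456789abcdef0123456789abcdef\";\n"
        "    static final String AUTH_TOKEN = \"fedcba9876543210fedcba9876543210\";\n"
        "}\n"
    ),
    "app/src/Checksums.java": (
        "// a digest is also 32 hex characters, but there is no credential context here\n"
        "static final String EMPTY_MD5 = \"d41d8cd98f00b204e9800998ecf8427e\";\n"
    ),
    "app/src/SafeClient.java": (
        "// the SDK token is fetched from the app backend at runtime, nothing is embedded\n"
        "String token = backend.fetchShortLivedTwilioToken(user);\n"
    ),
}


def scan_source(path, text, context_lines=2):
    """Return [(path, line_no, finding)] for one file."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines, start=1):
        if ACCOUNT_SID_RE.search(line):
            findings.append((path, i, "twilio_account_sid"))
        # the current line plus the preceding context lines
        context = "\n".join(lines[max(0, i - 1 - context_lines):i])
        if HEX32_RE.search(line) and CONTEXT_RE.search(context):
            findings.append((path, i, "possible_auth_token"))
    return findings


def scan_all(sources):
    """Scan a {path: text} mapping, returning findings in path order."""
    findings = []
    for path in sorted(sources):
        findings.extend(scan_source(path, sources[path]))
    return findings


if __name__ == "__main__":
    for path, line_no, finding in scan_all(SAMPLE_SOURCES):
        print(f"{path}:{line_no}: {finding}")
```

The SID pattern is exact enough to report on its own; the token pattern needs context because any 32-hex string (an MD5 digest, a build id) matches it. The `SafeClient.java` snippet shows the shape of the fix the article points at: account credentials stay on the developer's backend, and the app only ever receives a short-lived token for the user at hand.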
  5. Tomi Engdahl says:

    Day Trader Indicted for Hacking, Securities Fraud
    http://www.securityweek.com/day-trader-indicted-hacking-securities-fraud

    A day trader has been indicted on four counts for his alleged role in a scheme that involved hacking into online brokerage accounts and using them to make fraudulent transactions.

    Joseph Willner, 42, of Ambler, Pennsylvania, has been charged with conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusions, securities fraud, and conspiracy to commit money laundering.

    Charges were first brought against Willner late last month by the U.S. Securities and Exchange Commission (SEC), which claimed the man made at least $700,000 through unauthorized trades involving more than 100 hacked brokerage accounts. The U.S. Attorney’s Office for the Eastern District of New York and the Department of Justice Criminal Division’s Fraud Section announced bringing charges against Willner this week.

    After purchasing stock through victims’ accounts at above-market prices, they repurchased the stock at below-market prices. These activities took place within minutes and the operators of the scheme quickly made a profit, which they laundered by acquiring bitcoins.

  6. Tomi Engdahl says:

    Poland Eyes Cybersecurity in Skies
    http://www.securityweek.com/poland-eyes-cybersecurity-skies

    Poland on Wednesday agreed to test a cybersecurity pilot program for the aviation sector as Europe’s EASA civil aviation authority tackles the potential threats posed by hackers to air traffic.

    “We want to have a single point in the air transport sector that will coordinate all cybersecurity activities… for airlines, airports and air traffic,” Piotr Samson, head of Poland’s ULC civil aviation authority, said in Krakow, southern Poland, at a two-day conference co-hosted with the EASA.

    While insisting that air travel is currently safe from cyber attacks, EASA executive director Patrick Ky told AFP it was incumbent on aviation authorities to take preventative measures to mitigate potential cyber-threats.

    Polish officials attending the “Cybersecurity in Civil Aviation” conference also announced the creation of a “rapid reaction unit” for cybersecurity incidents.

  7. Tomi Engdahl says:

    Microsoft Issues Advisory for Mitigating DDE Attacks
    http://www.securityweek.com/microsoft-issues-advisory-mitigating-dde-attacks

    A security advisory published by Microsoft on Wednesday provides information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol.

    DDE is designed for data exchanges between Office and other Windows applications. Researchers warned recently that the way DDE fields are processed could be abused by hackers to create documents that load malicious resources from an external server. The technique can be used as a substitute for macros in attacks involving documents.

    DDE has been abused in attacks by various types of threat actors, including by cybercriminals who are trying to make a profit using the Locky ransomware and Russia-linked cyberspies known for targeting high-profile organizations.

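On the detection side, the DDE field instructions live in the document's XML parts, so a mail gateway or an incident responder can look for them without opening the file in Word. The following is an added example (not Microsoft's advisory text or tooling): it unpacks a .docx in memory and reports every part under `word/` whose field code text contains `DDE` or `DDEAUTO`, joining instruction fragments per paragraph because the instruction may be split across several runs. The two documents are constructed minimal XML skeletons with placeholder arguments, not real Word files.

```python
"""Detect DDE field instructions inside .docx parts (added example)."""
import io
import re
import zipfile

PARAGRAPH_RE = re.compile(r"<w:p\b.*?</w:p>", re.S)
INSTR_TEXT_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_parts(docx_bytes):
    """Return the names of XML parts under word/ whose field code text contains DDE or DDEAUTO."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue                    # headers, footers and the body are all word/*.xml
            xml = zf.read(name).decode("utf-8", errors="replace")
            instructions = []
            for para in PARAGRAPH_RE.findall(xml):
                # a field instruction may be split across runs ("DD" + "EAUTO"), so
                # concatenate every instrText fragment of one paragraph before matching
                instructions.append("".join(INSTR_TEXT_RE.findall(para)))
            instructions.extend(FLD_SIMPLE_RE.findall(xml))
            if any(DDE_RE.search(text) for text in instructions):
                hits.append(name)
    return hits


def make_docx(parts):
    """Build a minimal zip container from {part_name: xml} (constructed, not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed sample parts.
BENIGN_XML = (
    '<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DATE \\@ "yyyy-MM-dd" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
)
SPLIT_DDE_XML = (
    '<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DD</w:instrText></w:r>'
    '<w:r><w:instrText>EAUTO "placeholder-app" "placeholder-args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("split DDE", SPLIT_DDE_XML)):
        hits = find_dde_parts(make_docx({"word/document.xml": xml}))
        print(f"{label}: {hits or 'no DDE fields'}")
```

A real scan should cover the whole package (headers and footers are separate parts, and the same field codes appear in .xlsx and .rtf in other encodings), and a hit should be treated as a triage signal rather than proof of malice, since legitimate documents with DDE links do exist.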
  8. Tomi Engdahl says:

    Many Vulnerabilities Found in Linux USB Subsystem
    http://www.securityweek.com/many-vulnerabilities-found-linux-usb-subsystem

    A Google researcher has found a significant number of vulnerabilities in the Linux kernel USB subsystem using the Syzkaller fuzzer.

    The fuzzing tool developed by Google helped Andrey Konovalov find tens of bugs, including 22 security flaws that have been assigned CVE identifiers. In an advisory published this week, the expert detailed 14 of the vulnerabilities he discovered.

    The vulnerabilities have been described as use-after-free, general protection fault, out-of-bounds read, and NULL pointer dereference issues that can be exploited to cause a denial-of-service (DoS) condition. The expert said some of the flaws might have a different impact as well, which typically means they could allow arbitrary code execution.

    Konovalov pointed out that an attacker needs to have physical access to the targeted system and connect a malicious USB device in order to exploit the vulnerabilities. Others suggested that an attacker who has remote access to a machine may be able to update the firmware on connected USB drives to plant exploits for these flaws and create malicious devices.

    Fixes for many of the vulnerabilities found by Konovalov are included in Linux kernel versions 4.13.4 and later, but many of the issues remain unpatched.

  9. Tomi Engdahl says:

    WikiLeaks Says CIA Impersonated Kaspersky Lab
    http://www.securityweek.com/wikileaks-says-cia-impersonated-kaspersky-lab

    WikiLeaks has resumed its CIA leaks and it has now started publishing source code and other files associated with tools allegedly developed by the intelligence agency.

    In March, WikiLeaks began publishing documentation files describing what appeared to be CIA hacking tools as part of a leak dubbed Vault 7. Roughly two dozen tools and projects were disclosed over the course of several months.

    Now, after a two-month break, WikiLeaks announced a new round of leaks dubbed Vault 8, which provides source code and analysis for CIA tools. The organization pointed out that, similar to Vault 7, Vault 8 will not expose any zero-day or other vulnerabilities that could be used for malicious purposes.

  10. Tomi Engdahl says:

    NATO to Increase Cyber Weaponry to Combat Russia
    http://www.securityweek.com/nato-increase-cyber-weaponry-combat-russia

    NATO members agreed Wednesday to increase the use of cyber weaponry and tactics during military operations, with the alliance also upgrading other capabilities to combat a resurgent Russia.

    The changes are part of the alliance’s biggest shakeup since the Cold War, with defence ministers backing the creation of two new command centres to help protect Europe.

    The revamp reflects the “changed security environment” of recent years, NATO chief Jens Stoltenberg said at a meeting of defence ministers in Brussels.

    The threat to the alliance’s eastern flank has grown as a concern after Russia’s annexation of Crimea in 2014.

    “We are now integrating cyber effects into NATO missions and operations to respond to a changed and new security environment where cyber is part of the threat picture we have to respond to,” Stoltenberg said.

    - NATO hit by cyber attacks -

    The creation of a new NATO cyber operations hub comes as the alliance faces hundreds of attacks on its networks every month and fears grow over the Kremlin’s electronic tactics.

    NATO declared cyber — where attackers disrupt websites, intercept communications and sabotage technologies used in combat — as a conflict domain last year, putting it on a par with land, sea and air.

    “We have seen a more assertive Russia, we have seen a Russia which has over many years invested heavily in their military capabilities,” Stoltenberg said.

    “NATO has to be able to respond to that. We are constantly adapting and what we are doing in Europe now is part of that adaptation.”

  11. Tomi Engdahl says:

    Where DevOps Could Be Increasing The Attack Surface
    http://www.securityweek.com/where-devops-could-be-increasing-attack-surface

    Survey Finds That DevOps Often Improves IT Efficiency While Weakening IT Security

    The basic premise behind DevOps is that combining the development team and the operations team into a single cohesive unit will improve efficiency. It’s all about breaking down silos. But there is one silo that frequently remains excluded: security. The obvious solution is to adopt DevSecOps rather than just DevOps; that is, remove another silo in the name of greater overall IT efficiency.

    It doesn’t seem to be happening. Early details from CyberArk’s Advanced Threat Landscape 2018 report, due to be released in January, show that in at least one area, DevOps is increasing the attack surface — privileged accounts. Privileged accounts are essential within DevOps, but CyberArk’s figures suggest that they are not well protected.

    The greatest knowledge gap is with source code repositories such as GitHub. Eighty-four percent of the respondents failed to recognize GitHub as a location for privileged accounts. This is followed by microservices (80%), cloud environments (78%), and continuous integration and continuous deployment (CI/CD) tools used by DevOps (76%).

    This doesn’t mean that DevOps is unaware of the security issue. Thirty-seven percent of DevOps professionals using the cloud said compromised DevOps tools and environments represent one of their organization’s greatest security vulnerabilities. The main problem is the discontinuity between the security and DevOps teams. About 75% of security teams do not have a privileged account security strategy for the organization’s DevOps, while there is no integration at all between security and DevOps in almost two-thirds of occasions.

  12. Tomi Engdahl says:

    There’s a particularly nasty Netflix email scam doing the rounds claiming your account has been suspended
    http://www.alphr.com/netflix/1007607/netflix-email-scam-targets-millions-of-subscribers

    Beware of an email that has ‘Your suspension notification’ in the subject line

    A “well designed” scam email has been landing in the inboxes of millions of Netflix subscribers, asking them to update their billing information as part of a large-scale phishing operation.

    The email, which has the subject line: ‘Your suspension notification’, includes a link that takes readers to a convincing, fake Netflix home page. Once there, readers are prompted to enter private information, under the auspice of updating their billing details.

    UK cyber-fraud centre, Action Fraud, claims that the email has been sent to around 110 million Netflix subscribers across the globe.

  13. Tomi Engdahl says:

    How Journalists Fought Back Against Crippling Email Bombs
    https://www.wired.com/story/how-journalists-fought-back-against-crippling-email-bombs/

    I was chagrined but not surprised. Lauren had been harassed all weekend, a result of an article we had coauthored about companies such as PayPal, Newsmax, and Amazon whose technologies enabled extremist websites to profit from their hateful views. Simply in the interest of journalistic fairness, Lauren had sought comment from about 70 websites designated as hateful by the Southern Poverty Law Center and the Anti-Defamation League.

    In return, her voicemail and her email inbox were filled with threats and insults.

    But then I looked at my inbox and realized that something troubling was happening to me too: 360 emails had poured in while I was pretzeling myself. Every single one was a confirmation of a newsletter subscription or account signup from a website I’d never heard of.

    “Thanks for signing up, here is your coupon!” an email from the Nature Hills Nursery said. “Please Confirm Subscription” Fintirement said. “Account details for xvwgnagycdm 1992 at ami-forum.org are pending admin approval,” a Montessori organization in Australia said.

    “I am under some kind of email attack as well. Jesus,”

    “Hey Twitter—any advice on what to do when somebody malevolent signs you up for a thousand email subscriptions, making your email unusable?” I tweeted.

    At first it seemed like a funny prank, like ordering pizza delivered to an ex-boyfriend’s house. “TBH [to be honest] it’s kind of a clever attack,” I tweeted again.

    But as the emails continued to roll in, my sense of humor faded. By noon, the entire email system at our employer, ProPublica, was overwhelmed. Most of my colleagues could not send or receive messages because of the backlog of emails to me, Jeff, and Lauren that were clogging the spam filters.

    The tech team advised that it would likely have to block all incoming emails to our inboxes—bouncing them back to senders—to save the rest of the organization. A few hours later, when ProPublica pulled the plug on our email accounts, I realized that what our attackers did was no joking matter; they had cut off our most important avenue of communication with the world. “Preparing to say goodbye forever to my inbox,” I tweeted. “It does seem like killing a reporter’s email account is the definition of a chilling effect, no?”

    Later I learned that the type of attack aimed at me and my colleagues is often called “email bombing” or “subscription bombing.” It’s clever jujitsu that turns one of the hallmarks of spam prevention—the confirmation email—into a spam generator. It works like this: The attacker uses an automated program to scan the web for any signup form that asks for an email address, from a newsletter subscription to an account registration. It then inserts the target’s email address into each of the forms, flooding the victim with confirmation emails.

    It’s laughably easy to launch an email bomb. Anyone with decent technical skills can set up an automated program to enter email addresses across the web. Or they can buy a service that will automate the attack for $5 per 1,000 emails sent to an address, according to ads on online hacker forums.

  14. Tomi Engdahl says:

    New Hope for Digital Identity
    http://www.linuxjournal.com/content/new-hope-digital-identity?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    Identity is personal. You need to start there.

    Much of that coping is done by Steve not identifying himself unless he needs to, and then by not revealing more than what’s required.

    Steve’s identity can also be a claim that does not require proof, or even need to be accurate.

    How we create and cope with identity in the natural world has lately come to be called self-sovereign, at least among digital identity obsessives such as myself. Self-sovereign identity starts by recognizing that the kind of naming we get from our parents, tribes and selves is at the root level of how identity works in the natural world, and needs to frame our approaches in the digital one as well.

    Our main problem with identity in the digital world is that we understand it entirely in terms of organizations and their needs. These approaches are administrative rather than personal or social. They work for the convenience of organizations first. In administrative systems, identities are just records, usually kept in databases. Aside from your business card, every name imprinted on a rectangle in your wallet was issued to you by some administrative system: the government, the Department of Motor Vehicles, the school, the drug store chain. None are your identity. All are identifiers used by organizations to keep track of you.

    For your inconvenience, every organization’s identity system is also a separate and proprietary silo, even if it is built with open-source software and methods. Worse, an organization might have many different silo’d identity systems that know little or nothing about each other. Even an organization as unitary as a university might have completely different identity systems operating within HR, health care, parking, laundry, sports and IT—as well as within its scholastic realm, which also might have any number of different departmental administrative systems, each with its own record of students past and present.

    While ways of “federating” identities between silos have been around since the last millennium, there is still no standard or open-source way for you to change, say, your surname or your mailing address with all the administrative systems you deal with, in one move. In fact, doing so is unthinkable as long as our understanding of identity remains framed inside the norms of silo’d administrative systems and thinking.

    Administrative systems have been built into civilized life for as long as we’ve had governments, companies and churches, to name just three institutions. But every problem we ever had with any of those only got worse once we had ways to digitize what was wrong with them, and then to network the same problems.

    Unfortunately, the internet was first provisioned to the mass market over dial-up lines, and both ISPs and website developers made client-server the default way to deal with people.

    True, a website works (or ought to work) by answering client requests for files. But we see how much respect that gets by looking at the history of Do Not Track. Originally meant as a polite request by clients for servers to respect personal privacy, it was opposed so aggressively by the world’s advertisers and commercial publishers that people took matters into their own hands by installing browser extensions for blocking ads and tracking. Then the W3C itself got corrupted by commercial interests, morphing Do Not Track into “tracking preference expressions”.

    So we won’t solve forever-standing identity problems with client-server, any more than we would have solved the need for personal computing with more generous mainframes.

    If we want fully human digital identity to work on the internet, we have to respect the deeply human need for self-determination. That requires means for individuals to assert self-sovereign identities, and for systems to require only verified claims when they need useful identity information. Anything else will be repeating mistakes of the past.

    In “Rebooting the Web of Trust”, Joe Andrieu says “Identity is how we keep track of people and things and, in turn, how they keep track of us.”

    A Primer on Functional Identity
    https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/functional-identity-primer.md

  15. Tomi Engdahl says:

    MongoDB update plugs security hole and sets sights on the enterprise
    Co-founder Eliot Horowitz chats to El Reg about a decade in the NoSQL space
    https://www.theregister.co.uk/2017/11/09/mongodb_emits_new_database_plugs_security_hole_and_aims_at_the_enterprise/

    Document database-flinger MongoDB has long positioned itself as the dev’s best friend, but after ten years it is now fluffing itself up for the enterprise.

    The firm, which went public just last month and hopes to earn up to $220m, has now launched the latest version of its database, which aims to appeal to these bigger customers.

    As part of this, the latest release, MongoDB 3.6, gives a nod to increasing demand for real-time updates, improved data visualisation tools and greater automation.

    It’s also taking a greater interest in the growing trend towards the democratisation of data – the increasing demand from companies that all staff have access to, and make better use of, the data they hold.

    ‘It definitely didn’t help our reputation’

    Perhaps more crucial for making itself a viable option for enterprise customers is the move to close off a less than ideal security hole, which exposed data in MongoDB to the public internet.

    That led to a spate of ransomware attacks and data breaches – not to mention negative headlines – at the start of the year.

    The change means users will have to explicitly turn on remote networking, which Horowitz said might be “a little annoying to upgrade, but at least you have to think about what you’re doing a little more”.

    “I think most people who understand databases are of the opinion you should be running databases behind firewalls and with security on,” he told The Reg. “It definitely didn’t help our reputation, but I don’t think it’s been a big problem.”

  16. Tomi Engdahl says:

    US government seizes Texas gun mass murder to demand backdoors
    Too early to talk gun control, not too early to bork iPhone security
    https://www.theregister.co.uk/2017/11/09/us_government_texas_shooting_iphone_backdoor/

    While US President Donald Trump thinks it’s too early to discuss gun control in the wake of Sunday’s Texas church massacre – America’s latest mass shooting – his Deputy Attorney General Rod Rosenstein is just fine exploiting the murder-suicide of 26 people to push for backdoors.

    Specifically, a backdoor so investigators can forcibly and easily unlock devices, decrypting and presenting the information they contain on demand.

    Speaking at a breakfast meeting with biz leaders in Linthicum, Maryland, Rosenstein said the FBI had the shooter’s phone, understood to be an iPhone, in their possession but were unable to unlock it to view the contents. Preventing agents from accessing devices in criminal investigations should not be allowed, he argued.

    “No reasonable person questions our right, and obligation, to access the phone,” Rosenstein said today.

    “But the company that built it purposely designed the operating system so that we cannot access it. Maybe we will find a way to get into that phone, as we did in the San Bernardino case, but it’s going to cost a great deal of time and money, and in some cases it costs us lives. We need to find a solution to deal with warrant-proof encryption.”

  17. Tomi Engdahl says:

    Review by many eyes does not always prevent buggy code
    https://opensource.com/article/17/10/many-eyes?sc_cid=7016000000127ECAAY

    There is a view that because open source software is subject to review by many eyes, all the bugs will be ironed out of it. This is a myth.

  18. Tomi Engdahl says:

    Website Blindspots Show GDPR is a Global Game Changer
    http://www.securityweek.com/website-blindspots-show-gdpr-global-game-changer

    One of the less publicized features of the European General Data Protection Regulation (GDPR) is that US companies can be held liable even if they do not actively trade with Europe. This is because the regulation is about the collection and storage of European personal information, not about business.

    Any U.S. company that operates a website that collects user information (a log-in form, or perhaps a subscription application) could unwittingly collect protected European PII. That makes the company liable — there are GDPR requirements over how it is collected (including explicit user consent, secure collection, and limitations on what is collected). Whether European regulators could do anything about that liability if the US company has no physical presence in Europe is a different matter.

  19. Tomi Engdahl says:

    How AV Can Open You To Attacks That Otherwise Wouldn’t Be Possible
    https://it.slashdot.org/story/17/11/10/116224/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible

    On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker’s choosing.

    How AV can open you to attacks that otherwise wouldn’t be possible
    New AVGater flaw provided key ingredient for hacker to hijack computer.
    https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/

    Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn’t be possible. On Friday, a researcher documented an example of the latter—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

    AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker’s choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks.

    The attack worked first by getting Bogner’s malicious file quarantined by the AV program running on the targeted computer. The pentester then exploited vulnerabilities in the AV programs that allowed unprivileged users to restore the quarantined files. He further abused a Windows feature known as NTFS file junction point to force the restore operation to put his malicious file into a privileged directory of Bogner’s choosing. The technique took advantage of another Windows feature known as Dynamic Link Library search order. With that, Bogner’s malware ran with full privileges.

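The defensive check that the AVGater description implies, as an added example that is not Bogner’s code or any vendor’s: before a privileged restore writes a quarantined file back, every path component below the restore location is inspected without being followed, and any junction or link is refused, so a user-controlled redirection cannot steer the write into C:\Windows or C:\Program Files. NTFS junctions are modelled with symlinks so the example runs on POSIX; the directory layout is constructed for the demo.

```python
"""Refuse a quarantine restore whose destination passes through a filesystem
redirection (NTFS junction / reparse point on Windows, symlink on POSIX).

A restore routine running with SYSTEM privileges must treat the destination as
attacker-influenced: the user who owns the restore directory can replace any
directory in it with a junction pointing somewhere privileged.
"""
import os
import stat
import tempfile


class UnsafeRestorePath(Exception):
    pass


def _is_redirect(path):
    """True if the existing path entry is a symlink or a Windows reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # Junctions and other reparse points carry this attribute on Windows;
    # st_file_attributes does not exist on POSIX, hence the getattr fallbacks.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def check_restore_destination(dest, allowed_root):
    """Validate dest (full path of the file to be written) against allowed_root.

    Rejects: paths outside the root (including ".." traversal), and any existing
    component between the root and dest that is a link/junction. Components that
    do not exist yet are fine: they will be created as real directories.
    Returns the absolute destination on success.
    """
    root_abs = os.path.abspath(allowed_root)
    dest_abs = os.path.abspath(dest)
    parts = os.path.relpath(dest_abs, root_abs).split(os.sep)
    if parts[0] in (os.curdir, os.pardir):
        raise UnsafeRestorePath(f"{dest} is not below {root_abs}")
    current = root_abs
    for part in parts:
        current = os.path.join(current, part)
        if os.path.lexists(current) and _is_redirect(current):
            raise UnsafeRestorePath(f"{current} is a link/junction; refusing to follow")
    # Belt and braces: the fully resolved path must still sit under the root.
    root_real = os.path.realpath(root_abs)
    if os.path.commonpath([os.path.realpath(dest_abs), root_real]) != root_real:
        raise UnsafeRestorePath("resolved destination escapes the restore root")
    return dest_abs


def build_demo_tree(base):
    """Constructed layout: base/restore/docs is a real directory; base/restore/jump
    is a link to a directory outside the root, standing in for an attacker's junction."""
    root = os.path.join(base, "restore")
    outside = os.path.join(base, "privileged")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "jump"), target_is_directory=True)
    return root, outside


def run_demo():
    """Build the constructed tree in a temp dir and report each restore attempt."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, _ = build_demo_tree(tmp)
        cases = {
            "real_dir": os.path.join(root, "docs", "sample.bin"),
            "via_link": os.path.join(root, "jump", "sample.dll"),
            "traversal": os.path.join(root, "..", "privileged", "sample.dll"),
        }
        for name, dest in cases.items():
            try:
                check_restore_destination(dest, root)
                results[name] = "allowed"
            except UnsafeRestorePath:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Refusing to follow redirections only closes the junction half of the chain; the DLL search-order half is addressed separately by not letting low-privilege users write anywhere that privileged processes load libraries from.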
  20. Tomi Engdahl says:

    Andy Greenberg / Wired:
    How Mimikatz, a tool coded by a French government IT manager in his spare time, became a ubiquitous password stealer for hackers globally — FIVE YEARS AGO, Benjamin Delpy walked into his room at the President Hotel in Moscow, and found a man dressed in a dark suit with his hands on Delpy’s laptop.

    He Perfected a Password-Hacking Tool—Then the Russians Came Calling
    https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/

    In the years since, Delpy has released that code to the public, and Mimikatz has become a ubiquitous tool in all manner of hacker penetrations, allowing intruders to quickly leapfrog from one connected machine on a network to the next as soon as they gain an initial foothold.

    Most recently, it came into the spotlight as a component of two ransomware worms that have torn through Ukraine and spread across Europe, Russia, and the US: Both NotPetya and last month’s BadRabbit ransomware strains paired Mimikatz with leaked NSA hacking tools to create automated attacks whose infections rapidly saturated networks, with disastrous results. NotPetya alone led to the paralysis of thousands of computers at companies like Maersk, Merck, and FedEx, and is believed to have caused well over a billion dollars in damages.

    Those internet-shaking ripples were enabled, at least in part, by a program that Delpy coded on a lark. An IT manager for a French government institution that he declines to name, Delpy says he originally built Mimikatz as a side project, to learn more about Windows security and the C programming language—and to prove to Microsoft that Windows included a serious security flaw in its handling of passwords.

    Google Online Security Blog:
    Google and UCB study: from March 2016 to March 2017, 788K credentials were stolen via keyloggers, 12M credentials via phishing, and 3.3B via 3rd-party breaches

    New research: Understanding the root cause of account takeover
    http://security.googleblog.com/2017/11/new-research-understanding-root-cause.html

  21. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Vulnerability present in many now-patched antivirus products including Malwarebytes allowed malware to leave quarantine and gain full system control

    How AV can open you to attacks that otherwise wouldn’t be possible
    New AVGater flaw provided key ingredient for hacker to hijack computer.
    https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/

  22. Tomi Engdahl says:

    Ron Amadeo / Ars Technica:
    Pixel and Nexus devices won’t get KRACK patch until December, which shouldn’t matter much since Android doesn’t rely on WPA2 for security

    Pixel won’t get KRACK fix until December, but is that really a big deal?
    Android never relied on WPA2 for security, so breaking it shouldn’t matter much.
    https://arstechnica.com/gadgets/2017/11/pixel-wont-get-krack-fix-until-december-but-is-that-really-a-big-deal/

    In October, security researchers discovered a major vulnerability in Wi-Fi’s WPA2 security called “KRACK.” This “Key Reinstallation Attack” can disrupt the initial encryption handshake that happens when an access point and a device first connect, allowing an attacker to read information assumed to be securely encrypted. It’s possible to totally defeat WPA2 encryption using KRACK, allowing a third party to sniff all the Wi-Fi packets you’re sending out. Any device that uses Wi-Fi and WPA2 is most likely vulnerable to the bug, which at this point is basically every wireless gadget on Earth.

    Google and the rest of the OEMs are working to clean up Android’s KRACK epidemic, and, on Monday, Google addressed the bug in the November Android Security Bulletin. A patch was posted this week to the Android Open Source Project (AOSP) repository, and, at the same time, Google started rolling out a November security update to Google Pixel and Nexus devices. But if you read the bulletin closely, you’ll see the November security patch for Google devices does not contain the KRACK fix.

    How whack is KRACK on Android, really?

    The KRACK vulnerability affects nearly all Wi-Fi devices, but the researchers put a big target on Android specifically when they said the attack was “exceptionally devastating against Linux and Android 6.0 or higher.” The reasoning the post laid out was that because Android could be tricked via KRACK into installing an all-zero encryption key, the researchers claimed it was “trivial to intercept and manipulate traffic sent by these Linux and Android devices.”

    KRACK can essentially completely break WPA2 security, but the thing is, while Android does use WPA2 for encryption where available, Android doesn’t rely on WPA2 for security. Android is used to running on a variety of networks. It has to deal with hundreds of carrier configurations around the world, that random coffee shop hot spot that you share with a bunch of strangers, and sometimes just connecting to an unencrypted, open Wi-Fi connection. Android already assumes the network is hostile, so even if you break WPA2 security, you’re only treated to a stream of individually encrypted connections. All the Google apps come with their own encryption, and Google’s development documents tell developers to “Send all network traffic from your app over SSL.” Connecting to websites with HTTPS (like Ars Technica!) will still be secure, and all of Android’s back-end Play Services stuff, like the 24/7 connection to Google, is also encrypted.

  23. Tomi Engdahl says:

    DOJ: Strong encryption that we don’t have access to is “unreasonable”
    Rod Rosenstein: We should weigh “law enforcement equities” against security.
    https://arstechnica.com/tech-policy/2017/11/doj-strong-encryption-that-we-dont-have-access-to-is-unreasonable/

    Just two days after the FBI said it could not get into the Sutherland Springs shooter’s seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the “government’s unexpected encryption warrior.”

    According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying.

  24. Tomi Engdahl says:

    Don’t worry about those 40 Linux USB security holes. That’s not a typo
    https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/

    Move along. Nothing to see here. By the way, try this flash drive in your laptop, ta

    The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.

    That’s just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.

    Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be able to actually insert a malicious USB gadget into a Linux-powered system.

    Still, there are plenty of these ports around

  25. Tomi Engdahl says:

    Hacker Hijacks North Korean Radio Station, Plays ‘The Final Countdown’
    https://www.theepochtimes.com/hacker-hijacks-north-korean-radio-station-plays-the-final-countdown_2354373.html

    An unknown hacker has allegedly hijacked North Korean short-wave radio station, 6400kHz, and is broadcasting the 1986 hit song from ’80s Swedish rock band Europe, “The Final Countdown.”

    News of the incident was posted on Twitter by vigilante hacker, “The Jester,” who has in the past gained fame by hacking jihadist websites, and who in October 2016 defaced the website of the Russian Ministry of Foreign Affairs with the message, “Stop attacking Americans.”

    “A god among us has hijacked 6400kHz (North Korean station) and is playing the Final Countdown,”

    Previously, North Korea made broadcasts two days before conducting a nuclear test, one day before a ballistic missile test, and one day before Japanese flyovers.

  26. Tomi Engdahl says:

    North Korea calls UK WannaCry accusations ‘wicked’
    http://www.bbc.com/news/world-asia-41816958

    North Korea has hit back at the UK government for accusing it of being behind a massive ransomware attack that badly affected the National Health Service (NHS).

    A UK government minister last week told the BBC he was “as sure as possible” North Korea was behind the attack.

    But a North Korean spokesman called the accusations “groundless speculation”.

    A spokesman for the North’s Korea-Europe Association called the UK’s accusation “a wicked attempt” to tighten international sanctions on the country.

  27. Tomi Engdahl says:

    Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says
    http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/

    A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.

    “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

    Homeland Security team remotely hacked a Boeing 757
    A DHS official admitted that a team of experts remotely hacked a Boeing 757 parked at an airport.
    https://www.csoonline.com/article/3236721/security/homeland-security-team-remotely-hacked-a-boeing-757.amp.html

    During a keynote on Nov. 8 at the 2017 CyberSat Summit, a DHS official admitted that he and his team of experts remotely hacked into a Boeing 757.

    This hack was not conducted in a laboratory, but on a 757 parked at the airport in Atlantic City, New Jersey. And the actual hack occurred over a year ago; we are only now hearing about it thanks to a keynote delivered by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

    “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” Hickey said. According to Avionics Today, he added, “[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”

    While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757’s “radio frequency communications.”

    We’ve been hearing about how commercial airliners could be hacked for years.

    “FAA must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system.”

  28. Tomi Engdahl says:

    US Airports Still Fail New Security Tests
    https://tech.slashdot.org/story/17/11/12/1734228/us-airports-still-fail-new-security-tests?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    In recent undercover tests of multiple airport security checkpoints by the Department of Homeland Security, inspectors said screeners, their equipment or their procedures failed more than half the time, according to a source familiar with the classified report.

    TSA fails most tests in latest undercover operation at US airports
    http://abcnews.go.com/US/tsa-fails-tests-latest-undercover-operation-us-airports/story?id=51022188

    Troubling results from undercover operation at US airports

    When ABC News asked the source if the failure rate was 80 percent, the response was, “You are in the ballpark.”

  29. Tomi Engdahl says:

    Parity’s $280m Ethereum wallet freeze was no accident: It was a HACK, claims angry upstart
    And we have evidence to prove it, says biz stiffed out of $1m
    https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/

    A crypto-currency collector who was locked out of his $1m Ethereum multi-signature wallet this week by a catastrophic bug in Parity’s software has claimed the blunder was not an accident – it was “deliberate and fraudulent.”

    On Tuesday, Parity confessed all of its multi-signature Ethereum wallets – which each require multiple people to sign off transactions – created since July 20 were “accidentally” frozen, quite possibly permanently locking folks out of their cyber-cash collections. The digital money stores contained an estimated $280m of Ethereum; 1 ETH coin is worth about $304 right now. The wallet developer blamed a single user who, apparently, inadvertently triggered a software flaw that brought the shutters down on roughly 70 crypto-purses worldwide.

    That user, known as devops199 on GitHub, although they have since deleted their account, claimed they created a buggy wallet and tried to delete it. Thanks to a programming blunder in Parity’s code, that act locked down all wallets created after July 20, when Parity updated the multi-signature wallet software following a $30m robbery.

  30. Tomi Engdahl says:

    North Korean Hackers Are Targeting US Defense Contractors
    https://tech.slashdot.org/story/17/11/12/2044255/north-korean-hackers-are-targeting-us-defense-contractors?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    North Korean hackers have stepped up their attacks on U.S. defense contractors in an apparent effort to gain intelligence on weapon systems and other assets that might be used against the country in an armed conflict with the United States and its allies, The Security Ledger is reporting. Security experts and defense industry personnel interviewed by The Security Ledger say that probes and attacks by hacking groups known to be associated with the government of the Democratic People’s Republic of Korea (DPRK) have increased markedly as hostilities between that country and the United States have ratcheted up in the last year. The hacking attempts seem to be aimed at gaining access to intellectual property belonging to the companies, including weapons systems deployed on the Korean peninsula.

    Exclusive: Eye on Weapons Systems, North Korean Hackers target US Defense Contractors
    https://securityledger.wpengine.com/2017/11/exclusive-eye-weapons-systems-north-korean-hackers-target-us-defense-contractors/

    North Korean hackers have stepped up their attacks on U.S. defense contractors in an apparent effort to gain intelligence on weapon systems and other assets that might be used against the country in an armed conflict with the United States and its allies, The Security Ledger has learned.

    “As the situation between the DPRK and the US has become more tense, we’ve definitely seen an increase in number of probe attempts from cyber actors coming out of the DPRK,”

    All signs point North

    While attribution of cyber attacks is difficult, the official said his employer felt confident that the perpetrators were operating out of North Korea and that the attempted hacks were directed at information the company had on weapons systems it had deployed in South Korea. “We saw that there was some correlation there,” the official said.

    Security experts at the firm FireEye have also seen a group of hackers known as the Lazarus Group and believed to be affiliated with North Korea target defense industrial base firms in the U.S., Ben Read, the Manager of Cyber Espionage Intelligence at the firm FireEye told The Security Ledger. Read said that a hacking crew that FireEye has internally designated with the code name “Temp.Hermit,” a part of The Lazarus Group, has carried out a campaign of spear phishing and targeted attacks against defense firms. The attacks began in early August and have increased in recent months.

    A tactical shift from mayhem to missiles

    North Korea is recognized as one of the few countries internationally with potent cyber offensive capabilities alongside the U.S., China, Russia and Iran.

    Researchers at Kaspersky Lab have been tracking the outfit known as The Lazarus Group since 2009, according to Juan Guerrero, a principal security researcher at the firm. The group has become more “prolific” during that time, he said. “We’re seeing more malware and different types of campaigns. They’re ramping up in a lot of ways,” Guerrero said. Like FireEye, Kaspersky has observed different groups spin off from the main Lazarus group, suggesting that the country’s cyber ranks are growing and diversifying. “They’re going after some very different targets,” he said.

    Among them: defense industrial base firms. “We’ve definitely seen them target plenty of defense industrial base companies in South Korea,” Guerrero said. Among the targeted firms have been those dealing in nuclear weapons and aviation. Still, “most of it revolves around South Korea,” Guerrero said, citing the prevalence of phishing documents using Korean language or targeting Hangul, a popular word processing platform used in South Korea.

    North Korea’s fast-expanding cyber capabilities

    Historically, the DPRK has limited its offensive campaigns to its main rival: South Korea and other perceived enemies of the regime. In recent years, the country’s hacking units have been linked to attacks on South Korean media outlets, banks and government agencies. North Korea is also believed to have carried out the devastating hack of Sony Pictures Entertainment in 2014, purportedly in retaliation for its role in making the movie The Interview, a comedy that imagined a plot to assassinate North Korean leader Kim Jong Un. More recently, North Korea is suspected of involvement in the WannaCry wiper malware attack that paralyzed scores of hospitals operated by the UK National Health Service in May.

  31. Tomi Engdahl says:

    New York Times:
    Inside NSA’s Tailored Access Operations group and the investigation into Shadow Brokers, a hack of NSA now considered much more damaging than Snowden leak — A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.
    https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html

  32. Tomi Engdahl says:

    Microsoft president says the world needs a digital Geneva Convention
    Mr Smith goes to Switzerland
    https://www.theregister.co.uk/2017/11/10/microsoft_president_calls_for_digital_geneva_convention/

    Microsoft president Brad Smith appeared before the UN in Geneva to talk about the growing problem of nation-state cyber attacks on Thursday.

    Smith, also Redmond’s chief legal officer, last month publicly accused North Korea of the WannaCry ransomware attack.

    During the UN session on internet governance challenges, Smith made the case for a cyber equivalent of the Geneva Convention. He started off by noting the sorry state of IoT security before arguing that tech firms and government each have a role to play in reining in the problem.

    “If you can hack your way into a thermostat you can hack your way into the electric grid,” Smith said, adding that the tech sector has the first responsibility for improving internet security because “after all we built this stuff”.

    Microsoft is doing its bit by using a combination of technology and legal action to seize hacked domains at the centre of attacks. Redmond has helped customers in 91 countries by seizing 75 such domains, Smith said.

  33. Tomi Engdahl says:

    Linux 4.14 arrives and Linus says it should have fewer 0-days
    Which is nice as it’s the next long-term release and gets Linux into the GPU game
    https://www.theregister.co.uk/2017/11/12/linux_4_14_released/

  34. Tomi Engdahl says:

    Stop your moaning, says maker of buggy Bluetooth sex toy
    Companion app recorded audio of you while you – ahem – played, but it never left your phone
    https://www.theregister.co.uk/2017/11/13/lovesense_fixes_audio_recording_bug_in_adult_toy/

    Sex-toy maker Lovense has told its customers to stop moaning about one of its products, which recorded audio of users as they – ahem – played, and stored it on their Android phones.

    News of the recording emerged on Reddit where an entity by the name of “tydoctor” wrote “control vibrator app (used to control remote control sex toys made by Lovense, such as this one) seems to be recording while the vibrator is on. I was going through my phone media to prepare it for a factory reset and came across a .3gp file named ‘tempSoundPlay.3gp’ in the folder for the App.”

    “The file was a FULL audio recording six minutes long of the last time I had used the app to control my [significant other's] SO’s remote control vibrator (We used it at a bar while playing pool).”

    “The app permissions allow for mic and camera use, but this was supposed to be for use with the in-app chat function to send voice clips on command. At no time had I wanted the app to record entire sessions using the vibrator.”

    Lovense’s response says “Regarding the sound file in question, it has already been confirmed that this is a minor bug – a temporary file that is created when someone uses the Sound Control feature. Your concern is completely understandable. But rest assured, no information or data is sent to our servers.”

    “This cache file currently remains on your phone instead of deleting itself once your session is finished. Also, when the file is created it overwrites itself (no new files are created).”

    Reply
  35. Tomi Engdahl says:

    pfSense: Not Linux, Not Bad
    http://www.linuxjournal.com/content/pfsense-not-linux-not-bad

    It’s not that pfSense is better than a Linux solution, but rather, it feels more focused. It seems like many of the firewall/router solutions out there try too hard to be everything for your network. pfSense offers services like DNS, DHCP, SNMP and so on, but out of the box, it just routes traffic and does it very well. Another thing that makes pfSense worth checking out is that there’s no “premium” version of it. What you download is the full, complete pfSense product. The only thing you can pay for is support. That model has been around for a long time in the Open Source world, but lately it’s been outmoded by the “freemium”-type offerings.

    If you’re looking for a firewall/router/NAT solution for your network, and you’re not afraid to use a non-Linux product, I can’t recommend pfSense enough.

    Reply
  36. Tomi Engdahl says:

    Estonian Postimees tells of a Russian spy who was captured while attempting to return home through the border town of Narva. The Estonians believe that the man came to the country for espionage.

    The man is believed to have moved around Estonia and tried to tap into wireless network traffic. The security police had become aware of the man’s activities and followed him. Eventually he was caught.
    Estonians believe that the 20-year-old man is an agent trained by the Russian intelligence service FSB.

    Source: http://www.tivi.fi/Kaikki_uutiset/kybervakooja-lahti-liikkeelle-viro-nappasi-venalaismiehen-rajalla-6687051

    Reply
  37. Tomi Engdahl says:

    Face ID beaten by mask, not an effective security measure
    http://www.bkav.com/d/top-news/-/view_content/content/103968/face-id-beaten-by-mask-not-an-effective-security-measure

    Q: Is 3D creation and printing difficult?

    A: Not at all. It is quite simple, and will be even simpler in the future. We might use smartphones with 3D scanning capabilities (like the Sony XZ1); or set up a room with a 3D scanner, where a few seconds is enough for the scanning (here’s an example of a 3D scanning booth).

    An easier way is photograph-based: artists craft an object from its photos. Take the nose of our mask for example; its creation is not complicated at all. We had an artist make it from silicone first. Then, when we found that the nose did not perfectly meet our demand, we fixed it on our own, and then the hack worked. That’s why there’s a part on the nose’s left side that is of a different color (photo attached). So, it’s easy to make the mask and beat Face ID. Here, I want to repeat that our experiment is a kind of Proof of Concept, the purpose of which is to prove a principle; other issues will be researched later.

    Q: Are the dimensions of a person’s face needed? How would those be obtained without a target sitting for them?

    A: The first point is, everything went much more easily than you would expect. You can try it out with your own iPhone X: the phone will recognize you even when you cover half of your face. It means the recognition mechanism is not as strict as you think; Apple seems to rely too much on Face ID’s AI. We just need half a face to create the mask. It was even simpler than we ourselves had thought.

    Reply
  38. Tomi Engdahl says:

    This animation shows the chaos a drone caused at a London airport
    https://www.dpreview.com/videos/6901092572/this-animation-shows-the-chaos-a-drone-caused-at-a-london-airport

    The sequence of diversions and re-routing caused when a drone was sighted close to one of London’s busiest airports has been turned into an amazing animated map by the UK’s National Air Traffic Service (NATS), to demonstrate the level of disruption even short airport closures can create.

    The video map shows what happens to normal air traffic at Gatwick airport when the runway was closed in response to a drone in the vicinity. The closure lasted only nine minutes, but in that time two holding areas away from the airport became congested and some aircraft had to divert to alternative airports over fuel concerns.

    In all, four holding areas had to be used, and four planes needed to land at different airports because it wasn’t clear how long the closure would last.

    “The disruption was significant and took hours to clear; it was around midnight before everything was fully ‘back to normal’ and even then, hundreds of passengers had ended up away from their intended airport and thousands of passengers had been delayed,” reports the NATS blog. “All as a result of one drone pilot flouting the rules. “

    Reply
  39. Tomi Engdahl says:

    Inside an Amateur Bugging Device
    https://hackaday.com/2017/11/12/inside-an-amateur-bugging-device/

    [Mitch] got interested in the S8 “data line locator” so he did the work to tear into its hardware and software. If you haven’t seen these, they appear to be a USB cable. However, inside the USB plug is a small GSM radio that allows you to query the device for its location, listen on a tiny microphone, or even have it call you back when it hears something. The idea is that you plug the cable into your car charger and a thief would never know it was a tracking device. Of course, you can probably think of less savory uses despite the warning on Banggood:

    Please strictly abide by the relevant laws of the state, shall not be used for any illegal use of this product, the consequences of the use of self conceit.

    Inside a low budget consumer hardware espionage implant
    https://ha.cking.ch/s8_data_line_locator/

    Reply
  40. Tomi Engdahl says:

    Topic: “S8 Data Line Locator” covert cell phone device teardown
    https://www.eevblog.com/forum/reviews/%27s8-data-line-locator%27-covert-cell-phone-device-teardown/

    Reply
  41. Tomi Engdahl says:

    Zen Soo / South China Morning Post:
    Chinese online lender WeLab, which tracks users’ mobile data including number and nature of apps installed to determine creditworthiness, raises $220M Series B+

    Higher rates for addresses in caps – online lender WeLend reveals how it determines your creditworthiness
    http://www.scmp.com/tech/start-ups/article/2119209/higher-rates-addresses-caps-online-lender-welend-reveals-how-it

    Proprietary big data and AI tech helps company whittle down delinquency rates

    Reply
  42. Tomi Engdahl says:

    Containers and microservices complicate cloud-native security
    http://www.theserverside.com/feature/Containers-and-microservices-complicate-cloud-native-security?utm_campaign=Black%20Duck%20Press&utm_content=60709505&utm_medium=social&utm_source=facebook

    There’s not much new in the world of malicious hackers raiding online software. Most attacks follow the same basic approach, and software developers are leaving their applications open to being blindsided in the most benign and boring of ways. Developing applications with microservices and containers may be a modern approach to software design, but traditional software flaws still remain a problem when addressing cloud-native security.

    Reply
  43. Tomi Engdahl says:

    Theresa May accuses Vladimir Putin of election meddling
    http://www.bbc.com/news/uk-politics-41973043

    Theresa May has launched her strongest attack on Russia yet, accusing Moscow of meddling in elections and carrying out cyber espionage.

    Addressing leading business figures at a banquet in London, the prime minister said Vladimir Putin’s government was trying to “undermine free societies”.

    Mrs May said it was “planting fake stories” to “sow discord in the West”.

    While the UK did not want “perpetual confrontation” with Russia, it would protect its interests, she added.

    Her comments are in stark contrast to those of US President Donald Trump, who last week said he believed his Russian counterpart’s denial of intervening in the 2016 presidential election.

    Reply
  44. Tomi Engdahl says:

    Sure, Face ID is neat, but it cannot replace a good old fashioned passcode
    Facial recognition isn’t the most reliable authentication right now
    https://www.theregister.co.uk/2017/11/14/is_facial_recognition_good_enough/

    Apple’s iPhone X is one of several technologies bringing facial biometrics into the mainstream. It seems to have everything bar a heat scanner; the TrueDepth camera projects an impressive-sounding 30,000 infrared dots on to your phiz, scanning every blackhead in minute 3D detail.

    The company claims some impressive figures, and it isn’t the only one touting facial recognition as a mainstream solution. Others include Microsoft, with Windows Hello, and Google, with the Trusted Face technology it released in Android Lollipop. Just how secure are these technologies, and should we rely on them?

    Reply
  45. Tomi Engdahl says:

    Think the US is alone? 18 countries had their elections hacked last year
    Less than a quarter of world has freeish internet communication
    https://www.theregister.co.uk/2017/11/14/think_the_us_is_alone_18_countries_had_their_elections_hacked_last_year/

    While America explores quite how much its election was interfered with by outsiders, the news isn’t good for the rest of us, according to independent watchdog Freedom House.

    In its annual Freedom of the Net [PDF] report on the state of the internet and democracy, the group surveyed 65 nation states comprising 87 per cent of internet users and found 18 where either governments or outside bodies had tried to influence an election by restricting or interfering with internet use.

    “The use of paid commentators and political bots to spread government propaganda was pioneered by China and Russia but has now gone global,” said Michael Abramowitz, president of Freedom House. “The effects of these rapidly spreading techniques on democracy and civic activism are potentially devastating.”

    https://regmedia.co.uk/2017/11/14/fotn.pdf

    Reply
  46. Tomi Engdahl says:

    Dustin Volz / Reuters:
    DHS official tells congress about 15% of US agencies reported Kaspersky software on internal networks

    About 15 percent of U.S. agencies found Kaspersky Lab software: official
    http://www.reuters.com/article/us-usa-cyber-kaspersky-congress/about-15-percent-of-u-s-agencies-found-kaspersky-lab-software-official-idUSKBN1DE28P?il=0

    About 15 percent of U.S. government agencies have detected some trace of Russian company Kaspersky Lab’s software on their systems in a review prompted by concerns the antivirus firm is vulnerable to Kremlin influence, a security official told Congress on Tuesday.

    Reply
