2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and companies' systems are expected to withstand them. Attackers will keep looking for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to keep looking for new ways to protect themselves.
Critical infrastructure will come under attack in 2017. Critical infrastructure must be better protected from criminals and terrorists who exploit the modern technologies that are essential to the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is a push for better web security in 2017. Beginning in January 2017, with Chrome 56, Google's browser labels as "Not secure" any plain-HTTP page that asks for a password or credit card details. This is the first step of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure, and its use for certificate signatures is being phased out. CAs are migrating to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have announced that from early 2017 their browsers will no longer trust sites whose certificates are signed with SHA-1 and will mark those sites as insecure. Yet a third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will hang around, like a fart in a spacesuit, for many years to come, because some people are too lazy to make the change.
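The check a practitioner wants before that deadline is to find SHA-1 signed certificates in their own inventory. The following is an added example, not code from the article or any of the linked reports. It uses only the Python standard library, walks the outer DER structure of an X.509 certificate to read the signature algorithm OID, and flags the SHA-1 variants. The `sample_certificate` helper, the `_der` encoder and the OID byte constants are constructed for the example: they build a syntactically valid outer certificate wrapper that exercises the parser but is not a real, verifiable certificate. Real PEM files go through `pem_to_der`.

```python
import base64
import re

# Signature-algorithm OIDs whose digest is SHA-1, in dotted form.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)              # skip tbsCertificate
    tag, sig_alg, _ = _read_tlv(cert, pos)          # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(sig_alg, 0)        # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return _decode_oid(oid_body)


def is_sha1_signed(der):
    """True if the certificate's signature uses a SHA-1 based algorithm."""
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode one certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _der(tag, body):
    """Minimal DER encoder for tag + body (body shorter than 65536 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


# DER-encoded OID bodies used as constructed test inputs (standard encodings).
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
ECDSA_SHA256_OID = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2


def sample_certificate(sig_oid):
    """Constructed sample: a syntactically valid outer Certificate with a placeholder
    tbsCertificate and signature. It exercises the parser (including long-form
    lengths); it is not a real certificate and will not verify."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                        # placeholder tbsCertificate
    sig_alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))   # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xAA" * 256)                     # BIT STRING, 0 unused bits
    return _der(0x30, tbs + sig_alg + sig)


if __name__ == "__main__":
    for label, oid in (("RSA/SHA-1", SHA1_RSA_OID), ("RSA/SHA-256", SHA256_RSA_OID),
                       ("ECDSA/SHA-256", ECDSA_SHA256_OID)):
        cert = sample_certificate(oid)
        verdict = "REJECT (SHA-1)" if is_sha1_signed(cert) else "ok"
        print(f"{label:14s} {signature_algorithm_oid(cert):24s} {verdict}")
```

Only the outer signatureAlgorithm is inspected, which is the field browsers act on; a full inventory run would also walk the intermediate certificates in each chain, since a SHA-1 signed intermediate fails the same way.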
There will be changes in how businesses view security in 2017. Cloud adoption will likely continue to grow across the United States, network visibility will no longer be optional, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption from cyber attacks. The attacks cause significant financial losses, yet studies show that companies are not prepared: according to Gartner, by 2018 only 40 per cent of large enterprises will have formal plans for responding to cyber attacks, and a year earlier the figure was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked, and 2017 won't be much better, sorry. DDoS attacks have been around since at least 2000, and they're not going away. In fact, as the number of devices online grows, so do the volume and velocity of these attacks. DDoS attack toolkits have been around for years, as have services that will run an attack for a fee, and there will be more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized attacks will increase, the Internet of Things (IoT) and other connected devices will play an even bigger part in them, and DDoS used for extortion will overshadow ransomware.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become common in smartphones, and the technology is already fast and reliable. This year biometric identification devices sold for 4.5 billion dollars (most of them going into smartphones and laptops); 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.
Biometrics won't kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely: about two per cent of the world's population have fingerprints that are not suitable for biometric identification, and the other biometric systems have similar limitations and/or are not yet commonly available at a reasonable cost. Biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, but they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, probably until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption is a new threat to police powers of investigation. On the other side, the House Judiciary Committee's Encryption Working Group report says encryption backdoors pose a security threat, siding with technical experts. The problem is that any mechanism that lets police into an encrypted system (phone, computer or communications) could also be exploited by criminals, so any action in this space should weigh short-term benefits against long-term impacts. Industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security have to be rethought from the ground up. In 2017 the cloud itself will become a risk for users, as extortion attacks and IoT devices open new ways into cloud-hosted services.
The race between network attacks and network defence is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, IoT-powered attacks will continue to rise, and stopping an attack in progress is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company's Internet connection or servers, which means relying more on the telecom operator and external scrubbing services. Besides disrupting service, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as the main cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. Stopping all attacks and preventing all business impact has been recognized as a fool's errand; the goal has shifted to measuring risk and minimizing business impact. Cyber security is increasingly viewed as a risk management problem.
In 2017 "security" must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to reach $14 billion by 2022, according to a new report from Allied Market Research (AMR), a compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who have read George Orwell's 1984 or seen the film will remember how the citizens of the fictitious totalitarian state of Oceania are under constant surveillance by order of its dictator, Big Brother. Now swap your home desktop, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also carrying one around in your pocket or handbag. Sound far-fetched? It is set to become reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people say they are prepared to go to extremes for it: according to a Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or their favourite food, in exchange for better online security that meant they would never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is probably the easiest: use a solid password and don't give it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent breaches of every sort, including those that come through other electronics that weren't even considered part of the design. Just as devices get more sophisticated, so do attackers, and security breaches can even cause physical harm. It's time to look at this at a multi-system, multi-disciplinary level; otherwise, we could literally be playing with fire.
Blockchains have been a big trend for several years, and the blockchain market is divided as 2017 starts. During the autumn of 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as its platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain on its Bluemix service. Google and Amazon are conspicuously absent. Even banks may prefer to run their blockchains in the cloud.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Sopranica: Text And Call Using This Open Source Cellular Network For Complete Anonymity
https://fossbytes.com/sopranica-open-source-free-cellular-network/
New York-based programmer Denver Gingerich has worked hard to develop an open source cellular network named Sopranica. This DIY network lets one make phone calls, communicate via texts, and browse the web, all with total privacy and anonymity.
According to a report by Motherboard, Gingerich published the open source code of Sopranica’s first phase named JMP in January. JMP is basically a way to use XMPP to communicate over an anonymous phone number. You can think of JMP as using a free VOIP number with Google Voice and using that for registering with Signal.
Tomi Engdahl says:
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities.
Tomi Engdahl says:
The Worst Password Offenders of 2017
http://www.securityweek.com/worst-password-offenders-2017
Password management firm Dashlane has published a list of what it believes are the top ten password offenders for 2017. It comprises six ‘government’ entries (including the President of the United States and the entire UK Government), and four organizations. Topping the list is Donald Trump, joined by Paul Manafort at #9 and Sean Spicer at #10.
To be fair, it is as much Trump the administration as it is Trump the person that is being called out. Dashlane points to a Channel 4 News investigation in January 2017 that said “Passwords used by Donald Trump’s incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks.”
In reality, the majority of people have had at least one password exposed by the many mass hacks that have plagued the internet this decade, so the biggest problem is not whether a password appears in the dark web listings, but whether it is still being used by the user of that password. Dashlane comments, “many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors — even cybersecurity advisor Rudy Giuliani — were reusing insecure, simple passwords.”
Tomi Engdahl says:
‘Process Doppelgänging’ Helps Malware Evade Detection
http://www.securityweek.com/process-doppelg%C3%A4nging-helps-malware-evade-detection
Researchers at enSilo have identified a new method that can be used by hackers to execute a piece of malware on any supported version of Windows without being detected by security products.
The new technique, dubbed “Process Doppelgänging,” is similar to process hollowing, a code injection method that involves spawning a new instance of a legitimate process and replacing the legitimate code with malicious code. This technique has been used by threat actors for several years and security products are capable of detecting it.
enSilo says it has now come up with a similar but more efficient method for executing malicious code, including ransomware and other types of threats, in the context of a legitimate process. Process Doppelgänging abuses the Windows loader to execute code without actually writing it to the disk, which makes it more difficult to detect an attack.
According to researchers, when Process Doppelganging is used, the malicious code is correctly mapped to a file on the disk, just like in the case of a legitimate process – modern security solutions typically flag unmapped code. The method can also be leveraged to load malicious DLLs.
Tomi Engdahl says:
Apple Patches Vulnerabilities in macOS, watchOS, and tvOS
http://www.securityweek.com/apple-patches-vulnerabilities-macos-watchos-and-tvos
Apple this week released security updates for macOS, watchOS, and tvOS, as well as updated versions of the Safari browser and the iTunes for Windows application.
The company addressed a total of 22 vulnerabilities with the release of macOS High Sierra 10.13.2 this week (some of the patches were also included in Security Update 2017-002 Sierra and Security Update 2017-005 El Capitan).
Affected components included apache, curl, Directory Utility, Intel Graphics Driver, IOAcceleratorFamily, IOKit, Kernel, Mail, Mail Drafts, OpenSSL, and Screen Sharing Server. Kernel was impacted the most, with 8 bugs addressed in it.
Tomi Engdahl says:
Two Vulnerabilities Patched in OpenSSL
http://www.securityweek.com/two-vulnerabilities-patched-openssl
The OpenSSL Project announced on Thursday the availability of OpenSSL 1.0.2n, a version that patches two vulnerabilities discovered by a Google researcher.
The flaws were identified by Google’s David Benjamin using the search giant’s OSS-Fuzz fuzzing service.
One of the security holes, CVE-2017-3737, is related to an “error state” mechanism introduced with OpenSSL 1.0.2b. The mechanism is designed to trigger an immediate failure if there is an attempt to continue a handshake after a fatal error has occurred. The problem is that if the SSL_read() or SSL_write() functions are called directly, the mechanism doesn’t work properly.
While this vulnerability could have serious implications, it has only been rated “moderate severity” due to the fact that the targeted application would need to have a bug that causes a call to SSL_read() or SSL_write() after getting a fatal error.
CVE-2017-3738 affects both the 1.0.2 and 1.1.0 branches of OpenSSL. However, because it’s low severity, OpenSSL 1.1.0 has not been updated on this occasion. The vulnerability will be patched in OpenSSL 1.1.0h when it becomes available.
Tomi Engdahl says:
Keylogger Found on 5,500 WordPress Sites
http://www.securityweek.com/keylogger-found-5500-wordpress-sites
Thousands of WordPress sites have been infected with a piece of malware that can log user input, Sucuri warns.
The infection is part of a campaign the security researchers detailed in April, when they revealed that websites were being infected with a piece of malware called cloudflare.solutions. The malware packed cryptominers at the time, and is now adding keyloggers to the mix as well.
At the moment, the cloudflare.solutions malware is present on 5,496 websites, and the number appears to be going up.
The injected Cloudflare[.]solutions scripts are enqueued on WordPress pages using the theme’s functions.php, and a fake CloudFlare domain is used in the URLs. One of the URLs loads a copy of a legitimate ReconnectingWebSocket library.
The researchers also discovered two cdnjs.cloudflare.com URLs with long hexadecimal parameters, with both of them belonging to CloudFlare. However, they are not legitimate and one doesn’t even exist, but link to payloads delivered in the form of hexadecimal numbers after the question mark in the URLs.
The script was designed to decode the payloads and inject the result into web pages, which results in the aforementioned keylogger.
“This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field,” Sucuri explains.
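A scanner that picks up the two signals Sucuri describes (a script loaded from a look-alike host, and a long hexadecimal query string that decodes to code), as an added example that is not Sucuri's code or the injected script itself. The sample HTML, the payload text, the script paths and the one-entry allowlist of legitimate CDN hosts are constructed for the example; only the `wss://cloudflare.solutions:8085/` endpoint and the look-alike domain come from the comment above.

```python
import re
from urllib.parse import urlsplit

# Hosts the brand genuinely serves scripts from. Assumption for the example: an
# operator-maintained allowlist, seeded here with the one CDN host named above.
LEGIT_BRAND_HOSTS = {"cdnjs.cloudflare.com"}
BRAND = "cloudflare"

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
HEX_QUERY = re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE)


def find_script_urls(html):
    """Return external script URLs in document order."""
    return SCRIPT_SRC.findall(html)


def is_lookalike_host(host):
    """Brand name present, but the host is neither allowlisted nor under the real
    brand domain: 'cloudflare.solutions' is flagged, 'cdnjs.cloudflare.com' is not."""
    host = host.lower()
    if host in LEGIT_BRAND_HOSTS or host == f"{BRAND}.com" or host.endswith(f".{BRAND}.com"):
        return False
    return BRAND in host


def decode_hex_query(url):
    """If the entire query string is one long hex blob, decode it; otherwise None."""
    query = urlsplit(url).query
    if not HEX_QUERY.match(query) or len(query) % 2:
        return None
    return bytes.fromhex(query).decode("utf-8", errors="replace")


def scan(html):
    """Flag scripts loaded from look-alike hosts or carrying a hex-encoded payload."""
    findings = []
    for url in find_script_urls(html):
        host = urlsplit(url).hostname or ""
        reasons = []
        if is_lookalike_host(host):
            reasons.append("look-alike host")
        payload = decode_hex_query(url)
        if payload is not None:
            reasons.append("hex payload in query string")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons, "payload": payload})
    return findings


# Constructed sample page (not the real injected markup). PAYLOAD_TEXT is made up to
# resemble the described behaviour: open a WebSocket to the attacker's endpoint.
PAYLOAD_TEXT = 'var ws=new WebSocket("wss://cloudflare.solutions:8085/");'
SAMPLE_HTML = f"""<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script type='text/javascript' src='https://cloudflare.solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0/lib.js?{PAYLOAD_TEXT.encode().hex()}"></script>
</head><body><form><input name="user"><input name="pass" type="password"></form></body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(finding["host"], finding["reasons"], finding["payload"])
```

The second signal matters because the loader host looks legitimate: a rule that only checks the script's domain would pass `cdnjs.cloudflare.com` and miss the payload riding in the query string, which is exactly the case the comment describes.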
Tomi Engdahl says:
Iranian Cyberspies Exploit Recently Patched Office Flaw
http://www.securityweek.com/iranian-cyberspies-exploit-recently-patched-office-flaw
A cyber espionage group linked to Iran has been using a recently patched Microsoft Office vulnerability to deliver malware to targeted organizations, FireEye reported on Thursday.
The threat actor, tracked as APT34 by FireEye and OilRig by other companies, has been active since at least 2014, targeting organizations in the financial, government, energy, telecoms and chemical sectors, particularly in the Middle East.
Back in April, researchers noticed that APT34 had started exploiting an Office vulnerability (CVE-2017-0199) in attacks aimed at Israeli organizations shortly after Microsoft released a patch.
The cyberspies have now also started leveraging CVE-2017-11882, an Office vulnerability patched by Microsoft on November 14. FireEye said it had spotted an attack exploiting this flaw less than a week after the fix was released.
Tomi Engdahl says:
Chrome Improves Security for Enterprise Use
http://www.securityweek.com/chrome-improves-security-enterprise-use
Chrome’s Site Isolation Feature Renders Each Web Site in a Separate Process
Google is boosting the security of its browser with the release of Chrome 63, which brings a host of enhancements aimed at enterprises and also addresses 37 vulnerabilities.
The new browser iteration, Google says, can better protect enterprises from potential dangers like ransomware, malware, and other vulnerabilities. This is possible because of better process isolation, support for more advanced security standards, and the adoption of new policies.
One of the major enhancements Chrome 63 introduces is Site Isolation, where content for each open website is rendered in a separate process, isolated from the processes of other websites. The browser already includes sandboxing technology, but the new feature should deliver stronger security boundaries between websites.
Tomi Engdahl says:
Zac Hall / 9to5Mac:
Zero-day flaw allowed unauthorized remote access to HomeKit products via iOS 11.2; fix made that limits some functionality, full fix coming in update next week — A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control …
Zero-day iOS HomeKit vulnerability allowed remote access to smart accessories including locks, fix rolling out
https://9to5mac.com/2017/12/07/homekit-vulnerability/
Tomi Engdahl says:
Lauren Etter / Bloomberg:
How Philippines’ President Duterte utilized Facebook, used by 97% of Filipino internet users, to spread his message before weaponizing it to target dissent — Rodrigo Duterte walked down the aisle of a packed auditorium at De La Salle University in downtown Manila, shaking hands and waving …
What Happens When the Government Uses Facebook as a Weapon?
https://www.bloomberg.com/news/features/2017-12-07/how-rodrigo-duterte-turned-facebook-into-a-weapon-with-a-little-help-from-facebook
It’s social media in the age of “patriotic trolling” in the Philippines, where the government is waging a campaign to destroy a critic—with a little help from Facebook itself.
The Philippines is prime Facebook country—smartphones outnumber people, and 97 percent of Filipinos who are online have Facebook accounts. Ressa’s forum introduced Duterte to Filipino millennials on the platform where they live. Duterte, a quick social media study despite being 71 at the time of the election, took it from there. He hired strategists who helped him transform his modest online presence, creating an army of Facebook personalities and bloggers worldwide. His large base of followers—enthusiastic and often vicious—was sometimes called the Duterte Die-Hard Supporters, or simply DDS. No one missed the reference to another DDS: Duterte’s infamous Davao Death Squad, widely thought to have killed hundreds of people.
“At the beginning I actually loved it because I felt like this was untapped potential,” Ressa says. “Duterte’s campaign on social media was groundbreaking.”
Until it became crushing. Since being elected in May 2016, Duterte has turned Facebook into a weapon. The same Facebook personalities who fought dirty to see Duterte win were brought inside the Malacañang Palace. From there they are methodically taking down opponents, including a prominent senator and human-rights activist who became the target of vicious online attacks and was ultimately jailed on a drug charge.
As the campaign for the 2016 Philippine presidential election got under way, Facebook began receiving inquiries from candidates on how they could best use the platform.
Armed with new knowledge, Duterte’s people constructed a social media apparatus unlike that of any other candidate in the race.
Facebook initially started receiving complaints about inauthentic pages. It seemed harmless enough—they supported a range of candidates, and most of them appeared to originate from zealous fans. Soon, however, there were complaints about Duterte’s Facebook army circulating aggressive messages, insults, and threats of violence. Then the campaign itself began circulating false information.
Duterte ended up dominating the political conversation so thoroughly that in April, a month before the vote, a Facebook report called him the “undisputed king of Facebook conversations.” He was the subject of 64 percent of all Philippine election-related conversations on the site.
After Duterte won, Facebook did what it does for governments all over the world—it began deepening its partnership with the new administration, offering white-glove services to help it maximize the platform’s potential and use best practices. Even as Duterte banned the independent press from covering his inauguration live from inside Rizal Ceremonial Hall, the new administration arranged for the event to be streamed on Facebook
But authoritarian regimes are now embracing social media, shaping the platforms into a tool to wage war against a wide range of opponents—opposition parties, human-rights activists, minority populations, journalists.
The phenomenon, sometimes referred to as “patriotic trolling,” involves the use of targeted harassment and propaganda meant to go viral and to give the impression that there is a groundswell of organic support for the government. Much of the trolling is carried out by true believers, but there is evidence that some governments, including Duterte’s, pay people to execute attacks against opponents. Trolls use all the social media platforms—including Twitter, Instagram, and YouTube, in addition to the comments sections of news sites. But in the Philippines, Facebook is dominant.
Ressa exposed herself to this in September 2016, a little more than three months after the election. On a Friday night, a bomb ripped through a night market in Davao City, Duterte’s hometown, killing 14 and injuring dozens more. Within hours, Duterte implemented a nationwide state of emergency.
This, and another earlier incident, became the basis of the article that altered Ressa’s relationship with her government. She titled it “Propaganda War: Weaponizing the Internet.” Within hours of publication, she and Rappler were being attacked through Facebook. She began receiving rapid-fire hate messages. “Leave our country!!!! WHORE!!!!!!” read one.
“Either they’re negligent or they’re complicit in state-sponsored hate”
Even in the U.S., where Facebook has been hauled before Congress to explain its role in a Russian disinformation campaign designed to influence the U.S. presidential election, the company doesn’t have a clear answer for how it will stem abuse. It says it will add 10,000 workers worldwide to handle security issues, increase its use of third-party fact-checkers to identify fake news, and coordinate more closely with governments to find sources of misinformation and abuse. But the most challenging questions—such as what happens when the government itself is a bad actor and where to draw the line between free speech and a credible threat of violence—are beyond the scope of these fixes.
Facebook is inherently conflicted. It promises advertisers it will deliver interested and engaged users—and often what is interesting and engaging is salacious, aggressive, or simply false. “I don’t think you can underestimate how much of a role they play in societal discourse,”
Propaganda war: Weaponizing the internet
https://www.rappler.com/nation/148007-propaganda-war-weaponizing-internet
In the Philippines, paid trolls, fallacious reasoning, leaps in logic, poisoning the well – these are only some of the propaganda techniques that have helped shift public opinion on key issues
Tomi Engdahl says:
Blair Hanley Frank / VentureBeat:
AWS announces a free single sign-on service for logging in to multiple AWS accounts and other applications, currently only available in Northern Virginia region
AWS’s free single sign-on launch shows expansionist tendencies in SaaS market
https://venturebeat.com/2017/12/08/awss-free-single-sign-on-launch-shows-expanisonist-tendencies-in-saas-market/
Tomi Engdahl says:
Major Banking Applications were found vulnerable to MiTM attacks over SSL
http://securityaffairs.co/wordpress/66456/hacking/banking-applications-mitm-ssl.html
Security experts discovered a critical vulnerability in major mobile banking applications that left banking credentials vulnerable to hackers.
The list of affected banking apps includes Allied Irish bank, Co-op, HSBC, NatWest, and Santander.
An attacker sharing the same network segment as the victim could intercept the SSL connection and retrieve the user’s banking credentials even if the apps use SSL pinning.
“If a single CA acted maliciously or were compromised, which has happened before (see e.g. DigiNotar in 2011 [15]), valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate.” states the research paper.
Researchers found that, due to an incorrect implementation of the authentication process, the apps were vulnerable to MITM attacks. The lack of hostname verification left many banking applications open to attack because they were not able to check whether they had connected to a trusted source.
The apps fail to check that the hostname of the URL they connect to matches the hostname in the digital certificate the server presents.
“Automated tools do exist to test a variety of TLS flaws. Lack of certificate signature verification can be tested
The experts created a new automated tool, dubbed Spinner, to test hundreds of banking apps quickly and without requiring purchasing certificates.
The tool leverages Censys IoT search engine for finding certificate chains for alternate hosts that only differ in the leaf certificate.
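The hostname check that the paper says these apps skipped, as an added example that is not part of the comment, the research paper or the Spinner tool. `_match_name` implements the usual RFC 6125 rules for DNS names (wildcard only as the whole left-most label, matching exactly one label); `verify_peer` models the client's decision, with chain validation or pinning represented by a boolean rather than performed; the `BANK_*` and `ATTACKER_*` names are a constructed scenario. The two `ssl` context helpers show the same flaw and its fix in Python's standard library terms.

```python
import ssl


def _match_name(pattern, hostname):
    """RFC 6125-style DNS-ID match: a single '*' is allowed only as the entire
    left-most label and matches exactly one label, so '*.bank.example' covers
    'www.bank.example' but neither 'bank.example' nor 'a.b.bank.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False                 # rejects 'b*nk.example', '*.*.example', '*.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert_dns_names, hostname):
    """True if hostname matches any DNS name the certificate was issued for."""
    return any(_match_name(name, hostname) for name in cert_dns_names)


def verify_peer(cert_dns_names, chain_trusted, hostname, check_hostname=True):
    """What a TLS client must conclude about a peer certificate.

    chain_trusted stands in for signature-chain validation or pinning, which the
    apps did perform; check_hostname=False models the bug described above."""
    if not chain_trusted:
        return "untrusted chain"
    if check_hostname and not hostname_matches(cert_dns_names, hostname):
        return "hostname mismatch"
    return "ok"


def vulnerable_context():
    """Python equivalent of the flawed pattern: chain still verified, name check off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context():
    """Default context: CERT_REQUIRED plus hostname matching against the SAN."""
    return ssl.create_default_context()


# Constructed scenario: the bank pins a CA; the attacker holds a certificate from that
# same CA, legitimately issued for a domain the attacker controls.
BANK_HOST = "www.bank.example"
BANK_CERT_NAMES = ["*.bank.example", "bank.example"]
ATTACKER_CERT_NAMES = ["attacker.example"]

if __name__ == "__main__":
    print("genuine server, hostname checked:", verify_peer(BANK_CERT_NAMES, True, BANK_HOST))
    print("MITM cert, hostname checked     :", verify_peer(ATTACKER_CERT_NAMES, True, BANK_HOST))
    print("MITM cert, hostname check off   :",
          verify_peer(ATTACKER_CERT_NAMES, True, BANK_HOST, check_hostname=False))
    print("hardened context checks name    :", hardened_context().check_hostname)
    print("vulnerable context checks name  :", vulnerable_context().check_hostname)
```

The third line of output is the bug in one sentence: a certificate from a trusted (even pinned) CA for the attacker's own domain is accepted for the bank's hostname as soon as the name comparison is dropped. Chain validation and hostname verification are separate checks, and pinning replaces neither.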
Tomi Engdahl says:
Censys is a new Search Engine for devices exposed on the Internet, it could be used by experts to assess the security they implement.
http://securityaffairs.co/wordpress/42725/hacking/censys-search-engine.html
Now hackers and experts have a powerful new tool for their analysis: Censys, a search engine quite similar to the popular Shodan. Censys is a free search engine that was originally released in October by researchers from the University of Michigan, and it is currently powered by Google.
https://www.censys.io
Tomi Engdahl says:
OpenSSL patches for the fourth time in 2017 its library, and it will likely be the last one
http://securityaffairs.co/wordpress/66469/hacking/openssl-flaw-2.html
The OpenSSL Project released the OpenSSL 1.0.2n version that addresses two vulnerabilities discovered by the Google researcher David Benjamin.
Benjamin discovered the vulnerabilities using the OSS-Fuzz fuzzing service.
The first “moderate severity” issue, tracked as CVE-2017-3737, is related to an “error state” mechanism implemented since OpenSSL 1.0.2b.
http://securityaffairs.co/wordpress/65097/hacking/openssl-google-oss-fuzz-fuzzing.html
Tomi Engdahl says:
ClusterFuzz
https://github.com/google/oss-fuzz/blob/master/docs/clusterfuzz.md
ClusterFuzz is the distributed fuzzing infrastructure behind OSS-Fuzz. It was initially built for fuzzing Chrome at scale
Tomi Engdahl says:
Russia is subject to massive cyber attack
There has been much talk of the West over Russian troop and cyber terrorism. Interestingly, now Russia is itself in the pit of a massive cyber terrorism wave.
The attack began in September, two days before the closely followed Zapad 2017 exercise. The authorities received reports of hidden bombs, had to evacuate the site and search it for the bomb. No bomb has been found, but understandably the threshold for ignoring the alerts is high, so the threat was taken seriously.
The issue is a massive terrorist wave, even though no bombs can be found. In the first month, more than 1 million people were evacuated from 2300 sites. And the pace continues. A few weeks ago it was announced that Putin’s visit to St. Petersburg was mined, a couple of days ago, FSB headquarters was evacuated because of a bomb attack and on Thursday the Russian Duma was on duty.
Bomb threats are targeted at civilized civilian sites, not so much on infrastructure such as power plants or factories. Airports, shopping centers, colleges, hospitals, government buildings, railway stations, churches, cinemas.
The authorities are at the limit of their resilience. When bomb threats come to different cities, the resources of the target city are inadequate. When rescue authorities spin buildings for bombs, no normal rescue work can be done.
Since there are hundreds or thousands of threats going on, this is not a schoolgirl’s pity or a few badminton campaign. The FSB, which has the enormously expensive SORM-5 tracking system, has been unable to say anything other than the calls coming from abroad for three weeks. The systematisation of the mission is frightening: the playing waves first went systematically across the country’s cities in order of magnitude, and now they are attacking a couple of cities at once, causing their rescue operations to stall.
The good question is how many players in the world are both motivated to harm Russia and able to keep up such a well-planned, massive anonymous operation for three months.
Source: http://kaarinarantala.puheenvuoro.uusisuomi.fi/247285-venaja-kyberterrorismin-kourissa
Russian cities targeted by mystery bomb threats
http://www.bbc.com/news/world-europe-41251684
Tomi Engdahl says:
Russia gripped by hoax bomb threats, thousands evacuated
http://www.dw.com/en/russia-gripped-by-hoax-bomb-threats-thousands-evacuated/a-40512660
For days, a wave of anonymous hoax bomb threats has been sweeping through cities across Russia. The telephone calls have led to the evacuation of tens of thousands. But the reason for the threats remains a mystery.
Russia Sees ‘Full-Scale Cyberwar’ as Bomb-Threat Wave Continues
https://www.bloomberg.com/news/articles/2017-09-22/russia-sees-full-scale-cyberwar-as-bomb-threat-wave-continues
300,000 evacuated across country as attacks enter second week
Foreign source seen as internet phones make tracing difficult
A wave of fake bomb threats across Russia has entered its second week in what a senior lawmaker called a “full-scale cyberwar” against the country that authorities are ill-equipped to fight.
About 400,000 people have been evacuated from more than 1,000 shopping malls, airports, and government and other buildings around the country since the surge in hoaxes began last week, according to the official Tass news agency. RIA Novosti said more than 100,000 people were affected on Monday alone. The calls are coming from outside Russia using the Internet, making them difficult to trace, officials said.
Tomi Engdahl says:
Do not be afraid of GDPR – The EU’s privacy policy is a big business opportunity for well-behaved companies
The EU Data Protection Regulation, which entered into force in May 2018, has been widely seen as the public, threatening companies with sanctions and public shame. For pioneering companies, GDPR can, however, also be a major business power with the core of trust.
“A significant part of the public debate about GDPR is a panic attack. The original purpose of the reform has been left unreasonable,” says Tarmo Hassinen.
Hassinen works for Telia’s team of experts and focuses on security issues. He stresses that the guiding idea of the EU Data Protection Regulation is to build trust with a consistent and transparent practice throughout the EU. It will improve the preconditions for growth in the digital economy by protecting personal data mobility within the EU and by strengthening human rights management data.
“The GDPR Regulation has been originally dealt with precisely because it is seen as the cornerstone and facilitator of the EU’s digital business development.
Many companies are particularly worried about the sanctions provided for failure to comply with the EU’s privacy policy, which may reach up to EUR 20 million or 4 percent of the company’s annual turnover. Hassinen, however, reminds GDPR that it will also increase confidence in business relations.
“The much bigger the sanction is the fake carpet that is generated if the information comes out in the wrong hands. It also shakes the company economically. For example, some of the biggest stock price gains in recent years have been due to the fact that the company has been cracking down on customer leakage. Fulfilling EU privacy standards makes the company a more credible partner and a more attractive investment. ”
Source: https://studio.kauppalehti.fi/telia/ala-pelkaa-gdpr-asetusta
Tomi Engdahl says:
Lily Hay Newman / Wired:
A look at APT 34, a hacking group targeting Middle Eastern critical infrastructure companies; FireEye says APT 34 has hallmarks of Iranian hacking activity
Iranian Hackers Have Been Infiltrating Critical Infrastructure Companies
https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/
The international intelligence agency always has a keen interest in Iran’s hacking activity. And new research published by the security firm FireEye on Thursday indicates the country’s efforts show no signs of slowing. In fact, a new network reconnaissance group— FireEye calls them Advanced Persistent Threat 34—has spent the last few years burrowing deep into critical infrastructure companies.
Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.
FireEye researchers tracked 34 of the group’s attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but says APT 34 has been operational since at least 2014.
There isn’t definitive evidence of a direct link between APT 34 and APT 33, an Iranian hacking group and malware distributor FireEye published findings on in September. But researchers have seen APT 34 operating concurrently inside many of the same target networks as other Iranian hackers.
‘The more we divulge things we know about them, the more they’ll shift and change.’
Jeff Bardin, Treadstone 71
While the APT 34 Iranian hacking activity doesn’t appear to target the United States, any Iranian efforts in that space are noteworthy. The countries have a long history of cyber antagonism, which includes the deployment of Stuxnet
‘A Multilayered Approach’
APT 34 uses malicious Excel macros and PowerShell-based exploits to move around networks. The group also has fairly extensive social media operations, deploying fake or compromised accounts to scope out high-profile targets, and using social engineering to get closer to particular organizations.
Tomi Engdahl says:
Microsoft Patches Critical Vulnerability in Malware Protection Engine
http://www.securityweek.com/microsoft-patches-critical-vulnerability-malware-protection-engine
Microsoft this week released an update for the Microsoft Malware Protection Engine (MPE) to address a critical severity remote code execution (RCE) vulnerability in it.
The flaw could lead to memory corruption and allow an attacker to execute arbitrary code to take control over a vulnerable machine. Discovered by UK’s National Cyber Security Centre (NCSC), the bug is tracked as CVE-2017-11937.
Because code can be executed in the security context of the LocalSystem account, the attacker could take control of the system and install programs; view, change, or delete data; or create new accounts with full user rights.
Tomi Engdahl says:
Onapsis Helps SAP Customers Check GDPR Compliance
http://www.securityweek.com/onapsis-helps-sap-customers-check-gdpr-compliance
Onapsis, a company that specializes in securing SAP and Oracle business-critical applications, announced this week that it has added automated GDPR compliance capabilities to the Onapsis Security Platform.
The new functionality allows organizations using SAP products to quickly determine if they meet data protection requirements. The system is capable of identifying SAP systems that need to be compliant with the General Data Protection Regulation (GDPR), specifically systems that process or store user data. Onapsis believes a majority of SAP systems fall into this category.
Tomi Engdahl says:
IoT Botnet Used in Website Hacking Attacks
http://www.securityweek.com/iot-botnet-used-website-hacking-attacks
Embedded Malware Launches SOCKS Proxy Server on Infected IoT Devices
A botnet of Linux-based Internet of Things (IoT) devices is currently being used in a campaign attempting to hack websites, Doctor Web security researchers warn.
Called Linux.ProxyM, the malware has been around since February of this year, and was previously used in spam campaigns. The Trojan was designed to launch a SOCKS proxy server on infected devices and allows attackers to leverage the proxy to perform nefarious operations while hiding their tracks.
To date, the malware has been observed targeting devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, Superh, Motorola 68000, and SPARC. Basically, it can infect “almost any Linux device, including routers, set-top boxes, and other similar equipment,” the researchers say.
Previous malicious campaigns leveraging the botnet were sending spam emails, with each infected device generating around 400 messages per day in September, Doctor Web says.
Tomi Engdahl says:
NIST Publishes Second Draft of Cybersecurity Framework
http://www.securityweek.com/nist-publishes-second-draft-cybersecurity-framework
The National Institute of Standards and Technology (NIST) announced this week that it has published a second draft of a proposed update to the “Framework for Improving Critical Infrastructure Cybersecurity,” better known as the NIST Cybersecurity Framework.
Introduced in 2014, the framework is designed to help organizations, particularly ones in the critical infrastructure sector, manage cybersecurity risks.
The Cybersecurity Framework was developed based on an executive order issued by former U.S. president Barack Obama. A cybersecurity executive order issued by the current administration of Donald Trump also requires federal agencies and critical infrastructure operators to use the framework.
Tomi Engdahl says:
Rockwell Automation Patches Serious Flaw in FactoryTalk Product
http://www.securityweek.com/rockwell-automation-patches-serious-flaw-factorytalk-product
ICS-CERT informed organizations this week that Rockwell Automation has patched a high severity denial-of-service (DoS) vulnerability in one of its FactoryTalk products.
The vulnerability affects version 2.90 and earlier of FactoryTalk Alarms and Events (FTAE), a FactoryTalk Services Platform component installed by the Studio 5000 Logix Designer PLC programming and configuration tool, and the FactoryTalk View SE HMI software.
The security hole, reported to Rockwell Automation by an unnamed company in the oil and gas sector, is tracked as CVE-2017-14022 and it has been assigned a CVSS score of 7.5. It allows an unauthenticated attacker with remote access to the product to cause its history archiver service to stall or terminate by sending specially crafted packets to TCP port 403.
Tomi Engdahl says:
Fighting Back Against the Cyber Mafia
http://www.securityweek.com/fighting-back-against-cyber-mafia
Four distinct groups of cybercriminals have emerged, serving as the new syndicates of cybercrime: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. This is the central thesis of a new report titled ‘The New Mafia: Gangs and Vigilantes’. In this report, the gangs are the criminals and the vigilantes are consumers and businesses — and the vigilantes are urged to ‘fight back’.
The report (PDF) is compiled by endpoint protection firm Malwarebytes. It is designed to explain the evolution of cybercrime from its earliest, almost innocuous, beginnings to the currently dangerous ‘endemic global phenomenon’; and to suggest to consumers and businesses they don’t need to simply accept the current state. They can fight back.
Fighting back, however, is not hacking back — or in the more politically acceptable euphemism, active defense.
The report explains the evolution and operational context of the four ‘mafia’ gangs. It should be noted, however, that this is a broad brush view — the lines of distinction between the different groups is often and increasingly blurred.
Traditional gangs “have taken the motivations and acts of traditional organized crime gangs, theft and the sale of drugs, guns and stolen goods, to the online world.” This is organized cybercrime: organized street crime co-opting tech savvy hackers. “The people at the top may be the same individuals leading drug cartels or pre-existing gangs,” suggests the report; “or new kingpins that have risen to the top of organizations as the internet has grown.” These people remain invisible — if anything, it is the hackers who get caught.
https://www.malwarebytes.com/pdf/white-papers/Cybercrime_NewMafia.pdf
Tomi Engdahl says:
Dormant Keylogging Functionality Found in HP Laptops
http://www.securityweek.com/dormant-keylogging-functionality-found-hp-laptops
A researcher has discovered that a touchpad driver present on hundreds of HP laptops includes functionality that can be abused for logging keystrokes. The vendor has released patches for a vast majority of affected devices.
Michael Myng was looking for ways to control the keyboard backlight functionality on HP laptops when he noticed that the driver from Synaptics (SynTP.sys) included keylogging functionality.
Myng informed HP of his findings and the company released updates that remove the problematic debugging functionality for nearly all impacted products.
Tomi Engdahl says:
Orcus RAT Campaign Targets Bitcoin Investors
http://www.securityweek.com/orcus-rat-campaign-targets-bitcoin-investors
In an attempt to benefit from the recent spike in the value of Bitcoin, the authors of a remote access Trojan have started targeting Bitcoin investors with their malicious software, Fortinet has discovered.
The attack starts with phishing emails marketing a relatively new Bitcoin trading bot application called “Gunbot” developed by GuntherLab or Gunthy. However, the email actually delivers the Orcus RAT to the Bitcoin investors instead.
The phishing emails contain a .ZIP attachment that includes a simple VB script designed to download a binary masquerading as a JPEG image file. According to Fortinet, the attackers made no attempt in hiding their intentions, either because they didn’t want to or because they lack the technical knowledge to do so.
Tomi Engdahl says:
Organizations Getting Better at Detecting Breaches: Report
http://www.securityweek.com/organizations-getting-better-detecting-breaches-report
Organizations have become slightly better at detecting cyber intrusions, but malicious actors are constantly working on improving their tactics and techniques, according to CrowdStrike’s 2017 Cyber Intrusion Services Casebook.
The report is based on data collected by the security firm from more than 100 investigations. Four of these cases are analyzed in detail in the report, including a SamSam ransomware attack on a commercial services organization, a cybercrime operation aimed at a manufacturer’s e-commerce application, a PoS malware incident targeting a large retailer, and a NotPetya infection.
CrowdStrike has determined that organizations continue to improve their ability to detect intrusions on their own. The percentage of firms that self-detected a breach increased to 68 percent, up from 57 percent in the previous year.
Tomi Engdahl says:
Fighting Automation with Automation
http://www.securityweek.com/fighting-automation-automation
Disruptions Caused by Autonomous Malware Could Have Devastating Implications
Organizations and consumers alike have a growing expectation for instant access to personalized information and services through an increasingly complex array of interconnected devices and networks. It is this demand that is driving the digital transformation of our economy.
Businesses that want to succeed need to not only stay ahead of demand from consumers and employees, but also the growing criminal element looking to exploit these new opportunities.
The proliferation of online devices accessing personal and financial information, the adoption of virtualized and multi-cloud environments, and the growing connection of everything – from armies of IoT devices and critical infrastructure in cars, homes, offices, and industry, to the rise of smart cities – have combined to create new destructive opportunities for cybercriminals.
Cybercriminals have begun to leverage automation and machine learning in their attack tactics, techniques, and procedures (TTP).
It is essential, therefore, that AI and automation begin to fill this gap by replacing basic security functions and day-to-day tasks currently being performed by people with integrated expert security systems and automated processes that are able to do such things as:
1. Keep a running inventory of all devices connected to the network, analyze and determine device vulnerabilities, apply patches and updates to devices, flag devices for replacement, and automatically apply a security protocol or IPS policy to protect those vulnerable devices until an update or replacement is available. They also need to be able to isolate compromised devices to stop the spread of infection and initiate remediation.
2. Device misconfiguration is another huge problem many organizations face. Expert systems need to be able to automatically review and update security and network devices, monitor their configurations, and make appropriate changes as the network environments they operate in continue to shift, all without human intervention.
3. Automated systems also need to be able to rank devices based on levels of trust and indicators of compromise, and dynamically segment traffic, especially that coming from the growing number of IoT devices. And they need to be able to do this even in the most highly elastic environments at digital speeds. Automation will soon reduce offense vs. defense (time to breach vs. time to protect) to a matter of milliseconds rather than the hours or days it takes today, and to be able to successfully counter this evolution, human beings need to be able to get out of the way.
Tomi Engdahl says:
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
Tomi Engdahl says:
Some HP laptops are hiding a deactivated keylogger
https://techcrunch.com/2017/12/11/some-hp-laptops-are-hiding-a-deactivated-keylogger/
Researcher Michael Myng found a deactivated keylogger in a piece of software found on over 460 HP laptop models. A full list of affected laptops is here. The keylogger is deactivated by default but could represent a privacy concern if an attacker has physical access to the computer.
HPSBHF03564 rev 1 – Synaptics Touchpad Driver Potential, Local Loss of Confidentiality
https://support.hp.com/us-en/document/c05827409
A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.
Tomi Engdahl says:
New Android vulnerability allows attackers to modify apps without affecting their signatures
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
A serious vulnerability (CVE-2017-13156) in Android allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman god of duality.
The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries.
On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc.
A file can, therefore, be a valid APK file and a valid DEX file at the same time.
In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files.
An attacker can leverage this duality. He can prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file.
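The zip/DEX duality described above can be checked for defensively: a well-formed APK begins with a zip local file header at offset 0, so any bytes before the first zip entry (and in particular a DEX magic at the start) indicate a dual file. The detector below is an added example, not code from the Guardsquare post; the sample APK and the DEX-shaped prefix are constructed fixtures (placeholder entries, a header with only the magic and size fields filled in), not real Android artifacts.

```python
import io
import struct
import zipfile

# Magic values as seen by the runtime's header check and by the zip parser.
DEX_MAGIC = b"dex\n"          # full DEX magic is "dex\n" + 3-digit version + "\0"
DEX_HEADER_SIZE = 0x70        # fixed size of the DEX header
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def analyze_apk(data: bytes) -> dict:
    """Check whether an APK image is a dual DEX/zip (Janus-style) file.

    Reports whether the leading bytes carry the DEX magic (what the runtime's
    header check sees), whether the zip structure is intact (what the v1 JAR
    signature covers), and how many bytes precede the first zip entry.
    """
    report = {
        "starts_with_dex_magic": data.startswith(DEX_MAGIC),
        "valid_zip": False,
        "leading_bytes": None,
        "suspicious": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:      # CRC failure: not an intact archive
                return report
            entries = zf.infolist()
            if not entries:
                return report
            report["valid_zip"] = True
            # zipfile adjusts header_offset for data prepended before the archive,
            # so the smallest offset is the size of the prefix the v1 signature ignores.
            report["leading_bytes"] = min(zi.header_offset for zi in entries)
    except (zipfile.BadZipFile, OSError):
        return report

    # A well-formed APK starts with a zip local file header at offset 0.
    # Any prefix, and especially a DEX magic, is what the duality relies on.
    report["suspicious"] = report["starts_with_dex_magic"] or report["leading_bytes"] > 0
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with the usual entry names.

    The entries are placeholders, not real Android artifacts.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * (DEX_HEADER_SIZE - 8))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def prepend_dex_stub(apk: bytes) -> bytes:
    """Constructed dual file: a DEX-shaped header placed in front of the zip.

    Only the magic, file_size and header_size fields are filled in; this is a
    test fixture for the detector, not a loadable DEX.
    """
    stub = bytearray(DEX_HEADER_SIZE)
    stub[0:8] = b"dex\n035\0"
    struct.pack_into("<I", stub, 32, DEX_HEADER_SIZE)  # file_size field
    struct.pack_into("<I", stub, 36, DEX_HEADER_SIZE)  # header_size field
    return bytes(stub) + apk


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", analyze_apk(clean))
    print("dual: ", analyze_apk(prepend_dex_stub(clean)))
```

Python's zipfile tolerates prepended data the same way the JAR signature scheme does, which is exactly why the prefix has to be checked separately.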
Tomi Engdahl says:
Event Logs Manipulated With NSA Hacking Tool Recoverable
http://www.securityweek.com/event-logs-manipulated-nsa-hacking-tool-recoverable
Researchers at security firm Fox-IT have developed a tool that allows investigators to detect the use of specific NSA-linked malware and recover event log data it may have deleted from a machine.
The group calling itself Shadow Brokers has published several tools and exploits stolen from the Equation Group, cyberspies believed to be working for the U.S. National Security Agency (NSA). One of the tools leaked by the Shadow Brokers in April is DanderSpritz, a post-exploitation framework that allows hackers to harvest data, bypass and disable security systems, and move laterally within a compromised network.
An interesting DanderSpritz plugin is EventLogEdit, which is designed for manipulating Windows Event Log files to help attackers cover their tracks. While hacker tools that modify event logs are not unheard of, EventLogEdit is more sophisticated compared to others as it allows removal of individual entries from the Security, Application and System logs without leaving any obvious clues that the files had been edited.
“While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all),” Jake Williams, founder of Rendition Infosec and an expert in Shadow Broker leaks, said after news of the tool emerged. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation.”
Tomi Engdahl says:
Synopsys Completes $550 Million Acquisition of Black Duck Software
http://www.securityweek.com/synopsys-completes-550-million-acquisition-black-duck-software
Synopsys, a company that provides tools and services for designing chips and electronic systems, has completed its acquisition of Black Duck Software, a privately held company that offers solutions for securing and managing open source software.
Tomi Engdahl says:
Facing Dissent From Abroad, Ethiopia Turns to Spyware
http://www.securityweek.com/facing-dissent-abroad-ethiopia-turns-spyware
Ethiopia’s government has been increasingly on the defensive since the country’s two largest ethnic groups, the Oromos and Amharas, began protesting in 2015.
Hundreds died in the violence and tens of thousands were rounded up in sweeping arrests, among them opposition political activists and journalists.
But many of Ethiopia’s fiercest critics are outside the country, and thus beyond the immediate reach of its security apparatus, particularly among its diaspora population in the USA.
To counter that, researchers and a lawyer who spoke to AFP say Ethiopia has ramped up the use of computer spyware, as well as employing traditional physical surveillance, going so far as to potentially stalk dissidents on US soil.
Carte blanche for cyber attacks
Human Rights Watch has accused Ethiopia of using evidence from spyware intercepts against dissidents within the country, in addition to easily intercepted phone calls and text messages sent over the single, government-owned phone company.
In 2014 one US-based dissident whose computer had been infected sued Ethiopia in a Washington federal court, under the pseudonym Kidane.
That case ended earlier this year, when the court ruled Ethiopia wasn’t liable because the hacking took place outside the US.
“Foreign governments have carte blanche to launch cyber attacks against American citizens in their own homes with complete immunity from US courts,” said Nate Cardozo, a lawyer with the Electronic Frontier Foundation, a San Francisco-based digital rights group who supported the case.
Cutting edge spyware isn’t the only tool Ethiopia deploys against opponents in the US, activists believe.
Tomi Engdahl says:
Malware Isolation Firm Menlo Security Raises $40 Million
http://www.securityweek.com/malware-isolation-firm-menlo-security-raises-40-million
Menlo Security, a provider of malware isolation technology, announced on Monday that it has closed a $40 million Series C funding round, bringing the total amount raised by the company to $85 million.
The Menlo Park, Calif.-based company pushes the fact that its offerings do not provide malware detection or classification. Instead, the company’s cloud-based security platform takes all active content—including potentially malicious files—and executes it in the cloud, giving malware no path to reach an endpoint via compromised or malicious web sites, e-mail, or documents.
Tomi Engdahl says:
‘MoneyTaker’ Hackers Stole Millions from Banks: Report
http://www.securityweek.com/moneytaker-hackers-stole-millions-banks-report
A group of Russian-speaking cybercriminals has launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years, according to cybercrime research firm Group-IB.
Called “MoneyTaker” by Group-IB, the group has been focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US). The fraudsters might soon switch interest to financial institutions in Latin America, given the wide usage of STAR in the region, Group-IB researchers believe.
The attacks caused losses of roughly $500,000 per attack on average, according to Group-IB’s analysis.
The hackers managed to fly under the radar for so long by constantly changing tools and tactics and carefully eliminating traces after completing their operations.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future,” Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence, says.
The first US attack attributed to the group was conducted in the spring of 2016.
A total of 10 attacks were attributed to the group in 2016: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a company in the UK, and 2 attacks on Russian banks. In 2017, the group hit 8 US banks and 1 law firm and 1 bank in Russia.
MoneyTaker uses a distributed infrastructure that features a persistence server designed to deliver payloads only to victims with IP addresses in MoneyTaker’s whitelist.
The hackers use a pentest framework server with Metasploit installed on it. The hackers compromise a computer at the targeted organization, then leverage the pentesting framework for network reconnaissance, finding vulnerable applications, exploiting flaws, escalating systems privileges, and information collection.
Courtesy of fileless malware, MoneyTaker can easily hide tracks. When persistence is needed, the group uses PowerShell and VBS scripts, which are difficult to detect and easy to modify. The researchers also observed the group making changes to source code ‘on the fly’ during the attack.
Tomi Engdahl says:
MoneyTaker: in pursuit of the invisible
Group-IB has uncovered a hacker group
https://www.group-ib.com/blog/moneytaker
In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.
Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,”
https://www.group-ib.com/resources/reports/money-taker.html
Tomi Engdahl says:
Database of 1.4 Billion Credentials Found on Dark Web
http://www.securityweek.com/database-14-billion-credentials-found-dark-web
Researchers have found a database of 1.4 billion clear text credentials in what appears to be the single largest aggregate database yet found on the dark web. These are not from a new breach, but a compilation of 252 previous breaches, including the previous largest combo list, Exploit.in.
The database was found by 4iQ on 5 December 2017. Announcing the discovery, the firm’s founder and CTO Julio Casal, said, “This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports… The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.”
It is a database designed to be used. It includes search tools and insert scripts explained in a README file. Another file called ‘imported.log’ lists the breach sources
1.4 Billion Clear Text Credentials Discovered in a Single Database
https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14
A Massive Resource for Cybercriminals Makes it Easy to Access Billions of Credentials.
Now even unsophisticated and newbie hackers can access the largest trove ever of sensitive credentials in an underground community forum. Is the cyber crime epidemic about to become exponentially worse?
While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.
None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true.
The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records. This dump aggregates 252 previous breaches.
Tomi Engdahl says:
How Safe Are Your Assets in the Cloud?
http://www.securityweek.com/how-safe-are-your-assets-cloud
When Migrating to Cloud Environments, Visibility is a Must-Have
The cloud environment is elastic and moves fast. That elasticity applies to cyberattacks just as much, so it is critical for enterprises to have visibility into all the data that crosses its network. While moving workloads and applications to the cloud brings flexibility and agility, it also introduces multiple points of attack. Enterprises need to now monitor public cloud providers in addition to their internal private cloud network.
From a security perspective, the cloud adds complexity. It doesn’t matter if an enterprise is moving a web server or critical business applications, they must ensure the same level of performance, security and compliance. In a traditional data center, these needs are met with robust tools that provide a zero-packet loss, application aware visibility network.
As more enterprises become “cloud-first” in their business strategies, their thinking is shifting to figuring out their security policy before migration — because they are realizing in the cloud exactly how much they can’t see.
Migration madness: Why you need full visibility
When migrating to cloud environments, visibility is not just a nice-to-have, but a must-have for all organizations. Cloud computing is not a simple IT initiative — the move oftentimes leads to ubiquitous access that introduces risk to information being stored in cloud environments.
When IT teams have to shift between several different infrastructures to accommodate the cloud, it is likely that they will run into additional security roadblocks.
Grab your cloud-ready tools and get the job done
As enterprises make their move to the cloud, their security teams need to get involved early. As security tools are chosen, packet-level access and auto-scaling are critical features that cannot be overlooked. The last thing an enterprise wants is cloud visibility that needs constant reconfiguration every time traffic capacity grows. Believe it or not, many cloud visibility products in the market do not scale automatically.
Put your money where your cloud is
Cloud environments provide flexibility, speed and scalability to vital applications and services — which is critical in today’s digital economy. Almost fully secure is the same as not secure. Without visibility into all the data flowing in these environments, both security and application performance will suffer.
Tomi Engdahl says:
Archive of 1.4 BEEELLION credentials in clear text found in dark web archive
Find shows people still suck at passwords
https://www.theregister.co.uk/2017/12/12/archive_of_14_beeelion_credentials_in_clear_text_found_in_dark_web_archive/
A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ.
The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The identity of the collator isn’t known but the miscreant left Bitcoin and Dogecoin wallet details for donations.
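Both the 4iQ write-up and the Register piece above describe the dump as an aggregated combo list of email:password pairs with its own search tooling. What a defender actually wants from such a find is to learn whether their users' passwords are in it without ever storing or transmitting the plaintext. The following is an added example, not code from 4iQ, the Register or the dump's tooling: it parses a constructed combo-list sample, indexes SHA-1 digests by their first five hex characters, and answers lookups the way a k-anonymity range query does (the client sends only the prefix and matches the suffix locally). The sample lines, the `example.com` domain and all function names are assumptions made for the example.

```python
"""Added example: checking passwords against a leaked combo list without
keeping plaintext around. The prefix/suffix split mirrors the k-anonymity
range lookup popularised by Have I Been Pwned's Pwned Passwords service.
The combo list below is constructed sample data, not real leaked credentials."""
import hashlib
from collections import defaultdict

# Constructed sample in the usual "email:password" combo-list layout.
# bob's line appears twice, as happens when several breaches are merged.
SAMPLE_COMBO_LIST = """\
alice@example.com:Summer2017!
bob@example.com:password123
carol@example.com:correct horse battery staple
bob@example.com:password123
"""

PREFIX_LEN = 5  # hex characters sent to the server in a range query


def parse_combo_list(text):
    """Yield (email, password) pairs. Split on the first ':' only, because
    passwords may themselves contain colons."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.lower(), password


def build_range_index(text):
    """Index leaked passwords as {sha1_prefix: {sha1_suffix: count}}.
    Plaintext is hashed here and then discarded; only digests are kept."""
    index = defaultdict(lambda: defaultdict(int))
    for _, password in parse_combo_list(text):
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1
    return index


def range_query(index, prefix):
    """Server side of a k-anonymity lookup: every suffix under one prefix."""
    return dict(index.get(prefix.upper(), {}))


def is_pwned(index, candidate):
    """Client side: hash locally, send only the prefix, match the suffix
    locally. Returns how many times the password occurs (0 = not found)."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0)


def accounts_in_dump(text, domain):
    """Which accounts of your own domain appear in the dump at all, so their
    owners can be forced through a password reset."""
    return sorted({email for email, _ in parse_combo_list(text)
                   if email.endswith("@" + domain)})


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_COMBO_LIST)
    for pw in ("password123", "Tr0ub4dor&3"):
        print(pw, "->", is_pwned(idx, pw))
    print(accounts_in_dump(SAMPLE_COMBO_LIST, "example.com"))
```

In practice the index would be built once over the whole 41 GB file and the plaintext file then destroyed; the lookup side only ever needs a digest prefix, which is why it is safe to run against a service you do not control.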
Tomi Engdahl says:
Google Releases Tool To Help iPhone Hackers
Google’s elite team of hackers released a much-anticipated tool to help security researchers hack and jailbreak the iPhone.
https://motherboard.vice.com/en_us/article/d3x3dw/google-releases-iphone-ios-jailbreak-tool
Tomi Engdahl says:
6 hard truths IT must learn to accept
https://www.cio.com/article/3233244/it-strategy/6-hard-truths-it-must-learn-to-accept.html
The rise of shadow IT, shortcomings in the cloud, security breaches — IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks.
1. Shadow IT has come out of the shadows
2. You can’t do everything in the cloud
3. Your systems have already been hacked
4. Your software is unpatched and insecure
5. You’ll never have enough bandwidth
6. IT is still relevant — but only if it adapts
Tomi Engdahl says:
Shadow IT: How today’s CIOs grapple with unsanctioned tech
https://www.cio.com/article/3240987/it-strategy/shadow-it-real-world-stories-of-unsanctioned-tech.html
Thanks to the cloud and mobile devices, ‘shadow IT’ has become a key concern for CIOs in every industry. Here, CIOs share their real-world experiences reining in tech outside their formal control.
Tomi Engdahl says:
Jailed Russian hacker: I hacked Democrats ‘under the command’ of Russian intelligence agents
http://nordic.businessinsider.com/russian-hacker-democrats-dnc-intelligence-2017-12?r=US&IR=T
A Russian hacker told a Moscow court in August that he was ordered to hack the Democratic National Committee by Russian intelligence agents at the FSB.
The hacker was arrested in mid-2016 on charges relating to his work with a notorious hacking collective.
Kozlovsky’s work with the FSB could undermine the Kremlin’s repeated claims that it had nothing to do with DNC hacks in late 2015.
The hacker, Konstantin Kozlovsky, told a Moscow court in August of this year that his nine-member hacking group – which has been accused of stealing over $17 million from Russia’s largest financial institutions since 2013 – has been cooperating with the FSB for several years, according to the independent Russian news outlet The Bell. Part of that cooperation included hacking the DNC, he said.
Kozlovsky said during a hearing on August 15 that he “performed various tasks under the supervision of FSB officers,” including a DNC hack and cyberattacks on “very serious military enterprises of the United States and other organizations.”
Minutes from the hearing, as well as an audio recording, were posted on Kozlovsky’s Facebook page.
The cybersecurity firm CrowdStrike publicly concluded in June 2016 that hackers associated with the FSB breached the DNC in late 2015. WikiLeaks published internal committee emails during the Democratic National Convention in July 2016.
He ‘did everything they said’
Kozlovsky also named Ruslan Stoyanov, a key cybercrime investigator at the Russian cybersecurity firm Kaspersky who was arrested last December along with Dokuchaev and Sergei Mikhailov, the deputy head of the information security department of the FSB.
Mikhailov has been accused of giving US intelligence officials information about a server-rental company, King Servers, through which Russian hackers have been known to attack the US, Russian newspaper Novaya Gazeta reported last December. The Bell reported earlier this month that he could soon be charged with treason.
“Russian government recruiters have scouted a wide range of programmers, placing prominent ads on social media sites, offering jobs to college students and professional coders, and even speaking openly about looking in Russia’s criminal underworld for potential talent.”
Tomi Engdahl says:
Juniper squeezes vulns that allow total p0wnage
NorthStar WAN SDN Controller has 28 nasties, half a dozen critical
https://www.theregister.co.uk/2017/12/12/juniper_patches/
Juniper admins using the company’s NorthStar WAN SDN Controller Application, hop to it: the company’s just dropped fixes to 28 security vulnerabilities.
The bugs apply to version 2.1.0 Service Pack 1 and newer versions of the application.
With such a crop available, here are the most severe bugs, some of them internal to the application, others inherited from third-party libraries.
Juniper has issued fixes for all the vulnerabilities.
Tomi Engdahl says:
3 keys to making any small business wireless network more secure
http://www.cablinginstall.com/articles/pt/2017/12/3-keys-to-making-any-small-business-wireless-network-more-secure.html?cmpid=enl_cim_cim_data_center_newsletter_2017-12-11
So here’s what you can do:
Use encryption — Possibly the most important measure you can take to protect your network is to use encryption [...]
Use a firewall — Hardware firewalls provide the first line of defence against attacks coming from outside of the network, and most routers have firewalls built into them, which check data coming into and going out and block any suspicious activity [...]
Use secure router settings — Change the router’s access name and password. It is all too easy to set up any equipment with its default settings, especially as the default admin name and password are often printed on the router itself to allow quick access and setup [...]
How to make a wireless network more secure
http://www.techradar.com/news/how-to-make-a-wireless-network-more-secure
When setting up a wireless network for your small business, it can be all too tempting to leave any security functions switched off. It may seem at the time that getting work done is much more important than worrying about a threat that probably won’t ever materialise.
Encrypting a network involves creating a password or passphrase that is difficult to guess. But note here that, while there are different forms of encryption available to wireless networks, not all of them are secure.
WPA and WPA2
Developed to overcome the weaknesses in WEP, WPA and WPA2 (Wi-Fi Protected Access) are the encryption modes now most widely used in wireless networks.
They use both passwords and passphrases to secure networks.
Use a firewall
Hardware firewalls provide the first line of defence against attacks coming from outside of the network, and most routers have firewalls built into them, which check data coming into and going out and block any suspicious activity. The devices are usually set with reasonable defaults that ensure they do a decent job.
Router settings
Change the router’s access name and password
Change the default network ID
Stop your router broadcasting its network ID
Enable MAC authentication for your users
Create a separate wireless network for your customers.
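The checklist above maps directly onto the settings of an access point. The following is an added example, not code from either cited article: it parses hostapd-style `key=value` configuration text (a `bss=` line starts an additional virtual AP, which is how a separate guest network is usually done) and reports which items of the list are violated. The two configurations, the default-SSID list and the passphrase length threshold are constructed assumptions for the example. One caveat a practitioner would add: hiding the SSID and MAC filtering are reported only as informational, because both the network name and client MAC addresses are visible to anyone sniffing the air, so they are not substitutes for WPA2.

```python
"""Added example: audit hostapd-style Wi-Fi AP settings against the small
business checklist. Configs below are constructed samples, not real sites."""

# Constructed sample: WEP with shared-key auth on a default SSID, relying on
# SSID hiding and MAC filtering instead of real encryption.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
auth_algs=3
wep_default_key=0
wep_key0=0123456789
ignore_broadcast_ssid=1
macaddr_acl=1
"""

# Constructed sample: WPA2/CCMP only, long passphrases, separate guest BSS.
HARDENED_CONF = """\
interface=wlan0
ssid=acme-staff
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=rooftop-antenna-quietly-counts-2017
bss=wlan0_guest
ssid=acme-guest
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=visitors-get-their-own-network-today
ap_isolate=1
"""

# Assumed list of vendor default network names; extend for your own estate.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless", "tp-link"}
MIN_PASSPHRASE_LEN = 20  # assumed policy threshold


def parse_hostapd(text):
    """Split hostapd config into one dict per BSS; the first is the main AP."""
    sections = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append({})
        sections[-1][key] = value
    return sections


def audit_bss(conf):
    """Return (severity, message) findings for one BSS."""
    findings = []
    wpa = conf.get("wpa", "0")
    ciphers = conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")
    if any(k.startswith("wep_key") for k in conf) or wpa == "0":
        findings.append(("critical", "open or WEP network: set wpa=2"))
    if wpa in ("1", "3"):
        findings.append(("high", "WPA1 accepted (wpa=%s): set wpa=2" % wpa))
    if "TKIP" in ciphers:
        findings.append(("high", "TKIP cipher allowed: use rsn_pairwise=CCMP"))
    if conf.get("auth_algs", "1") in ("2", "3"):
        findings.append(("medium", "shared-key authentication enabled: set auth_algs=1"))
    if wpa != "0" and len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append(("medium", "WPA passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN))
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("low", "default SSID '%s' advertises the device model" % conf["ssid"]))
    if conf.get("ignore_broadcast_ssid", "0") != "0" or conf.get("macaddr_acl", "0") != "0":
        findings.append(("info", "SSID hiding / MAC filtering are not access controls; both are visible to a sniffer"))
    return findings


def audit_config(text):
    """Audit every BSS in a config; returns {ssid: [findings]}."""
    return {bss.get("ssid", "?"): audit_bss(bss) for bss in parse_hostapd(text)}


def worst_severity(report):
    """Highest severity across the report, or None when it is clean."""
    order = ["info", "low", "medium", "high", "critical"]
    sevs = [sev for findings in report.values() for sev, _ in findings]
    return max(sevs, key=order.index) if sevs else None


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit_config(text)
        print(name, "->", worst_severity(report))
        for ssid, findings in report.items():
            for sev, msg in findings:
                print("  [%s] %s: %s" % (sev, ssid, msg))
```

The guest BSS in the hardened sample also sets `ap_isolate=1` so that customers' devices cannot talk to each other over the AP; the audit does not require it, but it is the usual companion to a separate customer network.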
Tomi Engdahl says:
There’s A Disturbing Reason Why These Children’s Toys Are Swearing Their Asses Off
http://www.iflscience.com/technology/theres-a-disturbing-reason-why-these-childrens-toys-are-swearing-their-asses-off/
There’s a funny piece of footage circulating the internet at the moment of a children’s toy robot rocking back and forth and swearing its ass off. The toucan-shaped toy is from Teksta and is heard to say “wanker” and “twat” over and over again as it nods and waves its wings around.
In the UK, those are pretty bad swear words.
It’s not the only toy that’s doing it.
So far, so funny. But why are they doing this?
Well, the answer is that they are surprisingly easy to hack. So much so, in fact, that those responsible for hacking the Toucan are warning parents to return it to the manufacturer post-haste. Not only can you hack its output, it’s possible to gain access to its internal microphone, theoretically making it useful to anyone wishing to spy on your home.
Security researchers at Pen Test Partners hacked the toys to highlight the flaws in their design.
Tomi Engdahl says:
Synopsys Named a Leader in The Forrester Wave™: Static Application Security Testing, Q4 2017
https://www.synopsys.com/software-integrity/resources/analyst-reports/2017-sast-forrester-wave.html?cmp=em-sig-eloqua&utm_medium=email&utm_source=eloqua&elq_mid=322&elq_cid=166673
Static application security testing (SAST) is an important part of prerelease application testing that can identify tricky dataflow issues. It can also catch issues such as cross-site request forgery (CSRF) that other tools, including dynamic application security testing (DAST), have trouble finding. According to The Forrester Wave™: Static Application Security Testing, Q4 2017, SAST remains critical to eliminate proprietary software vulnerabilities so attackers can’t exploit them in production.