2017 will bring no turn for the better in data security. The internet is rife with threats, the well-known ones as much as the unknown ones, and company systems are expected to hold up against both. Hackers will keep looking for new ways to extort businesses and organizations and to steal their information, which unfortunately means those businesses and organizations will have to keep looking for new ways to protect themselves.
Critical infrastructure will come under attack in 2017. It must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to improve in 2017.
There is a push for better web security in 2017. Beginning in January 2017 with Chrome 56, Google’s Chrome labels as “Not secure” any HTTP page that transmits passwords or asks for credit card details, as the first step of a long-term plan to mark all plain-HTTP sites as not secure.
SHA-1 is insecure. From 1 January 2017 most CAs will issue only SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have announced that their browsers will stop trusting SHA-1 certificates from that date and will mark sites that still use them as insecure. Even so, about a third of websites were still using SHA-1 certificates as the deadline approached. Note that browsers check the signature algorithm of every certificate in the chain below the self-signed root, so a SHA-1 intermediate breaks a site just as a SHA-1 leaf does. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come, because some operators are simply too lazy to make the change.
There will be changes in how businesses view security in 2017. Cloud adoption will likely continue to grow across the United States, network visibility will no longer be optional, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption from cyber attacks. The attacks cause significant financial losses, yet studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have formal plans for responding to cyber attacks, up from zero per cent in 2015.
Strap yourself in for a bumpy ride in 2017. 2016 sucked, and 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. As the number of devices online grows, the volume and velocity of these attacks grow with it. DDoS attack toolkits have been around for years, as have services that let you pay for an attack; expect to see more of both. 2017 promises to be the most dramatic year yet for DDoS: whale-sized attacks will increase, the Internet of Things (IoT) and other connected devices will play a bigger part in them, and DDoS will overshadow ransomware as a tool for extortion.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. In 2016 biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops); 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.
Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will not disappear entirely: about two per cent of the world’s population have fingerprints that biometric readers cannot use. Other biometric systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Expect passwords to stay with us until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with technical experts. The problem is that any mechanism that lets police into an encrypted system (be it a phone, a computer or a communications service) can also be exploited by criminals. Any action in this space should weigh short-term benefits against long-term impacts. As many industry experts will rightly tell you, there is no such thing as partial encryption: you either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security have to be rethought from the ground up. In 2017 the cloud will become a risk for its users: the cloud becoming insecure, with extortion and IoT openings.
The arms race between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key is that attack traffic is stopped before it reaches the company’s Internet connection or servers, which means relying more on the telecom operator and on external scrubbing services. Besides disrupting services, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as the main cause for concern.
In 2017 IT and security professionals will talk more about business risk. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. Stopping all attacks and preventing all business impact has been recognized as a fool’s errand; the goal has shifted to measuring risk and minimizing business impact. Cyber security is increasingly viewed as a risk management problem.
In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They raise serious ethical and philosophical questions, and they have become the basis of fictional Armageddons; their security deserves the same scrutiny.
Cyber insurance will be considered more often as one solution for handling cyber risk in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a report published by Allied Market Research (AMR), an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those who have read George Orwell’s 1984 or seen the film will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Swap the fictitious telescreen for your home desktop, laptop or smartphone and you are not only sitting in front of a modern-day telescreen, you are also carrying one around in your pocket or handbag. Sound far-fetched? It is set to become reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people say they would go to extremes for it: according to a Harris Poll survey of over 2,000 U.S. adults, nearly 40% of Americans would give up sex for a year, or their favourite food, in exchange for online security that meant they’d never have to worry about being hacked. When you consider that 87 per cent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is probably the easiest: use a solid password and don’t give it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent breaches of every sort, including those that come from other electronics that weren’t even considered part of the design. As devices get more sophisticated, so do the hackers, and security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level; otherwise we could literally be playing with fire.
Blockchains have been a big trend for several years. As 2017 starts, the blockchain market is divided. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen Ethereum as its blockchain platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain on the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to use the cloud for their blockchains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
Vulnerabilities Summary
The Wireless IP Camera (P2) WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.
It seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.
So, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside.
Because of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow an attacker to execute root commands on 1250+ camera models through a pre-auth vulnerability.
These cameras are likely affected by a pre-auth RCE as root.
Tomi Engdahl says:
Google Has Few Leads As It Starts Investigation Into Huge Leak Of CIA Android Hacks
https://www.forbes.com/sites/thomasbrewster/2017/03/08/google-android-wikileaks-cia-cyber-attacks/#5b67ec375496
It’s been less than 24 hours since Wikileaks released files it claims contain information on the myriad tools the Central Intelligence Agency (CIA) uses to hack and surveil Android cellphones, as well as iPhones, TVs, cars and more. Google is yet to officially comment, but Forbes understands the company’s researchers are busy scouring the 8,000-page data dump as they try to determine if they need to get working on patches.
It’s not yet clear how bad the damage is. Exacerbating Google’s pain is the knowledge that any triage and subsequent patching will be extraordinarily difficult, given the lack of any code showing just where weaknesses lie. So whilst the Wikileaks release has made it apparent there are multiple, possibly previously-unknown vulnerabilities (known as zero-days) that now need fixing, Google staff have few leads to go on.
Alongside exploits for Apple’s iOS, there are many named CIA Mobile Device Branch tools specifically for breaking Android security with little detail on how they might work. For instance, there are at least 10 remote code execution bugs, the most critical weaknesses where a hacker can run malicious code from anywhere on the planet. There’s the BaronSamedi hack, which targeted a specific code library that Google can at least investigate. Then there’s the EggsMayhem hack created by the NSA and GCHQ that appears to target the Chrome browser. Or the Dragonfly attack, for which there’s next to no information available. Going right to the heart of Android, there’s an exploit called Sulfur for the operating system’s kernel to force it into leaking information, affecting versions 3.10 and later.
There’s slightly more comprehensive information on a tool called RoidRage, a malware that appears to allow some remote control over Android devices.
Paying for Android vulnerabilities
Android security expert at CloudFlare, Tim Strazzere, said the more interesting aspect of the Wikileaks release was the number of exploits the CIA purchased. Such vulnerabilities can fetch upwards of $1 million per bug, though only iOS hacks have been known to cost so much. As with Apple’s OS, the CIA ostensibly used codenames for its cyberarms dealers, including Anglerfish and Fangtooth, or just simply called them a partner.
“The bulk are bought, and bought from one source,” he said. “One could assume everyone else has also bought these.” The implication from Strazzere is that the CIA has access to the same Android attack code as other government buyers around the world.
Tomi Engdahl says:
Two Factors Are Better Than One
http://www.linuxjournal.com/content/two-factors-are-better-one?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Although I’ve always been interested in security, there are just some security measures I’ve never liked. SSH brute-force attacks end up being a major way that attackers compromise Linux systems, but when it comes to securing SSH, I’ve never been a fan of changing your SSH port to something obscure, nor have I liked scripts like fail2ban that attempt to detect brute-force attacks and block attackers with firewall rules. To me, those measures sidestep the real issue: brute-force attacks require password authentication. If you disable password authentication (set PasswordAuthentication to no in your sshd_config) and use only SSH keys, you can relax about all those brute-force attacks knocking on your door.
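An added example, not from the Linux Journal piece and not OpenSSH’s own code, of checking that a server really is in the key-only state the comment describes. It assumes only sshd’s documented parsing rule, namely that for each keyword the first value encountered wins and later duplicates are ignored; the two sample configs are constructed here. One practitioner caveat is built in: with PAM in play, ChallengeResponseAuthentication yes can still prompt for a password, so it is checked alongside PasswordAuthentication.

```python
"""Audit an sshd_config for key-only authentication (added illustration).

sshd parses its config with first-value-wins semantics: for each keyword the
first value encountered is used and later duplicates are ignored.  Keywords
left unset take sshd's documented defaults.  Only the global section is
examined; everything after the first Match block is conditional and skipped.
"""
import re

# Documented OpenSSH defaults for the keywords this audit cares about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# What a brute-force-resistant configuration must look like.
REQUIRED = {
    "passwordauthentication": "no",
    # PAM keyboard-interactive can still prompt for a password, so this one
    # has to be off too; PasswordAuthentication no alone is not enough.
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")


def effective_global_settings(config_text):
    """Return {keyword: value} for the global section, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line sets nothing
        m = DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().lower()
        if keyword == "match":
            break  # rest of the file is conditional on the Match criteria
        settings.setdefault(keyword, value)  # keep the FIRST occurrence
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means key-only auth is in place."""
    settings = effective_global_settings(config_text)
    findings = []
    for keyword, wanted in REQUIRED.items():
        actual = settings.get(keyword, DEFAULTS[keyword])
        if actual != wanted:
            source = "set explicitly" if keyword in settings else "sshd default"
            findings.append(f"{keyword} is '{actual}' ({source}); want '{wanted}'")
    return findings


# Constructed sample: looks hardened at a glance, but the commented line sets
# nothing and the later "no" loses to the earlier "yes".
SAMPLE_CONFIG = """\
# PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample of the state the comment recommends.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(text)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The authoritative view is `sshd -T` on the host itself, which prints the effective values after all parsing; a script like this is for reviewing config files in bulk before they are deployed.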
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers find ephemeral messaging app Confide doesn’t provide true end-to-end encryption
Dear Confide: “We would never” isn’t the same as “we can’t”
Confidential messenger service provides no authentication or integrity assurances.
https://arstechnica.com/security/2017/03/unfixed-weaknesses-in-confide-stoke-doubts-about-end-to-end-crypto-claims/
A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that’s billed as providing “battle tested, military grade” end-to-end encryption and is reportedly being used by individuals inside the US government.
One of the bulletins, published by security firm Quarkslab, warned that current versions of Confide—including those available for Macs, PCs, iPhones, Android devices, and Apple Watches—don’t provide true end-to-end encryption at all, at least as that term is commonly defined. Unlike competing secure messaging app Signal—which prevents even authorized insiders from accessing the keys needed to decrypt messages—Confide engineers, or people who hack the Confide service, can easily create keys that can be used to decrypt messages as they’re sent in real time.
Tomi Engdahl says:
We Talked to the Hacker Who Took Down a Fifth of the Dark Web
https://motherboard.vice.com/en_us/article/talking-to-the-hacker-who-took-down-a-fifth-of-the-dark-web
On Friday, a hacker took down a huge chunk of the dark web. Visitors to over 10,000 Tor hidden services running on Freedom Hosting II—a hosting provider for dark web sites—were greeted with a perhaps surprising message, The Verge reported.
Tomi Engdahl says:
Ron Amadeo / Ars Technica:
Google’s new invisible reCAPTCHAs automatically distinguish humans from bots, don’t need to use a checkbox — Google says it can separate man from machine without any tricky tests or checkboxes. — Google’s reCAPTCHA is the leading CAPTCHA service (that’s “Completely Automated Public Turing test …
Google’s reCAPTCHA turns “invisible,” will separate bots from people without challenges
Google says it can separate man from machine without any tricky tests or checkboxes.
https://arstechnica.com/gadgets/2017/03/googles-recaptcha-announces-invisible-background-captchas/
Tomi Engdahl says:
New York Times:
Sources: Russian security services used infrastructure created by criminal hackers, like Evgeniy Bogachev’s ZeuS botnet, to gather intelligence — To the F.B.I., Evgeniy M. Bogachev is the most wanted cybercriminal in the world. The bureau has announced a $3 million bounty for his capture …
Russian Espionage Piggybacks on a Cybercriminal’s Hacking
https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html
To the F.B.I., Evgeniy M. Bogachev is the most wanted cybercriminal in the world. The bureau has announced a $3 million bounty for his capture, the most ever for computer crimes, and has been trying to track his movements in hopes of grabbing him if he strays outside his home turf in Russia.
He has been indicted in the United States, accused of creating a sprawling network of virus-infected computers to siphon hundreds of millions of dollars from bank accounts around the world, targeting anyone with enough money worth stealing — from a pest control company in North Carolina to a police department in Massachusetts to a Native American tribe in Washington.
But it is clear that for Russia, he is more than just a criminal. At one point, Mr. Bogachev had control over as many as a million computers in multiple countries, with possible access to everything from family vacation photographs and term papers to business proposals and highly confidential personal information. It is almost certain that computers belonging to government officials and contractors in a number of countries were among the infected devices. For Russia’s surveillance-obsessed intelligence community, Mr. Bogachev’s exploits may have created an irresistible opportunity for espionage.
The Russians were particularly interested, it seems, in information from military and intelligence services regarding fighting in eastern Ukraine and the war in Syria, according to law enforcement officials and the cybersecurity firm Fox-IT.
The Russian government has plenty of its own cyberspace tools for gathering intelligence. But the piggybacking on Mr. Bogachev’s activities offers some clues to the breadth and creativity of Russia’s espionage efforts at a time when the United States and Europe are scrambling to counter increasingly sophisticated attacks capable of destroying critical infrastructure, disrupting bank operations, stealing government secrets and undermining democratic elections.
From Thief to Russian Asset?
His involvement with Russian intelligence may help explain why Mr. Bogachev, 33, is hardly a man on the run. F.B.I. officials say he lives openly in Anapa, a run-down resort town on the Black Sea in southern Russia.
Tomi Engdahl says:
Thomas Fox-Brewster / Forbes:
Sources: Microsoft and Google haven’t been contacted by Assange, two days after he said WikiLeaks would share details of CIA hacking tools with tech firms
Google, Microsoft Still Waiting On Wikileaks To Deliver CIA Hacking Tools
https://www.forbes.com/sites/thomasbrewster/2017/03/11/google-microsoft-waiting-on-wikileaks-cia-exploits/#9fab44254c99
It’s been two days since Julian Assange promised Wikileaks would hand over more information on Central Intelligence Agency (CIA) hacker tools to tech giants. That pledge followed a leak of nearly 9,000 documents that Wikileaks claimed belonged to CIA hacking units.
But while that altruistic move should help protect every one of their users from cyberattack, neither Google nor Microsoft had received details from Wikileaks on vulnerabilities in their software by Saturday morning, according to sources familiar with the companies’ security teams.
Google did not offer official comment, but two sources close to the company’s security staff said there had been no contact. One said there was now concern Wikileaks had duped the public with a PR move of little to no substance, though on Thursday one external Android security expert who’d reviewed the CIA files said it appeared there were multiple vulnerabilities Google would need to address.
“We’ve seen Julian Assange’s statement and have not yet been contacted,” a Microsoft spokesperson said in an emailed statement Friday, originally sent to press on Thursday, the same day Assange claimed Wikileaks would help provide “antidotes” for CIA exploits before publishing them. As of Saturday, Microsoft had not provided any further update, after Forbes’ enquiries. Wikileaks had not returned requests for comment.
While the Wikileaks Vault 7 leak also affected Apple products, from iPhones to Macs, the Cupertino firm had not provided any comment at the time of publication.
Wikileaks ‘should publish malware’
And while there were few examples of actually usable code in the CIA Vault 7 leak, some Windows malware was uncovered by security expert Marc Maiffret, indicating Wikileaks may have mistakenly left it unredacted.
He urged Wikileaks to publish all malware code, however, and should “help defenders and work with technology companies affected by the vulnerabilities and exploits to produce patches for customers.”
“It is of course very time consuming and not always easy to analyze all of this technical data to figure out what parts are malware and implants vs. vulnerabilities and exploits. This is why they seemingly redacted all of that type of data in general except for this mistake here that I wrote about.”
Tomi Engdahl says:
The new shell to protect integrated circuits against attacks
The French microelectronics research center Leti has developed a new kind of physical protection against intrusion into microcircuits. It is a shell mounted on the rear side of the circuit inside the package, which prevents the circuit from being read out with, for example, an infrared laser.
Physical protection is needed when the attacker has the circuit or device in their hands.
Leti researchers developed a new shell for microcircuits. It consists of a serpentine metal layer between two polymers. One of the polymers blocks infrared and ion beams from penetrating.
The other polymer film is directly attached to the surface of the circuit, so it detects chemical attacks.
Any change in the structure of the circuit erases all sensitive data.
Source: http://www.etn.fi/index.php/13-news/5988-uusi-kuori-suojaa-mikropiireja-hyokkayksilta
Tomi Engdahl says:
Liam Tung / ZDNet:
Analysis of 133K+ sites shows 37% of them use at least one JavaScript library with a known vulnerability, including 21 sites in the Alexa 100
An insecure mess: How flawed JavaScript is turning web into a hacker’s playground
http://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/
Researchers say tens of thousands of sites are using JavaScript libraries that are years old and contain publicly known vulnerabilities.
An analysis of over 133,000 websites has found that 37 percent of them have at least one JavaScript library with a known vulnerability.
Researchers from Northeastern University have followed up on research in 2014 that drew attention to potential security risks caused by loading outdated versions of JavaScript libraries, such as jQuery and the AngularJS framework, in the browser.
As the Northeastern researchers highlight in a new paper, vulnerable libraries can be dangerous under the right conditions, pointing to an old cross-site scripting bug in jQuery, which will allow an attacker to inject malicious scripts into a vulnerable site.
http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf
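As an added example, neither the Northeastern researchers’ tooling nor anything from the ZDNet article, here is the kind of check tools such as retire.js perform: pull every script src out of a page, recover the library name and version from the URL, and compare against a table of fixed-in versions. The page content is constructed, and the FIXED_IN thresholds are placeholders standing in for a real advisory feed; they are not a vulnerability database.

```python
"""Flag outdated JavaScript libraries referenced by an HTML page.

Added illustration of a retire.js-style check.  The HTML below is
constructed, and FIXED_IN holds placeholder thresholds only: swap in a real
advisory feed before relying on the result.
"""
import re

# Placeholder thresholds: versions below these are reported as outdated.
# Illustrative only, NOT real advisory data.
FIXED_IN = {
    "jquery": (1, 9, 0),
    "angular": (1, 6, 0),
}

# Every <script ... src="..."> (or src='...'), tag may span lines.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Version forms commonly seen in script URLs:
#   jquery-1.8.3.min.js          angular.js/1.4.9/angular.min.js
#   jquery/3.1.1/jquery.min.js   jquery.js?ver=1.12.4
VERSION_IN_PATH = re.compile(
    r"(?P<lib>jquery|angular)(?:\.js)?[-./](?P<ver>\d+\.\d+\.\d+)", re.I)
VERSION_IN_QUERY = re.compile(
    r"(?P<lib>jquery|angular)[^?]*\?(?:[^#]*&)?ver=(?P<ver>\d+\.\d+\.\d+)", re.I)


def parse_version(text):
    """'1.12.4' -> (1, 12, 4); tuples compare numerically, so 1.12 > 1.9."""
    return tuple(int(part) for part in text.split("."))


def find_libraries(html):
    """Return [(library, version_tuple, src)] for each recognised script URL."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        for pattern in (VERSION_IN_PATH, VERSION_IN_QUERY):
            m = pattern.search(src)
            if m:
                found.append((m.group("lib").lower(), parse_version(m.group("ver")), src))
                break
    return found


def outdated_libraries(html, fixed_in=FIXED_IN):
    """Return [(library, version_string, src)] for scripts below the threshold."""
    return [
        (lib, ".".join(map(str, ver)), src)
        for lib, ver, src in find_libraries(html)
        if lib in fixed_in and ver < fixed_in[lib]
    ]


# Constructed page: two old libraries, one current one, one unversioned bundle.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-1.8.3.min.js"></script>
<script src="/assets/angular.js/1.4.9/angular.min.js"></script>
<script type="text/javascript"
        src='/wp-includes/js/jquery/jquery.js?ver=3.1.1'></script>
<script src="/js/app.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for lib, ver, src in outdated_libraries(SAMPLE_HTML):
        print(f"{lib} {ver} is below the fixed-in version: {src}")
```

The hard part in practice is the version extraction: the same library turns up as jquery-1.8.3.min.js on one site, under a versioned CDN directory on another and as a ?ver= query string on a third, while a site’s own bundles hide the version entirely, which is why retire.js also fingerprints file contents rather than trusting URLs alone.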
Tomi Engdahl says:
Kate Conger / TechCrunch:
Under pressure from ACLU, Facebook updates its platform policies to explicitly prohibit devs from using Facebook or Instagram data in surveillance tools — In response to pressure from the American Civil Liberties Union, Color of Change and the Center for Media Justice …
Facebook tells developers to not use data for surveillance
https://techcrunch.com/2017/03/13/facebook-tells-developers-not-use-data-for-surveillance/
In response to pressure from the American Civil Liberties Union, Color of Change and the Center for Media Justice, Facebook announced today that it will clarify its developer policy to explicitly prohibit the use of Facebook or Instagram data in surveillance tools.
The ACLU has revealed several instances of developers using information gleaned from Facebook’s APIs to create surveillance tools for law enforcement, and each time, Facebook has decided to revoke access to its data. In October, reporting by the ACLU uncovered the use of data from Facebook, Instagram and Twitter in the surveillance software Geofeedia, which culled protesters’ posts from the social media platforms and sold them to law enforcement. Twitter also cut access last year to social media monitoring firms Snaptrends and Media Sonar, the latter of which tracked hashtags like #BlackLivesMatter and #IAmMikeBrown to identify activists.
Facebook has contended that this kind of surveillance is already against its policies. But its policy was revamped today to state that developers can’t “use data obtained from us to provide tools that are used for surveillance.” Twitter made a similar declaration in November.
Facebook has cut ties with a few developers that make surveillance tools, and worked with several others to bring their apps into compliance with the policy.
“Social media platforms are a powerful tool for Black people to draw attention to the injustices our community faces,” said Color of Change’s campaign director Brandi Collins.
Tomi Engdahl says:
Kim Zetter / The Intercept:
RAND study: 200 privately discovered zero-day flaws lasted an average of 6.9 years before public disclosure
Malware Attacks Used by the U.S. Government Retain Potency for Many Years, New Evidence Indicates
https://theintercept.com/2017/03/10/government-zero-days-7-years/
A new report from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.
The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.
Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.
Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.
“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for [in the gray market] — are likely old,”
Tomi Engdahl says:
Michael Liedtke / Associated Press:
On February 1, Verizon sought a $925M discount on Yahoo purchase, before settling for a $350M price cut, according to a regulatory filing
Verizon sought $925 million penalty for Yahoo’s lax security
http://customwire.ap.org/dynamic/stories/U/US_TEC_YAHOO_EXECUTIVES?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2017-03-13-13-49-37
Verizon initially thought the biggest data breaches in internet history merited a $925 million discount on its acquisition of Yahoo’s online services, nearly three times more than the two companies finally agreed upon.
Yahoo disclosed new details about its negotiations with Verizon in a regulatory filing Monday. The filing doesn’t say why Verizon relented on its original demand, issued on Feb. 1. Verizon ultimately accepted Yahoo’s offer to trim the sale price by $350 million instead.
The companies struck a $4.83 billion deal last July, but re-opened talks after Yahoo revealed that personal information had been stolen from more than 1 billion of its users in two separate hacking attacks in 2013 and 2014. The discount reflects concerns that people might decrease their use of Yahoo email and other digital services that Verizon is buying, reducing opportunities to show ads.
Tomi Engdahl says:
New Malware Variants Near Record-Highs: Symantec
http://www.securityweek.com/new-malware-variants-near-record-highs-symantec
The number of new malware variants that emerged in February 2017 was three times higher compared to January, nearly reaching the record-high levels registered in October 2016, Symantec reports.
Last month the security company registered 94.1 million malware variants, which marks a worrying increase when compared to the 32.9 million seen in January and only 19.5 million in December. Furthermore, Symantec’s Latest Intelligence for February 2017 reveals that the Kovter malware family is the driving force behind this uptick.
https://www.symantec.com/connect/blogs/latest-intelligence-february-2017
Tomi Engdahl says:
UK Intelligence Agency Warns of Russian Political Hacking Capabilities
http://www.securityweek.com/uk-intelligence-agency-warns-russian-political-hacking-capabilities
The UK’s National Cyber Security Centre (NCSC, part of GCHQ) has written to the British political parties to warn about “the potential for hostile action against the UK political system.” Without confirming that the main threat is from Russia, the letter makes it clear that the primary threat is considered to be that country.
In a similar vein, the British Foreign Secretary Boris Johnson said on national television Sunday, “We have no evidence the Russians are actually involved in trying to undermine our democratic processes at the moment. We don’t actually have that evidence. But what we do have is plenty of evidence that the Russians are capable of doing that.”
Tomi Engdahl says:
Post Breach Identity Theft Monitoring: Too Little Too Late
http://www.securityweek.com/post-breach-identity-theft-monitoring-too-little-too-late
Breached Companies Must get Ahead of Attacks and Provide Security that Protects Victims Before they are Victimized Again
We have all seen this story play out so many times: A company suffers a massive breach exposing thousands or millions of their customer’s personal information, which effectively compromises trust in the organization and their established security methods. The company responds by talking about how incredibly sophisticated the attackers were, and then they offer identity or credit monitoring services to the victims. Providing this service makes the company look like it is taking care of its customers, but it is really just a cheap PR ploy with little effect. I rant and rave in my cubicle every time this happens.
First, we all know that the company’s information was actually taken by a basic phishing attack using well-known exploits. Second, we know, and they know, that the protection the company is offering will do almost nothing to help their affected customers. The public should demand more.
Consider what these monitoring services actually do. While there are many different vendors, they all provide the same basic set of services: monitoring and insurance. In some cases, they partner with major security companies to provide the same protection that you can usually get for free elsewhere.
The real problem is that credit-based attacks are infrequent when compared to other crimes following a major breach. Use of stolen credit cards, phishing, and account takeover are far more prevalent, yet, are essentially invisible from the monitoring program.
Tomi Engdahl says:
Big Data: Noise, or Actionable Cyber Security Info?
http://www.securityweek.com/big-data-noise-or-actionable-cyber-security-info
You Can’t Respond to Big Data with Big Collection…
What do we know for certain? We know that today’s security tools are detecting huge numbers of potential security events, culling massive amounts of data that analysts are expected to then comb through and utilize to connect the dots.
Security analysts are collecting all events, but are struggling to filter out non-relevant signals in an attempt to isolate the important events from the rest of the noise.
Bad idea.
Large organizations continue to be breached, with slow-moving investigations taking even 100 days or more just to recognize the initial breach. Bottom line: organizations have labored for years now to address Big Data’s implications –with too few effective results to show for it.
You just can’t respond to Big Data with Big Collection. Why? The problem with collecting and analyzing everything is that it requires huge amounts of computerized resources, which dramatically slows down the analyses of these systems. The unintended consequence: more false positives, because when a system needs to work with so much noise, its error rate increases.
There is simply no way to “carefully” select the relevant data and then analyze it.
What’s more – even if a head-count is at all effective, the sheer number of people necessary to analyze these inputs is extremely expensive and far from cost effective. Without scaling, there’s no effective way to analyze so much information in real-time. What that means is important security events or threats are routinely missed – drowned out in the sea of information generated by all the data.
As real attacks go unnoticed, and analysis and overall response time are slowed, organizations are typically investigating the past, rather than tackling the present.
CSOs are frustrated. Their CEOs insist that they identify all possible threats to their business, mitigate them in real-time, and do so within budget constraints. It’s a seemingly impossible mission.
The New Paradigm
In truth, some security tools are suited for certain types of attack vectors and are dysfunctional when it comes to others. For example, don’t count on IDS or reputation-system capabilities from a sandbox tool (many sandbox products have integrated IDS and reputation feeds which are far from best of breed in these areas). The reverse is also true – don’t trust IPS devices for all cases, as some are better for privilege escalation because their research teams have been more focused on these threat vectors, while others are better at DoS or buffer overflow attack vectors.
The key is to understand and rate the capabilities of each security tool, including their detection capabilities, investigation functions, and mitigation/remediation capabilities.
Once this has been ascertained, a layer of intel that allows each step of an attack to be identified and its intent understood – and then correlating them with the most optimal security response (i.e., the features within the best-rated tools) becomes possible… and would go a long way towards solving the Big Data problem of plenty.
The advantages of this process are enormous. It allows for the collection of data from tools that are best able to triumph over the most pressing threats. This means rather than blindly collecting all data points – which does nothing to reduce the noise level – we should be gathering higher quality data.
Tomi Engdahl says:
The Connected Toy Conundrum Is Beginning to Boil
http://www.securityweek.com/connected-toy-conundrum-beginning-boil
The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong—up until the moment you are right.
When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked (including pictures of and data about children), I predicted that the breach would be a tipping point for security and privacy issues with connected toys. My thesis was based on the notion that nothing stirs the emotions faster than concerns over the privacy and safety of children.
My prediction didn’t get any traction. Just as I was beginning to embrace the notion that I was wrong, a string of recent events may prove that I was just early.
Smart toy security troubles are on the rise
In mid-February, it was reported that Germany’s Federal Network Agency issued a warning to parents about the “My Friend Cayla” doll. The agency, which oversees telecommunications in Germany, advised parents to destroy the doll because it collects and transmits conversations with children.
In early March, it was reported that toymaker Spiral Toys had been hacked, exposing data from over 800,000 users. The data contained personalized voice messages, pictures, and other data collected via Internet-connected teddy bears and the associated smartphone apps.
Securing smart devices goes beyond toy manufacturers
As I have said repeatedly, the term “connected device” should immediately provoke questions such as “to what?”, “for what purpose?”, and “with what level of protection for the data?”
I do not believe that there is malicious intent on the part of the toy manufacturers. They are looking for an angle to sell toys, and IoT and connected devices are hot topics.
It’s time to take IoT security and privacy seriously
Privacy is an ephemeral subject, particularly in the United States. Other countries take a much more pronounced interest in privacy, where I believe Americans have become numb to the subject after selling our privacy souls for free cell phones. However, the basic, immutable law is simple and must be recognized by consumers: If something is IoT or connected it collects data and that data goes somewhere and is stored. While seemingly benign, that data may combine sensitive information—which can be stolen.
The tipping point may have just arrived. On March 6, Consumer Reports announced that they are “launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy”. Consumer Reports hopes to push a new open-source standard that addresses privacy and security concerns for connected consumer devices.
Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security
CR partners with other cyber experts, creating a new open-source industry standard to make connected devices safer
http://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/
Tomi Engdahl says:
A Map Of Wireless Passwords From Airports And Lounges Around The World (Updated Regularly)
https://foxnomad.com/2016/04/26/map-wireless-passwords-airports-lounges-around-world-updated-regularly/
Finding an open wireless connection in many airports isn’t always easy, or possible, without a password (or local phone number which is stupid). The difficulty of getting online is why I asked you for and created an always-up-to-date list of airport wireless passwords around the world. You’ve been sending me your tips regularly and I post on the foXnoMad Facebook page when there’s a new password or airport added.
https://www.google.com/maps/d/viewer?mid=1Z1dI8hoBZSJNWFx2xr_MMxSxSxY&ll=16.914334595056097%2C43.70741135000003&z=2
Tomi Engdahl says:
Hack targets a Canadian government website
Sensitive data was safe, but the timing couldn’t have been much worse.
https://www.engadget.com/2017/03/13/hack-targets-canadian-government-website/
The Canadian government just suffered an embarrassing online security breach… although it wasn’t as bad as it could have been. Officials temporarily took down key parts of two government websites, the tax-oriented Canada Revenue Agency and Statistics Canada, for days after discovering that an unknown entity hacked the statistics bureau’s website. The intruders took advantage of a recent vulnerability in Apache web server software to get in. While the CRA site wasn’t attacked, it shared the same vulnerabilities — the government took down its pages (including online filing and payment systems) as a precaution while applying patches.
The government stresses that the culprit didn’t take any personal or secret information, which would have been extremely damaging for the CRA given its tax role. However, the downtime resulting from the attack couldn’t have come at a worse time for the government and residents alike. The Canadian government’s fiscal year wraps up at the end of March, and most people have to file taxes a month later. If you needed to file taxes early or were hunting for stats to finish a report, you were stuck until officials gave the all clear.
Tomi Engdahl says:
The Most Striking Thing About the WikiLeaks CIA Data Dump Is How Little Most People Cared
https://politics.slashdot.org/story/17/03/13/1840200/the-most-striking-thing-about-the-wikileaks-cia-data-dump-is-how-little-most-people-cared
Last week, WikiLeaks released a trove of web pages describing sophisticated software tools and techniques used by the C.I.A. to break into smartphones, computers, and IoT devices including smart TVs. Despite the initial media coverage, it appears normal people don’t really care much about it, reports Quartz.
“There’s also one other big difference between now and 2013. Snowden’s NSA revelations sent shockwaves around the world. Despite WikiLeaks’ best efforts at theatrics — distributing an encrypted folder and tweeting the password “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds” — the Vault 7 leak has elicited little more than a shrug from the media and the public,”
The most striking thing about the WikiLeaks CIA data dump is how little most people cared
https://qz.com/930512/the-most-striking-thing-about-the-wikileaks-cia-data-dump-is-how-little-most-people-cared/
Tomi Engdahl says:
Brit infosec’s greatest threat? Thug malware holding nation’s devices to ransom – report
And cheap IoT kit’s not helping matters
https://www.theregister.co.uk/2017/03/14/cyber_security_agencies_ransomware_warning/
The National Crime Agency and newly formed National Cyber Security Centre joint report on cybercrime unsurprisingly names ransomware as the top internet menace.
The report notes that ransomware is a “significant and growing” risk, with file-encrypting malware posing a threat to a greater range of kit beyond PCs. Smartphones, connected devices, wearables and even TVs are also at risk. Distributed Denial of Service (DDoS) attacks are also becoming more aggressive.
David Mount, director, security consulting EMEA at Micro Focus, said: “As this report demonstrates, the IoT is ushering in a new era in security terms. It’s positive that issues like ransomware and IoT security are now part of the national conversation, but we still have a long way to go to encourage connected tech companies to build security into IoT products from the start. All too often device vendors prioritise usability and customer experience over security, and that is putting consumers and businesses at risk. Quite simply, IoT security can no longer be treated as an afterthought.”
Malcolm Murphy, technology director Western Europe at Infoblox, added: “Ransomware was a dominating trend in cyber-crime in 2016 and is only set to increase, with its commoditisation through cyber-crime toolkits allowing even the most novice criminal to deploy it.”
“Many Internet of Things manufacturers may be contributing to this rise by not prioritising security when building their devices [for example] many are being produced with predictable passwords that cannot easily be changed.”
Tomi Engdahl says:
Facebook, Instagram: No, you can’t auto-slurp our profiles (cough, cough, border officials)
Mining social media accounts is our job, Uncle Sam
https://www.theregister.co.uk/2017/03/13/facebook_social_media_surveillance/
Facebook and its snap-sharing app Instagram have updated their terms and conditions to bar developers from scanning profiles for surveillance purposes.
On Friday a report from the US Department of Homeland Security (DHS) showed that border patrol officers had tried automatically scanning visa applicants’ social media profiles to catch terrorists. The DHS boffins admitted their software didn’t work properly, and that it was looking for companies to help improve the system.
With all that government contractor cash floating around, development outfits are no doubt gearing up to cash in. But they’ll have to do it without Facebook and Instagram’s data feeds.
“Developers cannot ‘use data obtained from us to provide tools that are used for surveillance.’ Our goal is to make our policy explicit,” Facebook said.
Tomi Engdahl says:
Amar Toor / The Verge:
Germany’s justice minister introduces draft law proposing fines of up to $53M on social media companies that fail to remove hate speech — Justice ministry says Facebook and Twitter are still failing to quickly remove illegal content reported by users — The German Justice Ministry …
Germany considers 50 million euro fines for social media companies that fail to remove hate speech
http://www.theverge.com/2017/3/14/14920812/germany-facebook-twitter-hate-speech-fine-law
Justice ministry says Facebook and Twitter are still failing to quickly remove illegal content reported by users
Tomi Engdahl says:
MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
Security flaws smash worthless privacy protection
http://www.theregister.co.uk/2017/03/10/mac_address_randomization/
To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there’s a technique known as MAC address randomization. This replaces the number that uniquely identifies a device’s wireless hardware with randomly generated values.
In theory, this prevents scumbags from tracking devices from network to network
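How a randomized Wi-Fi address is built and how an observer can tell it apart from a burned-in one, as an added example that is not part of the article above. In IEEE 802 addressing, bit 0 of the first octet is the I/G (multicast) flag and bit 1 is the U/L (locally administered) flag; a randomized address must clear the first and set the second so it never collides with a vendor-assigned OUI. The probe log in PROBE_LOG is a constructed sample, and the assumption that a device falls back to its global hardware address when it associates is an assumption of this example, not a finding stated on this page.

```python
"""Generate, classify and audit Wi-Fi MAC addresses (added example)."""
import os

# First-octet flags defined by IEEE 802 (these two bits are standard, not an assumption).
IG_BIT = 0x01   # set = group/multicast address
UL_BIT = 0x02   # set = locally administered (not a vendor OUI)


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; raise on anything else."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def random_mac(rng=os.urandom) -> str:
    """Draw 6 random bytes and force them into a valid randomized unicast address."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | UL_BIT) & ~IG_BIT & 0xFF   # set U/L, clear I/G
    return format_mac(bytes(raw))


def classify(mac: str) -> str:
    """'multicast', 'randomized' (locally administered unicast) or 'global' (vendor OUI)."""
    first = parse_mac(mac)[0]
    if first & IG_BIT:
        return "multicast"
    return "randomized" if first & UL_BIT else "global"


# Constructed sample capture (assumption, not real data): seconds, transmitter MAC, frame type.
PROBE_LOG = [
    (0.0, "da:a1:19:2c:9b:01", "probe-req"),   # randomized address while scanning
    (0.4, "da:a1:19:2c:9b:01", "probe-req"),
    (1.2, "f6:5c:89:7e:10:22", "probe-req"),   # another randomized scanner
    (3.0, "3c:15:c2:aa:bb:cc", "assoc-req"),   # assumed: device associates with its global address
    (5.5, "00:1a:2b:3c:4d:5e", "probe-req"),   # device that does not randomize at all
]


def trackable_addresses(log):
    """Global (vendor-assigned) addresses seen on the air: these identify the hardware
    across networks, whatever the device did while it was randomizing."""
    return sorted({mac for _, mac, _ in log if classify(mac) == "global"})


if __name__ == "__main__":
    print("fresh randomized address:", random_mac())
    for _, mac, frame in PROBE_LOG:
        print(f"{mac}  {frame:10s}  {classify(mac)}")
    print("trackable:", trackable_addresses(PROBE_LOG))
```

The audit function is the check a practitioner actually wants: on a real capture, any global address a handset transmits defeats randomization for that device regardless of how well its probe requests were randomized.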
Tomi Engdahl says:
Cybercriminals Hijack Magento Extension to Steal Card Data
http://www.securityweek.com/cybercriminals-hijack-magento-extension-steal-card-data
Cybercriminals have been abusing a payment module to steal credit card data from online shops powered by the Magento ecommerce platform, web security firm Sucuri reported on Friday.
The targeted module is the Realex Payments Magento extension (SF9), which integrates with the Realex Realauth Remote payment gateway. The Realex Payments extension allows Magento store owners to process mail and telephone orders by entering the payment details themselves.
Tomi Engdahl says:
Researchers Infiltrate C&C Server Behind CryptoBlock Ransomware
http://www.securityweek.com/researchers-infiltrate-cc-server-behind-cryptoblock-ransomware
A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.
According to researchers from Malwarebytes Labs, who managed to gain access to the malicious server, the ransomware appears to still be under development at the moment, but is believed to have the potential of becoming a major threat. The malicious operation could even evolve into a RaaS (Ransomware as a Service), the researchers believe.
Tomi Engdahl says:
Enterprises Infected By Pre-installed Android Malware
http://www.securityweek.com/enterprises-infected-pre-installed-android-malware
Android devices containing pre-installed malware were recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.
A new report from Check Point reveals a variety of malware, mostly comprised of info-stealers and sketchy ad networks, though a mobile ransomware family was also discovered among them. What’s also interesting is that the malware was present on the infected devices before the users received them, although it wasn’t part of the official ROM the vendors supplied.
Tomi Engdahl says:
Financial Attackers as Sophisticated as Nation-State Groups: FireEye
http://www.securityweek.com/financial-attackers-sophisticated-nation-state-groups-fireeye
Financially motivated attackers have become just as sophisticated as threat actors sponsored by nation states, according to the 2017 M-Trends report published on Tuesday by FireEye-owned Mandiant.
The report, which is based on data from actual incidents investigated by the company, shows that profit-driven cybercriminals have become increasingly sophisticated over the past few years.
Until 2013, cybercriminals mostly launched what experts described as “smash and grab” attacks – little effort was put into hiding their actions and maintaining access to the breached system. In the following years, the line between the level of sophistication exhibited by financial attackers and nation-state actors became increasingly blurry, and now researchers say that line no longer exists.
Financially motivated hackers went from using web shells and Perl2Exe compiled binaries with a limited command and control (C&C) infrastructure to using custom backdoors tailored to the targeted system and leveraging legitimate websites for C&C communications.
Retailers can be highly lucrative targets, especially since many of them fail to ensure that their networks are segmented, allowing attackers to breach the entire PCI environment once they have gained access to PoS systems in one location.
Since these attacks can be lucrative, cybercriminals put a lot of effort into them.
Cybercriminals also leveraged sophisticated techniques to evade detection and ensure persistence.
“With an increased willingness of both nation-state and financial threat actors to operate increasingly blatant business disruption, extortion, and public disclosure attacks, fundamental protections such as data and key application segregation, network segmentation, and continuous visibility and monitoring of critical systems have returned to prominence and should remain a primary focus for many IT and security teams,” experts said in the report.
Tomi Engdahl says:
Home Depot to Pay Banks $25 Million for 2014 Breach
http://www.securityweek.com/home-depot-pay-banks-25-million-2014-breach
Home Depot has agreed to pay $25 million to the financial institutions affected by the massive data breach suffered by the retailer in 2014, when cybercriminals managed to steal email addresses and payment card data belonging to more than 50 million customers.
The retail giant will create a $25 million settlement fund that will be distributed among affected financial institutions.
Organizations that submit claims can receive $2 for each of the payment cards for which they received alerts as a result of the breach, without providing any documentation. Companies that do provide documentation can recover up to 60 percent of losses.
Tomi Engdahl says:
Google Blocks Sophisticated Android Botnet
http://www.securityweek.com/google-blocks-sophisticated-android-botnet
Google recently discovered and blocked a sophisticated fraud botnet that was being distributed through multiple channels and which employed several methods to avoid detection.
Dubbed Chamois, the botnet was one of the largest Potentially Harmful Application (PHA) families seen on Android to date, and could remain persistent on infected devices by not showing in the application list at all. The malicious program was also capable of generating revenue by engaging in numerous activities, Google says.
The malicious apps based on Chamois that Google analyzed could generate invalid traffic through ad pop-ups by displaying deceptive graphics inside the ads; could perform artificial app promotion by automatically installing apps in the background; could perform telephony fraud by sending premium text messages; and could also download and execute additional plugins on the compromised devices.
Tomi Engdahl says:
This WAV File Can Confuse Your Fitbit
http://hackaday.com/2017/03/15/this-wav-file-can-confuse-your-fitbit/
As the devices with which we surround ourselves become ever more connected to the rest of the world, a lot more thought is being given to their security with respect to the internet. It’s important to remember though that this is not the only possible attack vector through which they could be compromised. All devices that incorporate sensors or indicators have the potential to be exploited in some way, whether that is as simple as sniffing the data stream expressed through a flashing LED, or a more complex attack.
Researchers at the University of Michigan and the University of South Carolina have demonstrated a successful attack against MEMS accelerometers such as you might find in a smartphone. They are using carefully crafted sound waves, and can replicate at will any output the device should be capable of returning.
It’s Possible to Hack a Phone With Sound Waves, Researchers Show
https://www.nytimes.com/2017/03/14/technology/phone-hacking-sound-waves.html?_r=0
A security loophole that would allow someone to add extra steps to the counter on your Fitbit monitor might seem harmless. But researchers say it points to the broader risks that come with technology’s embedding into the nooks of our lives.
On Tuesday, a group of computer security researchers at the University of Michigan and the University of South Carolina will demonstrate that they have found a vulnerability that allows them to take control of or surreptitiously influence devices through the tiny accelerometers that are standard components in consumer products like smartphones, fitness monitors and even automobiles.
In their paper, the researchers describe how they added fake steps to a Fitbit fitness monitor and played a “malicious” music file from the speaker of a smartphone to control the phone’s accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car.
“It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words”
With dozens of start-ups and large transportation companies pushing to develop self-driving cars and trucks, undetected vulnerabilities that might allow an attacker to remotely control vehicles are an unnerving possibility.
Tomi Engdahl says:
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web
http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf
Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. However, if not properly maintained, such dependencies can create attack vectors allowing a site to be compromised. In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133 k websites, we show that 37 % of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured in the order of years.
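The kind of inventory the paper's measurement rests on, as an added example that is not the paper's own tooling: pull every `<script src>` out of a page, recognise the library and version from the file name or CDN path, and flag anything below a floor. The MIN_VERSION table is an assumed policy, not advisory data from the paper or from the libraries, and SAMPLE_HTML is a constructed page; a real audit would fill the table from each library's own security releases.

```python
"""Offline audit of third-party JavaScript library versions in a page (added example)."""
import re
from html.parser import HTMLParser

# Assumption: lowest version the site owner still accepts. Not taken from any advisory.
MIN_VERSION = {
    "jquery": (3, 0, 0),
    "angular": (1, 6, 0),
    "bootstrap": (3, 4, 0),
}
LIBS = "|".join(MIN_VERSION)

# Version in the file name: jquery-1.8.3.min.js, bootstrap-3.4.1.js
FILE_RE = re.compile(rf"^(?P<name>{LIBS})[-.](?P<ver>\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js$", re.I)
# Version in a CDN directory: .../libs/jquery/3.2.1/jquery.min.js, .../angular.js/1.5.8/angular.js
PATH_RE = re.compile(rf"/(?P<name>{LIBS})(?:\.js)?/(?P<ver>\d+\.\d+(?:\.\d+)?)/", re.I)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for key, value in attrs:
                if key.lower() == "src" and value:
                    self.srcs.append(value)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def identify_library(src):
    """Return (name, version tuple) when src names a known library, else None."""
    path = src.split("?", 1)[0].split("#", 1)[0]        # drop cache-busting query/fragment
    match = FILE_RE.match(path.rsplit("/", 1)[-1]) or PATH_RE.search(path)
    if not match:
        return None
    return match.group("name").lower(), parse_version(match.group("ver"))


def audit_page(html):
    """One finding per recognised library include; 'outdated' is True below the floor."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        ident = identify_library(src)
        if ident is None:
            continue
        name, version = ident
        findings.append({
            "src": src,
            "library": name,
            "version": version,
            "outdated": version < MIN_VERSION[name],
        })
    return findings


# Constructed sample page (assumption): three recognisable includes and one first-party script.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://code.jquery.com/jquery-1.8.3.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angular.js/1.5.8/angular.min.js"></script>
<script src="/static/bootstrap-3.4.1.min.js?v=2"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML):
        status = "OUTDATED" if finding["outdated"] else "ok      "
        print(status, ".".join(map(str, finding["version"])).ljust(8), finding["src"])
```

Version strings are compared as integer tuples, so 1.10 correctly sorts above 1.9; the audit deliberately ignores scripts it cannot name rather than guessing, because an inlined or renamed copy of a library is exactly the case that needs a hash- or content-based check instead.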
Tomi Engdahl says:
Someone made a smart vibrator, so of course it got hacked
https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack
The We-Vibe 4 Plus is a vibrator with a computer inside it – but hackers say it also phones home, telling its makers when it’s being used
The Internet of Things That Can Be Hacked grows daily. Lightbulbs, trucks, and fridges all have computers inside them now, and all have been hacked by someone. But at least you don’t put those inside your body.
Two years ago, someone had the good idea to put a bluetooth connection inside a vibrator, and the We-Vibe 4 Plus was born. The vibrator can connect with a smartphone app that its makers say “allows couples to keep their flame ignited – together or apart”: that is, it can be controlled remotely, while, say, making a video call.
But at the Def Con hacking conference in Las Vegas, two independent hackers from New Zealand, who go by the handles goldfisk and follower, revealed that the way the vibrator speaks with its controlling app isn’t really secure at all – making it possible to remotely seize control of the vibrator and activate it at will.
Smart sex toy maker that collected vibrator usage habits without consent to pay customers $10,000 each
http://www.independent.co.uk/life-style/gadgets-and-tech/news/sex-toy-maker-we-vibe-smart-vibrators-pays-compensation-customers-for-data-collection-without-a7629071.html
Standard Innovation secretly gathered potentially sensitive information, including dates and times of use, temperature levels and changes in intensity
A sex toy maker has agreed to pay customers up to $10,000 each after allegations that it had collected data about its customers’ We-Vibe vibrator usage habits without their consent.
A demonstration at the Def Con hacking conference in August last year showed that the firm was secretly gathering potentially sensitive information about We-Vibe’s users, including dates and times of use, temperature levels and changes in intensity.
What’s more, this information was being stored on Standard Innovation’s servers, alongside customer’s email addresses.
At the time, the company claimed to have gathered the information for “market research purposes”
The company has now settled a class-action lawsuit filed by two anonymous women in the aftermath of the Def Con presentation, agreeing to destroy the information already collected through the vibrator and to stop collecting such data in the future.
Under the terms of the settlement, Standard Innovation will pay out $2.9 million, with customers who bought a We-Vibe before 26 September 2016 and used it with the app eligible to receive up to $10,000, and those who used it without the app entitled to $199.
Tomi Engdahl says:
Brian Womack / Bloomberg:
Source: Department of Justice to indict four people, one in Canada and three in Russia, in connection with 2013 Yahoo data breach
U.S. Plans to Charge Four People Over Yahoo Hacking
https://www.bloomberg.com/news/articles/2017-03-14/u-s-is-said-to-plan-indictments-related-to-yahoo-hacking
U.S. officials are planning to charge four people abroad related to the hacking attacks against Yahoo! Inc., according to a person briefed on the matter.
The Justice Department is accusing them of participating in massive online security breaches that compromised hundreds of millions of user accounts, said the person, who asked not to be identified because it was a sensitive legal matter. The hacks came to light last year and threatened to derail the sale of Yahoo’s web operations to Verizon Communications Inc.
Yahoo has been afflicted by two major breaches in recent years.
The company hasn’t been able to identify the intruders associated with the 2013 breach, according to a filing this month. Yahoo also has said it believes the thief in the 2014 hack was a “state-sponsored actor,” though two people familiar with the matter have said it wasn’t certain a nation-state was involved.
The hacks recently led to management changes at Yahoo.
Tomi Engdahl says:
Shona Ghosh / Business Insider:
Apple, Amazon, Microsoft, Cisco file amicus brief to help Google in its fight against a court order to hand over emails stored on a foreign server
Apple, Amazon, and Microsoft are helping Google fight an order to hand over foreign emails
http://www.businessinsider.com/apple-amazon-and-microsoft-are-helping-google-fight-an-order-to-hand-over-foreign-emails-2017-3?op=1&r=US&IR=T&IR=T
Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court ruled that the company had to hand over emails stored overseas in response to an FBI warrant.
An amicus brief is filed by people or companies who have an interest in the case, but aren’t directly involved. In this case, it’s in Silicon Valley’s interest to keep US law enforcement from accessing customer data stored outside the US.
In the brief, the companies argue: “When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States — in the place where the customers’ private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer’s consent.”
They claim that handing over foreign data “invites” other countries to demand emails from US citizens, stored on US soil, in the same way.
Tomi Engdahl says:
Nicole Casal Moore / University of Michigan News:
Researchers show how sound waves can exploit accelerometer vulnerabilities in a wide range of tech including IoT, cars, medical devices, and phones
Sonic cyber attack shows security holes in ubiquitous sensors
http://ns.umich.edu/new/multimedia/videos/24664-sonic-cyber-attack-shows-security-holes-in-ubiquitous-sensors
Sound waves could be used to hack into critical sensors in a broad array of technologies including smartphones, automobiles, medical devices and the Internet of Things, University of Michigan research shows.
The inertial sensors involved in this research are known as capacitive MEMS accelerometers. They measure the rate of change in an object’s speed in three dimensions.
It turns out they can be tricked. Led by Kevin Fu, U-M associate professor of computer science and engineering, the team used precisely tuned acoustic tones to deceive 15 different models of accelerometers into registering movement that never occurred. The approach served as a backdoor into the devices—enabling the researchers to control other aspects of the system.
“The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor,” Fu said. “Our findings upend widely held assumptions about the security of the underlying hardware.
The researchers performed several proof-of-concept demonstrations: They used a $5 speaker to inject thousands of fictitious steps into a Fitbit. They played a malicious music file from a smartphone’s own speaker to control the phone’s accelerometer trusted by an Android app to pilot a toy remote control car. They used a different malicious music file to cause a Samsung Galaxy S5′s accelerometer to spell out the word “WALNUT” in a graph of its readings.
All accelerometers have an analog core—a mass suspended on springs
“Analog is the new digital when it comes to cybersecurity,” Fu said. “Thousands of everyday devices already contain tiny MEMS accelerometers. Tomorrow’s devices will aggressively rely on sensors to make automated decisions with kinetic consequences.”
“If autonomous systems can’t trust their senses, then the security and reliability of those systems will fail.”
The trick Trippel and Fu introduced exploits the same phenomenon behind the legend of the opera singer breaking a wine glass. Key to that process is hitting the right note—the glass’ resonant frequency.
The researchers recommend ways to adjust hardware design to eliminate the problems. They also developed two low-cost software defenses that could minimize the vulnerabilities, and they’ve alerted manufacturers to these issues.
The paper is titled “WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks.”
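As an added illustration, not code from the University of Michigan team or the WALNUT paper, the Python model below shows the signal-processing side of the attack described above: an acoustic tone far above the sensor’s sample rate, once it reaches the analog core, is sampled well below its own frequency and aliases into the low-frequency band a step counter or flight controller actually reads, so the microprocessor sees “movement” that never happened. It then applies one of the low-cost software defences the team proposed, randomising the sample timing, which turns the aliased tone into broadband noise and leaves the genuine motion as the dominant component. The sample rate (100 Hz), the tone frequency (1003 Hz, standing in for a tone near the sensor’s resonance), the amplitudes, and the omission of the mechanical resonance gain are all assumptions of this toy model, and the 1 Hz “real motion” is constructed input.

```python
"""Toy model of acoustic injection into a MEMS accelerometer's sampled output.

Constructed example (not the WALNUT authors' code): genuine 1 Hz motion plus
an injected acoustic tone far above the sensor's sample rate. With uniform
sampling the tone aliases into the low-frequency band the application reads;
with randomised sample timing the aliased tone smears into noise and the
real motion is again the strongest component.
"""
import cmath
import math
import random

SAMPLE_RATE_HZ = 100.0   # assumed sensor output data rate
N_SAMPLES = 1000         # 10 s of data at that rate


def sample_sensor(true_motion, tone_hz, tone_amp, *, fs=SAMPLE_RATE_HZ,
                  n=N_SAMPLES, randomize=False, seed=0):
    """Return n samples of true_motion(t) + injected tone.

    true_motion: callable t -> acceleration (m/s^2)
    tone_hz, tone_amp: the acoustic tone as seen by the analog front end
        (any resonance gain is folded into tone_amp; this simplification is
        an assumption of the model, not the paper's physics)
    randomize: jitter each sample instant uniformly within one sample period,
        i.e. the randomised-sampling software defence
    """
    rng = random.Random(seed)
    period = 1.0 / fs
    samples = []
    for i in range(n):
        t = i * period
        if randomize:
            t += rng.uniform(0.0, period)
        samples.append(true_motion(t) + tone_amp * math.sin(2 * math.pi * tone_hz * t))
    return samples


def dominant_frequency(samples, fs=SAMPLE_RATE_HZ):
    """Frequency (Hz) of the strongest non-DC DFT bin (pure-Python O(N^2))."""
    n = len(samples)
    best_k, best_power = 1, -1.0
    for k in range(1, n // 2):
        w = cmath.exp(-2j * math.pi * k / n)  # per-bin twiddle factor
        z = 1 + 0j
        acc = 0j
        for x in samples:
            acc += x * z
            z *= w
        power = abs(acc) ** 2
        if power > best_power:
            best_k, best_power = k, power
    return best_k * fs / n


def real_motion(t):
    """Genuine 1 Hz, 1 m/s^2 movement (constructed input)."""
    return 1.0 * math.sin(2 * math.pi * 1.0 * t)


def demo():
    """Dominant frequency seen by the application with and without the defence."""
    tone_hz = 1003.0   # assumed: 10 * fs + 3 Hz, so it aliases to 3 Hz
    tone_amp = 2.0     # assumed: louder than the real motion after resonance
    uniform = sample_sensor(real_motion, tone_hz, tone_amp)
    jittered = sample_sensor(real_motion, tone_hz, tone_amp, randomize=True)
    return dominant_frequency(uniform), dominant_frequency(jittered)


if __name__ == "__main__":
    f_uniform, f_jittered = demo()
    print(f"uniform sampling:    dominant {f_uniform:.1f} Hz (aliased injected tone)")
    print(f"randomised sampling: dominant {f_jittered:.1f} Hz (genuine motion)")
```

The point a practitioner should take from the model is that no amount of filtering on the digital side distinguishes the 3 Hz alias from real 3 Hz motion once the samples exist; the defence has to change how or when the analog value is sampled, which is why the team’s fixes sit at the hardware and driver level rather than in the app consuming the readings.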
Tomi Engdahl says:
Tess Townsend / Recode:
Google fixes an Allo glitch that let Google Assistant reveal to friends your previous searches
Google’s Allo app can reveal to your friends what you’ve searched
The mobile messaging app lets you include Google Assistant in conversations.
http://www.recode.net/2017/3/13/14912394/google-allo-search-history-privacy-messaging-app
Tomi Engdahl says:
Joe Rossignol / MacRumors:
Apple hires respected forensics and security expert Jonathan Zdziarski for its Security Engineering and Architecture team
Apple Hires iPhone Security Expert Jonathan Zdziarski
https://www.macrumors.com/2017/03/14/apple-hires-jonathan-zdziarski/
iPhone forensics expert, security researcher, and former jailbreak community developer Jonathan Zdziarski today announced he has accepted a position with Apple’s Security Engineering and Architecture team. He did not reveal his official starting date or responsibilities at the company.
Tomi Engdahl says:
Hacking Victim Can’t Sue Foreign Government For Hacking Him On US Soil, Says Court
https://yro.slashdot.org/story/17/03/15/0521225/hacking-victim-cant-sue-foreign-government-for-hacking-him-on-us-soil-says-court
According to Motherboard, a court of appeals in Washington D.C. ruled that an American citizen can’t sue the Ethiopian government for hacking into his computer and monitoring him with spyware. “The decision on Tuesday is a blow to anti-surveillance and digital rights activists who were hoping to establish an important precedent in a widely documented case of illegitimate government-sponsored hacking.”
In late 2012, the Ethiopian government allegedly hacked the victim, an Ethiopian-born man who goes by the pseudonym Kidane for fear of government reprisals. Ethiopian government spies from the Information Network Security Agency (INSA) allegedly used software known as FinSpy to break into Kidane’s computer, secretly record his Skype conversations and steal his emails.
Court Says Hacking Victim Can’t Sue a Foreign Government For Hacking Him on US Soil
https://motherboard.vice.com/en_us/article/judge-says-hacking-victim-cant-sue-a-foreign-government-for-hacking-him-on-us-soil
Digital rights activists sued Ethiopia in what they hoped could become a landmark case against government spyware.
A court of appeals in Washington D.C. ruled that an American citizen can’t sue the Ethiopian government for hacking into his computer and monitoring him with spyware.
The decision on Tuesday is a blow to anti-surveillance and digital rights activists who were hoping to establish an important precedent in a widely documented case of illegitimate government-sponsored hacking. Kidane, an Ethiopian dissident, is just one of many cases where governments have used spyware created by Western companies to target activists or journalists.
“If a foreign government can send a robot via software or physical [means] into the United States,” Cardozo said, paraphrasing something the EFF director Cindy Cohn said, “this opinion gives foreign governments complete immunity for whatever their robots do within the United States.”
The U.S. Court of Appeals for the District of Columbia Circuit ruled that Kidane didn’t have jurisdiction to sue the Ethiopian government in the United States.
For Cardozo and the EFF, the court is simply wrong.
“Our client was in the United States the whole time. What Ethiopia did to my client, they did to him in his living room in Maryland. They didn’t do it in Ethiopia, they didn’t do it in London. They did it in Maryland,” Cardozo said.
Tomi Engdahl says:
More Brits’ IDs stolen than ever before
And the fraudsters making bank applications are doing so online
https://www.theregister.co.uk/2017/03/15/uk_id_theft_surge/
UK identity fraud has hit its highest recorded levels, according to a new report.
Fraud prevention service Cifas recorded 172,919 identity frauds in 2016, more than in any previous year. Identity fraud now represents over half (53.3 per cent) of all fraud recorded by the UK’s not-for-profit fraud data sharing organisation.
Nine out of 10 fraudulent applications for bank accounts and other financial services were made online, Cifas reports.
Identity fraud happens when a fraudster poses as the innocent victim and attempts to buy a product or take out a loan in their name. Often victims do not even realise that they have been targeted until a bill arrives for something they did not buy or they experience problems with their credit rating.
Cifas reports a growing number of young people are falling victim to identity theft. Last year brought in 25,000 ID theft victims under 30, and a 34 per cent increase in under 21s. The fraud prevention service has repeated its call for better education around fraud and financial crime as well as urging young people to be vigilant about protecting their personal data.
It’s not only young people at risk. Last year saw increases in ID theft from victims aged over 40, with 1,869 more victims recorded by Cifas members.
“Identity fraud is the key to unlocking your valuables. Things like weak passwords or not updating your software are the same as leaving a window or door unlocked,”
Tomi Engdahl says:
Twitter app pwned by pro-Turkey hackers: Users’ accounts sling ‘Nazi’ slurs
Something Erdogan, something something cardigan
https://www.theregister.co.uk/2017/03/15/twitter_app_hack/
A hack against the Counter third-party Twitter app was used to push propaganda messages containing swastikas through numerous high profile accounts on Wednesday.
The propaganda messages (screenshot below) labelled both Germany and the Netherlands as “Nazis” over the two European nations’ recent dealings with Turkey. Both countries have denied permission for Turkish ministers to speak about a forthcoming Turkish referendum on presidential powers at local rallies of Turkish expatriates.
Twitter Counter – a third-party app which licenses the Twitter name – admitted that a breach to its service was likely behind the trolling incident.
“We’re aware that our service was hacked and have started an investigation into the matter. We’ve already taken measures to contain such abuse,”
Victims of purloined access to their accounts include infosec pundit Graham Cluley, German football club Borussia Dortmund and numerous others.
Tomi Engdahl says:
Facebook, Google slammed for ‘commercial prostitution’
MPs accuse social media firms of profiting from hate
https://www.theregister.co.uk/2017/03/15/twitter_facebook_and_google_slammed_for_commercial_prostitution_by_mps/
Google, Twitter and Facebook were hauled over the coals by MPs yesterday in a select committee hearing in which they were accused of “having no shame” and engaging in “commercial prostitution”.
The hearing was on the topic of online hate and what the social media/advertising platforms are doing to combat its proliferation online.
Labour MP Chuka Umunna noted that last year Google made $34bn in operating profit, adding that a person who posts a video makes $7.6 per 1,000 views.
He said: “Supporters of Isis have been posting videos and tagging the option of making money from ads alongside videos, which makes them and you money.”
Umunna said: “There are not many business activities where someone would openly give evidence to committee that they are making, and the people who use their platform are making, money out of hate… you as an outfit are not working nearly hard enough to deal with that.”
Tomi Engdahl says:
Hyper-V guest escape, drive-by PDF pwnage, Office holes, SMB flaws – and more now patched
Secure programming is hard, kids
https://www.theregister.co.uk/2017/03/15/microsoft_massive_patch_tuesday_bundle/
After taking a month off, Microsoft’s Patch Tuesday is back – and it’s a blockbuster edition. There are 18 bundles of patches covering 140 separate security vulnerabilities.
These flaws range from a hypervisor escape in Hyper-V, remote-code execution via PDF and Office files and malicious SMB traffic, to the usual barrage of information leaks and privilege escalations.
This follows Microsoft postponing its February Patch Tuesday due to problems within its build system: Microsoft is consolidating more and more of its Windows code – from Server and client to mobile – into one source base, dubbed OneCore. Issuing security patches last month proved problematic enough to delay their distribution, El Reg understands.
Tomi Engdahl says:
UK to block Kodi pirates in real-time: Saturday kick-off
But will it work? We’re about to find out
https://www.theregister.co.uk/2017/03/14/uk_new_realtime_live_server_blocking_order/
Last week in the High Court, Justice Arnold agreed to a request from the Football Association and the Premier League, and supported by the BBC, amongst others, that broke new ground, technically and legally.
The order, which has the support of the major UK ISPs, is unusual in several ways. It permits the ISPs to block access to servers (such as those accessed by third-party software addons), rather than a website.
The blocking occurs in real-time, for a few minutes at a time: the duration of a football match. And the order expires in May – when the English football season ends.
It’s also the first time the major ISPs here have agreed to an extension of content-blocking without a fight: BT/EE, Sky and Virgin Media approved the request, and TalkTalk and BT’s PlusNet did not contest the request.
At £10m per Premier League game, the buyers are strongly incentivised not to see unlicensed streaming options, such as modified Kodi-based USB sticks, become more commonplace.
Arnold was convinced of the argument for harm from this:
“There is increasing evidence of football fans turning to streaming devices which access infringing streams as a substitute for paid subscriptions to services such as those offered by Sky and BT. This undermines the value of FAPL’s rights and, if unchecked, is likely to reduce the revenue returned by FAPL to football clubs, sports facilities and the wider sporting community,”
In addition, the offshore operators ignore infringement notifications.
Tomi Engdahl says:
Facebook, Twitter and Google grilled by MPs over hate speech
http://www.bbc.com/news/uk-39272261
Social media giants should “do a better job” to protect users from online hate speech, MPs have said.
Executives from Facebook, Twitter and Google were asked by the Home Affairs select committee why they did not police their content more effectively, given the billions they made.
They were told they had a “terrible reputation” for dealing with problems.
The firms said they worked hard to make sure freedom of expression was protected within the law.
Social media firms accused of ‘commercial prostitution’
http://www.telegraph.co.uk/news/2017/03/14/social-media-firms-accused-commercial-prostitution/
Social media companies have been accused of “commercial prostitution” and having “no shame” after being grilled by MPs over their failure to take down abusive content.
“You all have a terrible reputation among users for dealing swiftly with problems in content even against your own community standards” – Yvette Cooper
Ms Cooper told the three social media giants that she found none of their responses “particularly convincing”.
“Surely when you manage to have such a good reputation with advertisers for targeting content and for doing all kinds of sophisticated things with your platforms, surely you should be able to do a better job in order to be able to keep your users safe online and deal with this kind of hate speech.”
She added: “Don’t you feel any sense of responsibility as a multi-billion pound organisation to at least check that you are not distributing material from proscribed organisations?”
Simon Milner, of Facebook, said the social media site spends a lot of time, effort and resource on tackling the problem.
Tomi Engdahl says:
France Abandons Plans for Internet Voting
https://www.schneier.com/blog/archives/2017/03/france_abandons.html
Some good election security news for a change: France is dropping its plans for remote Internet voting, because it’s concerned about hacking.
Tomi Engdahl says:
Why are creepy SS7 cellphone spying flaws still unfixed after years, ask Congresscritters
And why won’t the NSA open up about Section 702 spying?
https://www.theregister.co.uk/2017/03/15/ss7_cellphone_spying_flaw_still_unfixed/
Two of the most technically literate US politicians want to know why America’s Homeland Security is dragging its feet over SS7 security flaws in our mobile phone networks.
The Signaling System 7 protocol is used to, among other things, interconnect cellphone networks. It was developed in the 1980s and has virtually no security defenses built in. Exploiting its design weaknesses to obtain a victim’s location, harvest their messages, and listen in on calls was demonstrated in 2014 – although, like similar attacks, it requires access to a telco’s internal infrastructure.
That raises the barrier of entry for attackers, but not high enough to shut out state-level spies, determined miscreants with similar resources, or corrupt insiders. It essentially means, for example, a carrier in Africa or the Middle East could compromise networks in Europe and America, and vice-versa.
Last year, a security firm successfully demonstrated how SS7 could be manipulated using a low-cost Linux-based computer and a publicly available SDK – although, again, you need to be inside the telecoms infrastructure to do this [white paper PDF p5].
Speaking of spying
Senator Wyden also took to the floor of the US Senate today to ask why he’s still waiting to find out how many Americans have been caught up in the surveillance dragnet being run by the NSA, six years after he first asked for the information.
SIGNALING SYSTEM 7 (SS7) SECURITY REPORT
https://www.ptsecurity.com/upload/ptcom/SS7_WP_A4.ENG.0036.01.DEC.28.2014.pdf
Tomi Engdahl says:
Australian Taxation and Immigration depts fail infosec audits
They’ve had years to fix things up, but they can’t even deliver on known best practice
https://www.theregister.co.uk/2017/03/15/anao_report_on_aps_security_fails_agencies/
Australia’s Taxation Office, Department of Human Services and Department of Immigration and Border Protection are heavyweights of the public service, but only one has managed basic infosec protections on its systems.
The audit recommends better self-assessment and better governance
Tomi Engdahl says:
NSA hacking chief’s mission impossible: Advising White House on cybersecurity
Rob Joyce is heading to US National Security Council
https://www.theregister.co.uk/2017/03/15/white_house_cyberczar/
NSA hacking crew bossman Rob Joyce is set to join US President Donald Trump’s National Security Council as a cybersecurity adviser.
Joyce headed up the NSA’s Tailored Access Operations division, the spy agency’s elite computer exploitation squad.