

FBI Director — You Should Cover Your Webcam With Tape
15.9.2016 thehackernews Security

Should you put tape or a sticker over the lens of your laptop's webcam?
Yes; even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that.
Covering your laptop's webcam is a cheap and effective way to guard against hackers and intruders who might want to watch your private life and surroundings through your devices.
In fact, Comey recently came out defending his own use of tape to cover his personal laptop's webcam.
People Are Responsible for Their Safety, Security & Privacy
During a conference at the Center for Strategic and International Studies, when Comey was asked whether he still put tape over the cameras on his devices at home, he replied:
"Heck yeah, heck yeah. And also, I get mocked for a lot of things, and I am much mocked for that, but I hope people lock their cars… lock your doors at night. I have an alarm system. If you have an alarm system you should use it, I use mine."
Comey went on to explain that it is common practice at the FBI and other government offices to cover the webcams of computers and laptops with tape or a physical lid.
"It’s not crazy that the FBI Director cares about personal security as well," he continued. "If you go into any government office, we all have our little camera things that sit on top of the screen, they all have a little lid that closes down on them, you do that, so people who do not have authority don’t look at you, I think that’s a good thing."
Comey believes that putting a cover over webcams is one of the "sensible things" that everyone should be doing to "take responsibility for their own safety and security."
While this practice is often made fun of, taping over your devices' webcams is a habit worth adopting. The FBI and the NSA are known to have the ability to deploy malware that silently turns on a device's webcam to spy on targets.
The Edward Snowden leaks revealed the Optic Nerve programme, run by the UK's GCHQ with NSA assistance, which captured webcam images every five minutes from random Yahoo users; in just six months in 2008, images from 1.8 million users' accounts were captured and stored on government servers.
Internet of Things: Security Nightmare
However, putting tape over the lens of your computer's webcam does not solve the whole problem, especially now that we are surrounded by so many Internet-connected devices that are a security nightmare.
Because of insecure implementations, Internet of Things (IoT) devices, including security cameras, are so vulnerable that attackers routinely hijack them and use them as weapons in cyber attacks.
So it is often far easier for an attacker to compromise your network-connected security cameras than your laptop's webcam in order to keep track of you and your surroundings; a piece of tape on the laptop does nothing for the camera on the wall.


PCI PIN Transaction Security requests upgradeable credit card readers

13.9.2016 securityaffairs Security

The Payment Card Industry Security Standards Council (PCI Council) updates its standard to reduce fraudulent activities against PoS systems.
The number of payment card frauds involving point-of-sale (PoS) systems continues to increase; in recent months numerous attacks have targeted retailers and hotels worldwide.

The Payment Card Industry Security Standards Council (PCI Council) has responded with a new version of its standard aimed at reducing fraud; the organization plans to improve the security of PoS devices by making their firmware easy to upgrade.

Last week, the PCI council issued the version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements.


A close look at the standard reveals the new requirements for the payment industry, in particular:

A new control requiring that PoS readers support firmware updates and that every update be authenticated before it is applied: "The device must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted."
The Core Physical Security Requirements also include tamper detection and response, so that the device becomes inoperable and wipes its secrets when attacked: "The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings."
Devices must resist side-channel attacks (e.g. monitoring of electromagnetic emanations) that could leak keys.
The device must run a self-test at start-up, and at least daily, to detect whether it has been compromised: "The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours."
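The two firmware-related requirements above (updates that are authenticated and otherwise rejected and deleted, and a start-up/daily self-test that fails securely) can be modelled in software. The following Go program is an added example written for this page, not code from the PCI Council or any reader vendor. The image layout (a "PTSF" header, version, length, payload and Ed25519 signature), the anti-rollback version check and the Device model are assumptions chosen for illustration, not the PTS wire format; on a real reader the root public key would live in tamper-protected storage rather than a struct field.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (assumption, not the PCI PTS wire format):
//   magic[4] = "PTSF" | version uint32 BE | payloadLen uint32 BE | payload | signature[64]
// The Ed25519 signature covers everything before it (magic, version, length, payload).
const (
	magic  = "PTSF"
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("firmware image malformed")
	ErrBadSignature = errors.New("firmware signature invalid: update rejected")
	ErrRollback     = errors.New("firmware version older than installed: update rejected")
)

// Image is a parsed, authenticated firmware image.
type Image struct {
	Version uint32
	Payload []byte
}

// ParseAndVerify checks framing first, then the signature against the vendor's
// root public key; nothing from the payload is trusted until Verify succeeds.
func ParseAndVerify(rootPub ed25519.PublicKey, img []byte) (*Image, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if uint64(hdrLen)+uint64(plen)+uint64(sigLen) != uint64(len(img)) {
		return nil, ErrMalformed // length field must match the buffer exactly
	}
	signed := img[:hdrLen+int(plen)]
	sig := img[hdrLen+int(plen):]
	if !ed25519.Verify(rootPub, signed, sig) {
		return nil, ErrBadSignature
	}
	return &Image{Version: version, Payload: signed[hdrLen:]}, nil
}

// Device models a reader's mutable state: the root key and the flashed image.
type Device struct {
	rootPub   ed25519.PublicKey
	installed []byte // raw signed image currently flashed
	version   uint32
}

// ApplyUpdate implements "authenticate, else reject and delete": on any failure
// the staged buffer is zeroed and the installed firmware is left untouched.
func (d *Device) ApplyUpdate(staged []byte) error {
	img, err := ParseAndVerify(d.rootPub, staged)
	if err == nil && img.Version < d.version {
		err = ErrRollback // assumption: anti-rollback is common practice, not quoted from the standard
	}
	if err != nil {
		for i := range staged { // "deleted": wipe the rejected image
			staged[i] = 0
		}
		return err
	}
	d.installed = append([]byte(nil), staged...)
	d.version = img.Version
	return nil
}

// SelfTest re-runs the same authenticity check over the installed image; a reader
// would call this at start-up and at least once per day and fail closed on error.
func (d *Device) SelfTest() error {
	_, err := ParseAndVerify(d.rootPub, d.installed)
	return err
}

// BuildImage signs a payload with the vendor's private key (never present on a reader).
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{rootPub: pub}
	fmt.Println("install v1:", dev.ApplyUpdate(BuildImage(priv, 1, []byte("reader firmware v1"))))
	fmt.Println("self-test:", dev.SelfTest())

	// Tampered image: flip one payload byte after signing.
	bad := BuildImage(priv, 2, []byte("reader firmware v2"))
	bad[hdrLen] ^= 0xff
	fmt.Println("tampered v2:", dev.ApplyUpdate(bad), "buffer zeroed:", bytes.Equal(bad, make([]byte, len(bad))))
	fmt.Println("still on version", dev.version)
}
```

The same verification routine serves both requirements: ApplyUpdate gates what gets flashed, and SelfTest periodically re-checks what is already flashed, so a payload that was altered in place after installation is caught by the daily test rather than trusted forever.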
The new standard aims to counter the intensification of card skimming attacks and to improve the security of the payment industry.

Banks are observing a similar trend; the investigative journalist Brian Krebs recently published a post warning of an alarming increase in skimming attacks on both American and European banks.

“Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”

The FICO Card Alert Service issued several warnings about a spike in ATM skimming attacks.

On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

PoS devices that are hard to upgrade are a serious problem for the payment industry. Upgradeable card-reading kit is expensive, and a weak security posture delays the adoption of necessary countermeasures. Making card readers upgradeable should significantly improve point-of-sale security.

The banking industry continues to be under attack; chip-and-PIN technology has recently started to be adopted in the US because it improves security for customers, merchants and financial institutions.

The new standard will be effective from September 2017 and will replace the current version 4.1.


Dutch Police Seize Two VPN Servers, But Without Explaining... Why?
3.9.2016 thehackernews Security
Recently, two European countries, France and Germany, have declared war on encryption, with the objective of forcing major technology companies to build backdoors into their secure messaging services.
However, another neighbouring country, the Netherlands, is proactively going after cyber criminals, but do you know how?
Dutch police have seized two servers belonging to Virtual Private Network (VPN) provider Perfect Privacy as part of an investigation, without providing any reason for the seizure.
The Switzerland-based VPN provider said it learned of the seizure from I3D, the company that hosts its servers in Rotterdam.
For those unfamiliar, Virtual Private Networks or VPNs are simple security and privacy tools that route your Internet traffic through a remote server, shielding your browsing from the local network, hiding your location and letting you reach geo-restricted resources. They do, however, shift trust to the provider: the VPN operator, and whoever seizes its hardware, can see exactly the traffic your ISP no longer can.
VPNs have become a useful tool not just for large companies but also for individuals who want to improve their privacy and security online, dodge content restrictions and counter the growing threat of cyber attacks.
While many people, including digital activists, journalists, and protesters, use them for legitimate purposes, VPNs are also used by criminals and black hat hackers to protect their nefarious activities from prying eyes and stay anonymous online.
This is why VPN services are frequently targeted by police and law enforcement while investigating crimes, and this is what appears to have happened with two servers belonging to Perfect Privacy.
The VPN provider informed its customers that two of its servers in Rotterdam, Netherlands, had been seized by the Dutch police on August 24, without the police even contacting the company to inform it of a possible investigation or of the reason its servers were taken down.
The VPN provider says the authorities went directly to I3D with a subpoena requesting the hardware.
"Currently, we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster," Perfect Privacy explains. "Since we are not logging any data there is currently no reason to believe that any user data was compromised."
Perfect Privacy confirms that its service was back up and running the following day after I3D provided two replacement servers, so the seizure did not cause any significant outage.
In April, Dutch police seized Ennetcom servers in the Netherlands and Canada to shut down its operations during a criminal investigation. Ennetcom sold customized BlackBerry phones that communicated over its own PGP-encrypted network.
Dutch authorities accused Ennetcom of helping criminals protect the communications used to carry out crimes, including drug trafficking, assassinations and other serious offences.


SWIFT discloses more cyber attacks on its bank members and urges more security
2.9.2016 securityaffairs Security

SWIFT discloses more attacks against banks worldwide, is pressing member banks on security and has urged them to install the new SWIFT software by November 19.
In recent months a worrying string of attacks against banks worldwide through the SWIFT system has alarmed the banking industry. The so-called "SWIFT hackers" have conducted multiple cyber attacks against financial institutions. We reported the successful cyber heists against the Bangladesh central bank, a Ukrainian bank and an Ecuadorian bank; meanwhile a Vietnamese bank reported that it had blocked an ongoing heist.

In May, a fourth bank, in the Philippines, fell victim to the SWIFT hackers, and experts at Symantec confirmed that the malware used by the crooks shares code with tools used by the notorious Lazarus group, which is linked to the North Korean government.

According to Reuters, SWIFT has issued a new warning urging member banks to install the new SWIFT software by 19 November.

The latest version of SWIFT's software implements new security features specifically designed to defeat this kind of attack, including stronger authentication and mechanisms for the early detection of fraudulent activity.

"Customers' environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay," SWIFT states.

The organization hasn’t provided further details on the alleged additional cyber attacks against banks worldwide.

“All the victims shared one thing in common,” says Reuters: “Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.”


SWIFT told banks that it might report non-compliance to regulators and banking partners if they fail to adopt the new SWIFT software.

Despite SWIFT's efforts, many experts argue that the new security features are not enough to consider banking systems completely secure: the weak point in every reported case was the member's own network, which SWIFT does not control.

The cyber attacks have, of course, prompted regulators globally to press financial institutions to bolster their security defenses.


The network of satellite telco NewSat was the ‘most corrupted’ ever seen
29.8.2016 securityaffairs Security

The network of Australian satellite firm NewSat was described as the ‘most corrupted’ ever seen: it was hacked by foreign state-sponsored attackers while it also hosted government interception kit in its data centre.
The story demonstrates the high interest of spy agencies in hacking communication systems.

The Australian satellite company was deeply hacked by cyber spies who completely corrupted its network. The company is now out of business: its assets were sold off last year after it went into administration.

According to a former staffer who spoke on condition of anonymity to the Australian Broadcasting Corporation (ABC), it was ‘the most corrupted’ network the nation's intelligence agency had ever encountered.

According to the ABC broadcast, the hack dates back to 2013, when the company reported the breach to the Australian Signals Directorate (ASD). Chinese state-sponsored hackers had made the organization "the most corrupted network [the Directorate] had ever seen", the ABC reports.

Former Central Intelligence Agency chief Michael Hayden said that China's efforts against Australia were aimed at "the theft of information, and really by and large the theft of information for commercial profit."

According to the report, the hackers were interested in sensitive information such as the plans for the Lockheed Martin-designed satellite dubbed Jabiru-1.

“Given we were up against China, state-sponsored, a lot of money behind them and a lot of resources and we were only a very small IT team, it certainly wasn’t a fair fight for us,” Newsat’s former IT manager Daryl Peter said.

The breach came to light because NewSat was planning to install a restricted encryption tool that would allow the NSA to monitor satellite communications, and it notified the ASD of its intent.

The ASD refused to release the encryption tool to NewSat until the company had eradicated the intruders from its systems; intelligence officials told the company that its networks were "the most corrupted" they had seen.

[Image: Australian satellite company Newsat Ltd was forced to rebuild its entire network in secret. (Four Corners)]

Mr Peter recalled the meeting with the intelligence officials who had examined the NewSat infrastructure:

“They actually said to us that we were the worst,” Mr Peter said.

“What came out of that meeting was we had a serious breach on our network and it wasn’t just for a small period of time, they’d been inside our network for a long period, so maybe about two years. And the way it was described to us was they are so deep inside our network it’s like we had someone sitting over our shoulder for anything we did.”

According to the anonymous source who revealed the story to the ABC, the NewSat network was completely rebuilt.

NewSat had also installed an Australian Government communications interception system in its data centre, even as the government refused to deploy the restricted NSA encryption tool because of the breach it had discovered.

“They (NewSat) had a lot of dealings with Middle East organisations,” the source said.

I suggest reading the detailed analysis published by the ABC's Four Corners, which confirms that Australian Government computer networks were also breached by hackers.


IT threat evolution in Q2 2016. Statistics
28.8.2016 Kaspersky Security

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q2 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
54,539,948 unique URLs were recognized as malicious by web antivirus components.
Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
Crypto ransomware attacks were blocked on 311,590 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
3,626,458 malicious installation packages;
27,403 mobile banker Trojans (installation packages);
83,048 mobile ransomware Trojans (installation packages).
Mobile threats

In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages – 1.7 times more than in the previous quarter.

Number of detected malicious installation packages (Q3 2015 – Q2 2016)

Distribution of mobile malware by type

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

Distribution of new mobile malware by type (Q1 2016 and Q2 2016)

In Q2 2016, RiskTool software, i.e. legitimate applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.

Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.

The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.

The Trojan-Dropper share also fell – from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.

TOP 20 mobile malware programs

Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Name % of attacked users*
1 DangerousObject.Multi.Generic 80.87
2 Trojan.AndroidOS.Iop.c 11.38
3 Trojan.AndroidOS.Agent.gm 7.71
4 Trojan-Ransom.AndroidOS.Fusob.h 6.59
5 Backdoor.AndroidOS.Ztorg.a 5.79
6 Backdoor.AndroidOS.Ztorg.c 4.84
7 Trojan-Ransom.AndroidOS.Fusob.pac 4.41
8 Trojan.AndroidOS.Iop.t 4.37
9 Trojan-Dropper.AndroidOS.Gorpo.b 4.3
10 Trojan.AndroidOS.Ztorg.a 4.30
11 Trojan.AndroidOS.Ztorg.i 4.25
12 Trojan.AndroidOS.Iop.ag 4.00
13 Trojan-Dropper.AndroidOS.Triada.d 3.10
14 Trojan-Dropper.AndroidOS.Rootnik.f 3.07
15 Trojan.AndroidOS.Hiddad.v 3.03
16 Trojan-Dropper.AndroidOS.Rootnik.h 2.94
17 Trojan.AndroidOS.Iop.o 2.91
18 Trojan.AndroidOS.Rootnik.ab 2.91
19 Trojan.AndroidOS.Triada.e 2.85
20 Trojan-SMS.AndroidOS.Podec.a 2.83
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

As in the previous quarter, 16 Trojans that use advertising as their main means of monetization made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which they are very difficult to delete.

Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user’s device, including other malicious programs.

Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.

Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be an ever-present in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is to subscribe users to paid services.

The geography of mobile threats

The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked **
1 China 36.31
2 Bangladesh 32.66
3 Nepal 30.61
4 Uzbekistan 22.43
5 Algeria 22.16
6 Nigeria 21.84
7 India 21.64
8 Indonesia 21.35
9 Pakistan 19.49
10 Iran 19.19
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter. China also came first in this ranking in Q1 2016.

In all the countries of this ranking, except China, the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.

Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52nd. The US (5.0%) came 59th and the UK (4.6%) 64th.

The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).

Mobile banking Trojans

As of this quarter, we calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports. Over the reporting period, we detected 27,403 mobile banking Trojan installation packages, 1.2 times fewer than in Q1.

Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 – Q2 2016)

The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families – Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.

Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user’s permission to become the main SMS application.

Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user’s approval to become the main SMS application

This allows the Trojan to bypass the system constraints introduced in Android 4.4 and to hide incoming SMSs from the user (as a rule, it hides messages from banks and payment systems). Since Android 4.4, only the default SMS application can receive the SMS_DELIVER broadcast and write to the SMS provider; other apps can no longer silently intercept or abort incoming messages, which is why the malware needs this role. To persuade users to set the malicious program as the default SMS application in the settings, the Trojan authors had to, among other things, implement a messenger interface.

The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages

Asacub is actively distributed via SMS spam.

Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:

Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked**
1 Russia 1.51
2 Australia 0.73
3 Uzbekistan 0.45
4 Korea 0.35
5 China 0.34
6 Ukraine 0.33
7 Denmark 0.28
8 Germany 0.24
9 Turkey 0.23
10 Kyrgyzstan 0.17
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans.

China, last quarter’s leader, fell to fifth place this quarter.

In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.

Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.

Mobile Trojan-Ransomware

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q3 2015 – Q2 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.

Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter, accounting for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and uploads the data to a malicious server. After that, it may receive a command to block the device. In the second quarter we registered growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, which targets Chinese-speaking users, changes the system password (PIN), or sets one if no password was configured before, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.

Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:

Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)

To assess the risk of a mobile Trojan-Ransomware infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Country* % of users attacked**
1 Canada 2.01
2 Germany 1.89
3 US 1.66
4 Switzerland 1.63
5 Mexico 1.55
6 UK 1.51
7 Denmark 1.35
8 Italy 1.35
9 Kazakhstan 1.35
10 Netherlands 1.15
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.

In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.

Vulnerable applications exploited by cybercriminals

In Q2 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities were discovered in this software:

CVE-2016-4117
CVE-2016-4171
An exploit for CVE-2016-4117 was added to the Magnitude and Neutrino exploit kits. CVE-2016-4171 was used by the ScarCruft group in targeted attacks; we gave a more detailed account of this group's activities in a blog post published in mid-June.

The main event this quarter was the demise of the long-term market leaders – the Angler and Nuclear exploit kits. Angler’s departure resulted in market players shifting to other kits to distribute malware. In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit.

This is how the overall picture for the use of exploits in the second quarter looks:

Distribution of exploits used in attacks by the type of application attacked, Q2 2016

The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%. This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino. The latter was the undisputed leader this quarter in terms of the number of attempts to download malware.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the second quarter of 2016, Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc. 54,539,948 unique URLs were recognized as malicious by web antivirus components.

Online threats in the banking sector

These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Number of users attacked by malware targeting finances

Due to the constant emergence of new representatives of banking Trojans and functional changes in existing banking Trojans, in the second quarter of 2016 we have significantly updated the list of verdicts classed as banking risks. This means the number of financial malware victims has changed significantly compared to the data published in previous quarters. As a comparison, we have recalculated the statistics for the previous quarter, taking into account all the malware from the updated list.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,132,031 computers in Q2 2016. The quarter saw an increase in financial malware activity: the figure for Q2 is 15.6% higher than that for the previous quarter (979,607).

Number of users attacked by malware targeting finances, Q2 2016

Geography of attack

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

Geography of banking malware attacks in Q2 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of attacked users**
1 Turkey 3.45
2 Russia 2.92
3 Brazil 2.63
4 Pakistan 2.60
5 Venezuela 1.66
6 Tunisia 1.62
7 Japan 1.61
8 Singapore 1.58
9 Libya 1.57
10 Argentina 1.48
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan.

In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking.

Brazil rounds off the top three. We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil. This event is just too tempting for cybercriminals to ignore – they regularly use the theme of major sporting events in their attacks to lure potential victims.

The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%).

The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.

The TOP 10 banking malware families

The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):

Name* Percentage of users attacked**
1 Trojan-Spy.Win32.Zbot 15.72
2 Trojan-Banker.Win32.Gozi 3.28
3 Trojan.Win32.Qhost 2.35
4 Trojan-Banker.Win32.Shiotob 2.27
5 Trojan-Banker.Win32.BestaFera 2.12
6 Trojan.Win32.Nymaim 1.98
7 Trojan-Banker.Win32.ChePro 1.90
8 Trojan-Banker.Win32.Banbra 1.77
9 Trojan.Win32.Neurevt 0.67
10 Backdoor.Win32.Shiz 0.66
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source codes of this Trojan became publicly available back in 2012. This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.

The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim’s source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.

In Q2 2016, Attempted infections by financial #malware were registered on 1.1M user computers #KLreport #banking
A permanent resident in this ranking and one of the reasons financial threats are so prominent in Brazil is the Trojan-Banker.Win32.ChePro family. This banking malware lets cybercriminals take screenshots, record keystrokes, and read the contents of the clipboard, i.e., it possesses functionality capable of attacking almost any online banking system. Criminals are trying to implement new techniques to avoid detection for as long as possible. Some of the Trojans from this family use geolocation or ask for the time zone and the Windows version from the system in order to infect users in a particular region.

Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).

Ransomware Trojans

The overall number of cryptor modifications in our virus collection to date is approximately 26,000. A total of 28 new cryptor families and 9,296 new modifications were detected in Q2.

The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.

Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)

Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:

CryptXXX (Trojan-Ransom.Win32.CryptXXX)

This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.

ZCryptor (Trojan-Ransom.MSIL.Zcryptor)

This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).
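The autorun.inf propagation trick described above is something a defender can check for directly. The following is an added Python example (not ZCryptor code and not Kaspersky's tooling): it parses a constructed autorun.inf of the kind a self-propagating cryptor drops on removable media and flags the entries that would launch a program or imitate the stock "Open folder" prompt. The sample file contents and the list of executable extensions are assumptions made for the example.

```python
import configparser

# Constructed sample of an autorun.inf that a worm-like cryptor might drop on a
# USB stick. This is illustrative only, not a real ZCryptor artifact.
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    "open=system.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open folder to view files\n"
    "label=USB DISK\n"
)

# Keys through which autorun.inf can cause code execution; icon/label are cosmetic.
EXEC_KEYS = ("open", "shellexecute")
# Extensions that indicate an executable payload rather than a document (assumed list).
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Parse autorun.inf as an INI file without value interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(text)
    return parser


def audit_autorun(text):
    """Return a list of (key, value, reason) findings for one autorun.inf."""
    findings = []
    parser = parse_autorun(text)
    if not parser.has_section("autorun"):
        return findings
    for key, value in parser["autorun"].items():
        v = (value or "").strip().strip('"')
        if key in EXEC_KEYS:
            reason = "launches a program on insertion"
            if v.lower().endswith(EXEC_EXTS):
                reason += " (executable payload)"
            findings.append((key, v, reason))
        elif key.startswith("shell") and key.endswith("command"):
            # shell\<verb>\command entries rewire Explorer's context-menu verbs
            findings.append((key, v, "rewires an Explorer context-menu verb"))
        elif key == "action" and "open folder" in v.lower():
            findings.append((key, v, "mimics the stock 'Open folder' prompt"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_autorun(SAMPLE_AUTORUN_INF):
        print(f"{key}={value}: {reason}")
```

Run it against the autorun.inf at the root of a removable drive; any "open", "shellexecute" or "shell\...\command" finding means the media is trying to execute something on insertion, which is exactly the behaviour the article attributes to ZCryptor. As the text notes, this path only works where AutoRun is still enabled, so the check complements rather than replaces disabling AutoRun by policy.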

RAA (Trojan-Ransom.JS.RaaCrypt)

Sometimes we come across cryptors that differ from their peers in terms of functionality, and sometimes an unusual implementation will catch the attention of an analyst. In the case of RAA, the choice of programming language was curious: it was written entirely in JavaScript. The whole body of the program was included in a single .js file delivered to the victim as an attachment in a spam message. When run, it displays a fake error message, and in the meantime, encrypts the user’s files.

Bart (Trojan-Ransom.Win32.Bart)

This cryptor puts the victim’s files in password-protected ZIP archives; and it creates passwords using the Diffie-Hellman algorithm on an elliptic curve. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.

Satana (Trojan-Ransom.Win32.Satan)

This is a combination of MBR blocker and file cryptor, probably inspired by similar functionality in the notorious Petya + Mischa Trojans. Satana, unlike Petya, does not encrypt MFT; in fact, its MBR module is obviously incomplete because the process of checking the password entered by the victim results in nothing more than a continuous cycle. Below is a fragment of the code demonstrating this.

The number of users attacked by ransomware

Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)

In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter. Approximately 21% of those attacked were in the corporate sector.

It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.

Top 10 countries attacked by cryptors

Country* % of users attacked by cryptors**
1 Japan 2.40
2 Italy 1.50
3 Djibouti 1.46
4 Luxembourg 1.36
5 Bulgaria 1.34
6 Croatia 1.25
7 Maldives 1.22
8 Korea 1.21
9 Netherlands 1.15
10 Taiwan 1.04
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2, half of the top 10 were European countries – one less than the previous quarter.

Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl.

Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).

Top 10 most widespread cryptor families

Name Verdict* Percentage of users**
1 CTB-Locker Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion 14.59
2 Teslacrypt Trojan-Ransom.Win32.Bitman 8.36
3 Locky Trojan-Ransom.Win32.Locky 3.34
4 Shade Trojan-Ransom.Win32.Shade 2.14
5 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 2.02
6 Cryptowall Trojan-Ransom.Win32.Cryptodef 1.98
7 Cryakl Trojan-Ransom.Win32.Cryakl 1.93
8 Cerber Trojan-Ransom.Win32.Zerber 1.53
9 Scatter Trojan-Ransom.BAT.Scatter/Trojan-Downloader.JS.Scatter/Trojan-Dropper.JS.Scatter/Trojan-Ransom.Win32.Scatter 1.39
10 Rakhni Trojan-Ransom.Win32.Rakhni/Trojan-Downloader.Win32.Rakhni 1.13
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family. In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016 – the owners disabled their servers and posted a master key to decrypt files.

In Q2 2016, #crypto #ransomware attacks were blocked on 311,590 computers of unique users #KLreport
Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.

The Cerber cryptor spreads via spam and exploit kits. The cryptor’s site on the Tor network is translated into lots of languages. Cerber’s special features include the following:

It explores the infected system meticulously: it checks for the presence of an antivirus, whether it is running under a virtual machine (Parallels, VMware, QEMU, VirtualBox) or Wine, and for utilities from various researchers and analysts (it does this by searching for certain processes and files on the disk drive); it even has a blacklist of system drive serial numbers.
It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
It attempts to bypass antivirus protection by terminating their processes, interrupting services, deleting files.
In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!”
The Cryrar cryptor also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc. first appeared back in 2012. It has the distinctive feature of placing the victim’s files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2016, Kaspersky Lab solutions blocked 171,895,830 attacks launched from web resources located in 191 countries around the world. 54,539,948 unique URLs were recognized as malicious by web antivirus components.

81% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
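The source-attribution method described above (resolve the domain to its IP address, then look the address up in a GeoIP table and aggregate by country) can be shown end to end. This is an added Python example, not Kaspersky Lab's pipeline: the GeoIP ranges, country codes and blocked-attack records are constructed for the example, and the domain-to-IP resolution is assumed to have already happened upstream.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP table: (CIDR, ISO country code). A real lookup would use a full
# GeoIP database; these documentation ranges and countries are made up.
GEOIP_TABLE = [
    ("203.0.113.0/24", "US"),
    ("203.0.113.128/25", "NL"),   # more specific prefix inside the /24 above
    ("198.51.100.0/24", "RU"),
    ("192.0.2.0/24", "DE"),
]

# Constructed blocked-attack records: (hostname, IP the hostname resolved to).
BLOCKED_ATTACKS = [
    ("redir.example", "203.0.113.10"),
    ("redir.example", "203.0.113.10"),
    ("kit.example", "203.0.113.200"),
    ("c2.example", "198.51.100.77"),
    ("drop.example", "192.0.2.5"),
    ("unknown.example", "100.64.0.1"),   # not covered by the table
]

UNKNOWN = "??"


def build_table(entries):
    """Parse CIDRs and order them longest-prefix first so the first hit is the most specific."""
    nets = [(ipaddress.ip_network(cidr), cc) for cidr, cc in entries]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)


def lookup_country(table, ip):
    """Longest-prefix match of one address against the GeoIP table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return UNKNOWN


def attacks_by_country(records, table):
    """Count blocked attacks per source country (each record is one notification)."""
    return Counter(lookup_country(table, ip) for _, ip in records)


def top_n_share(counts, n):
    """Share of attributed notifications that came from the n leading countries."""
    attributed = Counter({cc: c for cc, c in counts.items() if cc != UNKNOWN})
    total = sum(attributed.values())
    if not total:
        return 0.0
    return sum(c for _, c in attributed.most_common(n)) / total


if __name__ == "__main__":
    table = build_table(GEOIP_TABLE)
    counts = attacks_by_country(BLOCKED_ATTACKS, table)
    for cc, c in counts.most_common():
        print(f"{cc}: {c}")
    print(f"top-2 share: {top_n_share(counts, 2):.0%}")
```

The longest-prefix ordering matters: a /25 carved out of a /24 and assigned to a different country must win over the enclosing /24, otherwise a whole sub-allocation is attributed to the wrong place. Unattributable addresses are kept in the counts but excluded from the share calculation so that gaps in the GeoIP data do not silently deflate the top-10 figure.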

Distribution of web attack sources by country, Q2 2016

The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up one place to second. The previous quarter’s leader, the Netherlands, dropped to fourth place after its share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the Top 10, while Canada was a newcomer in ninth place with 0.96%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Country* % of unique users attacked**
1 Azerbaijan 32.10
2 Russia 30.80
3 China 29.35
4 Slovenia 27.54
5 Ukraine 27.46
6 Kazakhstan 27.03
7 Vietnam 26.02
8 Algeria 25.63
9 Armenia 25.09
10 Belarus 24.60
11 Brazil 24.05
12 France 22.45
13 Moldova 22.34
14 Kyrgyzstan 22.13
15 Bulgaria 22.06
16 Italy 21.68
17 Chile 21.56
18 Qatar 20.10
19 India 20.00
20 Portugal 19.84
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
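The per-country risk metric behind this table and the banking and cryptor rankings above is "unique attacked users as a percentage of all product users in the country", with countries below a minimum user count excluded. The following added Python example (not Kaspersky Lab's code) implements that definition over constructed telemetry: it deduplicates detections per user, applies the exclusion threshold from the footnote, ranks the remaining countries, and computes the global average used in the text. The sample detections, user base and the small threshold used in the demonstration are assumptions.

```python
from collections import defaultdict

# Constructed telemetry: (country, user_id, verdict) for each web antivirus detection.
# A user who triggers several verdicts in the quarter must be counted once.
SAMPLE_DETECTIONS = [
    ("AZ", "u1", "Exploit.Script.Generic"),
    ("AZ", "u1", "Trojan-Downloader.JS.Agent"),
    ("AZ", "u2", "Exploit.Script.Generic"),
    ("RU", "u10", "Trojan.Win32.Generic"),
    ("XX", "u99", "Trojan.Win32.Generic"),   # country with too few users to rank
]

# Constructed installed base: unique product users per country.
SAMPLE_USER_BASE = {"AZ": 5, "RU": 4, "DE": 10, "XX": 1}


def attacked_users_per_country(detections):
    """Number of distinct attacked users per country."""
    attacked = defaultdict(set)
    for country, user_id, _verdict in detections:
        attacked[country].add(user_id)
    return {c: len(users) for c, users in attacked.items()}


def risk_ranking(detections, user_base, min_users=10_000):
    """Percentage of unique users attacked, per country, largest first.

    Countries whose user base is below min_users are dropped (footnote *),
    because a percentage over a tiny population is not meaningful.
    """
    attacked = attacked_users_per_country(detections)
    rows = []
    for country, total in user_base.items():
        if total < min_users:
            continue
        pct = 100.0 * attacked.get(country, 0) / total
        rows.append((country, round(pct, 2)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def global_share(detections, user_base):
    """Attacked users as a percentage of all users, across every country."""
    attacked = attacked_users_per_country(detections)
    total = sum(user_base.values())
    return round(100.0 * sum(attacked.values()) / total, 2) if total else 0.0


if __name__ == "__main__":
    # The threshold is lowered to 3 only so the constructed sample has data to rank.
    for country, pct in risk_ranking(SAMPLE_DETECTIONS, SAMPLE_USER_BASE, min_users=3):
        print(f"{country}: {pct}%")
    print(f"global: {global_share(SAMPLE_DETECTIONS, SAMPLE_USER_BASE)}%")
```

Note that the exclusion threshold only affects the ranking; the global average still includes every user, which is why a country can be absent from the table yet still contribute to the worldwide figure.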

In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with 32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth place.

Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).

The countries with the safest online surfing environments included Canada (15%), Romania (14.6%), Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12.4%), New Zealand (12.1%), Czech Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3%), Sweden (8.2%) and Germany (8%).

On average, 19.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.8 p.p. compared to Q1 2016.

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2016, Kaspersky Lab’s file antivirus detected 249,619,379 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

Country* % of unique users**
1 Somalia 65.80
2 Vietnam 63.33
3 Tajikistan 62.00
4 Russia 61.56
5 Kyrgyzstan 60.80
6 Bangladesh 60.19
7 Afghanistan 60.00
8 Armenia 59.74
9 Ukraine 59.67
10 Nepal 59.66
11 Ethiopia 59.63
12 Laos 58.43
13 Kazakhstan 57.72
14 Rwanda 57.33
15 Djibouti 56.07
16 Yemen 55.98
17 Venezuela 55.76
18 Algeria 55.58
19 Cambodia 55.56
20 Iraq 55.55
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by 2.62 percentage points to 61.56%.

In Q2 2016, 27,403 #mobile #banking Trojans were detected by @kaspersky mobile security products #KLreport
Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%), and Cambodia in nineteenth (55.56%).

The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%), Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark (21.4%) and Sweden (21.3%).

An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2 p.p. less than in the previous quarter.


Unknown Bidder Buys 2,700 Bitcoins (worth $1.6 million) at US Government Auction
23.8.2016 thehackernews Security
A winning anonymous bidder bought 2,700 Bitcoins (worth roughly $1.6 Million) in an auction held by the United States Marshals Service (USMS) on Monday.
The US government announced at the beginning of this month its plans to auction 2,719 Bitcoins that were seized during several criminal, civil and administrative cases like Silk Road.
The US Marshals confirmed to CoinDesk that four bids were received in the auction that took place between 13:00 and 19:00 UTC on August 22.
The majority of the Bitcoins in the auction stemmed from investigations of the Silk Road online black marketplace.
The 2,719 Bitcoins in the auction included:
Around 1,300 Bitcoins seized from a civil case related to Matthew Gillum, a Silk Road drug dealer, who was sentenced to nine years in prison in 2015.
Only 2.8 Bitcoins directly came from Silk Road founder Ross Ulbricht, who was found guilty of operating Silk Road for illegal goods and handed two life sentences.
Some 65 Bitcoins came from Carl Force, a former Drug Enforcement Administration agent, who was sentenced for stealing Bitcoins during the Silk Road investigation.
Around 665 Bitcoins came from the case of Sean Roberson, a Florida man who allegedly created an online shop for selling stolen credit and debit cards.
The last date for registration was 18 August and only five bidders registered to claim the 2,700 BTC block, according to the agency.
However, this is not the first Bitcoin auction conducted by the US Marshals Service. The federal law enforcement agency has been selling off Bitcoins in a series of auctions.
The last USMS auction took place on November 15, when 11 bidders, including bitcoin exchange itBit, over-the-counter trading firm Cumberland Mining, and investor Tim Draper, bought 44,000 Bitcoins, worth $14.6 Million.


IoT – Shocking : How your home sockets could aid in Cyber attacks
23.8.2016 securityaffairs Security

IoT devices are dramatically enlarging our attack surface; hackers can exploit smart sockets to shut down critical systems.
I love some of the gangster nicknames people come up with. Knuckles, Fat Tony, Stab Happy or even Bambi. Names are characteristic of their personality and attitude. It’s time to add Toaster Socket to the list: in the age of the Smart Grid, criminals are getting an upgrade.

The Internet of Things (IoT), which may soon become the “Internet of Everything,” has made every security professional re-examine all of their security strategies. Security was already a challenge when it came to handling our basic Information and Communication Technology (ICT) systems. With the disruptive and highly welcomed IoT age upon us we may soon have larger challenges.

Recent research by Bitdefender found that smart electrical sockets can be exploited easily and turned into zombies in a botnet.

“The vulnerable device is a smart electrical switch that plugs into any wall socket and enables users to schedule a connected electronic device on and off from their smartphone. It can power any gadget – thermostats, smart TVs, coffee makers, security cameras, garage doors, and medical devices and so on.” states BitDefender.

IoT hacking critical systems

Those who know the challenges an enterprise can face while fending off attacks from such botnets will realize that we are adding ammunition to the cybercriminal’s arsenal.

Beyond exploiting the built-in operating system to execute commands, an attacker can affect the user by gaining access to their email, obtaining login credentials for their other wireless systems, or causing overheating and hence fire “accidents”. The possibilities are endless.

Electrical and electronic appliances have had their fair share of negative media coverage recently when it comes to being actors in cyber attacks: surveillance cameras recruited into powerful botnets, smart LED light bulbs giving away WiFi passwords, or refrigerators launching DDoS attacks.

Common issues the security researchers found in the power outlet were weak username and password combinations, the lack of an encrypted configuration mechanism when joining your personal network (e.g. a home WiFi network) and weakly encoded information sharing between the vendor’s servers and the appliance.

Based on the above discoveries Bitdefender outlined some ways of launching attacks and compromising your system where the attack vector is your smart socket.

First, gain access to your email and hence disable your two-factor authentication process (a great security measure, by the way).
Second, use an ill-filtered password checking system to inject code and pretty much reset your entire system.
Well, coming to the meat of the matter, an attacker always wants to gain root access to a system. These few stated methods and a little effort could give them that. Hence your socket may end up being weaponized for cyber attacks, used to monitor and harm you (the user), used to gain access to other systems in your network and, a major overlooked issue, used to affect your privacy.

The solution is evident. You, the user, have to demand security as a basic need when buying such systems, or you may have to have bail money ready for your toaster switch a.k.a. cyber criminal.

It is time to purchase a security solution specifically designed for IoT devices.


Threat intelligence report for the telecommunications industry
22.8.2016 Kaspersky Security

The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack.

According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.

In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples.

Our insight draws on a range of sources. These include:

The latest telecoms security research by Kaspersky Lab experts.
Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
Underground forums and communities.
Centralized, specialized security monitoring systems (such as Shodan).
Threat bulletins and attack reports.
Newsfeed aggregation and analysis tools.
Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly.

We can provide more detailed sector and company-specific intelligence on these and other threats. For more information on our Threat Intelligence Reporting services please email intelligence@kaspersky.com.

Executive summary

Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that place new demands on telecoms companies.

These threats include:

Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.
The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.
Compromising subscribers with social engineering, phishing or malware. These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.
Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are coerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.
Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.

Typical threats targeting telecoms

Overview

We can divide the main threats facing the telecommunications industry into two, interrelated, categories:

Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.
Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.
Threats directed at telecoms companies

DDoS

DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks. By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency. Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks.

The telecommunications sector is particularly vulnerable to DDoS attacks. According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second-placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges).

The impact of a DDoS attack should not be underestimated. Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening.

Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or a large-scale ransomware attack.

A good example of the first is the 2015 cyber-attack on the UK telecoms company TalkTalk. The hack, allegedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial details – all ideal for use in financially-motivated social engineering campaigns. The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities.

DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol). Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities. Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks.

The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks

The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult. Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals. Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies. This is because compromised network devices are harder to detect by security systems and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration.

Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.

Other APTs with telecommunications on their radar

The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its Command & Control process, successfully obscuring its actual location.

Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns. In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack. Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities

Despite all the high-profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities. For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.

SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration

In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet. This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access.

The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this.

As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.

Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access

#    Country                     Number of GTP/GRX
1    China                       52.698
2    Turkey                      8.591
3    United States of America    6.403
4    Canada                      5.807
5    Belgium                     5.129
6    Colombia                    2.939
7    Poland                      2.842
8    Morocco                     1.585
9    Jamaica                     862
10   United Arab Emirates        808

The Border Gateway Protocol (BGP) is the routing protocol used to make routing decisions between autonomous systems. Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service. Any route that is advertised by a neighboring BGP speaker is merged into the routing database and propagated to all the other BGP peers.

Table 2. Top five countries with BGP protocol exposed to Internet access

#    Country                     Number of devices (end of 2015)
1    Republic of Korea           16.209
2    India                       8.693
3    United States of America    8.111
4    Italy                       2.909
5    Russian Federation          2.050

An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations.

To avoid likely attacks against BGP from unauthorized remote malefactors, we recommend that companies provide network filtering, allowing only a limited number of authorized peers to connect to BGP services. To protect against malicious re-routing and hijacking initiated through authorized autonomous systems, we recommend that they monitor for anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring).
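The two recommendations above (peer filtering and anomaly monitoring) as a small detector over a batch of BGP updates. This is an added example, not code from the Kaspersky report: the monitored prefixes, ASNs, peer addresses and updates are all constructed sample values (documentation ranges), and the update format is an assumption rather than any collector's real output.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as seen at a route collector: prefix, AS path (origin last), sending peer."""
    prefix: str
    as_path: Tuple[int, ...]
    peer: str


# Constructed: the prefixes this operator is responsible for and the origin ASNs
# allowed to announce each of them (documentation prefixes and private-range ASNs).
MONITORED_PREFIXES: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64500, 64501},
}

# Constructed: the only neighbours from which BGP updates are expected. Anything
# else should have been dropped by the network filter; seeing it here means the
# filter has a gap.
AUTHORIZED_PEERS: Set[str] = {"192.0.2.1", "192.0.2.2"}


def classify(ann: Announcement) -> List[str]:
    """Return the alert reasons for one announcement (an empty list means benign)."""
    alerts: List[str] = []
    if ann.peer not in AUTHORIZED_PEERS:
        alerts.append(f"update received from unauthorized peer {ann.peer}")
    if not ann.as_path:
        alerts.append("empty AS path")
        return alerts
    origin = ann.as_path[-1]
    announced = ipaddress.ip_network(ann.prefix, strict=False)
    for monitored_str, allowed_origins in MONITORED_PREFIXES.items():
        monitored = ipaddress.ip_network(monitored_str)
        if announced.version != monitored.version:
            continue
        if announced == monitored:
            if origin not in allowed_origins:
                alerts.append(
                    f"origin hijack: {ann.prefix} originated by AS{origin}, "
                    f"expected one of {sorted(allowed_origins)}"
                )
        elif announced.subnet_of(monitored):
            # A more-specific prefix wins longest-prefix matching wherever it propagates,
            # so traffic is pulled towards the announcing AS even while the legitimate
            # covering route is still present: the re-routing/MITM pattern described above.
            alerts.append(
                f"more-specific announcement {ann.prefix} inside monitored "
                f"{monitored_str} originated by AS{origin}"
            )
    return alerts


def monitor(updates: List[Announcement]) -> Dict[Announcement, List[str]]:
    """Run classify over a batch and keep only the updates that raised alerts."""
    flagged: Dict[Announcement, List[str]] = {}
    for update in updates:
        reasons = classify(update)
        if reasons:
            flagged[update] = reasons
    return flagged


# Constructed sample batch: one legitimate update, one wrong origin, one more-specific
# hijack, one update from an unfiltered peer, and one prefix that is not ours.
SAMPLE_UPDATES: List[Announcement] = [
    Announcement("203.0.113.0/24", (64496, 64500), "192.0.2.1"),
    Announcement("203.0.113.0/24", (64496, 64666), "192.0.2.1"),
    Announcement("203.0.113.128/25", (64666,), "192.0.2.2"),
    Announcement("198.51.100.0/22", (64501,), "198.18.0.9"),
    Announcement("10.0.0.0/8", (64700,), "192.0.2.1"),
]


if __name__ == "__main__":
    for update, reasons in monitor(SAMPLE_UPDATES).items():
        print(update.prefix, "via", update.peer, "->", "; ".join(reasons))
```

In practice the monitored table comes from the operator's own address plan (ideally cross-checked against RPKI ROAs), and the updates from a route collector feed rather than a static list.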

Vulnerabilities in network devices

Routers and other network devices are also primary targets for attacks against telecommunications companies.

In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privilege (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here).

Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it.

SYNful is not a pure software vulnerability, but a combination of leaked privileged credentials combined with a certain way of replacing device firmware. Still, it is a dangerous way of compromising an organization’s IT infrastructure.

SYNful knock backdoor sign-in credentials request

Worldwide distribution of devices with the SYNful knock backdoor

The latest information on the number of potentially compromised devices is available through the link https://synfulscan.shadowserver.org/stats/.

A second Cisco vulnerability, CVE-2015-6389, enables attackers to access some sensitive data, such as the password file, system logs and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible. Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable. Follow this Cisco bulletin for remediation actions.

For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609.

Juniper, another network device manufacturer, has been found to carry vulnerabilities in the operating system of its NetScreen VPN appliances, enabling third-party access to network traffic. The issue was reported by the vendor in security advisory JSA10713 on December 18th, 2015, along with the release of the patch.

It appears that the additional code containing the hardcoded password was planted in the source code in late 2013. The backdoor allows any user to log in with administrator privileges using the hard-coded password "<<< %s(un='%s') = %u". This vulnerability has been identified as CVE-2015-7755 and is considered highly critical.

Top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.

Juniper ScreenOS-powered devices worldwide

Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm for random number generation.

To protect the organization from misconfiguration and network device vulnerabilities, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).

Malicious insiders

Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness.

While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.

Examples of insider attacks in recent years include:

A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
An SMS center support engineer who had intercepted messages containing OTP (One-Time Passwords) for the two-step authentication required to login to customer accounts at a popular fintech company. The engineer was found to be freely offering his services on a popular DarkNet forum.
For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider. Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee.

Employees of cellular service providers are in demand for fast track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks.

A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail.

Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies.

Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.

Threats targeting CSP/ISP subscribers

Overview

Attacks targeting the customers of cloud and Internet service providers remain a key area of interest for cybercriminals. We’ve revealed a number of malware activities and attack techniques based on internal information and incidents that were caught in our scope. As a result of analyzing this data the following main threats were identified:

Obtaining subscribers’ credentials. This is growing in appeal as consumers and businesses undertake ever more activity online and particularly on mobile. Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.
Compromising subscribers’ devices. The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware. Experienced and skilled programmers are now focusing much of their attention on mobile – looking to exploit payment services as well as low-valued assets like compromised Instagram or Uber accounts, collecting every piece of data from the infected devices.
Compromising small-scale telecoms cells used by consumers and businesses. Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the entire cloud provider’s network.
Successful Proof-Of-Concept attacks on USIM cards. Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable. Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.
Social engineering, phishing and other ways in

Social engineering and phishing remain popular activities and they continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees.

The attackers exploit trust and naivety. In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop. The attack provided hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more.

Both social engineering and phishing approaches are worryingly successful. The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% of recipients clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds.

Social engineers and phishers also use multiple ways of increasing the appearance of authenticity in their attacks, enriching their data with leaked profiles, or successfully impersonating employees or contractors. Recently criminals successfully stole tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to online banking users to confirm transactions. After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to the OTPs (One Time Passwords) or “mTANs” used for two-factor authentication in online banking.

Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified.
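The recommended notification flow, as an added example that is not code from the report or from any CSP: the CSP side turns its subscriber-change feed into notifications for a financial partner, and the bank side uses those events to decide whether SMS is still a trustworthy OTP channel for a number. The feed format, the hold windows and all numbers and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class SubscriberEvent:
    """One record from the (assumed) CSP subscriber-change feed."""
    msisdn: str
    kind: str          # "sim_reissued" or "personal_data_changed"
    at: datetime


# Constructed sample feed: fictional numbers and timestamps.
SAMPLE_FEED: List[SubscriberEvent] = [
    SubscriberEvent("+49170000001", "sim_reissued", datetime(2016, 8, 10, 9, 30)),
    SubscriberEvent("+49170000002", "personal_data_changed", datetime(2016, 8, 9, 15, 0)),
    SubscriberEvent("+49170000003", "sim_reissued", datetime(2016, 6, 1, 12, 0)),
]

# Assumed policy windows: after a SIM reissue SMS is treated as an untrusted OTP
# channel; after a personal-data change the bank asks for extra verification.
SIM_CHANGE_HOLD = timedelta(hours=48)
DATA_CHANGE_HOLD = timedelta(hours=24)


def csp_notifications(feed: List[SubscriberEvent], since: datetime) -> List[SubscriberEvent]:
    """CSP side: the events a financial partner should be notified of since a given time."""
    return sorted((e for e in feed if e.at >= since), key=lambda e: e.at)


def otp_channel_decision(msisdn: str, feed: List[SubscriberEvent], now: datetime) -> Tuple[str, str]:
    """Bank side: ("send" | "hold" | "step_up", reason) for an SMS OTP to this number."""
    # Only events already in the past count; newest first so the most recent wins.
    recent = sorted((e for e in feed if e.msisdn == msisdn and e.at <= now),
                    key=lambda e: e.at, reverse=True)
    for event in recent:
        age = now - event.at
        if event.kind == "sim_reissued" and age < SIM_CHANGE_HOLD:
            return ("hold", f"SIM reissued {age} ago; confirm via another channel")
        if event.kind == "personal_data_changed" and age < DATA_CHANGE_HOLD:
            return ("step_up", f"personal data changed {age} ago; require extra verification")
    return ("send", "no recent subscriber changes")


if __name__ == "__main__":
    now = datetime(2016, 8, 10, 12, 0)
    for e in csp_notifications(SAMPLE_FEED, now - timedelta(days=2)):
        print("notify partner:", e)
    for number in ("+49170000001", "+49170000002", "+49170000003", "+49170000009"):
        print(number, otp_channel_decision(number, SAMPLE_FEED, now))
```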

Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.

Vulnerable kit

USB modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces. These include:

Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be modified to trick a user into visiting a specially crafted page.
Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages, or USSD requests, by exploiting different XSS and CSRF vulnerabilities.
RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.

Built-in “service” backdoor allowing no-authentication access to device settings

Examples of this kind of vulnerability were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team. The author assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta, and reported a number of serious vulnerabilities:

Remote Code Execution from web scripts.
Arbitrary device firmware modification due to insufficient consistency checks.
Cross Site Request Forgery and Cross Site Scripting attacks.
All these vectors can be used by an external attacker for the following scenarios:

Infecting a subscriber’s computer via PowerShell code or badUSB attack.
Traffic modification and interception.
Subscriber account access and device settings modification.
Revealing subscriber location.
Using device firmware modification for APT attack persistence.
Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.

The risk of local cells

Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings. Small business customers often receive them from their CSPs. However, unlike core systems, they are not always submitted to suitably thorough security audits.

Femtocell connection map

Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them. Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network.

At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low – but this is likely to change in the future.

USIM card vulnerabilities

Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication. The researchers used differential power analysis to extract the encryption key and secrets, which allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.

Right byte guess peak on differential power analysis graph

Conclusion

Telecommunications is a critical infrastructure and needs to be protected accordingly. The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions. Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation.

A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own. It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence.

Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization. If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out.


Bitcoins move from the seized SilkRoad wallet to the ShadowBrokers
21.8.2016 securityaffairs Security

A security expert noticed strange transactions from the Bitcoin wallet of the SilkRoad (now in the hands of Feds) to the ShadowBrokers ‘ wallet.
I was surfing the Internet searching for interesting data about the ShadowBrokers group that leaked exploits and hacking tools belonging to the NSA Equation Group.

I have found a very intriguing analysis by the popular security researcher krypt3ia, who has analyzed the Bitcoin transactions linked to the #ShadowBrokers account. It seems that the account is receiving small amounts of money (about $990.00 a couple of days ago), but the real surprise is that some of the payments are coming from the seized Silk Road bitcoins and account.

Hey, wait a moment, the Silk Road Bitcoin are under the control of the FBI after the seizure of the popular black market.

krypt3ia decided to investigate the overall transactions and discovered that also the US Marshall service was involved in the transfers.

“So, is this to say that these coins are still in the coffers of the feds and they are being sent to ShadowBrokers to chum the water here? Maybe get a conversation going? Maybe to get the bitcoins flying so others can trace some taint? Of course once you start to look at that address and the coins in and out there you get some other interesting hits. Suddenly you are seeing US Marshall service as well being in that loop. Which makes sense after the whole thing went down with the theft of coins and such by rogue agents of the USSS and DEA.” wrote krypt3ia in a blog post.

Analyzing the transactions, the expert noticed transactions of 0,001337 BTC to the ShadowBrokers.

We are aware that Silk Road coins are in the hands of the US GOV, but someone is sending ShadowBrokers fractions of them.

“What if, and you can see this once you start to dig around with Maltego, the coins being paid to the account so far also come from other accounts that are, shall we call them cutout accounts for the government?” added the expert.

At this point, the researcher invited readers to analyze transactions involving all the accounts that passed money to Bitcoin Wallets used by the Government and that were used to transfer money to the ShadowBrokers.

At the time I’m writing, the ShadowBrokers wallet was involved in 41 transactions for a total of 1.738 BTC, and the highest bid is 1.5 bitcoin, or around $850.


Australian Police obtained access to the Love Zone Child Porn Site and Got 30 IPs from US
20.8.2016 securityaffairs Security

The Australian police had targeted the Love Zone child porn site, ran it for a while and managed to gain access at least to 30 US IPs.
Apart from the FBI, there are other organizations that have tried to identify the participants of child porn websites, so that they could get their hands on them and make them pay. In fact, recently the Australian police managed to access a website called The Love Zone.

This is how they obtained at least 30 US IPs. So, instead of Americans revealing IPs overseas and prosecuting them, it is the other way around here.

The website was in the dark web and used Tor. It was based in the US, which means that the Australian police (Queensland Police Service’s Task Force Argos, to be specific) had to hack them and access their sensitive data. At some point, over 29,000 members had already subscribed to the site, which is shocking news!

In order to lure the members of the site, the police sent a video file. The members wanted to open it, of course; it was relevant to their own preferences, after all!

More analytically:

“When a user clicked on that hyperlink, the user was advised that the user was attempting to open a video file from an external website. If the user chose to open the file, a video file containing images of child pornography began to play, and the [foreign law enforcement agency] captured and recorded the IP address of the user accessing the file. FLA configured the video file to open an Internet connection outside of the Network software, thereby allowing FLA to capture the user’s actual IP address, as well as a session identifier to tie the IP address to the activity of a particular user account.”

The whole investigation is not the same as that of the FBI and its 135 US cases. Yet, the Aussies handed over the evidence they had collected to the FBI. In this way, justice would finally emerge. It is worth pointing out that the owner of the Love Zone, Shannon McCoole, is serving a 35-year sentence for child sexual abuse.

It remains unclear whether or not the investigation of the Australian police was just against US targets.

As for the FBI, the only comments about the operation of the Love Zone were the following: “The FBI, led by its Legal Attaches in numerous countries around the world, seeks to foster strategic partnerships with foreign law enforcement, intelligence, and security services as well as with other US government agencies by sharing knowledge, experience, capabilities and by exploring joint operational opportunities.”


Omegle, the Popular 'Chat with Strangers' Service Leaks Your Dirty Chats and Personal Info
20.8.2016 thehackernews Security
Ever since the creation of online chat rooms and then social networking, people have changed the way they interact with their friends and associates.
However, when it comes to anonymous chatting services, you don't even know what kinds of individuals you are dealing with.
Sharing identifiable information about yourself with them could put you at risk of becoming a victim of stalking, harassment, identity theft, webcam blackmail, and even phishing scams.
Have you heard of Omegle? The popular, free online anonymous chat service that allows you to chat with random strangers, without any registration. The service randomly pairs you in one-on-one chat window where you can chat anonymously over text or webcam.
But, are your chats actually Anonymous?
No, all your chats are recorded and saved by the service. So, if you have shared your personal details such as your name, phone number, or email address, with anyone over the service, you are no more anonymous.
Even the website describes its service as, "When you use Omegle, we pick someone else at random and let you talk one-on-one. To help you stay safe, chats are anonymous unless you tell someone who you are (not suggested!), and you can stop a chat at any time."
And here comes the worst part:
The recorded online conversations are saved in such a way that anyone with a little knowledge of hacking can pilfer them, revealing your personal information along with those dirty chats that could be used to harass or blackmail you.
Indrajeet Bhuyan (@Indrajeet_b), a young Indian bug hunter, has shown The Hacker News how Omegle saves screenshots of every 'so-called' anonymous chat session at a specific location on its web server, from where they could be downloaded by anyone with a little knowledge of website structure.
Bhuyan wrote a simple python script, Omegle-Chat-Hack, that automatically downloads the saved screenshots from the website.
As a proof-of-concept, he also published some of those screenshots, showing how easily people, especially teenagers, share their personal details and contact info with strangers on a service, where they are supposed to stay anonymous.
"People on Omegle often think their chats are private and automatically get deleted once they disconnect from the conversation," Bhuyan told me. "Due to this false sense of security, people often share their sensitive information on the service. Omegle-Chat-Hack is a tool that demonstrates how insecure these online chat services are and how one can read your private messages sent over the service."
So, you should be careful with what identifiable information you share over such online services while chatting with strangers. The more personal information you share, the more chances there are for others to misuse your information.
Frankly, you should take your online privacy very seriously.


Information warfare – The Rise of the Cyber Offense
12.8.2016 securityaffairs Security

Information warfare – The development of cyber capabilities is strategic for any governments, computer systems and Internet of Things even more at risk.
By the mid-1990’s the US intelligence agencies, especially the NSA, were beginning to wake up to a grim reality – the world was quickly becoming connected and the tools to connect that world were no longer confined to the government and universities, but now were in the hands of smart and very capable people outside of academia and government snoops.

In 1998, Richard A. Clarke, then security advisor to the Clinton administration, took a quick flight from D.C. up to Cambridge, Massachusetts to meet with a team of hackers that would change forever the way the US government looked at the world.

Clarke’s contact in Cambridge was to be a hacker known as “Mudge.” Mudge was the mouthpiece for a hacker group known as the L0pht. After about an hour of waiting patiently in a local bar, Clarke grew tired, thinking Mudge had got cold feet. As he started to get up from the table, the gentleman next to him introduced himself as Mudge; he had been sitting beside Clarke the whole time. Not only was Mudge observing Clarke from afar, but so was the entire L0pht team: Brian Oblivion, tan, Kingpin, Weld Pond, Space Rogue, and Stefan von Neumann, who later would drive right on through the gate of the NSA parking lot with nothing more than a salute!

After small talk, Mudge took Clarke to “the L0pht”, the second floor of a Cambridge warehouse where the L0pht team kludged and cobbled together an impressive arsenal of computing power capable of doing some serious damage if the team so desired.

Clarke left that night with more than an uneasy feeling. Though not a cyber security person himself, he knew damn well that if a group of college students and geeks could dumpster dive enough equipment to be a serious threat, so could a nation-state actor! Clarke invited L0pht to testify to Congress. Though Congress was certainly concerned, little changed in the way Congress went about its business; but for the Department of Defense, FBI, CIA, and especially the NSA, the situation couldn’t have been bleaker – and unfortunately, the prognosis has changed little since.

Over the past decade, the offensive capabilities of nation-state actors have grown exponentially. China, Israel, and Russia, all of whom have had robust offensive capabilities for years, have become efficient and well-managed espionage machines likely equal to that of the United States. Other countries are quickly catching up: Syria, Iran, and a rabble of former Soviet states have formidable offensive expertise. It’s not just governments either; hacking tools and techniques are becoming so ubiquitous that it is nearly impossible for anyone to keep up.

Of particular concern is the world’s critical infrastructure. The last couple of years have been marked by attacks on power plants, distribution systems, and even water treatment facilities. More recently, a report surfaced that the Global Positioning System (GPS), the space-based navigational system the world relies on, is now at risk of illegal jamming.

Information Warfare (Source Akamai)

Experts have warned for years that the GPS system is vulnerable to attack, not just to jamming but to spoofing as well – though encryption is provided for the military’s use only. Great, but it won’t help the wave of new and next-generation devices that will be part of the so-called Internet of Things (IOT).

The everyday devices that power our lives will soon be connected to the Internet – refrigerators, dishwashers, in-home camera systems, and even the watering bowl for your dog will be connected to the web, where Fido’s water can be refreshed by simply tapping an app on your cellphone. So who cares if a hacker gets my carpet wet? It’s a fair question, but if a hacker can exploit the insecure code on the dog’s watering bowl, it will likely act as a portal to more important areas of our life, like our bank accounts!

The real takeaway from the GPS jamming device and precisely what worried Richard Clarke on that fateful night in Cambridge, was the reality that offensive capabilities were being wrestled out of the realm, and control, of the spooks and the military. Simple jamming techniques have been used to disable key fobs, popular in today’s new automobiles. On a larger scale, jamming devices were used to steal a truck full of pharmaceuticals in Florida. Even the North Koreans are in on the act, recently jamming the GPS of about 280 South Korean vessels.


L0pht’s contributions to the history of the security of the United States shouldn’t be diminished by the fact that we have seemingly seen little progress. In fact, they should be applauded for taking the risk of going to D.C. in the first place, particularly in the late nineties where computer geeks were just that – geeks! Perhaps the team’s biggest contribution is killing the myth that only a well-funded government can wreak havoc; clearly, not true. Mudge knew it, Clarke knew it, and now we’re all waking up to this new reality.


Over 300 new cyber threats pop up on underground markets each week

10.8.2016 helpsecuritynet Security

Approximately 305 new cyber threats are added each week on cybercrime markets and forums, mostly located on dark nets and the deep web.

The threats include information on newly developed malware and exploits that have not yet been deployed in a cyber-attack – information that could be very useful for cyber defenders.


The discovery was made by Arizona State University researchers, who have developed and deployed a system for cyber threat intelligence gathering and used it on 27 marketplaces and 21 hacking forums.

The group, some members of which have also recently released the results of an investigation into the supply on 17 underground hacker markets, also noted that, in a period spanning four weeks, 16 exploits for zero-day vulnerabilities had been offered for sale.

Among these was an exploit for a remote code execution flaw in Internet Explorer 11 (priced at a little over 20 BTC), and one for an RCE flaw in Android WebView (price: nearly 41 BTC).

“The Android WebView zero-day affects a vulnerability in the rendering of web pages in Android devices. It affects devices running on Android 4.3 Jelly Bean or earlier versions of the operating system. This comprised more than 60% of the Android devices in 2015,” they explained.

“After the original posting of this zero-day, a patch was released in Android KitKat 4.4 and Lollipop 5.0 which required devices to upgrade their operating system. As not all users have/will update to the new operating system, the exploit continues to be sold for a high price. Detection of these zero-day exploits at an earlier stage can help organizations avoid an attack on their system or minimize the damage. For instance, in this case, an organization may decide to prioritize patching, updating, or replacing certain systems using the Android operating system.”

Not to mention that the vendors whose software is obviously vulnerable could try to come up with a patch or at least temporary mitigations that could minimize the risk of these exploits being leveraged against users.

The researchers’ system has also shown some promise when it comes to mapping the underlying social network of vendors.

The group is currently in the process of transitioning the system to a commercial partner, but the database they created by using it has been made available to security professionals, to help them identify emerging cyber threats and capabilities.


China – Authorities arrested 10 members of the Wooyun ethical hacking group
1.8.2016 securityaffairs.co Security

The Chinese authorities have arrested 10 members of the popular Wooyun ethical hacking community, including the founder Fang Xiaodun.
Chinese authorities have arrested popular white hats operating in the country, including the founder of one of the larger online ethical hacker communities. The reason behind the arrests is still a mystery; the news was reported first by the Chinese website Caixinwang and spread by the Hong Kong Free Press (HKFP).


The young hacker, Fang Xiaodun, is the founder of the Wooyun community; he was arrested with ten other senior members of the group on July 22, a couple of weeks after the group held its annual convention in Beijing. The convention is considered one of the most interesting in the country and captured the interest of high-profile organizations.

“Around ten senior members of Wooyun – including Fang – were taken away by police without specific charges being made a week ago, according to a source cited by Caixinwang.” reported the Hong Kong Free Press.

“Everything happened very abruptly, even members within Wooyun were kept in the dark,” said the source. “People from Wooyun said there was no administrative procedures nor prior notice for the arrest,” the source added.

Fang founded the hacking community in 2010, previously he was the head of security at Chinese search engine Baidu.

Wooyun was known for its bug hunting activity; like similar groups worldwide, its members only disclosed vulnerabilities if they were unable to get a satisfactory answer from the operators of the vulnerable systems.

Fang Xiaodun has not been heard from since July 18: he hasn’t posted any content to his WeChat account, and the official website of the Wooyun group has been suspended since July 20.

The Hong Kong Free Press speculates that the Wooyun group has shut down the website as a precaution fearing possible repercussions.

At the time of writing there is no official statement on the case; experts speculate that members of the Wooyun group may have targeted a government entity for testing purposes, provoking the reaction of the authorities.

“Multiple theories regarding the arrest have surfaced in the community. Some speculate that Wooyun was involved in legal issues after publicising certain websites’ system loopholes shortly before they were hacked by a third-party. Others suspect that Wooyun members were involved in testing the vulnerabilities of government networks without authorisation.”

The Internet Society of China’s legal consultant Zhao Zhanling told HKFP the Wooyun site was used only as the disclosure platform.


Torrentz.eu Shuts Down Forever! End of Biggest Torrent Search Engine
5.8.2016 thehackernews Security
Over two weeks after the shutdown of Kickass Torrents and arrest of its admin in Poland, the world's biggest BitTorrent meta-search engine Torrentz.eu has apparently shut down its operation.
The surprise shutdown of Torrentz marks the end of an era.
Torrentz.eu was a free, fast and powerful meta-search engine that hosted no torrents of its own, but combined results from dozens of other torrent search engine sites including The Pirate Bay, Kickass Torrents and ExtraTorrent.
The meta-search engine has announced "farewell" to its millions of torrent users without much fanfare, suddenly ceasing its operation and disabling its search functionality.
At the time of writing, the Torrentz.eu Web page is displaying a message that reads in the past tense:
"Torrentz was a free, fast and powerful meta-search engine combining results from dozens of search engines."
When trying to run any search or click any link on the site, the search engine refuses to show any search result and instead displays a message that reads:
"Torrentz will always love you. Farewell."
Launched back in 2003, Torrentz has entertained the torrent community for more than 13 years with millions of visitors per day.
However, today, the popular meta-search engine has shut down its operation from all Torrentz domains, including the main .EU domain (both HTTP and HTTPS version) as well as other backups such as .ME, .CH, and .IN.
Although many copyright holders were not happy with the site, with both the RIAA and MPAA having reported it to the U.S. Government in recent years, says TorrentFreak, there is no news of any arrest or legal takedown of the site in this case.
Still, it would be fair enough to wait for an official announcement from the site owners.


Analyzing CIA Director BRENNAN’s talk at Council on Foreign Relations (CFR)
5.8.2016 securityaffairs Security

We bring to the attention of the Security Affairs readers the interesting speech and interview dated 29/06/2016 of CIA Director John O. BRENNAN at the Council on Foreign Relations (CFR). The main themes addressed are:

Relations with the USA's European partners after BREXIT, and the axis with England
Terrorism, DAESH, the situation in Syria and Iraq
CYBERSECURITY
Geoengineering and SAI program

Brennan, interviewed by journalist Judy Woodruff of the PBS “NewsHour”, pointed out that Europe must do better than the Eurosceptics' calls for referendums following the UK exit. Brexit, however, will not affect intelligence collaboration between the US and the UK in the months and years to come; rather, it will be strengthened. The effects of global instability and conflict scenarios are producing movements of displaced persons on the order of 65 million people.

In the Middle East, geographic borders and national identities are constantly being redefined. The real threat of ISIL, compared with Al-Qaeda, is that it has grown from a few hundred fighters to tens of thousands, and has also improved its ability to conceal its communications.

As for the environment, Brennan estimates at $10 billion a year the cost of government intervention to limit global warming through SAI programs, methods that seed the stratosphere with particles that help reflect the sun’s heat, more or less in the same way volcanic eruptions do.

With respect to this last issue, there are concerns about whether such operations conceal a military interest in dominating the stratosphere. Global warming and the reduction of CO2 could be addressed without introducing potentially harmful elements, as in the example of volcanic eruptions, but more simply and at lower cost with the repopulation of the great forests.

Another concern for Brennan is North Korea and the nuclear threat from Kim Jong-un, with his continuous and frantic pursuit of military capabilities in the nuclear field. We come now to the point that concerns us more closely, the cyber threat. On this issue there is strong concern, as attacks on public and private companies are still rising and becoming more sophisticated.

Regarding the domain of cyber threats, here are Brennan's thoughts and words:

“Another strategic challenge is dealing with the tremendous power, potential, opportunities, and risks resident in the digital domain. No matter how many geopolitical crises one sees in the headlines, the reliability, security, vulnerability, and the range of human activity taking place within cyberspace are constantly on my mind.

On the cybersecurity front, organizations of all kinds are under constant attack from a range of actors—foreign governments, criminal gangs, extremist groups, cyber-activists, and many others. In this new and relatively uncharted frontier, speed and agility are king. Malicious actors have shown that they can penetrate a network and withdraw in very short order, plundering systems without anyone knowing they were there until maybe after the damage is already done.

While I served at the White House, cyber was part of my portfolio, and it was always the subject that gave me the biggest headache. Cyber-attackers are determined and adaptive. They often collaborate and share expertise, and they come at you in so many different ways, with an ever-changing array of tools, tactics, and techniques.

Moreover, our laws have not yet adequately adapted to the emergence of this new digital frontier. Most worrisome from my perspective is that there is still no political or national consensus on the appropriate role of the government—law enforcement, homeland security, and intelligence agencies—in safeguarding the security, the reliability, the resiliency, and the prosperity of the digital domain.

The intelligence community is making great strides in countering cyber-threats, but much work needs to be done. As we move forward on this issue, one thing we know is that private industry will have a huge role to play as the vast majority of the Internet is in private hands. Protecting it is not something the government can do on its own.

Right up there with terrorism, global instability, and cybersecurity is nuclear proliferation and the accompanying development of delivery systems, both tactical and strategic, that make all too real the potential for a nuclear event.

Unsurprisingly, top of my list of countries of concern is North Korea, whose authoritarian and brutal leader has wantonly pursued a nuclear-weapons program to threaten regional states and the United States instead of taking care of the impoverished and politically repressed men, women, and children of North Korea.

So what else is there besides terrorism, global instability, cybersecurity, and nuclear proliferation that worries the CIA director and keeps CIA officers busy around the clock and around the globe? Well, as a liberal-arts guy from the baby-boomer generation, the rapid pace of technological change during my lifetime has been simply dizzying. Moreover, as we have seen with just about every scientific leap forward, new technologies often carry substantial risks, to the same degree that they hold tremendous promise…”


Also the Giant Google has recently faced a data breach via benefits provider
14.5.2016 Security

Google started sending out notifications to employees about a data breach that occurred at a third party company that operates as a benefits provider.
We all make mistakes; sometimes they are small, sometimes big. But what if the mistake is so important that it indirectly affects one of the biggest companies in the world? “Oooops!” This is what an employee of a benefits management service provider, a company Google has partnered with to provide its employees comprehensive benefits packages, discovered.

On May 8th, 2016, Google Inc started notifying affected stakeholders of a breach of data containing their sensitive personal information due to an email “fumble”, a mistake in the recipient's email address in which the email client's auto-complete address feature may have played a part.

The disclosure came after a vendor, specializing in employee/staff benefits management services, realized that an email containing sensitive private information on Google employees had been inadvertently sent to the “wrong person”. In a notice filed with the Attorney-General’s office in California, Teri Wisness, US Benefits Director at Google, said Google had been notified immediately of the data breach by the sender themselves and appreciates the effort to disclose this leak as quickly as possible.

“We recently learned that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our Googlers to a benefits manager at another company. Promptly upon viewing the document, the benefits manager deleted it and notified Google’s vendor of the issue. After the vendor informed us of the issue, we conducted an investigation to determine the fact” reads the notice.

The email contained a document with an undisclosed number of Google staff names and US Social Security Numbers (SSNs). Acknowledging the mishap, Google dispatched its incident responders to investigate and mitigate; however, from initial reports, no misuse, abuse or malicious intent was discovered. Also, logs from both parties indicate nobody else viewed this document, saved it elsewhere locally or remotely, or disclosed it to another party. In fact, the unintended recipient simply deleted the email and its contents after viewing it once and contacted the sender. Google will offer three years of credit monitoring and protection for the affected employees, and recommends that its employees obtain a credit report.
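The incident above is a misdirected email, not a compromise, so the control that would have caught it is an outbound check on the mail itself. The following is an added example written for this article, not code from Google or its vendor: it scans an outgoing message, including text attachments, for strings shaped like US Social Security Numbers and refuses delivery when any are addressed to a recipient outside an assumed internal domain (the domain, the addresses and the roster contents are constructed for the example). The SSN pattern excludes the area, group and serial ranges that are never issued, which removes some false positives; real deployments would add more data types and a review queue instead of a hard block.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed internal mail domain (constructed for this example).
INTERNAL_DOMAINS = {"example-corp.test"}

# US SSN shape, with never-issued ranges excluded: area 000, 666 or 9xx,
# group 00 and serial 0000 are not valid SSNs and would be noise.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Minimum number of distinct SSNs that triggers a block.
SSN_THRESHOLD = 1


def external_recipients(msg, internal_domains=INTERNAL_DOMAINS):
    """Return the recipient addresses whose domain is not in the internal set."""
    headers = []
    for field in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(field, []))
    return sorted(
        addr
        for _, addr in getaddresses(headers)
        if addr and addr.rsplit("@", 1)[-1].lower() not in internal_domains
    )


def find_ssns(msg):
    """Collect distinct SSN-looking strings from the body and every text/* attachment."""
    found = set()
    for part in msg.walk():
        # Multipart containers and binary attachments are skipped; a fuller
        # implementation would extract text from office and PDF formats too.
        if part.get_content_maintype() != "text":
            continue
        found.update(SSN_RE.findall(part.get_content()))
    return sorted(found)


def check_outbound(msg, internal_domains=INTERNAL_DOMAINS):
    """Decide whether a message may leave the organisation.

    Returns (allowed, reasons). Internal-only mail with SSNs is allowed here;
    the policy only fires on SSNs leaving the internal domain.
    """
    reasons = []
    ext = external_recipients(msg, internal_domains)
    ssns = find_ssns(msg)
    if ext and len(ssns) >= SSN_THRESHOLD:
        reasons.append(
            f"{len(ssns)} SSN(s) addressed to external recipient(s): {', '.join(ext)}"
        )
    return (not reasons, reasons)


def build_sample(to_addr):
    """Constructed sample: a benefits roster sent as a CSV text attachment."""
    msg = EmailMessage()
    msg["From"] = "benefits@example-corp.test"
    msg["To"] = to_addr
    msg["Subject"] = "Q2 benefits roster"
    msg.set_content("Attached is the roster you asked for.")
    # Constructed sample data; these are not real SSNs.
    roster = "name,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n"
    msg.add_attachment(roster, subtype="csv", filename="roster.csv")
    return msg


if __name__ == "__main__":
    # The auto-complete mistake from the article: an external benefits manager
    # with a similar-looking address is selected instead of the internal one.
    allowed, reasons = check_outbound(build_sample("benefits.manager@other-company.test"))
    print("allowed" if allowed else "blocked", reasons)
    allowed, reasons = check_outbound(build_sample("benefits.manager@example-corp.test"))
    print("allowed" if allowed else "blocked", reasons)
```

The check is deliberately placed at the mail gateway rather than in the client: the auto-complete feature that caused the mistake lives in the client, so a control that depends on the sender noticing the wrong name does not help. The threshold of one is appropriate for a benefits vendor whose legitimate external mail should never contain SSNs; for a general population a higher threshold or a confirmation step is the usual compromise.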


Mozilla asks Court to disclose Firefox Exploit used by FBI to hack Tor users
13.5.2016 Security
Mozilla has filed a brief with a U.S. District Court asking the FBI to disclose the potential vulnerabilities in its Firefox browser that the agency exploited to unmask TOR users in a criminal investigation.
Last year, the FBI used a zero-day flaw to hack the Tor browser and de-anonymize users visiting child sex websites.
Now, Mozilla is requesting the government to ask the FBI about the details of the hack so that it can ensure the security of its Firefox browser.
TOR is anonymity software that provides a safe haven to human rights activists, governments and journalists, but it is also a place where drugs, child pornography, assassins for hire and other illegal services have allegedly been traded.
TOR Browser Bundle is basically an Internet browser based on Mozilla Firefox configured to protect the user's anonymity via Tor and Vidalia.
In 2015, the FBI seized computer servers running the world’s largest dark web child pornography site ‘Playpen’ from a web host in Lenoir, North Carolina. However, after the seizure, the site was not immediately shut down.
Instead, the FBI agents continued to run Playpen from its own servers in Newington, Virginia, from February 20 to March 4. During that period, the agency deployed its so-called Network Investigative Technique (NIT) to identify the real IP addresses of users visiting this illegal site.
Recently, an investigation revealed that Matthew J. Edman, a former employee of TOR Project, created malware for the FBI that has been used by US law enforcement and intelligence agencies in several investigations to unmask Tor users.
The FBI hacked more than a thousand computers in the US alone and over three thousand abroad. The Internet Service Providers (ISPs) were then forced to hand over the target customer’s details, following their arrest.
Two months back, a judge ordered the FBI to reveal the complete source code for the TOR exploit that not only affected the Tor Browser, which would have likely been used to hack visitors of PlayPen, but also Firefox.
Here’s what Mozilla’s top lawyer Denelle Dixon-Thayer explained in a blog post:
"The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base."
Mozilla has now filed a motion with a US district court in Washington, asking the government to disclose the vulnerability within 14 days before any disclosure to the Defendant requiring the FBI to hand over the source code of the exploit to the defense team.
It is because Mozilla wants time to analyze the vulnerability, prepare a patch, and update its products before any malicious actor could exploit the flaw to compromise its Firefox browser, which is being used by millions of people.


British Hacker Wins Legal Battle Over Encryption Keys
11.5.2016 Security

Britain's top crime fighting force has failed in a legal attempt to force alleged hacker Lauri Love to hand over his hard disk's encryption keys. In a landmark case, District Judge Nina Tempia said the investigative agency should have used the normal police powers rather than a civil action to obtain the evidence. Lauri Love, a 31-year-old hacker, has been accused of aiding cyber-attacks against U.S. targets, including NASA, FBI, US Army and US Federal Reserve networks.
The National Crime Agency (NCA) has failed in a legal attempt to force the British citizen and political hacktivist Lauri Love to hand over the keys to encrypted data that was seized from his home two years ago.
At a Tuesday hearing in Court Seven at Westminster Magistrates' Court, the NCA's application to make Love disclose his encrypted computer passwords was refused by the judge.
Hacker Fighting Extradition to U.S.
Love, 31, is currently fighting extradition to the United States, where he faces up to 100 years in prison for allegedly hacking into the Federal Bureau of Investigation (FBI), the National Aeronautics and Space Administration (NASA), the US Missile Defence Agency, and the Federal Reserve Bank of New York during 2012 and 2013.
United States Prosecutors claim that Love was allegedly involved in the online protest #OpLastResort linked with the Anonymous group, following the untimely death of online activist Aaron Swartz, who committed suicide in 2013 while under federal charges of data theft.
Love was initially arrested from his home in Stradishall, England back in October 2013, when the British police seized his encrypted computers and hard drives. The NCA later asked the courts to force Love to turn over keys to decrypt his computer's hard drives.
The files on Love's computer that authorities say could contain data from the US Senate and the Department of Energy were encrypted with TrueCrypt, a popular software for encrypting data.
Initially, the British agency attempted to compel Love to hand over his encryption keys and passwords under Section 49 of the Regulation of Investigatory Powers Act (RIPA) 2000, but failed after he refused.
British Govt vs. Lauri Love
Love, who is currently on bail, launched a legal action against the NCA to return his computer equipment. However, the agency refused, claiming the devices could contain data that did not legally belong to him – for example, hacked files.
So, as part of those civil proceedings, the agency made an application to force Love to hand over his "encryption key or password" for the encrypted data found on his computer and hard drives.
However, Judge Nina Tempia of Westminster Magistrates' Court in London ruled in favor of Love, saying the NCA cannot force Love to disclose his passwords and encryption keys to prove his ownership of the data.
Tempia also said the NCA has attempted to "circumvent" the RIPA act, which she described as the "specific legislation that has been passed to deal with the disclosure sought."
"I am not granting the application because to obtain the information sought the correct procedure to be used, as the NCA did two-and-a-half years ago, is under section 49 RIPA, with the inherent HRA safeguards incorporated therein," Tempia wrote in her ruling on Tuesday.
The NCA has yet to comment on the court proceedings. However, Love was "happy" with the result. Speaking outside court, he said: "It is a victory, although it is a more an avoidance of disaster."
The court hearing revolving around the return of Love's computer equipment is scheduled for July 28.


Chaos Theory of Standardization in IOT
7.5.2016 Security

There are numerous standards being followed currently in the IOT space to connect various devices but no single global framework is followed.
As Chaos theory focuses on the initial condition of every event meaning that their future behavior is fully determined by their initial conditions, I feel that the IOT scenario is also currently at an initial juncture where we have an opportunity to control the situation before it goes out of hand. There are numerous standards being followed currently in the IOT space to connect various devices but no single global framework is followed.

Consider TCP for the internet or IPv4/6 for connectivity, which have become global standards. We have seen the telecommunication and internet revolutions happen simultaneously, which has fueled various innovations and made life much more convenient. Even though 2G, 3G, 4G and 5G technologies, along with the Internet, have been globally standardized, the IOT, which uses the internet as a platform, has not yet been standardized. The objective of IOT standardization is to create one language for IOT communication. Even though historically many technologies have converged on a global standard, the IOT world is in a state of chaos and is actually diverging into many individual standard formats rather than converging into one. Think of the data that was recorded on cassette tapes and VCR systems. Their formats are not compatible with today’s data formats and hence obsolete. Standardization will “distinguish past from the future, by marching away from the chaos, the randomness, and moving towards stability. This is why standards are necessary”. (Campbell, J., 1983. Grammatical Man, A Touchstone Book, Simon & Schuster, Inc., page 265.)

In the same way, a hierarchical structure in an organization reduces data analysis time: only the managers' data has to be analyzed, as each manager manages a few associates. Less data analysis saves time and hence cost. Most economic theory is based on saving time. Most ecommerce startups, like online grocery (food tech) startups or cab aggregators like Uber, focus on saving time using mobile apps, and hence save effort and cost.

Standardization will in turn save enormous amount of time and cost. One of the major changes in this space has been triggered due to the declining cost of sensors and cloud storage.

In the world of standardization in IOT, there are many wicked problems. To make people accountable and fix the issues, one standard is imperative. There has been a very significant shift in new technology adoption. From innovation to adoption of a technology there is a series of events that unfold. Before I explain this shift, let me start with a ‘why’ by asking: why IOT standardization now? There are 3 reasons why there is a need for standardization of IOT now.

99% of devices in the world are not connected. This means that the timing is perfect. Timing was the key for the Uber and Airbnb launches and hence the success factor.
50 billion connected devices by 2020 and 2 trillion in revenue means that demand will only rise and hence streamlining is the key.
In 2013-14, approximately 2 billion USD was invested in IOT startups in Silicon Valley alone. This only shows that the IOT industry is going to be in the early adopter stage. Hence early adoption of a common universal standard is crucial right now, as the timing is perfect while only 1% of devices in the world are currently connected.
Protocols for interoperability have to be standardized for ease of communication. Each sensor generates data which has to communicate with every other device. Different naming and addressing standards will lead to device searching issues. Hence talking to each other in the same language is of prime importance. The narrative of the English language gaining dominance as the global language supports my argument of having a universal IOT language for communication.

Now, talking about the power game of who can influence the standardization process: how will standardization work? Or should we perhaps be asking whether it will ever work? To kick-start this complex initiative I strongly propose a global campaign for ‘IOTism’. Currently we are witnessing an IOT ecosystem which lacks strong global IPR rules, neutral governance and balanced participation or representation. The solution to this problem would come from game theory. Without an unbiased authority or a policy maker, it will be impossible to have a truly global IoT ecosystem.

How and what would the governance of the IoT be like? Will it be a state-led agency, a group under the supervision of the UN, or an industrial consortium? Currently the various power players in the standards world, like ITU, ICANN, IEEE, OIC, W3C, ISO, IETF and industry vertical standards bodies, are present and each wants to influence a larger share of the pie. Applying game theory to IOTism for adoption of ONE universal standard: if everyone adopts the standard at the same time, it will be successful. The need of the hour is to bring all institutions together and frame an IOT standard together.

As of the end of 2015, the IOT industry market is around 0.8 trillion USD. The true market value of the IOT industry would be created only if all IOT standards were integrated into just one. If I assume approximately 400 current standards, then the value per standard is 0.8 trillion / 400 = 2 billion USD. This per-standard value brings down the efficiency of the IOT industry as a whole. Therefore, if and only if the number of IOT standards is 1 can the IOT market value be maximized.

A Governance, Risk and Compliance (GRC) automation platform or tool in the cyber security space has a basic foundation (workflow, dashboard, application linking, access and role management, etc.) on top of which any use case or application module can sit. Similarly, an IOT TRUST foundation could be common globally, and any organization or industry would be free to map its customized processes on top of the base foundation framework. This would control the input and output of data, achieving a universal standard with a contextual technology layer wrapped on top of it.

It is also imperative to understand that once IOT standardization is achieved, there should be a smooth transition strategy, such as a migration roadmap for the previous standards (currently approximately 450 IOT standards exist), rather than leaving adoption to the market alone. The responsibility of this group would be to think ahead of the curve and make the necessary changes to the framework so that it stays compatible with and accommodates future innovations. IOT is an extension of the human organs, and hence the game of IOTism to ORGANism should be played very responsibly. We should keep in mind what happens to humanity when there is technological singularity! Else the next world war could be fought over the standard Information of Things!


Swiss defense department victim of cyber espionage
6.5.2016 Security

The Swiss Defense Department was recently the victim of a cyber attack; the offensive came after a presentation on cyber espionage to the FIS.
The Swiss Defense Department was recently the victim of a cyber attack; the offensive came after a presentation on cyber espionage to the Federal Intelligence Service. The cyber attack was announced by the Swiss defense minister Guy Parmelin, who explained that the Federal Department of Defence, Civil Protection and Sports was targeted by hackers.

The Vaud SVP politician Guy Parmelin heads the Department of Defence, Civil Protection and Sport (VBS).

Of course, the attribution of the attack is very hard, but Government experts have found many similarities with another cyber attack that hit the government-owned Ruag firm.


The Ruag firm is a technology company based in Bern that supplies the country’s military with munitions; government experts believe it was the victim of a cyber espionage campaign. The hackers exfiltrated data from the systems of the firm, which is wholly owned by the Swiss government, though the extent of the theft was unknown.

Below is a portion of the interview Parmelin gave to the Swiss daily Tages-Anzeiger.

“According to Tagesanzeiger.ch/Newsnet information, the attacks against the VBS are connected with a major cyber attack on the defense group RUAG, behind which Russia is suspected. Has the Federal Council become active in this matter?
The Federal Council has been informed. It has proposed several measures that are now being implemented. The Attorney General has instituted proceedings.

What were these attacks?
The attacks were industrial espionage. Because Ruag works for the army and the federal government, and is 100 percent owned by the federal government, it is very important for us to minimize risks.”

Parmelin pointed out that industrial espionage was the root cause of the cyber attack and said his department was able to mitigate the attack and restore normal operations. He hasn’t provided further details on the attack that hit the Swiss Defense Department.

Ruag has announced the introduction of additional security measures in order to repel further cyber attacks.

Cyber espionage represents one of the most worrying problems for the Federal Intelligence Service (FIS), as reported in the “Management Report 2016”.

Hackers continuously target both Swiss SMEs and larger companies; Parmelin highlighted that similar cyber attacks could have significant consequences for the Swiss Government.


Google is bringing HTTPS to all blogspot domain blogs
4.5.2016 Security

Google has decided to switch on HTTPS by default for its free blogging platform Blogspot; the migration will be easy and transparent for the users.
Following WordPress, Google has also decided to switch on HTTPS by default for its free blogging platform Blogspot. The measure will impact millions of users of the popular platform. Google introduced HTTPS support for Blogspot domains as an option in September 2015; now it is announcing the extension to every Blogspot domain blog.
The adoption of encryption will provide more security to end users. In recent months many companies have strengthened their security measures, including WhatsApp and Viber.

In April WordPress announced that it had partnered with the Let’s Encrypt project in order to offer free HTTPS support for all of its users on WordPress.com blogs, which means over 26% of websites based on the most popular CMSs on the web will be secured (statistics by W3techs).

“As part of this launch, we’re removing the HTTPS Availability setting. Even if you did not previously turn on this setting, your blogs will have an HTTPS version enabled.” Google informed users. “We’re also adding a new setting called HTTPS Redirect that allows you to opt-in to redirect HTTP requests to HTTPS. While all blogspot blogs will have an HTTPS version enabled, if you turn on this new setting, all visitors will be redirected to the HTTPS version of your blog at https://<your-blog>.blogspot.com even if they go to http://<your-blog>.blogspot.com. If you choose to turn off this setting, visitors will have two options for viewing your blog: the unencrypted version at http://<your-blog>.blogspot.com or the encrypted version at https://<your-blog>.blogspot.com”


HTTPS makes it impossible for attackers to eavesdrop on connections between the user’s browser and the web server. The adoption of HTTPS helps visitors check that they have opened the correct website and aren’t being redirected to a malicious site, and it helps detect whether an attacker tries to change any data sent from Blogger to the visitor.

The HTTP version of the blogs will remain accessible anyway; users who want otherwise can turn on the new HTTPS Redirect setting, which redirects HTTP requests to HTTPS. Google designed the rollout this way to avoid forcing its users onto HTTPS and to avoid problems for the bloggers.

Some blogs on Blogspot, in fact, contain “mixed content”, such as images and scripts loaded over plain HTTP, which browsers block or warn about on an HTTPS page. Google intends to support its bloggers by offering tools and porting services to overcome the difficulties related to migrating this mixed content.
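As an added example (not Google's code, nor anything from the Blogger announcement), here is a small Python audit a blogger could run on a page before switching on HTTPS Redirect: it lists the subresources an HTTPS page would load over plain HTTP (the "mixed content" mentioned above) and checks that an HTTP response redirects to the same page on https:// rather than somewhere else. The HTML and the redirect response are constructed inline so it runs offline; the hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that fetch a subresource. A value with an explicit
# http:// scheme on an https:// page is "mixed content": browsers block
# scripts, stylesheets and iframes outright and warn about images.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "link": "href",
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for every subresource fetched over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = SUBRESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link> counts as a subresource only for rel=stylesheet here;
        # rel=canonical or alternate is a URL reference, not a fetched resource.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr_name) or ""
        # Relative ("/x.png") and protocol-relative ("//cdn/x.png") URLs inherit
        # the page's scheme, so only an explicit http:// scheme is a finding.
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_same_page_https_redirect(request_url, status, location):
    """True when the response is a redirect that only upgrades http:// to https://
    for the very same host and path (what the HTTPS Redirect setting should do)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    req, loc = urlsplit(request_url), urlsplit(location)
    return (req.scheme == "http" and loc.scheme == "https"
            and req.hostname == loc.hostname and req.path == loc.path)


# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<link rel="canonical" href="http://myblog.example.test/post">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/photo.jpg">
<img src="//images.example.test/logo.png">
<img src="/local/pic.png">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
    print(is_same_page_https_redirect(
        "http://myblog.example.test/post", 301, "https://myblog.example.test/post"))
```

The stylesheet, the photo and the iframe are reported; the canonical link, the protocol-relative logo and the local image are not, because they either fetch nothing or inherit the page's scheme. Fixing a finding usually means changing the URL to https:// or protocol-relative, which is the porting work the article says Google intends to help with.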


Air Force Intranet Control, the first Cyberspace Weapon System is operative
29.4.2016 Security

The Air Force earlier this month announced the launch of its first cyberspace weapon system, the Air Force Intranet Control (AFINC).
The Air Force continues to invest to increase its cyber capabilities and earlier this month announced the launch of its first cyberspace weapon system, code-named Air Force Intranet Control (AFINC).

The Air Force Intranet Control is a defensive system that analyzes all traffic entering the service’s network: it consolidates more than 100 entry points on regionally managed Air Force networks into 16 centrally managed access points that cover all traffic on the Air Force Information Network.


The AFINC weapon system is composed of 16 Gateway Suites that allow the Air Force to monitor all external traffic and the traffic routed between its bases.

Air Force Intranet Control is also composed of 15 nodes on the Secret Internet Protocol Router Network, aka SIPRnet, which is an architecture used by the U.S. Department of Defense and the U.S. Department of State to share classified information.

More than 2000 service delivery points and two integrated management suites complete the structure, which the 26th Network Operations Squadron (26th NOS) manages.

“Achieving FOC means the AFINC weapon system is fully capable to serve as the top-level defensive boundary and entry point for all network traffic into the Air Force Information Network. The AFINC weapon system controls the flow of all external and inter-base traffic through standard, centrally managed gateways.” states the Air Force’s announcement.

The system is considered a great achievement for the Air Force, a technological jewel that will serve more than 1 million users at 237 sites around the world.

“As the first line of defense for our network, the 26th NOS team is responsible for more than one billion firewall, Web, and email blocks per week from suspicious and adversarial sources,” said Col. Pamela Woolley, commander of the 26th Cyberspace Operations Group. “Our network is under constant attack and it is a testament to the dedication of our 26th NOS team that our network reliability and traffic flow remains consistently high.”

The Air Force is investing significant effort to integrate cyber and the electromagnetic spectrum into its operations.

“The reason why we need fusion warfare is exactly to maintain our tactical edge. And when I say our tactical edge, I mean the outer boundary of warfight – not just today, but specifically in 2035,” said Maj. Gen. VeraLinn “Dash” Jamieson, director of intelligence at the Air Combat Command. “By then, our competitors will probably be near-peer technologically and some will have advanced us technologically.”

Information warfare is overlapping with the traditional military domains: as the US Air Force has demonstrated, new hacking techniques can be used to conduct a fight in the air.

In October 2015, Maj. Gen. Burke Wilson, commander of the 24th Air Force, announced that the US Air Force had modified the EC-130 Compass Call aircraft, normally used to jam enemy transmissions, to hack enemy networks.

“We’ve conducted a series of demonstrations. Lo and behold! Yes, we’re able to touch a target and manipulate a target, [i.e.] a network, from an air[craft],” said the official.

In December, the US Air Force activated five new cyber squadrons involving more than 500 personnel.


The Former Tor developer is the author of Torsploit used by the Feds
28.4.2016 Security

Matt Edman is the security expert and former employee of the Tor Project who helped the FBI hack and de-anonymize Tor users by developing Torsploit.
Matt Edman is the cyber security expert and former employee of the Tor Project who helped the FBI hack and de-anonymize Tor users in several court cases, including the high-profile Operation Torpedo and Silk Road.

According to an investigation by the Daily Dot, Edman helped the Feds develop a custom malware, also known as Cornhusker or Torsploit, to unmask Tor users.


Edman worked closely with the FBI Special Agent Steven A. Smith to develop and deploy the exploit that allowed law enforcement to identify Tor users.

Edman joined the Tor Project in 2008 as a developer working on Vidalia, a cross-platform GUI for controlling Tor. One year later he was hired by a defense contractor working for intelligence agencies and the FBI. In that period he focused his efforts on the development of an exploit to unmask Tor users.

“It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware,” Tor Project confirmed in a statement to the Daily Dot.

The team added that Edman worked only on the Vidalia project, which Tor dropped in 2013 and replaced with other tools designed to improve the user experience.

Since 2012, Edman has been working at the Mitre Corporation, where he is a member of the Remote Operations Unit, an FBI internal team that evaluates and develops exploits and hacking tools for the US Government.

During the same period, he was assigned to the investigation under Operation Torpedo, a hacking campaign aimed at identifying the owners and operators behind illegal hidden services hosted in the Tor network. He worked with the FBI to dismantle a child pornography ring on the Dark Web and to shut down the popular black market Silk Road. The operation allowed the FBI to identify and arrest the creator and owner of Silk Road, Ross Ulbricht.

The DailyDot, citing testimony, reported that Edman was a key figure in Ulbricht’s arrest: he traced $13.4 million in bitcoins from Silk Road to Ulbricht’s laptop.

“According to testimony, it was Edman who did the lion’s share of the job tracing $13.4 million in bitcoins from Silk Road to Ulbricht’s laptop, which played a key role in Ulbricht being convicted and sentenced to two life terms in federal prison. Edman worked as a senior director at FTI Consulting at the time.” continues the DailyDot.

Law enforcement deployed Cornhusker on three servers that were hosting several anonymous child pornography websites. Torsploit was designed to trigger flaws in the Flash component inside the Tor Browser.

According to the documents obtained by the DailyDot, Cornhusker is no longer in use; it was replaced by the “Network Investigative Technique” (NIT) to obtain the IP and MAC addresses of Tor users.

Unfortunately, the use of the NIT was not considered legitimate by the court during a hearing on the takedown of the world’s largest dark web child pornography site, PlayPen.


In-Brief: Spotify Hack, Secret of Chrome OS, MIT Bug Bounty, Nanowire Batteries
26.4.2016 Security

1. Spotify Hacked! Change your Password ASAP
If you are one of the millions of people around the world who love to listen to music on Spotify, you may need to change your password immediately.
Has Spotify been hacked? The company says no, but some Spotify users have claimed their profiles were hijacked and details were changed without their knowledge, including passwords and email addresses.
Spotify apparently suffered a security breach that leaked hundreds of Spotify account details, including emails, usernames, passwords and account types, which were published last week to the popular anonymous file sharing website Pastebin.
Spotify is investigating the Pastebin leaks of Spotify user information.
2. Over 1 Million Android Apps Are Coming to Chrome OS
Google is ready to integrate millions of Android applications onto its Chrome OS platform by bringing the entire Play Store to it.
Redditor 'TheWiseYoda' first spotted a new option to "Enable Android Apps to run on your Chromebook" on the developer version of Chrome OS, though the option popped up for an instant and then disappeared.
After hunting in the source code of the operating system, the Redditor discovered a couple of references to the feature that indicate the arrival of Google Play on Chrome OS.
3. MIT University Launches Bug Bounty Program
The Massachusetts Institute of Technology (MIT) launches its experimental bug bounty program this week, which aims at encouraging university students and security enthusiasts to find and responsibly report vulnerabilities in its official websites.
"As thanks for helping keep the community safe, we are offering rewards in TechCASH for the responsible disclosure of severe vulnerabilities," program website explains.
TechCASH is money that can be used for purchasing goods and services at restaurants and grocery stores around the university's Cambridge area.
MIT becomes the first academic institution to reward hackers; the program is open only to university affiliates with valid certifications, such as undergraduate and graduate students.
4. Never Ending Nanowire Batteries — The Future Of Electronics
Researchers at the University of California at Irvine (UCI) accidentally discovered that batteries built using a nanowire-based material, a tiny conductor, can be recharged hundreds of thousands of times.
A typical lithium-ion battery, used in most smartphones and laptops, is expected to last between 2000 and 3000 charge cycles.
However, this innovation could lead to vastly longer lifespans for batteries in smartphones, computers, appliances, cars and spacecraft.
In early testing of the component, this long-lasting battery was recharged more than 200,000 times over a three-month span, and no loss of capacity or power was recorded.
5. Edward Snowden Sues Norway to prevent Extradition
Global Surveillance Whistleblower Edward Snowden has filed a lawsuit against the Norwegian government to ensure his travel to Oslo for picking up an award without any risk of being extradited to the United States.
Snowden has been invited to Norway to receive a Freedom of Speech Award from the local branch of the writers' group PEN International, but he is worried that he would be extradited to the United States because of the country's close diplomatic ties with the US.
6. Nearly 93.4 Million Mexican Voter Data Leaked Online
A hacker discovered over 100 gigabytes of an extensive database completely open on the Internet for anyone to download while the hacker was browsing Shodan – a search engine for servers and Internet-connected devices.
The database turned out to be a voter registration database for the country of Mexico that contained the personal information, including full names, residential addresses, and national identification numbers, of virtually all registered voters with 93.4 Million entries.


DARPA calls for a hacker-proof encryption App, and it will pay for it
25.4.2016 Security

The Defense Advanced Research Projects Agency is calling for the development of a hacker-proof encryption App for the U.S. military.
The US Defense Advanced Research Projects Agency (DARPA) is calling on security experts to create a hacker-proof “messaging and transaction platform.” The project for a hacker-proof encryption App was proposed under the rules of the Small Business Technology Transfer (STTR) program, which expands funding opportunities in the federal innovation research and development (R&D) arena.

The hacker-proof encryption App has to be designed to use the standard encryption already implemented by most popular messaging apps, including WhatsApp, Signal, or Ricochet.


The agency is also requesting that the solution be based on blockchain technology, which can provide security and non-repudiation.

“OBJECTIVE: Create a secure messaging and transaction platform that separates the message creation, from the transfer (transport) and reception of the message using a decentralized messaging backbone to allow anyone anywhere the ability to send a secure message or conduct other transactions across multiple channels traceable in a decentralized ledger.” states the announcement published on the SBIR / STTR Web Portal.

DARPA breaks the project into the following phases:
PHASE I: Create a specific decentralized messaging platform built on the framework of an existing blockchain framework.
PHASE II: Develop, test and evaluate a working prototype with the following features.
PHASE III: Commercialize and full-scale implementation of the platform.
The agency will reward successful applicants at Phase I with more than $150,000 for one year and push them into Phase II of the project, which awards up to $1 million for two years.

In Phase III the solution will be brought to market and applicants will receive no funds from DARPA.

The choice of an existing blockchain framework is not accidental: it is a decentralized technology that could prevent any manipulation by threat actors.

The issues related to the adoption of such a technology are mainly its latency, which requires careful design in order to meet the project requirements in terms of performance.
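To make the ledger idea concrete, here is an added example (constructed for this article, not from DARPA or from any blockchain framework) of the separation the objective describes: each message's ciphertext travels over whatever transport the parties choose, while an append-only, hash-chained ledger records only who sent what to whom and a digest of the payload. The chain makes any later edit to a recorded entry detectable. The entry layout, the names and the sample messages are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value of the very first entry


def _digest(record):
    # Canonical JSON (sorted keys, no whitespace) so every node hashes identical bytes.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def payload_digest(ciphertext):
    """The ledger never stores the message itself, only a hash of the ciphertext."""
    return hashlib.sha256(ciphertext).hexdigest()


def append_entry(chain, sender, recipient, ciphertext):
    """Append a record that links to the previous entry's hash and return it."""
    body = {
        "index": len(chain),
        "prev": chain[-1]["hash"] if chain else GENESIS,
        "sender": sender,
        "recipient": recipient,
        "payload": payload_digest(ciphertext),
    }
    entry = dict(body, hash=_digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return -1 if every entry's hash and back-link check out, otherwise the
    index of the first entry at which the chain is broken."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["index"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def build_sample_chain():
    """Three constructed transactions; the ciphertexts are placeholders."""
    chain = []
    append_entry(chain, "alice", "bob", b"ciphertext-of-message-1")
    append_entry(chain, "bob", "alice", b"ciphertext-of-message-2")
    append_entry(chain, "alice", "carol", b"ciphertext-of-message-3")
    return chain


def tamper_demo():
    """Show that rewriting a recorded entry, even with a recomputed hash, is caught."""
    chain = build_sample_chain()
    intact = verify_chain(chain)               # -1: nothing wrong
    chain[1]["recipient"] = "mallory"          # silently change the record
    edited = verify_chain(chain)               # entry 1's hash no longer matches
    body = {k: v for k, v in chain[1].items() if k != "hash"}
    chain[1]["hash"] = _digest(body)           # attacker also fixes the hash
    relinked = verify_chain(chain)             # now entry 2's back-link fails
    return intact, edited, relinked


if __name__ == "__main__":
    print(tamper_demo())
```

Two caveats a reviewer would raise: a lone hash chain does not detect truncation (dropping the last entries leaves a chain that still verifies), and it proves integrity but not who wrote an entry. Non-repudiation needs each entry signed by its sender, and resistance to truncation needs the chain replicated across independent nodes; both are what the solicitation's "decentralized ledger" adds on top of this toy.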

The solicitation will open on May 23, 2016 and will close on June 22, 2016.

Last month the DARPA launched another interesting project codenamed “Improv,” that aims to develop new techniques to hack into everyday technology.


Viber adds End-to-End Encryption and PIN protected Hidden Chats features
20.4.2016 Security

Viber, the popular mobile messaging app announced Tuesday that it has added full end-to-end encryption for video, voice and text message services for its millions of users.
Here, end-to-end encryption means only you and the person you are communicating with can read the content, and nobody in between, not even the company; if a court orders the company to provide user data, it will get only heaps of encrypted data.
Viber is the latest messaging platform to join WhatsApp, Telegram, and Apple iMessage, who strengthened their default privacy features in recent times.
Founded in 2010 and acquired by Japanese e-commerce titan Rakuten for $900 Million in 2014, Viber is currently being used by more than 700 Million users globally across Android, iOS, Windows Phone, and desktop, the company claimed in a blog post published today.
The move comes just a couple of weeks after Facebook-owned Whatsapp messaging app implemented full end-to-end encryption by default for its one billion users.
Also Read: Cryptocat offers end-to-end encryption For Facebook Messenger.
Besides offering end-to-end encryption on all communication, the company will also provide a new PIN-protected hidden chat feature to help its users hide conversations from the main chat list, as well as Contact Authentication feature to verify contacts you're talking to.
All users need to update their app to the latest version of the company's software, Viber 6.0, to take advantage of the features.
Once installed, your Viber app will now show you a padlock in conversations to confirm that your one-to-one and group messages are end-to-end encrypted.
Recommended Read: The Best Way to Send and Receive End-to-End Encrypted Emails.
However, users will probably need to wait a few weeks before everyone's app updates to add the new end-to-end encryption on Android and iOS.
In the wake of Apple’s months-long battle with the Federal Bureau of Investigation (FBI) over an iPhone used by a San Bernardino terrorist, it seems like end-to-end encryption has become a trend and you’ll continue to see this in more applications and services.


“Restricted” NATO manual accidentally leaked to boat operators
20.4.2016 Security

Incredibly, secret plans for NATO exercise Joint Warrior 161 were accidentally sent by email to Scottish fishermen and ferry operators.
During the First World War, allied forces were able to read a lot of German radio traffic because of codebooks falling into allied hands. Eerily reminiscent of those days, NATO forces recently ran into a similar scenario, however, through their own missteps.

Instead of being retrieved during a state of war and capture, plans for NATO exercise Joint Warrior 161 were accidentally sent by email to Scottish fishermen and ferry operators.

In an age where tensions are rising, justifiably or not, between NATO and Russia, the loss of the information teaches us lessons.

Security personnel need to be especially careful when transmitting sensitive information. In the case of Joint Warrior 161, codewords, ciphers, coordinates, and radio frequencies were released. Security experts need to assume there is someone attempting to gain access to sensitive information. Whether that information is the security secrets of a country's or alliance's military or the intellectual property associated with a new product coming to market, there is always someone attempting to get it.

Despite a Ministry of Defence (MoD) spokesperson claiming there was “no impact to the public, military personnel, or units participating in the exercise”, at what point does one ask if other potential breaches have gone unreported or even undiscovered? Reports show there is an under-reporting of breaches of sensitive information. While we see the major scenarios like the Office of Personnel Management (OPM), Target, or Home Depot, most breaches go unreported because of concerns over company reputation.


All personnel of an organization need to understand they have a part to play in the security of sensitive information – whether military secrets or company intellectual property. Security personnel have a major role in ensuring that the organization's culture understands the procedures and the levels of sensitive information that need to be protected. While humans are the weakest link in the security chain, learning from incidents, regularly reviewing procedures and identifying sensitive information for protection all reduce the risk.

Dave Snell, a retired naval officer, is a Security Professional with twenty years of experience working cyber intelligence, project management, and counter-terrorism operations.


MIT builds Artificial Intelligence system that can detect 85% of Cyber Attacks
19.4.2016 Security

What if we could predict when a cyber attack is going to occur before it actually happens, and prevent it? Isn't that a revolutionary idea for Internet security?
Security researchers at MIT have developed a new Artificial Intelligence-based cyber security platform, called 'AI2,' which has the ability to predict, detect, and stop 85% of Cyber Attacks with high accuracy.
Cyber security is a major challenge in today's world, as government agencies, corporations and individuals have increasingly become victims of cyber attacks that are so rapidly finding new ways to threaten the Internet that it's hard for good guys to keep up with them.
A group of researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) are working with machine-learning startup PatternEx to develop a line of defense against such cyber threats.
The team has already developed an Artificial Intelligence system that can detect 85 percent of attacks by reviewing data from more than 3.6 Billion lines of log files each day and flags anything suspicious.
The new system does not just rely on the artificial intelligence (AI), but also on human input, which researchers call Analyst Intuition (AI), which is why it has been given the name of Artificial Intelligence Squared or AI2.
How Does AI2 Work?
The system first scans the content with unsupervised machine-learning techniques and then, at the end of the day, presents its findings to human analysts.
The human analyst then identifies which events are actual cyber attacks and which aren't. This feedback is then incorporated into the machine learning system of AI2 and is used the next day for analyzing new logs.

It's simple:
"The more data it analyzes, the more accurate it becomes."
In its test, the team demonstrated that AI2 is roughly 3 times better than similar automated cyber attack detection systems used today. It also reduces the number of false positives by a factor of five.
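The day-by-day loop described above, as an added example written for this article (it is not the AI2 code from CSAIL or PatternEx, and the log events, the "analyst" oracle and the two tiny models are constructed stand-ins): on day one an unsupervised outlier score picks the events the analyst reviews, the analyst's labels train a supervised model, and on day two that model decides what gets flagged. The feature names and sample values are assumptions.

```python
from statistics import median

# Constructed per-source log summaries: (requests_per_minute, failed_logins).
DAY1 = [(25, 0), (30, 1), (35, 0), (28, 50), (900, 0), (40, 1), (22, 0), (400, 2)]
DAY2 = [(30, 0), (25, 60), (850, 1), (420, 3), (33, 1)]

# Constructed ground truth standing in for the human analyst's judgement.
# (400, 2) and (420, 3) are a legitimate batch job: noisy, but not an attack.
TRUTH = {
    (28, 50): "attack", (900, 0): "attack", (400, 2): "benign", (22, 0): "benign",
    (25, 60): "attack", (850, 1): "attack", (420, 3): "benign",
}


def _ranges(events):
    """Per-feature (max - min), used to put features on a comparable scale."""
    return [max(col) - min(col) or 1 for col in zip(*events)]


def outlier_scores(events):
    """Unsupervised scoring: scaled distance of each event from the per-feature median."""
    cols = list(zip(*events))
    meds, rngs = [median(c) for c in cols], _ranges(events)
    return [sum(abs(x - m) / r for x, m, r in zip(e, meds, rngs)) for e in events]


def top_k(scores, k):
    """Indices of the k highest-scoring events: the analyst's review queue."""
    return sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)[:k]


def analyst_label(event):
    """Stand-in for the human analyst; events not in TRUTH are treated as benign."""
    return TRUTH.get(event, "benign")


def train(labeled):
    """Supervised model: one centroid per class in range-scaled feature space."""
    events = [e for e, _ in labeled]
    rngs = _ranges(events)
    centroids = {}
    for cls in ("attack", "benign"):
        members = [e for e, lab in labeled if lab == cls]
        if not members:
            raise ValueError(f"need at least one labelled {cls} example")
        centroids[cls] = [sum(e[i] for e in members) / len(members) for i in range(len(rngs))]
    return {"ranges": rngs, "centroids": centroids}


def classify(model, event):
    """Nearest centroid, measured in the same scaled space used for training."""
    def dist(centroid):
        return sum(((x - c) / r) ** 2 for x, c, r in zip(event, centroid, model["ranges"])) ** 0.5
    return min(model["centroids"], key=lambda cls: dist(model["centroids"][cls]))


def run_loop(day1, day2, k=4):
    """Day 1: unsupervised queue -> analyst labels. Day 2: the trained model flags events."""
    presented = top_k(outlier_scores(day1), k)
    labeled = [(day1[i], analyst_label(day1[i])) for i in presented]
    model = train(labeled)
    flagged = [i for i, e in enumerate(day2) if classify(model, e) == "attack"]
    # Day-2 verdicts join the pool, so tomorrow's model has more feedback to learn from.
    labeled += [(day2[i], analyst_label(day2[i])) for i in flagged]
    return presented, flagged, labeled


if __name__ == "__main__":
    presented, flagged, labeled = run_loop(DAY1, DAY2)
    print("day 1 review queue:", [DAY1[i] for i in presented])
    print("day 2 flagged by trained model:", [DAY2[i] for i in flagged])
    print("unsupervised-only day 2 queue:", [DAY2[i] for i in top_k(outlier_scores(DAY2), 3)])
```

On day one the outlier score queues the two real attacks but also the batch job; once the analyst has marked the batch job benign, the day-two model flags only the brute-force and scraping sources, while a purely unsupervised queue would have surfaced the batch job again. That is the false-positive reduction the article attributes to analyst feedback, in miniature; the real system uses far richer features and models than a median distance and nearest centroid.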

You can also watch the video for a quick overview of the way AI2 works.

According to Nitesh Chawla, computer science professor at Notre Dame University, AI2 "continuously generates new models that it can refine in as little as a few hours, meaning it can improve its detection rates significantly and rapidly. The more attacks the system detects, the more analyst feedback it receives, which, in turn, improves the accuracy of future predictions – that human-machine interaction creates a beautiful, cascading effect."
The team presented their work in a paper titled, AI2: Training a big data machine to defend [PDF], last week at the IEEE International Conference on Big Data Security in New York City.
So, let's see how AI2 helps make the Internet a safer place and how long it will take to be implemented into large-scale security platforms in the near future.


Google makes it mandatory for Chrome Apps to tell Users what Data they collect
19.4.2016 Security

Chrome apps and extensions make things easier, but they can also do terrible things like spy on web users and collect their personal data.
But, now Google has updated its browser’s User Data Policy requiring all Chrome extension and app developers to disclose what data they collect.
Furthermore, developers are prohibited from collecting unnecessary browsing data and must also use encryption when handling sensitive information from users.
Around 40 percent of all Google Chrome users have some kind of browser extensions, plugins or add-ons installed, but how safe are they?
The company plans to enforce the policy on developers starting this summer, to "ensure transparent use of the data in a way that is consistent with the wishes and expectations of users."
Google is making its Chrome Web Store safer for its users by forcing developers to disclose how they handle customers' data.
Google’s new User Data Policy will now force app developers, who use the Chrome Web Store to distribute their products, to be more transparent about their data collection practices.
In other words, the company wants its Chrome users to know what's happening when they use third-party apps and services that rely on its browser.
Also Read: Adware Companies buying popular Chrome extensions to inject Ads and Malware
According to Google, "Protecting our users is our key priority, and we believe this change will make sure users are better informed and allow them to choose how their user data is handled."
Here's the list of new requirements for developers:

Be transparent about the handling of user's data and disclose privacy practices.
Post a privacy policy as well as use encryption for handling personal or sensitive information of users.
Ask users to consent to the collection of their personal or sensitive data via a prominent disclosure, when the use of the data is not related to a prominent feature.
Besides this, developers are also restricted from collecting users' Web browsing activity that is not at all required for their app's main functionality.
Google has already started notifying app developers about the change in its privacy policy and is giving them 3 months from now to comply.
From July 15, 2016, any app or extension that violates any of the requirements mentioned above will be removed from the Chrome Web Store; the only way to be restored will be to comply with the new policies.


Is there electronic warfare behind the block of Swedish air traffic control systems?
13.4.2016 Security

Swedish experts warned of an electronic warfare attack on the country's air traffic control systems that occurred in November. Is it electronic warfare?
Swedish experts suspect that the attack on the country's air traffic control systems last November was carried out by Russian nation-state hackers; the Arlanda, Landvetter and Bromma airports reported major problems.

The Swedish experts believe the cyber attacks were carried out by an elite hacking crew linked to the Russian military intelligence service GRU (Main Intelligence Directorate).

The attack had a significant impact on the country, the national air traffic control systems were unavailable on November 4, 2015. The air traffic controllers were unable to use their computers resulting in the cancellation of several domestic and international flights.

The official cause of the problems provided by the Swedish Civil Aviation Administration is a solar storm, but according to the Norwegian news agency aldrimer.no, Swedish experts notified NATO about a series of serious cyber attacks targeting the country.

A solar storm was indeed observed in the same period, but experts believe the Russian military might have been using it as cover to test its electronic warfare capabilities on a live target.

“The message was passed on to NATO either by Sweden’s National Defence Radio Establishment (Försvarets radioanstalt, FRA) or the Swedish Military Intelligence and Security Service (Militära underrättelse- och säkerhetstjänsten, MUST),” a senior NATO source (who unsurprisingly asked to remain anonymous) told aldrimer.no.

Although Sweden is not a NATO member, the information about the attacks was shared with the alliance and with representatives of neighboring countries (Norway and Denmark).

“… sources tell aldrimer.no that Swedish authorities at the same time sent urgent messages to NATO saying Sweden, which is not a member of the alliance, was under a serious cyber attack. Two separate warnings are thought to have been issued, then relayed to several NATO allies, including Norway and Denmark. The information provided by Sweden indicated that the Swedes believed the cyber attack was led by a so-called APT group (Advanced Persistent Threat) which previously has been linked to the Russian military intelligence service GRU.” states aldrimer.no.

The experts also expressed concern about possible further cyber attacks on the state power company Vattenfall.

The incident in Sweden reportedly coincided with Russian electronic warfare activity in the Baltic Sea region, including jamming attacks originating from Kaliningrad, south of Lithuania.


The jamming also targeted air traffic communication channels, which might have caused the outage of the Swedish air traffic control systems.

“At the time Sweden is believed to have issued a cyber attack warning, NATO reportedly detected Russia electronic warfare activity in the Baltic Sea region. Sources tell aldrimer.no that the activity included jamming of air traffic communication channels. The signals were reportedly traced to a large and fairly new radio tower located in the Russian enclave of Kaliningrad, south of Lithuania.

When aldrimer.no contacted national Computer Emergency Response Team (CERT) centres in Norway, Denmark, Finland, Estonia, Latvia and Lithuania about the possible cyber attack, they all declined to comment.”

Sweden's civil aviation administration is still investigating the event.


WebUSB API — Connect Your USB Devices Securely to the Internet
13.4.2016 Security
Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers.
WebUSB, developed by Reilly Grant and Ken Rockot, has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) and is built to offer a universal platform that browser makers could adopt in future versions of their software.
Connecting USB Devices to the Web
The WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoT) appliances, to be addressed by Web pages.
The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform.
Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks.
However, the draft API (Application Programming Interface) is not meant to be used for transferring files to or from flash drives.
"With this API hardware manufacturers will have the ability to build cross-platform JavaScript SDKs for their devices," Google engineers wrote in the draft project description.
"This will be good for the Web because, instead of waiting for a new kind of device to be popular enough for browsers to provide a specific API, new and innovative hardware can be built for the Web from day one."
Privacy and Security Concerns
The Google engineers also outlined security concerns.
WebUSB will include origin protections, similar to Cross-Origin Resource Sharing (CORS), to prevent Web pages from requesting data from domains other than the one they originate from.
This means a Web page should not be able to exploit your USB device to access your PC, your important files, or any other data that your computer or the USB device itself may hold.
To address the issue of USB devices leaking data, WebUSB will always prompt the user to authorize a website or web page in order to detect the presence of a device and connect to it.
For now, WebUSB is only a draft of a potential specification and has not been officially adopted by the W3C. It remains a work in progress, though you can check out the full WebUSB codebase on GitHub.


How Certificate Transparency Monitoring Tool Helped Facebook Early Detect Duplicate SSL Certs
12.4.2016 Security
Earlier this year, Facebook came across a bunch of duplicate SSL certificates for some of its own domains and revoked them immediately with the help of its own Certificate Transparency Monitoring Tool service.
Digital certificates are the backbone of our secure Internet, protecting sensitive information and communications and authenticating systems and Internet users.
Online privacy relies heavily on SSL/TLS certificates and encryption keys to protect millions of websites and applications.
As explained in our previous article on The Hacker News, the current Digital Certificate Management system and trusted Certificate Authorities (CAs) are not enough to prevent misuse of SSL certificates on the internet.
In short, there are hundreds of Certificate Authorities, trusted by your web browsers and operating systems, that have the ability to issue certificates for any domain, even if you have already purchased one from another CA.
An improperly issued certificate could be used in man-in-the-middle (MITM) attacks to compromise encrypted HTTPS connections, putting millions of users' privacy at risk.
To address these trust issues, Google launched the Certificate Transparency project in 2013, enabling anyone to easily detect fraudulent and stolen certificates.
Explained — What is Certificate Transparency

Before proceeding you should read: What is Certificate Transparency and how it could help individuals and companies to quickly identify if any Certificate Authority has issued forged certificates for their domains, mistakenly or maliciously.
Are you Back? OK.
First, let's talk about how Facebook and other large organizations manage their many subdomains, blogs, marketing and event websites.
Typically, these sites are built and hosted separately from the company’s core platform. For example, the portal for Facebook Live (https://live.fb.com/) is hosted and managed by WordPress VIP services.
How Facebook Early Detected Duplicate SSL Certificates

Facebook security team shared an incident with The Hacker News:
Earlier this year, Let's Encrypt issued some duplicate digital certificates for multiple fb.com subdomains, and Facebook's own Certificate Transparency monitoring service detected those certificates within an hour.
However, Facebook's core security team later found that those certificates had actually been requested by one of its hosting vendors, which manages fb.com subdomains for several of its microsites.
"The vendor had authorization from another Facebook team to use Let's Encrypt, but that was not communicated to our security team," David Huang and Brad Hill, Security Engineers at Facebook explain in a blog post.
"The investigation was completed in a matter of hours, and the certificates were revoked. We found no indications that these certificates were ever controlled by unauthorized parties, and we were able to respond before they had been deployed on the production hosts."
That's how Certificate Transparency and its monitoring service help Facebook manage all of its active digital certificates efficiently and respond quickly to such threats.
It is worth noting that the Certificate Transparency system does not come with any built-in monitoring or alerting service: CT does not automatically notify domain owners when a new certificate (legitimate or forged) has been issued for their domain.
So domain owners are themselves responsible for remaining vigilant and checking the logs regularly. If no one checks, suspicious issuance will go undetected.
However, the Facebook security team was able to immediately detect fraudulent certificates with the help of its experimental monitoring tool.
How Does Facebook Certificate Transparency Monitoring Tool Work?
Simply put, it continuously scans all public Certificate Transparency logs and alerts when any CA issues a new certificate for the root domain or any subdomain of facebook.com and fb.com.
"Facebook advocates for CT because it offers the ability to know the certificates a CT-enforcing browser will trust," the Facebook engineers say.
"We recommend other organizations start monitoring CT logs to understand issuance for domains they control."
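The core loop of such a monitor, as an added example that is not Facebook's tool: it resumes from a saved log index (safe because logs are append-only), keeps only entries naming a monitored domain, and flags issuers that are not on the team's allow-list. The log entries, the "Example CA" name and the allow-list are constructed for the example; a real monitor would fetch and parse X.509 entries from each log.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """One certificate as returned by a CT log's get-entries call. A real
    monitor parses the X.509 DER; here the parsed fields are given directly."""
    index: int      # position in the append-only log, usable as a resume cursor
    issuer: str     # issuing CA, from the certificate's Issuer field
    names: tuple    # subject CN plus subjectAltName DNS names


@dataclass(frozen=True)
class Alert:
    index: int
    issuer: str
    matched: tuple    # the names that hit a monitored domain
    unexpected: bool  # True when the issuer is not on the allow-list


def covers_domain(name: str, root: str) -> bool:
    """True if a certificate name is `root` itself, a subdomain of it, or a
    wildcard whose base is `root` or one of its subdomains."""
    name = name.lower().rstrip(".")
    root = root.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]   # "*.fb.com" covers the subdomains of fb.com
    return name == root or name.endswith("." + root)


class CTMonitor:
    def __init__(self, domains, expected_issuers, cursor=0):
        self.domains = [d.lower() for d in domains]
        self.expected_issuers = set(expected_issuers)
        self.cursor = cursor  # index of the first entry not yet examined

    def approve_issuer(self, issuer: str) -> None:
        """Add a CA once a team confirms it is authorised (the vendor case
        above): later issuance by it is still recorded but no longer flagged."""
        self.expected_issuers.add(issuer)

    def scan(self, entries) -> list:
        """Examine entries in index order, skipping those before the cursor.
        Because a log never rewrites history, the cursor is a safe resume point."""
        alerts = []
        for entry in sorted(entries, key=lambda e: e.index):
            if entry.index < self.cursor:
                continue
            self.cursor = entry.index + 1
            matched = tuple(
                n for n in entry.names
                if any(covers_domain(n, d) for d in self.domains)
            )
            if matched:
                alerts.append(Alert(entry.index, entry.issuer, matched,
                                    entry.issuer not in self.expected_issuers))
        return alerts


# Constructed sample of what a monitor for facebook.com / fb.com might see.
SAMPLE_ENTRIES = [
    LogEntry(100, "DigiCert", ("www.facebook.com", "facebook.com")),
    LogEntry(101, "Let's Encrypt", ("live.fb.com",)),
    LogEntry(102, "Let's Encrypt", ("example.org", "www.example.org")),
    LogEntry(103, "Example CA", ("*.fb.com",)),
    LogEntry(104, "Example CA", ("notfb.com", "fb.com.evil.example")),
]


def run_sample():
    """Scan the sample twice; the second pass finds nothing new."""
    monitor = CTMonitor(["facebook.com", "fb.com"], ["DigiCert"])
    first = monitor.scan(SAMPLE_ENTRIES)
    second = monitor.scan(SAMPLE_ENTRIES)
    return monitor, first, second


if __name__ == "__main__":
    _, alerts, _ = run_sample()
    for a in alerts:
        flag = "UNEXPECTED ISSUER" if a.unexpected else "expected issuer"
        print(f"#{a.index} {a.issuer}: {', '.join(a.matched)} [{flag}]")
```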
Certificate Transparency overall is an open framework that involves browser vendors, monitors and Certificate Authorities, whereas Facebook's CT Monitoring Service works independently and does not require additional participation from browser vendors or CAs.
Though Facebook's Certificate Transparency Monitoring service does not provide an option to revoke detected forged certificates, it provides the information required to revoke rogue certs.
"The process for revoking them still requires that you ask the issuing CA to revoke them or ask the browser vendors to blacklist them," a Facebook spokesperson told The Hacker News via email.
Asked whether it is possible to monitor rogue certificates issued by CAs that have not yet adopted CT, the Facebook spokesperson replied:
"Technically, yes. Plenty of certs in the CT logs are uploaded by web crawlers (3rd-party) rather than by the issuing CAs themselves, so it is already possible to monitor certs issued by non-participating CAs."
For now, Facebook's Certificate Transparency Monitoring service is only being used for the company's own domains.
But, Facebook confirmed that it would soon make its experimental Certificate Transparency Monitoring Service available to everyone for free in the coming months.
The Certificate Transparency project aims to mitigate flaws in the structure of the SSL certificate system by introducing an extra layer of verification.
With Certificate Transparency, the digital signature alone is not enough; the web server also has to prove that the certificate has been registered with a CT log before it can be trusted.
Despite Google's efforts to push every CA to adopt Certificate Transparency, adoption is still at a very early stage.
The Facebook spokesperson says:
Currently, Google's Root Certificate Policy requires that EV (Extended Validation) certificates must be logged to CT. This means that CAs must log EV certs to CT (whether they like it or not). Otherwise, their EV certs won't work in modern browsers. However, CAs can still issue DV (Domain Validation) certs without logging them to CT.
Chrome is working on a short-term solution with a new "expect-ct" feature that will allow sites to detect any certificates seen by browsers that are hidden from CT logs. Long term, browsers may require CT for all certs, which will address this problem.
The idea behind this design is to encourage all Certificate Authorities to log every certificate before issuing them.


What is Certificate Transparency? How It helps to Detect Fake SSL Certificates
11.4.2016 Security
Did you know that a huge encryption backdoor still exists on the Internet, one that most people don't know about?
I am talking about the traditional Digital Certificate Management System… the weakest link, which is based entirely on trust, and which has already been broken several times.
To ensure the confidentiality and integrity of their personal data, billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe.
In this article I am going to explain:
The structural flaw in current Digital Certificate Management system.
Why Certificate Authorities (CA) have lost the Trust.
How Certificate Transparency (CT) fixes issues in the SSL certificate system.
How to detect early every SSL certificate issued for your domain, legitimate or rogue.
First, you need to know Certificate Authority and its role:
Certificate Authority and its Role
A Certificate Authority (CA) is a third-party organization that acts as a central trusted body designed to issue and validate digital SSL/TLS certificates.
There are hundreds of such trusted organizations that have the power to issue a valid SSL certificate for any domain you own, even if you already have one purchased from another CA.
...and that's the biggest loophole in the CA system.
SSL Chain-of-Trust is Broken!

Last year, Google discovered that Symantec (one of the CAs) had improperly issued a duplicate certificate for google.com to someone else, apparently mistakenly.
This was not the first time the power of a CA was abused or misused to issue forged digital certificates that put millions of Internet users' privacy at risk.
In March 2011, Comodo, a popular Certificate Authority, was hacked to issue fraudulent certificates for popular domains, including mail.google.com, addons.mozilla.org, and login.yahoo.com.
In the same year, the Dutch certificate authority DigiNotar was also compromised and issued massive amounts of fraudulent certificates.
With the chain of trust broken, millions of users were exposed to man-in-the-middle attacks.
Further, the documents leaked by Edward Snowden revealed that the NSA (National Security Agency) intercepted and cracked massive numbers of HTTPS encrypted web sessions, indicating that some so-called trusted CAs are widely suspected to be controlled or under the authority of Governments.
What if a government asks any of these ‘trusted-turned-evil’ certificate authorities to issue duplicate SSL certificates for secure and popular websites like Facebook, Google or Yahoo?
That's not just my speculation; it has already happened in the past when Government organizations and state-sponsored hackers have abused trusted CAs to get fake digital certs for popular domains to spy on users.
Examples of Incidents that involved Governments

1.) In 2011, forged digital certificates issued by DigiNotar CA were used to hack Gmail accounts of approximately 300,000 Iranian users.
2.) In late 2013, Google discovered fake digital certificates for its domains were being used by the French government agency to perform man-in-the-middle attacks.
3.) In mid-2014, Google identified another incident: the National Informatics Centre (NIC) of India was using unauthorized digital certificates for some of its domains.
You can see how easy it is to compromise the security of HTTPS websites even when they are protected by other, well-behaved CAs.
Do you still Blindly Trust CA Organizations?
The DigiNotar and Comodo incidents worked as a wake-up call, ending an era of blindly trusting CAs to issue digital certificates.
Problem: How are you supposed to check whether a rogue certificate for your domain has been issued to someone else, probably a malicious attacker?
Solution: Certificate Transparency or CT, a public service that allows individuals and companies to monitor how many digital security certificates have been issued secretly for their domains.
In 2013, Google started an industry-wide initiative, called Certificate Transparency (CT), an open framework to log, audit, and monitor certificates that CAs have issued.
What is Certificate Transparency system?
The Certificate Transparency (CT) framework includes:
Certificate Logs
Certificate Monitors
Certificate Auditors
Certificate Transparency requires CAs to publicly declare, in a certificate log, every digital certificate they have generated.
A certificate log offers users a way to look up all of the digital certificates that have been issued for a given domain name.
It is worth noting that the Certificate Transparency model does not replace the traditional CA-based authentication and verification procedure; it is an additional way to verify that your certificate is unique.
Certificate logs have three important qualities:
1. Append-only: Certificate records can only be added to a log. They cannot be deleted, modified, or retroactively inserted into a log.
2. Cryptographically assured: Certificate logs use a special cryptographic mechanism known as ‘Merkle Tree Hashes’ to prevent tampering.
3. Publicly auditable: Anyone can query a log and verify its behavior, or verify that an SSL certificate has been legitimately appended to the log.
In CT, a digital certificate carries a Signed Certificate Timestamp (SCT), which proves that it was submitted to a log before being issued.
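The Merkle Tree Hash and the inclusion proof behind those three properties, worked through as an added example (my own implementation of the RFC 6962 definitions, not code from any real log); the entries are constructed byte strings standing in for DER-encoded certificates.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Leaves are prefixed with 0x00 and interior nodes with 0x01, so a leaf
    # can never be passed off as an interior node (a second-preimage defence).
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n, for n >= 2."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries) -> bytes:
    """MTH(D[n]) as defined in RFC 6962 section 2.1. Appending an entry
    changes the root, so a published root commits to every earlier entry."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(m: int, entries) -> list:
    """PATH(m, D[n]): the sibling hashes from leaf m up to the root. The log
    hands this to anyone who asks; it is O(log n) hashes long."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [tree_hash(entries[:k])]


def _root_from_path(m: int, n: int, leaf: bytes, path: list) -> bytes:
    if n == 1:
        if path:
            raise ValueError("proof has too many hashes")
        return leaf
    if not path:
        raise ValueError("proof has too few hashes")
    k = _split(n)
    if m < k:
        return node_hash(_root_from_path(m, k, leaf, path[:-1]), path[-1])
    return node_hash(path[-1], _root_from_path(m - k, n - k, leaf, path[:-1]))


def verify_inclusion(m: int, n: int, entry: bytes, path: list,
                     root: bytes) -> bool:
    """What an auditor runs: from the entry, its index, the tree size and the
    path alone (never the whole log), recompute the root and compare it with
    the signed tree head the log published."""
    if not 0 <= m < n:
        return False
    try:
        return _root_from_path(m, n, leaf_hash(entry), path) == root
    except ValueError:
        return False


if __name__ == "__main__":
    log = [b"cert-%d" % i for i in range(5)]   # constructed entries
    root = tree_hash(log)
    proof = inclusion_proof(3, log)
    print("entry 3 included:", verify_inclusion(3, 5, log[3], proof, root))
    print("forged entry:    ", verify_inclusion(3, 5, b"forged", proof, root))
```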
Google, DigiCert, Symantec, and a few other CAs are currently hosting public logs.
Although CT does not prevent a CA from issuing forged certificates, it makes the process of detecting rogue certificates much easier.
Such transparency gives domain owners the ability to quickly identify digital certificates that have been issued mistakenly or maliciously and helps them mitigate security concerns such as man-in-the-middle attacks.
Earlier this year, the Certificate Transparency system and a monitoring service helped Facebook's security team detect early the duplicate SSL certificates issued for multiple fb.com subdomains.
In a separate article, I have provided details about Facebook’s Certificate Transparency Monitoring Service that is designed to discover SSL issues instantly and automatically.
Facebook confirmed to The Hacker News (THN) that it will soon make its experimental Certificate Transparency Monitoring Service available for free to the broader community in the coming months.
Certificate Transparency Search tool
Sounds interesting?
Comodo has launched a Certificate Transparency Search tool that lists all issued certificates for any given domain name.
If you find a fraudulent certificate issued for your domain, report it to the respective CA and address it immediately.


WordPress enables Free HTTPS Encryption for all Blogs with Custom Domain
9.4.2016 Security
Do you own a custom domain or a blog under the wordpress.com domain name?
If yes, then there is good news for you.
WordPress is bringing free HTTPS to every blog and website that belongs to them in an effort to make the Web more secure.
WordPress – free, open source and the most popular content management system (CMS) on the Web – is used by over a quarter of all websites across the world, and this new move represents a massive shift towards a more secure Internet.
WordPress announced on Friday that it has partnered with the Electronic Frontier Foundation's "Let's Encrypt" project, allowing it to provide reliable and free HTTPS support for all of its customers that use custom domains for their WordPress.com blogs.
Now every website hosted on wordpress.com has an SSL certificate and will display a green lock in the address bar.
"For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to unencrypted web traffic (HTTP) at every opportunity," Wordpress said in its blog post.
HTTPS has already been available for all sub-domains registered on wordpress.com, but with the latest update, the company will soon offer free SSL certs for its custom domains that just use the WordPress backend.
In short, users with custom domains (https://abcdomain.com) will now receive a free SSL certificate issued by Let's Encrypt and on behalf of Wordpress, and have it automatically deployed on their servers with minimal effort.
Until now, switching a web server from HTTP to HTTPS has been something of a hassle and expense for website operators, with certificates notoriously hard to install and maintain.
However, with the launch of Let's Encrypt, it is now easier for anyone to obtain free SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates for their web servers and set up HTTPS websites in a few simple steps.
Now WordPress is also taking advantage of this free, open source initiative for its websites.
So you might have a question in your mind:
What do I need to do to activate HTTPS on my WordPress blog?
You do not need to worry about this at all. WordPress.com is activating HTTPS on all of its millions of websites without you having to do anything.
Let's Encrypt is trusted and recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer, so you need not worry about its authenticity.
However, in case you don't own a WordPress blog, but you want a free SSL certificate from Let's Encrypt, here is a step-by-step guide on How to Install Let's Encrypt Free SSL Certificate On Your Website.


The Open-source vulnerabilities database (OSVDB) shuts down permanently
9.4.2016 Security

The Open Sourced Vulnerability Database (OSVDB) has shut down permanently; the news was reported in a blog post published by the maintainers of the project. The decision was made in response to the lack of assistance from the industry.

“As of today, a decision has been made to shut down the Open Sourced Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense.” wrote Brian Martin (aka Jericho), one of the leaders of the OSVDB project.

“The industry simply did not want to contribute and support such an effort. The OSVDB blog will continue to be a place for providing commentary on all things related to the vulnerability world”


The maintainers stressed that the project will not be resurrected; the group behind the OSVDB will keep its blog alive to provide commentary on all things related to the vulnerability world.

The OSVDB was founded in 2002 and launched in March 2004. The open-source project catalogued more than 100,000 computer security vulnerabilities over time; among its founders was HD Moore, who developed the Metasploit framework.

The OSVDB was free for non-commercial use; its first sponsor and commercial partner was Risk Based Security, and the project also received donations from the security company High-Tech Bridge.

The project was an invaluable repository for security experts and hackers, but many vendors were not happy with its activity.

One of the reasons behind the shutdown was that non-paying users could not bulk-download the content; the website was deployed behind the CloudFlare network in order to block scrapers.

Because large volumes of data could not be downloaded from the database, companies and users lost interest in the project.

What will happen to OSVDB data?

According to HD Moore, the data will not be made available.


One Billion WhatsApp Users are now protected by End-to-End Encryption
6.4.2016 Security

Great news for privacy advocates and WhatsApp users: the software now implements end-to-end encryption in all versions of the most popular messaging and voice calling application. On Tuesday, the company announced the significant improvement to its 1 billion users in a blog post and also published a white paper describing the technical details of its end-to-end encryption system.

“WhatsApp has always prioritized making your data and communication as secure as possible. And today, we’re proud to announce that we’ve completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption.” states the company blog post.

The paper highlights that the encryption protocol implemented by WhatsApp provides perfect forward secrecy, which means that “even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages.”

It was a necessary step to improve the privacy and security of its users.

“We live in a world where more of our data is digitized than ever before,” explained Jan Koum, a WhatsApp co-founder. ”Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people’s digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities.”

WhatsApp uses the Axolotl protocol, also known as the Signal protocol or double ratchet, a key management algorithm developed by Trevor Perrin with support from Moxie Marlinspike in 2013. The protocol is also used by the popular Signal encrypted messaging and voice app.

“As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other. This includes all the benefits of the Signal Protocol — a modern, open source, forward secure, strong encryption protocol for asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible.” Moxie wrote on his blog.
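The forward secrecy quoted above comes from the symmetric-key half of the double ratchet: every message key is derived from a chain key that is then overwritten, so a later compromise of the device's state cannot reproduce earlier message keys. The following is an added illustration of that chain, not WhatsApp's or Signal's code; the shared chain key is constructed, the DH ratchet and X3DH handshake are not modelled, and the XOR construction stands in for the real AES-CBC + HMAC encryption.

```python
import hashlib
import hmac


def kdf_ck(chain_key: bytes):
    """One symmetric ratchet step: the next chain key and a one-time message
    key, both HMAC-SHA256 outputs under distinct constants. HMAC is one-way,
    so whoever steals chain_key[i+1] later cannot recover chain_key[i] or
    message_key[i]; that is the property the white paper describes."""
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_ck, message_key


def toy_cipher(message_key: bytes, counter: int, data: bytes) -> bytes:
    """Placeholder for the real AEAD: XOR with an HMAC-derived keystream bound
    to the message counter. XOR is its own inverse, so this both encrypts and
    decrypts. Illustration only, not a construction to reuse."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        info = counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(message_key, info, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    def __init__(self, chain_key: bytes):
        self.ck = chain_key
        self.n = 0

    def send(self, plaintext: bytes):
        self.ck, mk = kdf_ck(self.ck)   # the old chain key is overwritten
        msg = (self.n, toy_cipher(mk, self.n, plaintext))
        self.n += 1
        return msg                      # mk is dropped: nothing left to steal


class Receiver:
    MAX_SKIP = 100   # bound on stored keys, so a gap cannot exhaust memory

    def __init__(self, chain_key: bytes):
        self.ck = chain_key
        self.n = 0
        self.skipped = {}   # counter -> message key, for out-of-order arrival

    def receive(self, msg):
        counter, ciphertext = msg
        if counter in self.skipped:
            mk = self.skipped.pop(counter)        # used once, then forgotten
        elif counter < self.n:
            raise ValueError("replayed or already-consumed message")
        else:
            if counter - self.n > self.MAX_SKIP:
                raise ValueError("too many skipped messages")
            while self.n < counter:               # ratchet past the gap,
                self.ck, mk = kdf_ck(self.ck)     # keeping the keys of the
                self.skipped[self.n] = mk         # messages not yet seen
                self.n += 1
            self.ck, mk = kdf_ck(self.ck)
            self.n += 1
        return toy_cipher(mk, counter, ciphertext)


def demo():
    """Three messages delivered as 0, 2, 1: message 1 is recovered from the
    stored skipped key, and afterwards no spare keys remain on the device."""
    shared = hashlib.sha256(b"constructed shared secret for the example").digest()
    alice, bob = Sender(shared), Receiver(shared)
    wire = [alice.send(t) for t in (b"hi", b"second message", b"third")]
    got = {i: bob.receive(wire[i]) for i in (0, 2, 1)}
    return [got[i] for i in range(3)], bob, wire


if __name__ == "__main__":
    plaintexts, bob, _ = demo()
    print(plaintexts, "skipped keys left:", len(bob.skipped))
```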

From now on, every message, file, photo, video and voice message a user sends is end-to-end encrypted by default.

In November 2014, WhatsApp implemented encryption by default on Android in collaboration with Open Whisper Systems, announcing a plan to extend it to all other platforms; that is exactly what the company has now done.

The implementation was applauded by privacy advocates and civil libertarians, including the popular Christopher Soghoian of the American Civil Liberties Union.


WhatsApp turns on End-to-End Encryption by default for its 1 Billion Users
5.4.2016 Security
WhatsApp is updating its messaging app so that every text message and voice call will be encrypted for the company’s one billion users.
Yes, Whatsapp has finally implemented full end-to-end encryption, as promised a year ago.
This means that from now on every message, image or voice call you make will be secured by end-to-end encryption, so that only you and the person you're communicating with can read the content, and nobody in between, not even WhatsApp.
In other words, this also means that WhatsApp would not be able to comply with any court order that demands access to the content of a conversation that happens over its service.
Starting today, you will see a notification on your WhatsApp conversation screen as your messenger becomes end-to-end encrypted, as shown in the screenshot.
"This is because your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them," Whatsapp says.
Additionally, you will be able to see a small lock icon below the profile of the recipient that ensures your conversation is secured with encryption.
"All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages," the company adds.
How to verify if someone is trying to spy on your conversation?

Well, the latest version of the WhatsApp mobile application offers you an option to verify the keys of the other users you are communicating with, helping to prevent man-in-the-middle attacks.
WhatsApp key verification can be done by scanning a QR code or by comparing a 60-digit number, under the newly introduced "verify security code" option in WhatsApp.
"WhatsApp users can opt in to a preference which notifies them every time the security code for a contact changes."
About a year ago, Facebook partnered with Open Whisper Systems, the company behind the popular Signal and TextSecure encryption apps, to integrate Signal's open source strong encryption protocol into the WhatsApp messaging app.
However, one point should be noted: if several users are sending texts in a group chat and one of them is running an older version of WhatsApp that doesn't support encrypted messages, all conversations in that group chat will remain unencrypted.


US and UK Will Simulate a Cyber Attacks on nuclear plants in 2016
4.4.2016 Security

The US and the UK are planning to simulate cyber attacks on nuclear plants to test their resilience, in the light of the nuclear security summit.
In the light of the recent terrorist attacks in Europe, the fear of other similar threats grows by the minute. Coordinated cyber attacks on nuclear plants would have dramatic repercussions on homeland security, and any government needs to address this risk in its national cyber strategy.

This has led the governments of the US and the UK to take measures and to prepare as best they can. As part of this preparation, the two countries have decided to simulate cyber attacks on nuclear plants to test how secure this environment proves to be.

The nuclear security summit was hosted in Washington; governments need to enhance security measures and address fears about the protection of critical infrastructure in Europe.


A similar simulation was held last year, with the countries testing out how banks would react against a cyber-attack.

However, alongside the simulation, there are many other details to take care of. Among them, the exchange of nuclear waste between the UK and the US is something that needs to be discussed. According to this deal, Euratom is going to be turned into a place where cancer is diagnosed and treated. So this is a deal that will improve life in Europe and offer a way to progress in medicine.

The White House has issued an announcement, related to the upcoming nuclear security summit. In this announcement, they refer to the importance of boosting security:

“We all need to do more together to enhance nuclear security performance, to dissuade and apprehend nuclear traffickers, to eliminate excess nuclear weapons and material, to avoid production of materials we cannot use, to make sure our facilities can repel the full range of threats we have already seen in our neighbourhoods, to share experiences and best practices, and to do so in ways that are visible to friends, neighbours, and rivals – and thereby provide assurance that we are effectively executing our sovereign responsibility,”

Cooperation between nations seems like the best way to handle a threat as substantial as nuclear terrorism.

So, the UK is going to commit towards cooperating with other countries and sharing the knowledge acquired with them. This is definitely a great step ahead!


5 Things Google has Done for Gmail Privacy and Security
29.3.2016 Security
Over the past few years, Google has increasingly improved the online security and protections of its Gmail users.
Besides two-factor authentication and HTTPS, Google has added new tools and features to Gmail that ensure users' security and privacy, preventing cyber criminals and intelligence agencies from hacking email accounts.
1. Enhanced State-Sponsored Attack Warnings
The Apple vs. FBI case pushed every company to strengthen its security, protecting its services not just from hackers but also from law enforcement.
Google has for some time had the capability to identify government-backed hackers and notify potentially affected Gmail users so they can act as soon as possible.
Google recently announced in a blog post that it will alert Gmail users to a possible state-sponsored attack with a full-page warning carrying instructions on how to stay safe, one that is very hard to miss or ignore.
Meanwhile, the company revealed that over 1 Million Gmail accounts may have been targeted by government-backed hackers so far.
Although Google has warned Gmail users of state-sponsored attackers since 2012, the company neither disclosed the exact number nor explained how it knows of such hacking attacks.
However, Google said that it knows who the targets are – the list often includes "activists, journalists, and policy-makers taking bold stands around the world."
2. SMTP Strict Transport Security (SMTP STS)
A new security feature dubbed "SMTP STS" (SMTP Strict Transport Security) has been submitted to the Internet Engineering Task Force (IETF) as a draft awaiting approval.
The standard was developed jointly by engineers from Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development.
SMTP STS is designed to prevent the Man-in-the-Middle (MitM) and encryption-downgrade attacks that undermine STARTTLS, the earlier attempt to add TLS to SMTP: because STARTTLS is negotiated in cleartext and falls back silently when the offer is missing, an attacker on the path can strip the offer and the mail goes out unencrypted.
SMTP STS runs on top of STARTTLS rather than replacing it. A receiving domain publishes a policy (a DNS record announcing that a policy exists, plus a policy file fetched over HTTPS) that names its mail servers and states whether TLS is required.
Before delivering, a sending server that honours the policy checks that the recipient's mail server supports TLS and presents a valid, current certificate for the expected host name. If the check passes, the message goes through; in enforce mode a failure means the message is held and retried rather than sent in the clear, and the failure can be reported back to the recipient domain.
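Here is an added example (not Google's or the IETF's code) of the decision a sending mail server makes under this scheme, written against the record and policy formats of MTA-STS (RFC 8461), the standard this draft eventually became; the 2016 draft's field names may differ. The DNS record, policy file and MX probe results are constructed, and no network lookups take place.

```python
# Added example: the sender-side check described above, as a standalone
# function. Record and policy formats follow MTA-STS (RFC 8461), the
# standard this draft became; the 2016 draft's field names may differ.
# No DNS or HTTPS lookups happen: the TXT record, the policy file and the
# MX probe results below are all constructed for illustration.
from dataclasses import dataclass

# Constructed _mta-sts TXT record and policy file for a fictitious domain.
STS_TXT = "v=STSv1; id=20160301T000000Z"
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


def parse_sts_txt(record: str) -> dict:
    """Parse the DNS TXT record that announces that a policy exists."""
    fields = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STS TXT record")
    return fields


def parse_policy(text: str) -> dict:
    """Parse the key/value policy file the recipient domain serves over HTTPS."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in {"enforce", "testing", "none"}:
        raise ValueError("unknown policy mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """An mx entry is an exact host name or a single leftmost wildcard label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".backup-mx.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label   # exactly one extra label
    return host == pattern


@dataclass
class MxProbe:
    """What the sending server learned when it connected to one MX host."""
    host: str
    offers_starttls: bool
    cert_chain_valid: bool   # chains to a trusted root and has not expired
    cert_names: tuple        # subject alternative names the server presented


def decide(policy: dict, probe: MxProbe) -> tuple:
    """Return ("deliver", reason) or ("defer", reason) for this MX host."""
    problems = []
    if not any(mx_matches(p, probe.host) for p in policy["mx"]):
        problems.append("MX host not permitted by policy")
    if not probe.offers_starttls:
        problems.append("no STARTTLS")
    elif not probe.cert_chain_valid:
        problems.append("certificate does not validate")
    elif not any(mx_matches(n, probe.host) for n in probe.cert_names):
        problems.append("certificate does not name the MX host")

    if not problems:
        return ("deliver", "policy satisfied")
    detail = "; ".join(problems)
    if policy["mode"] == "enforce":
        return ("defer", detail)        # queue and retry; never fall back to cleartext
    return ("deliver", "reported only: " + detail)   # testing or none: send, but report
```

The important behaviour is in the last lines: under an enforce policy a failed check leaves the message queued for retry instead of silently downgrading to cleartext, which is exactly the fallback a STARTTLS-stripping attacker relies on. A testing policy delivers anyway but records the failure, which is how a domain rolls the policy out without losing mail.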
3. End-to-End Encryption (via Chrome Extension Only)
Google announced End-to-End encryption for its users almost two years ago, but the feature has still not been released.
The idea is a browser extension that protects users' privacy by implementing PGP (Pretty Good Privacy), which is complex but well studied, so that messages are fully encrypted and cannot be read by Google or by anyone other than the users exchanging them.
To that end, the extension lets users generate their private and public encryption keys inside the browser. The public key is uploaded to Google's servers, while the private key stays stored locally in the browser.
How the End-to-End Chrome Extension Works:
When a user sends an email to another user who has a PGP key, the sender's browser automatically downloads that user's public key from the server and encrypts the content of the email with it. The sender therefore relies on that key directory to hand out the right key: a directory that could substitute keys would be able to defeat the encryption, so the directory itself has to be trustworthy or verifiable.
However, the work is still in progress, and the company has not said when it plans to release the extension.
Google published the source code of the End-to-End Chrome extension on GitHub almost a year ago so that researchers can review it, but a stable release is still pending.
For now, you can use an alternative method to send encrypted emails. We have written a step-by-step tutorial on how to send end-to-end encrypted emails.
If that is too involved, you can try ProtonMail, a Swiss-based, free, open source and end-to-end encrypted email service that offers a simple way to maintain secure communications and keep personal data safe.
4. Gmail's Red Padlock Alert
Previously there was no way to tell whether a received email had travelled over an encrypted channel, leaving users unaware of messages that could have been read or altered by a Man-in-the-Middle (MitM) on the path.
Last month, Google introduced a small red padlock next to the sender's email address in Gmail to flag messages that arrived over an unencrypted connection.
If a Gmail user receives an email from a service that does not support TLS encryption, Gmail shows an open red lock next to the sender's address (as shown).
The indicator does not block or filter the message; it only tells the recipient that the last hop into Google's servers was not encrypted, which is the cue to be careful with anything sensitive in it.
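The padlock covers only the hop into Google. As an added example (mine, not Gmail's code), here is how to read the same information for every hop from the message's own Received headers, which each receiving server prepends; the sample message is constructed.

```python
# Added example, not Google's code: reading the transport-security trail
# that the mail headers already carry. Every server that handles a message
# prepends a Received: header, and the "with" keyword in it (RFC 3848)
# records whether that hop used TLS (ESMTPS, ESMTPSA) or cleartext (SMTP,
# ESMTP). The message below is constructed; the hop into Gmail is cleartext.
import email
import re

RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net. [192.0.2.10])
        by mx.google.com with ESMTP id abc123
        for <user@gmail.com>; Fri, 4 Mar 2016 10:00:00 -0800 (PST)
Received: from webapp.example.net (webapp.example.net [198.51.100.7])
        by mx.example.net with ESMTPS id 4f2a
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 4 Mar 2016 09:59:58 -0800 (PST)
From: sender@example.net
To: user@gmail.com
Subject: test

body
"""

_WITH = re.compile(r"\bwith\s+([A-Z0-9]+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def hops(raw: bytes) -> list:
    """One dict per Received: header, in header order (newest hop first)."""
    msg = email.message_from_bytes(raw)
    result = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        proto = _WITH.search(flat)
        receiver = _BY.search(flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        result.append({
            "by": receiver.group(1) if receiver else "?",
            "protocol": name,
            # ESMTPS / ESMTPSA / UTF8SMTPS mean STARTTLS succeeded on that hop
            "tls": name.startswith("ESMTPS") or name.startswith("UTF8SMTPS"),
        })
    return result


def last_hop_encrypted(raw: bytes) -> bool:
    """The hop Gmail's padlock talks about: the delivery into Google's servers."""
    trail = hops(raw)
    return bool(trail) and trail[0]["tls"]


def unencrypted_hops(raw: bytes) -> list:
    """Receiving hosts that accepted the message without TLS."""
    return [h["by"] for h in hops(raw) if not h["tls"]]
```

Two caveats when reading this trail: each Received line is written by the server that accepted the message, so any upstream relay can forge the lines below its own, and only the lines added by servers you trust (here Google's) are reliable. That is why Gmail's indicator is limited to the final hop.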
5. Google Safe Browsing For A Quick Malware Check
One of Google's recent changes is the expansion of its Safe Browsing notifications.
Malicious links spread via email are an easy way to infect a large number of users, since one click takes them to a web page controlled by the attacker.
The Safe Browsing feature protects Gmail users by identifying potentially dangerous links in emails.
Automated agents scan the content of incoming mail for spam and malware, and when a link matches a known malicious site Gmail warns the user before the page opens rather than letting the click through.
Together, these features raise the privacy of Gmail users and tighten the confidentiality of their email.
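As an added example (mine, not Google's scanner), here is a simplified model of the lookup behind such a check: the Safe Browsing Update API gives clients only short hash prefixes of known-bad URLs, and a link is confirmed against the full hash only when its prefix matches, so the scanner never has to send every link it sees upstream. The blocklist and message are constructed, and real Safe Browsing canonicalization has more rules than shown here.

```python
# Added example, not Google's scanner: a simplified model of the Safe
# Browsing Update API lookup a mail scanner can run on the links in a
# message. The client holds only short hash prefixes of known-bad URLs and
# confirms with the full hash on a prefix hit. Blocklist and message are
# constructed; real Safe Browsing canonicalization has more rules.
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Lower-case scheme and host, drop fragment and default port, ensure a path."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode()).digest()


class LocalPrefixList:
    """Client-side prefix set plus a full-hash oracle (local here, remote in reality)."""

    def __init__(self, bad_urls, prefix_len: int = 4):
        self.prefix_len = prefix_len
        self._full_hashes = {full_hash(u) for u in bad_urls}   # stands in for the server
        self.prefixes = {h[:prefix_len] for h in self._full_hashes}

    def lookup(self, url: str) -> bool:
        h = full_hash(url)
        if h[: self.prefix_len] not in self.prefixes:
            return False                  # fast path: almost every link is clean
        return h in self._full_hashes     # prefix hit: confirm with the full hash


def extract_links(body: str) -> list:
    """URLs in the message text, with trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def flag_links(body: str, blocklist: LocalPrefixList) -> list:
    """Links in the message that match the blocklist after canonicalization."""
    return [u for u in extract_links(body) if blocklist.lookup(u)]
```

The prefix step is what makes the scheme practical at Gmail's volume: the prefix list is small enough to hold locally, a miss costs one hash, and a full-hash query happens only on the rare prefix collision. Canonicalization matters just as much, since an attacker can vary case, port and fragment freely without changing where the link lands.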


Tor Project and the new anti-tampering measures for its software
22.3.2016 Security

The Tor Project has revealed how the organization has spent three years improving its ability to detect fraudulent copies of its software.
The experts at the Tor Project are working to improve the resilience of the anonymizing network to cyber attacks; in particular, they want to quickly detect any surveillance activity conducted by tampering with the Tor software.

The researchers fear that the US Government could interfere with the Tor Project by demanding that the organization turn over critical information that would compromise the security of the network and lead to the de-anonymization of its users.

Mike Perry of the Tor Project stressed that the organization has never received a legal demand to place a backdoor in its source code, nor any request to hand over cryptographic signing material.


The Tor Browser is open source, which means that anyone can analyze it, and the organization also implements several mechanisms to ensure the security and integrity of its software.

Now the experts want more: they are exploring further improvements to eliminate single points of failure, so that even if a threat actor obtained the project's cryptographic keys, the network would be able to detect the anomalous activity. The development team is designing the system so that any change to the original source code becomes visible.

“For this reason, regardless of the outcome of the Apple decision, we are exploring further ways to eliminate single points of failure, so that even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue.” wrote Mike Perry.

“From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered.” he added.

To distribute a tampered version of the Tor Browser, an attacker would need access to two cryptographic keys:

the SSL/TLS key that secures the connection between a user and the Tor Project servers;
the key used to sign a software update.
“Right now, two keys are required, and those keys are not accessible by the same people,” explained Perry. “They are also secured in different ways.”

Even if a persistent attacker obtained both keys, users could in principle detect a modified build by comparing the hash of the software they downloaded with the published one: Tor Browser builds are reproducible, so independent builders can produce the same binary and the same hash, and a discrepancy shows that what was served differs from the published source.


Redaction error reveals Feds ordered Lavabit to spy on Snowden
20.3.2016 Security

A redaction error in the court-ordered release of the Lavabit case files has confirmed that Edward Snowden was the target of the FBI.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison. It closed on August 8, 2013, after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to enable government surveillance. The US Government wanted to read Edward Snowden's emails.

Now a redaction error in the court-ordered release of the Lavabit case files confirms that Snowden was the FBI target whose investigation led to the termination of the secure email service.

We now know for certain that Snowden was using the Lavabit email service and that the FBI drove the company to closure because it refused to serve the US Government's requests.

The US Government ordered Lavabit to install a surveillance implant on its servers and later to turn over its encryption keys so that the Feds could access Snowden's messages. Handing over the service's private SSL key would have exposed not only Snowden's traffic but that of every Lavabit user, since the same key protected the connections of all of them. The court order also barred Lavabit from disclosing the surveillance to third parties.

After a few weeks of legal dispute, Levison shut down Lavabit rather than become complicit in what he considered criminal surveillance by the US Government.

“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.

US authorities recently shed light on the mysterious circumstances of the Lavabit shutdown by publishing a collection of case files that were not correctly redacted, revealing the target of the FBI activity: the email address Ed_Snowden@lavabit.com.

The document was published in full by Cryptome, and Snowden's email address can be seen left unredacted.


The documents were publicly disclosed as a result of Levison's battle against the US Government; he filed a motion in December that prompted the court to order the release of the files related to the Lavabit case.

The Lavabit founder plans to reveal what really happened, but he is still under order not to disclose the facts. Meanwhile, the redaction error leaves no doubt about the real target of the FBI in the Lavabit case.


The Best Way to Send and Receive End-to-End Encrypted Emails
19.3.2016 Security
How many of you know that your daily emails pass through a deep surveillance dragnet?
This was largely unknown until whistleblower Edward Snowden exposed the surveillance programs, which made privacy and security more important to Internet users than ever before.
I often get asked "How to send encrypted email?", "How can I protect my emails from prying eyes?" and "Which is the best encrypted email service?".
There are a number of encryption tools that provide encrypted email so that no one can see what you are sending to someone else.
One such tool is PGP (Pretty Good Privacy), an encryption tool designed to protect users' emails from snooping.
However, setting up a PGP environment is quite a difficult task for non-technical users, so more than 97% of Internet users, including government officials, still communicate via unencrypted email services such as Gmail, Yahoo and others.
But here is good news for all those non-techies, but privacy-conscious Internet users, who wish to use encrypted e-mail communication without any hassle.
Solution — ProtonMail.
ProtonMail, developed by scientists from CERN and MIT, is a free, open source, end-to-end encrypted email service that offers a simple way to maintain secure communications and keep personal data secure.
ProtonMail Now Available for iOS and Android Users
ProtonMail had been invite-only since 2014, but the email service is now open to everyone and has launched new mobile apps.
If you opt for a free account, you'll get all of the basic features including:
A smart-looking app to access your end-to-end encrypted emails easily
500MB of storage capacity
Sending 150 Messages per day
Two-factor authentication to access your encrypted email inbox
To increase storage capacity, you can purchase ProtonMail's paid accounts.
NOTE: Remember your mailbox password. ProtonMail cannot reset it, because it protects the key that decrypts your mailbox; if you forget it, your encrypted emails can no longer be retrieved.
Key Features:
Even if someone intercepts your communication, they cannot read your conversations, because all emails exchanged between ProtonMail users are automatically encrypted end-to-end by the service.
In addition, to communicate with non-ProtonMail addresses such as Gmail users, all you need to do is:
Create a message
Just click the encryption button
Set a random password
Once done, the recipient gets a link to the message and a prompt to enter the same password to read it. The password has to reach the recipient over some other channel; if it is sent in the same email thread, the protection is lost.
Another friendly feature ProtonMail offers is self-destructing emails. Set an expiration date for an encrypted email you send, and it is deleted from the recipient's inbox once the date arrives.
Why doesn't ProtonMail have to comply with American laws?
In a previous article, I explained that ProtonMail is based in Switzerland, so it does not have to comply with American courts' demands to hand over user data.
In the worst case, if a Swiss court ordered ProtonMail to provide data, it would get only heaps of encrypted data, as the company does not hold the keys needed to decrypt it: private keys are stored only in a form encrypted with the user's mailbox password, which never leaves the user's device.
ProtonMail gained enormous popularity during its development stages.
ProtonMail encrypts data in the browser before it communicates with the server, so only encrypted data is stored on the email service's servers, making it significantly more secure for those looking for an extra layer of privacy.
Feel free to email our team at thehackernews@protonmail.com.


American Express issued a notice of data breach
17.3.2016 Security

American Express is informing cardholders that their payment card data may have been exposed after a third-party service provider suffered a security breach.
Another illustrious victim of a data breach is in the headlines: American Express is warning cardholders of a possible incident at a third-party service provider. The name of the affected service provider has not been made public.

According to American Express, data associated with current or previously issued American Express cards might have been stolen. The information obtained by unauthorized parties includes account numbers, names, and expiration dates.

“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.” states a data breach notice published by the Office of the Attorney General of the State of California DoJ.

American Express stressed that its own systems were not affected by the incident, and to prevent abuse the company is monitoring for fraudulent activity that might affect cardholders.


American Express confirmed that cardholders are not liable for fraudulent charges, and at the same time is inviting them to monitor their accounts for fraud.

American Express suggests that cardholders enable instant notifications of potentially fraudulent activity, either by turning on notifications in the American Express Mobile app or by signing up for email or text alerts at americanexpress.com/accountalerts.

“WHAT YOU CAN DO. We ask that you carefully review your account for fraudulent activity. Below are some steps you can take to protect your account. Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months. If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts. Please make sure your mobile phone number and email address are also on file for us to contact you if needed. OTHER IMPORTANT INFORMATION. Included with this letter are some additional helpful tips and steps you can take to protect yourself against the risks of fraud and identity theft.” states the notice.

Incidents like this underline the importance of security across the entire chain of custody of sensitive data: a breach at any point in the chain can compromise the whole process.

In this case, American Express relied on a third-party service that was breached, exposing confidential information.

If you are an AMEX cardholder remain vigilant.


Fujitsu targets payment industry with PalmSecure Technology
15.3.2016 Security

Fujitsu has announced plans to launch its digital payment system PalmSecure in Europe, a biometric identification solution for user authentication in payment scenarios.
PalmSecure authenticates users by palm-vein recognition. It operates touchless, is highly reliable and hygienic, and completes authentication in less than one second, which makes it a candidate for the next generation of payments.


Cash could well be a thing of the past in the not-so-distant future, and it is becoming clear that the era of paying with credit cards and PIN codes is coming to an end, which means that more innovative and more secure solutions are entering banking technology. In the UK, 59% of consumers have made a purchase through a smart device, and 12% are more likely to make a purchase with their smartphone than they were 12 months ago. With more and more people interested in mobile and digital payments, brands are racing to create ever more secure ways to pay. As a case in point, MasterCard has created a payment method that lets users identify themselves with a selfie taken on their smartphone.



The PalmSecure sensor captures more than five million reference points from a person's palm-vein pattern to confirm their identity and lets them pay for goods by holding a hand over one of its sensors, with no cash or credit card needed. Image capture and matching work without touching the sensor's surface, which makes the process hygienic. A person's palm-vein pattern remains the same throughout their life, and every pattern is unique: individuals have different patterns in their left and right hands, and even twins have different patterns. The device illuminates the palm with near-infrared light; the deoxygenated haemoglobin in the veins absorbs it, lowering the reflection and making the veins appear as a black pattern. That pattern is then compared with a pre-registered template to authenticate the individual.

In a chart accompanying the announcement (not reproduced here), Fujitsu compares some of the most common biometric technologies by the criteria "accuracy" and "practicality".


A second table (also not reproduced) ranks biometric methods by their False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR, the share of impostors wrongly accepted, defines the security level of a biometric system; FRR, the share of legitimate users wrongly rejected, defines its usability. The two move in opposite directions as the matching threshold is tightened, so a vendor's figures are only meaningful together and at a stated threshold.
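The table is not reproduced, but the two rates are easy to measure. The following added example (mine, not Fujitsu's) computes FAR and FRR from constructed match scores for a generic biometric matcher and shows how the decision threshold trades one against the other; the scores are invented and say nothing about PalmSecure's actual performance.

```python
# Added example: measuring FAR and FRR for a biometric matcher from match
# scores, and locating the threshold that trades one against the other.
# The score lists are constructed (higher = more similar, 0-100 scale);
# they are not PalmSecure data.
from typing import Sequence, Tuple

GENUINE = [92, 88, 95, 79, 85, 90, 97, 83, 66, 71]    # same person, re-presented
IMPOSTOR = [12, 35, 20, 48, 15, 73, 27, 40, 33, 68]   # different person


def far(impostor: Sequence[float], threshold: float) -> float:
    """False Acceptance Rate: impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False Rejection Rate: genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float]:
    """Threshold at which FAR and FRR are closest, and the rate there (EER)."""
    best_t, best_gap = None, float("inf")
    for t in sorted(set(genuine) | set(impostor)):
        gap = abs(far(impostor, t) - frr(genuine, t))
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, (far(impostor, best_t) + frr(genuine, best_t)) / 2


def threshold_for_far(impostor: Sequence[float], max_far: float) -> float:
    """Lowest (most usable) threshold whose FAR does not exceed max_far."""
    for t in sorted(set(impostor) | {max(impostor) + 1}):
        if far(impostor, t) <= max_far:
            return t
    return max(impostor) + 1


def operating_point(genuine: Sequence[float], impostor: Sequence[float], max_far: float) -> dict:
    """What a deployment pays in rejections for a required security level."""
    t = threshold_for_far(impostor, max_far)
    return {"threshold": t, "far": far(impostor, t), "frr": frr(genuine, t)}
```

With these invented scores the equal error rate sits at threshold 71 with both rates at 10%, and demanding zero false acceptances pushes the threshold to 74 and rejects 20% of genuine users. A single FAR figure without its FRR and threshold therefore says little about a product, which is why the two have to be read together.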


The way that people pay is changing; technology is advancing to a level that people might not have to carry credit cards ever again, let alone cash. Brands should be keeping abreast of these technological changes and consumers’ increasing interest in the quickest and easiest way for them to pay; after all the easier it is for people to buy, the more they will.


More than 1 Million Websites Install Free SSL Certificate (and Counting...)
9.3.2016 Security
Let's Encrypt has reached another big milestone by issuing 1 million free TLS certificates to webmasters who want to secure the communications between their users and their domains.
Let's Encrypt – operated by the Internet Security Research Group (ISRG) – is an absolutely free, and open source certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.
Just three months and five days after Let's Encrypt launched a beta version of the service, the group has crossed 1 million certificates in use across the Web, Let's Encrypt said in a blog post on Tuesday.
Let's Encrypt allows anyone to obtain free SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates for their web servers.
Backed by organizations including the EFF, Akamai and Mozilla, the Let's Encrypt project started offering free HTTPS certificates to everyone last December.
Let's Encrypt's intermediate certificate is cross-signed by the established certificate authority IdenTrust, which is why its free certificates are trusted by browsers and let users browse more securely.
With Let's Encrypt, anyone can set up an HTTPS website in a few simple steps (see our guide on installing a free SSL certificate).
Here's what Let's Encrypt says in its post:
"Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default.
We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted."
Let's Encrypt signed its first free HTTPS certificate in September, and its client software emerged in early November.
Also Read: Hackers Install Free SSL Certs from Let's Encrypt On Malicious Web Sites.
So now it is time for the Internet to take a significant step forward in security and privacy. Let's Encrypt wants HTTPS to become the default, and to make that possible for everyone it was built so that certificates are easy to obtain and manage.


Let’s Encrypt has already issued one Million certificates
9.3.2016 Security

The Electronic Frontier Foundation announced that the Let’s Encrypt Certificate Authority issued its millionth certificate.
The open Certificate Authority (CA) Let's Encrypt appears to be a success: the EFF is reaching its goals with this new certificate authority run by the Internet Security Research Group (ISRG).

Mozilla, Cisco, Akamai, Automattic and IdenTrust joined the initiative with the support of the Linux Foundation. The principal goal is a more secure web, encrypting website traffic with Transport Layer Security (TLS) and improving users' privacy online.

Let's Encrypt issued its first certificate in September 2015, and today the EFF is proud to announce that it has issued its millionth.

“At 9:04am GMT today, the Let’s Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We’re very excited to be building a more secure and fully encrypted future for the World Wide Web.” states the Electronic Frontier Foundation.

The result is striking considering that 90 percent of the 2.5 million domain names covered by Let's Encrypt certificates had never been reachable over browser-valid HTTPS before.

The principal obstacles to deploying HTTPS on every domain are the cost and the effort needed to obtain and install a certificate. Let's Encrypt aims to overcome both by issuing certificates for free and by automating every phase of a certificate's lifecycle.

Let's Encrypt has been a driving force for similar initiatives; Amazon has also started offering free certificates.

There are other aspects to consider with Let's Encrypt certificates: they are valid for only 90 days, so website operators who do not automate renewal risk letting a certificate expire.
“Unlike other CAs that issue certificates that don’t expire for years, LE is issuing short-lived certificates (90 days). All certificates are being published to the Certificate Transparency (CT) project, and you can see them at the crt.sh site.” explained David Holmes from F5 Networks.

Anyway, let me say that I am very happy with the results obtained by the Let's Encrypt initiative; it is evidence that we are converging on greater awareness of the risks and of the need to take the measures necessary to protect our security and privacy.
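As an added example (not Let's Encrypt's or any ACME client's code) of the automation both Let's Encrypt pieces above describe, here is the domain-validation step of the ACME protocol that lets the CA issue without a human in the loop: the client proves control of a domain by publishing a value derived from a CA-supplied token and its own account key, either at a well-known HTTP path or in a DNS TXT record. The account key and token are constructed placeholders; the derivations follow RFC 8555 (ACME) and RFC 7638 (JWK thumbprint).

```python
# Added example, not Let's Encrypt's or any ACME client's code: the
# domain-validation exchange of ACME (RFC 8555). The CA hands the client a
# token; the client publishes token.<thumbprint of its account key>; the CA
# fetches it and compares. Account key and token here are constructed
# placeholders, not real key material.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account public key; "n" is a placeholder, not a real modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": b64url(b"\x00" * 31 + b"\x01"),
    "e": "AQAB",
    "alg": "RS256",   # present in real JWKs but excluded from the thumbprint
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Binds the CA's challenge token to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(token: str, jwk: dict) -> tuple:
    """(path, body) the client must serve over plain HTTP on port 80 of the domain."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain> (hash of the key authorization)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())


def ca_validates_http01(fetched_body: str, token: str, jwk: dict) -> bool:
    """The CA's side: what it fetched must equal the expected key authorization."""
    return hmac.compare_digest(fetched_body.strip(), key_authorization(token, jwk))
```

The token alone proves nothing, since anyone who can read the challenge URL could copy it; binding it to the account key's thumbprint means only the holder of that key can answer, and the private key never leaves the client. Because the whole exchange is mechanical, the same code runs unattended every 60 days or so to renew the 90-day certificates mentioned above.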


Subgraph OS — Secure Linux Operating System for Non-Technical Users
4.3.2016 Security
Information security and privacy have been consistently hot topics since Edward Snowden's revelations of the NSA's global surveillance brought the world's attention to data protection and encryption as never before.
Moreover, just days after Windows 10's launch last summer, various default settings in Microsoft's newest OS were found to compromise users' privacy, prompting a large number of geeks, as well as regular users, to migrate to Linux.
However, the problem is that the majority of users are not comfortable in a Linux environment. They do not know how to configure their machine with the right privacy and security settings, which leaves them open to hacking and surveillance.
This gap can be filled by a Debian-based, security-focused Linux operating system called Subgraph OS.
Subgraph OS is a lightweight Linux distribution that aims to make attacks harder to carry out, even on fairly low-powered computers and laptops.
Subgraph OS ships with its privacy and security options preconfigured, so the user does not have to set them up by hand.
Security-focused operating systems do exist, but they are often very resource-intensive and run only on specific hardware. They are also a real technical challenge for users who do not know the advanced techniques required to get a secure operating system running.
Why Should You Install Subgraph Linux OS?
Subgraph OS offers more than just kernel security. The Linux-based operating system comes with a slew of security and privacy features that its developers believe will be more accessible to non-technical users.
The OS also includes several applications and components that reduce the user's attack surface. Let's have a close look at the important features Subgraph OS provides.
1. Automated Enhanced Protection with Application Sandboxing using Containers
A security feature called Oz is possibly the most interesting part of Subgraph OS. Oz is a system for isolating programs so that if an attacker exploits a vulnerability in one application, the rest of your machine and your network remain largely unaffected.
Oz achieves this by limiting the access each application has to other parts of the computer, so that compromising a hole in one application does not give the attacker the run of the system.
2. Mandatory Full Disk Encryption (FDE)
Subgraph OS makes full disk encryption mandatory at installation, so every user gets it rather than only those who know to turn it on.
Full disk encryption protects the contents of your drives so that your data stays unreadable even if a laptop or hard drive is lost or falls into the wrong hands; note that it protects data at rest, not a running, unlocked system.
Additionally, Subgraph OS wipes memory when the system shuts down in an effort to defend against cold boot attacks.
Cold boot attacks are a class of side-channel attack that takes advantage of data, including disk encryption keys, that remains in DRAM and SRAM cells for a few seconds after power is cut.
3. Online Anonymity — Everything through Tor
Subgraph OS routes all your traffic through the Tor anonymity network by default, making it difficult for attackers to figure out the actual physical location of their targets and preventing applications from leaking your real IP address.
Also More: Is This Security-Focused Linux Kernel Really UnHackable?
4. Advanced Proxy Setting
Each application's communication with the outside world passes through Metaproxy, which makes it possible to see which connections are legitimate.
Since not every application is designed to communicate through Tor, Metaproxy relays outgoing connections via Tor without requiring proxy settings to be configured for each application.
5. System and Kernel Security
Subgraph OS is also hardened with Grsecurity, a set of kernel patches designed to make Linux kernel vulnerabilities such as memory corruption flaws far harder to exploit.
Support for PaX adds a further layer: it enforces least-privilege protection for memory pages (no page is both writable and executable) and randomizes the address space layout, making vulnerabilities such as buffer overflows and other memory corruption flaws in applications and in the kernel harder to exploit.
6. Secure Mail Services
Subgraph OS includes Subgraph Mail, which integrates OpenPGP so users can send and receive encrypted and signed messages using PGP/MIME.
Subgraph Mail is designed so that PGP key management and sending and receiving encrypted email are easy for everyone.
Subgraph Mail is also built defensively: authentication and integrity verification are implemented so that even if parts of the application are compromised, an attacker would still not have access to the rest of your emails or your encryption keys.
Additionally, there is no need to execute commands in a terminal window or install plug-ins. Web browser support is deliberately left out of the mail client to eliminate web exploits delivered through mail.
7. Package Integrity

Subgraph OS also provides a way to verify downloaded packages: each package is matched against the hash recorded in the operating system's distributed, signed package list before it is installed, so the package list, not the download itself, is the final authority.
The recently backdoored Linux Mint download is an example of why this matters: when the download site itself is compromised, hashes published on that same site cannot be trusted.
Thus, Subgraph OS guards against the installation of tampered or malicious downloaded packages.
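Both the Tor Project passage above (checking the downloaded browser's hash) and Subgraph's package check come down to the same operation: compare the hash of what you received with a hash published by someone you trust, and make sure the list of hashes itself is signed. The following added example (mine, not Tor's or Subgraph's code) does that with sha256sum-style manifests; the files are constructed in a temporary directory, and the signature step shells out to gpg against a keyring you populate out of band.

```python
# Added example, not Tor Project's or Subgraph's code: verifying a download
# against a hash manifest, and insisting that the manifest itself is signed.
# The bundle and manifest below are constructed in a temporary directory.
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large bundles do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Lines in sha256sum format: '<hex>  <filename>' (a leading '*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(path: str, manifest: dict) -> bool:
    """True only if the file's hash equals the manifest entry for its name."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        raise KeyError(f"{name} is not listed in the manifest")
    return hmac.compare_digest(sha256_file(path), expected)


def manifest_is_signed(manifest_path: str, keyring: str) -> bool:
    """Check the detached signature <manifest>.asc with a keyring that holds
    only the publisher's key, obtained out of band. Without this step a hash
    list fetched from the same (possibly compromised) site proves nothing."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not available; cannot authenticate the manifest")
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", manifest_path + ".asc", manifest_path],
        capture_output=True)
    return result.returncode == 0


def demo() -> tuple:
    """Constructed: a 'bundle', its manifest, then a tampered copy of the bundle."""
    workdir = tempfile.mkdtemp()
    bundle = os.path.join(workdir, "tor-browser.tar.xz")
    with open(bundle, "wb") as f:
        f.write(b"constructed bundle contents\n")
    manifest = parse_manifest(f"{sha256_file(bundle)}  tor-browser.tar.xz\n")
    intact = verify_download(bundle, manifest)
    with open(bundle, "ab") as f:
        f.write(b"injected\n")          # simulate a modified download
    tampered = verify_download(bundle, manifest)
    shutil.rmtree(workdir)
    return intact, tampered
```

The order matters in practice: run manifest_is_signed first and only then trust the hashes in it. A hash check against an unsigned list fetched from the download site is what the Linux Mint victims effectively had, and it catches corrupted transfers but not a compromised server.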
Comparison Between Subgraph OS and Qubes OS
Subgraph OS has some similarities to Qubes OS – another Linux-based, security-oriented operating system for PCs.
Whereas Subgraph OS isolates individual applications at a more granular level, Qubes OS typically runs different isolated domains inside different virtual machines – one for your work, one for your personal use, and so on.
Subgraph OS doesn't isolate the networking and USB stacks or other devices and drivers, but Qubes OS does.
Also, Subgraph OS uses Xpra for GUI virtualization, which is less secure than the Qubes GUI protocol but has some usability advantages, such as a seamlessly working clipboard.
Subgraph makes use of Netfilter hooks to redirect app-generated traffic into the Tor network and to let the user see and control app-generated traffic, whereas Qubes OS uses separate service virtual machines (Proxy VMs such as TorVM) to intercept traffic.
As the list goes on... Subgraph would be a treasure for privacy lovers.
How to Download Subgraph OS?
Subgraph OS will be available for download via its official website. Let's wait for the operating system to be unveiled at the Logan CIJ Symposium in Berlin on March 11-12 to experience the Cyber Isolation!!!


RSA Conference Badge Scanning App has a default password hardcoded
3.3.2016 Security

Researchers at Bluebox Security discovered that the badge scanning application used at the RSA Conference 2016 includes a hardcoded default password.
Participants at the 2016 RSA Conference are in for an unpleasant surprise: many vendors were provided with Samsung Galaxy S4 smartphones running a special Android app, available on Google Play, that lets them keep track of visitors by scanning their badges.

The scanning device cannot be used for anything except scanning badges unless an administrator unlocks it with a password; this operating mode is known as “kiosk mode.”

Security experts at Bluebox Security downloaded and analyzed the scanning app and discovered that its authors had embedded the default password in the source code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers told Securityweek.com. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.

In this specific case there are no serious risks for end users, but it is quite common to find mobile apps with hardcoded credentials. Attackers could exploit an embedded password to gain control of the device, at which point it is trivial to use it to spy on victims or to recruit it into a mobile botnet.
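To make the developer-practice point concrete, here is an added example (not the RSA Conference app's code, nor Bluebox's) showing the vulnerable pattern beside a hardened one. The vulnerable lock compares the attempt against a constant shipped in the app, so anyone who decompiles it has a master key for every device and no administrator can rotate it. The hardened lock stores only a salted PBKDF2 hash, compares in constant time, and handles the "admin lost the passcode" case that the researchers speculate the constant was for with a random per-device recovery code generated at provisioning time and shown to the administrator once. Class names, passcode values and the small source-review helper at the end are constructed for illustration.

```python
"""Kiosk unlock: hardcoded fallback passcode vs. salted hash with per-device recovery.

Added example, not the badge-scanning app's code. Class names, passcode
values and the storage layout are constructed for illustration.
"""
import hashlib
import hmac
import os
import re

# --- Vulnerable pattern: a constant in shipped code, readable by anyone who
# decompiles the app, that unlocks every device regardless of the admin's
# own passcode. (Constructed value, not the real app's.)
EMBEDDED_FALLBACK_CODE = "0000"


class VulnerableKioskLock:
    def __init__(self, admin_code: str):
        self.admin_code = admin_code  # stored in plain text

    def unlock(self, attempt: str) -> bool:
        # Plain string comparison, plus a second "master" code nobody can rotate.
        return attempt == self.admin_code or attempt == EMBEDDED_FALLBACK_CODE


# --- Hardened pattern: only a salted PBKDF2 hash of the admin code is stored,
# comparison is constant-time, and lost-passcode recovery uses a random
# per-device code created at provisioning time instead of a secret shared
# by every installation.
PBKDF2_ROUNDS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ROUNDS)


class HardenedKioskLock:
    def __init__(self, admin_code: str):
        self.salt = os.urandom(16)
        self.admin_hash = _hash_code(admin_code, self.salt)
        # Per-device recovery code; the provisioning step must record it out of band.
        self.recovery_code = os.urandom(8).hex()
        self.recovery_hash = _hash_code(self.recovery_code, self.salt)

    def unlock(self, attempt: str) -> bool:
        return hmac.compare_digest(_hash_code(attempt, self.salt), self.admin_hash)

    def recover(self, recovery_attempt: str, new_admin_code: str) -> bool:
        """Reset the admin code with the per-device recovery code.

        The recovery code is single-use: on success a fresh one is generated
        together with a fresh salt, so an observed code cannot be replayed.
        """
        if not hmac.compare_digest(_hash_code(recovery_attempt, self.salt), self.recovery_hash):
            return False
        self.salt = os.urandom(16)
        self.admin_hash = _hash_code(new_admin_code, self.salt)
        self.recovery_code = os.urandom(8).hex()
        self.recovery_hash = _hash_code(self.recovery_code, self.salt)
        return True


# --- Review aid (constructed): flag string literals assigned to secret-looking
# names in decompiled or reviewed source, the kind of line that gave the app away.
_SECRET_ASSIGNMENT = re.compile(r'(?i)(pass(word|code)?|pin|secret)\w*\s*=\s*"[^"]+"')


def find_hardcoded_secrets(source_lines):
    """Return (line number, stripped line) for each suspicious assignment."""
    return [(n, line.strip()) for n, line in enumerate(source_lines, 1)
            if _SECRET_ASSIGNMENT.search(line)]


if __name__ == "__main__":
    lock = HardenedKioskLock("8642")
    print("admin unlocks:", lock.unlock("8642"))
    print("embedded constant unlocks:", lock.unlock(EMBEDDED_FALLBACK_CODE))
    print(find_hardcoded_secrets(['String defaultPasscode = "1234";', 'int pinCount = 0;']))
```

The recovery path is the part worth copying: the legitimate need (an administrator forgets the code) is real, but it is met with a secret that differs per device and dies after one use, not with a constant that is identical on every handset and lives for as long as the app is installed.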

Something similar had already happened in 2014, when experts at IOActive uncovered a number of flaws affecting the RSA Conference Android app, including information disclosure issues.

Security by design has to be a must for mobile app development. Unfortunately, the rapid diffusion of rapid mobile application development tools makes it quite easy to publish a mobile app, but in most cases security requirements are totally ignored.

It is curious that this happened at a conference followed by the most important experts in the security field.


Using the Microsoft EMET security tool to hack itself
29.2.2016 Security

The security researchers Abdulellah Alsaheel and Raghav Pande of FireEye have found a way to make Microsoft EMET (Enhanced Mitigation Experience Toolkit) disable itself.
The Enhanced Mitigation Experience Toolkit was introduced by Microsoft to raise the cost of exploit development; it cannot be considered a solution able to protect systems from every malicious exploit. The two FireEye researchers have now found a way to use the tool against itself.

The experts devised a technique to disable the Microsoft Enhanced Mitigation Experience Toolkit using the tool itself.

The Enhanced Mitigation Experience Toolkit was designed to protect systems against attackers by recognising the patterns of common exploitation techniques.

“EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software.” is the description provided by Microsoft for its tool.

The Enhanced Mitigation Experience Toolkit works by injecting its protection library into applications; it hooks the running process and analyses calls to critical APIs in an attempt to detect suspicious activity early.

“EMET injects emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll). These hooks provide EMET the ability to analyze any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception.” wrote the security duo.

The researchers focused their efforts on disabling the Enhanced Mitigation Experience Toolkit outright: an attacker could include in the exploit code that invokes a function within the tool itself which switches its protections off.

The exit “feature” is implemented in emet.dll to let EMET cleanly unload from a process.

“However, there exists a portion of code within EMET that is responsible for unloading EMET. The code systematically disables EMET’s protections and returns the program to its previously unprotected state. One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

The only remaining problem for the researchers was to retrieve the base address of emet.dll in order to invoke the function that disables it. The experts used GetModuleHandleW, a function that is not hooked by the Microsoft Enhanced Mitigation Experience Toolkit, to retrieve the address.

This is not the first time that security experts have found a way to bypass the Enhanced Mitigation Experience Toolkit, but unlike past approaches, the technique proposed by the duo doesn't rely on vulnerabilities or missing features.

“This new technique uses EMET to unload EMET protections. It is reliable and significantly easier than any previously published EMET disabling or bypassing technique. The entire technique fits within a short, straightforward ROP chain. It only needs to leak the base address of a DLL importing GetModuleHandleW (such as mshtml.dll), instead of full read capabilities over the process space. Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1).” explained the security duo.


Pay-by-Selfie – MasterCard is replacing the customer password with his selfie
23.2.2016 Security

MasterCard has announced the extension of its ‘pay-by-selfie’ facial recognition technology to 14 countries this summer, which means no more passwords.
The giant multinational financial services corporation MasterCard announced the extension of the ‘pay-by-selfie’ facial recognition technology to 14 countries this summer. In October Mastercard announced the creation of a new payment method based on the Identity Check app, which lets users complete financial transactions by using their face.

Mastercard wants to increase security with biometric technology and improve the user experience by making it easy to authenticate users for ordinary operations such as payments.

“As the world gets increasingly digital, this will be the next wave of technology that will change the consumer experience of shopping digitally,” Ajay Bhalla, president of enterprise security solutions for MasterCard, told USA Today. “It’s all part of our role in making commerce available anywhere, any time, on any digital device.”

How does it work?

The ‘pay-by-selfie’ facial recognition technology is simple to use: a customer only needs to download the Identity Check app. When a merchant needs to identify the user before a purchase, the customer receives a push notification on his mobile device, which triggers the app. At this point, it is enough to take a selfie to authorize the purchase.

Mastercard conducted tests in several countries before introducing the technology, and now considers it mature enough to be introduced in strategic markets such as the British one.

The technology will drastically reduce the risk of identity fraud because it will be harder for hackers to take a victim’s picture without the user's interaction. Data provided by Get Safe Online revealed that the top 10 internet fraud campaigns between September 2014 and August 2015 cost the UK over £268 million.

The company is proud to have reduced the attack surface, since customers no longer rely on typed passwords that could easily be phished by fraudsters.

I had no opportunity to test the technology, but the first attack scenario that I have in mind is the infection of a mobile device by malware that is able to steal a customer's selfie and submit it in a stealthy way when a transaction must be authorized. Such malware would need access to the camera, the local storage and the applications, and would need the ability to intercept the push notifications.

Mastercard is investing in biometric authentication, including iris and voice recognition technologies; the most advanced studies are pushing the use of a heartbeat signature captured via a connected bracelet device.

According to Fortune, other banks are introducing biometric technology to improve the security of their customers: HSBC is working on voice recognition and touch identification, while Barclays introduced voice recognition to its private banking division in 2013.


ENCRYPT Act of 2016 — Proposed Bill Restricts States to Ban Encryption
11.2.2016 Security
Last year's ISIS-linked terror attacks in Paris and California sparked a debate on encryption, and intelligence agencies revived their efforts to weaken encryption in various products and services.
But, there is some Good News!
A California Congressman and a Texas Republican are now challenging state-level proposals to restrict US citizens' ability to encrypt their smartphones.
On Wednesday, California Congressman Ted Lieu, one of four members of Congress, and Texas Republican Blake Farenthold, a member of the House Oversight and House Judiciary committees, introduced a new bill in Congress that attempts to ban states' efforts to implement their own anti-encryption policies at the state level while a national debate on encryption is ongoing.
The bill, called "Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016" – in short, "ENCRYPT Act of 2016" – would stop states from individually trying to make major companies change their technology to fulfil law enforcement requirements.
The bill comes almost a month after two state bills in California and New York proposed to ban the sale of smartphones equipped with strong cryptography that cannot be unlocked and accessed by the manufacturer.
Here's what the "ENCRYPT Act of 2016" reads [PDF]:
A State or political subdivision of a State may not order or request that a manufacturer, seller, developer, or provider of covered products or services:
Design, alter or modify the security features in its product or service in an effort to allow the surveillance of its users, or to allow the physical search of such product or service by any federal agency or instrumentality of a State, a political subdivision of a State, or, of course, the United States.
Have the ability to decrypt or otherwise provide intelligible information that is encrypted or otherwise rendered unintelligible using its product or service.
Although privacy advocates have largely applauded the new bill, it would need to pass both the House of Representatives and the Senate, and be signed by the President, in order to take effect.
However, many federal officials, including FBI Director James Comey, would not be so happy with the proposed bill, as they have sought to force major companies to provide backdoor access to their services.
As Comey previously stressed, "There're plenty of companies today that [offer] secure services to their customers and still comply with court orders. There are plenty of folks who make good phones [and can] unlock them in response to a court order."
But in my opinion, no backdoors can help law enforcement and intelligence agencies tackle terrorism.
Would Handing Over a Backdoor to the Federal Agencies Help?
As I previously said, "Technically, there is no such backdoor that only the government can access. If surveillance tools can exploit the vulnerability by design, then an attacker who gained access to it would enjoy the same privilege."
Even if these backdoors are not creating vulnerabilities for hackers to attack, we do not trust the government asking for backdoor encryption keys.
Recently the Department of Justice (DoJ) was hacked by an unknown attacker, who on Monday leaked personal data belonging to roughly 20,000 FBI agents and 9,000 DHS employees.
A similar thing happened last year when the US Office of Personnel Management (OPM) was hacked multiple times, exposing extremely sensitive security records of over 21.5 million government employees.
These incidents prove that government agencies fail to protect their most sensitive data, so they can't be trusted to keep backdoor encryption keys safe from hackers.


Windows 10 Sends Your Data 5500 Times Every Day Even After Tweaking Privacy Settings
10.2.2016 Security
Myth: Disabling all privacy-compromising and telemetry features on Windows 10 will stop Microsoft from tracking your activities.
Fact: Even with all telemetry features disabled, Windows 10 phones home more than you could ever imagine.
Ever since the launch of Microsoft's newest operating system, Windows 10 is believed to be spying on its users. I wrote a number of articles to raise concern about Windows 10 privacy issues, including its controversial data mining features and privacy invasion features.
The only solution believed to cope with these issues is to disable all the telemetry features, or to use an automated tool that disables all privacy-infringing features in one click.
But unfortunately, all these efforts are wasted, because Microsoft still tracks you even after you tighten your Windows 10 privacy settings to the extreme, claims a recent analysis conducted by Voat user CheesusCrust.
Traffic Analysis Reveals Extent of Windows 10 Spying
Curious to know the extent of Windows 10 spying, CheesusCrust set up his Linux laptop with a Windows 10 Enterprise virtual machine and a DD-WRT router used to monitor traffic.
CheesusCrust also disabled every single tracking and telemetry feature in the operating system. He then left the Windows 10 machine running overnight in order to monitor the connections the OS attempted to make.
The results are not so surprising:
Eight hours later, he found that the idle Windows 10 box had tried over 5,500 connections to 93 different IP addresses, out of which almost 4,000 were made to 51 different IP addresses belonging to Microsoft.
After leaving the machine for 30 hours, the connections had expanded to 113 non-private IP addresses, potentially allowing hackers to intercept this data.
Taking his test a step further, CheesusCrust reinstalled the Windows 10 Enterprise virtual machine on his laptop, disabled all tracking features, and additionally ran a third-party tool known as DisableWinTracking.
After this, the number was reduced to 2,758 connections to 30 different IP addresses over a period of 30 hours.
The interesting fact here is that this analysis was conducted on Windows 10 Enterprise Edition, which offers the most granular level of user control, far more than the standard Windows 10 Home Edition used by a sizable audience.
The Greatest Cost to Owning 'Free' Windows 10
However, based on these logs alone it would be inaccurate to say that Windows 10 is sending your personal data to Microsoft's servers. But thousands of connection attempts in a period of 8 hours, supposedly just to check for updates or adjust the time, is more than one would expect.
A September 2015 blog post from Terry Myerson, head of the Windows team, explained that while Windows 10 does send some of your data to the company, everything is encrypted and doesn't include any of your personal details.
Here's what Microsoft says about the Windows 10 Spying concerns:
"We collect a limited amount of information to help us provide a secure and reliable experience. This includes data like an anonymous device ID, device type, and application crash data which Microsoft and our developer partners use to continuously improve application reliability. This doesn't include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID."
While this research doesn't reveal what Windows 10 is sending to the company even after the telemetry features are disabled, keep in mind that nothing comes for free. "Free" is just a relative term. Maybe you are paying the greatest cost of all for owning Windows 10.


Safe Harbor replaced with Privacy Shield
4.2.2016 Security

The so-called Privacy Shield deal replaces the Safe Harbor arrangement, which stood for over fifteen years before being struck down by a court in October.
United States and European negotiators have hammered out a last-minute agreement to allow data flows across the Atlantic to continue without violating the law.

“Surprisingly, the US has given the EU compulsory assurances that the access of public establishments for national safety purposes will be liable to clear protections, limitations and oversight devices,” said Europe’s Justice Commissioner Věra Jourová.

“Additionally, EU nationals will profit by redress mechanisms around there. In the setting of the arrangements for this contract, the United States has guaranteed that it doesn’t lead mass or aimless surveillance of Europeans. We have built up a yearly joint survey with a specific end goal to closely monitor the execution of these assurances.”

Under the terms of the new arrangement, which has yet to be approved by the EU member states, the United States will give a yearly written commitment that it won’t engage in mass surveillance of EU residents, and this will be reviewed by both sides once per year.

United States organizations wanting to import EU nationals’ data must give “strong requirements on how private data is handled,” and implement the same principles as European data protection laws. If EU citizens want to complain about how their data is being used, organizations must respond within a set time and at no cost to the complainant.

Commissioner Jourová and her colleague Andrus Ansip, European Commission Vice-President for the Digital Single Market, will now draft an “adequacy decision” containing the new standards for member states to approve. The United States will likewise continue adjusting its regulatory framework to accommodate the new agreement.

“Our public can make sure that their data is completely secured. Our organizations, particularly the small ones, have the legal guarantee they have to build up their actions across the Atlantic,” said Ansip.

“We have an obligation to check and we will thoroughly monitor the new procedure to ensure it keeps delivering. Today’s choice helps us construct a Digital Single Market in the EU, a dynamic and trusted online environment; additionally it reinforces our close partnership with the United States.”

Three months of desperate rewriting

The so-called Privacy Shield deal replaces the Safe Harbor arrangement, which stood for over fifteen years before being struck down by a court in October. It is the result of three months of frantic and sometimes tense negotiations between the two trading giants, with tech companies in both regions pushing hard for an agreement.

The data protection authorities (DPAs) will now spend the next few days hammering out the details. There may still be some individual sticking points, but the need for action is moving Europe’s typically ponderous regulators more quickly than expected, thanks to industry pressure.

“We request that Europe’s national data protection authorities (DPAs) view this sign from the European Commission as an indication of conviction and hold off on any potential implementation activity until the new arrangement has been completely executed,” said John Higgins, director general of industry group DigitalEurope.

“While they are evaluating the swap for Safe Harbor, we urge Europe’s DPAs to keep on regarding the utilization of other transfer systems, for example, contract clauses (MCCs) and binding corporate rules (BCRs), so information exchanges to the United States can proceed unrestricted.”

Then again, questions are already being raised about the new arrangement. The language used in the official announcement is woolly at best, and there are fears that the deal struck may be too broad for some to swallow.

“The aftereffects of months of intervention seem weak, and if implemented we are expected to see additional legal trials in the European courts,” stated Ashley Winton, UK head of data protection and privacy at Paul Hastings LLP.

“The European Commission still needs to put forth the case that the United States arrangements of protection laws are basically identical, that data subjects have genuine rights against unbalanced handling in the United States, and that if there is illegal processing then people can have their own information erased and at last change in an appropriate court.”

“With all due appreciation, however, a few letters by the Obama organization are in no way, shape or form a legal base to ensure the basic rights of five hundred million European clients over the long run, when there is clear US law permitting mass surveillance,” stated Max Schrems, the Austrian student who brought down the Safe Harbor agreement with a case against Facebook.

“We don’t have a clear idea about the legal structure, yet this could clearly neglect the Court’s verdict. The Court has simply indicated that the United States needs to “guarantee” appropriate security by means of international commitments or domestic law. I question that a European can go to a United States court and claim his basic rights.”

He indicated that the arrangement could likewise come unstuck because of the NSA’s PRISM program, which allows the intelligence agencies to tap the data flows of partners such as Microsoft, Google, Apple or Facebook. This would seem to breach the agreement, and the courts are sure to get involved.

There is also the matter of legal workarounds. Microsoft is currently fighting the United States Department of Justice over the agency’s claim that it can demand data held on European servers without a warrant.