Giant Fighting Robot Makers Open Up the Cockpit
09/17/2016
The US MegaBots have challenged the Japanese Kuratas to a
duel:
______________________________________________________________________________
Justice Dept. group studying national security threats of internet-linked devices
09/09/2016
DOJ forming IoT team:
If they name themselves anything that includes the phrase “cyber
justice” they’ll need capes.
______________________________________________________________________________
The US-CERT has issued a warning for high-risk network infiltration
vulnerabilities in Cisco devices. This is fallout from last month’s “Shadow
Brokers” release of NSA exploits.
September 07, 2016
______________________________________________________________________________
An Old Trojan has been revived with bonus ransomware:
______________________________________________________________________________
MS Word docs – like resumes – carry macros that plant the
Trojan. It steals those strong passwords you spent weeks perfecting, sends them
back home, and then locks your computer and demands a ransom.
You might want to request resumes and other docs in PDF form
for a while (yes, PDFs have problems, but no major scam running at the moment).
It would also be logical to make sure Word & Excel
macros are disabled by default. Unfortunately, that process is not clear.
You’ll have to Google your particular version of Office and chase it down. My
up-to-the-minute copy of Word 2016, with the built-in “Tell me what you want to
do” search bar, keeps taking me to documentation for Office 2007. I hope you
have better luck.
Symantec / Norton Antivirus Allows Security Exploits:
July 06, 2016
______________________________________________________________________________
Attackers can become root / system admin. The holes exist across all platforms.
Millions of Hacked LinkedIn IDs Advertised “For Sale”
______________________________________________________________________________
A hacker is advertising what he says is more
than one hundred million LinkedIn logins for sale.
The IDs were reportedly sourced from a breach four years ago, which had
previously been thought to have included a fraction of that number.
At the time, the business-focused social network said it had reset the
accounts of those it thought had been compromised.
LinkedIn now plans to repeat the measure on a much larger scale.
One expert said the service should have reset all its accounts the first
time round.
LinkedIn is often used to send work-related messages and to find career
opportunities - activities its members would want to stay private.
Criminals could make use of this information or see if its subscribers had
used the same passwords elsewhere.
"We are taking immediate steps to invalidate the passwords of the
accounts impacted, and we will contact those members to reset their
passwords," a spokeswoman for the California-based firm told the BBC.
"We have no indication that this is a result of a new security breach.
"We encourage our members to visit our safety
centre to ensure they have two-step verification authentication and to use
strong passwords in order to keep their accounts as safe as possible."
Login leak
Details of the sale were first reported by
the news site Motherboard.
It said the details were being advertised on at least two hacking-related
sites.
A total of 117 million passwords are said to be included.
The passcodes are encoded, but in a form that appears to have been
relatively easy to reverse-engineer.
LinkedIn had about 165 million accounts at the time of the breach, but the
discrepancy in the figures might be explained by the fact that some of its
users logged in via Facebook.
Invalidated IDs
After the breach first occurred, a file containing 6.5 million encrypted
passwords was posted to an online forum in Russia.
LinkedIn reacted by
saying it had invalidated all the accounts it believed had been compromised
and emailed affected members saying they needed to register new passwords.
But Motherboard has tracked down one user, whose details are in the batch
currently on sale, and found that the password listed for him was still active.
A security researcher who has also been given access to about one million of
the advertised IDs said he believed it was "highly likely" that the
leak was real.
"I've personally verified the data with multiple subscribers [of my own
site] 'Have I been pwned'," Troy Hunt told the BBC.
"They've looked at the passwords in the dump and confirmed they're
legitimate."
Another expert noted that the problem stemmed from the fact that LinkedIn
had originally "hashed" its passwords but not "salted" them
before storing them.
Hashing involves using an algorithm to convert passwords into a long string
of digits. Salting is an additional step meant to stop unauthorised parties
from being able to work around the process.
"A salt involves adding a few random characters, which are different on
a per-user basis, to the passwords [before they are hashed]," explained
Rik Ferguson, chief technology officer at the cybersecurity firm Trend Micro.
By doing this, he added, you prevent hackers from being able to refer to
so-called "rainbow tables" that list commonly-used passwords and the
various hashes they produce, and then see if any of the hashes match those in
the stolen database.
LinkedIn introduced salting after the attack, but that only benefits the
login databases it generated afterwards.
"Using salting is absolutely best practice for storing passwords under
any circumstances and was the case back in 2012 as well," Mr Ferguson
said.
"If LinkedIn is saying now that it didn't know which accounts had been
affected by the breach, then the sensible thing to have done at the time would
have been a system-wide forced reset of every password."
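To make the salting point concrete, here is an added Python example (not from the article, LinkedIn, or any of the people quoted) that assumes an unsalted SHA-1 store, builds a tiny lookup table of constructed common passwords standing in for a rainbow table, and shows that the same table cracks the unsalted store but finds nothing once each user gets a random salt.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the wordlists behind a real rainbow table.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein", "qwerty"]

# Constructed users; alice and dave share a password on purpose.
USERS = {
    "alice": "linkedin",
    "bob": "123456",
    "carol": "Tr0ub4dor&3",
    "dave": "linkedin",
}


def sha1_hex(data: bytes) -> str:
    # SHA-1 is an assumption for illustration; it is also far too fast
    # for password storage, so real systems pair the salt with a slow hash.
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(passwords):
    """Precompute hash -> password once; reuse it against any unsalted dump."""
    return {sha1_hex(p.encode()): p for p in passwords}


def store_unsalted(users):
    """Hash only: identical passwords yield identical hashes across users."""
    return {name: sha1_hex(pw.encode()) for name, pw in users.items()}


def store_salted(users, salt_len=16):
    """Hash with a random per-user salt, stored alongside it (the salt is not secret)."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(salt_len)
        db[name] = (salt.hex(), sha1_hex(salt + pw.encode()))
    return db


def crack_unsalted(db, table):
    """One dictionary lookup per user, no hashing needed at all."""
    return {name: table[h] for name, h in db.items() if h in table}


def crack_salted(db, table):
    """The same table never matches: every salt changes the hash input."""
    return {name: table[h] for name, (_salt, h) in db.items() if h in table}


def verify_salted(db, name, candidate):
    """Legitimate login: recompute with the stored salt, compare in constant time."""
    salt_hex, stored = db[name]
    computed = sha1_hex(bytes.fromhex(salt_hex) + candidate.encode())
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", crack_unsalted(store_unsalted(USERS), table))
    print("salted:  ", crack_salted(store_salted(USERS), table))
```

Salting defeats precomputation but not guessing one user at a time, which is why a slow, salted function such as bcrypt or PBKDF2 is the current recommendation rather than a bare salted SHA-1.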
______________________________________________________________________________
Paying Not an Option When Ransomware Hits
The rapid rise of ransomware has made it the latest marquee
threat in cybersecurity. The growth in victims and damages has been widely
reported, with successful attacks being waged against organizations of all
sizes and stripes. However, this trend has had a disproportionate impact on
small and medium-sized businesses.
To get a fresh, direct line on the effect ransomware is
having on these organizations we surveyed members of Spiceworks, an IT
community site numbering well over a million account holders geared to IT administrators
and managers at SMBs. We asked respondents whether they had been victims of
ransomware, how they responded (or how they thought they would respond), and
how the threat of ransomware has affected their organization. Their answers
were consistent and described a common frustration, resignation, and
uncomfortable urgency with the issue.
When they get hit, they disconnect
Most ransomware
does not hide the fact it has just locked down your system or encrypted your
critical files. It alerts you. As a result, a majority of survey respondents
said they were aware they had been compromised within an hour of the event. 90%
were aware of the attack within 24 hours.
This is very different from traditional data breaches, where
the average time of discovery is measured in months, not hours, according to research (PDF) from the Ponemon Institute.
Unfortunately, the mission of the ransomware attack is
accomplished in a much shorter period. Typical lockdown or encryption of a
system happens within a minute or two of the ransomware’s execution. At that
point, there are only two choices left: pay or start cleaning up. Regardless,
the very first task most survey respondents focus on is isolating the
infection. 75% of the victims pull the machines as soon as possible and begin
some form of restoration process.
Common Ground: Don’t Pay
The most surprising response was the near unanimous
resistance of these IT professionals to pay the ransom. Reporting on attacks at
places like Hollywood Presbyterian Hospital in California and others has shown
the willingness of organizations to pay. Back in 2014, Kent University reported that 40% of CryptoLocker victims had chosen to
pay, and more recently the US DoJ reported on millions spent on ransomware and
recovery efforts since 2005.
Both of the respondent groups (prospective and actual
victims) agreed that paying was not a viable option, as 95% of ransomware
victims refused to pay the ransom. Over 80% of the not-yet victims also
indicated they wouldn’t pay if they were attacked. Their reasons were mixed,
but most were unconvinced paying would result in them actually getting their
data back. Others felt that they would do well enough by restoring from their
own backups.
Lessons Learned: Backups Can Come Up Short
The most common mitigation for these organizations was to
restore their affected systems from backup. The unaffected groups indicated
that they were backing up almost 100% of their data, and 81% felt that these
backups would allow them to completely recover. Unfortunately, among the
victims, only 42% were able to recover all of their data during the restoration
process. They were able to make substantial progress in recovery, but their
comments highlighted gaps that included unmonitored and failed backups,
accessible backup drives which were also encrypted, and the loss of between
1 and 24 hours of data from their last incremental snapshot.
An effective backup strategy is the most common
recommendation for organizations looking to blunt the effect of ransomware.
Surprisingly, when these administrators were asked what changes they made to
their security in the wake of the attack, only 8% of the victims reported
improving their backup strategies. Instead, the majority focused on increased
restrictions of access and content through technology (63%) and providing
additional awareness training in hopes of changing user behavior (47%).
Looking Ahead
The market forces driving ransomware are still in their
infancy. The business models, tools, and actors are evolving, and defensive
strategies need to do so as well.
Even now, existing ransomware tools like Teslacrypt
and Locky
are emerging with new techniques and improved abilities to hide themselves and
spread. This survey helps highlight three key areas where the actual victims
and targets of ransomware see the need to improve:
● They want new tools that will help to prevent them from
becoming victims.
● They want to help their users understand the threats that
they are under to make them a defensive asset and not a vulnerability.
● They want to be able to broadly recover without paying the
criminals.
If they can accomplish these three things, the profit motive
driving the growth in ransomware will begin to erode. Then organizations can
turn their focus to addressing whatever new criminal trend will be waiting
around the corner.
By: Jack Danahy
______________________________________________________________________________
Report on Cyber Insurance
From
a report on cyber insurance that forecasts a booming market:
“Year-over-year
increases in the frequency and cost of cyber incidents – nearly doubling since
2010 -- coupled with heightened regulatory scrutiny and growing litigation, are
causing a surge in demand for cyber liability insurance.”
The
company that wrote it is a “wholesale property and casualty insurance broker”:
First Electric Utility Hit by Ransomware?
Wednesday April 27, 2016
______________________________________________________________________________
Lansing’s public power electricity and water supply utility, the Lansing
Board of Water & Light, has been crippled for the last two days by a ransomware
attack on its corporate computer network. Press reports by
the Lansing State Journal, WILX-TV and WLNS-TV indicate the attack started on
the morning of April 25.
While the electricity and water supply are still running in Lansing, MI,
Lansing BWL personnel don’t have access to their corporate server computer
files and their telephone system. The attack caused the BWL’s files on
its corporate server to become encrypted and some criminal is apparently
demanding money for the key to unlock the system.
BWL reports that customer data is not affected or compromised.
The FBI and Michigan State Police have been called in to investigate the
attack.
Here are the press reports and video reporting this event:
www.wilx.com/…
Hackers who create Ransomware often demand payment in order to decrypt the
files. Peffley wouldn't confirm early Tuesday afternoon if BWL will have
to pay a ransom to hackers so all services can be restored safely. Amy
Adamy, a BWL spokesperson, said Tuesday afternoon in a voicemail left for the
LSJ that the utility could have a press conference Wednesday with more
details about the cyberattack.
"We’re just trying to figure out what it will take to get our system
decrypted," Peffley said. "We’re essentially locked out of our own
system."
www.lansingstatejournal.com/…
The attack occurred while Lansing Mayor Virg Bernaro is away on a trade
mission:
www.lansingstatejournal.com/...
New Global Security Intelligence Platform for
Industrial Control Systems
Monday April 04, 2016
_______________________________________________________________________________
New Portal Launched For ICS/SCADA Threat
Intelligence-Sharing Among Nations
The EastWest
Institute teamed up with the US ICS-ISAC to create a platform for critical
infrastructure operators worldwide to share threat data.
In the aftermath of
the unprecedented cyberattack that led to a blackout in Ukraine last December,
members of the US ICS-CERT team flew to Kiev to get debriefed by their
Ukrainian counterparts. It was a crucial information-gathering trip as
well as a reality-check for US critical infrastructure operators, according to
US Department of Homeland Security officials, that such an attack could be
pointed at power grids anywhere in the world.
More SSL Vulnerabilities
More SSL vulnerabilities have been disclosed. First, QUIC is unlikely to be
exploited on your sites, as the cost to run it is nation-state level ($9M).
However, like DROWN, it’s an exploit against SSL v2. SSLv2 is old and
deprecated, but companies sometimes fail to update “unimportant” sites and leave
old technology in place. Swiss banks were recently victimized this way: crack
the overlooked, boring site; plant phishing malware; take over executives’
computers; steal millions of $$.
The reason SSLv2 attacks are news at all is that the hacker community has
recently discovered that penetrating boring, unimportant sites frequently
reveals info and/or creates a platform to attack the interesting sites. It’s a
leg up, an attack advantage. Bottom line: audit your servers to ensure none of
them allow any SSL/TLS version below TLS 1.2.
Original Article:
The Internet of
Things Will Be the World's Biggest Robot
Tuesday February
23, 2016
_______________________________________________________________________________
Probably not a serious threat, more of an admonition to IoT designers. In a
more serious vein, there’s an essay below on the IoT from Bruce Schneier,
cybersecurity’s version of Chuck Norris.
The Internet of Things is the name given to the computerization of everything
in our lives. Already you can buy Internet-enabled thermostats, light bulbs,
refrigerators, and cars. Soon everything will be on the Internet: the things we
own, the things we interact with in public, autonomous things that interact
with each other.
These "things" will have two separate parts. One part will be sensors that
collect data about us and our environment. Already our smartphones know our
location and, with their onboard accelerometers, track our movements. Things
like our thermostats and light bulbs will know who is in the room.
Internet-enabled street and highway sensors will know how many people are out
and about -- and eventually who they are. Sensors will collect environmental
data from all over the world.
The other part will be actuators. They'll affect our environment. Our smart
thermostats aren't collecting information about ambient temperature and who's
in the room for nothing; they set the temperature accordingly. Phones already
know our location, and send that information back to Google Maps and Waze to
determine where traffic congestion is; when they're linked to driverless cars,
they'll automatically route us around that congestion. Amazon already wants
autonomous drones to deliver packages. The Internet of Things will increasingly
perform actions for us and in our name.
Increasingly, human intervention will be unnecessary. The sensors will collect
data. The system's smarts will interpret the data and figure out what to do.
And the actuators will do things in our world. You can think of the sensors as
the eyes and ears of the Internet, the actuators as the hands and feet of the
Internet, and the stuff in the middle as the brain. This makes the future
clearer. The Internet now senses, thinks, and acts.
We're building a world-sized robot, and we don't even realize it.
I've started calling this robot the World-Sized Web.
The World-Sized Web -- can I call it WSW? -- is more than just the Internet of
Things. Much of the WSW's brains will be in the cloud, on servers connected via
cellular, Wi-Fi, or short-range data networks.
It's mobile, of course, because many of these things will move around with us,
like our smartphones. And it's persistent. You might be able to turn off small
pieces of it here and there, but in the main the WSW will always be on, and
always be there.
None of these technologies are new, but they're all becoming more prevalent. I
believe that we're at the brink of a phase change around information and
networks. The difference in degree will become a difference in kind. That's the
robot that is the WSW.
This robot will increasingly be autonomous, at first simply and increasingly
using the capabilities of artificial intelligence. Drones with sensors will fly
to places that the WSW needs to collect data.
Vehicles with actuators will drive to places that the WSW needs to affect.
Other parts of the robots will "decide" where to go, what data to collect, and
what to do.
We're already seeing this kind of thing in warfare; drones are surveilling the
battlefield and firing weapons at targets. Humans are still in the loop, but
how long will that last? And when both the data collection and resultant
actions are more benign than a missile strike, autonomy will be an easier sell.
By and large, the WSW will be a benign robot. It will collect data and do
things in our interests; that's why we're building it. But it will change our
society in ways we can't predict, some of them good and some of them bad. It
will maximize profits for the people who control the components. It will enable
totalitarian governments. It will empower criminals and hackers in new and
different ways. It will cause power balances to shift and societies to change.
These changes are inherently unpredictable, because they're based on the
emergent properties of these new technologies interacting with each other, us,
and the world. In general, it's easy to predict technological changes due to
scientific advances, but much harder to predict social changes due to those
technological changes. For example, it was easy to predict that better engines
would mean that cars could go faster. It was much harder to predict that the
result would be a demographic shift into suburbs. Driverless cars and smart
roads will again transform our cities in new ways, as will autonomous drones,
cheap and ubiquitous environmental sensors, and a network that can anticipate
our needs.
Maybe the WSW is more like an organism. It won't have a single mind. Parts of
it will be controlled by large corporations and governments. Small parts of it
will be controlled by us. But writ large its behavior will be unpredictable,
the result of millions of tiny goals and billions of interactions between parts
of itself.
We need to start thinking seriously about our new world-spanning robot.
The market will not sort this out all by itself. By nature, it is short-term
and profit-motivated -- and these issues require broader thinking. University
of Washington law professor Ryan Calo has proposed a Federal Robotics
Commission as a place where robotics expertise and advice can be centralized
within the government. Japan and Korea are already moving in this direction.
Speaking as someone with a healthy skepticism for another government agency, I
think we need to go further. We need to create an agency, a Department of
Technology Policy that can deal with the WSW in all its complexities. It needs
the power to aggregate expertise and advise other agencies, and probably the
authority to regulate when appropriate. We can argue the details, but there is
no existing government entity that has either the expertise or authority to
tackle something this broad and far-reaching. And the question is not about
whether government will start regulating these technologies; it's about how
smart they'll be when they do it.
The WSW is being built right now, without anyone noticing, and it'll be here
before we know it. Whatever changes it means for society, we don't want it to
take us by surprise.
A zero day
exploit has been found in the Linux kernel
Wednesday January
20, 2016
_______________________________________________________________________________
A zero day exploit has been found in the Linux kernel. It affects kernel
versions 3.8 (circa 2012) onward, both 32- and 64-bit, and includes most
Android devices as well. No attacks have been noticed in the wild, but a
reference attack has been published. The exploit allows local users to become
root. All Linux and Android systems from 2012 on should be patched.
Open SSH has
announced a security flaw and corresponding patch
Tuesday January
19, 2016
_______________________________________________________________________________
OpenSSH has announced a security flaw and corresponding patch. It is not an
easy attack to execute, but OpenSSH (a.k.a. OpenBSD Secure Shell) is in
numerous products. If you’re running an SSH client or server in your product or
system, and you didn’t write it yourself, it’s probably OpenSSH. Check the
startup log for its version display; versions 5.4 – 7.1 are affected. This
exploit reveals private keys to the attacker, which enables more and deeper
attacks.
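As an added example (not from the post or from the OpenSSH project), a small Python checker that pulls the version out of a banner or startup-log line and tests it against the 5.4 – 7.1 range the post gives; the log lines are constructed. It ignores the "p" patch level and any vendor backports, so a hit means "go read the advisory for this build", not "confirmed vulnerable".

```python
import re

# Affected range as the post states it: OpenSSH 5.4 through 7.1, inclusive.
AFFECTED_MIN = (5, 4)
AFFECTED_MAX = (7, 1)

# Matches "OpenSSH_6.6.1p1", "OpenSSH_7.2p2" or a wire banner "SSH-2.0-OpenSSH_5.3".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?")


def parse_openssh_version(line):
    """Return (major, minor) for the first OpenSSH version in the line, else None."""
    m = BANNER_RE.search(line)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version):
    """Inclusive range check on (major, minor); patch levels are deliberately ignored."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def audit_lines(lines):
    """Scan log or 'ssh -V' output; return [(version, affected)] for lines carrying a version."""
    findings = []
    for line in lines:
        version = parse_openssh_version(line)
        if version is not None:
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample of what a startup log and 'ssh -V' output might contain.
SAMPLE_LINES = [
    "Jan 19 08:01:02 host sshd[1234]: Server listening on 0.0.0.0 port 22.",
    "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3, OpenSSL 1.0.1f 6 Jan 2014",
    "SSH-2.0-OpenSSH_5.3",
    "OpenSSH_7.2p2, LibreSSL 2.2.7",
]

if __name__ == "__main__":
    for version, hit in audit_lines(SAMPLE_LINES):
        print(".".join(map(str, version)), "AFFECTED" if hit else "ok")
```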