Tuesday, June 30, 2015

Robots will make humans their pets - Says Steve Wozniak


I don't think much about AI, but I admire the thought process of other people.


From the article:

“They're going to be smarter than us and if they're smarter than us then they'll realise they need us,” he said.

This is a change of view and a change of mind for industry veteran Wozniak, who previously called the growth of such smart technology ‘scary’.



For more information:
http://www.v3.co.uk/v3-uk/news/2415054/steve-wozniak-says-robots-will-make-humans-their-pets

Security is a process, not a product. - 05/2000 Article from Bruce Schneier



The article is 14 years old, but it still makes sense. Why?
Because the answer is in the title of this blog.



From the article:

Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.

Most products that use security are not designed by anyone with security expertise. Even security products are generally designed and implemented by people who have only limited security expertise. 

Software manufacturers don't have to produce a quality product because there is no liability if they don't. And the effect of this for security products is that manufacturers don't have to produce products that are actually secure, because no one can sue them if they make a bunch of false claims of security.

Security does not have to be perfect, but the risks have to be manageable.



Here are two examples of how to focus on process in enterprise network security:

  1. Watch for known vulnerabilities.
  2. Continuously monitor your network products



For more information:
https://www.schneier.com/crypto-gram/archives/2000/0515.html#1

Document - Implementing SHA-2 in Active Directory



Detailed article from Microsoft


From the article:

Note: Even with appropriate SHA-2 patches applied to Windows Server 2003, Certificate Services on 2003 cannot create SHA-2-signed digital certificates or CRLs. 

Even if Microsoft Windows supports SHA-2 digital certificates, it is still up to individual applications on whether to use Microsoft Windows built-in cryptographic processes for digital certificate inspection and verification. Each application using digital certificates should be tested, end-to-end, to ensure that it supports SHA-2 hashes.





For more information:

Monday, June 29, 2015

LG Smartphones - Actually, not so smart. Man-in-the-Middle attack possible



Apparently the apps (or their programmers) are too lazy to perform integrity checks.
If this does not surprise you, check how the vendor plans to resolve this issue.


From the article:

“When fetching new applications, the client looks for the ‘appUrl’ field, which holds a base64 encoded, encrypted URL. The encryption key is symmetric, it is based on the certKey field, which is part of the same message. Since there is no integrity protection applied to the messages, an attacker can intercept the update response and replace the value of appUrl with any arbitrary URL pointing to a potentially malicious APK,” the researchers said. 

The vendor plans to fix the bug only in new handsets and won’t push a fix to existing phones. As a workaround, they recommend turning off the “Auto app update” function on affected LG handsets. 



For more information:
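The quoted paragraph describes the defect precisely: the URL is encrypted, but the key material (certKey) rides in the same message and nothing binds the fields together, so an on-path party can swap appUrl for a value of their own. The example below is added here to make that concrete; it is not code from the original page, the article, or LG. The XOR keystream standing in for "encrypted with a key derived from certKey" is an assumption for illustration only (LG's real algorithm is not described), as are the field names beyond appUrl/certKey, the `mac` field, the hypothetical device-side signing key, and all URLs and key strings, which are constructed. It shows the vulnerable client accepting a substituted URL and a client with a proper integrity check rejecting the same message.

```python
import base64
import hashlib
import hmac
import json


# Stand-in for the "encrypted URL keyed from certKey" scheme the article
# describes. This XOR keystream is an assumption made for illustration only,
# not LG's actual algorithm. The point it demonstrates: when certKey travels in
# the same message, confidentiality of appUrl buys no integrity at all.
def _keystream(cert_key: str, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(cert_key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_url(url: str, cert_key: str) -> str:
    data = url.encode()
    cipher = bytes(a ^ b for a, b in zip(data, _keystream(cert_key, len(data))))
    return base64.b64encode(cipher).decode()


def decrypt_url(app_url_b64: str, cert_key: str) -> str:
    cipher = base64.b64decode(app_url_b64)
    return bytes(a ^ b for a, b in zip(cipher, _keystream(cert_key, len(cipher)))).decode()


def _canonical(msg: dict) -> bytes:
    # Fixed field order so sender and receiver MAC exactly the same bytes.
    return json.dumps({"appUrl": msg["appUrl"], "certKey": msg["certKey"]}, sort_keys=True).encode()


def build_update_response(url: str, cert_key: str, signing_key=None) -> dict:
    """Server side: the message as described, optionally carrying an HMAC under
    a key that is NOT part of the message (hypothetical fix, not LG's design)."""
    msg = {"appUrl": encrypt_url(url, cert_key), "certKey": cert_key}
    if signing_key is not None:
        msg["mac"] = hmac.new(signing_key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def vulnerable_client_url(msg: dict) -> str:
    """Client behaviour from the article: trust whatever decrypts cleanly."""
    return decrypt_url(msg["appUrl"], msg["certKey"])


def hardened_client_url(msg: dict, signing_key: bytes) -> str:
    """Client with integrity protection: refuse any message whose MAC does not verify."""
    expected = hmac.new(signing_key, _canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        raise ValueError("update response failed integrity check")
    return decrypt_url(msg["appUrl"], msg["certKey"])


def substitute_app_url(msg: dict, new_url: str) -> dict:
    """Simulates the substitution the researchers describe (a replaced appUrl,
    re-encrypted under a certKey of the sender's choosing) so that both clients
    can be compared on the same tampered message."""
    forged = dict(msg)
    forged["certKey"] = "constructed-replacement-key"
    forged["appUrl"] = encrypt_url(new_url, forged["certKey"])
    return forged


def demo() -> dict:
    """Returns what each client would fetch for a genuine and a tampered response."""
    signing_key = b"constructed-device-side-key"  # provisioned on the handset, never sent
    genuine_url = "https://updates.example/app-1.2.apk"  # constructed sample URL
    genuine = build_update_response(genuine_url, "constructed-vendor-certkey", signing_key)
    tampered = substitute_app_url(genuine, "http://untrusted.example/other.apk")
    try:
        hardened_tampered = hardened_client_url(tampered, signing_key)
    except ValueError:
        hardened_tampered = None  # rejected, which is the desired outcome
    return {
        "vulnerable_genuine": vulnerable_client_url(genuine),
        "vulnerable_tampered": vulnerable_client_url(tampered),
        "hardened_genuine": hardened_client_url(genuine, signing_key),
        "hardened_tampered": hardened_tampered,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is where the verification key lives: a MAC (or a signature) only helps when the verifying key is provisioned on the device ahead of time, outside the message. Encrypting the URL with a key shipped alongside it, as the article describes, gives the client no way to tell a genuine response from a rewritten one.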

Thursday, June 25, 2015

Default Authorized SSH Key - in Cisco "Security" Appliances - Allows attacker full control



Are you kidding me?
On "SECURITY" Appliances?



From the article:

The company said that all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.



“Occasionally vendors mistakenly ship a single default SSH key across an entire product line. While it’s better than telnet, all it takes for an attacker to compromise these devices is to get a hold of one of them (or an Internet mirror of the firmware), extract the key, and then go to town,” said Tod Beardsley, security engineering manager at Rapid7.

Cisco says there is no workaround for the vulnerability, but it has released patches for all of the affected software versions.


For more information:
https://threatpost.com/default-ssh-key-found-in-many-cisco-security-appliances/113480
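A default key baked into every unit of a product line has one property a defender can check for without knowing the key in advance: the same public key appears in the authorized keys of many unrelated hosts. The audit below is an added example, not code from the page, the article, Cisco or Rapid7. It parses authorized_keys-style text collected from several appliances, computes OpenSSH-style SHA256 fingerprints, and reports every key present on more than one host. The three hosts, their key blobs and comments are constructed sample data (the blobs are made-up bytes, not real keys).

```python
import base64
import hashlib
from collections import defaultdict


def _blob(label: bytes) -> str:
    # Constructed public-key blob: a type tag plus 32 bytes derived from a label.
    # Not real key material; it only needs to be distinct per label and base64-encoded.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + hashlib.sha256(label).digest()).decode()


SHARED_BLOB = _blob(b"vendor-baked-in-key")  # the same key on every unit

# Constructed authorized_keys contents as they might be collected from three appliances.
FLEET = {
    "wsa-01": f"ssh-ed25519 {SHARED_BLOB} support@vendor\nssh-ed25519 {_blob(b'admin-alice')} alice@corp\n",
    "esa-01": f"ssh-ed25519 {SHARED_BLOB} support@vendor\n",
    "sma-01": f"# local admins\n\nssh-ed25519 {SHARED_BLOB} support@vendor\nssh-ed25519 {_blob(b'admin-bob')} bob@corp\n",
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of SHA-256 over the raw blob, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) for each key line; blank and comment lines are skipped.
    Leading options such as from="..." are tolerated by locating the key-type token
    (options containing whitespace inside quotes are not handled)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                yield tok, parts[i + 1], " ".join(parts[i + 2:])
                break


def find_shared_keys(fleet: dict) -> dict:
    """Map fingerprint -> sorted hosts for every key that appears on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, text in fleet.items():
        for _keytype, blob, _comment in parse_authorized_keys(text):
            hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(FLEET).items():
        print(f"{fp} is authorized on {len(hosts)} hosts: {', '.join(hosts)}")
```

A key legitimately shared by one administrator across a few boxes will also show up, so the output is a review list, not a verdict; a key nobody in the organisation claims, authorized on every unit of one product, is the case the article is about. The same fingerprint function lets you match the list against the fingerprint a vendor publishes in an advisory once a default key is known.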

Wednesday, June 24, 2015

6 ways to screw up a SIEM implementation




Perfect headline, and I like #1 and #6.
Short and sweet article.



From the article:


  1. Collect everything
  2. Poor source data health
  3. Overcomplicated network models
  4. Too much focus on top 10
  5. Lost in compliance
  6. Using a SIEM (disproportionately) as a log search tool


For more info:
http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/6-ways-to-screw-up-a-SIEM-implementation/ba-p/6758713

Hotels.com phishing scam



Not many details, but at least the site is warning customers.


From the article:

The company said some customers were recently tricked into disclosing their names, phone numbers, email addresses and travel bookings. 

The site is encouraging users that may have been duped into giving their payment information away to contact their banks for further guidance.

An individual was reportedly able to convince customers that they represented either Hotels.com or the hotel where they booked a stay through phony emails and SMS messages, according to an email sent to travelers this morning.

For more info:

Tuesday, June 23, 2015

UBER wants to track you - Is it OK?



All free apps want to get something back in return.
UBER is not free; it is an app for using its service, but it wants your information anyway.


From the article:

Uber announced plans to update its privacy policy, controversially allowing it to track passengers and access additional personal information, even after users have exited the mobile app and turned off location sharing.

“Even if a user disables the GPS location services on their phone, the company may still derive approximate location from riders’ IP addresses,” the complaint states.



For more info:
http://www.tripwire.com/state-of-security/latest-security-news/ubers-updated-policy-could-allow-it-to-track-you-247/

Windows 10 adds new Antimalware Scan Interface (AMSI)


Nice to know Microsoft is getting better with security.



From the article:

The goal of the new Antimalware Scan Interface (AMSI) is to let applications send content to the locally installed antivirus product to be checked for malware.


According to Microsoft, this can have important benefits when dealing with script content in particular, because malicious scripts are commonly obfuscated to bypass antivirus detection. Scripts also typically get executed in the memory of the applications that are designed to interpret them, so they don't create files on disk for antivirus programs to scan.

Scripting is not the only type of content that can be scanned with this new feature. Communication apps could scan instant messages for viruses before displaying them to users and games could scan plugins before installing them.




For more info:
http://www.csoonline.com/article/2934872/application-security/windows-10-will-allow-apps-to-actively-scan-their-content-for-malware.html


Monday, June 22, 2015

DDoS Attack and Flight Plan modified?




I understand a DDoS attack, but I feel bad and insecure that (if it is true) the hackers were able to modify the flight plans.


From the article:

On Sunday someone was able to infiltrate the computer system of the Polish airline LOT and successfully cancel 10 of the carrier’s flights. A dozen other flights were reportedly delayed, according to Reuters. 

“Initially, it seems that flight’s plan couldn’t be generated which may indicate that key nodes in the back office were compromised,” Santamarta said Monday. “On the other hand the inability to perform or validate data loading on aircraft (including flight plans), using the standard procedures, should make us think of another attack vector, possibly against the ground communication devices.”


“What if the incident was just a training action or reconnaissance operation before a more massive cyber-attack on a much busier airport like Charles de Gaulle in Paris or JFK in New York?” Nikishin said. “Regardless of the reason and the threat actors, we can see how our life depends on computers and how vulnerable to cyber-threats national critical infrastructure objects have become.”


For more info:

Thursday, June 18, 2015

Apple's Keychain hacked



Nothing is unbreakable, so we had better have plans on what to do and how to detect/suspect whether our accounts are compromised.
After all, we are responsible for securing our stuff.


From the article:

Six university researchers have revealed deadly zero-day flaws in Apple’s iOS and OS X, claiming it is possible to crack Apple’s password-storing keychain, break app sandboxes, and bypass its App Store security checks.

The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts. That malware, when installed on a victim’s device, raided the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome.


The sad part is, Apple was notified about this 6 months ago and still hasn’t fixed it – the only fast-moving response came from Google’s Chromium security team, who removed keychain integration for Chrome, noting that it could likely not be solved at the application level.


For more details:

Wednesday, June 17, 2015

600 million Samsung devices could be vulnerable



Security - What is it? Who needs it?



From the article:

NowSecure estimates that 600 million devices could be vulnerable, including the Samsung Galaxy S5 on Verizon and the S4 Mini on AT&T. Newer devices are also still affected, despite patches pushed out by Samsung. 


The Swift keyboard updates (generally language pack updates) are sent over HTTP, and therefore an attacker with network access is able to access the update and inject a malicious app or tamper with other resources on the phone, giving him access to email, contacts, images and other personal data stored on the phone. A more sophisticated actor could also eavesdrop on phone calls or steal text messages from the device.

(More bad news)
“To date, we’re not seeing devices patched,” Hoog said. “Samsung said the Galaxy 6 running on Android 5 (Lollipop) were not vulnerable. On a pure whim, we spent $1,000 on new devices last week in order to verify and we were surprised to see the vulnerability still there. Even though it’s been patched since March by Samsung, it has not made it to new devices.” 


For more details:

User credentials stored in plaintext in GmbH Nova-Wind Turbine - Can cause a loss of power for all attached systems



Lazy programmer + Bad Tester (if there was any testing at all)


From the article:

Researcher Maxim Rupp discovered the vulnerability in the Nova-Wind Turbine HMI and reported it to the vendor. However, the vendor has been unresponsive.

The vulnerability results from the fact that the software stores user credentials in plain text.

“Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and will allow the default ID to be changed. This exploit can cause a loss of power for all attached systems,” an advisory from ICS-CERT says. 


For more details:
https://threatpost.com/plaintext-credentials-threaten-rle-wind-turbine-hmi/113354

Monday, June 15, 2015

Cloud-based Password Manager - Do people really trust the cloud so much? Anyway, they were breached



I am not against the cloud.
But I won't trust the cloud (at least, for now) to the point of saving my passwords in the cloud.
Looks like they had multi-factor authentication. (At least they have it NOW.)

They claim to have strong encryption, but TRUST without VERIFY is not RELIABLE.



From the article:

Password manager LastPass disclosed today that its network was breached and advised users to change their master passwords and enable multifactor authentication.

Tod Beardsley, security engineering manager at Rapid7, pointed out that since the attackers don’t seem to have access to the passwords encrypted with the master, the stolen account email addresses may pose a more immediate risk. 



For more info:

Duqu v2 - Using stolen certs; what's even scarier is that the attackers might have more stolen certs


Attackers are getting smarter. An attack like this can be detected, but validating it is hard, as they are:
  1. Using stolen certs
  2. Using different certs at different times

From the article:

The way that the certificates are used by the Duqu attackers is somewhat unusual. Rather than using one certificate for multiple modules or drivers, the group seems to have access to a sizable cache of stolen certificates and use each one just once.

Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates,

Duqu attackers are also careful enough not to use the same digital certificate twice.

For more info:
https://threatpost.com/duqu-2-0-attackers-used-stolen-foxconn-certificate-to-sign-driver/113315

Friday, June 12, 2015

Hacked data on millions of US gov't workers is bad news, "Data was NOT encrypted" - this is very very bad



Encryption - one of the important layers of security - why are people still not doing it?


From the article:

Cox wrote in the letter, a copy of which was provided to IDG News Service. "Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous."

More information:

Crowti - Is it new open-source software? - Nope - just Cryptowall 3.0

Looks like the Ransomware team has released a new version.



From the article:


Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks.


The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.

“Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark.”

Cryptowall is hosted on a number of different docs.google.com URLs.





For more details:

Wednesday, June 10, 2015

Finally - Microsoft adds HSTS support for IE in Windows 7 and 8.1




Better late than never.
This feature was made available in other browsers a few years back.


From the article:

Short for HTTP Strict Transport Security, HSTS is a browser header that forces any sessions sent over HTTP to be sent instead over HTTPS based on a preloaded list of sites supporting the protocol. HSTS encrypts communication to and from a website, and puts a dent in attempts to man-in-the-middle web sessions. According to OWASP, HSTS also stops attackers who use invalid digital certificates. The protocol denies users the ability to override invalid certificate messages. HSTS also protects users from HTTPS websites that also may include HTTP links or serve content unencrypted.

The addition of HSTS was included in a cumulative update for Internet Explorer released yesterday. 


Click below for more info:
https://threatpost.com/microsoft-brings-hsts-to-windows-7-and-8-1/113258
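The quoted description compresses several distinct HSTS behaviours into one paragraph. To separate them, here is an added example (not code from the page, the article, Microsoft or OWASP) of the client-side logic a browser keeps: parsing the Strict-Transport-Security header, remembering the host for max-age seconds, honouring includeSubDomains, treating a preload list as permanent entries, ignoring the header when it arrives over plain HTTP, and rewriting later http:// requests to https://. The behaviours follow RFC 6797; the class and function names, the injectable clock and every hostname are assumptions made for this example. The "no override of certificate errors" rule the article mentions is a UI policy the browser applies when a known host's TLS handshake fails, and is not modelled here.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header: str):
    """Parse a Strict-Transport-Security value. Returns a dict, or None when the
    header is invalid (missing/non-numeric max-age, or a repeated directive)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicated directives invalidate the header
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsCache:
    """Known-HSTS-host store: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self, preload=(), now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._entries = {host.lower(): (float("inf"), True) for host in preload}

    def observe(self, url: str, sts_header: str) -> bool:
        """Record the header from a response to `url`. Returns True if the store changed."""
        u = urlsplit(url)
        if u.scheme != "https" or u.hostname is None:
            return False  # STS over plain HTTP carries no authority and is ignored
        policy = parse_sts(sts_header)
        if policy is None:
            return False
        host = u.hostname.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 means "forget this host"
            return True
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host: str) -> bool:
        """True if `host` or a parent domain with includeSubDomains has an unexpired entry."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when the host is known; otherwise return it unchanged."""
        u = urlsplit(url)
        if u.scheme != "http" or u.hostname is None or not self.is_known(u.hostname):
            return url
        netloc = u.netloc[:-3] if u.netloc.endswith(":80") else u.netloc
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


if __name__ == "__main__":
    cache = HstsCache(preload=["preloaded.example"])
    cache.observe("https://site.example/", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://api.site.example/v1"))  # upgraded
    print(cache.rewrite("http://other.example/"))       # unchanged
```

Two details matter for the threat the article is about. First, the very first plain-HTTP visit to a host is still unprotected unless the host is on the preload list, which is why the list exists. Second, an includeSubDomains policy learned from one host quietly governs every subdomain, so it is worth checking which hosts in your own domain are ready for it before sending that directive.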

Monday, June 8, 2015

BrainPrint - Sounds like a new Silicon Valley startup? No, it is a new kind of biometrics (research).


So, does this mean dumb people's brainprints can be easily stolen? (jk)


From the article:

You might not need to remember those complicated e-mail and bank account passwords for much longer. According to a new study, the way your brain responds to certain words could be used to replace passwords.



For further reading:

How did I miss this - Nmap 6 has been released


Being a big fan of Nmap, I am not sure how I missed this.


If you are an Nmapper, then check the link below:


http://nmap.org/6/

Watch Out Skype Users - Think Before you click




Well - I guess we should always think before we click on any link.


From the article:

There are nefarious links being spread around through Skype, and if you click them you will be presented with a lot of adware.

The attacker was trying to call with a username that also contains a link to a domain, www.viewror[d]com. Once clicked, a voice directs the user to click the download link and install a "proprietary" video player in order to play the video.

The researchers contacted Microsoft as well as Amazon, which was hosting some of the domains where the attacks and spam were coming from.

Together, the two companies are disrupting this scheme by nuking the Skype accounts involved and going after the IP addresses used.

Click below for more details:
http://betanews.com/2015/06/08/adware-spreading-through-skype-links/

Tuesday, June 2, 2015

If you own D-Link storage - you need to read this




From the article:

The affected devices include the D-Link DNS-320, 320L, 326, 327L, 320B, 345, 325, and 322L.

Researchers have identified dozens of vulnerabilities in several D-Link products, some of which allow attackers to bypass authentication requirements or upload arbitrary files to target devices.

The Search-Lab researchers also found what they termed a backdoor on some of the D-Link devices. 

“So a new admin session was created without requiring username and password. After it, the attacker had to do only to set the Cookie to username=admin and full access to the device was obtained.”


For more information check the link below:
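The quoted sentence describes a device that treats a client-supplied cookie value (`username=admin`) as proof of identity, and the Nova-Wind post above describes credentials kept in plain text. Both are the same class of mistake: trusting data that the other side can simply write. The example below is added here and is not code from the page, from Search-Lab's report, or from D-Link or the turbine vendor. It puts the cookie-trusting check beside a hardened equivalent in which the cookie carries only a random session token looked up server-side, sessions are issued only after a password check against a salted PBKDF2 hash (so no plaintext credential is stored), and the cookie is flagged HttpOnly, Secure and SameSite. Class names, the user list and the passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def _parse_cookie(header) -> dict:
    """Turn a request Cookie header into a {name: value} dict (empty if absent)."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


class VulnerableDevice:
    """The pattern the researchers describe: the cookie's username IS the identity,
    so any client that writes username=admin is treated as the administrator."""

    def is_admin(self, cookie_header) -> bool:
        return _parse_cookie(cookie_header).get("username") == "admin"


class HardenedDevice:
    """Identity comes from a server-side session created only after authentication."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash); no plaintext stored
        self._sessions = {}  # random token -> username

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def login(self, name: str, password: str):
        """Return a Set-Cookie header value on success, None on failure."""
        record = self._users.get(name)
        if record is None:
            # Derive anyway so unknown and known usernames take similar time.
            self._derive(password, b"\x00" * 16)
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._derive(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[token] = name
        return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def logout(self, cookie_header) -> None:
        self._sessions.pop(_parse_cookie(cookie_header).get("session"), None)

    def is_admin(self, cookie_header) -> bool:
        token = _parse_cookie(cookie_header).get("session")
        return token is not None and self._sessions.get(token) == "admin"


if __name__ == "__main__":
    weak = VulnerableDevice()
    print("vulnerable accepts forged cookie:", weak.is_admin("username=admin"))
    strong = HardenedDevice()
    strong.add_user("admin", "constructed-example-password")
    print("hardened accepts forged cookie:", strong.is_admin("username=admin"))
    set_cookie = strong.login("admin", "constructed-example-password")
    print("hardened accepts real session:", strong.is_admin(set_cookie.split(";")[0]))
```

The difference is where trust originates: in the vulnerable version the client asserts who it is and the server believes it; in the hardened version the server only ever trusts a value it generated itself after checking a credential, and that value is useless on its own because it maps to nothing until a login has happened.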