Monthly Archives: October 2017

Mastercard Scrubs Its Signature Requirement for POS Transactions

Mastercard Inc. is doing away with a rule requiring merchants to get signatures for transactions made with its credit and debit cards in the United States and Canada.

Announced early Thursday, Mastercard’s rule change goes into effect April 13, 2018, allowing issuers, merchants, and processors time to make adjustments, though merchants can adopt the change sooner, Mastercard says. Mastercard also issued a bulletin about the matter Wednesday afternoon. The new rule does not affect interchange, and applies only to point-of-sale transactions.

A majority of consumers believe that it would be easier to pay and that checkout lines would move faster if they didn’t have to sign for purchases, Mastercard says.

Six decades ago, when credit cards debuted, checking the signature on the card against another piece of cardholder identification was necessary. Today, more than 80% of Mastercard in-store transactions in the United States and Canada do not need a cardholder signature, Linda Kirkpatrick, Mastercard executive vice president of U.S. market development, tells Digital Transactions News.

“We’re putting the power of the point of sale into the hands of the merchant to decide if they want to prompt or not,” Kirkpatrick says. “Now is the right time because from the digital-transformation perspective and payments perspective we’re at an inflection point.”

Two years have passed since the U.S. EMV liability shift went into effect, and new payments products that are safe and secure are available, Kirkpatrick says. “We want to recognize that consumers and merchants have evolved,” she says. “We want to make it easier for consumers and merchants to get in and out and on with their days.”

The change does not alter Mastercard’s stance on securing its transactions, she says. “Mastercard has a long history of innovation and investments in all layers of security,” Kirkpatrick notes in a blog post. “Recently we introduced an Early Detection System to help financial institutions proactively and quickly pre-empt serious attacks. This new service provides issuers with a unique advanced alert for cards and accounts at a heightened risk of fraudulent use based on their exposure in security incidents or data breaches.”

Kirkpatrick says the rule change has been vetted with issuers, processors, and merchants. “Reaction has been neutral to positive,” she says. “From the issuer perspective, all are aligned around improving the experience at the point of sale.” The idea, she says, is that an easier checkout experience leads to increased card use. “This is an area where all of our interests are aligned, merchants, issuers, and our network,” she says.

The world’s largest retailer, Wal-Mart Stores Inc., praised the decision. “Removing this step at the checkout will save time for our customers and decrease the expense associated with storing and presenting signatures back to the issuer, all while preserving security for customers,” a Walmart spokesperson said in a statement. “We anticipate this will result in savings that can be used to continue to lower prices for our customers.”

Mark Horwedel, chief executive of the Merchant Advisory Group, also lauded the change. “The signature-optional requirement is a big opportunity for our merchant members to enjoy the effects of quicker checkout lines and returning customers who appreciate a frictionless payment experience,” Horwedel says in a statement.

The Minneapolis-based trade group says it has been working over the course of several years with its network partners to eliminate the signature requirement. “This step will improve the customer experience and eliminate inefficient, ineffective, and costly processes for the retail merchant community,” says Laura Townsend, MAG senior vice president of operations, in a statement. “As commerce experiences continue to expand, new and improved digital authentication methods are available which bring better security innovations to the payments ecosystem.”

Others echoed the move. “This is an important symbolic step putting signature into its rightful place in the trash heap of payments history,” says Steve Mott, principal at BetterBuyDesign, a Stamford, Conn.-based payments consultancy, in an email message. “Next step is for them to come out from Visa’s shadow and support PIN as the only current multi-factor authenticated payment available today, under open standards.”


via:  digitaltransactions

After second bungle, IRS suspends Equifax’s “taxpayer identity” contract

During suspension, IRS says it will review “Equifax systems and security.”

Recently, the Internal Revenue Service awarded a $7.2 million contract to Equifax to allow Equifax to “verify taxpayer identity.” The contract was awarded days after Equifax announced it had exposed the personal data, including Social Security numbers, of about 145 million people.

The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors’ computers with adware that was detected by just three of 65 antivirus providers. The development means that at least for now, taxpayers cannot open new Secure Access accounts with the IRS. Secure Access allows taxpayers to retrieve various online tax records and provides other “tax account tools” to those who have signed up.

An “alert” on the IRS website says the Secure Access service “is unavailable for new users at this time.” The alert notes that taxpayers who already have an account can “continue the login process.”

The message ends by saying “We apologize for any inconvenience.”

The IRS said it is investigating the security of Equifax’s systems during this suspension, which could be lifted if Equifax gets a clean bill of health. “During this suspension, the IRS will continue its review of Equifax systems and security. The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract,” Matthew Leas, an IRS spokesperson, said in a statement. “The contract suspension is being taken as a precautionary step as the IRS continues its review.”

IRS Deputy Commissioner for Operations Jeffrey Tribiano told Congress last week that the bureau was obligated, because of federal contracting rules, to award the contract to Equifax because Equifax had objected to losing the contract to another company.

Tribiano last week said that the IRS either had to shutter the Secure Access service or grant Equifax a so-called “bridge contract” to give the Government Accountability Office (GAO) time to investigate Equifax’s protest.

The GAO, however, said that federal contracting rules gave the IRS some flexibility and that it did not need to grant the contract to Equifax. “Congress gave agencies, like IRS, the tools to move forward under appropriate situations. They appear to be electing not to use it,” Chuck Young, a GAO spokesperson, told The Hill last week.

In his testimony before the House Ways and Means Committee, Tribiano said that the Secure Access service was critical to taxpayers “in the hurricane disaster areas.” Secure Access allowed hurricane victims, if they already had enrolled in the program, to access their tax documents online if they lost their documents in the storms.


Via:  arstechnica

Hackers Distribute Malware-Infected Media Player to Mac Users

Yet another software supply-chain attack hits popular applications.

Hackers managed to compromise the website of a company that develops several popular apps for Apple computers, distributing malware-infected versions of those apps to hundreds of users.

Security researchers from antivirus firm ESET reported Friday that the free version of Elmedia Player distributed from Eltima Software’s website contained a macOS information-stealing trojan known as OSX/Proton. The same malware was distributed earlier this year through another trojanized version of a popular macOS application called HandBrake.

Eltima stated that hackers also managed to trojanize one of the company’s other applications, an internet download manager called Folx that also acts as a BitTorrent client.

The Proton malware is capable of stealing a lot of data from infected computers including history, cookies, bookmarks, and log-in data from browsers; cryptocurrency wallets; SSH authentication keys; macOS keychain data; Tunnelblick VPN configuration data; PGP encryption keys and data stored in 1Password, a password management application.

Elmedia Player has 1 million users as of August, according to Eltima. The company provides free and paid versions of its software programs and distributes them through its website and through the Mac App Store.

Only the installers for Elmedia Player and Folx downloaded by users from the company’s website contained the Proton trojan, an Eltima spokeswoman stated. “The built-in automatic update mechanism [of the applications] seems to be unaffected.”

The security breach happened Thursday and was discovered relatively quickly by ESET, which reported the incident to the software developer. The malicious installers were available on Eltima’s website for around 24 hours and were downloaded by almost 1,000 users.

“Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised,” the ESET researchers said.

On Friday morning, Eltima announced that both apps are now “safe to install and malware-free.”

The attackers don’t appear to have compromised the company’s development infrastructure, as happened recently with the developer of a Windows application called CCleaner. Instead, the hackers just managed to hack into Eltima’s website through a vulnerability in a JavaScript-based library called TinyMCE.

The malicious installers were not digitally signed with Eltima’s Apple developer certificate, but with a different developer ID under the name Clifton Grimm. It’s not clear if this certificate was obtained from Apple by using a fake identity or if it was stolen from another developer.

Gatekeeper, Apple’s first line of defense against malware, allows signed binaries to execute without warning by default, Patrick Wardle, director of research at Synack and a macOS security expert, stated in a Twitter direct message. Because of this, most Mac malware is now signed with stolen or fraudulently obtained Apple developer IDs, with the latter being much more likely, he said.

“It appears Apple has a problem with ensuring only legitimate developer IDs are given out,” Wardle said.

Apple revoked the misused Clifton Grimm certificate after being alerted by ESET and Eltima, but users who downloaded and executed the rogue Elmedia Player and Folx installers before this happened didn’t get a Gatekeeper warning.

At installation, Proton displays a fake password authorization window in order to gain system administrator privileges. It’s not unusual for legitimate applications to request such access, so users might easily be tricked into inputting their password.

There is some evidence that this new attack might have been perpetrated by the same attackers who compromised a legitimate download server for the HandBrake video converter application in May and distributed a malicious version of that program to macOS users.

In both cases, the trojanized installers infected computers with Proton and in both cases the malware’s command-and-control servers used domain names similar to those of the compromised software. The difference is that the rogue HandBrake installer was not digitally signed, meaning that users would have had to override Gatekeeper manually in order to install it.

To determine if they’ve been infected, users can search their systems for the presence of the following files or directories:

/tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/ and /Library/.rand/updateragent.app/.

If any of them exist, Proton was installed, according to ESET.
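The check ESET describes above, written out as an added example that is not part of the article and is not ESET's or Eltima's own tooling: a small Python script that looks for the four indicator paths quoted above. The paths are exactly the ones listed in the article; the `root` parameter (so a mounted disk image or a scratch directory can be checked instead of the live system) and the function names are assumptions of this example.

```python
"""Added example (not from the article or ESET): look for the indicator paths
ESET published for the trojanized Elmedia Player and Folx installers."""
import os
from typing import List

# The four indicators quoted in the article; a trailing slash marks a directory.
PROTON_INDICATORS = [
    "/tmp/Updater.app/",
    "/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist",
    "/Library/.rand/",
    "/Library/.rand/updateragent.app/",
]


def find_proton_indicators(root: str = "/") -> List[str]:
    """Return the indicators present under `root`.

    `root` is an assumption of this example: "/" checks the running system,
    while a mounted disk image or a scratch directory can be checked offline.
    """
    found: List[str] = []
    for indicator in PROTON_INDICATORS:
        # os.path.join would discard `root` if the second part were absolute,
        # so strip the leading slash before joining.
        candidate = os.path.join(root, indicator.lstrip("/"))
        # lexists rather than exists so a dangling symlink left behind still counts.
        if os.path.lexists(candidate.rstrip("/")):
            found.append(indicator)
    return found


def is_compromised(root: str = "/") -> bool:
    """ESET's rule as stated in the article: any one indicator means Proton was installed."""
    return bool(find_proton_indicators(root))


if __name__ == "__main__":
    hits = find_proton_indicators()
    if hits:
        print("Proton indicators present:")
        for path in hits:
            print("  " + path)
    else:
        print("No Proton indicators found.")
```

Run it from an account that can read /Library and /tmp. An empty result only means these particular artifacts are absent; the article's advice from ESET still stands that a machine where the rogue installer ran with administrator rights should be reinstalled and its stored secrets rotated.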

“As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware,” the ESET researchers said. “Victims should also assume that the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

Software supply-chain attacks pose a very serious danger because they abuse the existing trust relationship between users and software developers. These attacks can happen in several ways and can be very hard to detect and prevent.

Attackers recently managed to distribute infected versions of CCleaner—a Windows system optimization tool—to over 2.2 million users after hacking into the program developer’s infrastructure. Last year, attackers hacked into the website of popular open-source Transmission BitTorrent client on two separate occasions and distributed infected installers to macOS users.

In order to compromise Macs, attackers need a way to get malicious applications onto them, and hacking into a legitimate developer’s website to surreptitiously trojanize a popular app is a great way to achieve this, Wardle said. We’ve seen attackers use this mechanism before, so it won’t be surprising if they continue to rely on this attack vector, he said.


via:  motherboard.vice.com

Tuition-free college is getting bigger. Here’s where it’s offered

Once unthinkable, tuition-free college has become a reality.

Four states and one city have enacted measures in the past three years. And lawmakers in several other places across the country are considering similar programs.

More than 30,000 Tennesseans and 7,000 Oregonians have gone to community college tuition free already. Students in New York and San Francisco are set to start on the same path this fall. And it’s picking up steam, with lawmakers in several other places across the country considering similar programs.

The issue started drawing attention in 2015, when President Obama proposed making community college free nationwide. At the time, the idea sounded far-fetched to many — but Tennessee had already approved the Tennessee Promise scholarship, which made community college free for students graduating high school that year. (The state is now expanding the program to all adults.)

The idea generated even more buzz during the 2016 presidential election when both Bernie Sanders and Hillary Clinton threw in their support. Obama, Sanders and Clinton wanted both the federal and state governments to split the tab. But the idea has not gained support from Republicans on the federal level.

States — both blue and red — have forged ahead, though, touting free tuition as a way to create a strong workforce.

How the plan works

In most states, it’s given in the form of scholarships that cover the remaining cost of tuition after using other needs-based grants. Some plans have an income cap and others are limited to recent high school graduates.

Free tuition doesn’t mean there aren’t any costs to the student. Students who live on campus also need to pay for room and board themselves. Sometimes there are additional fees that colleges charge for technology use, orientation, or other items, that aren’t covered.

And yes, somebody’s got to pay for it. Taxpayers are on the hook in most states, but Tennessee’s program is fully funded by the state lottery.

Here’s where tuition-free college stands nationwide:

Rhode Island

Recent high school grads who enroll at Rhode Island Community College don’t have to pay anything for tuition or fees starting in the fall of 2017. They must maintain a 2.5 GPA in college while remaining enrolled full-time, and are required to live, work, or continue their education in state after finishing their degree.

The Promise Scholarship was approved as a four-year pilot program and is expected to cost $2.8 million in its first year.

A broader proposal from Governor Gina Raimondo failed to pass. It would have made two years at four-year colleges tuition-free as well.

Tennessee

Starting in 2018, all students in Tennessee including adults will become eligible for free tuition at the state’s community colleges and technical schools as long as they don’t already have an associate’s or bachelor’s degree. It is an expansion of a program that began in 2015 offering free tuition to students who had graduated high school the previous spring.

Students must be state residents for at least a year before applying. To keep the scholarship, they have to enroll at least part-time, maintain a 2.0 GPA and complete eight hours of community service each semester.

The program cost the state lottery fund about $12 million in the first year and is expected to cost an additional $10 million a year to include adults.

San Francisco

All 28,000 students at City College of San Francisco won’t have to pay for their tuition, starting in the fall of 2017. The program is one of the most progressive because every resident is eligible no matter when they finished high school. And unlike other plans, it doesn’t matter whether you’re pursuing a degree or simply want to take one class. It also offers the poorest students additional money to help pay for these other expenses.

The city makes one year free for students at the state’s 114 community colleges, so long as they are residents and new students who are enrolled full-time.

The city is increasing a real estate transfer tax on luxury properties to pay for the scholarship, which is expected to cost $5.4 million over the first two years.

New York

In April, New York became the first state to make tuition free for both two- and four- year colleges beginning this fall. Eligible undergraduate students won’t have to pay anything for tuition at a State University or City University of New York school.

But students whose families earn more than $125,000 a year won’t be eligible. Even though you don’t need to be a recent high school grad, you cannot already have a degree. You also must enroll as a full-time student and are required to live and work in New York for the same number of years you received the scholarship.

The program is expected to cost the state $163 million a year.

Oregon

Students who started community college in the fall of 2016 were the first to benefit from the Oregon Promise scholarship, which covers most of tuition for recent high school graduates and GED recipients. Adults returning to school are not eligible.

Students must have been state residents for at least a year before applying, have earned a minimum 2.5 GPA in high school, and enroll at least part time.

The program cost the state $10.9 million during the first year.

Because of a state budget shortfall, the state was forced to limit eligibility for the 2017-2018 school year. Starting this fall, students from high-income families will be excluded.

Arkansas, Minnesota, South Dakota focus on high-demand areas

In Arkansas, a new grant will make tuition free for certain students at community colleges and technical schools starting this fall. Students must be enrolled in a high-demand field of study, such as computer science or welding. It’s similar to programs in South Dakota and Minnesota that make tuition free for students studying in fields where there is a high demand for workers.

Louisiana

Louisiana’s Taylor Opportunity Program has covered tuition for students who meet certain academic standards for decades. It covers the entire cost of tuition as long as students graduated from high school in-state and met two academic requirements: a 2.5 high school GPA in core classes and at least an average standardized test score.

But, for the first time, the cash-strapped state could not afford to fund the scholarships fully for the 2016-2017 school year, leaving some students scrambling. Funding has been restored for the upcoming school year.


via:  money.cnn

New bill could let companies retaliate against hackers

A new proposed bill could make it legal for companies to retaliate against hackers.

Dubbed the “hack back” bill, it was introduced last week to allow businesses to hack the hackers who’ve infiltrated their computer networks.

Called the Active Cyber Defense Certainty (ACDC) Act, it amends the Computer Fraud and Abuse Act anti-hacking law so a company can take active defensive measures to access an attacker’s computer or network to identify the hackers, as well as find and destroy stolen information. It was introduced by two U.S. Representatives, Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

“I’ve heard folks say this is like the Wild West what we might be proposing, but in fact it’s not,” Graves told CNN Tech’s Samuel Burke in an interview. “We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.”

But security experts warn the legislation could have serious consequences if passed.

According to digital forensics expert Lesley Carhart, the fundamental problem with the idea is that a majority of organizations who would want to hack back aren’t qualified to do so responsibly. It often takes a long time to correctly identify who was responsible for a hack.

“In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware,” Carhart said. “A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.”

One way researchers place blame on a person or group for a hack is by looking at the evidence left in code. For example, researchers found similarities between the WannaCry code and malware created by Lazarus group, a hacking operation that has been linked to North Korea, earlier this year. Intelligence agencies later connected the country to the massive ransomware attack.

But it’s not uncommon for hackers to spoof that evidence and try and trick analysts into thinking it came from somewhere else, such as putting code from known hacking groups, or innocent third-parties, into their malware.

The bill says active defense measures could only be taken inside the U.S., which means it would have limited benefit. A majority of attacks are based outside the country or route their attacks through servers overseas so it looks like they’re coming from overseas, said Amanda Berlin, author of the Defensive Security Handbook.

Companies would also be required to alert the National Cyber Investigative Joint Task Force, an organization led by the FBI, before trying to hack their hackers. The agency could also review active defensive measures before they’re taken.

The FBI and other law enforcement agencies are already involved in investigating and prosecuting cybercrime. They work closely with major security firms and companies impacted by breaches. However, a relatively low number of businesses in the private sector report ransomware, a common and lucrative cyberattack.

Carhart says poking around in a hacker’s network could impede law enforcement investigations and court proceedings by potentially contaminating evidence.

The FBI defense review also introduces some thorny foreign retaliation issues, as Kristen Eichensehr, assistant professor at UCLA School of Law, explained in Just Security, a national security publication.

“The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors,” she wrote.

However, some firms already engage in hacking back, despite the illegality. Graves said the bill could put some parameters on that behavior.

“Word on the street is many companies are already doing some of these things,” Graves told Burke in an interview. “They know, you know, and I know that they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.”

He also said he hopes additional tools will be developed by the security community that can protect people from hackers.

Some experts believe resources may be better spent elsewhere than on retaliation. According to Berlin, companies should invest in their existing infrastructure to prevent hacks in the first place.

“So many corporations get the basics wrong, or skip steps to spend money on some fancy blinky box that’s supposed to protect them from everything,” Berlin said.

This year’s most serious hack was not sophisticated. Equifax failed to patch a software hole despite a fix existing for months before hackers compromised data on 145.5 million people.

To keep systems secure, Berlin advised companies to remove non-essential machines from direct internet access, and patch early and often to prevent hackers from exploiting known holes. If something can’t be updated or fixed, it should be separated from other networks.

Experts warn that hacking back could also hurt innocent third-parties.

Consider Mirai, a massive botnet that turned connected home devices into an army of zombie computers controlled by one attacker. If a company was attacked by a botnet like Mirai and tried to hack back, they could be hitting an innocent family’s network connected to a security camera, instead of the real person behind the attack.

“I’m afraid it will take us back to ancient Babylon and Hammurabi code which called for an eye for an eye and a tooth for a tooth,” said Bassel Ojjeh, cofounder and CEO of security firm LigaData. “And everyone at this rate will go blind.”


via:  money.cnn

Now German companies are beating the drum over poor patent quality

New European Patent Office chairman gets in on it.

The issue of falling patent quality at the European Patent Office (EPO) has again reared its head, this time thanks to German intellectual property lawyers.

Following a testy exchange last week at an official meeting of the EPO’s Administrative Council where staff aired their grievances and were attacked by EPO president Benoit Battistelli in response, companies are now raising their concerns.

According to German newspaper Heise, a meeting at the Max Planck Institute in Munich grew heated when a group of patent lawyers used a presentation by new EPO chairman Christoph Ernst to make their views known about the “System Battistelli”.

For several years Battistelli has been aggressively pushing changes at the EPO aimed at increasing the number of patents that are reviewed and approved. The result of that drive has been a complete breakdown in communications between EPO staff and management – but that is something many consider a price worth paying in order to “modernize” the EPO and keep it in line with other competing patent authorities in the US and Japan.

The problem, as the patent attorneys told Ernst, is that despite official EPO claims stating the opposite, quality is starting to fall as a result of the changes.

Happy talk

Ernst gave an optimistic presentation to the group about the future of the European patent system in which he painted the rising patent numbers as a positive development and noted that advances in a common European patent system were going to benefit everyone. (Although the Unitary Patent Court is currently on hold in part because of structural changes forced through by Battistelli.)

Attendees were less enamored and noted that greater patent numbers were coming as a result of overworking examiners. A representative of the Grünecker law firm, Gero Maatz-Jansen, warned that the heavy workload combined with pressure by management to hit performance targets was having perverse knock-on impacts.

Patent filings were being approved or rejected much faster but patent lawyers have noticed that more mistakes were being made, the room heard. That could end up undermining the entire system, Maatz-Jansen warned – and his comments were reportedly met with a round of applause. Others made broadly the same point using their own recent experiences as evidence.

In order to turn around filings much faster, examiners were rejecting applications for minor procedural errors, another lawyer claimed. Others said that EPO reports and comments on their patent applications were not as considered or in-depth, and research into prior art was slammed as being “superficial”. Efficiency was taking priority over quality.

That point was also made last week by a Reg commenter who complained that even though his patent application had been noted as valid by the EPO, “the brief comments given provide just one reference to another document – and that one has very little to do with the subject of my invention. Seems that a poor soul under heavy pressure to close as many open cases as quickly as possible just did that.”

A further warning was relayed by another German IP lawyer who was present at the meeting. Thorsten Bausch warned in a blog post that there is also a “catastrophic backlog of EPO appeal cases” and argued – in all caps – that “URGENT ACTION IS REQUIRED HERE! This matter should not be allowed to wait until the next EPO President takes over.”

Evidence?

Although Ernst has been a frequent critic of some of Battistelli’s reforms in recent years (and the German government’s representative on the EPO for longer), he pushed back on the idea that quality was deteriorating.

There is no solid evidence of a fall in quality, he countered, and pointed out that the number of appeals had actually fallen. “The mere fact that more patents are granted does not mean that the quality suffers,” he argued.

However, Elizabeth Hardon, an EPO staffer who was controversially fired by Battistelli for resisting his reforms, was also present at the meeting and said that it is going to take a few years for a decline in quality to be officially recognized as poor patents are challenged in nullity actions.


via:  theregister

Homeland Security orders federal agencies to start encrypting sites, emails

Three-quarters of the federal government uses encryption. Homeland Security says that isn’t enough.

Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government.

Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit but also ensures that nobody can alter the contents of the website you’re visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks.

Now, Homeland Security has set its sights on government agencies, which have for years fallen behind.

The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email.

The agency is also requiring all federal agencies to employ HTTPS within the next four months.

If you thought the government already had that policy, you’re not wrong.

In 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don’t support basic website encryption.

Perhaps ironically, only 70 percent of all Homeland Security domains support HTTPS. Even fewer enforce the encryption by default.

The agency hopes that the remaining non-encrypted sites can get up to speed by early next year.

The order also asks that government agencies use other kinds of encryption, such as STARTTLS, a protocol that sends email over an encrypted channel when it’s available, on their email servers.
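An added example, not from the article and not Homeland Security's own tooling, of the two checks a practitioner would run to see whether a domain actually meets the requirements described above: whether its DMARC record is at an enforcing policy (p=quarantine or p=reject rather than the report-only p=none), and whether a site enforces HTTPS by default. Reading "enforce by default" as a Strict-Transport-Security header is my assumption, as are the one-year max-age threshold, the function names, and the sample records and headers, which are constructed rather than fetched from DNS or a web server.

```python
"""Added example: classify a domain's DMARC record and an HTTPS response
for the two controls the directive requires. All sample data is constructed."""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a lower-cased tag -> value map. Unknown tags are kept as-is."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: Optional[str]) -> str:
    """Classify the record as one of:
    'missing'  - no DMARC record published
    'invalid'  - not a DMARC1 record or no usable policy tag
    'monitor'  - p=none: reports only, spoofed mail is still delivered
    'partial'  - enforcing policy but pct<100, so only a sample is acted on
    'enforced' - p=quarantine or p=reject applied to all failing mail"""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"
    return "enforced"


def https_enforced(headers: Dict[str, str], min_max_age: int = 31536000) -> bool:
    """Assumption of this example: 'enforced by default' means the response
    carries a Strict-Transport-Security header whose max-age is at least
    min_max_age seconds (the one-year threshold is constructed, not from the article)."""
    hsts = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts = value
            break
    if hsts is None:
        return False
    for directive in hsts.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            age = directive[len("max-age="):].strip().strip('"')
            return age.isdigit() and int(age) >= min_max_age
    return False


# Constructed sample data standing in for DNS lookups and HTTP responses.
SAMPLE_DMARC = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "absent.example": None,
}
SAMPLE_HEADERS = {
    "enforced.example": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "monitor.example": {"Content-Type": "text/html"},
}


def audit(domain: str) -> Dict[str, str]:
    """Combine both checks for one domain using the constructed samples."""
    return {
        "dmarc": dmarc_enforcement(SAMPLE_DMARC.get(domain)),
        "https": "enforced" if https_enforced(SAMPLE_HEADERS.get(domain, {})) else "not enforced",
    }


if __name__ == "__main__":
    for domain in SAMPLE_DMARC:
        print(domain, audit(domain))
```

The distinction the classifier draws is the one that matters for the article's claim that DMARC "will prevent spammers from impersonating federal email addresses": a record at p=none only generates reports, so spoofed mail is still delivered; only p=quarantine or p=reject, applied to all failing mail, actually blocks impersonation. To run this against real domains, replace the sample dictionaries with a TXT lookup of `_dmarc.<domain>` and an HTTP request for the site's headers.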

News of the announcement was lauded by one privacy-minded senator, who’s been on a crusade to get federal agencies up to speed on security.

Wyden called today’s move a “good, basic step,” in a statement to ZDNet.

“STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys,” he said. “It’s my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security.”


via:  zdnet

DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden’s transport agencies, causing train delays in some cases.

The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week.

The first attack hit the Sweden Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the time of the attack.

Trafikverket’s email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed.

Road traffic maps were also affected, an issue that still lingered at the time of publishing, according to the agency’s website.

Three Swedish transportation agencies targeted

Speaking to local media, Trafikverket officials said the attacks were cleverly aimed at TDC and DGC, the agency’s two service providers, but in such a way that they affected the agency’s services.

Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations.

While some might initially have thought this was a random incident, the next day a similar DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and that of public transport operator Västtrafik, which provides train, bus, ferry, and tram transport for parts of Western Sweden.

Cyber-warfare implications

Taken together, both incidents give the impression of someone probing various parts of Sweden’s transportation system to see how the country would react in the face of a cyber-attack and downtime.

The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region.

In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country’s air traffic control infrastructure that grounded flights for a day in November 2015.


via:  bleepingcomputer

Microsoft Quietly Patched the Krack WPA2 Vulnerability Last Week

Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft quietly snuck the fix into last week’s Patch Tuesday.

While Windows users were dutifully installing October 10th’s Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability that was not publicly disclosed until today. This fix was installed via a cumulative update that included over 25 other updates, but didn’t provide any useful info until you visited the associated knowledge base article.

Windows 10 October Cumulative Update

Even if you were bored enough to actually click on the More info button, you would have had to be REALLY bored to spot the vague mention of a wireless security update in the last bullet item of the knowledge base article.

Reference to Wireless Networking Security Update


A Microsoft spokesperson told BleepingComputer that “Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

While I am not typically a fan of sneaky updates, I understand why it was necessary to fix the vulnerability while keeping information about it secret until it was officially disclosed.

Did Microsoft do the right thing quietly patching the update or is full disclosure the only way to go? I will let you decide.


The researcher who found the flaws doesn’t appear to think silent patches are a good idea. OpenBSD did the same thing and here is what he said in the FAQ on the KRACK website:

“Why did OpenBSD silently release a patch before the embargo?

OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.”


via:  bleepingcomputer

WPA2: Broken with KRACK. What now?

On social media right now, strong rumors are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.

The current name I’m seeing for this is “KRACK”: Key Reinstallation Attack. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in on.

This has happened before with WiFi: who remembers WEP passwords? However, what is different this time around: there is no obvious, easy, replacement ready and waiting. This is suddenly a very big deal.

In truth, WPA2 has been suspect for some time now. A number of attacks against WPA2-PSK have been shown to be successful to a limited degree, while WPA2-Enterprise has shown itself to be slightly more resilient (but doesn’t protect you from these problems).

This is a story that is unfolding as I write. Please be aware:

  • I’m not one of the researchers here: credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who have a great track record of discovering problems here. I want to be clear about this as I’ve been quoted incorrectly in a couple of places!
  • www.krackattacks.com is now up! There is a list of vendor announcements being written, but remember all vendors are potentially affected. Few vendors appear to have updates ready.
  • Attacks against Android phones are very easy! Oh dear. Best to turn off WiFi on these devices until fixes are applied.
  • Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly; the big problem is embedded devices, for which updates are slow or never coming.
  • For the very technical, the CVE list is at the bottom of this post.
  • The main attack is against clients, not access points. So, updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated
  • Correction: I’ve highlighted specifically that WPA2-Enterprise is vulnerable.
  • If you have some great advice to share or corrections to this, please let me know!

Information here is good as of 2017-10-16 16:00 UTC.

So, this is going to be a horrible Monday morning for IT admins across the world. The practical question is: what now?

Keep Calm

Remember, there is a limited amount of physical security already on offer by WiFi: an attacker needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.

So, we’re alright?

In a word, no. There are plenty of nasty attacks people will be able to carry out with this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad – again, they won’t be able to pretend to be a secure site like your bank over the WiFi, but they can definitely pretend to be non-secure resources. Almost certainly other problems will come up, especially privacy issues with cheaper internet-enabled devices that have poor security.

You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other devices from talking on your network (the security otherwise has been a bit suspect for a while). If that no longer works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk to them.

Story for your boss

Keep it simple, and ideally get ahead of the game by communicating now. Re-iterate:

  • this won’t let people who are not physically present into your networks
    (mobile phones with WiFi are an attack vector that does not require physical presence);
  • it’s unlikely any data is protected by the encryption WPA2 provides; in particular, accessing secure websites is still fine;
  • think about increasing the level of security of the nodes on your network if possible – make sure your AV is up-to-date, firewalls turned on, etc.;
  • if you’re paranoid about certain data or systems, turn off WiFi and switch to an internal VPN, a wired ethernet connection or mobile data (for WAN access);
  • that you are on top of the situation and monitoring the best next steps.

In terms of what to do, in many ways, we’re at the behest of our vendors. If you have a high quality vendor (I would include companies like Ruckus and Cisco in this bracket, for example) I expect new firmware to be available very shortly to mitigate these problems. This may well result in incompatibility with existing devices: as a business, you will need to make a decision in that case (unless you need compliance with PCI-DSS or similar, in which case you likely have little choice).

Story for friends / family

This is where it gets really sucky. Lots of us have old routers at home, which have no chance of a firmware upgrade, and lots of WiFi equipment that may well not get a protocol upgrade if one is required. Right now, it sounds like all this stuff is going to be worthless from the perspective of encryption.

Reiterate the same points as above:

  • secure websites are still secure, even over WiFi;
  • think about setting your computers to “Public Network” mode – that increases the level of security on the device relative to “Private / Home Network” modes. Remember, if third parties can get onto our home networks, they’re no longer any safer than an internet café;
  • if you’re paranoid about your mobile, turn off WiFi and use mobile data when necessary;
  • it sounds like no similar attack against ethernet-over-mains power line is possible, so home networks based on mains plugs are probably still ok;
  • keep computers and devices patched and up-to-date.

What for the future?

As I said before, this is a big problem, but not one that was unexpected. A number of encryption protocols have been problematic over the years; many of the implementations of those protocols have been even worse.

It’s clear to me that “Internet of Things” type devices will be the hardest hit. Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates. As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter – it’s a difficult problem to weigh.

I would love to say there’s an easy answer. I think it’s important that networks become increasingly software-defined, and that it makes sense that future standards focus on that runtime rather than the protocol itself. We cannot rely on vendors to keep devices up-to-date either (for many reasons), but previous attempts at standardizing a runtime (like UEFI) aren’t promising, either technically or security-wise.

As consumers, we have to continually question the security credentials of devices we buy, and demand the best evidence of their security. This is a tough ask; even in the IT world, buying “secure” is difficult. In tech we must strive for better.

CVEs involved

If you don’t know what these are, don’t worry – they are the “official notifications” of a problem, if you like. If you have a vendor of WiFi equipment, you will want to ask them if they’re affected by any of these, and if so, what the solutions are:

  • CWE-323
  • CVE-2017-13077
  • CVE-2017-13078
  • CVE-2017-13079
  • CVE-2017-13080
  • CVE-2017-13081
  • CVE-2017-13082
  • CVE-2017-13083
  • CVE-2017-13084
  • CVE-2017-13085
  • CVE-2017-13086
  • CVE-2017-13087


via:  alexhudson