02-01-2019

Trends & Threats Briefing, January 2019

Welcome to your source for January 2019's news about TLS, SSL, PKI, IoT, encryption, identity and digital certificates.

Click on any headline below to jump to its summary and external news source.

If you’d prefer having this news presented to you, view/hear the on-demand recorded webcast here.  Also check out the rest of our webinars and videos on DigiCert’s channel on the BrightTalk network.

A co-brandable .MP4 version (focusing on TLS & SSL, financial impacts and miscellaneous news) is available to our Certified Partners for marketing purposes here.

If you have any corrections or suggestions, please contact us.

TLS & SSL

Chrome sets security sights on solving for suspicious URLs

QUICkly moving past HTTP/2

Let's Encrypt deprecates TLS-SNI-01 validation

PKI & IoT

Report sounds alarm bells re: IoT data security

Japan plans to hack its citizens' IoT devices

$€¢ure£¥ - the financial impact of (in)security

Brand & valuation damage send avg. cyberattack cost soaring to >US$1.6M

Ransomware victim’s corporate claim denied as insurer “declares” war

Global firms face US$5T in cybercrime losses

Inside-trading hackers made >US$4M on stolen filings/reports

Hash – more news of mutual interest

US DHS emergency directive on DNS hijacking threat

Firefox 65 bolsters anti-tracking & privacy controls

New breed of cryptomining malware uninstalls cloud infrastructure security tools

Data & cyber risks are 2 of top 5 “most likely” to impact businesses & governments in 2019

Stranger Than Fiction!

Smartphones beget Satan?

Chinese province launches deadbeat debtor detector

Good News

International takedown of the xDedic Marketplace for PII and hacked computers

Gov’t-compelled biometric phone unlocking ruled unconstitutional

UK unis cyber attacking each other

Girl Scouts of America Offering Cybersecurity Badges

 

TLS & SSL

Chrome sets security sights on solving for suspicious URLs

Google’s Chrome browser security team is looking for ways to make it difficult for cybercriminals and bad actors to capitalize on friendly-looking-but-false URLs which confuse users about the true identity of a website. They’re considering modifications to the presentation of URLs as we know (or perhaps, more accurately, see) them, such that users don’t have to untangle long or tricky URLs – and it’s those URLs which provide effective cover fraudsters’ scams. (A good example would be spelling “good example” as “g00d exаmp1e” with zeros instead of O’s, a number 1 instead of a lower-case L, and a different alphabet’s character which looks exactly like a lower case “A”.) Emily Stark, of the Chrome team, commented, "What we’re really talking about is changing the way site identity is presented… People should know easily what site they’re on, and they shouldn’t be confused into thinking they’re on another site." One way Chrome might do this is leveraging Google Safe Browsing to flag questionable URLs. By comparing characters which look similar to one other (or domains which vary from one other just by a small number of characters), Chrome can push “attackers away from extremely misleading URLs. Of course, a key challenge is to avoid false positives, like legitimate domains which use suspicious substitutions."

https://www.wired.com/story/google-chrome-kill-url-first-steps/

QUICkly moving past HTTP/2

Now in development, HTTP/3 is already in draft form via an RFC of the Internet Engineering Task Force (IETF). HTTP/3 is sometimes referred-to as HTTP-over-QUIC, as it takes advantage of Quick UDP Internet Connections (QUIC). An experimental protocol for now, QUIC is poised to replace TCP. Although QUIC tolerates data loss during transmission and does not provide error-free transmission like TCP, QUIC incorporates TLS 1.3, so therefore it’s encrypted by default, faster and more secure than HTTP/2. The intention seems to be for HTTP/3 to be finalized when all of the major browsers support TLS 1.3.

https://tools.ietf.org/html/draft-ietf-quic-http-18

Let's Encrypt deprecates TLS-SNI-01 validation

After learning last year that users could abuse the TLS-SNI-01 validation method to obtain certificates for domains they do not own, Let’s Encrypt began acting recently to deprecate the method. However, the provider of free but arguably minimally validated SSL certificates faces a significant challenge, based on its own use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure – in turn effectively compelling the CA to allow users to test the change via staging in order to determine the impact of the method’s retirement. Users will “be able to run certbot renew dry-run… If the dry run succeeds, you’ll know that you’re ready for the deprecation date,” Let’s Encrypt’s Jacob Hoffman-Andrews commented. Let’s Encrypt will support now just 3 validation methods (DNS-01, HTTP-01, TLS-ALPN-01).

https://www.securityweek.com/lets-encrypt-begins-retirement-tls-sni-01-validation

Back to top

PKI & IoT

Report sounds alarm bells re: IoT data security

Just over 50%: that’s the percentage of consumers who fear a lack of privacy with Internet of Things devices – but also the percentage of companies which can't detect IoT breaches. These and other not-so-comforting numbers come from Gemalto's State of IoT Security report, which also points out that only 59% of companies encrypt all their IoT-related data. That amounts to a lot of machines talking to each other and those conversations possibly include your organization's sensitive data or even aspects of your own digital identity. It’s no surprise that securing IoT products and services is a big hurdle and consumers are aware of the repercussions: remembering that we are all individual consumers, too, 62% of consumers believe the security of their IoT devices needs improvement. The identified solutions range widely – from calls for government intervention, or first-mover advantages for industries or organizations to agree upon better guidelines for securing IoT products and services, or the possibility of solutions residing in blockchain technology.

https://www.pcmag.com/news/365994/iot-security-is-still-a-gigantic-mess

Japan plans to hack its citizens' IoT devices

Fearing that hackers might abuse IoT devices to attack the upcoming Tokyo 2020 Summer Olympics, Japan’s National Institute of Communications Technology (NICT) announced on January 25th that it plans to pre-emptively hack into citizens' IoT devices. Via a legislatively approved amendment, NICT was empowered to conduct the white-hat hacktion, which was explained to be part of an unprecedented survey of insecure IoT devices. The hacktion would be carried out by NICT employees under the supervision of the Ministry of Internal Affairs and Communications. Targeting over 200 million IoT devices, beginning with routers and web cameras but expanding to devices in both the consumer and corporate sectors, the hacktion must rely upon using default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. When a connection is successful, that device and login would be compiled into a list of insecure devices which use both default and easily-guessable passwords; that *very hot* data would then be passed onwards to authorities and respective ISPs, who would be counted upon to alert affected consumers to secure the devices. Not surprisingly, the plan sparked outrage in Japan, with many arguing about its necessity; those in opposition explained that the same results could be achieved non-intrusively by sending a security alert to all users, moreover that there’s no guarantee that users with default or weak passwords would change their passwords after being notified in private anyway.

https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

Back to top

$€¢ure£¥

Brand & valuation damage send avg. cyberattack cost soaring to >US$1.6M

A recent survey found that the average actual cost of a cyberattack soars to nearly US1.7M when calculating-in collateral effects of productivity losses, brand damage, and decline in company valuation. According to Radware’s 2018 –2019 Global Application and Network Security Report, “Quantifiable monetary losses can be directly tied to the aftermath of cyberattacks in lost revenue, unexpected budget expenditures and drops in stock values… Protracted repercussions are most likely to emerge as a result of negative customer experiences, damage to brand reputation and loss of customers.” The vendor-neutral survey reported that, of 790 IT executives, 45% reported attacks which had the goal of service degradation or a complete outage, but 78% reported that such happened regardless of the goal. And demonstrating that “breach du jour” doesn’t just describe mega breaches. The report documented that most respondents’ organizations have experienced some type of attack within the course of a year – in fact, only 7% of respondents claiming not to have experienced an attack at all.

https://threatpost.com/threatlist-cost-cyber-attack/140870/

Ransomware victim’s corporate claim denied as insurer “declares” war

Last year’s outbreak of the NotPetya ransomware hit cookie corporation and candy confectioner Mondelez pretty hard, leading them to file an insurance claim with their insurer, Zurich. However, Zurich subsequently declined to pay the claim, citing that NotPetya was an act of war. And that’s because several Western governments blame Russia as the source of the code and the outbreak – and therefore country-vs.-country stuff effectively is the stuff of acts of war. Mondelez, the US food company famous for brands, such as Cadbury and Nabisco, Oreo, Milka, and several brands of chewing gum, is now suing Zurich for US$100 million. This makes security case attribution a tricky thing, as all manner of insurance policies typically exclude coverage for acts of war.

https://www.informationsecuritybuzz.com/expert-comments/zurich-sued-for-100-million-following-notpetya-attack/

Global firms face US$5T in cybercrime losses

According to a new survey and study of over 1700 C-level executives by Accenture, global firms could lose over US $5 trillion to cybercrime over the next five years. While nearly 80% of respondents said their organizations are adopting new technologies faster than they can secure them, the same number believe that the digital economy’s growth would be subdued unless internet security is dramatically improved. Worse, nearly 60% expressed doubt about how they’d take action regarding such instability. Only 30% of those polled said they were very confident in their own cybersecurity with the vertical seen to be at highest risk is the tech sector, which could face losses of US $753B if worse comes to worst. The study called for both CEOs and CISOs to escalate above executive leadership onward to board-level action, argued Accenture’s Omar Abbosh, who continued, “To become a cyber-resilient enterprise, companies need to start by bringing [their] expertise to the board, ensuring security is built-in from the initial design stage and that all business managers are held responsible for security and data privacy.” This was confirmed by the report, in which 75% claimed that addressing security concerns will require a group effort.

https://www.infosecurity-magazine.com/news/global-firms-face-5tr-in/

Inside-trading hackers made >US$4M on stolen filings/reports

Attorneys and law enforcement officials of the United States government announced charges against seven American, Russian and Ukrainian hackers in early January, accusing them of an international stock-trading scheme which allowed them to access and utilize insider trading information from the US Securities Exchange Commission’s corporate filing database, known as EDGAR. That information, from 157 pre-released corporate reports and announcements, gave the hackers the inside edge to net US$4.1 million. "After hacking into the EDGAR system, they stole drafts of [these] reports before the information was disseminated to the general public.” This is according to Craig Carpenito, U.S. Attorney for the District of New Jersey. Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news that the criminals knew to act upon before the public could. One inside trader made $270,000 in a single day.

https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html

Back to top

Hash

US DHS emergency directive on DNS hijacking threat

On Tuesday January 22, Director Christopher Krebs of the United States Department of Homeland Security issued its first Emergency Directive, in response to a global Domain Name System (DNS) hijacking campaign. It was the first Emergency Directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) and is thus noteworthy as it compels all non-Federal security agencies (like state and local agencies) to act. At the time, the concern was over a cyber-hijacking campaign which private-sector researchers suggested was the work of the Islamic Republic of Iran and had affected “multiple executive branch” agencies by redirecting and intercepting Web and email traffic. Although other officials stated that no intelligence, Defense or classified networks were impacted, one industry source reported that at least six civilian agencies were affected. The alarm-worthy campaign was first spotted last fall by private-sector firms such as Cisco and FireEye, which detected malicious DNS activity in the Middle East. It targeted the Domain Name System (DNS) which translates Web or domain names into IP addresses, and involved the covert changing of a destination IP address so that any data (especially logins) entered by a user passes through the hacker’s server before being forwarded onward to its intended, legitimate destination.

https://cyber.dhs.gov/ed/19-01/

https://www.washingtonpost.com/world/national-security/dhs-issues-emergency-order-to-civilian-agencies-to-squelch-cyber-hijacking-campaign-that-private-analysts-say-could-be-linked-to-iran/2019/01/22/40a3fce2-1eab-11e9-8e21-59a09ff1e2a1_story.html

https://www.cyberscoop.com/rep-langevin-need-dhs-briefing-understand-extent-dns-hijacking-threat/

Firefox 65 bolsters anti-tracking & privacy controls

Mozilla has unveiled version 65 of its Firefox browser, arming it with redesigned privacy controls for the Content Blocking section, where users can select their desired level of privacy protection. Nick Nguyen, Firefox VP of Product at Mozilla, said “We’ve always made privacy for our users a priority, and we saw the appetite for more privacy-focused features that protect our users’ data and put them in control… So, we knew it was a no-brainer for us to meet this need. It’s one of the reasons we broadened our approach to anti-tracking.” The standard or default setting of the new Content Blocking controls allows users to block known trackers in Private Browsing Mode and, in the future, third-party tracking cookies. Users can throttle up the setting to block all known trackers by Firefox in all windows. These controls, and new privacy policies which were rolled out in tandem, hail from Mozilla’s announcement in August 2018 that they’d steadily bolster Firefox’s anti-tracking efforts, which includes removing cross-site tracking by stripping cookies and blocking storage access from third-party tracking content. Mr. Nguyen continued, “Some sites will continue to want user data in exchange for content, but now they will have to ask for it… (this is) a positive change for people who up until now had no idea of the value exchange they were asked to make.” This steady rollout, plus Mozilla’s stand against tracking techniques like super cookies and browser fingerprinting, has met with praise by engineers and researchers in the security and privacy spaces.

https://threatpost.com/mozilla-firefox-65-anti-tracking/141281/

New breed of cryptomining malware uninstalls cloud infrastructure security tools

New malware was found which gains full admin rights on specific cloud platforms, then uninstalls those platforms’ cloud-security products. Researchers Xingyu Jin and Claud Xiao at Palo Alto Networks’ Unit 42 discovered the malware, which interestingly doesn’t attack or sidestep the products developed by Tencent Cloud and Alibaba Cloud (Aliyun) – it simply uninstalls them from the compromised Linux servers, and in turn eliminates those servers’ AI-based trojan detection and removal, logging activity audits, and vulnerability management. Tencent and Aliyun are industry-leading cloud providers in China which are expanding their business globally. It’s supposed that the malware stops at security tool removal and doesn’t do further damage or data compromise because it needs the horsepower and scale of the cloud infrastructures: the active user of malware is the Rocke threat group whose motivations are to infect vulnerable systems with Monero-based cryptomining malware – as evidenced by the malware not just killing off security products, but by doing same to other cryptomining processes on the servers. The researchers report explained that “the variant of the malware used by Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure… We believe this unique evasion behavior will be the new trend for malwares which target at public cloud infrastructure.”

https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/

Data & cyber risks are 2 of top 5 “most likely” to impact businesses & governments in 2019

The World Economic Forum’s (WEF) annual "Global Risks Report" ranks the top 10 concerns that businesses and governments around the globe will face in the ensuing year. For 2019, the WEF predicts that only climate change and natural disasters (including earthquakes and tsunamis) will outrank cyberattacks and data theft as the biggest obstacles for businesses and governments. Specifically, “Massive incident of data fraud/theft” is 4th on the list, and “Large scale cyberattacks” is right behind it as 5th most likely. The report, issued in mid-January, stems from the WEF's annual Global Risks Perception Survey, which polled about 1,000 experts and decision makers regarding their greatest concerns for the coming year. Over the last year, a number of different incidents had these experts – and citizens around the world – thinking more and more about cybersecurity. People readily recall those headlines and their lasting impacts, like the attack against India's ID database, the continuing problems at social media companies, like Facebook, and widespread issues, such as the Spectre and Meltdown side-channel vulnerabilities. The WEF report also found heightened concern over artificial intelligence and machine learning, as 32% of survey respondents believe that AI will cause harm to human society.

https://www.securitynow.com/author.asp?doc_id=748884

Back to top

Stranger Than Fiction!

Smartphones foreshadow the Antichrist?

The leader of the Russian Orthodox Church, Patriarch Kirill, has warned that societal dependence on smartphones might signal the coming of the Antichrist. In an interview with a state-owned Russian TV channel, the Patriarch explained that the "worldwide web of gadgets" could serve as the devil’s "opportunity to gain global control over mankind." Continuing, the Patriarch explained that as smartphones follow and document your identity, habits, location, interests and fears, “methods and technology could appear that will not just provide access to all information but will also allow the use of this information.” Since information is power, then the concentration of both information and power could provide foreboded control, and therefore, “Such control from one place forebodes the coming of the Antichrist.“

https://www.theregister.co.uk/2019/01/09/smartphones_gateway_to_the_antichrist_says_leader_of_russian_orthodox_church/

Chinese province launches deadbeat debtor detector

The China Daily reported that the Higher People’s Court of the Hebei province in China has launched a mini-app on the popular WeChat platform which displays the locations of anyone within a half-kilometer radius who’s in debt to you. The mini-app also displays each debtor’s personal information including their name, national ID number and why they’re on a debt blacklist. The Chinese state Xinhua News Agency had reported about 15 months ago that the ‘deadbeat shaming’ system would be on the way from the Chinese government. While the court took the high road in explaining-away the system and mini-app as “part of our measures to enforce our rulings and create a socially credible environment," China Daily was much more straightforward about it, saying that it makes it “easier for people to whistle-blow on debtors capable of paying their debts.”

https://thenextweb.com/asia/2019/01/18/chinese-province-launches-an-app-to-highlight-debtors-around-you/

Back to top

Good News

International takedown of the xDedic Marketplace for PII and hacked computers

The xDedic Marketplace, a website that was used to sell access to compromised computers worldwide and to people’s personally identifiable information (or PII) has been taken down and its site has been seized, according to the United States Federal Bureau of Investigation. But it wasn’t just the US involved: the takedown was an international operation featuring substantial support and cooperation from Europol and the Ukrainian cyber police, as XDedic's infrastructure had been located mostly in Belgium and Ukraine. xDedic is thought to have enabled over $68 million in fraud in operating across its broadly distributed network, using Bitcoin to hide its server locations and the identities of its administrators, buyers and sellers. Buyers could search for compromised credentials on xDedic by desired criteria like geographic location and operating system, getting the PII of eventual victims or access details to computers across all industries, including local, state and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds and universities.

https://www.justice.gov/usao-mdfl/pr/xdedic-marketplace-website-involved-illicit-sale-compromised-computer-credentials-and

https://www.europol.europa.eu/newsroom/news/xdedic-marketplace-shut-down-in-international-operation

https://twitter.com/CyberpoliceUA/status/1089935007764893698

Gov’t-compelled biometric phone unlocking ruled unconstitutional

Earlier this year, the US Supreme Court ruled in Carpenter vs. United States that law enforcement must obtain a warrant to access mobile phone tower records, which would allow tracking of a citizen’s location over time. Now, a US District Court judge in California ruled that law enforcement can’t compel people to unlock their mobile devices using biometrics; warrant or not, forcing such an unlock would be an unconstitutional violation of the person’s 4th and 5th amendment rights. “The Court finds that the government’s request runs afoul of the(se) amendments, and the search-warrant applications must be denied,” ruled Judge Kandis Westmore. (The US Constitution’s 4th Amendment protects citizens against unreasonable searches; the 5th Amendment protects a citizen’s right against self-incrimination.)

https://threatpost.com/judge-law-iphone-unlock-faceid/140856/

UK unis cyber attacking each other

Twenty universities in the UK have come together to prepare their individual infrastructures to resist hacking – by hacking one another. By means of a competition they’re calling Exercise Mercury, the universities are benchmarking their own security postures in the higher education sector and contributing collective learnings for one another’s benefit. In the mutual hackathon, universities are paired up for two weeks; in the first week, select students *and* staff of one university get to attack the other, then reverse roles from attacker to attacked during the ensuing week. Of course, no damage or defacement is done – but vulnerabilities in processes, policies, procedures and tech infrastructure are spotted and noted. But it’s not all simulated blood-and-gore once the week begins: teams usually take a day or two to identify what’s most important to the opposing university, like sensitive research, for example; then it’s all-appropriate-guns-blazing as the balance of the week is spent detailing how to cause the most damage. And it wouldn’t be a competition if there wasn’t a winner: the team which would have inflicted the most negative impact is declared the winner. The competition began in late 2018 and will conclude once all 20 universities have had their chances to hack and be hacked; the data will then be collected and analyzed, and the entirety of the UK higher educational system will benefit from the common vulnerabilities.

https://www.ukauthority.com/articles/universities-cyber-attack-each-other-to-test-defences/

Girl Scouts of America Offering Cybersecurity Badges

The Girl Scouts of America is now offering a cybersecurity badge. To get more girls involved in science, technology, engineering and mathematics (STEM) from age 5 upward, the pursuit of the badge offers scouts the chance to learn about data privacy, online safety, coding and even how to become a white-hat hacker. According to Cristina Roa from Securonix, “The Girl Scouts initiative …will help to boost interest and participation in an industry in which women are …traditionally underrepresented.” Continuing, Ms. Roa says the effort will “encourage more females to get into the industry.”

https://www.bbc.com/news/av/technology-46911157/girl-scouts-of-the-usa-offer-badges-in-cyber-security

Back to top

UP NEXT

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

Featured Stories

VMC Blog Featured Image

Getting Your Logo in Your User's Inbox: Tips Learned from the VMC Gmail Pilot

What Makes Digital Signatures Secure

How Vaccine Passports Could Change Digital Identity