#cybersécurité

  • Zeynep Tufekci : Get a red team to ensure AI is ethical | Verdict
    https://www.verdict.co.uk/zeynep-tufekci-ai-red-team

    In cybersecurity, red team professionals are tasked with finding vulnerabilities before they become a problem. In artificial intelligence, flaws such as bias often become apparent only once they are deployed.

    One way to catch these AI flaws early is for organisations to apply the red team concept when developing new systems, according to techno-sociologist and academic Zeynep Tufekci.

    “Get a red team, get people in the room, wherever you’re working, who think about what could go wrong,” she said, speaking at Hitachi Vantara’s Next conference in Las Vegas, US, last week. “Because thinking about what could go wrong before it does is the best way to make sure it doesn’t go wrong.”

    Referencing Hitachi president and CEO Toshiaki Higashihara’s description of digitalisation as having “lights and shadows”, Tufekci warned of the risks of letting the shadowy side go unchecked.
    AI shadows

    One of these “shadows” is when complex AI systems become black boxes, making it difficult even for the AI’s creators to explain how it made its decision.

    Tufekci also cited the example of YouTube’s recommendation algorithm pushing people towards extremism. For example, a teenager could innocently search ‘is there a male feminism’ and then be nudged towards misogynistic videos because such controversial videos have received more engagement.

    And while data can be used for good, it can also be used by authoritarian governments to repress their citizens, or by election consultancies to manipulate our votes.

    Then there are the many instances of human bias finding their way into algorithms. These include AI in recruitment reflecting the sexism of human employers or facial recognition not working for people with darker skin.

    “If the data can be used to fire you, or to figure out protesters or to use for social control, or not hire people prone to depression, people are going to be like: ‘we do not want this’,” said Tufekci, who is an associate professor at the UNC School of Information and Library Science.

    “What would be much better is to say, what are the guidelines?”
    Using a red team to enforce AI ethics guidelines

    Some guidelines already exist. In April 2019, the European Union’s High-Level Expert Group on AI published its Ethics Guidelines for Trustworthy AI, which set out seven key requirements.

    These requirements include human oversight, accountability and technical robustness and safety. But what Tufekci suggests is having a team of people dedicated to ensuring AI ethics are adhered to.

    “You need people in the room, who are going to say there’s light and there are shadows in this technology, and how do we figure out to bring more light into the shadowy side, so that we’re not blindsided, so that we’re not just sort of shocked by the ethical challenges when they hit us,” she explained.

    “So we think about it ahead of time.”

    However, technology companies often push back against regulation, usually warning that too much will stifle innovation.

    “Very often when a technology is this new, and this powerful, and this promising, the people who keep talking about what could go wrong – which is what I do a lot – are seen as these spoilsport people,” said Tufekci.

    “And I’m kind of like no – it’s because we want it to be better.”

    #Intelligence_artificielle #Zeynep_Tufekci #Cybersécurité #Biais #Big_data

  • Websites have been quietly hacking iPhones for years, says Google - MIT Technology Review
    https://www.technologyreview.com/s/614243/websites-have-been-quietly-hacking-iphones-for-years-says-google

    Websites delivered iOS malware to thousands of visitors in the biggest iPhone hack ever. There’s no telling who was infected—or who was behind it.
    by Patrick Howell O'Neill
    Aug 30, 2019
    Malware could steal passwords, encrypted messages and contacts
    It’s not clear who was behind the hacking campaign or who was targeted
    If you have updated your iPhone you are protected
    The largest ever known attack against iPhone users lasted at least two years and hit potentially thousands of people, according to research published by Google. 

    The malware could ransack the entire iPhone to steal passwords, encrypted messages, location, contacts, and other extremely sensitive information. The data was then sent to a command and control server which the hackers used to run the operation. The scope, execution, and persistence of the unprecedented hacking campaign point to a potential nation-backed operation, but the identity of both the hackers and their targets is still unknown.

    “The data taken is the ‘juicy’ data," says Jonathan Levin, a researcher who has written books on Apple’s operating system. “Take all the passwords from the keychain, location data, chats/contacts/etc, and build a shadow network of connections of all your victims. Surely by six degrees of separation you’ll find interesting targets there.”

    Apple patched the bugs quickly in February 2019 so everyone who has updated their iPhone since then is protected. Rebooting the iPhone wiped the malware but the data had already been taken. Exactly who was infected remains an open question. iPhone users themselves likely wouldn’t know because the malware runs in the background with no visual indicator and no way for an iOS user to view the processes running on the device. 

    In January 2019, Google’s Threat Analysis Group (TAG), the tech giant’s counterespionage specialists, first found hacked websites that were delivering malware to thousands of visitors per week. The tactic is known as a watering-hole attack: attackers lace carefully selected websites with malware and wait for expected visitors to arrive to be infected. Just visiting the site was enough to download the malware.

    Google’s discovery covered, over a period of years, five so-called “exploit chains” built from 14 vulnerabilities, including at least one zero-day, a bug the vendor, here Apple, did not yet know about and so had not patched. Each chain strung several bugs together so that a single page visit went from the browser to control of the device. When one exploit chain was rendered useless by an Apple patch, the attackers quickly switched to the next one.

    TAG passed the intelligence to Apple, who issued iOS patch 12.1.4 on February 7 with a fix, as well as to others within Google. Google’s Project Zero, the company’s security analysis team, has spent the last seven months dissecting these bugs.

    “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Google’s Ian Beer wrote.

    It’s not clear who was infected. Google’s Project Zero did not release key information including which websites were infected. It seems likely that neither Apple nor Google would have a full accounting of victims but there could be other clues, including which populations typically visit the infected website. 

    So, who is behind it? There is an entire offensive hacking industry that creates and sells hacking tools to governments and companies around the world. NSO Group is the most famous but their tools have reportedly been tightly targeted. But Levin thinks the signs point to a nation state being behind this attack, as the model used is not something a typical hacker or small company could afford to run. 

    The revelation instantly made waves throughout the cybersecurity industry. "This is the first time evidence has been found of such exploits being used massively, indiscriminately as ‘net fishing’ against whatever unsuspecting individuals end up visiting the infected websites," says Levin.

    One of the most notable victims of iPhone malware ever is Ahmed Mansoor. Mansoor, a world-renowned human rights activist imprisoned for criticizing the United Arab Emirates government, is nicknamed “the million dollar dissident” because of the high cost of the malware used to hack his iPhone and spy on him.

    Until now, the implication of the high prices had been that deploying these weapons is rare and tightly targeted. Exploiting Apple’s iOS operating system, the software that powers both the iPhone and iPad, is a complex and expensive process. “iOS exploitation requires sidestepping and bypassing Apple’s formidable defenses, in multiple layers,” says Levin. Google’s discovery throws some of those assumptions in the air.

    It will also upend perceptions of the security of iPhones. High-risk individuals including journalists, lawyers, activists, and more use iPhones in the hope that the devices will provide a real defense against hackers who, in some cases, can be a genuine life or death threat.

    “Real users make risk decisions based on the public perception of the security of these devices,” Beer wrote. “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted."

    #Cybersécurité #iPhone

  • GitHub sued for aiding hacking in Capital One breach | ZDNet
    https://www.zdnet.com/article/github-sued-for-aiding-hacking-in-capital-one-breach

    Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker.

    While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site.
    Lawsuit claims GitHub failed to detect stolen data

    The lawsuit claims that “decisions by GitHub’s management [...] allowed the hacked data to be posted, displayed, used, and/or otherwise available.” According to the lawsuit, details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down.

    “GitHub knew or should have known that obviously hacked data had been posted to GitHub.com,” the lawsuit claims.

    The lawsuit said GitHub had an obligation under California law and industry standards to keep Social Security numbers and personal information off its site, or to remove them. The plaintiffs argue that because Social Security numbers have a fixed format, GitHub should have been able to identify and remove this data, but that it chose not to and allowed the stolen information to remain on its platform for three months until a bug hunter spotted it and notified Capital One.
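    As an added example (not part of the ZDNet article, the lawsuit, or GitHub’s own tooling), here is what the “fixed format” argument amounts to in practice: a scanner for SSN-shaped tokens, run over constructed sample text, that applies the only structural check the Social Security Administration’s allocation rules allow. The regexes and the sample text are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample text (not data from the breach): a CSV fragment plus lines a code
# repository would plausibly contain, to show what a format-based SSN scan actually returns.
SAMPLE_TEXT = """\
name,ssn,phone
Jane Roe,078-05-1120,2065550143
John Doe,000-12-3456,4255550199
build_id=123456789 commit=987654321
order 555-12-1234 shipped
"""

# SSN written the way people write it. The digit-boundary lookarounds stop longer numbers
# from matching on a substring.
SSN_DASHED = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Nine bare digits, the form a CSV column or JSON field would carry. Ten-digit phone
# numbers do not match because no nine-digit run inside them sits on a boundary.
SSN_BARE = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")


def structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    That is the only structural check available: SSNs carry no check digit."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssn_candidates(text: str) -> List[Dict]:
    """Every SSN-shaped token in text, tagged with whether it could have been issued."""
    hits = []
    for pattern, form in ((SSN_DASHED, "dashed"), (SSN_BARE, "bare")):
        for m in pattern.finditer(text):
            area, group, serial = m.groups()
            hits.append({
                "match": m.group(0),
                "form": form,
                "valid_structure": structurally_valid(area, group, serial),
            })
    return hits


def summarise(text: str) -> Dict[str, int]:
    """How many tokens look like SSNs, and how many of those pass the structural check."""
    hits = find_ssn_candidates(text)
    return {
        "candidates": len(hits),
        "structurally_valid": sum(h["valid_structure"] for h in hits),
    }


if __name__ == "__main__":
    for hit in find_ssn_candidates(SAMPLE_TEXT):
        print(hit)
    print(summarise(SAMPLE_TEXT))
```

    On this sample, five tokens match and three pass the structural check, yet none of the three is anyone’s private SSN: one is a publicly known specimen number, one a build identifier, one an order number. The check establishes shape, not provenance. On a platform hosting build numbers, commit identifiers and timestamps by the billion, a pattern scan produces candidates that still need context or a human to confirm, which is the gap between “fixed format” and “should have been able to identify and remove”.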

    The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

    However, spokespersons from both Capital One and GitHub have told ZDNet that the data uploaded on GitHub by the hacker did not contain any personal information.

    “The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information,” a GitHub spokesperson told us. “We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”
    Lawsuit claims GitHub actively encouraged hacking

    The lawsuit also makes a bold claim that “GitHub actively encourages (at least) friendly hacking.” It then links to a GitHub repository named “Awesome Hacking.”

    Plaintiffs might have a hard time proving that GitHub promoted hacking as this repository is not associated with GitHub staff or management, but owned by a user who registered on the platform and claims to live in India.

    There are thousands of similar GitHub repositories hosting hacking, pen-testing, cyber-security, and reverse engineering resources and tutorials, none of which is illegal.

    Furthermore, other sites like Pastebin or AnonFile are also abused in a similar way that GitHub was during the Capital One breach, with hackers uploading stolen information on their respective servers, or hosting hacking tutorials.

    The lawsuit seems to gloss over the fact that users are responsible for abiding by a platform’s rules and terms of service, and not the platform itself.

    All in all, the chances of GitHub being found liable are slim, as this is just another classic case of “guns don’t kill people; people kill people.” Otherwise, Apple might be similarly held accountable when someone uses an iPhone to commit a crime.

    But while Microsoft, which owns GitHub, might have a case to convince the court to drop GitHub from the lawsuit, Capital One does not, and will have to defend its cyber-security lapses in court.

    The lawsuit pointed out that Capital One had suffered previous security breaches before in November 2014, July 2017, and September 2017.

    The class-action lawsuit complaint is available here. Newsweek and Business Insider first reported the lawsuit.

    The hacker responsible for the Capital One breach, Paige Thompson, was arrested earlier this week. She is believed to have hacked multiple other companies, besides Capital One. The list includes Unicredit, Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation.

    #Git_hub #Hacking #Cybersécurité #Plateformes

  • Baltimore paralysed by a computer virus partly created by the NSA
    https://www.lemonde.fr/pixels/article/2019/05/29/la-ville-de-baltimore-paralysee-par-un-virus-informatique-en-partie-cree-par

    The problem is that, three weeks later, the matter is still not resolved. The city’s servers and e-mail remain hopelessly blocked. “Limited service,” say the signs at the entrance to municipal buildings. The city’s teams, the FBI, the American intelligence services and the West Coast IT firms have all had a go: impossible to rid the city’s ten thousand computers of this virus, a ransomware. And with reason: according to the New York Times, one component of this virulent program was created by the American secret services, the National Security Agency (NSA), which exploited a flaw in Microsoft’s Windows software. The trouble is that this cyber weapon, which has become almost impossible to control, was stolen from the NSA in 2017. (Security researchers who later analysed the RobbinHood ransomware used against Baltimore reported finding no EternalBlue component, so this attribution remains disputed.)

    So, much ado about nothing? No, because of the NSA’s murky role. According to the New York Times, the agency developed a tool, EternalBlue, after spending more than a year hunting for a flaw in Microsoft’s software. The bug is in the Windows implementation of the SMBv1 file-sharing protocol; Microsoft patched it as MS17-010 in March 2017.

    The trouble is that the tool was stolen by a group calling itself the Shadow Brokers, and it is still unknown whether they are a foreign power or American hackers. The North Koreans were the first to use it, in 2017, in an attack dubbed WannaCry, which paralysed the British health service and hit the German railways. Then it was Russia’s turn to use it to attack Ukraine, in an operation known as NotPetya. The offensive reached companies such as the courier FedEx and the pharmaceutical company Merck, which reportedly lost 400 million and 670 million dollars respectively.

    Since then, EternalBlue has been used again and again, notably by China and Iran. And in the United States against vulnerable organisations such as the city of Baltimore, but also San Antonio (Texas) and Allentown (Pennsylvania). In some respects the affair is judged more serious than the giant leak of information by former IT contractor Edward Snowden in 2013.

    The debate is reopening over the responsibility of the NSA, which reportedly informed Microsoft of the flaw in its software only after the tool had been stolen. Too late. Despite a patch, hundreds of thousands of computers that have not applied the update remain unprotected. One of the agency’s former directors, Admiral Michael Rogers, tried to exonerate his former employer by explaining that if a terrorist filled a Toyota pickup with explosives, nobody would blame Toyota. “The tool the NSA developed was not designed to do what it did,” he argued.

    Tom Burt, Microsoft’s head of customer security and trust, says he “totally disagrees” with this soothing line: “These programs are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They are inherently dangerous. When someone takes that, they are not turning it into a bomb: it is already a bomb,” he protested in the New York Times.

    #Virus #NSA #Baltimore #Cybersécurité

  • The Terrifying Potential of the 5G Network | The New Yorker
    https://www.newyorker.com/news/annals-of-communications/the-terrifying-potential-of-the-5g-network

    Two words explain the difference between our current wireless networks and 5G: speed and latency. 5G—if you believe the hype—is expected to be up to a hundred times faster. (A two-hour movie could be downloaded in less than four seconds.) That speed will reduce, and possibly eliminate, the delay—the latency—between instructing a computer to perform a command and its execution. This, again, if you believe the hype, will lead to a whole new Internet of Things, where everything from toasters to dog collars to dialysis pumps to running shoes will be connected. Remote robotic surgery will be routine, the military will develop hypersonic weapons, and autonomous vehicles will cruise safely along smart highways. The claims are extravagant, and the stakes are high. One estimate projects that 5G will pump twelve trillion dollars into the global economy by 2035, and add twenty-two million new jobs in the United States alone. This 5G world, we are told, will usher in a fourth industrial revolution.

    A totally connected world will also be especially susceptible to cyberattacks. Even before the introduction of 5G networks, hackers have breached the control center of a municipal dam system, stopped an Internet-connected car as it travelled down an interstate, and sabotaged home appliances. Ransomware, malware, crypto-jacking, identity theft, and data breaches have become so common that more Americans are afraid of cybercrime than they are of becoming a victim of violent crime. Adding more devices to the online universe is destined to create more opportunities for disruption. “5G is not just for refrigerators,” said Robert Spalding, a retired Air Force brigadier general who worked on 5G policy at the National Security Council. “It’s farm implements, it’s airplanes, it’s all kinds of different things that can actually kill people or that allow someone to reach into the network and direct those things to do what they want them to do. It’s a completely different threat that we’ve never experienced before.”

    Spalding’s solution, he told me, was to build the 5G network from scratch, incorporating cyber defenses into its design.

    There are very good reasons to keep a company that appears to be beholden to a government with a documented history of industrial cyber espionage, international data theft, and domestic spying out of global digital networks. But banning Huawei hardware will not secure those networks. Even in the absence of Huawei equipment, systems still may rely on software developed in China, and software can be reprogrammed remotely by malicious actors. And every device connected to the fifth-generation Internet will likely remain susceptible to hacking. According to James Baker, the former F.B.I. general counsel who runs the national-security program at the R Street Institute, “There’s a concern that those devices that are connected to the 5G network are not going to be very secure from a cyber perspective. That presents a huge vulnerability for the system, because those devices can be turned into bots, for example, and you can have a massive botnet that can be used to attack different parts of the network.”

    This past January, Tom Wheeler, who was the F.C.C. chairman during the Obama Administration, published an Op-Ed in the New York Times titled “If 5G Is So Important, Why Isn’t It Secure?” The Trump Administration had walked away from security efforts begun during Wheeler’s tenure at the F.C.C.; most notably, in recent negotiations over international standards, the U.S. eliminated a requirement that the technical specifications of 5G include cyber defense. “For the first time in history,” Wheeler wrote, “cybersecurity was being required as a forethought in the design of a new network standard—until the Trump F.C.C. repealed it.” The agency also rejected the notion that companies building and running American digital networks were responsible for overseeing their security. This might have been expected, but the current F.C.C. does not consider cybersecurity to be a part of its domain, either. “I certainly did when we were in office,” Wheeler told me. “But the Republicans who were on the commission at that point in time, and are still there, one being the chairman, opposed those activities as being overly regulatory.”

    Opening up new spectrum is crucial to achieving the super-fast speeds promised by 5G. Most American carriers are planning to migrate their services to a higher part of the spectrum, where the bands are big and broad and allow for colossal rivers of data to flow through them. (Some carriers are also working with lower-spectrum frequencies, where the speeds will not be as fast but likely more reliable.) Until recently, these high-frequency bands, which are called millimetre waves, were not available for Internet transmission, but advances in antenna technology have made it possible, at least in theory. In practice, millimetre waves are finicky: they can only travel short distances—about a thousand feet—and are impeded by walls, foliage, human bodies, and, apparently, rain.

    To accommodate these limitations, 5G cellular relays will have to be installed inside buildings and on every city block, at least. Cell relays mounted on thirteen million utility poles, for example, will deliver 5G speeds to just over half of the American population, and cost around four hundred billion dollars to install. Rural communities will be out of luck—too many trees, too few people—despite the F.C.C.’s recently announced Rural Digital Opportunity Fund.

    Deploying millions of wireless relays so close to one another and, therefore, to our bodies has elicited its own concerns. Two years ago, a hundred and eighty scientists and doctors from thirty-six countries appealed to the European Union for a moratorium on 5G adoption until the effects of the expected increase in low-level radiation were studied. In February, Senator Richard Blumenthal, a Democrat from Connecticut, took both the F.C.C. and F.D.A. to task for pushing ahead with 5G without assessing its health risks. “We’re kind of flying blind here,” he concluded. A system built on millions of cell relays, antennas, and sensors also offers previously unthinkable surveillance potential. Telecom companies already sell location data to marketers, and law enforcement has used similar data to track protesters. 5G will catalogue exactly where someone has come from, where they are going, and what they are doing. “To give one made-up example,” Steve Bellovin, a computer-science professor at Columbia University, told the Wall Street Journal, “might a pollution sensor detect cigarette smoke or vaping, while a Bluetooth receiver picks up the identities of nearby phones? Insurance companies might be interested.” Paired with facial recognition and artificial intelligence, the data streams and location capabilities of 5G will make anonymity a historical artifact.

    #Surveillance #Santé #5G #Cybersécurité

  • Battle stations on Twitter!
    The official account of the EMA, the Etat-Major des Armées (the French Armed Forces General Staff, not En MArche, nope), has launched its annual #DEFNET operation.
    This is the 6th edition of this “annual joint-forces exercise” for training “in cyber crisis management”.
    Thinking it was a bug, I made fun of it, imagining the panic among the conspiracy theorists two days before Act 18 of the Gilets Jaunes:

    The French speak to the French...
    I repeat: the French speak to the French...

    https://twitter.com/ValKphotos/status/1106164986898984961
    But many thanks to the person who made me discover what is, at the same time, a large-scale communication exercise:

    #DEFNET 2018: stronger together.
    310 military personnel from 7 nations, 250 students, more than 50 reservists and the industrial partners brought together.

    https://twitter.com/EtatMajorFR/status/971716870456868864

    See also:

    http://www.defnet-etn.eu

    https://www.defense.gouv.fr/terre/actu-terre/defnet-l-exercice-d-une-cyber-armee-operationnelle

    #sécurité #cybersecurite #armée

  • « The Thai parliament unanimously passed a new #cybersécurité law this Thursday, 28 February 2019. Government agencies run by the military junta now hold very broad powers to access data on computer networks or to seize any type of digital device in the event of a “cyber threat”. Civil liberties advocates describe the regulation as “digital martial law”. »

    https://information.tv5monde.com/info/thailande-la-loi-martiale-numerique-votee-l-unanimite-288113

    #Thaïlande #sécurité_et_liberté

  • 40% of malicious URLs were found on good domains - Help Net Security
    https://www.helpnetsecurity.com/2019/03/01/malicious-urls-good-domains

    40 percent of malicious URLs were found on good domains. Legitimate websites are frequently compromised to host malicious content, so blocking on domain reputation alone either misses these URLs or blocks an entire legitimate site. To protect users, security products need URL-level visibility or, when that is unavailable, domain-level metrics that accurately represent the risk.

    Home user devices are more than twice as likely to get infected as business devices. Sixty-eight percent of infections are seen on consumer endpoints, versus 32 percent on business endpoints.

    Phishing attacks increased 36 percent, with the number of phishing sites growing 220 percent over the course of 2018. Phishing sites now use TLS (SSL) certificates and HTTPS to trick internet users into believing they are secure, legitimate pages; the browser padlock only attests that the connection is encrypted, not who operates the site, and domain-validated certificates are free and issued automatically. Seventy-seven percent of phishing attacks impersonated financial institutions, and those were much more likely to use HTTPS than other types of targets. In fact, for some of the targeted financial institutions, over 80 percent of the phishing pages used HTTPS. Google was the most impersonated brand in phishing overall.

    After 12 months of security awareness training, end users are 70 percent less likely to fall for a phishing attempt. Webroot found that organizations that combine phishing simulation campaigns with regular training saw a 70 percent drop in phishing link click-through.

    Nearly a third of malware tries to install itself in %appdata% folders. Although malware can hide almost anywhere, Webroot found several common locations, including %appdata% (29.4 percent), %temp% (24.5 percent), and %cache% (17.5 percent), among others. These paths are attractive because every user profile has them and an ordinary user account can write to them without elevation, so a dropper needs no administrator rights to land there. They are also hidden by default in Explorer on Windows Vista and later.
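    As an added example, not taken from Webroot’s report, here is a small triage routine run over constructed process-image paths (not real telemetry) that flags executables running from the profile locations listed above. The %cache% mapping is an assumption: Webroot does not define it, so here it is read as the browser cache directories under %LOCALAPPDATA%. Location on its own is a weak signal, since updaters for Teams, Chrome and the like legitimately run from AppData, so the routine records why each path was flagged and lets a second indicator (a decoy double extension, a system-binary lookalike name) raise the priority.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-image paths (not real telemetry), one per process-creation event.
SAMPLE_EVENTS = [
    r"C:\Users\alice\AppData\Roaming\svch0st.exe",
    r"C:\Users\bob\AppData\Local\Temp\setup_7zip.exe",
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\IE\QZ8K2L1F\invoice.pdf.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\current\Teams.exe",
]

# Profile locations from the Webroot figures, as patterns over the full image path.
# %appdata% and %temp% are the standard Windows variables; %cache% is assumed here to mean
# browser cache directories under %LOCALAPPDATA% (Webroot does not define it).
PROFILE_LOCATIONS = {
    "%appdata%": re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I),
    "%temp%":    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    "%cache%":   re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\.*\\(inetcache|cache2?)\\", re.I),
}

# File types that run code when opened; scripts included because droppers often are scripts.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".ps1", ".vbs", ".js", ".hta")

# Names attackers imitate with digit-for-letter swaps (svch0st, lsa55) to blend into Task Manager.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def classify_location(path: str) -> Optional[str]:
    """Return the profile-location label a path falls under, or None for anywhere else."""
    for label, pattern in PROFILE_LOCATIONS.items():
        if pattern.match(path):
            return label
    return None


def has_double_extension(filename: str) -> bool:
    """invoice.pdf.exe style names: a decoy document extension in front of the real one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in ("exe", "scr", "com")


def is_system_lookalike(filename: str) -> bool:
    """True when the name matches a system binary only after undoing digit-for-letter swaps."""
    raw = filename.lower()
    normalised = raw.translate(HOMOGLYPHS)
    return normalised in SYSTEM_BINARIES and normalised != raw


def assess(path: str) -> Optional[Dict]:
    """Flag an executable running from a user-writable profile location, with the reasons."""
    location = classify_location(path)
    if location is None or not path.lower().endswith(EXECUTABLE_EXT):
        return None
    filename = path.rsplit("\\", 1)[-1]
    reasons = [f"executable in {location}"]
    if has_double_extension(filename):
        reasons.append("double extension")
    if is_system_lookalike(filename):
        reasons.append("system-binary lookalike name")
    return {"path": path, "location": location, "reasons": reasons}


def triage(paths: List[str]) -> List[Dict]:
    """Run assess() over a batch, keep the flagged entries, most indicators first."""
    flagged = [hit for hit in (assess(p) for p in paths) if hit]
    return sorted(flagged, key=lambda h: -len(h["reasons"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["path"], "->", "; ".join(hit["reasons"]))
```

    In the sample, the Teams updater is flagged on location alone and sits at the bottom of the list, which is the point: path-based rules are a prioritisation aid, and a real deployment would confirm with the file’s code signature or hash before acting.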

    Devices running Windows 10 are, by Webroot’s infection-rate measure, at least twice as secure as those running Windows 7: Webroot has seen a relatively steady decline in malware on Windows 10 machines, for both consumer and business endpoints.

    “We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year’s report to know that the true innovators are the cybercriminals. They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses today is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset—not a weak link—in your cybersecurity program,” said Hal Lonas, CTO, Webroot.

    Despite the fall in cryptocurrency prices, cryptomining and cryptojacking are on the rise. The number of cryptojacking URLs Webroot saw each month from September through December 2018 was more than double the monthly count for the first half of the year. These techniques can be more lucrative than ransomware, since they do not depend on the victim paying a ransom and leave a smaller footprint. In web-based cryptojacking, Coinhive still dominates with more than 80 percent market share, though some copycat cryptojacking scripts are gaining in popularity.

    While ransomware was less of a problem in 2018, it became more targeted. We expect major commodity ransomware to decline further in 2019; however, new ransomware families will emerge as malware authors turn to more targeted attacks, and companies will still fall victim to ransomware. Many ransomware attacks in 2018 used the Remote Desktop Protocol (RDP) as the entry point, using search engines such as Shodan to find systems whose RDP service is reachable from the internet and weakly configured. Once an attacker has logged in over such a connection, they can browse the system’s data and its shared drives, which gives them enough intelligence to decide whether to deploy ransomware or some other type of malware.

    #Cybersécurité #Phishing #Malware

  • How Libertarian theology and Trump are destroying the Internet — and America – Alternet.org
    https://www.alternet.org/2019/01/how-libertarian-theology-and-trump-are-destroying-the-internet-and-america

    With speeds up to 100 times faster than current 4G cellular data, 5G will make possible everything from driverless cars to cell-connected long-distance drones to precision remote surgery. The amount of data flowing through our cellular systems will explode, along with places it can be used and the uses to which it can be applied.

    Remote applications that are currently too difficult to wire for high-speed internet or won’t work well at 4G speeds will easily become remotely controlled, spreading the internet revolution to every device in the home, office, and even remote workplaces.

    Along with all this data will, inevitably, come hackers, both criminal and state-sponsored. The amount of data that it now takes a third of a year to harvest with 4G can be scooped up in a single day using 5G.

    Given that the U.S. government invented the internet (yes, Al Gore did co-author the legislation) and has a huge stake in its security, doesn’t it make sense that our government should provide, at least in framework and standards, for its security?

    But, no. Trump and Pence want to do to the FCC what they’ve done to the EPA, the Department of the Interior, the FDA, and to oversight of our banking systems.

    According to Trump and his billionaire libertarian owners, the safety and security of America is not the proper role of government. Not our air, our water, our public lands, or even our internet.

    “Just turn it all over to the billionaires,” they say. “What could possibly go wrong?”

    FCC Chairman Ajit Pai, the former Verizon lawyer, even went so far as to say that “the market, not government, is best positioned to drive innovation and leadership” with regard to internet security.

    Meanwhile, the President’s National Security Telecommunications Advisory Committee—after looking at how 5G will blow open data operations across the country—wrote just three months ago that “the cybersecurity threat now poses an existential threat to the future of the nation.”

    #Cybersécurité #Libertariens #Idéologie_californienne #5G #Normalisation

  • Stéphane Bortzmeyer’s book « Cyberstructure : L’Internet, un espace politique » wins the Cybersecurity book prize awarded by Forum FIC 2019.

    This week Lille hosts the Forum International de la Cybersécurité (#FIC2019). The forum brings together more than 8600 participants from 80 countries for three days of debates and talks, some political and military, others technical (https://www.forum-fic.com/accueil.htm).

    As every year, the Forum assembles a jury of experts to award prizes to the most important books in the field. This year there were 42 works in competition and 4 prize-winning books (see below).

    Among them, the book « Cyberstructure : L’Internet, un espace politique » by Stéphane Bortzmeyer, published by C&F éditions
    (https://cfeditions.com/cyberstructure)

    It must be said that this one has a particular appeal:

    – it is a technically very precise work, a quality that also lets it avoid getting lost in dense explanations and ultimately produces a very pedagogical book. Every computer science student should have read such a work to understand the structure of the Internet and the stakes of cryptography or blockchain, without drowning in too much detail or settling for superficial or ill-informed views;

    – Cyberstructure also bridges the technical stakes of the Internet and fundamental political questions, notably human rights: how interpretations of computer code can reduce Internet users’ capacity for expression and privacy, and how these questions should be present in the mind of every software developer, so that the defence of human rights is written into the code and architecture of the digital world.

    Drawing on long experience as an engineer and written by an ardent defender of freedom of expression and of the digital communication commons, Cyberstructure is a book that speaks to many audiences.

    The first readers are unanimous: a book to recommend without reservation for understanding the Internet and for acting in defence of human rights in the digital world.

    And they are many: in a month and a half the first print run sold out. The second print run arrives Friday, so you can order right now without hesitation from your favourite bookshop or online on our site: https://cfeditions.com

    Results of the FIC2019 book competition
    ---------------------------------------
    https://www.forum-fic.com/accueil/prix/prix-du-livre.htm

    1/ The work devoted to Louis Pouzin was classed « hors concours » (out of competition).

    Louis Pouzin will receive a special tribute in the presence of the authors during Minister Parly’s address on the afternoon of Tuesday 22 January.

    2/ Prize winners (42 competing works)

    « Grand public » (general public) prize: Gilles Fontaine, Dans le cyberespace, personne ne vous entend crier, éditions Jean-Claude Lattes

    « Cybersécurité » prize: Stéphane Bortzmeyer, Cyberstructure, l’internet un espace politique, C&F Éditions

    « Cyberdéfense » prize: Stéphane Taillat, Amaël Cattaruzza, Didier Danet, La Cyberdéfense, politique de l’espace numérique, éditions Armand Colin.

    « Coup de cœur du Jury » (jury’s favourite): Stéphane Mallard, Disruption, préparez-vous à changer le monde, éditions Dunod.

    #Cyberstructure #Stéphane_Bortzmeyer #FIC_2019 #Cybersécurité

  • The big fashion trends of 2019 in #cybersécurité
    (article from a month ago, 5/12/18)

    « Name and shame », « spear phishing »... the cyber threats to fear in 2019
    https://www.latribune.fr/technos-medias/name-and-shame-spear-phishing-les-menaces-cyber-a-craindre-en-2019-799827.

    2019 should see a surge in cyberattacks against network hardware (routers, modems...) and the Internet of Things, according to the predictions of the Russian cybersecurity specialist Kaspersky Lab. A look at the main cyber threats to come in the year ahead.
    […]
    [Attacks on routers]
    […]
    Geopolitically motivated cyberattacks
    […]
    « Spear phishing », « the most effective infection »
    […]
    Asia and the Middle East, breeding grounds for new attackers
    […]
    « The barrier to entry has never been lower, with hundreds of very effective tools and exploits from catalogued leaks », says Vicente Diaz [of Kaspersky Lab]. He goes on: « And as an added advantage, such tools make attribution (of cyberattacks) almost impossible and can easily be customised. »

  • The first (?) comic book to deal with #cybersécurité and #cyberguerre, « #Cyberfatale » is a good introduction to the world of « cyber » conflict between states.

    It is rather well researched and contains very few silly mistakes or errors. (And it is fun, too.)

    http://www.editions-ruedesevres.fr/cyberfatale

    An interview with the authors:

    http://www.editions-ruedesevres.fr/la-cybercom%C3%A9die-au-c%C5%93ur-de-l%C3%A9tat-major

  • Many people believe that, unlike WiFi, mobile telephony technologies (GSM, 3G, 4G, etc.) are secure and (I heard this in an otherwise serious meeting) « unhackable ».

    That is obviously completely false, as the #EFF reminds us, calling for awareness and serious action against these security flaws.

    https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

    #cybersécurité #SS7 #IMSI_catcher

  • The CIA’s communications suffered a catastrophic compromise
    https://www.yahoo.com/tech/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.h

    #Espionnage and #cybersécurité: dozens of #CIA agents arrested or executed... with a simple #Google click!
    https://information.tv5monde.com/info/espionnage-et-cybersecurite-des-dizaines-d-agents-de-la-cia-ar

    At least 30 agents « neutralised », dozens of others unmasked. The CIA paid a heavy price in intelligence between 2009 and 2013. The American agency had « hidden » communication servers on the #Internet. The Iranian and Chinese services had found the « magic formula » to recover their addresses. Explanations.

    #Etats-Unis #Iran #Chine

  • Google will shut down Google+ after the discovery of a security flaw that affected the data of at least 500,000 users
    https://abonnes.lemonde.fr/pixels/article/2018/10/08/google-va-fermer-google-apres-la-decouverte-d-une-faille-de-securite

    The Wall Street Journal revealed on Monday 8 October that a security flaw in the social network Google+, launched by Google in 2011 to compete with Facebook, had put its users’ personal data at risk. According to the American daily’s article, personal information from accounts was accessible in an unintended way through the service’s programming interface (API, a set of rules and software that let outside services « plug into » Google+, for example to sign in).

    This « bug » in Google+’s code remained live for three years, between 2015 and 2018, according to the Wall Street Journal, before Google discovered the problem in March this year during an internal audit and decided to fix it without informing either regulators or its users.

    According to an internal memorandum seen by the Wall Street Journal, Google reportedly hesitated to make the discovery of this flaw public, and finally decided to fix it while keeping its existence secret, in order to avoid « being put in the spotlight alongside or instead of Facebook ».

    At the time the flaw was discovered, Facebook was indeed at the centre of a vast scandal over the use by the company Cambridge Analytica of personal data harvested from accounts on the social network founded by Mark Zuckerberg. That data had been used for political ends, to support Donald Trump’s 2016 presidential campaign or, the same year, the Brexit campaign in the United Kingdom. It had been collected using a Facebook feature that made it easily accessible, and the company had been sharply criticised, including by several governments and parliamentary committees in the United States and Europe.

    Had it been a few weeks later, Google would have had no choice in the matter: in Europe, the General Data Protection Regulation (GDPR) requires the discovery of a flaw of this type to be reported to privacy regulators, and also, where applicable, that the users affected by a data leak be informed. The text came into force in May 2018. In the United States, large companies are only required to announce the discovery of this type of flaw if data has actually been stolen.

    #Google #Cybersécurité #Données_personnelles

  • #Cybersécurité, #Reconnaissance_faciale and #Réseaux_Sociaux:
    Social Mapper, when facial recognition becomes too accessible… even a danger
    https://www.presse-citron.net/social-mapper-quand-la-reconnaissance-faciale-devient-trop-accessible

    This small piece of software makes it possible to track people across different social networks. LinkedIn, Facebook, Twitter, Instagram… more or less every social network is on the menu. All it takes is a name and a photo. This small program can find anyone on the various platforms automatically.

    The software is open source, under a free licence, and is available on GitHub with almost no restriction on its use. It was put online by researchers at Trustwave SpiderLabs. The idea, of course, is to help security researchers.

    Further reading: A facial recognition tool tracks profiles on social networks
    https://siecledigital.fr/2018/08/09/un-outil-de-reconnaissance-faciale-traque-les-profils-sur-les-reseaux-

    On its official blog, #Trustwave said: « What if this could be automated and performed at scale with hundreds or thousands of people? »

  • #Cybersécurité: a flaw discovered in the instant #messagerie (messaging) app #WhatsApp
    https://www.rtbf.be/info/medias/detail_cybersecurite-une-faille-decouverte-sur-la-messagerie-instantanee-whatsa

    According to [the Israeli cybersecurity specialist] CheckPoint, would-be attackers could act on conversations in three different ways: by modifying messages posted by a person, by posting a message in a group while impersonating one of the participants, or by sending a specific message to a group member while making it look like a group message.

  • Russian agents allegedly used Bitcoin to fund the DNC hack - MIT Technology Review
    https://www.technologyreview.com/the-download/611648/russian-agents-allegedly-used-bitcoin-to-fund-the-dnc-hack

    Among the many new details in today’s indictment (PDF) of 12 Russian intelligence officers for cyberattacks meant to interfere with the US presidential election in 2016, one in particular should stand out to techies: the defendants allegedly used Bitcoin to fund the operation.

    A web of dark money: According to the US Department of Justice’s indictment, the defendants “conspired to launder” more than $95,000 “through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as Bitcoin.” They allegedly mined coins and acquired them “through a variety of means to obscure the origin of the funds,” which were used to finance cyberattacks against Democratic party officials, members of Hillary Clinton’s campaign, and others.

    Cat and mouse: Though the indictment says they used hundreds of different e-mail accounts with fake names to handle Bitcoin payments and cover their tracks, investigators linked messages from “several dedicated email accounts” to corresponding transactions on the Bitcoin blockchain. According to the indictment, the defendants also sometimes facilitated Bitcoin payments on the same computers they used to “conduct their hacking activity.”

    The takeaway: If you weren’t convinced that cryptocurrencies are a magnet for would-be money launderers, this should help. Beyond that, though: Bitcoin is not anonymous! Using clues from outside the internet, which the Mueller team clearly had, it’s quite possible to follow the money on the blockchain and root out individuals behind the transactions (see “Criminals thought Bitcoin was a perfect hiding place, but they thought wrong”).

    #Bitcoin #Argent_sale #Cybersécurité

  • The percentage of open source code in proprietary apps is rising - Help Net Security
    https://www.helpnetsecurity.com/2018/05/22/open-source-code-security-risk

    Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed that:

    – 96 percent of the scanned applications contain open source components, with an average 257 components per application, and that
    – the average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

    “Today, open source use is pervasive across every industry and is used by organizations of all sizes. The reasons are straightforward—open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity,” analysts with the Synopsys Center for Open Source Research & Innovation (COSRI) have noted.

    #Logiciels_libres #Open_source #Cybersécurité

  • Huawei and ZTE Targeted While Security Ban Advances at U.S. FCC - Bloomberg
    https://www.bloomberg.com/news/articles/2018-04-17/huawei-zte-targeted-as-security-ban-advances-at-u-s-fcc

    U.S. regulators moved to extend a crackdown on China equipment makers as security risks, backing a ban on federal subsidies to buy networking gear from manufacturers such as Huawei Technologies Co. and ZTE Corp.

    The Federal Communications Commission voted 5-0 on Tuesday in favor of banning federal funds from being spent with companies determined to be a risk to U.S. national security. The ban won’t be final until a second vote by the FCC, which in a draft order noted congressional scrutiny of Huawei and ZTE as possible security threats.

    “For years, U.S. government officials have expressed concern about the national security threats posed by certain foreign communications equipment providers in the communications supply chain,” FCC Chairman Ajit Pai said. “Hidden ‘backdoors’ to our networks in routers, switches, and other network equipment can allow hostile foreign powers to inject viruses and other malware, steal Americans’ private data, spy on U.S. businesses, and more.”

    #Commerce_international #OMC #Cybersécurité #Cyberwarfare #Surveillance

  • Hackers once stole a casino’s high-roller database through a thermometer in the lobby fish tank
    http://www.businessinsider.fr/us/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-

    LONDON — Hackers are increasingly targeting “internet of things” devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

    The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.

    Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: “There’s a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface, and most of this isn’t covered by traditional defenses.”

    Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby.

    “The attackers used that to get a foothold in the network,” she said. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”

    Robert Hannigan, who ran the British government’s digital-spying agency, Government Communications Headquarters, from 2014 to 2017, appeared alongside Eagan on the panel and agreed that hackers’ targeting of internet-of-things devices was a growing problem for companies.

    “With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem,” Hannigan said. “I saw a bank that had been hacked through its CCTV cameras, because these devices are bought purely on cost.”

    He called for regulation to mandate safety standards.

    “It’s probably one area where there’ll likely need to be regulation for minimum security standards, because the market isn’t going to correct itself,” he said. “The problem is these devices still work — the fish tank or the CCTV camera still work.”

    #Cybersécurité #Internet_Objets

  • They forked this one up: Microsoft modifies open-source code, blows hole in Windows Defender • The Register
    https://www.theregister.co.uk/2018/04/04/microsoft_windows_defender_rar_bug

    A remote-code execution vulnerability in Windows Defender – a flaw that can be exploited by malicious .rar files to run malware on PCs – has been traced back to an open-source archiving tool Microsoft adopted for its own use.

    The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device.

    The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim’s machine simply by getting the mark to download – via a webpage or email or similar – a specially crafted .rar file while the anti-malware engine’s scanning feature is on. In many cases, this analysis is set to happen automatically.

    When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer.

    The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives.

    Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system’s antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.

    In other words, Redmond pulled a fork-and-bork.

    #Logiciel_libre #Microsoft #Cybersécurité

    • Let me quote the key sentence:

      Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system’s antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
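
    The signed-to-unsigned conversion the article describes, shown on a toy header check in C. This is an added illustration, not code from unrar, Microsoft or the article, and it does not reproduce the actual CVE-2018-0986 code path; the `total`/`consumed` header fields and the function names are invented for the example. The point it makes is the one in the quoted sentence: a guard written for signed arithmetic stops working, silently, once the variables become unsigned.

```c
#include <stdio.h>
#include <limits.h>

/* Toy model of a parser check (constructed for this illustration, not the
 * unrar or Windows Defender code): an archive header says a record is `total`
 * bytes long, the parser has already consumed `consumed` of them, and the
 * remainder is about to be copied somewhere. Each function returns the byte
 * count it would hand to the copy, or -1 if the header is rejected. */

/* Original style: signed arithmetic. A header claiming consumed > total
 * yields a negative remainder, which the guard rejects. */
long long tail_len_signed(int total, int consumed) {
    int remaining = total - consumed;
    if (remaining < 0)          /* meaningful: catches consumed > total */
        return -1;
    return remaining;
}

/* The same code after a blanket signed-to-unsigned conversion of the
 * variables. The subtraction now wraps modulo UINT_MAX+1 instead of going
 * negative, and `remaining < 0` is a tautology (compilers warn that it is
 * always false), so the guard is dead and a hostile header passes a huge
 * length straight through to the copy. */
long long tail_len_unsigned(unsigned int total, unsigned int consumed) {
    unsigned int remaining = total - consumed;
    if (remaining < 0)          /* dead check: never true for an unsigned value */
        return -1;
    return (long long)remaining;
}

/* Corrected unsigned version: compare before subtracting, so no wrap-around
 * can occur and the malformed header is rejected again. */
long long tail_len_unsigned_fixed(unsigned int total, unsigned int consumed) {
    if (consumed > total)
        return -1;
    return (long long)(total - consumed);
}

int main(void) {
    /* Constructed hostile header: claims 10 bytes total, 12 already consumed. */
    printf("signed:         %lld\n", tail_len_signed(10, 12));
    printf("unsigned:       %lld\n", tail_len_unsigned(10u, 12u));
    printf("unsigned fixed: %lld\n", tail_len_unsigned_fixed(10u, 12u));
    return 0;
}
```

    With the signed version the malformed header (consumed > total) is rejected. After the blanket conversion the same header yields UINT_MAX-1 bytes, which the dead check waves through; a copy of that many bytes is the kind of memory corruption the article refers to. Comparing before subtracting restores the guard without bringing signed arithmetic back, and a compiler flag that treats "comparison always false" warnings as errors would have flagged the dead check at build time.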

  • Russian authorities demand that Telegram hand over encryption keys
    http://abonnes.lemonde.fr/pixels/article/2018/03/20/les-autorites-russes-demandent-a-telegram-de-livrer-des-cles-de-cryp

    This is a new episode in the standoff between the FSB (Russian security services) and the messaging app Telegram. The federal telecoms regulator Roskomnadzor ordered the messaging service on Tuesday 20 March to provide the FSB, within fifteen days, with the encryption keys allowing it to read « electronic messages received, transmitted, or in the process of being sent », on pain of being blocked.

    France’s « socialist » government is not alone on this ground. Surprising, isn’t it?

    #Chiffrement #Telegram #Cybersécurité #Liberté_expression