Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common, and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems they have spread to Android as well: nearly all new mobile malware in Q3 2011 targeted Android. If antivirus software becomes a universally accepted requirement on a mobile platform (the way it is on Windows), has that platform failed and missed the whole point of being a mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year's findings included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In the USA the Patriot Act lets the authorities investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”), have agreed to provide backdoor access on their devices.
The article Geo-location tagging in smartphones to potentially cause major security risks says that geo-location tagging security issues are likely to be a major issue in 2012, and that many smartphone users are unaware of the potentially serious security consequences of using the technology. When smartphone images are uploaded to the Internet (to portals such as Facebook or Flickr), there is a strong chance that the GPS location data embedded in them is uploaded as well. This information could subsequently be misused by third parties.
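To make the leak concrete, here is an added example (my own code, not from the article above) that parses the Exif block of a JPEG, pulls the GPS sub-IFD out of it and decodes the coordinates, then strips the Exif segment before the picture is shared. The sample JPEG is constructed inline: a JFIF header, an Exif block with a little-endian TIFF carrying a GPS IFD, and a stub scan segment, so it is not a decodable picture, only the metadata container. The tag numbers (0x8825 for the GPS IFD pointer, 0x0001 to 0x0004 for the latitude/longitude tags) are the standard Exif values.

```python
import struct
from fractions import Fraction

APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004  # GPS sub-IFD tags

def iter_segments(jpeg):
    """Yield (marker, offset, raw_segment) for each marker segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == EOI:
            yield marker, pos, jpeg[pos:pos + 2]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, jpeg[pos:pos + 2 + length]
        if marker == SOS:  # entropy-coded image data follows; no more metadata segments
            return
        pos += 2 + length

def _ifd(tiff, endian, off):
    """{tag: raw 4-byte value field} for the IFD at off (types/counts dropped for brevity)."""
    (count,) = struct.unpack(endian + "H", tiff[off:off + 2])
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag = struct.unpack(endian + "H", tiff[e:e + 2])[0]
        entries[tag] = tiff[e + 8:e + 12]
    return entries

def gps_coordinates(jpeg):
    """Signed decimal (lat, lon) from the Exif GPS sub-IFD, or None if there is none."""
    for marker, _, seg in iter_segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _ifd(tiff, endian, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER])[0])
        if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
            return None

        def dms(val_field):  # three RATIONALs (deg, min, sec) stored at an offset
            (off,) = struct.unpack(endian + "I", val_field)
            total = Fraction(0)
            for i, divisor in enumerate((1, 60, 3600)):
                num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
                total += Fraction(num, den) / divisor
            return float(total)

        lat = dms(gps[LAT]) * (-1 if gps[LAT_REF][:1] == b"S" else 1)
        lon = dms(gps[LON]) * (-1 if gps[LON_REF][:1] == b"W" else 1)
        return lat, lon
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, pos, seg in iter_segments(jpeg):
        if marker == SOS:
            out += jpeg[pos:]  # SOS, entropy-coded data and EOI copied verbatim
            return bytes(out)
        if not (marker == APP1 and seg[4:10] == EXIF_HEADER):
            out += seg
    return bytes(out)

def build_sample_jpeg():
    """Constructed input: JFIF + Exif with GPS 60 10'30\"N 24 56'15\"E + a stub scan (not decodable)."""
    def rationals(*pairs):
        return b"".join(struct.pack("<II", n, d) for n, d in pairs)
    # Little-endian TIFF: header @0, IFD0 @8 (1 entry), GPS IFD @26 (4 entries),
    # latitude RATIONALs @80, longitude RATIONALs @104.
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + b"N\x00\x00\x00" + struct.pack("<HHII", LAT, 5, 3, 80)
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + b"E\x00\x00\x00" + struct.pack("<HHII", LON, 5, 3, 104)
    tiff += struct.pack("<I", 0)
    tiff += rationals((60, 1), (10, 1), (30, 1)) + rationals((24, 1), (56, 1), (15, 1))
    exif = b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_HEADER) + len(tiff)) + EXIF_HEADER + tiff
    jfif = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + jfif + exif + b"\xff\xda\x00\x02\x12\x34\xff\xd9"
```

Two caveats for anyone turning this into a real upload filter: dropping the whole Exif APP1 block also throws away harmless tags such as orientation (a careful rewriter would rebuild IFD0 without the GPS pointer), and location can also travel in an XMP APP1 block or in a sidecar file, so a filter that only looks at Exif does not cover every case.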
You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino, “The balance of freedom and security”). Usernames are dumped for all to see, and passwords and personal identification numbers are published. Knowledge of access management becomes even more important: who has the right to know what, when, and in which role? Access, identity and role management are essential for protecting the whole system, and implementations of such systems are still far from complete.
When designing networked services, security should be designed in at the planning stage rather than bolted on at the end of implementation. Even a secure network and information system cannot operate in a vacuum.
The reliability of server certificates will face more and more problems. We may see more certificate authority bankruptcies caused by cyber attacks against them, as happened to DigiNotar in 2011. Certificate attacks that used to focus on PC web browsers have now been proven effective against mobile browsers as well.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in specific ways) they could sneak common exploits past many IDS/IPS systems (including their own at the time, last summer). Using the right tool set (including a custom TCP/IP stack), attackers could sneak past our best defenses. This is real, and Stonesoft foresees a not too distant future where things like botnet kits will have this as a checkbox feature.
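To show why a custom TCP/IP stack matters here, the following is an added example of my own (not Stonesoft's tooling, and a simplification of one evasion class rather than the full AET combinations they describe): the attacker splits a request so that no single segment contains the IDS signature, delivers the segments out of order, and then adds an overlapping decoy segment. A per-packet matcher never fires; a stream-reassembling matcher does, but only if its overlap policy matches the victim's TCP stack. That ambiguity is the insertion/evasion problem described by Ptacek and Newsham in 1998. The request and signature are constructed for the example.

```python
SIGNATURE = b"/etc/passwd"
REQUEST = b"GET /cgi-bin/view?f=/etc/passwd HTTP/1.0\r\n\r\n"  # constructed attack request
BASE_SEQ = 1000

def split_out_of_order(data, base_seq, chunk):
    """Attacker side: cut `data` into `chunk`-byte TCP segments and send them in reverse."""
    segs = [(base_seq + i, data[i:i + chunk]) for i in range(0, len(data), chunk)]
    segs.reverse()
    return segs

def with_overlap_decoy(segments, base_seq, data, target, decoy):
    """Attacker side: send a decoy segment covering `target`'s bytes before the real ones."""
    assert len(decoy) == len(target)
    return [(base_seq + data.index(target), decoy)] + segments

def naive_ids(segments, signature=SIGNATURE):
    """Per-packet inspection: fires only if one segment carries the whole signature."""
    return any(signature in payload for _, payload in segments)

def reassemble(segments, policy="first"):
    """Rebuild the stream from (seq, payload) segments in arrival order.
    'first': bytes already received win on overlap; 'last': later data overwrites.
    Real stacks differ on exactly this point, which is what the evasion exploits."""
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            if policy == "last" or (seq + i) not in stream:
                stream[seq + i] = byte
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    if len(stream) != hi - lo + 1:  # a hole: a real reassembler would wait for the gap to fill
        raise ValueError("stream has gaps")
    return bytes(stream[off] for off in range(lo, hi + 1))

def stream_ids(segments, signature=SIGNATURE, policy="first"):
    """Stream inspection: match against the reassembled byte stream."""
    return signature in reassemble(segments, policy)

if __name__ == "__main__":
    segs = split_out_of_order(REQUEST, BASE_SEQ, 4)
    print("out-of-order only: naive=%s stream=%s" % (naive_ids(segs), stream_ids(segs)))
    decoyed = with_overlap_decoy(segs, BASE_SEQ, REQUEST, b"passwd", b"xxxxxx")
    for policy in ("first", "last"):
        print("with decoy, %s-wins reassembly: %s -> %r"
              % (policy, stream_ids(decoyed, policy=policy), reassemble(decoyed, policy)))
```

The point of the decoy case is that both reassembled streams are internally consistent; the IDS simply has no way to know which one the target host will act on unless it models that host's stack. That is why the countermeasures are normalization (rewriting ambiguous traffic before it reaches the host) or target-aware reassembly, not more signatures.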
The rise of printer malware is real. Printer malware: print a malicious document, expose your whole LAN reports that a print job carrying a malicious firmware image can replace the printer's operating system, after which the printer can send your sensitive documents anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for its printers, and in HP Refutes Inaccurate Claims; Clarifies on Printer Security it disputes parts of the report. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
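The core of the NIST approach is measure, report, verify: hash each firmware component before it runs, fold the hash into a register that can only be extended, log what was measured, and let a separate verifier replay the log against known-good values. The example below is my own simulation of that loop, not code from NIST or any vendor. It uses a TPM-style extend operation (PCR' = SHA-256(PCR || measurement)) over constructed stand-in firmware blobs; a real system measures flash regions into a TPM PCR and authenticates the reported value with a signed quote, which this example omits.

```python
import hashlib

PCR_INIT = bytes(32)  # a fresh PCR bank starts at all zeros

def extend(pcr, measurement):
    """TPM-style extend: PCR' = H(PCR || measurement). Order matters and nothing can be
    undone, so the final value commits to the whole boot sequence."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(components):
    """Firmware side: hash each component before handing control to it, extend the
    PCR and append to the event log. components = [(name, image_bytes)] in boot order."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        measurement = hashlib.sha256(image).digest()
        log.append((name, measurement))
        pcr = extend(pcr, measurement)
    return pcr, log

def verify_report(reported_pcr, event_log, golden):
    """Verifier side: check boot order, compare every measurement with its golden value,
    and replay the log to confirm it reproduces the reported PCR.
    golden = {name: digest} in expected boot order. Returns (ok, problems)."""
    problems = []
    if [name for name, _ in event_log] != list(golden):
        problems.append("component set or boot order differs from golden")
    replay = PCR_INIT
    for name, measurement in event_log:
        if golden.get(name) != measurement:
            problems.append("unexpected measurement for %s" % name)
        replay = extend(replay, measurement)
    if replay != reported_pcr:
        problems.append("event log does not replay to the reported PCR")
    return not problems, problems

# Constructed stand-ins for firmware images; on real hardware these are flash regions.
GOOD_BOOT = [("boot_block", b"BB v1.0"), ("main_bios", b"BIOS v1.0"), ("option_rom", b"NIC ROM v3")]
GOLDEN = {name: hashlib.sha256(image).digest() for name, image in GOOD_BOOT}

def implanted_boot():
    """Same boot sequence, but the main BIOS image carries an implant."""
    return [(n, img + b"+implant" if n == "main_bios" else img) for n, img in GOOD_BOOT]

if __name__ == "__main__":
    pcr, log = measured_boot(GOOD_BOOT)
    print("clean boot:", verify_report(pcr, log, GOLDEN))
    bad_pcr, bad_log = measured_boot(implanted_boot())
    print("implanted, honest log:", verify_report(bad_pcr, bad_log, GOLDEN))
    print("implanted, forged clean log:", verify_report(bad_pcr, log, GOLDEN))
```

The last case is the one that matters for the guideline: an attacker who controls the BIOS can rewrite the event log to look clean, but cannot rewind the register, so the forged log fails to replay to the reported value. The weak spot this leaves is the first measurement itself, which is why 800-155 puts so much weight on a hardware-protected root of trust for measurement.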
According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which lives are lost because of security attacks. Whether this happens remains to be seen, the company says, but the risk comes from attacks against industrial SCADA systems in targets such as hospitals or automated drug delivery systems. I already posted about SCADA system security issues around a month ago.
849 Comments
Tomi Engdahl says:
Disaster Strikes Norwegian Government Web Portal
http://it.slashdot.org/story/12/03/22/0133237/disaster-strikes-norwegian-government-web-portal
Altinn.no is a web service run by the Norwegian government
This year, as every year, the site was unable to cope with the traffic generated from everyone wanting to check their taxes at the same time. New this year, however, was that once people were finally able to log in, a significant number of people were logged in as someone else.
Disaster strikes Norwegian government web portal
http://icrontic.com/article/altinn-goes-down
It is not known how many people got access to this information, or if any data were copied or downloaded.
It is unknown how long Altinn will be down, and what is being done to prevent this from happening again.
Brønnøysundregisteret, the company responsible for the web portal, was assembled for a crisis meeting at 11:00 PM. To make matters worse, DNV, a Norwegian company responsible for quality assessment and certification, published a report in the beginning of 2012, stating:
“Altinn is a rushed solution, testing has been lackluster at best, the service has very few options for future upgrades and the overall quality is considered to be below average. Furthermore, we question the competence and preparation of the publisher to manage such a complex system as Altinn.”
Tomi Engdahl says:
Hacktivists nicked more data than CYBER-CRIMINALS in 2011
http://www.theregister.co.uk/2012/03/22/verizon_security_breach_trends/
Hacktivism had a massive effect on the overall data breach scene last year.
More than half (58 per cent) of data stolen last year can be attributed to hacktivism – hacking to advance political and social objectives – according to the latest edition of the Data Breach Investigations report from Verizon.
Seventy-nine per cent of attacks covered by Verizon’s report were opportunistic. Only 4 per cent of the overall total were rated as particularly challenging for hackers to carry out. In addition, an estimated 97 per cent of breaches might have been avoidable without recourse to difficult or expensive countermeasures.
Hacktivism by groups like Anonymous and LulzSec figured in many data breaches last year. Wade reckons recent arrests might reverse this trend, but he’s far from sure on this point.
“Anonymous is a movement. It’s hard to stop a movement by taking out individuals,” he said.
Hacking appeared in 81 per cent of breaches (compared with 50 per cent in 2010) and malware featured in 69 per cent of breaches last year (also up from the 49 per cent recorded in 2010).
The increase is easily explained: hacking and malware offer outsiders an easy way to exploit security flaws and gain access to confidential data. The ready availability of easy-to-use hacking tools also contributes to this effect.
Social engineering (tricking end users into doing something stupid or handing over information to attackers) and SQL injection attacks against vulnerable webservers also figured as a factor in many attacks.
Another important factor in attacks is the slow speed at which organisations patch up vulnerable systems and the length of time between a successful compromise and its discovery, which is most often measured in months or even years. Third parties continue to detect the majority of breaches (92 per cent).
The US Secret Service and the Met Police’s Central e-Crime Unit collaborated with Verizon in preparing the report.
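Since SQL injection against web servers is one of the two techniques the report singles out, here is an added example of my own (not from the Verizon report or the article above) showing the bug and its fix side by side against an in-memory SQLite database. The user table is constructed for the example and stores plaintext passwords only so the injection stays visible; a real system stores password hashes.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: user input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    """Parameterized query: input is bound as data and cannot change the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def looks_like_injection(value):
    """Cheap log-side heuristic: quote and comment tokens in a login name are worth an alert.
    It is a detection aid for the months-long discovery gap the report describes, not a defence."""
    return any(token in value for token in ("'", '"', "--", ";", "/*", "*/"))

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("alice' --", "wrong"), ("x' OR '1'='1", "x' OR '1'='1")]:
        print("%-16r vulnerable=%-6r fixed=%-6r flagged=%r"
              % (user, login_vulnerable(db, user, pw), login_fixed(db, user, pw),
                 looks_like_injection(user)))
```

With `alice' --` the comment marker removes the password check entirely; with `x' OR '1'='1` the OR makes the predicate true for every row and the first row is returned. The parameterized version returns nothing for both, because the quote characters arrive as data, never as syntax.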
Tomi Engdahl says:
Power your mobile strategy with a cloud
Use a private cloud to handle security, management and data access for your mobile workforce
http://www.networkworld.com/research/2012/032012-power-your-mobile-strategy-with-257451.html?page=1
Mobile devices will soon be driving cloud computing — and vice versa. Here’s why: It’s very sensible to use a private cloud for security, management and other aspects of mobile applications. But getting there will require planning and investment by IT.
Some have already moved in this direction. In a December 2011 survey of 3,645 IT decision-makers in eight countries, a third of the respondents said that providing information access to multiple devices was their top reason for implementing cloud computing.
Why adopt a cloud? Top motivating factors:
- Accessibility to information via multiple devices – 33%
- Accelerating business speed – 21%
- Cutting costs – 17%
Source: TNS/CSC survey, December 2011; 3,645 respondents
“The nice part of this is that we get automatic rendering of content to all mobile devices, removing or eliminating the need to write device-specific apps” for iPhone or Android devices, among others, Peltz explains. After the CMS is fully implemented, “it will allow all of our content to be managed by end users or departments or business units,” he says.
Among the issues his group has wrestled with are whether to build a Web portal that adapts itself based on the device that is coming into it, or to go with a device-specific app. Today the firm is using both approaches.
But the company also has a web portal “where I can do the exact same thing,” Miller says. The goal is to have “inputs coming in from just about any mobile device.”
Although mobile computing and mobile cloud computing may sound the same, they are in fact very different. In “regular” mobile computing, applications run on a mobile device in native mode, with the application and data all stored on the device.
Running a mobile application in native mode has some advantages — most important, no latency or network bandwidth problems. But applications that run on mobile devices are often limited in functionality and are generally not business-class applications; it’s very rare to find native smartphone apps used as serious front ends for database queries, for instance.
In contrast, mobile cloud computing applications run on servers that reside in the cloud. Application data also lives in the cloud and results are fed back to the mobile device via an over-the-air network such as 3G or 4G. Users access apps and data via the browser on their mobile devices.
Because data (and some applications) move between mobile devices and the cloud via off-premises networks, security is a major consideration.
Jeff Deacon, director of corporate strategy at Verizon Business, says that in most organizations today, mobile devices are coming in straight across the Internet, and this is not a good idea. “If you poke a hole in your firewall for access from a mobile device you have effectively poked a hole in your firewall for anyone in the world. Securing a gateway specific to mobile devices that can support various operating systems — iOS, Android, Windows — is very important.”
Deacon says that many companies do not allow access to back-office data across the Internet. Access to secured data with smartphones or tablets should be done via a VPN.
“The usability group wants to make it easier for people to use the phone, while the security folks want to make it more difficult,” says Eric Miller, CIO at Erie Insurance.
“We rely on the security of the phone to allow people to get into the app, but then you have to authenticate yourself against our back-end system,” he says.
Tomi Engdahl says:
Scores of US federal agencies still open to 2008 cache attack
http://www.theregister.co.uk/2012/03/23/dnssec_roll_out/
US federal agencies are still struggling to roll out mandated technology that would make it much harder for attackers to spoof their websites.
The Federal Information Security Management Act set a December 2010 deadline to deploy DNSSEC, or DNS Security Extensions, on federal domains. However a survey by Domain Name System vendor Secure64 found that only 57 per cent of the federal agencies (205 out of 359) have introduced DNSSEC technology into their environments, defined as DNS digital signing happening on at least one of their name servers.
DNSSEC uses public key encryption and digital authentication to guard against the cache poisoning attack highlighted by researcher Dan Kaminsky back in 2008. Cryptographic checks make it a hell of a lot more difficult for attackers to spoof the address look-up servers that translate domain names into numerical IP addresses.
Tomi Engdahl says:
DoD Networks Completely Compromised, Experts Say
http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-say
A group of U.S. federal cybersecurity experts recently blasted the Defense Department’s network security efforts and called for a completely new and different model for DoD cybersecurity in the future.
The Defense Department’s (DoD) computer networks have been totally compromised by foreign spies, according to federal cybersecurity experts. The experts, speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, say current efforts to protect those networks are misguided at best.
Those experts claim that the billions spent by the government on cybersecurity have provided only a limited increase in protection; attackers can penetrate DoD networks; and the defense supply chain and physical systems are at high risk of attack.
“DoD is capability-limited in cyber, both defensively and offensively,” Gabriel told the panel. “We need to change that.”
So, the DoD can’t protect its networks but we’re supposed to think the Department of Homeland Security (DHS) will be able to protect those in the private sector? That legislation is still out there, and it’s making me more nervous every day.
Tomi says:
The Translucent Cloud: Balancing Privacy, Convenience
http://www.wired.com/cloudline/2012/03/the-translucent-cloud/
As we migrate personal data to the cloud, it seems that we trade convenience for privacy. It’s convenient, for example, to access my address book from any connected device I happen to use. But when I park my address book in the cloud in order to gain this benefit, I expose my data to the provider of that cloud service.
When the service is offered for free, supported by ads that use my personal info to profile me, this exposure is the price I pay for convenient access to my own data. The provider may promise not to use the data in ways I don’t like, but I can’t be sure that promise will be kept.
Is this a reasonable trade-off?
For many people, in many cases, it appears to be.
Consider a social app that enables parents to find available babysitters. A conventional implementation would store sensitive data — identities and addresses of parents, identities and schedules of babysitters — as cleartext. If evildoers break into the service, there will be another round of headlines and unsatisfying apologies.
A translucent solution encrypts the sensitive data so that it is hidden even from the operator of the service, while yet enabling the two parties (parents, babysitters) to rendezvous.
How many applications can benefit from translucency? We won’t know until we start looking. The translucent approach doesn’t lie along the path of least resistance, though. It takes creative thinking and hard work to craft applications that don’t unnecessarily require users to disclose, or services to store, personal data. But if you can solve a problem in a translucent way, you should.
Tomi Engdahl says:
Microsoft Raids Tackle Net Crime
http://www.nytimes.com/2012/03/26/technology/microsoft-raids-tackle-online-crime.html?pagewanted=all
Microsoft has a big interest in making the Internet a safer place. Despite inroads made by Apple and others in some parts of the technology business, Microsoft’s Windows operating system still runs the vast majority of the computers connected to the Internet. The prevalence of its software has made Windows the most appealing target for online criminals, and the security holes they discover in the software are a persistent nuisance for Windows users.
Microsoft’s involvement in what had been considered largely a law enforcement function — fighting computer crime — is the brainchild of Richard Boscovich, a former federal prosecutor who is a senior lawyer in Microsoft’s digital crimes unit. That group watches over fraud that could affect the company’s products and reputation.
Among other things, he argued that the culprits behind botnets were violating Microsoft’s trademarks through fake e-mails they used to spread their malicious software.
Before Friday’s sweep, Microsoft attacked three botnets in the last couple of years through civil suits. In each case, Microsoft obtained court orders that permitted it to seize Web addresses and computers associated with the botnets without first notifying the owners of the property.
Some security experts said Microsoft’s tactics had been effective, even if they had not eradicated the scourge of botnets.
“Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed,”
After an earlier action against a botnet known as Waledac, for example, the software behind it was modified slightly to create a new botnet.
“You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again,” Mr. Nazario said.
Tomi Engdahl says:
Amid Privacy Concerns, Apple Has Started Rejecting Apps That Access UDIDs
http://techcrunch.com/2012/03/24/apple-udids/
Amid extra scrutiny from Congress around privacy issues, Apple this week has started rejecting apps that access UDIDs, or identification numbers that are unique to every iPhone and iPad.
Apple had already given developers a heads-up about the change more than six months ago when it said in some iOS documentation that it was going to deprecate UDIDs. But it looks like Apple is moving ahead of schedule with pressure from lawmakers and the media.
A few weeks ago, some of the bigger mobile-social developers told me that Apple had reached out and warned them to move away from UDIDs.
But this is the first time Apple has issued outright rejections for using UDIDs.
Playhaven, which helps developers monetize more than 1,200 games across iOS and Android, said several of its customers had been rejected in the last week. The company’s chief executive Andy Yang says that developers should try and stay as flexible as possible by supporting multiple ID systems until there’s a clear replacement.
“This is definitely happening,” Yang said. “In the next month or two, this is going to have an impact on all ad networks and apps using advertising. Everybody’s trying to make their own choices about what to use instead.”
This is a big deal because mobile ad networks use these ID numbers to make their advertising better targeted. Using UDIDs, mobile ad networks can track consumers from app to app to understand more about ads they respond to and apps they use most often.
“The UDID is essential for managing the conversion loop,”
“All the performance dollars that are spent on mobile are going to be impacted by this not being there.”
At the same time, however, there are very real privacy risks tied to the widespread use of UDIDs. They’re more sensitive than cookies on the web because they can’t be cleared or deleted. And they’re tied to the most personal of devices — the phones we carry with us everywhere.
Tomi Engdahl says:
Experts Tell Senate: Government Networks Owned, Resistance Is Futile
http://threatpost.com/en_us/blogs/experts-tell-senate-government-networks-owned-resistance-futile-032112
Network security experts from across the U.S. government told a U.S. Senate Armed Services Subcommittee Tuesday that federal networks have been thoroughly penetrated by foreign spies, and that current perimeter-based defenses that attempt to curb intrusions are outdated and futile.
“We’ve got the wrong mental model here,” Dr. James S. Peery, director of the Information Systems Analysis Center at Sandia National Laboratories, testified. “I don’t think that we would think that we could keep spies out of our country. And I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”
“We can do things to make it more costly for them to hack into our systems…,” Senator Rob Portman (R-OH), ranking member of the Emerging Threats and Capabilities subcommittee said as a point of clarification, “but you didn’t say we can stop them.”
Finally, the U.S. education system is failing to produce the number of people with the advanced skills and degrees that are needed.
“The production of computer scientists is on the decline,” NSA Director Wertheimer, the gloomiest of the group explained. “We are not recruiting and retaining them… I am concerned also that the investments from the Congress and the people is almost all period of performance of one year or less. It’s to build tools. It’s to be a rapid deployment of capability. I rarely get the opportunity to think 3 years down the line even, in research. The money that comes to us has a very directed purpose… I feel the nation is frightened to think much beyond one or two years.”
DoD Networks Completely Compromised, Experts Say
http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-say
A group of U.S. federal cybersecurity experts recently blasted the Defense Department’s network security efforts and called for a completely new and different model for DoD cybersecurity in the future.
The DoD has layered security onto a uniform architecture which only protects against known threats and doesn’t adapt to new ones, according to Acting Director of the Defense Advanced Research Projects Agency (DARPA) Kaigham Gabriel. The offensive situation is no better, he warned, because the DoD has merely tried to scale up its intelligence-based cyber capability–which is a long way from actually giving the Pentagon an offensive threat.
“DoD is capability-limited in cyber, both defensively and offensively,” Gabriel told the panel. “We need to change that.”
So, the DoD can’t protect its networks but we’re supposed to think the Department of Homeland Security (DHS) will be able to protect those in the private sector?
Tomi Engdahl says:
Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets
http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx
In our most complex effort to disrupt botnets to date, Microsoft’s Digital Crimes Unit – in collaboration with Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association, as well as Kyrus Tech Inc. – has executed a coordinated global action against some of the worst known cybercrime operations fueling online fraud and identity theft today. With this legal and technical action, a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted in an unprecedented, proactive cross-industry operation against this cybercriminal organization.
Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages.
As alleged in the complaint, Zeus malware uses a tactic called keylogging, which records a person’s every computer keystroke to monitor online activity and gain access to usernames and passwords in order to steal victims’ identities, withdraw money from their bank accounts and make online purchases. Microsoft researchers found that once a computer is infected with Zeus, the malware automatically starts keylogging when a person types in the name of a financial or e-commerce institution, allowing criminals to gain access to people’s online accounts from that point forward.
Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit. Overall, Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone.
We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets
This is the fourth high-profile takedown operation in Microsoft’s Project MARS (Microsoft Active Response for Security) initiative
There are steps people and businesses can take to better protect themselves from becoming victims of malware, fraud and identity theft. Everyone who uses a computer should exercise safe practices, such as running up to date and legitimate software, firewall protection and anti-virus and anti-malware protection. People should also exercise caution when surfing the Web or clicking on ads or e-mail attachments that may prove to be malicious.
Tomi Engdahl says:
Compromised Websites An Owner’s Perspective
http://www.stopbadware.org/pdfs/compromised-websites-an-owners-perspective.pdf
Compromised (stolen or hacked) websites continue to be an attractive target for cybercriminals who benefit primarily from the misuse of reputable domains.
Cybercriminals are also able to make use of resources like processing power, bandwidth, and the hosting available via compromised web servers.
StopBadware and Commtouch surveyed over 600 website owners and administrators whose sites had been compromised. This document reviews the survey and its results, and includes tips to help website owners prevent their sites from being hacked or compromised.
COMPROMISED WEBSITES: A VALUABLE PRIZE
Most current Internet security suites include tools for Web security. Compromising a known clean site therefore gives a cybercriminal a platform to perpetrate any number of activities with the reassurance that the site is less likely to be blocked by Web security software.
In addition, the hacker gets free hosting and all the associated resources, such as bandwidth and computing power.
WHICH WEBSITE SOFTWARE IS TARGETED?
Do website hackers target specific website software? Is there a particular
Content Management System (CMS) that is more vulnerable than others?
The answers received seem to identify WordPress (28%) as a strong favorite for cybercriminals. On the other hand, WordPress is the most commonly used CMS, so statistically it was expected to feature prominently. In addition, WordPress has an extensive plugin culture – and in many cases, security flaws within these plugins are the attack vectors in site compromises.
Respondents who listed “Other” described their use of: numerous proprietary systems, ZenPhoto, vBulletin, and Movable Type (predecessor of WordPress).
Notably, nearly 20% of respondents didn’t know what CMS was used in their websites.
Although WordPress represents 54% of known CMSs, it only featured in 28% of the hacks.
HOW ARE WEBSITES COMPROMISED?
Malicious hackers are a devious bunch – always looking for new flaws, exploits and social engineering tricks that will allow them to compromise a website. With this in mind, it comes as no surprise that most website owners (63%) simply don’t know how their sites were compromised.
20% of respondents admitted that their failure to update website software and/or plugins had likely left them open to attack.
WHAT ARE THE COMPROMISED WEBSITES USED FOR?
As described in the introduction, the compromised website provides a useful platform for a range of illicit activities. These activities include:
Hosting malware– this may take the form of complex scripts that infect any visiting PC.
URL redirect – thousands of compromised sites may perform simple redirects to a few “master” URLs. This is accomplished with a few lines of HTML code hidden in the compromised site, forcing the site to act as a “front door” to the badware
Hosting phishing, spam pages, pornography – one or two static pages on the compromised site may advertise spam products (pharmaceuticals, replicas, enhancers, etc.), act as phishing pages for banks, PayPal, Gmail, etc., or offer explicit (sometimes illegal) content.
Vandalism – the aim of the compromise might be to embarrass the site owner or, alternatively, to make some political point – generally known as “hacktivism.”
Other content or activity – some fairly complex forms of site misuse have been recorded. The spam-sending script described in the introduction is one example.
The results of the survey reveal that many website owners (36%) who became aware of a compromise did not know what their site was (mis)used for. The remaining 64% observed the complete range of activities described above; the largest group (25%) believed their sites were used to host malware.
HOW DO WEBSITE OWNERS BECOME AWARE OF THE COMPROMISE?
In rare cases of site vandalism, the malicious actors make it plainly obvious to the site owner (and the rest of the world) that the site has been compromised
So how are website owners to know that there is a problem? It turns out that in nearly half of the cases, owners were alerted by a browser, search engine or other warning when they tried to visit their own sites.
Alternatively, colleagues, friends, web hosting providers, or security organizations (such as StopBadware) let the owner know there was something amiss. This group collectively accounts for 35% of the notifications.
Notably, only 6% of website owners were able to detect an issue based on strange or increased activity within their sites.
HOW DO WEBSITE OWNERS REGAIN CONTROL OF THEIR SITES?
Having established that their sites have been compromised, website owners chose various corrective courses of action. 46% of respondents fixed the compromise themselves after consulting various online resources.
Most website owners (58%) chose to resolve the problem themselves.
HOW DID THE EXPERIENCE CHANGE THE ATTITUDE OF WEBSITE OWNERS TOWARD THEIR HOSTING PROVIDERS?
Forty percent of survey respondents changed their opinion of their web hosting providers following the experience of a hacked site. The default association seems to be negative, as 58 respondents (nearly 10%) indicated they are thinking about leaving their providers even though they had no interaction with the providers during the experience.
Webmasters were three times as likely to consider leaving providers that charged extra or refused to provide support for remediation than those that offered free support.
Preventing compromised Websites
Many website owners who responded to this survey seemed to be unaware that their websites could be compromised and unsure of how they might clean up their sites and keep them secure. Even so, 40% of survey respondents believed their websites were infected through software vulnerabilities, stolen credentials, and/or via an infected machine.
Tomi Engdahl says:
FTC Calls for “Privacy by Design”
http://allthingsd.com/20120326/ftc-calls-for-privacy-by-design/
The U.S. Federal Trade Commission today released a set of recommendations for businesses and Congress about the collection and use of consumers’ personal data.
This framework (PDF) has been in the works for years, and in the meantime there has been considerable progress on many of its final recommendations, both proactively by businesses themselves and through privacy investigations and settlements the FTC had with companies like Google and Facebook.
The FTC calls for “privacy by design,” simplified choices and greater transparency.
The report includes indications that the FTC is concerned about comprehensive tracking — the sort of stuff that companies like Google and Facebook are moving toward — though that’s one of the less-developed recommendations.
There are five main action items in the framework:
Do Not Track: This is probably the furthest along. Browser vendors are now offering do-not-track options for consumers to limit data collection, the Digital Advertising Alliance is committed to respecting them, and standards bodies are working to standardize.
Mobile: The FTC wants to make mobile privacy protections “short, effective and accessible to consumers on small screens.”
Data Brokers: This is a bigger one. The FTC wants a centralized Web site where data brokers identify themselves and disclose how they collect data. It also supports Congress’s efforts to give consumers access to data about them held by brokers.
Comprehensive Tracking: The FTC is concerned about ISPs, operating systems, browsers and social networks comprehensively tracking users’ online activities, but it won’t address this until a public workshop in the second half of this year.
Enforcing Self-Regulatory Codes: The FTC said it will help enforce industry-specific codes of conduct.
FTC REPORT:
Protecting Consumer Privacy in an Era of Rapid Change
http://www.ftc.gov/os/2012/03/120326privacyreport.pdf
In today’s world of smart phones, smart grids, and smart cars, companies are collecting, storing, and sharing more information about consumers than ever before. Although companies use this information to innovate and deliver better products and services to consumers, they should not do so at the expense of consumer privacy.
With this Report, the Commission calls on companies to act now to implement best practices to protect consumers’ private information. These best practices include making privacy the “default setting” for commercial data practices and giving consumers greater control over the collection and use of their personal data through simplified choices and increased transparency. Implementing these best practices will enhance trust and stimulate commerce.
FTC releases final privacy report, says ‘Do Not Track’ mechanism may be available by end of year
http://www.washingtonpost.com/business/technology/ftc-releases-final-privacy-report-says-do-not-track-mechanism-may-be-available-by-end-of-year/2012/03/26/gIQAzi23bS_story.html
The Federal Trade Commission on Monday outlined a framework for how companies should address consumer privacy, pledging that consumers will have “an easy to use and effective” “Do Not Track” option by the end of the year.
The FTC’s report comes a little over a month after the White House released a “privacy bill of rights” that called on companies to be more transparent about privacy and grant consumers greater access to their data but that stopped short of backing a do-not-track rule.
The FTC also said it plans to work with Web companies and advertisers to implement an industry-designed do-not-track technology so as to avoid a federal law that mandates it. The Digital Advertising Alliance, which represents 90 percent of all Web sites with advertising, is working with the Commerce Department and FTC to create an icon that would allow users an easy way to stop online tracking.
“Although some companies have excellent privacy and data securities practices, industry as a whole must do better,” the FTC said.
The 73-page report focuses heavily on mobile data, noting that the “rapid growth of the mobile marketplace” has made it necessary for companies to put limits on data collection, use and disposal. According to a recent report from Nielsen, 43 percent of all U.S. mobile phone subscribers own a smartphone.
“Unfairness is an elastic and elusive concept,” Rosch wrote, saying that it is difficult to determine how consumers feel about privacy.
Generation App: 62% of Mobile Users 25-34 own Smartphones
http://blog.nielsen.com/nielsenwire/online_mobile/generation-app-62-of-mobile-users-25-34-own-smartphones/
Tomi Engdahl says:
Murdoch firm used hacker site to target pay-TV rival
http://www.bbc.co.uk/news/uk-17494723
A News Corporation company recruited a pay-TV “pirate” to post hacked details of a rival’s secret codes online, BBC Panorama has found.
Lee Gibling set up a website in the late 1990s known as The House of Ill-Compute or Thoic.
He said NDS, a pay-TV smartcard maker, then funded expansion of the Thoic site and later had him distribute the set-top pay-TV codes of rival ITV Digital.
NDS denied this and said Thoic was only used to gather intelligence on hackers.
ITV Digital was first launched as “On Digital” and was set up as a rival to News Corporation’s Sky TV in 1998.
But the widespread availability of the secret codes meant ITV Digital’s services could be accessed for free by pirates. The company went bust in 2002.
ITV Digital’s former chief technical officer, Simon Dore, told the programme that piracy was “the killer blow for the business, there is no question”.
Lee Gibling told Panorama the codes on the Thoic site originated from NDS.
Lee Gibling said NDS paid for Thoic’s servers and was across all of its hacking and TV piracy.
“Everything that was in the closed area of Thoic was totally accessed by any of the NDS representatives,” he said.
“Clearly allegations of TV hacking are far more serious than phone hacking,” he said.
Tomi Engdahl says:
Goldman Sachs in email muppet hunt
‘Toxic and destructive’ leak sparks grep binge
http://www.theregister.co.uk/2012/03/27/goldman_sachs_email_audit/
Spencer Allingham, technical director at IT optimisation specialist Condusiv Technologies, commented: “While investigating emails to tap into corporate culture will undoubtedly be revealing for the organisation, the sheer amount of work to recover past or deleted emails will be a vast drain on time and money if appropriate technology is not in place.
“For many IT departments it is a constant struggle to find the budget to update systems and improve efficiency, and it is at times like these that poor infrastructures are exposed, and can cause reputational damage, even putting companies head to head with legislation, if the investigation is a legal requirement.”
Allingham said that tighter financial regulations meant that email trawls like the one Goldman Sachs has been obliged to undertake are likely to become more commonplace in future. Failure to put a strategy in place that can accommodate such investigations could prove to be expensive if anything goes awry, he warned.
“The recent climate of Big Data and virtualisation has only extrapolated the issue of controlling the data deluge common to most corporate environments. Data now varies in content, sensitivity, form and also in how it’s stored, but as investigations such as the Goldman Sachs case proves, speed is key and access to data needs to occur irrelevant of changes in the IT infrastructure.
Tomi Engdahl says:
Former cybersecurity czar: Every major U.S. company has been hacked by China
Richard Clarke says evidence ‘pretty strong’ that China is stealing commercial secrets
http://www.itworld.com/security/262616/former-cybersecurity-czar-every-major-us-company-has-been-hacked-china
Former White House cybersecurity advisor Richard Clarke has made a career out of issuing security warnings.
His most famous, of course, was his alert to Bush Administration officials in July 2001 — 10 weeks before 9/11 — that “something really spectacular is going to happen here, and it’s going to happen soon.”
Now Clarke, author of the book Cyber War, is issuing an alert via Smithsonian magazine that the U.S. is defenseless against a cyberattack which could take down major parts of the nation’s infrastructure, including civilian, military and commercial networks.
What makes the U.S. especially vulnerable, Clarke says, is that its aggressive “cyberoffense” — “the U.S. government is involved in espionage against other governments,” he tells Smithsonian — isn’t matched by an effective, or even competent, cyberdefense, making the nation particularly vulnerable to blowback.
Clarke says he’s concerned that hackers on the Chinese government payroll are threatening the U.S. economy.
“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong. Every major company in the United States has already been penetrated by China,” Clarke says in the Smithsonian interview.
Tomi Engdahl says:
Political Party’s Leadership Election Hit By DDoS Attack
http://politics.slashdot.org/story/12/03/27/1934210/political-partys-leadership-election-hit-by-ddos-attack
“Saturday’s electronic leadership vote for Canada’s New Democratic Party was plagued by delays caused by a botnet DDoS attack, coming from over 10,000 machines. Details are still scarce, but Scytl, who provided electronic voting services, will have to build more robust systems in the future in anticipation of such attacks.”
Tomi Engdahl says:
Here’s How Law Enforcement Cracks Your iPhone’s Security Code (Video)
http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/
Set your iPhone to require a four-digit passcode, and it may keep your private information safe from the prying eyes of the taxi driver whose cab you forget it in. But if law enforcement is determined to see the data you’ve stored on your smartphone, those four digits will slow down the process of accessing it by less than two minutes.
“It’s a massive boom industry, the growth in evidence from mobile phones,” says Dickinson. “After twenty years or so, people understand they shouldn’t do naughty things on their personal computers, but they still don’t understand that about phones. From an evidential point of view, it’s of tremendous value.”
“If they’ve done something wrong,” he adds.
“If police have a warrant to be in the phone, this is just a way to get access to what they’re legally allowed to,” Fakhoury says of the XRY tool.
Tomi Engdahl says:
European hackers will face two years in prison
Europe votes in favour of strict sentencing
http://www.theinquirer.net/inquirer/news/2164249/european-hackers-prison
HACKING INFORMATION SYSTEMS could become a criminal offense worthy of two years imprisonment after a vote in the European Parliament.
A Civil Liberties Committee vote yesterday supported a draft law proposal that would bring down a steel capped boot on anyone carrying out or associated with hacking.
The proposals would make possessing or distributing hacking software and tools an offence under law, and interestingly would make companies liable for cyber attacks that are committed for their benefit.
The proposal got overwhelming support among committee members.
There would be a set way of dealing with hacking crimes, and a strong idea of what constitutes an attack. For example, accessing a network, database or web site without permission would be an offence, as would interfering with or intercepting data.
“We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year,” said rapporteur Monika Hohlmeier, who will oversee the discussions.
Hacking attacks of the above nature would get a maximum two year penalty, according to MEPs, but this can scale up to five years if a large scale botnet is used, or more, if an industrial or other powerful system is the target.
Three year sentences will be reserved for anyone that uses IP spoofing to pretend to be another user to cover up their own crimes.
Tomi Engdahl says:
From the Eye of a Legal Storm, Murdoch’s Satellite-TV Hacker Tells All
http://www.wired.com/politics/security/news/2008/05/tarnovsky
Christopher Tarnovsky feels vindicated. The software engineer and former satellite-TV pirate has been on the hot seat for five years, accused of helping his former employer, a Rupert Murdoch company, sabotage a rival to gain the top spot in the global pay-TV wars.
But two weeks ago a jury in the civil lawsuit against that employer, NDS Group, largely cleared the company — and by extension Tarnovsky — of piracy, finding NDS guilty of only a single incident of stealing satellite signals, for which Dish was awarded $1,500 in damages.
“I knew this was going to come,” Tarnovsky says. “They didn’t have any proof or evidence.”
His story sheds new light on the murky, morally ambiguous world of international satellite pirates and those who do battle with them.
Tomi Engdahl says:
European Law Could Give Hackers Minimum Two-Year Sentence
http://yro.slashdot.org/story/12/03/28/2315210/european-law-could-give-hackers-mimimum-two-year-sentence
“A proposed European law would apply a minimum two-year prison sentence for hacking across the region. This is a step up for nations including Britain, whose Computer Misuse Act currently has a two-year maximum sentence.”
The article is not entirely clear on the minimum sentence part
Judges hate minimum sentences. Legislators should stop making them.
Yeah, you can see how this will go wrong. Someone finds an open Facebook at a netcafe, and decides to post some dopey comment on the unsuspecting security ignoramus’s page. The person flips out and calls the cops, and the cops charge him, because technically it is hacking.
The judge hears the case and goes “Well I have to find this guy guilty, and normally I’d give him a $50 fine and tell him to quit being a dick, but instead he’s going to jail for 2 years and having the rest of his life ruined because of a harmless prank.”
Yes indeed, there’s a very good reason judges hate mandatory minimums.
Simpletons are the only ones who like mandatory minimums. You have a mechanism to investigate crimes on a case-by-case basis, looking at all the evidence, the factors that went into the crime, and setting the punishment to fit the case. That’s the job of the courts. It’s not perfect, but one-size-fits-all justice is usually not justice. The mandatory minimum sentence should be zero in ALL crimes.
Tomi Engdahl says:
DHS: Cybersecurity plays into online voting
http://news.cnet.com/8301-1023_3-57406830-93/dhs-cybersecurity-plays-into-online-voting/
With the November presidential election just months away, the debate over whether voting on the Internet can be safe from cyberattacks is heating up.
As the 2012 presidential election revs up, 33 states now permit some form of Internet ballot casting. However, a senior cybersecurity adviser at the U.S. Department of Homeland Security warned today that online voting programs make the country’s election process vulnerable to cyberattacks.
“It is premature to deploy Internet voting in real elections at this time,” DHS cybersecurity adviser Bruce McConnell said at a meeting of the Election Verification Network, which is a group that works to ensure every vote is counted. He explained that all voting systems are susceptible to attacks and bringing in Internet voting invites added risk.
Right now, 33 states allow completed ballots to be sent via the Web, typically through e-mail and efax. The main voting contingent that uses this cyber-feature are people in the military and those living overseas.
Tomi Engdahl says:
McAfee talks angry robots and rotten apples at Design West
http://www.eetimes.com/electronics-news/4370104/McAfee-talks-angry-robots-and-rotten-apples-at-Design-West?cid=EDNToday_20120329
McAfee expects mobile threats to continue along the trends set in the PC world, moving from simple monetary gain towards deep privacy loss, corporate espionage and cyber war, according to a company representative.
Speaking at a Design West panel entitled “Angry Robots and Rotten Apples,” McAfee engineer Ryan Permeh said the threats affecting mobile devices are “real and serious” and are moving beyond the simple malware seen in the space thus far.
“They can listen in, collect all sorts of sensitive data, and use the mobile phone as a bridge into sensitive networks,” he said, adding that current protection strategies from Apple and Google just did not go deep enough to stop the threats.
“Smartphones have become extensions to our lives, both in work and play. They are our constant companions and keepers of our secrets,”
In terms of relative security, iOS was by far the more secure platform, said Permeh, admitting that “Apple is blowing Android out of the water,” and that Google needed a much better bouncer to reduce “evil apps” and other threat vectors.
“Historically, Android has been beaten up more than Apple, because it’s open and that unfortunately makes it more susceptible to malware,”
There are also, said Permeh, “Drive-by exploits” which exploit webkits and app related bugs.
“Premium SMS is by far the most lucrative malware scheme,”
“You have to think like a bad guy,”
“Intel is very serious about becoming a major Android player, and as such, both Intel and McAfee are having to take a fresh new look at how to deal with Malware,” he concluded.
Tomi Engdahl says:
Hacktivists and cybercriminals: Is there really a difference?
http://blogs.csoonline.com/malwarecybercrime/2098/hacktivists-and-cybercriminals-there-really-difference?source=ifwartcso
I always look at security reports with skepticism. It’s too easy to spin the numbers and motives in ways that distort the true meaning of what’s been found. That’s why I find Verizon’s latest 2012 Data Breach Investigation Report hard to swallow.
After all, aren’t hacktivists criminals, too?
True, when it comes to motivation, there is a difference.
But the tactics and results are the same. For the targeted organization, that’s what really matters. There shouldn’t be any difference in the defenses you put in place for a hacktivist or common thief.
Tomi Engdahl says:
How to Be Ready for Big Data
http://www.cio.com/article/702467/How_to_Be_Ready_for_Big_Data?page=1&taxonomyId=3002
Big Data is coming, but for most organizations it’s three-to-five years away. That doesn’t mean you shouldn’t prepare now. Analyzing Big Data will require reference information like that provided by a semantic data model. And once you mine the data, you need to secure it.
One of the keys to taking unstructured data—audio, video, images, unstructured text, events, tweets, wikis, forums and blogs—and extracting useful data from it is to create a semantic data model as a layer that sits on top of your data stores and helps you make sense of everything.
“We have to put data together from disparate sources and make sense of it,” says David Saul, chief scientist at State Street, a financial services provider that serves global institutional investors.
But collecting all this data and making it more accessible also means organizations need to be serious about securing it. And that requires thinking about security architecture from the beginning, Saul says.
“I believe the biggest mistake that most people make with security is they leave thinking about it until the very end, until they’ve done everything else: architecture, design and, in some cases, development,” Saul says. “That is always a mistake.”
Saul says that State Street has implemented an enterprise security framework in which every piece of data in its stores includes with it the kind of credentials required to access that data.
“By doing that, we get better security,” he says. “We get much finer control. We have the ability to do reporting to satisfy audit requirements. Every piece of data is considered an asset. Part of that asset is who’s entitled to look at it, who’s entitled to change it, who’s entitled to delete it, etc. Combine that with encryption, and if someone does break in and has free reign throughout the organization, once they get to the data, there’s still another protection that keeps them from getting access to the data and the context.”
Gazzang’s Warnock agrees, noting that companies that collect and leverage Big Data very quickly find that they have what Forrester calls ‘toxic data’ on their hands. For instance, imagine a wireless company that is collecting machine data—who’s logged onto which towers, how long they’re online, how much data they’re using, whether they’re moving or staying still—that can be used to provide insight to user behavior.
“Downstream analytics is the reason you gather all this data in the first place,” he says. But organizations should then follow best practices by encrypting it.
“Over time, just as it’s best practice to protect the perimeter with firewalls, it will be best practice to encrypt data at rest,” he says.
Tomi Engdahl says:
Cyber-crime a major harm to the financial sector
Alongside accounting offences, fraud, corruption and money laundering, cyber-crime is an even bigger problem, and causes huge losses, the report states.
PwC’s report shows that only 18 percent of companies in the financial sector are sufficiently prepared for cyber threats.
Many companies, however, continue to hide cyber-attacks and conceal the financial losses they cause, for fear that customers would come to understand that the company is somewhat behind technologically.
Source:
http://www.tietoviikko.fi/kaikki_uutiset/kyberrikollisuus+merkittava+haitta+finanssisektorille/a794781?s=r&wtm=tietoviikko/-30032012&
Tomi Engdahl says:
Police Are Using Phone Tracking as a Routine Tool
http://www.nytimes.com/2012/04/01/us/police-tracking-of-cellphones-raises-privacy-fears.html?_r=1&pagewanted=all
WASHINGTON — Law enforcement tracking of cellphones, once the province mainly of federal agents, has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight, documents show.
The practice has become big business for cellphone companies, too, with a handful of carriers marketing a catalog of “surveillance fees” to police departments to determine a suspect’s location, trace phone calls and texts or provide other services.
With cellphones ubiquitous, the police call phone tracing a valuable weapon in emergencies like child abductions and suicide calls and investigations in drug cases and murders. One police training manual describes cellphones as “the virtual biographer of our daily activities,” providing a hunting ground for learning contacts and travels.
But civil liberties advocates say the wider use of cell tracking raises legal and constitutional questions, particularly when the police act without judicial orders.
“It’s terribly confusing, and it’s understandable, when even the federal courts can’t agree,” said Michael Sussman, a Washington lawyer who represents cell carriers. The carriers “push back a lot” when the police urgently seek out cell locations or other information in what are purported to be life-or-death situations, he said. “Not every emergency is really an emergency.”
“And the advances in technology are rapidly outpacing the state of the law.”
Tomi Engdahl says:
UK ‘to announce’ real-time phone, email, Web traffic monitoring
http://www.zdnet.com/blog/london/uk-8216to-announce-real-time-phone-email-web-traffic-monitoring/3751
UK government plans to allow the intelligence services analyse call, email and Web traffic in “real-time” could be announced by the Queen as early as May.
Editor’s note: Despite this being April 1, or ‘April Fools Day’, this story is not a fabrication nor a joke.
“It is vital that police and security services are able to obtain communications data in certain circumstances to investigate serious crime and terrorism and to protect the public,” a spokesperson said in an emailed statement.
“Communications data includes time, duration and dialling numbers of a phone call, or an email address. It does not include the content of any phone call or email and it is not the intention of Government to make changes to the existing legal basis for the interception of communications.”
Tomi Engdahl says:
Hacking IT systems to become a criminal offence
http://www.europarl.europa.eu/news/fi/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence
Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on Tuesday. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.
“We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year” said rapporteur Monika Hohlmeier (EPP, DE).
The proposal would establish harmonised penal sanctions against perpetrators of cyber attacks against an information system – for instance a network, database or website. Illegal access, interference or interception of data should be treated as a criminal offence, MEPs say.
The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.
Tomi says:
Mozilla Blocks Vulnerable Java Versions In Firefox
http://developers.slashdot.org/story/12/04/03/1350223/mozilla-blocks-vulnerable-java-versions-in-firefox
Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that’s being actively exploited. The decision to add these vulnerable versions of Java to the browser’s blocklist is designed to protect users who may not be aware of the flaw and attacks.
To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist.
Tomi Engdahl says:
FTC Fines RockYou $250,000 For Storing User Data In Plain Text
http://it.slashdot.org/story/12/04/03/219212/ftc-fines-rockyou-250000-for-storing-user-data-in-plain-text
RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission.
COMMENTS:
“As a refresher, here were the top 10 passwords used by RockYou users: 123456 12345 123456789 Password iloveyou princess rockyou 1234567 12345678 abc123” Very original!
I suspect that whilst websites have user/password control, and whilst it is common to encrypt passwords in a database, most other database records are mostly in plain text.
There are perfectly legitimate reasons to maintain user account information in the clear: Namely, that you can’t one-way hash anything except the login credentials and have it remain useful. So storing something in plaintext, or not, is not something worth suing and fining someone over. That said, storing the passwords in the clear is almost always a bad idea; and in this day and age, everyone should be using password hashes, preferably with a salt as well, as rainbow tables are increasingly common and accessible as storage costs decrease.
So just want that out there: There are some limited cases where storing login credentials in the clear is a necessity. But that’s no excuse for not sanitizing the data… SQL injection attacks are stupidly easy to prevent, and the web designer who wrote the code that allowed it should probably be censured. If you’re going to fine a company — fine them for the injection attack… but leaving data in plain text is not a problem per se.
RockYou did the best they could by using double ROT13 encryption of these files. So sad to see them get fined.
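The two points the comments above make (store only a salted password hash, and never splice user input into SQL) in one runnable form. This is an added example, not code from the article or the commenters; the user store, names and passwords are constructed, and `login_unsafe` is included only to show what happens when a quote in a username reaches the SQL parser.

```python
"""
Added example (not from the article or the comments above): a sqlite3-backed
user store that keeps only a salted PBKDF2 hash of each password and looks
users up with parameterised queries, contrasted with a string-built query
that lets the SQL parser see user input. All names and data are constructed.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # slow the hash down; raise as hardware improves
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats rainbow tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def create_store() -> sqlite3.Connection:
    """In-memory table: there is no password column at all, only salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "pw_hash BLOB NOT NULL, email TEXT)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str, email: str) -> None:
    """Insert with bound parameters; the plaintext password is discarded after hashing."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, email) VALUES (?, ?, ?, ?)",
        (username, salt, digest, email),
    )


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the username is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\0" * SALT_BYTES)
        return False
    return verify_password(password, row[0], row[1])


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The kind of code behind a SQL injection flaw: input spliced into the
    query text. Kept only to show the difference; never use this pattern."""
    query = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    row = conn.execute(query).fetchone()
    return row is not None and verify_password(password, row[0], row[1])


def demo() -> dict:
    """Constructed accounts; returns the outcome of each lookup for checking."""
    conn = create_store()
    add_user(conn, "alice", "correct horse battery staple", "alice@example.invalid")
    add_user(conn, "o'brien", "s3cret-pw", "obrien@example.invalid")
    results = {
        "alice_ok": login_safe(conn, "alice", "correct horse battery staple"),
        "alice_wrong": login_safe(conn, "alice", "123456"),
        "quote_safe": login_safe(conn, "o'brien", "s3cret-pw"),
    }
    try:
        login_unsafe(conn, "o'brien", "s3cret-pw")
        results["quote_unsafe"] = "query ran"
    except sqlite3.OperationalError:
        # The apostrophe in the name was interpreted as SQL, not as data.
        results["quote_unsafe"] = "sql syntax error"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```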
Tomi Engdahl says:
ARM, security firms form joint venture for mobile
http://www.edn.com/article/521379-ARM_security_firms_form_joint_venture_for_mobile.php?cid=EDNToday_20120403
ARM, Gemalto and Giesecke & Devrient have announced the creation of a joint venture (JV) chartered with delivering secure environments in which to run services such as financial payments on mobile equipment including tablet computers, smart-TVs, games consoles and smartphones.
“The new venture will combine the security operations from three leading organizations,”
The three companies are investing in a joint venture to accelerate adoption of a common security standard based on ARM’s TrustZone security technology, which is included in every ARM Cortex-A family processor. All three companies will contribute assets to the new venture, including patents, software, people, cash and capital equipment.
The JV will develop a Trusted Execution Environment (TEE) for smart connected devices based on TrustZone. This common, secure environment for software execution will utilize advanced hardware security coupled with industry standard software interfaces, such as those from the GlobalPlatform industry association. This secure environment will be offered to silicon, software, and equipment partners.
“The integration of the hardware, software and services necessary for system-wide security has been slow,” said Warren East, CEO of ARM, in a statement. “This will be a significant step in terms of improved consumer trust in secure transactions on connected devices,” East added.
Tomi Engdahl says:
These Are The Prices AT&T, Verizon and Sprint Charge For Cellphone Wiretaps
http://www.forbes.com/sites/andygreenberg/2012/04/03/these-are-the-prices-att-verizon-and-sprint-charge-for-cellphone-wiretaps/
If Americans aren’t disturbed by phone carriers’ practices of handing over cell phone users’ personal data to law enforcement en masse–in many cases without a warrant–we might at least be interested to learn just how much that service is costing us in tax dollars: often hundreds or thousands per individual snooped.
Here are a few of the highlights from the fee data.
Wiretaps cost hundreds of dollars per target every month, generally paid at daily or monthly rates. To wiretap a customer’s phone, T-Mobile charges law enforcement a flat fee of $500 per target.
Data requests for voicemail or text messages cost extra. AT&T demands $150 for access to a target’s voicemail, while Verizon charges $50 for access to text messages.
All four telecom firms also offer so-called “tower dumps” that allow police to see the numbers of every user accessing a certain cell tower over a certain time at an hourly rate. AT&T charges $75 per tower per hour, with a minimum of two hours. Verizon charges between $30 and $60 per hour for each cell tower. Sprint demands $150 per cell tower per hour, and Sprint charges $50 per tower, seemingly without an hourly rate.
For location data, the carrier firms offer automated tools that let police track suspects in real time. Sprint charges $30 per month per target to use its L-Site program for location tracking. AT&T’s E911 tool costs $100 to activate and then $25 a day. T-Mobile charges a much pricier $100 per day.
Tomi Engdahl says:
Feds Want Way to Hack Xboxes and Wiis for Evidence
http://www.wired.com/threatlevel/2012/04/game-console-hack/
Think twice if you live outside the U.S. and plan to sell your used gaming console.
The Department of Homeland Security has launched a research project to find ways to hack into gaming consoles to obtain sensitive information about gamers stored on the devices.
One of the first contracts for the project was awarded last week to Obscure Technologies, based in California, to devise a forensic tool that will siphon data from the Xbox 360, Wii, PlayStation 3 and other consoles.
Parker Higgins, a spokesman for the Electronic Freedom Foundation, expressed concern that users might not know what data is created and stored on their gaming devices.
“These consoles are being used as general-purpose computers,” he told the Foreign Policy. “And they’re used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console.”
Although reformatting a device before selling it should erase such data, researchers at Drexel University have recently claimed they could extract credit card information and a billing address from the hard drive of an Xbox 360 even after it was reformatted.
Tomi Engdahl says:
Anonymous hacks into tech and telecom sites
http://news.cnet.com/8301-1023_3-57411619-93/anonymous-hacks-into-tech-and-telecom-sites/?part=rss&subj=news&tag=title
Two trade association sites that boast members such as Apple, Microsoft, IBM, AT&T, and Verizon come under attack by hackers for supporting cybersecurity legislation.
USTelecom represents telecom companies, including AT&T, Verizon, and CenturyLink; and TechAmerica’s members include tech companies such as IBM, Microsoft, and Apple.
TechAmerica President Shawn Osborne said his organization will continue to support the legislation.
“These types of strong-arm tactics have no place in the critical discussions our country needs to be having about our cybersecurity, they just underscore the importance of them,” Osborne told Bloomberg.
Tomi Engdahl says:
Verizon: 97% of 2011 Data Breaches Were Avoidable
http://www.tomsguide.com/us/verizon-breaches-2012-DDoS-LulzSec,news-14733.html
A report issued by Verizon Communications (pdf) claims that 97-percent of data breaches in 2011 were caused by hackers using relatively simple methods of intrusion. Thus, these breaches could have been avoided without the need for difficult or expensive countermeasures by using “simple or intermediate” controls. Even more, 79-percent of the victims were targets of opportunity and 96-percent of the attacks weren’t even highly difficult.
“Findings from the past year continue to show that target selection is based more on opportunity than on choice,” the report states.
The report also states that 94-percent of all data compromised involved servers (that should be a given), and that 85-percent of the breaches took weeks or more to discover.
92-percent of the breach incidents were discovered by third parties.
81-percent of the breaches that took place in 2011 utilized some form of hacking, but 69-percent also incorporated malware. Only 10-percent of the breaches involved physical attacks, and only 7-percent employed social tactics. 5-percent of the breaches resulted from privilege misuse.
For small organizations, the report suggests that they implement a firewall or ACL on remote access services. They should also change default credentials of POS systems and other Internet-facing devices. If a third party vendor is handling the two previously-mentioned items, then make sure they’ve actually made those changes.
2011 showed that hackers are highly unpredictable.
Tomi Engdahl says:
CIOs Plan to Increase Cloud Spending
An exclusive survey finds that many CIOs say cloud services are a plus for business continuity and speedy deployment. But they still worry about security.
http://www.cio.com/article/702623/CIOs_Plan_to_Increase_Cloud_Spending
Six out of 10 U.S. companies already have at least one application in the cloud.
In fact, 84 percent of the survey respondents cited business continuity as the top business driver for their cloud investments.
“The comfort of having completely redundant servers is very, very attractive,”
But putting data in the cloud also carries risks: 70 percent of the respondents said security concerns are the top barrier to their adoption of cloud computing.
Tomi Engdahl says:
McAfee Claims Successful Insulin Pump Attack
http://science.slashdot.org/story/12/04/10/2139226/mcafee-claims-successful-insulin-pump-attack
“Intel security subsidiary McAfee has claimed a successful wireless attack on insulin pumps that diabetics rely on to control blood sugar. While previous attempts to attack insulin pumps have met with mixed success, McAfee’s Barnaby Jack says he has persuaded an insulin pump to deliver 45 days worth of insulin in one go, without triggering the pump’s vibrating alert safety feature. All security experts still say that surgical implants are a benefit overall.”
Hack Attacks Warning On Medical Implants
Insulin pumps and pacemakers can be turned off by radio control, warn researchers
http://www.techweekeurope.co.uk/news/hack-warning-on-medical-implants-72025
Security firms have warned hackers could use radio signals to attack pacemakers and other medical implants, potentially killing people.
Researchers from McAfee have shown they can take control of insulin pumps implanted inside diabetes patients, while scientists at the University of Massachusetts have shown they can use radio attacks to turn off defibrillators inside heart patients.
Hackers could kill
Implants such as pacemakers and insulin pumps sit within patients and keep them alive. They are increasingly being given radio communications so they can be remotely controlled and updated, minimising the number of times they need to be accessed through surgery, and allowing information to be sent and received.
The problem is that the security on the radio link is breakable, and the implants’ operation can be remotely over-ridden.
“We can influence any pump within a 300ft [91m] range,” Jack told the BBC. McAfee has previously announced products to secure embedded devices, which could include implants.
Attacks on surgical implants have been known about for some time.
Tomi Engdahl says:
End of Windows XP Support Era Signals Beginning of Security Nightmare
http://tech.slashdot.org/story/12/04/12/020224/end-of-windows-xp-support-era-signals-beginning-of-security-nightmare
Microsoft’s recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks.
Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system.
End of Windows XP support era signals beginning of security nightmare
http://www.networkworld.com/community/blog/end-windows-xp-support-era-signals-beginning-security-nightmare
Consumer, corporate and even SCADA systems could be at risk when Microsoft stops supporting Windows XP.
Jason Miller, manager of research and development at VMware, says the introduction of Windows XP “was the heyday of buying computers,” with markets having become familiar with Windows 95 or 98 and manufacturers like Dell releasing affordable options. With such an influx of new users, it comes as no surprise that Windows XP remains one of the most common operating systems despite the introduction of two entirely new versions in the decade since it hit shelves. In fact, March 2012 statistics from NetMarketShare.com show XP in the lead for operating system market share, at 43.09%.
Although that number is on a steady decline, its high volume just two years before support is cut off is cause for concern, Qualys CTO Wolfgang Kandek says. Most enterprises are likely to upgrade their operating systems in the wake of the announcement that XP support would be cut off.
Remaining consumers, though, will be much less inclined to make an upgrade.
At-home computer users who are still content with XP are unlikely to purchase a new operating system without any financial incentive, especially considering that many of the features for Windows 7 require hardware upgrades. Try telling someone who uses their home computer to just check their email and read the latest Yahoo News headlines that they need to spend $500 for a new one.
How many at-home consumer users will even know that Microsoft will be cutting off XP support? How many will know what “the end of support” means for them at the user level, and how many will actually care?
“If I have a Windows XP machine and I go buy a new tablet, for most of my needs I will use my tablet, but I still keep my XP machine for doing some chores that only a desktop can do. So that could also play a role here,” Sarwate says.
“Where do you think all these botnets are set up? They’re not set up on the corporate computers,” Miller says. “They’re set up on my grandmother’s computer, my mother’s computer, and they don’t even know it’s running because they’re running vulnerable software out there.”
Even scarier, Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system.
“A lot of these systems are connected to critical infrastructure and that particular SCADA software running on Windows XP has to be first upgraded to a new operating system,” Sarwate says. “So there is a SCADA vendor also in this picture and some SCADA software and hardware which is already configured in plants, factories or critical infrastructure. So in the typical SCADA environment I don’t think Microsoft could encourage people to upgrade because the problems there are completely different.”
In a blog post, Sarwate also highlighted the dangers inherent in many SCADA systems stemming from an inadvertent connection to the public internet. Many companies are under the impression that their SCADA networks are disconnected from others, Sarwate wrote, when in fact they may be just as susceptible to malware as corporate or at-home desktops.
“A search for ‘data presentation and control’ software on the internet yields SCADA systems with management services exposed to the internet,” Sarwate wrote. “If an organization’s SCADA network is not securely connected with the IT network, worms can jump from the HR desktops or reception kiosk into the SCADA network.”
Six Ways to Improve SCADA Security
https://community.qualys.com/blogs/securitylabs/2012/03/29/six-ways-to-improve-scada-security
Tomi Engdahl says:
HP Ships Switches With Malware Infected Flash Cards
http://news.slashdot.org/story/12/04/11/2114256/hp-ships-switches-with-malware-infected-flash-cards
“HP has warned of a security vulnerability associated with its ProCurve 5400 zl switches that contain compact flash cards that the company says may be infected with malware. The company warned that using one of the infected compact flash cards in question on a computer could result in the system being compromised.”
“This issue once again brings attention to the security of the electronics supply chain which has been a hot topic as of late.”
Tomi Engdahl says:
InfoSec’s misunderstanding of business.
http://blog.uncommonsensesecurity.com/2011_07_01_archive.html
You have heard it ad nauseum, “if we as security practitioners want to be taken seriously, we need to understand the businesses we support and speak to the values of the business, blah, blah, blah”. And that, my friends, is bullshit. Still steaming in the pasture on a spring morning bullshit.
Want to move your objectives forward? You need to understand greed and fear, the greed and fear of the people who control the resources.
Don’t believe me? Take a look at the banking industry, or the US auto industry, or whatever area you know about. People who understood the business saw the train wrecks coming, and they tried to warn people about them- but they were ignored or worse. Understanding the business can only lead to frustration because the people running the business either don’t understand the business
If you want to improve security in your organization, you need to understand how your organization works, not how it should work. You need to know what feeds it and what scares it. Sadly, that may have no relation to the business your organization is in.
Tomi Engdahl says:
WorkiLeaks: How to Be a Workplace Leaker Without Getting Caught
http://www.wired.com/threatlevel/2012/04/workileaks/
In the interest of protecting future moles and whistleblowers, we’ve assembled a list of Dos and Don’ts for leaking safely.
Tomi Engdahl says:
Emirates wedges national ID cards inside NFC phones
ID-by-handset to become norm after gov inks deal with Etisalat
http://www.theregister.co.uk/2012/04/12/uae_nfc_id/
The United Arab Emirates has signed up local operator Etisalat with a view to getting the national ID card embedded into mobile phones.
The memorandum of understanding, signed by the Emirates Identity Authority and Etisalat, sets out a plan for both parties to examine the feasibility of implementing the existing ID Card as an NFC application installed on a mobile phone, meaning that forgetting one’s handset wouldn’t just be inconvenient, it would be illegal too.
The existing card, which arrived in 2004, uses an ISO7816 chip (same as a credit card) to store encrypted credentials including the holder’s name, birthday, gender and photograph, and the 15-digit key to the Population Register which was set up at the same time. Also stored on the chip, but not printed on the card, are the holder’s fingerprints.
A phone wouldn’t have all those details in human-readable form, printed on the outside, but it would have a short-range radio for relaying them to a reader (complying with the NFC standard), so we’d assume that Etisalat will be pricing up the cost of those readers for the government.
Carrying an ID card in the UAE is mandatory at all times, so once the card is in a mobile then one will have no excuse not to have one handy. That might sound draconian, but it’s worth remembering that failing to carry a mobile has already prompted arrests in Germany and France (on the grounds that one must be hiding something).
Once one has digital ID cards, then pushing them into mobile phones is a logical evolution, and the induction-powered NFC (which works when the phone’s battery is dead) is a suitable technology, as UAE residents should soon find out.
Tomi says:
The 10 baddest IT pros
BOFHs who got caught
http://www.theregister.co.uk/2012/04/09/worst_10_rogue_employees_in_it/
In 2008 a survey of 300 sysadmins by Cyber-Ark grabbed a lot of press coverage when a whopping 88 per cent of respondents said they would steal company information if fired.
One quarter said their organisations had suffered internal sabotage and security fraud, and one third believed that industrial espionage and data leakage had occurred within their company.
Could this be why BOFH (the Bastard Operator from Hell), Simon Travaglia’s long-running column about a fictional psychopathic sysadmin-cum master of social engineering, is so popular?
We can speculate – but we can tell you about the worst ones who got caught – all except one ended up in court.
Tomi says:
FCC Wants To Fine Google $25K For WiFi Investigation
http://yro.slashdot.org/story/12/04/15/177215/fcc-wants-to-fine-google-25k-for-wifi-investigation
It’s good and bad news for Google. The FCC has ruled that Google did nothing wrong when it accidentally collected WIFI data with its Street View cars.
However, they want to fine the company $25,000 because it ‘deliberately impeded and delayed the investigation.’
Tomi Engdahl says:
Anonymous denial of service attacks see mixed results
Some web sites went down, but not others
http://www.theinquirer.net/inquirer/news/2167841/anonymous-denial-service-attacks-mixed-results
Tomi Engdahl says:
The Cybercrime Wave That Wasn’t
http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html?_r=1
In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion. While other industries stagger under the weight of recession, in cybercrime, business is apparently booming.
Yet in terms of economics, there’s something very wrong with this picture.
We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority.
Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing.
How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.
Most cybercrime estimates are based on surveys of consumers and companies.
For one thing, in numeric surveys, errors are almost always upward.
Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias. As a result, we have very little idea of the size of cybercrime losses.
A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
Profit estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.
Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.
Tomi Engdahl says:
IT Protects the Company. Who Protects IT?
http://professional.wsj.com/article/SB10001424052970203753704577255723326557672.html#articleTabs%3Darticle
Companies’ IT staffs often hold the keys to the castle. And that’s the problem.
At many companies, the people in the IT department pose the biggest risks to data security. They can access nearly anything on the network, usually with no one looking over their shoulders. What’s more, outside hackers increasingly are targeting IT administrators’ profiles to gain access to a system without being detected.
To combat this threat, more companies are taking extra care to screen their IT staff and make sure there are checks and balances in place once they’re on the job. Some organizations are using monitoring software that tracks the network activity of the staff, quickly flagging anything unusual. Some are even using new technology to look at the language of their IT staff’s emails to determine whether their behavior or mind-set has changed.
“It has gotten to the point where we have to monitor everything everybody does, especially those working with sensitive data like the IT staff,”
Many organizations perform tougher background checks on potential IT employees than on others, making sure the job candidates can be trusted to carry out critical security tasks.
And once candidates are hired, their actions typically are scrutinized more closely than those of others on the network.
“If you start to feel differently about the company you work for and the people you work with, you’d be surprised how your language changes,”
Common red flags include a dramatic change in the length of a person’s emails. For example, someone may start writing emails of half a dozen words when their messages used to read like novels. Other tip-offs: a rise in the number of anger-related phrases, greater use of the word “me,” and signs of more-polarized thinking, like the words “never” and “always.”
The checks and balances represent “best practices in network security,” says Daniel Galik, HHS chief information-security officer.
Without such safeguards, he says, system administrators with special privileges would be able “to cover their tracks if maliciously accessing systems.”
“Where people are given more responsibilities and have authority to perform actions or grant privileges,” Mr. Galik says, “a little more attention has to be paid to those individuals.”
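As an added example (not code from the WSJ article or from any vendor or agency it describes), the following Python sketches the kind of language-drift check the passage describes: it scores one sender's recent messages against their own baseline on the four red flags named above (message length, anger-related phrases, the word “me”, polarised “never”/“always”). The phrase list, thresholds and sample messages are constructed assumptions for illustration.

```python
"""Insider-risk language drift check, in the spirit of the WSJ passage above.

Added example, not code from any vendor or organisation named in the article.
It scores one sender's messages on the four red flags the article lists (message
length, anger-related phrases, the word "me", polarised "never"/"always") and
compares a recent window against a baseline window. Phrase lists and thresholds
are assumptions for illustration.
"""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

# Hypothetical lexicon; a real deployment would use a curated, reviewed list.
ANGER_PHRASES = ("fed up", "sick of", "ridiculous", "incompetent", "furious",
                 "waste of my time")
POLARISED_WORDS = ("never", "always")
WORD_RE = re.compile(r"[a-z']+")


@dataclass(frozen=True)
class MessageFeatures:
    words: int       # token count, the "length" signal
    anger: int       # hits from ANGER_PHRASES
    me: int          # occurrences of the word "me"
    polarised: int   # occurrences of "never" / "always"


def extract_features(body: str) -> MessageFeatures:
    """Lower-case, tokenise and count the four indicators for one message."""
    text = body.lower()
    tokens = WORD_RE.findall(text)
    return MessageFeatures(
        words=len(tokens),
        anger=sum(text.count(p) for p in ANGER_PHRASES),
        me=tokens.count("me"),
        polarised=sum(tokens.count(w) for w in POLARISED_WORDS),
    )


def rate_per_1000(feats: list[MessageFeatures], attr: str) -> float:
    """Indicator hits per 1000 words across a window. Rates rather than raw
    counts, so terse messages are not penalised twice for being short."""
    total_words = sum(f.words for f in feats)
    if total_words == 0:
        return 0.0
    return 1000.0 * sum(getattr(f, attr) for f in feats) / total_words


def drift_report(baseline: list[str], recent: list[str],
                 length_ratio: float = 0.5, rate_factor: float = 3.0,
                 min_rate: float = 5.0) -> list[str]:
    """Return human-readable flags where the recent window departs from baseline.

    A length flag fires when mean message length falls below length_ratio of
    the baseline mean; an indicator flag fires when its rate is at least
    min_rate per 1000 words and more than rate_factor times the baseline rate.
    """
    b = [extract_features(m) for m in baseline]
    r = [extract_features(m) for m in recent]
    flags: list[str] = []

    b_len = statistics.mean(f.words for f in b)
    r_len = statistics.mean(f.words for f in r)
    if r_len < b_len * length_ratio:
        flags.append(f"mean message length fell from {b_len:.0f} to {r_len:.0f} words")

    for attr in ("anger", "me", "polarised"):
        b_rate, r_rate = rate_per_1000(b, attr), rate_per_1000(r, attr)
        if r_rate >= min_rate and r_rate > b_rate * rate_factor:
            flags.append(f"{attr} rate rose from {b_rate:.1f} to {r_rate:.1f} per 1000 words")
    return flags


# Constructed sample messages from one hypothetical administrator.
BASELINE = [
    "Hi team, attached are the patch notes for the weekend maintenance window. "
    "I walked through the change list with the network group this morning and "
    "everything looks good. Let me know if you would like a short review call "
    "before Friday.",
    "Thanks for the quick turnaround on the firewall rules. The staging "
    "environment is back online and the application owners have confirmed their "
    "tests pass. I have documented the rollback steps in the ticket so anyone on "
    "call can use them.",
    "Quick update on the backup job: last night's run completed without errors "
    "and the restore test from the offsite copy succeeded. I will always keep "
    "the summary report in the shared folder so auditors can find it easily.",
]
RECENT = [
    "Nobody told me. Again. This is ridiculous.",
    "I'm sick of this. You never listen to me.",
    "Don't include me. Management always ignores me anyway.",
]

if __name__ == "__main__":
    for flag in drift_report(BASELINE, RECENT):
        print("FLAG:", flag)
```

On the constructed samples all four indicators fire; comparing the baseline window against itself yields no flags, which is the sanity check to run before trusting any threshold.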
Tomi Engdahl says:
Mobile Device Management: a Necessary Cost Or a Cost Saver?
http://www.cio.com/article/703871/Mobile_Device_Management_a_Necessary_Cost_Or_a_Cost_Saver_?page=1&taxonomyId=3061
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
IT has been handed the responsibility of adapting security and access policies to accommodate our mobile phones and tablets. The expense of mobile device management (MDM) has become another accepted cost of doing business. But what if MDM was a cost saver?
Security was the impetus for the first MDM solutions. Companies recognized the need to protect corporate assets on the devices, and witnessed the headlines and damages to company reputation that could result from a malicious phone app stealing employee contact information or worse. With liability at stake, securing mobile devices became the top priority.
Basic MDM solutions still focus on preventing unauthorized access to corporate data and avoiding the risk of a public relations fiasco around data breaches or thefts. However, an MDM solution can do a lot more.
A holistic device management platform can merge two previously distinct areas: mobile device management (MDM) and telecom expense management (TEM).
Besides broad support for the various types of devices, IT should look for a solution that can cover both company-owned and “bring-your-own devices” (BYODs).
Starting with purchases, a device lifecycle management platform can introduce and automate a hierarchical approval process for devices and service plans.
Businesses also need the ability to track and correlate employee, device and service plan status.
Real-time visibility makes it possible to identify and flag devices that do not meet the company’s requirements in terms of minimum hardware and software levels, or those devices that are eligible for upgrades or plan adjustments.
While it is true that some of the enterprise-class MDM and TEM solutions require substantial getting-started investments, both for the software and for the required server platforms, there are cost-effective software-as-a-service (SaaS) offerings available at price points that offer very attractive ROI to businesses of all sizes.
Businesses should also look for a solution with lightweight agents for the devices being managed.
The attractive ROI and minimized impact on the devices themselves are compelling factors in the business case for a device lifecycle management solution.
Tracking real-time patterns ultimately shifts device management from a reactive to a proactive activity.
Tomi Engdahl says:
3 million bank accounts hacked in Iran
http://www.zdnet.com/blog/security/3-million-bank-accounts-hacked-in-iran/11577
Summary: First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.
After finding a security vulnerability in Iran’s banking system, Khosrow Zarefarid wrote a formal report and sent it to the CEOs of all the affected banks across the country. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.
It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”
At least three Iranian banks (Saderat, Eghtesad Novin, and Saman) have already sent text messages to their clients, warning them to change their debit card PINs. Furthermore, the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards have been hacked and urged all card holders to change their PINs, especially if they haven’t done so in the last few months. The warning was repeated on state TV channels.
Zarefarid is reportedly no longer in Iran, though it is unclear when he left. He insists he hacked the accounts to highlight the vulnerability in Iran’s banking system.
Tomi Engdahl says:
Iltalehti claims:
TeliaSonera assists the KGB in persecuting citizens – “There is no limit”
Telecommunications company TeliaSonera is colluding with a number of dictatorships, says SVT (OSF).
TeliaSonera’s subsidiary companies willingly assist security services such as the Belarusian KGB.
The KGB security service ruthlessly uses operator-assisted interception services against critics of the government.
Operators give security services such as the KGB direct access to the heart of the telephone systems, where they are free to choose whom to follow and eavesdrop on.
- There is no limit to how much tapping can be done, says a TeliaSonera employee.
TeliaSonera’s Communications Director Cecilia Edström sees the situation as problematic.
Source: http://www.iltalehti.fi/ulkomaat/2012041815466923_ul.shtml