Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of new cyber-threats against enterprises and mobile devices, so cyber security also concerns mobile.

Security is becoming an increasingly important issue, and 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security, and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012, and it warns people to expect this type of activity to continue.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and now test their devices more. But how do the smaller manufacturers do their security testing? Metasploit has a special category for SCADA devices; it is a good idea to test your own devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation safety standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than you did some years ago. Previously, it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep automation systems isolated from the Internet: accidental connections to the Internet from isolated networks happen, malware can spread through USB memory sticks (Stuxnet did that), and there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells how a search engine that indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The Shodan search engine easily pinpoints shoddy industrial controls: it makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities, and it can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.
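The two preceding paragraphs make one defensive point: an automation network that is supposed to be isolated leaks (accidental Internet connections, USB media, new business links), and whatever is reachable from the Internet on an industrial protocol port will be found. The audit below is an added example written for this page, not code from the original post or from any product it mentions. It runs a plausibility check over constructed firewall-log lines (format, address plan `10.20.0.0/16` for the OT segment, and the watched port list are all assumptions of this example; Modbus/TCP 502 and DNP3 20000 are the registered defaults) and flags two things a practitioner wants to know about: any flow leaving the OT segment for a public address, and any flow from a public address into the OT segment, with the protocol named when the port is a known ICS port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan (placeholder for this example): the process-automation
# segment that is supposed to be isolated from the Internet.
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")

# Industrial protocol ports to name in findings. 502 (Modbus/TCP) and
# 20000 (DNP3) are the registered defaults; which ports to watch is an
# assumption of this example.
ICS_PORTS = {502: "modbus", 20000: "dnp3"}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed log line of the form '<src_ip> <dst_ip> <proto> <dport>'.
    Returns None for lines that do not match, so malformed input is skipped."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Flow(
            ipaddress.ip_address(parts[0]),
            ipaddress.ip_address(parts[1]),
            parts[2].lower(),
            int(parts[3]),
        )
    except ValueError:
        return None


def is_public(addr: ipaddress.IPv4Address) -> bool:
    # is_global is False for RFC 1918, loopback, link-local and documentation ranges.
    return addr.is_global


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a flow that breaks the isolation assumption, else None."""
    if flow.src in OT_NETWORK and is_public(flow.dst):
        # The "isolated" segment is talking to the Internet (DNS, updates, malware C2...).
        return "ot-egress-to-internet"
    if is_public(flow.src) and flow.dst in OT_NETWORK:
        # Something on the Internet reached a device inside the OT segment.
        label = "internet-to-ot"
        if flow.dport in ICS_PORTS:
            label += "-" + ICS_PORTS[flow.dport]
        return label
    return None


def audit(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Run classify() over log lines; returns (label, src, dst, dport) per finding."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow)
        if label is not None:
            findings.append((label, str(flow.src), str(flow.dst), flow.dport))
    return findings


# Constructed sample log (not real traffic). 1.2.3.4 and 8.8.8.8 stand in for
# arbitrary public addresses; 10.50.0.0/16 plays the office segment.
SAMPLE_LOG = [
    "10.20.5.17 1.2.3.4 tcp 443",     # OT host browsing the Internet: finding
    "8.8.8.8 10.20.1.9 tcp 502",      # Internet host reaching a Modbus port: finding
    "10.20.1.9 10.20.1.10 tcp 502",   # Modbus inside the OT segment: expected
    "10.50.1.2 1.2.3.4 tcp 443",      # office host on the Internet: not OT, ignored
    "this line is not a flow record", # malformed, skipped
    "10.20.1.9 8.8.8.8 udp 53",       # OT host leaking DNS to the Internet: finding
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against a real export, the only changes needed are the OT prefix and the line parser; the classification logic is deliberately independent of log format so it can be pointed at netflow, firewall or proxy records alike.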

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news on the continuing poor state of security for industrial control systems. A pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
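The paragraph above describes a device that trusts its GPS-derived clock absolutely, so a de-synchronised date or a 32-bit epoch rollover is adopted without question. A plausibility check between consecutive time fixes is the usual mitigation. The class below is an added example written for this page, not code from the original post or from any PMU vendor; the tolerances, the fix sequence and the use of a local monotonic clock as the reference are all assumptions of this example. It rejects a fix that lies outside the signed 32-bit time_t range, one that runs backwards, and one that jumps relative to what the local monotonic clock says has elapsed, while letting normal ticks through.

```python
from typing import List, Tuple

# Tolerances are assumptions for this example, not values from the page.
MAX_STEP_SECONDS = 2.0        # largest accepted disagreement between a fix and the local clock
MAX_DRIFT_PER_SECOND = 0.001  # 1 ms/s of additional allowance for local-oscillator drift
T32_MAX = 2 ** 31 - 1         # last second representable in a signed 32-bit time_t (2038 rollover)


class TimeGuard:
    """Sanity-check timestamps from an untrusted time source (e.g. a GPS receiver)
    before a device adopts them as its own clock."""

    def __init__(self, initial_epoch: int, initial_mono: float):
        # Last fix that was accepted, and the local monotonic reading taken with it.
        self.last_epoch = initial_epoch
        self.last_mono = initial_mono

    def check(self, epoch: int, mono: float) -> Tuple[bool, str]:
        """Return (accepted, reason). `mono` is the local monotonic clock reading
        captured when the fix arrived; rejected fixes do not move the baseline."""
        elapsed = mono - self.last_mono
        if elapsed < 0:
            return False, "monotonic clock went backwards"
        if epoch < 0 or epoch > T32_MAX:
            return False, "outside 32-bit time_t range"
        step = epoch - self.last_epoch
        if step < 0:
            return False, "time went backwards"
        allowance = MAX_STEP_SECONDS + MAX_DRIFT_PER_SECOND * elapsed
        if abs(step - elapsed) > allowance:
            return False, f"jump of {step - elapsed:+.1f}s relative to local clock"
        self.last_epoch, self.last_mono = epoch, mono
        return True, "ok"


def replay(fixes: List[Tuple[int, float]], start_epoch: int, start_mono: float) -> List[Tuple[bool, str]]:
    """Feed a sequence of (epoch, monotonic) fixes through one TimeGuard."""
    guard = TimeGuard(start_epoch, start_mono)
    return [guard.check(epoch, mono) for epoch, mono in fixes]


# Constructed fix sequence (not captured from a real receiver). The baseline is
# an epoch in June 2013 with the monotonic clock at 0.0.
START_EPOCH, START_MONO = 1370000000, 0.0
SAMPLE_FIXES = [
    (1370000001, 1.0),  # normal one-second tick
    (1370000002, 2.0),  # normal one-second tick
    (2147483000, 3.0),  # date pushed to the edge of 2038: rejected as a jump
    (1370000003, 3.0),  # receiver recovers; consistent with the last accepted fix
    (1369999000, 4.0),  # date pushed into the past: rejected
    (3000000000, 5.0),  # beyond the signed 32-bit range: rejected
]

if __name__ == "__main__":
    for fix, verdict in zip(SAMPLE_FIXES, replay(SAMPLE_FIXES, START_EPOCH, START_MONO)):
        print(fix, verdict)
```

Because a rejected fix never moves the baseline, a single spoofed or corrupted message cannot drag the device's notion of time along with it; a genuine large correction has to be applied deliberately by an operator rather than accepted silently.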


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and combined with lax law enforcement this is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police has started: the EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and it will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    NSA Leaks Present a Business and Ethics Crisis for Silicon Valley
    http://www.wired.com/wiredenterprise/2013/06/prism/

    Late last week, as revelations about the National Security Agency’s telephone and internet data gathering programs splashed across the news, attorney Michael Overly heard from one of his clients, a consumer product company that had been looking at moving email systems to a cloud service provider. They’d decided to put their cloud project on hold.

    “They are simply concerned about their data being accessed by a third party without their knowledge or consent,” says Overly, a partner in the information technology practice at the Los Angeles firm Foley & Lardner. “They have all kinds of things that they’re working on, and they don’t want that information used unless they understand who’s using it.”

    Nevertheless, the Prism and other NSA surveillance revelations, has caused angst amongst Silicon Valley’s technologically literate and privacy sensitive workers. For much of Sunday and Monday, the NSA’s surveillance program was the top topic on Hacker News, the web site that serves as both sounding board and news site for the tech industry’s geek community.

    “Everybody is just kind of wait-and-see right now,” says Alex Stamos, chief technology officer with security consultancy Artemis Internet. He says that many tech industry friends are concerned about Prism and the level of the NSA’s surveillance. “If it comes out that their employers were doing more than the minimum legal environment, then that’s going to be problematic.”

    Reached Monday, an employee of one of the companies named in the NSA slides said he was too paranoid about government surveillance to say how he felt — even anonymously. “Do you really think I feel comfortable giving my opinion?” he said before declining to comment further.

  2. Tomi Engdahl says:

    ACLU Sues NSA Over Mass Phone Spying
    http://www.wired.com/threatlevel/2013/06/nsa-spygate-lawsuits-growing/

    A second lawsuit challenging the constitutionality of the NSA’s dragnet phone surveillance program was lodged today in a New York federal court by the American Civil Liberties Union, calling the spying “one of the largest surveillance efforts ever launched by a democratic government.”

  3. Tomi Engdahl says:

    Mozilla and 85 others send an anti-PRISM letter to Congress
    http://www.theinquirer.net/inquirer/news/2274194/mozilla-and-85-others-send-an-antiprism-letter-to-congress

    A LARGE ASSORTMENT OF INTERNET and software firms as well as civil liberties groups including the Electronic Frontier Foundation (EFF) have expressed their firm opposition to Orwellian US National Security Agency (NSA) PRISM surveillance of the internet.

  4. Tomi Engdahl says:

    Majority Views NSA Phone Tracking as Acceptable Anti-terror Tactic
    Public Says Investigate Terrorism, Even If It Intrudes on Privacy
    http://www.people-press.org/2013/06/10/majority-views-nsa-phone-tracking-as-acceptable-anti-terror-tactic/

    A majority of Americans – 56% – say the National Security Agency’s (NSA) program tracking the telephone records of millions of Americans is an acceptable way for the government to investigate terrorism, though a substantial minority – 41% – say it is unacceptable. And while the public is more evenly divided over the government’s monitoring of email and other online activities to prevent possible terrorism, these views are largely unchanged since 2002, shortly after the 9/11 terrorist attacks.

    Young Differ on Principle, but Less on Practice

    Younger Americans are more likely than older age groups to prioritize protecting personal privacy over terrorism investigations. Among people ages 18-29, 45% say it is more important for the federal government NOT to intrude on personal privacy, even if that limits its ability to investigate possible terrorist threats. That view falls to 35% among those ages 30-49 and just 27% among those ages 50 and older.

  5. Tomi Engdahl says:

    Global awareness of PRISM would be good for promoting end-to-end encryption (instead of trusting Skype/Facebook), but I see no activity. :-(

    Source: https://kfalck.net/

  6. Tomi Engdahl says:

    Patch Tuesday: And EVERY version of IE needs fixing AGAIN
    Adobe, VMware join Microsoft in the stocks this month
    http://www.theregister.co.uk/2013/06/12/ms_june_patch_tuesday/

    June’s Black Tuesday patch update from Microsoft has rolled into town with five bulletins, including a solitary critical update that tackles flaws in all supported versions of Internet Explorer.

    The IE update (MS13-047) grapples with 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, on all supported versions of Windows, from XP to RT. It’s just the sort of thing that might be latched onto by hackers as part of drive-by-download attacks, based on malicious scripts on compromised websites, and therefore needs to be patched sooner rather than later.

  7. Tomi Engdahl says:

    NSA PRISM deepthroat VANISHES as pole-dance lover cries into keyboard
    Blogging bikini babe blubs about ‘the ones I never got to bid adieu’
    http://www.theregister.co.uk/2013/06/11/nsa_surveillance_whistleblower_disappears/

    Whistleblower Edward Snowden, who blew the lid off the US government’s massive internet surveillance project PRISM, has vanished from his Hong Kong hideout.

    Word of his disappearance came as it emerged that the 29-year-old’s girlfriend is apparently a pole-dancing blogger who yesterday wrote: “Sometimes life doesn’t afford proper goodbyes.”

  8. Tomi Engdahl says:

    Cyber researcher: Cloud services it is not worth believing big secrets

    Cloud services offer a lot of nifty tools, but are also linked to security risks, which is good to know, says cyber researcher Kiravuo Timo from Aalto University.

    - All data is in someone else’s control, and we do not know, see if any of it. I would say that the well-known service providers offer a fairly good level of security, but if the National Security Agency will say that we are there, then probably they have access.

    Kiravuo of all the countries engaged in the best of net snooping, so the last few days, such revelations can be expected to continue.

    - A significant part of the net for the content of either the USA or passing through it, so at the moment the U.S. has the best resources, the best access to the data. I do not know what our intelligence community is doing, but yes, I suppose that Finland will act like this, but pretty insignificant.

    Sweden has already announced will ask the network traffic. Finnish network traffic passing through Sweden to a large extent, so the Finnish e-mails may be read next door.

    Cloud services can be divided into two groups – one with a person to buy a Personal (Facebook) or storage space (Dropbox).

    Kiravuo that the common man can identify with some confidence premium cloud services, as an ordinary person of ordinary secrets, photos or letters of no interest to the intelligence services. Instead, companies should be careful about what the deposit of the cloud.

    Facebook sees ordinary users as the raw material, which is sold to advertisers. The company does not benefit from any particularly good security, as long as users are least deterred.

    - For Facebook we have cattle, and Facebook’s business model is to get as much milk and as little as possible noise. There I would put anything that I would not be prepared to see the Journal the next day.

    Source: http://yle.fi/uutiset/kybertutkija_pilvipalveluille_ei_kannata_uskoa_suuria_salaisuuksia/6679824

  9. Tomi Engdahl says:

    Edward Snowden: US government has been hacking Hong Kong and China for years
    http://www.scmp.com/news/hong-kong/article/1259508/edward-snowden-us-government-has-been-hacking-hong-kong-and-china

    Former CIA operative makes more explosive claims and says Washington is ‘bullying’ Hong Kong to extradite him

    US whistle-blower Edward Snowden yesterday emerged from hiding in Hong Kong and revealed to the South China Morning Post that he will stay in the city to fight likely attempts by his government to have him extradited for leaking state secrets.

    A week since revelations that the US has been secretly collecting phone and online data of its citizens, he said he will stay in the city “until I am asked to leave”

    “People who think I made a mistake in picking HK as a location misunderstand my intentions. I am not here to hide from justice, I am here to reveal criminality,” he said.

    Snowden believed there had been more than 61,000 NSA hacking operations globally, with hundreds of targets in Hong Kong and on the mainland.

    “We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one,” he said.

    “Last week the American government happily operated in the shadows with no respect for the consent of the governed, but no longer. Every level of society is demanding accountability and oversight.”

  10. Tomi Engdahl says:

    NSA revelations only ‘the tip of the iceberg,’ says Dem lawmaker
    http://thehill.com/video/house/305047-dem-rep-lawmakers-learned-significantly-more-about-surveillance-programs-in-nsa-briefing

    The federal surveillance programs revealed in media reports are just “the tip of the iceberg,” a House Democrat said Wednesday.

    “What we learned in there,” Sanchez said, “is significantly more than what is out in the media today.”

    Lawmakers are barred from revealing the classified information they receive in intelligence briefings

  11. Tomi Engdahl says:

    Feds hunted for Snowden in days before NSA programs went public
    http://www.reuters.com/article/2013/06/12/us-usa-security-snowden-hunt-idUSBRE95B1A220130612

    U.S. government investigators began an urgent search for Edward Snowden several days before the first media reports were published on the government’s secret surveillance programs, people familiar with the matter said on Wednesday.

  12. Tomi Engdahl says:

    Hong Kong to Handle NSA Leaker Extradition Based on Law
    http://www.bloomberg.com/news/2013-06-12/alleged-nsa-leaker-says-he-will-fight-u-s-from-hong-kong.html

    “We’ll handle the case according to our law.”

    At least 14 Hong Kong civic groups plan to march in support of Snowden on June 15 at the U.S. consulate in Hong Kong and the city government headquarters.

    “We ask the U.S. government not to seek extradition of Snowden because he isn’t an offender,

    Snowden’s disclosures, made to the U.K.’s Guardian newspaper and the Washington Post, have triggered a criminal investigation by the Justice Department, calls for the surveillance to be limited, and a lawsuit accusing the government of violating the privacy and free-speech rights of its citizens.

    As he spoke to the media, lawmakers on Capitol Hill braced for possible further disclosures of U.S. intelligence secrets, after receiving classified briefings about the programs yesterday from FBI, legal and intelligence officials.

    Saxby Chambliss of Georgia, the top Republican on the Senate Intelligence Committee, said he expects Snowden to release more classified data.

    “Apparently he’s got a thumb drive,” Chambliss said, though its contents are unknown. “He’s already exposed part of it and I guess he’s going to expose the rest of it.”

  13. Tomi Engdahl says:

    NSA Leader Seeks Openness on Secret Surveillance Orders
    http://www.businessweek.com/news/2013-06-12/trust-us-nsa-leader-says-after-leaks-of-surveillance-programs

    The head of the National Security Agency said he would seek to make more information public about electronic surveillance of citizens while emphasizing that disclosure of the programs has done “great harm” to the U.S.

    Information that could be made public includes secret court orders authorizing the collection of phone records and Internet communications, General Keith Alexander said yesterday.

    Alexander said he has “grave concerns” about Snowden’s access to top-secret material.

    “This individual was a system administrator with access to key parts of the network,” Alexander said. “We’ve got to address that. That is of serious concern to us and something that we have to fix.”

    Snowden said in the interview that he hasn’t committed any crime

    “I’m neither traitor nor hero,” Snowden said. “I’m an American.”

  14. Tomi Engdahl says:

    NSA: ‘Dozens of attacks’ prevented by snooping
    Spy chief defends data slurping
    http://www.theregister.co.uk/2013/06/12/nsa_snooping_terror/

    The National Security Agency has defended its slurping of phone records and other business data on the grounds the information contained has helped it fight terrorism.

    In a congressional hearing on cybersecurity and government surveillance on Tuesday, NSA Director General Keith Alexander said the NSA’s data slurping had let it avert terror attacks.

    “It’s dozens of terrorist events that these have helped prevent,” Alexander said.

    The phone records were crucial for “disrupting or contributing to the disruption of terrorist attacks” both in the US and abroad, Alexander said.

  15. Tomi Engdahl says:

    Europe rallies against PRISM
    Incensed by US surveillance
    http://www.theinquirer.net/inquirer/news/2274533/europe-rallies-against-prism

    EUROPEAN POLITICAL LEADERS are demanding answers and reform from the US government with regard to its panopticon PRISM surveillance programme that invades individuals’ privacy.

    In an op-ed in Spiegel Online German Justice Minister Sabine Leutheusser-Schnarrenberger characterised PRISM as “dangerous”.

    US President Obama will travel to Germany next week, but his visit is not likely to be all smiles and rainbows when the conversation turns to PRISM.

    “On the weekend, President Obama reacted by saying that it is impossible to have 100 percent security and 100 percent privacy and zero inconvenience,” she wrote.

  16. Tomi Engdahl says:

    Neglected Privacy Board to Probe Spygate Scandal
    http://www.wired.com/threatlevel/2013/06/privacy-board-spygate/

    A neglected and overlooked federal oversight board hit the limelight today when NSA chief Keith Alexander agreed publicly to cooperate with an investigation into the spygate scandal by the Privacy and Civil Liberties Oversight Board.

    The board was subsequently transformed into an independent agency, with the power of subpoena and to review classified material. But the board was virtually idle from 2008 until last year

    The spygate investigation, proposed by Sen. Tom Udall (D-New Mexico), will peer into one of the biggest privacy scandals in the nation’s history. The board’s chairman, confirmed last month, is David Medine, a former associate director of the Federal Trade Commission.

    Because there was no chairman, the board has done little. It has no website.

  17. Tomi Engdahl says:

    Also Revealed by Verizon Leak: How the NSA and FBI Lie With Numbers
    http://www.wired.com/threatlevel/2013/06/nsa-numbers/

    Here’s a seemingly comforting statistic: In all of 2012, the Obama administration went to the secretive Foreign Intelligence Surveillance Court only 200 times to ask for Americans’ “business records” under the USA Patriot Act.

    Every year, the Justice Department gives Congress a tally of the classified wiretap orders sought and issued in terrorist and spy cases – it was 1,789 last year. At the same time, it reports the number of demands for “business records” in such cases, issued under Section 215 of the USA Patriot Act. And while the number of such orders has generally grown over the years, it has always managed to stay relatively low. In 2011, it was 205. There were 96 orders in 2010, and only 21 in 2009.

    Thanks to the Guardian’s scoop, we now know definitively just how misleading these numbers are. You see, while the feds are required to disclose the number of orders they apply for and receive (almost always the same number, by the way), they aren’t required to say how many people are targeted in each order. So a single order issued to Verizon Business Solutions in April covered metadata for every phone call made by every customer. That’s from one order out of what will probably be about 200 reported in next year’s numbers.

  18. Tomi Engdahl says:

    The Secret War
    http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/

    INFILTRATION. SABOTAGE. MAYHEM. FOR YEARS FOUR-STAR GENERAL KEITH ALEXANDER HAS BEEN BUILDING A SECRET ARMY CAPABLE OF LAUNCHING DEVASTATING CYBERATTACKS. NOW IT’S READY TO UNLEASH HELL.

    Tens of thousands of people move through more than 50 buildings

    This is the undisputed domain of General Keith Alexander, a man few even in Washington would likely recognize. Never before has anyone in America’s intelligence sphere come close to his degree of power, the number of people under his command, the expanse of his rule, the length of his reign, or the depth of his secrecy.

    Alexander runs the nation’s cyberwar efforts, an empire he has built over the past eight years by insisting that the US’s inherent vulnerability to digital attacks requires him to amass more and more authority over the data zipping around the globe. In his telling, the threat is so mind-bogglingly huge that the nation has little option but to eventually put the entire civilian Internet under his protection, requiring tweets and emails to pass through his filters, and putting the kill switch under the government’s forefinger. “What we see is an increasing level of activity on the networks,” he said at a recent security conference in Canada. “I am concerned that this is going to break a threshold where the private sector can no longer handle it and the government is going to have to step in.”

    In its tightly controlled public relations, the NSA has focused attention on the threat of cyberattack against the US—the vulnerability of critical infrastructure like power plants and water systems, the susceptibility of the military’s command and control structure, the dependence of the economy on the Internet’s smooth functioning. Defense against these threats was the paramount mission trumpeted by NSA brass at congressional hearings and hashed over at security conferences.

    But there is a flip side to this equation that is rarely mentioned: The military has for years been developing offensive capabilities, giving it the power not just to defend the US but to assail its foes. Using so-called cyber-kinetic attacks, Alexander and his forces now have the capability to physically destroy an adversary’s equipment and infrastructure, and potentially even to kill.

  19. Tomi Engdahl says:

    Symantec claims a Linux kernel exploit has been ported to Android
    Older versions might be at risk
    http://www.theinquirer.net/inquirer/news/2274519/symantec-claims-a-linux-kernel-exploit-has-been-ported-to-android

    SECURITY VENDOR Symantec has warned that a Linux kernel exploit that allows user privileges to be escalated has been ported to Android.

    Google’s Android operating system runs on top of the Linux kernel, and while Android 4.2 Jelly Bean uses Linux 3.0, previous versions of Android used Linux 2.6.

    Symantec said of the vulnerability, “The Android operating system normally sandboxes every application so they cannot perform sensitive system operations or interfere with other installed applications. In the past, we have seen malware use privilege escalation exploits to access data from other applications, prevent uninstall, hide themselves, and also bypass the Android permissions model to enable behaviors such as sending premium SMS messages without user authorization.”

    Since Google has made it easy for Android users to download and install apps from third party sources, Android has become a target for malware. Symantec recommends that Android users running older versions stick to trusted sources of Android apps, such as the Google Play store.

  20. Tomi Engdahl says:

    To hack back or not to hack back?
    http://www.net-security.org/article.php?id=1850

    If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. You build fences to keep your cattle in, and the horse thieves out. You train your cowboys to ride and shoot well, and to recognize newcomers for what they are. And you accept the fact that your government is the one that will pursue and prosecute the thief that stole one or more of your horses.

    The challenge arises when you (possibly rightfully so) perceive that your government is not able to deal with the horse thief. In the Wild West, you would have your cowboys string him up and hang him.

    In cyberspace, you demand to be allowed to “hack back”. You want your government to delegate the legal persecution, judging and execution to you, because (you claim) you know the situation better.

    You may find yourself saying something along the lines of: “Our cyberjockeys are highly skilled, quick to shoot and fully capable of taking down any trespassing hacker. I must have the right to defend myself, and attack is the best defense. Because, my dear government, if I do nothing, it will only be a matter of time before they enter my premises and run me over.”

    From your narrow and personal perspective, this kind of reasoning may make sense at first glance. This is the same kind of reasoning that feeds blood feuds through the principle of “an eye for an eye”

    Without an overarching governing body, instability, violence and uncertainty become the rule of thumb.

    A gut response to direct threat is retaliation (or you may choose to run and hide). Consider that we are all part of a global community these days. It is not only you and that horse thief anymore. It is you, your employees, your country, your country´s trade partners, and so forth.

    The implications of hacking back are much larger than you and your organization. What you think of as a simple retaliation operation may quickly evolve into a geopolitical situation with multilateral impact.

    Yes, the current laws and legal systems are a major challenge to cybersecurity. History has shown us that allowing every man his own justice system simply does not scale well. We do not need a granulated “hack back” retaliation regime.

    We need a new system, and that system must be larger than each individual, organization and nation-state. Obviously, the creation and implementation of such a multilateral governing body will take time and effort.

    Every single one of us can look beyond mere self-interest, and look for common ground where workable, realistic solutions can grow and operate.

  21. Tomi Engdahl says:

    PRISM snitch claims NSA hacked Chinese targets since 2009
    Snowden suddenly looks safer in Hong Kong after revelations
    http://www.theregister.co.uk/2013/06/13/snowden_nsa_hacking_china_2009/

    PRISM snitch Edward Snowden now claims to have data which proves the NSA has been hacking hundreds of civilian targets in China and Hong Kong since 2009.

    Public officials, businesses and students as well as the Chinese University of Hong Kong were among the targets in the former British colony, Snowden told the South China Morning Post.

    The former information security engineer at defence contractor Booz Allen Hamilton (the firm just fired him) showed the paper unverified documents purporting to reveal attacks on Hong Kong and mainland targets.

    “We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one,” he told the paper.

    Snowden claimed his new revelations were designed to expose “the hypocrisy of the US government when it claims that it does not target civilian infrastructure, unlike its adversaries”.

  22. Tomi Engdahl says:

    Obama-Chinese premier summit achieves little on cyber-security
    ‘Nothing to do with the-NSA-program-which-shall-not-be-named’
    http://www.theregister.co.uk/2013/06/11/obamaxi_presidential_summit_fails_to_make_much_progress_on_cybersecurity/

    A summit meeting between Chinese President Xi Jinping and US President Barack Obama last week due to tackle the issue of cyber espionage failed to result in any agreement, perhaps partially because it was overshadowed by controversy over the NSA’s controversial PRISM surveillance programme.

  23. Tomi Engdahl says:

    My bleak tech reality: You can’t trust anyone or anything, anymore
    Two-factor authentication? Fine, if you trust the Feds
    http://www.theregister.co.uk/2013/06/03/trust_nobody_with_your_personal_data_ever/

    Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.

    All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere’s complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.

    A simple problem

    Let’s use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy to remember (and thus easy to crack) passwords for virtually everything.

    The use of password managers and two-factor authentication is on the rise, but we have once more run into a classic security versus usability issue with both technologies.

    Two-factor authentication is a pain.

    The other alternative is a password manager. Password managers come in two basic types: ones that live on your local system and ones that store their information on a remote system.

    Much to both Microsoft and Apple’s dismay, the era of individuals using only one device is long over.

    This means that in the real world the system-local password manager is completely useless.

    The first option is to use a cloud-based service like LastPass. LastPass is amazing – simple to use and effective. It has browser plug-ins for all major browsers that can autocomplete your passwords for sites you have to go to, and it generally makes the whole process of logging in as unobtrusive as possible.

    The basics of the service are that you put all of your passwords into LastPass and it stores them in the LastPass cloud. You then log in once (per browser) and LastPass handles your authentication to all websites you visit.

    Trust factors into authentication

    Both these options have their own significant problems. The centralised LastPass store is an unbelievably tempting target for every ne’er-do-well on the planet. Although it is defended by a team of über cyber ninjas, if LastPass should fall, everyone who uses it is screwed.

    The US government has been pretty open over the past decade about the fact that it simply does not care one whit for privacy, civil liberties and other such petty concerns. Certainly, the US PATRIOT Act ensured that non-US citizens have even fewer rights than the (already heavily degraded) few that remain to Americans, something that has been upheld in court but which remains contentious

    Assuming that there was a Last-Pass-Alike that I could install on my own servers, I could solve one trust issue

    A centralised cloud service like LastPass defended by the top industry experts in the field is going to be far more secure than anything I run on my own servers.

    There are solutions

    The ultimate solution to this problem would be a virtual appliance that I could install on my network which would stream updates and security configuration changes from a centralised cloud service. Here I could tap the expertise of a group like LastPass while still ensuring that the information I care about is subject only to the laws of my nation.

    Trust as a design principle

    The technosphere doesn’t think like this. Very few design their products around trust, or the lack thereof. We’ve become obsessed with how the technology works and what that technology can enable; technology is easy, people are hard. How the technology we create integrates into the larger reality of politics, law, emotion and the other people-centric elements, is often overlooked.

    In some cases it is simply a matter of having a limited target audience; American firms designing for American users, for example.

    The 2000s saw “secure by design” become a catchphrase as the exponential spread of always-on internet connectivity made remote attacks from random hostiles a part of everyday life. This decade seems to have latched on to “integrated by design” – a marriage of hardware, software, networking and cloud services under banners ranging from DevOps to Software Defined Networking/Storage/etc.

    “Trustworthy by design” has been completely ignored, quietly brushed under the rug as inconvenient and bad for business.

    Demand change

    We need a new movement in computing

    As technologists, we must stop looking at user data as one more thing to monopolise and monetise; we need to treat data as sacrosanct.

    We, as users, must not allow our data to be used to lock us into “solutions”, or be mined by corporations or governments.

    We need to demand this of the companies that create our applications. We must demand this of our governments and even the companies we work for. The alternative is a world without secrets; a world where one mistake – no matter how minor – can haunt us for a lifetime.

    Reply
  24. Tomi Engdahl says:

    How NSA spooks spaffed my DAD’S DATA ALL OVER THE WEB
    TV star plundered for key PRISM asset without so much as a thank-you
    http://www.theregister.co.uk/2013/06/12/nsa_logo_scandal/

    Shock, horror, scandal! America’s NSA secretly took data from my website for its fiendish PRISM web-snooping project – and it ended up blasted all over the internet!

    Top-secret slides detailing the massive electronic surveillance programme were leaked last week by ex-CIA techie Edward Snowden.

    The NSA may have set aside a paltry annual budget of $20m for its internet-data hoovering program (we’re doomed, doomed, I tell you), but that didn’t stretch as far as bunging over some loose change for using my dad’s prism photo for its creepy PRISM logo

    Reply
  25. Tomi Engdahl says:

    Microsoft beefs up Windows Azure with optional multi-factor verification via mobile app, phone call, or SMS
    http://thenextweb.com/microsoft/2013/06/12/microsoft-beefs-up-windows-azure-with-optional-multi-factor-verification-via-mobile-app-phone-call-or-sms/

    Microsoft says Active Authentication is built on the technology from authentication vendor PhoneFactor, which the company acquired in October.

    Automated Enrollment: Windows Azure AD users enroll their own phone numbers and set authentication preferences during the standard sign in process. There are no tokens to provision and ship, so you can quickly enable the service for users around the globe.

    Unfortunately, all of this will cost you

    Reply
  26. Tomi Engdahl says:

    How the NSA Could Get So Smart So Fast
    http://online.wsj.com/article_email/SB10001424127887324049504578541271020665666-lMyQjAxMTAzMDEwMjExNDIyWj.html

    Modern Computing Is Helping Companies and Governments Accurately Parse Vast Amounts of Data in a Matter of Minutes

    Five years ago it would have been unimaginable for a government agency such as the National Security Agency to efficiently parse millions of phone, text and online conversations for keywords that could have warned of an impending terrorist attack. Today, a set of new technologies make it relatively affordable and manageable for it do so.

    These technologies can store vastly different types of data in a single database, and can be processed rapidly using inexpensive hardware, without an analyst having to formulate a hypothesis. “They’ve substantially reduced the cost and greatly increased the [government's] ability to analyze this type of data,” says Tom Davenport, an expert on analytics and a visiting professor at Harvard Business School. The technology needed to outfit data centers to perform these tasks has become “orders of magnitude” less expensive than in the past, he said.

    Database systems

    New types of databases that emerged beginning in late 2009, known collectively as NoSQL (for “not only SQL”), such as MongoDB, Cassandra and Simple DB, don’t have these limitations, and allow analysts to create queries against all these types of data.

    NoSQL databases can make a huge difference to companies analyzing very large data sets, even if they’re fairly conventional.

    Machine learning

    Machine learning, also known as cognitive analytics, allows queries to continually “tune themselves,” Gartner Inc. analyst Douglas Laney explains

    Hadoop

    The ability to distribute complex queries to a large number of inexpensive computers helps people get very quick responses to complicated questions with a large number of variables.

    Reply
  27. Tomi says:

    Mobile Boom Turns BYOD Into Unmanaged Risk, Check Point Finds
    http://www.cio.com/article/734606/Mobile_Boom_Turns_BYOD_Into_Unmanaged_Risk_Check_Point_Finds

    The challenge of securing mobile technology is starting to overwhelm some IT departments, with many BYOD smartphones and tablets left in an unmanaged state despite the risk of data loss, a global survey by Check Point has found.

    It would be easy to dismiss yet another survey on mobile data security as ambulance chasing by a security firm, but Check Point’s interrogation of 790 IT professionals in the US, Canada, UK, Germany and Japan (of different sizes) revealed a plausible degree of chaos.

    The bottom line is that networks are suddenly inundated with mobile devices, particularly the harder-to-manage ones such as tablets and smartphones.

    The survey found clear evidence that security incidents on mobile devices can be expensive

    This probably isn’t as alarming as it sounds; any large organisation is going to face significant costs from the loss, damage or theft of mobile devices.

    Most of the time, employee incompetence was seen as a greater risk than that of cybercriminals.

    “Without question, the explosion of BYOD, mobile apps, and cloud services, has created a herculean task to protect corporate information for businesses both large and small,” said Check Point’s security researcher, Tomer Teller.

    Reply
  28. Tomi says:

    NSA chief drops hint about ISP Web, e-mail surveillance
    http://news.cnet.com/8301-13578_3-57589078-38/nsa-chief-drops-hint-about-isp-web-e-mail-surveillance/

    A secret interpretation of the Patriot Act led to the National Security Agency vacuuming up all of Verizon’s phone logs. The NSA may be doing the same for e-mail and Web-browsing logs too.

    “I don’t want to make a mistake” and reveal too much, Alexander said, adding that disclosing details about such surveillance would cause “our country to lose some sort of protection.” It would be appropriate, he said, to discuss e-mail and other metadata surveillance in a “classified session” that senators are scheduled to attend Thursday.

    Among the small circle of outsiders who closely follow the NSA, the agency’s close, long-standing relationship with AT&T, Verizon, and other telecommunications providers is an open secret — so it would come as little surprise to find they’re serving up exabytes of daily e-mail and Web-browsing logs as well.

    The document, an internal Justice Department chart marked “law enforcement use only,” reveals that Verizon Wireless keeps “IP destination information,” meaning records of what Internet Protocol addresses are visited, for 90 days. Sprint keeps connection logs for 60 days. T-Mobile, AT&T, and Virgin Mobile do not retain connection logs at all.

    Reply
  29. Tomi says:

    NSA revelations only ‘the tip of the iceberg,’ says Dem lawmaker
    http://thehill.com/video/house/305047-dem-rep-lawmakers-learned-significantly-more-about-surveillance-programs-in-nsa-briefing

    The federal surveillance programs revealed in media reports are just “the tip of the iceberg,” a House Democrat said Wednesday.

    Rep. Loretta Sanchez (D-Calif.) said lawmakers learned “significantly more” about the spy programs at the National Security Agency (NSA) during a briefing on Tuesday with counterterrorism officials.

    “What we learned in there,” Sanchez said, “is significantly more than what is out in the media today.”

    Reply
  30. Tomi says:

    How the NSA Could Get So Smart So Fast
    http://online.wsj.com/article_email/SB10001424127887324049504578541271020665666-lMyQjAxMTAzMDEwMjExNDIyWj.html

    Modern Computing Is Helping Companies and Governments Accurately Parse Vast Amounts of Data in a Matter of Minutes

    Reply
  31. Tomi Engdahl says:

    Smile! Hackers Can Silently Access Your Webcam Right Through The Browser (Again)
    http://techcrunch.com/2013/06/13/smile-hackers-can-silently-access-your-webcam-right-through-the-browser-again/

    You know those people who put tape over their laptop’s webcam to keep digital peeping toms at bay? They’re not crazy.

    A new proof of concept is making the rounds today that demonstrates how a hacker can snap pics off your webcam, right through the browser, with no consent required.

    Well, technically, you are giving consent. You just wouldn’t know it.

    Without going into too much detail, the demo uses a bunch of fancy CSS/HTML trickery to render Flash’s permission prompt in a transparent layer, placing the now invisible “Allow” button directly above something the user is likely to click — like, say, the “Play” button on a video.

    The basic technique, dubbed Clickjacking, is nothing new.

    And yet… it still works. We tested the proof of concept on the latest build of Chrome for Mac, and it pulled from our webcam without issue or any visible prompt. Others have found the exploit to work on IE10, but it seems to be patched on the most recent releases of Safari and Firefox.

    Reply
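The transparent-overlay trick above only works if the victim site lets itself be rendered inside a frame on another origin. As an added example, not from the TechCrunch article or the proof of concept it describes, the following Node.js code builds the two response headers a site sends to refuse framing and includes a checker that decides, from a response's headers, whether a third-party origin could still frame the page; the origins used (video.example, partner.example, attacker.example) are constructed.

```javascript
// Added example (not from the original page or the proof of concept it
// describes): the response headers that stop a page being framed, and a
// checker that decides whether a given set of headers still lets a
// third-party origin frame the page. All origins used here are constructed.

// Headers a site should send so browsers refuse to render it inside a frame
// on another origin. If the page cannot be framed, nothing can be laid
// invisibly over its buttons from a different site.
function antiFramingHeaders(allowedOrigin) {
  // X-Frame-Options is the legacy header (DENY / SAMEORIGIN only);
  // CSP frame-ancestors is the current mechanism and accepts an origin list.
  if (allowedOrigin) {
    return {
      "X-Frame-Options": "SAMEORIGIN",
      "Content-Security-Policy": `frame-ancestors 'self' ${allowedOrigin}`,
    };
  }
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Match one CSP host-source (e.g. "https://*.partner.example", "https:")
// against a framing origin. Ports are not compared; that is a simplification.
function sourceMatches(source, origin) {
  const org = new URL(origin);
  // A scheme-source such as "https:" matches any host using that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === org.protocol;
  }
  let scheme = null;
  let host = source;
  const sep = source.indexOf("://");
  if (sep !== -1) {
    scheme = source.slice(0, sep).toLowerCase();
    host = source.slice(sep + 3);
  }
  if (scheme && `${scheme}:` !== org.protocol) return false;
  host = host.replace(/\/.*$/, "").split(":")[0].toLowerCase();
  const target = org.hostname;
  if (host.startsWith("*.")) {
    // "*.partner.example" matches any subdomain but not the bare domain.
    const suffix = host.slice(1);
    return target.endsWith(suffix) && target.length > suffix.length;
  }
  return host === target;
}

// Can a document at `pageOrigin`, served with `headers`, be embedded in a
// frame by a page at `framerOrigin`? Header names match case-insensitively.
// When both headers are present, browsers enforce frame-ancestors and ignore
// X-Frame-Options, so the CSP directive is evaluated first.
function mayBeFramed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const page = new URL(pageOrigin).origin;
  const framer = new URL(framerOrigin).origin;

  // Content-Security-Policy-Report-Only enforces nothing, so only the
  // enforcing header is consulted here.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // An empty source list means the same as 'none'.
      if (sources.length === 0 || sources.includes("'none'")) return false;
      return sources.some((src) => {
        if (src === "'self'") return framer === page;
        if (src === "*") return true;
        return sourceMatches(src, framer);
      });
    }
  }

  const xfoRaw = (h["x-frame-options"] || "").trim();
  const xfo = xfoRaw.toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framer === page;
  if (xfo.startsWith("ALLOW-FROM")) {
    // Obsolete form; browsers that still honour it allow exactly one origin.
    return new URL(xfoRaw.slice("ALLOW-FROM".length).trim()).origin === framer;
  }
  // No enforcing header at all: any origin may frame the page.
  return true;
}
```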
  32. Tomi Engdahl says:

    NSA Leak Inquiry to Explore Whether Snowden Had China Tie
    http://www.bloomberg.com/news/2013-06-13/snowden-links-being-probed-by-congress-focusing-on-china.html

    Counterintelligence and criminal investigators are examining whether Edward Snowden, the technology contractor who leaked details about classified U.S. spy programs, might have been recruited or exploited by China.

    To pursue that question, investigators will use the very surveillance tools revealed by Snowden to probe his own phone calls and online communications to see whether he’s had any contact with Chinese or other foreign agents, as well as whether security officials missed any signs that he might be a security risk, said two U.S. officials briefed on the matter.

    The 29-year-old fled to Hong Kong last month before revealing himself as the source, and U.S. lawmakers said they want to know more about what led him to act.

    Inquiry Path

    In addition to interviews with Snowden’s relatives and co-workers, the investigation will include a review of all of his available e-mails, text messages, online postings, telephone calls and other communications, said the two U.S. officials and two former officials familiar with counterintelligence investigative procedures.

    Mueller, who will depart the FBI in September after 12 years on the job, told the panel that the collection of data under the two programs was fully legal.

    “The legality has been assured by the Department of Justice,” Mueller said in his first public comments on the disclosures. The FISA court “has ruled on these two programs, monitors these two programs and has assured the legality of the efforts undertaken in these two programs.”

    U.S. intelligence agencies are also concerned about additional classified information Snowden has with him on a thumb drive, laptops or other devices, and also about more mundane matters that could be useful to foreign spy services.

    Reply
  33. Tomi Engdahl says:

    U.S. Agencies Said to Swap Data With Thousands of Firms
    http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html

    Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.

    These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden, a computer technician who did work for the National Security Agency. The role of private companies has come under intense scrutiny since his disclosure this month that the NSA is collecting millions of U.S. residents’ telephone records and the computer communications of foreigners from Google Inc (GOOG). and other Internet companies under court order.

    Many of these same Internet and telecommunications companies voluntarily provide U.S. intelligence organizations with additional data, such as equipment specifications, that don’t involve private communications of their customers, the four people said.

    Makers of hardware and software, banks, Internet security providers, satellite telecommunications companies and many other companies also participate in the government programs.

    Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

    Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials

    Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

    The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies

    In addition to private communications, information about equipment specifications and data needed for the Internet to work — much of which isn’t subject to oversight because it doesn’t involve private communications — is valuable to intelligence, U.S. law-enforcement officials and the military.

    Typically, a key executive at a company and a small number of technical people cooperate with different agencies and sometimes multiple units within an agency

    If necessary, a company executive, known as a “committing officer,” is given documents that guarantee immunity from civil actions resulting from the transfer of data

    Reply
  34. Tomi Engdahl says:

    Secret Court Ruling Put Tech Companies in Data Bind
    http://www.nytimes.com/2013/06/14/technology/secret-court-ruling-put-tech-companies-in-data-bind.html?pagewanted=all

    In a secret court in Washington, Yahoo’s top lawyers made their case. The government had sought help in spying on certain foreign users, without a warrant, and Yahoo had refused, saying the broad requests were unconstitutional.

    The judges disagreed. That left Yahoo two choices: Hand over the data or break the law.

    So Yahoo became part of the National Security Agency’s secret Internet surveillance program, Prism, according to leaked N.S.A. documents, as did seven other Internet companies.

    It also highlights a paradox of Silicon Valley: while tech companies eagerly vacuum up user data to track their users and sell ever more targeted ads, many also have a libertarian streak ingrained in their corporate cultures that resists sharing that data with the government.

    “Even though they have an awful reputation on consumer privacy issues, when it comes to government privacy, they generally tend to put their users first,”

    For many of the requests to tech companies, the government relies on a 2008 amendment to FISA. Even though the FISA court requires so-called minimization procedures to limit incidental eavesdropping on people not in the original order, including Americans, the scale of electronic communication is so vast that such information — say, on an e-mail string — is often picked up, lawyers say.

    Reply
  35. Tomi Engdahl says:

    PRISM fears give private search engine DuckDuckGo its best week ever
    http://venturebeat.com/2013/06/13/prism-fears-give-private-search-engine-duckduckgo-its-best-week-ever/

    If you want to know just how crazy fear over PRISM-like surveillance has made the Internet, take a look at DuckDuckGo.

    Thanks to the National Security Agency leaks and some well-timed media appearances, the private search engine is having its best traffic week ever. Visitors to the site made a record 2.35 million direct searches on Wednesday — a 26 percent increase over the previous week.

    Reply
  36. Tomi Engdahl says:

    Domestic IT is not a guarantee of secure services, believes Cert-Fi manager Erka Koivunen of the security authority.

    “You have to remember that it is a little myth that if a mere importer of domestic security. Remembered even by spy scandal in Finland, i.e. Finnish firms and individuals in the hands of the services. Yes, this thing foundered in the choice of all the action according to the rules,” Koivunen said to Yle.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/yle+kotimaisuus+ei+kerro+itpalvelun+luotettavuudesta/a909224?s=r&wtm=tietoviikko/-14062013&

    Reply
  37. Tomi Engdahl says:

    NSA Surveillance May Have Dealt Major Blow To Global Internet Freedom Efforts
    http://www.forbes.com/sites/tarunwadhwa/2013/06/13/with-nsa-surveillance-us-government-may-have-dealt-major-blow-to-global-internet-freedom-efforts/

    The internet has never been a perfect tool for advancing democracy and human rights.

    Despite the most optimistic techno-utopian projections, the internet has yet to set us free and rid the world of dictators. Critics have been right to warn us of the dangers of a single-minded approach

    As the internet has grown in usage and importance in our daily lives, so too has the difficulty of keeping it “free” from censorship and control. This struggle was important enough to 29-year-old former Booz Allen employee Edward Snowden for him to give up his life, career, and freedom to leak a historic amount of classified information about the shocking size and depth of the American surveillance state. The fallout is just beginning – and as of now, there are far more questions than answers.

    One thing has become clear though: the credibility of the idea that the internet can be a positive, freedom-promoting global force is facing its largest challenge to date. And it comes directly from one of its most outspoken supporters: the US government.

    Simply put, the US government has failed in its role as the “caretaker” of the internet. Although this was never an official designation, America controls much of the infrastructure, and many of the most popular services online are provided by a handful of American companies.

    Reasonable minds can disagree over the necessity of these programs and how to strike the proper balance between security and privacy.

    In the court of global public opinion, America may have tarnished its moral authority to question the surveillance practices of other nations – whether it be Russia on monitoring journalists, or China on conducting cyber espionage.

    The costs of surveillance and data storage technologies are plummeting — these will no longer be prohibitive factors. Diplomatic pressures and legal barriers that had also once served as major deterrents will soon fade away. The goal has been to promote internet freedom around the world, but we may have also potentially created a blueprint for how authoritarian governments can store, track, and mine their citizens’ digital lives.

    Reply
  38. Tomi Engdahl says:

    EU signs off on eCall emergency-phone-in-every-car plan
    GPS and a mobe in every car – do you suppose the NSA would fancy that?
    http://www.theregister.co.uk/2013/06/14/eu_signs_off_on_ecall_plan/

    The European Union’s plan to insist every new car on the road by 2015 includes a mobile device that phones home after a crash is set to become reality, after the European Commission signed off draft legislation to enact the scheme. Assent from the European Parliament and Council of the European Union is now required, but little opposition is expected.

    The idea behind the scheme, known as eCall, is simple: when a car crashes, an on-board device that combines a GPS and mobile communications device will contact Europe’s ‘112′ emergency services number. By automating that call, legislators expect emergency services response will be faster, which will mean lives will be saved.

    The EU says “Taking into account economies of scale, installation of the eCall in-vehicle system is estimated to cost much less than €100 per new car.”

    As we’ve previously noted, the idea is noble but with 250m cars in the EU multiplied by 100 Euros, the bill gets very large over time.

    The upside is an expected 2,500 lives saved over ten years and a likely boost for sim-free devices on mobile networks, which should please those keen on an internet of things and more machine-to-machine communications.

    The spec means eCall units are “… not traceable and when there is no emergency (its normal operational status) it is not subject to any constant tracking.”

    The EU also says “As it is not permanently connected to mobile networks, hackers cannot take control of it.”

    Reply
  39. Tomi says:

    Thousands of American companies disclose sensitive information to U.S. security authorities and receive in exchange, among other things, classified intelligence information. One of the most enthusiastic participants is Intel’s McAfee (which is buying Stonesoft), writes Bloomberg.

    As one example of the program, Microsoft notifies the NSA of Internet Explorer browser security holes before it patches them, so that the agency can choose to break into users’ machines.

    The arrangements between the companies and the authorities are so sensitive that only the highest management knows of them. If necessary, they are granted immunity from prosecution.

    According to Bloomberg, the security company McAfee, owned by processor manufacturer Intel, cooperates on a regular basis with the likes of the NSA, the FBI and the CIA, and is a valued partner because it closely monitors malicious network traffic, including espionage pursued by foreign governments.

    McAfee firewalls, for example, collect information about hackers who attack legitimate servers.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/stonesoftia+ostava+mcafee+aktiivisesti+mukana+nsan+tietojenkeruussa/a909452?s=r&wtm=tietoviikko/-15062013&

    Reply
  40. Tomi says:

    Not just telcos, THOUSANDS of companies share data with US spies
    It’s all perfectly legal, trust us
    http://www.theregister.co.uk/2013/06/14/companies_share_data_with_spies/

    The slides leaked by NSA whistleblower Edward Snowden named nine companies that allegedly share data with US intelligence agencies, but according to a new report, the actual number of firms that collaborate with US spies may be much larger. Try thousands of them.

    Citing anonymous sources, Bloomberg reports that information sharing between private tech companies and US intelligence agencies is virtually routine, even though very few people within the participating companies are likely to know that it’s going on.

    Sometimes that information is used to shore up domestic security, the report states, but other times it’s used to allow intelligence agencies to exploit flaws in software sold to foreign governments.

    Similarly, a spokesman for Intel security subsidiary McAfee said the US government is a key customer of the data it compiles on computer security threats.

    “McAfee’s function is to provide security technology, education, and threat intelligence to governments,” the company said in a statement. “This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity.”

    Reply
  41. Tomi says:

    U.S. Agencies Said to Swap Data With Thousands of Firms
    http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html

    Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.

    These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden

    Many of these same Internet and telecommunications companies voluntarily provide U.S. intelligence organizations with additional data, such as equipment specifications, that don’t involve private communications of their customers, the four people said.

    Reply
  42. Tomi says:

    Critical Java SE update due Tuesday fixes 40 flaws
    And yes, most are remotely exploitable
    http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/

    Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it’s another doozy.

    According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

    Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

    Yes, that’s bad. Oracle ranks the severity of its flaws using the Common Vulnerability Scoring System (CVSS), and the top-ranked bug in this particular update rates a 10.0 – the highest possible score.

    Reply
  43. Tomi says:

    We’re losing the battle with a government seduced by surveillance
    And a hearty ‘Screw you!’ to the cynical cowards
    http://www.theregister.co.uk/2013/06/07/hold_the_death_of_conspiracy_theory_for_conspiracy_science/

    As Scott McNealy – always a man who deliberately gives good quote – famously said in 1999, “You have zero privacy anyway. Get over it.” On Thursday night he tweeted “Wow! I was righter than I ever thought I would be as an American. You have no privacy but this is hard to get over.”

    It really is, but it shouldn’t be. Anyone who has been around the block in the IT security industry knows deep down that the government was probably doing this kind of stuff. For years such discussions have been dismissed as conspiracy theories by some, but it’s terribly galling both to have it confirmed, and then have the politicians supposed to enforce proper oversight line up to defend the practice with such blind loyalty.

    This is not a new problem; the battle between privacy and security is as old as humankind.

    Whatever the rights and wrongs of the PRISM case in which the US National Security Agency is said to be tapping into the servers of major service providers, the message from the executive and the legislature on the NSA slurping all mobile metadata is clear – “Get over it.” If you use a mobile in the US, expect the number, location, handset signifier, and possibly IP address to get fed into the NSA’s Maryland and Utah repositories.

    This is bad practice and bad security, and the US needs to get a handle on just how far its government is willing to go in The War Against Terror (TWAT).

    As the most technologically advanced society of the 20th century, one with a constitution guaranteeing certain privacy rights, and a thriving legal trade, the US was one of the first states to confront government snooping in a public fashion.

    The subject of government intrusion into private communications is a tricky one. Ask any government security employee about spying on American citizens and they’ll deny it vigorously. But it’s not spying if it’s legal.

    Under Section 215 of the act that has been used by the NSA in the Verizon case, it’s open season on mobile data.

    It’s already being reported that the NSA is getting the same data from AT&T, Sprint, and presumably other mainstream mobile carriers. But is such data trawling really essential, or merely convenient for the authorities?

    Now it appears the NSA has caught the Big Data bug.
    First off, it doesn’t work. Human motivations are too complex to identify by computer algorithms.
    Secondly, the intelligence gained from this kind of surveillance is largely reactive rather than proactive.

    The vast amounts of information that modern communications devices can provide about an individual can be used in beneficial ways, but only with smart targeting and non-partisan oversight.

    Simply saying that this NSA spying is about terrorism and that trumps all else is a canard, and one that deserves to be shot down.

    Reply
  44. Tomi says:

    June 13, 2013
    Trading Privacy for Convenience
    http://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html

    Ray Wang makes an important point about trust and our data:

    This is the paradox. The companies contending to win our trust to manage our digital identities all seem to have complementary (or competing) business models that breach that trust by selling our data.

    …and by turning it over to the government.

    The current surveillance state is a result of a government/corporate partnership, and our willingness to give up privacy for convenience.

    If the government demanded that we all carry tracking devices 24/7, we would rebel. Yet we all carry cell phones. If the government demanded that we deposit copies of all of our messages to each other with the police, we’d declare their actions unconstitutional. Yet we all use Gmail and Facebook messaging and SMS. If the government demanded that we give them access to all the photographs we take, and that we identify all of the people in them and tag them with locations, we’d refuse. Yet we do exactly that on Flickr and other sites.

    We’re living in a world of feudal security.

    Reply
  45. Tomi says:

    US FDA calls on medical device makers to focus on cybersecurity
    http://www.networkworld.com/news/2013/061313-us-fda-calls-on-medical-270819.html

    The agency’s new recommendations follow reports of vulnerabilities in some medical devices, the FDA says.

    Medical device makers should take new steps to protect their products from malware and cyberattacks or face the possibility that the U.S. Food and Drug Administration won’t approve their devices for use, the FDA said.

    The FDA issued new cybersecurity recommendations for medical devices on Thursday, following reports that some devices have been compromised.

    Recent vulnerabilities involving Philips fetal monitors and in Oracle software used in body fluid analysis machines are among the incidents that prompted the FDA to issue the recommendations, a spokeswoman for the agency said.

    “Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches,” the FDA said in its recommendations. “As medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”

    The FDA has seen medical devices infected or disabled by malware, and the presence of malware on hospital computers, smartphones and tablets, the agency said.

    The agency has also found health care providers with “uncontrolled distribution of passwords”.

    Reply
  46. Tomi says:

    Quality papers correct their scoops: NSA does not have a direct link to the network services’ data

    On Thursday night The Washington Post and British newspaper The Guardian simultaneously revealed evidence of a top secret National Security Agency program called PRISM which supplies the federal intelligence agency “direct access” to major Silicon Valley corporations such as Google, Apple, Yahoo, Microsoft, and Skype. The Post and Guardian broke the story after publishing sections of a classified NSA PowerPoint presentation document.

    The Guardian and The Washington Times, which revealed the NSA spying scandal, have corrected their claims. Initially, the newspapers reported that the U.S. Internal Security Agency had direct access to Facebook, Microsoft and Google’s servers.

    By Friday afternoon many companies had time to issue official comments, all denying knowledge and participation.

    Once PRISM became public knowledge outrage and vitriol sprung forth on Twitter, national news outlets jumped into action and picked up the story, and the Director of National Intelligence James Clapper delivered a heavily worded response. On Friday morning the Beltway ground into momentum finally resulting in a televised statement by President Barack Obama while he was paying visit to California.

    Only three groups–the federal government, the reporters at The Washington Post and The Guardian, and the leaker–know what the slides say (in so far as only 4 of 41 slides have been released) and how deep a connection the program has to Silicon Valley.

    The Washington Post corrected the false information faster than the British paper. Both original stories were modified several times, as were the follow-up stories, which in the end correctly reported that the network giants provide information to the agency rather than giving the NSA direct access to the servers.

    Other media and online conversations have criticized both papers for haste. Information on the spy system was based on leaked documents, including the slide set in which the PRISM system was introduced. Portions of the slides refer to “direct access to the servers,” which leaves the nature of the system more open to interpretation than one might think at first glance.

    Sources:

    Quality papers correct their scoops: NSA has no direct access to the data of network services
    http://www.tietoviikko.fi/kaikki_uutiset/laatulehdet+korjaavat+skuuppejaan+nsalla+ei+ole+suoraa+yhteytta+verkkopalvelujen+tietoihin/a909447?s=r&wtm=tietoviikko/-15062013&

    Fulsome Prism Blues: The Guardian Offers 2nd-Worst Clarification Ever On NSA Story
    http://www.mediaite.com/online/fulsome-prism-blues-the-guardian-offers-2nd-worst-clarification-ever-on-nsa-story/

    Washington Post Updates, Hedges On Initial PRISM Report
    http://www.forbes.com/sites/jonathanhall/2013/06/07/washington-post-updates-hedges-on-initial-prism-report/

    Reply
  47. Tomi says:

    Secret to Prism program: Even bigger data seizure
    http://bigstory.ap.org/article/secret-prism-success-even-bigger-data-seizure

    In the months and early years after 9/11, FBI agents began showing up at Microsoft Corp. more frequently than before, armed with court orders demanding information on customers.

    The agents wanted email archives, account information, practically everything, and quickly. Engineers compiled the data, sometimes by hand, and delivered it to the government.

    Often there was no easy way to tell if the information belonged to foreigners or Americans. So much data was changing hands that one former Microsoft employee recalls that the engineers were anxious about whether the company should cooperate.

    Inside Microsoft, some called it “Hoovering” — not after the vacuum cleaner, but after J. Edgar Hoover, the first FBI director, who gathered dirt on countless Americans.

    The revelation of Prism this month by the Washington Post and Guardian newspapers has touched off the latest round in a decade-long debate over what limits to impose on government eavesdropping, which the Obama administration says is essential to keep the nation safe.

    Whether by clever choice or coincidence, Prism appears to do what its name suggests.

    The fact that it is productive is not surprising; documents show it is one of the major sources for what ends up in the president’s daily briefing. Prism makes sense of the cacophony of the Internet’s raw feed. It provides the government with names, addresses, conversation histories and entire archives of email inboxes.

    Deep in the oceans, hundreds of cables carry much of the world’s phone and Internet traffic. Since at least the early 1970s, the NSA has been tapping foreign cables. It doesn’t need permission. That’s its job.

    But Internet data doesn’t care about borders. Send an email from Pakistan to Afghanistan and it might pass through a mail server in the United States, the same computer that handles messages to and from Americans. The NSA is prohibited from spying on Americans or anyone inside the United States. That’s the FBI’s job and it requires a warrant.

    Tapping into those cables allows the NSA access to monitor emails, telephone calls, video chats, websites, bank transactions and more.

    “You have to assume everything is being collected,” said Bruce Schneier.

    The New York Times disclosed the existence of this effort in 2005.

    Unlike the recent debate over Prism, however, there were no visual aids, no easy-to-follow charts explaining

    The Bush administration shut down its warrantless wiretapping program in 2007 but endorsed a new law, the Protect America Act, which allowed the wiretapping to continue with changes: The NSA generally would have to explain its techniques and targets to a secret court in Washington, but individual warrants would not be required.

    Protect America Act gave birth to a top-secret NSA program, officially called US-98XN.

    It was known as Prism. Though many details are still unknown, it worked like this:

    Every year, the attorney general and the director of national intelligence spell out in a classified document how the government plans to gather intelligence on foreigners overseas.

    By law, the certification can be broad. The government isn’t required to identify specific targets or places.

    A federal judge, in a secret order, approves the plan.

    With that, the government can issue “directives” to Internet companies to turn over information.

    With Prism, the government gets a user’s entire email inbox. Every email, including contacts with American citizens, becomes government property.

    “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience,” the president said.

    Obama’s administration, echoing his predecessor’s, credited the surveillance with disrupting several terrorist attacks.

    Reply
  48. Tomi says:

    Facebook, Microsoft release NSA stats to reassure users
    http://news.cnet.com/8301-13578_3-57589461-38/facebook-microsoft-release-nsa-stats-to-reassure-users/

    In an effort to reassure users, Facebook discloses it has received legal orders to turn over details on about one-thousandth of one percent of user accounts. So does Microsoft, and Google plans to do the same.

    Facebook and Microsoft on Friday became the first Internet companies to disclose the total number of legal orders they receive for user data, including ones from the National Security Agency and from state, local, and federal police performing criminal investigations.

    The total for Facebook: About 18,000 accounts over a six month period, or one-thousandth of one percent of user accounts.

    Microsoft’s total was about 31,000 accounts over the same six month period ending December 31, 2012. A Google representative told CNET this evening that the search company is working on disclosing the same type of statistics.

    Ted Ullyot, Facebook’s general counsel, disclosed the figures Friday in an effort to lay to rest privacy concerns after a pair of articles last week incorrectly reported that a “program” called PRISM provided the NSA with “direct access” to Internet companies’ servers.

    Reply
  49. Tomi says:

    Source: Obama Considering Releasing NSA Court Order
    http://www.npr.org/blogs/thetwo-way/2013/06/14/191822828/source-obama-considering-releasing-nsa-court-order

    NPR has learned that the Obama administration, under pressure to lift a cloak of secrecy, is considering whether to declassify a court order that gives the National Security Agency the power to gather phone call record information on millions of Americans.

    The document, known as a “primary order,” complements a shorter Foreign Intelligence Surveillance court document leaked to The Guardian newspaper. That document revealed the U.S. government had been asking Verizon Business Network Services Inc. to turn over, on a daily basis, phone call records for its subscribers, for 90 days.

    Reply
  50. Tomi says:

    A Call to Arms for Banks
    Regulators Intensify Push for Firms to Better Protect Against Cyberattacks
    http://online.wsj.com/article_email/SB10001424127887324049504578545701557015878-lMyQjAxMTAzMDEwNDExNDQyWj.html

    U.S. regulators are stepping up calls for banks to better arm themselves against the growing online threat hackers and criminal organizations pose to individual institutions and the financial system as a whole.

    The push comes as government officials grow increasingly concerned about the ability of a cyber attack to cause significant disruptions to the financial system. Banks such as J.P. Morgan Chase & Co., Bank of America Corp. and Capital One Financial Corp. have been targeted by cyber assaults in recent years, including potent “denial-of-service” strikes that took down some bank websites off-and-on for days, frustrating customers. Banks have spent millions of dollars responding to or protecting against such attacks.

    A banking industry official said the onus can’t just be on banks to combat cyber attacks. “It needs to be collaborative; the industry can’t take on foreign countries alone,” the official said.

    The U.S. has increasingly adopted a hard line toward firms whose systems are violated, holding companies more accountable for protecting themselves.

    Regulators and the banking industry are coordinating efforts to respond to the growing threat, including a major cyber “war game” exercise slated for later this month.

    Officials from the Treasury Department and other financial regulators have been conducting regular classified and non-classified briefings with bank officers about the increased likelihood banks of all sizes could come under attack.

    The Financial Stability Oversight Council, which Mr. Lew leads, cited cyber security as one of its key “emerging threats” this year.

    While no specific incident is behind the focus on cyber security, regulators are concerned that the number of cyber attacks spawned by increasingly sophisticated hackers, criminal organizations, hacktivist groups and nation-states is going to rise. The OCC said in its presentation to bankers that cyber attacks overall, including on banks, increased 42% in 2012, ranging from malicious software or phishing attacks, to well-publicized denial-of-service attacks.

    Reply