Year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also extends to mobile.
Security is becoming an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face unknown threats.
Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012. They are also warning people to expect more of this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and test their devices more now. But how are some of the smaller manufacturers doing their security testing? Metasploit has a special category of modules for SCADA devices. It is a good idea to test your devices against it.
There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.
Nowadays you need to think about SCADA system security more than some years ago. Previously it was thought that it is sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet: accidental connections to the Internet from isolated networks happen, and malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.
Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine that indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.
The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that their emergence would bring an associated increase in cyber threats. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to target browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and quickly included in exploit kits.
The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected; combined with lax law enforcement, this is a perfect petri dish for increased cybercrime.
A Europe-wide cyber police has started: the EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.
1,930 Comments
Tomi says:
Online there are no safe countries – only one way to protect yourself
Unencrypted files and messages are at risk in Europe too, not only in U.S. services. The only way to protect yourself from surveillance is encryption of messages.
All kinds of internet traffic are listened to all over the world, so trade secrets or proprietary information should not be sent without encryption, say the security experts interviewed by 3T.
Messages going outside your organization must be encrypted if there is anything worthy of protection, advises Erka Koivunen, Deputy Director of the Security Service at the Communications Regulatory Authority.
“In a risk assessment it should be assumed that signals intelligence is widespread in the world. It is carried out by criminals and by the authorities.”
The discussion about government surveillance of online services is focused too much on the United States, says Jarno Limnéll, Doctor of Military Science.
“You can be sure that at least the biggest countries do the same as the United States, and this mode of operation is increasing,” says Limnéll, who works as cyber security director at security company Stonesoft.
Finns encrypt email very rarely, experts say.
For e-mail protection, the PGP encryption method goes a long way.
“If you put your trade secrets or information about private matters in the cloud, it is advisable to encrypt it end to end.”
“The only sure way to prevent the information from reaching the U.S. security authorities is to avoid service providers with U.S. servers,” says Jyrki Hollmén of EK’s corporate security office.
Hollmén believes the Finnish operators’ services are safer and more secure.
“Each company has to decide how to deal with the matter.”
Security checklist:
1 Draw the line on where and how to store the information.
2 Encrypt files and messages when the matter requires privacy.
3 Avoid foolish basic mistakes. Do not pick up an unknown USB stick from the street.
4 Security requires constant updating.
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/verkossa_ei_ole_turvallisia_maita_vain_yksi_tapa_suojaa_urkinnalta
Tomi Engdahl says:
Hongkongers don’t want Snowden handed over to the US, according to poll
http://www.scmp.com/news/hong-kong/article/1261483/one-2-hongkongers-say-snowden-should-not-be-surrendered-us
Exclusive survey reveals that half of Hong Kong people believe the government should reject any formal US request to return whistle-blower
Half of Hong Kong people believe that cyberspying whistle-blower Edward Snowden should not be handed over if Washington makes a formal request for his return, according to an exclusive opinion poll commissioned by the Sunday Morning Post.
Snowden also said the US was “trying to bully” Hong Kong over his possible surrender, but last night a government source said: “Under no circumstances can the US bully Hong Kong in any way.”
The telephone poll, conducted in Chinese on Thursday and Friday, found that 33 per cent of people regarded Snowden as a hero; 12.8 per cent described him as a traitor; and 23 per cent felt “something in between”. The rest said they could not comment.
Tomi says:
AutoRun. Reloaded
https://www.securelist.com/en/blog/8107/AutoRun_Reloaded
Recent months have produced little of interest among worms written in Java and script languages
However, a couple of malware samples grabbed our attention; their complexity is testimony to the fact that professionals sometimes get involved as well.
Kaspersky Lab’s products detect these special worms as Worm.JS.AutoRun and Worm.Java.AutoRun.
These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread.
For months, the number of AutoRun worms detected on Kaspersky Lab users’ computers remained essentially unchanged. According to Kaspersky Security Network data, half of all script worms spread themselves this way. As for Java worms, this is not their usual method of propagation.
Worm.Java.AutoRun
There are not many Java-based resident malware programs for PC, and worms are especially rare.
According to Kaspersky Security Network, the worm is most widely distributed in India and Malaysia.
Worm.JS.AutoRun
The distribution model of this worm not only uses the above method with autorun.inf, but also FTP-servers, file share sites, shared folders and CD/DVDs burned on the infected computers.
Like the Java worm, this malware is most widespread in Southeast Asia, though this variant is more active in Vietnam and Indonesia.
According to Kaspersky Security Network data, Windows XP is widely used in those countries with large numbers of malware detections. More recent Microsoft versions ask users to confirm autorun execution, which decreases the chances of getting infected.
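The propagation mechanism described in the Kaspersky excerpt above (a copy of the worm plus an autorun.inf in the root of removable or network volumes) leaves a file a defender can look for. The script below is an added example, not Kaspersky Lab code and not tied to the two worm families named above: it parses an autorun.inf the lenient way Windows does (junk lines, NUL padding and mixed-case section names are ignored rather than fatal) and flags entries that would launch an executable or script host. The sample files, the key names treated as dangerous and the `RISKY_EXT`/`SCRIPT_HOSTS` lists are constructed for the example and should be tuned to your own environment.

```python
"""Parse and triage autorun.inf files found in the root of mounted volumes.

Added example, not Kaspersky Lab code. AutoRun worms drop a copy of themselves
plus an autorun.inf into the root of removable drives and network shares; on
older Windows versions that file decides what is launched when the volume is
opened. The parser is deliberately lenient (junk lines, NUL padding, mixed-case
section names) because worm authors rely on naive tools choking on such files
while Windows itself does not.
"""
import os
import re
from typing import Dict, List, Tuple

# Keys that make Windows run something when the volume is opened/double-clicked.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=...
# Extensions and interpreters a legitimate vendor launcher rarely hides behind an
# "Open folder to view files" label. Hypothetical lists; tune for your estate.
RISKY_EXT = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf",
             ".scr", ".pif", ".jar", ".dll", ".hta")
SCRIPT_HOSTS = ("wscript", "cscript", "rundll32", "regsvr32", "mshta",
                "java", "cmd", "powershell")


def parse_autorun(data: bytes) -> Dict[str, str]:
    """Return key -> value pairs of the [autorun] section (keys lower-cased).

    Mimics the Windows INI reader: lines that are not `key=value` are ignored,
    section/key names are case-insensitive, and the last duplicate key wins.
    """
    text = data.decode("latin-1")  # never fails; keeps odd bytes visible
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00").strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            in_section = m.group(1).strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, value) pairs whose target is an executable or script host."""
    findings = []
    for key, value in entries.items():
        if key not in EXEC_KEYS and not SHELL_CMD_RE.match(key):
            continue
        target = value.split()[0].strip('"').lower() if value.strip() else ""
        base = os.path.basename(target.replace("\\", "/"))
        stem = base.rsplit(".", 1)[0] if "." in base else base
        if base.endswith(RISKY_EXT) or stem in SCRIPT_HOSTS:
            findings.append((key, value))
    return findings


def scan_volume_root(root: str) -> List[Tuple[str, str]]:
    """Scan <root>/autorun.inf if present; an empty list means nothing flagged."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        return suspicious_entries(parse_autorun(fh.read()))


# Constructed samples: a worm-style file with junk padding, and a benign one.
WORM_STYLE = (
    b"\x01\x02\xff junk that naive parsers choke on\r\n"
    b"[AuToRuN]\r\n"
    b"open=wscript.exe //e:jscript RECYCLER\\update.js\r\n"
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    b"action=Open folder to view files\r\n"
    b"shell\\open\\command=wscript.exe //e:jscript RECYCLER\\update.js\r\n"
    b"[other]\r\nopen=readme.txt\r\n"
)
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Vendor Drive\r\n"

if __name__ == "__main__":
    for name, blob in (("worm-style", WORM_STYLE), ("benign", BENIGN)):
        print(name, suspicious_entries(parse_autorun(blob)))
```

Run it against every mounted volume root (or against a share's root before it is mapped) and treat any finding as a reason to quarantine the volume and look for the referenced file; an autorun.inf that only sets `icon` and `label`, as the benign sample does, is normal for vendor media. On Windows versions that still honour AutoRun, the scan is complementary to the confirmation prompt mentioned above, not a replacement for disabling AutoRun by policy.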
Tomi says:
Snowden NSA Claims Partially Confirmed:
NSA admits listening to U.S. phone calls without warrants
http://news.cnet.com/8301-13578_3-57589495-38/nsa-admits-listening-to-u.s-phone-calls-without-warrants/
National Security Agency discloses in secret Capitol Hill briefing that thousands of analysts can listen to domestic phone calls. That authorization appears to extend to e-mail and text messages too.
NSA Director Keith Alexander says his agency’s analysts, which until recently included Edward Snowden among their ranks, take protecting “civil liberties and privacy and the security of this nation to their heart every day.”
The National Security Agency has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.
Rep. Jerrold Nadler, a New York Democrat, disclosed this week that during a secret briefing to members of Congress, he was told that the contents of a phone call could be accessed “simply based on an analyst deciding that.”
If the NSA wants “to listen to the phone,” an analyst’s decision is sufficient, without any other legal authorization required, Nadler said he learned. “I was rather startled,” said Nadler, an attorney and congressman who serves on the House Judiciary committee.
Not only does this disclosure shed more light on how the NSA’s formidable eavesdropping apparatus works domestically, it also suggests the Justice Department has secretly interpreted federal surveillance law to permit thousands of low-ranking analysts to eavesdrop on phone calls.
The disclosure appears to confirm some of the allegations made by Edward Snowden, a former NSA infrastructure analyst who leaked classified documents to the Guardian. Snowden said in a video interview that, while not all NSA analysts had this ability, he could from Hawaii “wiretap anyone from you or your accountant to a federal judge to even the president.”
There are serious “constitutional problems” with this approach, said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated warrantless wiretapping cases. “It epitomizes the problem of secret laws.”
Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls — in case an analyst needed to access the recordings in the future.
Brewster Kahle, a computer engineer who founded the Internet Archive, has vast experience storing large amounts of data. He created a spreadsheet this week estimating that the cost to store all domestic phone calls a year in cloud storage for data-mining purposes would be about $27 million per year, not counting the cost of extra security for a top-secret program and security clearances for the people involved.
NSA’s annual budget is classified but is estimated to be around $10 billion.
Documents that came to light in an EFF lawsuit provide some insight into how the spy agency vacuums up data from telecommunications companies.
Tomi says:
This is the information iPhone, Lumia and Android phones transmit to the United States
Calls, text messages, location information – lots of things that U.S. intelligence agencies can apparently access. Finnish smartphone data is also likely to be obtainable if desired.
The U.S. intelligence agency NSA can get its hands on the data of the most popular smartphones. About a week ago it was revealed that, among others, Microsoft, Google and Apple have given the NSA information about the users of their services.
The leak shows that the NSA has a firm grip on smartphones, as Apple, Google and Microsoft share the majority of the smartphone market.
What information can be obtained from a mobile phone?
1 Who calls you, and when
Google can store data on calls made from Android phones.
2 Address and credit card number
If you register with Apple’s, Google’s or Microsoft’s application store, you must give your name and address, phone number, other contact details and credit card number.
3 Your contact information
The companies also offer cloud services, which can back up your phone contents.
4 Your text messages
Google can save at least the SMS routing information of Android users. Windows Phone 8 users can activate automatic backup,
Apple in turn seeks to replace text messages with its own iMessage service.
US-based servers.
5 Where you are and where you move
Google, Apple and Microsoft alike store the user’s location from map or other services, for example.
6 Your photos
Photos may also include location information, so the data on where they were taken can be transmitted with them.
7 Web browsing and searches
The companies also record the websites you visit with your phone’s browser. Google also saves your searches. So does Microsoft’s Bing search service.
8 Your speech, your nicknames and family tree
What is said to the Apple iPhone’s Siri voice assistant service is sent to Apple. At the same time Siri can store users’ interests and nicknames, address book contacts and the relationships between persons.
Also Windows Phone’s voice recognition
9 Your phone’s model and unique identifier
10 Almost everything else
If the iPhone user accepts the collection of diagnostics and user data
Source: http://www.digitoday.fi/tietoturva/2013/06/15/nama-tiedot-iphone–lumia–ja-android-puhelimet-valittavat-yhdysvaltoihin/20138379/66?rss=6
Tomi Engdahl says:
Source: Obama Considering Releasing NSA Court Order
http://www.npr.org/blogs/thetwo-way/2013/06/14/191822828/source-obama-considering-releasing-nsa-court-order
NPR has learned that the Obama administration, under pressure to lift a cloak of secrecy, is considering whether to declassify a court order that gives the National Security Agency the power to gather phone call record information on millions of Americans.
The document, known as a “primary order,” complements a shorter Foreign Intelligence Surveillance court document leaked to The Guardian newspaper .
Tomi Engdahl says:
3 NSA veterans speak out on whistle-blower: We told you so
http://www.usatoday.com/story/news/politics/2013/06/16/snowden-whistleblower-nsa-officials-roundtable/2428809/
In a roundtable discussion, a trio of former National Security Agency whistle-blowers tell USA TODAY that Edward Snowden succeeded where they failed.
When a National Security Agency contractor revealed top-secret details this month on the government’s collection of Americans’ phone and Internet records, one select group of intelligence veterans breathed a sigh of relief.
Thomas Drake, William Binney and J. Kirk Wiebe belong to a select fraternity: the NSA officials who paved the way.
For years, the three whistle-blowers had told anyone who would listen that the NSA collects huge swaths of communications data from U.S. citizens. They had spent decades in the top ranks of the agency, designing and managing the very data-collection systems
To the intelligence community, the trio are villains who compromised what the government classifies as some of its most secret, crucial and successful initiatives. They have been investigated as criminals and forced to give up careers, reputations and friendships built over a lifetime.
Today, they feel vindicated.
They say the documents leaked by Edward Snowden, the 29-year-old former NSA contractor who worked as a systems administrator, proves their claims of sweeping government surveillance of millions of Americans not suspected of any wrongdoing. They say those revelations only hint at the programs’ reach.
Tomi Engdahl says:
GCHQ intercepted foreign politicians’ communications at G20 summits
http://www.guardian.co.uk/uk/2013/jun/16/gchq-intercepted-communications-g20-summits
Exclusive: phones were monitored and fake internet cafes set up to gather information from allies in London in 2009
Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic.
The revelation comes as Britain prepares to host another summit on Monday – for the G8 nations
The disclosure raises new questions about the boundaries of surveillance by GCHQ and its American sister organisation, the National Security Agency
There have often been rumours of this kind of espionage at international conferences, but it is highly unusual for hard evidence to confirm it and spell out the detail. The evidence is contained in documents – classified as top secret – which were uncovered by the NSA whistleblower Edward Snowden and seen by the Guardian.
Tomi Engdahl says:
How Canada’s shadowy metadata-gathering program went awry
http://www.theglobeandmail.com/news/national/how-canadas-shadowy-metadata-gathering-program-went-awry/article12580225/?page=all
A week ago, most Canadians were unlikely to have heard of Communications Security Establishment Canada (CSEC) and its program gathering “metadata” on untold numbers of global phone calls and online messages. But on Monday, The Globe and Mail reported that the agency’s operations, meant to collect foreign intelligence, also at least “incidentally” intercept the communications of Canadians. Many people were left to wonder: Is Ottawa invading our privacy?
“Some of CSEC’s metadata activities raise issues that make us question whether CSEC is always in compliance with the limits,”
The government seems to have acted pre-emptively ahead of the report: Other records show that some surveillance activities by CSEC (“see-seck”) were put on hiatus from April, 2007, until October, 2008, when they were resumed with new rules under Defence Minister Peter MacKay.
But the suspension showed that this shadowy program had gone awry
This week’s revelations have made it clearer to the public that Canada, like other governments, is voraciously scouring the globe for telecommunications data trails – phone logs, Internet protocols and other “routing” information.
The idea is that this “metadata” will help them map out social networks that could point to security threats.
“Metadata is the envelope information,” surveillance czar John Adams would tell his counterparts during briefings, sources say. Sometimes, the major-general-turned-mandarin would even wave a paper envelope to make his point that the metadata program is far from the digital equivalent of steaming open letters. Citizens’ communications contents were, are and would forever be sacrosanct inside the envelope, and off-limits. CSEC merely wanted a better glimpse at the address, return address and other routing information.
Tomi Engdahl says:
A Call to Arms for Banks
Regulators Intensify Push for Firms to Better Protect Against Cyberattacks
http://online.wsj.com/article_email/SB10001424127887324049504578545701557015878-lMyQjAxMTAzMDEwNDExNDQyWj.html
U.S. regulators are stepping up calls for banks to better-arm themselves against the growing online threat hackers and criminal organizations pose to individual institutions and the financial system as a whole.
Tomi Engdahl says:
U.S. Government Denies Reports That NSA Listens To Domestic Calls Without Legal Authorization
http://techcrunch.com/2013/06/16/u-s-government-denies-reports-that-nsa-analysts-can-listen-to-domestic-calls-without-legal-authorization/
Tomi Engdahl says:
Officials: NSA programs broke plots in 20 nations
http://bigstory.ap.org/article/officials-nsa-programs-broke-plots-20-nations
WASHINGTON (AP) — Top U.S. intelligence officials said Saturday that information gleaned from two controversial data-collection programs run by the National Security Agency thwarted potential terrorist plots in the U.S. and more than 20 other countries — and that gathered data is destroyed every five years.
Last year, fewer than 300 phone numbers were checked against the database of millions of U.S. phone records gathered daily by the NSA in one of the programs, the intelligence officials said in arguing that the programs are far less sweeping than their detractors allege.
No other new details about the plots or the countries involved were part of the newly declassified information released to Congress on Saturday and made public by the Senate Intelligence Committee.
Tomi Engdahl says:
After Profits, Defense Contractor Faces the Pitfalls of Cybersecurity
http://www.nytimes.com/2013/06/16/us/after-profits-defense-contractor-faces-the-pitfalls-of-cybersecurity.html?pagewanted=all&_r=0
When the United Arab Emirates wanted to create its own version of the National Security Agency, it turned to Booz Allen Hamilton to replicate the world’s largest and most powerful spy agency in the sands of Abu Dhabi.
It was a natural choice: The chief architect of Booz Allen’s cyberstrategy is Mike McConnell, who once led the N.S.A. and pushed the United States into a new era of big data espionage.
“They are teaching everything,” one Arab official familiar with the effort said. “Data mining, Web surveillance, all sorts of digital intelligence collection.”
Yet as Booz Allen profits handsomely from its worldwide expansion, Mr. McConnell and other executives of the government contractor — which sells itself as the gold standard in protecting classified computer systems and boasts that half its 25,000 employees have Top Secret clearances — have a lot of questions to answer.
Among the questions: Why did Booz Allen assign a 29-year-old with scant experience to a sensitive N.S.A. site in Hawaii, where he was left loosely supervised as he downloaded highly classified documents about the government’s monitoring of Internet and telephone communications, apparently loading them onto a portable memory stick barred by the agency?
The results could be disastrous for a company that until a week ago had one of the best business plans in Washington, with more than half its $5.8 billion in annual revenue coming from the military and the intelligence agencies. Last week, the chairwoman of the Senate Intelligence Committee, Dianne Feinstein, whom Mr. McConnell regularly briefed when he was in government, suggested for the first time that companies like Booz Allen should lose their broad access to the most sensitive intelligence secrets.
“We will certainly have legislation which will limit or prevent contractors from handling highly classified and technical data,” said Ms. Feinstein, a California Democrat. Senior White House officials said they agreed.
Yet cutting contractors out of classified work is a lot harder in practice than in theory. Booz Allen is one of many companies that make up the digital spine of the intelligence world, designing the software and hardware systems on which the N.S.A. and other military and intelligence agencies depend.
Booz Allen is saying little about Mr. Snowden’s actions or the questions they have raised about its practices.
“This has to hurt Mike’s relationship with the N.S.A.,” said a business associate of Mr. McConnell’s who requested anonymity. “He helped set up those contracts and is heavily engaged there.”
In Washington he is often Booz Allen’s public face, because of his ties to the intelligence agencies and his extensive and loyal network of federal intelligence officials who once worked with him.
The company’s profits are up almost eightfold since it went public in late 2010. Its majority shareholder is the Carlyle Group, which matches private equity with a lot of Washington power, and its executives, chief among them Mr. McConnell, drum up business by warning clients about the potential effects of cyberweapons.
“The digital capabilities are a little bit like W.M.D.’s,” Mr. McConnell said in the interview last year.
terror groups have been slow to master the technology. “The people that would do us harm aren’t yet in possession of them,”
Only last month, the Navy awarded Booz Allen, among others, the first contracts in a billion-dollar project to help with “a new generation of intelligence, surveillance and combat operations.”
Tomi Engdahl says:
U.S. surveillance architecture includes collection of revealing Internet, phone metadata
http://www.washingtonpost.com/investigations/us-surveillance-architecture-includes-collection-of-revealing-internet-phone-metadata/2013/06/15/e9bf004a-d511-11e2-b05f-3ea3f0e7bb5a_story.html
The U.S. government is accessing top Internet companies’ servers to track foreign targets. Reporter Barton Gellman talks about the source who revealed this top-secret information and how he believes his whistleblowing was worth whatever consequences are ahead.
Tomi Engdahl says:
Secret to Prism program: Even bigger data seizure
http://bigstory.ap.org/article/secret-prism-success-even-bigger-data-seizure
Tomi Engdahl says:
REVEALED: The gizmo leaker Snowden used to smuggle out NSA files
You probably have one in your pocket
http://www.theregister.co.uk/2013/06/14/nsa_whistleblower_used_usb_thumb_drive/
Whistleblower Edward Snowden apparently used a USB thumb-drive to smuggle out hundreds of top-secret documents before he blew the lid off the NSA’s web-spying project PRISM. This is despite the Pentagon’s clampdown on the gadgets.
Unnamed officials told the Los Angeles Times that they were well on the way to figuring out which sensitive files the ex-CIA technician obtained, and which servers he swiped them from. Snowden left Hawaii, where he was working for a defence contractor, with four laptops that “enabled him to gain access to some of the US government’s most highly-classified secrets”, The Guardian added.
Only a small proportion of this confidential information has made its way into the public domain
Computer usage at the National Security Agency is tightly controlled. But Snowden was a systems administrator employed by contractor Booz Allen Hamilton to maintain the spooks’ network, and thus had sufficient privileges to use flash drives as part of his job.
The chairman of the US House of Representative’s select intelligence committee Mike Rogers (R-Michigan) said Snowden “attempted to go places that he was not authorised to go” on the NSA’s network and that a damage assessment was underway to determine whether any other data was lifted, The New York Times reported.
The Pentagon banned thumb drives in 2008. The ban was later rescinded
However, the rules were once again tightened in December 2010 after American army intelligence analyst Bradley Manning used removable media to smuggle out confidential diplomatic and military reports
Restrictions were placed on portable storage technology across all the arms of the US military and intelligence community
But such blanket bans have been hard to maintain in practice. The NSA uses auditing software that records every keystroke and other computer activities, but Snowden evidently found a way around these watchdogs.
Staff wandering off with critical data is not just a problem for US military chiefs and spymasters: just a few months ago another sysadmin, this time working for a Swiss intelligence service, was implicated in a similar though far less high-profile database breach.
“There is an important lesson to be learnt here on the vast power entrusted to employees and the potential damage that can ensue if these internal privileges are misused. Regardless of whether or not you agree with Snowden’s actions and his political motivations, organisations should not lose sight of the fundamental truth that he was exposed to this highly sensitive information via the internal privileged credentials that he was privy to.”
“There’s almost an unfortunate sense of déjà vu here as well”
“Systems administrators in particular, although low level, typically have the highest access to systems and data, given they manage those systems. Without implementing adequate role-based access controls based on least-privileged access, companies and organisations are granting god-like access to their systems administrators.”
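The Register excerpt above makes two points a detection engineer can act on: activity auditing only helps if someone correlates the records, and administrators with legitimate removable-media rights are exactly the accounts whose bulk copies deserve scrutiny. The script below is an added example, not from the article or any vendor product. It runs three rules over audit lines: any write to removable media by an account not on the allow-list, any copy from a protected share to removable media, and a privileged account exceeding a byte or file-count budget to removable media within a sliding window. The log format, account names, share path and thresholds are all constructed for the example; map your real source (Windows object-access auditing, an EDR feed) onto the `Event` tuple and the rules apply unchanged.

```python
"""Flag unauthorized, sensitive or bulk file copies to removable media.

Added example, not from The Register article or any vendor product. The log
format below is constructed for this example (one event per line, key=value
fields); the policy values are hypothetical and would normally come from your
IAM allow-list and DLP configuration.
"""
from collections import deque
from datetime import datetime, timedelta
import re
from typing import Deque, Dict, List, NamedTuple, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+) media=(?P<media>\w+)$"
)


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    src: str
    dst: str
    nbytes: int
    media: str  # removable | fixed | network (constructed vocabulary)


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line; None for lines that do not match (skip, never crash)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["action"],
                 m["src"], m["dst"], int(m["bytes"]), m["media"])


# Hypothetical policy values.
PRIVILEGED = {"sysadmin1", "sysadmin2"}            # accounts allowed to use flash drives
SENSITIVE_PREFIXES = ("\\\\share\\classified\\",)  # UNC prefix of a protected share
WINDOW = timedelta(minutes=10)
MAX_BYTES = 50_000_000                              # 50 MB to removable media per window
MAX_FILES = 20


def detect(lines: List[str]) -> List[dict]:
    """Apply three rules over the time-sorted event stream.

    unauthorized-removable: a non-allow-listed account writes to removable media.
    sensitive-to-removable: any copy from a protected share to removable media.
    bulk-to-removable: a privileged account exceeds MAX_BYTES or MAX_FILES to
    removable media inside a sliding WINDOW (one alert per account).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    alerts: List[dict] = []
    per_user: Dict[str, Deque[Event]] = {}
    bulk_alerted = set()
    sensitive = tuple(p.lower() for p in SENSITIVE_PREFIXES)
    for e in events:
        if e.action != "copy" or e.media != "removable":
            continue
        if e.src.lower().startswith(sensitive):
            alerts.append({"rule": "sensitive-to-removable", "user": e.user,
                           "ts": e.ts.isoformat(), "path": e.src})
        if e.user not in PRIVILEGED:
            alerts.append({"rule": "unauthorized-removable", "user": e.user,
                           "ts": e.ts.isoformat(), "path": e.dst})
            continue
        q = per_user.setdefault(e.user, deque())
        q.append(e)
        while q and e.ts - q[0].ts > WINDOW:   # drop events outside the window
            q.popleft()
        total = sum(x.nbytes for x in q)
        if (total >= MAX_BYTES or len(q) >= MAX_FILES) and e.user not in bulk_alerted:
            bulk_alerted.add(e.user)
            alerts.append({"rule": "bulk-to-removable", "user": e.user,
                           "ts": q[0].ts.isoformat(), "files": len(q), "bytes": total})
    return alerts


# Constructed audit lines (not real events), including one malformed line.
SAMPLE_LOG = r"""
2013-06-10T09:01:05 user=sysadmin1 action=copy src=\\share\classified\report1.pdf dst=E:\report1.pdf bytes=20000000 media=removable
2013-06-10T09:01:40 user=sysadmin1 action=copy src=\\share\classified\report2.pdf dst=E:\report2.pdf bytes=20000000 media=removable
2013-06-10T09:02:10 user=analyst2 action=copy src=C:\Users\analyst2\notes.txt dst=E:\notes.txt bytes=1000 media=removable
2013-06-10T09:02:55 user=sysadmin1 action=copy src=\\share\classified\report3.pdf dst=E:\report3.pdf bytes=20000000 media=removable
2013-06-10T09:03:20 user=sysadmin2 action=copy src=D:\backups\image.vhd dst=F:\image.vhd bytes=500000000 media=fixed
2013-06-10T09:04:00 user=sysadmin1 action=read src=\\share\classified\report4.pdf dst=- bytes=0 media=network
this line is malformed and must be skipped rather than crash the detector
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The bulk rule deliberately fires once per account per incident rather than on every subsequent copy, so a response queue is not flooded; the sensitive-share rule fires per file because each one is its own piece of evidence. Neither rule needs the privileges of the account being watched, which is the point of the quoted remark about least privilege: the reviewer of these alerts should not be the same administrator who can generate them.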
Tomi Engdahl says:
Rally supports Snowden amid claims GCHQ tapped G20 summit
NSA accused of ops on UK soil
http://www.theregister.co.uk/2013/06/17/snowden_rally_hong_kong_extradition/
Over 900 Hong Kong-ers braved torrential rain on Saturday to march on the US Consulate and HK government in support of infamous PRISM whistle-blower Edward Snowden
The Observer on Sunday reported that US operatives in the UK intercepted the communications of then-Russian president Dmitry Medvedev during the 2009 G20 summit staged in London.
Such revelations are problematic for Snowden because although they promote him as a more valuable asset for China to hang on to, they would also seem to strengthen the case for his extradition – as he is now exposing large chunks of classified intelligence on US operations abroad.
Tomi Engdahl says:
Fake internet cafes and keyloggers: British intelligence reportedly spied on major world leaders during 2009 G20 summit
http://www.theverge.com/2013/6/16/4436120/british-gchq-world-leader-surveillance-program-2009-g20-summit
Using tactics that included luring diplomats into fake internet cafes, The Guardian reports that British intelligence spied on major world leaders during the 2009 G20 summit in London. The revelation is based on documents provided by whistleblower Edward Snowden
The G20 summit in London included President Obama as well as 20 other heads of state and governing bodies. During the summit, the GCHQ reportedly monitored the foreign politicians’ computers and phone calls, and had direct permission to do so from high-level officials in then-PM Gordon Brown’s administration.
The intent of the alleged spying was to gain an edge in negotiations against other countries
The GCHQ managed to tap into phones and computers by establishing internet cafes with built-in key logging and email intercepting software, as well as by hacking delegates’ BlackBerrys to monitor messages and phone calls.
The key logging reportedly may also have provided the GCHQ with online login details
The NSA, which shares information with the GCHQ, was allegedly gathering information during the summit as well
Tomi Engdahl says:
Only half of the Finnish people who use computers at work always adhere to their workplace security guidelines, says a survey by security company Check Point.
On the other hand, it is hard to follow instructions one is not familiar with. Only 60 per cent know the content of their workplace security guidelines and practices and know how to act in different situations. Almost 30 per cent know that the company has security guidelines but are not exactly aware of their content. One in ten admits not knowing the instructions at all, or says there are none.
Of the respondents, only half always observe the security instructions. Almost 40 per cent admit that they sometimes act differently from what is specified.
“Companies can hardly have fully understood how great a security risk their own staff’s behaviour can pose. It is not enough that the guidelines are in place if people feel they are too difficult to follow,” says Check Point’s Vice President Jukka Saaremaa.
Source: http://www.tietokone.fi/artikkeli/uutiset/joka_toinen_luistelee_tyopaikan_tietoturvaohjeista
Tomi Engdahl says:
2013 Internet Security Report
Based on research of nearly 900 companies and 120,000 hours of monitored traffic, the 2013 Check Point Security Report reveals major security risks organizations are exposed to on a daily basis. Most importantly, the report provides security recommendations on how to protect against these threats.
http://www.checkpoint.com/campaigns/security-report/index.html
Tomi Engdahl says:
This phenomenon has come to Finland: a new source of information for burglars
Traditionally a lot of burglaries take place during the summer months.
Security provider G4S says that social media has become the burglars’ latest source of tips.
- An internationally spreading trend is that burglars look on Facebook and elsewhere in social media for tips about suitable unoccupied homes. So think about how much you tell about your holiday trips and long absences from home. It is good to take care of Facebook’s privacy settings and think about what you want to share with strangers, G4S home security expert Kari Tenhunen says in a press release.
- Good relations with the neighbours help keep the house looking inhabited during the holidays.
Source: http://www.iltasanomat.fi/asuminen/art-1288574814459.html
Tomi Engdahl says:
Bone up on fresh EU privacy law – or end up in the clink, IT biz warned
Resellers no longer just flogging boxes – now they must offer legal advice
http://www.channelregister.co.uk/2013/06/17/channel_needs_to_prep_for_eu_data_protection/
McAfee Channel Summit Technology resellers, distributors and service providers need to be ready for the freshly proposed European Data Protection law, IDC has said.
The analyst’s research director of European security software Kevin Bailey said that end users were already preparing for the new rules of the incoming regulation, but the technology channel needs to get its act together too.
“The channel should be fully conversant on what the EU data protection regulation is about,” he said at the McAfee EMEA Channel Summit.
“[And] when the EU data protection regulation comes in – you will get fined, you will get put into jail if you breach it.”
The draft bill, which was put forward by European Justice Commissioner Viviane Reding in January last year, proposes a single law on how to handle data across the member states, rather than the patchwork national laws that cover the region now.
Bailey also said that resellers and distributors would need to think about more than just shifting products in the future.
“I think the role of any route to market is more consultative going forward and less about products,” he said.
“The days are gone of moving boxes, it’s about having an opinion you take to your customer and through that offering a service.
Tomi Engdahl says:
NSA PRISM snoop-gate: Won’t someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we’re told
http://www.theregister.co.uk/2013/06/17/surveillance_request_figures/
Apple has joined Facebook and Microsoft in partially revealing how many requests for sensitive user data it received from US investigators, while remaining vague about the details.
The cloud-powered iPad-slinger said it had dealt with between 4,000 and 5,000 surveillance requests from the US government since December 2012.
“The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide,” Apple said in a public statement.
The Apple statement, although it reveals the number of requests Cupertino complied with, continues to deny allowing gov bods to access its servers, stating: “We first heard of the government’s ‘Prism’ program when news organizations asked us about it on June 6.”
Facebook released a similar set of data to Apple on Friday, saying it received 9,000-10,000 requests for user data from US authorities (local, state and federal) in the second half of 2012.
Microsoft, meanwhile, said it had handled 6,000 to 7,000 criminal and national security requests from US authorities affecting 31,000 to 32,000 accounts over the last six months of 2012.
“For the first time, we are permitted to include the total volume of national security orders, which may include FISA orders, in this reporting.”
Tomi Engdahl says:
ISPs to include porn filters as standard in UK by 2014
http://www.wired.co.uk/news/archive/2013-06/14/parental-filtering-industry-standard
Parental filters for pornographic content will come as a default setting for all homes in the UK by the end of 2013, says David Cameron’s special advisor on preventing the sexualisation and commercialisation of childhood, Claire Perry MP.
Internet service providers (ISP) will be expected to provide filtering technology to new and existing customers, with an emphasis on opting out, rather than opting in.
“[In the UK] we will have filters where if you do nothing, the parental filters will come pre-ticked,” said Perry, speaking at a Westminster eForum on 14 June.
The move is part of a government effort to force ISPs to make filtering a standard option across industry, and to make the technology easier for consumers to use. As ISPs are voluntarily rolling out filtering technology, it will require no new legislation or regulations.
It had previously been feared that the government would force ISPs to block access to pornographic content unless a consumer specifically requested it.
Tomi says:
Dealing in attack programs is a public and legitimate business
Companies that sell security vulnerabilities and attack software to states do business worth millions, says Helsingin Sanomat.
According to HS, one of the industry’s biggest players is French VUPEN Security.
VUPEN’s price list is also secret. According to business magazine Forbes, customers pay about $100,000 (roughly 80,000 euros) per year for a subscription that gives them the right to browse the attack methods for sale and to buy them. The price of a single attack program is probably much higher.
VUPEN’s researchers look for so-called zero-day vulnerabilities in various software, exploit them and develop malware, which the company then sells on, completely legally.
VUPEN’s customers include, among others, national intelligence agencies and other authorities. In addition to vulnerabilities, VUPEN also sells cyber-attack weapons.
Selling vulnerabilities is a growing business.
Trade in zero-day vulnerabilities and the malware that exploits them has traditionally taken place on the black market between hackers, criminals, businesses and governments. Today the trade is open, public and legitimate business.
VUPEN offers service packages in different price ranges; the cheapest contains only low-sensitivity information and instructions for patching. The most expensive package includes instructions on how to exploit the hole with malware and may include a ready-made attack program.
“It is better that it is traded legally,” says Ville Oksanen, vice-chairman of the digital rights association Effi.
“Otherwise it would happen on the black market and vulnerabilities would more easily end up in the hands of criminals.”
VUPEN describes its clientele as “reliable” and “responsible” authorities and intelligence organisations. On its website the company says it offers its software to NATO countries and their partners, the ASEAN countries, and the ANZUS group formed by the United States, Australia and New Zealand. It does not sell to countries under UN, EU or US sanctions, or to repressive states or their citizens.
Bekrar has, however, acknowledged that VUPEN does not have ultimate control over where its products are used.
The volumes of both the legal and the black market trade are considered secret, but according to The Economist the prices of vulnerabilities have quadrupled since 2004.
Sources:
http://www.tietoviikko.fi/kaikki_uutiset/hs+yritys+myy+turvaaukkoja+ja+hyokkayksohjelmia+tiedustelupalveluille/a909899?s=r&wtm=tietoviikko/-17062013&
http://www.hs.fi/ulkomaat/Tietoturva-aukoilla+tahkotaan+miljoonia/a1371264995752
Tomi says:
Apple co-founder complains: “America is becoming like the Soviet Union”
The newly revealed Prism spying scandal has disappointed Wozniak and made him think about his relationship with his home country. At a young age he learned to respect the country and its values, but today the situation has changed.
“I was so proud of my country, and now I find out that the situation is quite different from before … The good values recognised in the Constitution do not mean anything anymore. We do not even have the right to openness,” he complains.
Wozniak feels that America is increasingly becoming a country like the Soviet Union. “In today’s digital world you can hardly own anything anymore. Photos put in the cloud may be deleted whenever the service provider decides,” he says.
“When I grew up, ownership was the thing that separated us from the Soviet Union.”
Source: http://www.tietoviikko.fi/kaikki_uutiset/applen+perustaja+valittaa+quotamerikasta+on+tulossa+neuvostoliittoquot/a909888?s=r&wtm=tietoviikko/-17062013&
Tomi says:
The British financial world takes the risk of cyber attacks seriously. Four of the five largest banks in the country consider a network attack a worse threat than the euro crisis, says Bank of England expert Andrew Haldane.
Last year the financial sector and public sector organisations were the most popular targets of attacks in Britain, says John Pig, Symantec’s British Chief Technology Officer.
Source: http://www.tietoviikko.fi/kaikki_uutiset/englannin+keskuspankki+pelkaa+kyberiskua+enemman+kuin+eurokriisia/a909915?s=r&wtm=tietoviikko/-17062013&
Tomi says:
NSA whistleblower to tech firms, Obama: ‘Grow a pair!’
Ed Snowden: Email tracking grabs ‘IPs, raw data, content, headers, attachments, everything’
http://www.theregister.co.uk/2013/06/17/ed_snowden_questions_nsa_policy/
Edward Snowden, the 29-year-old fugitive who revealed the NSA’s PRISM system, has told the technology companies involved in surveillance to stand up for users’ rights and demand a change in the current law.
“If for example Facebook, Google, Microsoft, and Apple refused to provide this cooperation with the Intelligence Community, what do you think the government would do? Shut them down?” he said, during a question and answer session hosted by The Guardian
The current filtering system used to ensure that illegal US domestic surveillance isn’t being carried out is hopelessly outdated, he said. Technically, everything can be recorded, so restrictions on what analysts can access are based solely on IT policy. In practice that means data filters are set at “widest allowable aperture,” and if data leaves US borders it’s automatically scooped.
Snowden said data analysts view what’s collected, and if US domestic users get scanned it’s called “incidental collection”.
Outside audits of data collection did take place, he said, but they were “cursory, incomplete, and easily fooled by fake justifications.” For example, Snowden claims that at Britain’s GCHQ electronic surveillance headquarters, only 5 per cent of claimed audits were completed.
Tomi Engdahl says:
President Obama Defends NSA Spying
http://www.buzzfeed.com/buzzfeedpolitics/president-obama-defends-nsa-spying
It’s “transparent,” the president tells Charlie Rose in an interview. Here’s a portion of that transcript, from PBS.
Barack Obama: Well, in the end, and what I’ve said, and I continue to believe, is that we don’t have to sacrifice our freedom in order to achieve security. That’s a false choice. That doesn’t mean that there are not tradeoffs involved in any given program, in any given action that we take.
Charlie Rose: But has FISA court turned down any request?
Barack Obama: The — because — the — first of all, Charlie, the number of requests are surprisingly small… number one. Number two, folks don’t go with a query unless they’ve got a pretty good suspicion.
Charlie Rose: Let me just ask you this. If someone leaks all this information about NSA surveillance, as Mr. Snowden did….
Barack Obama: I’m not going to comment on prosecution…. The case has been referred to the DOJ for criminal investigation…
Tomi Engdahl says:
Snowden Smuggled Documents From NSA on a Thumb Drive
http://www.wired.com/threatlevel/2013/06/snowden-thumb-drive/
The dreaded thumb drive has struck the Defense Department again as word comes that NSA whistleblower Edward Snowden smuggled out thousands of classified documents on one of the portable devices, despite the military’s efforts to ban them.
Investigators also know how many documents Snowden downloaded from the NSA network and what server he took them from, according to The Los Angeles Times, quoting an unnamed official.
Tomi Engdahl says:
Edward Snowden Is Not A Fan Of Spying On Foreign Citizens, Either
http://www.buzzfeed.com/evanmcsan/edward-snowden-is-not-a-fan-of-spying-on-foreign-citizens-ei
The NSA leaker says the government can read people’s emails, and that’s wrong no matter which country they live in.
Edward Snowden, the man who turned an unlikely career in intelligence gathering into one of the largest leaks of classified data ever, says the federal government shouldn’t be snooping on anyone without direct concern he or she is involved in a terrorist plot — and that includes citizens of foreign countries.
“Suspicionless surveillance does not become OK simply because it’s only victimizing 95% of the world instead of 100%. Our founders did not write that ‘We hold these Truths to be self-evident, that all US Persons are created equal.’”
Tomi Engdahl says:
Journalists Need To Start Asking About Storage, Not Access
http://uncrunched.com/2013/06/17/journalists-need-to-start-asking-about-storage-not-access/
It’s becoming pretty clear, particularly from today’s Snowden Q&A and the partial transcript from President Obama’s Charlie Rose interview, that we’re zeroing in on how the government accesses private individual data.
If you’re not a “U.S. person,” there are few restrictions on what the U.S. government can do to monitor you. If you are a U.S. person then there are at least some restrictions, and the involvement of at least the secret FISA court, before that data can be accessed.
But here’s what journalists should be asking at this point: What data does the government store? How long have they been storing it? Do they ever delete it?
All of the government arguments around 4th Amendment protections center on policy decisions regarding what the NSA and FBI can look at. But as they make these arguments they infer that the data is already sitting on government servers.
Tomi Engdahl says:
Edward Snowden says ‘the truth is coming,’ but when will we see the rest of his evidence?
http://www.theverge.com/2013/6/17/4437960/edward-snowden-nsa-question-answer-prism
“The US government is not going to be able to cover this up by jailing or murdering me,” Snowden said, opening the session with melodrama. “Truth is coming, and it cannot be stopped.”
Snowden repeated publicly known facts, reiterating that more information about how PRISM works will be revealed in the future.
When asked about counter-surveillance measures, Snowden affirmed that encryption can help safeguard against NSA spying. “Properly implemented strong crypto systems are one of the few things that you can rely on,” Snowden said. “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
Tomi Engdahl says:
Tapping: It’s not just for phones anymore
March 1, 2013
http://www.cablinginstall.com/articles/print/volume-21/issue-3/features/tapping-its-not-just-for-phones-anymore.html
Integrated tapping technology allows administrators to monitor data center traffic without disrupting the production environment.
What is port tapping?
Port tapping is a method of monitoring traffic being transmitted and received along a link in a network; this monitored traffic is then analyzed. This can be done actively via electronic devices that replicate (also called “mirroring”) the link’s data and send it to a monitoring device. Or it can be done passively with a device that simply passes through all data and sends it simultaneously to both its intended recipient and to a monitoring device. In both instances, the monitoring device filters the data and sends it to various software tools for analysis, where it is then sent to application-layer software for use by network administrators.
The question often comes up, what does tap stand for? The answer is, nothing. The word is used in the surveillance sense (a “tap” on a phone line), meaning to connect into and monitor communications that are being transmitted.
Active and passive tapping
Active tapping, sometimes called mirroring or SPAN (switch port analysis), uses active electronics to duplicate a link’s traffic and send it to a monitoring device. An active port tap requires that one of the switch ports be used solely for tapping, thereby reducing the number of ports that can be used for live network data.
Passive tapping is considered “pass through,” in that the link’s traffic is not replicated by the switch in any way. Instead, the optical signal’s power is divided, and the data stream sent simultaneously to both live traffic and monitoring electronics.
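The passive-tap paragraph above leaves out the check a practitioner has to do before inserting one: the splitter takes a fixed share of the transmitter's light away from the production link, so the link budget must tolerate the loss on both legs. The Python below is an added example, not part of the article, that works that budget through and picks the split ratio that gives the monitor port the most light without starving the live link; the transmitter power, receiver sensitivity, fibre loss, 0.7 dB excess loss and candidate ratios are assumed illustrative figures, not values from the page.

```python
import math

# All figures below are constructed for illustration (transmit power,
# receiver sensitivity, fibre loss, excess loss); substitute the optics'
# data-sheet values before trusting the result.

def split_loss_db(fraction, excess_loss_db=0.7):
    """Insertion loss, in dB, on one leg of a passive optical splitter.

    fraction is the share of light this leg receives (0.7 for the network
    leg of a 70/30 tap); excess_loss_db is the tap's own loss on top of the
    split, an assumed typical value.
    """
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction) + excess_loss_db


def tap_budget(tx_power_dbm, rx_sensitivity_dbm, network_fraction,
               fiber_loss_db=0.0, excess_loss_db=0.7):
    """Return (network_margin_db, monitor_margin_db) for a passive tap.

    A negative network margin means the production link goes down when the
    tap is inserted; a negative monitor margin means the analyser sees
    nothing while the production link keeps running.
    """
    network_rx = (tx_power_dbm - fiber_loss_db
                  - split_loss_db(network_fraction, excess_loss_db))
    monitor_rx = (tx_power_dbm - fiber_loss_db
                  - split_loss_db(1.0 - network_fraction, excess_loss_db))
    return network_rx - rx_sensitivity_dbm, monitor_rx - rx_sensitivity_dbm


def choose_split(tx_power_dbm, rx_sensitivity_dbm, fiber_loss_db=0.0,
                 candidates=(0.5, 0.6, 0.7, 0.8, 0.9), min_margin_db=3.0):
    """Lowest network share (most light to the monitor) that keeps both legs
    at least min_margin_db above receiver sensitivity, or None if no
    passive split fits and the link needs SPAN or an active tap instead."""
    for network_fraction in sorted(candidates):
        net_margin, mon_margin = tap_budget(
            tx_power_dbm, rx_sensitivity_dbm, network_fraction, fiber_loss_db)
        if net_margin >= min_margin_db and mon_margin >= min_margin_db:
            return network_fraction
    return None


if __name__ == "__main__":
    # Constructed short link: -3 dBm transmitter, -17 dBm receiver, 1 dB of fibre.
    print("short link, best split:", choose_split(-3.0, -17.0, 1.0))
    # Constructed long link already near its budget: nothing fits.
    print("long link, best split:", choose_split(-9.0, -17.0, 3.0))
```

On the short link a 50/50 split still leaves margin on both legs; on the long link none of the ratios fits, and the honest answer is a SPAN session (SPAN is Cisco's Switched Port Analyzer) or a regenerating active tap rather than a passive splitter. The trade-off runs the other way too: a SPAN session silently drops mirrored frames when the destination port is oversubscribed, a failure a passive tap cannot have.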
Tomi Engdahl says:
British Defense Officials Send Out Media Notice To Censor Further Leaks From Edward Snowden
Defence officials issued a confidential D notice to the BBC and other media groups in an attempt to censor coverage of surveillance tactics employed by intelligence agencies in the UK and US.
Read more: http://www.guardian.co.uk/world/2013/jun/17/defence-d-bbc-media-censor-surveillance-security
Tomi Engdahl says:
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it’s a Google problem – Chrome only, insists Adobe
http://www.theregister.co.uk/2013/06/18/flash_webcam_flaw/
A security flaw thought to have been fixed by Adobe in October 2011 has reappeared thanks to a new vulnerability involving Flash Player browser plug-ins.
The as yet unpatched vulnerability creates a means to seize control of webcams without permission before siphoning off video and audio from victims’ PCs. The clickjack-style flaw was uncovered by security consultant Egor Homakov, who developed a harmless proof-of-concept exploit to underline his concerns and push for an early fix.
“This works precisely like regular clickjacking – you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you,” Homakov explains in a blog post.
“This vulnerability affects users on Flash Player installed with Google Chrome,”
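Homakov's bug is a clickjacking variant: the victim clicks something invisible that sits over the thing they meant to click. Where the overlaid target is a web page rather than a plug-in object, the server-side defence is to refuse to be framed, with Content-Security-Policy frame-ancestors (which takes precedence) or the older X-Frame-Options header. The Python below is an added example, not code from the article or from Adobe, that evaluates a response's headers and says whether a given third-party origin may frame the page; the header values and origins are constructed, and the CSP matcher handles only 'self', 'none', '*', scheme, host and wildcard-host sources (ports and paths are ignored, an assumed simplification).

```python
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased (path and query dropped)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source, framer_origin, page_origin):
    """Match one CSP frame-ancestors source against the framing origin.

    Handles 'none', 'self', '*', scheme sources ("https:"), host sources
    with or without scheme, and a leading "*." wildcard. Ports and paths
    are ignored, an assumed simplification of the CSP source grammar.
    """
    src = source.strip().strip("'").lower()
    framer = urlsplit(framer_origin)
    if src == "none":
        return False
    if src == "*":
        return True
    if src == "self":
        return framer_origin == page_origin
    if src.endswith(":"):                      # scheme-source, e.g. "https:"
        return framer.scheme + ":" == src
    host_src = urlsplit(src if "://" in src else "//" + src)
    if host_src.scheme and host_src.scheme != framer.scheme:
        return False
    host = host_src.hostname or ""
    if host.startswith("*."):
        # "*.x.y" matches "a.x.y" but, per CSP, not the bare "x.y"
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host


def framing_allowed(headers, page_url, framer_url):
    """Say whether a response with these headers may be framed by framer_url.

    Returns (allowed, reason). A frame-ancestors directive wins over
    X-Frame-Options, as the CSP specification requires; with neither present
    any origin may frame the page, which is the precondition for clickjacking.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)

    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = any(source_matches(s, framer_origin, page_origin)
                          for s in value.split())
            return allowed, f"CSP frame-ancestors {value.strip()!r}"

    xfo = lower.get("x-frame-options", "").strip()
    if xfo.upper() == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo.upper() == "SAMEORIGIN":
        return framer_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.upper().startswith("ALLOW-FROM"):       # obsolete, but still seen
        allowed_origin = origin_of(xfo.split(None, 1)[1]) if " " in xfo else ""
        return framer_origin == allowed_origin, f"X-Frame-Options: {xfo}"
    return True, "no framing restriction: page is clickjackable from any origin"


if __name__ == "__main__":
    # Constructed headers and origins, not captured from any real site.
    print(framing_allowed({}, "https://victim.example/settings", "https://evil.example/"))
    print(framing_allowed({"Content-Security-Policy": "frame-ancestors 'none'"},
                          "https://victim.example/settings", "https://evil.example/"))
```

Run it against the headers of any page that grants a permission or commits an action on one click: an answer of True for an origin you do not control is exactly the precondition the transparent-object trick needs. Note that these headers do nothing for a plug-in object embedded directly in the attacker's page, which is why the Flash case needed a plug-in fix rather than a site fix.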
Tomi Engdahl says:
State photo-ID databases become troves for police
http://www.washingtonpost.com/business/technology/state-photo-id-databases-become-troves-for-police/2013/06/16/6f014bd4-ced5-11e2-8845-d970ccb04497_story.html?hpid=z3
The faces of more than 120 million people are in searchable photo databases that state officials assembled to prevent driver’s-license fraud but that increasingly are used by police to identify suspects, accomplices and even innocent bystanders in a wide range of criminal investigations.
The facial databases have grown rapidly in recent years and generally operate with few legal safeguards beyond the requirement that searches are conducted for “law enforcement purposes.” Amid rising concern about the National Security Agency’s high-tech surveillance aimed at foreigners, it is these state-level facial-recognition programs that more typically involve American citizens.
But law enforcement use of such facial searches is blurring the traditional boundaries between criminal and non-criminal databases, putting images of people never arrested in what amount to perpetual digital lineups. The most advanced systems allow police to run searches from laptop computers in their patrol cars and offer access to the FBI and other federal authorities.
Tomi Engdahl says:
A Catalogue of Journalistic Malfeasance
https://medium.com/state-of-play/bb27db32ae38
The reporting on Edward Snowden has been dreadful. Is there a way to make it better?
The initial story, reported by Glenn Greenwald, seemed to expose a heretofore unknown vast surveillance apparatus operated by the federal government.
While the story as reported sounds like normal journalistic practice, it is not
The next leak Greenwald published, with veteran national security reporter Ewan MacAskill, made an even more eyepopping claim: “The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants.” That report also turned out to be largely exaggerated.
Rather than “direct access to the systems” of such internet companies, it turns out that the NSA has an automated system to request and serve subpoenas that companies then fulfill to their liking — through a dropbox, a secure FTP server, or some other method. It is not data-mining as many reports initially said. Soon after those first, misleading stories were published, the companies themselves rushed to issue public statements revealing how they cooperate and why, and how they try to fight back.
But the exaggerations and misreporting did not end there. The Guardian also published a twelve-minute-long interview with Edward Snowden
Indeed, a common thread in the flurry of reporting around the NSA revelations was a seeming misunderstanding of the technology involved, leaving reporters susceptible to dubious claims they did not know how to verify.
As a result, Snowden and the reporters following his every word have stretched basic facts.
Then, last week, a common, unclassified software package — PRISM — was badly misreported. Journalists did not distinguish between a software program (like the web browser you’re using to read this post) and a program of operations. They printed that the software program was secret — it was not, as a five-minute Google search revealed — and missed that the operation using PRISM actually was. It was a total mess.
The Guardian isn’t the only paper to have been caught up in the sexiness of the Snowden leaks. The Washington Post also had to walk back much of its early reporting.
If there’s any common thread holding all of these misreportings and poor fact checking together, it is time. The rush to be first out of the gate with explosive new details of anything — or, in the Guardian’s case, the rush to publish before Snowden could be located and arrested — created perverse incentives to publish without verification.
Tomi Engdahl says:
Internet fraud still stings suckers
Australians twice as gullible as Americans
http://www.theregister.co.uk/2013/06/18/internet_fraud_still_stings_suckers/
Australians fell prey to online scams to the tune of around $AUD93.5 million in 2012, and reported nearly 84,000 “scam-related contacts” to the Australian Competition and Consumer Commission (ACCC).
The Commission has just released the results of its 2012 report on scam activity,
There’s good news in the report, since 88 percent of the people reporting scams to the ACCC also reported that they suffered no financial loss (that is, they didn’t fall for the scam), and most of those reporting loss were taken down for less than $500.
Out of the 83,803 total reports, just 13 percent – a little under 11,000 – related to computer hacking incidents.
Tomi Engdahl says:
SAP users slack, slow and backward on security
Some systems unpatched since 2005, says researcher
http://www.theregister.co.uk/2013/06/18/sap_users_slack_slow_and_backward_on_security/
Cross-site scripting, failure to check credentials, directory traversal and SQL injection make up more than three-quarters of vulnerabilities in SAP environments, according to a presentation by ERPScan’s Alexander Polyakov to RSAConference Asia Pacific 2013.
And the vulnerable state of the SAP world is increasingly attracting the attention of security researchers, Polyakov said, with nearly 60 percent of vulnerabilities found in 2013 turned up by outsiders.
That’s troubling, he told delegates, because ERPScan is also observing a growing willingness by SAP users to open up interfaces to the Internet, either for remote workers, inter-office connections, or remote management.
“If someone gets access to the SAP they can steal HR data, financial data or corporate secrets … or get access to a SCADA system.”
A successful intrusion into the SAP system could easily mean the “end of the business”.
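Of the four vulnerability classes Polyakov lists, directory traversal is the one whose fix is a self-contained path check, so here is one as an added example in Python; it is not ERPScan's or SAP's code. It maps a client-supplied relative path onto a base directory and refuses anything that, after repeated percent-decoding, would escape it; the base directory and request strings in the demo are constructed for illustration.

```python
import os
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a client-supplied path would leave the served directory."""


def resolve_under(base_dir, requested, max_decode_rounds=3):
    """Map a client-supplied relative path onto a file under base_dir.

    The request is percent-decoded repeatedly (bounded) so that double
    encodings such as %252e%252e are seen for what they are, then checked
    for NUL bytes and backslashes, rejected if absolute, normalised, and
    finally resolved with realpath so symlinks cannot point back out.
    Returns the absolute path to open, or raises TraversalError.
    """
    path = requested
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path or "\\" in path:
        raise TraversalError(f"illegal character in {requested!r}")
    if path.startswith("/"):
        raise TraversalError(f"absolute path not allowed: {requested!r}")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, posixpath.normpath(path)))
    # commonpath is the check that matters: a plain startswith(base) would let
    # "/srv/files-secret" pass for base "/srv/files".
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{requested!r} escapes {base_dir}")
    return candidate


if __name__ == "__main__":
    # Constructed base directory and request strings, not from any real system.
    base = "/srv/docs/files"
    for req in ["reports/q1.pdf", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
                "%252e%252e%252fetc/passwd", "/etc/passwd", "a%00.pdf"]:
        try:
            print(req, "->", resolve_under(base, req))
        except TraversalError as err:
            print(req, "-> rejected:", err)
```

The decode loop is bounded on purpose: an unbounded one is a denial-of-service handle, and three rounds is enough to see through the double encoding that gets past single-decode filters.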
Tomi Engdahl says:
Drug gang hacks into Belgian seaport, cops seize TONNE of smack
9 nabbed after shipping container system used to transport heroin, cocaine
http://www.theregister.co.uk/2013/06/18/drug_smugglers_using_hackers/
Police in the Netherlands and Belgium have seized a tonne of cocaine, a tonne of heroin and a suitcase stuffed with €1.3m after uncovering a massive drug smuggling operation that used hackers to break into the systems of shipping companies.
According to the Netherlands public prosecutor (statement here in Dutch), a Netherlands-based drug ring hired hackers to manipulate systems in the major port of Antwerp in their neighbouring country, Belgium, in order to arrange pick-ups.
The hackers obtained access at two container terminals by using spear phishing and malware attacks directed at port authority workers and shipping companies, before changing the location and the delivery times of containers that had the drugs in them, according to the public prosecutor.
Subsequently, the smugglers sent their own drivers to pick up drug-loaded shipping containers before the legitimate haulier could collect them.
Tomi Engdahl says:
Apple claims it can’t decrypt FaceTime and iMessage data, details extent of government requests
http://www.theverge.com/2013/6/17/4437272/apple-government-data-request-information-prism
Tomi Engdahl says:
President Obama defends NSA program in ‘Charlie Rose’ interview
http://www.theverge.com/2013/6/18/4442614/president-obama-defends-nsa-program-in-charlie-rose-interview
With questions about the NSA and FBI’s surveillance programs mounting, President Barack Obama took to Charlie Rose last night to try to lay critics’ concerns to rest. Between questions on Syria and cybersecurity talks with China, Obama defended the government’s oversight of FISA data-gathering. Unfortunately, this didn’t provide much in the way of new information
Tomi Engdahl says:
NSA Implementing ‘Two-Person’ Rule To Stop The Next Edward Snowden
http://www.forbes.com/sites/andygreenberg/2013/06/18/nsa-director-says-agency-implementing-two-person-rule-to-stop-the-next-edward-snowden/
The next Edward Snowden may need a partner on the inside.
On Tuesday, National Security Agency Director Keith Alexander told a congressional hearing of the Intelligence Committee that the agency is implementing a “two-person” system to prevent future leaks of classified information like the one pulled off by 29-year-old Booz Allen contractor Edward Snowden, who exfiltrated “thousands” of files according to the Guardian, to whom he has given several of the secret documents.
“We have to learn from these mistakes when they occur,”
That “two-person rule,” it would seem, will be something similar to the one implemented in some cases by the military after Army private Bradley Manning was able to write hundreds of thousands of secret files to CDs and leak them to WikiLeaks. The rule required that anyone copying data from a secure network onto portable storage media does so with a second person who ensures he or she isn’t also collecting unauthorized data.
It may come as a surprise that the NSA doesn’t already have that rule in place, especially for young outside contractor employees like Snowden. But Alexander emphasized that Snowden was one of close to a thousand systems administrators – mostly outside contractors – who may have had the ability to set privileges and audit conditions on networks.
When asked how Snowden had gained such broad access to the NSA’s networks despite only working for Booz Allen for three months, Alexander said that he had in fact held a position at the NSA for the twelve months prior to taking that private contractor job.
The questions about the NSA’s lack of leak protections came in the midst of a conversation that largely focused on the NSA’s justification for the broad surveillance those leaks revealed.
Tomi Engdahl says:
Google challenges U.S. gag order, citing First Amendment
http://www.washingtonpost.com/business/technology/google-challenges-us-gag-order-citing-first-amendment/2013/06/18/96835c72-d832-11e2-a9f2-42ee3912ae0e_story.html
Google asked the secretive Foreign Intelligence Surveillance Court on Tuesday to ease long-standing gag orders over data requests the court makes, arguing that the company has a constitutional right to speak about information it is forced to give the government.
Revelations about the program, called PRISM, have opened fissures between U.S. officials and the involved companies, which have scrambled to reassure their users without violating strict rules against disclosing information that the government has classified as top secret.
A high-profile legal showdown might help Google’s efforts to portray itself as aggressively resisting government surveillance
In 2008, the court rejected a challenge from a technology company that argued that a government request for information on foreign users was too broad to be constitutional.
The sharply limited public window into the legal infrastructure of surveillance review has made it difficult for outsiders to evaluate its decisions or the value of the secrecy it maintains.
“As with so many areas of national security, it’s hard to know if it makes a difference,” said Orin Kerr, a George Washington University law professor. “It’s very frustrating, and that’s the essence of it.”
All of the technology companies involved in PRISM, including Facebook, Apple, Microsoft, Google and Yahoo, have struggled to respond to the revelations about NSA surveillance.
Tomi Engdahl says:
Researchers able to predict Apple iOS-generated hotspot passwords
http://www.zdnet.com/researchers-able-to-predict-apple-ios-generated-hotspot-passwords-7000016937/
Summary: Although iOS generates seemingly random passwords for its hotspots to eliminate the use of ‘default’ passwords, researchers at a German university have found that they are able to break these passwords in under a minute.
Tomi Engdahl says:
NSA’s Role In Terror Cases Concealed From Defense Lawyers
http://yro.slashdot.org/story/13/06/19/0326244/nsas-role-in-terror-cases-concealed-from-defense-lawyers
“‘Confidentiality is critical to national security.’ So wrote the Justice Department in concealing the NSA’s role in two wiretap cases.”
New York attorney Joshua Dratel: ‘National security is about keeping illegal conduct concealed from the American public until you’re forced to justify it because someone ratted you out.’
Tomi Engdahl says:
Fisa court oversight: a look inside a secret and empty process
http://www.guardian.co.uk/commentisfree/2013/jun/19/fisa-court-oversight-process-secrecy
Obama and other NSA defenders insist there are robust limitations on surveillance but the documents show otherwise
The supposed safeguard under the FAA is that the NSA annually submits a document setting forth its general procedures for how it decides on whom it can eavesdrop without a warrant. The Fisa court then approves those general procedures. And then the NSA is empowered to issue “directives” to telephone and internet companies to obtain the communications for whomever the NSA decides – with no external (i.e. outside the executive branch) oversight – complies with the guidelines it submitted to the court.
Tomi Engdahl says:
A startup looks to stop fraud with a new method for ‘fingerprinting’ phone calls
Pindrop Security is using acoustic analysis tech to stop social engineering
http://www.theverge.com/2013/6/19/4443588/pindrop-acoustic-analysis-fights-phone-fraud-social-engineering
One of the most cherished and time-honored traditions of computer security conferences like Def Con has been the Social Engineering contest. It’s a simple but satisfying hacker bloodsport — contestants sit inside a glass isolation booth in front of a live audience and call up companies to see how many passwords, addresses, and other secret information they can coax from clueless customer service representatives.
Of course, the reason it’s so effective — and thus, entertaining — is because social engineering bypasses firewalls and encryption to attack the most vulnerable component of any security system: humans.
Georgia-based startup Pindrop Security isn’t releasing a patch for human gullibility, but it is getting $11 million of venture funding for a novel fraud detection technology: it uses audio signal processing to authenticate calls by analyzing their acoustic properties in real time.
The project came from the PhD thesis of Pindrop’s CEO and founder, Vijay Balasubramaniyan, who realized something useful about the subtle differences in audio quality and other attributes of various countries’ phone lines. For example, you can measure things that differ from country to country, like the audio cutoff frequency, to compare the declared origin of the call against audio profiles stored in the database. Vijay says those profiles are built using 147 different audio signatures across the categories of loss, noise, and spectrum, allowing the system to create a unique fingerprint for specific handsets, applications, and regions.
That means you’d be able to tell the difference between, say, a Blackberry calling from Nevada and a Skype call coming from Nigeria.
Knowing roughly where those calls originate can be useful, since fraudsters usually lie about where they’re calling from, says Scott Weiss, a former Cisco security manager
Tomi Engdahl says:
Clear your cache: Websites store personal data on your Web browser
http://www.latimes.com/business/technology/la-fi-tn-clear-cache-websites-store-sensitive-data-20130619,0,2154007.story
Sensitive financial and healthcare information is stored on Web browsers, making it easily accessible to hackers, a new analysis has found.
Web browsers – Chrome, Firefox, Safari and Internet Explorer – often save images and other content on a user’s hard drive
Though websites generally try to block sensitive data from being saved, Baltimore-based security consulting firm Independent Security Evaluators says that many websites are using methods that no longer work.
ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate were among the websites that saved items such as prescription information, utility bills, check images and credit reports.
All told, 21 of 30 websites tested by ISE had failed to use the correct technique to block sensitive transmissions from being stored on a computer or smartphone.
“What I think consumers need to realize is that this isn’t their fault,”
“But they should be wary of using public computers, and they also should clean up this data by clearing their caches to solve this problem for the time being.”
The other option for consumers is to use “private browsing” or “incognito” modes in their browser.
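A server-side header check for the problem the analysis describes, as an added example that is not code from the article, from ISE, or from any of the sites named; the sample header sets are constructed, and the check treats `no-store` as the Cache-Control directive that actually forbids a browser from writing the body to disk, with Pragma/Expires only marking content stale.

```python
"""Audit HTTP response headers for the directives that keep sensitive content out of
browser caches. Added example, not code from the article or from ISE; the sample
responses at the bottom are constructed."""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response carrying sensitive data; [] means the
    response forbids the body from being stored in the browser's disk cache."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" in cc:
        return findings  # no-store forbids storing the response at all
    if not cc:
        if "pragma" in h or "expires" in h:
            findings.append("relies on Pragma/Expires only: these mark content stale "
                            "but do not forbid writing it to disk")
        else:
            findings.append("no cache directives at all: content is cacheable by default")
    else:
        if "no-cache" in cc:
            findings.append("no-cache only forces revalidation before reuse; the body "
                            "is still written to disk")
        if "max-age" in cc and cc["max-age"] != "0":
            findings.append(f"max-age={cc['max-age']} allows reuse for that many seconds")
        findings.append("Cache-Control lacks no-store")
    return findings


HARDENED = {  # header set that prevents storage on HTTP/1.1 and HTTP/1.0 clients
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed samples resembling the weak patterns the analysis describes.
SAMPLES = {
    "legacy-only": {"Pragma": "no-cache", "Expires": "0"},
    "no-cache-only": {"Cache-Control": "no-cache"},
    "hardened": HARDENED,
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", audit_caching(hdrs) or ["OK"])
```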