Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of new cyber-threats against enterprises and mobile devices. Cyber security also extends to mobile devices.

Security is becoming an increasingly important issue. The year 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and the willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012. It is also warning people to expect this type of activity to continue.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and test their devices more now. But how are some of the smaller manufacturers doing their security testing? Metasploit has a special category for SCADA devices. It is a good idea to test your devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than a few years ago. Previously it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet: accidental connections to the Internet from isolated networks happen, malware can spread through USB memory sticks (Stuxnet did that), and there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine that indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls: Shodan makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
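A defensive counterpart to the PMU finding above is to refuse GPS time that the device's own clock says is impossible. The following is an added example, not code from the article or from the researchers; it assumes the receiver reports UNIX epoch seconds and that the device has a local monotonic clock the radio signal cannot influence. A sample is accepted only if its step agrees with the monotonic clock, and rejected samples never become the trusted reference, so the clock cannot be walked forward in steps just under the tolerance. The feed at the bottom is constructed for the demo.

```python
"""Plausibility filter for GPS-derived time feeding a PMU or SCADA clock.

Added example (not from the article). Assumes epoch-second fixes from the
receiver plus a local monotonic clock; the sample feed is constructed.
"""

MAX_TIME_T_32 = 2**31 - 1   # last second a signed 32-bit time_t can hold
MAX_DRIFT_S = 1.0           # allowed disagreement with the monotonic clock


def classify_gps_sample(trusted_gps, new_gps, elapsed_monotonic, max_drift=MAX_DRIFT_S):
    """Return 'ok' or a reason for rejecting new_gps.

    trusted_gps: last accepted epoch seconds; elapsed_monotonic: seconds
    since that acceptance as measured by the local clock.
    """
    if new_gps > MAX_TIME_T_32:
        return "overflow: beyond 32-bit time_t"
    step = new_gps - trusted_gps
    if step < 0:
        return "backward step"
    if abs(step - elapsed_monotonic) > max_drift:
        return f"jump: {step - elapsed_monotonic:+.1f}s vs local clock"
    return "ok"


def filter_feed(samples, max_drift=MAX_DRIFT_S):
    """Walk (gps_epoch, seconds_since_previous_sample) pairs.

    Returns (accepted_epochs, alerts). The first sample seeds the reference;
    a real deployment would cross-check it against another time source
    before trusting it.
    """
    accepted, alerts = [], []
    trusted = None
    elapsed_since_trusted = 0.0
    for gps_epoch, elapsed in samples:
        if trusted is None:
            trusted = gps_epoch
            accepted.append(gps_epoch)
            continue
        elapsed_since_trusted += elapsed     # keeps accumulating across rejects
        verdict = classify_gps_sample(trusted, gps_epoch, elapsed_since_trusted, max_drift)
        if verdict == "ok":
            trusted, elapsed_since_trusted = gps_epoch, 0.0
            accepted.append(gps_epoch)
        else:
            alerts.append((gps_epoch, verdict))
    return accepted, alerts


# Constructed feed: one-second fixes in July 2013 with three bad samples
SAMPLE_FEED = [
    (1373800000, 0.0),
    (1373800001, 1.0),
    (1373800002, 1.0),
    (1373886402, 1.0),       # date pushed one day ahead within one second
    (1373800003, 1.0),       # genuine signal again, still within tolerance
    (2**31 + 5, 1.0),        # value past the 32-bit time_t limit
    (1373800004, 1.0),
    (1373799000, 1.0),       # clock pulled backwards
]

if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    print("accepted:", ok)
    for epoch, why in bad:
        print("rejected", epoch, "->", why)
```

The tolerance of one second is deliberately loose; a receiver with a good oscillator can use a much tighter bound, and in practice an alert should also stop the device from stamping measurements until a second time source confirms the reference.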


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that their emergence would bring an associated increase in cyber threats. ENISA warned that the threat from mobile computing stems from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to target browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and quickly included in exploit kits.
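Because the malicious code is usually pulled in through a frame the visitor never sees, a site owner can audit their own pages for that pattern. The following is an added example, not code from the original post: it scans HTML for iframes that are hidden by style, positioned off-screen or sized to a pixel or less, and notes when such a frame loads from another host. The sample page and the exploit-kit.invalid hostname are constructed for the demo; visible third-party embeds are deliberately left alone.

```python
"""Flag hidden or tiny iframes injected into a site's HTML.

Added example (not from the post). Assumes you can read your own pages
and know the site's hostname; the sample page below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFSCREEN = re.compile(r"(left|top):-\d")   # e.g. left:-9999px


def _px(value):
    """Numeric pixel size, or +inf for values like '100%' that are not tiny."""
    try:
        return float(str(value).lower().rstrip("px").strip())
    except ValueError:
        return float("inf")


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        for dim in ("width", "height"):
            if dim in a and _px(a[dim]) <= 1:
                reasons.append(f"{dim}={a[dim]}")
        if not reasons:
            return                   # visible frame: not reported
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host and host != self.page_host:
            reasons.append(f"loads from {host}")
        self.findings.append((src, reasons))


def audit_html(html, page_host):
    """Return the suspicious iframes found in html as (src, reasons) pairs."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings


# Constructed page: one legitimate embed and three injected frames
SAMPLE_PAGE = """
<html><body>
<h1>Company news</h1>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
<iframe src="http://exploit-kit.invalid/landing" width="1" height="1"></iframe>
<div><iframe src="http://exploit-kit.invalid/p2" style="position:absolute; left:-9999px"></iframe></div>
<iframe src="http://exploit-kit.invalid/p3" style="display:none" width="300"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", ", ".join(why))
```

Run it against a stored copy of each page after every deployment, and diff the findings: a frame that was not there yesterday is the signal, since server-side injection like the Darkleech module discussed in the comments below only shows up in what the server actually serves.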

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected; combined with lax law enforcement, this is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police force has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and it will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    France has its own PRISM-like surveillance program, report suggests
    http://gigaom.com/2013/07/04/france-has-its-own-prism-like-surveillance-program-report-suggests/

    Le Monde says it has exposed a secret scheme, being carried out by the French intelligence service DGSE, that stores metadata for communications inside the country and possibly beyond.

    French president François Hollande has been vocal in his objections to the U.S. bugging European institutions but, when the PRISM scandal broke, some criticized him for staying silent – after all, PRISM appears to have sucked in data from people all around the world, including France. Now, if a Le Monde scoop is to be believed, we know why Hollande held back.

    The article, published on Thursday, claims that France’s intelligence agency, the DGSE, has its own PRISM-like scheme that collects metadata from communications within the country, as well as those flowing into and out of France. The data is reportedly stored in the DGSE’s basement, where the agency has a supercomputer to chew through it.

  2. Tomi Engdahl says:

    European PRISM anger gains momentum with fresh cloud warnings and data threats
    http://gigaom.com/2013/07/04/european-prism-anger-gains-momentum-with-fresh-cloud-warnings-and-data-threats/

    In a series of new developments, the EU digital chief has warned that policy makers might put “security guarantees ahead of open markets”, and the European Parliament has launched a major inquiry into surveillance revelations.

    The EU digital chief, Neelie Kroes, has already suggested that U.S. cloud firms may lose out to a “European cloud” thanks to the NSA’s activities. In a speech on Thursday she warned again that “concerns about cloud security can easily push European policy makers into putting security guarantees ahead of open markets, with consequences for American companies.”

    Major investigation

    On Thursday the European Parliament (EP) overwhelmingly voted through a resolution relating to PRISM, and also the revelation of U.S. bugging operations targeting European institutions.

    eHealth concerns

    A report on Europe’s eHealth “revolution” has also just come in. While it doesn’t refer to PRISM specifically, it suggests electronic healthcare services won’t take off without “rebuilding trust in data privacy”.

    It’s worth keeping an eye on this aspect of the surveillance fiasco – confidentiality is a core concern for medical professionals, lawyers, journalists and others, but how can they guarantee it to their patients and clients if all electronic data is potentially open to prying eyes?

    Expect sparks to keep on flying.

  3. Tomi Engdahl says:

    EU votes to support suspending U.S. data sharing agreements, including passenger flight data
    http://www.zdnet.com/eu-votes-to-support-suspending-u-s-data-sharing-agreements-including-passenger-flight-data-7000017677/

    Summary: The European Parliament voted in favor of a resolution that would back the Commission should it wish to suspend data sharing agreements with the U.S., such as the passenger name records system, in light of mass surveillance by the National Security Agency.

    The European Parliament on Thursday adopted a joint, cross-party resolution to begin investigations into widespread surveillance of Europeans by the U.S. National Security Agency (NSA).

    In the vote, 483 voted for the resolution, 98 against, and 65 abstained on a vote that called on the U.S. to suspend and review any laws and surveillance programs that “violate the fundamental right of EU citizens to privacy and data protection,” as well as Europe’s “sovereignty and jurisdiction.”

    The vote also gave backing to the suspension of data sharing deals between the two continents, should the European Commission take action against its U.S. ally.

    Thursday’s plenary session highlights the strained diplomatic relationship between the EU and the U.S. over recent revelations that came to light in June.

    Suspend air travel if it helps, says Parliament

    Should the Commission decide it necessary to suspend the data sharing agreement of passenger details — including personal and sensitive individual data — it could ultimately lead to the grounding of flights between the EU and the U.S.

  4. Tomi Engdahl says:

    European watchdogs order Google to rewrite privacy policy or face legal action
    http://www.guardian.co.uk/technology/2013/jul/05/google-privacy-policy-legal-action

    UK, Germany and Italy threaten tech company with legal action over 2012 policy which ‘violates commitment to transparency’

    Privacy watchdogs in the UK, Germany and Italy have told Google to rewrite its privacy policy in Europe or face legal sanctions.

    Google has already been censured in Europe over its collection of Wi-Fi data, including usernames, passwords and web page viewing while collecting photos for its Street View system. Both European privacy authorities and US legislators have demanded clarification from the company about the data protection implications of its Google Glass head-mounted system, which can take pictures and video without onlookers knowing. It has also been implicated in a data-sharing row over the NSA’s Prism program, which has collected information from a number of US companies including Google, Microsoft and Apple.

  5. Tomi Engdahl says:

    Apple stores your voice data for two years
    http://www.zdnet.com/apple-stores-your-voice-data-for-two-years-7000014216/

    Summary: The iPhone and iPad maker holds on to the data from Siri and Dictation for two years, so long as it abides by its own privacy policy — which, as you might expect, is fairly vague.

  6. Tomi Engdahl says:

    UK teams with defence and telecom companies on cyber security
    http://www.reuters.com/article/2013/07/04/us-britain-cyber-security-idUSBRE9630SJ20130704

    Nine of the world’s biggest weapon makers and telecoms providers are teaming up with Britain to bolster the country’s cyber security, aiming to tackle the increasing threat of hacking and other such attacks.

    Britain made cyber security one of its top national defence priorities in 2010, citing the growing menace of digital attacks from criminals and state-sponsored overseas groups.

    BAE Systems (BAES.L), Rolls-Royce (RR.L), Lockheed Martin (LMT.N) and Hewlett Packard (HPQ.N) are among companies that will team up with government to share information on tackling cyber threats, the Ministry of Defence said on Friday.

    “This is a clear demonstration that government and industry can work together – sharing information, experience and expertise”

    The country’s government and industry networks suffer from about 70 sophisticated cyber attacks a month, with 15 percent of that against the defence sector, said GCHQ.

  7. Tomi Engdahl says:

    Sentences for cyber crime and snooping to be tougher across EU
    http://www.reuters.com/article/2013/07/04/net-us-eu-cybercrime-idUSBRE9630LD20130704

    EU lawmakers agreed on Thursday to toughen criminal penalties across the European Union for cyber attacks, especially those that include harming critical national infrastructure and hijacking computers to steal sensitive data.

    The decision mandates national maximum sentences of at least two years in prison for attempting to illegally access information systems.

    The maximum penalty for attacks against infrastructure such as power plants, transport, or government networks will be set at five years or more, higher than the current tariff in most member states.

    The decision also increases the penalties for illegally intercepting communications, or producing and selling tools to do this.

  8. Tomi Engdahl says:

    Rampant Apache website attack hits visitors with highly malicious software
    Darkleech is back. Or maybe it never left. Either way, it’s a growing problem.
    http://arstechnica.com/security/2013/07/darkleech-infects-40k-apache-site-addresses/

    A campaign that forces sites running the Apache Web server to install highly malicious software on visitor’s PCs has compromised more than 40,000 Web addresses in the past nine months, 15,000 of them in the month of May alone.

    Sites that come under the spell of Darkleech redirect certain visitors to malicious websites that host attack code spawned by the notorious Blackhole exploit kit. The fee-based package available in underground forums makes it easy for novices to exploit vulnerabilities in browsers and browser plug-ins. Web visitors who haven’t installed updates patching those flaws get silently infected with a variety of dangerous malware titles. Among the malware that Darkleech pushes is a “Nymaim” piece of ransomware that demands a $300 payment to unlock encrypted files from a victim’s machine. Other malware titles that get installed include Pony Loader and Sirefef.

    “This campaign has been going on for a very long time,” Eset malware researcher Sébastien Duquette wrote in Tuesday’s blog post. “Our data shows that the Blackhole instance has been active for more than two years, since at least February 2011.”

    By being highly selective in targeting potential victims, Darkleech developers make it harder for security defenders to unravel the campaign and block infections.

    Visitors who are selected are served an HTML-based iframe tag in a Web page from the legitimate site that has been compromised. The iframe exploits code from a malicious site under the control of attackers.

    Ransomware that infects US-based visitors, for instance, purports to come from the FBI, while ransomware hitting people in other countries is adapted accordingly.

    Only you can prevent Web server hacks

    With so many threats successfully targeting mainstream Web servers, administrators should take care to lock down their systems by following good security hygiene. One step is to ensure all default passwords have been changed to a one that’s long and randomly generated. Also key is to make sure all software components—including the operating system and all applications—are fully up to date. It’s also not a bad idea to use a website security scanner from time to time and to occasionally check the cryptographic hash of the HTTP daemon of the Web server to make sure it hasn’t been tampered with.

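The last piece of advice in the comment above, checking the cryptographic hash of the HTTP daemon, is easy to automate. The following is an added example and not code from the Ars Technica article or from Eset: it records SHA-256 digests of the daemon and its modules while the host is known-good and later reports anything modified or missing. The files it checks are stand-ins written to a temporary directory; on a real host the paths would be the httpd binary and its module directory, and the baseline would be kept off the server so an intruder cannot rewrite it.

```python
"""Baseline-and-verify integrity check for a web server's binaries.

Added example (not from the article). The file paths are constructed
stand-ins; point record_baseline() at the real daemon and modules.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def record_baseline(paths):
    """Trusted reference {path: digest}; store it as JSON somewhere off-box."""
    return {p: sha256_file(p) for p in paths}


def verify_baseline(baseline):
    """Compare current files with the baseline.

    Returns {path: 'ok' | 'modified' | 'missing'}.
    """
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: a clean check, then a module gets a payload
    appended and the daemon is removed. Returns the two status lists in
    (daemon, module) order."""
    with tempfile.TemporaryDirectory() as d:
        daemon = os.path.join(d, "httpd")
        module = os.path.join(d, "mod_example.so")
        with open(daemon, "wb") as f:
            f.write(b"\x7fELF stand-in for the daemon")
        with open(module, "wb") as f:
            f.write(b"\x7fELF stand-in for a module")
        # round-trip through JSON, as a baseline stored on another host would be
        baseline = json.loads(json.dumps(record_baseline([daemon, module])))
        clean = verify_baseline(baseline)
        with open(module, "ab") as f:        # simulated tampering
            f.write(b"injected")
        os.remove(daemon)                    # simulated replacement gone wrong
        tampered = verify_baseline(baseline)
    return list(clean.values()), list(tampered.values())


if __name__ == "__main__":
    before, after = demo()
    print("clean host:", before)
    print("after tampering:", after)
```

A "modified" result for the daemon or a module is the point to take the server offline and rebuild from packages, since a tampered binary (the Darkleech module was one) keeps serving the injected iframes no matter how the site content itself is cleaned.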
  9. Zachariah Morano says:

    It is fantastic to read an insightful blog post for a change. So many posts nowadays which are a complete waste of time reading through.

  10. Tomi says:

    Government surveillance of the internet must end
    Column Edward Snowden is a hero
    http://www.theinquirer.net/inquirer/opinion/2281407/government-surveillance-of-the-internet-must-end

    THE INQUIRER published a poll last week soliciting readers’ opinions about Edward Snowden and government surveillance of the internet. The responses so far reflect that most readers of The INQUIRER don’t approve of internet surveillance and want Snowden protected as a whistleblower.

    I couldn’t agree more, and I believe that we all as citizens of the US, the UK and Europe should make both of these opinions abundantly and unmistakably clear to the politicians on both sides of the Atlantic ocean who supposedly represent our best interests and have control over prosecutors and government intelligence agencies.

    We all should make our opinions known to those politicians who represent us in government and demand that they put a stop to government surveillance of internet traffic and prevent any continued persecution of Edward Snowden. He is a US patriot, and a hero for freedom.

  11. Tomi says:

    NHS Fined £200k After Computers Containing Patient Data Sold On eBay
    http://www.techweekeurope.co.uk/news/nhs-surrey-ico-fine-200k-data-breach-121681

    An NHS body has been told to pay £200,000 after over 3,000 patient records, including 2000 related to children, were found on a second-hand machine sold on an online auction site. TechWeekEurope understands that auction site is eBay.

    The Information Commissioner’s Office (ICO) said it was one of the most serious data breaches it had ever seen, as a contractor for NHS Surrey failed to completely wipe and destroy 1570 hard drives containing the highly sensitive data.

    The unnamed contractor said it would carry out the service for free, as long as it could sell any salvageable parts once the hard drives had been destroyed.

    Yet a member of public contacted NHS Surrey in May 2012, saying they had bought a computer online and found it contained patient information, including records relating to around 900 adults and 2000 children.

    “We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

  12. Tomi says:

    Nations Buying as Hackers Sell Flaws in Computer Code
    http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?pagewanted=all&_r=0

    On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs — not the island’s many beetle varieties, but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.

    The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of such vulnerabilities to countries that want to break into the computer systems of foreign adversaries. The two will not reveal the clients of their company, ReVuln, but big buyers of services like theirs include the National Security Agency — which seeks the flaws for America’s growing arsenal of cyberweapons — and American adversaries like the Revolutionary Guards of Iran.

    All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.

    The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists.

    A zero-day bug could be as simple as a hacker’s discovering an online account that asks for a password but does not actually require typing one to get in. Bypassing the system by hitting the “Enter” key becomes a zero-day exploit. The average attack persists for almost a year — 312 days — before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or “weaponized” by both criminals and governments to spy on, steal from or attack their target.

    Now, the market for information about computer vulnerabilities has turned into a gold rush.

    For start-ups eager to displace more established military contractors, selling vulnerabilities — and expertise about how to use them — has become a lucrative opportunity. Firms like Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, Mr. Auriemma’s and Mr. Ferrante’s Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and in some cases for cyberweapons.

    Many technology companies have started “bug bounty” programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves — or worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared.

    In 2010, Google started paying hackers up to $3,133.70 — the number is hacker code for “elite” — for bugs in its Web browser Chrome.

  13. Tomi says:

    Nation Will Gain by Discussing Surveillance, Expert Tells Privacy Board
    http://www.nytimes.com/2013/07/10/us/nation-will-gain-by-discussing-surveillance-expert-tells-privacy-board.html?adxnnl=1&pagewanted=all&adxnnlx=1373808462-XN1ZFxj2BGljOdwSxPlTzQ

    A retired federal judge, who formerly served on the secret Foreign Intelligence Surveillance Court, on Tuesday praised the growing public discussion about government surveillance fostered by the leaks of classified information by Edward J. Snowden, the former National Security Agency contractor whom the Obama administration has charged with espionage and who remains a fugitive.

    “The brouhaha after the Snowden leaks and this meeting indeed establishes what I think is true — that we need to have a more wide-open debate about this in our society, and thankfully we’re beginning to have the debate and this meeting is part of it,” said James Robertson, formerly of the Federal District Court for the District of Columbia.

    The surveillance court has ruled that the domestic call log program is legally authorized by a provision of the Patriot Act that allows the government to obtain business records deemed “relevant” to an investigation. Several panelists portrayed the court’s theory as dubious, citing comments by lawmakers who said they did not intend to authorize such bulk collection in the Patriot Act.

    And Michael Davidson, a former counsel to the Senate Intelligence Committee, noted that the call log program must be reapproved by the surveillance court every 90 days and the overseas targeting program once a year.

  14. Tomi says:

    Attention, Shoppers: Store Is Tracking Your Cell
    http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?adxnnl=1&pagewanted=all&adxnnlx=1373868399-Q5cZRpR3BHVoBhy37HPvIg

    Like dozens of other brick-and-mortar retailers, Nordstrom wanted to learn more about its customers — how many came through the doors, how many were repeat visitors — the kind of information that e-commerce sites like Amazon have in spades. So last fall the company started testing new technology that allowed it to track customers’ movements by following the Wi-Fi signals from their smartphones.

    “We did hear some complaints,” said Tara Darrow, a spokeswoman for the store. Nordstrom ended the experiment in May, she said, in part because of the comments.

    Nordstrom’s experiment is part of a movement by retailers to gather data about in-store shoppers’ behavior and moods, using video surveillance and signals from their cellphones and apps to learn information as varied as their sex, how many minutes they spend in the candy aisle and how long they look at merchandise before buying it.

    But while consumers seem to have no problem with cookies, profiles and other online tools that let e-commerce sites know who they are and how they shop, some bristle at the physical version, at a time when government surveillance — of telephone calls, Internet activity and Postal Service deliveries — is front and center because of the leaks by Edward J. Snowden.

    “Way over the line,” one consumer posted to Facebook in response to a local news story about Nordstrom’s efforts at some of its stores.

    “The idea that you’re being stalked in a store is, I think, a bit creepy, as opposed to, it’s only a cookie — they don’t really know who I am,”

    Cameras have become so sophisticated, with sharper lenses and data-processing, that companies can analyze what shoppers are looking at, and even what their mood is.

    For example, Realeyes, based in London, which analyzes facial cues for responses to online ads, monitors shoppers’ so-called happiness levels in stores and their reactions at the register.

    Nomi, of New York, uses Wi-Fi to track customers’ behavior in a store, but goes one step further by matching a phone with an individual.

    When a shopper has volunteered some personal information, either by downloading a retailer’s app or providing an e-mail address when using in-store Wi-Fi, Nomi pulls up a profile of that customer.

    If these methods seem intrusive, at least some consumers seem happy to trade privacy for deals.

  15. Tomi says:

    N.S.A. Leaks Revive Push in Russia to Control Net
    http://www.nytimes.com/2013/07/15/business/global/nsa-leaks-stir-plans-in-russia-to-control-net.html?pagewanted=all

    Edward J. Snowden, the former National Security Agency contractor, fled the United States saying he did not want to live in a surveillance state.

    But now the Russians are using his very presence here — on Friday Mr. Snowden said he intended to remain in Russia for some time while seeking asylum elsewhere — to push for tighter controls over the Internet.

    Two members of Russia’s Parliament have cited Mr. Snowden’s leaks about N.S.A. spying as arguments to compel global Internet companies like Google and Microsoft to comply more closely with Russian rules on personal data storage.

    These rules, rights groups say, might help safeguard personal data but also would open a back door for Russian law enforcement into services like Gmail.

    “We need to quickly put these huge transnational companies like Google, Microsoft and Facebook under national controls,” Ruslan Gattarov, a member of the upper chamber of the Russian Parliament, or Federation Council, said in an interview. “This is the lesson Snowden taught us.”

    The Russian reaction may surprise Mr. Snowden most of all. In an interview with The Guardian, he said he unveiled details of N.S.A. surveillance because “I don’t want to live in a world where there is no privacy and therefore no room for intellectual exploration and creativity.”

  16. Tomi says:

    Internet pioneer Vint Cerf talks online privacy, Google Glass and the future of libraries
    http://thenextweb.com/insider/2013/07/12/vint-cerf/

  17. Tomi Engdahl says:

    Break Out The Shaker – Salting Passwords For Tighter Security
    http://www.rackspace.com/blog/break-out-the-shaker-salting-passwords-for-tighter-security/?cm_mmc=SMB12Display-_-Techmeme-_-AppDev-_-Salt

    What can safe crackers and hamburgers teach us about preventing password security breaches? And what’s the difference between encryption and hashing anyway? Salting? Bcrypt? We all know that password security is very important; the fear of a password security breach keeps developers up at night, and if it happens at the wrong time it can shatter users’ confidence in your software or stunt your application’s growth. There are a lot of different ways to protect passwords, so how do we know which one to choose?

    In this video, I’ll explain the differences between two common password protection methods, encryption and hashing, and I’ll show why they alone are not enough to protect your password database. Hackers have sophisticated ways to crack encryption keys; once they get that key it is like they have a combination to a safe and can loot everything inside. While hashing is a one-way function and offers a level of protection, rainbow tables and pre-computed tables enable hackers the opportunity compromise your application.

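The hashing-versus-salting point in the comment above is easiest to see with the two schemes side by side. The following is an added example, not code from the Rackspace post. The post recommends bcrypt, which is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in here as the slow, salted hash; the storage format "pbkdf2_sha256$iterations$salt$digest" is this example's own convention. The verifier also refuses an empty password outright, the kind of "just press Enter" bypass described in comment 12 above.

```python
"""Salted, iterated password hashing beside the unsalted hash it replaces.

Added example (not from the post). PBKDF2 stands in for bcrypt; the
record format with '$' separators is our own.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # work factor: raise it as hardware gets faster


def naive_hash(password):
    """Unsalted single SHA-256: identical for every user with the same
    password, which is exactly what a rainbow or precomputed table exploits."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Fresh 16-byte random salt per user; the iteration count is stored
    alongside so it can be raised for new hashes without breaking old ones."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """True only for the right, non-empty password; constant-time comparison
    so the check does not leak how many digest bytes matched."""
    if not password:                  # never let an empty password through
        return False
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:                # malformed record: treat as no match
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("naive, two users, same password, same hash:", naive_hash(pw) == naive_hash(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted, two users, same password, same hash:", a == b)
    print("verify right:", verify_password(pw, a), "| verify wrong:", verify_password("hunter2", a))
```

Two users with the same password get different records, so a leaked table cannot be cracked once for everyone, and the iteration count makes each guess cost as much as the defender chose.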
  18. Tomi says:

    Snowden’s Contingency: ‘Dead Man’s Switch’ Borrows From Cold War, WikiLeaks
    http://www.wired.com/threatlevel/2013/07/snowden-dead-mans-switch/

    The strategy employed by NSA whistleblower Edward Snowden to discourage a CIA hit job has been likened to a tactic employed by the U.S. and Russian governments during the Cold War.

    But Snowden also reportedly passed encrypted copies of his cache to a number of third parties who have a non-journalistic mission: If Snowden should suffer a mysterious, fatal accident, these parties will find themselves in possession of the decryption key, and they can publish the documents to the world.

    “The U.S. government should be on its knees every day begging that nothing happen to Snowden,” Greenwald said in a recent interview with the Argentinean paper La Nacion, that was highlighted in a much-circulated Reuters story, “because if something does happen to him, all the information will be revealed and it could be its worst nightmare.”

    Snowden’s strategy has been described jocularly in the press as a “dead man’s switch”.

    But Snowden’s case is actually a kind of reverse dead man’s switch, says John Prados, senior research fellow for the National Security Archive and author of several books on secret wars of the CIA.

    “The operation of the system is reversed. He’s not calling up someone every 25 hours saying I’m still free, don’t let the stuff out. The stuff is out, and if he isn’t free, then they let it out. The dynamic is reversed from the traditional concept of the dead man switch.”

    Greenwald told the Associated Press that media descriptions of Snowden’s tactic have been over-simplified.

  19. Tomi says:

    Schneier on Security
    A blog covering security and security technology.
    https://www.schneier.com/blog/archives/2013/07/snowdens_dead_m.html

    Edward Snowden has set up a dead man’s switch. He’s distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him.

    I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries

    Reply
  20. Tomi says:

    Consequence of the Snowden revelation: surveillance no longer kept secret?

    The authorization of the surveillance program expired on Friday, and the program was granted an extension by the court in the same way as before. U.S. officials disclosed this willingly, in pursuit of transparency about the data collection.

    ODNI is now going through the information in order to undo the security classification:

    - We try to give priority to the cases which we believe are of the most public interest, says Robert Litt of ODNI.

    The surveillance program’s authorization expired on Friday. The United States announced this, surprisingly, to the public – as well as the fact that the government received the court’s permission to continue in the same way as before.

    Source: http://yle.fi/uutiset/seuraus_snowdenin_paljastuksesta_valvontaa_ei_pideta_enaa_salassa/6741656

    Reply
  21. Tomi says:

    The U.S. security agency NSA reported on Wednesday that it monitors a much larger amount of traffic than the public has been told in the past.

    NSA deputy director John Inglis told the Congressional committee that the service has monitored people “two or three steps” away from a terrorist suspect. In practice, the NSA therefore collects the call information of acquaintances of acquaintances of terrorist suspects.

    Source: http://www.3t.fi/artikkeli/uutiset/talous/nsa_valvonut_terroristiepailtyjen_tutun_tuttuja

    Reply
  22. Tomi says:

    US Promises Not To Kill Or Torture Snowden
    http://yro.slashdot.org/story/13/07/27/0059243/us-promises-not-to-kill-or-torture-snowden

    “The WSJ reports that Attorney General Eric Holder promises Edward Snowden won’t be tortured or face the death penalty in a new letter hoping to persuade Russia not to grant him asylum or refugee status.”

    Reply
  23. Tomi says:

    GPS Spoofing With $3000 Worth of Equipment and a Laptop
    http://tech.slashdot.org/story/13/07/26/2344215/gps-spoofing-with-3000-worth-of-equipment-and-a-laptop

    “Todd Humphreys and a team from the University of Texas proved the concept that a terrorist could take over the navigation of a ship or even a plane,”

    Reply
  24. Tomi says:

    EXCLUSIVE: GPS flaw could let terrorists hijack ships, planes
    http://www.foxnews.com/tech/2013/07/26/exclusive-gps-flaw-could-let-terrorists-hijack-ships-planes/

    The world’s GPS system is vulnerable to hackers or terrorists who could use it to hijack ships — even commercial airliners, according to a frightening new study that exposes a huge potential hole in national security.

    Using a laptop, a small antenna and an electronic GPS “spoofer” built for $3,000, GPS expert Todd Humphreys and his team at the University of Texas took control of the sophisticated navigation system aboard an $80 million, 210-foot super-yacht in the Mediterranean Sea.

    “We injected our spoofing signals into its GPS antennas and we’re basically able to control its navigation system with our spoofing signals,” Humphreys told Fox News.

    By feeding counterfeit radio signals to the yacht, the UT team was able to drive the ship far off course, steer it left and right

    ‘Imagine shutting down a port. Imagine running a ship aground. These are the kinds of implications we’re worried about.’
    - Todd Humphreys, a GPS expert at the University of Texas

    “Professor Humphreys and his team did a number of attacks and basically we on the bridge were absolutely unaware of any difference,” Schofield said. “I was gobsmacked — but my entire deck team was similarly gobsmacked,” he told Fox News.

    “For maritime traffic, there are big implications,”

    As the Costa Concordia tragically proved, a cruise ship off-course can have disastrous results. The Exxon Valdez was only narrowly off its intended track

    And because aircraft have a similar navigation system to that aboard the White Rose of Drachs, Humphreys says a commercial airliner could be “spoofed” as well.

    Reply
  25. Tomi says:

    Defcon presenters preview hack that takes Prius out of driver’s control
    http://hackaday.com/2013/07/26/defcon-presenters-preview-hack-that-takes-prius-out-of-drivers-control/

    This one’s a treasure trove of CAN bus hacks that will scare the crap out of an unsuspecting driver — or worse. [Charlie Miller] and [Chris Valasek] are getting ready to present their findings, which were underwritten by DARPA, at this year’s Defcon.

    The hacks shown off start as seemingly innocent data tweaks, like misrepresenting your fuel level or displaying 199 mph on the speedometer while the car is standing still. But things start to get interesting when they take that speed readout from 199 down to zero instantly, which has the effect of telling the car you’ve been in a crash

    You’ve got to see the video on this one.

    The purpose of the work is to highlight areas where auto manufacturers need to tighten up security. It certainly gives us an idea of what we’ll see in the next Bond film.

    Reply
  26. Tomi Engdahl says:

    “The largest-ever hacker” fraud revealed

    An international criminal ring has been revealed, which the U.S. authorities call the worst known data-theft project. Criminals operating from Russia and Ukraine, for example, hit store chains and payment intermediaries, and the damage is considerable. Two of the men have been caught.

    According to the charges, the men stole credit card information by attacking a number of different business systems. The list includes U.S. retailers such as 7-Eleven, JC Penney and Hannaford, as well as the French retail chain Carrefour.

    Attacks were also made on the Visa and Diners credit card payment systems, as well as on intermediary companies. The technology stock exchange Nasdaq was one of the targets of the attacks.

    The affected systems held 160 million credit card records. Their data were copied onto blank cards, which were then used to withdraw money and make purchases. Stolen credit card information was also used in online purchases, and credit card information was sold on.

    The crimes resulted in hundreds of millions of dollars of damage.

    The prosecutor disclosed that the attacks generally used the so-called SQL injection technique.

    Source: http://www.tietokone.fi/artikkeli/uutiset/historian_suurin_hakkeripetos_paljastui

    Reply
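As an added example of what the SQL injection technique named in the comment above looks like beside its fix (example code written for this page, not code from the comment, the tietokone.fi article or any of the breached systems), the following runs a string-spliced query and a parameterized query against a constructed in-memory SQLite table. The `customers` table, the two sample rows and the crafted input are all constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory table standing in for a retailer's customer store;
# only the last four card digits are kept here, which is also what a real
# system should store rather than full card numbers.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "1111"),
    ("bob@example.com", "2222"),
]


def make_db() -> sqlite3.Connection:
    """Create the sample database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Defective pattern: the caller's input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Fix: the query text is fixed and the input travels as a bound parameter.
    Whatever it contains, it can only ever be compared as a value."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "alice@example.com"
    # Constructed input containing a quote, the kind of value that input
    # validation and query logging should flag for review.
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input:  ", lookup_vulnerable(conn, normal))
    print("vulnerable, crafted input: ", lookup_vulnerable(conn, crafted))      # every row
    print("parameterized, crafted input:", lookup_parameterized(conn, crafted))  # no rows
```

The defensive point is that escaping or filtering quotes is not the fix; binding parameters is, because the database driver never lets the value alter the structure of the statement. Reviewing code for string-built SQL (f-strings, `%` formatting, concatenation in front of `execute`) is the quickest way to find this class of defect.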
  27. Tomi Engdahl says:

    Android application surprises with a $3,000 bill – hundreds of similar scams have been circulating

    Suspicious applications are rampant in the Google Play app store, warns the security company Symantec.

    In the last few months Symantec has found more than 1,200 suspicious applications developed for the Android platform in the Google Play store.

    In general, Google removes malicious programs almost immediately, but sometimes the removal of dangerous applications takes days.

    “Despite their short life span, the applications must be bringing in money for the con artists, because their development does not seem to taper off,” says Symantec’s representative Joji Hamada.

    The security company describes one example that fools users into an adult entertainment service whose yearly price comes to more than $3,000.

    On the surface, the application does not look threatening. Falling for the trap, however, requires several steps and clicks, which is what makes this type of fraud difficult to detect.

    “This type of fraud is difficult to find in any program,” Symantec estimates. According to the company, such scam programs have to be cleaned up by hand.

    Recently, Google added to the latest Android version, 4.3, a tool that automatically scans applications for malicious code.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/androidsovellus+yllattaa+3000+dollarin+laskulla++liikkeella+on+ollut+satoja+vastaavia+huijauksia/a916953

    Reply
  28. Tomi Engdahl says:

    When Lousy Code Strikes, Google Dispatches Its Elite ‘Gopher Team’
    http://www.wired.com/wiredenterprise/2013/07/gopher/

    The problem was the software underpinning the file server system was more than five years old. It had simply languished.

    “If code doesn’t receive constant love it turns to shit,” Fitzpatrick said.

    The original C++ code wasn’t well documented, its automated tests weren’t up to snuff and no one really knew how it was supposed to work. People kept making incremental changes, resulting in a patchwork programmers refer to as “spaghetti code.” The unreliability was driving the server operations team crazy, but no one had time to rewrite something that technically worked. So Fitzpatrick volunteered to do it. That’s the kind of thing he does at Google, where he’s part of a team of about 25 engineers creating a custom programming language called Go.

    “It took them a while to realize I wasn’t being flippant,” he said.

    Fitzpatrick was only too happy to spend time re-writing something that technically worked — for another team, no less — because he needs guinea pigs. Fixing that bit of a code was a great opportunity to use Go and test it in a real-world system.

    The new dl.google.com software contains fewer lines of code, uses less memory and, most importantly, is more reliable, he says.

    “Our primary job with Go is make Google more efficient,” he says.

    The language still isn’t widely used outside of Google, but it’s notched a few converts.

    Couchbase, an open source database that powers applications for companies like Zynga and NTT DoCoMo, is written partially in Go. Its developers have also written parts of the system in Erlang, C and C++.

    Reply
  29. Tomi says:

    Google engineer blasts domestic spying after receiving NSA award
    http://www.theverge.com/2013/7/28/4565758/google-engineer-joseph-bonneau-science-of-guessing-nsa-award

    Google engineer Joseph Bonneau is the first person to be awarded the NSA’s “Best Scientific Cybersecurity Paper” award for his paper “The Science of Guessing,” which analyzed over 70 million user passwords in an effort to study why we’re all so horrible at making strong passwords. “Even seemingly distant language communities choose the same weak passwords,” he concludes.

    In a blog post, Bonneau expresses thanks for winning the award, but decries the NSA’s large-scale efforts to collect private documents from citizens. “I don’t think a free society is compatible with an organisation like the NSA in its current form,”

    Reply
  30. Tomi says:

    FISA court judge: No company has ever challenged Patriot Act sharing
    Also: Court staff helps gov’t lawyers make their applications more palatable.
    http://arstechnica.com/tech-policy/2013/07/fisa-court-judge-no-company-has-ever-challenged-patriot-act-sharing/

    According to one of the 11 judges that sits on the Foreign Intelligence Surveillance Court (FISC), no corporation ever served with a “business record” court order under the Patriot Act has ever challenged one, even though the law provides them a means to do so.

    In other words, when the government asked Verizon to hand over call records and other metadata to the National Security Agency (NSA), the company did so without so much as a peep. Earlier this month, the Electronic Privacy Information Center filed an emergency petition to the Supreme Court to halt the entire metadata sharing program.

    “This is not a typical judicial proceeding”

    The FISC is one of the United States’ least publicly understood judicial entities. All of its 11 sitting judges, who serve seven-year terms, are appointed by the Supreme Court Chief Justice John Roberts. Ten of the 11 FISC judges are conservative Republicans.

    The annual statistics provided to Congress by the Attorney General pursuant to 50 USC § 1807 and 1862(b)—frequently cited to in press reports as a suggestion that the Court’s approval rate of applications is over 99%—reflect only the number of final applications submitted to and acted on by the Court.

    In short, it appears that the government only submits applications that it knows will get approved—after having first gotten them modified to meet that approval.

    Reply
  31. Tomi says:

    Google’s Data-Trove Dance
    Internal Debates Arise Over Using Collected Information and Protecting Privacy
    http://online.wsj.com/article_email/SB10001424127887324170004578635812623154242-lMyQjAxMTAzMDMwMDEzNDAyWj.html

    In 2011, Google Inc. Chief Executive and co-founder Larry Page asked executives to develop a new, simplified privacy tool that would act as a kind of sliding scale

    Because Google has so many Web services that operate differently, executives found it impossible to reduce privacy controls to so few categories, these people said. Also, allowing people to select the maximum-protection setting, known as the “tin-foil-hat option,” went against Google’s newer efforts to get more people to share information about themselves on the Google+ social-networking service, they said.

    Technology companies say they care about user privacy and seek to shield their users from unwarranted government intrusion, but they are collecting and sifting increasing volumes of user data from which they profit. For most consumers, providing personal information for Web services is a worthwhile trade. Others object to having their online lives tracked and analyzed.

    Thousands of Data ‘Events’

    Every hour, an active Google user can generate hundreds or thousands of data “events” that Google stores in its computers, said people familiar with its data-gathering process.

    These include when people use Google’s array of Web and mobile-device services, which have long collected information about what individuals are privately searching for on the Web. It includes the videos they watch on YouTube, which gets more than one billion visitors a month; phone calls they’ve made using Google Voice and through nearly one billion Google-powered Android smartphones; and messages they send via Android phones or through Gmail, which has more than 425 million users.

    If a user signs in to his or her Google account to use Gmail and other services, the information collected grows and is connected to the name associated with the account. Google can log information about the addresses of websites that person visits after doing Google searches.

    Even if the person visits sites without first searching for them on Google, the company can collect many of the website addresses of people using Google’s Chrome Web browser or visiting one of millions of sites that have pieces of Google code, such as its “+1″ button, installed.

    Reply
  32. Tomi says:

    The Bradley Manning verdict is still bad news for the press
    http://www.theguardian.com/commentisfree/2013/jul/30/bradley-manning-verdict-bad-news-for-journalists

    The Obama administration’s war on leaks and, by extension, the work of investigative reporters, has been unrelenting

    if journalism dodged one figurative bullet, it faces many more in this era. The ever-more-essential field of national security journalism was already endangered. It remains so. The Obama administration’s war on leaks and, by extension, the work of investigative reporters who dare to challenge the most secretive government in our lifetimes, has been unrelenting.

    The Manning verdict had plenty of bad news for the press. By finding Manning guilty of five counts of espionage, the judge endorsed the government’s other radical theories, and left the journalism organization that initially passed along the leaks to the public, Wikileaks, no less vulnerable than it had been before the case started. Anyone who thinks Julian Assange isn’t still a target of the US Government hasn’t been paying attention; if the US can pry him loose from Ecuador’s embassy in London and extradite him, you can be certain that he’ll face charges, too, and the Manning verdict will be vital to that case.

    Reply
  33. Tomi says:

    Google Starts Upgrading Its SSL Certificates To 2048-bit Keys
    http://tech.slashdot.org/story/13/07/30/2033223/google-starts-upgrading-its-ssl-certificates-to-2048-bit-keys

    “Google today announced it has already started upgrading all of its SSL certificates to 2048-bit keys. The goal is to beef up the encryption on the connections made to its services”

    Reply
  34. Tomi says:

    A well-known security researcher was the target of an attempt to frame him as a drug dealer:

    Mail from the (Velvet) Cybercrime Underground
    http://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-underground/

    Over the past six months, “fans” of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares.

    Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police. Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery.

    This would-be smear campaign was the brainchild of a fraudster known variously online as “Fly,” “Flycracker,” and MUXACC1

    Last week, I alerted the FBI about this scheme, and contacted a Fairfax County Police officer who came out and took an official report about it.

    Reply
  35. Tomi says:

    Parking garage may take a picture of your license plate

    Car parks are making transactions easier with license plate image recognition. In the future, the new system may allow transactions without paper tickets at all.

    Motorists in the garage may be confused: on the way out, the boom rises very quickly! Was the parking ticket paid in vain, and could one get out of the garage for free just by accident?

    Europark Finland Oy CEO Christer Hede is familiar with customers’ puzzlement over the new remote identification system.

    - Yes, people do wonder a little that the boom is already open!

    The cause of the wonder is the slowly spreading remote recognition system. It photographs the license plate of the vehicle as it drives in and links it to the parking ticket the machine prints at the boom. The new system offers the advantage of a faster exit.

    - You pay for parking at the machine, and the exit is significantly smoother when the system recognizes the car’s license plate as you drive out. The boom requires no more than a brief pause.

    In Helsinki, Finland, a number of car parks use identification devices: Euro Park, Q-Park and the Forum P halls. Most large players have the system in use in some halls.

    The system is quite heavy: it requires new software, more computing capacity, cameras and cable connections to the meters. Christer Hede acknowledges that the price tag easily comes to a pretty penny.

    - I’m sure the system will eventually be in all the halls, but it is not something to be invested in quickly right now.

    The system has been criticized for the fact that the parking operator is potentially in possession of thousands of motorists’ movements. Christer Hede, however, assures that there is no security risk involved.

    - For example, the driver is not photographed; the camera focuses only on the license plate. When a customer drives out, the event is also removed from the system

    Somewhat surprisingly, the new system may also help motorists when the parking ticket is lost: a new ticket can be printed using the registration number. In the future, tickets may not be needed at all, and payment would be made by registration number.

    Source: http://yle.fi/uutiset/parkkitalo_kuvaa_autosi_rekisterikilven/6756999

    Reply
  37. Tomi says:

    The coming push for open source everything
    http://www.infoworld.com/d/data-center/the-coming-push-open-source-everything-223011

    When we can no longer trust proprietary hardware or software, open source becomes the only option

    With the news about PRISM and other clandestine data-vacuuming operations in place all over the world, it’s clear there’s a problem. It’s not just about hoovering up information from millions of people — it’s the vast number of devices that can no longer be trusted for use in business and government. When the code running anywhere along a data path is not open source, there’s a chance it’s doing something you can’t know about and potentially transmitting data to someone who shouldn’t have it. That possibility should serve to upset even nontechnical executives, to say nothing about governments all over the world.

    Open source closes the backdoors
    With open source, the veil is already lifted, and an army of developers inspects the code all the time. The potential for hidden backdoors is dramatically reduced. But that doesn’t really matter if you go deep enough.

    Sure, you can install pfSense on a server and know it’s not backdoored, but what about the hardware within the server itself? What about the TCP offloading code in the NICs? Or the BIOS? It could contain a nefarious element that you simply can’t trust — unless, of course, all that code were open source as well.

    Options for open source
    At some point in the near future, concerns over this type of corporate and governmental espionage may force larger organizations to make hard decisions. There would seem to be three options.

    Companies could increase their IT budgets dramatically to counter this threat by validating every single piece of commercial code in use anywhere on the network.
    They could start building their own hardware and writing their own software, from desktop OS through to the ICs in their routers.
    They could turn to open source solutions the whole way around.

    The first two options are not possible for the vast majority of organizations, but the last one certainly is. If significant dollars start flowing in that direction, there will be a bumper crop of companies that will mold and develop open source solutions and sell the hardware and support for them, while giving away the code for free.

    Reply
  38. Tomi says:

    More Encryption Is Not the Solution
    http://queue.acm.org/detail.cfm?id=2508864

    Cryptography as privacy works only if both ends work at it in good faith

    The recent exposure of the dragnet-style surveillance of Internet traffic has provoked a number of responses that are variations of the general formula, “More encryption is the solution.” This is not the case. In fact, more encryption will probably only make the privacy crisis worse than it already is.

    Inconvenient Fact #1 about Privacy
    Politics Trumps Cryptography

    Nation-states have police forces with guns. Cryptographers and the IETF (Internet Engineering Task Force) do not.

    Inconvenient Fact #2 about Privacy
    Not Everybody Has a Right to Privacy

    The privacy of some strata of the population has been restricted. In many nation-states, for example, prisoners are allowed private communication only with their designated lawyers; all other communications must be monitored by a prison guard.

    Many employees sign away most of their rights to privacy while “on the clock,”

    Inconvenient Fact #3 about Privacy
    Encryption Will Be Broken, If Need Be

    if a nation-state decides that somebody should not have privacy, then it will use whatever means available to prevent that privacy.

    With expenditures of this scale, there are a whole host of things one could buy to weaken encryption. I would contact providers of popular cloud and “whatever-as-service” providers and make them an offer they couldn’t refuse: on all HTTPS connections out of the country, the symmetric key cannot be random; it must come from a dictionary of 100 million random-looking keys that I provide. The key from the other side? Slip that in there somewhere, and I can find it (encrypted in a Set-Cookie header?).

    In the long run, nobody is going to notice that the symmetric keys are not random

    Major operating-system vendors could be told to collect the keys to encrypted partitions as part of their “automatic update communication,” and nobody would notice

    Politics, Not Encryption, Is the Answer

    As long as politics trumps encryption, fighting the battle for privacy with encryption is a losing proposition.

    Reply
  39. Tomi says:

    XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’
    http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

    • XKeyscore gives ‘widest-reaching’ collection of online data
    • NSA analysts require no prior authorization for searches
    • Sweeps up emails, social media activity and browsing history
    • NSA’s XKeyscore program – read one of the presentations

    A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

    The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the internet.

    The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs.

    XKeyscore, the documents boast, is the NSA’s “widest reaching” system developing intelligence from computer networks – what the agency calls Digital Network Intelligence (DNI). One presentation claims the program covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata.

    Analysts can also use XKeyscore and other NSA systems to obtain ongoing “real-time” interception of an individual’s internet activity.

    Under US law, the NSA is required to obtain an individualized Fisa warrant only if the target of their surveillance is a ‘US person’, though no such warrant is required for intercepting the communications of Americans with foreign targets.

    In a second Guardian interview in June, Snowden elaborated on his statement about being able to read any individual’s email if he had their email address. He said the claim was based in part on the email search capabilities of XKeyscore, which Snowden says he was authorized to use while working as a Booz Allen contractor for the NSA.

    Beyond emails, the XKeyscore system allows analysts to monitor a virtually unlimited array of other internet activities, including those within social media.

    The XKeyscore program also allows an analyst to learn the IP addresses of every person who visits any website the analyst specifies.

    Reply
  40. Tomi says:

    Blackhat: iOS device charger exploit installs and activates malware
    http://hackaday.com/2013/08/01/blackhat-ios-device-charger-exploit-installs-and-activates-malware/

    A team of researchers from Georgia Tech unveiled their findings yesterday at the Blackhat conference. Their topic is a power charger exploit that installs malware on iOS devices. Who would have thought that there’d be a security hole associated with the charging port on a device? Oh wait, after seeing hotel room locks exploited through their power jack this is an avenue that should be examined with all device security.

    Reply
  41. Tomi says:

    The top 10 new reasons to be afraid of hackers
    http://www.theverge.com/2013/7/31/4568992/top-10-new-reasons-to-be-afraid-of-hackers-def-con-black-hat

    The scariest new tricks at this year’s twin computer crime conferences, Black Hat and Def Con

    10. Surprise: hackers can find your old Snapchats.
    Ephemeral apps like Snapchat, Facebook Poke, and Wickr are getting increasingly popular as people recognize the allure of self-destructing messages

    9. Your GoPro is now a spycam
    Two security researchers have figured out multiple ways to turn the GoPro into a remote audio or video bug, as well as a way to control the device remotely. That could be trouble for soldiers using the cameras to record themselves on duty in Afghanistan.

    8. If a high-security lock can’t be broken electronically, it can be picked with 3D-printed keys.
    one team of hackers will present software that can generate 3D models for keys to any Schlage Primus, one of the most common high-security locks in the United States, when given the lock’s serial number.

    7. Someone is listening to your cell phone calls with $250 equipment.
    Two years ago, hackers figured out how to listen in on conversations on cell phones that use the GSM system, which includes AT&T and T-Mobile customers, for under $1,500. Now, a team of three security consultants have figured out how to do the same for CDMA phones, operated by Verizon and Sprint, for under $300.

    6. Tiny computers around town are mapping your every move.
    Security researcher Brendan O’Connor has created a system of $60 sensors designed to be planted around a neighborhood or city. The sensors track anything with a signal, including cell phones and mobile devices, feeding the data back to a central database that places the signals on a map.

    5. Hackers could shut down a power plant.
    Wireless networks are pretty useful for controlling power plants. They’ve also been implemented in nuclear, oil, gas, and water facilities. A pair of hackers discovered a vulnerability in a certain type of wireless device made by three of the leading industrial wireless automation solution providers. The vulnerability means that a hacker within a 40-mile range of the plant could read and write data into these devices using only radio transceivers.

    4. Hackers are haunting your house.

    Let’s start with your smart television: hackers can grab your account information, install a virus, or take over your webcam and microphone and stare at you while you scarf popcorn on the couch. Suddenly you’re sweating: the hackers have cranked up your thermostat to sauna levels. Next, the lights start flickering on and off. And finally, your smart door-lock, which uses Wi-Fi or Bluetooth, suddenly clicks open. As connected devices make our home lives more convenient, the paths of entry multiply from just the computer to everything in the house.

    3. You could be shocked to death by your own pacemaker.

    Notorious hacker Barnaby Jack was scheduled to give a lecture on how to talk to and remotely take over these medical devices. This cyber attack is deadly: a hacker could stop a patient’s heart from 30 feet away. Jack passed away suddenly last week

    bugs and viruses can seriously disrupt modern medical devices.

    2. Hackers could take control of your car while you’re driving.

    Car hacking has turned out to be one of the biggest hacking trends of the year. Hackers can break into your car remotely or sneak in to tweak things under the dashboard.

    exploits for vehicle security and driverless cars.

    1. You’re being hacked by the government.

    The US is becoming a dystopian surveillance state. Or at least, that’s how the hackers tell it. The government is no longer content to request data from private companies, demanding backdoor systems that afford unfettered, real-time access.

    “While politicians are clearly scared about hacks from China, our own law enforcement agencies are clearly in the hacking business,”

    Reply
  42. Tomi says:

    Exclusive: NSA pays £100m in secret funding for GCHQ
    http://www.theguardian.com/uk-news/2013/aug/01/nsa-paid-gchq-spying-edward-snowden

    • Secret payments revealed in leaks by Edward Snowden
    • GCHQ expected to ‘pull its weight’ for Americans
    • Weaker regulation of British spies ‘a selling point’ for NSA

    The NSA paid £15.5m towards redevelopments at GCHQ’s site in Bude, north Cornwall, which intercepts communications from the transatlantic cables that carry internet traffic.

    The US government has paid at least £100m to the UK spy agency GCHQ over the last three years to secure access to and influence over Britain’s intelligence gathering programmes.

    The top secret payments are set out in documents which make clear that the Americans expect a return on the investment, and that GCHQ has to work hard to meet their demands.

    The funding underlines the closeness of the relationship between GCHQ and its US equivalent, the National Security Agency.

    Snowden warned about the relationship between the NSA and GCHQ, saying the organisations have been jointly responsible for developing techniques that allow the mass harvesting and analysis of internet traffic. “It’s not just a US problem,” he said. “They are worse than the US.”

    Reply
  43. Tomi says:

    FBI Taps Hacker Tactics to Spy on Suspects
    http://online.wsj.com/article_email/SB10001424127887323997004578641993388259674-lMyQjAxMTAzMDAwMTEwNDEyWj.html

    Law-Enforcement Officials Expand Use of Tools Such as Spyware as People Under Investigation ‘Go Dark,’ Evading Wiretaps

    Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

    Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

    People familiar with the Federal Bureau of Investigation’s programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can’t be wiretapped like a phone, is called “going dark” among law enforcement.

    The FBI develops some hacking tools internally and purchases others from the private sector.

    The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said.

    The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases.

    The FBI employs a number of hackers who write custom surveillance software, and also buys software from the private sector, former U.S. officials said.

    HackingTeam provides software that can extract information from phones and computers and send it back to a monitoring system.

    U.K.-based Gamma International offers computer exploits, which take advantage of holes in software to deliver spying tools, according to people familiar with the company. Gamma has marketed “0 day exploits”

    Reply
  44. Tomi says:

    Hackers target Google Code developer website to spread malware
    Firm urges businesses to update their security protocols
    By Lee Bell
    http://www.theinquirer.net/inquirer/news/2286378/hackers-target-google-code-developer-website-to-spread-malware

    THE GOOGLE CODE developer website is being used by hackers to spread malware, security firm Z-Scaler has warned.

    According to Z-Scaler security researcher Chris Mannon who reported uncovering the ploy, cyber crooks are using the Google Code website as a fresh twist on their usual attack strategies.

    “Malware writers are now turning to commercial file-hosting sites to peddle their wares,” Mannon wrote in a company blog post. “If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether.

    Reply
  45. Tomi says:

    Tools for Heavy-Duty Attacks Get a Little Too Easy
    http://slashdot.org/topic/datacenter/tools-for-heavy-duty-attacks-get-a-little-too-easy/

    One security tool leverages AWS to crack passwords; another builds ‘bot armies.

    At most technical conferences, presenters bringing up risks from the cloud would talk about lost data, the difficulty of integrating authentication and monitoring among different platforms, the inability to verify the security of the hardware actually holding the data—all issues having to do more with process than technology.

    In two presentations at the Black Hat security conference this week, however, researchers demonstrated one commercial service and one ‘bot-building technique designed as penetration tools for improving security—while also posing a potent threat on their own.

    Information-security provider Praetorian announced July 31 a free, cloud-based password-cracking service designed to test or crack the password of every user in a company. PWAudit.com is a password-security testing tool designed to automate the process of testing passwords, while making it clear to end users how to choose a good one.

    “I cannot count the number of times that a site-wide compromise of a client’s environment started with a weak, default or re-used password,”

    Just cracking a few passwords at a time shows a lack of appreciation of the power of the cloud, according to one presentation at this week’s Black Hat security conference in Las Vegas. Software bots installed as agents on vulnerable machines are a far more efficient way to crack passwords, send spam or launch DDOS attacks than simply using one cloud, especially if the attack uses a million slaved PCs assembled for next to no cost, according to the originators of the exploit—Jeremiah Grossman, CTO of WhiteHat Security, and Matt Johansen, manager of WhiteHat’s Threat Research Center.

    Reply
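The comment above describes a service that tests the password of every user in a company for weak, default or re-used choices. As an added example (my own code, not PWAudit.com or Praetorian's, and not taken from the page), the script below runs the same kind of audit offline against a constructed set of salted password hashes: it tries a small wordlist per user, then reports which accounts share a cracked password. The user records, salts and wordlist are all made up for the demonstration, and SHA-256 stands in for whatever hash the audited system really uses.

```python
"""Offline password audit: flag weak and re-used passwords from stored hashes.

Added example, not code from the page or from PWAudit.com. All data below is
constructed for the demo. A real deployment would read the organisation's own
hash dump and a much larger wordlist (and slow hashes such as bcrypt/PBKDF2
make this correspondingly slower for the attacker too).
"""
import hashlib
from collections import defaultdict

# Constructed wordlist: defaults and weak choices an auditor would try first.
WORDLIST = ["password", "Welcome1", "admin", "letmein", "Summer2013", "changeme"]


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 as hex. Stand-in for the target system's hash scheme."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def build_sample_users() -> dict:
    """Constructed hash dump: user -> (salt, hex digest). Not real accounts."""
    plaintexts = {
        "alice": ("s1", "Welcome1"),          # weak default, shared with bob
        "bob":   ("s2", "Welcome1"),          # weak default, shared with alice
        "carol": ("s3", "Tr0ub4dor&3-xyz!"),  # not in the wordlist
        "dave":  ("s4", "admin"),             # weak default
    }
    return {u: (salt, hash_password(pw, salt)) for u, (salt, pw) in plaintexts.items()}


def audit(users: dict, wordlist: list) -> dict:
    """Return user -> list of findings ('weak:<word>' and/or 'reused').

    With per-user salts, re-use is only observable among accounts whose
    password was actually cracked; identical salted hashes never line up.
    """
    findings = defaultdict(list)
    cracked = {}
    for user, (salt, digest) in users.items():
        for word in wordlist:
            if hash_password(word, salt) == digest:
                findings[user].append(f"weak:{word}")
                cracked[user] = word
                break

    # Group cracked accounts by recovered plaintext to spot re-use.
    by_password = defaultdict(list)
    for user, word in cracked.items():
        by_password[word].append(user)
    for word, holders in by_password.items():
        if len(holders) > 1:
            for user in holders:
                findings[user].append("reused")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in audit(build_sample_users(), WORDLIST).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts with no finding (carol here) are not proven strong, only not in the wordlist; that distinction is what separates a quick audit from a real cracking run with GPU or cloud capacity behind it.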
  46. Tomi says:

    FBI spooks use MALWARE to spy on suspects’ Android mobes – report
    Spear-phishing: It’s not just for the bad guys
    theregister.co.uk/2013/08/02/fbi_staff_admit_hacking_android/

    The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects’ Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.

    That’s according to “former officers” interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian’s presentation at hacker-conflab Black Hat later today.

    The FBI’s Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.

    It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the “former officers”, who noted that in other cases it had proved hugely valuable.

    Reply
  47. Tomi says:

    FBI pressures Internet providers to install surveillance software
    http://news.cnet.com/8301-13578_3-57596791-38/fbi-pressures-internet-providers-to-install-surveillance-software/

    CNET has learned the FBI has developed custom “port reader” software to intercept Internet metadata in real time. And, in some cases, it wants to force Internet providers to use the software.

    The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies’ internal networks to facilitate surveillance efforts.

    FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI’s legal position during these discussions is that the software’s real-time interception of metadata is authorized under the Patriot Act.

    Attempts by the FBI to install what it internally refers to as “port reader” software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the “harvesting program.”

    FBI said it has the legal authority to use alternate methods to collect Internet metadata, including source and destination IP addresses

    There’s a significant exception to both sets of laws: large quantities of metadata can be intercepted in real time through a so-called pen register and trap and trace order with minimal judicial review or oversight. That metadata includes IP addresses, e-mail addresses, identities of Facebook correspondents, Web sites visited, and possibly Internet search terms as well.

    A little-noticed section of the Patriot Act that added one word — “process” — to existing law authorized the FBI to implant its own surveillance technology on carriers’ networks.

    An industry source said the FBI wants providers to use their existing CALEA compliance hardware to route the targeted customer’s communications through the port reader software.

    Reply
  48. Tomi says:

    It Now Appears Possible to Hack a (Fancy, Japanese) Toilet
    These are the dangers of putting computers in objects that did not used to have computers.
    http://www.theatlantic.com/technology/archive/2013/08/it-now-appears-possible-to-hack-a-fancy-japanese-toilet/278322/

    For, yesterday, we learned that toilets can be hacked.

    The information security company Trustwave Holdings published an advisory regarding Satis-brand toilets.

    deodorizing capabilities, an automatic seat, a two nozzle bidet spray — but also it can be controlled by an Android app.

    According to Trustwave, every Satis toilet has the same hard-coded Bluetooth PIN, which means “any person using the ‘My Satis’ [Android] application can control any Satis toilet.”

    Reply
  49. Tomi says:

    A British court has banned Birmingham University computer scientists from publishing research that could facilitate the theft of luxury cars.

    The injunction was applied for by car manufacturer Volkswagen. Researcher Flavio Garcia, together with two other encryption technology experts, explained how a number of security systems in Volkswagen-owned luxury car brands, among others Porsche, Lamborghini and Audi, can be broken.

    Volkswagen first asked the researchers to publish the report without the secret codes. The researchers, however, refused.

    The study was presented in Washington at the security symposium in August.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/tutkija+mursi+okyautojen+turvajarjestelman++tuomioistuin+kielsi+tutkimuksen+julkaisun/a917706

    Reply
