Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi says:
Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps
http://entertainment.slashdot.org/story/13/08/03/2250247/samsung-smart-tv-basically-a-linux-box-running-vulnerable-web-apps
“Two researchers at the Black Hat Briefings security conference Thursday said Smart TVs from electronics giant Samsung are rife with vulnerabilities in the underlying operating system and Java-based applications. Those vulnerabilities could be used to steal sensitive information on the device owner, or even spy on the television’s surroundings using an integrated webcam.”
Tomi says:
Extraneous Network Services Leave Home Routers Unsecure
http://mobile.slashdot.org/story/13/08/03/2124223/extraneous-network-services-leave-home-routers-unsecure
“Today’s home routers include a multitude of extra functionality, such as the ability to act as a file and print server. An article from CNET shows how an attacker can use vulnerabilities in these services, such as buffer overflows, directory traversal, race conditions, command injections, and bad permissions to take over the router from the local network without knowing the administrative password.”
Tomi says:
Lost phone? Google’s got an app for that, coming this month
Free location and remote wipe service for Android devices
http://www.theregister.co.uk/2013/08/03/android_device_manager/
Google has announced that it will begin offering a free device location and security service for Android phones and tablets for the first time later this month, addressing a longstanding omission in Mountain View’s mobile OS.
According to a blog post by Android product manager Benjamin Poiesz on Friday, the forthcoming Android Device Manager (ADM) will be a combination of a mobile app and online services that will help Android customers both locate lost phones and protect their data when their devices can’t be found.
If your phone is nearby – behind the couch, say, or underneath that stack of old pizza boxes – ADM can let you know by telling it to make a godawful racket. Login to ADM via your Google account, press the Ring button, and the device will holler at its maximum volume, even if you had previously silenced it.
Failing that, unless your gadget is powered off, it must be someplace else. ADM can tell you where – via integration with Google Maps
ADM gives you the option of initiating a remote wipe of all of your phone’s data.
Tomi says:
Your TV might be watching you
http://money.cnn.com/2013/08/01/technology/security/tv-hack/
Today’s high-end televisions are almost all equipped with “smart” PC-like features, including Internet connectivity, apps, microphones and cameras. But a recently discovered security hole in some Samsung Smart TVs shows that many of those bells and whistles aren’t ready for prime time.
But the glitches speak to a larger problem of gadgets that connect to the Internet but have virtually no security to speak of.
Security cameras, lights, heating control systems and even door locks and windows are now increasingly coming with features that allow users to control them remotely. Without proper security controls, there’s little to stop hackers from invading users’ privacy, stealing personal information or spying on people.
Tomi says:
Russia’s Massive Android Malware Industry Revealed
http://securitywatch.pcmag.com/mobile-security/314386-russia-s-massive-android-malware-industry-revealed
Mobile security company Lookout released a report today at DefCon that reveals the amazing size, scope, and complexity of Android malware operations in Russia. The report found the bulk of this Russian malware wasn’t coming from lone individuals in basements, but well-oiled malware producing machines.
Lookout discovered that 10 organizations are responsible for about 60 percent of the Russian SMS malware out there. These were centered around “Malware HQs” which actually produces the malicious apps. Once downloaded, these apps make use of SMS shortcodes that bill victims via their wireless carrier. In the U.S., we often see these attached to charitable organizations like the Red Cross.
Here’s how the scam works: The Malware HQ creates malicious applications that can be configured to look like just about anything. They also register and maintain the shortcodes with wireless carriers.
Victims find the affiliates website or social media spam and download the malicious applications. Once on the victim’s Android device, the malware sends out one or more premium SMS messages—usually costing the victim between $3 and $20 USD.
Because the Malware HQ owns the shortcodes, they get the money from the victim’s carrier. They take a cut, and give the rest to the affiliates, who are apparently paid like normal employees based off their performance.
Tomi says:
Chinese Hacking Team Caught Taking Over Decoy Water Plant
http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-over-decoy-water-plant/
A hacking group accused of being operated by the Chinese army now seems to be going after industrial control systems.
A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality, a researcher revealed on Wednesday.
The group, known as APT1, was caught by a research project that provides the most significant proof yet that people are actively trying to exploit the vulnerabilities in industrial control systems. Many of these systems are connected to the Internet to allow remote access (see “Hacking Industrial Systems Turns Out to Be Easy”). APT1, also known as Comment Crew, was lured by a dummy control system set up by Kyle Wilhoit, a researcher with security company Trend Micro, who gave a talk on his findings at the Black Hat conference in Las Vegas.
The attack began in December 2012, says Wilhoit, when a Word document hiding malicious software was used to gain full access to his U.S.-based decoy system, or “honeypot.” The malware used, and other characteristics, were unique to APT1, which security company Mandiant has claimed operates as part of China’s army
“You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit told MIT Technology Review, but the group clearly didn’t attack the honeypot by accident while seeking another target. “I actually watched the attacker interface with the machine,” says Wilhoit. “It was 100 percent clear they knew what they were doing.”
Cloud software was used to create realistic Web-based login and configuration screens for local water plants seemingly based in Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. If a person got beyond the initial access screens, they found control panels and systems for controlling the hardware of water plant systems.
None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems.
Tomi says:
Prepare to Be Shocked!
What happens when you actually click on one of those “One Weird Trick” ads?
http://www.slate.com/articles/business/moneybox/2013/07/how_one_weird_trick_conquered_the_internet_what_happens_when_you_click_on.single.html
Thankfully, Slate has allowed me to slake my curiosity, and yours. They gave me a loaner laptop, a prepaid debit card, and a quest: to investigate these weird tricks and report back to you.
What is Lon up to? “People tend to think something is important if it’s secret,” says Michael Norton, a marketing professor at Harvard Business School. “Studies find that we give greater credence to information if we’ve been told it was once ‘classified.’ Ads like this often purport to be the work of one man, telling you something ‘they’ don’t want you to know.”
“Research on persuasion shows the more arguments you list in favor of something, regardless of the quality of those arguments, the more that people tend to believe it,” Norton says. “Mainstream ads sometimes use long lists of bullet points—people don’t read them, but it’s persuasive to know there are so many reasons to buy.” OK, but if more is better, then why only one trick? “People want a simple solution that has a ton of support.”
What about all the weirdness? “A word like ‘weird’ is not so negative, and kind of intriguing,”
Poorly drawn graphics are a deliberate choice as well. “People notice when you put something in the space that’s different, even if it’s ugly,” Urminsky says. “This might hurt the brand of established companies, but the companies here have non-existent or negative brand associations, so it may be worth it for the extra attention.”
Plus, “if the ad were too professional, it might undermine the illusion that it’s one man against the system,” Norton says
here may be another reason for the length and shoddiness of the ads. “The point is not always to get the customer to buy the product,” Urminsky says. “It may be to vet the customer. Long videos can act as a sorting mechanism, a way to ‘qualify your prospects.’ Once you’ve established this is a person who’ll sit through anything, you can contact them by email later and sell them other products.”
Tomi says:
Finnish network, the user’s biggest concern is not foreign intelligence services but for commercial purposes collect information about the parties. This is the assessment of STT’s interviews with privacy experts.
Experts point out that the major online players such as Google and trade groups gather huge amounts of information, the basis of which people can easily profiled.
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/kansalaisen_syyta_pelata_kauppaa_enemman_kuin_vakoilijaa
aplikacje mobilne says:
I’m really impressed with your writing skills as well as with the layout in your blog. Is that this a paid subject matter or did you modify it your self? Either way keep up the nice quality writing, it’s rare to see a great weblog
like this one nowadays..
Tomi Engdahl says:
Feds Are Suspects in New Malware That Attacks Tor Anonymity
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.
The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.
“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.
Freedom Hosting is a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion — that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network.
“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”
The inevitable conclusion is that the malware is designed specifically to attack the Tor browser.
The heart of the malicious Javascript is a tiny Windows executable hidden in a variable named “Magneto.” A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.
But the Magneto code doesn’t download anything. It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request.
Tomi Engdahl says:
University of Oulu tool found more than a hundred holes in browsers
University of Oulu has found more than a hundred pre-unknown vulnerabilities in web browsers. They were discovered at the University developed an open-source Radamsa tool.
“We calculate the vulnerability of such a defect, which may be the manufacturer’s analysis is likely to be exploited through a browser of an attack. Carried out the attack usually needs today, one to five errors in order to control the computer through the rest of the content of the page ”
According to the University of all vulnerabilities are reported directly to the manufacturers. Gaps have been found, for example, anti-virus software and popular audio and video file formats.
Radamsa tool is fully automated and fully developed at the University of Oulu.
Source: http://www.tietoviikko.fi/kehittaja/oulun+yliopiston+tyokalu+loysi+yli+sata+reikaa+selaimista/a918909
Tomi Engdahl says:
Tor fingers Firefox flaw for FAIL but FBI’s also in the frame
Malware means ‘attacker now has a list of vulnerable Tor users’
http://www.theregister.co.uk/2013/08/06/tor_fingers_firefox_for_fail/
Tor has confirmed the existence of malware that has taken down some of its hidden nodes and says flaws in Firefox are the source of the problem.
The network anonymising service yesterday noted the disappearance of some nodes on its network. The outfit hasn’t offered any more insight into what’s down, or exactly what brought anything that is down down.
But it has issued a ”critical security announcement saying Tor Browser Bundle versions based on Firefox 17 ESR are vulnerable to “arbitrary code execution” that means “an attacker could in principle take over the victim’s computer.”
“However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”
Avoiding the flaw is easy. Firefox 17.0.7 ESR addressed the bug. Firefox is now on release 22, so if you have upgraded, you’re safe.
Tomi Engdahl says:
REVEALED: Cyberthug tool that BREAKS HBSC’s anti-Trojan tech
Browser lockdown method also used by PayPal
http://www.theregister.co.uk/2013/08/06/trusteer_pushes_updates_after_cybercrook_brew_up_browser_lockdown_exploit/
Cybercrooks on an underground forum have developed a technique to bypass anti-Trojan technology from Trusteer used by financial institutions worldwide – including HSBC and Paypal – to protect depositors from cybersnoopers.
Trusteer has downplayed the vulnerability and said it’s in the process of rolling out beefed-up protection anyway. However, independent security researchers who first spotted the exploit warn that bank customers remain at risk.
Trusteer’s Rapport browser lock-down technology is offered as a voluntary download by 50 banks worldwide, including NatWest and HSBC in the UK. US customers include ING Direct USA; eBay and PayPal also offer it to their customers as protection against banking Trojans.
An exploit on private cybercrime forums, spotted by digital forensics firm Group-IB, offers a means to bypass the browser lock-down technology.
In a statement Amit Klein, CTO at Trusteer. downplayed the seriousness of the flaw. Klein said the bug only affected one of the protection layers offered to customers by the software.
The patch for this vulnerability is available and is being rolled out automatically to the entire Trusteer Rapport customer base. No action is required from Rapport users.
Tomi Engdahl says:
‘Smart homes’ are vulnerable, say hackers
http://edition.cnn.com/2013/08/02/tech/innovation/hackable-homes/index.html?hpt=te_t1
Hacking into a $6,000 Japanese “smart” toilet and taking control of the bidet is a neat trick or a mean prank, but it’s not the type of security issue most people will ever have to worry about.
But what about a hackable front-door lock, motion detector or security camera?
Manufacturers are rushing to connect everyday objects around the house to the Internet so people can do things like control them with smartphones. It’s already possible to remotely turn lights off and on or put them on a timer. Motion detectors can be connected to alarms, windows can text you when they’re opened, thermometers will know when you’re home or away and adjust the temperature accordingly. You can see a live stream of security cameras in your house from halfway around the world using mobile apps.
There’s even an oven that can be controlled with an Android app.
These devices are commercially available now and they’re making the smart home of the future a reality, but researchers warn that security for these devices isn’t being taken seriously enough by manufacturers or the people buying them.
In 2012, 1.5 million home automation products were shipped in the U.S. That number is predicted to soar to 8 million by 2017. One of the most popular wireless standards for these home automation devices is Z-Wave, and an estimated 5 million Z-Wave devices will be shipped this year in the United States.
Security researchers say that connecting anything to a network opens it up for attacks, and they’re eagerly testing smart devices to find flaws and inform manufacturers.
The most obvious threat seems to be home security devices. A smart door lock is designed be opened with a PIN code or an app. Using a smartphone, you can change the code from anywhere — great for people with heavy Airbnb traffic.
At a Black Hat session, Daniel Crowley demonstrated how a third party can hack into a front-door lock and open it from a computer. He then asked for a random four-digit number from the audience and successfully changed the lock’s code. Crowley says that smart-lock technology is still way too immature to trust.
“If someone breaks into your house and there’s no sign of forced entry, how are you going to get your insurance company back?” he said.
Without increased attention to security of connected devices, burglars of the future won’t need crowbars and ski masks.
They could monitor your home network or security cameras to see when you are out of the house, disable any motion detectors and pop open the front door with a few lines of code.
tomi says:
BREACH Compression Attack Steals SSL Secrets
http://it.slashdot.org/story/13/08/05/233216/breach-compression-attack-steals-ssl-secrets
“A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security. The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week’s Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and measuring compression changes.”
tomi says:
Exclusive: U.S. directs agents to cover up program used to investigate Americans
http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805
A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.
Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin – not only from defense lawyers but also sometimes from prosecutors and judges.
The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial.
“It is one thing to create special rules for national security,” Gertner said. “Ordinary crime is entirely different. It sounds like they are phonying up investigations.”
tomi says:
Wi-Fi Pineapple Hacking Device Sells Out At DEF CON
http://mobile.slashdot.org/story/13/08/06/0042256/wi-fi-pineapple-hacking-device-sells-out-at-def-con
“At the recent DEF CON conference over the weekend, vendor were selling all kinds of gear. But one device stood out from all the others: the Wi-Fi Pineapple — an all in one Wi-Fi hacking device that costs only $80 (a lot cheaper than a PwnPlug) and powered by a very vibrant open source community of users. Pineapple creator Darren Kitchen said that 1.2 Pineapple’s per minute were sold on the first day of DEF CON”
“The Pineapple run Linux, based on OpenWRT, is packed with open source tools including Karma, DNS Spoof, SSL Strip, URL Snarf,”
Tomi Engdahl says:
Xerox scanners/photocopiers randomly alter numbers in scanned documents
http://www.dkriesel.com/en/blog/2013/0802_xerox-workcentres_are_switching_written_numbers_when_scanning
In this article I present in which way scanners / copiers of the Xerox WorkCentre Line randomly alter written numbers in pages that are scanned. This is not an OCR problem (as we switched off OCR on purpose), it is a lot worse – patches of the pixel data are randomly replaced in a very subtle and dangerous way: The scanned images look correct at first glance, even though numbers may actually be incorrect. Without a fuss, this may cause scenarios like:
Incorrect invoices
Construction plans with incorrect numbers (as will be shown later in the article) even though they look right
Other incorrect construction plans, for example for bridges (danger of life may be the result!)
Incorrect metering of medicine, even worse, I think.
To make things even more worse: The copiers in question are the common Xerox WorkCentres, and Xerox seemed to be unaware of the issue until we found out about it last Wednesday
Tomi Engdahl says:
Surveillance: The Enemy of Innovation
http://www.mondaynote.com/2013/08/05/surveillance-the-enemy-of-innovation/
When we think of government surveillance, we worry about our liberties, about losing a private space where no one knows what we do, say, think. But there is more. Total Surveillance is the enemy of innovation, of anything that threatens public or private incumbents.
This is what we think we know so far: The State, whatever that means these days, monitors and records everything everywhere. We’re assured that this is done with good intentions and with our best interests in mind: Restless vigilance is needed in the war on terror, drug trafficking, money-laundering. Laws that get in the way — such as the one that, on the surface, forbids the US to spy on its own citizens — are bent in ingenious ways, such as outsourcing the surveillance to a friendly or needy ally.
If this sounds outlandish, see The Guardian’s revelations about XKeyscore, the NSA tool that collects “nearly everything a user does on the internet”. Or read about the relationship between the NSA and the UK’s GCHQ
Every day there’s another story. Today, the WSJ tells us that the FBI has mastered the hacking tools required to remotely turn on microphones and cameras on smartphones and laptops
The surveillance and snooping isn’t just about computers. We have license plate recorders and federally mandated black boxes in cars.
And now we hear about yet another form of metadata collection: It seems that the US Post Office scans every envelope that they process
To this litany we must add private companies that record everything we do. Not just our posts, emails, and purchases, but the websites we visit, the buttons we click, even the way movement of the mouse…everything is recorded in a log file, and it’s made available to the “authorities” as well as buyers/sellers of profiling information. It’s all part of the Grand Bargain known as If the Product Is Free Then You Are the Product Being Sold.
We’re now closer to trouble with innovation. In an almost-present future, we’ll have zero privacy. Many will know what we do, what we say, where we are, at all times. This will cast a Stasi shadow over our lives, our minds, our emotions.
Total surveillance protects everything, starting with the status quo.
Is the situation hopeless?
I pray not. But I can’t help but see our laws — the tax code is the prime example — as old operating systems that are patched together, that have accumulated layer upon layer of silt. No one can comprehend these rules anymore, they’re too big and complicated to fit in one’s head…they’re seemingly unfixable.
Tomi Engdahl says:
Hacked without knowing it
http://www.controleng.com/single-article/hacked-without-knowing-it/e5d9c2b312d10880e3c64a3745751d9a.html
Engineering and IT Insight: Cyber-criminals are stealing manufacturing companies’ intellectual property (IP). Is your lack of cyber security hardware, software, and best practices giving away millions of dollars of IP to unknown competitors without your knowledge?
It is hard not to be afraid, maybe very afraid. Recent news articles and security analyst reports have listed the types of attacks and illicit information gathering directed against manufacturing companies, and they are not what you may expect. Much of the current press announcements are about stealing credit card information, social media account passwords, and social security numbers, but cyber-criminals are after something much more valuable in manufacturing companies—their intellectual property (IP). While national security agencies are pushing companies to harden critical infrastructure against disruptions from cyber terrorists, there is less attention given to protecting the intellectual property that manufacturing companies have spent millions of dollars to develop.
Advanced persistent threat
Companies compromised by directed attacks, usually called advanced persistent threats (APTs), have included those in the aerospace, energy, transportation, pharmaceutical, biotechnology, engineering services, high-tech electronics, chemicals, food and agriculture, and metals industries. Information stolen has included product development data, test results, system designs, product manuals, parts lists, simulation technologies, manufacturing procedures, descriptions of proprietary processes, standard operating procedures, and waste management processes. This is information that can be used to replicate production facilities. Many companies think this information has little value outside their company, but if they have global competition and the competition can replicate products and processes at a fraction of the cost, there will be damages.
Most of your competitors will not resort to using illicitly acquired information, but if your competition is based in a country with limited intellectual property rights, or even in a country actively stealing manufacturing IP, then you are at risk. If you are at risk, you may have already been hacked and not even know it. Intellectual property theft is done in a stealth mode. There is a saying among cyber security experts that there are only two types of companies: those that have been hacked, and those that don’t yet know they have been hacked.
With physical security, a company can reduce your risk by operating in safe neighborhoods, alarming all of your windows and doors, and hiring security guards. Unfortunately, with cyber security there are no safe neighborhoods. The Internet has put cyber-criminals only one click away from your doorstep, so we are all in the same electronic neighborhood.
With physical security, windows and doors are the ways in and out. With cyber security, the ways in and out can be different. Many attacks are introduced through infected USB drives and email, but report back through Internet communications. IT departments should have procedures in place to monitor all outbound Internet traffic for suspicious and atypical behavior.
With physical security, companies can employ security services to monitor alarms and provide guards to look for suspicious activity. If your manufacturing IP has value and would put you at a corporate disadvantage if stolen, then you need to employ active measures to maintain security. These can be accomplished through port scans, checks of actual installed vs. approved programs and libraries, checks of actual vs. approved accounts, and checks of actual vs. approved scheduled tasks.
Making your own safe neighborhood, locking and protecting your assets, and employing active measures to check for security breaches are the main tools for protecting your manufacturing intellectual property.
Tomi Engdahl says:
Cloud corporations to go up to 35 000 $ 000 000 over the mouth of the United States
U.S. National Security Agency NSA carried out phishing is up to 35 billion dollar blow to the U.S. for business to the cloud. The committee reported on the Financial Times .
A Washington DC think tank Information Technology & Innovation Foundation (ITIF) calculations, the three-year cloud business generated net sales of narrowing in the 21.5 to 35,000,000,000 U.S. dollars a stir because of spyware.
Sufferers, including Amazon, Google and Microsoft.
Think-tank, the network of espionage impact the competitiveness of U.S. cloud providers is long. Moreover, it is a big and growing business. Global sales of the cloud is estimated to be $ 207 billion in 2016.
Source: http://www.tietoviikko.fi/kaikki_uutiset/pilvifirmoilta+menee+jopa+35+000+000+000+dollaria+ohi+suun+yhdysvalloissa/a919000
Tomi Engdahl says:
Windows Phones susceptible to password theft when connecting to rogue Wi-Fi
Turn on certificate requirement before connecting to WPA2 networks. Now.
http://arstechnica.com/security/2013/08/windows-phones-susceptible-to-password-theft-when-connecting-to-rogue-wi-fi/
Smartphones running Microsoft’s Windows Phone operating system are vulnerable to attacks that can extract the user credentials needed to log in to sensitive corporate networks, the company warned Monday.
The vulnerability resides in a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2, which Windows Phones use to access wireless networks protected by version 2 of the Wi-Fi Protected Access protocol. Cryptographic weaknesses in the Microsoft-developed technology allow attackers to recover a phone’s encrypted domain credentials when it connects to a rogue access point. By exploiting vulnerabilities in the MS-CHAPv2 cryptographic protocol, the adversary could then decrypt the data.
The advisory comes a little more than a year after researchers devised an attack against the MS-CHAPv2 cryptographic scheme that made it trivial to break the encryption used by hundreds of anonymity and security services.
Tomi Engdahl says:
Hey, you know Android apps can ‘access ALL’ of your Google account?
One-click login hands over keys to Gmail, Google Drive et al, says researcher
http://www.theregister.co.uk/2013/08/06/android_oneclick_authentication_open_to_hacking/
The single-click Google account login for Android apps is a little too convenient for hackers, according to Tripwire’s Craig Young, who has demonstrated a flaw in the authentication method.
The mechanism is called “weblogin”, and basically it allows users to use their Google account credentials as authentication for third-party apps, without sharing the username and password itself: a token is generated to represent the user’s login details.
Young claimed the unique token used by Google’s weblogin system can be harvested by a rogue app and then used to access all of the advertising’s giants services as that user.
To demonstrate the flaw at this month’s Def Con 21 hacking conference in Las Vegas, Young created an Android app that asks for access to the user’s Google account to display stocks from Google Finance.
Assuming the user grants permission the app, it issues a token to access the requested data. The rogue app sends that token back to the hacker, who can paste it into a web session to access all of the user’s Google services, said Young.
That includes unrestricted access to Gmail, Google Drive, Google Calendar and so forth, even though the permission was only given for an Android app to access Google Finance, we’re told.
The flaw is typical of what happens when simplicity overtakes security in developers’ order of priorities.
Tomi Engdahl says:
FireEye files for $175M IPO so investors can cash in on cybersecurity craze
http://gigaom.com/2013/08/05/fireeye-files-for-175m-ipo-so-investors-can-cash-in-on-cybersecurity-craze/
FireEye wants to go public in its quest to sell boxes that find threats firewalls can’t. That way at least investors can make money off the company, which to date is unprofitable.
FireEye, founded in 2004 and based in Milpitas, Calif., makes software and hardware for spotting security threats in real time on the internet, email and file systems. The company’s Web Malware Protection System — boxes that can supplement firewalls in a network — is a popular product. Anonymized information on new threats that FireEye hardware detects gets sent up to the company’s cloud, so other systems can stay up to date.
Customers include D-Wave Systems, NetApp, Sallie Mae, University of California, Berkeley, and the U.S. Department of Defense.
In the filing the company reported $83.3 million in revenue and a $35.8 million net loss last year.
Tomi Engdahl says:
Dragon Lady: An Investigation Into the Industry Behind the Majority of Russian-Made Malware
https://www.lookout.com/resources/reports/dragon-lady
Low cost online reputation management says:
I am truly thankful to the holder of this website who
has shared this impressive article at at this time.
Tomi says:
Usenix and EFF Reps Talk About VW’s Attempt to Suppress a Presentation (Video)
http://it.slashdot.org/story/13/08/06/1749202/usenix-and-eff-reps-talk-about-vws-attempt-to-suppress-a-presentation-video
“You may have read about this on Slashdot: Three researchers were going to present a paper next week at the USENIX Security ’13 conference about security holes they found in one of Volkswagen’s anti-theft systems, but a British court said they couldn’t. One of the presenters works at a British university, and the court may have jurisdiction over him. The other two are not U.K. residents, and the Usenix conference is being held in Washington D.C., so jurisdiction questions are flying thick and fast. Amusingly, whether the paper is published and presented or not, the security holes and crack codes it is supposed to contain have been available on the Internet for quite a while, so bad guys who want to learn about them most likely have done so already.”
Tomi says:
Math Advance Suggest RSA Encryption Could Fall Within 5 Years
http://it.slashdot.org/story/13/08/06/2056239/math-advance-suggest-rsa-encryption-could-fall-within-5-years
“The two encryption systems used to secure the most important connections and digital files could become useless within years, reports MIT Technology Review, due to progress towards solving the discrete logarithm problem. Both RSA and Diffie-Hellman encryption rely on there being no efficient algorithm for that problem”
“companies large and small begin planning to move to elliptic curve cryptographycompanies large and small begin planning to move to elliptic curve cryptography”
Tomi Engdahl says:
TOR Project: Stop using Windows, disable JavaScript
http://www.itworld.com/software/367979/tor-project-stop-using-windows-disable-javascript
The anonymizing network gives some advice following a startling Firefox zero-day vulnerability
he TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network.
The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network.
“Really, switching away from Windows is probably a good security move for many reasons,” according to a security advisory posted Monday by The TOR Project.
The TOR Project’s reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.
People using Linux and OS X were not affected, but that doesn’t mean they couldn’t be targeted in the future. “This wasn’t the first Firefox vulnerability, nor will it be the last,” The TOR Project warned.
The JavaScript was likely planted on certain websites that the attacker wanted to see who came to visit. The script collected the hostname and MAC (Media Access Control) address of a person’s computer and sent it to a remote computer, the exact kind of data that TOR users hope to avoid revealing while surfing the Internet.
Tomi Engdahl says:
Twitter’s Killer New Two-Factor Solution Kicks SMS to the Curb
http://www.wired.com/threatlevel/2013/08/twitter-new-two-facto/
When Twitter rolled out two-factor authentication back in May, it hinted that the SMS authentication would be merely a first step in a more robust security solution. Today, WIRED got a better look at the company’s just-announced new system that relies on application based authentication–which means it can provide a complete end to end security without relying on third parties or codes sent via SMS.
“When we decided to implement two-factor, we wanted something that was easy to use and didn’t follow the same formula everyone else was using,” explains Twitter security engineer Alex Smolen.
The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.
When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32 character random nonce, to the mobile app — along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request.
If approved, the app replies to a challenge with its private key, relays that information back to the server. The server compares that challenge with a request ID, and if it authenticates, the user is automatically logged in.
On the user end, this means there’s no string of numbers to enter, nor do you have to swap to a third party authentication app or carrier. You just use the Twitter client itself. It means that the system isn’t vulnerable to a compromised SMS delivery channel, and moreover, it’s easy.
“Other two-factor systems rely on a shared secret,” explains Smolen. “We wanted to come up with a design where it is only stored on the client side; the secret’s only stored on the phone.”
Tomi Engdahl says:
OpenX ad servers “pre-compromised” – official distro contained remote code backdoor
http://nakedsecurity.sophos.com/2013/08/07/openx-ad-servers-pre-compromised-official-distro-contained-remote-code-backdoor/
You don’t always have to break into someone’s web server to get them to deliver your malware for you.
You may be able to implant malware onto a site from which your victim fetches third-party content, and thus serve up your malware one step removed.
You compromise the third party’s servers; they pass on the compromise to their customers; and those customers pass the compromised files onto users as they browse.
We’ve written regularly about this problem over the years, and the freebie ad server OpenX has popped up in the saga on numerous occasions.
Federal Office of Information Security in Germany (BSI, or Bundesamt für Sicherheit in der Informationstechnik), pushing out warnings about poisoned online adverts in January and in April 2013.
“In the past few days, online criminals have again carried out large-scale compromises of OpenX servers delivering advertising banners. The BSI already warned about this problem in January of this year.”
“The BSI is reporting a backdoor in the current version of (2.8.10) of the OpenX ad server…The backdoor gives an attacker remote code execution of PHP programs.”
In you are using OpenX, you can look for evidence of this compromise, or anything orchestrated similarly, by searching through the JavaScript files in your OpenX installation directory for embedded PHP code.
I hope even more that OpenX comes up soon with some official statements that will help OpenX users determine whether they were affected by this hole.
Tomi Engdahl says:
Chrome’s insane password security strategy
Chrome does something interesting when you first run it.
http://blog.elliottkember.com/chromes-insane-password-security-strategy
I decided to hit Chrome’s “Import bookmarks now” link
Why is “Saved passwords” greyed out, and mandatory? Why have a check-box? This is the illusion of choice. I think it’s deeply misleading, and this is why:
There’s no master password, no security, not even a prompt that “these passwords are visible”. Visit chrome://settings/passwords in Chrome if you don’t believe me.
There are two sides to this. The developer’s side, and the user’s side. Both roles have vastly different opinions as to how the computer works
While all of these points are valid, this doesn’t address the real problem: Google isn’t clear about its password security.
In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be it’s this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.
Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.
I bet you it won’t be “That’s how password management works”.
Tomi Engdahl says:
This is not many people know: This is easily revealed your password
E-mail and Facebook passwords phishing from Web browser is surprisingly easy.
Many people do not know that Firefox and Chrome web browsers can be used to check web services and client passwords, up to the user.
In Firefox, this can be done by going to Options, select the Security tab, clicking on the “Saved Passwords” and then select “Show Passwords”.
The browser lists online services such as email, Facebook, other social networks and even date service passwords.
Chrome measure equivalent to going to your menu buttons settings, click Advanced Options, and then “manage saved passwords”.
With Internet Explorer you will not see the passwords this way.
Use profiles
Anyone can see your passwords if the user does not remember to log out of the computer. Another user’s password list can not examine if the workstation is used in more different profiles.
If the profiles is only one, all the family can basically see each other’s passwords. The passwords are displayed, even if the browser history has been removed.
In Firefox, the user is able to create a master password, which the browser will ask the browser is opened, for example, or the password list is opened. Very few of the user is not aware of this possibility.
In Firefox create the master password from security tab.
In Chrome such a possibility does not exist at all.
Non-fiction writer Peter Järvinen be amazed at how easy it is for personal passwords to spy.
- I warned about this in my book for the first time three years ago. I’ve always wondered how the browser can be such a function.
Järvinen, advising the user to ensure data security.
- Machine or personal profile must be turned off when away from the desk. Safest thing would be that the user let the browser store passwords at all, but they would be fed to a time again. However, this is normally supplied.
Your computer should turn on the password-protected screen saver.
- Chrome browser sync your passwords to all user machines, including a laptop. In this case, the workstation can pry the password, even though the machine is not even used, Järvinen says.
Source: http://www.iltalehti.fi/digi/2013080717340252_du.shtml
Tomi Engdahl says:
WebBrowserPassView v1.43
Copyright (c) 2011 – 2013 Nir Sofer
http://www.nirsoft.net/utils/web_browser_password.html
WebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 – 10.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.
After running it, the main window of WebBrowserPassView displays the list of all Web browser passwords found in your system.
Tomi Engdahl says:
Cyber Attacks Strike Zimbabweans Around Controversial Election
http://www.techweekeurope.co.uk/news/zimbabwe-election-cyber-attacks-123938
Zimbabweans knocked offline and see data wiped because of slew of cyber attacks last week during the elections, TechWeekEurope learns
Two massive distributed denial of service (DDoS) attacks against hosting providers took placeg this weekend. They took a slew of sites offline, a number of which were reporting heavily on the hugely controversial Zimbabwean election, TechWeekEurope has learned.
“All of the information I had recorded on 30 July in the evening through to lunchtime the next day had been wiped.
“Even our website designer and engineer couldn’t really explain what happened. Then, whilst we were still talking about the wiping, we realised the site wasn’t working.
“It is curious because we have never had this problem before in the past 10 years.”
A tweet from GreenNet earlier this week read: “The nature and magnitude of this attack does suggest corporate or governmental sponsors, likely a very unsavoury one.”
The DDoS that hit GreenNet was not a crude attack using a botnet to fire traffic straight at a target port, but a DNS reflection attack using UDP packets, which can generate considerable power.
HostGator, a huge hosting provider in the US, also suffered a big DDoS hit over the weekend. That took out popular Zimbabwean news service Nehanda Radio, amongst many others.
Vern Bondoc says:
My spouse and I ended up being thrilled that Emmanuel could do his research out of the precious recommendations he gained in your site. It is now and again perplexing to just happen to be handing out information and facts that many men and women have been trying to sell. And we all see we have the website owner to appreciate because of that. Most of the illustrations you have made, the easy site navigation, the relationships you will make it easier to promote it’s got many amazing, and it’s helping our son and us understand the subject matter is enjoyable, which is exceptionally pressing. Thank you for the whole lot!
Tomi Engdahl says:
Schneier on Security
August 6, 2013
NSA Surveillance and Mission Creep
http://www.schneier.com/blog/archives/2013/08/nsa_surveillanc.html
Last month, I wrote about the potential for mass surveillance mission creep: the tendency for the vast NSA surveillance apparatus to be used for other, lesser, crimes. My essay was theoretical, but it turns out to be already happening.
Other agencies are already asking to use the NSA data:
Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement complain that their attempts to exploit the security agency’s vast resources have often been turned down
The Drug Enforcement Agency is already using this data, and lying about it:
The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial.
This is really bad. The surveillance state is closer than most of us think.
Tomi Engdahl says:
Important Update for OpenX Source 2.8.10 Users
http://blog.openx.org/08/important-update-for-openx-source-2-8-10-users/
Recently we became aware of a security issue with OpenX Source v. 2.8.10 (the open source ad serving product) whereby the binary distribution of v. 2.8.10 was compromised, and two of the files were replaced with two new modified files that contained a remote code execution vulnerability.
In response to this situation, we have released OpenX Source v. 2.8.11. OpenX Source v. 2.8.10 users should visit – http://forum.openx.org/index.php?showtopic=503521628 – for comprehensive instructions for remediation. This is a mandatory upgrade for all users of the OpenX Source v. 2.8.10 and should be applied immediately.
Tomi Engdahl says:
NSA revelations could hurt collaboration with ‘betrayed’ hackers
http://www.reuters.com/article/2013/08/03/net-us-usa-security-hacking-ethics-idUSBRE9720A020130803
The U.S. government’s efforts to recruit talented hackers could suffer from the recent revelations about its vast domestic surveillance programs, as many private researchers express disillusionment with the National Security Agency.
Though hackers tend to be anti-establishment by nature, the NSA and other intelligence agencies had made major inroads in recent years in hiring some of the best and brightest, and paying for information on software flaws that help them gain access to target computers and phones.
Much of that goodwill has been erased after the NSA’s classified programs to monitor phone records and Internet activity were exposed by former NSA contractor Edward Snowden, according to prominent hackers and cyber experts.
With top intelligence officials warning in March that cyber attacks and cyber espionage have supplanted terrorism as the top security threat facing the United States, the administration is trying to boost security in critical infrastructure and the military is vastly increasing its ranks of computer specialists.
The NSA, working with the Department of Homeland Security, has been lending more of its expertise to protect defense contractors, banks, utilities and other industries that are being spied upon or attacked by rival nations.
These efforts rely on recruiting talented hackers and working with professionals in the private sector.
Some security experts remain supportive of the government.
Def Con, where attendance is expected to top last year’s 15,000, conference founder and government advisor Jeff Moss asked federal agents to stay away.
Moss last year brought Alexander as a keynote speaker to woo the hacking community. But he said the relationship between hackers and the government has worsened since then.
“I haven’t seen this level or sort of animosity since the 90s,” Moss said in an interview.
the secret projects also scooped up huge amounts of American data, according to documents leaked by Snowden, triggering sharp criticism from many lawmakers and civil liberties advocates.
“A lot of people feel betrayed by it,”
“I don’t think anyone should believe anything they tell us,” former NSA hacker Charlie Miller said of top intelligence officials. “I wouldn’t work there anymore.”
At Black Hat, a casual polling station at a vendor’s exhibition booth asking whether Snowden was a villain or a hero produced a dead heat: 138 to 138. European attendees were especially prone to vote for hero, the vendor said.
“The debate is just starting,”
Tomi Engdahl says:
So, you gonna foot this ‘$200bn’ hacking bill, insurance giants asked
Cyber-cleanups of cyber-raids on Uncle Sam’s cyber-assets cost cyber-amounts of cash
http://www.theregister.co.uk/2013/08/08/obama_sets_out_plans_to_insure_firms_against_hack_attacks/
Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers, a White House official has suggested.
The government apparatchik is working on a so-called Cybersecurity Framework of best practices to safeguard America’s critical infrastructure – think power plants, water supplies and so on. The insurance policy plan was mooted among other suggestions on how best to defend important firms from electronic attacks.
The framework will be finalised by February 2014; adhering to its standards is voluntary, although it’s likely companies running vital services will be the first to sign up. And, obviously, it needs private insurance giants in the mix to offer indemnification against hackers.
The agencies involved in the discussions, which include the departments of Homeland Security, Commerce, and Treasury, were keen to get the insurance industry involved in the introduction of the framework, as they will be vital in soaking up losses caused by computer network breaches – the sorts of attacks that allegedly cost the UK up to £27bn a year and the US between $119bn and $188bn annually.
Tomi Engdahl says:
Chrome web browser password feature slammed as ‘security flaw’
Not really a flaw
http://www.theinquirer.net/inquirer/news/2287710/chrome-web-browser-password-feature-slammed-as-security-flaw
ALARMS HAVE BEEN RAISED about Google’s Chrome web browser, with reports slamming the firm for a “security flaw” that allows users to view stored passwords from the settings panel.
“There’s no master password, no security, not even a prompt that ‘these passwords are visible,’” Kember warned in his blog post entitled “Chrome’s insane password security strategy”.
Though he does have a point that in Chrome you can view your own passwords rather easily, what some reports are missing is that this isn’t really a “flaw” as such, and it definitely isn’t anything new.
Chrome has been built this way for quite some time, and what many reports haven’t mentioned is that the user has to be logged into the web browser to access saved passwords through the menu.
The saved passwords feature exists to help people view their passwords if they forget them.
Perhaps it could be said that it is the fault of the user if they decide not to log out after a session of web browsing on another person’s computer, or allow someone else to use their Chrome browser that they don’t trust without logging out first.
If people are concerned about security, they should protect their accounts with OS level or device level security settings, like passwords or screen prompts. If a user shares their PC, smartphone or tablet with someone that they don’t fully trust, then that person could simply go directly to the device owner’s Gmail account or Facebook page to snoop, provided that the owner hasn’t logged out like they would need to do in Chrome, too.
Google also takes this view and has said that this feature is not a security flaw.
“We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.”
Tomi Engdahl says:
Email Company Reportedly Used By Edward Snowden Shuts Down Rather Than Hand Data Over To Feds
http://www.forbes.com/sites/kashmirhill/2013/08/08/email-company-reportedly-used-by-edward-snowden-shuts-down-rather-than-hand-data-over-to-feds/
When Edward Snowden emailed journalists and activists in July to invite them to a briefing at the Moscow airport during his long stay there, he used the email account “[email protected]” according to one of the invitees. Texas-based Lavabit came into being in 2004 as an alternative to Google’s Gmail, as an email provider that wouldn’t scan users’ email for keywords. Being identified as the provider of choice for the country’s most famous NSA whistleblower led to a flurry of attention for Lavabit and its encrypted email services, from journalists, and also, apparently, from government investigators. Lavabit founder Ladar Levison announced Thursday that he’s shutting down the company rather than cooperating with a government investigation (presumably into Snowden).
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit,” writes Levison. “After significant soul searching, I have decided to suspend operations.”
Meanwhile, Lavabit’s users are not so pleased with the shutdown. Judging from complaints on the Lavabit Facebook wall — e.g., “Shutting down service with no warning and no chance to migrate is complete BULLSH**.” — they care more about service than principles.
Tomi Engdahl says:
Give Me Complicity or Give Me Death: Lavabit Chooses Death
http://cyberlaw.stanford.edu/blog/2013/08/give-me-complicity-or-give-me-death-lavabit-chooses-death
Today, Lavabit, an email service provider that promised its customers better privacy and security than other publicly available services, shut its doors. Reading between the lines of a cryptic message posted on the site’s homepage, about six weeks ago the service was served with some kind of demand for user information, as well as a gag order preventing the company from disclosing both the details of that order as well as its very existence. Rather than cooperate, owner Ladar Levison has decided to close the doors on his 10-year-old company.
There are two sad lessons to learn from the (potentially temporary) demise of Lavabit.
First, communications service providers are at a severe disadvantage when it comes to resisting even abusive or overbroad government surveillance demands. The court processes and the reasons for surveillance are kept secret from the companies. The cases that interpret the government’s powers under the law are secret. Knowledgeable counsel is hard to find… and expensive.
Second, the fact that neither Americans nor foreigners trust the U.S. government and its NSA anymore puts the U.S. communications companies at a severe competitive disadvantage. American law provides almost no protection for foreigners, who comprise a growing majority of any global company’s customers.
This mistrust of the U.S. government’s relationship with Internet companies is particularly damaging to cloud computing services, a sector led by American firms like Microsoft, Google and Amazon. Foreign companies say they are less likely to do business with U.S. cloud companies, and foreign governments have entertained the idea of requiring data be kept locally. The truth is, we don’t know that switching to non-U.S. based communications service providers would avoid U.S. government overreaching.
Tomi Engdahl says:
NSA spying may cost cloud companies $35 billion
http://blog.sfgate.com/techchron/2013/08/08/nsa-spying-may-cost-cloud-companies-35-billion/
The National Security Agency surveillance programs aren’t just costing the United States credibility on the world stage — they’re costing domestic tech companies big money.
The recent revelations that the NSA is closely tracking the electronic footprints of foreign citizens could cut as much as $35 billion off the top lines of U.S. cloud computing companies over the next three years. It might also put the nation’s leadership position in the fast growing sector at stake.
That’s according to a new study by the Information Technology and Innovation Foundation, which tried to assess the financial toll of the clandestine PRISM program uncovered by The Guardian and Washington Post in early June. Leaks from defense contractor Edward Snowden showed that the NSA is routinely analyzing emails, photographs, online searches and other digital files that cross the servers of tech giants like Apple, Facebook, Google, Microsoft and Yahoo.
“the severity of the threat depends on whether it will come to light that other governments also have Prism-like programs.”
“It remains to be seen how big a hit,”
The ITIF based its conclusions, which it acknowledged were a rough guess, on a recent survey of 500 respondents by the Cloud Security
Alliance. The industry group found that “56 percent of non-US residents were less likely to use US-based cloud providers, in light of recent revelations about government access to customer information.”
The Cloud Security Alliance survey suggests overseas citizens and businesses have begun to wonder if they can trust their information with major U.S. companies.
Tomi Engdahl says:
Silent Circle Preemptively Shuts Down Encrypted Email Service To Prevent NSA Spying
http://techcrunch.com/2013/08/08/silent-circle-preemptively-shuts-down-encrypted-email-service-to-prevent-nsa-spying/
“We knew USG would come after us”. That’s why Silent Circle CEO Michael Janke tells TechCrunch his company shut down its Silent Mail encrypted email service. It hadn’t been told to provide data to the government, but after Lavabit shut down today rather than be “complicit” with NSA spying, Silent Circle told customers it has killed off Silent Mail rather than risk their privacy.
The Silent Circle blog posts explains “We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now.” It’s especially damning considering Silent Circle’s co-founder and president is Phil Zimmermann, the inventor of widely-used email encryption program Pretty Good Privacy.
Silent Circle reportedly had revenue increase 400% month-over-month in July after corporate enterprise customers switched to its services in hopes of avoiding surveillance.
Silent Circle’s other secure services including Silent Phone and Silent Text will continue to operate as they do all the encryption on the client side within users’ devices. But it explained that “Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has.”
Tomi Engdahl says:
N.S.A. Said to Search Content of Messages to and From U.S.
http://www.nytimes.com/2013/08/08/us/broader-sifting-of-data-abroad-is-seen-by-nsa.html?pagewanted=all&_r=0
The National Security Agency is searching the contents of vast amounts of Americans’ e-mail and text communications into and out of the country, hunting for people who mention information about foreigners under surveillance, according to intelligence officials.
The N.S.A. is not just intercepting the communications of Americans who are in direct contact with foreigners targeted overseas, a practice that government officials have openly acknowledged.
While it has long been known that the agency conducts extensive computer searches of data it vacuums up overseas, that it is systematically searching — without warrants — through the contents of Americans’ communications that cross the border reveals more about the scale of its secret operations.
Government officials say the cross-border surveillance was authorized by a 2008 law, the FISA Amendments Act
Tomi Engdahl says:
Why Wasn’t the NSA Prepared?
http://www.theatlantic.com/national/archive/2013/08/why-wasnt-the-nsa-prepared/278310/
Contingency planning is critical to covert operations, and the NSA’s failure to anticipate or effectively mitigate its recent leak is inexcusable.
In the coming weeks, Congress and the civilian defense leadership will have to ask a lot of questions about the National Security Agency’s surveillance programs, and how to reconcile them with privacy concerns. But they will also have to ask a more basic set of questions: Why on earth wasn’t the NSA prepared for this? Why didn’t the intelligence agency’s leadership have a plan to deal with the global outcry that would follow the leak of classified Internet surveillance programs?
Contingency planning is a critical part of every military operation, and is even more important for secret or covert activities.
the NSA is a Defense Department organization, and the director of NSA is a 4-star general. As such, it is troubling that the NSA appears to have no plan in place for how to respond once its spying program was made public and plastered on the front pages around the world. Instead, the best defense General Alexander could offer a room full of security professionals at the Black Hat convention, almost two months after the leak, was an explanation of FISA courts and the successful prosecution of a San Diego cab driver who sent money to a Somali militia.
The NSA leadership had ample warning signs that leaks were possible, and that public reaction in the U.S. and around the world would be overwhelmingly negative. In 2003, Congress shut down Admiral Poindexter’s ‘Total Information Awareness’ program
The warning signs about fallout from the NSA Internet surveillance were even clearer: Senators Ron Wyden and Mark Udall publicly raised concerns about the program as far back as 2011, and directly communicated their worries to General Alexander in 2012.
When initial reports of the PRISM program asserted that there were backdoors and direct data access in some of the most important tech companies in the world, the firms’ awkward denials were justifiably met with skepticism. They couldn’t fully deny the charges without disclosing certain classified details, and the only affirmative statements they could make had to be cleared with the government first, which ultimately led to all of the companies issuing statements that included curiously similar phrasing, further fueling paranoia. By the time the record was corrected, over a week later, the damage had been done. Even if the surveillance programs are legally constrained and ostensibly target only a small number of suspects, the companies are perceived as being complicit in a massive, American government dragnet.
Tomi Engdahl says:
NSA to cut system administrators by 90 percent to limit data access
http://preview.reuters.com/2013/8/9/nsa-to-cut-system-administrators-by-90-percent-to
The National Security Agency, hit by disclosures of classified data by former contractor Edward Snowden, said Thursday it intends to eliminate about 90 percent of its system administrators to reduce the number of people with access to secret information.
Keith Alexander, the director of the NSA, the U.S. spy agency charged with monitoring foreign electronic communications, told a cybersecurity conference in New York City that automating much of the work would improve security.
“What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent,” he said.
The remarks came as the agency is facing scrutiny after Snowden, who had been one of about 1,000 system administrators who help run the agency’s networks, leaked classified details about surveillance programs to the press.
Tomi Engdahl says:
Update on Scanning Issue: Software Patches To Come
http://realbusinessatxerox.blogs.xerox.com/2013/08/07/update-on-scanning-issue-software-patches-to-come/?CMP=SMO-EXT#.UgSyd21sUin
There have been reports regarding errors with the scanning function of some of our office devices in which characters can potentially be substituted for others. This does not impact standard printing, copying and traditional fax functions.
Here are the two solutions:
Reset Scanning Defaults: Xerox is providing a guide demonstrating how to check the current device scan settings and how to return them to factory default.
Apply a Software Patch
You will not see a character substitution issue when scanning with the factory default settings.
Tomi Engdahl says:
Consumer Device Hacking Concerns Getting Lost In Translation
http://it.slashdot.org/story/13/08/09/0217244/consumer-device-hacking-concerns-getting-lost-in-translation
“Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety.”