The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of new cyber-threats against enterprises and mobile devices. Cyber security also extends to mobile.
Security is becoming an increasingly important issue. 2013 is the year of cyber security. Security company Stonesoft predicts that we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security, and its importance will only increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.
Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013′, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to expect more of this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and test their devices more thoroughly now. But how are the smaller manufacturers doing their security testing? Metasploit has a special category for SCADA devices; it is a good idea to test your own devices against it.
There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.
Nowadays you need to think about SCADA system security more than you did some years ago. Previously, it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet. Accidental connections to the Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.
Systems with SCADA vulnerabilities have become easier to find. The Hackers tap SCADA vuln search engine article tells that a search engine which indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.
The Thousands of SCADA Devices Discovered On the Open Internet article tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. The Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? The Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increase in cyber threats. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, for example by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving towards targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.
The Africa’s Coming Cyber-Crime Epidemic article tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet-connected, and lax law enforcement makes this a perfect petri dish for increased cybercrime.
A Europe-wide cyber police force has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.
Tomi Engdahl says:
Lost In Translation: Hackers Hacking Consumer Devices
http://www.darkreading.com/attacks-breaches/lost-in-translation-hackers-hacking-cons/240159704
New grassroots movement aims to fill the gap between security researchers and the consumer industries that are the subject of their hacking projects
Insulin pumps, heart monitors, HVAC systems, home automation systems, and cars — white-hat security researchers are now regularly discovering dangerous and often life-threatening security flaws in networked consumer devices, but their work is often ignored, dismissed, or demonized by those industries.
The real message of this research often gets misconstrued or lost in translation–misunderstood by consumer product manufacturers new to cybersecurity issues who mistakenly perceive it as troublemaking or joyriding. The makers of these increasingly smarter and more networked devices traditionally just haven’t had much or any interaction with the world of security research.
Until now. Yet security researchers rarely get the attention or response from the medical device, building systems automation, or automobile manufacturers in whose products they poke holes. So a pair of security experts has launched a grass-roots effort to help bridge this wide gap between the researcher community and consumer product policymakers and manufacturers.
“If you have a hacker who’s an expert on a flaw [in a consumer device] and you put him in front of a policymaker, they see a hacker, someone who can’t be 100 percent trusted,”
“We need … to find spokespeople for our industry who have a knowledge of the hacking and security community, but are well-seated in the medical device or automotive industries,”
“If we demonstrate that we’re [security researchers] doing great work and it’s serious, and not just fun and games [hacking] … and it benefits [consumers], it’s going to become more difficult for [these industries] to criminalize security research. We want to find people who will work with us” to make this happen, such as attorneys or other professionals who can bridge the two worlds, he says.
Percoco says the car-hacking research was a good example of finding important security flaws in consumer products. “It’s even better finding flaws plus presenting fixes, and the best [scenario] is finding, fixing, and advocating with the right representation, people with specific, trusted industry experience” in the automotive or medical device industries, for example, he says.
With more embedded IP capability for automation and convenience, consumer devices are also becoming more exposed security-wise. It’s a shocker to those industries that their products can be hacked: “They always made the assumption that you can’t modify the device unless you’re in front of it,” he says. “But now they are interconnected … and connected to corporate networks, and they are getting more exposure. I don’t think they fully understand the risk that this represents.”
Just this week, the InsideIQ Building Automation Alliance, an association of independent building automation contractors, announced that it had teamed up with Cylance to provide its members with building automation security practices and security training as well as certification to the customers of the systems.
Legislators also need to be brought up to speed on white-hat hacking. There’s a lack of depth in the technical understanding of cybersecurity issues in Congress, for example, Percoco notes, so getting lawmakers better schooled on the risks and issues is also needed via intermediaries, he says.
Tomi Engdahl says:
Mozilla links Gmail with Persona for email-based single sign-on
Usernames and passwords not needed
http://www.theregister.co.uk/2013/08/09/persona_identity_bridge_for_gmail/
The Mozilla Foundation has unveiled a new Identity Bridge that links its Persona single sign-on technology with Gmail, allowing all Gmail users to log in to Persona-enabled sites without entering a username or password.
Persona works by having users register their email addresses with a server called a Persona Identity Provider (IdP), which will then authenticate their identities for other websites using a system based on public-key cryptography, rather than traditional usernames and passwords.
Because most internet users haven’t registered with a Persona IdP, however – and many don’t even know such things exist – Mozilla has developed Identity Bridging as a stopgap measure until Persona is more widely supported.
A Persona Identity Bridge authenticates users using either the OpenID or OAuth protocols – most major email providers offer one or the other – and then translates the results into the Persona protocol for use with Persona-enabled websites.
Mozilla says some 700 million email users now have built-in support for Persona – they don’t have to sign up for any new services or create any new accounts.
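The sign-on flow described above, as an added example that is not part of the original post or of Mozilla's code: a relying party trusts only the IdP's public key, the IdP signs a certificate binding an email address to the user's key, and the user's browser signs a short-lived, audience-bound assertion for one site. The JSON field names, the Ed25519 keys and the two-level check are assumptions made for this illustration, not Persona's actual wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Certificate is the IdP's statement: it binds an email address to the user's
// public key for a limited time. The layout is an assumption for this example.
type Certificate struct {
	Email     string `json:"email"`
	UserPub   []byte `json:"user_pub"`
	ExpiresAt int64  `json:"exp"`
}

// Assertion is the browser's statement for one website: it names the audience
// (the site's origin) and expires quickly, so it cannot be replayed elsewhere.
type Assertion struct {
	Audience  string `json:"aud"`
	ExpiresAt int64  `json:"exp"`
}

// Signed carries a JSON payload together with its detached Ed25519 signature.
type Signed struct {
	Payload []byte
	Sig     []byte
}

// GenKey creates an Ed25519 key pair; used here for both the IdP and the user.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// sign serialises v as JSON and signs the bytes.
func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	b, _ := json.Marshal(v) // marshalling these plain structs cannot fail
	return Signed{Payload: b, Sig: ed25519.Sign(priv, b)}
}

// IssueCertificate is the IdP step. It runs only after the IdP has
// authenticated the user by its own means (assumed already done here).
func IssueCertificate(idpPriv ed25519.PrivateKey, email string, userPub ed25519.PublicKey,
	ttl time.Duration, now time.Time) Signed {
	return sign(idpPriv, Certificate{Email: email, UserPub: []byte(userPub),
		ExpiresAt: now.Add(ttl).Unix()})
}

// MakeAssertion is the browser step: a short-lived statement for one audience,
// signed with the key the IdP certified.
func MakeAssertion(userPriv ed25519.PrivateKey, audience string,
	ttl time.Duration, now time.Time) Signed {
	return sign(userPriv, Assertion{Audience: audience, ExpiresAt: now.Add(ttl).Unix()})
}

// VerifyLogin is the relying-party step. The site holds only the IdP's public
// key; which user key and which email are involved is derived from the two
// signatures. It returns the verified email on success.
func VerifyLogin(idpPub ed25519.PublicKey, cert, assertion Signed,
	expectedAudience string, now time.Time) (string, error) {
	// 1. The certificate must come from the IdP this site trusts.
	if !ed25519.Verify(idpPub, cert.Payload, cert.Sig) {
		return "", errors.New("certificate not signed by trusted IdP")
	}
	var c Certificate
	if err := json.Unmarshal(cert.Payload, &c); err != nil {
		return "", err
	}
	if now.Unix() >= c.ExpiresAt {
		return "", errors.New("certificate expired")
	}
	if len(c.UserPub) != ed25519.PublicKeySize { // ed25519.Verify panics otherwise
		return "", errors.New("malformed user key in certificate")
	}
	// 2. The assertion must be signed by the key that certificate vouches for.
	if !ed25519.Verify(ed25519.PublicKey(c.UserPub), assertion.Payload, assertion.Sig) {
		return "", errors.New("assertion not signed by the certified user key")
	}
	var a Assertion
	if err := json.Unmarshal(assertion.Payload, &a); err != nil {
		return "", err
	}
	// 3. Audience and expiry stop an assertion captured at site A from being
	//    replayed at site B, or replayed much later.
	if a.Audience != expectedAudience {
		return "", errors.New("assertion was issued for a different audience")
	}
	if now.Unix() >= a.ExpiresAt {
		return "", errors.New("assertion expired")
	}
	return c.Email, nil
}
```

Note that the relying party never sees a password and never contacts the IdP during login; it only needs the IdP's public key.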
Tomi Engdahl says:
NSA Chief: Solution To Stopping The Next Snowden Is Replacing His Former Job With A Machine
http://www.huffingtonpost.com/2013/08/08/nsa-snowden_n_3727668.html
The director of the National Security Agency said Thursday that the agency has found a way to prevent further leaks about American surveillance by replacing nearly all its system administrators with machines.
At a cybersecurity conference, Gen. Keith B. Alexander told the audience that intelligence agencies plan to reduce by 90 percent the number of people in the system administrator position.
The NSA employs or contracts with about 1,000 system administrators, Alexander has previously said.
make computer networks “more defensible and more secure.”
“We’ve put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing,” Alexander said during a panel discussion with the heads of the FBI and CIA, which was attended by about 300 people.
Alexander added, “The intent of what we’re now doing is to come up with ways that limit what people can take, what data they have and how we monitor that.”
Alexander did not mention Snowden by name, but said new technology — which he called a “thin virtual cloud structure” — would replace employees, greatly reducing the agency’s need to trust them with protecting government secrets.
“We trust people with data,” Alexander said at the conference. “At the end of the day it’s all about trust. And people who have access to data as part of their missions, if they misuse that trust they can cause huge damage.”
Tomi says:
How the Government Killed a Secure E-mail Company
http://www.newyorker.com/online/blogs/elements/2013/08/the-government-versus-your-secrets.html?currentPage=all
Lavabit promised, for instance, that messages stored on the service using asymmetric encryption, which encrypts incoming e-mails before they’re saved on Lavabit’s servers, could not even be read by Lavabit itself.
Yesterday, Lavabit went dark. In a cryptic statement posted on the Web site, the service’s owner and operator, Ladar Levison, wrote, “I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.” Those experiences led him to shut down the service rather than, as he put it, “become complicit in crimes against the American people.” Lavabit users reacted with consumer vitriol on the company’s Facebook page (“What about our emails?”), but the tide quickly turned toward government critique. By the end of the night, a similar service, Silent Circle, also shut down its encrypted e-mail product, calling the Lavabit affair the “writing [on] the wall.”
Which secret surveillance scheme is involved in the Lavabit case? The company may have received a national-security letter, which is a demand issued by a federal agency (typically the F.B.I.) that the recipient turn over data about other individuals.
If Lavabit attempted to resist a FISA order, the first thing it would have done is petition the FISA court to review the order, arguing that it was flawed in some way. According to some legal commentators, such an argument, no matter how it is styled, would almost certainly fail; the FISA court so frequently approves surveillance orders that it is often criticized as a rubber stamp.
With these powers, the FISA court could dismantle a stubborn e-mail service provider, or Facebook, piece by piece. An angry FISA court could demand increasingly severe fines, identify more and more officers for jail time, and make it impossible for Facebook to operate within the United States by issuing more (and more invasive) warrants.
Because FISA proceedings are secret, there are only a few examples of dissent.
Any one company rightly fears the FISA court’s ability to punish contempt. But the N.S.A.’s surveillance programs are impossible without robust coöperation from America’s telecommunications and Internet companies. Silicon Valley and the telecoms can’t press this leverage because meta-secrecy keeps the companies trapped in a prisoner’s dilemma. Microsoft doesn’t know if Google is heroically resisting. Tim Cook doesn’t know if Mark Zuckerberg has endured a secret jail sentence for freedom’s cause. No company wants to be the only one to disclose its coöperation with Prism and other programs, lest it appear to be weak on privacy and set itself at a competitive disadvantage. That’s why Google and other companies are petitioning for the right to disclose their participation. And, of course, nobody wants to be the first public company taken apart in contempt proceedings.
Tomi says:
NSA loophole allows warrantless search for US citizens’ emails and phone calls
http://www.theguardian.com/world/2013/aug/09/nsa-loophole-warrantless-searches-email-calls
Exclusive: Spy agency has secret backdoor permission to search databases for individual Americans’ communications
The National Security Agency has a secret backdoor into its vast databases under a legal authority enabling it to search for US citizens’ email and phone calls without a warrant, according to a top-secret document passed to the Guardian by Edward Snowden.
The previously undisclosed rule change allows NSA operatives to hunt for individual Americans’ communications using their name or other identifying information. Senator Ron Wyden told the Guardian that the law provides the NSA with a loophole potentially allowing “warrantless searches for the phone calls or emails of law-abiding Americans”.
The authority, approved in 2011, appears to contrast with repeated assurances from Barack Obama and senior intelligence officials to both Congress and the American public that the privacy of US citizens is protected from the NSA’s dragnet surveillance programs.
The intelligence data is being gathered under Section 702 of the Fisa Amendments Act (FAA),
this is the first evidence that the NSA has permission to search those databases for specific US individuals’ communications.
“Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.”
Tomi says:
NSA Tries To Justify Its Surveillance Programs With Ridiculous Assertions
http://www.techdirt.com/articles/20130809/15171824130/nsa-tries-to-justify-its-surveillance-programs-with-ridiculous-assertions.shtml
Tomi says:
Don’t worry, NSA says—we only “touch” 1.6% of daily global Internet traffic
http://arstechnica.com/tech-policy/2013/08/dont-worry-nsa-sayswe-only-touch-1-6-of-daily-global-internet-traffic/
New seven-page document from Ft. Meade defends agency’s activities and policies.
On the same day that President Barack Obama spoke to the press about possible surveillance reforms—and released a related white paper on the subject—the National Security Agency came out with its own rare, publicly-released, seven-page document (PDF), essentially justifying its own practices.
Tomi says:
Obama’s NSA Conference Could Be Subtitled ‘The Guardian Gets Results’
http://www.huffingtonpost.com/2013/08/09/obama-snowden-guardian-journalism-results_n_3733842.html
President Obama’s press conference on Friday was full of headline-making news about new proposals to reform the American surveillance system. But another headline could also be appropriate: “Journalism gets results.”
The press conference came after weeks of steady reports about the scale and scope of the National Security Agency’s surveillance capabilities, all stemming from a mountain of leaks from former NSA contractor Edward Snowden. The vast majority of the reports appeared in the Guardian.
Obama’s decision to both acknowledge Snowden’s impact and to propose changes also led some to wonder how he could still paint Snowden in a bad light
Tomi says:
The scope of the United States NSA’s spying projects that has been uncovered has raised eyebrows for weeks. The information technology systems with which the espionage was carried out have also been a surprise.
Information about the NSA’s project has been provided by a former employee of the intelligence agency. Edward Snowden, who worked for the NSA through a subcontractor, submitted a dossier to The Guardian newspaper, which published it in several installments.
The NSA itself says that Xkeyscore is a “massive distributed Linux cluster”. The documents are from 2008. At that time the system consisted of more than 700 servers. The complex is built to be easily expandable, so new Linux machines can be continuously connected to the system.
What is interesting is the fact that the NSA’s system is distributed across about 150 different locations.
The whole internet in one database
The Xkeyscore system is built on advanced systems for data storage, retrieval and analysis. Web browsing gathered from all over the world is stored for about three days. Indexing engines search the material for the certain types of information needed by the search system.
Data is stored in databases and can be processed in different automatic systems. The system also has built-in connections to other information systems used by the NSA.
All of this is designed to help the NSA’s analysts find terrorists and to acquire more intelligence. An analyst may, for example, look for encrypted files sent from Iran. These files can be called up, and the encryption can then be decoded by the NSA’s computers.
Maintaining such a heavy-duty system requires a fair amount of money. Material obtained from the NSA suggests that the annual costs of the systems are calculated at least in the hundreds of millions of euros.
Source: http://www.tietokone.fi/artikkeli/uutiset/hammastyttava_jarjestelma_nsa_n_jattivakoilun_takana
Tomi says:
The Pirate Bay Launches Browser To Evade ISP Blockades
http://tech.slashdot.org/story/13/08/10/1519211/the-pirate-bay-launches-browser-to-evade-isp-blockades
“According to the Pirate Browser website, the browser is basically a bundled package consisting of the Tor client and Firefox Portable browser.”
Tomi says:
NSA by the numbers
http://buzzmachine.com/2013/08/10/nsa-by-the-numbers/
Fear not, says the NSA, we “touch” only 1.6% of daily internet traffic. If, as they say, the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. They don’t say what “touch” means. Ingest? Store? Analyze? Inquiring minds want to know.
For context, Google in 2010 said it had indexed only 0.004% of the data on the net. So by inference from the percentages, does that mean that the NSA is equal to 400 Googles? Better math minds than mine will correct me if I’m wrong.
Seven petabytes of photos are added to Facebook each month. That’s .23 petabytes per day. So that means the NSA is 126 Facebooks.
Keep in mind that most of the data passing on the net is not email or web pages. It’s media. According to Sandvine data for the U.S. fixed net from 2013, real-time entertainment accounted for 62% of net traffic, P2P file-sharing for 10.5%.
HTTP — the web — accounts for only 11.8% of aggregated up- and download traffic in the U.S., Sandvine says. Communications — the part of the net the NSA really cares about — accounts for 2.9% in the U.S.
So by very rough, beer-soaked-napkin numbers, the NSA’s 1.6% of net traffic would be half of the communication on the net.
metadata doesn’t add up to much data at all; it’s just a few bits per file — who sent what to whom — and that’s where the NSA finds much of its incriminating information.
Tomi says:
WebBrowserPassView v1.43
http://www.nirsoft.net/utils/web_browser_password.html
WebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 – 10.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.
This utility works on any version of Windows, starting from Windows 2000, and up to Windows 8, including 64-bit systems.
This utility is released as freeware.
False Virus/Trojan Warning
WebBrowserPassView is a tool that retrieves secret passwords stored in your system, and thus your Antivirus may falsely detect this tool is infected with Trojan/Virus.
Tomi Engdahl says:
Inside the Decision To Shut Down Silent Mail
http://yro.slashdot.org/story/13/08/11/2128212/inside-the-decision-to-shut-down-silent-mail
“Silent Circle’s decision to shut down its Silent Mail email service may have come quickly yesterday, and the timing of the announcement admittedly was prompted by Lavabit’s decision to suspend operations hours before. But the seeds for this decision may have been sown long before Edward Snowden”
Tomi Engdahl says:
Inside the Decision To Shut Down Silent Mail
https://threatpost.com/inside-the-decision-to-shut-down-silent-mail/101952
Silent Circle’s value proposition is its secure real-time voice, video and text communication services; email may have been extraneous from the start. And given the actions of the NSA whistleblower and Internet providers and technology companies seeking transparencies about government requests for customer data, Silent Mail’s days were numbered.
“When we saw the Lavabit announcement, the thing we were worrying about had happened, and it had happened to somebody else. It was very difficult to not think I’m next,” Callas said. “I had been discussing with Phil [founder and PGP developer Phil Zimmerman] over dinner the night before, should we be doing this and what the timing should be. I was looking at it from point that I want to be a responsible service provider and not leave users in a lurch. [The Lavabit announcement] told me I have to start moving on it now.”
Within hours, the decision was made and a blogpost was live on the Silent Circle website explaining why.
Tomi Engdahl says:
After Lavabit Shut-Down, Dotcom’s Mega Promises Secure Mail
http://yro.slashdot.org/story/13/08/11/1244209/after-lavabit-shut-down-dotcoms-mega-promises-secure-mail
“Lavabit may no longer be an option, but recent events driven interest in email and other ways to communicate without exposing quite so much, quite so fast, to organizations like the NSA (and DEA, and other agencies). Kim Dotcom as usual enjoys filling the spotlight, when it comes to shuttling bits around in ways that don’t please the U.S. government, and Dotcom’s privacy-oriented Mega has disclosed plans to serve as an email provider with an emphasis on encryption.”
“‘The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side,’ Kumar said. ‘If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard. That’s why even Silent Circle didn’t go there.’”
Tomi Engdahl says:
Microsoft Is Working On a Cloud Operating System For the US Government
http://yro.slashdot.org/story/13/08/11/2058235/microsoft-is-working-on-a-cloud-operating-system-for-the-us-government
“It seems that Microsoft is relying even more on the opportunities provided by the cloud technology. The Redmond behemoth is preparing to come up with a cloud operating system that is specially meant for government purposes.”
“Government agencies already use two of Microsoft’s basic cloud products: Windows Azure and Windows Server.”
“somewhat new Cloud OS that could bear the name “Fairfax””
“enhanced security, relying on physical servers on site at government locations.”
Tomi Engdahl says:
Cybersecurity Pros in High Demand, Highly Paid and Highly Selective
http://www.cio.com/article/737851/Cybersecurity_Pros_in_High_Demand_Highly_Paid_and_Highly_Selective?page=1&taxonomyId=3123
A survey of cybersecurity workers reveals a profile of a highly compensated profession whose members say the integrity of their employer matters most.
Experts in cybersecurity are among the most sought-after professionals in the tech sector, with demand for workers in that field outpacing other IT jobs by a wide margin.
Cybersecurity Pros in High Demand
A new survey by Semper Secure, a public-private partnership in Virginia formed to advance the cybersecurity profession, offers a fresh glimpse at what security workers earn, what they look for in an employer and where the hubs of innovation are located.
Cybersecurity Salaries Three Times National Average
Cybersecurity professionals report an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers, according to the Bureau of Labor Statistics.
But it’s more than just the money. Cybersecurity professionals say that they actively seek employers with strong reputations for integrity and those that are recognized as leaders in their field.
“For top talent, cybersecurity isn’t about just a job and a paycheck,” says Jim Duffey, secretary of technology at the office of the governor of Virginia. “It is about the hottest technology, deployed by honorable organizations, for a purpose that is inherently important.”
Where Do the Cybersecurity Pros Go to Work
Where are the great hubs of innovation in the cybersecurity sector? Perhaps not surprisingly, respondents identified California (home to so much of the IT sector) and the greater Washington-D.C. area, with its heavy concentration of government workers, contractors and the defense industry.
“Government agencies and defense/aerospace firms remain magnets for cybersecurity professionals,”
“These people aren’t jumping from job to job looking for salary bumps and signing bonuses,”
Eighty-five percent of respondents said that they hold a professional certification
Forty-four percent of respondents said that they hold a bachelor’s degree
34 percent said they hold a master’s degree
Just 5 percent said that they hold a doctoral degree
Tomi Engdahl says:
Cars hacked – good-bye brakes
Two security researchers managed to penetrate a car’s computer and take control of the steering system, brakes, and other important functions.
The researchers reported their findings at the beginning of August at the Defcon conference in Las Vegas.
Twitter security engineer Charlie Miller and Chris Valasek, employed by the security company IOActive, spent ten months working out how they could penetrate the electronic control units of new cars. Their targets were a 2010 Ford Escape and a 2010 Toyota Prius.
Miller and Valasek were able to connect a laptop to the control units’ communication network and feed in false messages. In this way they made the car’s brakes inoperative while the vehicle was in motion, moved the steering wheel, accelerated, shut down the engine, tampered with the safety belts, distorted the speed and fuel gauge readings, operated the lights and sounded the horn.
They also found a way to interfere with the control units by way of the system software or firmware of those units.
Miller and Valasek’s purpose was to find out what would happen if a control unit were accessed from the network. According to them, it does not matter whether the attack is local or remote: access to one control unit provides access to the entire network and allows commands to be entered.
Miller said that it is probable that in the future ways will be found to mount remote attacks through Bluetooth and WLAN vulnerabilities.
Although the researchers consider it possible that the information will be used for criminal purposes, they have released their report. They hope that other researchers will continue their work.
“I think it is better to reveal all, to find the problems and start talking about them,” Miller said.
A Toyota representative said that the company takes care to ensure that automotive electronic control units are safe. According to the company, it should be noted that Miller and Valasek carried out the attack on the infiltrated systems by tampering with the dashboard and connecting to the computer, which could not be done without the driver noticing.
Source: http://www.tietoviikko.fi/kaikki_uutiset/autot+hakkeroitiin++hyvasti+jarrut/a920089
Tomi Engdahl says:
ANSI/BICSI-005 standard addresses design and implementation of security systems
http://www.cablinginstall.com/articles/2013/08/ansi-bicsi-005.html?cmpid=EnlCIMAugust122013
BICSI recently released its latest ANSI-approved standard, ANSI/BICSI-005-2013 Electronic Safety and Security (ESS) System Design and Implementation Best Practices. When announcing the standard’s availability, BICSI commented, “As the systems used within security have become more complex, so too has the cabling infrastructure to address both communication and security requirements. Little has been written to support this convergence of security and cabling infrastructure, until now.”
The association added that the BICSI-005 standard “bridges the two worlds of security and communications by providing the security professional with the requirements and recommendations of a structured cabling infrastructure needed to support today’s security systems while providing the cabling design professional information on different elements within safety and security systems that affect the design.”
Jerry Bowman, BICSI’s president, noted of the standard, “The protection against risks and threats to life-safety, business and personal assets is and always will be a matter of great importance. BICSI-005 is a tremendous resource for those working on the design and implementation of electronic safety and security and related infrastructure for a variety of security functions and systems. We truly appreciate the efforts of all the volunteer subject matter experts who contributed to this publication.”
Tomi Engdahl says:
Thieves Reaching for Linux—”Hand of Thief” Trojan Targets Linux #INTH3WILD
https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/
Just two weeks after reporting about the commercialization of the KINS banking Trojan, RSA reveals yet another weapon to be used in a cybercriminal’s arsenal.
It appears that a Russia based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system. This appears to be a commercial operation, which includes support/sales agents and software developer(s).
Hand of Thief is a Trojan designed to steal information from machines running the Linux OS. This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates. The current functionality includes form grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future.
The Trojan’s developer claims it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. As for desktop environments, the malware supports 8 different environments, including GNOME and KDE.
So What’s Next?
We are left with a number of questions:
Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?
Also, with recent recommendations to leave the supposedly insecure Windows OS for the safer Linux distributions, does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?
Tomi Engdahl says:
Android random number flaw implicated in Bitcoin thefts
http://nakedsecurity.sophos.com/2013/08/12/android-random-number-flaw-implicated-in-bitcoin-thefts/
Bitcoin is often in the news, not least because it is somewhat controversial.
It’s a digital currency, backed by cryptography, not by any central issuing authority.
The calculations required to “mine” a Bitcoin are configured so that the complexity of finding them doubles every four years.
That means there’s an exponential dropoff in the rate at which new Bitcoins appear, and that the supply is capped at 21 million Bitcoins.
Now, creating BTCs is one thing, but buying and selling with these digital strings – actually realising that $100/BTC – is quite another matter.
You need somewhere to store your Bitcoins, and a digital wallet that uses public key cryptography is the obvious answer.
The public key algorithm used in the BTC infrastructure is called ECDSA, short for Elliptic Curve Digital Signature Algorithm.
Bitcoin signatures use 256-bit keys, giving a choice of a whopping 10^77 different possible random numbers; with a truly random choice for each signature, collisions should be as good as impossible.
Unless you use a flawed pseudorandom number generator (PRNG), that is.
Bitcoin wallet software that re-uses random numbers was found last year by a researcher called Nils Schneider.
Well, it’s happened again.
It looks as though, at least on occasion, the Java-based PRNG on Android will repeat its pseudorandom sequences, thanks to a flaw in Android’s so-called SecureRandom Java class.
Tomi Engdahl says:
Ally and Target: US Intelligence Watches Germany Closely
http://www.spiegel.de/international/world/germany-is-a-both-a-partner-to-and-a-target-of-nsa-surveillance-a-916029.html
German intelligence services cooperate closely with the NSA, but the country is also a target of US surveillance, as a document seen by SPIEGEL makes clear. The spy software XKeyscore is operated from a facility in Hesse, with some of the results landing on President Obama’s desk.
According to internal NSA information, which SPIEGEL has seen, the agency’s European Cryptologic Center (ECC) is headquartered in Griesheim. A 2011 NSA report indicates that the ECC is responsible for the “largest analysis and productivity in Europe.” According to the report, results from the secret installation find their way into the President’s Daily Brief, the daily intelligence report given to US President Barack Obama, an average of twice a week.
Germany is a special place for the NSA, in many respects. Few other countries are the source of as much data for US intelligence agencies, much of which comes from the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency. At the same time Germany itself, despite all friendly assurances to the contrary, is also a target of the surveillance. According to a “secret” summary among the documents obtained by Snowden, which SPIEGEL was able to view, Germany is one of the targets of US espionage activity.
Tomi Engdahl says:
Mega to run ‘cutting-edge’ encrypted email after Lavabit’s ‘privacy seppuku’
http://rt.com/news/mega-secure-email-lavabit-359/
Kim Dotcom’s Mega.co.nz is working on a highly-secure email service to run on a non-US-based server. It comes as the US squeezes email providers that offer encryption and Mega’s CEO calls Lavabit’s shutdown an “honorable act of Privacy Seppuku.”
Mega’s Chief Executive Vikram Kumar, who is heading the development of the company’s own end-to-end encryption technology to protect the privacy of the future email’s users, has reacted to the Lavabit founder’s decision to suspend his service’s operations – an act, which was shortly followed by voluntary closing down of another secure email service, Silent Circle.
Such a policy shows that “there is always a choice” for any company approached by the agents.
Mega doing ‘true crypto work for masses’
Meanwhile, Kumar has been involved in an email service project with what he says is exceptional level of encryption.
Mega has been doing an “exciting” but “very hard” and time-consuming job of developing both highly-secure and functional email service, Kumar told ZDNet.
“The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side. If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side,” he explained, adding that even Silent Circle did not try to achieve such a feat.
“On this and other fronts, Mega is doing some hugely cutting-edge stuff. There is probably no one in the world who takes the Mega approach of making true crypto work for the masses, our core proposition,” Kumar said.
Tomi Engdahl says:
Windows XP’s wounds are being hidden while waiting for the funeral
Online criminals are stockpiling the unpatched Windows XP vulnerabilities they find, warns Jason Fossen, an expert at the American SANS security institute.
According to him, attack code found now is being held back until April next year, when Microsoft ends Windows XP support for good.
Fossen explains the phenomenon with simple mathematics. Attack code for Windows XP currently fetches 50,000–150,000 dollars on the black market, because Microsoft usually patches the holes within a matter of weeks.
In the future, attack code could remain useful for months or even years. It all depends on how quickly security software learns to block further attacks.
Thus the prices of attack methods developed for critical vulnerabilities could be up to twice as high.
If Jason Fossen is right, the number of Windows XP vulnerabilities disclosed at the end of this year and early next year may be lower than usual. This could be a sign that cyber criminals really are keeping quiet about the holes they discover.
After April 2014, Microsoft will offer Windows XP support only to companies and other large organizations willing to pay considerable sums for individual support.
Source: http://www.tietoviikko.fi/kaikki_uutiset/windows+xp+haavat+piilotetaan+hautajaisia+odotellessa/a920732
Tomi Engdahl says:
Hacking Transcend Wifi SD Cards
http://hackaday.com/2013/08/12/hacking-transcend-wifi-sd-cards/
The Transcend WiFi SD Card allows him to transfer his pictures to any WiFi-enabled device in a matter of seconds.
As he suspected that some kind of Linux was running on it, he began to see if he could get a root access on it… and succeeded.
His clear and detailed write-up begins with explaining how a simple trick allowed him to browse through the card’s file system, which (as he guessed correctly) is running busybox. From there he was able to see if any of the poorly written Perl scripts had security holes… and got more than he bargained for.
[Pablo] found that the user-set password is inserted directly into a Linux shell command. Therefore the password “admin; echo haxx > /tmp/hi.txt #” creates a hi.txt text file.
From there things got easy. He just had to make the card download another busybox to get the commands that were disabled in the card’s Linux. In the end he got the card to connect a bash shell back to his computer so he could run any command he wanted.
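The flaw described above, reproduced as an added example that is not [Pablo]’s code and not the card’s actual Perl script: a vulnerable “set password” routine that splices the value into a shell string exactly as described, run against the injected password from the write-up, beside a hardened version that validates the value against an allow-list and hands it to the shell as a separate argv element. The password policy regex, the `wifi.cfg` file name and the function names are this example’s own assumptions; everything is written under a temporary directory so nothing lands in the real /tmp.

```python
"""Command injection through a user-controlled password (added example)."""
import os
import re
import subprocess
import tempfile

# Assumed password policy for the hardened path: no shell metacharacters at all.
PASSWORD_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def set_password_vulnerable(password, cfg_path):
    """The pattern from the write-up: the raw value is spliced into a shell string,
    so ';', '#', '>' and friends are interpreted by sh instead of being stored."""
    cmd = f"echo {password} > {cfg_path}"
    subprocess.run(cmd, shell=True, check=False)
    return cmd


def set_password_hardened(password, cfg_path):
    """Validate against an allow-list, then pass the value as its own argv element
    ($1) so the shell never parses it, even if the check is later loosened."""
    if not PASSWORD_RE.fullmatch(password):
        raise ValueError("password contains characters outside the allowed set")
    subprocess.run(
        ["sh", "-c", 'printf "%s\\n" "$1" > "$2"', "sh", password, cfg_path],
        check=True,
    )


def demo():
    """Run both versions against the injected password and report what ended up
    on disk. Returns (vulnerable_outcome, hardened_outcome)."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "hi.txt")
        cfg = os.path.join(d, "wifi.cfg")
        injected = f"admin; echo haxx > {marker} #"

        set_password_vulnerable(injected, cfg)
        vuln = {"marker_written": os.path.exists(marker),
                "cfg_written": os.path.exists(cfg)}   # the '#' swallowed the redirect
        if os.path.exists(marker):
            os.remove(marker)

        try:
            set_password_hardened(injected, cfg)
            rejected = False
        except ValueError:
            rejected = True
        set_password_hardened("admin", cfg)
        with open(cfg) as f:
            stored = f.read().strip()
        hard = {"injection_rejected": rejected,
                "marker_written": os.path.exists(marker),
                "stored_password": stored}
    return vuln, hard


if __name__ == "__main__":
    print(demo())
```

Note that the vulnerable version not only runs the attacker’s command but also silently fails to do its own job, since the trailing `#` comments out the redirect that should have written the config file; a device that “accepts” a password without actually storing it is often the first sign of this bug class. The hardened version defends in depth: the allow-list stops the obvious payloads, and passing the value through argv means that even an allowed character set could not be turned into shell syntax.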
Tomi Engdahl says:
REVEALED: Simple ‘open sesame’ to unlock your HOME by radiowave
Schoolboy security slip-ups in burglar sensors, electronic locks discovered
http://www.theregister.co.uk/2013/08/13/wave_goodbye_to_security_with_zwave/
Black Hat: A pair of security researchers probing the Z-Wave home-automation standard managed to unlock doors and disable sensors controlled by the technology.
Behrang Fouladi and Sahand Ghanoun took a long hard look at Z-Wave for their presentation at last week’s Black Hat hacking conference in Las Vegas. The wireless standard dominates home-automation in the US, but the pair discovered some worrying flaws.
Not only were they able to switch off a motion sensor with a relatively simple replay attack, but they also managed to take control of a wireless door lock by supplanting the proper control centre, potentially allowing a burglar to walk right in and make himself comfortable.
The Z-Wave specifications are only available to paying customers after they’ve signed the non-disclosure agreement, which makes analysis of the standard difficult by preventing open discussion of potential flaws. It also makes manufacturers lazy in their implementations, which proved crucial to the success of the hack.
There’s very little open-source code available for the unpublished standard, but by extending the OpenZ-Wave toolkit the pair were able to analyse over-the-air communications with a motion sensor and discovered it was vulnerable to a simple replay attack.
That shouldn’t be possible – replay attacks are the most basic of penetrative techniques and any modern system should be immune to them, but for some reason the tested Z-Wave sensor wasn’t.
More formidable was a Z-Wave door lock, as it should be. Commands sent to the lock from the network controller are encrypted using AES128, well beyond the reach of all but the best-funded government agencies, but as is so often the case it’s the implementation, not the encryption, that proved to be flawed.
An automated home will have a single Z-Wave network, operating in the low-frequency industrial, scientific and medical (ISM) band (868MHz in Europe and 908MHz in the US), and each network is secured with a unique network key.
That network key is created by the device that appoints itself as network controller (normally a home hub of some sort) and distributed to other devices when they join the network, encrypted using a global key hard coded onto every Z-Wave device
The Z-Wave global key is only used during network setup – meaning it is of no value to anyone attacking an established network even if it remains a concern in some circumstances. But it turns out the global key isn’t necessary to hijack at least one model of lock.
When the lock is first set up, and receives the network key from the controller, the user is required to press a physical button on the bottom of the keypad to acknowledge the new device. But once installed the lock can reconnect to a controller (say, after a battery failure) without user interaction, and it turns out that it isn’t very picky about the network controller to which it connects.
Our attacker just identifies a lock on the network and sends it a new network key from his own network controller; the fickle door lock happily forgets its previous attachment and stands ready to respond to new commands, suitably encrypted using the new key, such as “open the door, please”.
More testing is needed, but the pair’s hypothesis is that both companies are using example code provided in the Z-Wave software development kit, and that the example code is intended to be just that: an example, not intended for use in actual products.
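Both weaknesses in the article, the sensor’s missing replay protection and the lock’s willingness to accept a new network key from any controller, simulated side by side with their fixes, as an added example that is not the researchers’ tooling and not real Z-Wave code. Real Z-Wave frames are protected with AES and a nonce exchange; here an HMAC-SHA256 tag over command and counter stands in for that, and the `Sensor`, `Lock`, `replay_attack` and `rekey_attack` names are this example’s own. The hardened lock reuses the physical-button requirement the article says the lock already enforces at first inclusion.

```python
"""Replay and rogue re-keying against a simulated Z-Wave-style network (added example)."""
import hashlib
import hmac
import os


def tag(key, cmd, counter):
    """Frame authenticator. Real Z-Wave uses AES-based frame protection with a nonce
    exchange; HMAC-SHA256 over command|counter is a stand-in, not the real format."""
    return hmac.new(key, f"{cmd}|{counter}".encode(), hashlib.sha256).digest()


def frame(key, cmd, counter):
    return {"cmd": cmd, "counter": counter, "tag": tag(key, cmd, counter)}


class Sensor:
    """Motion sensor. require_fresh=False models the tested device: any correctly
    keyed frame is obeyed, even one sniffed earlier and replayed."""

    def __init__(self, network_key, require_fresh):
        self.key, self.require_fresh = network_key, require_fresh
        self.last_counter, self.enabled = -1, True

    def receive(self, f):
        if not hmac.compare_digest(f["tag"], tag(self.key, f["cmd"], f["counter"])):
            return "bad-mac"
        if self.require_fresh and f["counter"] <= self.last_counter:
            return "replay-rejected"          # freshness check stops the replay
        self.last_counter = f["counter"]
        self.enabled = f["cmd"] != "disable"
        return "accepted"


class Lock:
    """Door lock. strict=False models the flawed lock: a network-key-set from any
    controller is honoured. strict=True requires the physical button press the
    lock already demands at first inclusion."""

    def __init__(self, network_key, strict):
        self.key, self.strict = network_key, strict
        self.button_pressed, self.locked = False, True

    def key_set(self, new_key):
        if self.strict and not self.button_pressed:
            return "key-set-rejected"
        self.key, self.button_pressed = new_key, False
        return "rekeyed"

    def receive(self, f):
        if not hmac.compare_digest(f["tag"], tag(self.key, f["cmd"], f["counter"])):
            return "bad-mac"
        self.locked = f["cmd"] != "unlock"
        return "accepted"


def replay_attack(require_fresh):
    """Hub disables then re-enables the sensor; the attacker replays the recorded
    'disable' frame. Returns (verdict, sensor still enabled?)."""
    key = os.urandom(16)
    sensor = Sensor(key, require_fresh)
    sniffed = frame(key, "disable", 1)        # captured over the air
    sensor.receive(sniffed)
    sensor.receive(frame(key, "enable", 2))   # hub arms the system again
    verdict = sensor.receive(sniffed)         # attacker replays frame 1
    return verdict, sensor.enabled


def rekey_attack(strict):
    """A rogue controller pushes its own network key, then sends 'unlock' under it.
    Returns (key-set verdict, unlock verdict, door still locked?)."""
    lock = Lock(os.urandom(16), strict)
    attacker_key = os.urandom(16)
    set_verdict = lock.key_set(attacker_key)
    unlock_verdict = lock.receive(frame(attacker_key, "unlock", 1))
    return set_verdict, unlock_verdict, lock.locked


if __name__ == "__main__":
    print("sensor  flawed:", replay_attack(False), " fixed:", replay_attack(True))
    print("lock    flawed:", rekey_attack(False), " fixed:", rekey_attack(True))
```

The point the simulation makes is the one the article makes: AES-128 (or any sound MAC) is irrelevant if the protocol around it lets a frame be accepted twice or lets the key itself be replaced without an out-of-band check. A monotonic counter bound into the authenticated data, and a rule that re-keying needs the same physical confirmation as the first inclusion, close both holes without touching the cipher.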
Tomi Engdahl says:
The NSA Is Commandeering the Internet
Technology companies have to fight for their users, or they’ll eventually lose them.
Bruce Schneier, Aug 12 2013, 10:05 AM
http://www.theatlantic.com/technology/archive/2013/08/the-nsa-is-commandeering-the-internet/278572/
It turns out that the NSA’s domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we’ve learned, fight and lose. Others cooperate, either out of patriotism or because they believe it’s easier that way.
I have one message to the executives of those companies: fight.
The NSA doesn’t care about you or your customers, and will burn you the moment it’s convenient to do so.
We’re already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They’ve lost the trust of their customers, and explaining what they do — and don’t do — is how to get it back. The government has refused; they don’t care.
It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they’ll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they’re sloppy.
This is why you have to fight. When it becomes public that the NSA has been hoovering up all of your users’ communications and personal files, what’s going to save you in the eyes of those users is whether or not you fought. Fighting will cost you money in the short term, but capitulating will cost you more in the long term.
Already companies are taking their data and communications out of the US.
The extreme case of fighting is shutting down entirely. The secure e-mail service Lavabit did that last week
The same day, Silent Circle followed suit, shutting down their email service in advance of any government strong-arm tactics
But they can fight. You, an executive in one of those companies, can fight. You’ll probably lose, but you need to take the stand. And you might win. It’s time we called the government’s actions what it really is: commandeering. Commandeering is a practice we’re used to in wartime, where commercial ships are taken for military use, or production lines are converted to military production. But now it’s happening in peacetime. Vast swaths of the Internet are being commandeered to support this surveillance state.
If this is happening to your company, do what you can to isolate the actions.
Journalism professor Jeff Jarvis recently wrote in The Guardian: “Technology companies: now is the moment when you must answer for us, your users, whether you are collaborators in the US government’s efforts to ‘collect it all’ — our every move on the internet or whether you, too, are victims of its overreach.”
Tomi Engdahl says:
Stop Thinking That Tech Hacks Will Fix Our Surveillance Problems
http://www.wired.com/opinion/2013/08/yah-surveillance-sucks-but-technology-isnt-the-only-solution/
That’s it, I’m calling it early: this is officially the “summer of surveillance.” Especially with the latest news that due to this surveillance, not one, but two, separate companies announced they were shutting down their encrypted email services (including the one that Edward Snowden was using) this week.
“If you knew what I know about email, you might not use it either,” said the owner of one of those companies, Lavabit.
This statement, paradoxically, both misses the point and hints at the right course of action.
Because there are two separate — yet often entangled — ideologies in our discourse about the surveillance state: The first is the individualistic conception of cyber-hygiene: how you should behave to secure your own communications, protect your own data, and avoid your own tracking. The second is the notion of tech-centric solutionism (a term popularized by Evgeny Morozov): what tech hack, device, or app can I turn to for a quick fix to my privacy troubles?
The problem is that focusing on one or both of these approaches distracts from the much-needed political reform and societal pushback necessary to dig up a surveillance state at its root.
To be sure, personal protections are important. There are some easy plug-ins and simple behavioral changes people can make. And there’s no shortage of articles and how-to guides with tips for securing privacy, with headlines promising “Five ways to stop the NSA from spying on you.” Through means such as end-to-end encryption, software for anonymized web surfing, and removing devices’ batteries, why, you too, can enjoy secure communications. But if we really want to attempt to thwart the NSA’s spying, well, you’ll need to brush up on your computer science skills and take a deep dive into cryptographic techniques.
Here’s the thing, though: We shouldn’t resign ourselves to a life where cyber-hygiene and an obsession with technological solutions fools us into thinking we’ve somehow preserved our privacy.
This might be sufficient if, say, we’re trying to prevent a boss or partner from snooping. But it’s always going to be a losing battle when going against a panoptic titan whose methods are wide-reaching, constantly evolving, and classified.
The fundamental belief in technology’s ability to “fix” everything ignores the fact that not everything needs to be fixed in the first place.
In fact, taking the tech-centric route can lead to even more severe, unintended consequences. There’s a feedback loop between solutionist tendencies and the growth of a surveillance state: The rapid spread and use of technologies ironically laid the very foundation for it to engulf more and more aspects of our lives. Governments around the world must be saying a prayer of thanks because most of us willingly carry, at all times, a location tracker, listening bug, camera, internet hunter-gatherer, and more in the form of a smartphone.
Being a “techie” often blinds us to the plight of the majority — who, for one reason or another, don’t know they’re targets for tracking or simply can’t avoid being one.
The Snowden leaks have led to renewed, even frantic, interest in finding the best ways to protect privacy and resist the government’s blanket monitoring and collecting of our data. A recent Pew Research poll shows, for the first time, that more people are concerned about the status of their civil liberties than about threats from terrorism.
Tomi Engdahl says:
NSA-proof email encryption? Cobblers, sniff German hackers
‘Comical, shameless game’ based on tech that won’t stop determined g-men
http://www.theregister.co.uk/2013/08/13/deutsche_mail_scorned_by_hackers/
Analysis German hackers have poured scorn on Deutsche Telekom’s plan to offer “secure email”, describing it as little more than a marketing gimmick.
Deutsche Telekom and partner United Internet are rolling out SSL-encrypted connections between users’ computers and the companies’ mail servers as part of the “Email made in Germany” offer.
Deutsche Telekom’s email service T-Online or United Internet’s GMX and Web.de services will also avoid routing customers’ email traffic through US-hosted infrastructure – and thus avoid surveillance by Uncle Sam’s spooks.
René Obermann, chief exec of Deutsche Telekom, described the offer as a response to the NSA PRISM and XKEYSCORE global internet dragnet controversy
The two firms said in a statement that the scheme would offer secure communication for two-thirds of all email users in Germany.
Ralph Dommermuth, chief exec of United Internet AG, added: “Alongside email encryption and the designation of secure e-mail addresses, a third key element relates to data processing and archiving, which is carried out in Germany. This ensures that Germany’s stringent data privacy laws are complied with.”
Messages sent to mail servers outside Germany will not be encrypted in transit, at least initially, which means the data can be intercepted by network taps, installed in the internet’s arteries worldwide, that are run by the NSA and the UK’s eavesdropping centre, GCHQ.
“Email Made in Germany” only promises that email will be protected in transit with no guarantees that it will be stored in an encrypted format. Lavabit offered encrypted storage before it shut up shop last week, perhaps permanently, as a result of pressure from the US authorities to hand over those messages.
German hackers at the Chaos Computer Club dismissed Deutsche Telekom and United Internet’s offer as a shrewdly timed marketing stunt. Like security experts, they repeat the advice that end-to-end encryption using packages such as PGP is the only way to ensure email privacy.
Chaos Computer Club’s statement refers to De-Mail, a German encrypted email service that links users’ addresses with verified identities, confirmed during the sign-up process using state-issued identification cards.
Tomi Engdahl says:
N.S.A. Leaks Make Plan for Cyberdefense Unlikely
http://www.nytimes.com/2013/08/13/us/nsa-leaks-make-plan-for-cyberdefense-unlikely.html?pagewanted=all&_r=0
Even while rapidly expanding its electronic surveillance around the world, the National Security Agency has lobbied inside the government to deploy the equivalent of a “Star Wars” defense for America’s computer networks, designed to intercept cyberattacks before they could cripple power plants, banks or financial markets.
But administration officials say the plan, championed by Gen. Keith B. Alexander, the director of the National Security Agency and head of the Pentagon’s Cyber Command, has virtually no chance of moving forward given the backlash against the N.S.A. over the recent disclosures about its surveillance programs.
Senior agency officials concede that much of the technology needed to filter malicious software, known as malware, by searching incoming messages for signs of programs designed to steal data, or attack banks or energy firms, is strikingly similar to the technology the N.S.A. already uses for surveillance.
“The plan was always a little vague, at least as Keith described it, but today it may be Snowden’s biggest single victim,”
“Whatever trust was there is now gone,” the official added. “I mean, who would believe the N.S.A. when it insists it is blocking Chinese attacks but not using the same technology to read your e-mail?”
Tomi Engdahl says:
NSA “touches” more of Internet than Google
In deep packet inspection, it’s not the size of the data that matters.
http://arstechnica.com/information-technology/2013/08/the-1-6-percent-of-the-internet-that-nsa-touches-is-bigger-than-it-seems/
According to figures published by a major tech provider, the Internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6 percent of that. However, of the 1.6 percent of the data, only 0.025 percent is actually selected for review. The net effect is that NSA analysts look at 0.00004 percent of the world’s traffic in conducting their mission—that’s less than one part in a million.
Put another way, if a standard basketball court represented the global communications environment, NSA’s total collection would be represented by an area smaller than a dime on that basketball court.
The numbers are no real surprise—we’ve already discussed how the laws of physics would make it impossible for the NSA to capture everything, or even a significant portion of everything, that passes over the Internet. But they’re also misleading. In the world of deep packet inspection, verbs like “touch,” “select,” “collect,” and “look at” don’t begin to adequately describe what is going on or what information is extracted from traffic in the process. Considering all that’s within what flows across the Internet, 1.6 percent could hold a significant portion of the metadata describing person-to-person communications.
While 29.21 petabytes is a fraction of the overall traffic on the Internet, it is the equivalent of the traffic that passes through several major Internet exchanges each day. It amounts roughly to 2.77 terabits per second—more than the average throughput of the Equinix exchange network, the CoreSite Any2 Exchange, New York International Internet Exchange (NYIIX), and Seattle Internet Exchange (SIX) combined. In other words, the 1.6 percent of the total of Internet traffic “touched” by the NSA could easily contain much of the traffic passing through the US’ core networks. It can certainly include all the traffic inbound from and outbound to other nations.
The NSA has approximately 150 XKeyscore collection points worldwide. To reach 29.21 petabytes per day, XKeyscore sites pull in around 190 terabytes a day. And to keep the three-day “buffer” XKeyscore holds of captured traffic, that would mean the sites have an average of about 600 terabytes of storage—the equivalent of a fairly manageable 150 4-TB drives.
Regardless how much data flows through the NSA’s tap points, all of it is getting checked. While the NSA may “touch” only 29.21 petabytes of data a day, it runs its digital fingers through everything that flows through the tap points to do so.
The NSA’s XKeyscore uses packet analyzers, the hardware plugged into the network that diverted Internet data is routed down, to look at the contents of network traffic as it passes by. The packet analyzers use a set of rules to check each packet they “see” as it is read by the analyzers’ software into memory.
Packets that don’t meet any of the rules that have been configured are sent along unmolested.
Packets that match one or more of the rules get routed to processing servers for further analysis. Those rules can be very broad—”grab everything with an IP address in its header that is outside the United States,” for example—or they can look for very specific patterns within packets, such as those of VPN and website log-ins, Skype and VoIP traffic, or e-mails with attachments.
Tomi Engdahl says:
What the NSA can do with “big data”
The NSA can’t capture everything that crosses the Internet—but doesn’t need to.
http://arstechnica.com/information-technology/2013/06/what-the-nsa-can-do-with-big-data/
One organization’s data centers hold the contents of much of the visible Internet—and much of it that isn’t visible just by clicking your way around. It has satellite imagery of much of the world and ground-level photography of homes and businesses and government installations tied into a geospatial database that is cross-indexed to petabytes of information about individuals and organizations. And its analytics systems process the Web search requests, e-mail messages, and other electronic activities of hundreds of millions of people.
No one at this organization actually “knows” everything about what individuals are doing on the Web, though there is certainly the potential for abuse. By policy, all of the “knowing” happens in software, while the organization’s analysts generally handle exceptions (like violations of the law) picked from the flotsam of the seas of data that their systems process.
We know some of this thanks to an earlier whistleblower—former AT&T employee Mark Klein, who revealed in 2006 that AT&T had helped NSA install a tap into the fiber backbone for AT&T’s WorldNet, “splitting” the traffic to run into a Narus Insight Semantic Traffic Analyzer. (The gear has since been rebranded as “Intelligence Traffic Analyzer,” or ITA.)
Narus’ gear was also used by the FBI as a replacement for its homegrown “Carnivore” system. It scans packets for “tag pairs”—sets of packet attributes and values that are being monitored for—and then grabs the data for packets that match the criteria.
In an interview I conducted with Narus’ director of product management for cyber analytics Neil Harrington in September of 2012, Harrington said the company’s Insight systems can analyze and sort gigabits of data each second. “Typically with a 10 gigabit Ethernet interface, we would see a throughput rate of up to 12 gigabits per second with everything turned on. So out of the possible 20 gigabits, we see about 12. If we turn off tag pairs that we’re not interested in, we can make it more efficient.”
A single Narus ITA is capable of processing the full contents of 1.5 gigabytes worth of packet data per second. That’s 5400 gigabytes per hour, or 129.6 terabytes per day, for each 10-gigabit network tap. All that data gets shoveled off to a set of logic servers using a proprietary messaging protocol, which process and reassemble the contents of the packets, turning petabytes per day into gigabytes of tabular data about traffic—the metadata of the packets passing through the box— and captured application data.
NSA operates many of these network tap operations both in the US and around the world.
Storing it, indexing it, and analyzing it in volume required technology beyond what was generally available commercially. Considering that, according to Cisco, the total world Internet traffic for 2012 was 1.1 exabytes per day, it is physically impossible, let alone practical, for the NSA to capture and retain even a fraction of the world’s Internet traffic on a daily basis.
There’s also the issue of intercepting packets protected by Secure Sockets Layer (SSL) encryption. Breaking encryption of SSL-protected traffic is, under the best of circumstances, computationally costly and can’t be applied across the whole of Internet traffic (despite the apparent certificate-cracking success demonstrated by the Flame malware attack on Iran). So while the NSA can probably do it, they probably can’t do it in real-time.
NSA is still collecting call data records for all domestic calls and calls between US and foreign numbers
“comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call.”
In 2006, USA Today called the call database “the largest database in the world.”
BigTable and Hadoop-based databases offered a way to handle huge amounts of data being captured by the NSA’s operations, but they lacked something critical to intelligence operations: compartmentalized security (or any security at all, for that matter). So in 2008, NSA set out to create a better version of BigTable, called Accumulo—now an Apache Foundation project.
Accumulo is a “NoSQL” database, based on key-value pairs. It’s a design similar to Google’s BigTable or Amazon’s DynamoDB, but Accumulo has special security features designed for the NSA, like multiple levels of security access. The program is built on the open-source Hadoop platform and other Apache products.
One of those is called Column Visibility—a capability that allows individual items within a row of data to have different classifications.
Accumulo also can generate near real-time reports from specific patterns in data. So, for instance, the system could look for specific words or addressees in e-mail messages that come from a range of IP addresses; or, it could look for phone numbers that are two degrees of separation from a target’s phone number. Then it can spit those chosen e-mails or phone numbers into another database, where NSA workers could peruse it at their leisure.
In other words, Accumulo allows the NSA to do what Google does with your e-mails and Web searches—only with everything that flows across the Internet, or with every phone call you make.
One of the obstacles to NSA monitoring of Internet communications is SSL. On the surface, “cloud” services such as Gmail, Facebook, and the service formerly known as Hotmail have made that problem harder to overcome as they’ve pulled more interactions in behind SSL-protected sessions. But ironically, those communications services actually started to make it easier for the NSA to collect that protected data through the PRISM program.
PRISM gives the NSA an online connection to cloud providers.
The NSA could theoretically export much of the metadata from these services—without having a specific target—in order to preserve data in the event that the NSA has cause to perform a search. But it’s unlikely, simply for storage capacity reasons, that they copy the application data itself—e-mails, attachments, etc.—on a large scale.
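The Column Visibility feature described above is a boolean label on each cell that the server evaluates against the scanner’s authorizations before the cell is returned. The block below is an added example, not code from Apache Accumulo or from the cited article: it re-implements the label grammar Accumulo uses (tokens joined by & or |, grouped with parentheses, with mixed operators required to be parenthesized and the empty label visible to everyone; quoted tokens are left out as a simplification) and applies it to a constructed record whose cells carry different labels. All cell names, labels and values are made up for the illustration.

```python
import re

# Characters allowed in an unquoted authorization token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-:./]+")


class VisibilityError(ValueError):
    """Raised for a malformed visibility expression."""


def tokenize(expr):
    """Split a label into tokens: names, '&', '|', '(' and ')'."""
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c in "&|()":
            tokens.append(c)
            i += 1
            continue
        m = TOKEN_RE.match(expr, i)
        if not m:
            raise VisibilityError(f"illegal character {c!r} at offset {i}")
        tokens.append(m.group(0))
        i = m.end()
    return tokens


class _Parser:
    """Recursive descent; AST nodes are ('tok', name), ('&', [..]) or ('|', [..])."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expression(self):
        first = self.term()
        op = self.peek()
        if op not in ("&", "|"):
            return first
        operands = [first]
        while self.peek() == op:
            self.take()
            operands.append(self.term())
        # One level may use only one operator: "A&B|C" is rejected, "(A&B)|C" is fine.
        if self.peek() in ("&", "|"):
            raise VisibilityError("cannot mix & and | without parentheses")
        return (op, operands)

    def term(self):
        tok = self.take()
        if tok == "(":
            node = self.expression()
            if self.take() != ")":
                raise VisibilityError("missing ')'")
            return node
        if tok is None or tok in ("&", "|", ")"):
            raise VisibilityError(f"unexpected token {tok!r}")
        return ("tok", tok)


def parse_visibility(expr):
    """Parse a label; the empty label parses to None, meaning visible to all."""
    if expr == "":
        return None
    parser = _Parser(tokenize(expr))
    node = parser.expression()
    if parser.peek() is not None:
        raise VisibilityError(f"unexpected token {parser.peek()!r}")
    return node


def is_valid_expression(expr):
    try:
        parse_visibility(expr)
        return True
    except VisibilityError:
        return False


def evaluate(node, auths):
    """True when the authorizations satisfy the parsed label."""
    if node is None:
        return True
    kind, payload = node
    if kind == "tok":
        return payload in auths
    if kind == "&":
        return all(evaluate(child, auths) for child in payload)
    return any(evaluate(child, auths) for child in payload)


def is_visible(expr, auths):
    return evaluate(parse_visibility(expr), frozenset(auths))


# Constructed sample: one record whose cells carry different classifications.
SAMPLE_CELLS = [  # (row, column, visibility, value)
    ("rec:0001", "meta:timestamp",  "",                      "2013-08-14T10:02Z"),
    ("rec:0001", "meta:peer",       "ANALYST",               "198.51.100.7"),
    ("rec:0001", "meta:subscriber", "ANALYST&LEGAL",         "sub-4471"),
    ("rec:0001", "content:body",    "(ANALYST&LEGAL)|AUDIT", "<captured payload>"),
]


def scan(cells, auths):
    """Return only the cells the scanner's authorizations permit (the server-side filter)."""
    auths = frozenset(auths)
    return [cell for cell in cells if evaluate(parse_visibility(cell[2]), auths)]


if __name__ == "__main__":
    for who in ({"ANALYST"}, {"AUDIT"}, {"ANALYST", "LEGAL"}):
        print(sorted(who), "->", [c[1] for c in scan(SAMPLE_CELLS, who)])
```

The point worth noticing is that a scanner holding only ANALYST sees the timestamp and peer columns of the row but never learns that the subscriber or content cells exist, which is what lets one row hold data at several classification levels. Accumulo additionally checks that the authorizations a scanner presents are a subset of those granted to the user; that check is outside this example.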
Tomi Engdahl says:
Building a panopticon: The evolution of the NSA’s XKeyscore
How the NSA went from off-the-shelf to a homegrown “Google for packets.”
http://arstechnica.com/information-technology/2013/08/building-a-panopticon-the-evolution-of-the-nsas-xkeyscore/
The National Security Agency’s (NSA) apparatus for spying on what passes over the Internet, phone lines, and airways has long been the stuff of legend, with the public catching only brief glimpses into its Leviathan nature. Thanks to the documents leaked by former NSA contractor Edward Snowden, we now have a much bigger picture.
After the attacks of September 11, 2001 and the subsequent passage of the USA PATRIOT Act, the NSA and other organizations within the federal intelligence, defense, and law enforcement communities rushed to up their game in Internet surveillance. The NSA had already developed a “signals intelligence” operation that spanned the globe. But it had not had a mandate for sweeping surveillance operations—let alone permission for it—since the Foreign Intelligence Surveillance Act (FISA) was passed in 1978. (Imagine what Richard Nixon could have done with Facebook monitoring.)
Early on, the NSA needed a quick fix. It got that by buying largely off-the-shelf systems for network monitoring, as evidenced by the installation of hardware from Boeing subsidiary Narus at network tap sites such as AT&T’s Folsom Street facility in San Francisco. In 2003, the NSA worked with AT&T to install a collection of networking and computing gear—including Narus’ Semantic Traffic Analyzer (STA) 6400—to monitor the peering links for AT&T’s WorldNet Internet service. Narus’ STA software, which evolved into the Intelligent Traffic Analyzer line, was also used by the FBI as a replacement for its Carnivore system during that time frame.
Narus’ system is broken into two parts. The first is a computing device in-line with the network that watches the metadata in the packets passing by for ones that match “key pairs,” which can be a specific IP address or a range of IP addresses, a keyword within a Web browser request, or a pattern identifying a certain type of traffic such as a VPN or Tor connection.
Packets that match those rules are thrown to the second part of Narus’ system—a collection of analytic processing systems—over a separate high-speed network backbone by way of messaging middleware similar to the transaction systems used in financial systems and commodity trading floors.
In the current generation of Narus’ system, the processing systems run on commodity Linux servers and re-assemble network sessions as they’re captured, mining them for metadata, file attachments, and other application data and then indexing and dumping that information to a searchable database.
There are a couple of trade-offs with Narus’ approach. For one thing, the number of rules loaded on the network-sensing machine directly impacts how much traffic it can handle—the more rules, the more compute power burned and memory consumed per packet, and the fewer packets that can be handled simultaneously. When I interviewed Narus’ director of product management for cyber analytics Neil Harrington last year, he said that “with everything turned on” on a two-way, 10-gigabit Ethernet connection—that is, with all of the pre-configured filters turned on—”out of the possible 20 gigabits, we see about 12. If we turn off tag pairs that we’re not interested in, we can make it more efficient.”
In other words, to handle really big volumes of data and not miss anything with a traffic analyzer, you have to widen the scope of what you collect. The processing side can handle the extra data—as long as the bandwidth of the local network fabric isn’t exceeded and you’ve added enough servers and storage. But that means that more information is collected “inadvertently” in the process. It’s like catching a few dolphins so you don’t miss the tuna.
Collecting more data brings up another issue: where to put it all and how to transport it. Even when you store just the cream skimmed off the top of the 129.6 terabytes per day that can be collected from a 10-gigabit network tap, you’re still faced with at least tens of terabytes of data per tap that need to be written to a database. The laws of physics prevented the NSA from moving all that digested data back over its own private networks to a central data center; getting all the raw packets collected by the taps back home was out of the question.
All of these considerations were behind the design of XKeyscore. Based on public data (such as “clearance” job listings and other sources), the NSA used a small internal startup-like organization made up of NSA personnel and contract help from companies such as defense contractor SAIC to build and maintain XKeyscore.
Built with the same fundamental front-end principles (albeit with some significant custom code thrown in), XKeyscore solved the problem of collecting at wire speed by dumping a lot more to a local storage “cache.” And it balanced the conflict between minimizing how much data got sent home to the NSA’s data centers and giving analysts flexibility and depth in how they searched data by using the power of Web interfaces like Representational State Transfer (REST).
XKeyscore takes the data brought in by the packet capture systems connected to the NSA’s taps and processes it with arrays of Linux machines. The Linux processing nodes can run a collection of “plugin” analysis engines that look for content in captured network sessions; there are specialized plugins for mining packets for phone numbers, e-mail addresses, webmail and chat activity, and the full content of users’ Web browser sessions. For selected traffic, XKeyscore can also generate a full replay of a network session between two Internet addresses.
Tomi Engdahl says:
Amid Data Controversy, NSA Builds Its Biggest Data Farm
http://www.npr.org/2013/06/10/190160772/amid-data-controversy-nsa-builds-its-biggest-data-farm
As privacy advocates and security experts debate the validity of the National Security Agency’s massive data gathering operations, the agency is putting the finishing touches on its biggest data farm yet.
The gargantuan $1.2 billion complex at a National Guard base 26 miles south of Salt Lake City features 1.5 million square feet of top secret space. High-performance NSA computers alone will fill up 100,000 square feet.
The Utah Data Center is a data farm that will begin harvesting emails, phone records, text messages and other electronic data in September.
Tomi Engdahl says:
After Paying $2M in Rewards, Google Multiplies Some Bug Bounties Five Times
https://threatpost.com/after-paying-2m-in-rewards-google-multiplies-some-bug-bounties-five-times/101973
Google’s bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what’s going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000.
“Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! ”
At the same time it announced the new reward levels for researchers, the company also revealed that it has paid out more than $2 million in rewards since the inception of the bug bounty programs. Google effectively has two separate reward programs: one for Web properties such as Gmail; and one for Chrome and Chrome OS. The company has paid out more than $1 million for each of the programs.
Google was among the first wave of large software vendors to establish a bug bounty program, and many others have followed suit since then. Most recently, Microsoft started a bug bounty program in June, which is slightly different from typical reward systems, but offers up to $100,000 for new attacks that can bypass modern browser defenses.
“We find that VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off. In particular, they appear to be 2-100 times more cost effective than hiring expert security researchers to find vulnerabilities. We therefore recommend that more vendors consider using them to their (and their users’) advantage,” the paper, written by Matthew Finifter, Devdatta Akhawe, and David Wagner, says.
Tomi Engdahl says:
Yes, Gmail users have an expectation of privacy
http://www.theverge.com/2013/8/14/4621474/yes-gmail-users-have-an-expectation-of-privacy
Sending email to Gmail users means you expect Google’s servers will process it
Consumer groups are up in arms today over a motion Google made in June to dismiss a class-action lawsuit alleging that Gmail violates federal and state wiretapping laws by scanning emails at the server level.
This line has been widely misinterpreted to make it seem like Google is saying Gmail users have no expectation of privacy when they use Gmail, and the outrage is thick. Consumer Watchdog put out a press release calling the line a “stunning admission” that “Google has finally admitted they don’t respect privacy.”
Unfortunately for outrage junkies, there’s just nothing here. First of all, Google’s argument isn’t even about Gmail users,
From there, Google’s argument starts broadly and moves towards the specific — that’s where the “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties” line comes in.
Tomi Engdahl says:
The Creepy Ad Firm That’s Charging Top Brands For YouTube Ads That Aren’t Supposed To Exist
http://www.forbes.com/sites/alexkonrad/2013/08/13/charging-top-brands-for-made-up-youtube-ads/
YouTube viewers with a penchant for downloading what they watch have been unwittingly participating in a sketchy advertising cycle that shows them ads in places YouTube and Google never meant for an ad to exist. Placed through video download plug-ins
YouTube downloader. That plug-in would then insert ad slots onto the user’s browser when they went to various YouTube pages
Spider.io found the scam by searching one billion ad impressions for anomalous images sold on network clients, says founder Douglas de Jager. “We weren’t looking for Sambreel,” de Jager says but soon the company was unraveling threads that all tied back to Sambreel or subsidiaries Yontoo and Alactro.
The Interactive Advertising Bureau could not be reached for comment and the Media Rating Council said it doesn’t audit YouTube. But Gartner analyst Andrew Frank says ad tech players are well aware of the damage such bad practices can do to their industry. “Most have expressed intentions to deal with the problem head-on, and some have taken proactive steps to do so, but the proponents of such techniques are resourceful,” Frank says. “It’s clear that substantially more efforts are needed to protect the digital advertising ecosystem from fraud.”
One way to discourage such tactics would be for the judicial system to clarify a stronger application of copyright law to punish the parties contributing to the “infringing ad” ecosystem, Frank says.
Tomi Engdahl says:
Hacker ‘shouts abuse’ via Foscam baby monitoring camera
http://www.bbc.co.uk/news/technology-23693460
A hacker was able to shout abuse at a two-year-old child by exploiting a vulnerability in a camera advertised as an ideal “baby monitor”.
ABC News revealed how a couple in Houston, Texas, heard a voice saying lewd comments coming from the camera, made by manufacturer Foscam.
Vulnerabilities in Foscam products were exposed in April, and the company issued an emergency fix.
Foscam said it was unable to provide a statement at this time.
However, a UK-based reseller told the BBC it would contact its entire customer database to remind them “the importance in setting a password to their cameras”.
‘Kids room’
The BBC has found evidence of hackers sharing information on how to access insecure Foscam cameras via several widely-used forums.
Using specialist search engines, people can narrow their results by location.
On one forum, internet addresses for cameras – not all made by Foscam – were listed with descriptions such as “school/daycare?” and “kids room”.
In April, security firm Qualys uncovered a weakness in Foscam’s devices.
The company said that various attack techniques exposed the camera’s remote monitoring access – the simplest of which was simply scraping Foscam’s website for unique identifying codes for each customer.
Around two out of every 10 Foscam cameras monitored by the researchers were insecure, Qualys said – using just “admin” to log in, and requiring no password.
A spokesman for GadgetFreakz said the company was looking at ways to better inform customers of the importance of setting secure passwords, adding that it prided itself on good customer service.
Tomi Engdahl says:
How A ‘Deviant’ Philosopher Built Palantir, A CIA-Funded Data-Mining Juggernaut
http://www.forbes.com/sites/andygreenberg/2013/08/14/agent-of-intelligence-how-a-deviant-philosopher-built-palantir-a-cia-funded-data-mining-juggernaut/
Since rumors began to spread that a startup called Palantir helped to kill Osama bin Laden, Alex Karp hasn’t had much time to himself.
Palantir lives the realities of its customers: the NSA, the FBI and the CIA–an early investor through its In-Q-Tel venture fund–along with an alphabet soup of other U.S. counterterrorism and military agencies.
And now Palantir is emerging from the shadow world of spies and special ops to take corporate America by storm. The same tools that can predict ambushes in Iraq are helping pharmaceutical firms analyze drug data. According to a former JPMorgan Chase staffer, they’ve saved the firm hundreds of millions of dollars by addressing issues from cyberfraud to distressed mortgages. A Palantir user at a bank can, in seconds, see connections between a Nigerian Internet protocol address, a proxy server somewhere within the U.S. and payments flowing out from a hijacked home equity line of credit, just as military customers piece together fingerprints on artillery shell fragments, location data, anonymous tips and social media to track down Afghani bombmakers.
The bottom line: A CIA-funded firm run by an eccentric philosopher has become one of the most valuable private companies in tech, priced at between $5 billion and $8 billion in a round of funding the company is currently pursuing.
The biggest problem for Palantir’s business may be just how well its software works: It helps its customers see too much. In the wake of NSA leaker Edward Snowden’s revelations of the agency’s mass surveillance, Palantir’s tools have come to represent privacy advocates’ greatest fears of data-mining technology — Google-level engineering applied directly to government spying. That combination of Big Brother and Big Data has come into focus just as Palantir is emerging as one of the fastest-growing startups in the Valley, threatening to contaminate its first public impressions and render the firm toxic in the eyes of customers and investors just when it needs them most.
“They’re in a scary business,” says Electronic Frontier Foundation attorney Lee Tien. ACLU analyst Jay Stanley has written that Palantir’s software could enable a “true totalitarian nightmare, monitoring the activities of innocent Americans on a mass scale.”
Palantir boasts of technical safeguards for privacy that go well beyond the legal requirements for most of its customers, as well as a team of “privacy and civil liberties engineers.” But it’s Karp himself who ultimately decides the company’s path. “He’s our conscience,” says senior engineer Ari Gesher.
The question looms, however, of whether business realities and competition will corrupt those warm and fuzzy ideals.
In the business proposal that Palantir sent NCRIC, it offered customer references that included the Los Angeles and New York police departments, boasting that it enabled searches of the NYPD’s 500 million plate photos in less than five seconds.
Katz-Lacabe wasn’t impressed. Palantir’s software, he points out, has no default time limits–all information remains searchable for as long as it’s stored on the customer’s servers. And its auditing function? “I don’t think it means a damn thing,” he says. “Logs aren’t useful unless someone is looking at them.”
“If we as a democratic society believe that license plates in public trigger Fourth Amendment protections, our product can make sure you can’t cross that line,” he says, adding that there should be time limits on retaining such data
DESPITE WHAT any critic says, it’s clear that Alex Karp does indeed value privacy–his own.
Tomi Engdahl says:
Google Tells Court You Cannot Expect Privacy When Sending Messages to Gmail — People Who Care About Privacy Should Not Use Service, Consumer Watchdog Says
http://www.consumerwatchdog.org/newsrelease/google-tells-court-you-cannot-expect-privacy-when-sending-messages-gmail-people-who-care
Google’s brief said: “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’” (Motion to dismiss, Page 19)
Consumer Watchdog said today that people who care about their email correspondents’ privacy should not use the Internet giant’s service.
Tomi Engdahl says:
How Much Will PRISM Cost the U.S. Cloud Computing Industry?
http://www2.itif.org/2013-cloud-computing-costs.pdf
BY DANIEL CASTRO
AUGUST 2013
The recent revelations about the extent to which the National Security Agency (NSA) and other U.S. law enforcement and national security agencies have used provisions in the Foreign Intelligence Surveillance Act (FISA) and USA PATRIOT Act to obtain electronic data from third-parties will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits
The U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years as a result of the recent revelations about the NSA’s electronic surveillance programs.
What is the basis for these assumptions? The data are still thin—clearly this is a developing story and perceptions will likely evolve—but in June and July of 2013, the Cloud Security Alliance surveyed its members, who are industry practitioners, companies, and other cloud computing stakeholders, about their reactions to the NSA leaks. For non-U.S. residents, 10 percent of respondents indicated that they had cancelled a project with a U.S.-based cloud computing provider; 56 percent said that they would be less likely to use a U.S.-based cloud computing service. For U.S. residents, slightly more than a third (36 percent) indicated that the NSA leaks made it more difficult for them to do business outside of the United States.
Thus we might reasonably conclude that given current conditions U.S. cloud service providers stand to lose somewhere between 10 and 20 percent of the foreign market in the next few years.
Tomi Engdahl says:
‘Maintenance Update,’ Not Hackers, Felled NY Times
http://www.wired.com/threatlevel/2013/08/nyt-maintenance-update/
The New York Times’ website and corporate email went down sporadically earlier today, fueling widespread speculation the newspaper of record might have been hacked or went offline for traffic-congestion reasons.
But, in the end, it was a maintenance glitch, the paper said.
Tomi Engdahl says:
Feds Crack Encrypted Drives, Arrest Child Porn Suspect
http://www.wired.com/threatlevel/2013/08/feds-crack-encrypted-drives/
Federal authorities have cracked two encrypted drives they say are filled with child pornography, leading to an arrest in an ongoing case that shows the limits of encryption and highlights a novel legal issue in which the government has been trying to force the defendant to decrypt the drives to aid his prosecution.
“The investigation is ongoing and the FBI is still working on decrypting Feldman’s remaining seven encrypted drives,”
Though rare, decryption orders are likely to become more common as the public increasingly embraces technology that comes standard on most operating systems. Decryption orders have never squarely been addressed by the Supreme Court, despite conflicting opinions in the lower courts.
Among the last times an encryption order came up in court was last year, when a federal appeals court rejected an appeal from a bank-fraud defendant who has been ordered to decrypt her laptop so its contents could be used in her criminal case.
The issue was later mooted for defendant Romano Fricosu as a co-defendant eventually supplied a password.
Whether a defendant forgets the password is another story.
That issue, too, has never been addressed in court. But judges usually view forgetfulness “as a sham or subterfuge that purposely avoids giving responsive answers.”
Tomi Engdahl says:
Your encrypted files are ‘exponentially easier’ to crack, warn MIT boffins
Maths gurus tug rug from under modern crypto: ‘You’d be surprised how quickly it takes’
http://www.theregister.co.uk/2013/08/14/research_shakes_crypto_foundations/
Encryption systems may be a lot less secure than we thought, according to new research into the maths underpinning today’s cryptography.
Boffins in the US and Ireland have managed to poke holes in modern information theory, an area of mathematics used to prove the strength of cryptographic systems before they are trusted and widely deployed.
As a result, the scientists claim it’s easier to take encrypted files and deduce their original unencrypted contents than one would expect.
In other words, computers can find correlations between encrypted data and its unencrypted form far faster than previously thought, and eventually crack the lot. Code-breaking software needs to find just one reliable correlation before it can hit the jackpot.
Analyses of modern cryptographic algorithms assume perfectly uniform sources of information, in which the mix of binary 1s and 0s is perfectly random and hopelessly unpredictable.
In reality, data is never that perfect: parts of files can be guessed and those bytes used as a foothold in cracking open the data by brute force.
“It’s still exponentially hard, but it’s exponentially easier than we thought,” said Ken Duffy, of the National University of Ireland (NUI), who co-wrote this latest research.
Tomi Engdahl says:
DARPA Fears Big Data Could Become Big Threat
http://yro.slashdot.org/story/13/08/14/181231/darpa-fears-big-data-could-become-big-threat
“For most businesses, data analytics presents an opportunity. But for DARPA, the military agency responsible for developing new technology, so-called ‘Big Data’ could represent a big threat. DARPA is apparently looking to fund researchers who can ‘investigate the national security threat posed by public data available either for purchase or through open sources.’ ”
“As Foreign Policy points out, there’s a certain amount of irony in the government soliciting ways to reduce its vulnerability to data exploitation. ‘At the time government officials are assuring Americans they have nothing to fear from the National Security Agency poring through their personal records,’ “
Tomi Engdahl says:
US, Germany To Enter No-Spying Agreement
http://politics.slashdot.org/story/13/08/14/216252/us-germany-to-enter-no-spying-agreement
“The German Federal Intelligence Service said in a news release that the U.S. has verbally committed to enter into a no-spying agreement with Germany.”
Tomi Engdahl says:
IBM buys Trusteer, forms Israeli cybersecurity lab
http://www.zdnet.com/ibm-buys-trusteer-forms-israeli-cybersecurity-lab-7000019436/
Summary: IBM has purchased enterprise security firm Trusteer with the development of an Israel-based cybersecurity lab in mind.
IBM has acquired security firm Trusteer as part of the formation of a security lab focused on mobile and application security, counter-fraud and malware detection.
In an announcement Thursday, IBM said it has entered a definitive agreement to acquire the company, which specializes in protecting businesses networks, mobile devices and web applications from cybercriminals.
The agreement will add Trusteer’s security solutions to IBM’s current portfolio. IBM says that by securing Trusteer, the company’s fraud protection, advanced persistent threat protection, protection against zero-day vulnerabilities, endpoint security and threat intelligence services will be strengthened.
Tomi says:
Chinese attackers target Apache Struts servers
Chinese attackers are taking advantage of security flaws found in the Apache Struts framework for Java-based Web applications.
Security company Trend Micro has found instructions on Chinese chat forums on how to exploit these security holes in attacks.
Struts 2.3.15.1 is the safest currently available version. According to Trend Micro, updating to the most recent version is strongly recommended.
Some developers have warned that the latest version update may break some programs.
Source: http://www.tietoviikko.fi/kehittaja/kiinalaiset+hyokkaavat+apache+struts+palvelimiin/a921620
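A quick inventory check for the version advice in the comment above, as an added example (not code from Trend Micro, Apache Struts or the cited article): it scans a WEB-INF/lib listing for the struts2-core jar, compares its version numerically against 2.3.15.1, and can read the version Maven embeds in pom.properties when a jar has been renamed. The two application listings are constructed; the safe-version threshold is the one the comment states, and the jar naming follows the Maven convention struts2-core-<version>.jar.

```python
import re
import zipfile
from typing import NamedTuple

# Version the comment names as the one to be on (assumption: nothing newer yet).
SAFE_VERSION = "2.3.15.1"

# Maven artifact naming: struts2-core-<version>[-<qualifier>].jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def version_key(version):
    """'2.3.15' -> (2, 3, 15), so the comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter tuples are zero-padded, so 2.3.15 < 2.3.15.1;
    a plain string comparison would wrongly rank '2.3.9' above '2.3.15'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def needs_update(version, safe=SAFE_VERSION):
    return compare_versions(version, safe) < 0


class Finding(NamedTuple):
    jar: str
    version: str
    needs_update: bool


def audit_lib_listing(filenames):
    """Report every struts2-core jar in a WEB-INF/lib listing."""
    findings = []
    for name in filenames:
        m = JAR_RE.match(name)
        if m:
            version = m.group(1)
            findings.append(Finding(name, version, needs_update(version)))
    return findings


def version_from_pom_properties(text):
    """Extract version=... from the body of a Maven pom.properties file."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line[len("version="):]
    return None


def version_from_jar(path):
    """For a renamed jar, read the version Maven recorded at build time under
    META-INF/maven/org.apache.struts/struts2-core/pom.properties."""
    prefix = "META-INF/maven/org.apache.struts/struts2-core/"
    with zipfile.ZipFile(path) as jar:
        for member in jar.namelist():
            if member.startswith(prefix) and member.endswith("pom.properties"):
                return version_from_pom_properties(jar.read(member).decode("utf-8"))
    return None


def audit_apps(apps):
    """apps: {application name: list of jar file names} -> {name: [Finding]}"""
    return {app: audit_lib_listing(libs) for app, libs in apps.items()}


# Constructed WEB-INF/lib listings of two deployed applications.
SAMPLE_APPS = {
    "legacy-portal": ["commons-lang3-3.1.jar", "ognl-3.0.6.jar",
                      "struts2-core-2.3.14.jar", "xwork-core-2.3.14.jar"],
    "patched-portal": ["commons-lang3-3.1.jar", "ognl-3.0.6.jar",
                       "struts2-core-2.3.15.1.jar", "xwork-core-2.3.15.1.jar"],
}


if __name__ == "__main__":
    for app, findings in audit_apps(SAMPLE_APPS).items():
        for f in findings:
            state = "UPDATE NEEDED" if f.needs_update else "ok"
            print(f"{app}: {f.jar} (version {f.version}) {state}")
```

Feed it the file names from each application’s WEB-INF/lib (for example the output of `ls`); an application whose struts2-core jar has been renamed can be checked with version_from_jar on the file itself. The zero-padded numeric comparison is the part that matters: 2.3.15 must rank below 2.3.15.1, which a string comparison of file names does not guarantee.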
Tomi Engdahl says:
Washington Post Hacked, a Day After New York Times
http://news.slashdot.org/story/13/08/15/162211/washington-post-hacked-a-day-after-new-york-times
“A day after the New York Times was brought down by a cyber attack, the Washington Post reported being hacked, with various news stories being redirected to the website of the Syrian Electronic Army.”
“The NYT themselves claims they weren’t hacked.”
Tomi Engdahl says:
In Snowden’s wake, China will probe IBM, Oracle, and EMC for security threats
http://qz.com/115970/in-snowdens-wake-china-will-probe-ibm-oracle-and-emc-for-security-threats/
The Edward Snowden scandal is about to become a major headache for some US tech firms, as the Chinese government prepares to probe IBM, Oracle, and EMC over “security issues,” according to the official Shanghai Securities News.
“At present, thanks to their technological superiority, many of our core information technology systems are basically dominated by foreign hardware and software firms, but the Prism scandal implies security problems,” an anonymous source told Shanghai Securities News, according to a Reuters report.
IBM, the world’s largest IT company, Oracle, the biggest enterprise software firm, and EMC, a leading cloud computing and Big Data provider, all have substantial businesses in China that could be damaged if Beijing takes a hard line on potential NSA intrusions—much as China-based Huawei, the world’s biggest vendor of telecom equipment, has been largely blocked from doing business in the United States.
Investigators at China’s Ministry of Public Security and a cabinet-level research center will reportedly carry out the probe.
Previously China’s state-run media, which is often used to signal government policy, identified eight US companies—Cisco, IBM, Google, Qualcomm, Intel, Apple, Oracle, and Microsoft—as US government proxies that posed a “terrible security threat.”