Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Forrester: NSA Spying Could Cost Cloud $180B, But Probably Won’t
http://yro.slashdot.org/story/13/08/15/2259206/forrester-nsa-spying-could-cost-cloud-180b-but-probably-wont
“Forrester’s James Staten argues in a blog post that the U.S. cloud computing industry stands to lose as much as $180 billion, using the reasoning put forth by a well-circulated report from The Information Technology and Innovation Foundation that pegged potential losses closer to $35 billion”
Tomi Engdahl says:
The Cost of PRISM Will Be Larger Than ITIF Projects
http://blogs.forrester.com/james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects
Earlier this month The Information Technology & Innovation Foundation (ITIF) published a prediction that the U.S. cloud computing industry stands to lose up to $35 billion by 2016 thanks to the National Security Agency (NSA) PRISM project, leaked to the media in June. We think this estimate is too low and could be as high as $180 billion or a 25% hit to overall IT service provider revenues in that same timeframe. That is, if you believe the assumption that government spying is more a concern than the business benefits of going cloud.
The high-end figure, assumes US-based cloud computing providers would lose 20% of the potential revenues available from the foreign market. However we believe there are two additional impacts that would further be felt from this revelation:
1. US customers would also bypass US cloud providers for their international and overseas business – costing these cloud providers up to 20% of this business as well.
2. Non-US cloud providers will lose as much as 20% of their available overseas and domestic opportunities due to other governments taking similar actions.
If it is to be believed, as ITIF estimates, that half the cloud market will be fulfilled by non-US providers, then assuming this factor has just as much impact as the PRISM leak will have on US providers, then non-US cloud providers would take a hit of another $35 billion by 2016.
Add it all up and you have a net loss for the service provider space of about $180 billion by 2016 which would be roughly a 25% decline in the overall IT services market by that final year, using Forrester market estimates. All from the unveiling of a single kangaroo-court action called PRISM.
Scary picture but probably unrealistic.
Tomi Engdahl says:
NSA broke privacy rules thousands of times per year, audit finds
http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html
The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.
Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by statute and executive order. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. e-mails and telephone calls.
Tomi Engdahl says:
NSA, DEA, IRS Lie About Fact That Americans Are Routinely Spied On By Our Government: Time For A Special Prosecutor
http://www.forbes.com/sites/jennifergranick/2013/08/14/nsa-dea-irs-lie-about-fact-that-americans-are-routinely-spied-on-by-our-government-time-for-a-special-prosecutor-2/
It seems that every day brings a new revelation about the scope of the NSA’s heretofore secret warrantless mass surveillance programs. And as we learn more, the picture becomes increasingly alarming. Last week we discovered that the NSA shares information with a division of the Drug Enforcement Administration called the Special Operations Division (SOD). The DEA uses the information in drug investigations. But it also gives NSA data out to other agencies – in particular, the Internal Revenue Service, which, as you might imagine, is always looking for information on tax cheats.
The Obama Administration repeatedly has assured us that the NSA does not collect the private information of ordinary Americans. Those statements simply are not true. We now know that the agency regularly intercepts and inspects Americans’ phone calls, emails, and other communications, and it shares this information with other federal agencies that use it to investigate drug trafficking and tax evasion. Worse, DEA and IRS agents are told to lie to judges and defense attorneys about their use of NSA data, and about the very existence of the SOD, and to make up stories about how these investigations started so that no one will know information is coming from the NSA’s top secret surveillance programs.
Tomi Engdahl says:
Court: Ability to police U.S. spying program limited
http://www.washingtonpost.com/politics/court-ability-to-police-us-spying-program-limited/2013/08/15/4a8c8c44-05cd-11e3-a07f-49ddc7417125_story.html
The leader of the secret court that is supposed to provide critical oversight of the government’s vast spying programs said that its ability do so is limited and that it must trust the government to report when it improperly spies on Americans.
“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post.
Tomi Engdahl says:
NSA statements to The Post
By Barton Gellman, Friday, August 16, 4:10 AM
http://www.washingtonpost.com/world/national-security/nsa-statements-to-the-post/2013/08/15/f40dd2c4-05d6-11e3-a07f-49ddc7417125_story.html
The National Security Agency offered these comments on The Washington Post’s article about privacy violations.
Tomi Engdahl says:
China to probe IBM, Oracle, EMC for security concerns: paper
http://www.reuters.com/article/2013/08/16/us-china-ioe-idUSBRE97F02720130816
China’s Ministry of Public Security and a cabinet-level research center are preparing to probe IBM Corp, Oracle Corp and EMC Corp over security issues, the official Shanghai Securities News said on Friday.
China, repeatedly accused by the United States of hacking, was given considerable ammunition by Snowden’s allegations, which Beijing has used to point the finger at Washington for hypocrisy.
Tomi Engdahl says:
Syrian Hackers Use Outbrain to Target The Washington Post, Time, and CNN
http://www.theatlanticwire.com/global/2013/08/syrian-hackers-use-outbrain-target-washington-post-time-and-cnn/68370/
For a brief period on Thursday morning, the Washington Post’s website redirected some visitors to a webpage controlled by the Syrian Electronic Army. In a brief statement, the site didn’t indicate how the infiltration occurred, but subsequent reports suggest that the hackers were able to manipulate a content recommendation service The Post uses on its site.
On Twitter, the SEA demonstrated that it had gained access to the administrative panel of Outbrain, a third-party system that provides those “Other stories from around the web” recommendations at the bottom of articles at numerous web sites, including at The Atlantic Wire. How the redirect worked isn’t clear, but it’s possible that the hackers were able to manipulate the code included on Post articles to include a simple redirect to an external site.
In other words, despite its statement, it seems likely that The Washington Post itself wasn’t hacked. But its use of a third-party tool for story recommendations created an opportunity for the hackers. Earlier this year, the newspaper confirmed that it had been hacked by individuals in China.
Tomi Engdahl says:
Snowden downloaded NSA secrets while working for Dell, sources say
http://www.reuters.com/article/2013/08/15/us-usa-security-snowden-dell-idUSBRE97E17P20130815
Former intelligence contractor Edward Snowden began downloading documents describing the U.S. government’s electronic spying programs while he was working for Dell Inc in April 2012, almost a year earlier than previously reported, according to U.S. officials and other sources familiar with the matter.
Snowden, who was granted a year’s asylum by Russia on August 1, worked for Dell from 2009 until earlier this year, assigned as a contractor to U.S. National Security Agency facilities in the United States and Japan.
Snowden downloaded information while employed by Dell about eavesdropping programs run by the NSA and Britain’s Government Communications Headquarters, and left an electronic footprint indicating when he accessed the documents, said the sources, speaking on condition of anonymity.
Some of the material Snowden downloaded in April 2012 while a Dell employee related to NSA collection from fiber-optic cables, including transoceanic cables, of large quantities of internet traffic and other communications, the sources said.
Snowden has said he left Dell for a job at Booz Allen Hamilton in Hawaii around March of this year, specifically to gain access to additional top-secret documents that could be leaked to the media.
Booz Allen Hamilton fired Snowden after he fled to Hong Kong with a trove of secret material.
Tomi Engdahl says:
‘New York Times’ Publishes Articles on Facebook During Site Outage
http://mashable.com/2013/08/14/new-york-times-outage-facebook/
The New York Times’ website and iOS apps went down for more than two hours Wednesday due to an internal issue, but that didn’t stop the paper of record from publishing breaking news.
At first, the Times took page from The Boston Globe strategy during the Boston bombings and started tweeting out breaking news from its various Twitter accounts without linking to articles
Tomi Engdahl says:
Bradley Manning Did Not Hurt the United States
https://pressfreedomfoundation.org/blog/2013/08/bradley-manning-did-not-hurt-united-states
Former Defense Secretary Robert Gates has admitted the leaks caused no serious damage, telling Congress that the reactions to the leaks were “significantly overwrought.” He went on to say: “Is this embarrassing? Yes. Is it awkward? Yes. Consequences for U.S. foreign policy? I think fairly modest.’’
Tomi Engdahl says:
“451″ Error Will Tell Users When Governments Are Blocking Websites
http://yro.slashdot.org/story/13/08/15/1933239/451-error-will-tell-users-when-governments-are-blocking-websites
“To fend off the chilling effects of heavy-handed internet restriction, the UK consumer rights organization Open Rights Group wants to create a new version of the ’404 Page Not Found’ error message, called ’451 unavailable,’ to specify that a webpage wasn’t simply not there, it was ordered to be blocked for legal reasons.”
Tomi Engdahl says:
Site blocked for legal reasons
http://www.451unavailable.org/
Courts can order your Internet Service Provider to block certain websites.
ISPs often don’t say why a website is blocked and court orders are rarely voluntarily published. So when sites are blocked, it’s really hard to find out why.
451 Unavailable is here to help ISPs make it clear why websites are blocked and to encourage courts to publish blocking orders.
Can you help to shine light on Internet censorship?
Tomi Engdahl says:
SD Times Blog: Google admits an Android crypto PRNG flaw led to Bitcoin heist
http://sdt.bz/64008
Last week, thieves hijacked Bitcoin transactions and stole approximately US$5,720 worth of Bitcoins from Android digital wallet apps. This week, we know how they did it.
In a blog post yesterday by Android Security Engineer Alex Klyubin, Google revealed that flaws in Android’s Java and OpenSSL crypto PRNG (pseudorandom number generator) led to the theft of more than 55 Bitcoins.
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he wrote.
“Developers who use JCA for key generation, signing or random-number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random,” he said.
“Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.”
Tomi Engdahl says:
Some SecureRandom Thoughts
http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html
The Android security team has been investigating the root cause of the compromise of a bitcoin transaction that led to the update of multiple Bitcoin applications on August 11.
We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG. Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.
Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random.
In addition to this developer recommendation, Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.
Tomi Engdahl says:
NSA Spying: The Three Pillars of Government Trust Have Fallen
https://www.eff.org/deeplinks/2013/08/nsa-spying-three-pillars-government-trust-have-fallen
With each recent revelation about the NSA’s spying programs government officials have tried to reassure the American people that all three branches of government—the Executive branch, the Judiciary branch, and the Congress—knowingly approved these programs and exercised rigorous oversight over them.
President Obama recited this talking point just last week, saying: “as President, I’ve taken steps to make sure they have strong oversight by all three branches of government and clear safeguards to prevent abuse and protect the rights of the American people.” With these three pillars of oversight in place, the argument goes, how could the activities possibly be illegal or invasive of our privacy?
Today, the Washington Post confirmed that two of those oversight pillars—the Executive branch and the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA court)—don’t really exist. The third pillar came down slowly over the last few weeks, with Congressional revelations about the limitations on its oversight, including what Representative Sensennbrenner called “rope a dope” classified briefings. With this, the house of government trust has fallen, and it’s time to act. Join the over 500,000 people demanding an end to the unconstitutional NSA spying.
Tomi Engdahl says:
A closed e-mail service owner, “Do not under any circumstances let your private information with any American service over”
“I think you’d deserve to know what is going on – [the U.S. Constitution], the first paragraph should guarantee freedom of expression for me in these situations. Unfortunately, Congress has enacted laws that determine otherwise,” he said.
He gives in his ending letter also a heavy piece of advice: “This experience has taught me one very important thing: if Congress does not act in this regard and, if supported us do not have a very strong precedent, I would recommend a really strong that you do not under any circumstances allow the private your information with any of the company’s possession, which is a physical ties to the United States.”
Texan Republican presidential candidate Ron Paul thinks that the case ‘is the subject of interest to anyone who care about freedom. ”
Source: http://www.tietoviikko.fi/kaikki_uutiset/suljetun+sahkopostipalvelun+omistaja+quotalkaa+missaan+nimessa+antako+yksityistietojanne+yhdenkaan+amerikkalaisen+palvelun+haltuunquot/a921966
Tomi Engdahl says:
Google to encrypt Cloud Storage data by default
Users can choose if they want to hold the encryption keys themselves
http://www.itworld.com/cloud-computing/369304/google-encrypt-cloud-storage-data-default
Google said Thursday it will by default encrypt data warehoused in its Cloud Storage service.
The server-side encryption is now active for all new data written to Cloud Storage, and older data will be encrypted in the coming months, wrote Dave Barth, a Google product manager, in a blog post.
“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys,” Barth wrote. “We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”
The data and metadata around an object stored in Cloud Storage is encrypted with a unique key using 128-bit Advanced Encryption Standard algorithm, and the “per-object key itself is encrypted with a unique key associated with the object owner,” Barth wrote.
Data collection programs revealed by former U.S. National Security Agency contractor Edward Snowden have raised questions about U.S. government data requests made to Internet companies such as Google for national security investigations.
Tomi says:
Remotely Assembled Malware Blows Past Apple’s Screening Process
http://www.technologyreview.com/news/518096/remotely-assembled-malware-blows-past-apples-screening-process/
Research unmasks a weakness of Apple’s App Store: new apps apparently are run for only a few seconds before approval.
Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.
“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.
Tomi Engdahl says:
Why can’t email be secure?
http://silentcircle.wordpress.com/2013/08/16/why-cant-email-be-secure/
Coming on the heels of our announcement that we had shut down our Silent Mail service, we received a comment about securing email communications.
“In a recent press release, your company stated it was impossible to secure email communication ‘as we know it’. To me, it would seem to be a very easily solvable problem. Simply write a plug in for popular email applications that automatically applies asymmetric key cryptography to any emails being exchanged between people who both possess the plugin. Granted this would not work until the keys were exchanged but the plugin would make that trivial.”
If the goal is simply to encrypt the body of the message there are services and products that accomplish this. You could use traditional PGP/SMIME to encrypt the body of the message. If you were to do this, you would still have to manage the keys yourself. You could go a step further and have a server that manages keys/users for you, or a collection of federated servers. Such a beast might look very much like the PGP Universal server. For an individual, a server, or collection of them probably isn’t practical. For a company, it could make sense.
One would encrypt the body of the message if it contains information that is more important than the meta data of who is communicating, and how often.
If your goal is to not have metadata leakage in your otherwise secure communications, you may wish to avoid email altogether. Email leaks the information about who is communicating, and how often. This information may be just as damaging as the content of the email.
If you put a plugin in your email client that needs to exchange keys with another party, you would require that the other party be online at the time you wish to send your message. That’s awkward when you wish to email somebody half-way around the world
Its unlikely you could use a well known port (such as tcp/443), because most ISPs block that kind of traffic inbound.
Additionally, email provides no means to secure the headers (routing information, and the envelope). The routing information, which is visible by looking at the headers of any email message, by design, is all unencrypted. Any server in the path between sender and recipient, can view any portion of the headers, as they are stored as plain text in the beginning of the message.
Tomi Engdahl says:
Webcam spying goes mainstream as Miss Teen USA describes hack
“The light didn’t even go on, so I had no idea.”
http://arstechnica.com/tech-policy/2013/08/webcam-spying-goes-mainstream-as-miss-teen-usa-describes-hack/
Webcam hacking has officially gone mainstream with yesterday’s revelation that the new Miss Teen USA, Cassidy Wolf, was the victim of a “sextortion” plot in which someone slipped Remote Administration Tool (RAT) software onto her computer and used it to snap (apparently nude) pictures of Wolf in her room. “I wasn’t aware that somebody was watching me (on my webcam),” she told The Today Show. “The light (on the camera) didn’t even go on, so I had no idea.”
Wolf said that the hacker tried to extort her, threatening to release the pictures publicly if she didn’t follow his demands. The FBI has admitted that it is investigating the case and eventually said that has identified a suspect.
The story itself isn’t remarkable
—but these kinds of sextortion plots have to date been covered largely in the tech press and in local papers.
These hacks are such a profound privacy violation—accessing webcams, microphones, and stored files provides the attacker with almost unfettered access to one’s private life, thoughts, documents, even conversations—that they routinely generate amazement in interlocutors.
Wolf is even making sextortion and webcam hacking one of the centerpieces of her educational efforts as Miss Teen USA—certainly a first, and a good lesson for other teens to hear.
Tomi Engdahl says:
Taking down “the largest child pornography conspiracy ever prosecuted”
How the Internet police mounted an international effort against “The Cache.”
http://arstechnica.com/tech-policy/2013/08/operation-joint-hammer-taking-down-the-largest-child-pornography-conspiracy-ever-prosecuted/
Tomi Engdahl says:
Wikileaks Releases A Massive “Insurance” File That No One Can Open
http://yro.slashdot.org/story/13/08/18/1641241/wikileaks-releases-a-massive-insurance-file-that-no-one-can-open
” Anti-secrecy organization WikiLeaks just released a treasure trove of files, that at least for now, you can’t read.”
“posted links for about 400 gigabytes of files on their Facebook page Saturday, and asked their fans to download and mirror them elsewhere.”
Tomi Engdahl says:
Most Veterans Administration Data Breaches From Paper Documents Not PCs
http://news.slashdot.org/story/13/08/19/0142208/most-veterans-administration-data-breaches-from-paper-documents-not-pcs
“‘Between 96 and 98 percent of our [data breach] incidents — it varies from month to month — deal with physical paper where people are not thinking about the fact that that piece of paper they’re carrying around making benefits determinations has sensitive information and they need to protect it,’ said Stephen Warren, VA acting assistant secretary for information and technology
Tomi Engdahl says:
Teens really realize what social media can reveal
Contrary to popular belief, teens care about their privacy online. The Pew Research Center study 12 to 17-year-olds perceptions of online privacy.
The study also revealed that 70 percent of teens have asked for advice to manage their privacy. Many adults may be surprised that the parents and the guys are just as important advisors.
42% asked for advice from friends online privacy manage
41% of parents
37% said his sister or serkultaa
13% sought information on the website
9% said the teacher
3% asked from some outside
12 to 13 per cent of girls aged 77 has asked for privacy management advice, the boys, the figure is 66 per cent.
“Privacy Settings are easy., I think that they [Facebook] modify them often, reset or something. So they have to constantly update themselves,” said one of the study participated in the 13-year-old son.
Source: http://www.tietoviikko.fi/kaikki_uutiset/teinit+kylla+tajuavat+mita+somessa+voi+paljastaa/a922250
Tomi Engdahl says:
Think your smutty Snapchats can’t be saved by dorks? THINK AGAIN
Snapchat Save app promises hassle-free image and video capture
http://www.theregister.co.uk/2013/08/12/all_your_sexts_are_belong_to_me_snapchat_picturesaving_app_arrives/
Sexting has become even more inadvisable following the launch of an app which can surreptitiously store images sent using the self-destructing photo service Snapchat.
Anyone looking to broadcast pictures of their naughty bits was given a boost when Snapchat first launched, because it purported to destroy images a few moments after they were viewed.
But a new app called Snap Save has removed the very raison d’être of Snapchat by allowing users to save images.
Up until now, it was possible for the average Joe (or Josephine) to take a screenshot of pictures or video sent via Snapchat, but the popular sexting app automatically notifies the sender if that happens.
Snap Save promises that “other users will never know you saved the message”,
Tomi Engdahl says:
Microsoft warns of post-April zero day hack bonanza on Windows XP
Beginning April 2014, patches will bring new threats
http://www.theregister.co.uk/2013/08/16/microsoft_warns_itll_be_handing_out_zero_days_for_windows_xp/
Microsoft has a Windows XP problem: people still like it and aren’t willing to upgrade just yet. So it’s warning users that if they don’t upgrade soon, hackers will lie in wait each new Patch Tuesday to reverse-engineer a full set of new vulnerabilities.
“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities,” said Tim Rains, Microsoft’s director of trustworthy computing, in a blog post.
“If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero day’ vulnerability forever.”
He points out that from July 2012 through July 2013, Windows XP received 45 patches, 30 of which were relevant to Windows 7 and 8 as well, and there is considerable flaw cross-over found among the three operating systems. XP is also by far the most malware-infected operating systems, he points out.
Hackers have learned to get around XP systems like Data Execution Prevention (DEP), Rains warned, although it has forced attackers to up their game somewhat. The threat landscape has also changed significantly since the last service pack for XP came out in 2008 – five years is a very long time in the malware industry, after all.
Despite the ending of free XP security updates on April 8 of next year, Rains says he still meets businesses that run XP on some systems and plan to continue doing so until the hardware fails. According to recent data, 15 per cent of IT managers running XP don’t even realize support is ending, and they are going to have to shell out for premium support for security holes.
Tomi Engdahl says:
Facebook is seen as a special episode. Palestinian young people notice the security problem is not taken seriously. So he broke CEO Mark Zuckerberg’s Facebook pages and advised there.
facebook vulnerability 2013
http://khalil-sh.blogspot.co.uk/p/facebook_16.html
Facebook Exploit [ post to facebook users even they are not in friendl list]
i report that exploit through whitehat –> http://www.facebook.com/whitehat
facebook security replay was that the link gives error opening
after my second report i record this video which shows the exploit
They told him flat out when he reported it “this is not a bug” they didn’t ask for more info or anything. He post on zuck’s page then it becomes a bug but he violated TOS.. That’s a no win right there
There was mistake on Khalil part that he didn’t included technical information for reproducing the bug in first report. But Facebook guys were more stupid not to ask for further technical details or any demo
Tomi Engdahl says:
Prison Computer ‘Glitch’ Blamed for Opening Cell Doors in Maximum-Security Wing
http://www.wired.com/threatlevel/2013/08/computer-prison-door-mishap/
Florida prison officials say a computer “glitch” may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons.
But a surveillance video released this week (see above) suggests that the doors may have been opened intentionally — either by a staff member or remotely by someone else inside or outside the prison who triggered a “group release” button in the computerized system.
It’s not the first time that an apparent glitch with the release occurred.
“The software in the computer has only one kind of thing, operator error, and we don’t know what triggers that, so part of the inquiry is to find out what the software is saying,” he said.
J.C. Dugue, Williams’s attorney, told WIRED that it’s hard to imagine the doors in Florida opened without an assist from guards or some other accomplice on the inside.
But a trio of security researchers — John Strauchs, Teague Newman, and Tiffany Rad — say that many prison systems have vulnerabilities that can be exploited remotely by hackers or accomplices from inside or outside a prison. They have examined systems at a number of facilities and two years ago presented their findings at the DefCon hacker conference in Las Vegas.
Some of the vulnerabilities exist in the architecture and configuration of the systems, causing them to be accessible via the internet. Other vulnerabilities exist in the programmable logic controllers that are used to control not only prison doors, but surveillance cameras and other prison systems. Many PLCs use Ladder Logic programming and a communications protocol that have no security protections built into them. There are also vulnerabilities in the Windows-based desktop machines that are used to monitor and program the PLCs. Anyone who gains access to these computers can control the PLCs and the operations they monitor, the researchers say.
According to Strauchs, a hacker could install malware to gain control of prison computers
“Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers wrote in a paper they released in 2011. “Access to any part, such as a remote intercom station, might provide access to all parts.”
Prison systems have a cascading release function so that in an emergency
Newman told WIRED that the diagram seems to indicate that control systems for doors are properly segmented and are not immediately accessible from the internet.
Ryan told WIRED he had never considered the possibility that the system might have been hacked — either from an insider or an outsider — but said investigators would now look into that.
Tomi Engdahl says:
David Miranda, schedule 7 and the danger that all reporters now face
http://www.theguardian.com/commentisfree/2013/aug/19/david-miranda-schedule7-danger-reporters
As the events in a Heathrow transit lounge – and the Guardian offices – have shown, the threat to journalism is real and growing
On Sunday morning David Miranda, the partner of Guardian columnist Glenn Greenwald, was detained as he was passing through Heathrow airport on his way back to Rio de Janeiro, where the couple live. Greenwald is the reporter who has broken most of the stories about state surveillance based on the leaks from the former NSA contractor Edward Snowden. Greenwald’s work has undoubtedly been troublesome and embarrassing for western governments. But, as the debate in America and Europe has shown, there is considerable public interest in what his stories have revealed about the right balance between security, civil liberties, freedom of speech and privacy.
Miranda is not a journalist, but he still plays a valuable role in helping his partner do his journalistic work.
That work is immensely complicated by the certainty that it would be highly unadvisable for Greenwald (or any other journalist) to regard any electronic means of communication as safe.
Miranda was held for nine hours under schedule 7 of the UK’s terror laws, which give enormous discretion to stop, search and question people who have no connection with “terror”, as ordinarily understood.
Miranda was held for nine hours under schedule 7 of the UK’s terror laws, which give enormous discretion to stop, search and question people who have no connection with “terror”, as ordinarily understood.
We are not there yet, but it may not be long before it will be impossible for journalists to have confidential sources. Most reporting – indeed, most human life in 2013 – leaves too much of a digital fingerprint. Those colleagues who denigrate Snowden or say reporters should trust the state to know best (many of them in the UK, oddly, on the right) may one day have a cruel awakening. One day it will be their reporting, their cause, under attack. But at least reporters now know to stay away from Heathrow transit lounges.
Tomi Engdahl says:
U.K. government thought destroying Guardian hard drives would stop Snowden stories
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/19/u-k-government-thought-destroying-guardian-hard-drives-would-stop-snowden-stories/
In a remarkable post, Guardian editor Alan Rusbridger describes how the British government raided the Guardian’s offices in order to destroy hard drives containing information provided by NSA leaker Edward Snowden. The British government had been pressuring the Guardian to return or destroy the Snowden documents. Rusbridger says he tried to explain that destroying hard drives would be pointless
Rusbridger says the Guardian’s investigative work will continue. “We will continue to do patient, painstaking reporting on the Snowden documents,” he writes. “We just won’t do it in London.”
Tomi Engdahl says:
Barton Gellman: Evidence portrays NSA as ‘flawed organization’
http://www.washingtonpost.com/posttv/video/onbackground/barton-gellman-nsa-a-flawed-organization/2013/08/19/4cc05b2c-08f1-11e3-9941-6711ed662e71_video.html
Barton Gellman, a senior fellow at The Century Foundation, first reported for the The Washington Post on the National Security Agency’s extensive surveillance programs.
Tomi Engdahl says:
White House Taps McAfee CTO for Cybersecurity Post
http://blogs.wsj.com/digits/2013/08/19/white-house-taps-mcafee-cto-for-cybersecurity-post/
The Obama administration officially tapped a senior executive at the computer-security giant McAfee to be the Department of Homeland Security’s top cybersecurity official.
Phyllis Schneck, a vice president and chief technology officer for the public sector at McAfee, a unit of Intel, will start in early September as the deputy undersecretary for cybersecurity, a DHS official said. Homeland Security takes a leading role in protecting U.S. networks from foreign and domestic hackers.
She steps into a position that has had an active revolving door lately.
Washington has struggled of late to determine how heavy a hand it will take in dealing with the private sector. One contentious issue is whether the government should set minimum standards that companies in key industries like banking and energy should meet in order to protect their networks from cyberattacks. Companies generally want to set up their own criteria.
“We have strengthened partnerships with the private sector to secure cyber networks and protect physical assets,” outgoing DHS Secretary Janet Napolitano said in a written statement.
Tomi Engdahl says:
Required to use SNMPv3?
http://www.dpstele.com/dpsnews/snmp_snmpv3_mediation_equipment.php?article_id=58829&m_row_id=1999640&mailing_id=10478&link=S&uni=229765212f79946b46
How much SNMP v1 & v2c equipment do you have in your network? At most companies, it’s a big number.
Despite the obvious advantages of an open standard, early versions of SNMP (v1 & v2c) were not built with security in mind. This poses a big challenge today if you work at a security-conscious organization, like a utility or government entity, that now requires encrypted SNMPv3.
If you’ve got a lot of SNMP v1 & v2c equipment in your network combined with a requirement to use only secure SNMPv3, it may seem like you’ve been given 2 incompatible goals:
1. Stop using all of your SNMP v1 & v2c equipment.
2. Don’t spend budget money on new SNMPv3 equipment.
What you need is a small (and relatively inexpensive) box that will mediate SNMP v1 & v2c traps to encrypted SNMPv3.
Your older SNMP equipment will send unencrypted traps only as far as the local NetGuardian (not across the wider network). The NetGuardian will convert the trap to SNMPv3 and send it back to your central SNMP manager.
Tomi Engdahl says:
ENISA, reveals some surprising reasons why millions of net users are suffering from last year’s communications are disrupted.
The greatest harm caused problems do not suddenly joined the online crime, but it’s pretty traditional computer errors. This is reflected in network security ENISA, the European Union, to improve the authority’s report , which says the network operation last year.
Network congestion problems were overwhelming, as measured by how many users each case on average touched. The average was up to 9.4 million users. Software Errors placed second in 4.3 million users per case and power failures third with 3.1 million users.
Launch cyber-attacks reached after the first four, therefore, for an average of “only” about 1.8 million users per case.
ENISA, the hardware failure was clearly the most common cause of network problems, and broken switches were mostly to blame for the problems.
Source: http://www.digitoday.fi/yhteiskunta/2013/08/20/patkiiko-netti-tassa-syyt/201311522/66
Tomi Engdahl says:
UK Government Destroys Guardian’s Snowden Drives
http://news.slashdot.org/story/13/08/20/0217238/uk-government-destroys-guardians-snowden-drives
“An anonymous reader writes with revelations that the UK government has been pressuring the Guardian over its publication of the Snowden leaks for a while, and that it ultimately ended with GHCQ officials smashing drives of data to pieces.”
Tomi Engdahl says:
Why the NSA Can’t Replace 90% of Its System Administrators
http://it.slashdot.org/story/13/08/19/2221257/why-the-nsa-cant-replace-90-of-its-system-administrators
“Curious about the recently purposed NSA cuts, Courtney Nash explores a few myths about systems automation ‘In the aftermath of Edward Snowden’s revelations about NSA’s domestic surveillance activities, the NSA has recently announced that they plan to get rid of 90% of their system administrators via software automation in order to “improve security.”
Tomi Engdahl says:
Automation Myths
The NSA Can’t Replace 90% of Its System Administrators
http://programming.oreilly.com/2013/08/automation-myths.html
In the aftermath of Edward Snowden’s revelations about NSA’s domestic surveillance activities, the NSA has recently announced that they plan to get rid of 90% of their system administrators via software automation in order to “improve security.” So far, I’ve mostly seen this piece of news reported and commented on straightforwardly. But it simply doesn’t add up. Either the NSA has a monumental (yet not necessarily surprising) level of bureaucratic bloat that they could feasibly cut that amount of staff regardless of automation, or they are simply going to be less effective once they’ve reduced their staff.
I talked with a few people who are intimately familiar with the kind of software that would typically be used for automation of traditional sysadmin tasks (Puppet and Chef). Typically, their products are used to allow an existing group of operations people to do much more, not attempting to do the same amount of work with significantly fewer people. The magical thinking that the NSA can actually put in automation sufficient to do away with 90% of their system administration staff belies some fundamental misunderstandings about automation. I’ll tackle the two biggest ones here.
1. Automation replaces people. Automation is about gaining leverage–it’s about streamlining human tasks that can be handled by computers in order to add mental brainpower.
2. Automation increases security. Automation increases consistency, which can have a relationship with security. Prior to automating something, you might have a wide variety of people doing the same thing in varying ways, hence with varying outcomes. From a security standpoint, automation provides infrastructure security, and makes it auditable. But it doesn’t really increase data/information security (e.g. this file can/cannot live on that server)–those too are human tasks requiring human judgement.
tomi says:
Three Banks Lose Millions After Wire Transfer Switches Hacked
http://news.slashdot.org/story/13/08/21/027243/three-banks-lose-millions-after-wire-transfer-switches-hacked
“Criminals have stolen millions from three unnamed U.S. banks by launching slow and stealthy denial of service attacks as a distraction before attacking wire payment switches. The switches manage and execute wire transfers”
Tomi Engdahl says:
Millions stolen from US banks after ‘wire payment switch’ targeted
http://www.scmagazine.com.au/News/354155,millions-stolen-from-us-banks-after-wire-payment-switch-targeted.aspx
Criminals have recently hijacked the wire payment switch at several US banks to steal millions from accounts, a security analyst says.
Gartner vice president Avivah Litan said at least three banks were struck in the past few months using “low-powered” distributed denial-of-service (DDoS) attacks meant to divert the attention and resources of banks away from fraudulent wire transfers simultaneously occurring.
The loses “added up to millions [lost] across the three banks”, she said.
“It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours.”
The attack against the wire payment switch — a system that manages and executes wire transfers at banks — could have resulted in even far greater loses, Litan said.
It differed from traditional attacks which typically took aim at customer computers to steal banking credentials such as login information and card numbers.
“The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first,” she said.
“That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”
Researchers at Dell SecureWorks in April detailed how DDoS attacks were used as a cover for fraudulent attacks against banks.
Litan suggested that financial institutions “slow down” their money transfer system when experiencing DDoS attacks in order to minimise the impact of such threats.
Tomi Engdahl says:
Security expert kick-starts fund to pay Facebook bug finder a $10K bounty
Khalil Shreateh, who was rebuffed by Facebook, says, ‘Thank you so much’
http://www.computerworld.com/s/article/print/9241749/Security_expert_kick_starts_fund_to_pay_Facebook_bug_finder_a_10K_bounty
After a Palestinian researcher was denied a bug bounty by Facebook, Marc Maiffret, CTO of BeyondTrust, kicked off a crowd-sourced fund yesterday to come up with a reward.
The researcher, Khalil Shreateh, expressed his gratitude today to Maiffret and others who have contributed to the fund.
Seventy-nine people have contributed nearly $9,000 in the last 24 hours to an account that will be handed over to Shreateh once it reaches the goal of $10,000.
Earlier this month Shreateh reported a vulnerability to Facebook’s bug bounty program, saying that he had found a way to post content to any user’s timeline, even when not on a victim’s friends list. Facebook rebuffed him in return emails and ultimately claimed his discovery wasn’t a bug.
Frustrated, Shreateh took matters into his own hands and planted a message on CEO Mark Zuckerberg’s Facebook timeline.
That got the attention of Facebook’s security engineers, who quickly locked Shreateh out of his account. After restoring his access, Facebook said it would not pay him a bounty.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” said Facebook software engineer Matt Jones in a Sunday entry on Hacker News. “Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
Jones did acknowledge that Facebook should have asked Shreateh for more information before dismissing his report, but he also ticked off a list of reasons, including the fact that Facebook receives “hundreds of reports each day” and the lack of detailed proof in Shreateh’s original report. He also intimated that Shreateh’s poor English skills had been a problem.
In an interview on CNN Monday, Maiffret took exception to Facebook’s decision not to reward Shreateh.
“Ultimately, he helped kill a bug that could have been used by pretty bad guys out there to do things against Facebook users,” said Maiffret. “Ultimately, he did a great thing and I don’t think that should be lost in all this.”
The vulnerability was certainly worth money to criminals, Maiffret asserted.
Tomi Engdahl says:
NSA files: why the Guardian in London destroyed hard drives of leaked files
http://www.theguardian.com/world/2013/aug/20/nsa-snowden-files-drives-destroyed-london
A threat of legal action by the government that could have stopped reporting on the files leaked by Edward Snowden led to a symbolic act at the Guardian’s offices in London
Guardian editors on Tuesday revealed why and how the newspaper destroyed computer hard drives containing copies of some of the secret files leaked by Edward Snowden.
The decision was taken after a threat of legal action by the government that could have stopped reporting on the extent of American and British government surveillance revealed by the documents.
The editor of the Guardian, Alan Rusbridger, had earlier informed government officials that other copies of the files existed outside the country and that the Guardian was neither the sole recipient nor steward of the files leaked by Snowden, a former National Security Agency (NSA) contractor. But the government insisted that the material be either destroyed or surrendered.
Tomi Engdahl says:
US doesn’t know what Snowden took, sources say
http://investigations.nbcnews.com/_news/2013/08/20/20108770-us-doesnt-know-what-snowden-took-sources-say?lite
More than two months after documents leaked by former contractor Edward Snowden first began appearing in the news media, the National Security Agency still doesn’t know the full extent of what he took, according to intelligence community sources, and is “overwhelmed” trying to assess the damage.
Officials, including NSA Director Keith Alexander, have assured the public that the government knows the scope of the damage, but two separate sources briefed on the matter told NBC News that the NSA has been unable to determine how many documents he took and what they are.
Tomi Engdahl says:
New Details Show Broader NSA Surveillance Reach
Programs Cover 75% of Nation’s Traffic, Can Snare Emails
http://online.wsj.com/article_email/SB10001424127887324108204579022874091732470-lMyQjAxMTAzMDIwMDEyNDAyWj.html
The National Security Agency—which possesses only limited legal authority to spy on U.S. citizens—has built a surveillance network that covers more Americans’ Internet communications than officials have publicly disclosed, current and former officials say.
The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between citizens within the U.S. and also filters domestic phone calls made with Internet technology, these people say.
The NSA’s filtering, carried out with telecom companies, is designed to look for communications that either originate or end abroad, or are entirely foreign but happen to be passing through the U.S. But officials say the system’s broad reach makes it more likely that purely domestic communications will be incidentally intercepted and collected in the hunt for foreign ones.
The programs, code-named Blarney, Fairview, Oakstar, Lithium and Stormbrew, among others, filter and gather information at major telecommunications companies.
The NSA defends its practices as legal and respectful of Americans’ privacy.
The NSA’s U.S. programs have been described in narrower terms in the documents released by former NSA contractor Edward Snowden. One, for instance, acquires Americans’ phone records; another, called Prism, makes requests for stored data to Internet companies. By contrast, this set of programs shows the NSA has the capability to track almost anything that happens online, so long as it is covered by a broad court order.
Tomi Engdahl says:
Info Leak Wars To Get Messier
http://yro.slashdot.org/story/13/08/20/2241241/info-leak-wars-to-get-messier
“the partner of the Guardian’s Glenn Greenwald, was detained while transporting encrypted data on the Snowden affair from Berlin; all his electronics were seized.”
“British police destroyed more of the newspaper’s hard drives.”
“Privacy blogger Dan Tynan sees where this one is going: reporters like Greenwald are going to stop even bothering to be circumspect with their revelations.”
Tomi Engdahl says:
In the 21st century surveillance state, we are all terrorists
http://www.itworld.com/it-management/369776/21st-century-surveillance-state-we-are-all-terrorists
Intimidating reporters, destroying their computers, detaining them under false pretenses — it’s all in a day’s work for today’s modern spy agency.
“You’ve had your debate. There’s no need to write any more.”
These chilling words were delivered by an unnamed official of Her Majesty’s Secret Service to UK Guardian editor Alan Rusbridger, shortly before he was ordered to destroy every computer and hard drive containing files given to the Guardian by Edward Snowden.
This encounter happened more than a month ago. Rusbridger only revealed it yesterday after British secret service detained David Miranda at Heathrow Airport under Schedule 7 of the UK’s Terrorism Act 2000, the British equivalent of the Patriot Act.
That law allows UK officials to detain suspected terrorists for up to 9 hours while denying them contact with anyone else. And that’s exactly what they did. The Brits also confiscated all of Miranda’s digital gear – which, presumably, contained more documents from Edward Snowden.
Miranda is the boyfriend of journalist Glenn Greenwald.
I think even lifelong British bureaucrats understand that destroying the Guardian’s hardware did nothing to destroy the data that lives on it. Encrypted copies abound – if not in England, then certainly in Russia, Germany, and Brazil.
Datapocalypse
Still I think this strategy will backfire horribly on the spooks. Because here’s what is most likely to happen.
So far, I think, the Guardian and others have exercised reasonable restraint in what they have reported. They are at least attempting to understand the data before presenting it, and to maintain a balance between the public’s right to know and putting lives or even countries in danger. Reasonable people can disagree about how good a job they’re doing at that, but it’s clear they’re trying to achieve a level of responsible disclosure (unlike, say, Julian Assange did when he released 250,000 unredacted state department cables from Bradley Manning).
If you detain reporters at the airport and confiscate their thumb drives or force them to destroy computers, they will stop trying to parse the data and redact the most sensitive bits. The only safe way to handle this information in the future would be to distribute it as widely and quickly as possible.
In other words, a total Internet data free for all, open to anyone and everyone – including foreign spies and actual terrorists. Is that the world we want to live in? I don’t think so. But it’s far preferable to one in which no one dares speak at all, lest they become one more “mistake.”
Tomi Engdahl says:
Florida Town Stores License Plate Camera Images For Ten Years
http://tech.slashdot.org/story/13/08/20/2250214/florida-town-stores-license-plate-camera-images-for-ten-years
“Yet another privacy concern story, this time from Florida. The Longboat Key police have their new license plate camera up and running, but according to the police chief, this one stores all images as ‘evidence’ for up to ten years.”
“What could possibly go wrong?”
Tomi Engdahl says:
British Newspaper Has Advantages in Battle With Government Over Secrets
http://www.nytimes.com/2013/08/21/world/europe/british-news-organization-has-advantages-in-secrets-battle-with-government.html?pagewanted=all
Alan Rusbridger, the mop-haired, soft-spoken editor of The Guardian newspaper, finds himself in a shadowy battle with the British government over purloined secrets that the government will have a hard time winning in the Internet age.
It was deeply involved in publishing the WikiLeaks material and with that organization’s impresario, Julian Assange, and now with the lawyer Glenn Greenwald and the former National Security Agency contractor, turned leaker, Edward J. Snowden.
Having gone global and remained free to readers on the Web, with a newsroom in New York as well as in London, The Guardian is a much harder news organization than most to intimidate or censor, as the British government, with no written Constitution or Bill of Rights to enshrine protections of free speech, has discovered.
“You have powerful protections in America that we don’t,”
In conversations with him, the British government threatened the paper with “prior restraint,” he said, to stop it from publishing material, and then demanded that The Guardian return or destroy the classified material it was holding.
“It was quite explicit: we had to destroy it or give it back to them,” Mr. Rusbridger said in an earlier interview with the BBC. “I explained that there were other copies, not within the U.K., so I couldn’t see the point of destroying one copy. But because we had other copies I was happy to destroy a copy in London.”
“If the police believe that an individual is in possession of highly sensitive stolen information that would help terrorism, then they should act, and the law provides them a framework to do that,” the spokeswoman said. “Those who oppose this sort of action need to think about what they are condoning.”
The officials then threatened legal action to obtain the documents. Then two security experts from Britain’s Government Communications Headquarters, known as G.C.H.Q., the counterpart to the American National Security Agency, came to oversee the destruction of hard drives in The Guardian basement by Guardian executives, Mr. Rusbridger said.
He called it “one of the most bizarre moments in The Guardian’s long history.”
“’If you’re not on our side, you’re on the side of the terrorists,’ is what they’re trying to say,” Mr. Davis said.
Robert Wintemute, a professor of human rights law at King’s College, London, said that “I hope this is an aberration rather than a signal of a wider clampdown” on press freedom and human rights.
this site says:
“Heather,
I’m sorry you had such a bad experience with such nasty health consequences from following the advice of folks who have no responsibility and accountability to others as part of their ethical codes in dispersing health information.”
Tomi Engdahl says:
Secret court ‘troubled’ by NSA surveillance, ruled illegal
http://www.zdnet.com/nsa-surveillance-ruled-illegal-and-unconstitutional-7000019699/
Summary: A secret Washington D.C.-based surveillance court found an NSA email and data collection program illegal in 2011, as it collected tens of thousands of American emails each year.
The U.S. government on Wednesday released a secret court ruling that found some surveillance conducted by the National Security Agency illegal.
The Electronic Frontier Foundation (EFF) heralded the release of the 86-page opinion by the Foreign Intelligence Surveillance Court (FISC), set up under its namesake 1978 act, as a “victory.”
The Director for National Intelligence James Clapper announced in a statement, following the release of the court opinion, the establishment of a review group which will report on the U.S.’ surveillance capabilities by mid-December.
The group will assess “whether the U.S. employs its technical collection capabilities in a manner that optimally protects our national security [...] while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust.”
It comes after weeks of leaks releases by a number of U.K. and U.S. newspapers and outlets acquired by former NSA contractor Edward Snowden, who blew the whistle on a number of U.S. government surveillance programs in June.