The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security is becoming an increasingly important issue. The year 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and a willingness to face unknown threats.
Hacktivism will continue. According to the article “Anonymous: ‘Expect us 2013’”, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and now test their devices more. But how well do some smaller manufacturers do security testing? Metasploit has a special category for SCADA devices. It is a good idea to test your devices against it.
There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation safety standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA systems security.
Nowadays you need to think about SCADA system security more than some years ago. Previously, it was thought that it is sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet. Accidental connections to the Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.
Systems with SCADA vulnerabilities have become easier to find. The article “Hackers tap SCADA vuln search engine” tells that a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
The article “Thousands of SCADA Devices Discovered On the Open Internet” tells that there is a steady stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. The Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. The GPS system is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
The article “Happy now? Mobiles, cloud, big data now ‘a growing security risk’” tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.
The article “Africa’s Coming Cyber-Crime Epidemic” tells that the last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected. Combined with lax law enforcement, this is a perfect petri dish for increased cybercrime.
A Europe-wide cyber police has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
7000 malware programs in Android software stores
Criminals put large quantities of dangerous programs into Android app stores, says the virus protection researcher AV-Comparatives. The problems are concentrated in one area.
The problems are rampant in Asia
AV-Comparatives found a total of 7175 malicious programs in the app stores it surveyed. Among them, 3778 were directly damaging malware.
In addition, 3397 programs behaved improperly. The latter group consisted mainly of adware and spyware.
The problems were strongest in Asia, and in China in particular. Nearly 95 percent of the harmful applications were distributed in software stores in these areas.
AV-Comparatives estimates that one reason for the poor situation in Asia is the very rapid growth of the Android market in those areas. Criminals have seen in it an opportunity to earn more money. Malicious software aims to spread to users’ devices by camouflaging itself as attractive applications.
Source: http://www.tietokone.fi/artikkeli/uutiset/7000_tuholaista_android_ohjelmakaupoissa
Tomi Engdahl says:
Tor gets new users because of the stir over revealed spying
The number of Tor users in Finland has increased from 2000 to about 4000.
It is estimated that there are 1.2 million anonymous Tor web surfers in the world.
The number of Tor users has increased rapidly after Edward Snowden’s revelations, from the earlier 500 000 to the current 1.2 million.
Tor is a free software package that is based on encrypting network traffic and directing it through several anonymous servers.
Tor also allows hidden services to be set up. In the Tor network it is possible to create web sites that are invisible to search engines, that can be found only by knowing their address, and whose geographical location is almost impossible to uncover.
User numbers are estimates, which are derived from the traffic data of “a few dozen” Tor servers. The Tor Project is not able to accurately monitor the activities of its users.
Source: http://www.tietokone.fi/artikkeli/uutiset/tor_saa_uusia_kayttajia_vakoilukohun_vuoksi
Tomi Engdahl says:
Researchers reverse-engineer the Dropbox client: What it means
http://www.techrepublic.com/blog/it-security/researchers-reverse-engineer-the-dropbox-client-what-it-means/
There were doubts about being able to reverse engineer heavily-obfuscated applications written in Python. Two researchers have removed all doubt by reverse engineering the immensely popular Dropbox client.
Dropbox’s success hasn’t come without a few hiccups, which brings me to the point of this article. It seems the crew at Dropbox has another problem to contend with, all because of Dhiru Kholia and Przemyslaw Wegrzyn.
“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.”
Tomi Engdahl says:
Every tenth activates an e-mail virus
Halon, a developer of security routers, investigated Americans’ experiences of e-mail viruses and other malicious programs. Almost all have received harmful e-mails. Almost one in ten has opened harmful attachments.
The survey was conducted by TNS Global. According to it, 94.7 percent of Americans have received malicious e-mails. 8.8 percent of these, or about one in eleven, opened the harmful attachment and activated the virus on their computer.
What is worrying is that on the side receiving the message almost one-third had already opened the attachment, but fortunately left the malware activated.
One in three Americans admits to opening a suspicious e-mail if the message subject is of interest. A subject referring to social media interests women, while men like money, power and sex.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=284:joka-kymmenes-aktivoi-sahkopostiviruksen&catid=13&Itemid=101
Tomi Engdahl says:
18-Year-Old Syrian Hacker Says It Took 3 People Just Hours To Compromise New York Times, Twitter
http://finance.yahoo.com/news/18-old-syrian-hacker-says-142900489.html
On Tuesday, The New York Times, Twitter, and the Huffington Post U.K. suffered website difficulties after apparently coming under attack from the Syrian Electronic Army (SEA).
The pro-Assad SEA appears to have been able to attack the domain name registrar for the websites, changing ownership of the sites to “SEA.” In the case of The New York Times, the attack appeared to take the website down for a number of hours.
Asked if SEA were involved in the attack and why Twitter — a technology company as opposed to SEA’s standard media company targets — was attacked, he responded:
Yes we are, we attacked Twitter because the suspensions of our accounts for 15 times and we did warned them, NYtimes was hacked as a part of our campaign against the media who keep publishing false/fabricated news about Syria
The group had begun planning the attack just a few days ago, according to Th3 Pro. “We started collecting information about Melbourne IT [the companies' domain name registrar] and what the domains that they are hosting it like a 2 days ago,” he emailed, adding that just three people were involved in the attack and that Twitter and The New York Times were the primary targets.
The attack on The New York Times and Twitter may appear to be a step up from previous attacks, which were enabled by phishing for passwords and usually focused on Twitter accounts — low-hanging fruit, really. However, as Christopher Mims of Quartz notes, they were probably enabled by a phishing attack on Melbourne IT with a creative use of relatively simple techniques. Melbourne IT told CNET that “the credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems.”
Tomi Engdahl says:
“The U.S. has the best on-line guns” – deep in enemy networks
The United States has the world’s most powerful Internet attack weapons, says General Keith Alexander, who leads the NSA and the military’s network operations. He says that the United States has obtained a permanent foothold deep in enemy networks. The country has built a strong network warfare machinery.
In recent years, allegations of cyber attacks and penetration of enemy networks have been directed especially at China. Now, however, the United States is in fact saying that its network warfare systems and operations are stronger than those of other countries.
This emerges from a hearing of the U.S. Congress Armed Services Committee (pdf), which was attended by General Keith B. Alexander. He leads the spy agency NSA, the Central Security Service, and the U.S. military’s network warfare command (Cyber Command). They are all located in Fort Meade outside Washington.
“We believe that our ability to attack is the best in the world,” Alexander said.
“Network attacks require a deep, lasting and widespread presence in the enemy’s computer networks, so that attack actions can be targeted,” he says. According to Alexander, the United States must maintain continuous access to the enemies’ networks and acquire an accurate picture of the enemy. At the same time, the necessary attack functions are developed.
Alexander thus acknowledges that U.S. soldiers are operating deep in the enemy’s computer networks.
The United States follows the same model in network warfare as in conventional warfare. Some of the operations are handled within the military, but private enterprises are widely used to help. In particular, weapon systems development is outsourced to the defense industry.
Other countries are catching up
Keith Alexander warned the Congress committee that other countries’ network operations abilities are growing rapidly. For the United States to maintain its lead, according to Alexander, it should continue the rapid development of network warfare systems.
In recent years, for example, China has widely penetrated U.S. corporate systems. This has given rise to fears that the attackers would have sneaked into, say, electricity or water supply systems. Attackers would thus have the opportunity to sabotage society’s key functions in a war.
Source: http://www.tietokone.fi/artikkeli/uutiset/usa_lla_parhaat_nettiaseet_syvalla_vihollisten_verkoissa
Tomi Engdahl says:
INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY ISSUES TO SUPPORT THE FUTURE FORCE
http://www.gpo.gov/fdsys/pkg/CHRG-113hhrg80187/pdf/CHRG-113hhrg80187.pdf
Tomi Engdahl says:
Unpatched Mac bug gives attackers “super user” status by going back in time
Exploiting the five-month-old “sudo” flaw in OS X just got easier.
http://arstechnica.com/security/2013/08/unpatched-mac-bug-gives-attackers-super-user-status-by-going-back-in-time/
Researchers have made it easier to exploit a five-month-old security flaw that allows penetration testers and less-ethical hackers to gain nearly unfettered “root” access to Macs over which they already have limited control.
The authentication bypass vulnerability was reported in March and resides in a Unix component known as sudo. While the program is designed to require a password before granting “super user” privileges such as access to other users’ files, the bug makes it possible to obtain that sensitive access by resetting the computer clock to January 1, 1970. That date is known in computing circles as the Unix epoch, and it represents the beginning of time as measured by the operating system and most of the applications that run on it. By invoking the sudo command and then resetting the date, computers can be tricked into turning over root privileges without a password.
Developers of Metasploit, an open-source software framework that streamlines the exploitation of vulnerabilities in a wide array of operating systems and applications, recently added a module that makes it easier to exploit the sudo vulnerability on Macs. The addition capitalizes on the fact that all versions of OS X from 10.7 through the current 10.8.4 remain vulnerable. While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes, thanks to the systemsetup binary.
Mac users should realize that an attacker must satisfy a variety of conditions before being able to exploit this vulnerability.
“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” HD Moore, the founder of the Metasploit project and the chief research officer at security firm Rapid7, told Ars.
Tomi Engdahl says:
Tech Companies and Government May Soon Go to War Over Surveillance
http://www.wired.com/opinion/2013/08/stop-clumping-tech-companies-in-with-government-in-the-surveillance-scandals-they-may-be-at-war/
Everyone assumes that technology companies like Apple, Facebook, and Google don’t care that their customers are being spied on. I don’t believe that’s true.
On the very day the media dropped detailed documents on the NSA’s X-Keyscore collection program, the Facebook engineering team published a blog post stating that all access to Facebook via apps and web browsers was now SSL encrypted. Given X-Keyscore was a program primarily designed to intercept unencrypted internet traffic, you could be forgiven for interpreting Facebook’s post as a middle finger pointed in NSA’s direction.
There are new interception hurdles everywhere you look. Even plain old SSL encryption is becoming more difficult to snoop on. Previously, governments could rely on complicit or compromised certificate authorities to provide them with the means to intercept encrypted traffic. Thanks to the Iranian government’s overly enthusiastic use of this technique, Google made changes to the Chrome browser to neuter the practice. Similar updates are expected soon in Internet Explorer. There goes another interception technique for law enforcement!
And it’s only going to get worse for the poor ole G-Men. Technology companies are enabling security features that make certain types of government surveillance extremely difficult, and it’s a trend that’s set to continue. That’s why the U.S. government has long wanted laws that force tech companies to make their products wiretap friendly.
It’s not just web providers that are making life more difficult for government intercepts. It would take Apple, for example, a negligible amount of development time to introduce the cryptographic anti-snooping features of OTR — a form of instant messaging encryption and authentication — into a protocol like iMessage. At the moment authorities can get in the middle of the keying process at Cupertino and read user content, if they show a warrant. But one simple iOS update and they won’t be able to do that anymore without setting off alarm bells.
There’s the rub. Currently, there’s no law stopping companies like Apple, Facebook, and Google from introducing such security changes or forcing them to build in backdoors. Why would Apple want its users migrating to cross-platform, anti-snooping messaging apps like Hemlis (by the founders of The Pirate Bay)? Especially when the company could push itself out of the surveillance business with its own technical tweaks before federal regulations force them to become key players in warrant execution.
You want us to execute that warrant for you? Ok, sure, but the user will get a nice big popup warning telling them that their messages are likely being intercepted!
The FBI has legitimate reasons to want these laws. Violating the civil rights of the general population isn’t its core business; wiretaps are vital to many legitimate investigations into awful crimes. Technology has changed enough over the past 30 years to believe that some communications legitimately targeted by the FBI and other agencies are “going dark”. (Even unencrypted internet-based messages are complicated to intercept. If the target of a warrant uses the in-game chat feature in Pokemon for Nintendo DS to communicate with a co-conspirator, forget about fancy encryption — how the hell are they going to decode that?)
Tomi Engdahl says:
U.S. spy network’s successes, failures and objectives detailed in ‘black budget’ summary
http://www.washingtonpost.com/world/national-security/black-budget-summary-details-us-spy-networks-successes-failures-and-objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd-bcdc09410972_story.html
U.S. spy agencies have built an intelligence-gathering colossus since the attacks of Sept. 11, 2001, but remain unable to provide critical information to the president on a range of national security threats, according to the government’s top-secret budget.
The $52.6 billion “black budget” for fiscal 2013, obtained by The Washington Post from former intelligence contractor Edward Snowden, maps a bureaucratic and operational landscape that has never been subject to public scrutiny.
The 178-page budget summary for the National Intelligence Program details the successes, failures and objectives of the 16 spy agencies that make up the U.S. intelligence community, which has 107,035 employees.
The summary describes cutting-edge technologies, agent recruiting and ongoing operations.
“The United States has made a considerable investment in the Intelligence Community since the terror attacks of 9/11, a time which includes wars in Iraq and Afghanistan, the Arab Spring, the proliferation of weapons of mass destruction technology, and asymmetric threats in such areas as cyber-warfare,” Director of National Intelligence James R. Clapper Jr. wrote in response to inquiries from The Post.
“Our budgets are classified”
Tomi Engdahl says:
NSA paying U.S. companies for access to communications networks
http://www.washingtonpost.com/world/national-security/nsa-paying-us-companies-for-access-to-communications-networks/2013/08/29/5641a4b6-10c2-11e3-bdf6-e4fc677d94a1_story.html
The National Security Agency is paying hundreds of millions of dollars a year to U.S. companies for clandestine access to their communications networks, filtering vast traffic flows for foreign targets in a process that also sweeps in large volumes of American telephone calls, e-mails and instant messages.
The bulk of the spending, detailed in a multi-volume intelligence budget obtained by The Washington Post, goes to participants in a Corporate Partner Access Project for major U.S. telecommunications providers. The documents open an important window into surveillance operations on U.S. territory that have been the subject of debate since they were revealed by The Post and Britain’s Guardian newspaper in June.
New details of the corporate-partner project, which falls under the NSA’s Special Source Operations, confirm that the agency taps into “high volume circuit and packet-switched networks,” according to the spending blueprint for fiscal 2013. The program was expected to cost $278 million in the current fiscal year, down nearly one-third from its peak of $394 million in 2011.
Tomi Engdahl says:
The NSA has its own team of elite hackers
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/29/the-nsa-has-its-own-team-of-elite-hackers/
Our Post colleagues have had a busy day. First, they released documents revealing the U.S. intelligence budget from National Security Agency (NSA) leaker Edward Snowden. Then they recounted exactly how the hunt for Osama bin Laden went down.
In that second report, Craig Whitlock and Barton Gellman shared a few tidbits about the role of the government’s hacking unit, Tailored Access Operations (TAO) in the hunt, writing that TAO “enabled the NSA to collect intelligence from mobile phones that were used by al-Qaeda operatives and other ‘persons of interest’ in the bin Laden hunt.”
Aid claims TAO is also responsible for developing programs that could destroy or damage foreign computers and networks via cyberattacks if commanded to do so by the president.
So, TAO might have had something to do with the development of Stuxnet and Flame, malware programs thought to have been jointly developed by the U.S. and Israel. The malware initially targeted the Iranian nuclear program, but quickly made its way into the digital wild.
According to Aid, TAO’s primary base is in the NSA headquarters in Fort Meade. There, he says, some 600 members of the unit work rotating shifts 24-7 in an “ultramodern” space at the center of the base called the Remote Operations Center (ROC).
But for all the reported secrecy surrounding TAO’s activities, a quick search of networking site LinkedIn shows a number of current and former intelligence community employees talking pretty openly about the exploits.
Tomi Engdahl says:
CoreText Font Rendering Bug Leads To iOS, OS X Exploit
http://apple.slashdot.org/story/13/08/29/155221/coretext-font-rendering-bug-leads-to-ios-os-x-exploit
“Android might be targeted by hackers and malware far more often than Apple’s iOS platform, but that doesn’t mean devices like the iPhone and iPad are immune to threats.”
Tomi Engdahl says:
NSA: NOBODY could stop Snowden – he was A SYSADMIN
Virtually unfettered access blew sensitive docs wide open
http://www.theregister.co.uk/2013/08/30/snowden_sysadmin_access_to_nsa_docs/
The US National Security Agency may have some of the most sophisticated cyber-surveillance programs in the world, but it was trivial for former NSA contractor Edward Snowden to walk off with sensitive data, sources say, owing to the agency’s antiquated internal security.
“The [Defense Department] and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” former US security official Jason Healey told NBC News on Thursday. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”
“It’s 2013,” an insider told NBC, “and the NSA is stuck in 2003 technology.”
For example, the NSA policy prevents a typical worker from doing things like copying files to USB thumb drives or other external storage. But Snowden had an easy way around those restrictions, simply by virtue of being classified as a “systems administrator”.
The NSA is reportedly only now piecing together the exact steps Snowden took to infiltrate its systems, including identifying specific users whose accounts he used to access documents. But there’s no clear paper trail – investigators are said to be looking for red-flag discrepancies, such as accounts that were accessed while their owners were on vacation.
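The red-flag check mentioned in the comment above (accounts accessed while their owners were on vacation), sketched as an added example that is not part of the original comment or the quoted article. The log format, field names, leave calendar and addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed leave calendar (e.g. an HR export): user -> list of
# (first_day, last_day) absences, both ends inclusive.
LEAVE = {
    "alice": [(date(2013, 5, 6), date(2013, 5, 17))],
    "bob": [(date(2013, 5, 20), date(2013, 5, 24))],
}

# Constructed access-log lines in a hypothetical "timestamp key=value ..." format.
LOG_LINES = [
    "2013-05-03T09:12:44 user=alice src=10.1.4.22 action=read object=/share/projA/plan.doc",
    "2013-05-09T23:41:07 user=alice src=10.1.9.80 action=read object=/share/projA/budget.xls",
    "2013-05-17T08:00:00 user=alice src=10.1.9.80 action=read object=/share/projB/notes.txt",
    "2013-05-18T10:00:00 user=alice src=10.1.4.22 action=read object=/share/projA/plan.doc",
    "2013-05-21T02:15:30 user=bob src=10.1.9.80 action=read object=/share/projC/design.pdf",
    "2013-05-21T11:00:00 user=carol src=10.1.4.30 action=read object=/share/projC/design.pdf",
    "corrupted line without fields",
]


def parse_line(line):
    """Return (timestamp, fields) or None when the line is not well-formed."""
    tokens = line.split()
    if not tokens:
        return None
    try:
        ts = datetime.fromisoformat(tokens[0])
    except ValueError:
        return None
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if "user" not in fields or "src" not in fields:
        return None
    return ts, fields


def on_leave(user, day, leave):
    """True if `day` falls inside any recorded absence of `user`."""
    return any(start <= day <= end for start, end in leave.get(user, []))


def flag_leave_access(lines, leave):
    """Return (findings, skipped): accesses made during the owner's leave,
    and the number of lines that could not be parsed. Unparsable lines are
    counted instead of silently dropped, since gaps in the log are
    themselves worth reviewing."""
    findings, skipped = [], 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ts, f = parsed
        if on_leave(f["user"], ts.date(), leave):
            findings.append((ts, f["user"], f["src"], f.get("object", "")))
    return findings, skipped


def accounts_by_source(findings):
    """Group flagged accounts by source address: one host touching several
    absent users' accounts is a stronger signal than a single hit."""
    by_src = defaultdict(set)
    for _, user, src, _ in findings:
        by_src[src].add(user)
    return {src: sorted(users) for src, users in by_src.items()}


if __name__ == "__main__":
    hits, bad = flag_leave_access(LOG_LINES, LEAVE)
    for ts, user, src, obj in hits:
        print(f"{ts.isoformat()} {user} from {src} -> {obj}")
    print("sources:", accounts_by_source(hits), "unparsed lines:", bad)
```

A check like this only works when the leave data is kept outside the reach of the administrators being reviewed, and legitimate remote access during leave still needs manual triage.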
Tomi Engdahl says:
New Snowden Leak Reports ‘Groundbreaking’ NSA Crypto-Cracking
http://www.wired.com/threatlevel/2013/08/black-budget/
The latest published leak from NSA whistleblower Edward Snowden lays bare classified details of the U.S. government’s $52.6 billion intelligence budget, and makes the first reference in any of the Snowden documents to a “groundbreaking” U.S. encryption-breaking effort targeted squarely at internet traffic.
The Post published only 43 pages from the document, consisting of charts, tables and a 5-page summary written by Director of National Intelligence James Clapper.
One of those methods, though, is hinted at in the Clapper summary — and it’s interesting. Clapper briefly notes some programs the intelligence agencies are closing or scaling back, as well as those they’re pouring additional funds into. Overhead imagery captured by spy satellites was slated for reduction, for example, while SIGINT, the electronic spying that’s been the focus of the Snowden leaks, got a fresh infusion.
“Also,” Clapper writes in a line marked “top secret,” “we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.”
The Post’s article doesn’t detail the “groundbreaking cryptanalytic capabilities” Clapper mentions, and there’s no elaboration in the portion of the document published by the paper. But the document shows that 21 percent of the intelligence budget — around $11 billion — is dedicated to the Consolidated Cryptologic Program that staffs 35,000 employees in the NSA and the armed forces.
Previous Snowden leaks have documented the NSA and British intelligence’s sniffing of raw internet traffic. But information on the NSA’s efforts to crack the encrypted portion of that traffic — which would include much of the email transiting the net — has remained absent; conspicuously so, given the NSA’s history as world-class codebreakers. The leaked budget document is the first published Snowden leak to touch upon the question of how safe routinely encrypted traffic is from cutting-edge nation-state spying.
Tomi Engdahl says:
Who Built the Syrian Electronic Army?
http://krebsonsecurity.com/2013/08/who-built-the-syrian-electronic-army/
A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.
Tomi Engdahl says:
HMRC nabs 5 after £500k ‘cyber attack’ on tax systems
Italian authorities helped taxman cuff suspect as he got off plane
http://www.theregister.co.uk/2013/08/30/hmrc_systems_subjected_to_alleged_tax_fraud_cyber_attack/
Computer systems operated by the UK’s tax authority have been subjected to a cyber attack in an attempted tax scam, it has said.
HMRC said that it suspects five men it arrested of using “illegally obtained personal data from third parties” to set up fake tax self-assessment accounts online in a bid to “steal large sums of false tax rebates”.
It said that the value of the attempted fraud would have amounted to £500,000.
Tomi says:
Feds plow $10 billion into “groundbreaking” crypto-cracking program
Consolidated Cryptologic Program has 35,000 employees working to defeat enemy crypto.
http://arstechnica.com/security/2013/08/feds-plow-10-billion-into-groundbreaking-crypto-cracking-program/
The federal government is pouring almost $11 billion per year into a 35,000-employee program dedicated to “groundbreaking” methods to decode encrypted messages such as e-mails, according to an intelligence black budget published by The Washington Post.
The 17-page document, leaked to the paper by former National Security Agency (NSA) contractor Edward Snowden, gives an unprecedented breakdown of the massive amount of tax-payer dollars—which reached $52 billion in fiscal 2013—that the government pours into surveillance and other intelligence-gathering programs. It also details the changing priorities of the government’s most elite spy agencies. Not surprisingly, in a world that’s increasingly driven by networks and electronics, they are spending less on the collection of some hard-copy media and satellite operations while increasing resources for sophisticated signals intelligence, a field of electronic spying feds frequently refer to as “SIGINT.”
“We are bolstering our support for clandestine SIGINT capabilities to collect against high priority targets, including foreign leadership targets,” James Clapper, director of national intelligence, wrote in a summary published by the WaPo. “Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic.”
Tomi says:
U.S. spy agencies mounted 231 offensive cyber-operations in 2011, documents show
http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html
U.S. intelligence services carried out 231 offensive cyber-operations in 2011, the leading edge of a clandestine campaign that embraces the Internet as a theater of spying, sabotage and war, according to top-secret documents obtained by The Washington Post.
That disclosure, in a classified intelligence budget provided by NSA leaker Edward Snowden, provides new evidence that the Obama administration’s growing ranks of cyberwarriors infiltrate and disrupt foreign computer networks.
Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget documents say the $652 million project has placed “covert implants,” sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions.
The scope and scale of offensive operations represent an evolution in policy, which in the past sought to preserve an international norm against acts of aggression in cyberspace, in part because U.S. economic and military power depend so heavily on computers.
“The policy debate has moved so that offensive options are more prominent now,”
Of the 231 offensive operations conducted in 2011, the budget said, nearly three-quarters were against top-priority targets, which former officials say includes adversaries such as Iran, Russia, China and North Korea and activities such as nuclear proliferation.
Tomi says:
Syrian Electronic Army ‘Hack’ Of The NYTimes Was The Exact Remedy MPAA Demanded With SOPA
http://www.techdirt.com/articles/20130828/15432924343/syrian-electronic-army-hack-nytimes-was-exact-remedy-mpaa-demanded-with-sopa.shtml
There were many, many concerns related to SOPA and PIPA when they were proposed, but the absolute biggest was the use of DNS blocking as a “remedy” against sites where it was alleged that infringement was a primary purpose. Of course, as tons of technology experts point out, any form of DNS filtering or redirecting would be a security nightmare and would do almost nothing to actually stop infringement.
As you may have heard, this week the Syrian Electronic Army was effectively able to “take down” nytimes.com by engaging in a bit of DNS hacking, which was really nothing more than a DNS redirect. As Rob Pegoraro points out, this is the same basic remedy that the MPAA wanted so badly with SOPA.
So it’s somewhat ineffective for blocking (though, very effective for drawing much more attention to what you want blocked). It was a dumb idea by the technologically illiterate folks at the MPAA to suggest a form of DNS hacking as any kind of remedy to copyright infringement, and the NY Times redirect hack just made that even clearer.
Tomi says:
Snowden is great news for hybrid cloud says VMware
Customers don’t want no steeenking NSA sniffing their data
http://www.theregister.co.uk/2013/08/27/vmware_says_snowdens_great_news_for_hybrid_cloud_business/
VMworld 2013 Edward Snowden’s revelations about the extent of the online snoopery in the US are good for business, say VMware CEO Pat Gelsinger and COO Carl Eschenbach.
Speaking today at VMworld 2013, the pair were asked if Snowden’s leaks are changing customers’ attitudes to public clouds. Both answered in the affirmative.
“We have clearly seen sensitivity has increased since Snowden’s disclosure,” Gelsinger said, adding that he’s now feeling a bit smug about VMware’s plan to offer hybrid cloud services deeply integrated with on-premises IT, an arrangement under which users can keep confidential data in their own data centres.
“This re-enforces that our strategy is the right one,” he said. The strategy is playing particularly well outside the USA. “As we go to foreign countries it is critical infrastructure be on their soil,” he said.
Eschenbach concurred, saying “the US government is validation that users will leverage hybrid clouds. It is not if but when people take advantage of hybrid cloud.”
Tomi says:
India Wants To Ban US-Based Email Systems For Government Communications Over NSA Concerns
http://www.techdirt.com/articles/20130830/10502924366/india-banning-us-based-email-systems-government-communications-over-nsa-concerns.shtml
Back in June and July, during much more innocent times, Glyn Moody and Tim Cushing doubled up on stories about the intrusive surveillance system India had set up and commented on how the NSA must have been drooling over having that kind of capability. Now, those stories probably seem sweetly ignorant, since we know much more about what the NSA is both capable of doing and how little restraint they suffer, but the point is that India is not made up of saints when it comes to respecting the privacy of their citizens.
So it may be a sign of trouble that India distrusts the American government enough to force government officials to pull their email from American-based email providers.
In an increasingly connected globe, the postures of our allies are every bit as important as those of our enemies. The American government pissed off a friend in India. Hopefully that won’t come back to bite us.
Tomi says:
Syria’s Other Army: How the Hackers Wage War
http://www.newyorker.com/online/blogs/elements/2013/08/syrian-electronic-army-hackers-new-york-times-tactics.html?currentPage=all
At 5:41 P.M. on Tuesday, a tweet from the account of the hacker collective known as the Syrian Electronic Army, which supports the regime of Syria’s President, Bashar al-Assad, said, “Media is going down…” It had been a couple of hours since the Web site of the Times had gone offline for the second time this month.
The S.E.A.’s attacks on media organizations and journalists have been remarkably successful—in terms of collecting trophies, if nothing else.
On Tuesday, the S.E.A. did not hack the Times or Twitter directly. Rather, it breached Melbourne IT, a domain-name registration service that the Times and Twitter both used to manage their Web addresses.
The chief information officer of the New York Times Company told the paper that compared to previous attacks, the assault on the Times and Twitter through Melbourne IT was like “breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of Web sites.”
But the S.E.A.’s method, though its execution was sophisticated, was rather simple conceptually: it began by gaining access to Melbourne IT’s system using the log-in of a U.S.-based domain reseller, which it obtained using a technique known as spearphishing. This is as much an exploitation of human weakness as it is a technical accomplishment: it’s a gambit designed to trick people into voluntarily revealing information in response to what appears to be a message from a legitimate Web site or service.
Spearphishing through e-mail has consistently been the S.E.A.’s tactic of choice, Schultz said in a phone call.
The S.E.A. already has adapted in a way that makes its attacks more punishing: while previous assaults focussed on media organizations directly, the S.E.A. has recently begun targeting third-party services and infrastructure that the media rely on, allowing it to hit multiple targets at once. The widespread use of third-party services for things like commenting or content recommendations makes each site only as secure as its weakest service.
Few concrete facts are known about the S.E.A., but it has the appearance of a loose hacker collective. It formed in 2011, in the midst of the Syrian uprisings, and it is assuredly pro-Assad. It has targeted Web sites and services associated with dissidents and organizations it believes are aligned with rebels, as well as media organizations.
Whether the S.E.A. is under the control of the Syrian government is unclear.
Regardless, it’s clear that the individuals who make up the S.E.A. are not simply technically savvy in a rote way. They are fully native products and producers of Internet culture. They use English, both on social media and in their phishing attacks
Tomi Engdahl says:
AT&T Partnered With DEA to Provide Access to 26 Years of Phone Records
http://gawker.com/at-t-partnered-with-dea-to-provide-access-to-26-years-o-1237996951
Since at least 2007, DEA agents and local police detectives have had regular access to a gigantic database that contains detailed records of every American phone call that’s passed through an AT&T switch in the past 26 years. The program, named the Hemisphere Project, also pays AT&T employees to work alongside drug-enforcement officers stationed in three states.
According to a report in the New York Times, the Hemisphere Project began in 2007 and has been carried out in secret since. The database goes back to 1987 and includes information about every call that’s gone through an AT&T switch. That information consists of user’s phone numbers, the time and duration of their calls, and their location. About 4 billion new calls are added to the database each day. For comparison, the Patriot Act allows the NSA to store just five years worth of caller information, which can only include phone numbers and the time and duration of calls.
Tomi Engdahl says:
Synopsis of the Hemisphere Project
http://www.nytimes.com/interactive/2013/09/02/us/hemisphere-project.html?pagewanted=all
A slide presentation given to The New York Times shows that the Hemisphere Project was started in 2007 and has been carried out in great secrecy.
Tomi Engdahl says:
Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s
http://www.nytimes.com/2013/09/02/us/drug-agents-use-vast-phone-trove-eclipsing-nsas.html?pagewanted=all&_r=0
For at least six years, law enforcement officials working on a counternarcotics program have had routine access, using subpoenas, to an enormous AT&T database that contains the records of decades of Americans’ phone calls — parallel to but covering a far longer time than the National Security Agency’s hotly disputed collection of phone call logs.
The Hemisphere Project, a partnership between federal and local drug officials and AT&T that has not previously been reported, involves an extremely close association between the government and the telecommunications giant.
The government pays AT&T to place its employees in drug-fighting units around the country. Those employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987.
Tomi Engdahl says:
Thoughts on privacy
http://blogs.law.harvard.edu/doc/2013/08/31/thoughts-on-privacy/
In Here Is New York, E.B. White opens with this sentence: “On any person who desires such queer prizes, New York will bestow the gift of loneliness and the gift of privacy.” Sixty-four years have passed since White wrote that, and it still makes perfect sense to me, hunched behind a desk in a back room of a Manhattan apartment.
That’s because privacy is mostly a settled issue in the physical world, and a grace of civilized life. Clothing, for example, is a privacy technology. So are walls, doors, windows and shades.
Private spaces in public settings are well understood in every healthy and mature culture.
Worse, the institution we look toward for protection from this kind of unwelcome surveillance — our government — spies on us too, and relies on private companies for help with activities that would be a crime if the Fourth Amendment still meant what it says.
I see two reasons why privacy is now under extreme threat in the digital world — and the physical one too, as surveillance cameras bloom like flowers in public spaces, and as marketers and spooks together look toward the “Internet of Things” for ways to harvest an infinitude of personal data.
The end-to-end principle was back-burnered when client-server (aka calf-cow) got baked into e-commerce in the late ’90s. In a single slide Phil Windley summarizes what happened after that. It looks like this:
The History of E-commerce
1995: Invention of the cookie.
The end.
Another irony: the overlords are nerds too. And they lord over what Bruce Schneier calls a feudal system:
Reason #2
We have loosed three things into the digital world that we (by which I mean everybody) do not yet fully comprehend, much less deal with (through policy, tech or whatever). Those are:
Ubiquitous computing power. In the old days only the big guys had it. Now we all do.
Ubiquitous Internet access. This puts us all at zero virtual distance from each other, at costs that also veer toward zero as well.
Unlimited ability to observe, copy and store data, which is the blood and flesh of the entire networked world.
In tech, what can be done will be done, sooner or later, especially if it’s possible to do it in secret — and if it helps make money, fight a war or both. This is why we have bad acting on a massive scale: from click farms gaming the digital advertising business, to the NSA doing what we now know it does.
Tomi Engdahl says:
Ex-Googler Gives the World a Better Bitcoin
http://www.wired.com/wiredenterprise/2013/08/litecoin/?mbid=social11374364
Charles Lee was a software engineer at Google, spending his days hacking networking code for the search giant’s new-age operating system, ChromeOS. But in his spare time, he rewrote Bitcoin, the world’s most popular digital currency.
Early one October morning two years ago, Lee unleashed his project, Litecoin,
Government regulation may put the squeeze on Bitcoin — and perhaps Litecoin too. But digital currency will continue to evolve and grow. It’s what so much of the world wants.
Although it’s dwarfed by Bitcoin’s popularity, people seem to like Litecoin because it’s a more credible alternative to the growing list of Bitcoin imitators, which Lee saw as either technologically challenged or straight up pump-and-dump scams.
He took the basic ideas behind Bitcoin — a currency created by a pseudonymous character who goes by the name Satoshi Nakamoto — and refined them. Litecoin was designed to pump out four times as many coins as Bitcoin, in an effort to keep the digital currency from becoming scarce and too expensive. It processes transactions more quickly, and discourages the kind of high-volume but very small transactions that have become a nuisance on the Bitcoin network. And it lets regular folks more easily “mine” coins — i.e. provide the online currency system with the computing power it needs, in exchange for digital money.
The result wasn’t a Bitcoin killer. But it was something that gave digital currency yet another stamp of approval.
Tomi Engdahl says:
Snowden leaks CIA and NSA black budget
$56bn funds US government spy agencies
http://www.theinquirer.net/inquirer/news/2291739/snowden-leaks-cia-and-nsa-black-budget
The secret so-called black budgets of many US intelligence agencies have been published by the Washington Post after it obtained the documentation materials from the US National Security Agency (NSA) whistleblower Edward Snowden.
The Washington Post said, “The $52.6bn ‘black budget’ for fiscal 2013, obtained by The Washington Post from former intelligence contractor Edward Snowden, maps a bureaucratic and operational landscape that has never been subject to public scrutiny. Although the government has annually released its overall level of intelligence spending since 2007, it has not divulged how it uses the money or how it performs against the goals set by the president and Congress.”
Tomi Engdahl says:
The Legal Purgatory at the US Border: Detained, Searched, and Interrogated
http://news.slashdot.org/story/13/09/01/1944202/the-legal-purgatory-at-the-us-border-detained-searched-and-interrogated
“America may be the land of the free, but upon arrival millions of visitors cross a legal purgatory at the U.S. border. It is an international legal phenomenon that is left much to the discretion of host countries.”
Tomi Engdahl says:
Boffins confirm quantum crypto can keep a secret
Hack-defeating QKD protocol validated in two sets of tests
http://www.theregister.co.uk/2013/09/02/your_secrets_are_safe_with_quanta_after_all/
Over recent years, the gap between theoretical security of quantum cryptography and practical implementation has provided plenty of fun for super-geniuses the world over.
Yes, quantum cryptography is supposed to be unbreakable.
However, practical implementations of quantum cryptography left various possible attack vectors. To close these attacks (described in more detail below), the quantum crypto community proposed a new protocol, MDI-QKD (measurement device independent quantum key distribution), and now, two research groups working independently have verified that MDI-QKD gets a long way towards a provably-secure quantum crypto scheme.
Since Charlie never reports polarisation values, all a third party (Eve) would be able to determine is whether Alice and Bob are synchronised. Eve can’t tell from observing Charlie what the secret negotiated between Alice and Bob is.
The Canadian experiment took the MDI-QKD proposal on a field test – not using it to generate random keys, but to determine whether the measurement scheme would work over realistic distances. Charlie was kept on campus, while Alice and Bob were 6 km and 12 km away, respectively.
In the US-China test, Alice, Bob and Charlie were confined to the lab (albeit using a 50 km fibre on a reel): their test was demonstrating that MDI-QKD allows truly random keys to be generated. Not only that, but the test showed that realistic key generation rates of 25 kbit secure keys can be generated using the technique.
In both cases, the answer was “yes”. So while companies making commercial QKD kit had already started responding to the earlier attacks, there is now a protocol available for future designs.
Tomi Engdahl says:
New EU rules: Telco only SOMETIMES has to tell you it spaffed your data
Can’t do it immediately? Do it later. Can’t later? Give a, er, ‘reasoned justification’
http://www.theregister.co.uk/2013/09/02/telecoms_companies_now_subject_to_new_personal_data_breach_notification_rules/
New rules setting out the circumstances in which telecoms companies need to report personal data breaches, as well as the kind of information they need to share in those reports, have come into force.
The EU’s Regulation on the notification of personal data breaches applies to all providers of publicly available electronic communications services, such as internet service providers (ISPs) and other telecoms companies, and sets new rules on notifying both regulators and customers about personal data breaches.
Under the Regulation all providers of publicly available electronic communications services in the EU will have to inform their competent national authority within 24 hours of detecting that they have experienced a personal data breach.
If all the information that the Regulation states should be provided to regulators is unknown, the companies would be able to submit a partial initial notification within the 24-hour deadline and follow it up with a further notification
The telecoms providers will also generally have to notify individuals affected by a personal data breach “without undue delay” in cases where the breach is “likely to adversely affect the personal data or privacy” of those individuals.
However, telecoms providers would be able to avoid having to notify individuals if they can show regulators to their satisfaction that the use of “technological protection measures” has rendered the breached data “unintelligible to any person who is not authorised to access it”.
At the time the Commission said that the purpose of the new rules was to “ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country”.
Tomi Engdahl says:
Eggheads turn Motorola feature phone into CITYWIDE GSM jammer
Innocent mobile turns bad… with good software
http://www.theregister.co.uk/2013/08/28/german_boffins_mod_moto_into_citywide_gsm_jammer/
Berlin boffins have spotted a procedural flaw in the long-lived GSM protocol and created an exploit around it which can knock out a mobile network or even target an individual subscriber in the same city.
The exploit, presented at the 22nd USENIX Security Symposium last week, takes advantage of the fact that GSM lets phones establish a radio connection before cryptographically authenticating them. That allows a hacked Motorola C123 to masquerade as any handset, before the real device can get connected, denying service to one customer or a whole network.
The 2G telephony standard embodied in GSM has some serious cryptography behind it. Once a radio connection has been established, a key-exchange protocol identifies the customer and encrypts the communication. Before that, however, the handset has to respond to a paging request and it is this response that the boffins have managed to fake.
Faking the response won’t get you access to the mark’s calls or text messages, but it will prevent them arriving at their intended destination
But denying service is certainly possible, and the team even managed to deny service to a specific number – which is more concerning, as this would be very hard to detect. Cutting off an individual phone could be very helpful in a number of circumstances.
El Reg adds that the encryption level is specified by the network and GSM authentication isn’t mutual, so this technique could be combined with a faked base station (which would specify no encryption) to allow a true man-in-the-middle attack.
Fixing the problem would mean changing the GSM protocol, which isn’t very likely. Operators could also keep track of radio links which failed at the authentication stage, which would enable them to alert a user if it was happening – though not by call or text, obviously.
3G networks do mutually authenticate, though they also establish a radio connection prior to authentication so could be vulnerable to a similar attack – likewise with 4G networks.
Tomi Engdahl says:
Nokia’s Here mobile software runs on car dashboards. The navigation software is complemented by a phone app, which also supports Windows Phone’s Android-powered competitor.
Nokia’s position in cars has been strong since its acquisition of the Navteq maps. Many of the world’s biggest car manufacturers use Navteq maps.
Now these services are being extended with Nokia’s Here Auto product. It is not only a map for cars and automotive systems, but a fully functional navigation system.
An integral part of the new product is smartphone software that extends the vehicle system. The Here Car Companion application (photo below) is being released on the Windows Phone platform and, in addition, on Android.
This is understandable. Android has about 80 per cent market share in smartphones, so Nokia is practically forced to make the phone software for it. Nokia has not made an iOS version of the application for Apple’s iPhone.
The combination of the car system and the smartphone brings many benefits, according to Nokia. The smartphone program can, for example, tell you where the car is parked and then guide the user to the car. The application can also show information about the car, such as the amount of fuel, the interior temperature, the tire pressure or even the windshield washer fluid level.
The user can also control the car’s devices with the smartphone. For example, the car doors can be locked and the air conditioning system controlled by phone.
The route of a car trip can be planned even before the car is moving. Plans can be made with the Here.com smartphone or web service.
The maps cover 95 different countries, and the system tells the driver about things such as traffic congestion and fuel prices. When the car is approaching the destination, the system may display photos of the destination, parking information, and even indoor maps.
Nokia says that Here Car will be launched in the coming months. Cooperation will take place with car systems manufacturers Continental and Magneti Marelli.
Source: http://www.itviikko.fi/uutiset/2013/09/02/here-auto-nokia-tahtoo-autoilijan-yleispalvelijaksi/201312160/7?rss=8
Tomi Engdahl says:
NSA spying: 85 000 “sleeping” malware installations all over the world by the end of the year
The NSA installs sleeping spyware on tens of thousands of computers and network devices around the world, says the Washington Post. The number will rise to millions in the coming years.
The American newspaper the Washington Post (WP) has released new information about United States cyber-operations.
The paper also revealed the NSA’s Genie program, in which the United States quietly takes over foreign data networks. Within the program, the Americans infect computers, routers, firewalls and other network devices with malicious software. Some of the secretly operating programs gather information; some create back doors, which can be used in future infiltrations.
By the end of the year, the number of devices infected by the American programs is estimated to be 85 000. This amount is to rise to millions in the coming years.
Some of the intelligence used to treat “field missions”, which currently heard by installing spyware software or enabling tapping attachment site.
For programming the monitoring software the NSA has its own unit, TAO (Tailored Access Operations).
In addition, the NSA buys software vulnerability information on the gray market that can be used to launch cyber-attacks. For this purpose, the NSA has budgeted € 19 million for this year.
Source: http://www.iltasanomat.fi/digi/art-1288595231751.html
Tomi Engdahl says:
Syrian Electronic Army hacks US Marines, asks ‘bros’ to fight on its side
While US patriot hackers face off with pro-Assad hacktivists
http://www.theregister.co.uk/2013/09/03/sea_hits_marines/
A US marines recruitment website, http://www.marines.com, was hacked and defaced by hacktivists from the infamous Syrian Electronic Army over the weekend.
The attack was used to post a propaganda message claiming that the Syrian Army have been fighting Al Qaeda insurgents for three years and describing Obama as a “traitor”.
The hack followed US President Barack Obama’s announcement that he is seeking Congressional approval for a military strike on Syria, in response to reports that the Assad regime was using chemical weapons against the Syrian people.
Last week the SEA denied that its own web server had been hacked back in April and further denied that a voluminous data leak had occurred in connection with the “hack”. The incident followed days after high-profile DNS redirection attacks by the pro-Assad hacktivists on the New York Times and Twitter.
Tomi says:
Chargen service used in denial-of-service attacks
The chargen service, part of the TCP/IP small services, is now widely used for denial-of-service attacks. Attacks have been targeted at Finnish servers.
The chargen service can use both the TCP and UDP protocols. When a UDP packet is sent to the port the service uses, the server responds with a packet containing random text.
The chargen service is rarely necessary, and in most cases it should be switched off on servers. Some routers also provide a chargen service, but it is usually disabled by default.
Source: http://www.cert.fi/tietoturvanyt/2013/08/ttn201308271453.html
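A configuration check for the advice above to switch chargen off, added here as an example and not taken from the CERT-FI notice: it reads inetd.conf and xinetd configuration text and reports every chargen entry that is still enabled, UDP listeners first. The function names and the sample configurations are constructed for illustration, and xinetd `defaults` sections are not evaluated.

```python
"""Audit inetd.conf and xinetd configuration text for an enabled chargen service.

Added example. The sample configurations below are constructed for illustration.
"""
import re

# Constructed sample: one chargen entry commented out, one still active.
SAMPLE_INETD = """\
# constructed sample inetd.conf
echo     stream tcp nowait root internal
#chargen stream tcp nowait root internal
chargen  dgram  udp wait   root internal
"""

# Constructed sample: two files from an xinetd.d directory, concatenated.
SAMPLE_XINETD = """\
# constructed sample xinetd service files
service chargen
{
    id          = chargen-stream
    type        = INTERNAL
    socket_type = stream
    disable     = yes
}
service chargen
{
    id          = chargen-dgram
    type        = INTERNAL
    socket_type = dgram
    wait        = yes
}
"""

_COMMENT = re.compile(r"(?m)^[ \t]*#.*$")
_STANZA = re.compile(r"^\s*service\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)


def inetd_chargen(text):
    """Return (line_number, protocol) for each active chargen line in inetd.conf text."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a commented-out entry is disabled
        fields = line.split()
        # inetd.conf fields: service socket-type protocol wait user program [args]
        if len(fields) >= 6 and fields[0].lower() == "chargen":
            hits.append((lineno, fields[2].lower()))
    return hits


def xinetd_chargen(text):
    """Return (id, protocol) for each chargen stanza without 'disable = yes'."""
    hits = []
    for match in _STANZA.finditer(_COMMENT.sub("", text)):
        if match.group(1).lower() != "chargen":
            continue
        attrs = {}
        for line in match.group(2).splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip().lower()] = value.strip().lower()
        # Assumption: a stanza with no 'disable' attribute is treated as enabled.
        if attrs.get("disable", "no") == "yes":
            continue
        by_socket = {"dgram": "udp", "stream": "tcp"}
        proto = attrs.get("protocol") or by_socket.get(attrs.get("socket_type"), "unknown")
        hits.append((attrs.get("id", "chargen"), proto))
    return hits


def audit(inetd_text="", xinetd_text=""):
    """Return (location, protocol) findings, UDP listeners listed first."""
    findings = []
    for lineno, proto in inetd_chargen(inetd_text):
        findings.append(("inetd.conf line %d" % lineno, proto))
    for ident, proto in xinetd_chargen(xinetd_text):
        findings.append(("xinetd service id %s" % ident, proto))
    # The UDP service answers any datagram sent to its port, so close it first.
    return sorted(findings, key=lambda f: (not f[1].startswith("udp"), f[0]))


if __name__ == "__main__":
    for location, proto in audit(SAMPLE_INETD, SAMPLE_XINETD):
        print("chargen enabled (%s): %s" % (proto, location))
```
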
Tomi Engdahl says:
Citadel botnet resurges to storm Japanese PCs
Banking Trojan infects 20,000 IP addresses
http://www.theregister.co.uk/2013/09/04/citadel_wreaks_havoc_in_japan/
Citadel, the aggressive botnet at the heart of a widely criticised takedown by Microsoft back in June, is back and stealing banking credentials from Japanese users, according to Trend Micro.
The security vendor claimed to have found “at least 9 IP addresses”, mostly located in Europe and the US, functioning as the botnet’s command and control servers.
As well as Japanese financial and banking organisations, the botnet has been targeting popular webmail services such as Gmail, Hotmail and Yahoo Mail, Trend Micro said.
Citadel was the subject of Operation b54, what Microsoft described back in June as its “most aggressive botnet operation to date”. Working with the FBI, financial institutions and other technology firms, Redmond said it disrupted some 1,400 botnets associated with the Trojan, which had nabbed more than $500m from bank accounts around the world.
However, the initiative was slammed by the security community after Microsoft allegedly seized hundreds of domains as part of its swoop which were already being sinkholed by researchers to find out more about the botnet.
Tomi Engdahl says:
Open-Source Python Code Shows Lowest Defect Density
http://developers.slashdot.org/story/13/09/03/2032248/open-source-python-code-shows-lowest-defect-density
“Coverity has found open-source Python code to contain a lower defect density than any other language.”
“The 2012 Scan Report found an average defect density of .69 for open source software projects that leverage the Coverity Scan service, as compared to the accepted industry standard defect density for good quality software of 1.0.”
“Coverity Scan service has analyzed nearly 400,000 lines of Python code and identified 996 new defects — 860 of which have been fixed by the Python community.”
Tomi Engdahl says:
Mobile Security Firm Lookout Partners With Samsung, Plans to Attack Corporate Market Later This Year
http://allthingsd.com/20130903/mobile-security-firm-lookout-partners-with-samsung-plans-to-attack-corporate-market-later-this-year/
After spending its first two years trying to keep consumer phones secure, Lookout is taking aim at the corporate market.
The San Francisco startup, which focuses on securing mobile devices, is announcing plans on Wednesday to offer its first enterprise product — Lookout For Business — later this year. Lookout also said that its software will become part of Samsung’s Knox program for securing Android devices.
it will work on both iOS and Android, has been in the works for about a year
One of the key things, Mahaffey said, is offering security in a way that “doesn’t suck.” Too much corporate security software, he said, works by limiting access to popular applications, restricting browser use, and other onerous limitations.
Tomi Engdahl says:
“Coffee is budgeted more than cyber security”
No one said to Obama: “Mr. President, you would violate the law.” And no one said, “It is strange that you did not have to break the law.”
It carved a Washington Post journalist for a long time served as a security expert Brian Krebs of the NSA spying scandal security house Nixu organized by the Corporate Cyber Security Seminar in Helsinki.
Krebs found that people can not see the forest for the trees: they are not concerned about the U.S. laws are not violated, if terrorism under the guise of spying on their own, independent country and our allies citizens.
Most are unable to make the effort to protect itself from espionage, hacking, or launch cyber-attacks. It is too cumbersome. Or when does it make you last encrypted your hard drive?
The security and protection to provide the tools are difficult to use. Instead cyber-criminal attack tools are remarkably easy to use.
“Point and click” – so created a modern cyber-attack, Krebs says. When an attack is much easier than the protection against risks materialize easily.
Businesses pay more for coffee than for cyber security
According to Krebs, companies do not take sufficient care of information security. The leaders responsible for cyber security (CSO, Chief Security Officer) normally operate on too low a budget. Krebs quipped that “most companies have budgeted more money for coffee than for cyber security”.
The budget shows lack of specific personnel. Skilled personnel is essential for the company’s cyber security. Employees should not outsource or automate activities.
Even a high hardware and software budget is not enough: the company may have millions in software and hardware, and the automatically produced data may squeal about an ongoing data breach – but it does not help.
One must be able to interpret the data, and that requires professionals.
During the presentation, Krebs also pointed out that one may not want to follow all the security standards: if you comply with public security specifications, cyber-criminals know what kind of barrier they are up against.
Cyber-criminals, on the other hand, do not shy away from breaching standards, such as abusing security protocols – the attacker does not care where he gets in through, as long as a hole is found.
Source: http://www.tietoviikko.fi/cio/quotkahviin+budjetoidaan+enemman+kuin+kyberturvallisuuteenquot/a927163
Tomi Engdahl says:
Potential Major Security Flaw on HP Laptop Discovered with RTL-SDR
http://www.rtl-sdr.com/potential-major-security-flaw-hp-laptop-discovered-rtl-sdr/
Over on Reddit, user cronek discovered by using his RTL-SDR that the microphone on his HP EliteBook 8460p laptop computer was continuously and unintentionally transmitting the audio from the built in microphone at 24 MHz in FM modulation. He found that the only requirement needed for the microphone to transmit was that the laptop needed to be turned on – even muting the microphone did nothing to stop the transmission.
“I accidentally stumbled upon a signal in the 24MHz range, appearing to be 4 carriers. I tuned to it and heard silence, then someone came into my office and started talking and I could hear them speak”
This is of potential concern as the US Military is apparently transitioning to this particular laptop. However, this may be an isolated incident.
Tomi Engdahl says:
Anatomy of a killer bug: How just 5 characters can murder iPhone, Mac apps
What evil lurks in the Unicode of Death … oh, a buffer overrun
http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/
Analysis There has been much sniggering into sleeves after wags found they could upset iOS 6 iPhones and iPads, and Macs running OS X 10.8, by sending a simple rogue text message or email.
A bug is triggered when the CoreText component in the vulnerable Apple operating systems tries to render on screen a particular sequence of Unicode characters: the kernel reacts by killing the running program, be it your web browser, message client, Twitter app or whatever tried to use CoreText to display the naughty string.
Much hilarity ensued as people tweeted the special characters, posted them in web article comments or texted them, and rejoiced in the howls of fanbois’ frustration. (Facebook had to block the string from being submitted as a status update.)
But how did that bug work? After some examination, it appears to be a rather cute programming cock-up that’s fairly easy to explain.
Final thoughts
In the meantime, the flaw as it stands doesn’t appear to be exploitable beyond crashing a user’s program: it’s mighty hard to leverage an end-of-array read fault into something more serious.
It can also be triggered on 32-bit ARM-powered iPhones, iPods and iPads running the latest publicly available version of iOS. This means the bug isn’t specific to a particular architecture: the buffer overrun will work in much the same way except within 32 bits rather than 64 as seen above.
The app-slaying coding error is absent in iOS 7 and Mac OS X 10.9 (codenamed Mavericks), both due for a public release soon.
Tomi Engdahl says:
Our Newfound Fear of Risk
http://www.schneier.com/blog/archives/2013/09/our_newfound_fe.html
We’re afraid of risk. It’s a normal part of life, but we’re increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren’t free. They cost money, of course, but they cost other things as well. They often don’t provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks.
the general point is that we tend to fixate on a particular risk and then do everything we can to mitigate it, including giving up our freedoms and liberties.
There’s a subtle psychological explanation. Risk tolerance is both cultural and dependent on the environment around us. As we have advanced technologically as a society, we have reduced many of the risks that have been with us for millennia.
Our notions of risk are not absolute; they’re based more on how far they are from whatever we think of as “normal.” So as our perception of what is normal gets safer, the remaining risks stand out more. When your population is dying of the plague, protecting yourself from the occasional thief or murderer is a luxury. When everyone is healthy, it becomes a necessity.
Some of this fear results from imperfect risk perception. We’re bad at accurately assessing risk; we tend to exaggerate spectacular, strange, and rare events, and downplay ordinary, familiar, and common ones. This leads us to believe that violence against police, school shootings, and terrorist attacks are more common and more deadly than they actually are — and that the costs, dangers, and risks of a militarized police, a school system without flexibility, and a surveillance state without privacy are less than they really are.
Some of this fear stems from the fact that we put people in charge of just one aspect of the risk equation. No one wants to be the senior officer who didn’t approve the SWAT team for the one subpoena delivery that resulted in an officer being shot.
We also expect that science and technology should be able to mitigate these risks, as they mitigate so many others. There’s a fundamental problem at the intersection of these security measures with science and technology; it has to do with the types of risk they’re arrayed against. Most of the risks we face in life are against nature: disease, accident, weather, random chance. As our science has improved — medicine is the big one, but other sciences as well — we become better at mitigating and recovering from those sorts of risks.
Security measures combat a very different sort of risk: a risk stemming from another person.
When you implement measures to mitigate the effects of the random risks of the world, you’re safer as a result. When you implement measures to reduce the risks from your fellow human beings, the human beings adapt and you get less risk reduction than you’d expect — and you also get more side effects, because we all adapt.
We need to relearn how to recognize the trade-offs that come from risk management, especially risk from our fellow human beings. We need to relearn how to accept risk, and even embrace it, as essential to human progress and our free society.
Tomi Engdahl says:
The faulty FBI files that can ruin your life
http://edition.cnn.com/2013/09/02/opinion/neighly-fbi-background-checks/index.html?hpt=hp_t4&utm_source=buffer&utm_campaign=Buffer&utm_content=buffer6e301&utm_medium=twitter
No amount of economic growth will land you a job if you get unfairly snagged in the FBI’s faulty background check system. And you can lose your job because of the FBI file inaccuracies, too.
A National Employment Law Project report found the FBI ran a record 16.9 million employment background checks — a six-fold increase from a decade ago — for jobs ranging from child care to truck driving, port workers to mortgage processors. Although background checks can contribute to workplace safety, inaccuracies in the FBI database mean that these checks are blocking about 600,000 Americans a year from jobs for which they may be perfectly qualified.
The glitch is that FBI records often fail to report the final outcomes of arrests. The case might have been dismissed or the charges reduced, but a prospective employer might not know it from the FBI background check.
Tomi Engdahl says:
Gov’t settles with marketer of home security cameras after hack exposes people’s homes online
http://www.washingtonpost.com/politics/govt-settles-with-marketer-of-home-security-cameras-after-hack-exposes-peoples-homes-online/2013/09/04/02753986-1597-11e3-961c-f22d3aaf19ab_story.html
The government is requiring the marketer of Internet-connected home monitoring cameras to come up with a better security design after feeds from people’s homes — video from baby monitors and home security systems — were posted online for public view.
lax security practices led to the breach by California-based TRENDnet.
went public in January 2012 after a hacker exploited a security flaw in the company’s software and posted links of video feeds to nearly 700 cameras.
According to the commission, the cameras had faulty software that left them open to online viewing, and in some cases listening, by anyone with the Internet address of the cameras.
Tomi Engdahl says:
NSA Laughs at PCs, Prefers Hacking Routers and Switches
http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad.
Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation.
The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are.
“No one updates their routers,” he says. “If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.”
He also notes that routers don’t have security software that can help detect a breach.
Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication
Tomi Engdahl says:
Silent Circle launches encrypted text messaging app on Android
http://www.theverge.com/2013/9/4/4693740/silent-text-encrypted-messaging-file-sharing-launches-on-android
Silent Circle is launching its secure file sharing and text messaging app, Silent Text, on Android today, almost a year after the service first launched for iOS. The app allows mobile users to transfer 100MB files of any type, or to just send one another simple messages. It protects the data using end-to-end encryption, and it stores those encryption keys on users’ devices — not Silent Circle’s own servers — which makes the people in the conversation the only ones with the key to decrypt it.