Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
$79 Nymi bracelet aims to replace passwords and keys with your heartbeat
http://www.geek.com/mobile/79-nymi-bracelet-aims-to-replace-passwords-and-keys-with-your-heartbeat-1569351/
It’s a new “wearable authentication device” called Nymi, and its creators think it can replace your passwords and keys — or at least make them a whole lot more secure.
Clasp the Nymi around your wrist, press your fingertip to the sensor on the top, and it springs to life. Built-in LEDs and a vibration motor let you know it’s active, and you can also program them to deliver notifications from your smartphone (Nymi supports Bluetooth 4.0).
Nymi authenticates you by reading your heartbeat the way an electrocardiograph does: by monitoring its electrical activity.
Even if someone was to swipe your Nymi, it wouldn’t be any use to him or her. Without sensing that your heart is thumping out its specific pattern, your Nymi won’t authenticate. It’s got proximity sensors, too, so you don’t need to worry about someone flicking through the contents of your phone while you’re in the bathroom. Nymi knows to unlock your device when it’s close to your wrist.
Initially, Nymi will support Windows, OS X, Android, and iOS, allowing you to unlock your device and log in to apps and websites without pressing a key. Bionym, the company behind Nymi, has much bigger plans for the inexpensive authenticator, though.
It wants to convince other hardware manufacturers
to integrate Nymi support into their products.
Tomi Engdahl says:
Information Technology to leave cars at the mercy of hackers
Everything that has a computer chip, is vulnerable, security researcher points out. A recently published report, the cars are no exception, and the consequences can be frightening.
Car penetration of information technology who are familiar with the findings of hacker tells the AP.
Hackers can get your hands on the car’s functions that affect information technology, for example, using interfaces, including service technicians can diagnose faults and examine the operation of the car. In this way it is possible to command the vehicle functions – perhaps most dangerous tackle braking and steering behavior.
It is not always even need a physical intrusion into the game play, but the commands have been given a mobile phone and a bluetooth connection. Such a car would make life easy for the thief
Source: http://www.tietokone.fi/artikkeli/uutiset/tietotekniikka_jattaa_autot_hakkereiden_armoille
Tomi Engdahl says:
Cyber criminals are easy to trace, because their privacy and security is poor, says security researcher Brian Krebs It-week. He will pay the price for their work and threats from getting into mischief.
Krebs says he is now happy man. One and a half million readers a month collecting the Krebs on Security blog brings livelihood. In addition, he writes a book
Krebs is not chasing the hot news of the day.
- This must be the language in the middle of the mouth. Let’s just say that the disclosures have increased people’s awareness of and care about what they put online. Now that I think paranoia level is where it should be, Krebs merely states.
Krebsiä more interested in un-trendy security events, which others do not just write. These include the spammers, the network drug dealers and the way the botnet operators. That is, the things that were lost IT journalism spotlight a few years ago.
Krebs that cyber criminals make this easy. Kyberkonnien tracing is usually easy, because these private security is usually a completely bad way. Similarly, these operations are very disorganized, although generally found to talk about organized cyber-crime.
Visit exceptionally clear that such a thing as security does not exist. Writing on the machine returns is more or less the only option to ensure the safety. The cloud and security companies Krebs trust because it makes life easier.
- European [EU] like a lot of noise, but do not do anything that might create a couple of new pieces of legislation and directives. Sure, everyone can acquire a cloud in their own country, but in the end there is always someone reliable.
- I do not think that antivirus firms would put their security software the rear doors. It would put those companies out business if the matter comes out.
Ordinary people do not have the Krebs fear, for they are the cybercriminals only numbers. In contrast, in the business world, things are bad state.
- After all, it’s great that the company purchased automation to improve information security. But stop and Employ automation professionals. If no analysis software to collect information, it is useless.
Source: http://www.itviikko.fi/ihmiset-ja-ura/2013/09/05/kyberkonnien-oma-tietoturva-on-retuperalla/201312332/7
Tomi Engdahl says:
Spyware scared: 90 per cent is now trying to cover their tracks
The majority of U.S. Internet users now trying to cover their tracks, reveals a fresh inquiry. More than half while trying to evade surveillance by at least a half.
The Pew Research Center and Carnegie Mellon University survey of 86 percent of online users had done “something” digital footprint fuzzing.
The most common measure of cookies and browsing history, delete (64 percent of users). 41 per cent were deleted or edited what they did or their message online.
Similarly, 41 per cent had prevented the use of cookies.
More effective ways to use fewer. 14 percent of users said concealing an e-mail. The same number said they use virtual networks and in the Tor network such as aids.
The majority of users would want to be anonymous, and without follow-up “at least once in a while,
Source: http://www.tietoviikko.fi/kaikki_uutiset/vakoiluohjelma+saikaytti+90+prosenttia+yrittaa+nyt+peitella+jalkiaan/a927627
Tomi Engdahl says:
Survey: Almost 90 percent of Internet users have taken steps to avoid surveillance
http://www.pcworld.com/article/2048170/almost-90-percent-of-internet-users-have-taken-steps-to-avoid-surveillance-survey-finds.html
A majority of U.S. Internet users polled in a recent survey report taking steps to remove or mask their digital footprints online, according to a report from the Pew Research Center’s Internet Project and Carnegie Mellon University.
While 86 percent of the Internet users polled said they made some attempt hide what they do online, more than half of the Web users also said they have taken steps to avoid observation by organizations, specific people or the government, according to the survey.
People use a variety of measures to decrease their online visibility, the study showed. The most popular one is clearing cookie and browser history, which 64 percent of Internet users polled said they did. Forty-one percent said they deleted or edited something they had posted in the past and 41 percent said they disabled or turned off their browsers’ use of cookies, Pew said.
Beyond general measures taken to go online more or less anonymously, the majority of Internet users polled (55 percent) have tried to avoid observation by specific people or groups. “Hackers, criminals and advertisers are at the top of the list of groups people wish to avoid,” Pew said.
But a minority of Web users said they tried to hide their online activities from certain friends, people form their past, family members or partners as well as their employers, coworkers, supervisors, companies, people that might want payment for downloaded files and to a lesser extent the government (5 percent) and law enforcement (4 percent).
Discovering that many Internet users have tried to conceal their identity or their communications from others was the biggest surprise to the research team, they said in a news release. Not only hackers, but almost everyone has taken some action to avoid surveillance and despite their knowing that anonymity is virtually impossible, most Internet users think they should be able to avoid surveillance online, they said.
Most U.S. citizens would like to be anonymous and untracked online, at least every once in a while, but many think it is not possible to be completely anonymous online, Pew said.
A majority of Web users polled, 66 percent, said they think current privacy laws are not good enough to provide reasonable protections for people’s privacy on their online activities.
“Interestingly, there are not noteworthy differences in answers to this question associated with political or partisan points of view.”
Tomi Engdahl says:
Making Sense of security
Terms, such as business continuity, data integrity, confidentiality and non-repudiation are rife with security professionals in the speech.
Security encryption familiar with the science often talk about the involuntary either a theory or a stumble in his speech on the other hand numerous to detail. Thus the terms in the firewall configuration, ad federation or aes encryption will go smoothly over many listener.
Information Security is responsible for the company and its management, data security, the practical implementation of it largely. The management, however, feels more at ease annoying because the mind does not have a map in which the concepts of information security professionals in the fall. What to do? What would be the security is one film that would explain it all?
To understand the method to the security concept is to share the locations where security is implemented in practice.
These are, first, self-knowledge in data centers and the access to the data network (mobile data), such as terminals, as well as man himself. A person can be in several roles, the end-user, administrator, or even unauthorized intruder.
Information
Key data stores are typically located in data centers, and their security is largely a center of the physical environment and the self-protection of technical data.
This could be compared to even a bank vault. It is important to prevent physical access to unauthorized individuals.
Access
Access to the service is done by using a terminal device via a data network. Society as a whole is highly dependent on computer networks.
Modern techniques and information can be hijacked from computer networks without the subject being noticed.
Fortunately, this is there an antidote – the encryption.
The data network through a thief could also try to get access to the vault. This, in turn, prepares for firewalls.
Access to data through the network therefore takes place, but this requires the terminal and the necessary software.
Terminal security as are often the Achilles’ heel. Because of this, the company’s clients can be “certified”, meaning that they are encoded, and the company’s network to identify its “own people”. Add to this the lock code, up to date anti-virus and any device data encryption, are already relatively safe waters.
As a person who owns the device, he can easily forget that a work-related data is owned by the company, and therefore it must be protected.
The fact that the user has the appropriate body, for example, to ensure two-way authentication, the password is sent after logging on, say, a person’s cell phone. This ID and password theft is not enough, but thief must be in possession of the person’s phone.
The authorization for the service within the system of processes and information is shared in such a way that a given user role access to a specific part of the area.
Man
Despite all of the technical implementation, data security loopholes in
The weakest link in security is typically a human, user or third party, such as an administrator or a criminal, either inadvertently or intentionally harmful activity.
Big brother
Security is the interesting thing is that the motive of the perpetrator is not always a crime, or self-interest.
Some people try to mess up just because they have the know-how. Others believe that they have a duty to share confidential information on all the others.
The EU Charter of Fundamental Rights of privacy is a fundamental human right. Security is so important that it is governed by national and international level.
And an even bigger cousin
After all this, we should all feel safe to feel … what about the NSA’s PRISM program, a top-secret documents now in Russia that sits on the CIA and the NSA worked with Edward Snowden revealed?
It is not difficult to imagine that terrorists and criminals hunt collecting massive databases. This ‘big data’ analytics combined, and terrorist communication networks revealed.
These methods inquiry in power will certainly increase, but the eyebrows to rise. In practice, you just have to trust that the information gathered from a democratic state – makes it to the credit card company or the state security agency – used for the wrong purposes.
It is clear that the State intelligence has always been, and always will be. State security is considered more important than the individual’s privacy.
Seven brothers and fluoroscopy
The only way to avoid a possible traffic monitoring is to go to the wilderness of spruce stump up and live a self-sufficient and leave the cell phone and credit cards at home.
That happens quite a bit, but rather the trend is to share everything possible about oneself in public. This could say that now, but it is stupid to tell too much. It is good to remember that a large part of the data will never be destroyed, because its destruction cost more than the store.
Secret Science civic literacy
Since almost all actions are based on processes and knowledge, it is not available for isolated operations into its own islet. The same applies to the information security. It must, however, be able to talk intelligibly.
Although in the end the security of information, both in practice and can be divided according to whether that knowledge, access to information, or the user. So there you have it.
Source: http://www.tietoviikko.fi/cio/blogit/CIO_100_blogi/tolkkua+tietoturvaan/a927303
Tomi Engdahl says:
This is funny:
http://www.dilbert.com/2013-09-06/
Tomi Engdahl says:
Patriot Act Author Says NSA Is Abusing Spy Law
http://www.wired.com/threatlevel/2013/09/nsa-abusing-patriot-act/
Rep. Jim Sensenbrenner (R-Wisconsin) quickly ushered in the USA Patriot Act in the wake of the September 2001 terror attacks. But the author of the act, which greatly expanded the government’s spy powers, says the National Security Agency is abusing that law by collecting records of all telephone calls in the United States.
“I stand by the Patriot Act and support the specific targeting of terrorists by our government, but the proper balance has not been struck between civil rights and American security,” Sensenbrenner said in a statement. “A large, intrusive government — however benevolent it claims to be — is not immune from the simple truth that centralized power threatens liberty. Americans are increasingly wary that Washington is violating the privacy rights guaranteed to us by the Fourth Amendment.”
Tomi Engdahl says:
FBI Cyber Division Adds Syrian Electronic Army To Wanted List
http://news.slashdot.org/story/13/09/05/2249249/fbi-cyber-division-adds-syrian-electronic-army-to-wanted-list
“The U.S. government has had enough of the Syrian Electronic Army’s hacks of Western media and government outlets. A week after the SEA shut down the New York Times, the FBI Cyber Division unit has officially added the pro-Assad hacker collective to its wanted list.”
Tomi Engdahl says:
NSA and GCHQ unlock privacy and security on the internet
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs ‘undermine the fabric of the internet’
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
The agencies insist that the ability to defeat encryption is vital to their core missions of counter-terrorism and foreign intelligence gathering.
But security experts accused them of attacking the internet itself and the privacy of all users. “Cryptography forms the basis for trust online,” said Bruce Schneier, an encryption specialist and fellow at Harvard’s Berkman Center for Internet and Society. “By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.” Classified briefings between the agencies celebrate their success at “defeating network security and privacy”.
“For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies,” stated a 2010 GCHQ document. “Vast amounts of encrypted internet data which have up till now been discarded are now exploitable.”
Tomi Engdahl says:
N.S.A. Able to Foil Basic Safeguards of Privacy on Web
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=0
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets
Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
An intelligence budget document makes clear that the effort is still going strong.
The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.
But some experts say the N.S.A.’s campaign to bypass and weaken communications security may have serious unintended consequences. They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of American communications.
“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”
Tomi Engdahl says:
NSA’s Decade-Long Plan to Undermine Encryption Includes Backdoors, Stolen Keys, Manipulating Standards
http://www.wired.com/threatlevel/2013/09/nsa-backdoored-and-stole-keys/
It was only a matter of time before we learned that the NSA has managed to thwart much of the encryption that protects telephone and online communication, but new revelations show the extent to which the agency, and Britain’s GCHQ, have gone to systematically undermine encryption.
Without the ability to actually crack the strongest algorithms that protect data, the intelligence agencies have systematically worked to thwart or bypass encryption using a variety of underhanded methods, according to revelations published by the New York Times and Guardian newspapers and the journalism non-profit ProPublica, based on documents leaked by NSA whistleblower Edward Snowden.
These methods, part of a highly secret program codenamed Bullrun, have included pressuring vendors to install backdoors in their products to allow intelligence agencies to access data, and obtaining encryption keys by pressuring vendors to hand them over or hacking into systems and stealing them.
Most surprising, however, is the revelation that the agency has worked to covertly undermine the encryption standards developers rely upon to build secure products. Undermining standards and installing backdoors don’t just allow the government to spy on data but create fundamental insecurities in systems that would allow others to spy on the data as well.
“The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions, and commercial secrets,”
The most shocking revelation involves the NSA’s efforts to deliberately weaken international encryption standards developers use to make their encryption secure, thereby undermining systems that human rights organizers, Third World activists and others depend upon to protect their communications from corrupt and oppressive regimes and U.S. companies rely upon to keep their trade secrets secret. One of the agency’s stated goals in its 2013 budget was to “influence policies, standards and specifications for commercial public key technologies.”
The ten-year Bullrun program began after the U.S. government failed in its pla to place a backdoor, the so-called Clipper chip, into encryption that would have allowed it to eavesdrop on communications at will. Without the Clipper chip, the government launched a systematic plan using trickery and other methods to circumvent encryption and achieved an unspecified breakthrough in 2010.
“Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on,” cryptographer Bruce Schneier notes in a story by the Guardian. “If the backdoor is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.”
Tomi Engdahl says:
What Exactly Are the NSA’s ‘Groundbreaking Cryptanalytic Capabilities’?
By Bruce Schneier
http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/all/1
“Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.”
Honestly, I’m skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks.
Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.
This isn’t the first time we’ve heard this rumor.
Perhaps the NSA has some new mathematics that breaks one or more of the popular encryption algorithms: AES, Twofish, Serpent, triple-DES, Serpent. It wouldn’t be the first time this happened.
It’s very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext.
Right now the upper practical limit on brute force is somewhere under 80 bits. However, using that as a guide gives us some indication as to how good an attack has to be to break any of the modern algorithms. These days, encryption algorithms have, at a minimum, 128-bit keys.
That means any NSA cryptoanalytic breakthrough has to reduce the effective key length by at least 48 bits in order to be practical.
There’s more, though. That DES attack requires an impractical 70 terabytes of known plaintext encrypted with the key we’re trying to break. Other mathematical attacks require similar amounts of data. In order to be effective in decrypting actual operational traffic, the NSA needs an attack that can be executed with the known plaintext in a common MS-Word header: much, much less.
So while the NSA certainly has symmetric cryptanalysis capabilities that we in the academic world do not, converting that into practical attacks on the sorts of data it is likely to encounter seems so impossible as to be fanciful.
Much of the public-key cryptography we use today involves elliptic curves, something that is even more ripe for mathematical breakthroughs.
Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.
If we think that’s the case, the fix is easy: increase the key lengths.
Assuming the hypothetical NSA breakthroughs don’t totally break public-cryptography — and that’s a very reasonable assumption — it’s pretty easy to stay a few steps ahead of the NSA by using ever-longer keys. We’re already trying to phase out 1024-bit RSA keys in favor of 2048-bit keys. Perhaps we need to jump even further ahead and consider 3072-bit keys. And maybe we should be even more paranoid about elliptic curves and use key lengths above 500 bits.
I think it extraordinarily unlikely that the NSA has built a quantum computer capable of performing the magnitude of calculation necessary to do this, but it’s possible. The defense is easy, if annoying: stick with symmetric cryptography based on shared secrets, and use 256-bit keys.
There’s a saying inside the NSA: “Cryptanalysis always gets better. It never gets worse.”
Tomi Engdahl says:
Stuxnet Expert Proposes New Framework For ICS/SCADA Security
http://www.darkreading.com/management/stuxnet-expert-proposes-new-framework-fo/240160846
CS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach
Critical infrastructure operators that have adopted the security industry’s popular risk management mindset are doing it wrong, according to Ralph Langner.
Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran’s Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government’s Cyber Security Framework (PDF), which is currently in draft form.
The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a “security capability,” Langner says.
“ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent,” Langner told Dark Reading.
Then there’s the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it’s mostly only an annual patching cycle, he says. “If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are,” Langner says.
The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don’t have a dedicated security professional for their systems, and their ICS security makes up less than one percent of their IT budget for process and ICS equipment and services.
“An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF.”
Risk management has basically become a “religion” in security, says Richard Bejtlich, CSO at Mandiant. “Risk management has been beaten into everyone’s head, but below the business level, I don’t think most IT security people” are focused on it, he says.
Tomi Engdahl says:
Windows 8′s Picture Passwords Weaker Than Users Might Hope
http://it.slashdot.org/story/13/09/05/2144247/windows-8s-picture-passwords-weaker-than-users-might-hope
“word of work done by researchers at Arizona State University, Delaware State University and GFS Technology Inc., who find that the multiple-picture sequence security option of Windows 8 suffers from various flaws”
Tomi Engdahl says:
Why We Published the Decryption Story
http://www.propublica.org/article/why-we-published-the-decryption-story
ProPublica is today publishing a story in partnership with the Guardian and The New York Times about U.S. and U.K. government efforts to decode enormous amounts of Internet traffic previously thought to have been safe from prying eyes.
The story, we believe, is an important one. It shows that the expectations of millions of Internet users regarding the privacy of their electronic communications are mistaken. These expectations guide the practices of private individuals and businesses, most of them innocent of any wrongdoing. The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable.
The government insists it has put in place checks and balances to limit misuses of this technology. But the question of whether they are effective is far from resolved and is an issue that can only be debated by the people and their elected representatives if the basic facts are revealed.
American history is replete with examples of the dangers of unchecked power operating in secret.
Tomi Engdahl says:
NSA cracks encryption with ease
All your keys are belong to it
http://www.theinquirer.net/inquirer/news/2293089/nsa-cracks-encryption-with-ease
THE UNITED STATES National Security Agency (NSA) is adept at cracking most encrypted communications, according to leaked documents, holds commercial encryption keys for ease of access and has backdoors into many systems and software products.
The NSA collaborates with the British GCHQ on defeating routine cryptography processes and has got itself into a position where it punches through them like they were wet paper bags.
“These frightening revelations imply that the NSA has not only pursued an aggressive [programme] of obtaining private encryption keys for commercial products – allowing the organization to decrypt vast amounts of Internet traffic that use these products – but that the agency has also attempted to put backdoors into cryptographic standards designed to secure users’ communications,” said the Electronic Frontier Foundation in response.
“Additionally, the leaked documents make clear that companies have been complicit in allowing this unprecedented spying to take place, though the identities of cooperating companies remain unknown.”
The programme is called Bullrun and is managed by a group called the Five Eyes. This is made up of representatives from the UK, US, Canada, Australia and New Zealand.
Tomi Engdahl says:
Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back
http://yro.slashdot.org/story/13/09/06/0148201/schneier-the-us-government-has-betrayed-the-internet-we-need-to-take-it-back
“Quoting Bruce Schneier in the Guardian: ‘The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it. Government and industry have betrayed the internet, and us. This is not the internet the world needs, or the internet its creators envisioned. We need to take it back. And by we, I mean the engineering community.”
Tomi Engdahl says:
The US government has betrayed the internet. We need to take it back
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it
Government and industry have betrayed the internet, and us.
By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.
This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.
And by we, I mean the engineering community.
Yes, this is primarily a political problem, a policy matter that requires political intervention.
But this is also an engineering problem, and there are several things engineers can – and should – do.
One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order.
We need to know how exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I’ve just started collecting. I want 50.
Two, we can design.
We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.
Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA’s actions are legitimizing the internet abuses by China, Russia, Iran and others.
Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country’s internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can’t be dominated or abused by any one country.
Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us
Dismantling the surveillance state won’t be easy.
Again, the politics of this is a bigger task than the engineering, but the engineering is critical
To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
Tomi says:
Majority of Tor crypto keys could be broken by NSA, researcher says
http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-could-be-broken-by-nsa-researcher-says/
The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency, a security researcher has speculated.
Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own “hostile” exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.
“Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,” Graham wrote in a blog post published Friday.
He went on to cite official Tor statistics to observe that only 10 percent of Tor servers are using version 2.4 of the software. That’s the only Tor release that implements elliptical curve Diffie-Hellman crypto, which cryptographers believe is much harder to break. The remaining versions use keys that are presumed to be weaker.
“Of course, this is just guessing about the NSA’s capabilities,” he wrote. “As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I’d assume that it’s that, rather than curves, [it's 1024 RSA/DH] that the NSA is best at cracking.”
Tomi says:
Software developer shows how to crack it’s own software:
How to crack Cobalt Strike AND backdoor it
http://blog.strategiccyber.com/2013/09/05/how-to-crack-cobalt-strike-and-backdoor-it/
You know you’ve made it (somewhere?) as a software developer, when people pirate your stuff.
Tomi says:
U.S. says security camera maker settles over hacking incidents
http://www.reuters.com/article/2013/09/04/us-usa-privacy-cameras-idUSBRE98317P20130904?feedType=RSS&feedName=technologyNews
A company that sells security cameras that were hacked, causing live feeds from hundreds of homes and small businesses to appear on the Internet, has settled allegations that it failed to adequately secure the devices.
Under the settlement, TRENDnet is barred from misrepresenting that the buggy software is secure. It is also required to address security risks, help customers fix their software and obtain an independent assessment of their security programs every year for 20 years.
Tomi says:
Legislation Seeks to Bar N.S.A. Tactic in Encryption
http://www.nytimes.com/2013/09/07/us/politics/legislation-seeks-to-bar-nsa-tactic-in-encryption.html?_r=0
After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mail, online transactions and other communications.
“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”
The documents show that N.S.A. cryptographers have made major progress in breaking the encryption in common use for everyday transactions on the Web, like Secure Sockets Layer, or SSL, as well as the virtual private networks, or VPNs, that many businesses use for confidential communications among employees.
Sascha Meinrath, the director of the Open Technology Institute, a research group in Washington, said the reports were “a startling indication that the U.S. has been a remarkably irresponsible steward of the Internet,” which he said the N.S.A. was trying to turn into “a massive platform for detailed, intrusive and unrestrained surveillance.”
Companies like Google and Facebook have been moving to new systems that, in principle, would make government eavesdropping more difficult. Google is in the process of encrypting all data that travels via fiber-optic lines between its data centers. The company speeded up the process in June after the initial N.S.A. disclosures
For services like Gmail, once data reaches a user’s computer it has been encrypted. But as messages and other data like search queries travel internally among Google’s data centers they are not encrypted, largely because it is technically complicated and expensive to do.
Facebook announced last month that it would also transition to a novel encryption method, called perfect forward secrecy, that makes eavesdropping far more difficult.
N.S.A.’s efforts against encryption began with its dual role: eavesdropping on foreign communications while protecting American communications.
“Invariably the two missions collide,”
Tomi says:
US intelligence: Snowden’s latest leaks ‘road map’ for adversaries
‘We’re only doing our job,’ tumbls spy agency
http://www.theregister.co.uk/2013/09/06/us_intelligence_says_snowdens_latest_leaks_give_roadmap_to_adversaries/
The US Office of the Director of National Intelligence (ODNI) has issued a response to the latest revelations from Edward Snowden with a warning that the information is “not news,” but has nevertheless harmed the agency’s ability to keep America and its allies safe.
One project, codenamed “Bullrun”, involved working with commercial software vendors to allow direct access to unencrypted communications.
“Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities,” the agency said on its recently launched Tumblr page. “Our intelligence community would not be doing its job if we did not try to counter that.”
Tomi says:
Large botnet cause of recent Tor network overload
http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/
Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailinglist. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war.
At the time of writing, the amount of Tor clients actually appears to have more than quintupled already.
An alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist of mostly new users to Tor that apparently are not doing much given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users. A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.
Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread.
Tomi says:
How a Man in Austria Used Legos to Hack Amazon’s Kindle E-Book Security
http://allthingsd.com/20130906/how-a-man-in-austria-used-legos-to-hack-amazons-kindle-e-book-security/
A university professor in Austria has released the video, showing how he has automated a low-tech approach to bypassing the digital rights management system on the Kindle.
Using Lego’s Mindstorms — a basic robotics kit popular with hobbyists — plus a Kindle and a Mac, he has assembled a way to photograph what’s on the screen, and then submit it to a cloud-based text-recognition service.
It’s sort of a combination of high tech meets low. The scanning is done by way of the Mac’s iSight camera. The Mindstorms set does two things: Hits the page-advance button on the Kindle (it appears to be an older model, like the one in the picture above), then mashes the space bar on the Mac, causing it to take a picture.
It’s not intended as a statement against e-books, which he loves, he says, but rather what he considers a “dramatic loss of rights for the book owner. “The owner isn’t even an owner anymore but rather a licensee of the book,” he says.
Another thing: He’s only ever scanned one book, and that was just to prove the concept. And he hasn’t shared it anywhere “…since it would get me in deep trouble,” he says.
Tomi says:
NSA Revelations Cast Doubt on the Entire Tech Industry
http://www.wired.com/threatlevel/2013/09/tech-industry-tainted/
Six years ago, two Microsoft cryptography researchers discovered some weirdness in an obscure cryptography standard authored by the National Security Agency. There was a bug in a government-standard random number generator that could be used to encrypt data.
The researchers, Dan Shumow and Niels Ferguson, found that the number generator appeared to have been built with a backdoor — it came with a secret numeric key that could allow a third party to decrypt code that it helped generate.
According to Thursday’s reports by the ProPublica, the Guardian, and The New York Times, classified documents leaked by NSA whistleblower Edward Snowden appear to confirm what everyone suspected: that the backdoor was engineered by the NSA. Worse still, a top-secret NSA document published with the reports says that the NSA has worked with industry partners to “covertly influence” technology products.
That sounds bad, but so far, there’s not much hard evidence about what exactly has been compromised. No company is named in the new allegations.
The result is that the trustworthiness of the systems we used to communicate on the internet is in doubt. “I think all companies have a little bit of taint after this,”
“I think that no encryption created by anyone is going to protect you from everyone. The stronger the encryption the harder they are going to work to decrypt it,” he said. “I don’t care what company is selling you encryption software. Whatever they are going to sell you, it can be decrypted. There’s nothing that is infallible.”
“If these claims are true, and the NSA introduced backdoors into global security standards, this seems like a clear perversion of democracy,” Castro added. “This just further erodes the competitiveness of U.S. tech companies. In particular, I think this enlarges the scope of companies that will suffer backlash since cryptographic standards are often embedded in hardware.”
Castro wrote a report last month predicting that Snowden’s PRISM revelations could cost the U.S. cloud-computing industry as much as $35 billion
But not everyone thinks that U.S. competitiveness will be hit. The documents talk about the NSA working with foreign companies too. “I don’t think there’s going to be any direct major impact because there aren’t any other countries that are cherubs in all this either,” says Paul Kocher, president of Cryptography Research.
Tomi says:
John Gilmore Analyzes NSA Obstruction of Crypto In IPSEC
http://linux.slashdot.org/story/13/09/07/195241/john-gilmore-analyzes-nsa-obstruction-of-crypto-in-ipsec
“In a recent article posted on the cryptography mailing list, long time civil libertarian and free software entrepreneur John Gilmore has analyzed possible NSA obstruction of cryptography in IPSEC. He suggests that packet processing in the Linux kernel had been obstructed by one kernel developer. Gilmore suggests that the NSA has been plotting against strong cryptography on mobile phones.”
Tomi says:
Opening Discussion: Speculation on “BULLRUN”
http://www.mail-archive.com/[email protected]/msg12325.html
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely
NSA employees participted throughout, and occupied leadership roles
in the committee and among the editors of the documents
Every once in a while, someone not an NSA employee, but who had
longstanding ties to NSA, would make a suggestion that reduced
privacy or security, but which seemed to make sense when viewed
by people who didn’t know much about crypto.
The resulting standard was incredibly complicated — so complex
that every real cryptographer who tried to analyze it threw up
their hands and said, “We can’t even begin to evaluate its
security unless you simplify it radically”.
The IPSEC standards also mandated support for the “null”
encryption option (plaintext hiding in supposedly-encrypted
packets), for 56-bit Single DES, and for the use of a 768-bit
Diffie-Hellman group, all of which are insecure
The protocol had major deployment problems, largely resulting from
changing the maximum segment size that could be passed
Our team (FreeS/WAN) built the Linux implementation of IPSEC
I also found situations where NSA employees
explicitly lied to standards committees
To this day, no mobile telephone standards committee has considered
or adopted any end-to-end (phone-to-phone) privacy protocols. This is
because the big companies involved
Tomi says:
Putting the security jigsaw together
Do you have all the pieces and the right picture?
http://www.theregister.co.uk/2013/09/06/putting_the_security_jigsaw_together/
Effective IT security is both important and hard to implement, and it isn’t getting any easier. Central systems are becoming more complex, and keeping up with the ever-changing threat landscape is an ongoing challenge.
Then there’s the fact that end users are more mobile than ever and increasingly reckon they should be able to use any device they like to access corporate systems and data.
Tomi says:
Der Spiegel: NSA spying on the smart phones
According to claimed NSA’s secret documents information (contacts, text messages, location) can be obtained from iPhone, BlackBerry phones and Android operating system phones.
Source: http://www.iltalehti.fi/ulkomaat/2013090817461015_ul.shtml
Tomi Engdahl says:
Privacy Scandal: NSA Can Spy on Smart Phone Data
http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html
SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.
The documents state that it is possible for the NSA to tap most sensitive data held on these smart phones, including contact lists, SMS traffic, notes and location information about where a user has been.
The documents also indicate that the NSA has set up specific working groups to deal with each operating system, with the goal of gaining secret access to the data held on the phones.
In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone. Mini-programs, so-called “scripts,” then enable additional access to at least 38 iPhone features.
The documents suggest the intelligence specialists have also had similar success in hacking into BlackBerrys.
The documents also state that the NSA has succeeded in accessing the BlackBerry mail system, which is known to be very secure. This could mark a huge setback for the company, which has always claimed that its mail system is uncrackable.
Tomi Engdahl says:
Long-shot bill forbidding NSA backdoors in encryption has renewed attention
Introduced in July, the Surveillance State Repeal Act’s provisions now seem more urgent.
http://arstechnica.com/tech-policy/2013/09/long-shot-bill-forbidding-nsa-backdoors-in-encryption-has-some-renewed-attention/
In the wake of revelations that the National Security Agency (NSA) has broken through many Internet privacy protections, Representative Rush D. Holt (D-NJ) has introduced legislation to prohibit the NSA from building backdoors into encryption mechanisms, according to The New York Times. While Rep. Holt actually introduced the legislation to the House in July under the name “Surveillance State Repeal Act,” recent news may bring this bill more attention.
Still, that’s not saying much for its success. The bill mainly asks for the total repeal of both the Patriot Act and the FISA Amendments Act of 2008.
Tomi Engdahl says:
Brazilian TV show says U.S. spied on state-run Petrobras oil firm, cites NSA documents
http://www.washingtonpost.com/world/brazil-tv-to-release-nsa-documents-that-show-us-spied-on-petrobras/2013/09/08/8c4cdaf6-18d0-11e3-a628-7e6dde8f889d_story.html
A Brazilian television show, citing classified documents provided by former National Security Agency contractor Edward Snowden, reported Sunday night that the Obama administration has spied on the state-run Petrobras oil producer, Brazil’s most important company.
The program said the NSA focused on the oil giant’s computer network, as well as on those of Google and the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European firm that enables money transfers.
The show did not disclose why Petrobras or the other companies would be targeted, although the “Fantastico” report said the documents were part of a presentation used to train new agents about how to breach private computer networks.
Those disclosures caused an uproar in Brazil.
But news that an American intelligence agency has shown interest in Petrobras is sure to rankle officials here, both because of the Obama administration’s claims that its spying was aimed at thwarting terrorist threats and the sensitivity Brazilians have about foreign meddling when it comes to the country’s natural resources.
“The revelations suggest that the U.S. went way too far, beyond any reasonable justification of containing security threats,
“I think it is indiscriminate spying that has nothing to do with national security,” Bernardo said. “It’s espionage with a commercial, industrial aim.”
Tomi Engdahl says:
NSA Revelations Cast Doubt on the Entire Tech Industry
http://www.wired.com/threatlevel/2013/09/tech-industry-tainted/
Six years ago, two Microsoft cryptography researchers discovered some weirdness in an obscure cryptography standard authored by the National Security Agency. There was a bug in a government-standard random number generator that could be used to encrypt data.
According to Thursday’s reports by the ProPublica, the Guardian, and The New York Times, classified documents leaked by NSA whistleblower Edward Snowden appear to confirm what everyone suspected: that the backdoor was engineered by the NSA. Worse still, a top-secret NSA document published with the reports says that the NSA has worked with industry partners to “covertly influence” technology products.
That sounds bad, but so far, there’s not much hard evidence about what exactly has been compromised. No company is named in the new allegations. The details of the reported modifications are murky. So while much of the internet’s security systems appear to be broken, it’s unclear where the problems lie.
The result is that the trustworthiness of the systems we used to communicate on the internet is in doubt. “I think all companies have a little bit of taint after this,” says Christopher Soghoian, a technologist with the American Civil Liberties Union.
The latest documents show that the NSA has vast crypto-cracking resources, a database of secretly held encryption keys used to decrypt private communications, and an ability to crack cryptography in certain VPN encryption chips. Its goal: to crack in a widespread way the internet’s security tools and protocols.
Tomi Engdahl says:
Secret documents reveal NSA spying on encrypted internet communications
http://grahamcluley.com/2013/09/nsa-spying-encrypted-internet-communications/
According to the documents provided by whistleblower Edward Snowden, encryption tools that the NSA has had some success in hacking include:
VPNs (Virtual Private Networks), commonly used by businesses to allow workers to access their office networks remotely.
Encrypted chat programs which provide end-to-end encryption. Such systems should not allow data to be decrypted at any point during the message transfer.
HTTPS – the long-standing method of encrypting data (such as passwords and financial information) between a web browser and a secure website, such as your online bank, your webmail or social networking site. If you’ve ever visited a website whose URL begins https:// and displays a small padlock, you’re using HTTPS to secure your communications.
TLS/SSL (Transport Layer Security / Secure Sockets Layer – used by HTTPS.
Encrypted VoIP (Internet telephony) services. Skype and Apple FaceTime are examples of free services that offer encrypted phone and video calls. The leaked documents suggest that the NSA is working with some VoIP services to obtain access to messages before they are encrypted.
The documents reveal the NSA was covertly working with technology firms to not only weaken encryption but also to introduce exploitable backdoors that could be used for surveillance
The story is very important, and many will find it highly disturbing.
If any weakness is inserted into the technologies used to protect the privacy of many millions of internet users it could be exploited not just by law enforcement and surveillance agencies in the USA or United Kingdom, but also foreign nations and online criminals. A backdoor in a security systems fundamentally compromises the security of all users.
Tomi Engdahl says:
Finnish Hospitals in a hurry to upgrade computers – Patient data at risk
Hospital districts new to the tens of thousands of computers during this winter – otherwise the patient data is at risk of falling into the wrong hands, writes Yle.
Microsoft will end in April next year the security updates for Windows XP operating system, widely used in Finnish hospitals and health centers.
The problem is that when you run out of upgrades, hackers can feel free to take advantage of the operating system of programming errors. Hospital districts have now launched a big update operation due to a matter, to write Yle.
- It is certain that if the hospital districts have until next spring after the Windows XP machines in use, computers do not do security updates, and it is a real problem
YLE asked the medical district, how well they are able to update the machine in time. According to the answers of about 60 per cent of hospital districts to be successful, the rest do not.
Source: http://www.iltalehti.fi/digi/2013090917462832_du.shtml
Tomi Engdahl says:
India govt reportedly monitors Web activities, without ISP knowledge
http://www.zdnet.com/in/india-govt-reportedly-monitors-web-activities-without-isp-knowledge-7000020396/
Summary: Indian government said to have deployed Lawful Intercept and Monitoring systems to track Internet activities of citizens, separate from similar systems used by telcos in the government’s Central Monitoring System project.
The Indian government is reportedly carrying out Internet surveillance on its citizens, in contrast with the government’s rules and notifications for ensuring communications privacy.
Tomi Engdahl says:
Hypponen: United States Secret Service asked the F-Secure encryption software back door
United States Secret Service has asked a Finnish security company F-Secure data encryption software, F-Secure Desktop is possible the rear doors. The committee says the F-Secure’s Chief Research Officer Mikko Hypponen on Twitter account.
The Secret Service asked back door “years ago” , Hyppönen memory, the year 1999 .
Hypponen also writes on Twitter that the F-Secure applications do not have the rear doors.
Source: http://www.tietoviikko.fi/uutisia/hypponen+yhdysvaltain+salainen+palvelu+tiedusteli+fsecuren+salausohjelmistosta+takaovea/a928361
Tomi Engdahl says:
EFF victory will reveal NSA surveillance documents
Days until hundreds of documents released
http://www.theinquirer.net/inquirer/news/2293191/eff-victory-will-reveal-nsa-surveillance-documents
INTERNET RIGHTS GROUP the Electronic Frontier Foundation has won a legal victory that will force the release of hundreds of NSA surveillance related documents that date back at least nine years.
The EFF has pushed hard for the release of the papers
“It was not until the start of the release of documents leaked by NSA whistleblower Edward Snowden that the government’s position became untenable and the court ordered the government to begin the declassification review process.”
Included in the document releases will be more information about how the US security agencies interpret Section 215 of the Patriot Act.
Tomi Engdahl says:
Barrett Brown Faces 105 Years in Jail
But no one can figure out what law he broke. Introducing America’s least likely political prisoner
http://www.rollingstone.com/culture/news/barrett-brown-faces-105-years-in-jail-20130905
The mid-June sun is setting on the Mansfield jail near Dallas when Barrett Brown, the former public face of Anonymous, shuffles into the visitors hall wearing a jumpsuit of blazing orange. Once the nattiest anarchist around, Brown now looks like every other inmate in the overcrowded North Texas facility
Encountering Barrett Brown’s story in passing, it is tempting to group him with other Anonymous associates who have popped up in the news for cutting pleas and changing sides. Brown’s case, however, is a thing apart. Although he knew some of those involved in high-profile “hacktivism,” he is no hacker. His situation is closer to the runaway prosecution that destroyed Aaron Swartz, the programmer-activist who committed suicide in the face of criminal charges similar to those now being leveled at Brown. But unlike Swartz, who illegally downloaded a large cache of academic articles, Brown never broke into a server; he never even leaked a document.
The most serious charges against him relate not to hacking or theft, but to copying and pasting a link to data that had been hacked and released by others.
“What is most concerning about Barrett’s case is the disconnect between his conduct and the charged crime,” says Ghappour. “He copy-pasted a publicly available link containing publicly available data that he was researching in his capacity as a journalist. The charges require twisting the relevant statutes beyond recognition and have serious implications for journalists as well as academics. Who’s allowed to look at document dumps?”
Brown’s case is a bellwether for press freedoms in the new century, where hacks and leaks provide some of our only glimpses into the technologies and policies of an increasingly privatized national security-and-surveillance state. What Brown did through his organization Project PM was attempt to expand these peepholes. He did this by leading group investigations into the world of private intelligence and cybersecurity contracting, a $56 billion industry that consumes 70 percent of the U.S. intelligence budget.
“Barrett was an investigative journalist who was merely doing his professional duty,” says Christophe Deloire of Reporters Without Borders. “The sentence that he is facing is absurd and dangerous.”
This latter action, called Operation PayBack, earned the attention of the Justice Department. In the summer of 2011, the FBI issued 35 search warrants and arrested 14 suspected hackers.
After Operation Payback, Anonymous was on the radar of every private security firm looking to build a quick reputation.
Once the hackers who broke into HBGary’s servers discovered that Barr was basically a clown, they abandoned pursuit.
When the hackers posted the e-mails on a BitTorrent site, he used Project PM to organize the painstaking work of collating and connecting the dots to see what picture emerged.
In early December 2011, a young Chicago Anon named Jeremy Hammond cracked Stratfor’s server and downloaded some 5 million internal documents.
With the apparent blessing and supervision of the FBI, Sabu provided the server for Hammond to store the docs. Hammond then proceeded to release them to the public.
Meanwhile, deeply buried in the TrapWire debate was the fact that included in the Stratfor docs were the credit-card numbers of 5,000 Stratfor clients. Brown likely did not give the numbers a second thought. But it’s these numbers that form the most serious charges against Brown. The government alleges that when Brown pasted a link in a chat room to the alreadyleaked documents, he was intentionally “transferring” data for the purpose of credit-card and identity fraud.
“If the Pentagon Papers included creditcard info, then would The New York Times have been barred from researching them?” says Brown’s co-counsel Ghappour.
Among hacktivists, theories differ on the motive behind the FBI action.
Over the next four months, federal grand juries issued three multicount indictments for obstruction and “access devicefraud” related to the Stratfor link. It is the last of these that concern civil-liberties activists and that could have a possible chilling effect. “One can’t apply the transfer provision of the statute to someone conducting research,” says Ghappour. “If cutting and pasting a link is the same as the transfer of the underlying data, then anyone on the Internet is prone to violating the Computer Fraud and Abuse Act.”
Tomi Engdahl says:
A Journalist-Agitator Facing Prison Over a Link
http://www.nytimes.com/2013/09/09/business/media/a-journalist-agitator-facing-prison-over-a-link.html?pagewanted=all&_r=0
Barrett Brown makes for a pretty complicated victim. A Dallas-based journalist obsessed with the government’s ties to private security firms, Mr. Brown has been in jail for a year, facing charges that carry a combined penalty of more than 100 years in prison.
Professionally, his career embodies many of the conflicts and contradictions of journalism in the digital era. He has written for The Guardian, Vanity Fair and The Huffington Post, but as with so many of his peers, the line between his journalism and his activism is nonexistent. He has served in the past as a spokesman of sorts for Anonymous, the hacker collective, although some members of the group did not always appreciate his work on its behalf.
Project PM first looked at the documents spilled by the hack of HBGary Federal, a security firm, in February 2011 and uncovered a remarkable campaign of coordinated disinformation against advocacy groups, which Mr. Brown wrote about in The Guardian, among other places.
In December 2011, approximately five million e-mails from Stratfor Global Intelligence, an intelligence contractor, were hacked by Anonymous and posted on WikiLeaks. The files contained revelations about close and perhaps inappropriate ties between government security agencies and private contractors. In a chat room for Project PM, Mr. Brown posted a link to it.
Among the millions of Stratfor files were data containing credit cards and security codes, part of the vast trove of internal company documents.
According to one of the indictments, by linking to the files, Mr. Brown “provided access to data stolen from company Stratfor Global Intelligence to include in excess of 5,000 credit card account numbers, the card holders’ identification information, and the authentication features for the credit cards.”
But keep in mind that no one has accused Mr. Brown of playing a role in the actual stealing of the data, only of posting a link to the trove of documents.
Journalists from other news organizations link to stolen information frequently. Just last week, The New York Times, The Guardian and ProPublica collaborated on a significant article about the National Security Agency’s effort to defeat encryption technologies. The article was based on, and linked to, documents that were stolen by Edward J. Snowden, a private contractor working for the government who this summer leaked millions of pages of documents to the reporter Glenn Greenwald and The Guardian along with Barton Gellman of The Washington Post.
By trying to criminalize linking, the federal authorities in the Northern District of Texas — Mr. Brown lives in Dallas — are suggesting that to share information online is the same as possessing it or even stealing it.
Speaking by phone on Thursday, Charles Swift, one of his lawyers, spoke carefully.
“Mr. Brown is presumed innocent of the charges against him and in support of the presumption, the defense anticipates challenging both the legal assumptions and the facts that underlie the charges against him,” he said.
“The big reason this matters is that he transferred a link, something all of us do every single day, and ended up being charged for it,” said Jennifer Lynch, a staff lawyer at the Electronic Frontier Foundation, an advocacy group that presses for Internet freedom and privacy. “I think that this administration is trying to prosecute the release of information in any way it can.”
“But it is important to remember that the majority of the 105 years he faces are the result of linking to a file. He did not and has not hacked anything, and the link he posted has been posted by many, many other news organizations.”
At a time of high government secrecy with increasing amounts of information deemed classified, other routes to the truth have emerged, many of them digital. News organizations in receipt of leaked documents are increasingly confronting tough decisions about what to publish, and are defending their practices in court and in the court of public opinion, not to mention before an administration determined to aggressively prosecute leakers.
Tomi Engdahl says:
Google Speeding Up New Encryption Project After Edward Snowden Revealed Projects Bullrun And Edgehill
http://www.ibtimes.com/google-speeding-new-encryption-project-after-edward-snowden-revealed-projects-bullrun-edgehill
In response to NSA’s Bullrun and GCHQ’s Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies.
“It’s an arms race,” Eric Grosse, the vice president of security engineering at Google, said. “We regard these government agencies as among the most skilled players in the game.”
Encryption is used to create trust and confidence among online consumers, and it protects the privacy of emails, banking and medical records. Without keys to unlock entire encryption programs, government surveillance agencies like the NSA cannot collect wholesale data from citizens but could do targeted hacks of suspected criminals or terrorist threats.
Google has not provided details on its new encryption efforts but did say it would be “end-to-end,” meaning that all servers and fiber-optic lines involved in delivering information will be encrypted.
Tomi Engdahl says:
iSpy: How the NSA Accesses Smartphone Data
http://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html
The US intelligence agency NSA has been taking advantage of the smartphone boom. It has developed the ability to hack into iPhones, android devices and even the BlackBerry, previously believed to be particularly secure.
A salesman approached and raved about the iPhone, saying that there were already “400,000 apps” for the device. Hayden, amused, turned to his wife and quietly asked: “This kid doesn’t know who I am, does he? Four-hundred-thousand apps means 400,000 possibilities for attacks.”
US intelligence service doesn’t just bug embassies and access data from undersea cables to gain information. The NSA is also extremely interested in that new form of communication which has experienced such breathtaking success in recent years: smartphones.
In Germany, more than 50 percent of all mobile phone users now possess a smartphone; in the UK, the share is two-thirds. About 130 million people in the US have such a device. The mini-computers have become personal communication centers, digital assistants and life coaches, and they often know more about their users than most users suspect.
For an agency like the NSA, the data storage units are a goldmine, combining in a single device almost all the information that would interest an intelligence agency: social contacts, details about the user’s behavior and location, interests (through search terms, for example), photos and sometimes credit card numbers and passwords.
Smartphones, in short, are a wonderful technical innovation, but also a terrific opportunity to spy on people, opening doors that even such a powerful organization as the NSA couldn’t look behind until now.
The NSA tackled the issue at the same speed with which the devices changed user behavior. According to the documents, it set up task forces for the leading smartphone manufacturers and operating systems. Specialized teams began intensively studying Apple’s iPhone and its iOS operating system, as well as Google’s Android mobile operating system. Another team worked on ways to attack BlackBerry
The material contains no indications of large-scale spying on smartphone users, and yet the documents leave no doubt that if the intelligence service defines a smartphone as a target, it will find a way to gain access to its information.
In exploiting the smartphone, the intelligence agency takes advantage of the carefree approach many users take to the device. According to one NSA presentation, smartphone users demonstrate “nomophobia,” or “no mobile phobia.” The only thing many users worry about is losing reception. A detailed NSA presentation titled, “Does your target have a smartphone?” shows how extensive the surveillance methods against users of Apple’s popular iPhone already are.
In three consecutive transparencies, the authors of the presentation draw a comparison with “1984,” George Orwell’s classic novel about a surveillance state, revealing the agency’s current view of smartphones and their users. “Who knew in 1984 that this would be Big Brother …” the authors ask, in reference to a photo of Apple co-founder Steve Jobs
The NSA analysts are especially enthusiastic about the geolocation data stored in smartphones and many of their apps, data that enables them to determine a user’s whereabouts at a given time.
The internal documents indicate that this was not the only success against Blackberry, a company that markets its devices as being surveillance-proof — and one that has recently lost substantial market share due to strategic mistakes, as the NSA also notes with interest.
Tomi Engdahl says:
NSA spies reportedly exploited iPhone location bug not fixed until 2011
File gave detailed account of users’ whereabouts over extended periods of time.
http://arstechnica.com/security/2013/09/nsa-spies-reportedly-exploited-iphone-location-bug-not-fixed-until-2011/
The latest revelation about the National Security Agency’s (NSA) expansive surveillance program isn’t really a revelation at all. It comes from Germany’s Der Spiegel magazine, which reports that smartphones powered by Apple’s iOS, Google’s Android, and Blackberry’s operating systems are among the devices government spies exploit when they want to intercept a target’s communications.
The lack of specifics in the article makes it hard identify the iOS bug, but it sure sounds like the one a pair of researchers reported in April 2011. It allowed anyone with physical access to an iPhone or iPad, or potentially a data backup of the device, to reconstruct a detailed account of the user’s comings and goings, often down to the second, over an extended period of time.
After their discovery became public, Warden and Allan learned that forensic investigators had been exploiting the bug for years to dredge up the comings and goings of iPhone users involved in civil or criminal court cases.
Tomi Engdahl says:
Is Twitter revealing your location without your permission?
http://www.electronicproducts.com/Computer_Peripherals/Communication_Peripherals/Is_Twitter_revealing_your_location_without_your_permission.aspx
Social media has become a part of everyday life. If you have a Facebook or Twitter account, you’re probably even familiar with posts that show a friend’s exact location.
As you may suspect, this can be very dangerous since it allows others to know exactly where you are at all times. So you can opt to turn off your geotagging settings, but what happens when your social media sites can access your location, even if you don’t offer it up.
To deal with this issue, a University of Southern California (USC) researcher has created an application that lets you test your own location footprint.
In his one week sampling period, he found that about 20% of the tweets actually showed a user’s location so accurately that you could locate their exact street or even better.
A lot of users gave their location willingly by using their GPS function.
“The downside is that mining this kind of information can also provide opportunities for criminal misuse of data,” said Weidemann.
Tomi Engdahl says:
NSA slides reveal: iPhone users are all ZOMBIES
OK, not literally. Plus: Our favourite spooks show us how to hack an iPhone – report
http://www.theregister.co.uk/2013/09/09/fanbois_the_nsa_thinks_youre_all_zombies/
Spooks at the US National Security Agency (NSA) can’t believe we’re all paying for the equipment it’s using to spy on us, describing Steve Jobs as Big Brother and iPhone buyers as “zombies”.
That assertion comes from NSA documents leaked to Germany’s Spiegel Online.
The self-promoting presentation, purportedly an internal NSA report from 2010 titled “Exploring Current Trends, Targets and Techniques”, includes a number of slides presenting snapshots of grinning iPhone-brandishing customers as analogous to the “zombies” brainwashed by Big Brother – in a reference to George Orwell’s Nineteen Eighty-Four.
The argument is backed up with selfies taken by a (foreign) government official (apparently on his couch at home in front of the TV) and lifted from his iPhone.
A slide from a second presentation, “Your target is using a BlackBerry? Now what?”, then presents details of how best to attack the hitherto invulnerable Canadian smartphone platform.
The fact that the NSA has teams cracking mobile operating systems should surprise no one: these people are paid to spy
Almost all communications go through a server of some sort, and in the normal run of things the authorities just sequester that server. Tapping phone calls or messages is much easier at the server, and most countries have lawful intercept legislation which permits this with some from of judicial oversight. The United States’ NSA has the provision to work outside national borders, however, so it might need to take a less public approach.
When it comes to an iPhone, the best approach, according to the documents seen by Spiegel Online, is hacking the computer to which it is connected. Synchronised data is a lot easier to attack, lacking the hardware protection available on mobile platforms, so get into their PC, lift the data and perhaps even subvert the iPhone from there.
Many attacks seem to depend on getting users to open attachments or visit dodgy websites, vectors of attack well known in the security business. The NSA presentation calls this “Nomophobia”, or “no phone phobia”, as mobile users haven’t yet learnt to worry about their security.
Windows Phone users… security through obscurity
But what’s really surprising is the lack of information on Android or Windows Phone,
Tomi Engdahl says:
Boffins propose NSA-proof crypto for cloud computing
Only one problem with joint UK-Danish project: low SPDZ
http://www.theregister.co.uk/2013/09/10/boffins_propose_more_spookproof_crypto/
It’s more likely that the NSA has devoted its efforts to key capture and side-channel attacks rather than brute-forcing its way through ciphertext en masse – but it’s also true that our crypto maths won’t last forever.
Which draws attention to projects like this one (PDF), which is looking at protection of multi-party computation (MPC) activities.
According to Phys.org: “The idea behind Multi-Party Computation is that it should enable two or more people to compute any function of their choosing on their secret inputs, without revealing their inputs to either party. One example is an election; voters want their vote to be counted but they do not want their vote made public.”
The aim of the work by a UK-Danish collaboration is to strap the supercharger onto a protocol called SPDZ – pronounced Speedz – to give it real-world performance.
In SPDZ, two machines working on a multi-party computation problem can do so without revealing their data to each other.
“MPC is similar in concept to the “zero knowledge proof”
Tomi Engdahl says:
How to foil NSA sabotage: use a dead man’s switch
http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
Registering for nothing-to-see-here deadlines could help to sound the alert when a website has been compromised
The more we learn about the breadth and depth of the NSA and GCHQ’s programmes of spying on the general public, the more alarming it all becomes. The most recent stories about the deliberate sabotage of security technology are the full stop at the end of a sentence
It doesn’t really matter if you trust the “good” spies of America and the UK not to abuse their powers (though even the NSA now admits to routine abuse, you should still be wary of deliberately weakened security. It is laughable to suppose that the back doors that the NSA has secretly inserted into common technologies will only be exploited by the NSA. There are plenty of crooks, foreign powers, and creeps who devote themselves to picking away patiently at the systems that make up the world and guard its wealth and security (that is, your wealth and security) and whatever sneaky tools the NSA has stashed for itself in your operating system, hardware, applications and services, they will surely find and exploit.
One important check against the NSA’s war on security is transparency. Programmes published under free/open software licenses can be independently audited are much harder to hide secret back doors in. But what about the services that we use – certificate providers, hosted email and cloud computers, and all the other remote computers and networks that we entrust with our sensitive data?
Ultimately these are only as trustworthy as the people who run them.
even the most trustworthy operators may face secret orders to silently betray you, with terrible penalties if they speak out.
This is not a new problem.
Sell has yet to receive a secret order, so she can legally report in each transparency report: “Wickr has received zero secret orders from law enforcement and spy agencies. Watch closely for this notice to disappear.” When the day came that her service had been served by the NSA, she could provide an alert to attentive users (and, more realistically, journalists) who would spread the word. Wickr is designed so that it knows nothing about its users’ communications, so an NSA order would presumably leave its utility intact, but notice that the service had been subjected to an order would be a useful signal to users of other, related services.
This gave me an idea for a more general service: a dead man’s switch to help fight back in the war on security. This service would allow you to register a URL by requesting a message from it, appending your own public key to it and posting it to that URL.
Once you’re registered, you tell the dead man’s switch how often you plan on notifying it that you have not received a secret order, expressed in hours.
No one’s ever tested this approach in court, and I can’t say whether a judge would be able to distinguish between “not revealing a secret order” and “failing to note the absence of a secret order”, but in US jurisprudence, compelling someone to speak a lie is generally more fraught with constitutional issues than compelled silence about the truth. The UK is on less stable ground – the “unwritten constitution” lacks clarity on this subject
When the NSA came up with codenames for its projects to sabotage security products, it chose “BULLRUN” and “MANASSAS”,
Our world is made up of computers. Our cars and homes are computers into which we insert our bodies; our hearing aids and implanted defibrillators are computers we insert into our bodies. The deliberate sabotage of computers is an act of depraved indifference to the physical security and economic and intellectual integrity of every person alive. If the law is perverted so that we cannot tell people when their security has been undermined, it follows that we must find some other legal way to warn them about services that are not fit for purpose.
Tomi Engdahl says:
Crypto prof asked to remove NSA-related blog post
Predictable backtrack from Johns Hopkins comes a few hours later.
http://arstechnica.com/security/2013/09/crypto-prof-asked-to-remove-nsa-related-blog-post/
Matthew Green is a well-known cryptography professor, currently teaching in the computer science department of Johns Hopkins University in Baltimore. Last week, Green authored a long and interesting blog post about the recent revelations that the National Security Agency (NSA) has, among much else, subverted crypto standards. In his words, “The TL;DR ['too long; didn't read' version] is that the NSA has been doing some very bad things.” And Green went on to speculate at some length about what those “bad things” were and what they might mean.
Today, Green’s academic dean contacted him to ask that “all copies” of the blog post be removed from university servers. Green said that the move was not “my Dean’s fault,” but he did not elaborate.
Was basic academic freedom on the line?
Thanks to the wonder of Google’s cache, here is the original post