Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
No warrant, no problem: US gov’t uses travel alerts for warrantless electronics search
http://www.zdnet.com/no-warrant-no-problem-us-govt-uses-travel-alerts-for-warrantless-electronics-search-7000020487/
Summary: The ACLU has released documents showing how the US government uses border searches to take citizens’ electronics and rifle through private data to its heart’s content.
Tomi Engdahl says:
Agency denies helping NSA beat encryption
http://thehill.com/blogs/hillicon-valley/technology/321309-nist-denies-helping-nsa-undermine-privacy-standards
A Commerce Department agency that sets technical standards is denying that it helped the National Security Agency “deliberately weaken” encryption.
Documents leaked by Edward Snowden last week showed that the NSA has been waging an aggressive campaign to break Internet encryption technologies.
The Guardian and The New York Times, which obtained the documents, reported that the NSA successfully got NIST to adopt its version of a security standard in 2006.
That standard included vulnerabilities that NSA hackers could later exploit to spy on private communications, the papers reported.
NIST is not a regulatory agency — it only helps private groups agree on voluntary standards and guidelines. If outside groups stop trusting the NIST, it could undermine the agency’s usefulness.
“NIST would not deliberately weaken a cryptographic standard,” the agency said in the statement.
Tomi Engdahl says:
NSA illegally searched 15,000 suspects’ phone records, according to declassified report
http://www.theverge.com/2013/9/10/4716642/nsa-illegally-searched-15000-suspects-phone-records-according-to
As the result of a lawsuit by the Electronic Frontier Foundation, the Office of the Director of National Intelligence declassified a new cache of documents today, revealing more than a dozen FISA court rulings and internal documents. Among the documents are details of a so-called “compliance breach” in 2009 that saw the NSA improperly track more than 15,000 suspects in violation of FISA court rulings, and resulted in only minimal repercussions for the agency.
The dispute centered around the legal idea of “reasonable, articulable suspicion,” the bar a law enforcement agency must clear before they can stop to search a suspect.
But the NSA’s software, whether through bad code or legal ignorance, seems to have ignored reasonable suspicion entirely. A software audit on January 15th, 2009 revealed that, out of the 17,835 phone numbers on the NSA’s alert list (referred to as “identifiers”), fewer than 2,000 had cleared the FISA court’s standard of reasonable suspicion. Making matters worse was that much of the NSA didn’t seem to think there was a problem. As one document puts it, even the NSA’s in-house lawyers “appear to have viewed the alert process as merely a means of identifying a particular identifier on the alert list that might warrant further scrutiny.”
Tomi Engdahl says:
NSA Violated Privacy Protections, Officials Say
Revelation Calls Into Question Security of Phone-Record Database
http://online.wsj.com/article_email/SB10001424127887324094704579067422990999360-lMyQjAxMTAzMDEwMDExNDAyWj.html
The National Security Agency’s searches of a database containing the phone records of nearly all Americans violated privacy protections for three years by failing to meet a court-ordered standard, according to court documents released Tuesday.
The documents showed the violations continued until a judge ordered an overhaul of the program in 2009.
Top U.S. officials, including Gen. Alexander, have repeatedly reassured lawmakers and the public that the phone-records program has been carefully executed under oversight from the secret national security court.
The NSA violations occurred between 2006, when the phone-records program first came under court supervision, and 2009, when NSA officials told Judge Walton the program had been conducting searches using thousands of phone numbers that didn’t meet court standards. Before 2006, the program was run without court supervision.
The records, called “metadata,” includes phone numbers people dialed and where they were calling from. The content of the calls isn’t obtained under this program.
The NSA used an “alert list” of nearly 18,000 numbers of “counterterrorism interest” to screen phone records on a daily basis and determine which ones it should look at most closely, a senior intelligence official said.
Tomi Engdahl says:
AppDirect raises $9M, acquires Standing Cloud to help businesses adopt a hybrid network in the NSA’s wake
http://pandodaily.com/2013/09/10/appdirect-raises-9m-acquires-standing-cloud-to-help-businesses-adopt-a-hybrid-network-in-the-nsas-wake/
The revelations have led to questions concerning the safety of many US-based technology services, with some suggesting that consumers should boycott or avoid companies based in the country, whether they’ve been implicated in the leaks or not. (Many companies are unable to reveal government requests.)
The acquisition will allow AppDirect to better serve businesses seeking to use a privately-hosted cloud infrastructure instead of relying on public clouds. Daniel Saks, the company’s chief executive, says that this capability will become increasingly important as businesses adopt hybrid infrastructures which rely on both privately-and publicly-hosted networks.
“People are certainly more afraid of the cloud for certain things but are embracing it for others,” Saks says. “Our response to that is, let’s give customers options.”
US-based cloud networks have advantages over private networks, Saks says — namely that they can be more reliable and easier to scale. Privately-hosted networks, meanwhile, are often seen as more secure and less likely to be tampered with by the US government. Hybrid solutions are meant to offer the best of both set-ups.
“Businesses need to make the choice that their data is confidential and that it needs added security,” Saks says. They can use a private network to host that data, he says; for other information and services they can use public networks.
That approach is riddled with potentially — or perhaps probably — faulty assumptions, of course. Most of us are unaware of the NSA and other government agencies’ ability to gather information from anything connected to the Internet, whether it’s a smartphone or a privately-hosted network.
Relying on a private network to keep data secure is like hoping that encryption will protect your communications or that a blanket will ward off nightmarish creatures in the middle of the night: it might make some businesses and citizens feel better, but it’s unlikely to make much of a difference in practice.
Tomi Engdahl says:
Is there already an attacker on your network?
Corporate networks using multi-level and multi-layer shields against cyber-attacks. It is still quite possible that in many ways the web is already an intruder inside. “I would dare to claim that Finland is not found in any of the integrator, which had not already been taken over, one way or another,” says nSense leading security researcher Tomi Tuominen.
The introduction of a simple attack economics.
“One-stop point for taking over a large coverage of the absurd. Integrators, as well as advertising platforms will want to take over, because they have such a big access to all parts, “says Tuominen. Economies of scale in applying the principle in its own way the U.S. and British intelligence services, the methods of Edward Snowden has revealed.
a number of cases where criminals have taken advantage of the attackers quietly organization’s information security holes in the network, or software. This has been done for years without anyone noticing, entrusts the organization of the system is solidly protected.
Bringing has more than ten years a lot of intrusion investigations, incident response.
“It will open up a completely different world. We’ll see what the bad guys really are doing and what kind of techniques they use. There is still every time I go to a gig, I learned something new, such as new technology or something that I have not previously found in public sources, “he says
Found techniques associated with a typical post-break-after exploitation of measures and data extraction of large amounts of data to move out. “The attacker point of view, it is a reasonably large part of the operation.”
Introduction of the attackers, black-hat hackers take over the entire period of new items as much as possible without compromising their own safety. After a successful break-in after the access may be left unused for long periods of time. A corporate network may be sampled from a database or file list, search for information by the buyer, and only then take advantage of access.
Few finds dns-tunneling
Network security, it is essential to look at what data is most valuable, and ensure that it is a particularly strong protection for the back. It is recommended to analyze network traffic continuously and look for the anomalies, anomalies.
Bringing the example of the so-called strikers techniques dns-tunneling. Its use is basically easy to spot, but requires an exceptional defender of consciousness.
There was a case of any type of attack, it is always preceded by reconnaissance phase. It is caused by the traffic should alert you. The inquiry against you should think about how to fool spies.
If you can make intelligence more difficult, it is half the battle.
The intruder cyber criminals are using not only his own software to also make wide use of tools, which was originally created to meet the needs of network defense. Similarly, network security professionals are trying to use the tricks of the attackers, when checking the back walls of the durability.
Source: http://www.tietokone.fi/artikkeli/uutiset/hyokkaaja_on_jo_verkossasi
Tomi Engdahl says:
IT Pros and BYOD Users See Support Much Differently
http://www.cio.com/article/739361/IT_Pros_and_BYOD_Users_See_Support_Much_Differently
When it comes to providing mobile support to BYOD employees, IT and end users have drastically different perspectives. More than half of tech pros recently surveyed would give themselves a grade of A or B. However, most users would give IT a C or worse. Why the disconnect?
A new report suggests IT might be delivering poor mobile support to BYOD employees even though IT pros think they’re doing a good job. In other words, mobility is becoming a major point of contention in the rocky IT-business relationship — and tech leaders aren’t even aware there’s an issue.
BYOD Isn’t Easy
To be fair, IT has a tough job.
For starters, smartphones and tablets have sold largely on their simplicity. It just works, says Apple. This is a hard standard to live up to for an IT department in charge of security and network bandwidth despite dwindling resources.
A whopping 86 percent of BYOD-ers say they access or save work-related information on their mobile device. Some 5 percent of users admitted losing a personal device used for work, either forgetting it somewhere or having it stolen. Given that many users have more than one device, CDW estimates one in 20 of all devices will be lost or stolen.
While this is bad enough, here’s the punch in the gut: 83 percent of lost smartphones are used in attempts to access corporate data, says Symantec.
Moreover, mobile devices put pressure on the corporate network, leading to network latency and scalability problems. Nearly 40 percent of IT pros say they’ve already seen serious issues tied to network performance.
The problem is only going to get worse, too, as IT pros expect the number of personal smartphones and tablets accessing the network to more than double in the next two years.
In order to corral these dangers, CIOs have had to implement strict end-user guidelines and BYOD policies.
Tomi Engdahl says:
Torvalds shoots down call to yank ‘backdoored’ Intel RdRand in Linux crypto
‘We actually know what we are doing. You don’t’ says kernel boss
http://www.theregister.co.uk/2013/09/10/torvalds_on_rrrand_nsa_gchq/
Linux supremo Linus Torvalds has snubbed a petition calling for his open-source kernel to spurn the Intel processor instruction RdRand for generating random numbers – feared to be nobbled by US spooks to produce cryptographically weak values.
Torvalds branded the England-based bloke who created the petition, Kyle Condon, “ignorant”. The head Penguista said anyone who backed the call to remove RdRand from his operating system kernel should learn how crypto works.
“Short answer: we actually know what we are doing. You don’t.”
Torvalds argued in his mild outburst that the values from RdRand are combined with other sources of randomness, which would thwart any attempts to game the processor’s output – but it’s claimed that mix is trivial (involving just an exclusive OR) and can be circumvented by g-men.
The catalyst for the petition seems to be the belief that the RdRand instruction in Intel processors has been compromised by the NSA and GCHQ, following the latest disclosures from whistleblower Edward Snowden.
The pseudo-device /dev/random generates a virtually endless stream of random numbers on GNU/Linux systems, which are crucial for encrypting information in a secure manner. RdRand is an instruction [PDF] found in modern Intel chips that stashes a “high-quality, high-performance entropy” generated random number in a given CPU register.
According to the latest clutch of Snowden documents published by ProPublica, The New York Times and The Guardian last week, the NSA and GCHQ have broken basic encryption on the web – mostly by cheating rather than defeating the mathematics involved: unnamed chipsets are believed to have been compromised at the design stage so that encrypted data generated on those systems is easier to crack by spooks armed with supercomputers.
The details are short, but the implication is that American and British spies can crack TLS/SSL connections used to secure HTTPS websites and virtual private networks (VPNs)
Given RdRand is present in quite a few PCs and servers powering or using chunks of the internet, conspiracy theorists are terrified that RdRand is compromised.
However, as Torvalds pointed out in response to the petition RdRand is one of many inputs used by the Linux kernel’s pool to generate random characters.
The kernel chieftain wrote: “We use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you’re ignorant.”
Tomi says:
Google security exec: ‘Passwords are dead’
http://news.cnet.com/8301-1009_3-57602286-83/google-security-exec-passwords-are-dead/
Speaking at TechCrunch Disrupt, Google’s Heather Adkins says startups should look beyond passwords to secure users and their data.
in the future, the “game is over for” any startup that relies on passwords as its chief method to secure users and their data.
Adkins, speaking alongside Kleiner Perkins Caufield & Byers managing partner Ted Schlein and author James Bamford, said that looking ahead, “our relationship with passwords are done,” and that “passwords are done at Google.”
She talked briefly about Google’s use of two-step authentication and the fact that the search giant has been working to innovate in the area of non-standard password security. As a result, she said, any startup that still relies on standard passwords needs to ensure that it has an abuse team set up to deal “with customers getting compromised.”
Finally, Adkins argued, technology companies need to step up and build products that protect users so “they don’t rely on not getting fooled.” Ultimately, she said, anyone starting a new technology company should be sure that one person is designated to focus on security and privacy, and that one of the first 25 employees should work full time on security and privacy.
Tomi Engdahl says:
Yankee Agency rumbles, “NSA did not put encryption standards back doors”
Despite numerous rumors to the U.S. National Bureau of Standards Nist (National Institute of Standards and Technology) denies that the NSA would be able to influence the standards of encryption systems.
“Nist never deliberately weaken encryption standards,” the agency said in a statement on Tuesday.
The Opinion is last week’s newspapers, the New York Times news , the Journal claimed that the NSA’s to have slipped the NIST approved algorithms, the rear doors, which are virtually impossible to detect.
The U.S. Treasury Department under the Nist has led to a number of on the internet data encryption techniques used to research. These include, inter alia, harrow and dec. Web browsers used by the SSL protocol take advantage of both technologies.
Nist, however, admitted they collaborated with the NSA of, but added that this was due to the NSA’s employees for excellence in the field. Also, U.S. law requires that Nist consulting encryption issues NSA.
Nist stressed in a statement that the development of standards is an open process that anyone can monitor and comment.
Source: http://www.tietoviikko.fi/uutisia/jenkkivirasto+jyrahti+quotnsa+ei+ujuttanut+salausstandardeihin+takaoviaquot/a929294
Tomi Engdahl says:
Mark Zuckerberg on NSA spying: ‘The government blew it’
http://www.theverge.com/2013/9/11/4719732/facebooks-mark-zuckerberg
Facebook CEO calls for more transparency in interview at TechCrunch Disrupt
The federal government has done a bad job recently in balancing its job protecting US citizens from terrorism with its role in defending civil liberties, Facebook founder Mark Zuckerberg said today at TechCrunch Disrupt. “Frankly, I think that the government blew it,” he said. “They blew it on communicating the balance of what they were going for with this.”
Facebook was implicated earlier this summer when documents leaked by former National Security Administration contractor Edward Snowden suggested it was among the companies that participate in PRISM
On Monday, Facebook joined Yahoo in filing suit asking the FISA court for permission to publish more detailed data on the government’s requests for user information.
He’ll soon get to make his case directly to lawmakers. Politico reported today that Zuckerberg will travel to Washington next week to meet with top Republicans in the House of Representatives. The agenda is broad but is expected to include discussion of the NSA leaks and related privacy issues for Facebook, according to the report.
Tomi Engdahl says:
Unisys Stealth Solution Suite Overview
http://www.youtube.com/watch?v=Ag2vXCx-SDE
Unisys Stealth Solution allows multiple user communities to share the same IT infrastructure, securely. Stealth isolates applications so that only the authorized users can see and access the data unique to that application. In effect, you can’t hack what you can’t see. And, it works without application or infrastructure changes.
Tomi Engdahl says:
Ministry of Defence, the new IT boss declares: “Citizens do not need to be worried about”
The Ministry of Defence as the new Chief Information Officer in June started Teemu Anttila says that the level of cyber security in Finland is good. In the coming years a fresh leader employs, among other things, the ongoing reform of the defense force coordination and control.
The seven-year fixed-term stint also includes a comprehensive security audit, as well as the overall architecture of the Defence Administration systematic improvement project.
“The Defence Forces have a very long development work. It is essential for planning to cover the entire government sector, as well as co-operation with all stakeholders, “Anttila, logging his picture in the future.
What then is the present Finnish kyberturvallisuustilanne? The mainstream media talks about increasing launch cyber-attacks, the targets are at media houses, when a security authorities.
According to Anttila, citizens are safe.
“Kyber-word is probably the novelty … Finland has prepared these things for a long time, and the attack itself is not new,” he says. “The Department of Defense and the government point of view, we are properly in these areas at a good level.”
At the international level, Finland has a very good security issues, know-how, Anttila says.
“Defense is the pioneer in this, even if resources are scarce. Citizens do not need to be concerned about. ”
Source: http://www.tietoviikko.fi/cio/puolustusministerion+uusi+itpomo+vakuuttaa+quotkansalaisten+ei+tarvitse+olla+huolissaanquot/a928860?s=u&wtm=tivi-11092013
Tomi Engdahl says:
The Windows Flaw That Cracks Amazon Web Services
http://slashdot.org/topic/bi/the-windows-flaw-that-cracks-amazon-web-services/
Some code tinkering allows you to copy data from Amazon Web Services (or another hosting provider) without the data’s owner realizing what’s going on.
Those hijacked ATMs are a perfect analogy for what can happen to your data when it’s stored in a hosting provider’s datacenter: Entire volumes of data could potentially be copied, and the hacker could go to town on the copy without you ever knowing what happened.
Many cloud-hosting companies offer a feature that lets you create a direct copy of your volumes, which can be attached to another server instance. You can do this yourself, as I’ll demonstrate shortly. But if you can do it, can the employees at Amazon Web Services do it as well? Or even a non-employee who manages to locate the volume and make a copy of it?
Here are the possible steps for making that happen
Safeguards
I mentioned earlier that, when I attached the Windows drive to the Linux machine, I could see all the data there. The reason is that the data wasn’t encrypted. Windows allows you to encrypt your files and folders, but the encryption is far from perfect: the system encrypts the files using a public key, and decrypts them using a private key. This makes the files nearly impossible to decrypt, except for one big problem: The system has access to the private key, and so a hacker could potentially gain access to it as well. In fact, the private key is itself encrypted using the hash for the user’s password. That hash is easily obtainable as outlined above.
Instead, when you have sensitive data, encrypt your files with something better, such as this tool or something similar. And still keep that data out of the cloud.
However, your clients may still want a sense of security, even with their non-sensitive data. This is called “sales.” If a local business wants a cloud-hosted Website and takes several bids from local Web design firms, and one says, “There’s no reason to encrypt” while the other says, “We’ll encrypt your data,” the business owner with little technical knowledge will probably go with the one who encrypts, simply because it sounds better—even if the reason the second design firm doesn’t encrypt is because they don’t put their client’s sensitive data in the cloud.
Tomi Engdahl says:
Apple: New iPhone Not Storing Fingerprints, Doesn’t Like Sweat
http://blogs.wsj.com/digits/2013/09/11/apple-new-iphone-not-storing-fingerprints-doesnt-like-sweat/
Apple’s new iPhone 5S, which comes with a fingerprint scanner, won’t store actual images of users’ fingerprints on the device, a company spokesman confirmed Wednesday, a decision that could ease concerns from privacy hawks.
Rather, Apple’s new Touch ID system only stores “fingerprint data,” which remains encrypted within the iPhone’s processor, a company representative said Wednesday. The phone then uses the digital signature to unlock itself or make purchases in Apple’s iTunes, iBooks or App stores.
In practice, this means that even if someone cracked an iPhone’s encrypted chip, they likely wouldn’t be able to reverse engineer someone’s fingerprint.
The iPhone maker has pitched the addition of a fingerprint sensor to its flagship smartphone as a security boost for consumers. But the company also appears conscious of privacy concerns that could arise from storing biometric data on everyday electronics. Fingerprint technology is not new, but still exotic for most customers. Apple appears to want to nip some concerns in the bud.
To start with, Apple said it is not currently allowing third-party applications to use the scanner
Tomi Engdahl says:
Snowden Nominated for Freedom of Thought Prize
http://en.rian.ru/world/20130911/183359483/Snowden-Nominated-for-Freedom-of-Thought-Prize.html
BRUSSELS/MOSCOW, September 11 (RIA Novosti) – Members of the European Parliament are officially nominating fugitive US leaker Edward Snowden for a prize celebrating freedom of thought, a parliamentary representative said Wednesday.
Snowden is a candidate for the European Parliament’s Sakharov Prize for Freedom of Thought, named after Soviet scientist and dissident Andrei Sakharov, which honors people or organizations for their work in the defense of human rights and freedom of thought.
Christian Engstrom, a member of the Swedish Pirate Party who co-nominated Snowden for the award, wrote that Snowden is “paying a heavy personal price” for his “heroic” effort.
“The US government hunts him as an outlaw… Governments that dare to offer him asylum are threatened with dire consequences by the US government,” Engstrom wrote on his personal blog page. “In a painful irony, his only sanctuary is Russia, a country with democratic problems and authoritarian tendencies.”
“Edward Snowden risked his life to confirm what we had long suspected regarding mass online surveillance, a major scandal of our times. He revealed details of violations of EU data protection law and fundamental rights.”
Tomi Engdahl says:
IETF floats plan to PRISM-proof the Internet
Proposal hopes to ‘resist or prevent all forms of covert intercept capability’
http://www.theregister.co.uk/2013/09/12/ietf_floats_prismproof_plan_for_harder_internet/
The Internet Engineering Task Force (IETF) has posted “PRISM-Proof Security Considerations” aimed at making it much harder for governments to implement programs like the PRISM effort whistleblower Edward Snowden exposed as one of the tools in the NSA’s spookery toolbag.
The proposal has just one author – Phillip Hallam-Baker of the Comodo Group – which makes it a little unusual
The proposal suggests the internet be re-engineered with “a communications architecture that is designed to resist or prevent all forms of covert intercept capability. The concerns to be addressed are not restricted to the specific capabilities known or suspected of being supported by PRISM or the NSA or even the US government and its allies.”
Sadly the paper is a little light on for actual ideas about how the internet can be PRISM-proofed,
Tomi Engdahl says:
PRISM-Proof Security Considerations
draft-hallambaker-prismproof-req-00
http://www.ietf.org/id/draft-hallambaker-prismproof-req-00.txt
Tomi Engdahl says:
Wireless encryption: a situation ripe for consumer frustration
http://www.edn.com/electronics-blogs/brians-brain/4420287/Wireless-encryption–a-situation-ripe-for-consumer-frustration
All’s well that ends well? Not even close. This project required way too much research on my part in order to reach an acceptable albeit not optimal conclusion. Among other things, I encountered:
Terminology inconsistency (“PSK” versus “Personal”)
Inappropriate supported settings combinations (“WPA plus AES” and “WPA2 plus TKIP” on the TV-IP422Ws)
A dearth of documentation (which encryption modes do my router’s “WPA Personal” and “WPA2 Personal” security modes use? I think, respectively, “TKIP” and “AES,” but I’m still not absolutely sure), and
Gear that claims to support WPA2 but doesn’t … and I still don’t know whether the WPA2 weak link is the common router or the network cameras-and-print server.
If it took a techie like me this much time and effort to get to this point, how much more work awaits the average consumer? Or, more likely, how little time and effort will it take before the average consumer throws up his or her hands in frustration and takes (or ships) everything back to the store for refund? And does anyone really wonder, therefore, why consumers’ technology adoption and evolution trends substantially lag their potential?
Tomi Engdahl says:
Zuckerberg: US government ‘blew it’ on NSA surveillance
http://www.theguardian.com/technology/2013/sep/11/yahoo-ceo-mayer-jail-nsa-surveillance
Facebook CEO joins Yahoo’s Marissa Mayer in saying the US did ‘bad job’ of balancing people’s privacy and duty to protect
Mark Zuckerberg of Facebook and Marissa Mayer, the CEO of Yahoo, struck back on Wednesday at critics who have charged tech companies with doing too little to fight off NSA surveillance. Mayer said executives faced jail if they revealed government secrets.
Yahoo and Facebook, along with other tech firms, are pushing for the right to be allowed to publish the number of requests they receive from the spy agency. Companies are forbidden by law to disclose how much data they provide.
During an interview at the Techcrunch Disrupt conference in San Francisco, Mayer was asked why tech companies had not simply decided to tell the public more about what the US surveillance industry was up to. “Releasing classified information is treason and you are incarcerated,” she said.
Mayer said she was “proud to be part of an organisation that from the beginning, in 2007, has been sceptical of – and has been scrutinizing – those requests [from the NSA].”
Yahoo has previously unsuccessfully sued the foreign intelligence surveillance (Fisa) court, which provides the legal framework for NSA surveillance.
Zuckerberg said the government had done a “bad job” of balancing people’s privacy and its duty to protect. “Frankly I think the government blew it,” he said.
In a blogpost, Google said it was asking for permission to publish “detailed statistics about the types (if any) of national security requests” it receives under Fisa.
Tomi Engdahl says:
Only 500 People in the World Understand Security
http://www.designnews.com/author.asp?section_id=1386&doc_id=266202
“There are only about 500 people in the world who really understand industrial control system security.”
I heard this comment at an event recently, the Siemens Automation Fair in New Orleans. It was stated by Marc Ayala, ICS/SCADA security manager at Cimation, a security solutions company specializing in automation, industrial IT, and enterprise data solutions, including oil and gas.
I wasn’t sure if I heard correctly, or if Marc may have been off base, so I followed up with him after the event. He didn’t back off the statement. He did qualify that he was referring to people who are protecting the control system side, and not the enterprise or IT security.
When you think about industrial security and what needs to be protected, think about the three P’s — people, property, and production. Clearly, safety is the No. 1 element. That typically refers to people and the environment. Property is pretty obvious, but comes in after people, obviously. With respect to protecting production, sustainability is the key. If production goes away, business goes away. That’s clearly a bad thing. You could argue that too often production shows up as No. 1 on this list, although not too many people would admit it.
Here’s an element of security that I would not have thought of (I’m clearly not on the list of 500): Adobe Acrobat Reader is the de-facto standard for control systems deployed to read your online manuals. Adobe Acrobat is a crucial vulnerability point.
Many security intrusions have exploited the limitations of Adobe Acrobat, including both the Reader and the Updater. Unfortunately, too many users don’t keep that application up to date.
Tomi Engdahl says:
A gigantic intrusion: Hundreds of thousands of victims – a Finnish man arrested
Hundreds of thousands of user names and passwords have been compromised, say
Police find more than a hundred Finnish service kohdistunutta hacking series. Information burglary is apparently going on for the first half of last year to this day.
Break-ins has been the subject include discussion forums.
According to police, an extensive series of hacking has been arrested a Finnish man who is recognized what he did. A man is not familiar to the police.
Risun that the motive is not clear. So far, there is no indication that the break-ins be desired economic benefits.
Communications Regulatory Authority says that the hundreds of thousands of user accounts and passwords has been compromised. There may also be social security numbers and credit card information. Communications agency is not aware that the stolen codes should be published anywhere.
Source: http://www.iltalehti.fi/uutiset/2013091317485636_uu.shtml
Tomi Engdahl says:
CERT-FI warning:
http://www.cert.fi/varoitukset/2013/varoitus-2013-01.html
Of several hundreds of Finnish and foreign services, concluded infiltrations have been diverted from their closest usernames and password to the seals. Intrusion thought occurred during the current year
Information Burglaries have been carried out utilizing the services of SQL and XSS vulnerabilities. The attacker has got hold of hundreds of thousands of users in the user names, e-mail addresses, passwords and password seals. There may also be social security numbers and credit card information. Communications Office does not have information about the burglaries over the information obtained should be published.
Instructions for webmasters
The service administrator needs to take care of data breach vulnerabilities make it possible to prevent further damage. The service will take care of the maintenance of adequate information to their customers. Information and also has to make sure that customers change their passwords leaked.
Tomi Engdahl says:
Security of Java takes a dangerous turn for the worse, experts say
Beware of increasingly advanced exploits targeting flaws that will never be fixed.
http://arstechnica.com/security/2013/09/security-of-java-takes-a-dangerous-turn-for-the-worse-experts-say/
The security of Oracle’s Java software framework, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits, security researchers said.
The most visible sign of deterioration is in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7 and using the insights to craft exploits for the older version. Because Java 6 is no longer supported, those same flaws will never be fixed.
“This is a large pool of vulnerable users who will never be protected with security fixes and so [they're] viable targets for attack,” Budd said.
Tomi Engdahl says:
CloudFlare CEO: ‘Insane’ NSA gag order is costing U.S. tech firms customers
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/12/cloudflare-ceo-says-insane-nsa-gag-order-is-costing-u-s-tech-firms-customers/
We’ve now moved beyond mere talk about how the National Security Agency’s surveillance programs may hurt U.S. cloud providers, says Matthew Prince, the chief executive of CloudFlare. The companies are already feeling the pain.
CloudFlare, a Web site security firm and network provider with clients that run the gamut from WikiLeaks to the Duke and Duchess of Cambridge, is getting 50 to 100 calls per day from customers demanding more answers about the firm’s involvement with the U.S. National Security Agency, Prince says.
But that’s information the company can’t give out, he explains, and the inability to say anything about government requests is seriously hurting his business.
“We get calls regularly that say, ‘CloudFlare must be working with the NSA,’ which we’re not,” Prince said. “We’ve gone so far as to litigate requests that did not meet with our processes, but I can’t tell you anything beyond that, which is insane.”
“The fundamental thing here is trust. We’re in the trust business. These programs threaten that trust,” Prince said. “We’ve lost customers as a result of this and will continue to lose customers as a result of this.”
Prince said the tech community is as much to blame as Washington for these types of problems. The two often have conflicting goals, with tech working to flow around barriers, and law aiming to build them up, he said.
Without more leeway from the government, Prince said, tech companies will have to come up with their own solutions that could cost law enforcement agencies valuable crime-fighting tools. Google has said that it’s planning to encrypt its records to hamper government security programs that affect its customers’ privacy. And Prince said he may have to do the same, for the good of his clients.
Tomi Engdahl says:
Stealthy Dopant-Level Hardware Trojans
http://hardware.slashdot.org/story/13/09/13/1228216/stealthy-dopant-level-hardware-trojans
“A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip’s transistors. From the paper: ‘Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors.”
“modified circuit appears legitimate on all wiring layers”
“In a test of their technique against Intel’s Ivy Bridge Random Number Generator (RNG)”
‘Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen.’
“Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker.”
Tomi Engdahl says:
$20 ‘Toy’ Deactivates Cheap Home Alarms, Opens Doors
http://tech.slashdot.org/story/13/09/13/1341217/20-toy-deactivates-cheap-home-alarms-opens-doors
“Cheap home alarms, door opening systems and wireless mains switches can be bypassed with low-cost and home-made devices that can replicate their infrared signals. Fixed-code radio frequency systems could be attacked using a $20 ‘toy’, or using basic DIY componentry.”
Tomi says:
Hacker sentenced to 3 years for law enforcement website attacks
http://fox13now.com/2013/09/12/hacker-sentenced-to-3-years-for-law-enforcement-website-attacks/
SALT LAKE CITY — An Ohio man who pleaded guilty to hacking into the website of the Salt Lake City Police Department and other law enforcement websites was sentenced to three years in federal prison.
In an interview with FOX 13 over Twitter, “ItsKahuna” claimed to be a part of the Internet collective known as “Anonymous,” and had claimed responsibility for the hacking to protest a bill in the Utah State Legislature that would have made possessing graffiti tools a crime.
Tomi says:
Google knows nearly every Wi-Fi password in the world
http://blogs.computerworld.com/android/22806/google-knows-nearly-every-wi-fi-password-world
If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.
Recently IDC reported that 187 million Android phones were shipped in the second quarter of this year. That multiplies out to 748 million phones in 2013, a figure that does not include Android tablets.
Many (probably most) of these Android phones and tablets are phoning home to Google, backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords.
Sounds like a James Bond movie.
Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn’t change it.
What is not said, is that Google can read the Wi-Fi passwords.
And, if you are reading this and thinking about one Wi-Fi network, be aware that Android devices remember the passwords to every Wi-Fi network they have logged on to.
The good news is that Android owners can opt out just by turning off the checkbox.
The bad news is that, like any American company, Google can be compelled by agencies of the U.S. government to silently spill the beans.
When it comes to Wi-Fi, the NSA, CIA and FBI may not need hackers and cryptographers. They may not need to exploit WPS or UPnP. If Android devices are offering up your secrets, WPA2 encryption and a long random password offer no protection.
I doubt that Google wants to rat out their own customers. They may simply have no choice. What large public American company would? Just yesterday, Marissa Mayer, the CEO of Yahoo, said executives faced jail if they revealed government secrets. Lavabit felt there was a choice, but it was a single person operation.
Tomi says:
FBI Admits It Controlled Tor Servers Behind Mass Malware Attack
http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
It wasn’t ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors.
Freedom Hosting’s operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It’s not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control.
Freedom Hosting was a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by sites that need to evade surveillance or protect users’ privacy to an extraordinary degree – including human rights groups and journalists. But they also appeal to serious criminal elements, child-pornography traders among them.
The apparent FBI-malware attack was first noticed on August 4, when all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included at least some lawful websites, such as the secure email provider TorMail.
Tomi says:
The FISA court will release more opinions because of Snowden
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/13/the-fisa-court-will-release-more-opinions-because-of-snowden/
Call it the Edward Snowden effect: Citing the former NSA contractor, a federal judge has ordered the government to declassify more reports from the secret Foreign Intelligence Surveillance Court.
That some administration officials are seeing another side suggests a broader discussion about government secrecy — and not just this particular surveillance program — may be in order.
Tomi says:
Google’s Eric Schmidt says government spying is ‘the nature of our society’
http://www.theguardian.com/world/2013/sep/13/eric-schmidt-google-nsa-surveillance
Tech giant’s executive chairman calls for greater transparency but declines to ‘pass judgment’ on spying operations
“There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgement on that, it’s the nature of our society,” he said.
With the other major technology companies, Google has been pressing the US government to be more open about the surveillance orders issued by the Foreign Intelligence Surveillance Court, which is also known as the Fisa court. He pointed out that Google has filed legal briefs to force the Fisa court to disclose more information.
Schmidt said his comments were based on the presumption that documents disclosed by the NSA whistleblower Edward Snowden were “roughly accurate”.
He said: “We all have to look at ourselves and say: ‘Is this what we want?’”
“The real danger [from] the publicity about all of this is that other countries will begin to put very serious encryption – we use the term ‘balkanization’ in general – to essentially split the internet and that the internet’s going to be much more country specific,” Schmidt said. “That would be a very bad thing, it would really break the way the internet works, and I think that’s what I worry about. There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgment on that, it’s the nature of our society.”
Tomi says:
Majority of Tor crypto keys could be broken by NSA, researcher says
http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-could-be-broken-by-nsa-researcher-says/
The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency (NSA), a security researcher has speculated.
Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own “hostile” exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key.
“Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,” Graham wrote in a blog post published Friday. “Assuming no ‘breakthroughs,’ the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips; they’ve got fairly public deals with IBM foundries to build chips.”
“Of course, this is just guessing about the NSA’s capabilities,” he wrote.
“But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I’d assume that it’s that, rather than curves, [it's 1024 RSA/DH] that the NSA is best at cracking.”
Tomi says:
Meet Hacking Team, the company that helps the police hack you
Hacking Team may not have any clients in the US yet, but it’s not for lack of trying
http://www.theverge.com/2013/9/13/4723610/meet-hacking-team-the-company-that-helps-police-hack-into-computers
In 2001, a pair of Italian programmers wrote a program called Ettercap, a “comprehensive suite for man-in-the-middle attacks” — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone’s computer.
Ettercap was so powerful that its authors, ALoR and NaGA, eventually got a call from the Milan police department. But the cops didn’t want to bust the programmers for enabling hacker attacks. They wanted to use Ettercap to spy on citizens.
That’s how a small tech security consultancy ended up transforming into one of the first sellers of commercial hacking software to the police.
Their Milan-based company, Hacking Team, now has 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.”
Today, Hacking Team’s flagship product, Da Vinci, enables law enforcement at federal, state, or local levels to collect heaps more data than the National Security Agency’s controversial PRISM program is reportedly capable of gathering. With Da Vinci, the police can monitor a suspect’s cell phone conversations, emails, and Skype calls, and even spy on the target through his or her webcam and microphone. It’s as if the investigator were standing behind a suspect using their computer.
Hackers have written rootkits and backdoors for decades. But the development of commercial hacking software — complete with custom features, regular updates, and tech support — is fairly new.
“You’re actually getting a commercially developed product,”
Companies like Hacking Team, Gamma International, and VUPEN are now developing this software and pitching it to government agencies around the world.
these clients are spying on citizens.
governments hacking their own citizens is new legal ground in many nations, including the US, where it was recently revealed that the FBI is building its own hacking tools.
Hacking Team says it only sells to law enforcement and intelligence agencies and will not sell to countries that are blacklisted by NATO. Critics say the software has ended up in rogue hands
A tool like Da Vinci could be attractive to large US police departments
Da Vinci costs “hundreds of thousands of dollars” and is customized for each client, says Eric Rabe, Hacking Team’s senior counsel and US spokesman.
The ascent of companies like Hacking Team is “potentially worrisome” because of the potential for abuse by law enforcement, says Kurt Opsahl, a senior staff attorney with the Electronic Frontier Foundation.
Tomi says:
Legislation Seeks to Bar N.S.A. Tactic in Encryption
http://www.nytimes.com/2013/09/07/us/politics/legislation-seeks-to-bar-nsa-tactic-in-encryption.html?_r=0
After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mail, online transactions and other communications.
“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”
Tomi says:
Silicon Valley Luminaries Got Grilled On The NSA At Disrupt, Here’s How They Responded
http://techcrunch.com/2013/09/14/silicon-valley-luminaries-got-grilled-on-the-nsa-at-disrupt-heres-how-they-responded/
Tomi says:
E-ZPasses Get Read All Over New York (Not Just At Toll Booths)
http://www.forbes.com/sites/kashmirhill/2013/09/12/e-zpasses-get-read-all-over-new-york-not-just-at-toll-booths/
After spotting a police car with two huge boxes on its trunk — that turned out to be license-plate-reading cameras — a man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He’s not the only one.) The man, who goes by the Internet handle “Puking Monkey,” did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths.
he hacked his RFID-enabled E-ZPass to set off a light and a “moo cow” every time it was being read.
Tomi Engdahl says:
The phone synchronization lies in the risk of spying
Criminals or intelligence officials may have access to your notes, contact information, location data and messages for smart phones, if they manage to squeeze a program for the PC computer.
Data synchronization or backup to a PC or server is the biggest risk of information leaks, similar to security researcher Sean Sullivan, security software manufacturer only F-Secure.
“There is no indication that spy would get inside the smart phones through the mobile network, but through the data backup process,” Sullivan estimates.
Phones have been pried from the information revealed in the Journal of the German Spiegel reported the latest U.S. security services of the NSA spying suspicions.
“It was not new, that this can be done. Instead surprising is how large scale this has happened, “said application unit leader Kim Westerlund security consulting company Nixu.
“Many people use PC-to-phone computer while traveling to charge the battery when the wire is connected,” says Sullivan.
Information has been carried on the Android, Blackberry and iOS devices. Westerlund believes that the same success of Windows phones. He does not like the risk of a major large-scale espionage, because the need to have access to the PC machine.
“This means targeted stroke”
REMEMBER THESE
♦ Protect your PC machine that you use to sync.
♦ Think about where the cloud service you can trust.
♦ Make sure you enable automatic updates.
♦ Remember that the unpatched programs are the most common data leakage risk.
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/nain_urkinta_onnistuu_puhelimen_synkronoinnissa_piilee_riski
Tomi Engdahl says:
Argentina arrests teen hacker who netted $50,000 a month
http://www.bbc.co.uk/news/world-latin-america-24089050
Police in Argentina have arrested a 19-year-old man accused of heading a gang of hackers who targeted international money transfer and gambling websites.
Dubbed “the superhacker”, the teenager was making $50,000 (£31,500) a month, working from his bedroom in Buenos Aires, police say.
The arrest operation shut down the power to the entire neighbourhood to prevent the deletion of sensitive data.
The hackers allegedly used malware attacks to build up a network of thousands of zombie computers, which were then used to illegally divert money from accounts leaving virtually no trace behind.
Tomi Engdahl says:
Cloning an infrared disarming remote of a $8 home security system
http://hackaday.com/2013/09/15/cloning-an-infrared-disarming-remote-of-a-8-home-security-system/
[Sylvio] decided to buy one of the cheap alarm systems you can find on the internet to have a look at its insides. The kit he bought was composed of one main motion sensor and two remote controls to arm/disarm it.
Communication between the remotes and the sensor is done by using infrared, requiring a direct line of sight for a signal to be received.
if one of your neighbours had this ‘security system’ one could just disarm it with any of the same remotes…
[Sylvio] then explains different ways to replicate the simple IR signal, first with an Arduino then with a frequency generator and finally using the USB Infrared Toy from Dangerous Prototypes. We agree with his conclusion: “you get what you pay for”.
Tomi Engdahl says:
Cloning an Infrared Disarming Remote of a Consumer Grade Home Security System
http://volvent.blogspot.com.au/2013/09/cloning-infrared-disarming-remote-of.html
This blog post looks at a cheap home security system purchased from E-Bay and ways of defeating it by cloning the remote that disarms it.
Tomi Engdahl says:
‘Follow the Money’: NSA Spies on International Payments
http://www.spiegel.de/international/world/spiegel-exclusive-nsa-spies-on-international-bank-transactions-a-922276.html
The United States’ NSA intelligence agency is interested in international payments processed by companies including Visa, SPIEGEL has learned. It has even set up its own financial database to track money flows through a “tailored access operations” division.
The National Security Agency (NSA) widely monitors international payments, banking and credit card transactions, according to documents seen by SPIEGEL.
Further NSA documents from 2010 show that the NSA also targets the transactions of customers of large credit card companies like VISA for surveillance. NSA analysts at an internal conference that year described in detail how they had apparently successfully searched through the US company’s complex transaction network for tapping possibilities.
Their aim was to gain access to transactions by VISA customers in Europe, the Middle East and Africa, according to one presentation.
The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents
Tomi Engdahl says:
Analysis: Despite fears, NSA revelations helping U.S. tech industry
http://www.reuters.com/article/2013/09/15/us-usa-security-snowden-tech-analysis-idUSBRE98E08S20130915
(Reuters) – Edward Snowden’s unprecedented exposure of U.S. technology companies’ close collaboration with national intelligence agencies, widely expected to damage the industry’s financial performance abroad, may actually end up helping.
Despite emphatic predictions of waning business prospects, some of the big Internet companies that the former National Security Agency contractor showed to be closely involved in gathering data on people overseas – such as Google Inc. and Facebook Inc. – say privately that they have felt little if any impact on their businesses.
Insiders at companies that offer remote computing services known as cloud computing, including Amazon and Microsoft Corp, also say they are seeing no fallout.
Meanwhile, smaller U.S. companies offering encryption and related security services are seeing a jump in business overseas, along with an uptick in sales domestically as individuals and companies work harder to protect secrets.
“Our value proposition had been that it’s a wild world out there, while doing business internationally you need to protect yourself,”
LITTLE IMPACT
Google employees told Reuters that the company has seen no significant impact on its business, and a person briefed on Microsoft’s business in Europe likewise said that company has had no issues. At Amazon, which was not named in Snowden’s documents but is seen as a likely victim because it is a top provider of cloud computing services, a spokeswoman said global demand “has never been greater.”
Politicians in Europe and Brazil have cited the Snowden documents in pushing for new privacy laws and standards for cloud contracts and in urging local companies to steer clear of U.S. vendors.
“If European cloud customers cannot trust the U.S. government, then maybe they won’t trust U.S. cloud providers either,” European Commission Vice President Neelie Kroes told The Guardian. “If I am right, there are multibillion-euro consequences for American companies.”
There have indeed been some contract cancellations.
There are multiple theories for why the business impact of the Snowden leaks has been so minimal.
One is that cloud customers have few good alternatives, since U.S. companies have most of the market and switching costs money.
Perhaps more convincing, Amazon, Microsoft and some others offer data centers in Europe with encryption that prevents significant hurdles to snooping by anyone including the service providers themselves and the U.S. agencies. Encryption, however, comes with drawbacks, making using the cloud more cumbersome.
Another possibility is that tech-buying companies elsewhere believe that their own governments have scanning procedures that are every bit as invasive as the American programs
BOON FOR ENCRYPTION SECTOR
“One of the results we see from Snowden is an increased awareness across the board about the incredible cyber insecurity,” Denaro said.
“Clients are now inquiring how they can protect their data overseas, what kinds of access the states might have and what controls or constraints they could put in with residency or encryption,” said Gartner researcher Lawrence Pingree
Stiennon said that after more companies encrypt, the NSA and other agencies will spend more to break through, accelerating a lucrative cycle.
“They will start focusing on the encrypted data, because that’s where all the good stuff is,” Stiennon said.
Tomi Engdahl says:
FISA Court Will Release More Opinions Because of Snowden
http://news.slashdot.org/story/13/09/15/0348227/fisa-court-will-release-more-opinions-because-of-snowden
“Call it the Edward Snowden effect: Citing the former NSA contractor, a federal judge has ordered the government to declassify more reports from the secret Foreign Intelligence Surveillance Court.”
Tomi Engdahl says:
It’s about time: Java update includes tool for blocking drive-by exploits
Whitelist clamps down on web-based code
http://www.theregister.co.uk/2013/09/13/java_deployment_rule_set/
Oracle’s latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java.
After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing vulnerabilities its top priority for JDK 7, even going as far as to delay the release of JDK 8 so it could devote more resources to fixing bugs.
But many businesses still keep older versions of Java installed on client PCs because certain custom applications require them. That’s bad, because these out-of-date versions contain critical vulnerabilities that in some cases will never be fixed. Oracle discontinued support for JDK 6 in June.
JDK 7 Update 40, issued on Tuesday, implements a new feature called Deployment Rule Set that aims to address this problem. It allows businesses that centrally manage their Java desktop installations to establish a set of rules specifying which Java applets and Java Web Start applications – collectively termed Rich Internet Applications (RIAs) – are allowed to run on client PCs.
For example, an admin could create a rule blocking execution of all RIAs and then add additional rules to whitelist specific ones. Rules can be written to match any portion of an application’s URL, including the port number, and they can even specify the version of Java that should be used to run it.
By creating such rules, companies should be able to avoid many of the most serious Java exploits that have cropped up in recent months
Tomi Engdahl says:
Wrap That Rascal With A USB Condom
http://hothardware.com/News/Wrap-That-Rascal-With-A-USB-Condom/
Yep, a USB condom. That term is mostly a dose of marketing brilliance, which is to say that grabs your attention while also serving as an apt description of the product. A little company called int3.cc has developed a product—a USB condom—that blocks the data pins in your USB device while leaving the power pins free.
Thus, any time you need to plug a device such as a smartphones into a USB port to charge it—let’s say at a public charging kiosk or a coworker’s computer–you don’t have to worry about compromising any data or contracting some nasty malware. It’s one of those simple solutions that seems so obvious once someone came up with it, and surely lots of folks, such as business travelers, students, and anyone in a corporate environment that uses a USB stick in multiple machines, will be glad for it.
Tomi Engdahl says:
Microsoft endures Patch Horror Day on Friday 13th – issues updates to 8 of 13 updates
http://nakedsecurity.sophos.com/2013/09/14/microsoft-endures-patch-horror-day-on-friday-13th-issues-updates-to-8-of-13-updates/
Last weekend, I made a joke about Friday the Thirteenth no longer implying anything in computer security circles except that it was a week with a Patch Tuesday in it.
And what happened?
Friday the Thirteenth turned into Patch Horror Day for Microsoft, as Redmond release engineers waited, no doubt with bated breath, to see if they had solved the problems that required eight out of 13 security patches to be reissued.
Last month, of course, Microsoft turned out a couple of patches that didn’t work properly; this month, patching worked far too keenly for some users.
Soon after we’d written up our Tuesday recommendations, concluding with our usual imprecation to “patch early, patch often” (this time, in fact, we said, “Best get patching right away, then!”), we began to see worried comments appearing on Naked Security.
Tomi Engdahl says:
Belgian telco says it was hacked, while reports point to NSA or GCHQ as culprit
http://gigaom.com/2013/09/16/belgian-telco-says-it-was-hacked-while-reports-point-to-nsa-or-gchq-as-culprit/
Summary:
Belgium’s federal prosecutor is looking into a claim by Belgacom that its systems were hacked into and infected with a virus. Reports say the complexity of the malware suggests an intelligence agency was to blame.
Here’s a curious one: Belgium’s largest telco has filed a complaint against an “unknown third party” that hacked into its internal IT systems and apparently inserted a virus. Belgacom hasn’t officially suggested who this third party might be, but De Standaard has quoted sources as saying it was the U.S. National Security Agency or one of its partners.
That and other reports say the attacker was most likely the NSA or Britain’s GCHQ, based on the complexity of the malware. They also suggest the hackers were after traffic from countries such as Syria and Yemen. On both counts, the evidence appears to be circumstantial for now.
Anyhow, Belgium’s federal prosecutor is now on the case, so let’s see what the investigation turns up.
Tomi Engdahl says:
Fatal crypto flaw in some government-certified smartcards makes forgery a snap
With government certifications this broken, the NSA may not need backdoors.
http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/
Raising troubling questions about the reliability of government-mandated cryptography certifications used around the world, scientists have unearthed flaws in Taiwan’s secure digital ID system that allow attackers to impersonate some citizens who rely on it to pay taxes, register cars, and file immigration papers.
The crippling weaknesses uncovered in the Taiwanese Citizen Digital Certificate program cast doubt that certifications designed to ensure cryptographic protections used by governments and other sensitive organizations can’t be circumvented by adversaries, the scientists reported in a research paper scheduled to be presented later this year at the Asiacrypt 2013 conference in Bangalore, India. The flaws may highlight shortcomings in similar cryptographic systems used by other governments around the world since the vulnerable smartcards used in the Taiwanese program passed the FIPS 140-2 Level 2 and the Common Criteria standards. The certifications, managed by the National Institute of Standards and Technology (NIST) and its counterparts all over the world, impose a rigid set of requirements on all cryptographic hardware and software used by a raft of government agencies and contractors.
The team of scientists uncovered what their paper called a “fatal flaw” in the hardware random number generator (RNG) used to ensure the numbers that form the raw materials of crypto keys aren’t based on discernible patterns.
“The findings are certainly significant for the citizens who have been issued flawed cards, since any attacker could impersonate them online, the research team wrote in an e-mail to Ars
The research is being published two weeks after documents leaked by former National Security Agency (NSA) contractor Edward Snowden outlined the covert hand intelligence agents have played in deliberately weakening international encryption standards.
The researchers said they informed officials in Taiwan’s government of the problems and were told that as many as 10,000 cards might suffer similar weaknesses.
Not the first time
The discovery has roots in research published last year that made another astonishing discovery: four of every 1,000 1024-bit keys found on the Internet provided no cryptographic security at all. The reason: as with Taiwan’s Citizen Digital Certificate keys, the almost 27,000 cryptographically worthless keys they found shared primes with at least one other key
“Our results make it pretty clear that the more computational effort we expend, the more keys we were able to factor,” the researchers wrote. “We did enough computation to illustrate the danger, but a motivated attacker could easily go further.”
To prevent these common mistakes, standards bodies sponsored by governments around the world have created a set of rigid criteria cryptographic systems must pass to receive certifications that can be trusted. The certifications are often a condition of a hardware or software platform being adopted or purchased by the government agency or contractor.
But despite passing both the FIPS 140-2 Level 2 and Common Criteria standards, the RNG process used to generate the weak cards clearly didn’t meet their mandated requirements.
Tomi Engdahl says:
UK Cryptographers Call For UK and US To Out Weakened Products
http://it.slashdot.org/story/13/09/17/0254215/uk-cryptographers-call-for-uk-and-us-to-out-weakened-products
“A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries’ intelligence services.”