Security trends for 2013

2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also extends to mobile.

Security is becoming an increasingly important issue. 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013′, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to expect this type of activity to continue.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and test their devices more now. But how are some of the smaller manufacturers doing their security testing? Metasploit has a special category for SCADA devices. It is a good idea to test your own devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation security standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than some years ago. Previously, it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet. Accidental connections to the Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine that indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes such networks more exposed to brute-force attacks on passwords, many of which may still be factory defaults.

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is constantly news of the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. The GPS system is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and quickly included in exploit kits.

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and combined with lax law enforcement this is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products
    http://threatpost.com/uk-cryptographers-call-for-outing-of-deliberately-weakened-protocols-products/102301

    A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries’ intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ “have been acting against the interests of the public that they are meant to serve.”

    The appeal comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products. Security experts have been debating in recent weeks which products, standards and protocols may have been deliberately weakened, but so far no information has been forthcoming.

    The cryptography researchers in the UK are asking the UK and U.S. governments to reveal which ones are suspect.

    “By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve. We find it shocking that agencies of both the US and UK governments now stand accused of undermining the systems which protect us. By weakening all our security so that they can listen in to the communications of our enemies, they also weaken our security against our potential enemies,” the letter says.

    Reply
  2. Tomi Engdahl says:

    Monday, September 16, 2013
    Open Letter From UK Security Researchers
    http://bristolcrypto.blogspot.co.uk/2013/09/open-letter-from-uk-security-researchers.html

    The UK and US governments recently dramatically increased the funding available to various agencies to help protect our countries against Cyber Attack. Such attacks are now commonplace on both corporations, and individuals. We now all rely on cryptography to secure our mobile phones, credit cards, internet communications etc. and because of this we welcome the government’s prioritization of this area in an era of fiscal squeeze.

    However, the documents released show that NSA and GCHQ worked to weaken international cryptographic standards, and to place “backdoors” into security products; such backdoors could of course be potentially exploited by others than the original creators. One of the prime missions of the security services is to protect citizens and corporations from Cyber Attack. By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve.

    We call on the relevant parties to reveal what systems have been weakened so that they can be repaired, and to create a proper system of oversight with well-defined public rules that clearly forbid weakening the security of civilian systems and infrastructures

    Reply
  3. Tomi Engdahl says:

    Six security dangers Web startups should know and how to counter them
    http://pro.gigaom.com/2012/03/six-security-dangers-web-startups-should-know-and-how-to-counter-them/?utm_source=europe&utm_medium=editorial&utm_campaign=auto3&utm_term=690305+belgian-telco-says-it-was-hacked-while-reports-point-to-nsa-or-gchq-as-culprit&utm_content=superglaze

    Rapid growth phases at startups are invariably accompanied by an escalating number of attacks and the need to respond to those, as we’ve seen with sites like Facebook, Twitter and many other web-based companies.

    Reply
  4. Tomi Engdahl says:

    Angry Brazilian whacks NASA to put a stop to … er, the NSA
    ‘Facepalm’ doesn’t even begin to describe this one
    http://www.theregister.co.uk/2013/09/17/defacers_hit_nasa_in_nsa_protest/

    Multiple NASA websites were defaced last week by a Brazilian hacktivist who may have misread the sites’ URLs, because he wasn’t protesting about the US space agency giving joyrides to inhuman stowaways – he was protesting against NSA spying.

    It’s hard to believe anyone would confuse the NSA spy agency with NASA, the space agency, except for satirical purposes or to mock script kiddies in some way, so we can only guess that the hackers behind the attack hit NASA because it’s a US government agency whose systems are noted for being insecure.

    “NASA might be picked on simply because it represents low-hanging fruit,” writes Lisa Vaas, in a commentary on the hacking on Sophos’ Naked security blog

    Reply
  5. Tomi Engdahl says:

    Box Gets A Little More Palatable With Some Added Encryption From CipherCloud
    http://techcrunch.com/2013/09/16/box-gets-some-added-encryption-from-ciphercloud/

    But the company still needs to prove to the markets that its technology is secure. That’s why the integration with companies like CipherCloud will get a lot of attention this week from Box at its annual conference, BoxWorks.

    CipherCloud secures data and applications for the cloud. Its platform works across multiple cloud services such as Amazon Web Services, Office 365 and Salesforce.

    Today the company is bolstering its service with AES 256-bit encryption to its existing Box offering. With the new capability, encryption keys are retained by the customer and accessed and decrypted by authorized users on personal computers or mobile devices.

    The CipherCloud service connects to Box in the background through Box Event APIs. When new files are uploaded, CipherCloud automatically scans content to enforce corporate policies and block file-borne malware. It also performs encryption driven by policy at user and content levels.

    CipherCloud is typically deployed within a corporate network or private cloud.

    Reply
  6. Tomi Engdahl says:

    NSA spooks tooled up with zero-day PC security exploits from the FRENCH
    America’s ‘closest ally’ biz revealed in FOI dump
    http://www.theregister.co.uk/2013/09/17/nsa_vupen/

    The NSA bought specialist computer hacking tools and research from French security outfit Vupen, according to documents unearthed using the Freedom of Information Act.

    A contract shows the American spooks paid for a year’s supply of zero-day vulnerability information and the software needed to exploit those flaws to attack electronic systems.

    The paperwork, obtained by government transparency and accountability site MuckRock, shows that the US intelligence nerve-centre signed up to a one-year subscription to Vupen’s “binary analysis and exploits service” last September.

    Vupen prides itself on advanced vulnerability research as well as selling software exploits for unpatched flaws in systems – known as zero-days – to governments. Several US defence contractors and security startups, such as Endgame Systems, are also in the business of privately researching and selling information about software vulnerabilities and associated attack code.

    “Likely reasons for NSA subscription to Vupen’s 0day exploits: know what capabilities other govs can buy, and false flag, deniable cyber-ops,”

    Reply
  7. Tomi Engdahl says:

    Cloud deployments that you should avoid
    http://www.cloudpro.co.uk/iaas/3298/cloud-deployments-that-you-should-avoid/page/0/1

    Don’t think of moving everything to the cloud – there are some implementations that really don’t fit

    1) Stable, mature, mission-critical applications
    New applications, being as they are new, mean you can only guess what storage, bandwidth and compute power they will require. Older applications will have been around the organisation so long that their requirements will be long known and documented, so the value of putting these into the public cloud will be very little indeed when compared with applications that need to rapidly scale up and down.

    2 – The highly-integrated, business critical application on legacy hardware
    Applications such as financial ones or ERP are more often than not a pain to move anywhere, let alone the cloud, as porting them elsewhere can cause a lot of problems and can bring business processes to an abrupt halt.
    “Many IT organisations have tight SLAs with their business customers,”

    3 – Applications and data you want to keep under your control
    Many start-ups use the cloud at the beginning because of the cost and agility benefits, but Rabbetts says that as they grow the cloud becomes less cost effective and they need or want to move it to a more stable platform over which they have greater control.
    Standard banking applications would be unlikely to make the transition to the cloud, not for technical reasons but for those of risk.

    4 – Intellectual property
    Organisations should never put intellectual property they are working on in the cloud, unless they can guarantee its security through encryption.
    “If a hacker knows your organisation is using a cloud provider to store or share IP related data, the first thing they will do is buy or trial the very same service,”

    5 – Keeping the only copy of your important data on the cloud
    While public clouds can be secure, they are run by third parties that are subject to various laws or business scenarios (bankruptcy, mergers, etc.). According to Gracely, these laws and scenarios are entirely outside of your control.
    “As such, you should make sure that you have a working copy (within your immediate control) of any information that you deem “catastrophic to lose” for the business,” he says.

    6 – Having no exit strategy for your data on the cloud
    Putting data and applications into the cloud may have huge advantages for your business, but nothing should go into the cloud without a strategy of how you will get it out

    7 – The applications with low latency/tight SLA requirements
    Just because it is technically feasible to put an application into the cloud (ie there are no hardware/legacy issues) doesn’t mean that you should. Factors such as latency or high SLA can mean that cloud is not the appropriate choice for some apps.
    “Latency sensitive apps come under this heading and often need to be relatively close to one another to operate effectively,”

    Reply
  8. Tomi Engdahl says:

    NSA Bought Exploit Service From VUPEN, Contract Shows
    http://threatpost.com/nsa-bought-exploit-service-from-vupen-contract-shows

    The U.S. government–particularly the National Security Agency–are often regarded as having advanced offensive cybersecurity capabilities. But that doesn’t mean that they’re above bringing in a little outside help when it’s needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN.

    The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN’s services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company’s “binary analysis and exploits service”.

    VUPEN is one of a handful of companies that sell software exploits and vulnerability details.

    Reply
  9. Tomi Engdahl says:

    Zero day IE flaw exploited in targeted attacks. Microsoft releases temporary fix
    http://grahamcluley.com/2013/09/serious-flaw-exploited-targeted-attacks-microsoft-temporary-fix/

    Microsoft has released an emergency workaround for users of Internet Explorer, to protect against a “limited number” of targeted attacks being specifically directed at IE 8 and IE 9 – but which could potentially affect all versions of the web browser.

    Reply
  10. Tomi Engdahl says:

    CERT-FI warning 01/2013
    http://www.cert.fi/varoitukset/2013/varoitus-2013-01.html

    In several hundred Finnish and foreign services, intrusions have been found that diverted their users’ usernames and password hashes. The intrusions are thought to have occurred during the current year.

    The police are investigating nearly a hundred Finnish services attached in the hacking series.

    The information burglaries have been carried out using SQL and XSS vulnerabilities in the services. The attacker has got hold of hundreds of thousands of users’ user names, e-mail addresses, passwords and password hashes. There may also be social security numbers and credit card information.

    Helsinki police is on the case of pre-trial investigation.

    Services affected by the intrusions: the list will be updated as and when the services are fixed, users have been informed and the webmaster has posted a notification.

    Reply
  11. Tomi Engdahl says:

    Microsoft releases temporary fix for vulnerability in all IE versions, warns of targeted IE8 and IE9 attacks
    http://thenextweb.com/microsoft/2013/09/17/microsoft-investigating-new-ie-vulnerability-in-all-versions-warns-of-targeted-attacks-against-ie8-and-ie9/

    Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a “limited number of targeted attacks” specifically directed at IE8 and IE9.

    Reply
  12. Tomi says:

    Researchers can slip an undetectable trojan into Intel’s Ivy Bridge CPUs
    New technique bakes super stealthy hardware trojans into chip silicon.
    http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/

    Scientists have developed a technique to sabotage the cryptographic capabilities included in Intel’s Ivy Bridge line of microprocessors. The technique works without being detected by built-in tests or physical inspection of the chip.

    The proof of concept comes eight years after the US Department of Defense voiced concern that integrated circuits used in crucial military systems might be altered in ways that covertly undermined their security or reliability. The report was the starting point for research into techniques for detecting so-called hardware trojans. But until now, there has been little study into just how feasible it would be to alter the design or manufacturing process of widely used chips to equip them with secret backdoors.

    In a recently published research paper, scientists devised two such backdoors they said adversaries could feasibly build into processors to surreptitiously bypass cryptographic protections provided by the computer running the chips.

    In addition to the Ivy Bridge processor, the researchers applied the dopant technique to lodge a trojan in a chip prototype that was designed to withstand so-called side channel attacks. The result: cryptographic keys could be correctly extracted on the tampered device with a correlation close to 1.

    Reply
  13. Tomi Engdahl says:

    Linus Torvalds Talks Linux Development at LinuxCon
    http://www.eweek.com/developer/linus-torvalds-talks-linux-development-at-linuxcon.html

    Torvalds responds to a question about whether the U.S. government asked him to put a backdoor in Linux, and explains why he’s a developer and how others can be.

    One of the first questions that Torvalds was asked was about how easy or hard it is to actually get involved with Linux kernel development.

    “We have an amazing amount of developers, and in some respects it is hard to get involved,” Torvalds said. “In other respects, of all the open-source projects that are out there, it is easier to get involved in Linux because there is so much to do.” Torvalds pointed to the numbers of people currently involved in Linux. “It can’t be that hard to get involved,” he said.

    NSA Backdoor
    Torvalds was also asked if he had ever been approached by the U.S. government to insert a backdoor into Linux.

    Torvalds responded “no” while shaking his head “yes,” as the audience broke into spontaneous laughter.

    Reply
  14. Tomi Engdahl says:

    Linus Torvalds Admits He’s Been Asked To Insert Backdoor Into Linux
    http://linux.slashdot.org/story/13/09/19/0227238/linus-torvalds-admits-hes-been-asked-to-insert-backdoor-into-linux

    “One question he was asked was whether a government agency had ever asked about inserting a back-door into Linux. Torvalds responded ‘no’ while shaking his head ‘yes,”

    Reply
  15. Tomi Engdahl says:

    Brazil Looks to Break from U.S.-Centric Internet
    http://world.time.com/2013/09/18/brazil-looks-to-break-from-u-s-centric-internet/

    Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments.

    President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google.

    The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner.

    Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

    “The global backlash is only beginning and will get far more severe in coming months,” said Sascha Meinrath, director of the Open Technology Institute at the Washington-based New America Foundation think tank. “This notion of national privacy sovereignty is going to be an increasingly salient issue around the globe.”

    While Brazil isn’t proposing to bar its citizens from U.S.-based Web services, it wants their data to be stored locally as the nation assumes greater control over Brazilians’ Internet use to protect them from NSA snooping.

    Reply
  16. Tomi Engdahl says:

    Killer app: why do anonymous Q&A networks keep leading to suicides?
    Ask.fm could have learned from Formspring’s mistakes — but didn’t
    http://www.theverge.com/2013/9/17/4740902/no-good-answers-why-didnt-ask-fm-learn-from-the-formspring-suicides

    Teens bullied through an anonymous question-and-answer site. A spate of suicides among the young people who used it. Growing outrage, sensational headlines, and eventual government intervention. This is the story of the quickly expanding Ask.fm over the past month — but just a couple years earlier, it was also the story of Formspring.

    Founders of tech companies pride themselves on their ability to rapidly iterate, learning from others’ mistakes and their own in the pursuit of perpetual progress. Yet in this case, one social network’s trajectory followed another’s so closely it appeared to be working from a script.

    Like Formspring, Ask.fm also grew quickly. Its founders also raised venture capital, though they have declined to say how much

    But just as on Formspring, allowing people to message others without so much as registering with an email address led to high-profile bullying incidents. Four suicides in Britain and Ireland have been linked to Ask.fm, and the company has figured in US bullying cases as well. In the wake of Hannah Smith’s death, the site added “bullying” and “harassment” categories to its safety report form, and made its “report” button more visible around the site. Ask.fm also promised to respond to all safety reports within 24 hours, effective this month.

    So why didn’t Ask.fm learn from Formspring’s lesson? They may have run into the same issue Formspring did: curtailing anonymous messages drives teens away. “We slowly created features that would eliminate anonymous questions coming into your inbox,” one ex-Formspring employee recalled. “But on the other hand, that hurts growth. It’s a very fine line. And those are really tough product decisions to make.”

    Safety features weren’t the only reason for Formspring’s failure. Changes to Facebook’s developer policies meant that fewer Q&A posts showed up in the news feed, for one thing. For another, teen users grew up and grew bored of Q&A. Reduced anonymity “definitely played some role” in the company’s collapse, another former employee said.

    Reply
  17. Tomi Engdahl says:

    RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
    http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

    Amidst all of the confusion and concern over an encryption algorithm that may contain an NSA backdoor, RSA Security released an advisory to developer customers today noting that the algorithm is the default in one of its toolkits and strongly advising them to stop using the algorithm.

    The advisory provides developers with information about how to change the default to one of a number of other random number generator algorithms RSA supports and notes that RSA has also changed the default on its end in BSafe and in an RSA key management system.

    The company is the first to go public with such an announcement in the wake of revelations by the New York Times that the NSA may have inserted an intentional weakness in the algorithm — known as Dual Elliptic Curve Deterministic Random Bit Generation (or Dual EC DRBG) — and then used its influence to get the algorithm added to a national standard issued by the National Institute of Standards and Technology.

    In its advisory, RSA said that all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C were affected.

    In addition, all versions of RSA Data Protection Manager (DPM) server and clients were affected as well.

    The company said that to “ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.”

    RSA is currently doing an internal review of all of its products to see where the algorithm gets invoked and to change those.

    “Every product that we as RSA make, if it has a crypto function, we may or may not ourselves have decided to use this algorithm,” said Sam Curry, chief technical officer for RSA Security. “So we’re also going to go through and make sure that we ourselves follow our own advice and aren’t using this algorithm.”

    Reply
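The weakness the RSA advisory above reacts to is that whoever chose the second curve point Q of Dual EC DRBG may know a scalar d with Q = d·P, and with it can recover the generator's internal state from a single output and predict everything that follows. The toy Python below is an added example, not code from the original post or from RSA's BSafe toolkit: it reproduces that construction on a small constructed curve (not P-256), omits the real generator's 16-bit output truncation, and its clamp() helper is a simplification of the toy that keeps every scalar nonzero.

```python
# Toy Dual EC DRBG over a small curve y^2 = x^3 + A*x + B (mod P_MOD), showing
# why a party that knows d with Q = d*P can recover the internal state from one
# output. All parameters are constructed for illustration; real Dual EC DRBG
# uses NIST P-256 and truncates the top 16 bits of each output (omitted here).
from math import gcd

P_MOD = 10007        # prime, and 3 mod 4 so sqrt(v) = v^((p+1)/4) mod p
A, B = 1, 1          # curve coefficients; 4A^3 + 27B^2 != 0 mod p, so non-singular

def ec_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def point_order(pt):
    """Smallest n > 0 with n*pt = infinity (brute force is fine on a toy curve)."""
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n

def lift_x(x):
    """Return a curve point with x-coordinate x. Which of the two y values we get
    does not matter: e*R and e*(-R) share the same x-coordinate."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    assert y * y % P_MOD == rhs, "x-coordinate is not on the curve"
    return (x, y)

def find_base_point(min_order=1000):
    """Scan x-coordinates for a curve point of reasonably large order to use as P."""
    for x in range(1, P_MOD):
        rhs = (x * x * x + A * x + B) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:   # Euler criterion: rhs is a square
            pt = lift_x(x)
            if point_order(pt) >= min_order:
                return pt
    raise RuntimeError("no suitable base point on this curve")

P_BASE = find_base_point()
N = point_order(P_BASE)                                  # order of P, and of Q below
D = next(d for d in range(N // 2, N) if gcd(d, N) == 1)  # secret kept by whoever picked Q
Q_POINT = ec_mul(D, P_BASE)                              # published "constant" Q = d*P
E = pow(D, -1, N)                                        # trapdoor: e*Q = P

def clamp(x):
    """Map an x-coordinate to a scalar in 1..N-1 so no toy step lands on infinity
    (a simplification of this toy, not part of the real generator)."""
    return x % (N - 1) + 1

def dual_ec_outputs(state, count):
    """Run the generator from internal state `state` (1 <= state < N) and return
    `count` outputs. Each step: r = x(s*P), next s = x(r*P), output = x(r*Q)."""
    assert 0 < state < N
    s, outs = state, []
    for _ in range(count):
        r = clamp(ec_mul(s, P_BASE)[0])
        s = clamp(ec_mul(r, P_BASE)[0])
        outs.append(ec_mul(r, Q_POINT)[0])
    return outs

def predict_from_output(output, count):
    """What the holder of e can do: lift the output back to R = r*Q, compute
    e*R = r*P, whose x-coordinate is the next internal state, then run ahead."""
    r_q = lift_x(output)
    next_state = clamp(ec_mul(E, r_q)[0])
    return dual_ec_outputs(next_state, count)
```

Without the trapdoor scalar e, recovering r*P from x(r*Q) is a discrete-log problem; with it, one observed output reveals every later output, which is why the advisory's instruction to switch the default DRBG matters regardless of whether the real Q was chosen that way.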
  18. Tomi Engdahl says:

    Wi-Fi Sniffing Lets Researchers Build Graph of Offline Social Networks
    http://mobile.slashdot.org/story/13/09/19/2041243/wi-fi-sniffing-lets-researchers-build-graph-of-offline-social-networks

    “The probe requests emitted by a smartphone as it seeks a Wi-Fi network to connect reveal the device’s manufacturer thanks to its MAC address. This can offer some information about a crowd of people by looking at the breakdown by device brand. However, because some OSes include a preferred network list (PNL) in their probes, it may be possible to use Wi-Fi sniffing to infer even more information about a group of people by looking for common SSIDs”

    Reply
  19. Tomi Engdahl says:

    Crowdfunded Bounty For Hacking iPhone 5S Fingerprint Authentication
    http://apple.slashdot.org/story/13/09/19/1727230/crowdfunded-bounty-for-hacking-iphone-5s-fingerprint-authentication

    “There’s more than $13,000 pledged for a crowdfunded bounty for bypassing an iPhone 5S’s fingerprint reader. The bounty, set up by a security expert and an exploit reseller requires entrants to lift prints ‘like from a beer mug.’”

    Reply
  20. Tomi Engdahl says:

    Internet of Things Demands New Social Contract To Protect Privacy
    http://yro.slashdot.org/story/13/09/19/2334226/internet-of-things-demands-new-social-contract-to-protect-privacy

    “Changes brought about by the Internet of Things demands the creation of a whole new social contract to enshrine the right to privacy and prevent the creation of technology-fueled Orwellian surveillance states in which individual privacy protections take a back seat to security and ‘control.’ That, according to an opinion piece penned by the head of the European Commission’s Knowledge Sharing Unit.”

    Reply
  21. Tomi Engdahl says:

    Belgacom Attack: Britain’s GCHQ Hacked Belgian Telecoms Firm
    http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html

    A cyber attack on Belgacom raised considerable attention last week. Documents leaked by Edward Snowden and seen by SPIEGEL indicate that Britain’s GCHQ intelligence agency was responsible for the attack.

    Belgacom, whose major customers include institutions like the European Commission, the European Council and the European Parliament, ordered an internal investigation following the recent revelations about spying by the United States’ National Security Agency (NSA) and determined it had been the subject of an attack. The company then referred the incident to Belgian prosecutors. Last week, Belgian Prime Minister Elio di Rupo spoke of a “violation of the public firm’s integrity.”

    When news first emerged of the cyber attack, suspicions in Belgium were initially directed at the NSA. But the presentation suggests that it was Belgium’s own European Union partner Britain that is behind “Operation Socialist,” even though the presentation indicates that the British used spying technology for the operation that the NSA had developed.

    According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a “Quantum Insert” (“QI”). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had “good access” to important parts of Belgacom’s infrastructure, and this seemed to please the British spies, according to the slides.

    The documents also suggest that GCHQ continued to probe the areas of infrastructure to which the targeted employees had access.

    Reply
  22. Tomi Engdahl says:

    Security Researchers Claim Apple Technically Capable Of Intercepting iMessages
    http://techcrunch.com/2013/09/19/security-researchers-claim-apple-others-technically-capable-of-intercepting-imessages/

    Two security researchers have posted an outline for a talk about Apple’s iMessage security to be presented next month. The report claims that Apple could — but not that it does — intercept iMessages and read them if it wishes.

    Apple had previously claimed, via its security documents, that iMessages were encrypted end-to-end and that it is unable to read them. Researchers ‘GG’ and Cyril ‘Pod2G’ Cattiaux of the firm Quarkslab claim that they have discovered a method to perform a man-in-the-middle (MITM) attack, which can intercept these messages and allow them to be read, despite the encryption used by Apple.

    Reply
  23. Tomi Engdahl says:

    NSA taught business the value of metadata

    Telecommunications metadata does not include the content of the calls themselves. Metadata covers only traffic information such as the numbers, the start times and, in some cases, call billing data.

    The revelation of the NSA (National Security Agency) spying on its own citizens has given rise to something good: companies are realizing how valuable this kind of metadata collection is as a business.

    Analysis of a huge number of calls can reveal information about the callers and even their spending patterns and behavior. That is ultimately what the NSA is also trying to do.

    Customer and employee behavior, as well as the progress of projects, are easier to predict with the help of metadata. Similarly, companies can more clearly choose the best practices most appropriate to a situation.

    Metadata can make a real contribution to, say, service center and sales capacity assessment and peak forecasting.

    Many corporate telephone systems already collect information such as phone numbers, call times and call durations.

    Telecommunications metadata is underestimated in vain, because it can give a company really valuable information amid all the big data hype.

    As the NSA affair has shown, the security services were able to access the relevant data specifically by combining many sources of information. Companies, too, can get the same valuable information to support decision making, especially in the area of customer relationship management.

    CRM (Customer Relationship Management) will benefit from collecting and analyzing data, as business decision-makers choose the most suitable market conditions, strategies and best practices.

    The NSA example demonstrates that the authorities understand the value of metadata.

    Source: http://www.tietoviikko.fi/cio/nsa+opetti+yrityksille+metadatan+arvon/a931806

    Reply
  24. Tomi Engdahl says:

    What the NSA and Business (Should) Have in Common
    http://www.cio.com/article/739947/What_the_NSA_and_Business_Should_Have_in_Common?page=1&taxonomyId=3061

    Regardless of where you sit on the privacy vs. security spectrum regarding the controversy over the NSA collecting telephony metadata for millions of phone calls, the situation has made one thing clear: telephony metadata can be valuable. In fact, now is a good time to evaluate (or create) a system for internally gathering and making the most out of this important, but often overlooked information source.

    Reply
  25. Tomi says:

    NSA to try to prevent a recurrence of Snowden scandal

    The NSA’s chief technology officer says the agency has changed its practices for handling secret files stored on its intranet. The aim is to prevent a recurrence of a document leak like the one revealed by Edward Snowden in the summer.

    Snowden worked for the NSA as a system administrator. The job allowed him to transfer secret documents to a file sharing area of an intranet portal without anyone wondering about it, the NSA’s CTO Lonny Anderson told NPR in an interview.

    Snowden was, therefore, in the right place at the right time and did not need any secret tricks to access such information:

    “The job was perfect cover for someone who wants to leak documents. He did it for a living. He did not need any amazing cleverness. He just did his job,” a former supervisor says of the whistle-blower who fled to Russia.

    The intranet contained thousands of secret PowerPoint presentations and documents, as well as actual intelligence organization reports. Anderson’s answers explain what was possible and where, but it is still not clear how Snowden was able to download the data onto a memory stick and carry it out of the office past security.

    After the leak, the NSA has sought to change the practices that made it possible in many places.

    In the future, the actions of those holding maintenance rights are logged, so that log entries reveal suspicious activity. In addition, confidential files are “tagged” so that it can be determined which files are being handled and on whose behalf they are opened or processed. Similar monitoring is carried out in Finland, including in police and healthcare systems.

    Backups, for example, are now made by two people with the same rights working in pairs, not alone. This way one person cannot make copies in any way other than what they are supposed to do.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/nsa+yrittaa+estaa+snowdenskandaalin+toistumisen/a931866

    Reply
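    The three controls the comment above attributes to the NSA (logging of privileged actions, tagging of confidential files, two-person handling of copies) only pay off if someone actually evaluates the log. As an added example, not from the article or any NSA system, here is a small detector run over a constructed audit log: it flags tagged files opened outside the account's cleared project, copies or backups of tagged files without a second, different approver, and a burst of tagged-file copies within a short window. The log format, the `CLEARANCE` table, the thresholds and all account names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a file-access audit log (hypothetical format, not real data).
SAMPLE_LOG = """\
2013-09-20T02:10:05Z user=adm1 action=open file=/intra/alpha/budget.pptx tag=SECRET project=ALPHA
2013-09-20T02:11:30Z user=adm1 action=copy file=/intra/alpha/budget.pptx tag=SECRET project=ALPHA dest=usb
2013-09-20T02:11:41Z user=adm1 action=copy file=/intra/beta/ops.docx tag=SECRET project=BETA dest=usb
2013-09-20T02:12:02Z user=adm1 action=copy file=/intra/beta/sites.xlsx tag=SECRET project=BETA dest=usb
2013-09-20T02:12:20Z user=adm1 action=copy file=/intra/gamma/net.vsd tag=SECRET project=GAMMA dest=usb
2013-09-20T09:05:00Z user=analyst7 action=open file=/intra/alpha/budget.pptx tag=SECRET project=ALPHA
2013-09-20T09:30:00Z user=adm2 action=backup file=/intra/alpha/budget.pptx tag=SECRET project=ALPHA dest=tape approver=adm3
"""

# Projects each account is cleared for (constructed). Maintenance rights do not imply clearance.
CLEARANCE = {"adm1": {"ALPHA"}, "adm2": {"ALPHA"}, "adm3": {"ALPHA"}, "analyst7": {"ALPHA"}}
TWO_PERSON_ACTIONS = {"copy", "backup"}   # actions on tagged files that need a second person
BULK_THRESHOLD = 3                         # tagged-file copies by one user within WINDOW
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text):
    """Return a list of (rule, user, detail) findings over the log."""
    findings = []
    copies = defaultdict(list)              # user -> timestamps of tagged-file copies
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, tag, project = ev["user"], ev.get("tag"), ev.get("project")
        tagged = tag == "SECRET"
        # Rule 1: tagged file touched outside the account's cleared projects.
        if tagged and project not in CLEARANCE.get(user, set()):
            findings.append(("out-of-project", user, ev["file"]))
        # Rule 2: two-person rule for copies/backups of tagged files; self-approval does not count.
        if tagged and ev["action"] in TWO_PERSON_ACTIONS:
            approver = ev.get("approver")
            if approver is None or approver == user:
                findings.append(("no-second-person", user, ev["file"]))
        # Rule 3: burst of tagged-file copies (fires once, when the threshold is reached).
        if tagged and ev["action"] == "copy":
            copies[user].append(ev["ts"])
            recent = [t for t in copies[user] if ev["ts"] - t <= WINDOW]
            if len(recent) == BULK_THRESHOLD:
                findings.append(("bulk-copy", user, f"{len(recent)} tagged files within {WINDOW}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:17} {user:9} {detail}")
```

    The approved tape backup by `adm2` with `adm3` as approver produces no finding, which is the point of the two-person rule: the control is visible in the log as a second name, and its absence is what the detector looks for.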
  26. Tomi Engdahl says:

    Police in New York Really Want You to Download iOS 7
    http://allthingsd.com/20130921/police-in-new-york-really-want-you-to-download-ios-7/

    The New York Police Department has more of a relationship with Apple’s iPhone than merely performing crowd control at and around Apple stores on iPhone launch days like yesterday.

    A new iPhone model also means a probable uptick in attempts to steal them. And since Friday’s launch of the iPhone 5s and 5c also happens to coincide with the launch of Apple’s iOS 7, which has some new security measures intended to deter theft, New York’s finest and other police agencies around the U.S. are making an effort to get people to download it.

    The new feature is called Activation Lock and basically what it does is force anyone who has the phone — including anyone who has stolen it — to enter an Apple ID and password before they can turn off the “Find My Phone” security feature, erase it or reactivate it.

    Naturally, this feature is helpful to police who are often called upon to locate stolen phones, so they’re pushing iPhone owners to download the new OS.

    Reply
  27. Tomi Engdahl says:

    Chaos Computer Club Bypasses Apple’s Touch ID System (with copy of original fingerprint)
    http://www.macrumors.com/2013/09/22/chaos-computer-club-bypasses-apples-touch-id-system/

    The Chaos Computer Club claims to be able to bypass Apple’s new Touch ID fingerprint sensor with a photo of the original user’s fingerprint. The bypass is demonstrated in a short video.

    Apple’s new iPhone 5s includes a fingerprint sensor called TouchID, which can be used to unlock the iPhone as well as make purchases on the Apple iTunes store.

    Reply
  28. Tomi Engdahl says:

    Close the N.S.A.’s Back Doors
    http://www.nytimes.com/2013/09/22/opinion/sunday/close-the-nsas-back-doors.html?pagewanted=all&_r=0

    In 2006, a federal agency, the National Institute of Standards and Technology, helped build an international encryption system to help countries and industries fend off computer hacking and theft. Unbeknown to the many users of the system, a different government arm, the National Security Agency, secretly inserted a “back door” into the system that allowed federal spies to crack open any data that was encoded using its technology.

    Documents leaked by Edward Snowden, the former N.S.A. contractor, make clear that the agency has never met an encryption system that it has not tried to penetrate. And it frequently tries to take the easy way out. Because modern cryptography can be so hard to break, even using the brute force of the agency’s powerful supercomputers, the agency prefers to collaborate with big software companies and cipher authors, getting hidden access built right into their systems.

    These back doors and special access routes are a terrible idea, another example of the intelligence community’s overreach. Companies and individuals are increasingly putting their most confidential data on cloud storage services, and need to rely on assurances their data will be secure. Knowing that encryption has been deliberately weakened will undermine confidence in these systems and interfere with commerce.

    The back doors also strip away the expectations of privacy that individuals, businesses and governments have in ordinary communications. If back doors are built into systems by the N.S.A., who is to say that other countries’ spy agencies — or hackers, pirates and terrorists — won’t discover and exploit them?

    The government can get a warrant and break into the communications or data of any individual or company suspected of breaking the law. But crippling everyone’s ability to use encryption is going too far, just as the N.S.A. has exceeded its boundaries in collecting everyone’s phone records rather than limiting its focus to actual suspects.

    Reply
  29. Tomi Engdahl says:

    Close ties between White House, NSA spying review
    http://bigstory.ap.org/article/close-ties-between-white-house-nsa-spying-review

    Stung by public unease about new details of spying by the National Security Agency, President Barack Obama selected a panel of advisers he described as independent experts to scrutinize the NSA’s surveillance programs to be sure they weren’t violating civil liberties and to restore Americans’ trust.

    But with just weeks remaining before its first deadline to report back to the White House, the review panel has effectively been operating as an arm of the Office of the Director of National Intelligence, which oversees the NSA and all other U.S. spy efforts.

    The panel’s advisers work in offices on loan from the DNI.

    “No one can look at this group and say it’s completely independent,” said one attendee, Sascha Meinrath, director of the Open Technology Institute and vice president at the New America Foundation. Meinrath said the closed meetings “leave the public out of the loop.”

    Obama described the panel in an Aug. 9 speech as an “independent group” and said its members would “consider how we can maintain the trust of the people, how we can make sure that there absolutely is no abuse in terms of how these surveillance technologies are used.”

    Four of the five review panel members previously worked for Democratic administrations.

    “We would have liked a more diverse group,” said Michelle Richardson, an ACLU legislative counsel who attended one meeting for civil liberties groups.

    The review panel overlaps with a similar effort by a second advisory group. In July, Obama asked the independent Privacy and Civil Liberties Oversight Board to report on the NSA programs and their effects on civil liberties.

    Neither session, according to participants, gave any hint of changes under consideration.

    “Any time someone brought up what was at the heart of these issues,” Meinrath said, “we were told to put that into record on the website, or else we were told it was classified.”

    Reply
  30. Tomi Engdahl says:

    Intruder was revealed – what should be learned?

    For over a week the media has given wide coverage to Finnish hackers breaking into more than a hundred domestic and foreign web services. The CERT-FI unit issued this year’s first security warning on Friday, 13.9., under the title “Finnish user names and passwords stolen in a series of intrusions”.

    This is the tip of the iceberg

    Intrusion attempts happen “all the time” and they fail on a regular basis; only a fraction of these end up in the public domain. From each case one must, however, learn and improve one’s own practices. What can the different target groups learn?

    Website or other service provider, or OWNER

    When you buy a new online or other ICT service, ensure that it meets the basic requirements of data security. Require them as part of the competitive bidding or other procurement process. Follow up on the level of compliance.

    Make sure that the service provider has operational processes for security updates, monitoring and distribution, and for incident and problem management, including the management of security incidents and communication. What kind of periodic security reporting is included in the current service plan?

    Internet or ICT service provider / operator (technical owner)

    Monitor the information security situation of the services you provide by following, for example, CERT and other vulnerability bulletins, and make this follow-up a standardized practice. When a vulnerability is published, do not wait, but check whether it relates to the production platforms you use.

    If it applies and an update is not yet available, take the other measures necessary to reduce the risk. If the update is already available, plan and test its effects and take it to production.

    Do not forget to keep your customers up to date – you can never inform too much about these things!

    Make sure that your contact information is clearly available.

    The service user

    The most important factor of all in your own operations is the passwords you use for services. Divide passwords, for example, into three categories: passwords for critical, important and basic services.

    Critical passwords are, for example, all work and personal e-mail services, as well as Microsoft Live/Account, Google and Facebook passwords, or anything else that handles money or credit card information.

    Make sure that these passwords comply with the so-called quality requirements, i.e. they are not easily guessed or mathematically breakable. Above all, they must be unique: the same password must not be used for more than one of the above services!

    If such a critical password, for example a personal e-mail password, is broken, the criminal can retrieve information about your other network services, change their passwords and take control of them. In this case, the criminal might have access to online shops and credit cards.

    A skilled criminal is able to do all of this at night and remove the e-mail messages generated by the tampering without you noticing. This is one reason why I recommend replacing personal passwords on a regular basis.

    Make sure you know in practice how you can recover your password if it has been hijacked and is no longer under your control.

    In the worst case, you need to be in direct personal contact with the service’s maintenance and show that you are the right, original user.

    Important passwords may, for example, be similar passwords formed with the same algorithm, in such a way that the disclosure of one does not immediately open the way to committing an offense in other services.

    For basic services, passwords can all be the same, but in a style that meets the standards.

    Yet another way is to use password manager software; the best known and probably the most preferred is the open source KeePass, which the German security authority BSI also recommends.

    Source: http://www.tietoviikko.fi/blogit/turvasatama/tietomurtautuja+paljastui++mita+pitaisi+oppia/a932175

    Reply
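    The three-tier advice in the comment above (critical passwords unique and strong, important ones at least distinct, basic ones allowed to repeat among themselves) can be checked mechanically over a personal password list before it goes into a manager such as KeePass. The script below is an added example, not from the Tietoviikko blog, that audits a constructed list of `(service, category, password)` entries against exactly those rules, plus a crude strength estimate and a small common-password list; the `min_bits` threshold, the `COMMON` set and the sample entries are assumptions. It also generates a fresh random password per service, which is what makes the "unique" rule practical.

```python
import math
import secrets
import string
from collections import defaultdict

CRITICAL, IMPORTANT, BASIC = "critical", "important", "basic"

# Tiny constructed sample of common passwords; a real audit uses a breached-password list.
COMMON = {"password", "123456", "qwerty", "salasana", "letmein"}


def strength_bits(pw):
    """Rough brute-force cost: length * log2(size of the character classes actually used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(entries, min_bits=60):
    """entries: iterable of (service, category, password). Returns [(issue, service), ...]."""
    by_pw = defaultdict(list)               # password -> [(service, category)]
    for service, cat, pw in entries:
        by_pw[pw].append((service, cat))
    issues = []
    for service, cat, pw in entries:
        # Quality rule: not guessable, and for critical/important not cheaply brute-forced.
        if pw.lower() in COMMON:
            issues.append(("common", service))
        elif cat != BASIC and strength_bits(pw) < min_bits:
            issues.append(("weak", service))
        # Uniqueness rules per tier.
        other_cats = {c for s, c in by_pw[pw] if s != service}
        if cat == CRITICAL and other_cats:
            issues.append(("reused-critical", service))
        elif cat == IMPORTANT and other_cats:
            issues.append(("reused-important", service))
        elif cat == BASIC and other_cats & {CRITICAL, IMPORTANT}:
            issues.append(("basic-shares-higher", service))
    return issues


def new_password(length=16):
    """Random password from letters, digits and punctuation using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample list (illustrative only).
SAMPLE = [
    ("work-email", CRITICAL, "Tq7#vL9!pRw2@zXk"),
    ("google", CRITICAL, "Tq7#vL9!pRw2@zXk"),      # same password on two critical services
    ("bank", CRITICAL, "salasana"),                # on the common list
    ("facebook", CRITICAL, "Kx3$mN8@"),            # strong characters but too short
    ("forum-a", BASIC, "Hobby-Forum-2013"),
    ("forum-b", BASIC, "Hobby-Forum-2013"),        # basic services may share: no finding
    ("webshop", IMPORTANT, "Hobby-Forum-2013"),    # but an important service must not join them
]

if __name__ == "__main__":
    for issue, service in audit(SAMPLE):
        print(f"{issue:20} {service}")
    print("replacement suggestion:", new_password())
```

    Note that `strength_bits` is deliberately optimistic: it treats `Hobby-Forum-2013` as if it were random, so it is only a floor for the tiering rules, not a substitute for checking against leaked-password lists.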
  31. Tomi Engdahl says:

    Major US security company warns over NSA link to encryption formula
    http://www.theguardian.com/world/2013/sep/21/rsa-emc-warning-encryption-system-nsa

    RSA, the security arm of EMC, sends email to customers over default random number generator which uses weak formula

    A major American computer security company has told thousands of customers to stop using an encryption system that relies on a mathematical formula developed by the National Security Agency (NSA).

    RSA, the security arm of the storage company EMC, sent an email to customers telling them that the default random number generator in a toolkit for developers used a weak formula, and they should switch to one of the other formulas in the product.

    The abrupt warning is the latest fallout from the huge intelligence disclosures by the whistleblower Edward Snowden about the extent of surveillance and the debasement of encryption by the NSA.

    Last week, the New York Times reported that Snowden’s cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government’s National Institute of Standards and Technology (NIST), to push for a formula it knew it could break. Soon after that revelation, the NIST began advising against the use of one of its cryptographic standards and, having accepted the NSA proposal in 2006 as one of four systems acceptable for government use, said it would reconsider that inclusion in the wake of questions about its security.

    RSA’s warning underscores how the slow-moving standards process and industry practices could leave many users exposed to hacking by the NSA or others who could exploit the same flaw for years to come.

    Rik Ferguson, of the security company Trend Micro, told the Guardian: “That particular standard, the Pseudo Random Number Generator [PRNG] standard, has long been thought to have at best a weakness, and at worst a back door, pretty much since its publication in 2006.”

    Encryption systems use pseudo-random number generators as part of a complex mathematical process of creating theoretically uncrackable codes. If the number sequences generated can be predicted, that makes the code crackable, given sufficient computing power.

    A person familiar with the process by which NIST would have accepted the PRNG told Reuters that it accepted the code in part because many government agencies were already using it.

    It was unclear how the company could reach all the former customers of its development tools, let alone how those programmers could in turn reach all of their customers. That could mean that the weakened PRNG has been used in products spread around the world over the past seven years.

    Rik Ferguson said: “The advantage of [the flaw] being so public for so long is that its use has been limited. Typically, cryptographers tend to avoid algorithms that have been shown to be weak. Nonetheless, it’s not so much the weakness of the standard that counts, but ‘security’ services’ willingness to subvert the very building blocks that so many of their own citizens and enterprises may later come to rely on for confidentiality and security.”

    Reply
  32. Tomi Engdahl says:

    The U.S. National Security Agency NSA’s activities increasingly resemble the pattern of Dan Brown’s 1998 book “Unbreakable Fortress”. Now, the security company RSA Security claims that the NSA managed to smuggle a back door into one recommended random number generator.

    It is the encryption code called Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator). Unfortunately, RSA Security has made the algorithm the default in many of its products.

    The company urges customers not to use the algorithm when no other options are available.

    Security researchers suspected as early as 2007 that Dual EC DRBG had been prepared in such a way that the NSA could theoretically sabotage it. According to the documents The New York Times received from Edward Snowden, this fear has proved to be true.

    Dual EC DRBG has been the standard for NIST (The National Institute of Standards and Technology) since 2006.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=400:nsa-ujutti-takaportin-salausstandardiin&catid=13&Itemid=101

    Reply
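    Comments 31 and 32 above say that the Dual EC DRBG output can be predicted by whoever chose its constants, which is why RSA told customers to switch generators. The following is an added example, not RSA's or NIST's code and not the real curve, that reproduces the structure on a toy curve over a 14-bit prime field so the mechanism is visible: the generator steps `s = x(s*P)` and emits the low bits of `x(s*Q)`; the designer picks `Q = d*P` and keeps `e = d^-1`, so that from one output he recovers the point `s*Q`, multiplies by `e` to get `s*P`, and thereby the next state. The curve parameters, the 2 truncated bits (the standard drops 16), the seed and the secret `d` are all constructed; nobody outside the designer can learn anything from this code about the real constants, which is precisely the problem the articles describe.

```python
import math

# Toy curve y^2 = x^3 + A*x + B over F_p. Constructed for illustration; the real
# standard uses NIST P-256/384/521 and drops 16 bits of each output block.
P_MOD = 10007
A, B = 2, 3
FIELD_BITS = P_MOD.bit_length()            # 14
TRUNC_BITS = 2                             # toy analogue of the standard's dropped bits
OUT_MASK = (1 << (FIELD_BITS - TRUNC_BITS)) - 1

# Square-root table for the small field: turns an x-coordinate back into a point.
SQRT_TABLE = {}
for _y in range(P_MOD):
    SQRT_TABLE.setdefault(_y * _y % P_MOD, _y)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


def find_generator(min_order=1000):
    """First curve point of reasonably large order; plays the role of the standard's fixed P."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        if rhs in SQRT_TABLE and SQRT_TABLE[rhs] != 0:
            pt = (x, SQRT_TABLE[rhs])
            n = point_order(pt)
            if n >= min_order:
                return pt, n
    raise RuntimeError("no suitable generator on toy curve")


def make_backdoored_q(P, n, d=1234):
    """Designer picks Q = d*P and keeps e = d^-1 mod n, so that e*Q == P. Returns (Q, e)."""
    while math.gcd(d, n) != 1:
        d += 1
    return ec_mul(d, P), pow(d, -1, n)


def dual_ec_outputs(seed, P, Q, count):
    """Toy Dual EC: state s = x(s*P); output = low bits of x(s*Q)."""
    s, outs = seed % P_MOD, []
    for _ in range(count):
        s = ec_mul(s, P)[0]
        outs.append(ec_mul(s, Q)[0] & OUT_MASK)
    return outs


def predict_third_output(out1, out2, P, Q, e):
    """Holder of e recovers the state from two outputs and predicts the next one."""
    predictions = set()
    for cand in range(out1, P_MOD, OUT_MASK + 1):     # re-fill the dropped top bits
        rhs = (cand ** 3 + A * cand + B) % P_MOD
        if rhs not in SQRT_TABLE:
            continue                                    # not the x-coordinate of any point
        R = (cand, SQRT_TABLE[rhs])                    # R = +/- s1*Q; the sign does not matter
        s2 = ec_mul(e, R)[0]                            # e*R = s1*(e*Q) = s1*P -> next state
        if ec_mul(s2, Q)[0] & OUT_MASK != out2:
            continue                                    # candidate inconsistent with output 2
        s3 = ec_mul(s2, P)[0]
        predictions.add(ec_mul(s3, Q)[0] & OUT_MASK)
    return predictions


def demo(seed=4242):
    P, n = find_generator()
    Q, e = make_backdoored_q(P, n)
    outs = dual_ec_outputs(seed, P, Q, 3)
    return outs, predict_third_output(outs[0], outs[1], P, Q, e)


if __name__ == "__main__":
    outs, preds = demo()
    print("generator outputs:", outs, " attacker's prediction for output 3:", preds)
```

    The attack needs nothing but `e`; without it, recovering `s*P` from `s*Q` is an elliptic-curve discrete logarithm. That asymmetry is why a Q whose origin is unexplained should be treated as a key someone else may hold, and why the fix is to use a different DRBG rather than to try to patch this one.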
  33. Tomi Engdahl says:

    Secret documents reveal NSA spying on encrypted internet communications
    http://grahamcluley.com/2013/09/nsa-spying-encrypted-internet-communications/

    If you haven’t read the articles in the New York Times or The Guardian today, you probably should.

    If true, it’s one of the most shocking things you will ever read about the internet.

    In a nutshell, documents obtained by The Guardian have revealed that the NSA works with technology companies to “covertly influence” product designs, helping them to collect “vast amounts” of encrypted data.

    Reply
  34. Tomi Engdahl says:

    Bug-hit bank’s chief information officer changes

    Investment bank Goldman Sachs, which suffered from a bug a month ago, is changing its CIO.

    The company was in an embarrassing light in August, when its stock market software made misjudgments and caused a disturbance in the stock market.

    Initially, the computer failure was suspected to have caused up to hundreds of millions of dollars in losses. Current estimates of the losses are in the order of tens of millions.

    Source: http://www.tietoviikko.fi/cio/bugista+karsineen+jattipankin+tietohallintojohtaja+vaihtuu/a932457

    Reply
  35. magie blanche says:

    Hi there very nice web-site! Male. Beautiful. Excellent. I’m going to save your internet-site plus consider the nourishes furthermore? I’m content to discover a lot of practical information and facts the following within the distribute, we would like come up with additional associated with this respect, appreciate giving.

    Reply
  36. Tomi Engdahl says:

    Schneier: Metadata Equals Surveillance
    http://news.slashdot.org/story/13/09/23/194216/schneier-metadata-equals-surveillance

    “Bruce Schneier writes that lots of people discount the seriousness of the NSA’s actions by saying that it’s just metadata — after all the NSA isn’t really listening in on everybody’s calls — they’re just keeping track of who you call.”

    “Now imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased — how he spent his day. That’s all metadata.”

    Reply
  37. Tomi Engdahl says:

    September 23, 2013
    Metadata Equals Surveillance
    https://www.schneier.com/blog/archives/2013/09/metadata_equals.html

    Back in June, when the contents of Edward Snowden’s cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people — including President Obama — discounted the seriousness of the NSA’s actions by saying that it’s just metadata.

    Lots and lots of people effectively demolished that trivialization, but the arguments are generally subtle and hard to convey quickly and simply. I have a more compact argument: metadata equals surveillance.

    When the government collects metadata on people, the government puts them under surveillance. When the government collects metadata on the entire country, they put everyone under surveillance. When Google does it, they do the same thing. Metadata equals surveillance; it’s that simple.

    Reply
  38. Tomi Engdahl says:

    Phew, NSA Is Just Collecting Metadata. (You Should Still Worry)
    http://www.wired.com/opinion/2013/06/phew-it-was-just-metadata-not-think-again/

    We now know that every day, U.S. phone companies quietly send the government a list of who called whom and when — “telephony metadata” — for every call made on their networks, because of a secret order by the Foreign Intelligence Surveillance Court. It turns out that this has been going on for seven years (and was even reported by USA Today then); the difference now is that the government — uncharacteristically for such a secret intelligence operation — quickly acknowledged the authenticity of the leaked order and the existence of the metadata collection program.

    Should we be worried? At least “nobody is listening to our telephone calls” (so the president himself assured us). People breathed a sigh of relief since first learning of the surveillance because surely there’s nothing to worry about when it comes to such seemingly innocuous information — it’s just metadata, after all. Phew!

    Unfortunately, metadata still leaves a lot to be concerned about. There’s more to privacy than just the sounds of our voices: Content may be what we say, but metadata is about what we actually do.

    And unlike our words, metadata doesn’t lie.

    The Metadata Is the Message

    With today’s communications technology, is metadata really less revealing than content? Especially when we’re dealing with metadata at the scale that we now know the NSA and FBI are receiving?

    Because at such a scale, people’s intuition about the relative invasiveness of content and metadata starts to fail them. Phone records can actually be more revealing than content when someone has as many records and as complete a set of them as the NSA does.

    Metadata is our context. And that can reveal far more about us than the words we speak. Context yields insights into who we are and the implicit, hidden relationships between us.

    The instinct is to use technology to counter technology. It’s not so easy.

    Reply
  39. Tomi Engdahl says:

    Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks
    http://searchengineland.com/post-prism-google-secure-searches-172487

    In the past month, Google quietly made a change aimed at encrypting all search activity — except for clicks on ads. Google says this has been done to provide “extra protection” for searchers, and the company may be aiming to block NSA spying activity. Possibly, it’s a move to increase ad sales. Or both. Welcome to the confusing world of Google secure search.

    Two Years Ago: Secure Searching For Logged-In Users

    In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy.

    This Month: Secure Searching Being Made Default For Everyone

    Now, Google has flipped on encryption for people who aren’t even signed-in.

    “We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in.”

    A Sudden Change

    One key question is “Why so suddenly?”: what prompted Google to make such a change out of the blue. And it was sudden.

    When searches are encrypted, search terms that are normally passed along to publishers after someone clicks on their links at Google get withheld. In Google Analytics, the actual term is replaced with a “Not Provided” notation.

    Over the past two years, the percentage of search terms reported as “not provided” has increased as Mozilla’s Firefox in July 2012, Apple’s Safari browser in iOS 6 in September 2012 and Google’s own Chrome browser in January 2013 have used encrypted search, even when people aren’t signed in at Google.

    That’s led to a steady increase, but not a giant leap, in “not provided” activity.

    Done To Block The NSA?

    The first is the whole US National Security Agency spying thing. In June, Google was accused of cooperating to give the NSA instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. That hasn’t saved it from criticism.

    Done To Boost Ad Sales?

    The other reason is that Google recently made a change so that one of the easiest ways for publishers to see the actual terms that have been withheld over time is through the Google AdWords system.

    Privacy Loophole Remains For Advertisers

    That’s especially so given that ad search traffic has never been made secure. No encryption stops people from eavesdropping on the terms used when someone searches at Google and clicks on an ad.

    Reply
  40. Tomi Engdahl says:

    Report: Standalone security market fades amid growing demand for integrated security
    http://www.cablinginstall.com/articles/2013/09/infonetics-integrated-security.html

    Infonetics Research has released its 2nd quarter (2Q13) Network Security Appliances and Software market share and forecast report. “There’s never been a time when the world was more tuned-in to broad privacy and security issues, and with the recent revelations about the NSA’s PRISM surveillance program, consumers and businesses around the globe are re-evaluating their security posture, preferred vendors, and deployment strategies,” notes Jeff Wilson, principal analyst for security at Infonetics Research.

    According to the study, worldwide network security appliance and software revenue totaled $1.6 billion in 2Q13, an increase of 4% sequentially.

    In terms of market share, Cisco, Check Point, Fortinet, HP, and Palo Alto Networks all posted strong revenue results in the network security market in 2Q13.

    “While it’s too early to say if the NSA debacle will have an impact on security spending, one trend in the security sector is clear: buyers are looking to consolidate security platforms wherever they can,”

    Reply
  41. Tomi Engdahl says:

    Low footprint software firewall protects IoT devices
    http://www.edn.com/electronics-products/other/4421446/Low-footprint-software-firewall-protects-IoT-devices

    Icon Labs has released what it claims to be the industry’s first software firewall that protects connected Smart Home devices from Internet-based attacks. Dubbed “Floodgate at Home”, the software features the Icon Labs suite of security products to provide device protection, management and incident reporting to home users and service providers via a secure web page.

    Once the device is connected to the web, the end user, home system integrator or service provider sets up the security arrangement. This limits access to a few specific people, phone numbers, or the IP address of a specific laptop or tablet.

    By stopping communication from unapproved devices, the software blocks unauthorized access, protects against automated hacking drones, and can even prevent the device from being discovered by hackers. It is designed for use in embedded systems and can be used with operating systems such as Embedded Linux, INTEGRITY, VelOSity, VxWorks, LynxOS, MQX, or eCos, or devices without an operating system.

    Reply
  42. Tomi says:

    Java has become more and more dangerous

    Security experts have time and again warned of the dangers of Java. F-Secure’s just-published report shows that the exploitation of Java vulnerabilities has become even more widespread.

    According to F-Secure, Java attacks increased by one-third in the first half of this year compared to the second half of last year. Attacks directed against Java account for nearly half of the ten most common findings on the list of exploited vulnerabilities.

    In general, attacks exploiting vulnerabilities increased significantly in the first half of 2013, and they are the most common attack method. Most vulnerability attacks were experienced in the United States, where 78 out of a thousand users ran into exploits of security holes. In Finland, the ratio was only 14/1000.

    The most common way vulnerabilities are exploited is through malicious or infected web sites.

    Android is a “mobile-side Java”

    According to F-Secure the number of Android malware has doubled in the beginning of the year.

    Android malware does not spread only through applications in the app stores, but also with the help of hacked ads and web pages. The latter is becoming increasingly common, although it is not yet as advanced as infecting computers. The method is easy to detect, because the user is prompted for permission to install applications. That does not help if the user is foolish: if the user gives permission, then the malware is installed.

    Source: http://www.tietokone.fi/artikkeli/uutiset/java_muuttunut_yha_vaarallisemmaksi

    Reply
  43. Tomi says:

    “Technology companies have deceived consumers”

    According to Leena Simonen, President of the Consumers’ Association, technology companies have deceived consumers when they install back doors in software.

    “Security weaknesses do not expose consumers only to surveillance exercised by the state, but they also enable cyber-crime seeking enrichment,” Simonen says in the Consumers’ Association bulletin.

    “Consumers should be able to make purchasing decisions based on adequate information, and the reliability of the information industry is important to many consumers’ purchasing decisions. Consumers should have the right to decide whether they are deceived by technology companies and whether there is a place for such companies in the marketplace.”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/quotteknologiayritykset+ovat+pettaneet+kuluttajatquot/a932973

    Reply
  44. Tomi Engdahl says:

    Jyväskylä Finland: students receive hands-on experience on cyber-security

    Elisa starts co-operation in cyber security with the University of Applied Sciences. The operator joins the Jyväskylä University of Applied Sciences security technology project.

    The aim is to improve the fight against cyber threats and their anticipation. The partnership opens up opportunities for students to acquire practical experience in the company.

    “Particularly valuable is that our students receive hands-on experience,”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/jyvaskylan+opiskelijat+saavat+kaytannon+kokemusta+kyberturvasta/a933157

    Reply
  45. Tomi Engdahl says:

    Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.
    https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/

    By now, the news is out — TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch.

    The fact that fingerprints can be lifted is not really up for debate — CSI technicians have been doing it for decades. The big question with TouchID was whether or not Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried but failed to implement a completely secure solution.

    Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

    Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

    First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone.

    So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.

    Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer.

    Using fake fingerprints is a little tricky; I got the best results by sticking it to a slightly damp finger.

    So what do we learn from all this?

    Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it. However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.

    Fingerprint security will help protect you against the three biggest threats facing smartphone users today:

    Fingerprint security will protect your data from a street thief that grabs your phone.

    Fingerprint security will protect you in the event you drop/forget/misplace your phone.

    Fingerprint security could protect you against phishing attacks (if Apple allows it)

    Fingerprint security has a darker side though: we need to carefully evaluate how its data is going to be managed and the impact it will have on personal privacy.

    The big questions here are:

    What data does Apple capture from a finger as it is enrolled?

    How is this data stored and how is it accessed?

    Can this data be used to recreate a user’s fingerprint mathematically or through visual reconstruction?

    In a similar fashion, fingerprints are viewed quite differently to passwords and PINs in the eyes of the law.

    Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward.

    Reply
  46. Tomi Engdahl says:

    Dropbox pushes to publish spy data request details
    http://www.pcworld.com/article/2049307/dropbox-joins-bid-to-publish-spy-data-requests.html

    Cloud storage locker Dropbox has joined Google, Microsoft, Yahoo, LinkedIn and Facebook in their quest for permission to publish the number of data requests they have received from the U.S. government, and the number of users affected by those requests.

    Dropbox filed a brief with the U.S. Foreign Intelligence Surveillance (FISA) Court asking for confirmation that it has the right to report the number of national security requests it receives, if any, Dropbox said in an update to its transparency report page on Monday.

    Reply
  47. Tomi Engdahl says:

    First test of F-Secure’s Dropbox killer, Younited

    Finnish security company F-Secure offers consumers a storage service packaged like Spotify. The techno geek wonders about a few choices, but finds it a promising start.

    The Helsinki-based security company is in the right place at the right time. The company intends to strike the market created by Edward Snowden’s uncovering of the PRISM project and begins to provide secure cloud storage.

    F-Secure today revealed the name of the service – Younited – and let us experiment with how the service works.

    The company’s purpose is to create a storage service that works seamlessly with the operating system. Younited has applications for iPhone, Android, Windows Phone, Windows PC and Mac. There is also an HTML5-based browser version.

    The service name is silly (it brings to mind a dating site). F-Secure says the service’s appearance is tuned more to hipsters than to the traditional techno-nerd: the user interface is reminiscent of Spotify, not the traditional file management view.

    Synchronize or share folders – oh so what?

    Before starting to use the program, the user must internalize the ways of sharing files. Or at least one of them.

    Younited can be used either by throwing files into the sync folder, which is the traditional way of using cloud storage. The service recognizes the file type and automatically sorts the files into image, video, music and document views.

    Another way is to define the folders whose contents are automatically copied to the cloud.

    In fact, the interface is intuitive. The program offers a general view and subviews based on file formats. While it is possible to make sub-folders, the main idea is for people to create collections of files like Spotify playlists. Any number of files can be put in a collection, and it can be shared in the familiar way of other storage services.

    Facebook, Picasa, and Dropbox can be integrated into Younited, which means that Younited works as a metadata service: images and contents on other integrated services are displayed as part of the Younited view.

    The software is still in development, which showed. Since the program is still in progress, not all of the features coming in the final version are yet in place.

    Younited is not yet publicly available. In the beginning of October F-Secure will take “a three-digit number of” testers into the service. The actual test will start in November and the program will be released sometime early next year.

    Basic use is free, and it comes with five gigabytes of complimentary storage. In addition there are two commercial versions.

    Laaksonen says that there will also be a version of the service for small and medium-sized enterprises.

    Can Younited become a contender to Dropbox and its peers? Maybe – if they are lucky and the service becomes fashionable.

    F-Secure will compete with the service’s features rather than storage space. Some of the features, such as the mobile service and scanning files for malware in a virtual sandbox, are free and some are paid.

    Another major competitive advantage is Finnishness. Laaksonen assures that the service has no back doors.

    The content is encrypted with the 256-bit AES algorithm and the content is divided across three different locations. One stores the service’s files, another the user data and the third the metadata.

    Two of the data centers are located in Finland, and F-Secure does not reveal the location of the third.

    In the same market it competes with, among others, Dropbox, Microsoft’s SkyDrive, Apple’s iCloud and Google Drive. Dropbox offers 2 GB of free storage, SkyDrive 7 GB, iCloud 5 GB and Google Drive 15 GB.

    Sources:
    http://www.digitoday.fi/data/2013/09/12/f-secure-haastaa-googlen-ja-dropboxin–jakaa-ilmaiseksi-salattua-tallennustilaa/201312767/66
    http://www.digitoday.fi/data/2013/09/25/ensitestissa-f-securen-dropboxin-tappaja-younited/201313308/66

    Reply
  48. Tomi Engdahl says:

    Foiling Medical Implant Hackers
    R. Colin Johnson
    9/24/2013 06:15 PM EDT
    http://www.eetimes.com/document.asp?doc_id=1319599&

    The increasing proliferation of medical implants that can be programmed wirelessly, such as pacemakers, insulin pumps, defibrillators, neural implants, and drug delivery systems, has prompted concern that hackers could gain access and harm a patient.

    Now researchers at Rice University claim to have an answer. Called Heart-to-Heart (H2H) the novel cryptographic technique uses the patient’s own heartbeat as a random number generator. It will be presented at the upcoming Association for Computing Machinery (ACM) Conference on Computer and Communications Security (November 4-8, Berlin).

    Today, reprogramming of medical implants is performed in the doctor’s office where security is not a concern. Traditional cryptographic techniques can be used for secure access to implants there, but, according to the Rice researchers, hackers could gain wireless access to implants outside the doctor’s office by breaking those techniques. Sophisticated, traditional cryptography could be used, but that would tax the processing power of the implant’s microcontroller and run down its battery. H2H, on the other hand, is designed to be easy on computing resources and yet more secure than traditional cryptography.

    In essence, the technique derives a random password from the heartbeat of the patient that can only be computed when touching the patient. The researchers call this touch-to-access, and they claim touching is important, since hackers could determine the rough outline of a heartbeat remotely with special cameras.

    “We have shown that the heartbeat has enough randomness to be used as a random number generator,”

    Reply
  49. Tomi Engdahl says:

    How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA
    http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/

    In August 2007, a young programmer in Microsoft’s Windows security group stood up to give a five-minute turbo talk at the annual Crypto conference in Santa Barbara.

    Dan Shumow and his Microsoft colleague Niels Ferguson titled theirs, provocatively, “On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng.” It was a title only a crypto geek would love or get.

    The talk was only nine slides long. But those nine slides were potentially dynamite. They laid out a case showing that a new encryption standard, given a stamp of approval by the U.S. government, possessed a glaring weakness that made an algorithm in it susceptible to cracking. But the weakness they described wasn’t just an average vulnerability, it had the kind of properties one would want if one were intentionally inserting a backdoor to make the algorithm susceptible to cracking by design.

    For such a dramatic presentation — by mathematicians’ standards — the reaction to it was surprisingly muted.

    Six years later, that’s all changed.

    Early this month the New York Times drew a connection between their talk and memos leaked by Edward Snowden, classified Top Secret, that apparently confirms that the weakness in the standard and so-called Dual_EC_DRBG algorithm was indeed a backdoor. The Times story implies that the backdoor was intentionally put there by the NSA as part of a $250-million, decade-long covert operation by the agency to weaken and undermine the integrity of a number of encryption systems used by millions of people around the world.

    The Times story has kindled a firestorm over the integrity of the byzantine process that produces security standards. The National Institute of Standards and Technology, which approved Dual_EC_DRBG and the standard, is now facing a crisis of confidence, having been forced to re-open the standard for public discussion, while security and crypto firms scramble to unravel how deeply the suspect algorithm infiltrated their code, if at all. On Thursday, corporate giant RSA Security publicly renounced Dual_EC_DRBG, while also conceding that its commercial suite of cryptographic libraries had been using the bad algorithm as its default algorithm for years.

    But beneath the flames, a surprising uncertainty is still smoldering over whether Dual_EC_DRBG really is backdoored. The Times, crypto experts note, hasn’t released the memos that purport to prove the existence of a backdoor, and the paper’s direct quotes from the classified documents don’t mention any backdoor in the algorithm or efforts by the NSA to weaken it or the standard. They only discuss efforts to push the standard through committees for approval.

    “If [NSA] spent $250 million weakening the standard and this is the best that they could do, then we have nothing to fear from them,”

    But Paul Kocher, president and chief scientist of Cryptography Research, says that regardless of the lack of evidence in the Times story, he discounts the “bad cryptography” explanation for the weakness, in favor of the backdoor one.

    “Bad cryptography happens through laziness and ignorance,” he says. “But in this case, a great deal of effort went into creating this and choosing a structure that happens to be amenable to attack.

    “What’s mathematically creative [with this algorithm] is that when you look at it, you can’t even prove whether there is a backdoor or not, which is very bizarre in cryptography,” he says. “Usually the presence of a backdoor is something you can prove is there, because you can see it and exploit it…. In my entire career in cryptography, I’ve never seen a vulnerability like this.”

    It’s not the first time the NSA has been accused of installing backdoors. Crypto trapdoors, real and imagined, have been part of NSA lore for decades

    Each of the four algorithms was based on a different cryptographic design family.

    Good random number generation is at the core of encryption, and a weak RNG can undo the entire encryption system. Random number generators play a role in creating cryptographic keys, in opening secure communications between users and web sites and in resetting passwords for email accounts. Without assured randomness, an attacker can predict what the system will generate and undermine the algorithm.

    “Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile,”

    No one knew who had produced the constants, but it was assumed that because the NSA had pushed the algorithm into the standard, the agency had generated the numbers. The spy agency might also, then, have generated a secret key.

    Schneier called it “scary stuff indeed,” but he also said at the time that it made no sense as a backdoor, since it was so obvious to anyone who looked at the algorithm and standard that there was this flaw in it. As a result, developers of web sites and software applications wouldn’t use it to help secure their products and systems, he said.

    But in fact, many developers did use it.

    The U.S. government has enormous purchasing power, and vendors soon were forced to implement the suspect standard as a condition of selling their products to federal agencies under so-called FIPS certification requirements. Microsoft added support for the standard, including the elliptic curve random-number generator, in a Vista update in February 2008, though it did not make the problematic generator the default algorithm.

    Asked why Microsoft supported the algorithm when two of its own employees had shown it to be weakened, a second Microsoft senior manager who spoke with WIRED said that while the weakness in the algorithm and standard was “weird” it “wasn’t a smoking gun.” It was more of an “odd property.”

    Microsoft decided to include the algorithm in its operating system because a major customer was asking for it, because it had been sanctioned by NIST, and because it wasn’t going to be enabled as the default algorithm in the system, thus having no impact on other customers.

    Other major companies, like Cisco and RSA, added it as well. NIST in fact provides a lengthy list of companies that have included it in their libraries, though the list doesn’t say which companies made it the default algorithm in their library or which products have been developed that invoke the algorithm.

    A Cisco spokesman told WIRED that the algorithm was implemented in its standard crypto library around mid-2012, a library that is used in more than 120 product lines, but the algorithm is not the default, and the default algorithm cannot be changed by users. The company is currently completing an internal audit of all of its products that leverage the NIST standard.

    RSA, however, made the algorithm the default in its BSafe toolkit for Java and C developers until this week when it told WIRED that it was changing the default following the renewed controversy over it. The company sent an advisory to developer customers “strongly” urging them to change the default to one of a number of other random number generator algorithms RSA supports. RSA also changed the default on its own end in BSafe and in an RSA key management system. The company is currently doing an internal review of all of its products to see where the algorithm gets invoked in order to change those.

    RSA actually added the algorithm to its libraries in 2004 or 2005, before NIST approved it for the standard in 2006 and before the government made it a requirement for FIPS certification, says Sam Curry, the company’s chief technology officer.

    “Cryptography is a changing field. Some algorithms go up and some come down and we make the best decisions we can in any point in time,” he says

    Curry says the fact that the algorithm is slower actually provides it with better security in at least one respect.

    “The length of time that you have to gather samples will determine the strength of your random number generation. So the fact that it’s slower sometimes gives it a wider sample set to do initial seeding,” he says. “Precisely because it takes a little longer, it actually winds up giving you more randomness in your initial seeding, and that can be an advantage.”

    Despite the renewed controversy over the algorithm and standard, Microsoft managers say they still don’t think the weaknesses constitute an intentional backdoor.

    Reply
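A toy model of the state/output structure behind the "secret numbers" discussion in the comment above, added here as an illustration; it is not code from the WIRED article, NIST or any vendor. The prime, curve, base point, secret d and seed are all constructed for the demo (tiny next to the real P-256 parameters), and the class and function names are my own; it shows why an output generator whose two constants P and Q may be related by an unknown d cannot be trusted: whoever knows d recovers the internal state from one output and predicts every later one.

```python
"""Toy Dual_EC_DRBG structure: next state = x(s*P), output = x(s*Q) with
the top bits dropped. If P = d*Q for a d known to whoever picked the
constants, one output leaks the state. All parameters here are constructed."""

P_MOD = 2**31 - 1        # toy field prime (constructed); p = 3 mod 4 makes sqrt easy
A, B = 0, 7              # toy curve y^2 = x^3 + 7 over GF(P_MOD) (constructed)
TRUNC_BITS = 4           # top bits dropped from each output (the standard drops 16)
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1

def ec_add(p1, p2):
    """Affine point addition on the toy curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root, valid since p = 3 mod 4
    return (x, y) if (y * y) % P_MOD == rhs else None

Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)  # toy base point (constructed)
D_SECRET = 123456789     # the "secret number" known only to whoever chose the constants
P = ec_mul(D_SECRET, Q)  # P = d*Q: the hidden relationship between the two constants

class ToyDualEC:
    """Generator with the Dual EC state/output structure (toy parameters)."""
    def __init__(self, seed):
        self.s = seed

    def next_output(self):
        self.s = ec_mul(self.s, P)[0]            # s_{i+1} = x(s_i * P)
        return ec_mul(self.s, Q)[0] & OUT_MASK   # r_i = x(s_{i+1} * Q), top bits dropped

def predict_third(out1, out2):
    """Holder of d: brute-force the dropped bits of out1 to recover the point s*Q,
    confirm the candidate against out2 and return the prediction for output 3."""
    for hi in range(1 << TRUNC_BITS):
        r = out1 | (hi << OUT_BITS)
        point = lift_x(r) if r < P_MOD else None
        if point is None:
            continue                             # not a valid x-coordinate
        s2 = ec_mul(D_SECRET, point)[0]          # d*(s1*Q) = s1*P, whose x is the next state
        if ec_mul(s2, Q)[0] & OUT_MASK != out2:
            continue                             # wrong guess for the dropped bits
        s3 = ec_mul(s2, P)[0]
        return ec_mul(s3, Q)[0] & OUT_MASK
    return None

if __name__ == "__main__":
    gen = ToyDualEC(seed=987654321)
    o1, o2, o3 = gen.next_output(), gen.next_output(), gen.next_output()
    print("outputs:", o1, o2, o3, "predicted third:", predict_third(o1, o2))
```

Without d, recovering the state means solving a discrete logarithm on the curve, which is exactly why the weakness is invisible to anyone who did not generate the constants.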
  50. Tomi Engdahl says:

    LexisNexis and Other Major Data Brokers Hacked By ID Theft Service
    http://it.slashdot.org/story/13/09/25/1426236/lexisnexis-and-other-major-data-brokers-hacked-by-id-theft-service

    “Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis.”

    And they had access for months to most of them.

    Reply
