The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile devices.
Security is becoming an increasingly important issue. The year 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and a willingness to face unknown threats.
Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers doing their security testing? Metasploit has a special category of modules for SCADA devices. It is a good idea to test your devices against it.
There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA systems security.
Nowadays you need to think about SCADA system security more than some years ago. Previously, it was thought that it was sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet. Accidental connections to the Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.
Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. The GPS system is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? The article Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected; combined with lax law enforcement, this is a perfect petri dish for increased cybercrime.
A Europe-wide cyber police force has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.
Tomi Engdahl says:
Sep 13
Data Broker Giants Hacked by ID Theft Service
http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.
The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.
Until very recently, the source of the data sold by SSNDOB has remained a mystery.
Earlier this summer, SSNDOB was compromised by multiple attackers, its own database plundered.
But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers. This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States. The botnet’s Web-based interface (portions of which are shown below) indicated that the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators.
Two of the hacked servers were inside the networks of Atlanta, Ga.-based LexisNexis Inc., a company that according to Wikipedia maintains the world’s largest electronic database for legal and public-records related information. Contacted about the findings, LexisNexis confirmed that the two systems listed in the botnet interface were public-facing LexisNexis Web servers that had been compromised.
Two other compromised systems were located inside the networks of Dun & Bradstreet, a Short Hills, New Jersey data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management. According to the date on the files listed in the botnet administration panel, those machines were compromised at least as far back as March 27, 2013.
The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides employment background, drug and health screening.
All three victim companies said they are working with federal authorities and third-party forensics firms in the early stages of determining how far the breaches extend, and whether indeed any sensitive information was accessed and exfiltrated from their networks.
For its part, LexisNexis confirmed that the compromises appear to have begun in April of this year, but said it found “no evidence that customer or consumer data were reached or retrieved,” via the hacked systems.
KNOWLEDGE IS POWER
The intrusions raise major questions about how these compromises may have aided identity thieves. The prevailing wisdom suggests that the attackers were going after these firms for the massive amounts of consumer and business data that they hold. While those data stores are certainly substantial, fraud experts say the really valuable stuff is in the data that these firms hold about consumer and business habits and practices.
Tomi Engdahl says:
NSA chief pleads for public’s help amid push for spying restrictions
http://thehill.com/blogs/hillicon-valley/technology/324499-nsa-chief-pleads-for-publics-help-as-congress-eyes-restrictions
Gen. Keith Alexander, the director of the National Security Agency, called on the public Wednesday to help defend his agency’s powers as Congress mulls restrictions aimed at protecting privacy.
“We need your help. We need to get these facts out,” Alexander said during a cybersecurity summit at the National Press Club. “We need our nation to understand why we need these tools.”
He warned that if Congress hampers the NSA’s ability to gather information, it could allow for terrorist attacks in the United States similar to last week’s massacre in a mall in Nairobi, Kenya.
Following leaks by Edward Snowden this summer about the scope of the NSA’s surveillance, numerous lawmakers, including Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.), have moved to rein in the agency’s power. The lawmakers have expressed particular outrage about the NSA’s bulk collection of domestic phone data.
Alexander said most of the violations under other authorities were unintentional and often did not harm anyone’s privacy. He said many of the violations involved an analyst accidentally typing a wrong number.
Tomi Engdahl says:
NSA reform bill to trim back US surveillance unveiled in Congress
http://www.theguardian.com/world/2013/sep/25/nsa-reform-bill-surveillance-congress
Ron Wyden says Snowden disclosures have ’caused a sea change’ and announces most comprehensive package so far
Four senators at the vanguard of bipartisan efforts to rein in US government spying programs announced the most comprehensive package of surveillance reforms so far presented on Capitol Hill on Wednesday.
The draft bill represented the first sign that key Republican and Democratic figures in the Senate are beginning to coalesce around a raft of proposals to roll back the powers of the National Security Agency in the wake of top-secret disclosures made by whistleblower Edward Snowden.
“The disclosures over the last 100 days have caused a sea change in the way the public views the surveillance system,” said Democratic senator Ron Wyden, unveiling the bill at a press conference alongside Republican Rand Paul.
“We are introducing legislation that is the most comprehensive bipartisan intelligence reform proposal since the disclosures of last June,” he said.
Wyden said the bill would set a high bar for “not cosmetic” intelligence reform, on the eve of a series of congressional hearings into the NSA’s surveillance powers that will begin on Thursday.
Wyden said the House vote in July was “a huge wake-up call”, revealing the depth of opposition to government surveillance programs in the wake of Snowden’s disclosures. Blumenthal said their bill represented a “coming together of a very diverse ideological elements of our respective parties”.
Tomi Engdahl says:
Twitter Alerts Lets You Opt-in On Push Notifications From Emergency Organizations And NGOs During Crises
http://techcrunch.com/2013/09/25/twitter-alerts-lets-you-opt-in-on-push-notifications-from-emergency-organizations-and-ngos-during-crises/
Twitter is rolling out a new system called Twitter Alerts today that lets you choose to receive special alerts from emergency accounts, government organizations and NGOs. The system is designed to expand on Twitter’s ‘Lifeline’ service which was offered to those in Japan suffering from the earthquake last year.
That service connected users to emergency twitter accounts during the earthquake, and Twitter says that it’s now expanding this kind of emergency function out to the rest of the world. Twitter says that this will help users to get “important and accurate information from credible organizations during emergencies, natural disasters or moments when other communications services aren’t accessible.”
The system is available now, and a few organizations are already participating in the U.S., Japan and Korea. But anyone anywhere can receive the alerts.
Tomi Engdahl says:
Krebs: Lexis-Nexis, D&B and Kroll hacked
Data-stealing botnet found in aggregators’ services
http://www.theregister.co.uk/2013/09/25/krebs_lexisnexis_db_and_kroll_hacked/
Major data aggregators have been compromised “for months”, according to prominent security blogger Brian Krebs, including Lexis-Nexis and Dun & Bradstreet.
Writing at Krebsonsecurity, Krebs says the ID theft invasion of the brokers’ servers dated back at least as far as April this year, and that “the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators.”
His work started with an attempt to investigate the data sources of a service called ssndob.ms (which has since gone offline), which provided lookups for Americans’ social security and other background-check data. An attack on Ssndob put a copy of its database in front of Krebs, which while not revealing its data sources, indicated that multiple sources existed for its data.
Whether or not Krebs has discovered a new breach at Lexis-Nexis, The Register notes that the broker has fallen prey to data thieves before.
Back then, Lexis-Nexis ultimately admitted to Senate Judiciary Committee hearings that data breaches were routinely covered up since no law required disclosure.
Tomi Engdahl says:
NSA Director Wants Threat Data Sharing With Private Sector
http://it.slashdot.org/story/13/09/26/013254/nsa-director-wants-threat-data-sharing-with-private-sector
“While Congress and the technology community are still debating and discussing the intelligence gathering capabilities of NSA revealed in recent months, the agency’s director, Gen. Keith Alexander, is not just defending the use of these existing tools, but is pitching the idea of sharing some of the vast amounts of threat and vulnerability data the NSA and other agencies possess with organizations in the private sector.”
Comment:
Is this guy for real? He’s talking about real-time information sharing, obviously with no judicial oversight of any sort, rubber-stamped or otherwise.
FTFA: “Right now, we can’t see what’s happening in real time. We’ve got to share it with them, and potentially with other countries.”
Speaking to a crowd of mainly industry and government workers, Alexander appealed to them to help support the information sharing concept and any legislation that may be required to implement it.
Tomi Engdahl says:
Connected cars: Managing and securing data exchange and processing
http://www.edn.com/design/automotive/4421638/Connected-cars–Managing-and-securing-data-exchange-and-processing
With the rapid growth of cloud, mobile, and social technologies, there has been an explosion in the usage of lightweight web APIs (application programming interfaces) to link applications together across this new world and provide the backend for “Internet of Things” (IoT) devices. This has created an “API economy,” one driven by the demand for access to information – anytime, anywhere.
The automotive sector is making great strides in the IoT space. Cars increasingly include sensors which produce a stream of data, creating a phenomenon called the “connected car,” which uses web APIs to feed information to the consumer and manufacturer. This produces a huge amount of data which must be managed. In addition, APIs are used to control vehicle functionality.
For example, a car owner can use a mobile application to remotely lock/unlock their vehicle and activate the air conditioning five minutes before they get in. This mobile app connects to an API in order to interact with the connected car. In addition, within the transportation industry, an organization can remotely monitor its fleet to ensure its drivers are not driving longer than permitted, potentially falling asleep at the wheel. Car manufacturers such as Ford, Audi, Toyota, and BMW have already jumped on board the connected car trend, and it’s only going to grow as car companies start collaborating with external developers. In fact, cars are on track to soon outnumber mobile apps as API consumers. The sheer amount of data sent to APIs by sensors in cars is staggering.
The rise of the connected car promises a host of benefits, but as with the rise of any new Internet-connected device, data privacy could become a stumbling block to adoption. When it comes to data ownership, the lines between the driver and the manufacturer have the potential to become increasingly blurred.
Currently, there are very few regulations around privacy specifically for the connected car.
In an age of data paranoia, will the current lack of transparency doom the success of the intelligent vehicle? Anything connected to the Internet (including cars) has an “attack surface”, or entry point for malicious activity. Simply trying to keep the system secret is not good enough. An example is Tesla, whose APIs were sniffed and reverse engineered, further demonstrating that you cannot rely on “security through obscurity.”
In a Forbes article earlier this year, reporter Kashmir Hill discussed just how much our cars can know about us.
According to the same article, 85% of new cars have black boxes that capture information about the few seconds before and after a crash. Even the US Department of Transportation wants cars to go wireless so they’ll be able to communicate with each other in order to prevent crashes. All of this communication will be conducted through APIs.
Security expert Bruce Schneier said, “[The Tesla controversy] gives you an idea of the sort of things that will be collected once automobile black boxes become the norm. We’re used to airplane black boxes, which only collected a small amount of data from the minutes just before an incident. But that was back when data was expensive. Now that it’s cheap, expect black boxes to collect everything all the time. And once it’s collected, it’ll be used. By auto manufacturers, by insurance companies, by car rental companies, by marketers. The list will be long.”
“We should think now about who gets access to that data and how they do so, because one day soon, your car is going to be as much of a privacy concern as your smartphone.”
Tomi Engdahl says:
Are finger-print IDs on mobile devices safe?
http://www.edn.com/electronics-blogs/voice-of-the-engineer/4421397/Are-finger-print-IDs-safe-
This week we’re thinking about Apple’s latest and greatest iPhone, the 5S, which will include Touch ID – Apple’s new fingerprint sensor.
Apple was careful to note that the fingerprint data is encrypted and stored securely within the A7 and never stored on Apple servers or backed up to iCloud.
But is that secure enough for you? We live in an age where nothing is un-hackable. Would you trust something like your finger print to be stored in a chip on your phone or other (easily lost or stolen) mobile device? Or do you argue that your prints are all over your phone already and such an ID is great for convenience?
Tomi Engdahl says:
iPhone 5s TouchID sensor hacked!
http://www.edn.com/electronics-blogs/sensor-ee-perception/4421494/iPhone-5s-TouchID-sensor-hacked-
Bypassing Apple’s TouchID, Chaos Computer Club (CCC) rapidly proved that fingerprint biometrics for access control is hardly foolproof.
Here’s how they did it—Using a photo of a user’s fingerprint taken from a glass surface, the hackers created a fake finger that unlocked an iPhone 5s that is secured with TouchID. The print was photographed, the image cleaned, inverted and laser printed with a thick tone setting. An adhesive was smeared into the pattern created by the toner and the print was lifted and put on the sensor—Voila!
Tomi says:
GCHQ and NSA outsourcing cyber security tasks to third-party vendors
http://www.v3.co.uk/v3-uk/news/2296504/gchq-and-nsa-outsourcing-cyber-security-tasks-to-third-party-vendors
Government agencies such as GCHQ and NSA are outsourcing their requirements to private security firms to boost their cyber capabilities, according to F-Secure.
F-Secure chief research officer Mikko Hypponen reported uncovering evidence that the NSA’s Tailored Access Operations (TAO) unit and GCHQ are outsourcing missions to third-party security companies.
“One thing I’ve been doing for the past two years is finding where they get their expertise from. Do they recruit in house and train? Do they go to universities?” he said.
“I found these job posts listing experience with ‘the Forte Meade customer’ as a necessary skill. The Forte Meade customer is the NSA.”
Hypponen confirmed to V3 that he has seen similar job posts for roles with the UK GCHQ and several other government intelligence agencies. He added that the trend is unsurprising and is simply a sign that agencies are suffering the same effects of the ongoing cyber skills gap as private industry.
A lack of skilled cyber security professionals is an ongoing concern within Europe.
Hypponen said the outsourcing is troubling as it sheds further doubt on intelligence agencies’ ethics, which have come into question since the PRISM scandal.
The F-Secure chief added that the NSA’s behaviour is doubly troubling as it has tarnished two of the most positive technology innovations of the age. “The two greatest tools of our time have been turned into government surveillance tools. I’m talking about the mobile phone and the internet. George Orwell was an optimist. This is what’s happened.”
Hypponen is one of many security experts to slam the NSA over PRISM.
Tomi Engdahl says:
Microsoft defends Azure with two-factor auth security
Like Amazon, but it costs money
http://www.theregister.co.uk/2013/09/26/microsoft_azure_authentication_update/
Microsoft’s multi-factor authentication service has gone into general availability, doubling prices and giving enterprises a service-level agreement.
Microsoft announced the general availability of the product in a blog post on Thursday. The MFA technology allows admins to add an additional layer of security to accounts using the company’s cloud services.
Users can authenticate via an application on their mobile device, an automated voice call, or a text message. The technology was introduced in June of this year, and is based on assets it gained from its acquisition of PhoneFactor in October 2012.
The service works with on-premises VPNs and web applications via integrating with Windows Server Active Directory, as well as with cloud applications such as Windows Azure, Office 365, and Dynamics CRM.
Pricing for the tech is $2 per user per month, or $2 for 10 authentications, making Microsoft significantly more expensive than Amazon Web Services, which charges nothing for a similar service.
Tomi Engdahl says:
SIM card hacker: Bug is either ‘a backdoor, gross negligence, or both’
http://www.theregister.co.uk/2013/09/27/quote_of_the_week/
This was the week that Karsten Nohl, the security researcher who found a way to hack into SIM cards with a single text, told El Reg that he was upset that the mobile industry seemed so unconcerned about the vulnerabilities he had reported.
He told El Reg:
We thought our story was one of white-hat hacking preventing criminal activities, but as there is no crime, so no investigation.
Nohl said he was dismayed by the mobile industry’s lukewarm response to his revelations – and revealed to us, for the first time, exactly how he did it.
Tomi Engdahl says:
How I hacked SIM cards with a single text – and the networks DON’T CARE
US and Euro telcos won’t act until crims do, white hat sniffs
http://www.theregister.co.uk/2013/09/23/white_hat_sim_hacker_disillusioned_and_dismayed_by_operator_response/
Karsten Nohl, the security researcher who broke into SIM cards with a single text, has told The Register he is dismayed by the mobile industry’s lukewarm response to his revelations – and has revealed, for the first time, exactly how he did it.
Nohl thought exposing the flaws in SIM security would force the telcos to fix them. Theoretically, the two flaws would have worked in tandem to intercept calls and threaten the security of wireless NFC applications – such as pay-by-wave and other contactless payments.
The German expert now claims that the most serious of the two flaws has been deliberately ignored by an industry that wants to, allegedly, keep the backdoor ajar so that it can silently roll out software updates to handsets… a gaping access route that may not be closed until it’s too late.
Nohl discovered he could infiltrate SIM cards by sending specially formatted SMS messages, and found a flaw that would enable him to break out from the cards’ inbuilt security sandbox. Yet he was astonished to discover that despite publicly announcing patches and giving every impression of caring, the industry had – according to Nohl – actually done nothing to fix the problems.
Safety by numbers
The first exploit, enabling an attacker to install an application in the secure storage area of a SIM card, has been examined in these pages before, but that only represents a threat if the injected software can break out of the JavaCard sandbox. Nohl claimed that was possible, but until now hasn’t explained exactly how.
JavaCard is an operating system, sharing only a name and some syntax with the Java language. JavaCard licensees get a reference implementation from Oracle and then add their own secret source code to differentiate their products, so not all manufacturers’ SIMs had this flaw – but many did.
Java, even the version used by JavaCard, is supposed to be “memory safe”
What Nohl discovered was that by referencing a variable which referenced a variable which referenced an array he could bypass the bounds check that JavaCard is supposed to perform
Nohl says he warned Gemalto, the world’s largest SIM card manufacturer – which is among those SIM-makers whose cards exhibit the flaw – about the existence of the bug. Gemalto, Nohl alleges, told him that it didn’t matter – only signed applications could be run so their ability to breach the sandbox was irrelevant.
But the researcher points out that in 2010 Gemalto was able to upgrade bank cards in the field after a calendar bug broke millions of German cards. Bank cards are not designed to be upgraded after being issued, and Nohl contends that a similar flaw was exploited then.
GSM standard
It’s the combination of SMS exploit (to gain the application key) and JavaCard flaw (to break out of the sandbox) that makes the situation worrying, along with Nohl’s contention that network operators have become overly reliant on the GSM standard and are losing the skills necessary to secure their systems.
“Smaller networks don’t even know what the SIM cards are configured to do,” he told us. He claimed that in the US, network operator Sprint isn’t authenticating or encrypting SIM updates at all, and that both Vodafone and Telefonica are still issuing SIM cards with the insufficiently secure 56DES cryptography.
As Nohl put it: “Skills are underdeveloped because the crimes are underdeveloped … crime is even more convincing than anything.”
Tomi Engdahl says:
Malware Now Hiding In Graphics Cards
http://it.slashdot.org/story/13/09/26/2024236/malware-now-hiding-in-graphics-cards
“Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices.”
Tomi Engdahl says:
Research detects dangerous malware hiding in peripherals
DAGGER malware targets direct memory access
http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malware-hiding-in-peripherals.aspx
A Berlin researcher has demonstrated the capability to detect previously undetectable stealthy malware that resides in graphics and network cards.
Patrick Stewin’s proof of concept demonstrated that a detector could be built to find the sophisticated malware that ran on dedicated devices and attacked direct memory access (DMA).
The attacks launched by the malware dubbed DAGGER targeted host runtime memory using DMA provided to hardware devices. These attacks were not within scope of antimalware systems and therefore not detected.
DAGGER, also developed by Stewin and Iurii Bystrov of the FGSect Technical University of Berlin research group, attacked 32bit and 64bit Windows and Linux systems and could bypass memory address randomisation.
“DMA malware is stealthy to a point where the host cannot detect its presence,” Stewin said.
“DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host.”
“Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS (operating system) implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy.”
Tomi Engdahl says:
No Upper Bound On Phone Record Collection, Says NSA
http://yro.slashdot.org/story/13/09/26/2056204/no-upper-bound-on-phone-record-collection-says-nsa
“[a] U.S. surveillance court has given the National Security Agency no limit on the number of U.S. telephone records it collects in the name of fighting terrorism, the NSA director said Thursday.”
Tomi says:
Hacking firm hints at cybercrime’s professional elite
http://www.newscientist.com/article/mg21929364.700-hacking-firm-hints-at-cybercrimes-professional-elite.html?cmpid=RSS|NSNS|2012-GLOBAL|online-news#.UkcqkHLbO9I
LAST June, one of the world’s most advanced hacker groups hit a problem. The US defence contractor whose systems it wanted to access only allowed a small set of trusted IP addresses to connect to their network. In an unusual move – hackers typically go for the low-hanging fruit – the group hacked the company that provided the IP whitelisting service, enabling it to forge access certificates.
This group, which calls itself Hidden Lynx, was given a vague face last week when antivirus software-maker Symantec released a report profiling it. Believed to be based in China, the group is known only through traces of malicious software bearing its mark found in the compromised computers of some of the world’s largest companies.
Symantec estimates the group has 100 employees and says it has been operating for four years, specialising in attacks on financial and government institutions in the US. Chances are, the hackers will never be caught.
“They are bleeding edge computer scientists making serious amounts of money.”
Professional hacker groups are not restricted to illegal activities. O’Gorman points to Hacking Team, an Italian outfit which builds the commercial surveillance tool Da Vinci. “There are a couple of companies that will offer not quite a hacking service, but will offer trojans and exploits which they claim they will only sell to law enforcement,” he says.
The rise of large professional hacking groups like Hidden Lynx combined with the development of such borderline products means the average person has greater access to carrying out sophisticated computer attacks than ever before, says O’Gorman. What’s more, many of the sophisticated tools used by hackers have now leaked into underground marketplaces, where anyone can buy them, says Santorelli.
Tomi says:
Did NIST Cripple SHA-3?
http://yro.slashdot.org/story/13/09/28/0219235/did-nist-cripple-sha-3
“In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. ‘NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp.’”
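The “internal strength” in the quote is the sponge capacity c. As an added example (not code from the linked story, from NIST or from the Keccak team), the pure-Python Keccak sponge below takes the capacity as an explicit parameter so the effect can be seen directly: the generic bound on any attack against a sponge is about 2^(c/2) work, so a 256-bit output with c = 512 keeps 256-bit preimage resistance, while the same output with c = 256 drops to 128 bits. The c = 512, 0x06-suffix instance is cross-checked against Python’s hashlib.sha3_256; the c = 256 instance and the generic_strength_bits helper are illustrative and not any standard’s parameters.

```python
# Added example (not from the Slashdot story, NIST or the Keccak team): a
# minimal Keccak sponge with the capacity as an explicit parameter.
import hashlib

MASK64 = (1 << 64) - 1
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# rho rotation offsets, indexed ROT[x][y]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Keccak-f[1600]: 24 rounds on 25 lanes of 64 bits, lane index = x + 5*y."""
    for rc in RC:
        # theta: column parities mixed into every lane
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho (lane rotations) and pi (lane permutation)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, applied row-wise
        lanes = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]
        # iota: round constant
        lanes[0] ^= rc
    return lanes


def keccak_sponge(msg, capacity_bits, out_bytes, suffix=0x06):
    """Keccak[c] over a 1600-bit state.  suffix 0x06 = FIPS 202 SHA-3 domain
    bits; suffix 0x01 = the original Keccak submission padding."""
    assert capacity_bits % 64 == 0 and 0 < capacity_bits < 1600
    rate = (1600 - capacity_bits) // 8          # bytes absorbed per permutation
    # multi-rate padding pad10*1, with the domain bits folded into the first pad byte
    padded = bytearray(msg) + bytes([suffix])
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(padded), rate):     # absorb
        block = padded[off:off + rate]
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    out = bytearray()
    while True:                                 # squeeze
        out += b"".join(l.to_bytes(8, "little") for l in lanes[:rate // 8])
        if len(out) >= out_bytes:
            return bytes(out[:out_bytes])
        lanes = keccak_f1600(lanes)


def generic_strength_bits(capacity_bits, out_bits):
    """Generic (structure-only) sponge bounds: collisions cost about
    2^min(c/2, n/2) work, preimages about 2^min(c/2, n).  This ignores any
    weakness in the permutation itself."""
    return {"collision": min(capacity_bits // 2, out_bits // 2),
            "preimage": min(capacity_bits // 2, out_bits)}


def matches_stdlib(msg):
    """Cross-check the c=512 / 256-bit-output instance against hashlib.sha3_256."""
    return keccak_sponge(msg, 512, 32, 0x06) == hashlib.sha3_256(msg).digest()


if __name__ == "__main__":
    for c in (512, 256):
        print(c, keccak_sponge(b"abc", c, 32).hex(), generic_strength_bits(c, 256))
```

Running it prints two different 256-bit digests for the same input: changing c changes the rate (136 versus 168 bytes per permutation, which is where the speed gain comes from) and with it the generic security margin. The FIPS 202 that NIST eventually published in 2015 kept c = 2n for the fixed-length SHA-3 functions, which is why the c = 512 instance here agrees with hashlib.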
Tomi says:
Metadata On How You Drive Also Reveals Where You Drive
http://tech.slashdot.org/story/13/09/28/1326242/metadata-on-how-you-drive-also-reveals-where-you-drive
“Pay-as-you-drive programs are all the rage in the auto insurance industry. The (voluntary) programs, like Progressive Insurance’s Snapshot use onboard monitoring devices to track information like the speed of the automobile, sudden stops, distance traveled and so on. Safe and infrequent drivers might see their rates drop”
“A study by researchers at the University of Denver claims that the destination of a journey can be derived by combining knowledge of the trip’s origin with the metrics collected by the ‘pay-as-you-drive’ device.”
“The study raises important data privacy questions for the (many) ‘pay-as-you-drive’ programs now being piloted, or offered to drivers – not to mention other programs that seek to match remote sensors and realtime monitoring with products and services.”
Tomi says:
N.S.A. Gathers Data on Social Connections of U.S. Citizens
http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html?pagewanted=all&_r=2&
Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials.
The spy agency began allowing the analysis of phone call and e-mail logs in November 2010 to examine Americans’ networks of associations for foreign intelligence purposes
The policy shift was intended to help the agency “discover and track” connections between intelligence targets overseas and people in the United States, according to an N.S.A. memorandum from January 2011.
The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners.
The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents.
The new disclosures add to the growing body of knowledge in recent months about the N.S.A.’s access to and use of private information concerning Americans, prompting lawmakers in Washington to call for reining in the agency and President Obama to order an examination of its surveillance policies.
An agency spokeswoman, asked about the analyses of Americans’ data, said, “All data queries must include a foreign intelligence justification, period.”
“All of N.S.A.’s work has a foreign intelligence purpose,” the spokeswoman added. “Our activities are centered on counterterrorism, counterproliferation and cybersecurity.”
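What “large-scale graph analysis on very large sets of communications metadata” amounts to in code: as an added example (not the agency’s tooling and not from the article), the snippet below builds a contact graph from constructed call records, walks it a bounded number of hops from a seed identifier, and joins the result against a constructed directory standing in for the “enrichment data” listed above. Records, numbers and names are all invented for the example.

```python
# Added example (not the NSA's tooling, nor from the Times article): "contact
# chaining" over communications metadata.  Records hold only who contacted
# whom and when; a breadth-first walk from a seed identifier out to a fixed
# number of hops yields the "associates" the graph analysis refers to.
from collections import defaultdict, deque

# Constructed call-detail records: (timestamp, caller, callee).  The +44 number
# plays the foreign seed; the +1 numbers are the domestic identifiers swept in.
RECORDS = [
    ("2013-09-01T08:00", "+442070000001", "+15550101"),
    ("2013-09-01T09:10", "+15550101", "+15550202"),
    ("2013-09-02T12:00", "+15550202", "+15550303"),
    ("2013-09-02T18:30", "+15550303", "+15550404"),
    ("2013-09-03T07:45", "+15550505", "+15550101"),
    ("2013-09-03T21:00", "+15550606", "+15550707"),   # unrelated pair
]
SEED = "+442070000001"

# Constructed "enrichment" directory standing in for public/commercial sources.
DIRECTORY = {"+15550101": "A. Example", "+15550202": "B. Example"}


def build_graph(records):
    """Undirected contact graph: identifier -> set of identifiers it talked to."""
    graph = defaultdict(set)
    for _, a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def contact_chain(graph, seed, max_hops=2):
    """Breadth-first walk from seed; returns {identifier: hop distance}
    for everyone within max_hops of the seed."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in graph[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def enrich(hops, directory, domestic_prefix="+1"):
    """Join the chain against a directory: (identifier, hops, name-or-None)
    for every domestic identifier the chain reached."""
    return sorted((ident, h, directory.get(ident))
                  for ident, h in hops.items() if ident.startswith(domestic_prefix))


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for n in (1, 2, 3):
        print(n, "hops:", enrich(contact_chain(g, SEED, n), DIRECTORY))
```

Each extra hop from a single foreign seed pulls in more domestic identifiers (one at one hop, three at two, four at three in the constructed data), which is the policy point behind the “without having to check foreignness” passage above: the set grows with the hop limit, not with any property of the people in it.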
Tomi says:
How the FBI found Miss Teen USA’s webcam spy
RAT user “cutefuzzypuppy” wasn’t all that cute.
http://arstechnica.com/tech-policy/2013/09/miss-teen-usas-webcam-spy-called-himself-cutefuzzypuppy/
The sextortionist who snapped nude pictures of Miss Teen USA Cassidy Wolf through her laptop’s webcam has been found and arrested, the FBI revealed yesterday. 19-year-old Jared James Abrahams, a California computer science student who went by the online handle “cutefuzzypuppy,” had as many as 150 “slave” computers under his control during the height of his webcam spying in 2012.
Anatomy of a RATer
How did Abrahams get his start learning the intricacies of remote administration tools (RATs), the malware used to spy on his victims? Not surprisingly, he was a regular user of hackforums.net, which features a large RAT forum that I profiled earlier this year.
As cutefuzzypuppy, Abrahams asked for plenty of help distributing software like DarkComet to victims, since he “suck[ed] at social engineering” and needed to find better ways to spread his spyware.
He also announced his successes. On May 17, 2012, he told the RAT community at hackforums.net, “Recently I infected a person at my school with darkcomet. It was total luck that I got her infected because I suck at social engineering. Anyway, this girl happens to be a model and a really good looking one at that :D.”
The “model” in question appears to have been Wolf, whose machine was infected in mid-2012. Abrahams used DarkComet to snap lots of nude photos of Wolf
On March 29, the FBI looked at Wolf’s laptop and found evidence of both DarkComet and another RAT known as Blackshades, which confirmed how the attacker had taken his photos. But who was he? The IP addresses behind the attacker’s e-mails resolved back only to a VPN provider which purposely kept no logs. But the RATs themselves had connected back to the attacker by accessing no-ip.org, a service which allows users to dynamically map their IP address to a domain name (in this case, to cutefuzzypuppy.zapto.org and schedule2013.no-ip.org), thereby allowing the “slaves” to phone home, even when the attacker was using a dynamic IP address from a home Internet account. No-ip.org did keep records, and the FBI obtained them.
The records showed that the no-ip.org account was in the name of Abrahams’ father and the username on the account was “cutefuzzypuppy.” A simple Google search showed just how many times cutefuzzypuppy had written about RATs online.
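The RATs above phoned home to dynamic-DNS names so that the operator’s changing home IP stayed reachable; a defender sees the mirror image of that in resolver logs. As an added example (not code from the Ars story or from the FBI), the snippet below parses constructed BIND-style query log lines, flags lookups under watched dynamic-DNS zones and measures how regular the beaconing is. The log format, the client IP addresses and every zone in the list other than the two names from the story are assumptions.

```python
# Added example (not from the Ars Technica story or the FBI's investigation):
# spotting RAT check-ins to dynamic-DNS hostnames in resolver query logs.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Zones to watch.  zapto.org and no-ip.org appear in the story; the rest are
# assumed additions such a list would normally carry.
DDNS_ZONES = ("no-ip.org", "zapto.org", "no-ip.biz", "hopto.org", "ddns.net")

# Constructed, BIND-style query log lines (simplified format, not real traffic).
SAMPLE_LOG = """\
30-Sep-2013 10:01:02.000 client 10.0.0.5#51234: query: cutefuzzypuppy.zapto.org IN A + (10.0.0.2)
30-Sep-2013 10:01:30.000 client 10.0.0.7#49001: query: www.example.com IN A + (10.0.0.2)
30-Sep-2013 10:06:02.000 client 10.0.0.5#51240: query: cutefuzzypuppy.zapto.org IN A + (10.0.0.2)
30-Sep-2013 10:08:11.000 client 10.0.0.9#53120: query: schedule2013.no-ip.org IN A + (10.0.0.2)
30-Sep-2013 10:11:02.000 client 10.0.0.5#51251: query: cutefuzzypuppy.zapto.org IN A + (10.0.0.2)
30-Sep-2013 10:12:45.000 client 10.0.0.7#49010: query: mail.example.com IN MX + (10.0.0.2)
30-Sep-2013 10:16:02.000 client 10.0.0.5#51263: query: CuteFuzzyPuppy.zapto.org. IN A + (10.0.0.2)
30-Sep-2013 10:20:00.000 client 10.0.0.7#49022: query: no-ip.org.example.com IN A + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def matches_ddns_zone(name):
    """True if name is a watched zone or lies under one (label-boundary suffix
    match, so no-ip.org.example.com does not match)."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DDNS_ZONES)


def find_ddns_beacons(log_text, min_count=3):
    """Group dynamic-DNS lookups by (client, hostname) and return those with
    at least min_count lookups, with the mean gap and jitter between them.
    A RAT on a timer shows a steady period and near-zero jitter."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not matches_ddns_zone(m["name"]):
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        seen[(m["client"], m["name"].lower().rstrip("."))].append(ts)
    report = {}
    for key, times in seen.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times),
            "period_s": mean(gaps) if gaps else None,
            "jitter_s": (max(gaps) - min(gaps)) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for (client, host), info in find_ddns_beacons(SAMPLE_LOG).items():
        print(client, "->", host, info)
```

In the constructed log, 10.0.0.5 resolves the zapto.org name every 300 seconds with no jitter, the signature of a scheduled check-in, while the single lookup from 10.0.0.9 only surfaces with min_count=1. The same grouping works on any resolver or proxy log once the regex is adapted to its format.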
Tomi says:
NSA Internet Spying Sparks Race to Create Offshore Havens for Data Privacy
Firms Tout ‘Email Made in Germany’ as More Secure; Brazil Wants Its Own Servers
http://online.wsj.com/article_email/SB10001424052702303983904579096082938662594-lMyQjAxMTAzMDIwNzEyNDcyWj.html
Google Inc., Facebook Inc. and other American technology companies were put on the defensive when Edward Snowden’s allegations about U.S.-government surveillance of Internet traffic emerged this spring.
Outside the U.S., some companies and politicians saw an opportunity.
Three of Germany’s largest email providers, including partly state-owned Deutsche Telekom AG, teamed up to offer a new service, Email Made in Germany. The companies promise that by encrypting email through German servers and hewing to the country’s strict privacy laws, U.S. authorities won’t easily be able to pry inside. More than a hundred thousand Germans have flocked to the service since it was rolled out in August.
“We can say that we protect the email inbox according to German law,”
Fueled by the controversy, countries are seeking to use data-privacy laws as a competitive advantage—a way to boost domestic companies that long have sought an edge over Google, Microsoft Corp. and other U.S. tech giants.
“Countries are competing to be the Cayman Islands of data privacy,”
Tomi Engdahl says:
Bruce Schneier: NSA Spying Is Making Us Less Safe
http://www.technologyreview.com/news/519336/bruce-schneier-nsa-spying-is-making-us-less-safe/
The security researcher Bruce Schneier, who is now helping the Guardian newspaper review Snowden documents, suggests that more revelations are on the way.
Bruce Schneier, a cryptographer and author on security topics, last month took on a side gig: helping the Guardian newspaper pore through documents purloined from the U.S. National Security Agency by contractor Edward Snowden, lately of Moscow.
In recent months that newspaper and other media have issued a steady stream of revelations, including the vast scale at which the NSA accesses major cloud platforms, taps calls and text messages of wireless carriers, and tries to subvert encryption.
This year Schneier is also a fellow at Harvard’s Berkman Center for Internet and Society. In a conversation there with David Talbot, chief correspondent of MIT Technology Review, Schneier provided perspective on the revelations to date—and hinted that more were coming.
Taken together, what do all of the Snowden documents leaked thus far reveal that we didn’t know already?
Those of us in the security community who watch the NSA had made assumptions along the lines of what Snowden revealed. But there was scant evidence and no proof. What these leaks reveal is how robust NSA surveillance is, how pervasive it is, and to what degree the NSA has commandeered the entire Internet and turned it into a surveillance platform.
We are seeing the NSA collecting data from all of the cloud providers we use: Google and Facebook and Apple and Yahoo, etc. We see the NSA in partnerships with all the major telcos in the U.S., and many others around the world, to collect data on the backbone. We see the NSA deliberately subverting cryptography, through secret agreements with vendors, to make security systems less effective. The scope and scale are enormous.
The only analogy I can give is that it’s like death. We all know how the story ends. But seeing the actual details, and seeing the actual programs, is very different than knowing it theoretically.
The NSA mission is national security. How is the snooping really affecting the average person?
The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys.
There have been many allusions to NSA efforts to put back doors in consumer products and software. What’s the reality?
The reality is that we don’t know how pervasive this is; we just know that it happens. I have heard several stories from people and am working to get them published. The way it seems to go, it’s never an explicit request from the NSA. It’s more of a joking thing: “So, are you going to give us a back door?” If you act amenable, then the conversation progresses. If you don’t, it’s completely deniable. It’s like going out on a date. Sex might never be explicitly mentioned, but you know it’s on the table.
Great. So you’ve recently suggested five tips for how people can make it much harder, if not impossible, to get snooped on. These include using various encryption technologies and location-obscuring methods. Is that the solution?
My five tips suck. They are not things the average person can use. One of them is to use PGP [a data-encryption program]
Basically, the average user is screwed. You can’t say “Don’t use Google”—that’s a useless piece of advice. Or “Don’t use Facebook,”
The Internet has become essential to our lives, and it has been subverted into a gigantic surveillance platform. The solutions have to be political. The best advice for the average person is to agitate for political change.
Tomi Engdahl says:
Will the EU-U.S. data protection agreement fall apart?
“Something will happen anyway, regardless of the NSA scandal”
The agreement that provides data protection for EU citizens and businesses has gone under review by the EU Commission.
European Commission Vice-President Viviane Reding said in a memorandum released in late July that Safe Harbor does not necessarily guarantee security. The final straw was the NSA’s large-scale spying, uncovered at the beginning of the summer.
The Commission is currently working on assessment of the Safe Harbor Agreement. It is scheduled to be completed by the end of the year.
Source: http://www.tietoviikko.fi/kaikki_uutiset/kaatuuko+eun+ja+usan+tietosuojasopimus+quottapahtuu+joka+tapauksessa+jotain+nsaskandaalista+riippumattaquot/a931817
Tomi Engdahl says:
NSA: Yes, some of our spooks DID snoop on overseas lovers
But it’s OK, they resigned before we gave them a slap on the wrist
http://www.theregister.co.uk/2013/09/30/nsa_gmen_snooped_on_lovers/
NSA spooks used top secret surveillance techniques to snoop on their partners and check out prospective lovers, according to an official admission made to a US senator.
A letter from NSA inspector general Dr. George Ellard reveals that spies “intentionally misused” signals intelligence (SIGINT) techniques to gather information on the objects of their affection.
There are currently two open investigations into amorous eavesdropping and a third case is being considered for further investigation.
Tomi Engdahl says:
NSA in new SHOCK ‘can see public data’ SCANDAL!
What you say on Twitter doesn’t stay on Twitter
http://www.theregister.co.uk/2013/09/30/nsa_in_shock_can_see_public_data_scandal/
In the latest round of increasingly-hyperbolic leaks about what spy agencies are doing with data, reports are emerging that the NSA has been graphing connections between American individuals. Moreover, it’s using stuff that people publish on their social media timelines to help the case along.
According to this item in the New York Times, the NSA extended its analysis of phone call and e-mail logs in 2010 “to examine Americans’ networks of associations for foreign intelligence purposes”, something that was previously prevented because the agency was only allowed to snoop on foreigners.
Tomi Engdahl says:
How Your Smartphone Can Spy On What You Type
http://it.slashdot.org/story/13/09/29/1825247/how-your-smartphone-can-spy-on-what-you-type
“We all do it — place our phones down on the desk next to the keyboard. This might not be such a good idea if you want to keep your work to yourself. A team of researchers from MIT and the Georgia Institute of Technology have provided proof of concept for logging keystrokes using nothing but the sensors inside a smartphone — an iPhone 4 to be precise”
Tomi Engdahl says:
NSA in new SHOCK ‘can see public data’ SCANDAL!
What you say on Twitter doesn’t stay on Twitter
http://www.theregister.co.uk/2013/09/30/nsa_in_shock_can_see_public_data_scandal/
While great emphasis is given to the use of software to “sophisticated graphs” of the connections between individuals, the latest “Snowden revelation”,
More spooky but less surprising: the NSA seems to have worked out that if punters are already publishing information about themselves on social networks like Facebook or Twitter, it might be able to scoop that information into its databases (and from there into its analysis) without a warrant.
In the outside world, The Register notes that the mass collection and analysis of Twitter information is used by all sorts of people, nearly always without government oversight or warrant, to provide everything from detecting rainfall to earthquakes.
Other so-called “enrichment data” cross-matched by the NSA can include “bank codes, insurance information … passenger manifests, voter registration rolls and GPS location information … property records and unspecified tax data”, some of which may be more troubling since each of these carries different privacy expectations.
Tomi Engdahl says:
UK to create new cyber defence force
http://www.bbc.co.uk/news/uk-24321717
The UK is to create a new cyber unit to help defend national security, the defence secretary has announced.
The Ministry of Defence is set to recruit hundreds of reservists as computer experts to work alongside regular forces in the creation of the new Joint Cyber Reserve Unit.
The new unit will also, if necessary, launch strikes in cyber space, Philip Hammond said.
Recruiting for reservists to join the unit will start next month.
The role of the unit is to protect computer networks and safeguard vital data.
Mr Hammond told the Conservative Party conference that “the threat is real”.
“Last year, our cyber defences blocked around 400,000 advanced, malicious cyber threats to the government secure intranet alone,” he said.
In a statement, the Ministry of Defence (MoD) said the “creation of the Joint Cyber Unit (Reserve) will allow it to draw on individuals’ talent, skills and expertise gained from their civilian experience to meet these threats”.
“This is the new frontier of defence. For years, we have been building a defensive capability to protect ourselves against these cyber attacks. That is no longer enough.
“You deter people by having an offensive capability.”
“Our commanders can use cyber weapons alongside conventional weapons in future conflicts.”
Tomi Engdahl says:
Security concerns cast a shadow over the cloud world
The Nordic countries take a more cautious approach to cloud services than the rest of Europe. There are doubts about security and also about their own skills.
Such results can be read in a survey commissioned by CA Technologies. According to the survey, half of Nordic decision-makers are still waiting to be convinced of the usefulness of the cloud, while in the rest of Europe 57 per cent of IT decision-makers have already embraced cloud technology.
The flip side is that half of Nordic IT decision-makers already have a pro-cloud view. They tend to use cloud technology whenever possible, or at least consider its suitability when making new decisions.
Supporters praise the cloud for being cost-effective, as it allows more efficient processes and facilitates communication.
Source: http://www.tietokone.fi/artikkeli/uutiset/tietoturvahuolet_varjostavat_pilvimaailmaa
Tomi Engdahl says:
Security guru John McAfee returns to public view
“Stop NSA spying with a hundred-dollar device”
John McAfee, famous for his past as a security software developer, for many other incidents, and as the man who fled Belize during a murder investigation, appeared in public on Saturday for the first time since his flight. He announced that he is developing a device to counter the NSA.
McAfee electrified the audience with details of the planned device, which he says can fend off the widespread spying practised by the U.S. national intelligence agency, the NSA.
He said the device, which he calls Decentral, will come to market at about one hundred dollars.
“The state cannot find out who you are or where you are,” McAfee promised. According to him, the state cannot stop it either: if the United States bans it, he will bring it to market in England or Asia.
Decentral gets its name from the fact that it communicates with smartphones, tablets and other devices and creates decentralised, wireless, mobile local area networks that government spy agencies cannot penetrate.
McAfee hopes to have a prototype ready in six months, with a range of three blocks in the city and 400 metres in rural areas, working with both Android and iPhone.
Source: http://www.tietokone.fi/artikkeli/uutiset/stoppi_nsa_n_vakoilulle_satasen_laitteella
Tomi Engdahl says:
Students Find Ways To Hack School-Issued iPads Within A Week
http://www.npr.org/blogs/alltechconsidered/2013/09/27/226654921/students-find-ways-to-hack-school-issued-ipads-within-a-week
Los Angeles Unified School District started issuing iPads to its students this school year, as part of a $30 million deal with Apple. The rollout is in the first of three phases, and ultimately, the goal is to distribute more than 600,000 devices.
But less than a week after getting their iPads, almost 200 of the students had bypassed the district’s software blocks on the devices that limit what websites the students can use.
“They told me Friday, ‘I would do it for you because you’re my friend,’ ” she says. “They told me that!”
If you weren’t a friend, the hack would cost $2.
“They were charging people to do it. It was like a little black market,” Najera says.
The students are getting around software that lets school district officials know where the iPads are, and what the students are doing with them at all times.
The district’s chief information officer, Ronald Chandler, says he wasn’t really surprised that students bypassed blocks so quickly. He says that hacks happen at all levels, whether it’s secured parts of the federal government, or student iPads.
“So we talked to students, and we asked them, ‘Why did you do this?’ And in many cases, they said, ‘You guys are just locking us out of too much stuff.’ ”
“They were bound to fail,” says Renee Hobbs, who runs the Media Education Lab at the University of Rhode Island. She’s been a skeptic of the iPad program from the start. “Children are growing up today [with] the iPad used as a device for entertainment. So when the iPad comes into the classroom, then there’s a shift in everybody’s thinking.”
Tomi Engdahl says:
Google may face fine under EU privacy laws
The action follows a French-led analysis of Google’s new privacy policy
http://www.cmo.com.au/article/527785/google_may_face_fine_under_eu_privacy_laws/
Google faces financial sanctions in France after failing to comply with an order to alter how it stores and shares user data to conform to the nation’s privacy laws.
The enforcement follows an analysis led by European data protection authorities of a new privacy policy that Google enacted in 2012, France’s privacy watchdog, the Commission Nationale de L’Informatique et des Libertes, said Friday on its website.
Google was ordered in June by the CNIL to comply with French data protection laws within three months. But Google had not changed its policies to comply with French laws by a deadline on Friday, because the company said that France’s data protection laws did not apply to users of certain Google services in France, the CNIL said.
Google could be fined a maximum of €150,000 (US$202,562), or €300,000 for a second offense, and could in some circumstances be ordered to refrain from processing personal data in certain ways for three months.
Tomi Engdahl says:
Metasploit creator seeks crowd’s help for vuln scanning
Project Sonar combines tools, data and research
http://www.theregister.co.uk/2013/09/30/hd_more_seeks_crowd_help_for_vuln_scanning/
Security outfit Rapid7 has decided that there’s just too much security vulnerability information out there for any one group to handle, so its solution is to try and crowd-source the effort.
Announcing Project Sonar, the company is offering tools and datasets for download, with the idea that the community will provide input into the necessary research.
The brainchild of Metasploit creator HD Moore, the aim of Project Sonar is to scan publicly-facing Internet hosts, compile their vulnerabilities into datasets, mine those datasets, and share the results with the security industry.
Even though there’s widespread insecurity across the Internet, Rapid7 says “at the moment there isn’t much collaboration and internet scanning is seen as a fairly niche activity of hardcore security researchers.
Tomi Engdahl says:
Rapid7 Launches Project Sonar to Crowdsource Security Research
http://www.securityweek.com/rapid7-launches-project-sonar-crowdsource-security-research
Vulnerability management software company Rapid7 has launched an ambitious community project to scan the public Internet, organize the results and share the data with the IT security industry.
“If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set. It’s ridiculous, really,” Moore said in an interview with SecurityWeek.
“The more time I spend on these scan projects, the more I realize how big the job is. The majority of the work isn’t just figuring out the vulnerabilities themselves, but you have to identify all the affected vendors, identify the firmware versions, coordinate the disclosure process. It’s a ton of backend work,” he explained.
“We really need the involvement of the community to understand the scanning tools and go through the existing data to reduce the time to get these [vulnerabilities] reported and fixed,” Moore explained.
He said security researchers can also find “interesting” vulnerabilities that can be sold to vulnerability brokers like HP’s Zero Day Initiative. “The great thing about this is that you can find vulnerabilities, report them via the brokers [and] get paid for them,” Moore said, arguing that the IT security ecosystem benefits because these vulnerabilities will get reported to the affected vendors for fixes.
Tomi Engdahl says:
NSA stores metadata of millions of web users for up to a year, secret files show
http://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents
The National Security Agency is storing the online metadata of millions of internet users for up to a year, regardless of whether or not they are persons of interest to the agency, top secret documents reveal.
Metadata provides a record of almost anything a user does online, from browsing history – such as map searches and websites visited – to account details, email activity, and even some account passwords. This can be used to build a detailed picture of an individual’s life.
“The Marina metadata application tracks a user’s browser experience, gathers contact information/content and develops summaries of target,” the analysts’ guide explains. “This tool offers the ability to export the data in a variety of formats, as well as create various charts to assist in pattern-of-life development.”
• Vast amounts of data kept in repository codenamed Marina
• Data retained regardless of whether person is NSA target
• Material used to build ‘pattern-of-life’ profiles of individuals
• What is metadata? Find out with our interactive guide
Tomi Engdahl says:
Silent Circle Moving Away From NIST Ciphers in Wake of NSA Revelations
http://threatpost.com/silent-circle-moving-away-from-nist-ciphers-in-wake-of-nsa-revelations/102452
The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA’s influence on NIST’s development of ciphers in the last couple of decades.
Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it’s in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein.
Twofish is a cipher suite written by Bruce Schneier and it was one of the finalists during the AES competition, but lost out to the Rijndael algorithm. It has been resistant to cryptanalysis thus far, and Callas said it also has the advantage of being an easy replacement for AES in Silent Circle’s products. The company also will be replacing SHA-2, an older NIST hash function, with Skein, which was a finalist in the recently completed SHA-3 competition.
“We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense.”
The decision by Silent Circle comes at a time when there are many unanswered questions about the NSA‘s influence on cryptographic algorithm development, specifically those standards developed by NIST.
“The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid”
“This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure.”
Tomi Engdahl says:
Sinkhole Sucks Brains From Wasteful Bitcoin Mining Botnet
http://it.slashdot.org/story/13/10/01/0346246/sinkhole-sucks-brains-from-wasteful-bitcoin-mining-botnet
“A sinkhole has taken a quarter of the bots out of the ZeroAccess botnet which was making money for its operators through click fraud and Bitcoin mining.”
“ZeroAccess was using $561,000 of electricity a day on infected PCs, to generate about $2000 worth of Bitcoin.”
Tomi Engdahl says:
Another 100 Gigabit DDoS Attack Strikes — This Time Unreflected
http://it.slashdot.org/story/13/10/02/021245/another-100-gigabit-ddos-attack-strikes-this-time-unreflected
“In March of this year, we saw the first ever 100 Gigabit DDoS attack, which was possible due to a DNS Reflection Amplification attack. Now word is out that a new 100 Gigabit attack has struck using raw bandwidth, without any DNS Reflection”
Tomi Engdahl says:
Latest 100 Gigabit Attack Is One of Internet’s Largest
http://www.eweek.com/security/latest-100-gigabit-attack-is-one-of-internets-largest.html
Quite possibly, the largest raw packet bandwidth attack in history slams a site for nine hours, but the site under attack stays afloat.
The attack took place on Sept. 24, and to date the victim of the attack is remaining in the shadows, not wanting to be publicly identified. The target Website is protected by cloud security vendor Incapsula, which was able to withstand the massive distributed denial-of-service (DDoS) attack and keep the targeted Website up and running.
“The most outstanding thing about this attack is that it did not use any amplification, which means that they had 100 Gigabits of available bandwidth on their own,” Gaffan said. “The attack lasted nine hours, and that type of bandwidth is not cheap or readily available.”
Gaffan added that he was shocked that 100 Gigabits of bandwidth was being used in a targeted attack and—other than Incapsula and its own service providers that were on the receiving end—no one seemed to notice.
“In a typical DDoS, an attacker will turn up the gauges on bandwidth as much as possible until they are able to break down a site,” Gaffan said. “There is no point in throwing 100 Gigabits of traffic against a site that will go down with 10 Gigabits.”
Gaffan’s assumption is that 100 Gigabits of raw bandwidth was the attacker’s own physical limit of capacity. The attack did not start off with 100 Gigabits of traffic, but rather that was the peak bandwidth achieved during the nine-hour attack, he said.
“Our assumption is the attacker realized that they were getting blocked and that there was no point in continuing to throw rocks at a tank if the rocks were just going to bounce off,” Gaffan said.
There are a number of reasons why Incapsula was able to withstand the 100 Gigabit attack. For one, Incapsula has more than 400 Gigabits of capacity that is globally distributed around the world, according to Gaffan. Incapsula also has its own Web application firewall (WAF) and associated DDoS protection technologies to further limit the risk.
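The distinction Gaffan draws, traffic that a reflector multiplies versus raw bandwidth the attacker must own, is visible in flow telemetry. The script below is an added example, not Incapsula’s or eWEEK’s code: it runs a simple classifier over constructed NetFlow-style records and estimates how much bandwidth the attacker had to source from their own machines. The amplification ratios, thresholds, addresses and packet sizes are assumptions chosen for illustration, not figures from the article.

```python
"""Tell a reflected/amplified flood from a direct one, using flow records.

Added example (not Incapsula's or eWEEK's code).  The flow records are
constructed inline.  The tell-tale of reflection is traffic *from* a UDP
service port (53 for DNS, 123 for NTP) to the victim, from many reflector
addresses, in response-sized packets; a direct flood comes from the
attacker's own sources with arbitrary source ports.  The amplification
ratios below are assumed typical values, not measurements.
"""
from collections import defaultdict
from dataclasses import dataclass

# assumed response/request byte ratios for common reflectors
REFLECTOR_PORTS = {53: ("DNS", 50.0), 123: ("NTP", 500.0)}
MIN_REFLECTORS = 10   # fewer distinct sources than this is not a reflection flood
MIN_AVG_PKT = 512     # amplified responses are large; queries and SYNs are not


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "UDP" or "TCP"
    nbytes: int
    pkts: int


def gbps(nbytes, window_s):
    return nbytes * 8 / window_s / 1e9


def classify_flood(flows, victim, window_s):
    """Aggregate flows to `victim` over `window_s` seconds.

    Returns the observed bandwidth, a verdict, and an estimate of the
    bandwidth the attacker had to source themselves: the whole flood for a
    direct attack, only the (small) query traffic for a reflected one.
    """
    total = 0
    per_port = defaultdict(lambda: {"bytes": 0, "pkts": 0, "srcs": set()})
    for f in flows:
        if f.dst != victim:
            continue
        total += f.nbytes
        bucket = per_port[(f.proto, f.sport)]
        bucket["bytes"] += f.nbytes
        bucket["pkts"] += f.pkts
        bucket["srcs"].add(f.src)

    reflected = 0
    attacker_bytes = 0.0
    vectors = []
    for (proto, sport), b in per_port.items():
        looks_reflected = (proto == "UDP" and sport in REFLECTOR_PORTS
                           and len(b["srcs"]) >= MIN_REFLECTORS
                           and b["pkts"] > 0
                           and b["bytes"] / b["pkts"] >= MIN_AVG_PKT)
        if looks_reflected:
            name, ratio = REFLECTOR_PORTS[sport]
            reflected += b["bytes"]
            attacker_bytes += b["bytes"] / ratio   # spoofed queries the attacker sent
            vectors.append(name)
    attacker_bytes += total - reflected            # everything else is the attacker's own

    return {
        "kind": "reflected" if reflected > total / 2 else "direct",
        "vectors": sorted(vectors),
        "observed_gbps": gbps(total, window_s),
        "attacker_gbps": gbps(attacker_bytes, window_s),
    }


def sample_reflected(n_reflectors=100):
    """Constructed DNS reflection flood: open resolvers answering spoofed queries."""
    return [Flow(f"203.0.113.{i}", 53, "192.0.2.10", 40000 + i, "UDP",
                 1000 * 3000, 1000) for i in range(n_reflectors)]


def sample_direct(n_sources=500):
    """Constructed direct flood: many attacker-controlled hosts sending SYNs."""
    return [Flow(f"10.0.{i // 256}.{i % 256}", 1024 + i, "192.0.2.10", 80, "TCP",
                 5000 * 60, 5000) for i in range(n_sources)]


if __name__ == "__main__":
    for name, flows in (("reflected", sample_reflected()), ("direct", sample_direct())):
        print(name, classify_flood(flows, "192.0.2.10", window_s=1.0))
```

For the reflected sample the attacker needs only about 1/50 of the observed bandwidth; for the direct sample the two numbers are equal, which is exactly why an unreflected 100 Gbit flood says more about the attacker’s own capacity than an amplified one.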
Tomi Engdahl says:
U.S. Spy Panel Is Loaded With Insiders
http://news.slashdot.org/story/13/10/02/0155224/us-spy-panel-is-loaded-with-insiders
“After a public backlash to government spying, President Barack Obama called for an independent group to review the vast surveillance programs that allow the collections of phone and email records.”
“At the end of the day, a task force led by Gen. Clapper full of insiders – and not directed to look at the extensive abuse – will never get at the bottom of the unconstitutional spying”
Tomi Engdahl says:
Obama spy panel is loaded with insiders, critics charge
Read more here: http://www.mcclatchydc.com/2013/10/01/203818/obama-spy-panel-is-loaded-with.html#storylink=cpy
Tomi Engdahl says:
Edward Snowden shortlisted for EU’s Sakharov prize
http://www.bbc.co.uk/news/world-europe-24347225
Edward Snowden, the fugitive American former intelligence worker, has made the shortlist of three for the Sakharov prize, Europe’s top human rights award.
Mr Snowden was nominated by Green politicians in the European Parliament for leaking details of US surveillance.
Nominees also include Malala Yousafzai, the Pakistani teenager shot in the head for demanding education for girls.
Former recipients of the prize, awarded by the European Parliament, include Nelson Mandela and Aung San Suu Kyi.
Mr Snowden’s nomination recognised that his disclosure of US surveillance activities was an “enormous service” to human rights and European citizens, the parliament’s Green group said.
“The surveillance of whole populations, rather than individuals, threatens to be the greatest human rights challenge of our time,”
Tomi Engdahl says:
State-backed hackers: You think you’re so mysterious, but you’re really not – report
It’s those ‘regional traits’ that give you away, say infosec sleuths
http://www.theregister.co.uk/2013/10/02/nation_state_cyberattack/
Nation-state driven cyber attacks often take on distinct national or regional flavours that can uncloak their origins, according to new research by net security firm FireEye.
Computer viruses, worms, and denial of service attacks often appear from behind a veil of anonymity. But a skilful blending of forensic “reverse-hacking” techniques combined with deep knowledge of others’ strategic cultures and their geopolitical aims can uncover the perpetrators of attacks.
Kenneth Geers, senior global threat analyst at threat protection biz FireEye, explained: “Cyber shots are fired in peacetime for immediate geopolitical ends, as well as to prepare for possible future kinetic attacks. Since attacks are localised and idiosyncratic—understanding the geopolitics of each region can aid in cyber defence.”
“A cyber attack, viewed outside of its geopolitical context, allows very little legal manoeuvring room for the defending state,”
Cyber attacks can be a low-cost, high payoff way to defend national sovereignty and to project national power. According to FireEye, the key characteristics for some of the main regions of the world include:
Asia-Pacific: home to large, bureaucratic hacker groups, such as the “Comment Crew”, who pursue targets in high-frequency, brute-force attacks.
Russia/Eastern Europe: More technically advanced cyberattacks that are often highly effective at evading detection.
Middle East: Cybercriminals in the region often use creativity, deception, and social engineering to trick users into compromising their own computers.
United States: origin of the most complex, targeted, and rigorously engineered cyber attack campaigns to date, such as the Stuxnet worm. Attackers favour a drone-like approach to malware delivery.
FireEye’s report goes on to speculate about factors that could change the world’s cyber security landscape in the near to medium term, including a cyber arms treaty that could stem the use of online attacks and about whether privacy concerns from the ongoing Snowden revelations about PRISM might serve to restrain government-sponsored cyber attacks in the US and globally.
Tomi Engdahl says:
FireEye’s report, titled World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks
http://www.fireeye.com/resources/pdfs/fireeye-wwc-report.pdf
Tomi Engdahl says:
Cyber expertise in demand: two Finnish police officers seconded abroad
Two Finnish police officers have been seconded to Europol and Interpol to work against cyber threats.
Senior Detective Constable Sami Harmoinen of the Oulu police department has been assigned to Europol’s cybercrime unit, and Detective Kimmo Ulkuniemi of the National Bureau of Investigation (NBI) to Interpol’s cybercrime operations.
- Cyber crime is often cross-border, and effective investigation requires close international police cooperation, he says in the police bulletin.
- Solving cyber crime requires more public-private partnerships. The police’s expertise, resources and knowledge alone are not sufficient for detection; identifying, investigating and preventing future cyber crimes requires cooperation with businesses and public sector organizations, Ulkuniemi says, according to the police.
Source: http://www.digitoday.fi/tyo-ja-ura/2013/10/02/kyberosaaminen-arvossaan-kahdelle-suomalaispoliisille-ulkomaan-komennus/201313695/66?rss=6
Tomi Engdahl says:
Grappling with the ZeroAccess Botnet
http://www.symantec.com/connect/blogs/grappling-zeroaccess-botnet
The ZeroAccess botnet is one of the largest known botnets in existence today with a population upwards of 1.9 million computers, on any given day, as observed by Symantec in August 2013. A key feature of the ZeroAccess botnet is its use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture, which gives the botnet a high degree of availability and redundancy. Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network. This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently. In the ZeroAccess botnet, there is constant communication between peers. Each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts.
Back in March of this year, our engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other to see how the botnet could be sinkholed.
On July 16, we began to sinkhole ZeroAccess infections. This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster.
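The peer-list exchange described above is what makes a P2P botnet hard to take down and, at the same time, what a sinkhole exploits. The toy simulation below is an added example, not Symantec’s tooling and not the real ZeroAccess protocol; it models only the mechanism the post describes, together with the “sinkhole sucks brains” result quoted earlier in this thread. It assumes a bounded peer list of 16 entries that each bot orders by a freshness timestamp it trusts, and shows how a few sinkhole addresses seeded into a small fraction of bots spread through ordinary gossip until most bots know only sinkholes, the “detachment” the post refers to. The population, seeding fraction and round counts are arbitrary; the quarter and half-million figures in the articles are not reproduced by this model.

```python
"""Toy model of sinkholing a peer-to-peer botnet.

Constructed example, not Symantec's tooling and not the real ZeroAccess
wire protocol.  Each bot keeps a bounded, freshness-ordered peer list and
refreshes it by pulling its peers' lists (gossip).  A sinkhole is a node
that answers every request with a list of sinkhole addresses only.
Assumption: bots trust the timestamps in received entries, so the
sinkhole advertises entries that always outrank legitimate ones.
"""
import random

MAX_PEERS = 16                                  # peer-list size (assumed)
SINKHOLES = [f"sink-{i}" for i in range(MAX_PEERS)]
ALWAYS_FRESH = 10**9                            # beats any legitimate timestamp


def is_sinkhole(node_id):
    return node_id.startswith("sink-")


def trim(peers):
    """Keep the MAX_PEERS most recently seen entries; ties broken by id."""
    newest = sorted(peers.items(), key=lambda kv: (-kv[1], kv[0]))[:MAX_PEERS]
    return dict(newest)


def offer(nodes, node_id):
    """Peer list a node hands out when contacted."""
    if is_sinkhole(node_id):
        return {s: ALWAYS_FRESH for s in SINKHOLES}
    return dict(nodes[node_id])


def pull(nodes, bot_id, now, rng):
    """One gossip step: contact a known peer and merge its list into ours."""
    own = nodes[bot_id]
    if not own:
        return
    target = rng.choice(sorted(own))            # sorted() keeps runs reproducible
    merged = dict(own)
    for pid, ts in offer(nodes, target).items():
        if pid != bot_id and ts > merged.get(pid, -1):
            merged[pid] = ts
    merged[target] = max(merged.get(target, -1), now)   # it just answered us
    nodes[bot_id] = trim(merged)


def detached(peers):
    """A bot that knows only sinkholes can no longer hear the botmaster."""
    return bool(peers) and all(is_sinkhole(p) for p in peers)


def simulate(n_bots=1000, seed_fraction=0.05, rounds=60, seed=7):
    """Return (detached before sinkholing, detached after, n_bots)."""
    rng = random.Random(seed)
    bot_ids = [f"bot-{i}" for i in range(n_bots)]
    nodes = {}
    for b in bot_ids:
        sample = rng.sample(bot_ids, MAX_PEERS + 1)
        nodes[b] = trim({p: 0 for p in sample if p != b})
    now = 0
    for _ in range(5):                          # healthy botnet, warm-up gossip
        now += 1
        for b in bot_ids:
            pull(nodes, b, now, rng)
    before = sum(detached(nodes[b]) for b in bot_ids)

    # The sinkhole operator introduces a few of its addresses into a small
    # fraction of bots (in practice by taking part in the peer exchange).
    for b in rng.sample(bot_ids, int(n_bots * seed_fraction)):
        seeded = dict(nodes[b])
        seeded.update({s: ALWAYS_FRESH for s in SINKHOLES[:4]})
        nodes[b] = trim(seeded)
    for _ in range(rounds):
        now += 1
        for b in bot_ids:
            pull(nodes, b, now, rng)
    after = sum(detached(nodes[b]) for b in bot_ids)
    return before, after, n_bots


if __name__ == "__main__":
    before, after, n = simulate()
    print(f"detached before sinkholing: {before}/{n}, after: {after}/{n}")
```

Two properties of the model are worth noting. Sinkhole entries are never evicted once learned, because nothing legitimate can outrank them, so a bot that has contacted a sinkhole (or a bot that already knows only sinkholes) stays detached for good and the detached count only grows. And the spread needs no central server to be taken down, which is the point the post makes: the same gossip that gives the botnet its resilience carries the poison.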
Tomi Engdahl says:
World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks
http://www.fireeye.com/resources/pdfs/fireeye-wwc-report.pdf
Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power.
From strategic cyber espionage campaigns, such as Moonlight Maze and Titan Rain, to the destructive, such as military cyber strikes on Georgia and Iran, human and international conflicts are entering a new phase in their long histories. In this shadowy battlefield, victories are fought with bits instead of bullets, malware instead of militias, and botnets instead of bombs.
These covert assaults are largely unseen by the public. Unlike the wars of yesteryear, this cyber war produces no dramatic images of exploding warheads, crumbled buildings, or fleeing civilians. But the list of casualties—which already includes some of the biggest names in technology, financial services, defense, and government —is growing larger by the day.
A cyber attack is best understood not as an end in itself, but as a potentially powerful means to a wide variety of political, military, and economic goals.
“Serious cyber attacks are unlikely to be motiveless,” said Martin Libicki, Senior Scientist at RAND Corp. “Countries carry them out to achieve certain ends, which tend to reflect their broader strategic goals.
The relationship between the means chosen and their goals will look rational and reasonable to them if not necessarily to us.”
Just as each country has a unique political system, history, and culture, state-sponsored attacks also have distinctive characteristics, which include everything from motivation to target to type of attack.
Here is a quick overview:
• Asia-Pacific. Home to large, bureaucratic hacker groups such as the “Comment Crew” who pursue many goals and targets in high-frequency, brute-force attacks.
• Russia/Eastern Europe. These cyber attacks are more technically advanced and highly effective at evading detection.
• Middle East. These hackers are dynamic, often using creativity, deception, and social engineering to trick users into compromising their own computers.
• United States. The most complex, targeted, and rigorously engineered cyber attack campaigns to date.