Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Info says:
We are a group of volunteers and starting a new scheme in our community. Your website offered us with valuable info to paintings on. You have performed a formidable process and our entire neighborhood shall be thankful to you.
Tomi Engdahl says:
Security is improved – encryption can become the default
Internet security is renewed, the IETF standardization body reaches a consensus on the changes. An encrypted connection can become the default.
Internet based web browsers and operating data communications protocols should be set at the recent information leaks, says the standards body IETF (Internet Engineering Task Force), Chairman of Jari Arkko.
“Espionage revelations are disturbing. We will try our sector actors to improve the global situation, “says Arkko.
Improve data security, envisages a number of reforms, but no final decisions have been made.
More generally, the use of the web traffic ssl-/tls-algorithms is out of date.
“There are dozens of old algorithms, which are to be eliminated.”
A big change, there are plans for web applications, HTTP 2.0 protocol, which is used in browsers and web servers should be identified.
“Today, the internet default values are reversed. Only the bank or web shop the latest device to https or secure connection on. Now is the opportunity to change the operation so that the encryption is enabled by default. ”
Even if an encrypted connection should not be the default, at least the requirements get tighter. Encrypted connections should always be offered as an alternative.
Arkon states that the reforms will become apparent at a later date. Internet companies and the operators of the network companies are in his view, agree that security is added.
IETF is developing Internet standards body formed by the companies that publish technical protocols describing the operation of the RFC documents (Requests for Comments). The recommendations have become Internet standards.
Chairman of Jari Arkko says that the Finns are the tip of the standards from the publication, although more than 60 countries, the 300 members of the Finnish one is only a few dozens.
“There are a lot of network construction-related business.”
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/tietoturva_paranee_salauksesta_voi_tulla_oletusarvo
Tomi Engdahl says:
FBI Seizes Deep Web Black Market Silk Road, Arrests Owner
http://techcrunch.com/2013/10/02/fbi-seize-deep-web-marketplace-silk-road-arrest-owner/
The feds have caught up to the Silk Road. The underground website long known for drug trafficking and other illegal activity was seized by the FBI who also arrested the owner on three criminal counts. New York State prosecutors charged Ross William Ulbricht with one count each of narcotics trafficking conspiracy, computer hacking conspiracy and money laundering conspiracy, according to a court filing.
Silk Road has long existed in the corner of the Internet dubbed Deep Web and accessible only through the seemingly secure Tor Network. Launched in 2011, the site quickly gained notoriety for its shadowy marketplace of drugs and guns. Silk Road became the Amazon of illegal things. As of July 23, 2013, there were approximately 957,079 registered user accounts, and as the court docs note, this does not necessarily equal the number of actual users.
Although obscured, Silk Road netted big money. The total revenue generated from launch until July 23, 2013, resulted in approximately 9,519,664 Bitcoins and 614,305 Bitcoins of commission for Silk Road itself, court documents reveal. That converts to roughly $1.2 billion in revenue and $79.8 million in commissions, at current Bitcoin prices.
Feds Take Down Online Fraud Bazaar ‘Silk Road’, Arrest Alleged Mastermind
Defendant Charged With Drug Trafficking, Hacking, Money Laundering
http://krebsonsecurity.com/2013/10/feds-take-down-online-fraud-bazaar-silk-road-arrest-alleged-mastermind/
Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering.
The Silk Road is an online black market that as late as last month was hosting nearly 13,000 sales listings for controlled substances, including marijuana, LSD, heroin, cocaine, methamphetamine and ecstasy. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services.
The Silk Road is not available via the regular Internet. Rather, it is only reachable via the Tor network
That is, it was until this week, when FBI agents arrested its alleged proprietor and seized the Web servers running the site. The feds also replaced the Silk Road’s home page with a message saying that the site had been seized by the FBI, Homeland Security Department and the Drug Enforcement Administration.
The Silk Road didn’t just sell drugs. For example, the complaint identifies 801 for-sale listings under “digital goods,” which included banking Trojans, pirated content, and hacked accounts at Netflix and Amazon. The ”forgeries” section of the Silk Road featured 169 ads from vendors of fake driver’s licenses, passports, Social Security cards, utility bills, credit card statements, car insurance records, and other forms of identity documents.
Another popular section of the Silk Road included 159 listings for generic “Services,” mostly those listed by computer hackers offering such services as hijacking Twitter and Facebook accounts of the customer’s choosing. Other classified ads promised the sale of anonymous bank accounts, counterfeit bills, firearms and ammunition, and even hitmen for hire.
“If I were a seller on the Silk Road, I’d be terrified right now,” Weaver said. “Any buyer that didn’t use encryption now has their Silk Road messages seized. The FBI may have the sellers’ shipping addresses for their customers, and for the sellers, the FBI knows the Bitcoin payout addresses, so then it’s a matter of tracing the Bitcoin wallets from there.”
“The drug trafficking counts include the weights of the drugs, which makes me think that the government wants to throw the book at this guy,” Weaver said, noting that those weights carry mandatory sentences. “The drug charges alone have a 30 year mandatory minimum.”
The government also announced today that pursuant to this action, it has seized approximately 26,000 Bitcoins worth roughly $3.6 million, in what it’s calling the largest ever seizure of Bitcoins.
The FBI and the legitimation of the bitcoinverse
http://blogs.reuters.com/felix-salmon/2013/10/02/the-fbi-and-the-legitimation-of-the-bitcoinverse/
Did the FBI just deal a fatal blow to bitcoin? Zero Hedge is at his most apocalyptic this afternoon, saying that “the end may be nigh” for bitcoin now that Silk Road, the bitcoin-fueled drugs bazaar, has been closed down by the Feds. Even Adrian Chen, who has done most of the best reporting on Silk Road, was shocked by what the FBI found:
According to the indictment, Silk Road was bigger than anyone had suspected: It boasted over $1.6 billion in sales from 2011-2013, which resulted in $80 million in commissions. (Researchers had previously estimated that Silk Road was doing about $22 million in total sales per year.)
Chen, too, sees today’s news as bearish for bitcoin: “the extent to which Silk Road underpinned the Bitcoin market is pretty amazing,”
But although I’m skeptical about bitcoin’s future, I don’t see today’s news as bad for the cryptocurrency. In fact, quite the opposite. If Silk Road is now shut down and if no one else manages to enter the vacuum caused by its disappearance, then the FBI will at a stroke have managed to remove the single skeeviest aspect of bitcoin, and the main reason why people like Chuck Schumer are so suspicious of it.
On top of that, the numbers in the FBI complaint are highly misleading.
The US government doesn’t seem to have a reflexively negative attitude towards bitcoin
In other words, for anybody wanting to see the broader adoption of bitcoin, the shuttering of Silk Road should be considered a necessary and very welcome step — and one which will help support its value over the medium term. Sure, the price fell today — but not egregiously so: it was about $140 in the morning, briefly fell as far as $110, and is now back to $125. By bitcoin standards, that’s a surprisingly low amount of volatility on a big-news day. And with Silk Road gone, a significant source of downside tail risk has now been effectively removed from the bitcoinverse.
So if the shuttering of a significant source of bitcoin demand isn’t bad for the currency, what would cause its demise? The answer is basically just neglect. Bitcoins are a fad, and they’re a fad which will pass, a bit like Beanie Babies.
Tomi Engdahl says:
“Cybercrime ‘bill is terrible – three main problems
For ordinary computer users face a huge cost in crime, says Symantec’s extensive research. Stroke victim of a single pocket is substantial, and the amounts are growing dramatically. The decrease mainly comes from three areas.
Symantec says IT-related crime, the consequences of a recent report.
Based on the results of Symantec calculates that for ordinary consumers of crimes 113 billion dollars, or about 83 billion euro bill this year (ten times cost of London Olympics).
Individual victim, the mean damage is $ 298, or about 220 euros. Such a loss is painful in itself, but even more worrying is the growing trend.
Symantec experienced by the individual victim’s pecuniary loss has increased by 50 per cent in just one year. If this growth rate continues, the amounts go up as soon as really bitter figures.
Users are primarily due to the loss of the three regions. The largest of them is a fraud. Criminals take casualties every year more than 30 billion euros by criminal means.
The money could be exported, for example-Banking or phishing attacks using. More recent evidence includes the smartphone malware that will begin to send SMS messages to expensive premium-rate services. The monetary value of such frauds relate in particular to the United States and Europe.
Crimes cause harm in other ways. Equipment “repair” the cost of the damage caused by 24 per cent. For example, malware infested computers have to be taken to the service center.
Symantec calculates the costs of smart devices, for example, theft and other loss. They are the third largest cost item of 21 per cent.
The risk of being subjected to computer crime is high. According to Symantec’s offerings is an annual 378 million. There are new victims of more than one million a day.
Almost every other website you have been a some point in the IT crime. When including viruses, fraud and theft, 41 percent of respondents reported being a victim.
According to Symantec’s use of information technologies have emerged unbalanced situation. Users will understand the risks, but often safety basic means remain unused.
For example, 27 percent of adults will tell you that their mobile device is ever lost or stolen. Still, half of the users neglect to do basic safety precautions, such as locking the phone code, data, or to ensure the security of applications.
Anyway, ease of use goes to the safety or privacy concerns prevail.
Source: http://www.tietokone.fi/artikkeli/uutiset/kyberrikosten_lasku_on_hirmuinen_kolme_paaongelmaa
Tomi Engdahl says:
Lavabit founder raises $20,000 to fund court battle
http://www.theguardian.com/technology/2013/oct/02/lavabit-founder-nsa-secure-email-edward-snowden
New details emerge of court case against Ladar Levinson, founder of secure email service used by ex-NSA contractor Edward Snowden, as he hits halfway target to funding defence
Ladar Levinson, the founder of secure email service Lavabit, has raised more than $20,000 to pay the legal fees incurred by a court battle to prevent government interference in his service.
The money already raised is half of the $40,000 target set by Levinson, who says that “defending the constitution is expensive”.
For the government to eavesdrop on Lavabit’s customers, it would have to force Levinson either to store their private keys, or share the SSL certificate the site uses to keep communication between itself and users private.
However Levinson abruptly closed Lavabit in August, writing in explanation to his customers that he refused “to be complicit in… crimes against the American people and the US Constitution,” about which he was not permitted to speak further. At the time, he was not even able to confirm that there was a court case against him.
More details of that case, which will be heard in Virginia’s 4th Circuit Court of Appeals, have become available
That document shows the chronology of the government’s dealings with Lavabit.
Tomi Engdahl says:
Lavabit Founder Waged Privacy Fight as F.B.I. Pursued Snowden
http://www.nytimes.com/2013/10/03/us/snowdens-e-mail-provider-discusses-pressure-from-fbi-to-disclose-data.html?pagewanted=all&_r=0
One day last May, Ladar Levison returned home to find an F.B.I. agent’s business card on his Dallas doorstep. So began a four-month tangle with law enforcement officials that would end with Mr. Levison’s shutting the business he had spent a decade building and becoming an unlikely hero of privacy advocates in their escalating battle with the government over Internet security.
Prosecutors, it turned out, were pursuing a notable user of Lavabit, Mr. Levison’s secure e-mail service: Edward J. Snowden, the former National Security Agency contractor who leaked classified documents that have put the intelligence agency under sharp scrutiny. Mr. Levison was willing to allow investigators with a court order to tap Mr. Snowden’s e-mail account; he had complied with similar narrowly targeted requests involving other customers about two dozen times.
But they wanted more, he said: the passwords, encryption keys and computer code that would essentially allow the government untrammeled access to the protected messages of all his customers. That, he said, was too much.
“You don’t need to bug an entire city to bug one guy’s phone calls,” Mr. Levison, 32, said in a recent interview. “In my case, they wanted to break open the entire box just to get to one connection.”
On Aug. 8, Mr. Levison closed Lavabit rather than, in his view, betray his promise of secure e-mail to his customers.
Mr. Levison’s battle to preserve his customers’ privacy comes at a time when Mr. Snowden’s disclosures have ignited a national debate about the proper limits of surveillance and government intrusion into American Internet companies that promise users that their digital communications are secure.
While Mr. Levison’s struggles have been with the F.B.I., hovering in the background is the N.S.A., which has worked secretly for years to undermine or bypass encrypted services like Lavabit so that their electronic message scrambling cannot obstruct the agency’s spying.
Mr. Levison said he set up Lavabit to make it impossible for outsiders, whether governments or hackers, to spy on users’ communications. He followed the government’s own secure coding guidelines, based on the N.S.A.’s technical guidance, and engineered his systems so as not to log user communications. That way, even if he received a subpoena for a user’s communications, he would not be able to gain access to them. For added measure, he gave customers the option to pay extra to encrypt their e-mail and passwords.
On occasion, he was asked to comply with government requests for specific e-mail accounts
Mr. Levison said he had no qualms about cooperating with such demands, but the latest request was far broader, apparently to allow investigators to track Mr. Snowden’s whereabouts and associates. When Mr. Levison called the F.B.I. agent who had left the business card, the agent seemed interested in learning how Lavabit worked and what tools would be necessary to eavesdrop on an encrypted e-mail account.
“The whole concept of the Internet was built on the idea that companies can keep their own keys,” Mr. Levison said. He told the agents that he would need their request for his encryption keys in writing.
But Mr. Levison said he spent much of the following day thinking of a compromise. He would log the target’s communications, unscramble them with the encryption keys and upload them to a government server once a day. The F.B.I. told him that was not enough. It needed his target’s communications “in real time,” he said.
“How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed when Congress doesn’t even know what is going on?” Mr. Levison said.
Tomi Engdahl says:
Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show
http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/
The U.S. government in July obtained a search warrant demanding that Edward Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that protected all web traffic to the site, according to to newly unsealed documents.
The July 16 order came after Texas-based Lavabit refused to circumvent its own security systems to comply with earlier orders intended to monitor a particular Lavabit user’s metadata, defined as “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication.”
The name of the target is redacted from the unsealed records, but the offenses under investigation are listed as violations of the Espionage Act and theft of government property — the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court.
The filings show that Lavabit was served on June 28 with a so-called “pen register” order requiring it to record, and provide the government with, the e-mail “from” and “to” lines on every e-mail, as well as the IP address used to access the mailbox. Because they provide only metadata, pen register orders can be obtained without “probable cause” that the target has committed a crime.
In the standard language for such an order, it required Lavabit to provide all “technical assistance necessary to accomplish the installation and use of the pen/trap device”
A conventional e-mail provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.
Lavabit founder Ladar Levison balked at the demand, and the government filed a motion to compel Lavabit to comply. Lavabit told the feds that the user had “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information,” the government wrote.
“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.
U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.
A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”
“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”
By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested.
In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot.
Tomi Engdahl says:
Researchers Show How Easy It Is To Manipulate Online Opinions
http://tech.slashdot.org/story/13/10/02/2212202/researchers-show-how-easy-it-is-to-manipulate-online-opinions
“A recent study shows that a single random up-vote, randomly chosen, created a herding behavior in ratings that resulted in a 25% increase in the ratings but the negative manipulation had no effect.”
“So in business and society, culture, politics, we found substantial susceptibility to positive herding, whereas in general news, economics, IT, we found no such herding effects in the positive or negative direction.”
Tomi Engdahl says:
Former NSA Honcho Calls Corporate IT Security “Appalling”
http://it.slashdot.org/story/13/10/02/2237204/former-nsa-honcho-calls-corporate-it-security-appalling
“Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User’s Conference in Las Vegas.”
Comments:
“In my experience, it’s much more rare to find a company that knows about security than to find one that doesn’t.”
“Most of them don’t. Sometimes the companies that do know just consider it a risk of doing business, easier to pay when things go wrong than to try to secure it. An example of this is credit card companies. Bruce Schenier points out that he would never trust a credit card online because of the security holes, except they promise to reimburse him when things go wrong.”
“You got that right. Security is hard. Security is expensive. Security does not improve profits (as long as they continue to be lucky). The company that spends money on security while their competitors are not, will lose out. Therefore, who needs it? There’s no sense of living dangerously without some really spectacular examples…”
Tomi Engdahl says:
Former NSA Honcho Calls Enterprise Security ‘Appalling’
http://slashdot.org/topic/datacenter/former-nsa-honcho-calls-enterprise-security-appalling/
IT security people focus on infrastructure, not prevention; decent security means identifying and countering actual threats in real time.
Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling.
Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User’s Conference in Las Vegas.
“As we look at the situation in the security arena… we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they’re doing,” Winter said, according to an Oct. 2 story in U.K. tech-news site Computing.
Digital security threats to large companies are becoming far more common and far more serious, Winter said.
The most effective approach is to match IT security to a company’s lines of business and most valuable assets, not simply reinforce security built to match a network or system topology. Making good rules for security isn’t enough, either: Ttey have to be enforced. “You’ve got to audit and make sure that people are following the rules. Minor mistakes lead to vulnerabilities,” he said.
Even figuring out what to protect requires the same kind of big-data analysis many companies use to identify new markets or develop new products, but that few actually employ to identify their own most valuable assets – both physical and intellectual property – and define how those assets contribute to key strategic business goals, Winter said.
But it’s not enough to do that analysis and protect those potential targets once in a while; it has to be done regularly, almost continually, using information that is close to real time rather than archived. “Big data is the thing that makes the risk management approach work. It’s being able to see enough of your enterprise with enough information that you can actually understand what’s going on,” he said
Tomi Engdahl says:
Iranian cyber warfare commander shot dead in suspected assassination
http://www.telegraph.co.uk/news/worldnews/middleeast/iran/10350285/Iranian-cyber-warfare-commander-shot-dead-in-suspected-assassination.html
The head of Iran’s cyber warfare programme has been shot dead, triggering further accusations that outside powers are carrying out targeted assassinations of key figures in the country’s security apparatus.
The death of Ahmadi, a leading specialist in cyber defences, could be an extension of this campaign of subterfuge. Iran has been accused of carrying out a number of cyber attacks detected in the West. Shashank Joshi, an expert at the Royal United Services Institute (Rusi), said this was seen as a lesser threat than the nuclear programme. “Iran’s cyber attacks on Israel and elsewhere in the region are a rising threat and a growing threat, but it hasn’t yet been seen as a major and sustained onslaught, so it would be pretty novel and significant to take this step in the field of cyber-warfare at this time,” he said.
The Revolutionary Guard has also been accused of lending its expertise to Syria’s regime, helping it to hack Western targets through a body known as the Syrian Electronic Army.
The killing of Ahmadi coincides with a new diplomatic effort by President Hassan Rouhani, Iran’s newly elected leader
Tomi Engdahl says:
In Test Project, N.S.A. Tracked Cellphone Locations
http://www.nytimes.com/2013/10/03/us/nsa-experiment-traced-us-cellphone-locations.html?pagewanted=all
The National Security Agency conducted a secret pilot project in 2010 and 2011 to test the collection of bulk data about the location of Americans’ cellphones, but the agency never moved ahead with such a program, according to intelligence officials.
The existence of the pilot project was reported on Wednesday morning by The New York Times and later confirmed by James R. Clapper, the director of national intelligence, at a Senate Judiciary Committee hearing. The project used data from cellphone towers to locate people’s cellphones.
In his testimony, Mr. Clapper revealed few details about the project. He said that the N.S.A. does not currently collect locational information under Section 215 of the Patriot Act, the provision the government says is the legal basis for the N.S.A.’s once-secret program under which it collects logs of all domestic calls from telephone companies.
Tomi Engdahl says:
Facebook Pushes Passwords One Step Closer to Death
http://www.wired.com/wiredenterprise/2013/10/facebook-yubikey/
October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.
Over the past year, the company has equipped many employee systems with Yubikeys, a little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.
Although the company that makes Yubikey says that it’s been picked up by seven of Silicon Valley’s biggest companies, Facebook is the second big-name web company to publicly get behind the device. Earlier this year, a group of Google researchers endorsed the thing, saying they were fed up with passwords. Passwords aren’t just a pain to type. In the end, they provide a limited amount of security.
At the time, Google said it was studying whether it could replace passwords — or at least enhance them — with the Yubikey, a sliver of hardware that slides into the USB port on the side of your laptop. Basically, you can set things up so that you can’t log-in to machine or a network unless the Yubikey is there and you tap on it.
Facebook likes the devices because they add a second level of security to the Facebook network. If the average Facebook employee wants to read her email, she’ll still have to log into her corporate account with a username or password. But if she tries it in from someplace new — China, for example — Facebook will ask that she tap on her Yubikey too. If that’s not available, she can use a security app on her phone, called Duo. That’s how Facebook ensures that nobody’s breaking in with a stolen password.
As far as Flynn is concerned, this shows how it’s possible to tighten up security without making things harder for workers. “It’s added another layer on top of all the other ways that people do authentication internally,” he says.
“What we’ve found is that our engineers who do a high volume of authentication really like the Yubikey for its ease of use features,” Flynn says. Other users prefer the Duo. “We’ve found that users in our sales or marketing organization really like the application on their phone,” he adds.
The change wasn’t without some snags. Some staffers slid in their Yubikeys upside down and backwards, occasionally shorting the computer.
They’ve even found ways that Yubikey can get rid of passwords altogether. Engineers who what’s known as SSH , for example, can remotely connect to servers via a well-known SSH technique that depends on cryptographic keys instead of passwords, and if they combine this method with a Yubikey, they can connect sans password. Flynn describes the password-free login as a near-magical experience. “You type ssh-space-theserver, and then you press your Yubikey, and then you’re in,” he says.
Facebook engineers can also use the Yubikey instead of passwords when they’re using sudo, a Unix command that lets them run their code with special user privileges.
These may be small, geeky tricks, but they’re a step in the direction of password liberation. And that’s a good thing. This not only provides better protection for our computers and computer networks, it makes life easier for the people who use them. “The more you can move people to authentication systems that are both secure and don’t require them remembering crazy stuff, the more engagement you’ll get from your user base,” Flynn says.
Tomi Engdahl says:
Adobe’s network compromised: 2.9 million customer names, encrypted credit and debit card numbers, and source code
http://thenextweb.com/insider/2013/10/03/adobe-says-its-network-was-compromised-2-9-million-customer-names-encrypted-credit-and-debit-card-numbers/
Software firm Adobe today revealed its network was compromised. Information that was leaked included 2.9 million customer names, encrypted credit or debit card numbers, expiration dates, and “other information relating to customer orders.”
Adobe wouldn’t say when the breach occurred, and only mentioned that its security team discovered sophisticated attacks on its network “very recently.” Source code for “numerous Adobe products” was also accessed.
Adobe says its investigation so far has found that the attackers accessed Adobe customer IDs and encrypted passwords on its systems. It does not currently believe they removed decrypted credit or debit card numbers and that it does not think the illegal access of its source code could provide any specific increased risk to its customers.
Tomi Engdahl says:
Yahoo hit with new lawsuit over email scanning in wake of Gmail ruling
http://gigaom.com/2013/10/03/yahoo-hit-with-new-lawsuit-over-email-scanning-in-wake-of-gmail-ruling/
Summary:
A court ruling last week may have opened the door for non Gmail users to sue Google over email scanning. Now, a similar lawsuit has hit Yahoo.
Can big email providers scan your messages in order to serve you relevant advertising? Google and Yahoo have long assumed the answer is yes, which is one of the reasons the giant companies provide free email to millions of people.
Last week, however, a federal judge in California refused to throw out a class action case against Google, ruling that people who swapped messages with Gmail users — but do not use Gmail themselves — had never given the search giant permission to read their email.
As a result, the judge ruled that Google could not simply say that the Wiretap Act did not apply, and permitted the case to go forwards towards a trial.
Yahoo was hit with a similar lawsuit over email scanning in 2012, but court records show the parties voluntarily dismissed that suit early this year.
Tomi Engdahl says:
Adobe hit in ‘sophisticated’ hack targeting customers, source code
A-Doh!-bee: 2.9 MEEELLION accounts slurped, source code compromised
http://www.theregister.co.uk/2013/10/03/adobe_major_hack/
The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and encrypted passwords
“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” the company said.
“As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password,” the company wrote.
Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker’s server, apparently containing source code on some of Adobe’s biggest products.
“This breach poses a serious concern to countless businesses and individuals,” Hold Security wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”
Tomi Engdahl says:
arkOS: Building the anti-cloud (on a Raspberry Pi)
http://www.techworld.com.au/article/528273/arkos_building_anti-cloud_raspberry_pi_/
arkOS is an open source project designed to let its users take control of their personal data and make running a home server as easy as using a PC
At the start of this year, analyst firm Gartner predicted that over the next four years a total of US$677 would be spent on cloud services. The growth of ‘things-as-a-service’ is upending enterprise IT and creating entirely new, innovative business models. At the same time, social networks such as Facebook and Twitter have built massive user bases, and created databases that are home to enormous amounts of information about account holders.
Collectively, all of this means that people’s data, and the services they use with it, are more likely than ever to be found outside of home PCs and other personal devices, housed in servers that they will probably never likely to see let alone touch. But, when everything is delivered as a service, people’s control and even ownership of their data gets hazy to say the least.
Earlier this year NSA whistle-blower Edward Snowden offered some insight – in revelations that probably surprised few but still outraged many – into the massive level of data collection and analysis carried out by state actors.
arkOS is not a solution to the surveillance state, but it does offer an alternative to those who would rather exercise some measure of control over their data and, at the very least, not lock away their information in online services where its retrieval and use is at the whim of a corporation, not the user.
Tomi Engdahl says:
Facebook Graph Search can now paw through your posts and status updates
http://nakedsecurity.sophos.com/2013/10/02/facebook-graph-search-can-now-paw-through-your-posts-and-status-updates/
It’s been nearly 10 months, but finally, the wait is over: We can now run Facebook searches to find single women who like men and like getting drunk and who might happen to mention such things in posts and status updates.
Thanks goes to the rollout of Facebook Graph Search’s ability to search every single public Facebook post and status update ever made, announced by Facebook on Monday.
The searches can be modified by time – “All of my posts from 2012,” for example – location, or the people who participated.
Graph Search for post and status updates is rolling out slowly to a small group of people who currently have Graph Search, Facebook says
Privacy controls still pertain.
Those who run Graph Searches can only see content that has been shared with them, including posts shared publicly by people who aren’t friends.
But it’s worth noting that the broadening of Graph Search’s capabilities opens up all public posts ever, as well as any posted shared directly to each user, to aggregation.
To maintain privacy and keep strangers out of your conversations and unaware of your activity, don’t use hashtags.
Also, to maintain privacy, use privacy controls. Millions of Facebook users are oblivious to, or just don’t use, privacy controls.
To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds to find out just what was shared publicly.
Go to Facebook’s Activity Log page to find a list of your posts and activity, from today back to the dawn of your Facebook life.
There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.
It’s been about 9.5 months since the launch.
Imagine what people have thought to search for in that time?
Tomi says:
‘Tor Stinks’ presentation – read the full document
http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
Top-secret presentation says ‘We will never be able to de-anonymize all Tor users all the time’ but ‘with manual analysis we can de-anonymize a very small fraction of Tor users’
Tomi says:
NSA and GCHQ target Tor network that protects anonymity of web users
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption
• Top-secret documents detail repeated efforts to crack Tor
• US-funded tool relied upon by dissidents and activists
• Core security of network remains intact but NSA has some success attacking users’ computers
• Bruce Schneier: the NSA’s attacks must be made public
• Attacking Tor: the technical details
• ‘Peeling back the layers with Egotistical Giraffe’ – document
• ‘Tor Stinks’ presentation – full document
• Tor: ‘The king of high-secure, low-latency anonymity’
Tomi says:
Attacking Tor: how the NSA targets users’ online anonymity
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
Secret servers and a privileged position on the internet’s backbone used to identify users and attack target computers
Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult.
The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA’s application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.
According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identified Tor users on the internet and then executes an attack against their Firefox web browser.
The NSA refers to these capabilities as CNE, or computer network exploitation.
The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the internet. This is done via the agency’s partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.
Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of internet traffic that it sees, looking for Tor connections.
After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user’s computer.
Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.
Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.
This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.
Tomi says:
Intelligence chief says the US attacks encryption because the bad guys use it
http://www.theverge.com/2013/10/4/4803646/james-clapper-justifies-tor-breaking-as-necessary-to-fight-terrorists
Director of National Intelligence James Clapper has responded to leaks showing how the NSA tried (and largely failed) to break through Tor’s encryption network. While his statement doesn’t shed much new light on the situation, it encapsulates the intelligence community’s general response to criticism since the first leaks were published: that the threat of terrorism or other threats to national security makes any arguably legal tactic not only ethical, but vital.
“These are the tools our adversaries use to communicate and coordinate attacks against the United States.”
“In the modern telecommunications era, our adversaries have the ability to hide their messages and discussions among those of innocent people around the world. They use the very same social networking sites, encryption tools and other security features that protect our daily online activities.”
These are promises and warnings we’ve heard many times, and they’re all valid defenses of the overall surveillance apparatus. What they don’t do, unfortunately, is address the implicit questions that Greenwald and Schneier have posed: should one wing of the US government attempt to undermine the very tools that other branches have helped create?
military grade cloud encryption storage says:
Great post. I was checking constantly this blog and I am impressed!
I care for such info a lot.
Extremely useful info particularly the last part
I was seeking this particular info for a long time.
Thank you and best of luck.
lifetime and unlimited storage says:
I don’t know whether it’s just me or if everybody else encountering issues with your blog.
It seems like some of the text in your posts are running off the screen.
Can someone else please provide feedback and let me know if this is happening to them as well?
This might be a problem with my browser because I’ve had this happen before.
Thanks
tomi says:
I know that some of the very long URLs on the comments can run off the screen on some cases..
Everything else should stay nicely it their place.
Tomi says:
Withdrawn from use mobile devices to reveal data that the user thinks it removed. They are of interest as abusive skeptical of companies as criminals.
The use of exiting the tablet and smartphone devices involved may be leaking personal information or corporate secrets. Even the factory settings may not delete data permanently. Data recovery is used by both investigate by the police and for abuse.
“Mobile phones similar to the PC machines, so the investigation are the same”, and forensic data recovery firm Kroll Ontrack Ibas Country Manager Finland Jyri base notes.
“Our analysis shows that 90 percent of companies allow business data storage, smart phones”, such as encryption software manufacturer of Check Point Software Technologies, Country Manager Jukka Saaremaa says.
“The equipment is lost and stolen the time, and, therefore, the presumption should be that the secret information can be fitted to mobile devices.”
Of old phones has been possible to dig out information over long period, but the new equipment for the factory settings may prevent this, Jyri base notes.
“Phones and software, there are new versions, so no general can not say.”
File device-level encryption has become increasingly common, which can also prevent data from digging.
Data recovery tool is Sam Serenius a business secret.
“It is a PC-like device, with connections from different manufacturers phones. The device has been authorized. Mobile device manufacturers are not helping us in obtaining these. ”
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/salaisuutesi_voivat_karata_vanhan_alypuhelimen_mukana
Tomi says:
Taking Back Control of Your Data, With Fine Grained, Explicit Permissions
http://yro.slashdot.org/story/13/10/05/2250218/taking-back-control-of-your-data-with-fine-grained-explicit-permissions
BrokenHalo writes with a story at New Scientist outlining one approach to reclaiming your online privacy: a software gatekeeper (described in detail in a paper from last year) from two MIT developers.
“Developers Sandy Pentland and Yves-Alexandre de Montjoye claim OpenPDS (PDF) disrupts what NSA whistleblower Edward Snowden called the ‘architecture of oppression,’ by letting users see and control any third-party requests for their information – whether that’s from the NSA or Google”
Tomi says:
Private data gatekeeper stands between you and the NSA
http://www.newscientist.com/article/mg22029374.600-private-data-gatekeeper-stands-between-you-and-the-nsa.html#.UlCVfIaUQko
Software like openPDS acts as a bodyguard for your personal data when apps – or even governments – come snooping
Editorial: “Time for us all to take charge of our personal data”
BIG BROTHER is watching you. But that doesn’t mean you can’t do something about it – by wresting back control of your data.
If you want to install an app on your smartphone, you usually have to agree to give the program access to various functions and to data on the phone, such as your contacts. Instead of letting the apps have direct access to the data, openPDS sits in between them, controlling the flow of information. Hosted either on a smartphone or on an internet-connected hard drive in your house, it siphons off data from your phone or computer as you generate it.
It can store your current and historical location, browsing history, content and information related to sent and received emails, and any other personal data required. When external applications or services need to know things about you to provide a service, they ask openPDS the question, and it tells them the answer – if you allow it to
Pentland says openPDS provides a technical solution to an issue the European Commission raised in 2012, when it declared that people have the right to easier access to and control of their own data. “I realised something needed to be done about data control,” he says. “With openPDS, you control your own data and share it with third parties on an opt-in basis.”
Storing this information on your smartphone or on a hard drive in your house are not the only options. ID3, an MIT spin-off, is building a cloud version of openPDS.
“OpenPDS is a building block for the emerging personal data ecosystem,”
Tomi says:
Android fingerprint sensors 6 months away
http://www.usatoday.com/story/cybertruth/2013/09/30/android-fingerprint-sensors-6-months-away/2897199/
Tomi Engdahl says:
Europe Aims to Regulate the Cloud
http://www.nytimes.com/2013/10/07/business/international/europe-aims-to-regulate-the-cloud.html?pagewanted=all&_r=0
The words “cloud computing” never appeared in a 119-page digital privacy regulation introduced in Europe last year.
They do now.
Even before revelations this summer by Edward J. Snowden on the extent of spying by the National Security Agency on electronic communications, the European Parliament busied itself attaching amendments to its data privacy regulation. Several would change the rules of cloud computing, the technology that enables the sharing of software and files among computers on the Internet.
And since the news broke of widespread monitoring by the United States spy agency, cloud computing has become one of the regulatory flash points in Brussels as a debate ensued over how to protect data from snooping American eyes.
transmitting data among mobile phones, tablet computers and clouds, even while encrypted, makes it more accessible to snooping.
The European Union wants to regulate the cloud even if that makes its use more complicated. One proposed amendment would require “all transfers of data” from a cloud in the European Union to a cloud maintained in the United States or elsewhere to “be accompanied with a notification to the data subject of such transfer and its legal effects.”
Another amendment takes it further, barring such transfers unless several conditions are met. Not only must consent be provided by the subject of the data, but the person must be “informed in clear, unambiguous and warning language through a separate and prominently visible reference” to “the possibility of the personal data being subject to intelligence gathering or surveillance by third-country authorities.”
And there are other potential conflicts between European and American laws. The European Commission is considering imposing sanctions on companies that turn over records to American law enforcement authorities if the move violates European privacy regulations.
While policy-making on cloud computing is proceeding on more than one track in Brussels, the tracks all appear to be heading in the same general direction: a more robust regulatory regime delineating how data is handled and released. Policy makers hope to have a new regulation in place before the European elections next May.
The stances from politicians across the European Union are similar.
“We need to realize that European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” said Neelie Kroes, the European Commission vice president in charge of telecommunications and information policy, in a statement.
Tomi Engdahl says:
After Silk Road seizure, FBI Bitcoin wallet identified and pranked
http://www.zdnet.com/after-silk-road-seizure-fbi-bitcoin-wallet-identified-and-pranked-7000021603/
Summary: In the the arrest of Silk Road founder Ross Ulbricht the FBI seized around 26,000 Bitcoins. The FBI’s ‘wallet’ has been identified and is now the target of micropayments with pointed messages.
Tomi Engdahl says:
Analysis of Silk Road’s Historical Impact on Bitcoin
http://thegenesisblock.com/analysis-silk-roads-historical-impact-bitcoin/
Ulbricht was caught as a result of human error and excessive risks related to physical delivery of false identification being delivered to his home address in San Francisco from Canada. After tracking the package, authorities found their way to Ulbricht and were able to compile a significant case against him (more details in the official complaint embedded below). Notably, it does not appear he was tracked as the result of any underlying flaws with tor, used for anonymous web browsing, or bitcoin, the only currency accepted on Silk Road.
Tomi Engdahl says:
Why everyone is left less secure when the NSA doesn’t help fix security flaws
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/
In a frank discussion about the government’s approach to vulnerabilities in cyber-infrastructure during a Washington Post Live summit Thursday, former NSA chief Michael Hayden said the agency is not always “ethically or legally compelled” to help fix flaws it knows about. If the agency thinks that no one else will be able to exploit a vulnerability, it leaves the problem unfixed to aid in its own spying efforts. That approach might be convenient for the NSA, but it needlessly endangers the security of Americans’ computers.
The statement came after an audience member asked if backdoors reported in the NSA leaks introduced vulnerabilities that could be exploited by hackers.
“any [backdoor] mechanism that anybody would put into something obviously creates another class of vulnerabilities.”
Hayden argued the concept of vulnerabilities was not unique to the Internet and had been an issue the NSA has dealt with since its founding. “There’s a reason that America’s offensive and defensive squads are up at Fort Meade,” Hayden said, explaining “because both offense and defense at this world hinges on a question of vulnerability.” Hayden then laid out the concept of NOBUS, which stands for “nobody but us,” that he termed “very useful” for making macro-judgments about how to react to vulnerabilities, regardless of if those flaws are “preexistent, not designed, mistake, intended, implanted, [or] whatever”
To a certain extent, this NOBUS idea reflects the weighing of the dual defensive and offensive mission of the NSA. Sure, patching vulnerabilities might effectively make infrastructure safer on a broad scale. But we’re talking about the same agency that reportedly has a 600-some elite offensive hacker squad, Tailored Access Operations or TAO, working out of its headquarters. And NOBUS also raises a lot of questions about how the intelligence agency determines if something is likely to be exploited by adversaries.
Take the NSA’s connection to the zero-day market.
significant contract with with Vupen
Sometimes these zero-days are used to exploit systems by the hackers who discover them, sometimes vendors are told about them as part of bug bounty programs, and sometimes they end up in these digital gray markets.
The United States is a major player in these gray markets, although other nations are reported to be also in on the game. A Reuters’s special report from May claimed the United States was the biggest buyer of exploits from this market, with defense contractors and government agencies spending “at least tens of millions of dollars a year just on exploits.”
“The NSA does not have a monopoly over the exploits that it buys, whether from the black market or from defense contractors. Those same vulnerabilities can and will be discovered by other researchers too, some of whom may sell them to other governments and criminals,” Soghoian said.
And while from a defensive perspective, it makes sense for intelligence agencies to scour these marketplaces and try to buy exploits out of the market, it doesn’t seem like that’s how it always works.
Sometimes purchased exploits appear to be making it into government designed malware. For instance, the Stuxnet worm that targeted Iranian uranium facilities is widely believed to have been a joint American-Israeli development — and a security researcher told the Economist at least one of the four exploits it relies on was bought rather than engineered in-house.
Stuxnet also illustrates how the deployment of offensive cybertools could be bad for consumer and business IT security. Stuxnet managed to make it into the digital wild pretty quickly, infecting other industrial systems and companies. And that’s not all. “Some of the zero-days used in Stuxnet were later exploited by criminals,”
“This is just one of many scenarios where offense and defense conflict,” when it comes to cybersecurity, Soghoian said. “For the NSA to have offensive abilities they must leave the public vulnerable.”
Tomi Engdahl says:
Mugged by a Mug Shot Online
http://www.nytimes.com/2013/10/06/business/mugged-by-a-mug-shot-online.html?pagewanted=all
But once he is done, Mr. Birnbaum’s record will be clean. Which means that by the time he graduates from the University of Texas at Austin, he can start his working life without taint.
At least in the eyes of the law. In the eyes of anyone who searches for Mr. Birnbaum online, the taint could last a very long time. That’s because the mug shot from his arrest is posted on a handful of for-profit Web sites, with names like Mugshots, BustedMugshots and JustMugshots. These companies routinely show up high in Google searches; a week ago, the top four results for “Maxwell Birnbaum” were mug-shot sites.
The ostensible point of these sites is to give the public a quick way to glean the unsavory history of a neighbor, a potential date or anyone else. That sounds civic-minded, until you consider one way most of these sites make money: by charging a fee to remove the image. That fee can be anywhere from $30 to $400, or even higher. Pay up, in other words, and the picture is deleted, at least from the site that was paid.
To Mr. Birnbaum, and millions of other Americans now captured on one or more of these sites, this sounds like extortion. Mug shots are merely artifacts of an arrest, not proof of a conviction, and many people whose images are now on display were never found guilty, or the charges against them were dropped. But these pictures can cause serious reputational damage
“The assistant to this state rep called my friend back and said, ‘We’d like to hire him, but we Google every potential employee, and the first thing that came up when we searched for Maxwell was a mug shot for a drug arrest,’ ”
It was only a matter of time before the Internet started to monetize humiliation. In this case, the time was early 2011, when mug-shot Web sites started popping up to turn the most embarrassing photograph of anyone’s life into cash. The sites are perfectly legal, and they get financial oxygen the same way as other online businesses — through credit card companies and PayPal. Some states, though, are looking for ways to curb them.
But as legislators draft laws, they are finding plenty of resistance, much of it from journalists who assert that public records should be just that: public.
The Reporters Committee for Freedom of the Press argues that any restriction on booking photographs raises First Amendment issues and impinges on editors’ right to determine what is newsworthy. That right was recently exercised by newspapers and Web sites around the world when the public got its first look at Aaron Alexis, the Navy Yard gunman, through a booking photograph from a 2010 arrest.
“What we have is a situation where people are doing controversial things with public records,”
MUG shots have been online for years, but they appear to have become the basis for businesses in 2010, thanks to Craig Robert Wiggen
“No one should have to go to the courthouse to find out if their kid’s baseball coach has been arrested, or if the person they’re going on a date with tonight has been arrested,” he said. “Our goal is to make that information available online, without having to jump through any hoops.”
JustMugshots began in 2012 and now has five employees, two of whom spend all their time dredging up images from 300 sources. The site has nearly 16.8 million such photos, according to Mr. D’Antonio.
JustMugshots has a “courtesy removal service,” allowing people who have been exonerated, or never charged, or even those who can demonstrate that they have turned around their lives, to get their image taken down free. Mr. D’Antonio declined to say how many people had been granted mercy deletions.
“We review paid orders and we have refunded paid orders, if, after doing some research, it becomes clear that there is a reason to do so.”
JUSTMUGSHOTS is one of several sites named in a class-action lawsuit filed last year by Scott A. Ciolek, a lawyer in Toledo, Ohio.
“You can’t threaten to embarrass someone unless they pay you money,” he said, “even if they did exactly what you are threatening to embarrass them about.”
Tomi Engdahl says:
Google Cracks Down On Mugshot Blackmail Sites
http://search.slashdot.org/story/13/10/06/2017239/google-cracks-down-on-mugshot-blackmail-sites
“Google is apparently displeased with sites designed to extract money from arrestees in exchange for removing their mugshot pictures online, and is tweaking its algorithms to at least reduce their revenue stream.”
Tomi Engdahl says:
Want to Evade NSA Spying? Don’t Connect to the Internet
By Bruce Schneier
10.07.13 6:30 AM
http://www.wired.com/opinion/2013/10/149481/
Since I started working with Snowden’s documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible.
I also recommended using an air gap, which physically isolates a computer or local network of computers from the internet. (The name comes from the literal gap of air between the computer and the internet; the word predates wireless networks.)
But this is more complicated than it sounds, and requires explanation.
Since we know that computers connected to the internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use — or should use — air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on.
Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same.
Air gaps might be conceptually simple, but they’re hard to maintain in practice. The truth is that nobody wants a computer that never receives files from the internet and never sends files out into the internet. What they want is a computer that’s not directly connected to the internet, albeit with some secure way of moving files on and off.
But every time a file moves back or forth, there’s the potential for attack.
And air gaps have been breached. Stuxnet was a U.S. and Israeli military-grade piece of malware that attacked the Natanz nuclear plant in Iran. It successfully jumped the air gap and penetrated the Natanz network. Another piece of malware named agent.btz, probably Chinese in origin, successfully jumped the air gap protecting U.S. military networks.
These attacks work by exploiting security vulnerabilities in the removable media used to transfer files on and off the air gapped computers.
Since working with Snowden’s NSA files, I have tried to maintain a single air-gapped computer. It turned out to be harder than I expected, and I have ten rules for anyone trying to do the same
Tomi Engdahl says:
Windows 8 Picture Passwords Easy to Crack, say Researchers
http://www.tomshardware.com/news/picture-gesture-authentication-windows-8-security,24560.html
Recently during the USENIX Security Symposium, researchers from Arizona State University, Delaware State University and GFS Technology Inc. presented “On the Security of Picture Gesture Authentication,” a paper (pdf) showing that most unique picture password gestures used in Windows 8 aren’t quite so unique. In fact, it may not really matter what picture the Windows 8 account holder uses: the login screen can still be easily bypassed.
“Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system,” the paper states.
They discovered that one of the most common methods used in this authentication process was with a photo of a person and triple tapping on the face, one of which lands on the eyes.
The study determined that there is a relationship between the background images and the user’s identity, personality or interests.
“It is obvious that pictures with personally identifiable information may leak personal information,” the paper states.
At the end of the study, the researchers had gathered enough evidence to develop an attack framework capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.
Tomi Engdahl says:
Two million Chinese net cops
More than two million Chinese earn a living sitting by looking at messages from 500 million internet users.
Chinese public opinion in an open forum with the peak of the internet, the community services, discussion forums, and micro-blogs. These people raise millions of topics, many of which are sensitive to at least the Chinese style. They will ensure that the issues arise around the mass movements, high-ranking officials do not get blamed and the Communist Party of the position being questioned.
Internet content controls employs more than two million people, reported on the BBC , which was founded knowledge of Chinese Beijing News article. They are not called the Sensor monitors the Internet, but opinion analysts.
According to the Beijing News’ on-line supervisors is to collect and analyze micro-blogs, comments, and reports to work on decision-makers. Their assignment is not to delete content.
Web guards using the specially developed search engine. RT.com reported the Xinhua news agency of public opinion monitoring unit deputy director of the Shan Xuegang as saying that thousands of processors filter the Chinese and foreign content of the services.
“This will leave behind that of the previously used methods that utilized Google, and other search engines Baidu,” Shan said.
Source: http://www.tietokone.fi/artikkeli/uutiset/kaksi_miljoonaa_kiinalaista_kyttaa_muiden_netinkayttoa
Tomi Engdahl says:
Mobile Malware, High-Risk Apps Hit 1M Mark
http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-high-risk-apps-hit-1m-mark/
With three months to spare before the year ends, our prediction that mobile threats, specifically malware and high-risk apps reaching the 1 million mark has finally come true.
In our 2Q Security Roundup for the year, we noted that more than 700 thousand malicious and risky apps were found in the wild. This impressive number plus the continuous popularity of the platform among users lead us to predict that 2013 would be the year when Android malware reaches 1 million.
Our Mobile App Reputation data indicates that there are now 1 million mobile malware (such as premium service abusers) and high-risk apps (apps that aggressively serve ads that lead to dubious sites). Among the 1 million questionable apps we found, 75% perform outright malicious routines, while 25% exhibits dubious routines, which include adware.
The threat to mobile devices, however, is not limited rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions, with the likes of FAKEBANK and FAKETOKEN malware threatening users
Tomi says:
UK Minister: British Cabinet Was Told Nothing About GCHQ/NSA Spying Programs
http://yro.slashdot.org/story/13/10/07/1236221/uk-minister-british-cabinet-was-told-nothing-about-gchqnsa-spying-programs
“From the Guardian: ‘Cabinet ministers and members of the national security council were told nothing about the existence and scale of the vast data-gathering programs run by British and American intelligence agencies, a former member of the government has revealed.”
Tomi Engdahl says:
Surveillance panel shut down
http://www.politico.com/story/2013/10/surveillance-panel-shut-down-97891.html
A panel President Barack Obama set up in August to assess the government’s use of surveillance technologies hit some turbulence related to the government shutdown last week and found itself effectively frozen on Friday after its staff was furloughed, according to a person briefed on the panel’s operations.
“While the work we’re doing is important, it is no more important than – and quite frankly a lot less important – than a lot of the work being left undone by the government shutdown, both in the intelligence community and outside the intelligence community.”
Tomi Engdahl says:
Hackers Target AT&T to Vodacom in SIM-Card Scam
http://www.bloomberg.com/news/2013-10-07/hackers-target-at-t-to-vodacom-in-sim-card-scam.html
At wireless carriers such as AT&T Inc. (T) and South Africa’s Vodacom Group Ltd. (VOD), a new hacking threat has emerged involving the illicit swapping of SIM cards, the plastic chips that authenticate customers on mobile networks. Criminals call users and impersonate the companies to glean personal information, which they use to hijack the chips and customer accounts, paving the way for online banking fraud and international calling theft.
The scam represents a growing threat to the global telecommunications industry, which is projected to lose $46.3 billion to fraud in 2013, or about 2 percent of total revenue, according to the Communications Fraud Control Association. Account takeovers such as SIM-card switches are one of the most common types of fraud, and may rack up $3.6 billion in losses this year, almost triple the amount in 2011, the CFCA estimates.
“Attackers are definitely getting more advanced,” said Lawrence Pingree, a mobile-security researcher at Gartner Inc. “It’s almost like stealing at a bank — going right in and doing it in person. It’s very personal.”
Tomi Engdahl says:
First they came for the mugshot websites, but I said nothing…
http://gigaom.com/2013/10/07/first-they-came-for-the-mugshot-websites-but-i-said-nothing/
Google has made a change to its search algorithm to downgrade sites that post mugshot photos, but this decision raises some troubling questions about how much we rely on Google to choose what we see and don’t see
Tomi Engdahl says:
What Mugshots Mean For Public Data
http://www.hilarymason.com/blog/what-mugshots-mean-for-public-data/
The New York Times has a story this morning on the growing use of mugshot data for, essentially, extortion. These sites scrape mugshots off of public records databases, use SEO techniques to rank highly in Google searches for people’s names, and then charge those featured in the image to have the pages removed. Many of the people featured were never even convicted of a crime.
What the mugshot story demonstrates but never says explicitly is that data is no longer just private or public, but often exists in an in-between state, where the public-ness of the data is a function of how much work is required to find it.
Before mugshot sites, you had to actually visit each state’s database, figure out how to query it, and assemble the results.
Now you just search, and this information is there. It is just as public as it was before, but the cost to access has become a matter of seconds, not hours or days
The debate around fixing this problem has focused on whether the data should be removed from the public entirely. I’d like to see this conversation reframed around how we maintain the friction and cost to access technically public data such that it is no longer economically feasible to run these sorts of aggregated extortion sites while still maintaining the ability of journalists and concerned citizens to explore the records as necessary for their work.
Tomi Engdahl says:
Digital ‘activists’ scramble to build Silk Road 2.0, but drug kingpins are spooked
We can hardly find a dealer, moan Blighty drug users
http://www.theregister.co.uk/2013/10/08/silk_road_2_point_0/
Former Silk Roaders say they are preparing to open new anonymous online drug bazaars after last week’s collapse of the illicit Tor marketplace. Meanwhile, drug dealers appear to have taken fright after the takedown of the hidden website.
Tomi Engdahl says:
The NSA’s hiring – and they want a CIVIL LIBERTIES officer
In other news, the Spanish Inquisition want an equal opprtunities officer
http://www.theregister.co.uk/2013/09/24/nsa_privacy_officer/
Infamous US spy agency the NSA is looking to appoint a Civil Liberties & Privacy Officer.
The challenging position is an internal posting, aimed at potential candidates who already work at the top secret spy agency.
Key responsibilities include advising NSA director Keith Alexander and the senior leadership team to ensure that all agency activities “appropriately protect privacy and civil liberties consistent with operational, legal, and other requirements.”
Another aspect of the job will include making sure “privacy protections are addressed as part of all internal strategic decision processes related to the agency’s operations, key relationships, tradecraft, technologies, resources or policies.”
Tomi says:
Android malware problem approaching the pc’s ten-year return levels. Microsoft took the problem under control. Does Google do the same?
Android problem with the malware is not really a secret. Trend Micro says that have found a million malware programs for the world’s most popular mobile operating system. F-Secure says that even Google’s own Play-download store is no longer reliable.
The reader’s first reaction: Does not apply to me or any other well-informed users.
Wrong.
Because Android is the world’s most popular operating system, it can also be found grannies phones and children’s phones. When they have access to the application store up the phone to hinge can be just about anything.
If Google wants to maintain its position, it must do something about it. And quickly, because the problem is getting out of hand.
The good news is that it can be done.
Indeed, Microsoft has once again favored by security experts. When Windows XP virus problem exploded in uncontrollable, the company launched a Trusted computing projects, and cut the other application development for a while. Which resulted in the Windows Security Center, mandatory firewalls and other things that are now taken for granted.
If nothing is done, there will be malware Android to become the end of the story. No later than when driveby downloads start to succeed for Android, Google is in trouble.
Source: http://www.digitoday.fi/tietoturva/2013/10/09/google-uskallatko-tarttua-android-haitakeongelmaan/201314027/66
Tomi says:
Mikko Hypponen: “Who we’re fighting has completely changed in the last decade”
http://grahamcluley.com/2013/10/computer-security-turning-point/
Mikko Hypponen is one of the best known names in the anti-virus industry. In this article he describes how the last decade has completely changed who we are fighting, and how 2003 was turning point in the history of computer security.
If you were running Windows on your computer 10 years ago, you were running Windows XP.
In fact, you were most likely running Windows XP SP1 (Service Pack 1).
This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates.
No wonder then, that worms and viruses were rampant in 2003.
In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig and so on.
They went on to do some spectacular damage.
The problems with Windows security were so bad that Microsoft had to do something. And it did.
In hindsight, the company did a spectacular turnaround in their security processes.
Microsoft started Trustworthy Computing. It stopped all new development for a while to go back and find and fix old vulnerabilities.
Today, the difference in the default security level of 64-bit Windows 8 is so much ahead of Windows XP you can’t even compare them.
When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets.
One favorite was Adobe Reader and Adobe Flash.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn’t gotten their act together yet.
The overall security level of end users’ systems is now better than ever before. The last decade has brought us great improvements.
Unfortunately, the last decade has also completely changed who we’re fighting.
In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks.
Tomi says:
Google’s Schmidt: Android more secure than iPhone
http://www.zdnet.com/googles-schmidt-android-more-secure-than-iphone-7000021670/
Delivered with a spice of arrogance, Google’s executive chairman Eric Schmidt on Monday declared the Android platform more secure than Apple’s iPhone.
“If you polled many people in this audience they would say Google Android is not their principal platform [...] When you say Android, people say, wait a minute, Android is not secure.”
Schmidt didn’t miss a beat, replying, “Not secure? It’s more secure than the iPhone.”
The Google chairman danced around a straight answer explaining Android has more than a billion users, is a platform that will be around for a while, and therefore goes through rigorous real-world security testing.
Schmidt then offered up another complaint he often hears — that the platform is fragmented — and then he shot that down. “With Android we have an agreement for vendors that you keep the Android stores compatible and that is a great breakthrough for Android,” he said.
Schmidt compared it to his Unix days in the 1980s, saying, “The key thing was that we did not have an app store to keep the Unix people together.”
Schmidt said in the distant future there would be an assumption that nothing is secure and that security will be devised on a per app basis for each user.
Tomi says:
How the Bible and YouTube are fueling the next frontier of password cracking
Crackers tap new sources to uncover “givemelibertyorgivemedeath” and other phrases.
http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
Early last year, password security researcher Kevin Young was hitting a brick wall. Over the previous few weeks, he made steady progress decoding cryptographically protected password data leaked from the then-recent hack of intelligence firm Stratfor. But with about 60 percent of the more than 860,000 password hashes cracked, his attempts to decipher the remaining 40 percent were failing.
The so-called dictionary attacks he mounted using lists of more than 20 million passwords culled from previous website hacks had worked well.
his attacks revealed Stratfor passwords such as “pinkyandthebrain,” “pithecanthropus,” and “moonlightshadow.” Brute-force techniques trying every possible combination of letters, numbers, and special characters had also succeeded at cracking all passwords of eight or fewer characters.
He cracked the first 60 percent of the list using the freely available Hashcat and John the Ripper password-cracking programs, which ran the guesses through the same MD5 algorithm Stratfor and many other sites used to generate the one-way hashes. When the output of a guessed word matched one of the leaked Stratfor hashes, Young would have successfully cracked another password. (Security professionals call the technique an “offline” attack because guesses are never entered directly into a webpage.)
A free cracking dictionary anyone can compile
Young joined forces with fellow security researcher Josh Dustin, and the cracking duo quickly settled on trying longer strings of words found online. They started small. They took a single article from USA Today, isolated select phrases, and inputted them into their password crackers. Within a few weeks, they expanded their sources to include the entire contents of Wikipedia and the first 15,000 works of Project Gutenberg, which bills itself as the largest single collection of free electronic books. Almost immediately, hashes from Stratfor and other leaks that remained uncracked for months fell.
“Rather than try a brute force that makes sense to a computer but not to people, let’s use human beings because people typically make these long passwords based on things that humans use,” Dustin remembered thinking. “I basically utilized the person who wrote the article on Wikipedia to put words together for us.”
Almost immediately, a flood of once-stubborn passwords revealed themselves.
An arms race as old as civilization
The experience underscores the rapidly unfolding arms race between everyday people trying to secure their digital assets and the whitehat and blackhat hackers trying to compromise them. The race is almost certainly as old as the password, which itself dates back to as early as ancient Rome, when military leaders developed a careful procedure for circulating daily watchwords to prevent infiltration by enemy soldiers.
Enter the “pointless” passphrase
As awareness has grown about the growing insecurity of passwords that were presumed strong only a few years ago, many people have turned to passphrases, often pulled from what they believe are overlooked songs, books, or other sources. The idea is to generate a long passcode that contains upper- and lower-case letters and possibly punctuation that’s nonetheless easy to remember. This turns out to be largely an exercise in futility. As is the case with passwords, the same thing that makes passphrases easy to remember makes them susceptible to easy cracking.
“I see a lot more users choosing passphrases today than three years ago,”
No, mangling won’t save your passphrase, either
Crackers run their list of phrases through many of the same rule sets they use for single words. Within milliseconds, assuming the most commonly used “fast” hashing algorithms are used, a cracker guessing the sentence “The quick brown fox jumps over the lazy dog” can also try “The_quick_brown_fox_jumps_over_the_lazy_dog”, “Thequickbrownfoxjumpsoverthelazydog,”
One force pushing the frontier of passphrase cracking is relatively new. oclHashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes in seconds, was recently updated to tackle passphrases as long as 55 characters, breaking a previous 15-character limit.
Tomi Engdahl says:
Google begins offering financial rewards for proactive security patches made to select open-source projects
http://thenextweb.com/google/2013/10/09/google-begins-offering-financial-rewards-for-proactive-security-patches-made-to-select-open-source-projects/
Google today started to provide financial incentives for proactive improvements to open-source software (OSS) that go beyond merely fixing a known security bug. Awards currently range between $500 and $3,133.70.
Google says it will be rolling out the program gradually, the speed of which will be dermined on the quality of the received submissions and feedback from the developer community. The initial run is limited in scope to the following projects:
Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
Open-source foundations of Google Chrome: Chromium, Blink.
Other high-impact libraries: OpenSSL, zlib.
Security-critical, commonly used components of the Linux kernel (including KVM).
Soon (it wouldn’t say when exactly), the company will extend the program to:
Widely used web servers: Apache httpd, lighttpd, nginx.
Popular SMTP services: Sendmail, Postfix, Exim.
Toolchain security improvements for GCC, binutils, and llvm.
Virtual private networking: OpenVPN.
In other words, Google is trying to bring its Vulnerability Reward Program to the world of OSS in the hopes of improving the security of key third-party software critical to the health of the entire Internet.