Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also concerns mobile devices.

Security is becoming an increasingly important issue. The year 2013 is the year of cyber security. Security company Stonesoft predicts that we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security, and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted about its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and now test their devices more. But how well do the smaller manufacturers handle security testing? Metasploit has a special category for SCADA devices. It is a good idea to test your own devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation security standard IEC 61508, security is addressed only in an informative way (not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than you did some years ago. Previously, it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep automation systems isolated from the Internet. Accidental connections to the Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine reports that a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.

The article Thousands of SCADA Devices Discovered On the Open Internet reports that there is a steady stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. The Global Positioning System is infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ reports that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gain, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to target browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.

The article Africa’s Coming Cyber-Crime Epidemic reports that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and lax law enforcement makes it a perfect petri dish for increased cybercrime.

A Europe-wide cyber police force has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    Cyber security costs almost doubled in four years

    A Ponemon Institute study for Hewlett-Packard (HP), the “2013 Cost of Cyber Crime Study”, shows that, for example, fighting cybercrime cost a U.S. firm an average of 11.6 million dollars, the company announced today.

    The study also included the United Kingdom, Germany, France, Japan, and Australia.

    Costs have increased by 78 per cent from the situation four years ago. The results also showed that over the same period the time needed to deal with an attack increased by almost 130 per cent, and an average of over a million dollars was spent on the detection of an individual attack.

    Attack techniques have evolved in recent years, as the criminals behind them have begun to specialize and share information with each other.

    According to the study, advanced security tools – for example, security information and event management (SIEM) solutions, network systems and big data analytics – provide an effective remedy against cyber threats and reduce the costs of criminal activity substantially.

    The essential findings of the 2013 study:

    • The average annual cost of fighting cybercrime for one company was 11.6 million dollars, an increase of 26% ($2.6 million) from last year. The sum for the companies surveyed ranged between 1.3 million and 58 million dollars.

    • Each organization had on average 122 successful attacks per week. Last year the figure was 102.

    • detection of attacks took an average of 32 days, during which the firms that would be an average of 1 035 769 dollar cost, $ 469, or 32 per day. Last year, survived an average of 24 attacks per day, and cost an average of $ 780 591, that is, only 55 percent of the cost. (1)

    - Attacks are maturing and becoming more common and costly; the entire current threat landscape is changing

    • Of all cyber attack types, the largest expenses were incurred by denial of service attacks, attacks coming from within the organization, and web-based attacks. These three types of attacks constitute a total of more than 55 per cent of the annual cyber costs.

    The majority of the external costs (43 per cent) is due to data theft. Business disruption came close behind, forming 36 per cent of the external costs throughout the year.

    Appropriate allocation of resources, a security director with strong authority, recruitment of well-trained staff, and other similar investments in administration were also found to be useful.

    Source: http://www.tietoviikko.fi/uutisia/kyberrikollisuuden+kustannukset+lahes+kaksinkertaistuneen+neljassa+vuodessa/a936940

    Reply
  2. Tomi Engdahl says:

    Shadowy drug fans threaten FBI agents, vow to ‘avenge’ Silk Road shutdown
    How dare lawmen close our illegal underground online drug shop?
    http://www.theregister.co.uk/2013/10/10/dark_web_plans_revenge_for_dread_pirate_roberts_arrest/

    Dark web hoodlums linked to the underground drugs bazaar Silk Road are preparing to launch revenge attacks on the FBI agents involved in the shutdown of the site.

    Using hidden forums which are only accessible using Tor, the individuals have been sharing the names and addresses of key figures in the Silk Road bust.

    Although the rabid activists have stopped short of calling for violent attacks on the FBI, they discussed carrying out a campaign of fear aimed at making Feds “think twice” before targeting any anonymous drugs market in future.

    Reply
  3. Tomi Engdahl says:

    Guardian to publish more Snowden intelligence revelations
    http://www.bbc.co.uk/news/uk-24464286

    Guardian editor Alan Rusbridger says he plans to publish more revelations from Edward Snowden despite MI5 warning that such disclosures cause enormous damage.

    He warned that terrorists now had tens of thousands of means of communication “through e-mail, IP telephony, in-game communication, social networking, chat rooms, anonymising services and a myriad of mobile apps”.

    Mr Parker said it was vital for MI5 to retain the capability to access such information if it was to protect the country.

    Mr Rusbridger said those on the security side of the argument wanted to keep everything secret and did not want a debate.

    “You don’t want the press or anyone else writing about it. But MI5 cannot be the only voice in the debate,” he told BBC Radio 4’s World at One.

    Reply
  4. Tomi Engdahl says:

    The legacy IE survivor’s guide: Firefox, Chrome… more IE?
    Ask yourself, how many times do you want to rewrite?
    http://www.theregister.co.uk/2013/10/10/ie6_migration_guide/

    Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That’s when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.

    Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain’s taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.

    That’s despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.

    Those on IE7 and IE8 are relatively safe – until support for these browsers’ release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft’s “extended support mode” – same as IE6. Extended support means you get the security fixes – for now.

    It’s time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 – after all, it’s been nearly 15 years now, haven’t attackers found all the vulnerabilities out there already? And just because you’ve got three to four more years doesn’t mean IE7 and IE8 people shouldn’t pay attention, too.

    The problem on IE6 is, even if that were true – and it’s not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.

    “The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities.”

    In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won’t necessarily be vulnerable to them all, but all it takes is one.

    If you’ve long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldiering on with XP.

    Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Windows XP’s default browser.

    The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards.

    When Windows XP is swept into the dustbin of computing history, there’s an excellent argument for writing apps that conform to web standards rather than the browser du jour.

    Reply
  5. Tomi Engdahl says:

    Hey, watch out, your mouse is attacking!

    Few people are afraid of a computer mouse or keyboard, but perhaps they should be – at least if you are an extremely attractive target for hackers. An innocent-looking booby-trapped peripheral can be a very effective tool for a data breach, warns legendary hacker Kevin Mitnick.

    A cunning attack carried out through a mouse or keyboard connected directly by USB is based on the fact that operating system protections and security programs do not care about HID user interface devices. The attack is totally unexpected and surprising, and it can remain undetected for a long time.

    “Besides booby-trapped files we will get booby-trapped hardware. No one ever audits peripherals to find out if the equipment has been tampered with, with the exception of the military. For consumers, banks and enterprises, hardware modification is too hard,” ex-hacker Kevin Mitnick said at software company Reactor's DevDay developer event.

    He now has his own security consulting company, which does security testing for customers.

    The average consumer does not really have to worry about attacks through accessory devices. They mainly target businesses and other organizations that are more valuable but technically well-protected targets. The reason is clear: the method is considerably more laborious than by far the most common method of attack, that is, putting malware on the victim's machine purely online, usually through the browser or its add-ons.

    Mitnick illustrated a hardware-based attack with a USB stick that presents itself to the target computer as a keyboard. The attack code was on a small memory card hidden in the stick. In the demonstration, an updated Windows 7 machine and updated security software did not react when the stick was connected.

    In general, an attacker could install a micro SD card or a USB control circuit inside a peripheral device, for example inside a USB connector. Suitable equipment is available ready-made, such as Teensy parts.

    In addition, the tampered device has to be planted on the victim. That requires social engineering methods, for which Kevin Mitnick is famous and which were the main topic of his presentation.

    “As a trick you can even say that you will receive a thousand keyboards from us, because you have been such a good customer. We will send them to you as soon as today,” Mitnick said.

    Companies can try to protect themselves from hardware-based attacks: Windows Group Policies can be used to deny the automatic installation of all kinds of USB peripherals; on Mac OS X, you can use udev rules.

    In some organizations, all USB ports are simply blocked with epoxy glue.

    Source: http://www.tietokone.fi/artikkeli/uutiset/hei_varo_hiiresi_hyokkaa

    Reply
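
A detection-side illustration of the comment above, added here and not part of the original comment or the article it quotes: because a stick that announces itself as a keyboard is not flagged by security software, one practical check is to review Linux kernel logs for devices that register as a USB HID keyboard without being on an approved list, or that register as a keyboard and as mass storage at once. The log lines, device IDs and allowlist are constructed sample data, and the line formats assume a stock Linux kernel log.

```python
import re

# Constructed kernel-log sample (not from the article): an ordinary keyboard,
# then a "flash disk" that also enumerates as a keyboard.
SAMPLE_LOG = """\
[  101.100000] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  101.100400] usb 1-1.2: Product: USB Keyboard
[  101.150000] hid-generic 0003:046D:C31C.0004: input,hidraw3: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.2/input0
[  845.200000] usb 1-1.3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  845.200400] usb 1-1.3: Product: Flash Disk
[  845.210000] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[  845.260000] hid-generic 0003:1234:ABCD.0005: input,hidraw4: USB HID v1.11 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-1.3/input1
"""

# "usb <port>: New USB device found, idVendor=.., idProduct=.."
NEW_DEV = re.compile(
    r"usb (\S+): New USB device found, "
    r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})"
)
# "usb-storage <port>:<config>.<interface>: USB Mass Storage device detected"
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
# "<driver> <bus>:<VID>:<PID>.<instance>: ... USB HID v1.10 Keyboard [<name>]"
HID_KBD = re.compile(
    r"\b[0-9A-F]{4}:([0-9A-F]{4}):([0-9A-F]{4})\.[0-9A-F]{4}: "
    r".*USB HID v[\d.]+ Keyboard \[(.*?)\]"
)


def find_suspect_keyboards(log_text, allowlist):
    """Return keyboards that are unapproved or that also act as storage.

    allowlist is a set of lowercase "vid:pid" strings for approved keyboards.
    Devices are correlated by vid:pid, so two identical devices on different
    ports are treated as one; that is a simplification of this example.
    """
    port_ids = {}        # USB port name -> "vid:pid"
    storage_ids = set()  # "vid:pid" of devices bound to usb-storage
    keyboards = []       # ("vid:pid", product name) for each HID keyboard

    # First pass: collect facts, because log ordering is not guaranteed.
    for line in log_text.splitlines():
        if (m := NEW_DEV.search(line)):
            port_ids[m.group(1)] = f"{m.group(2)}:{m.group(3)}".lower()
        elif (m := STORAGE.search(line)):
            if m.group(1) in port_ids:
                storage_ids.add(port_ids[m.group(1)])
        elif (m := HID_KBD.search(line)):
            keyboards.append((f"{m.group(1)}:{m.group(2)}".lower(), m.group(3)))

    # Second pass: evaluate every keyboard against both checks.
    findings = []
    for dev_id, name in keyboards:
        reasons = []
        if dev_id not in allowlist:
            reasons.append("not on keyboard allowlist")
        if dev_id in storage_ids:
            reasons.append("also presents mass storage")
        if reasons:
            findings.append({"id": dev_id, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    approved = {"046d:c31c"}  # constructed allowlist entry
    for finding in find_suspect_keyboards(SAMPLE_LOG, approved):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```
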
  6. Tomi Engdahl says:

    FPDetective
    http://homes.esat.kuleuven.be/~gacar/fpdetective/

    The paper “FPDetective: Dusting the Web for Fingerprinters” (PDF) describes the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet. It will be presented at the 20th ACM Conference on Computer and Communications Security that takes place in Berlin in November.

    FPDetective is designed as a flexible, general purpose framework that can be used to conduct large scale web privacy studies.

    Reply
  7. Tomi Engdahl says:

    Editors on the NSA files: ‘What the Guardian is doing is important for democracy’
    http://www.theguardian.com/world/2013/oct/10/guardian-democracy-editors

    On Thursday the Daily Mail described the Guardian as ‘The paper that helps Britain’s enemies’. We showed that article to many of the world’s leading editors. This is what they said

    New York Times:
    “In a democracy, the press plays a vital role in informing the public and holding those in power accountable. The NSA has vast intelligence-gathering powers and capabilities and its role in society is an important subject for responsible newsgathering organisations such as the New York Times and the Guardian. A public debate about the proper perimeters for eavesdropping by intelligence agencies is healthy for the public and necessary.”

    Der Spiegel:
    “The utmost duty of a journalist is to expose abuses and the abuse of power. The global surveillance of digital communication by the NSA and GCHQ is no less than an abuse on a massive scale with consequences that at this point seem completely unpredictable.”

    HAARETZ:
    “Journalists have only one responsibility: to keep their readers informed and educated about whatever their government is doing on their behalf – and first and foremost on security and intelligence organisations, which by their nature infringe on civil liberties. The Snowden revelations, and their publication by the Guardian, have been a prime example of fearlessly exercising this journalistic responsibility.”

    Slate:
    “I have just been reading Tim Weiner’s history of the CIA, Legacy of Ashes, which is heavily based on leaked and declassified government documents. Over and again, one is struck by how poorly Americans’ interests have been served by secrecy – and by the folly, misjudgment, and abuse of power that might have been prevented by public knowledge. One does not have to admire Julian Assange or Edward Snowden to recognise that their revelations, filtered by scrupulous journalists, have served the fundamental democratic interest of knowing what our governments are up to and how they may be abridging our rights.”

    Reply
  8. Tomi Engdahl says:

    Spies and journalism: when worlds collide
    http://www.theguardian.com/commentisfree/2013/oct/10/spies-journalism-security-daily-mail-editorial

    The raging global discussion about the proper limits of surveillance of the past few months will become harder to ignore

    The Effects of Mass Surveillance on Journalism
    http://towcenter.org/blog/the-effects-of-mass-surveillance-on-journalism/

    Mass surveillance of the kind practiced by the NSA produces a chilling effect on journalism, because sources do not feel they can have a private conversation with a reporter. That’s the message of a group of scholars, journalists, and researchers from Columbia Journalism School and the MIT Center for Civic Media, in a public comment to the Review Group on Intelligence and Communication Technologies convened by President Obama.

    The 15 page letter argues that mass surveillance is harmful to journalism and incompatible with existing law and policy. It goes on to document recent chilling effects, showing that real harm has already occurred.

    “Put plainly, what the NSA is doing is incompatible with the existing law and policy protecting the confidentiality of journalist-source communications. This is not merely an incompatibility in spirit, but a series of specific and serious discrepancies between the activities of the intelligence community and existing law, policy, and practice in the rest of the government. Further, the climate of secrecy around mass surveillance activities is itself actively harmful to journalism, as sources cannot know when they might be monitored, or how intercepted information might be used against them.”

    The letter documents how NSA’s domestic phone and internet surveillance activities contradict recent Department of Justice policy.

    The Obama Administration and the Press
    Leak investigations and surveillance in post-9/11 America
    http://cpj.org/reports/2013/10/obama-and-the-press-us-leaks-surveillance-post-911.php

    U.S. President Barack Obama came into office pledging open government, but he has fallen short of his promise. Journalists and transparency advocates say the White House curbs routine disclosure of information and deploys its own media to evade scrutiny by the press. Aggressive prosecution of leakers of classified information and broad electronic surveillance programs deter government sources from speaking to journalists.

    Six government employees, plus two contractors including Edward Snowden, have been subjects of felony criminal prosecutions since 2009 under the 1917 Espionage Act, accused of leaking classified information to the press—compared with a total of three such prosecutions in all previous U.S. administrations. Still more criminal investigations into leaks are under way. Reporters’ phone logs and e-mails were secretly subpoenaed and seized by the Justice Department in two of the investigations, and a Fox News reporter was accused in an affidavit for one of those subpoenas of being “an aider, abettor and/or conspirator” of an indicted leak defendant, exposing him to possible prosecution for doing his job as a journalist. In another leak case, a New York Times reporter has been ordered to testify against a defendant or go to jail.

    Obama Administration Has Gone To Unprecedented Lengths To Thwart Journalists, Report Finds
    http://www.huffingtonpost.com/2013/10/10/obama-press-freedom-cpj_n_4073037.html

    Leonard Downie spent more than four decades at The Washington Post, including 17 years as the paper’s top editor, and has heard plenty of grumbling from reporters blocked from access to government information. “I’m used to journalists complaining,” he told HuffPost in an interview.

    But after speaking to 30 veteran Washington journalists to prepare a Committee to Protect Journalists report, Downie said he was persuaded that concerns about lack of government transparency are legitimate. Those interviewed, he wrote, “could not remember any precedent” to the Obama administration’s aggressive crackdown on leaks and efforts to control information.

    For 32 years, the Committee to Protect Journalists has been better known for investigating press freedom under authoritarian governments, or where journalists are killed with impunity or in war zones. But this spring’s revelations about the Justice Department secretly seizing phone records at The Associated Press and obtaining a Fox News reporter’s email account have increased concerns closer to home.

    WORSE THAN BUSH

    In the report, a who’s who of Washington journalists are quoted complaining that the Obama administration has been unresponsive to media requests, has been overly sensitive to critical coverage and has fostered a climate in the capital that makes potential news sources reluctant to speak.

    David Sanger, chief Washington correspondent for The New York Times, said “this is the most closed, control freak administration I’ve ever covered.”

    Reply
  9. Tomi Engdahl says:

    Judge: Google’s Tracking Not Harmful
    http://blogs.wsj.com/digits/2013/10/10/judge-googles-tracking-not-harmful/

    It just got even tougher to stop a company from tracking your movements online.

    A federal judge in Delaware Wednesday dismissed a class-action lawsuit brought against Google and two other tech companies, arguing that the Web users who brought the case couldn’t prove that Google’s tracking practices caused them harm.

    The plaintiffs were users of web browsers from Apple and Microsoft, which have settings that block “cookies,” the tiny pieces of code placed on computers to track users’ movements as they browse the Internet. The plaintiffs alleged that Google, and online advertisers Vibrant Media and the Media Innovation Group, had “tricked” the browsers into accepting cookies, and as a result were subject to targeted ads.

    U.S. District Judge Sue Robinson wrote that the companies had circumvented the browsers’ settings, allowing users’ personal information to be sold to ad companies. But the judge said that the plaintiffs couldn’t show that they suffered because the companies collected and sold their information.

    A Google spokeswoman said the company was “pleased” with the decision, which was earlier reported by Bloomberg. “Protecting the privacy and security of our users is one of our top priorities,” Google said in an emailed statement.

    Reply
  10. Tomi Engdahl says:

    Cloud Security: Mobile Startup Lookout Gets $55M Led By Deutsche Telekom To Go Global & Target Enterprise
    http://techcrunch.com/2013/10/10/mobile-security-app-lookout-takes-another-55m-led-by-deutsche-telekom-to-expand-in-europe-enterprise/

    Mobile security company Lookout is all about protecting user’s mobile devices against malicious threats, a business that today has 45 million customers. Today it’s raising its own profile a little bit more. The startup is announcing another $55 million in funding, led by strategic investor Deutsche Telekom, parent of T-Mobile. This will be used to help the company keep building out its service in Europe and other international markets, as well as towards the growth and launch of its enterprise services, specifically Lookout for Business, later this year.

    All of this is part of the company’s bigger ambition to become not just the Symantec of the mobile world, but the default security provider for all of your devices. “It’s become more than just a mobile application,” Hering said. “It’s a cloud platform.”

    The partnership that Lookout announced with Samsung in September, to partner with the OEM on its Knox enterprise platform, was a natural progression from that. “It’s the opportunity to leverage that consumer footprint to accelerate into the enterprise,” he said today.

    Lookout’s security platform is based around a “mobile threat dataset,” that it uses to weed out potentially harmful viruses, worms and so on, which has proven to be a problem particularly on Android devices. It’s also based on a collective, big data approach that improves as more people sign up. “As more people and devices connect to the network, Lookout’s platform becomes more intelligent, providing a safer experience for everyone,” the company notes. Or, as Hering put it to me today, “Our model and vision is leveraging big data to solve the security problem. The majority of that is in the cloud today, with the power of our user base contributing significantly to our threat intelligence. We think of ourselves as a big data company as much as anything.”

    “With the huge uptake of smartphone penetration, the ‘security for mobile devices’ topic has become much more important. It’s critical that we offer services that our customers trust,” said Heikki Mäkijärvi, SVP global strategic partnerships Deutsche Telekom

    Reply
  11. Tomi Engdahl says:

    Lavabit Files Opening Brief in Landmark Privacy Case
    http://www.wired.com/threatlevel/2013/10/lavabit-brief/

    Secure email provider Lavabit just filed the opening brief in its appeal of a court order demanding it turn over the private SSL keys that protected all web traffic to the site.

    “The government proposed to examine and copy Lavabit’s most sensitive, closely guarded records–its private keys–despite the fact that those keys were not contraband, were not the fruits of any crime, were not used to commit any crime, and were not evidence of any crime. Rather, the government obtained a warrant to search and seize Lavabit’s property simply because it believed that the information would be helpful to know as it conducted its investigation of someone else.”

    Reply
  12. Tomi Engdahl says:

    EU court holds news website liable for readers’ comments
    The European Court of Human Rights approves fine for news site
    http://www.computerworld.com.au/article/528799/eu_court_holds_news_website_liable_readers_comments/

    Seven top European Union judges ruled Thursday that a leading Internet news website is legally responsible for offensive views posted by readers in the site’s comments section.

    The European Court of Human Rights found that Estonian courts were within their rights to fine Delfi, one of the country’s largest news websites, for comments made anonymously about a news article, according to a judgment.

    Delfi argued that it was not responsible for the comments and that the fine violated E.U. freedom of expression laws. However the judges agreed that Article 10 of E.U. law allowed freedom of expression to be interfered with by national courts in order to protect a person’s reputation, as long as the interference was proportionate to the circumstances.

    Reply
  13. Tomi Engdahl says:

    Electronic Frontier Foundation bails from Global Network Initiative
    PRISM claims a casualty as EFF can’t bear to be associated with NSA
    http://www.theregister.co.uk/2013/10/11/electronic_frontiers_foundation_bails_from_global_network_initiative/

    The Electronic Frontiers Foundation (EFF) has resigned from the Global Network Initiative (GNI), citing the presence of GNI members who co-operated with the NSA as making its ongoing involvement untenable.

    The GNI was established in 2008 and aims to promote privacy and freedom of speech online. Its membership roster comprises academics, governments and plenty of IT companies. Among those in the latter category are Facebook, Google, Microsoft and Yahoo!

    The EFF signs off by wishing the GNI well and saying it hopes the two can work together.

    Reply
  14. Tomi Engdahl says:

    Finnish Police Commissioner Paatero: the greatest threat are cyber security threats

    The human digital footprint is growing and continuously offers better tools to criminals. In Finland and around the world there are professionals so tough that they have access to anywhere, says National Police Commissioner Mikko Paatero.

    National Police Commissioner Mikko Paatero admits that Finland should pay attention to the threats posed by the Internet. A rising concern is people’s ever-expanding digital footprint.

    We recorded information on the social network, search engines, Etukortti advantage as a navigator through. Enough information by combining and analyzing the tools we give noticing criminals.

    - The legislature is hard to keep up to date with the rapidly evolving field like communications and are responsible for.

    The goal is to be better informed about what kind of information the internet on the move. It requires, however, a broad cooperation between public authorities and the help from the private security industry.

    - Cyber security is now the biggest threat worldwide and in Finland. It does not know any boundaries, Paatero says.

    He points out that there is no need to stir up hysteria. One should, however, be aware of the risks and use common sense.

    Detecting fraud on the Internet is a form of art, where the police have a lot to learn.

    - There are things in which the toads are usually a little above, and the police are following suit. But this is our first priority in the future.

    Source: http://yle.fi/uutiset/poliisiylijohtaja_paatero_kyberturvallisuuden_vaarantuminen_suurimpia_uhkakuvia/6877353

    Reply
  15. Tomi Engdahl says:

    Court: NSA can continue sweeping phone data collection (Video)
    http://thehill.com/blogs/hillicon-valley/technology/328181-court-gives-nsa-permission-to-continue-massive-phone-data-collection

    The Foreign Intelligence Surveillance Court has granted the National Security Agency (NSA) permission to continue its collection of records on all U.S. phone calls.

    The Office of the Director of National Intelligence announced the court’s approval in a statement late Friday. The court authorizes the program for only limited time periods and requires that the government submit new requests every several months for re-authorization.

    Reply
  16. Tomi Engdahl says:

    C.I.A. Warning on Snowden in ’09 Said to Slip Through the Cracks
    http://www.nytimes.com/2013/10/11/us/cia-warning-on-snowden-in-09-said-to-slip-through-the-cracks.html?pagewanted=all&_r=0

    Just as Edward J. Snowden was preparing to leave Geneva and a job as a C.I.A. technician in 2009, his supervisor wrote a derogatory report in his personnel file, noting a distinct change in the young man’s behavior and work habits, as well as a troubling suspicion.

    The C.I.A. suspected that Mr. Snowden was trying to break into classified computer files to which he was not authorized to have access, and decided to send him home, according to two senior American officials.

    But the red flags went unheeded. Mr. Snowden left the C.I.A. to become a contractor for the National Security Agency, and four years later he leaked thousands of classified documents. The supervisor’s cautionary note and the C.I.A.’s suspicions apparently were not forwarded to the N.S.A. or its contractors, and surfaced only after federal investigators began scrutinizing Mr. Snowden’s record once the documents began spilling out, intelligence and law enforcement officials said.

    Reply
  17. Tomi Engdahl says:

    ICANN, W3C Call For End Of US Internet Ascendancy Following NSA Revelations
    http://techcrunch.com/2013/10/11/icann-w3c-call-for-end-of-us-internet-ascendancy-following-nsa-revelations/

    Key Internet stakeholders, including the Internet Corporation for Assigned Names and Numbers (ICANN), and the World Wide Web Consortium (W3C) have released a statement condemning pervasive government surveillance and calling for an internationalization of the Internet’s underlying framework.

    The Internet as we know it today is largely managed through a model that is multi-stakeholder, with various non-governmental groups keeping the trains on time. Through this system, no single government gets to hold sway over the Internet, which preserves its role as a catalyst for free speech, open inquiry, dialogue and porn.

    It works pretty well, all things considered.

    Would you like the United Nations determining what sort of speech fits the “common purpose”? Of course not. That’s why keeping elements of the Internet’s core structure in the United States, under our aegis, has been so beneficial; the free speech laws in this country are perhaps the most ironclad of any.

    However, post-NSA revelations, the United States has lost its standing as the Internet’s defender. Instead, it has been revealed that as a country we have systematically worked to undermine its encryption, and the inherent privacy that it grants users.

    Instead of keeping the Internet safe, we have built an industry designed on its subversion. And now the Internet is ready to break up with us.

    This is a damn shame. If we as a nation hadn’t decided that everyone’s Internet was our own plaything to abuse, the Internet could have kept its center of gravity here

    Reply
  18. Tomi Engdahl says:

    The core Internet institutions abandon the US Government
    http://www.internetgovernance.org/2013/10/11/the-core-internet-institutions-abandon-the-us-government/

    In Montevideo, Uruguay this week, the Directors of all the major Internet organizations – ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the World Wide Web Consortium, the Internet Society, all five of the regional Internet address registries – turned their back on the US government. With striking unanimity, the organizations that actually develop and administer Internet standards and resources initiated a break with 3 decades of U.S. dominance of Internet governance.

    A statement released by this group called for “accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing.”

    Underscoring the global significance and the determination of the group to have a global impact, the Montevideo statement was released in English, Spanish, French, Arabic, Russian and Chinese.

    Make no mistake about it: this is important. It is the latest, and one of the most significant manifestations of the fallout from the Snowden revelations about NSA spying on the global Internet. It’s one thing when the government of Brazil, a longtime antagonist regarding the US role in Internet governance, gets indignant and makes threats because of the revelations.

    Reply
  19. Tomi Engdahl says:

    Hey banks: Use Win XP after deadline? You’ll PAY if card data’s snaffled
    DPA fines and Payment Card Industry fines, it all adds up – watchdog
    http://www.theregister.co.uk/2013/10/14/pci_dss_compliance_at_risk_if_banks_use_windows_xp_after_microsoft_withdraws_support_services_regulatory_agencies_warn/

    Banks that use the Windows XP operating system will face a risk to their compliance with payment card data security rules if they continue to operate the software after Microsoft withdraws its extended support services, a US regulatory body has warned.

    Microsoft confirmed in 2010 that it would end “extended support” for Windows XP and Office 2003 on 8 April 2014. The Federal Financial Institutions Examination Council (FFIEC) has now called on financial institutions and technology service providers (TSPs) to “address the risk from the continued use of XP” beyond that date.

    “Microsoft will discontinue extended support for XP effective April 8, 2014,” the FFIEC said in a statement. “After this date, Microsoft will no longer provide regular security patches, technical assistance, or support for XP. Financial institutions, TSPs, and other third parties that use XP in personal computers, servers, and purpose-built devices such as automated teller machines (ATM), or that are dependent on applications that require use of XP could be exposed to increased operational risk.

    “Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorised additions, deletions, and changes of data. Additionally, financial institutions and TSPs that are subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and continue to use XP after April 8, 2014, may no longer be compliant,” it said.

    PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. The standard is currently in the process of being updated.

    “If businesses using XP have not already done so, they should now be holding internal discussions about the pros and cons of upgrading the operating system they use away from XP,” he said. “Upgrading is not the only option, however.

    “Businesses will be able to continue to use XP after Microsoft withdraws its extended support if the risks associated with that can be managed. They will no longer be able to rely on Microsoft flagging up security vulnerabilities and fixing those problems for them, though.”

    Reply
  20. Tomi Engdahl says:

    Hillary Clinton: we need to talk sensibly about spying
    http://www.theguardian.com/world/2013/oct/11/hillary-clinton-spying

    Former US secretary of state greets debate as British shadow home secretary calls for oversight of intelligence

    Hillary Clinton has called for a “sensible adult conversation”, to be held in a transparent way, about the boundaries of state surveillance highlighted by the leaking of secret NSA files by the whistleblower Edward Snowden.

    “We need to have a sensible adult conversation about what is necessary to be done, and how to do it, in a way that is as transparent as it can be, with as much oversight and citizens’ understanding as there can be.”

    The conciliatory language of Clinton and Cooper contrasted with that of MI5, whose director general, Andrew Parker, warned earlier this week that the leaked documents by Snowden had provided a gift to terrorists.

    Straw, foreign secretary during the Iraq war in 2003, told the BBC: “They’re blinding themselves about the consequence and also showing an extraordinary naivety and arrogance in implying that they are in a position to judge whether or not particular secrets which they have published are not likely to damage the national interest, and they’re not in any position at all to do that.”

    Reply
  21. Tomi Engdahl says:

    Brazil whacks PRISM with secure email plan
    President Tweets desire to protect against ‘possible espionage’
    http://www.theregister.co.uk/2013/10/14/brazil_waxes_lyrical_on_security/

    A week after joining a consortium calling for the USA’s currently cold, dead, fingers to be pried off the internet’s internal machinery, Brazil has announced that it will develop a secure e-mail system to try and protect its government-level communications against American spying.

    The nation’s President Dilma Rousseff used the secure messaging channel Twitter to make the announcement that she’s going to order SERPRO – that country’s federal data processing service – to implement a whole-of-government secure e-mail system.

    Reply
  22. Tomi Engdahl says:

    Back door found in D-Link routers
    D-secret is D-logon string allowing access to everything
    http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/

    A group of embedded device hackers has turned up a vulnerability in D-Link consumer-level devices that provides unauthenticated access to the units’ admin interfaces.

    The flaw means an attacker could take over all of the user-controllable functions of the popular home routers, which includes the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units. According to the post on /DEV/TTYS0, a couple of Planex routers are also affected, since they use the same firmware.

    A Binwalk extract of the DLink DIR-100 firmware revealed that an unauthenticated user needs only change their user agent string to xmlset_roodkcableoj28840ybtide to access the router’s Web interface with no authentication.

    Some commentards to that post claimed to have successfully tested the backdoor against devices visible to the Shodan device search engine.

    At this point, there’s no defence against the backdoor, so users are advised to disable WAN-port access to the administrative interfaces of affected products.

    Reply
  23. Tomi Engdahl says:

    D-Link Router backdoor vulnerability discovered
    http://techgeek.com.au/2013/10/13/d-link-router-backdoor-vulnerability-discovered/

    A rather worrying security vulnerability has been discovered which is affecting several D-Link branded modem routers. Posted on a website dedicated to Embedded Device Hacking, /dev/ttyS0, the vulnerability was discovered when one of its writers reverse engineered a firmware update from D-Link.

    The security vulnerability will allow full access into the configuration page of the router without knowing the username and password. According to the blog post, when you set your user-agent on your browser to a certain string, the modem will skip the authentication functions and simply log you straight into the router – allowing you to configure anything at your leisure.

    TechGeek has independently verified the vulnerability on one of the affected models.

    According to the blog post, firmware version 1.13 is affected, as well as a small number of known D-Link products:

    DIR-100
    DI-524
    DI-524UP
    DI-604S
    DI-604UP
    DI-604+
    TM-G5240

    Most of the routers above are end-of-life routers and most likely not supported by D-Link anymore.

    Reply
  24. Tomi Engdahl says:

    Europe won’t save you: Why e-mail is probably safer in the US
    German firms aren’t allowed to say anything if they have to hand data over.
    http://arstechnica.com/tech-policy/2013/10/europe-wont-save-you-why-e-mail-is-probably-safer-in-the-us/

    Last week, a United States federal appellate court unsealed a set of documents pertaining to Lavabit, the e-mail provider of choice for former National Security Agency contractor Edward Snowden. The documents show that Lavabit’s founder, Ladar Levison, strongly resisted government pressure that would have resulted in the privacy of all users being compromised as a way to get at Snowden’s e-mail. Levison went so far as to shutter the company, destroying its servers entirely.

    “People using my service trusted me to safeguard their online identities and protect their information,” Levison wrote in a press release last Wednesday. “I simply could not betray that trust.”

    The Lavabit case is the best known example of a company willing to go to extreme lengths in order to protect its customers’ privacy. Since Lavabit has fallen (as has Silent Circle’s Silent Mail service), many journalists and business people have speculated that foreign e-mail providers might have policies that would theoretically be more resistant to government intrusion, particularly in Europe and especially in Germany and Switzerland, which have strong data protection and privacy laws.

    But a closer look at German law in particular reveals that a German e-mail provider certainly wouldn’t offer more protection—and would likely offer less—than a similar American e-mail provider.

    While there are many choices out there, we’re going to focus on one American service (Riseup.net) and one German service (Posteo.de) to better understand what foreign privacy policies state and what their legal requirements actually are.

    Clearly, properly encrypted e-mail offers the best security for messages both in transit and at rest. But as many Ars readers who have acted as informal tech support for their non-techy friends and family can attest, relatively few people are going to be encrypting all their e-mails by default anytime soon. So the next best thing might just be to choose an e-mail provider that will collect as little of your information as possible and will not easily turn over what other information it does have, such as IP logs or even user e-mail accounts themselves. (And yes, you can roll your own mail server or have proper hosting—but a lot of people want just turnkey e-mail. Again, think about what your family members use.)

    “In terms of privacy, anything is better than Google, I’d guess,” Ralf Bendrath, a senior policy advisor to a German member of the European Parliament, told Ars. “In terms of usability, of course not. Everybody has to decide for himself or herself where the priorities are, I guess.”

    “German law forbids providers to talk about inquiries for user data or handing over user data,” Löhr added. “We are currently investigating a possible way with our lawyer to issue a transparency report about questions from police like Google, Microsoft, and [many] other US providers do, but we can not promise we will be able to do so. We try hard.”

    In America, the targets of criminal search warrants almost always don’t know those warrants are coming, as they’re typically sealed. The United States also has National Security Letters, which prevent recipient companies from speaking about searches publicly. And as the Foreign Intelligence Surveillance Court has come under greater scrutiny, it’s become more common knowledge that its orders are sealed as well.

    So while Germany may not have secret courts, its e-mail services still have to adhere to court orders that cannot be disclosed to its targets.

    Reply
  25. D-link firewall teardown and vulnerability « Tomi Engdahl’s ePanorama blog says:

    [...] hard-coded passwords that pass all the checks to their devices that are supposed to be secure. This kind of secrets will be revealed all too often. In this case the secret was in firmware update packet in plain text inside the [...]

    Reply
  26. Tomi Engdahl says:

    NSA collects millions of e-mail address books globally
    http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

    The National Security Agency is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden.

    The collection program, which has not been disclosed before, intercepts e-mail address books and “buddy lists” from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers.

    Reply
  27. Tomi Engdahl says:

    D-Link to padlock router backdoor by end of October
    The backdoor lets attackers change a router configuration without authenticating
    http://www.computerworld.com/s/article/print/9243201/D_Link_to_padlock_router_backdoor_by_end_of_October

    D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.

    The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces.

    “If your browser’s user agent string is ‘xmlset_roodkcableoj28840ybtide’ (no quotes), you can access the web interface without any authentication and view/change the device settings,”

    When read in reverse, the last part of this hard-coded value is “edit by 04882 joel backdoor.”

    D-Link will release firmware updates to address the vulnerability in affected routers by the end of October, the networking equipment manufacturer said via email.

    According to Heffner, the affected models likely include D-Link’s DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240 and possibly DIR-615.

    Reply
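
    A defender's check for the backdoor described in comments 22, 23 and 27, as an added example (not code from the articles, from /dev/ttyS0 or from D-Link): it scans web access logs for the quoted User-Agent value and singles out WAN-side sources whose requests were actually served. The combined log format, the LAN range, the request paths and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# User-Agent value quoted in the articles above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumption: the router's LAN side; every other source counts as WAN-side.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/24")]

# Apache/nginx "combined" access-log format (assumed log source, e.g. a
# reverse proxy or sensor in front of the router's web interface).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample input, not real traffic.
SAMPLE_LOG = """\
192.168.0.23 - - [14/Oct/2013:09:12:01 +0000] "GET / HTTP/1.1" 401 312 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
203.0.113.77 - - [14/Oct/2013:09:14:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.77 - - [14/Oct/2013:09:14:52 +0000] "POST /config HTTP/1.1" 200 944 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.9 - - [14/Oct/2013:10:02:13 +0000] "GET / HTTP/1.0" 401 312 "-" "XMLSET_roodkcableoj28840ybtide"
192.168.0.50 - - [14/Oct/2013:10:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"
this line is not in combined format
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_lan(src):
    """True if src is an IP address inside one of the configured LAN networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or junk in the source field: not LAN
    return any(addr in net for net in LAN_NETS)


def find_backdoor_hits(lines):
    """Return one record per request that carried the backdoor User-Agent."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        # Detection choice: case-insensitive substring match, so scanners
        # that vary case or pad the value are still recorded.
        if BACKDOOR_UA not in rec["ua"].lower():
            continue
        hits.append({
            "line": lineno,
            "src": rec["src"],
            "ts": rec["ts"],
            "request": rec["request"],
            # 2xx/3xx means the interface answered without demanding a login.
            "served": rec["status"][0] in "23",
            "wan_side": not is_lan(rec["src"]),
        })
    return hits


def summarize(hits):
    """Aggregate hits per source address."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(
            h["src"], {"requests": 0, "served": 0, "wan_side": h["wan_side"]}
        )
        entry["requests"] += 1
        entry["served"] += int(h["served"])
    return summary


def exposed_sources(summary):
    """WAN-side sources that got at least one served response: triage first."""
    return sorted(s for s, e in summary.items() if e["wan_side"] and e["served"])


if __name__ == "__main__":
    report = summarize(find_backdoor_hits(SAMPLE_LOG.splitlines()))
    for src, entry in sorted(report.items()):
        print(src, entry)
    print("WAN-side sources served without login:", exposed_sources(report))
```

    A served WAN-side hit means the admin interface is reachable from outside, which is the exposure the articles advise closing by disabling WAN-port access to the administrative interface.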
  28. Tomi Engdahl says:

    The NSA’s problem? Too much data.
    http://apps.washingtonpost.com/g/page/world/the-nsas-overcollection-problem/517/

    The National Security Agency’s Special Source Operations branch manages “partnerships” in which U.S. and foreign telecommunications companies allow the NSA to use their facilities to intercept phone calls, e-mails and other data. This briefing describes problems with overcollection of data from e-mail address books and buddy lists, as well as NSA efforts to filter out what it does not need.

    Reply
  29. Tomi Engdahl says:

    According to stats collected by NameSpace, .tel, .no, .xxx, .ie, .nz, .cz and .ch are the safest top-level domains.

    Source: https://twitter.com/mikko/status/389700513270222848/photo/1

    Reply
  30. Tomi Engdahl says:

    Linux RNG May Be Insecure After All
    http://it.slashdot.org/story/13/10/14/2318211/linux-rng-may-be-insecure-after-all

    “As a followup to Linus’s opinion about people skeptical of the Linux random number generator, a new paper analyzes the robustness of /dev/urandom and /dev/random”

    “we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly.”

    “it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.”

    Of course, you might not even be able to trust hardware RNGs.

    Reply
  31. Tomi Engdahl says:

    Nude Photo of Tampere is not the only case – Yankee moralism limits the Finnish media

    Google, Facebook, and other U.S. Internet companies regulate the way the Finnish media get their message across.
    The Tampere University of Applied Sciences nude model drawing was too much for Facebook. The link to the news item was removed, and the IS’s Facebook administrators were blamed for this.

    Facebook is not the only one of its kind. Also, Google snarled the evening Sanomat, the bikini was too much and he is the 2013 GTI-girl -article. This does not even take any nudity. The company does not accept bikini Google ads.

    We’re in a situation where American listed companies regulated by the morality of what the Finnish media to publish any given channels.

    As you can see, this affects news and entertainment content.
    The American attitude toward nudity and sexuality is, in its most neutral form, pretty limiting.

    Facebook and partners can not influence what newspapers publish their own web pages and paper. However, they can influence what they can not tell the social network.

    It is easy to say “then just don’t post to Facebook.” That is not so. In a digitized world, social media is an important way for the media to communicate with the audience and to convey news, as well as lighter content, quickly and directly.

    The setting is tricky to say the least, when internet companies governed the world from the other side being transmitted in the news. There are two problems.

    Still smacks of a dominant market position misappropriation. The actual discussion is very little.

    Second, the boundaries will be drawn on the companies’ place of morality that. There is, therefore, not accepted the fact that all over the suitability of the cross do not go in the same place.

    Finland is the best country in the freedom of the press to measure the countries on the list, coming second with the Netherlands and Norway.

    Source: http://www.iltasanomat.fi/digi/art-1288609755457.html

    Reply
  32. Tomi Engdahl says:

    Feds Demand Supreme Court Thwart Challenge to NSA Phone Spying
    http://www.wired.com/threatlevel/2013/10/scotus-nsa-phone-metadata/

    The President Barack Obama administration is urging the Supreme Court to reject a challenge to the National Security Agency’s once-secret telephone metadata spying program.

    The filing — the first government briefing on the topic to reach the Supreme Court — was in response to the Electronic Privacy Information Center’s petition asking the justices to halt the program that was disclosed by NSA leaker Edward Snowden.

    Among other defenses, the administration said Friday that only the phone companies can challenge the secret orders from the Foreign Intelligence Surveillance Court to hand over metadata of every call made to and from the United States.

    “The ongoing collection of the domestic telephone records of millions of Americans by the NSA, untethered to any particular investigation, is beyond the authority granted by Congress to the FISC …” according to EPIC’s petition.

    Reply
  33. Tomi Engdahl says:

    Exclusive: Greenwald exits Guardian for new Omidyar media venture
    http://www.reuters.com/article/2013/10/15/us-usa-security-greenwald-idUSBRE99E18D20131015

    Glenn Greenwald, who has made headlines around the world with his reporting on U.S. electronic surveillance programs, is leaving the Guardian newspaper to join a new media venture funded by eBay founder Pierre Omidyar, according to people familiar with the matter.

    a blog post on Tuesday that he was presented with a “once-in-a-career dream journalistic opportunity” that he could not pass up.

    Reply
  34. Tomi Engdahl says:

    Exclusive: Glenn Greenwald Will Leave Guardian To Create New News Organization
    http://www.buzzfeed.com/bensmith/exclusive-glenn-greenwald-will-leave-guardian-to-create-new

    The reporter who broke the NSA story promises “a momentous new venture.” A “very substantial new media outlet” with serious backing, he says.

    Glenn Greenwald, the lawyer and blogger who brought The Guardian the biggest scoop of the decade, is departing the London-based news organization, for a brand-new, large-scale, broadly focused media outlet, he told BuzzFeed Tuesday

    Reply
  35. Tomi Engdahl says:

    Removing my children from the Internet
    http://www.ryan-mclaughlin.com/fatherhood/removing-children-internet/

    About a week ago I began deleting all photos and videos of my children from the Internet. This is proving to be no easy task. Like many parents, I’ve excitedly shared virtually every step, misstep and milestone that myself and my children have muddled our way through.

    To be honest, aside from making sure my Facebook privacy permissions were set, I hadn’t given a whole lot of thought about sharing photos of the kids online.

    My view on sharing photos of the kids has always been that the advantages of having an easy, centralized way of sharing photos with an extended family that are thousands of kilometres away outweighed the largely fictional threat of creepy people having access to them.

    In the months since, I’ve returned to topic a few times and found myself increasingly conflicted about things.

    It forced me to really dig deep into why I share photos of my kids. Convenience? Sure. But there are convenient ways to share photos with family that don’t run the risk of my kids unwittingly being used in advertisements or enshrined in Google Image searches for all time. While Zoë Stagg attributes it to ego, and while there is some science to back that up, I believe it was pride that was leading me to share.

    And so I’ve taken a tip from Amy Webb’s article and expanded on something I had already done to a limited extent — in addition to removing all media featuring them from the public Internet, I’ve created a digital trust of sorts. I’ve registered domain names and e-mail accounts for both boys. They may never use them, but at least they’ll have the option to in the future

    It may be inevitable that when they grow tall enough to have cameras and social media accounts they’ll share every mundane and embarrassing detail of their lives, with Facebook and Google mining it all for advertisers. And so be it, such is the world in which we live.

    Reply
  36. Tomi Engdahl says:

    Ask Slashdot: Why Isn’t There More Public Outrage About NSA Revelations?
    http://ask.slashdot.org/story/13/10/15/2251201/ask-slashdot-why-isnt-there-more-public-outrage-about-nsa-revelations

    “Whereas the initial news reports about NSA spying in June kicked off a firestorm of controversy and discussion (aggravated by the drama of Snowden seeking asylum in pretty much any country that would have him), the unveiling of the NSA’s Great Contact-List Caper has ranked below the news stories such as the government shutdown, negotiations over Iran’s nuclear program, and invites for Apple’s upcoming iPad event on aggregators such as Google News; it also didn’t make much of a blip on Twitter and other online forums. There’s the very real possibility that Americans, despite the assurances of government officials, are being monitored in a way that potentially violates their privacy.”

    Reply
  37. Tomi Engdahl says:

    A Court Order is an Insider Attack
    https://freedom-to-tinker.com/blog/felten/a-court-order-is-an-insider-attack/

    Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?

    The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack.

    To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party

    From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.

    Insider attacks are a big problem. You might have read about a recent insider attack against the NSA by Edward Snowden. Similar but less spectacular attacks happen all the time

    In the end, what led to Lavabit’s shutdown was not that the company’s technology was too resistant to insider attacks, but that it wasn’t resistant. The government got an order that would have required Lavabit to execute the ultimate insider attack, essentially giving the government a master key to unlock the data of any Lavabit user at any time. Rather than do this, Lavabit chose to shut down.

    Had Lavabit had in place measures to prevent disclosure of its master key, it would have been unable to comply with the ultimate court order—and it would have also been safe against a rogue employee turning over its master key to bad actors.

    Reply
  38. Tomi Engdahl says:

    The NSA Is Collecting Lots of Spam
    http://it.slashdot.org/story/13/10/15/1753235/the-nsa-is-collecting-lots-of-spam

    “One side effect of the NSA’s surveillance program is that a great deal of spam is getting swept up along with the actual communications data. Overwhelming amounts, perhaps.”

    Reply
  39. Tomi says:

    Finnish Communications Regulatory Authority : Intelligence services do not tempt the Finnish operators

    Communications Agency reports that foreign intelligence agencies are not approaching the Finnish telecoms operators to request for information. The conclusion is based on the operators’ answers to the Agency.

    Swedish Defence Radio Institute FRA acquired the rights to monitor all cross-border traffic.

    Sweden’s military intelligence the power to touch the Finnish as the majority of the Finnish outbound data traffic passing through Sweden.

    “At that time, we were concerned about the message traffic safety, but now the situation is slightly different when the service has been required to disclose information”, Saarimäki notes.

    According to Saarimäki, problems may arise when the Finnish operator is working in cooperation with a foreign partner, or a customer acquires the service directly from a service provider that operates under the laws of another country.

    “If the Finnish phone the customer is abroad and is responsible for Finland to an incoming call, it is his responsibility to assess whether any communication security risk,” says Saarimäki.

    Source: http://www.hs.fi/kotimaa/Viestint%C3%A4virasto+Tiedustelupalvelut+eiv%C3%A4t+kiusaa+suomalaisoperaattoreita/a1381888296197

    Reply
  40. Tomi says:

    Snowden leaks: David Cameron urges committee to investigate Guardian
    http://www.theguardian.com/world/2013/oct/16/snowden-leaks-david-cameron-investigate-guardian

    PM says leaks have damaged national security and suggests MPs could ‘examine issue and make further recommendations’

    David Cameron has encouraged a Commons select committee to investigate whether the Guardian has broken the law or damaged national security by publishing secrets leaked by the National Security Agency whistleblower Edward Snowden.

    He made his proposal in response to a question from former defence secretary Liam Fox, saying the Guardian had been guilty of double standards for exposing the scandal of phone hacking by newspapers and yet had gone on to publish secrets from the NSA taken by Snowden.

    Reply
  41. Tomi says:

    Akamai: Half Of All Internet Connections Now At 4Mbps+, Safari Remains Most Used Mobile Browser
    http://techcrunch.com/2013/10/16/akamai-half-of-all-internet-connections-now-at-4mbps-safari-remains-most-used-mobile-browser-globally/

    Threats

    Akamai, focused on helping things zip around as fast as possible, by default also tracks what is liable to slow that down. It notes it observed “attack traffic”, which will mean things like distributed denial of service attacks, come from some 175 unique countries or regions, and of those, Indonesia came out on top, growing its share of attack traffic by two-fold to 38% of all attacks. That helped it overtake China, which accounted for 33%, as the top attack dog. While the U.S. may be the target for many attacks, it’s increasingly become the origin of them.

    Indeed, when it comes to what regions and categories are seeing the most attacks, it looks like the crime follows the money. The Americas, and the U.S. specifically, saw the most DDoS attacks in Q2, and enterprise services are proving to be the most vulnerable, with e-commerce coming in at a close second.

    Breaking that out more, within enterprise, business services are taking the lead in DDoS attacks: Akamai says that this is the first time they’ve been in first position. Akamai notes that this was influenced specifically because of malicious activity in the Asia-Pacific region specifically. Additionally, this is the first time that pharmaceuticals and healthcare have made their way into the rankings — one of the downsides in the ongoing growth of e-health services (and something for those companies to get more aggressive in trying to guard against as they grow).

    The commerce threat, like the one in e-health, also underscores the ongoing trend of e-commerce and how it is growing in ubiquity. Akamai notes that unlike business services, these attacks happened worldwide and were not concentrated in a particular region.

    When it comes to what kinds of attacks are the most popular today, those targeting the http port (80) remain the top choice for malicious hackers, accounting for 24% of all attack traffic. Worryingly, https, SSL-based attacks (port 443) are growing and are 17% of all attack traffic (not exactly as secure as you would imagine). Port 445, Microsoft-DS, once the most popular for attacks, is at 15% of all traffic but growing faster than the top two. For those looking for safer pastures, port 8080, http alternate, is at 1.4% of all attack traffic.

    Reply
  42. Tomi Engdahl says:

    U.S. eavesdropping agency chief, top deputy expected to depart soon
    http://www.reuters.com/article/2013/10/16/us-usa-nsa-transition-idUSBRE99F12W20131016

    The director of the U.S. National Security Agency and his deputy are expected to depart in the coming months, U.S. officials said on Wednesday, in a development that could give President Barack Obama a chance to reshape the eavesdropping agency.

    Army General Keith Alexander’s eight-year tenure was rocked this year by revelations contained in documents leaked by former NSA contractor Edward Snowden about the agency’s widespread scooping up of telephone, email and social-media data.

    Alexander has formalized plans to leave by next March or April, while his civilian deputy, John “Chris” Inglis, is due to retire by year’s end, according to U.S. officials who spoke on condition of anonymity.

    NSA spokeswoman Vanee Vines said Alexander planned to leave office in the spring after three extensions to his tenure, and the process for picking his successor was still under way.

    “This has nothing to do with media leaks, the decision for his retirement was made prior; an agreement was made with the (Secretary of Defense) and the Chairman for one more year – to March 2014,” Vines told Reuters in an email.

    Reply
  43. Tomi Engdahl says:

    Dutch authorities: operators used data collected for the authorities in marketing

    Some Dutch mobile and internet operators have used information collected for the authorities’ needs in marketing without permission, a report by the communications authority reveals.

    Under EU law, mobile and internet operators must keep records of their customers’ communications traffic for six months to two years. The information is to be used mainly in investigations of serious crime and terrorism.

    Operators have the right to use some of the information for their own purposes, such as billing, market research and the provision of additional services. Use in marketing, however, would require separate permission from each customer.

    Companies’ use of the data without permission is a punishable offense.

    Bits of Freedom, an organization working for citizens’ digital rights, says it warned of potential abuses while the law was being prepared. The organization calls on its country’s government to drive change in the EU laws under which the data is stored.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/hollantilaisoperaattorit+kayttivat+viranomaisille+kerattyja+tietoja+markkinointiin/a938938

    Reply
  44. Tomi Engdahl says:

    AuthenTec cofounder shows off early prototype of Apple’s Touch ID
    By Lester Victor Marks
    http://appleinsider.com/articles/13/10/16/authentec-cofounder-shows-off-early-prototype-of-apples-touch-id

    F. Scott Moody, the cofounder of Apple-acquired company AuthenTec, gave a presentation this week on the origins of what is now the Touch ID technology found in the iPhone 5s, and AppleInsider was present for a hands-on with an early prototype fingerprint scanner.

    Early versions of Touch ID were dubbed FingerLoc, with a fingerprint scanning box connected via ribbon to another, even larger box.

    Though the early versions were both buggy and bulky, what drove FingerLoc was essentially “a piece of silicon” that was improved over time, he said.

    “We convinced people that the signal processing and work could be shrunk into an exceedingly small sensor that we eventually got down to 80 cents,” he said.

    The metal ring around early prototype scanners, just like the one in the iPhone 5s home button, works like a capacitor, sending a signal through the user’s finger that allows it to sense through the outer layer of dead skin, into an inner layer where the skin is alive. Moody said AuthenTec worked closely with a number of dermatologists in development to perfect the technology.

    Reply
  45. Tomi Engdahl says:

    The NSA’s New Code Breakers
    America’s using front companies, break-in artists, and hacktivists to spy on everyone — and only North Korea seems able to resist.
    http://www.foreignpolicy.com/articles/2013/10/15/the_nsa_s_new_codebreakers?page=0,0

    There was a time when the code breakers of the National Security Agency actually took the lead in solving enemy encryption systems. These days, not so much. In today’s NSA, it’s hackers, break-in artists, corporate liaisons, and shadow salesmen using front companies who are at the forefront of this effort. Even so-called “hacktivists” play an unwitting role in helping the NSA gain access to computer networks — both hostile and friendly.

    Just about the only place that’s somewhat immune to the NSA’s new style of code-breaking attacks? North Korea, because it’s so disconnected from the rest of the world’s networks.

    Former U.S. intelligence officials confirm that the more than 1,500 cryptanalysts, mathematicians, scientists, engineers, and computer technicians who comprise NSA’s elite cryptanalytic unit, the Office of Cryptanalysis and Exploitation Services (S31), have had a remarkably large number of code-breaking successes against foreign targets since the 9/11 attacks. But these wins were largely dependent on clandestine intelligence activities for much of their success in penetrating foreign communications networks and encryption systems, and not the more traditional cryptanalytic attacks on encrypted messages that were the norm during the Cold War era.

    The NSA today has more supercomputers than ever, and the agency still employs a number of puzzle-solvers, linguists, and math geeks. But these classic cryptanalysts have, in part, given way to a new breed.

    You won’t learn this in the files leaked by former NSA contractor Edward Snowden — at least not directly. According to individuals who have reviewed the entire collection of 50,000 documents provided to the media by Snowden, what is missing from the papers is any document which lays out in detail just how successful the agency’s code-breaking efforts have been.

    But the most sensitive of these clandestine techniques, and by far the most productive to date, is to covertly hack into targeted computers and copy the documents and message traffic stored on these machines before they are encrypted, a process known within the NSA as “Endpoint” operations. Responsibility for conducting these Endpoint operations rests with the computer hackers of the NSA’s cyberespionage unit, the Office of Tailored Access Operations (TAO).

    According to sources familiar with the organization’s operations, TAO has been enormously successful over the past 12 years in covertly inserting highly sophisticated spyware into the hard drives of over 80,000 computer systems around the world, although this number could be much higher. And according to the sources, these implants are designed in such a way that they cannot be detected by currently available commercial computer security software. It has been suggested to me by a reliable source that “this is not an accident,”

    Former agency personnel confirm that in innumerable instances, these TAO implants have allowed NSA analysts to copy and read all of the unencrypted documents stored on the targeted computer’s hard drive, as well as copy every document and email message produced and/or transmitted by the machine.

    But TAO doesn’t just spy on America’s rivals. In 2012, the group reportedly compromised the encryption system used by an important G-8 country to transmit sensitive diplomatic communications via satellite to its embassies around the world. The same is true with a number of countries in the Middle East and South Asia, including Egypt, Syria, Iran, and Pakistan, although the details of these successes are not yet known. And finally, sources report that TAO has successfully compromised the privacy protection systems currently used on a range of 4G cell phones and hand-held devices, thanks in large part to help from a major American telecommunications company.

    Over time, TAO has become increasingly accomplished at its mission, thanks in part to the high-level cooperation that it secretly receives from the “big three” American telecommunications companies (AT&T, Verizon, and Sprint), most of the large U.S.-based Internet service providers, and many of the top computer security software manufacturers and consulting companies.

    TAO is also very active in the global computer security industry marketplace, using the CIA, Defense Intelligence Agency, and State Department to help it keep close tabs on the latest computer security devices and software systems being developed around the world.

    The extreme sensitivity of TAO’s collection efforts has required the NSA to take extraordinary steps to try to disguise its computer-hacking activities. For instance, current and former intelligence sources confirm that TAO increasingly depends on clandestine techniques, such as commercial cover, to hide its activities. TAO uses an array of commercial business entities, some of them proprietary companies established specifically for this purpose, to try to hide its global computer-hacking activities from computer security experts in a maze of interlocking computer servers and command-and-control systems located in the United States and overseas that have no discernible link to the NSA or the U.S. government.

    Reply
  46. Tomi Engdahl says:

    How to Design — And Defend Against — The Perfect Security Backdoor
    http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/

    We already know the NSA wants to eavesdrop on the internet. It has secret agreements with telcos to get direct access to bulk internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext — encrypted information — and figure out which programs could have created it.

    But what the NSA wants is to be able to read that encrypted information in as close to real-time as possible. It wants backdoors, just like the cybercriminals and less benevolent governments do.

    And we have to figure out how to make it harder for them, or anyone else, to insert those backdoors.

    How the NSA Gets Its Backdoors

    The FBI tried to get backdoor access embedded in an AT&T secure telephone system in the mid-1990s. The Clipper Chip included something called a LEAF: a Law Enforcement Access Field. It was the key used to encrypt the phone conversation

    But the Clipper Chip faced severe backlash, and became defunct a few years after being announced.

    Having lost that public battle, the NSA decided to get its backdoors through subterfuge: by asking nicely, pressuring, threatening, bribing, or mandating through secret order. The general name for this program is BULLRUN.

    Defending against these attacks is difficult. We know from subliminal channel and kleptography research that it’s pretty much impossible to guarantee that a complex piece of software isn’t leaking secret information. We know from Ken Thompson’s famous talk on “trusting trust” (first delivered in the ACM Turing Award Lectures) that you can never be totally sure if there’s a security flaw in your software.

    Since BULLRUN became public last month, the security community has been examining security flaws discovered over the past several years, looking for signs of deliberate tampering. The Debian random number flaw was probably not deliberate, but the 2003 Linux security vulnerability probably was. The DUAL_EC_DRBG random number generator may or may not have been a backdoor. The SSL 2.0 flaw was probably an honest mistake. The GSM A5/1 encryption algorithm was almost certainly deliberately weakened. All the common RSA moduli out there in the wild: We don’t know. Microsoft’s _NSAKEY looks like a smoking gun, but honestly, we don’t know.

    How the NSA Designs Backdoors

    While a separate program that sends our data to some IP address somewhere is certainly how any hacker — from the lowliest script kiddie up to the NSA – spies on our computers, it’s too labor-intensive to work in the general case.

    For government eavesdroppers like the NSA, subtlety is critical. In particular, three characteristics are important:

    Low discoverability. The less the backdoor affects the normal operations of the program, the better.

    High deniability. If discovered, the backdoor should look like a mistake. It could be a single opcode change. Or maybe a “mistyped” constant.

    Minimal conspiracy. The more people who know about the backdoor, the more likely the secret is to get out. So any good backdoor should be known to very few people.

    These characteristics imply several things:

    A closed-source system is safer to subvert, because an open-source system comes with a greater risk of that subversion being discovered. On the other hand, a big open-source system with a lot of developers and sloppy version control is easier to subvert.

    If a software system only has to interoperate with itself, then it is easier to subvert.

    A commercial software system is easier to subvert, because the profit motive provides a strong incentive for the company to go along with the NSA’s requests.

    Protocols developed by large open standards bodies are harder to influence, because a lot of eyes are paying attention. Systems designed by closed standards bodies are easier to influence, especially if the people involved in the standards don’t really understand security.

    Systems that send seemingly random information in the clear are easier to subvert.

    Design Strategies for Defending Against Backdoors:

    Vendors should make their encryption code public, including the protocol specifications. This will allow others to examine the code for vulnerabilities.

    The community should create independent compatible versions of encryption systems, to verify they are operating properly.

    There should be no master secrets. These are just too vulnerable.

    All random number generators should conform to published and accepted standards. Breaking the random number generator is the easiest difficult-to-detect method of subverting an encryption system.

    Encryption protocols should be designed so as not to leak any random information.

    This is a hard problem.

    Reply
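The "independent compatible versions" strategy in comment 46, sketched as a differential test. This is an added example, not code from the comment or from the Wired article. The function names and the flawed "vendor" build are constructed for illustration, and both sides share Python's SHA-256, so only the HMAC construction is checked independently.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes


def _hmac_core(padded_key: bytes, msg: bytes) -> bytes:
    """Inner/outer hashing from RFC 2104 for a key already BLOCK bytes long."""
    ipad = bytes(b ^ 0x36 for b in padded_key)
    opad = bytes(b ^ 0x5C for b in padded_key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def hmac_independent(key: bytes, msg: bytes) -> bytes:
    """Independent HMAC-SHA256 written from the RFC 2104 text."""
    if len(key) > BLOCK:  # RFC 2104: keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    return _hmac_core(key.ljust(BLOCK, b"\x00"), msg)


def hmac_vendor_flawed(key: bytes, msg: bytes) -> bytes:
    """Constructed 'vendor' build with a deniable-looking slip: long keys are
    truncated instead of hashed, so key bytes past the 64th are ignored."""
    return _hmac_core(key[:BLOCK].ljust(BLOCK, b"\x00"), msg)


def hmac_reference(key: bytes, msg: bytes) -> bytes:
    """Second implementation to compare against (Python's hmac module)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def sample_bytes(label: str, n: int) -> bytes:
    """Deterministic test input, so every run compares the same cases."""
    return hashlib.shake_256(label.encode()).digest(n) if n else b""


def differential_test(candidate, reference, key_lengths, trials=8):
    """Return the key lengths at which candidate and reference disagree."""
    failing = []
    for klen in key_lengths:
        for t in range(trials):
            key = sample_bytes(f"key-{klen}-{t}", klen)
            msg = sample_bytes(f"msg-{klen}-{t}", 1 + 37 * t)
            if not hmac.compare_digest(candidate(key, msg), reference(key, msg)):
                failing.append(klen)
                break
    return failing


def ignores_key_tail(impl) -> bool:
    """True if two keys differing only after byte 64 yield the same MAC."""
    prefix = sample_bytes("shared-prefix", BLOCK)
    msg = b"constructed message"
    return impl(prefix + b"A" * 16, msg) == impl(prefix + b"B" * 16, msg)


SHORT_ONLY = [0, 1, 16, 32, 64]            # what a casual interop test covers
FULL_RANGE = SHORT_ONLY + [65, 100, 256]   # includes the long-key edge case

if __name__ == "__main__":
    print("independent vs reference:",
          differential_test(hmac_independent, hmac_reference, FULL_RANGE))
    print("flawed, short keys only: ",
          differential_test(hmac_vendor_flawed, hmac_reference, SHORT_ONLY))
    print("flawed, full key range:  ",
          differential_test(hmac_vendor_flawed, hmac_reference, FULL_RANGE))
    print("flawed ignores key tail: ", ignores_key_tail(hmac_vendor_flawed))
```

The flawed build interoperates perfectly with itself and passes any comparison limited to short keys; the deviation only shows up when a second implementation is compared across the edge cases of the specification.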
  47. Tomi Engdahl says:

    Think You Can Live Offline Without Being Tracked? Here’s What It Takes
    http://www.fastcompany.com/3019847/think-you-can-live-offline-without-being-tracked-heres-what-it-takes

    We asked the most privacy-aware people we could find what it would take to go off the radar. Hint: You’re going to need to do more than throw away your laptop.

    Reply
  48. Tomi Engdahl says:

    Most parents allow unsupervised internet access to children at age 8
    How old is too young for kids to go online unsupervised? Age 8, according to a Microsoft study.
    http://www.networkworld.com/community/blog/parents-allow-unsupervised-access-internet-and-devices-starting-age-8

    When you consider all types of devices with online connectivity — mobile phones, gaming consoles, tablets, laptops, PCs, smart TVs, e-readers, etc. — there is a good chance you are online as much, if not more, than you are offline. If you are a parent of a young child, then you probably have purchased techy toys for either fun or for learning; as your child grows, then you must also decide at what age your child can go online, for how long, where, and for what purposes. Microsoft asked 1,000 adults, both parents and non-parents, “How old is too young for kids to go online unsupervised?”

    Ninety-four percent of parents said they allow their kids unsupervised access to at least one device or online service like email or social networks. The poll found that most parents allow their kids access to gaming consoles and computers at age eight.

    However, when it comes to kids under the age of seven?

    41% of parents allow them to use a gaming console unsupervised.
    40% allow unsupervised access to a computer.
    29% of parents allow their kids under age 7 to use mobile apps unsupervised.

    The poll also asked about teaching online safety to kids. Eighty-nine percent of people without kids and 74% of parents “agree that parents should provide online safety guidance.”

    Are you flipping kidding me? If an eight-year-old child is online, unsupervised, without safety guidance, then that seems like a recipe for disaster. And kids installing mobile apps without supervision…does that mean they know all about checking out the permissions that apps ask for and what is and is not acceptable?

    Microsoft’s survey found that the average age is between 11 and 12 for kids to start using mobile phones, texting and social networks, which could still potentially be disastrous without some kind of parental online safety guidance.

    Reply
  49. Tomi Engdahl says:

    Privacy Fears Grow as Cities Increase Surveillance
    http://www.nytimes.com/2013/10/14/technology/privacy-fears-as-surveillance-grows-in-cities.html?_r=0

    Federal grants of $7 million awarded to this city were meant largely to help thwart terror attacks at its bustling port. But instead, the money is going to a police initiative that will collect and analyze reams of surveillance data from around town — from gunshot-detection sensors in the barrios of East Oakland to license plate readers mounted on police cars patrolling the city’s upscale hills.

    The new system, scheduled to begin next summer, is the latest example of how cities are compiling and processing large amounts of information, known as big data, for routine law enforcement. And the system underscores how technology has enabled the tracking of people in many aspects of life.

    The police can monitor a fire hose of social media posts to look for evidence of criminal activities; transportation agencies can track commuters’ toll payments when drivers use an electronic pass; and the National Security Agency, as news reports this summer revealed, scooped up telephone records of millions of cellphone customers in the United States.

    Reply
  50. Tomi Engdahl says:

    Nixu: these are the weak points of the Internet in Finland
    Indifference and strange choices

    The Finnish network environment is considered safe, but there is room for improvement. Security consulting company Nixu has identified problem areas by analyzing material collected by a hacker; the most typical are misconfigured network printers, unencrypted management connections and outdated web software versions.

    The analysis is based on material that an unknown hacker collected with a botnet over six months from servers openly reachable on the internet around the world. He named the project Internet Census of 2012.

    The Finnish portion of the data was about half a million. Senior security consultant Marko Ruotsalainen notes that the Finnish network still has plenty of room for improvement.

    “On too many servers, security updates have not been installed. The data contained 693 different software versions, in which a total of 985 known vulnerabilities were found. Most of the vulnerabilities were in web servers, in particular in older versions of the most popular web server software, Apache and PHP,” says Ruotsalainen in Nixu’s release.

    The network robot found in Finland a lot of services and connections that do not belong on the internet, such as industrial control software, remote management systems and network printers.

    “It was particularly puzzling that a large number of printers were visible on the network, as they should definitely be located behind protective firewalls. A network printer is also often used as a scanner, and scanned documents and printouts are stored in its memory. An attacker could thus obtain a company’s critical data through a simple printer. In addition, the printer can allow deeper penetration into the company’s internal network,” Ruotsalainen warns.

    Source: http://www.tietokone.fi/artikkeli/uutiset/nixu_nama_ovat_internetin_heikot_kohdat_suomessa

    Reply
