Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of new cyber threats against enterprises and mobile devices, so cyber security also concerns mobile.

Security is becoming an increasingly important issue, and 2013 is the year of cyber security. Security company Stonesoft predicts that we will face more targeted cyber attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will keep increasing. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and the willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012, and it warns people to expect this type of activity to continue.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and now test their devices more. But how are some of the smaller manufacturers doing their security testing? Metasploit has a special category for SCADA devices, and it is a good idea to test your own devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than a few years ago. Previously it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough: nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet. Accidental connections from isolated networks to the Internet happen, malware can spread through USB memory sticks (Stuxnet did that), and there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells how a search engine that indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls: it makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities, and it can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
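A device whose clock comes from GPS should not accept a timestamp just because the receiver reported it. The guard below is an added illustration (not from the article, any PMU vendor or any GPS stack) of the checks a defender can put between the receiver and the clock: it compares each GPS reading against a free-running local counter, rejects unexplained jumps, flags the specific signature of a 1024-week GPS week-counter wrap, and refuses values that would not fit a 32-bit time_t. The device model, the two-second tolerance and the sequence of readings are assumptions constructed for the demo.

```python
"""Sanity guard for a GPS-derived clock feeding a PMU or other SCADA device.

Added illustration; not from the article, any PMU vendor, or any GPS stack.
Hypothetical model: the device gets candidate Unix timestamps from a GPS
receiver and also keeps a free-running local tick counter it can trust.
"""
from dataclasses import dataclass

# The GPS week number is a 10-bit field, so it wraps every 1024 weeks.
GPS_WEEK_ROLLOVER_SECONDS = 1024 * 7 * 86400      # 619,315,200 s
# Largest value a signed 32-bit time_t can hold (19 Jan 2038).
INT32_MAX = 2**31 - 1
# Largest unexplained jump accepted without operator confirmation (assumption).
MAX_STEP_SECONDS = 2.0


@dataclass
class ClockGuard:
    trusted_time: float    # last accepted Unix time
    local_counter: float   # free-running local counter at that moment
    uses_32bit_time: bool = True

    def check(self, candidate: float, local_now: float) -> tuple[bool, str]:
        """Accept the GPS timestamp only if it agrees with the local counter."""
        expected = self.trusted_time + (local_now - self.local_counter)
        delta = candidate - expected
        if self.uses_32bit_time and not 0 <= candidate <= INT32_MAX:
            return False, "outside 32-bit time_t range: would roll the epoch"
        if abs(delta + GPS_WEEK_ROLLOVER_SECONDS) < MAX_STEP_SECONDS:
            return False, "exactly 1024 weeks behind: GPS week rollover signature"
        if abs(delta) > MAX_STEP_SECONDS:
            return False, f"step of {delta:+.1f} s exceeds {MAX_STEP_SECONDS} s"
        self.trusted_time, self.local_counter = candidate, local_now
        return True, "accepted"


def demo() -> list[tuple[bool, str]]:
    """Feed a constructed sequence of GPS readings through the guard."""
    guard = ClockGuard(trusted_time=1357689600.0, local_counter=1000.0)  # 2013-01-09 00:00 UTC
    readings = [
        (1357689601.0, 1001.0),                              # normal tick
        (1357689602.0 - GPS_WEEK_ROLLOVER_SECONDS, 1002.0),  # week-counter wrap
        (1357689603.0 + 3600.0, 1003.0),                     # unexplained one-hour jump
        (float(2**31), 1004.0),                              # would overflow time_t
        (1357689605.0, 1005.0),                              # back to normal
    ]
    return [guard.check(t, tick) for t, tick in readings]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The guard only advances its trusted time on an accepted reading, so a rejected jump does not poison the baseline that the next reading is judged against; a real device would additionally raise an alarm after a run of rejections, since a receiver that keeps reporting an impossible time is itself evidence worth logging.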


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for a considerable amount of money and quickly included in exploit kits.

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and that, combined with lax law enforcement, is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police has started: the EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and it will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    How to protect against targeted attacks?

    Rate the correct information!

    If an organization does not know what information is valuable to it, there is no reason to imagine that the information leaks can be avoided.

    Although how does the mind emphasizes that confidentiality is an important role that will focus on the protection of confidential information, in any case, must not be forgotten ensuring data integrity and availability of the implementation.

    Finland has not just been examples of false, altered content of the information was misused, but even that day even comes. Instead, the challenge of ensuring access to information is encountering increasingly more easily carried out denial of service attacks (dos) form

    When the data classification, there are guidelines, the organization must have the means to carry it out, and just in the traditional physical level (eg, facilities) and on a technical level (information systems, and other tools used in data communications solutions).

    Security threats, and more cyber threats, appeared to more closely supervising the fact that the organization’s highest level of confidential information should be handled in an environment where there is no connection to the Internet. For example, the top three stage classification, ie in a secret level (classification * Top Secret *) data should be handled in this way. These data, as well as those dealing with clients would be, therefore, entirely from the Internet or other lower-level networks separated (isolated network environment).

    Information from the outside world is brought to such an environment carefully thought-out, a standard method, such as an encrypted USB stick, which pays special attention to cleanliness (see Stuxnet and closed networks pollution).

    The middle level (classification * secret *) mean the kind of information that should deal with Internet-connected devices to the network, but from the terminal should not be into direct contact

    If the user’s session can be infected with malware, a threat only to end the session terminated, in which case the user’s workstation, and there are the confidential information will remain protected.

    The third level (classification * Confidential *) data can be processed in the normal terminals, which are connected to the Internet normally, for example a solid connection or wireless wlan or 3g/4g.

    When these two things, namely classification and architecture are in place, an organization must have the technical and administrative means to implement these solutions. They need to instruct and train the users!

    Source: http://www.tietoviikko.fi/blogit/turvasatama/miten+suojautua+kohdistetuilta+hyokkayksilta/a945351

    Reply
  2. Tomi Engdahl says:

    Kaspersky: National strategy does not guarantee security

    International Cybercrime must be handled with agreements between states.

    This is the only way for countries to protect their most sensitive data from hackers, Russian Kaspersky Lab’s chairman and CEO Eugene Kaspersky said on Thursday in Canberra.

    Kaspersky considers security attacks extremely dangerous.

    “Cyber attacks erode international confidence. Domestic players will be tempted to resort to two systems, one public and one reserved for businesses and the public sector operators,” Kaspersky said.

    In his opinion, two systems are a dangerous option.

    “Businesses and public sector organizations are initially satisfied, but how to budget your money and human resources are sufficient in the end these double systems,” Kaspersky asks.

    “It is an unhappy fact that the internet has no boundaries. Therefore cyber-attacks easily spread from country to country. It is known that there are hot spots of security attacks in the world. Nevertheless, in the end everyone uses similar systems, which facilitates the undermining work of international cyber criminals.”

    “Because cyberspace is similar to all work countries, not the individual states can not resort to the national security strategies behind. Data security is required of state and government co-operation,” Kaspersky says.

    According to him, the national security organizations today are people in need, even scared.

    “They just do not know how to cope with alone. Moreover, the weapons used to attack public sector organizations do not realize that security attacks work like a boomerang: Attacks returning to the thrower’s hand,”

    Source: http://www.tietoviikko.fi/cio/kaspersky+kansallinen+strategia+ei+takaa+tietoturvaa/a945506

    Reply
  3. Tomi Engdahl says:

    Cyber espionage ‘extremely dangerous’ for international trust: Kaspersky
    http://www.zdnet.com/cyber-espionage-extremely-dangerous-for-international-trust-kaspersky-7000022915/

    Summary: Individual national strategies for ‘cyber resilience’ have no place on the borderless internet.

    “If nations don’t trust each other in cyberspace, the next step is to separate it [into] two networks. One public network, and one enterprise and government. It’s an obvious step, and I’m not the first man to talk about that,” he said.

    “I’m afraid it’s a very bad option … governments and enterprises will be happier, because they have a secure, unhackable network. Good news? No. First of all, there will be much less investment in the public segment. Governments and enterprises leaving the public space means that the budget’s running away. Second, do you have enough engineers to build an Australian national network?”

    Kaspersky called for more education for network engineers and security specialists several times during his speech.

    He also reinforced his oft-repeated message that attacks against critical infrastructure have the potential to cause collateral damage, as systems other than the intended targets can become infected, and that once a cyber weapon has been deployed, it can easily be reverse-engineered and used by others.

    “Unfortunately, the internet doesn’t have borders, and the attacks on very different systems somewhere far, far away from you in the very ‘hot’ areas of this world — maybe in the Middle East, or somewhere in Pakistan or India, or in Latin America, it doesn’t matter — they have the very same computer systems, they have the very same operating systems, the very same hardware,” he said.

    “Unfortunately, it is very possible for other nations, which are not in the conflict, will be victims of the cyber attacks on the critical infrastructure.”

    “Departments which are responsible for national security, for national defence, they’re scared to death. They don’t know what to do,” Kaspersky said.

    “Departments which are responsible for offence, they see it as opportunity. They don’t understand that in cyberspace, everything you do, it’s a boomerang. It will get back to you.”

    Reply
  4. Tomi Engdahl says:

    Tim Berners-Lee: encryption cracking by spy agencies ‘appalling and foolish’
    Inventor of world wide web condemns ‘dysfunctional and unaccountable’ oversight as intelligence chiefs face MPs
    http://www.theguardian.com/world/2013/nov/06/tim-berners-lee-encryption-spy-agencies

    Sir Tim Berners-Lee, the computer scientist who created the world wide web, has called for a “full and frank public debate” over internet surveillance by the National Security Agency and its British counterpart, GCHQ, warning that the system of checks and balances to oversee the agencies has failed.

    In an interview with the Guardian, he expressed particular outrage that GCHQ and the NSA had weakened online security by cracking much of the online encryption on which hundreds of millions of users rely to guard data privacy.

    He said the agencies’ decision to break the encryption software was appalling and foolish, as it directly contradicted efforts of the US and UK governments to fight cybercrime and cyberwarfare, which they have identified as a national security priority. Berners-Lee also said it was a betrayal of the technology industry.

    Reply
  5. Tomi Engdahl says:

    U.S. weighs option to end dual leadership role at NSA, Cyber Command
    http://www.washingtonpost.com/world/national-security/us-weighs-proposal-to-end-dual-leadership-role-at-nsa-cyber-command/2013/11/06/e64a23d8-4701-11e3-b6f8-3782ff6cb769_story.html

    The Obama administration is considering ending a controversial policy that since 2010 has placed one military official at the head of both the nation’s largest spy agency and its cyber-operations command, U.S. officials said.

    National Security Council officials are scheduled to meet soon to discuss the issue of separating the leadership of the National Security Agency and Cyber Command, a shift that some officials say would help avoid an undue concentration of power in one individual and separate entities with two fundamentally different missions: spying and conducting military attacks.

    Reply
  6. Tomi Engdahl says:

    Time for Internet Engineers to Fight Back Against the “Surveillance Internet”
    http://www.technologyreview.com/view/521306/time-for-internet-engineers-to-fight-back-against-the-surveillance-internet/

    Amid torrent of revelations that the NSA finds mass surveillance easy, the IETF ponders how to harden the Internet.

    Will the usually obscure Internet Engineering Task Force – that open-to-anyone group of engineers who design and keep the ‘net functioning – step up and fight back against mass surveillance? That possibility is now in the air, following a talk in Vancouver today by cryptographer Bruce Schneier (see “Bruce Schneier: NSA Spying is Making us Less Safe”). He laid partial responsibility of the National Security Agency’s mass surveillance on the IETF’s doorstep.

    “Fundamentally, surveillance is a business model of the Internet. The NSA didn’t wake up and say: ‘Let’s just spy on everybody, it said: ‘Wow, corporations are spying on everybody, let’s get ourselves a copy,’ ” he said, referring to the cloud computing providers and others who warehouse data. The NSA found the Internet quite easy to tap in various places; as a result, “The NSA has turned the Internet into a giant surveillance platform” that is robust both politically, legally, and technologically, he added.

    The basic problem is that at its core, the existing ‘net is merely a bigger and fancier version of the original one that assumed everyone was honest and trustworthy (all of the early users were researchers in government and academic labs).

    The good news is that encryption in various parts of the existing network can go a long way to thwarting NSA surveillance and other eavesdropping

    simply by making it that much harder to spy, and thus forcing the NSA or other eavesdroppers to conduct targeted surveillance, rather than scooping everyone’s data. “We have made surveillance too cheap, and we need to make it more expensive,” Schneier added. “We’ve ended up with a public-private surveillance alliance.”

    Reply
  7. Tomi Engdahl says:

    Governments worldwide buried in the Snowden avalanche
    http://blogs.reuters.com/jackshafer/2013/11/07/governments-worldwide-buried-in-the-snowden-avalanche/

    If the U.S. and British governments could stop the press from publishing stories based on the National Security Agency files leaked by Edward Snowden in June, they probably would have acted by now.

    Oh, the Guardian was coerced by the British government into destroying the hard drives in London containing the leaked files, and London police used terrorism law to detain the partner of Glenn Greenwald — one of the journalists to whom Snowden leaked — at Heathrow Airport and confiscated computer media believed to contain leaked files.

    But these measures were largely for show.

    Meanwhile, hardly a week has expired since June without the publication of a new Snowden revelation somewhere in the world

    From the sidelines, the U.S. and British governments appear to be helpless, pitiful giants, to steal a phrase from Richard Nixon, when it comes to the NSA disclosures. Traditionally, the U.S. government has been more or less successful in getting the press to delay — or at least reduce the octane — of their most explosive national security stories

    Those techniques won’t work against the reporters writing about the Snowden leaks: Snowden outed himself as the source of the NSA files — essentially confessing to the espionage charge against him — so prosecutors can’t retaliate against Greenwald, the Washington Post‘s Barton Gellman, or filmmaker Laura Poitras, early recipients of the Snowden leaks, by using the courts to expose their sources.

    Reply
  8. Tomi Engdahl says:

    $1.2M Hack Shows Why You Should Never Store Bitcoins on the Internet
    http://www.wired.com/wiredenterprise/2013/11/inputs/

    Here’s your digital-currency lesson of the day, courtesy of a guy who calls himself TradeFortress: “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”

    That may sound like a paradox. Bitcoin is the world’s most popular digital currency, and it’s controlled by a vast collection of computers spread across the internet. But TradeFortress knows what he’s talking about. He’s the founder of inputs.io, a company that used to store bitcoins in digital wallets for people across the globe. The site was just hacked, with the bandits making off with more than a million dollars’ worth of bitcoins.

    Yes, bitcoins are digital. And, yes, bitcoin transactions necessarily happen on the internet. But you can store bitcoins offline, and that’s what the most careful of investors will do. A collection of bitcoins is essentially a private cryptographic key you can use to send money to someone else, and though you can store that key in an online digital wallet, you can also store it on an offline computer

    Reply
  9. Tomi Engdahl says:

    Life on the Forked Road
    http://www.linuxjournal.com/content/life-forked-road

    We are analog and digital. One is old, the other new. Civilizing the latter will take some work.

    On a panel at the last LinuxCon, Linus was asked if the US government ever wanted a backdoor added to Linux. He nodded “yes” while saying “no”.

    While we’re sure Linus meant what he said, his answer calls to mind the immortal words of Yogi Berra: “When you come to a fork in the road, take it.”

    We are at that fork now. We arrived when Edward Snowden began revealing to muggles what the wizards among us always knew, or at least suspected: that government spying on ordinary data communications among private individuals was not only possible, but happening.

    Reply
  10. Tomi Engdahl says:

    CERT-FI, if the attacker strikes, do not make fuss

    The worst mistake after a persistent cyber attack has been detected is trying to recover as quickly as possible. The network attacker is not in a hurry, so the victim should not be either.

    CERT-FI warns against acting improperly if your company or organization fears the worst has happened.

    “Do not make a fuss! Busy Rumble destroys the evidence and reveal the counterparty intentions, the mere chasing ghosts, “warn films.

    The victim must ensure that the evidence is collected. Even that is not easy, for “against a memory-and harassment-aware software, cryptography, special drivers, and custom file systems”.

    The data to be recorded includes network and system logs, the tools used by the intruder such as malware, the command server addresses, and user-agent and referer information.

    Source: http://www.tietokone.fi/artikkeli/uutiset/cert_fi_jos_hyokkaaja_iskee_ala_hosu

    Reply
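The evidence CERT-FI lists in the comment above (logs, command-server addresses, user-agent and referer strings) is only useful if it is preserved intact and then mined systematically. The script below is an added example, not CERT-FI's tooling: it fingerprints the log as collected so later analysis can be shown not to have altered it, parses Apache/nginx combined-format lines, and summarises user agents and referer hosts that point outside the organisation. The five log lines, the internal host list and the IP addresses (documentation ranges) are constructed for the demo.

```python
"""Preserve web-server logs and pull intruder indicators out of them.

Added example, not CERT-FI's tooling; the log lines are constructed for the
demo and use documentation IP ranges. Assumes the Apache/nginx "combined"
format, which carries both the Referer and the User-Agent fields.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: three ordinary browser hits, then a script-driven client
# hitting an uploaded PHP file with a referer pointing at an outside host.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2013:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "http://intranet.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
10.0.0.7 - - [08/Nov/2013:10:01:09 +0200] "GET /about.html HTTP/1.1" 200 1200 "http://intranet.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
10.0.0.9 - - [08/Nov/2013:10:01:30 +0200] "GET /news.html HTTP/1.1" 200 3300 "http://intranet.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
203.0.113.9 - - [08/Nov/2013:10:02:40 +0200] "POST /uploads/tmp.php HTTP/1.1" 200 88 "-" "python-urllib/2.7"
203.0.113.9 - - [08/Nov/2013:10:02:41 +0200] "GET /uploads/tmp.php HTTP/1.1" 200 64 "http://198.51.100.23/panel" "python-urllib/2.7"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

INTERNAL_HOSTS = {"intranet.example"}   # assumption: hosts known to be ours


def fingerprint(raw: bytes) -> str:
    """SHA-256 of the log as collected; record it before analysis touches the file."""
    return hashlib.sha256(raw).hexdigest()


def parse(raw: str) -> list[dict]:
    """Parse combined-format lines; unparseable lines are kept verbatim under 'raw'."""
    records = []
    for line in raw.splitlines():
        m = COMBINED_RE.match(line)
        records.append(m.groupdict() if m else {"raw": line})
    return records


def indicators(records: list[dict]) -> dict:
    """Count user agents and map external referer hosts to the client IPs that sent them."""
    ua_counts = Counter(r["ua"] for r in records if "ua" in r)
    external: dict[str, set] = {}
    for r in records:
        ref = r.get("referer", "-")
        if ref == "-":
            continue
        host = urlsplit(ref).hostname
        if host and host not in INTERNAL_HOSTS:
            external.setdefault(host, set()).add(r["ip"])
    return {"user_agents": ua_counts, "external_referers": external}


def rare_user_agents(records: list[dict], max_share: float = 0.5) -> list[str]:
    """User agents seen on no more than max_share of requests, rarest first."""
    counts = indicators(records)["user_agents"]
    total = sum(counts.values())
    return sorted((ua for ua, n in counts.items() if n / total <= max_share),
                  key=lambda ua: counts[ua])


if __name__ == "__main__":
    print("evidence sha256:", fingerprint(SAMPLE_LOG.encode()))
    records = parse(SAMPLE_LOG)
    summary = indicators(records)
    for ua, n in summary["user_agents"].most_common():
        print(f"{n:4d}  {ua}")
    for host, ips in summary["external_referers"].items():
        print("external referer host", host, "used by", sorted(ips))
    print("rare user agents:", rare_user_agents(records))
```

Run it against a copy of the log, never the original: the fingerprint is what ties the copy you analyse to the file you seized. Lines that do not parse are kept rather than dropped, because a malformed line in a web log is sometimes the intruder's own input and therefore evidence in its own right.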
  11. Tomi Engdahl says:

    TrueCrypt to go through a crowdfunded, public security audit
    http://www.net-security.org/secworld.php?id=15899

    After all the revelations about NSA’s spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted.

    Security experts have repeatedly said that if you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue

    And that is exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, Principal Scientist at Social & Scientific Systems, have set out to do.

    The software that will be audited is the famous file and disk encryption software package TrueCrypt.

    In order to fund the auditing project, Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total.

    The goals of the project are several:

    To implement deterministic / reproducible builds in order to be sure that the software binaries have not been tampered with.
    To do a complete source code audit conducted by a security evaluation company that is qualified to review cryptographic software.
    To do a legal review of the software licence, and see whether there is a way to allow TrueCrypt to be bundled with many of the popular Linux distributions.

    “The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what to trust anymore,”

    Reply
  12. Tomi Engdahl says:

    PSA: The Latest Google Play Services Update May Disable Android Device Manager (Remote Lock And Wipe) In Device Administrators
    http://www.androidpolice.com/2013/11/06/psa-the-latest-google-play-services-update-may-disable-android-device-manager-remote-location-and-wipe-in-device-administrators/

    It’s a simple fix: just check the version number of your Google Play Services app (it seems to be affecting both 4.0.30 and the slightly newer 4.0.31), then check the Device Administrators section of your Security settings page. If Android Device Manager isn’t enabled (and you want it to be), tap it and press activate. Problem solved.

    The larger issue is that this seems to be affecting users without alerting them, so at least some Android phones could be lost or stolen without having the location and wipe security feature that the owner was depending on.

    Reply
  13. Tomi Engdahl says:

    Chrome On Windows To Start Rejecting Extensions From Outside The Chrome Web Store In January
    http://techcrunch.com/2013/11/07/chrome-on-windows-to-start-rejecting-extensions-from-outside-the-chrome-web-store-in-january/

    Starting in January, Google’s Chrome browser will not allow you to install extensions that aren’t hosted in Google’s own Chrome Web Store.

    While Google had recently increased its security measures for keeping malicious extensions out of Chrome by adding additional warnings and disabling silent extension installs, the team clearly felt that it had to go a step further to keep Windows machines safe. The leading cause of complaints from its Windows users, Google says, is still due to malicious extensions that override browser settings and change the user experience in unexpected (and undesired) ways.

    Given that these malicious extensions are virtually always hosted outside of the Chrome Web Store, the team has decided to simply shut down the ability to install extensions from third-party sites.

    Reply
  14. Tomi Engdahl says:

    China military hackers persist despite being outed by U.S.: report
    http://www.reuters.com/article/2013/11/06/net-us-usa-china-hacking-idUSBRE9A51AN20131106

    (Reuters) – The disclosure early this year of a secretive Chinese military unit believed to be behind a series of hacking attacks has failed to halt the cyber intrusions, a U.S. computer security company and congressional advisory panel said on Wednesday.

    A report by the cybersecurity company Mandiant in February identified the People’s Liberation Army’s Shanghai-based Unit 61398 as the most likely culprit in hacking attacks on a wide range of industries. China’s Defense Ministry denied the accusations.

    “From what we can tell, they are still stealing the same type of data from the same industries,” Mandiant spokeswoman Susan Helmick said on Wednesday.

    “The focus appears to be the same but the methods and malware, they had to shift,” Helmick said.

    A spokesman for the Chinese embassy in Washington on Wednesday repeated China’s response to the initial Mandiant report.

    “Cyber attacks are transnational and anonymous,” said spokesman Geng Shuang. “We don’t know how the evidence is collected in this report.”

    Reply
  15. Tomi Engdahl says:

    Apple patents technology to STALK YOU in your own HOME
    Do you really want the music on EVERY TIME you walk to the garage?
    http://www.theregister.co.uk/2013/11/06/apple_patents_ihome_of_the_future/

    Apple has been granted a patent for technology which will detect movement around the user’s home and automatically change the settings of light switches or other household devices accordingly.

    The patent raises the prospect that fanbois could wander around the house, fondling their slab aimlessly while their telly turns itself on or the oven begins to heat up.

    Two or more devices will communicate to detect a fanboi’s location, before distributing this information to other devices.

    Reply
  16. Tomi Engdahl says:

    Mikko Paatero is the Finnish National Police Board Police Commissioner and says:

    Cyber threats can be prevented only through broad cooperation and clear responsibilities

    Spy discussion, waves are high, the MFA’s extensive network events intrusion. It is good to remember, however, that any kind of espionage has always been and will always happen. Now, however, we are increasingly depends on computer networks, including core espionage directed.

    Irregularities occurred in data networks are the offenses for which the prevention and investigation by the police. Furthermore, networks place a government spy operation that responsibility extends beyond the fight against the police in addition to the armed forces. Police in the fight against terrorism and pre-blocking capability is defined in the law of the Security Police task, but also the police is in their own important role.

    When it comes to cyber security and the emergence of threats, it cannot be known for sure whether they are internal or external threats. At least in the early stages it is impossible to say whether it is a matter for crime prevention or military activity. For this reason alone, the so-called hard security responsibilities must regulate cooperation clearly and effectively.

    So we are clearly in a situation where new legislation is needed

    It is well to consider what the possible intelligence agency to be based, who would authorize the inquiries and how it is monitored. The most important thing, however, is that all responsible parties work closely together.

    Source: http://blogit.iltalehti.fi/mikko-paatero/2013/11/08/kyberuhkia-voidaan-torjua-vain-laajalla-yhteistyolla-ja-selvilla-vastuilla/

    Reply
  17. Tomi says:

    Exclusive: Snowden persuaded other NSA workers to give up passwords – sources
    http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

    (Reuters) – Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.

    The revelation is the latest to indicate that inadequate security measures at the NSA played a significant role in the worst breach of classified data in the super-secret eavesdropping agency’s 61-year history.

    “In the classified world, there is a sharp distinction between insiders and outsiders. If you’ve been cleared and especially if you’ve been polygraphed, you’re an insider and you are presumed to be trustworthy,” said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

    Reply
  18. Tomi says:

    Credit Card Numbers Still Google-able
    http://search.slashdot.org/story/13/11/08/1454251/credit-card-numbers-still-google-able

    “In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number.”

    “in 2013, it appears to still be just as easy.”

    If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form “1234 5678″ (don’t forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits.

    Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone’s internal use and wasn’t meant to be leaked on the Web

    Reply
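The leak pattern this comment describes (internal spreadsheets full of card numbers ending up on the public web) is exactly what a pre-publication scan should catch. The following is an added example, not code from the original post or the Slashdot article: a Luhn plus issuer-prefix scanner run over constructed spreadsheet rows. The row format is made up, and the card numbers are the public Visa, Mastercard and Discover test numbers rather than real accounts.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every real Visa, Mastercard and Discover number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def plausible_issuer(digits: str) -> bool:
    """Prefix and length ranges of the three brands named in the comment.
    Luhn alone passes one number in ten, so this filters out timestamps and ids."""
    n = len(digits)
    if digits[0] == "4":                                                  # Visa
        return n in (13, 16, 19)
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:  # Mastercard
        return n == 16
    if digits.startswith(("6011", "65")):                                 # Discover
        return 16 <= n <= 19
    return False


def is_card_number(digits: str) -> bool:
    return luhn_valid(digits) and plausible_issuer(digits)


def find_card_numbers(text: str) -> list:
    """Digits-only form of every candidate in the text that looks like a live PAN."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if is_card_number(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask detected PANs so a document can be shared, keeping only the last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "**** **** **** " + digits[-4:] if is_card_number(digits) else m.group()
    return CANDIDATE.sub(mask, text)


# Constructed rows imitating an internal spreadsheet export. The card numbers are the
# public test numbers for Visa, Mastercard and Discover, not real accounts.
SAMPLE_ROWS = [
    "id,customer,card,phone",
    "1,A. Example,4111 1111 1111 1111,0400 123 4567",
    "2,B. Example,5500-0000-0000-0004,0400 765 4321",
    "3,C. Example,4111 1111 1111 1112,0400 111 2222",   # fails Luhn: a typo, not a PAN
    "4,D. Example,6011000000000004,",
    "5,E. Example,order 20131108145425,",                # timestamp that passes Luhn by chance
]


def scan_rows(rows) -> list:
    """(row number, PAN) pairs: the check to run before a document is published."""
    findings = []
    for n, row in enumerate(rows, start=1):
        for pan in find_card_numbers(row):
            findings.append((n, pan))
    return findings


if __name__ == "__main__":
    for n, pan in scan_rows(SAMPLE_ROWS):
        print(f"row {n}: {pan}")
    print(redact(SAMPLE_ROWS[2]))
```

The timestamp row shows why the Luhn test alone is not enough: it passes the checksum but is rejected by the issuer-prefix and length rules.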
  19. Tomi Engdahl says:

    Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike
    Claims of multiple security measures just ‘promises,’ researcher claims
    http://www.epanorama.net/blog/2013/01/14/security-trends-for-2013/

    Former Lavabit proprietor Ladar Levison claims the new Dark Mail initiative he’s cooking up with the team from Silent Circle will enable email that’s virtually spy-proof, but according to at least one expert, the original Lavabit service was never all that secure to begin with.

    “After all,” security guru Moxie Marlinspike wrote in a blog post this week, “how is it possible that a service which wasn’t supposed to have access to its users’ emails found itself in a position where it had no other option but to shut down in an attempt to avoid complying with a request for the contents of its users’ emails?”

    The main problem with Lavabit’s design, according to Marlinspike, is that each Lavabit user’s private encryption key was stored on the Lavabit server. The key was itself encrypted with a password, true. But every time the user wanted to read an email, that password needed to be transmitted to the server, essentially negating any security.

    “Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out,” Marlinspike wrote.

    Reply
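To make Marlinspike's "plaintext in and plaintext out" point concrete, here is an added example that is not Lavabit's code and not from the comment: it models the mail read path of the design described above next to a ciphertext-in, ciphertext-out alternative. The MailStore class, the PBKDF2 key wrapping and the HMAC-based toy stream cipher are assumptions standing in for whatever a real service would use.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real cipher.
    The design argument depends only on where the key is unlocked, not on the cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def password_key(password: str, salt: bytes) -> bytes:
    """Key-wrapping key derived from the user's password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MailStore:
    """What the server persists in both designs: a salt, the user's mailbox key
    wrapped under the password-derived key, and each message as stored ciphertext."""

    def __init__(self):
        self.salts = {}
        self.wrapped_keys = {}
        self.mail = {}
        # Everything a coerced or compromised server could have logged.
        self.plaintext_seen_by_server = []

    def register(self, user: str, password: str) -> bytes:
        salt, mailbox_key = os.urandom(16), os.urandom(32)
        self.salts[user] = salt
        self.wrapped_keys[user] = encrypt(password_key(password, salt), mailbox_key)
        self.mail[user] = []
        # Simplification: the toy returns the mailbox key so a delivery step can encrypt
        # incoming mail under it. A real design would encrypt to the public half of a
        # key pair at delivery time, so the server never needs the unwrapped key.
        return mailbox_key

    def deliver(self, user: str, mailbox_key: bytes, message: bytes) -> None:
        self.mail[user].append(encrypt(mailbox_key, message))


def read_lavabit_style(store: MailStore, user: str, password: str) -> list:
    """Design described in the comment: the password is sent to the server, which
    unwraps the mailbox key and decrypts on the user's behalf. The server's own code
    path ends up holding plaintext ("plaintext in and plaintext out")."""
    mailbox_key = decrypt(password_key(password, store.salts[user]), store.wrapped_keys[user])
    messages = [decrypt(mailbox_key, blob) for blob in store.mail[user]]
    store.plaintext_seen_by_server.extend(messages)  # nothing stops the server logging here
    return messages


def read_end_to_end(store: MailStore, user: str, password: str) -> list:
    """Ciphertext-in, ciphertext-out alternative: the server only hands over stored
    blobs and the password is used on the client. A server compelled to cooperate
    can surrender the blobs but cannot produce plaintext without the password."""
    # Server side: nothing but stored data leaves the store.
    salt, wrapped, blobs = store.salts[user], store.wrapped_keys[user], list(store.mail[user])
    # Client side: unwrap and decrypt locally. (The toy cipher has no integrity check,
    # so a wrong password yields garbage rather than an error.)
    mailbox_key = decrypt(password_key(password, salt), wrapped)
    return [decrypt(mailbox_key, blob) for blob in blobs]


if __name__ == "__main__":
    store = MailStore()
    key = store.register("alice", "correct horse battery")
    store.deliver("alice", key, b"meet at noon")  # constructed message
    print(read_lavabit_style(store, "alice", "correct horse battery"))
    print("server saw:", store.plaintext_seen_by_server)
    print(read_end_to_end(store, "alice", "correct horse battery"))
```

Note that the end-to-end variant still leaves the wrapped key on the server, so a weak password remains exposed to offline guessing; what it removes is the server's ability to decrypt on demand.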
  20. Tomi Engdahl says:

    How Google paved the way for NSA’s intercepts – just as The Register predicted 9 YEARS AGO
    Gmail redefined searching and reading… just like we said it would
    http://www.epanorama.net/blog/2013/01/14/security-trends-for-2013/comment-page-29/#comment-2461477

    Much hilarity has greeted Eric Schmidt’s deeply sincere “outrage” at his “discovery” that the NSA was spying on Google. For example, Vanity Fair pointed Mr Schmidt to some helpful Google searches.

    But the NSA is merely treading in some well-worn footsteps – some of which were made by Google itself. Let us refresh your memory of one of the most prescient and chilling pieces of prediction in the last decade. For all this was forecast here at The Register in early 2004 – nine years ago.

    In early 2004, Google launched Gmail. Gmail performed an automated interception of your email, and – having scanned the contents and guessed at its meaning – ran contextual advertising alongside it.

    Former security advisor Mark Rasch, an attorney who had worked in the Department of Justice’s cyberfraud department during the Clinton administration, and was writing for Security Focus, raised a very interesting problem. If Google could search through and read your email without explicit legal authorisation, then surely the security agencies could do the same.

    Reply
  21. Tomi says:

    Exclusive: Snowden persuaded other NSA workers to give up passwords – sources
    http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

    A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments

    Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

    Reuters reported last month that the NSA failed to install the most up-to-date, anti-leak software at the Hawaii site before Snowden went to work there and downloaded highly classified documents belonging to the agency and its British counterpart, Government Communication Headquarters.

    “In the classified world, there is a sharp distinction between insiders and outsiders. If you’ve been cleared and especially if you’ve been polygraphed, you’re an insider and you are presumed to be trustworthy,” said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

    “What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable,” he added.

    Reply
  22. Tomi says:

    Paradise Lost: Paranoia Has Undermined US Democracy
    http://www.spiegel.de/international/world/paranoia-has-undermined-united-states-claim-to-liberal-democracy-a-932326.html

    While far from a dictatorship, the United States has employed a number of paranoid tactics that delegitimize its democracy. This phenomenon is on display in the fictional TV series “Homeland,” which depicts hysterical CIA agents in a hysterical country.

    Political paranoia requires an enemy, or at least the concept of an enemy.

    After the Soviet Union collapsed in 1991, the United States experienced a relatively relaxed decade, until hijacked jetliners crashed into the World Trade Center and destroyed parts of the Pentagon on Sept. 11, 2001.

    While far from all democracies are paranoid, virtually all dictatorships are. For dictators, paranoia helps shape and preserve their autocratic systems. Autocrats need an enemy — always an internal enemy and sometimes an external one, too — to legitimize violence and coercion, and to generate allegiance.

    The United States cannot be compared with Nazi Germany or with China. Unfortunately, however, a paranoid democracy tends to use tools that are beneath a democracy, the tools of a dictatorship, and they include as much surveillance as possible.

    Information is the most valuable thing in a paranoid world. Those who feel threatened want to know as much as possible about potential threats, so as to be able to control their fears and prepare preventive attacks.

    Now the intelligence services have developed a giant information procurement machine, which is also useful in industrial espionage. To ensure that nothing escapes their notice, they violate the privacy of millions and millions of people and alienate allied nations and their politicians.

    Another form of paranoid information procurement is torture, used by American intelligence agencies to gain information about terrorists.

    While paranoia legitimizes a dictatorship, it can achieve the opposite effect in a democracy. The United States is no longer a model of liberal democracy. That much has been made clear in light of mass surveillance, torture, the extralegal detention camp at Guantanamo and an isolationist ideology

    Reply
  23. Tomi says:

    Brute forcing the unlock PIN on an Android phone
    http://www.bbrotherton.com/main/androidpinbruteforce

    My lovely girlfriend is so concerned about security that now even she can’t access her phone. After changing the PIN on her phone, she could not remember what it was. She quickly enlisted my help to get it unlocked and avoid having to lose her pictures and other data that was not backed up. This presented a rather tough problem:

    Encryption Enabled
    Bootloader Locked
    No permissions for Android Device Manager to change PIN
    6 Digit PIN

    After doing some research I quickly concluded the only way short of her remembering the PIN was to try to brute force it.

    After some quick calculations we saw that we had gone from 1,000,000 possible permutations to around 5,000. Now at least we are in the realm of the possible.

    Without too much effort I was able to punch out some firmware that made the STM32F4Discovery act as a USB HID Keyboard device.

    I needed a good USB Keyboard library first, being lazy (or good) engineer I found a good library in the Arduino Source and copied it. It was very easy to port from C++ to C and to get it working with the STM32F4Discovery USB Driver.

    Reply
  24. Tomi says:

    Secure Bitcoin wallet Inputs.io hacked; unable to pay all user balances
    http://www.techienews.co.uk/972801/secure-bitcoin-wallet-inputs-io-hacked-unable-pay-user-balances/

    Advertised as a high-security bitcoin web wallet and a Bitcoin Foundation silver member, Inputs.io has been hacked with total of 4100 BTC siphoned off. The secure web wallet has revealed that it is not in a position to pay all user balances.

    “Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances”, reads a message on inputs.io website. The attacker managed to compromise the hosting account of inputs.io through the use of an old email address, which didn’t have any phone numbers attached to it. “The attacker was able to bypass 2FA due to a flaw on the server host side.”

    Reply
  25. Tomi says:

    $1.2M Hack Shows Why You Should Never Store Bitcoins on the Internet
    http://www.wired.com/wiredenterprise/2013/11/inputs/

    Here’s your digital-currency lesson of the day, courtesy of a guy who calls himself TradeFortress: “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”

    That may sound like a paradox. Bitcoin is the world’s most popular digital currency, and it’s controlled by a vast collection of computers spread across the internet. But TradeFortress knows what he’s talking about. He’s the founder of inputs.io, a company that used to store bitcoins in digital wallets for people across the globe. The site was just hacked, with the bandits making off with more than a million dollars’ worth of bitcoins.

    TradeFortress says that this was a social engineering attack, meaning that the attacker masqueraded as someone he wasn’t in order to get access to the site’s systems on cloud-hosting provider Linode. “The attack was done through compromising a chain of email accounts which eventually allowed the attacker to reset the password for the Linode server,” he said.

    Reply
  26. Tomi Engdahl says:

    UK spies continue “quantum insert” attack via LinkedIn, Slashdot pages
    Targets included engineers at Global Roaming Exchange providers and OPEC.
    http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/

    According to a new report (German) by Der Spiegel, the British signals intelligence spy agency has again employed a “quantum insert” technique as a way to target employees of two companies that are GRX (Global Roaming Exchange) providers.

    GRX is roughly analogous to an IX (Internet Exchange), and it acts as a major exchange for mobile Internet traffic while users roam around the globe.

    Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.

    This new revelation may be related to an attack earlier this year against Belgacom International Carrier Services (BICS), a subsidiary of the Belgian telecom giant Belgacom. BICS is another one of the few GRX providers worldwide.

    Bruce Schneier, a well-known cryptographer and security expert, explained on his blog last month that “the NSA relies on its secret partnerships with US telecoms companies.” Presumably, the GCHQ has a similar arrangement with UK and/or European telcos.

    Reply
  27. Tomi Engdahl says:

    Stuxnet infected Russian nuke power plant – Kaspersky
    Another unintended victim of game-changing Iran attack
    http://www.epanorama.net/blog/2013/01/14/security-trends-for-2013/comment-page-29/#comment-2471566

    The infamous Stuxnet malware thought to have been developed by the US and Israel to disrupt Iran’s nuclear facilities, also managed to cause chaos at a Russian nuclear plant, according to Eugene Kaspersky.

    The Kaspersky Lab founder claimed that a “friend” of his, working at the unnamed power plant, sent him a message that its internal network, which was disconnected from the internet, had been “badly infected by Stuxnet”.

    Kaspersky didn’t reveal when exactly this happened, saying only that it was during the “Stuxnet time”.

    “Everything you do is a boomerang,” he added. “It will get back to you.”

    “It’s cyber space. [There are] no borders, [and many facilities share the] same systems.”

    Reply
  28. Tomi Engdahl says:

    Facial recognition, once a battlefield tool, lands in San Diego County
    http://cironline.org/reports/facial-recognition-once-battlefield-tool-lands-san-diego-county-5502

    On a residential street in San Diego County, Calif., Chula Vista police had just arrested a young woman, still in her pajamas, for possession of narcotics. Before taking her away, Officer Rob Halverson paused in the front yard, held a Samsung Galaxy tablet up to the woman’s face and snapped a photo.

    Halverson fiddled with the tablet with his index finger a few times, and – without needing to ask the woman’s name or check her identification – her mug shot from a previous arrest, address, criminal history and other personal information appeared on the screen.

    Halverson had run the woman’s photograph through the Tactical Identification System, a new mobile facial recognition technology now in the hands of San Diego-area law enforcement. In an instant, the system matches images taken in the field with databases of about 348,000 San Diego County arrestees. The system itself has nearly 1.4 million booking photos because many people have multiple mug shots on record.

    For some, the use of biometric technology by police represents a radical milestone in the militarization of American law enforcement.

    For years, technology that was developed on the battlefield has been migrating into domestic police agencies.

    Reply
  29. Tomi Engdahl says:

    Quantum Spying: GCHQ Used Fake LinkedIn Pages to Target Engineers
    http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html

    Elite GCHQ teams targeted employees of mobile communications companies and billing companies to gain access to their company networks. The spies used fake copies of LinkedIn profiles as one of their tools.

    The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn’t take any longer than usual to load.

    The victims didn’t notice that what they were looking at wasn’t the original site but a fake profile with one invisible added feature: a small piece of malware that turned their computers into tools for Britain’s GCHQ intelligence service.

    The British intelligence workers had already thoroughly researched the engineers.

    Then they determined which of the potential targets used LinkedIn or Slashdot.org, a popular news website in the IT community.

    The computers of these “candidates” were then infected with computer malware that had been placed using infiltration technology the intelligence agency refers to as “Quantum Insert,” which enabled the GCHQ spies to deeply infiltrate the Belgacom internal network and that of its subsidiary BICS, which operates a so-called GRX router system. This type of router is required when users make calls or go online with their mobile phones while abroad.

    The operation is not an isolated case, but in fact is only one of the signature projects of an elite British Internet intelligence hacking unit working under the auspices of a group called MyNOC, or “My Network Operations Centre.”

    Mobile Phones Become Monitoring Tools

    “We can locate, collect, exploit (in real time where appropriate) high value mobile devices & services in a fully converged target centric manner,” a GCHQ document from 2011 states. For years, the British spies have aspired to potentially transform every mobile phone on the planet into a monitoring tool that could be activated at any time.

    In the case of Mach, for example, the GCHQ spies came across a computer expert working for the company’s branch in India.

    A complex graph of his digital life depicts the man’s name in red crosshairs and lists his work computers and those he uses privately (“suspected tablet PC”). His Skype username is listed, as are his Gmail account and his profile on a social networking site. The British government hackers even gained access to the cookies on the unsuspecting victim’s computers, as well as identifying the IP addresses he uses to surf the web for work or personal use.

    In short, GCHQ knew everything about the man’s digital life, making him an open book for its spies.

    In an article in Britain’s Guardian newspaper, American IT security expert Bruce Schneier describes in detail how Quantum Insert technology is used to place malware. Apparently, the agencies use high-speed servers located at key Internet switching points. When a target calls up a specific website, such as LinkedIn, these servers are activated. Instead of the desired website, they supply an exact copy, but one that also smuggles the government hackers’ spying code onto the target computers.

    According to other secret documents, Quantum is an extremely sophisticated exploitation tool developed by the NSA and comes in various versions. The Quantum Insert method used with Belgacom is especially popular among British and US spies. It was also used by GCHQ to infiltrate the computer network of OPEC’s Vienna headquarters.

    For the British, all of this was apparently only an intermediate step on the path to a greater goal. In addition to the conventional Internet, GCHQ now wants to turn the mobile web into an all-seeing surveillance machine.

    This is how the GCHQ spies described their “vision” in 2011: “Any mobile device, anywhere, anytime!”

    Reply
  30. Tomi Engdahl says:

    Attacking Tor: how the NSA targets users’ online anonymity
    http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity

    Secret servers and a privileged position on the internet’s backbone used to identify users and attack target computers

    Reply
  31. Tomi Engdahl says:

    Privacy Pretense
    How Silicon Valley Helped the NSA
    http://www.foreignaffairs.com/articles/140246/abraham-newman/privacy-pretense

    Last month, Silicon Valley purported to be shocked by revelations that the National Security Agency (NSA) has routinely accessed the servers of tech giants Google and Yahoo, which store data for hundreds of millions of users. In response, the companies pledged to step up privacy protections.

    There is only one problem: Such protections run counter to the business model and public policy agenda that tech companies have pursued for decades. For years, U.S. information technology (IT) firms have actively backed weak privacy rules that let them collect massive amounts of personal data.

    Lax rules created fertile ground for NSA snooping. In the wake of the surveillance scandals, as consumer confidence plummets, technology companies’ economic futures are threatened.

    Since the 1990s, companies from Google to Yahoo and Microsoft have done their best to ward off national privacy rules, calling instead for self-regulation.

    For its part, the Obama administration has seemed all too happy to go along with this self-regulatory agenda

    U.S. Internet companies have also backed lax privacy rules outside of the United States.

    Until this year, the self-regulation strategy paid off: With their nearly unrestricted access to U.S. consumer data, IT companies were able to mine information in ways that many of their European competitors could never imagine.

    To regain consumer confidence and ensure their economic fortunes, technology firms will have to transform the way they view the regulation of personal information. Self-regulation is necessary but not sufficient. A better privacy system would have four key parts.

    First, consumers need an advocate that can help them navigate the overly complex and technical world of information technology.

    Second, Congress should pass national data-breach legislation. Such rules, which have already been passed in California, require companies to notify consumers when their data has been lost or stolen.

    Third, IT companies must change their attitudes toward consumer information.

    Finally, U.S. IT firms need to play a constructive role in building a global framework for the protection of personal information

    Reply
  32. Tomi Engdahl says:

    “Internet of Things” Signals Eventual Merger of Cloud and Mobile Management
    http://www.centrify.com/blogs/tomkemp/merger_of_cloud_and_mobile_management.asp?ls=304-013-techmemeInternetofThings

    I think most of us have heard the expression “Internet of Things” (IoT). To me that expression represents a world of an increasing number of smart devices (i.e. “Things”) talking to an increasing number of cloud-based (i.e. “Internet”) resources and services, and in the middle of this interconnected world are users who are leveraging some of these devices to interact with some of these services.

    I believe in this “IoT” world that identity is super important, be it authenticating device-to-device, device-to-cloud, or cloud-to-cloud communication, as well as granularly controlling which users and which devices can access what. An “IoT” world also means a de-perimeterized world, and the value of security solutions that protect the perimeter become devalued as the perimeter dissolves. This makes identity even more important from a security perspective as that becomes the one thing that IT security can in theory control when the organization no longer owns the end user device (e.g. BYOD phone) and/or the backend resource (e.g. a SaaS app).

    And within an “IoT” world the concept of identity itself is transforming. For example, before “IoT” identity vis a vis the enterprise was about how to best manage your users’ IDs and passwords and grant them access to systems and applications. Now identity is also about needing to know a user’s location (e.g. don’t allow access if the user’s location is outside where he normally accesses apps from) and their devices (e.g. only allow access for this user from these specific trusted devices that are associated with this user).

    Reply
  33. Tomi Engdahl says:

    Smartphone cameras can give away PIN codes, researchers warn
    http://gigaom.com/2013/11/08/smartphone-users-eyes-can-give-away-their-pin-codes-researchers-warn/

    Summary:
    Researchers at the University of Cambridge have demonstrated an attack that can reveal the PIN codes for sensitive apps, such as those for banking, by tapping into the device’s microphone and camera.

    This should be of concern to the developers of banking apps and the like, although there’s not a lot they can do about it. The Cambridge researchers suggested that OS designers implement a whitelist for sensors rather than leaving them all active all the time – this would mitigate the risk by denying access to all shared hardware resources “except those explicitly allowed,” though I’d imagine it would conflict with recent features introduced to smartphones, such as always-on microphones.

    Another option, of course, is to stop using PIN codes. Identity could instead be confirmed through the use of biometrics (although that introduces different risks), and the researchers also note that secondary devices such as smart watches could act as secure ID when brought together with the handset.

    Reply
  34. Tomi Engdahl says:

    It’s the Inter-THREAT of THINGS: Lightbulb ARMY could turn on HUMANITY
    CTO calmly illuminates us on the world’s biggest potential botnet
    http://www.theregister.co.uk/2013/11/06/what_if_the_light_bulbs_turned_on_us/

    Fujitsu’s CTO has sketched a nightmare vision of lightbulbs turning on their human masters in massive denial of service attacks if industry doesn’t get a grip on the security of the “internet of things”.

    And even if they don’t get that incandescent, the much vaunted internet-connected lightbulb leaves users open to having their homes messed with and broken into by hackers, warned Dr Joseph Reger.

    He warned it was entirely feasible that miscreants could hack into your home illumination system to check usage. This could easily tip them off to when you’re likely to be home, or even whether you’re on holiday – and thus choose the optimum time to break in.

    However, as bulbs – and other devices – gain more “intelligence”, far more serious possibilities arise. “There will be some that are more intelligent,” predicted Reger, and therefore could be injected with malicious code and used to mount DDoS attacks, for example.

    “You suddenly have an army of attackers…billions of soldiers. And that’s new,” he said.

    Reply
  35. Tomi Engdahl says:

    New Release of Our Free Android Permissions Dashboard
    http://www.f-secure.com/weblog/archives/00002638.html

    F-Secure App Permissions, our Android permissions dashboard, launched on November 1st. And in just under one week, there are thousands of installs and extremely positive feedback. Thank you!

    Best of all — App Permissions requires ZERO permissions.

    It’s totally free, small, and easy to use.

    You’ll find it on Google Play: F-Secure App Permissions.

    Reply
  36. Tomi says:

    Vanish from the Internet With This One-Stop Website
    http://www.wired.com/gadgetlab/2013/08/just-delete-me/

    Even if you’re not Edward Snowden, there are times when excising your social media presence is necessary. Companies usually don’t make it easy, though, often hiding the delete button inside myriad confusing menus and settings. Save some time and bookmark justdelete.me, a new page that collects direct links for killing various accounts dead and puts them all on one, easy-to-use page.

    Reply
  37. Tomi says:

    International Space Station Infected With USB Stick Malware Carried on Board by Russian Astronauts
    http://www.ibtimes.co.uk/articles/521246/20131111/international-space-station-infected-malware-russian-astronaut.htm

    Renowned security expert Eugene Kaspersky reveals that the International Space Station was infected by a USB stick carried into space by a Russian astronaut.

    Kaspersky said he had been told that from time to time there were “virus epidemics” on the station.

    The Russian said this example shows that not being connected to the internet does not prevent you from being infected. In another example, Kaspersky revealed that an unnamed Russian nuclear facility, which is also cut off from the public internet, was infected with the infamous Stuxnet malware.

    “[The staffer said] their nuclear plant network which was disconnected from the internet … was badly infected by Stuxnet. So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity.”

    In terms of cyber-espionage, “all the data is stolen globally… at least twice.”

    Kaspersky told the Press Club that creating malware like Stuxnet, Gauss, Flame and Red October is a highly complex process which would cost up to $10 million to develop.

    Reply
  38. Tomi Engdahl says:

    Facebook Warns Users After Adobe Breach
    http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/

    Facebook is mining data leaked from the recent breach at Adobe in an effort to help its users better secure their accounts. Facebook users who used the same email and password combinations at both Facebook and Adobe’s site are being asked to change their password and to answer some additional security questions.

    Facebook spokesman Jay Nancarrow said Facebook is constantly on the lookout for data leaked from other breach incidents that may endanger accounts of its own users. Nancarrow said that the social networking service has similarly acted in the wake of other high profile breaches to determine if any of its own users’ credentials may have been affected.

    Reply
  39. Tomi Engdahl says:

    Security researcher Cédric ‘Sid’ Blancher dead at 37
    Skydiving accident claims Wifitap author
    http://www.theregister.co.uk/2013/11/12/cdric_sid_blancher_dead_at_37/

    Security researcher Cédric “Sid” Blancher has reportedly been killed in a skydiving accident in France.

    Among other things, the 37-year-old Blancher was a sought-after speaker on WiFi security, and in 2005 published a Python-based WiFi traffic injection tool called Wifitap.

    He also put together a paper on how to exploit Skype to act as a botnet.

    Reply
  40. Tomi Engdahl says:

    Majority of Malware Analysts Aware of Data Breaches Not Disclosed by Their Employers
    http://www.threattracksecurity.com/press-release/majority-of-malware-analysts-aware-of-data-breaches-not-disclosed-by-their-employers.aspx

    ThreatTrack Security today published a study that reveals mounting cybersecurity challenges within U.S. enterprises. Nearly 6 in 10 malware analysts reported they have investigated or addressed a data breach that was never disclosed by their company.

    These results suggest that the data breach epidemic – totaling 621 confirmed data breaches in 2012, according to Verizon’s 2013 Data Breach Investigations Report – may be significantly underreported, leaving enterprises’ customers and data-sharing partners unaware of a wide array of potential security risks associated with the loss of personal or proprietary information. Moreover, the largest companies, those with more than 500 employees, are even more likely to have had an unreported breach, with 66% of malware analysts with enterprises of that size reporting undisclosed data breaches.

    “While it is discouraging that so many malware analysts are aware of data breaches that enterprises have not disclosed, it is no surprise that the breaches are occurring,”

    Outmanned, Outgunned and Out of Time
    40% of respondents reported that one of the most difficult aspects of defending their organization’s network was the fact that they don’t have enough highly-skilled security personnel on staff. To exacerbate matters, their time is often spent tackling easily avoidable malware infections originating at the highest levels of their organization. At the following rates, malware analysts revealed a device used by a member of their senior leadership team had become infected with malware due to executives:

    Visiting a pornographic website (40%)
    Clicking on a malicious link in a phishing email (56%)
    Allowing a family member to use a company-owned device (45%)
    Installing a malicious mobile app (33%)

    When asked to identify the most difficult aspects of defending their companies’ networks from advanced malware, 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions, underscoring the fundamental importance of a multi-layered, advanced cyber defense.

    More than half (52%) of all malware analysts said it typically takes them more than 2 hours to analyze a new malware sample

    37% of respondents said the U.S. is the country most adept at conducting cyber espionage. China was a close second at 33%.

    Reply
  41. Tomi Engdahl says:

    Network Intrusion is growing rapidly in Finland

    The number of network intrusions known to the police was 503 last year, while in 2008 only 183 similar crimes came to light, according to a corporate security review produced in national cooperation.

    According to the list, only a small part of the cyber-crime is detected, and even a smaller portion is reported to the police.

    Security breaches are targeted especially at large companies. More than four out of ten companies have detected unauthorized attempts to access their network.
    The attackers aim to deliver the malware to the target company without anyone noticing. Then one of the company’s employees activates the malware. Finally, the gathered information is sent out of the company without anyone noticing.

    The review points out that if a company only focuses on the fight against threats coming from the outside, the information is easy to send out.

    Source: http://www.iltasanomat.fi/digi/art-1288619934016.html

    Reply
  42. Tomi Engdahl says:

    In Lavabit Appeal, U.S. Doubles Down on Access to Web Crypto Keys
    http://www.wired.com/threatlevel/2013/11/lavabit-doj/

    A U.S. email provider can promise its users all the security and privacy it wants; it still has to do whatever it takes to give the government access.

    That’s the gist of the Justice Department’s 60-page appellate brief in the Lavabit surveillance case, filed today in the U.S. 4th Circuit Court of Appeals in Richmond, Virginia.

    In the brief, the government defends its use of a search warrant and a grand jury subpoena to obtain the private encryption keys for Lavabit’s email service and website.

    Lavabit lost a court argument challenging the orders in August. He stalled for two days then turned over the keys and shut down his business on August 8, mooting any attempt at prospective surveillance. He’s appealing $10,000 in sanctions.

    Reply
  43. Tomi Engdahl says:

    Microsoft Updates Surface Firmware, Patches IE Zero-Day Exploit Among 19 Total Flaws
    http://techcrunch.com/2013/11/12/microsoft-updates-surface-firmware-patches-ie-zero-day-exploit-among-19-total-flaws/

    Among the updates are a set of Internet Explorer fixes that are worth checking into if you manage PCs.

    Reply
  44. Tomi Engdahl says:

    Smartphone PIN revealed by camera and microphone
    http://www.bbc.co.uk/news/technology-24897581

    The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned.

    “We demonstrated that the camera, usually used for conferencing or face recognition, can be used maliciously,” say the report’s authors Prof Ross Anderson and Laurent Simon.

    According to the research, the microphone is used to detect “touch-events” as a user enters their PIN. In effect, it can “hear” the clicks that the phone makes as a user presses the virtual number keys.

    The camera then estimates the orientation of the phone as the user is doing this and “correlates it to the position of the digit tapped by the user”.

    One suggestion to prevent a PIN being identified is to use a longer number but the researchers warn this affects “memorability and usability”.

    “Randomising” the position of numbers on the keypad is also suggested but the researchers believe this would “cripple usability on phones”.

    Reply
  45. Tomi Engdahl says:

    10 Year Prison Term Sought for Anonymous Hacktivist Jeremy Hammond
    http://www.wired.com/threatlevel/2013/11/hammond-sentencing-memo/

    Anonymous hacktivist Jeremy Hammond should receive the maximum 10 year prison term for defacing law enforcement and corporate websites and stealing 200 gigabytes of email and 60,000 credit card numbers from a private intelligence firm, prosecutors argued in a court filing today.

    “Contrary to the picture he paints of himself … Hammond is a computer hacking recidivist who, following a federal conviction for computer hacking, went on to engage in a massive hacking spree during which he caused harm to numerous businesses, individuals, and governments, resulting in losses of between $1 million and $2.5 million, and threatened the safety of the public at large, especially law enforcement officers and their families,” the government wrote in a sentencing memorandum.

    Reply
  46. Tomi Engdahl says:

    Europe, SAVE US! Patriot Act author begs for help to curb NSA spying
    Says agency is out of control and mass surveillance must stop
    http://www.theregister.co.uk/2013/11/13/author_of_patriot_act_pleads_europe_to_help_curb_nsa_spying/

    US House Representative Jim Sensenbrenner, the lead author of controversial anti-terror law the Patriot Act, has asked the European Parliament for help in taming the NSA.

    He also called for Europe to put pressure on the US to change its legislation and bring a halt to the spy agency’s planet-wide communications data-slurping activities.

    “After 9-11, with America at risk and poised to enter its most intensive conflict since the Vietnam War, Congress extended the executive branch broader powers to protect the American people. But the NSA abused that trust,” Sensenbrenner (R-WI) told [PDF] the parliament’s Civil Liberties Committee.

    Sensenbrenner said he was “appalled” by the stream of revelations about the extent of mass surveillance employed by US and UK intelligence agencies, which have come to light in documents leaked by whistleblower Edward Snowden.

    The bugging of German Chancellor’s cellphone was a case in point he said.

    Sensenbrenner asked the European Parliament to put pressure on the US to reform its intelligence agencies and reel in the power of the all-seeing, all-hacking NSA. By working together there was a chance that the surveillance by the agency could be curtailed, Sensenbrenner said.

    Reply
  47. Tomi Engdahl says:

    Microsoft fears XP could cause Indian BANKOCALPYSE
    Up to 70 per cent of public banks could still be using ancient OS
    http://www.theregister.co.uk/2013/11/13/india_banks_microsoft_xp_migration_miss/

    The Indian banking industry could be facing a partial meltdown after Microsoft revealed new research claiming over 34,000 publicly-funded bank branches are still reliant on Windows XP.

    The report from Ascentius Consulting revealed that XP penetration in the banking sector is at 40-70 per cent. Some 34,115 branches were singled out as at risk, with just under 100 working days left until the migration deadline.

    Ascentius estimated that it will take banks between four and six months to move onto a newer version of Windows, meaning time is getting a bit tight, the hard deadline being April 8 2014.

    Microsoft warned that large numbers of branches could find themselves unable to serve their customers, especially in rural and semi-rural areas.

    A few months ago HP reckoned that around 40 per cent of UK businesses were still using XP.

    Reply
  48. Tomi Engdahl says:

    Don’t expect data on P2P networks to be private, judge rules
    Defendants claimed that searching for files on their computers violated Fourth Amendment rights
    http://www.computerworld.com/s/article/9243970/Don_t_expect_data_on_P2P_networks_to_be_private_judge_rules

    There can be no expectation of privacy in data exposed to the Internet over a peer-to-peer file-sharing network, a federal judge in Vermont ruled in a case involving three individuals charged with possession of child pornography.

    The three men had argued that police illegally gathered information from their computers using an automated P2P search tool and then used that information to obtain probable cause warrants for searching their computers.

    Reply
  49. Tomi Engdahl says:

    Microsoft Warns Customers Away From RC4 and SHA-1
    http://it.slashdot.org/story/13/11/13/0154244/microsoft-warns-customers-away-from-rc4-and-sha-1

    “The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.”

    “The company also said that as of January 2016 it will no longer validate any code signing or root certificate that uses SHA-1.”

    Reply
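    The SHA-1 deprecation quoted above is something a defender can audit for directly: every X.509 certificate carries its signature algorithm as an OID inside the DER encoding, so a short script can walk the structure and flag anything still signed with SHA-1. The following Python is an added example written for this page, not code from Microsoft, Slashdot or the article. It uses only the standard library; the certificate it audits is a constructed DER skeleton (empty name fields, dummy key and signature) that exists only to exercise the parser, and it also flags the RFC 5280 requirement that the inner `tbsCertificate.signature` and outer `signatureAlgorithm` fields agree. The OID table is limited to the common RSA and ECDSA algorithms; anything else is reported as unrecognised rather than guessed.

```python
"""Audit DER X.509 certificates for SHA-1 signatures (added example, stdlib only)."""

# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758) -> (name, hash)
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def _read_tlv(data, pos):
    """Decode one DER element at pos; return (tag, value bytes, next pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Content bytes of an OBJECT IDENTIFIER -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def _algorithm_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, oid_bytes, _ = _read_tlv(alg_identifier, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)

def audit_certificate(der):
    """Return (algorithm name, hash name, findings) for one DER certificate."""
    _, body, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    tag, tbs, pos = _read_tlv(body, 0)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, outer_alg, _ = _read_tlv(body, pos)    # signatureAlgorithm
    outer_oid = _algorithm_oid(outer_alg)
    # Inside tbsCertificate: optional [0] version, serialNumber, signature.
    pos = 0
    tag, _, after = _read_tlv(tbs, pos)
    if tag == 0xA0:
        pos = after
    _, _, pos = _read_tlv(tbs, pos)           # serialNumber INTEGER
    _, inner_alg, _ = _read_tlv(tbs, pos)
    inner_oid = _algorithm_oid(inner_alg)
    name, hash_name = SIGNATURE_ALGORITHMS.get(outer_oid, (outer_oid, "unknown"))
    findings = []
    if hash_name == "sha1":
        findings.append("signed with SHA-1; reissue with a SHA-2 algorithm")
    elif hash_name == "unknown":
        findings.append("unrecognised signature algorithm OID " + outer_oid)
    if inner_oid != outer_oid:  # RFC 5280 4.1.1.2: both fields must agree
        findings.append("signature algorithm mismatch between tbsCertificate and outer field")
    return name, hash_name, findings

# --- constructed input: a DER skeleton, not a real certificate -------------
def _der(tag, payload):
    """Encode one DER element with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload

def _encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def build_sample_cert(sig_oid, tbs_oid=None):
    """Constructed Certificate skeleton: only the fields the auditor reads are
    meaningful; issuer, validity, subject, key and signature are dummies."""
    tbs_oid = tbs_oid or sig_oid

    def alg(oid):
        return _der(0x30, _encode_oid(oid) + b"\x05\x00")  # NULL parameters

    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # [0] version v3
                     + _der(0x02, b"\x01")              # serialNumber
                     + alg(tbs_oid)                     # signature
                     + _der(0x30, b"") * 4)             # placeholder SEQUENCEs
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" + b"\xAA" * 16))
```

    To run this against a real certificate, pass the raw DER bytes (for a PEM file, base64-decode the text between the BEGIN/END markers first) to `audit_certificate`; the length decoder handles the long-form lengths that real certificates use. The inner/outer mismatch check matters because a validator that only reads the outer field can be told one algorithm while the signed body claims another.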
