Security trends for 2013

Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.

Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.

Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.

SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices.
Good idea to test your devices against it.

There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.

Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.

Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.

Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.

crystalball

Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.

Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.

European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    Microsoft Warns Customers Away From SHA-1 and RC4
    http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902

    The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.

    RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications.

    “Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations.”

    “Using a sample size of five million sites, we found that 58% of sites do not use RC4, while approximately 43% do. Of the 43% that utilize RC4, only 3.9% require its use. Therefore disabling RC4 by default has the potential to decrease the use of RC4 by over almost forty percent.”

    The software company also is recommending that certificate authorities and others stop using the SHA-1 algorithm. Microsoft cited the existence of known collision attacks against SHA-1 as the main reason for advising against its use.

    Reply
  2. Tomi Engdahl says:

    Bill Gates and President Bill Clinton on the NSA, Safe Sex, and American Exceptionalism
    http://www.wired.com/business/2013/11/bill-gates-bill-clinton-wired/2/

    When it comes to privacy, connectivity is another matter. Microsoft, with Bill Gates at the helm, fought to build encryption into the company’s products—technology that would protect customers’ information. The Clinton administration, meanwhile, tried to reconcile the spread of cryptography with national security. We seemed to have reached a balance, but the Snowden leaks revealed that data collection by the NSA was far more widespread than assumed. What is the proper balance of surveillance and security, and where do we go from here?

    Gates: Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules—not just for governments but for private companies. There are legitimate reasons for the government to watch what’s going on, particularly with nuclear and biological weapons. So it’d be nice if there was a way that some part of the government that we really trusted was looking at that information. Right now, people are going, “Oh my gosh!” and you wonder—did they not think anything was going on? But it’s probably good there is now an explicit conversation.

    Clinton: In a funny way, while our handling of Big Data has made the erosion of personal liberty more likely, it has also made more likely the loss of legitimate national security secrets. I started calling around to friends of mine who are in this business, and they believe there are technological fixes to protect national security secrets. Why do 5 million people have security clearances? And why are they able to go all across an information landscape instead of being more tightly siloed?

    Reply
  3. Tomi Engdahl says:

    The operations of a cyber arms dealer
    http://www.net-security.org/secworld.php?id=15928

    FireEye researchers have linked eleven distinct APT cyber espionage campaigns previously believed to be unrelated, leading them to believe that there is a shared operation that supplies and maintains malware tools and weapons used in them.

    In a recently released report that details the connections, they dubbed this development and logistics operation as Sunshop Digital Quartermaster, and posit that it supports these and possibly other APT campaigns, as part of a “formal offensive apparatus”.

    “This digital quartermaster also might be a cyber arms dealer of sorts, a common supplier of tools used to conduct attacks and establish footholds in targeted systems,” they explained.

    But despite using varying techniques, tactics, and procedures, Sunshop and the 10 other linked campaigns all leveraged a common development infrastructure, and shared – in various combinations – the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates.

    “A typical builder provides a graphical user interface that enables a malicious actor to configure elements such as the location of the command and control server,“

    Despite all these findings, the researchers concede there is a (very unlikely) possibility that the different campaigns are all executed by the same, well-resourced actor who also created all the tools, weapons and infrastructure that supported them.

    Reply
  4. Tomi Engdahl says:

    Supply Chain Analysis: From
    Quartermaster to Sunshop
    http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf

    Many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure—a finding that suggests some targets are facing
    a more organized menace than they realize.

    This report examines 11 advanced persistent threat (APT) campaigns targeting a wide swath of industries.

    Though they appeared unrelated at first, further investigation uncovered several key links between them: the same malware tools, the same elements of code, binaries with the same timestamps, and
    signed binaries with the same digital certificates.

    Taken together, these commonalities point to centralized APT planning and development. How prevalent this model has become is unclear. But adopting it makes financial sense for attackers, so the findings may
    imply a bigger trend.

    This report focuses on two key findings:
    • Shared development and logistics
    • A shared malware-builder tool

    Reply
  5. Tomi Engdahl says:

    Buggy software in need of patching? Hey, we got that right here – Adobe
    Gaping holes in ColdFusion, Flash slammed shut on Patch Tuesday
    http://www.theregister.co.uk/2013/11/13/adobe_follows_microsoft_with_patches_for_coldfusion_and_flash/

    Adobe has released a batch of scheduled security fixes to address critical flaws in its Flash Player and ColdFusion products.

    The company said the updates will tackle a pair of security vulnerabilities in the two platforms which could be exploited remotely by attackers.

    For Flash Player, the update applies to Windows, Linux and OS X systems and fixes remote code execution flaws. The company warned that, if targeted, the flaws could allow an attacker to execute attack code on a targeted system without requiring any user notification or interaction.

    To install the update, Adobe recommends that users update to the latest versions of Adobe Flash Player and, if necessary, Adobe AIR. The company noted that users running Google Chrome and Internet Explorer on Windows 8 and 8.1 will automatically receive the update when they update to the latest versions of their browser.

    Reply
  6. Tomi says:

    Russia: Hidden chips ‘launch spam attacks from irons’
    http://www.bbc.co.uk/news/blogs-news-from-elsewhere-24707337

    Cyber criminals are planting chips in electric irons and kettles to launch spam attacks, reports in Russia suggest.

    State-owned channel Rossiya 24 even showed footage of a technician opening up an iron included in a batch of Chinese imports to find a “spy chip” with what he called “a little microphone”. Its correspondent said the hidden devices were mostly being used to spread viruses, by connecting to any computer within a 200m (656ft) radius which were using unprotected Wi-Fi networks. Other products found to have rogue components reportedly included mobile phones and car dashboard cameras.

    Reply
  7. Tomi says:

    HTTP 2.0 May Be SSL-Only
    http://it.slashdot.org/story/13/11/13/1938207/http-20-may-be-ssl-only

    “In an email to the HTTP working group, Mark Nottingham laid out the three top proposals about how HTTP 2.0 will handle encryption. The frontrunner right now is this: ‘HTTP/2 to only be used with https:// URIs on the “open” Internet. http:// URIs would continue to use HTTP/1.’ This isn’t set in stone yet,”

    “The big goal here is to increase the use of encryption on the open web.”

    Comments:

    People think that adding encryption to something makes it more secure. No, it does not. Encryption is worthless without secure key exchange, and no matter how you dress it up, our existing SSL infrastructure doesn’t cut it. It never has. It was built insecure. All you’re doing is adding a middle man, the certificate authority, that somehow you’re supposed to blindly trust to never, not even once, fuck it up and issue a certificate that is later used to fuck you with. http://www.microsoft.com can be signed by any of the over one hundred certificate authorities in your browser. The SSL protocol doesn’t tell the browser to check all hundred plus for duplicates; it just goes to the one that signed it and asks: Are you valid?

    The CA system is broken. It is so broken it needs to be put on a giant thousand mile wide sign and hoisted int orbit so it can be seen at night saying: “This system is fucked.” Mandating a fucked system isn’t improving security!

    Show me where and how you plan on making key exchange secure over a badly compromised and inherently insecure medium, aka the internet, using the internet. It can’t be done. No matter how you cut it, you need another medium through which to do the initial key exchange. And everything about SSL comes down to one simple question: Who do you trust? And who does the person you trusted, in turn, trust? Because that’s all SSL is: It’s a trust chain. And chains are only as strong as the weakest link.

    Break the chain, people. Let the browser user take control over who, how, and when, to trust.

    If everything is to go SSL, we now need widespread “man-in-the-middle” intercept detection. This requires a few things:

    SSL certs need to be published publicly and widely, so tampering will be detected.
    Any CA issuing a bogus or wildcard cert needs to be downgraded immediately, even if it invalidates every cert they’ve issued. Browsers should be equipped to raise warning messages when this happens.
    MITM detection needs to be implemented within the protocol. This is tricky, but possible.

    Reply
  8. Tomi Engdahl says:

    Our Government Has Weaponized the Internet. Here’s How They Did It
    http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

    The internet backbone — the infrastructure of networks upon which internet traffic travels — went from being a passive infrastructure for communication to an active weapon for attacks.

    According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”

    Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.

    Here’s how it works.

    The QUANTUM codename is deliciously apt for a technique known as “packet injection,” which spoofs or forges packets to intercept them. The NSA’s wiretaps don’t even need to be silent; they just need to send a message that arrives at the target first. It works by examining requests and injecting a forged reply that appears to come from the real recipient so the victim acts on it.

    In this case, packet injection is used for “man-on-the-side” attacks — which are more failure-tolerant than man-in-the-middle attacks because they allow one to observe and add (but not also subtract, as the man-in-the-middle attacks do). That’s why these are particularly popular in censorship systems. It can’t keep up? That’s okay. Better to miss a few than to not work at all.

    Reply
  9. Tomi Engdahl says:

    Next-gen HTTP 2.0 protocol will require HTTPS encryption (most of the time)
    http://www.pcworld.com/article/2061189/next-gen-http-2-0-protocol-will-require-https-encryption-most-of-the-time-.html

    Sending data in plain text just doesn’t cut it in an age of abundant hack attacks and mass metadata collection. Some of the biggest names on the Web—Facebook, Google, Twitter, etc.—have already embraced default encryption to safeguard your precious data, and the next-gen version of the crucial HTTP protocol will only work for URLs protected by HTTPS.

    Mark Nottingham, chair of the HTTPbis working group developing the HTTP 2.0 protocol for the Internet Engineering Task Force, made the announcement early Wednesday in a Worldwide Web Consortium mailing list.

    “HTTP/2.0 will only work for https:// URIs — part of @ietf response to pervasive monitoring. http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/0625.html …”

    Non-encrypted HTTP URLs would continue to use the current HTTP protocol, though Nottingham says the HTTP 2.0 protocol will still need to formally define how the protocol handles unencrypted URLs.

    “To be clear—we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption,” he wrote. “However, for the common case—browsing the open Web—you’ll need to use https:// URIs and if you want to use the newest version of HTTP.”

    One more step on a long road to a faster, safer Web

    The HTTPbis Working Group’s last call for HTTP 2.0 is slated to occur in April 2014, before submitting HTTP 2.0 to the Internet Engineering Standards Group in November 2014 for consideration as a formal standard.

    The current HTTP 2.0 draft implementation was inspired by Spdy, an open protocol that’s compatible with standard HTTP and uses TLS encryption almost universally.

    Reply
  10. Tomi Engdahl says:

    I want NSA chief’s head on a plate for Merkelgate, storms Senator McCain
    And raging Republican reckons ‘pigs will fly’ if Snowden hasn’t sold out to the Russians
    http://www.theregister.co.uk/2013/11/11/nsa_boss_should_resign_over_merkelgate_senator_mccain/

    John McCain, the US senator who lost to Barack Obama in the 2008 presidential elections, wants General Keith Alexander, head of the NSA and US Cyber Command, to resign over revelations that US spies bugged the telephone of Germany’s Chancellor Angela Merkel.

    Gen Alexander is due to retire in the spring.

    McCain admitted there had always been a certain amount of eavesdropping on friends, but the Merkel spying should not have happened.

    Reply
  11. Tomi Engdahl says:

    US intelligence wants to radically advance facial recognition software
    National Intelligence agency wants to cull facial IDs from massive amounts of video, images
    http://www.networkworld.com/community/blog/us-intelligence-wants-radically-advance-facial-recognition-software

    Identifying people from video streams or boatloads of images can be a daunting task for humans and computers.

    But a 4-year development program set to start in April 2014 known as Janus aims to develop software and algorithms that erase those problems and could radically alter the facial recognition world as we know it.

    Funded by the Office of the Director of National Intelligence’s “high-risk, high-payoff research” group, Intelligence Advanced Research Projects Activity (IARPA) Janus “seeks to improve face recognition performance using representations developed from real-world video and images instead of from calibrated and constrained collections.”

    IARPA says Janus is not focused on furthering generic object recognition, or on the development of advanced interfaces for facial analysis but rather wants new technology that can make use of use new image representations where additional information such as novel poses or lighting variations to improve recognition performance.

    Reply
  12. Tomi Engdahl says:

    Who’s hogging Amazon’s cloud CPUs? I’ll kill ‘em … oh, look, it was me
    CloudTrail sent in by web bazaar to flag up greedy API slurpings
    http://www.theregister.co.uk/2013/11/14/cloudtrail_api_amazon/

    No one trusts the cloud, not even people who have built their businesses entirely on it – or so Amazon has indicated with a new tool that reveals how individual Amazon Web Services systems are being accessed.

    For organizations that have sat themselves in Bezos & Co’s cloud, the web bazaar announced a new security utility called CloudTrail, which monitors calls to the AWS software interfaces.

    The service gives sysadmins a clear idea of what exactly is accessing the cloud’s resource at any one time. Security logs are stored in Amazon’s mainstay S3 service with the option of being archived to its long-term low-cost Glacier storage as well.

    “It is a service that logs all API calls you are making to AWS resources,”

    Initially CloudTrail will logs API calls to a decent portion of the alphabet soup of Amazon services, including EC2, EBS, RDS, VPC, IAM, STS, and Redshift.

    Reply
  13. Tomi Engdahl says:

    Cisco blame their earnings dropping with spy scandal: “The volume of orders just fell and fell,”

    Cisco predicts the company’s net sales to decline in the future, the company said disclosing the fiscal year 2014 first-quarter results. Its net sales were the company’s own as well as analysts’ consensus forecast of what the company explains in emerging markets with weak demand.

    Cisco estimates that affect the demand for the NSA spying scandal. The company supplies a large part of the network devices, the flow of traffic through the NSA told spying.

    Cisco forecasts that its net sales in the current quarter will fall 8-10 per cent year-on-year, and the trend is expected next year half way.

    Lower than estimated revenue was due to a reduction in orders, particularly in developing countries

    Source: http://www.tietoviikko.fi/kaikki_uutiset/cisco+syyttaa+tuloksestaan+vakoiluskandaalia+quottilausten+maarat+vain+putosivat+ja+putosivatquot/a947434

    Reply
  14. Tomi Engdahl says:

    6 Tips to Help CIOs Manage Shadow IT
    http://www.cio.com/article/743114/6_Tips_to_Help_CIOs_Manage_Shadow_IT

    IT, mobile and security experts offer advice on how to minimize the risks associated with third-party apps and services as well as with employees using their mobile devices in the workplace.

    1. Monitor your network — to find out if or where you have a Shadow IT problem. “Regardless of whether employees use company-issued or personal (i.e., BYOD) hardware, organizations need to identify where all their data resides — [in house], in the data center, at the edge or in the cloud,”

    2. Prioritize risk. “Not all software/services used outside of IT control is bad,”

    3. Establish guidelines around BYOD and apps/cloud services. “To accommodate the needs of business units, IT can create and share a list of approved software/applications beyond the standard issue software,”

    4. Offer alternatives. “Today’s workers expect to be able to find, view and use their data across locations and devices,” says White. “If enterprises don’t provide a secure solution for access to corporate data remotely, employees will find their own ways to manage information to work efficiently by using consumer products that can put the organization at risk,” he says.
    “By providing employees with secure, IT-controlled anywhere, anytime access to information on-the-go, they can reduce the risk of employees deploying outside products that are beyond the awareness, discovery and control of IT,” White says.

    5. Restrict access to third-party apps. “Restrict your users’ access to applications such as Dropbox, SharePoint and SkyDrive among others,”

    6. Offer amnesty on Shadow IT. “When identifying the threats of Shadow IT, you have two choices: First, your IT department can identify the traffic to and from third-party cloud solutions that deliver Shadow IT, like Skype, Box and Dropbox,”
    “However, this process is time-consuming, inaccurate and blocking entirely is almost impossible,” Scott-Cowley says. The better option: “Hold an amnesty on Shadow IT. A no-consequences, ‘stand up, own up and be counted’ strategy, without fear of retribution works — especially if you give users an opportunity to explain why they needed a third-party app and why your corporate platforms weren’t up to the job.”

    Reply
  15. Tomi Engdahl says:

    The second operating system hiding in every mobile phone
    http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone

    I’ve always known this, and I’m sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.

    This operating system is stored in firmware, and runs on the baseband processor. As far as I know, this baseband RTOS is always entirely proprietary. For instance, the RTOS inside Qualcomm baseband processors (in this specific case, the MSM6280) is called AMSS, built upon their own proprietary REX kernel, and is made up of 69 concurrent tasks, handling everything from USB to GPS. It runs on an ARMv5 processor.

    The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there’s no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device.

    You may think these baseband RTOS’ are safe and secure, but that’s not exactly the case. You may have the most secure mobile operating system in the world, but you’re still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm’s Infineon’s, and others’ blue eyes.

    The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

    So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you’re connected to. What could possibly go wrong?

    With this in mind, security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits – crashing the device, and even allowing the attacker to remotely execute code. Remember: all over the air. One of the exploits he found required nothing more but a 73 byte message to get remote code execution. Over the air.

    You can do some crazy things with these exploits. For instance, you can turn on auto-answer, using the Hayes command set.

    This is a pretty serious issue, but one that you rarely hear about.

    Reply
  16. Tomi Engdahl says:

    Baseband Hacking: A New Frontier for Smartphone Break-ins
    http://readwrite.com/2011/01/18/baseband_hacking_a_new_frontier_for_smartphone_break_ins#awesm=~onavOrh5tvGfRh

    Security researcher Ralf-Philipp Weinmann says he has found a new way to hack into mobile devices – by using a baseband hack that takes advantage of bugs found in the firmware on mobile phone chipsets sold by Qualcomm and Infineon Technologies. Weinmann will demonstrate the hack on both an iPhone and an Android device at this week’s Black Hat

    Reply
  17. Tomi Engdahl says:

    A Fraying of the Public/Private Surveillance Partnership
    https://www.schneier.com/blog/archives/2013/11/a_fraying_of_th.html

    The public/private surveillance partnership between the NSA and corporate data collectors is starting to fray. The reason is sunlight. The publicity resulting from the Snowden documents has made companies think twice before allowing the NSA access to their users’ and customers’ data.

    Pre-Snowden, there was no downside to cooperating with the NSA. If the NSA asked you for copies of all your Internet traffic, or to put backdoors into your security software, you could assume that your cooperation would forever remain secret. To be fair, not every corporation cooperated willingly. Some fought in court. But it seems that a lot of them, telcos and backbone providers especially, were happy to give the NSA unfettered access to everything.

    Post-Snowden, this is changing. Now that many companies’ cooperation has become public, they’re facing a PR backlash from customers and users who are upset that their data is flowing to the NSA. And this is costing those companies business.

    This is the new reality. The rules of secrecy are different, and companies have to assume that their responses to NSA data demands will become public. This means there is now a significant cost to cooperating, and a corresponding benefit to fighting.

    Over the past few months, more companies have woken up to the fact that the NSA is basically treating them as adversaries, and are responding as such

    The Snowden documents made it clear how much the NSA relies on corporations to eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already eavesdropping on every Internet user — surveillance is the business model of the Internet, after all — and simply got copies for itself.

    Now, that secret ecosystem is breaking down.

    These developments will only help security

    Reply
  18. Tomi Engdahl says:

    Microsoft Patches Old Software Flaws with New Fixes
    http://www.tomsguide.com/us/microsoft-november-patch-tuesday,news-17855.html

    Microsoft released eight fixes for 19 security flaws in this month’s Patch Tuesday update, including one actively being exploited by a possibly state-sponsored team of Chinese hackers.

    However, Microsoft did not patch a very serious flaw in Microsoft Office that affects all versions of Windows and is currently being exploited by a second team of malicious hackers, this one in South Asia. It’s possible that flaw will be fixed by an out-of-cycle update before next month’s scheduled Patch Tuesday on Dec. 9.

    Reply
  19. Tomi Engdahl says:

    Hackers steal ‘FULL credit card details’ of 376,000 people from Irish loyalty programme firm
    Data was unencrypted, claims Irish data protection commish
    http://www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/

    According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – contrary to all payment storage rules – CVV details were held unencrypted on Loyaltybuild’s systems in the run-up to attacks in the middle of October.

    CVV – Card Verification Value – numbers are the three-digit security code found on the back of a credit or debit card, used to prove that a customer making an online purchase has physical possession of the card. They are an important anti-fraud measure.

    Data Protection Commissioner Billy Hawkes told the Irish Times that Loyaltybuild had stored financial information in unencrypted form, along with the three-digit security code printed on customers’ credit and debit cards. We put this specific accusation to Loyaltybuild but have yet to hear back from the firm.

    “It’s unclear why Loyaltybuild stored the compromised credit card information in the first place,” said Gene Meltser, technical director for Neohapsis Labs, the research arm of mobile and cloud security services firm Neohapsis. “In general, loyalty based programs function by rewarding users for specific purchasing activity, and to do that, loyalty rewards programmes only need to correlate a member’s account information, such asa name, to purchasing activity records related to the reward in question.”

    “In an overwhelming majority of cases, it is unnecessary to store detailed credit card data, and in absolutely all cases it is prohibited to store the 3- or 4-digit codes, or CVV values, off the credit card. To store this data unencrypted would not only be fundamentally prohibited under PCI-DSS requirements, but also demonstrating considerable negligence in protecting customer and payment data,”

    Reply
  20. Tomi Engdahl says:

    Microsoft FAILS to encrypt data centre links despite NSA snooping
    Odds of a new ‘F*CK YOU NSA’ engineer’s rant: Medium
    http://www.theregister.co.uk/2013/11/14/ms_data_centre_link_uncryption/

    Microsoft has admitted it doesn’t yet encrypt “server-to-server” communications, although it plans to review its security arrangements in the wake of ongoing revelations about NSA spying.

    The non-cryption admission, made by a senior Microsoft legal officer during an EU inquiry, comes shortly after leaks by whistleblower Edward Snowden revealed that Google and Yahoo! data centre interconnects were being tapped by the NSA’s spies, as part of a program code-named MUSCULAR.

    “These risks were well known before Snowden, and European companies who want to show they are serious about data protection will be considering legal action.”

    Google’s Lundblad told MEPs that the internet giant is encrypting server connections and data centre interconnects, which he described as an ongoing process that never finishes.

    Reply
  21. Tomi Engdahl says:

    Owner of Lavabit Faces $10K Fine For Protecting His Users From Federal Spying
    http://www.dailytech.com/Owner+of+Lavabit+Faces+10K+Fine+For+Protecting+His+Users+From+Federal+Spying/article33743.htm

    Protecting your customers may lead to big penalties in today’s police state

    Ladar Levison had a thriving business. His encrypted email service was heavily used by corporate users that valued protecting their trade secrets. The Obama administration, however, stepped in and crushed this American success story.

    After it was revealed that the Obama administration was nullifying the Constitutional protections against search and seizure in order to execute warrantless seizures of the metadata of America’s law abiding majority, the administration struck back. Members of Congress, including numerous Republicans that showed a surprising solidarity with the Democratic President, labeled Edward Snowden a “traitor”.

    In the aftermath, one of the Snowden reports carelessly showed his email — revealing he had a Lavabit address. Now President Obama and his bipartisan backers had a new victim to sink the teeth of the judicial system into.

    Mr. Levison was faced with a tough choice.

    Instead he opted for choice C — to act in civil disobedience while being careful not to directly defy the legal statutes of the USA PATRIOT Act. He allegedly ducked out his back door when he first saw federal agents coming to his home, denying them a chance to deliver a subpoena.

    The Obama administration’s FISA court was not happy with this action.

    It held Mr. Levison in contempt of court and authorized the U.S. Federal Bureau of Investigations (FBI) to install malware on Mr. Levison’s servers — R — and fine him $5,000 for every day he did not turn over his customers’ encryption keys.

    Mr. Levison exercised his Constitutional rights and waited two days, before defiantly delivering a printout of the keys printed in size 4 font. But by then he’d already shut down his business and purged his servers, leaving nothing for the feds to collect.

    Mr. Levison stated in a brief release, “[I refuse] to become complicit in crimes against the American people.”

    The Obama administration was outraged at that refusal. The U.S. Department of Justice (DOJ) briefly considered seeking his imprisonment, according to sources. But after Mr. Levison collected $100,000 USD in donations to support a legal defense, the DOJ declined to seek prison time for Mr. Levison’s acts of civil disobedience. Instead it opted to just punish Mr. Levison with the financial penalty stated in the original contempt order — a fine of $10,000 USD.

    Reply
  22. Tomi Engdahl says:

    In the future, your Facebook credentials to log in to Microsoft’s Windows 8 and Windows Phone 8 applications.

    Microsoft has added the ability for developers to use applications on the Login login service. In practice, the user does not need to create a username and password for applications, but the authentication is done with Facebook credentials.

    Microsoft’s chief Steve Guggenheim’s the Facebook Login feature of more applications and the use of check-ins, as well as to facilitate the registration.

    Microsoft is also called the Microsoft Account Authentication service. The company sees its own service on Loginin a complementary activity.

    Critics, Facebook’s login service is eroding the network security, because the same username and password can be used for a multitude of different services.

    Source: http://www.tietoviikko.fi/kehittaja/microsoft+tursottaa+rasvaa+windowssovelluksiin+facebookin+tuubista/a947640

    Reply
  23. Tomi Engdahl says:

    Microsoft’s new Cybercrime Center combines tactics against hacking groups
    http://www.reuters.com/article/2013/11/14/net-us-microsoft-cybercrime-idUSBRE9AD0P120131114

    The maker of the most popular computer operating system in the world is launching a new strategy against criminal hackers by bringing together security engineers, digital forensics experts and lawyers trained in fighting software pirates under one roof at its new Cybercrime Center.

    The new approach, to be launched on Thursday, is the latest attempt to close the gap created in the past decade as criminal hackers innovated in technology and business methods to stay ahead of adversaries mired in the slow-moving world of international law enforcement.

    Already, many of the biggest victories against organized online criminals have come when private companies have worked together to seize control of the networks of hacked computers, called botnets, that carry out criminal operations. Though it is at times derided for the security shortfalls in its own products, Microsoft has led more of those seizures than any other company.

    “Cybercrime is getting worse,”

    The center features a lab for dissecting malicious software samples that is accessible only with fingerprint authorization. In another room, a monitor tracks the countries and Internet service providers with the greatest number of machines belonging to some of the worst botnets.

    About 80 of the crime unit’s 100 staffers have focused on the piracy of Microsoft products, with far fewer devoted to deconstructing the methods of criminals attacking Microsoft users and stopping them when possible.

    Reply
  24. tomi says:

    NSA Fallout: Tech Firms Feel a Chill Inside China
    http://online.wsj.com/news/article_email/SB10001424052702303789604579198370093354680-lMyQjAxMTAzMDEwNDExNDQyWj

    Big U.S. computer and software companies are reporting a sudden chill in sales to China, and some blame increased government hostility toward the U.S.

    In the latest sign, computer-networking-gear maker Cisco Systems Inc. said Wednesday that orders from China in the latest quarter fell 18% from the same period a year earlier.

    Earlier, International Business Machines Corp. , Hewlett-Packard Co. and Microsoft Corp. all reported declining sales to China in their most recent fiscal quarters.

    Reply
  25. Tomi Engdahl says:

    Safety Finds a Home on the Ethernet Network
    http://www.designnews.com/author.asp?section_id=1386&doc_id=268390&cid=nl.dn14

    Not many years ago, safety systems were standalone networks.

    It was common practice to make sure the safety network was physically separate from the network that controlled the plant. Many machines had their own safety tools that were completely separate from networks altogether. This made for an inefficient patchwork of differing systems running through the plant, but that has completely changed in just a few short years. Now the unthinkable is the rule: Safety lives on the same Ethernet network as the control system.

    The result of these changes is that safety is now more efficient, more flexible, less expensive, and safer.

    “You can have a safe network on a standard network. The thing we use is the black channel principle,” Zachary Stank, safety specialist at Phoenix Contact, told Design News. “The safety is on the same network as control, but it can’t be touched by anything.”

    Before the shift to Ethernet networks, the idea of running safety and control on the same network was considered reckless. The two functions were incompatible. This incompatibility is still the case. The difference now is that Ethernet allows clear separation between control and safety even though they’re on the same wire.

    Hackers are now targeting safety networks
    These days, anything that is networked is vulnerable to hackers. Networked safety is no exception. “If your threat is somebody who wants to cause you upset, embarrass you, and show that you can’t be trusted, they will go after the safety system,” Eric Byres, chief technology officer at Tofino Security, a Belden company, told Design News.

    Byres noted that tools to hack into a safety system have been showing up at hacker conferences. He pointed to a toolkit offered by a Russian company for $2,500 that is specifically designed to attack networked safety systems. While that cost may seem dear to your bedroom hacker, Byres views it as little. “If a criminal organization wants to extort money or steal intellectual property and sell it, the $2,500 is chump change.”

    Reply
  26. Tomi Engdahl says:

    Hackers at Your Gate
    http://www.designnews.com/author.asp?section_id=1386&doc_id=269644&cid=nl.dn14

    Hackers are trying to get into your plant data and your intellectual property. Think you’re safe? Hackers may have already attacked your data. The average length of time from a cyber-attack to the moment that attack is detected is a whopping 416 days, according to the National Board of Information Security Examiners (NBISE).

    Michael Assante, director of NBISE painted a dire picture of the growing threat of cyber-security at the Rockwell Automation Fair in Houston Tuesday.

    Assante classified cyber-attacks into three categories:

    General cyber-attacks are less structured. The hackers are out for notoriety and fame. They’re part of the hacker community.
    Targeted cyber-attacks are directed to specific goals. The attacks could be for monetary gain or to steal intellectual property.
    The third category is the most dangerous, strategic cyber-attacks. These are highly structured attacks with intent to commit major economic disruption or cyber-terrorism. Assante noted that strategic cyber-attacks are growing. “We have passed the inflection point,” he said.

    As for warding off attacks, Assante believes the answer is an educated staff and networks that require authentication. “People pave the way to cyber-security,” he said. “We have to secure people, and we have to make people cyber-aware.”

    Kulaszewicz noted that Rockwell and Cisco Systems have developed a strategic relationship to increase connectivity and productivity, but also to work on security. “We’re using role-based security. We design for security and audit to identify gaps,” he said.

    Who are the bad guys?
    Attacks can come from anywhere in the world. (At a hackers conference you can buy a Russian toolkit to crack plant systems for $2,500.) However, the biggest threat may be plant employees. “It can be malicious insiders,”

    Reply
  27. Tomi Engdahl says:

    CIA collects data on international money transfers

    The U.S. Central Intelligence Agency CIA secretly collects data on international money transfers, says the Wall Street Journal .

    WSJ reports that the CIA has received court permission to collect data on international money transfers in the same way as the NSA is authorized to collect meta-data calls.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/cia+keraa+dataa+kansainvalisista+rahasiirroista/a947779

    Reply
  28. Tomi Engdahl says:

    NSA Wants To Reveal Its Secrets To Prevent Snowden From Revealing Them First
    http://yro.slashdot.org/story/13/11/14/2354216/nsa-wants-to-reveal-its-secrets-to-prevent-snowden-from-revealing-them-first

    “According to a recent report by Tom Gjelten of NPR, ‘NSA officials are bracing for more surveillance disclosures from the documents taken by former contractor Edward Snowden — and they want to get out in front of the story. “

    Reply
  29. Tomi Engdahl says:

    Intelligence Officials Aim To Pre-Empt More Surveillance Leaks
    http://www.npr.org/blogs/thetwo-way/2013/11/13/245065678/intelligence-officials-aim-to-preempt-more-surveillance-leaks

    NSA officials are bracing for more surveillance disclosures from the documents taken by former contractor Edward Snowden — and they want to get out in front of the story.

    In a recent speech, NSA Director Keith Alexander said Snowden may have taken as many as 200,000 NSA documents with him when he left his post in Hawaii. If so, the vast majority of them have yet to be released.

    Intelligence officials tell NPR they believe Snowden’s secrets fall into four categories:

    ŸInformation on NSA capabilities

    NSA intelligence reports on threats, foreign leaders and other topics

    Information on NSA partnerships, such as those made with private U.S. tech companies and foreign intelligence services

    Details of SIGINT “requirements” levied against the NSA by other U.S. government agencies

    Most of the disclosures so far have pertained to NSA capabilities and NSA partnerships. Officials are most concerned about the fourth category of secrets — the “requirements” disclosures.

    NSA officials say the agency is now dealing with about 36,000 pages of such requirements from various government agencies, all of them specifying intelligence targets about some government agency that wants more information.

    Disclosure of these requests could reveal where there are gaps in U.S. intelligence and therefore highlight some U.S. vulnerabilities. NSA officials say few, if any, of the disclosures so far fall into this category.

    Reply
  30. Tomi Engdahl says:

    TSA screening works only ‘a little better than chance,’ according to government report
    http://www.theverge.com/2013/11/13/5100702/tsa-screening-works-only-a-little-better-than-chance-according-to

    The Transportation Safety Administration has long relied on singling out airline passengers that agents believe are behaving suspiciously, even as outside groups like the General Accounting Office maintain that these behavioral indicators are unreliable.

    Summarizing 400 studies over the past 60 years, the report concludes that humans perform only “the same as or slightly better than chance.” Given that the TSA has spent almost a billion dollars on the program, that’s a pretty poor record.

    Reply
  31. Tomi Engdahl says:

    Getting a Shell on any Android Device
    http://hackaday.com/2013/11/17/getting-a-shell-on-any-android-device/

    If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interesting in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on any Android device with just a USB cable. The ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have the answer that involves a little-known property of USB devices.

    USB mini and micro plugs have five pins – power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexor inside your phone can allow anyone with the proper hardware to access the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell.

    The guys went farther with some proprietary Samsung hardware that could, if they had the service manual, unlock any samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware.

    Comment:

    matt says:
    November 17, 2013 at 2:34 am

    The article title is definitely misleading, and it seems as if Brian didnt read the paper at all. This isnt applicable to ANY android device, only those which use multiplexers ICs on the USB port, and only if they are designed to explicitly allow this. The hack here tested only the Nexus and was able to get to a debugger which had access to an unprivileged shell. I havent played with android much, but if you rooted your device couldnt you just ‘chmod -x adb’ to fix this issue?

    Reply
  32. Tomi says:

    Exclusive: FBI warns of U.S. government breaches by Anonymous hackers
    http://www.reuters.com/article/2013/11/16/us-usa-security-anonymous-fbi-idUSBRE9AE17C20131116

    (Reuters) – Activist hackers linked to the collective known as Anonymous have secretly accessed U.S. government computers in multiple agencies and stolen sensitive information in a campaign that began almost a year ago, the FBI warned this week.

    The hackers exploited a flaw in Adobe Systems Inc’s software to launch a rash of electronic break-ins that began last December, then left “back doors” to return to many of the machines as recently as last month, the Federal Bureau of Investigation said in a memo seen by Reuters.

    The memo, distributed on Thursday, described the attacks as “a widespread problem that should be addressed.” It said the breach affected the U.S. Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies.

    Reply
  33. Tomi says:

    Digital Detectives
    http://www.microsoft.com/en-us/news/stories/cybercrime/index.html

    Inside Microsoft’s new headquarters for the fight against cybercrime

    Last year, an army of five million zombie computers began taking marching orders from an Eastern European cybercriminal kingpin.

    These computers weren’t in a dank warehouse or an abandoned strip mall, but in homes and offices across 90 countries. The infected PCs belonged to a vast array of unwitting users who detected nothing out of the ordinary. Meanwhile, when its malevolent creators issued the command, the zombie army lurched to life.

    The zombies recorded keystrokes, capturing login passwords and Social Security numbers, spying on financial information, and logging people’s most sensitive and personal information.

    Over the course of 18 months, this botnet (nicknamed Citadel) stole half a billion dollars from students and bankers, grandparents and businesses. This summer, the FBI, bank investigators, technology researchers and Microsoft teamed up to try to stop it.

    Reply
  34. Tomi Engdahl says:

    Think NSA Snooping Is Bad? Check Out MPAA Theater Security
    http://www.wired.com/threatlevel/2013/11/mpaa-theater-security/

    Hollywood studios are urging theater operators to crack down on in-theater camcording with the deployment of night-vision goggles, low-light binoculars and security cameras.

    The latest version of the Motion Picture Association of America’s “Best Practices to Prevent Film Theft” (.pdf) also suggests old-school surveillance, like “random bag and jacket checks for prohibited items” and to “observe patrons” when entering the theater.

    Camcording and industry leaks are the top methods of choice for movies to find their way to file-sharing sites like The Pirate Bay and on unauthorized DVDs. Camcording is a federal felony carrying a maximum 3 year penalty.

    The document also asserts a top rule practiced by all the world’s spy agencies: Trust no one.

    Reply
  35. Tomi Engdahl says:

    TOXIC DOLPHIN SANDWICH on the menu, say hacktivists
    Anonymous plans day of attacks to protest Japanese fishing naughtiness
    http://www.theregister.co.uk/2013/11/18/anonymous_dolphin_hunting_taiji_attack/

    Entities using the name and iconography of Anonymous (EUTNAIOA) and claiming to come from the USA have threatened a series of online attacks against the Japanese government in protest at the continued practice of dolphin hunting in the small town of Taiji.

    Reply
  36. Tomi Engdahl says:

    Keeping your endpoint data safe: some simple precautions
    Stay one step ahead
    http://www.theregister.co.uk/2013/10/21/data_security/

    People are out to get you. Your business, your users, your systems and your data all have value to someone.

    You could be targeted because you have something that someone specifically wants, or because attackers are hoping to find bank account details or email addresses to spam, or because they want your compute power for a botnet.

    Few companies have the luxury of being able to dedicate one or more members of staff to security, but there are some easy layers of defence that everyone should have in place.

    Security does not earn money so it tends to be something companies attend to after an incident. But remember you may very well be blamed for not having identifed the risks.

    Black magic

    A unified threat management solution is one defence option. This is a gateway that has black wizardry to protect you from spam, intrusions and viruses, as well as controlling content or network traffic.

    It is one of those balance calls: you won’t stop everything (impossible) but for a reasonably small outlay you will be ahead of many people out there and become a less easy target.

    This sort of device should alert you to something going on that you would normally not be aware of.

    Ye of little faith

    Endpoint security is another area where it might seem like you are dishing out cash for nothing.

    Microsoft Windows 7 and below have this covered fairly well with Microsoft Security Essentials for your anti-virus needs and Windows Defender for spyware. Windows 8 has Windows Defender built in and does both anti-virus and anti-spamware.

    One of the most common methods of getting something unwanted is via an infected USB. Blocking USB devices is of course one line of defence

    Fear of phones

    The latest threat on the block is mobile malware. Android phones are still the worst, hands down, so if you can possibly avoid it, don’t provide them to staff. iPhones, Windows phones and BlackBerrys are much safer in that regard.

    Enforcing a PIN or password on devices is the most basic level of protection and should be employed wherever possible.

    It is worth having a look at a mobile device management platform. It can report on what apps are installed on your mobile fleet, allow you to remote-wipe when someone leaves their phone in the back of a taxi, and can help identify devices that are not running the latest operating system version.

    Beware the mafia

    Making sure that accounts are disabled as people walk out the door for the last time is a very small price to pay to avoid a potential high risk of damage.

    Reply
  37. Tomi Engdahl says:

    Exclusive: FBI warns of U.S. government breaches by Anonymous hackers
    http://www.reuters.com/article/2013/11/16/us-usa-security-anonymous-fbi-idUSBRE9AE17C20131116

    Activist hackers linked to the collective known as Anonymous have secretly accessed U.S. government computers in multiple agencies and stolen sensitive information in a campaign that began almost a year ago, the FBI warned this week.

    The hackers exploited a flaw in Adobe Systems Inc’s software to launch a rash of electronic break-ins that began last December, then left “back doors” to return to many of the machines as recently as last month, the Federal Bureau of Investigation said in a memo seen by Reuters.

    Reply
  38. Tomi Engdahl says:

    A Russian GPS Using U.S. Soil Stirs Spy Fears
    http://www.nytimes.com/2013/11/17/world/europe/a-russian-gps-using-us-soil-stirs-spy-fears.html?pagewanted=all&_r=0

    In the view of America’s spy services, the next potential threat from Russia may not come from a nefarious cyberweapon or secrets gleaned from the files of Edward J. Snowden, the former National Security Agency contractor now in Moscow.

    Instead, this menace may come in the form of a seemingly innocuous dome-topped antenna perched atop an electronics-packed building surrounded by a security fence somewhere in the United States.

    In recent months, the Central Intelligence Agency and the Pentagon have been quietly waging a campaign to stop the State Department from allowing Roscosmos, the Russian space agency, to build about half a dozen of these structures, known as monitor stations, on United States soil, several American officials said.

    They fear that these structures could help Russia spy on the United States and improve the precision of Russian weaponry, the officials said.

    “I would like to understand why the United States would be interested in enabling a GPS competitor, like Russian Glonass, when the world’s reliance on GPS is a clear advantage to the United States on multiple levels,” said Representative Mike D. Rogers, Republican of Alabama, the chairman of a House Armed Services subcommittee.

    Reply
  39. Tomi Engdahl says:

    Don’t do business with these companies
    http://www.f-secure.com/weblog/archives/00002639.html

    What do Inteqno, Altran Strategies, Deticaconsulting and Nezux have in common?

    Well, first of all, they are all one and the same. Or actually, none of them are real companies at all. They are phony online shells run by online criminals. They only serve one purpose: to make it appear that these companies are legitimate, that they really exists and that they have a history. These are needed so they have enough credibility to try to hire people.

    So what kind of people are phony companies hiring? Specifically, they are hiring money mules (definition). Of course, these companies don’t label their positions as “money mules”, they call the job position “Customer Assistant” or “Operations Assistant”…

    These companies post job offers on sites like Linkedin and send them out via direct emails.

    Reply
  40. Tomi Engdahl says:

    Study: Only these anti-virus software to prevent all infections

    Only three anti-virus program to block all virus infections, shows a new survey .

    Software to test the AV-Comparatives website report the full 100 per cent protection offered only by Kaspersky, Panda and Trend Micro software. F-Secure ranked seventh in 99.4 per cent of earnings.
    The result was particularly because of user self-made errors (stupid configuration)

    The study compared 21 were anti-virus software, as well as with each other and in relation to Windows 7 for your own protection factory settings.

    Kingsoft fared worst, with software fared even worse than Windows’ own virus protection – the user was, therefore, more secure, without extra software.

    Sources:
    http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2013&month=10&sort=0&zoom=2
    http://www.tietoviikko.fi/kaikki_uutiset/selvitys+vain+nama+virustorjuntaohjelmat+estavat+kaikki+tartunnat/a948068

    Reply
  41. Tomi Engdahl says:

    Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks
    Hacks on sites using the widely used forum software spread to its maker.
    http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/

    Forums software maker vBulletin has been breached by hackers who got access to customer password data and other personal information, in a compromise that has heightened speculation there may be a critical vulnerability that threatens websites that run the widely used program.

    “Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”

    The speculation that there’s a critical vulnerability in vBulletin goes well beyond the compromise of three websites that use the program.

    To summarize, then: The Inject0r Team members claimed they breached vBulletin.com by exploiting a previously undocumented vulnerability in the vBulletin software.

    The Inject0r Team website claims to be selling attack code that exploits the vBulletin vulnerability and offers screen shots said to prove the root compromises are real.

    Reply
  42. Tomi Engdahl says:

    HS: Police procurement of equipment in connection with a criminal organization

    Helsingin Sanomat (HS) data: The Finnish police have purchased surveillance and monitoring equipment from a company with links to criminal organization United Brotherhood.

    Equipment sold to the police Trevoc company

    Helsinki Police Department was not aware of the connection.

    Source: http://www.taloussanomat.fi/politiikka/2013/11/17/hs-poliisin-laitehankinta-yhteydessa-rikollisjarjestoon/201315985/12?rss=4

    Reply
  43. Tomi Engdahl says:

    TrueCrypt audit project founder: ‘We’ve set our sights high’
    Vuln-busting review of opern-source encrypto-tech starts a-rollin’
    http://www.theregister.co.uk/2013/11/18/truecrypt_audit_founder_qanda/

    A TrueCrypt audit project has uncovered a well of technical support with its plans to publicly audit the widely used disk and file encryption utility for the first time.

    TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a virtual disk. The tool can also hide volumes of data on discs.

    The TrueCrypt audit project raised enough money to pay for a professional review of the software within days of its launch.

    Kenneth White: On IndieGoGo, you have to set a funding time range, so the 60 days was arbitrary, and, at the time we thought $25,000 was a pretty ambitious stretch goal. It turns out we hit that target in the first four days of the campaign.

    The Reg: Are there any historic precedents for your project? Do you think the same idea could be applied to evaluating other security packages? I understand that you want to do TrueCrypt first but am wondering if this type of kick-starter idea might be applied to other security projects, by yourself or others, in future?

    White: The closest with TrueCrypt was by the 2008 review by engineers working with privacy-cd.org.

    But more broadly, the best model we have seen – and [one which we] hold as our standard – is the recent public review (PDF) of SecureDrop by the University of Washington CS Engineering Department, along with Bruce Schneier and Jacob Applebaum.

    Reply
  44. Tomi Engdahl says:

    Government Standards Agency “Strongly” Suggests Dropping its Own Encryption Standard
    http://www.propublica.org/article/standards-agency-strongly-suggests-dropping-its-own-encryption-standard

    Following revelations about the NSA’s covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced earlier this week it is revisiting some of its encryption standards.

    But in a little-noticed footnote, NIST went a step further, saying it is “strongly” recommending against even using one of the standards.

    As ProPublica, the New York Times, and the Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world.

    Various versions of Microsoft Windows, including those used in tablets and smartphones, contain implementations of the standard, though the NSA-influenced portion isn’t enabled by default. Developers creating applications for the platform must choose to enable it.

    The NIST standard describes what is known as an “elliptic curve-based deterministic random bit generator.”

    The Times reported that the Snowden documents suggest the NSA was involved in creating the number generator.

    Reply
  45. Tomi Engdahl says:

    Netflix users targeted by Microsoft Silverlight exploit
    Uninstall Silverlight if you don’t use it
    http://www.theinquirer.net/inquirer/news/2307450/netflix-users-targeted-by-microsoft-silverlight-exploit

    STREAMING FILM AND TV SERVICE Netflix users are being targeted by an exploit that executes arbitrary code in Microsoft Silverlight and allows cybercrooks to “do almost anything to their computer”.

    Found by security firm Malwarebytes, the exploit affects Netflix users by targeting vulnerabilities in Microsoft’s application framework Silverlight, which Netflix relies on to work. Malwarebytes told Silverlight users to uninstall Silverlight if they no longer need it, or to update it to the latest version to avoid being targeted.

    The vulnerability is exploited by users visiting compromised or malicious websites. The flaw, which exists in Silverlight versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction.

    “Upon landing on the exploit page, the Angler exploit kit will determine if Silverlight is installed and what version is running,” Malwarebytes explained. “If the conditions are right, a specially crafted library is triggered to exploit the Silverlight vulnerability.”

    Malwarebyutes said even if you do not have Netflix installed and have installed Silverlight in the past, simply remove it altogether

    Reply
  46. Tomi Engdahl says:

    What can bring Microsoft and Google together? WAR ON FILTH
    If you can’t find it, it isn’t there, apparently
    http://www.theregister.co.uk/2013/11/18/child_abuse_images_microsoft_google_search/

    Google and Microsoft have bent to political pressure in the UK by agreeing to make a number of changes to their search engine algorithms in a move that not only makes it a little harder for sickos to hunt down child abuse images online, but should also prevent regulatory intervention.

    UK Prime Minister David Cameron said that “significant progress” had been made since the summer months when he began wrangling with search engine providers and other internet players over the relative ease with which illegal content that shows children being sexually abused could be accessed.

    Despite search engines working closely with the Internet Watch Foundation in Britain, which claims it can on average remove access to such material

    He said in a piece for the Mail today that the ad giant had assembled a 200-strong team of engineers to work on “state-of-the-art technology to tackle the problem”.

    Number 10 said that Microsoft and Google had agreed, among other things, to block child abuse images, videos and pathways that lead to illegal material. It means that around 100,000 unique searches worldwide on Google will now apparently be halted.

    The next step is for Google and MS to work with cops at the NCA – which has 4,000 people on its books tracking, investigating and cuffing paedophiles in the UK – to try to tackle the peer-to-peer networks in darker corners of the web.

    But Cameron’s summit with ISPs, Google, Microsoft and others will not just discuss illegal child abuse images. The Prime Minister is also hoping to develop ways in which “children viewing online pornography and other damaging material at a very early age” can be stopped.

    Reply
  47. Tomi Engdahl says:

    Court order that allowed NSA surveillance is revealed for first time
    http://www.theguardian.com/world/2013/nov/19/court-order-that-allowed-nsa-surveillance-is-revealed-for-first-time

    Fisa court judge who authorised massive tapping of metadata was hesitant but felt she could not stand in the way

    Reply
  48. Tomi Engdahl says:

    Google Completes Upgrade of its SSL Certificates to 2048-Bit RSA
    http://threatpost.com/google-completes-upgrade-of-its-ssl-certificates-to-2048-bit-rsa/102959

    Google announced today that it has completed the upgrade of all its SSL certificates to 2048-bit RSA or better, coming in more than a month ahead of schedule.

    “We have completed this process which will allow the industry to start removing trust from weaker 1024-bit keys next year,” Google security engineer Dan Dulay said today.

    By choosing the longer key lengths, Google makes cracking the SSL connections that encrypt and secure banking transactions, email communication and more online that much tougher.

    “The hardware security module that contained our old 1024-bit intermediate certificate has served us well,” Dulay said. “Its final duty after all outstanding certificates were revoked was to be carefully destroyed.”

    Google’s Dulay also said that its intermediate certificate authority, the Google Internet Authority, will issue 2048-bit certificates for its websites and online services going forward.

    Google has had SSL on by default in Gmail since 2010 and has been encrypting searches for logged-in users by default since October 2011. This September, Google instituted SSL by default for all searches.

    Reply
  49. Tomi Engdahl says:

    Microsoft, Cisco: RC4 encryption considered harmful, avoid at all costs
    Why not try this lovely AES-GCM, and don’t forget to bin SHA-1, too
    http://www.theregister.co.uk/2013/11/14/ms_moves_off_rc4/

    Microsoft has urged the Windows world to dump the once trusty but now distrusted RC4 encryption algorithm – and pick something stronger. Cisco has also told its customers to “avoid” the cipher.

    RC4, developed in 1987, is a popular stream cipher that’s often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses.

    Academics found flaws in the algorithm years ago, and top-secret documents leaked by ex-NSA contractor Edward Snowden this year suggest US and UK spies have developed “groundbreaking cryptanalysis capabilities”, which ultimately allow the intelligence agencies to break RC4 encryption. Distrust of the cipher is therefore widespread but far from universal.

    Jacob Appelbaum, a computer security researcher and leading Tor developer, bluntly warned earlier this month: “RC4 is broken in real-time by the ‪NSA‬ – stop using it.” Ivan Ristic, director of engineering at computer security biz Qualys, added: “Even if there is no evidence, it’s prudent to assume RC4 is fully broken.”

    Now this week, Microsoft has gone public to “strongly encourage customers to evaluate, test and implement the options for disabling RC4 to increase the security of clients, servers and applications”. Specifically, Redmond wants people to switch to crypto-protocol TLS 1.2 – as used in HTTPS, secure SMTP, VPNs and other tech – and use the strong cipher AES-GCM.

    Networking giant Cisco has also, as of this month, downgraded RC4 from “legacy” to “avoid” in its recommendations for cryptographic algorithms.

    “The problem is stream ciphers like RC4 were one the primary defences used by many websites against the infamous BEAST and Lucky Thirteen attacks,”

    Windows 8.1 and Internet Explorer 11, both made available mid-October, default to TLS 1.2 and shun RC4. Microsoft has now provided a mechanism to disable the use of RC4 in Windows 7, 8, RT, Server 2008 R2 and Server 2012.

    Reply
  50. Tomi Engdahl says:

    Microsoft also announced that beginning on January 1, 2016 Windows will no longer support the use of X.509 certificates issued using the aging SHA-1 hashing algorithm for SSL and software code signing:

    Microsoft is recommending that customers and CAs stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognising the validity of SHA-1 based certificates after 2016.

    The older MD5 hashing algorithm was considered weak for many years,

    SHA-1, published in 1995, is significantly stronger than MD5, but Microsoft is withdrawing support for the technology before it is broken, using its market position to push change towards wider use of the newer SHA-2 set of functions: SHA-224, SHA-256, SHA-384 and SHA-512. Encryption experts welcomed the move.

    “SHA-1 isn’t broken yet in a practical sense, but the algorithm is barely hanging on and attacks will only get worse,” wrote encryption guru Bruce Schneier. “Migrating away from SHA-1 is the smart thing to do.”

    Source: http://www.theregister.co.uk/2013/11/14/ms_moves_off_rc4/

    Reply

Leave a Reply to tomi Cancel reply

Your email address will not be published. Required fields are marked *

*

*