Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also concerns mobile devices.

Security is becoming an increasingly important issue. The year 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. The group is also warning people to continue to expect this type of activity.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and now test their devices more. But how well do some of the smaller manufacturers do security testing? Metasploit has a special category for SCADA devices. It is a good idea to test your devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation security standard IEC 61508, security is addressed only in an informative way (NOT MANDATORY). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than some years ago. Previously, it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep automation systems isolated from the Internet: accidental connections to the Internet from isolated networks happen, and malware can spread through USB memory sticks (Stuxnet did that). There are also more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gain, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and quickly included in exploit kits.

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected; combined with lax law enforcement, this is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police unit has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    LG Smart TVs logging USB filenames and viewing info to LG servers
    http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

    Earlier this month I discovered that my new LG Smart TV was displaying ads on the Smart landing screen.

    After some investigation, I found a rather creepy corporate video advertising their data collection practices to potential advertisers. It’s quite long but a sample of their claims are as follows:

    LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.

    At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.

    Here you can clearly see that a unique device ID is transmitted, along with the Channel name “BBC NEWS” and a unique device ID.

    This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

    I noticed filenames were being posted to LG’s servers and that these filenames were ones stored on my external USB hard drive.

    My wife was shocked to see our children’s names being transmitted in the name of a Christmas video file that we had watched from USB.

    So what does LG have to say about this?

    So how can we prevent this from happening?

    Reply
  2. Tomi Engdahl says:

    Boston Cops Outraged Over Plans to Watch Their Movements Using GPS
    http://yro.slashdot.org/story/13/11/19/034240/boston-cops-outraged-over-plans-to-watch-their-movements-using-gps

    “The Boston Globe reports that the pending use of GPS tracking devices, slated to be installed in Boston police cruisers, has many officers worried that commanders will monitor their every move.”

    Reply
  3. Tomi Engdahl says:

    Company Tries to Fine Customer $3,500 for Leaving Negative Review Online
    http://mashable.com/2013/11/19/kleargear-negative-review-fine/

    We all know we’re supposed to read the Terms and Conditions before we agree to anything, but few people ever do so. Unfortunately, that means companies can slip whatever they want in there.

    Case in point: the website Kleargear.com has a clause in their terms of sale that allows them to harass customers who “negatively impact” their business.

    Currently, the website is using this obscure non-disparagement clause to target a customer who left a bad review on a separate site, ripoffreport.com.

    Three years after the review was published, Kleargear sent Palmer a notice demanding that the post be deleted or she would be fined $3,500.

    Ripoffreport.com, however, refused to delete the post unless they were given $2,000. When the Palmers were unable to pay either site, Kleargear dinged the Palmers’ credit

    Reply
  4. Tomi Engdahl says:

    The New Threat: Targeted Internet Traffic Misdirection
    http://www.renesys.com/2013/11/mitm-internet-hijacking/

    Traffic interception has certainly been a hot topic in 2013. The world has been focused on interception carried out the old fashioned way, by getting into the right buildings and listening to the right cables. But there’s actually been a significant uptick this year in a completely different kind of attack, one that can be carried out by anybody, at a distance, using Internet route hijacking.

    After consultations with many of the affected parties, we’re coming forth with some details in the hope that we can make this particular vulnerability obsolete.

    For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-Youtube style route hijack.

    This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.

    Simple BGP alarming is not sufficient to distinguish MITM from a generic route hijacking or fat-finger routing mistake; you have to follow up with active path measurements while the attack is underway in order to verify that traffic is being simultaneously diverted and then redelivered to the victim. We’ve done that here.

    What makes a Man-in-the-Middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient. The attackers keep at least one outbound path clean. After they receive and inspect the victim’s traffic, they release it right back onto the Internet, and the clean path delivers it to its intended destination. If the hijacker is in a plausible geographic location between the victim and its counterparties, they should not even notice the increase in latency that results from the interception. It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fiberoptic taps?

    Reply
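
Added example, not part of the comment above or of the Renesys article: a sketch of the follow-up path measurement the article calls for, classifying a traceroute taken during a BGP alarm as diverted-and-redelivered (consistent with MITM) or diverted-and-dropped (a plain hijack). The traceroute text, addresses and AS numbers are constructed from documentation ranges, the `[AS…]` annotation format is an assumption about how the measurement tool labels hops, and all function names are hypothetical.

```python
import re

# One hop per line: hop number, address (or "*"), optional "[AS<n>]" label.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\[AS(\d+)\])?")

def parse_traceroute(text):
    """Return [(address or None, asn or None), ...], one entry per hop."""
    hops = []
    for line in text.strip().splitlines():
        m = HOP_RE.match(line)
        if m is None:
            continue  # header line or anything that is not a hop
        addr = None if m.group(2) == "*" else m.group(2)
        asn = int(m.group(3)) if m.group(3) else None
        hops.append((addr, asn))
    return hops

def as_path(hops):
    """Collapse hops into an AS-level path, skipping silent hops."""
    path = []
    for _addr, asn in hops:
        if asn is not None and (not path or path[-1] != asn):
            path.append(asn)
    return path

def classify(baseline_text, observed_text, dest_addr):
    """Compare a measurement against the known-good path to dest_addr."""
    baseline = as_path(parse_traceroute(baseline_text))
    hops = parse_traceroute(observed_text)
    observed = as_path(hops)
    # Delivered means the final responding hop is the destination itself.
    delivered = bool(hops) and hops[-1][0] == dest_addr
    # Any AS that never appears on the baseline path is a detour.
    detour = [asn for asn in observed if asn not in baseline]
    if detour and delivered:
        verdict = "diverted-and-redelivered"  # consistent with MITM
    elif detour:
        verdict = "diverted-not-delivered"    # plain hijack or route leak
    elif delivered:
        verdict = "normal"
    else:
        verdict = "unreachable"
    return {"verdict": verdict, "detour_asns": detour, "as_path": observed}

# --- constructed sample measurements (documentation addresses and ASNs) ---
DEST = "203.0.113.10"

BASELINE = """
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max
 1  192.0.2.1 [AS64500]  0.6 ms
 2  192.0.2.9 [AS64500]  1.1 ms
 3  198.51.100.1 [AS64501]  8.4 ms
 4  203.0.113.1 [AS64510]  9.0 ms
 5  203.0.113.10 [AS64510]  9.3 ms
"""

# Traffic leaves the usual path, crosses two unexpected networks, then is
# handed back to the normal upstream and still reaches the destination.
OBSERVED_MITM = """
 1  192.0.2.1 [AS64500]  0.6 ms
 2  192.0.2.9 [AS64500]  1.2 ms
 3  198.51.100.77 [AS64505]  41.0 ms
 4  * * *
 5  198.51.100.130 [AS64506]  88.5 ms
 6  198.51.100.1 [AS64501]  131.9 ms
 7  203.0.113.1 [AS64510]  132.4 ms
 8  203.0.113.10 [AS64510]  132.8 ms
"""

# Traffic is pulled into an unexpected network and never comes out.
OBSERVED_HIJACK = """
 1  192.0.2.1 [AS64500]  0.6 ms
 2  192.0.2.9 [AS64500]  1.2 ms
 3  198.51.100.77 [AS64505]  41.0 ms
 4  * * *
 5  * * *
"""

if __name__ == "__main__":
    for name, sample in [("mitm", OBSERVED_MITM), ("hijack", OBSERVED_HIJACK)]:
        print(name, classify(BASELINE, sample, DEST))
```

A legitimate change of transit provider also produces a detour verdict, so the result is only meaningful when it coincides with a BGP alarm for the same prefix.
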
  5. Tomi Engdahl says:

    Sobriety Checkpoints Paved Path to NSA Email Spying
    http://www.wired.com/threatlevel/2013/11/nsa-web-metadata/

    Sobriety checkpoints and mandatory drug testing of student athletes and railroad workers are among the legal precedents justifying the U.S. government’s now-defunct and court-approved secret email metadata dragnet surveillance program, according to documents the authorities released late Monday.

    The thousands of pages of records the President Barack Obama administration unveiled include the nation’s first opinion from a secret tribunal authorizing the government to obtain data from the “to,” “from,” “cc,” and “bcc” fields of all emails “to thwart terrorist attacks.”

    The President George W. Bush administration first implemented the program shortly after the 2001 terror attacks. But it wasn’t until 2004 that the administration sought authorization from the secret court after being faced with threats of resignation from senior officials.

    “These documents show that the government asked the FISC for permission to collect information far beyond what was authorized by the statute and the court acquiesced,” said Elizabeth Goitein, co-director at the Brennan Center.

    She sided with the NSA’s plea for bulk collection. “NSA asserts that more precisely targeted forms of collection against known accounts would tend to screen out the ‘unknowns’ that NSA wants to discover, so that NSA needs bulk collection in order to identify unknown (REDACTED) communications.”

    Reply
  6. Tomi Engdahl says:

    1.2% of apps on Google Play are repackaged to deliver ads, collect info
    http://www.net-security.org/secworld.php?id=15976

    Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google’s official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google’s reputation in general.

    Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature.

    “By design, Android applications can be disassembled, modified and reassembled to provide new functionalities. This way an attacker can easily rip an APK off the Play Store, turn it into program code, modify it and distribute it as its own,” explains Loredana Botezatu, communication specialist at Bitdefender. “Out of the 420,646 applications analyzed, more than 5077 APKs have been copies of other apps in Google Play.”

    “Instead of spending thousands or hundreds of thousands of dollars developing, testing and marketing a great application to monetize, plagiarists take the road that is less time-costly and less resource intensive by simply hijacking a successful application at the original developer’s expenses,” Botezatu points out.

    Obviously, the most targeted are those that are most popular, such as Facebook’s and Twitter’s, but also game apps.

    Reply
  7. Tomi Engdahl says:

    Your LG smart TV SPIES on you when you change channels – researcher
    Phones home with the names of videos you watch, too
    http://www.theregister.co.uk/2013/11/20/lg_smart_tv_data_collection/

    LG smart TVs silently log owners’ viewing habits to the South Korean company’s servers and use them to serve targeted ads, one researcher has claimed.

    According to Yorkshire, UK–based hacker “DoctorBeet,” the internet-enabled sets try to phone home to LG every time a viewer changes the channel, giving the chaebol the ability to track exactly which channels are being watched, minute by minute.

    Using network packet-sniffing tools, DoctorBeet discovered that his set was also transmitting the names of media files he played off USB storage, which he observes could potentially be embarrassing for those in the habit of watching less savory downloaded fare.

    Reply
  8. Tomi Engdahl says:

    Internet daddy Vint Cerf: ‘Privacy may be an ANOMALY’
    ‘Our social behaviour [online] is quite damaging’
    http://www.theregister.co.uk/2013/11/20/vint_cerf_privacy_may_be_an_anomaly_online/

    Vint Cerf has said that expectations of privacy in the digital age may be impossible to achieve because of the level of oversharing that takes place on social media sites.

    “it will be increasingly difficult for us to achieve privacy”, according to a series of tweets from Adweek reporter Katy Bachman.

    Cerf – who is Google’s chief internet preacher – added: “Privacy may be an anomaly.”

    “Our social behavior is quite damaging to privacy. Technology has outraced our social intellect,” Cerf said

    Reply
  9. Tomi Engdahl says:

    Google extends its proactive Patch Reward Program to include Android Open Source Project, Web servers, and more
    http://thenextweb.com/google/2013/11/19/google-extends-proactive-patch-reward-program-include-android-open-source-project-web-servers/

    Google today extended its proactive Patch Reward Program to include even more open-source software (OSS). Among them is the Android Open Source Project, which the company previously did not reveal was going to be added.

    Last month, Google started providing financial incentives (between $500 and $3,133.70) for proactive improvements to OSS that go beyond merely fixing a known security bug. Google said at the time it would be rolling out the program gradually, and hinted that more project types would be on the way.

    Interestingly, Google at launch said it would eventually add support for widely used Web servers, popular SMTP services, toolchain security improvements, and virtual private networking. Android, network time, and additional core libraries were not mentioned explicitly last month, but were added today nevertheless, suggesting that the program is off to a solid start.

    Reply
  10. Tomi Engdahl says:

    Gaming Company Fined $1M for Turning Customers Into Secret Bitcoin Army
    http://www.wired.com/wiredenterprise/2013/11/e-sports/

    A gaming software company has been slapped with a $1 million fine after secretly adding bitcoin mining software to a product update earlier this year.

    E-Sports Entertainment Association (ESEA) — which lets serious CounterStrike players face each other down in anti-cheat modes — infected about 14,000 of its customers with the code, which ended up mining about 30 bitcoins over two weeks last spring.

    The company blamed a rogue employee, who has since been terminated. It’s still facing a class action over the matter in California. “What transpired the past two weeks is a case of an employee acting on his own and without authorization to access our community through our company’s resources,” ESEA co-founder Craig Levine told WIRED back in May.

    The settlement was announced today by the New Jersey Attorney General, which says that ESEA will pay $325,000 of the fine upfront, and will only be hit with the rest of the penalty if it’s caught misbehaving over the next decade.

    Reply
  11. Tomi Engdahl says:

    This startup’s tech verifies your identity by scanning your eye with your smartphone
    http://venturebeat.com/2013/11/19/this-startups-tech-verifies-your-identity-with-an-eye-scan-on-your-smartphone/

    Eye scanner identification systems are the stuff of spy movies, but EyeVerify is bringing them to the mainstream.

    EyeVerify’s biometric software verifies your identity on your phone with your “eyeprint.” Using a smartphone camera, the technology captures images of your eye and creates a template with information about blood vessels, vein patterns, and other physical things.

    EyeVerify developed an SDK that software developers integrate into their applications to enable eyeprint verification. Rather than using a password to log in to an app, you could “sign in” with EyeVerify.

    CEO Toby Rush said the goal is to “take passwords down for the count.”

    Humans have unique and stable patterns of blood vessels that are evident in the whites of their eyes. One eye has two eyeprints, one on each side of the iris, and basic smartphone cameras can capture these.

    The concept of identifying people based on these veins was developed by Dr. Reza Derakshani in 2006 and patented in 2008

    The more complicated and varied your passwords are, the more secure they are. However, most people don’t want to keep track of a large number of passwords. The average person has to remember 15 passwords, and 61 percent of people reuse passwords from site to site, which is known as “password negligence.”

    As a result, sensitive information about bank accounts, health records, and enterprise data is not as protected as it could be. Too many passwords and not enough memory contributes to 39 percent of all malicious hacking attacks, which can cost large enterprises $5.5 million each.

    Reply
  12. Tomi Engdahl says:

    The problem with passwords (infographic)
    http://venturebeat.com/2013/05/01/the-problem-with-passwords-infographic/

    More than half of us say we can’t remember all our passwords. Which makes sense, given that almost a third of all companies require their employees to remember six or more of them.

    Cloud identity management company Ping Identity says that between those six or more corporate passwords and all the personal passwords we maintain, the average person has to remember 15 passwords. That’s probably a recipe for disaster, given the total information onslaught we face every day, which is why the majority of us — 61 percent — reuse passwords from site to site.

    That’s what security companies call “password negligence,” and the results are costly.

    Too many passwords and not enough memory contributes to 39 percent of all malicious hacking attacks, which can cost large enterprises $5.5 million each.

    Reply
  13. Tomi Engdahl says:

    Which Companies Are Encrypting Your Data Properly?
    https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what
    http://gizmodo.com/which-companies-are-encrypting-your-data-properly-1468088449

    We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption.

    By adopting these practices, described below, these service providers have taken a critical step towards protecting their users from warrantless seizure of their information off of fiber-optic cables.

    By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process.

    Why Crypto Is So Important

    The National Security Agency’s MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies’ legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp FISA court. The program is not right, and it’s not just.

    With that in mind, EFF has asked service providers to implement strong encryption. We would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.

    For starters, we have asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default.

    We have also asked them to flag all authentication cookies as secure. This means cookie communications are limited to encrypted transmission

    asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks

    All of these technologies are now industry-standard best practices. While they encrypt the communications from the end user to the server and back, the MUSCULAR revelations have shown this is not enough. Accordingly, we have asked service providers to encrypt communications between company cloud servers and data centers. Anytime a users’ data transits a network, it should be strongly encrypted, in case an attacker has access to the physical data links or has compromised the network equipment.

    In addition, we have asked for email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard.
    If both email servers understand STARTTLS, then the communications will be encrypted in transit.

    Reply
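
Added example, not part of the comment above or of the EFF report: a checker for the externally observable practices the report lists (HTTPS by default, the Secure flag on authentication cookies, HSTS, STARTTLS), run over captured server replies. Encryption of links between data centers cannot be observed from outside and is not covered. The captured replies, host names and cookie names are constructed, and the function names are hypothetical.

```python
import re

def parse_response(raw):
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_flags(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security; None if the header is absent."""
    for name, value in headers:
        if name == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.lower() == "max-age":
                    val = val.strip('"')
                    return int(val) if val.isdigit() else 0
            return 0  # header present but unusable without max-age
    return None

def ehlo_extensions(ehlo_reply):
    """Extension keywords from an SMTP EHLO reply (first line is the greeting)."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts

def audit(plain_http_raw, https_raw, ehlo_reply, auth_cookies):
    """Check captured replies against the four observable practices."""
    status, headers = parse_response(plain_http_raw)
    location = dict(headers).get("location", "")
    https_default = (status in (301, 302, 307, 308)
                     and location.lower().startswith("https://"))
    _, secure_headers = parse_response(https_raw)
    missing = []
    for name, value in secure_headers:
        if name == "set-cookie":
            cname, attrs = cookie_flags(value)
            if cname in auth_cookies and "secure" not in attrs:
                missing.append(cname)
    max_age = hsts_max_age(secure_headers)
    return {
        "https_by_default": https_default,
        "auth_cookies_missing_secure": missing,
        "hsts": max_age is not None and max_age > 0,
        "starttls": "STARTTLS" in ehlo_extensions(ehlo_reply),
    }

def _raw(*lines):
    return "\r\n".join(lines) + "\r\n\r\n"

# --- constructed captures: a weak deployment and a corrected one ---
WEAK_HTTP = _raw("HTTP/1.1 200 OK", "Content-Type: text/html")
WEAK_HTTPS = _raw("HTTP/1.1 200 OK",
                  "Set-Cookie: session=abc123; Path=/; HttpOnly",
                  "Set-Cookie: prefs=dark; Path=/")
WEAK_EHLO = "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME"

GOOD_HTTP = _raw("HTTP/1.1 301 Moved Permanently",
                 "Location: https://www.example.com/")
GOOD_HTTPS = _raw("HTTP/1.1 200 OK",
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains",
                  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly",
                  "Set-Cookie: prefs=dark; Path=/")
GOOD_EHLO = "250-mx.example.net\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"

if __name__ == "__main__":
    print(audit(WEAK_HTTP, WEAK_HTTPS, WEAK_EHLO, {"session"}))
    print(audit(GOOD_HTTP, GOOD_HTTPS, GOOD_EHLO, {"session"}))
```
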
  14. Tomi Engdahl says:

    Free Poster – Malicious Mobile Apps – A Growing Threat
    http://subscriber.emediausa.com/Bulletins/BulletinPreview.aspx?BF=1&BRID=58316

    With the exploding use of mobile devices and BYOD, mobile apps represent a major new threat.

    Below are some key highlights:

    73% of IT pros expect mobile threats to their networks will increase in the next 12 months
    Mobile threats account for 59% of all malware
    12% of all Android Apps are now malicious

    Reply
  15. Tomi Engdahl says:

    SCADA flaws put world leaders at risk of TERRIBLE TRAFFIC JAM
    Host city for 2014’s G20 meeting pen tests its traffic lights and finds flaws galore
    http://www.theregister.co.uk/2013/11/21/scada_flaws_put_world_leaders_at_risk_of_terrible_traffic_jam/

    In November 2014, leaders of the G20 group of nations will convene in Brisbane, Australia, for a few days of plotting to form a one-world government high-level talks aimed at ensuring global stability and amity.

    Queensland, the Australian state in which Brisbane is located, is leaving no preparatory stone unturned as it readies itself for the summit. For example: new laws mean it will be illegal to carry a reptile, fly a kite or use a laser pointer close to the venues used for the meeting.

    The State has also conducted a review of its traffic management systems, mostly to figure out how to improve traffic flow but also with half an eye on the G20 summit and the likely online attacks and protests it will attract.

    That review’s report (PDF) tried penetration tests on Queensland’s two operators of intelligent transport systems (ITS) and succeeded with both. “The entities audited did not actively monitor and manage information technology security risks and did not have comprehensive staff security awareness programs,” the report notes. Managers assumed the SCADA kit in use was secure, staff weren’t aware of social engineering or other attacks and it was possible to extract information from both traffic system operators with USB keys.

    “If the systems were specifically targeted, hackers could access the system and potentially cause traffic congestion, public inconvenience and affect emergency response times. Such attacks could also cause appreciable economic consequences in terms of lost productivity.”

    Reply
  16. Tomi Engdahl says:

    Google’s Schmidt predicts end to global censorship in a DECADE
    China, North Korea, Syria … are you listening?
    http://www.theregister.co.uk/2013/11/21/google_end_censorship_schmidt/

    Google executive chairman Eric Schmidt has been shooting his mouth off again – this time predicting the end of global internet censorship within a decade.

    “First they try to block you; second, they try to infiltrate you; and third, you win. I really think that’s how it works. Because the power is shifted,” he said, according to Reuters.

    “I believe there’s a real chance that we can eliminate censorship and the possibility of censorship in a decade.”

    Reply
  17. Tomi Engdahl says:

    Cryptolocker infects cop PC: Massachusetts plod fork out Bitcoin ransom
    Police learn about crypto-currency and AES256 crypto the hard way
    http://www.theregister.co.uk/2013/11/21/police_pay_cryptolocker_crooks_to_get_their_computers_back/

    Massachusetts cops have admitted paying a ransom to get their data back on an official police computer infected with the devilish Cryptolocker ransomware.

    Cryptolocker is a rather unpleasant strain of malware, first spotted in August, that encrypts documents on the infiltrated Windows PC and will throw away the decryption key unless a ransom is paid before a time limit. The sophisticated software, which uses virtually unbreakable 256-bit AES and 2048-bit RSA encryption, even offers a payment plan for victims who have trouble forking out the two Bitcoins (right now $1,200) required to recover the obfuscated data.

    “The virus is not here anymore,” Ryan said. “We’ve upgraded our antivirus software. We’re going to try to tighten the belt, and have experts come in, but as all computer experts say, there is no foolproof way to lock your system down.”

    Reply
  18. Tomi Engdahl says:

    Microsoft Now Sells T-Shirts That Claim Google’s Chrome Steals Your Data
    http://techcrunch.com/2013/11/20/microsoft-now-sells-t-shirts-that-claim-googles-chrome-steals-your-data/

    Microsoft has started to sell t-shirts, hats, mugs, and sweatshirts that bear slogans from its Scroogled campaign that needles Google as bad on privacy.

    Scroogled, as you certainly know, is a campaign by Microsoft to paint Google in a negative light when it comes to things like Gmail’s automatic scanning of incoming email to target advertisements.

    Microsoft also scans incoming email, but only to weed out malware and the like. This has always felt like a small distinction to me.

    Microsoft and Google have had a rough year, fighting over email, YouTube, and more. Given their huge competitive surface area — from selling music, to search, to mobile operating systems, and so forth — that’s not surprising. Still, Microsoft appears more willing to sling mud.

    Reply
  19. Tomi Engdahl says:

    US and UK struck secret deal to allow NSA to ‘unmask’ Britons’ personal data
    http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data

    • 2007 deal allows NSA to store previously restricted material
    • UK citizens not suspected of wrongdoing caught up in dragnet
    • Separate draft memo proposes US spying on ‘Five-Eyes’ allies

    Reply
  20. Tomi Engdahl says:

    Private firms selling mass surveillance systems around world, documents show
    One Dubai-based firm offers DIY system similar to GCHQ’s Tempora programme, which taps fibre-optic cables
    http://www.theguardian.com/world/2013/nov/18/private-firms-mass-surveillance-technologies

    Private firms are selling spying tools and mass surveillance technologies to developing countries with promises that “off the shelf” equipment will allow them to snoop on millions of emails, text messages and phone calls, according to a cache of documents published on Monday.

    The papers show how firms, including dozens from Britain, tout the capabilities at private trade fairs aimed at offering nations in Africa, Asia and the Middle East the kind of powerful capabilities that are usually associated with government agencies such as GCHQ and its US counterpart, the National Security Agency.

    The market has raised concerns among human rights groups and ministers, who are poised to announce new rules about the sale of such equipment from Britain.

    “The government agrees that further regulation is necessary,” a spokesman for the Department for Business, Innovation and Skills said. “These products have legitimate uses … but we recognise that they may also be used to conduct espionage.”

  21. Tomi Engdahl says:

    Cupid Media Hack Exposed 42M Passwords
    http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/

    An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity.

    The data stolen from Southport, Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.

    The purloined database contains more than 42 million entries

    “The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” Bolton said.

    “Adobe said they have 38 million users and they lost information on 150 million,” Holden said. “It comes down to the definition of users versus individuals who entrusted their data to a service.”

    The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address. Indeed, Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.

    It seems that many Cupid users did not place much value in their accounts when picking passwords, because a huge percentage of them chose downright awful passwords. By my count, more than 10 percent of Cupid’s users chose one of these 10 passwords

  22. Tomi Engdahl says:

    Bob Woodward: Edward Snowden Should Have Come To Me Instead
    http://www.huffingtonpost.com/2013/11/20/bob-woodward-edward-snowden-guardian_n_4311354.html

    Edward Snowden may have helped blow the lid on the NSA’s secret surveillance programs, but Bob Woodward has one complaint: that Snowden should have come to him with the leaks.

    “I wish [Snowden] had come to me instead of others, particularly The Guardian,” Woodward told King in an interview that airs Thursday on Hulu. “I would have said to him ‘let’s not reveal who you are. Let’s make you a protected source and give me time with this data and let’s sort it out and present it in a coherent way.’”

    “I think that people are confused about whether it’s illegal, whether it’s bad, whether it’s bad policy,”

  23. Tomi Engdahl says:

    Meet Stuxnet’s stealthier older sister: Super-bug turned Iran’s nuke plants into pressure cookers
    New report claims to blow lid off Mark I cyber-weapon build
    http://www.theregister.co.uk/2013/11/21/stuxnet_fearsome_predecessor/

    Super-malware Stuxnet had an older sibling that was also designed to wreck Iran’s nuclear facilities albeit in a different way, according to new research.

    The elder strain of the worm, dubbed Stuxnet Mark I, dates from 2007 – three years before Stuxnet Mark II was discovered and well documented in 2010.

    Writing in Foreign Policy magazine yesterday, top computer security researcher Ralph Langner claimed that the Mark I version of the weapons-grade malware would infect the computers controlling Iran’s sensitive scientific equipment, and carefully ramp up the pressure within high-speed rotating centrifuges

    Crucially, the malware did this by overriding gas valves attached to the equipment while hiding sensor readings of the abnormal activity from the plant’s engineers and scientists. The end goal was to sabotage the cascade protection system that kept thousands of 1970s-era centrifuges operational.

    The 2010 version, by contrast, targeted the centrifuge drive systems: it quietly sped up and slowed down rotors connected to centrifuges until they reached breaking point, triggering an increased rate of failures as a result.

    But prior to that, Stuxnet Mark I sabotaged the protection system the Iranians hacked together to keep their obsolete and unreliable IR-1 centrifuges safe, as Langner explained in detail in his 4,200-word article.

    Samples of the Mark I malware were submitted to online malware clearing house VirusTotal in 2007, but it was only recognised as such five years later in 2012.

    The Mark I had to be installed on a computer connected to the industrial control system to carry out its sabotage, or otherwise infect a machine from a USB drive; it was probably installed by a human, either wittingly or unwittingly.

    He reckoned the 2010 build of Stuxnet set back the Iranian nuclear programme by two years: it subtly reduced the centrifuges’ ability to reliably enrich uranium at volume, forcing the scientists to tear their hair out in frustration and chase a ghost in the machine. This was a far longer delay than if the software nasty triggered the sudden catastrophic destruction of all operating centrifuges, because Iran would have been able to diagnose the problem and rebuild its processing plant using spares.

    The effectiveness of the whole scheme is a matter of some dispute among foreign policy and security analysts, with some even arguing it ultimately galvanised Iran’s nuclear efforts.

  24. Tomi Engdahl says:

    LG investigates Smart TV ‘unauthorised spying’ claim
    http://www.bbc.co.uk/news/technology-25018225

    LG is investigating allegations that some of its TVs send details about their owners’ viewing habits back to the manufacturer even if the users have activated a privacy setting.

    It follows a blog by a UK-based IT consultant who detailed how his Smart TV was sending data about which channels were being watched.

    His investigation also indicated that the TVs uploaded information about the contents of devices attached to the TV.

    It could mean LG has broken the law.

    The Information Commissioner’s Office told the BBC it was looking into the issue.

    “We have recently been made aware of a possible data breach which may involve LG Smart TVs,” said a spokesman.

    “We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

    When the consultant – Hull-based Jason Huntley – contacted the South Korean company he was told that by using the TV he had accepted LG’s terms and conditions, and that any remaining concerns should be directed to the retailer who had sold him the screen.

    But when the BBC contacted LG, it indicated it was looking into the complaint.

    Mr Huntley said he had first come across the issue in October when he had begun researching how his Smart TV had been able to show his family tailored adverts on its user interface.

    Digging into the TV’s menu system, he had noticed that an option called “collection of watching info” had been switched on by default, he said.

    “That’s a terrible implementation of the idea,” Mr Huntley told the BBC.

    “It still sends the traffic but labels it saying I didn’t want it to be sent.

    “It’s actually worse, I think, than if they’d not offered the opt-out in the first place since it allows the user to believe nothing is being sent.”

  25. Tomi Engdahl says:

    SSD drives are difficult to wipe

    When a computer and its hard drive are taken out of service, especially in business environments, it is very important to ensure that valuable information does not end up in the wrong hands. The spread of SSD drives increases the difficulty.

    Finnish data destruction specialist Blancco says in a statement that it has made a breakthrough in the secure erasure of solid-state disks.

    According to the company, the problem stems from the complexity of flash memory-based technology. Erasing the disks is made difficult by security locks, which Blancco says it is now the first in the world to know how to open automatically. It has applied for a patent on the insight.

    “Secure data destruction on SSD disks requires removing the disk’s so-called freeze lock. After the lock is removed, the data erasure software can access the SSD disk’s firmware-level erase commands,” the data sheet describes.

    Source: http://www.tietokone.fi/artikkeli/uutiset/ssd_levyjen_tyhjennys_vaikeaa

  26. Tomi Engdahl says:

    CryptoLocker: Better Back Up Your Stuff
    http://www.f-secure.com/weblog/archives/00002640.html

    If you haven’t heard much about “CryptoLocker” yet… you will.

    Unlike much of the ransomware we’ve written about in the past, CryptoLocker doesn’t attempt to use police themed trickery or other sleight of hand. It’s strictly business. It infects via e-mail attachments (zip files containing supposed PDF files) and then sets about encrypting all of your personal data files — photos, music, documents, et cetera.

    And then… you have three days to pay the ransom. Or else.

    CryptoLocker is trending in the US

    That’s right, CryptoLocker accepts everybody’s favorite cryptocurrency as payment. And that’s why this could be a tipping point. One of the biggest factors keeping ransomware at bay is the difficulty it takes to get paid. Thanks to Bitcoin and other similar digital currencies… that barrier is eroding fast.

    Ransomware economics: the more frictionless Bitcoin becomes — the more prevalent CryptoLocker will become.

    Backup your stuff.

  27. Tomi Engdahl says:

    How UK banks contain threats from cybercriminals
    http://www.bbc.co.uk/news/technology-24568134

    The UK’s banks are regularly being caught out by cybercriminals, BBC research suggests.

    Data from three sources indicates that spam, viruses and other malicious messages regularly emerge from machines sitting on banks’ corporate networks.

    It is likely that the computers were compromised when bank staff and contractors were caught out by booby-trapped email attachments.

    They may also have visited sites seeded with code that infected their PCs.

    Some of those infected machines are also likely to have been enrolled in a botnet – a large network of hijacked computers that are used by cybercriminals to distribute spam and viruses, attack other websites or as a source of saleable personal data.

    But, say experts, banks are doing a better job than most at protecting their machines from malware.

    The BBC found that in 2013 there were more than 20 incidents involving UK bank networks indicative of malicious activity. Similar, though lower, numbers were seen in 2012 and 2011.

    In addition, sources inside UK banks told the BBC that they deal with up to a dozen incidents a month of employees’ machines getting infected with malware.

    James Lyne, global head of security research at security firm Sophos, said evidence of a botnet on a bank network would be “exceptionally concerning”.

    “It would give attackers a foothold that they can exploit,” he said.

    “There should be no spam coming out of these networks,”

    “If they are vulnerable to that you have to wonder what else they are vulnerable to,” said Prof van Eeten.

    “The criminal use of cyber-techniques is an integral part of financial crime offending,” he said.

    “The challenge in this area is that as banks develop their controls in line with new criminal methodologies, new techniques will emerge,” he said.

    Statistics gathered by security firm OpenDNS suggest that up to 900 botnets are active in late 2013. These crime networks typically involve many tens of thousands of machines. The biggest count millions of PCs as victims.

    Botnets have become the standard tool of the cybercrime underground, said Mr Lyne from Sophos.

    Mr Lyne added that it was not surprising that banks were regularly having to find and flush out infected machines as they typically ran systems serving tens of thousands of users and a similar number of computers. Defending all those people and PCs against the 250,000 novel malware variants produced every day was a herculean task, he said.

    “Complexity is the enemy of security,” he said.

    “Retail ISPs have infection rates that are several orders of magnitude higher,” he said. “This is peanuts compared to that.”

  28. Tomi Engdahl says:

    In Finland, corporate espionage has been commonplace

    Finland needed this kind of wake-up, says Jarno Limnéll, cyber security director at security firm Stonesoft, of the network espionage detected at the Ministry of Foreign Affairs.

    “These things often come up in pulses, and then there is a danger that media and public opinion pressure leads to overreaction.”

    In his opinion, the UM case was a very friendly reminder – not just critical, but serious enough.

    Limnéll sees three lessons in what happened.

    “We’re not immune to cyber threats, even though we are a small and pretty harmless country. For example, corporate espionage has been an everyday matter for us for a long time.”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/suomessa+yritysvakoilu+on+ollut+arkipaivaa/a947975

  29. Tomi Engdahl says:

    LG promises to stop your Smart TV spying on you
    http://www.engadget.com/2013/11/21/lg-admits-smart-tv-data-collection/

    In light of accusations that its Smart TVs were sending private data to its servers, LG has admitted that some of its sets are behaving in ways they shouldn’t be.

    In a statement, the Korean manufacturer conceded that it has been collecting channel, TV platform and broadcast source data from some units, even when the feature was switched off.

    In response to claims it was also beaming over names of files located on connected USB keys, LG admits that it actually forms part of an upcoming service that searches the internet for detailed information on a particular film or TV show.

    Understandably, both features might leave a nasty taste in your mouth, especially if you own one of the affected Smart TVs.

    working on a new firmware update that will ensure its data-collection settings adhere to user preferences

  30. Tomi Engdahl says:

    LG: You caught us! Our smart TVs really DO spy on you
    ‘Don’t worry, we’ll switch that off for you real soon’
    http://www.theregister.co.uk/2013/11/22/lg_tv_spying_statement/

    South Korean electronics giant LG has confirmed that some of its smart TVs have been logging their owners’ viewing habits without their permission and has promised a patch.

    Hull, UK–based developer Jason Huntley, aka “DoctorBeet,” was first to notice the spying behavior when he analyzed network traffic coming from his LG TV and found that it transmitted the names of TV channels and media files he was watching, even when a data-collection feature was supposedly disabled.

    On Thursday, a second blogger tried to replicate Huntley’s results and found that his own set was also transmitting the names of media files hosted on his local network.

    It’s a good thing no one’s intercepting everyone’s internet traffic, right?

    “Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information,”

    LG says it is working on a firmware update for the affected TVs that will stop the transmission of viewing information when that feature is disabled and also remove the network-scanning feature. No date for the patch was given, but LG says it is being prepared “for immediate rollout.”

  31. Tomi Engdahl says:

    NSA’s Project Marina stores EVERYONE’S metadata for A YEAR
    Latest Snowden leak shows government economical with the truth
    http://www.theregister.co.uk/2013/09/30/nsas_project_marina_stores_everyones_metadata_for_up_to_a_year/

    New details from NSA whistleblower Edward Snowden have shown the existence of Project Marina, a metadata collection system that collects details on the activity of almost all internet users, regardless of whether they are legitimate subjects for enquiry or not.

    The US government has always insisted that – as far as possible – data is only collected on either non-US citizens or people deemed worthy of investigation. But according to a training manual obtained by Snowden, all the internet metadata slurped by the NSA’s surveillance apparatus is fed into Marina and stored for a year so that analysts can pore over it.

    “The Marina metadata application tracks a user’s browser experience, gathers contact information/content and develops summaries of target,” the analysts’ guide leaked to The Guardian explains – a statement that sounds remarkably like Facebook’s business plan.

    Marina gets its metadata from such sources as the PRISM scheme the agency runs with commercial partners, data it buys from other companies, feeds from its taps on international data pipelines, and other sources. Oddly, the phone metadata the NSA collects is not included in Marina, possibly for compliance purposes.

  32. Tomi Engdahl says:

    UN surveillance resolution goes ahead despite attempts to dilute language
    Failed attempt by US, UK and Australia shows increased isolation of ‘Five-Eyes’ nations amid international controversy
    http://www.theguardian.com/world/2013/nov/21/un-surveillance-resolution-us-uk-dilute-language?CMP=twt_gu

    The US, UK and their close intelligence partners have largely failed in their efforts to water down a United Nations draft resolution expressing deep concern about “unlawful or arbitrary” surveillance and calling for protection for the privacy of citizens worldwide.

    The attempt to soften the language in the draft resolution was almost exclusively confined to the US, Britain and Australia, members of the ‘Five-Eyes’ intelligence-sharing partnership at the heart of the international controversy over mass surveillance and revelations about spying on allies.

    The draft resolution shows the extent to which the three countries have been left isolated on the issue.

    Diplomats involved in the negotiations have told the Guardian that the US was reluctant to be seen as leading the opposition publicly and instead orchestrated from the sidelines, leaving Australia in the forefront.

  33. Tomi Engdahl says:

    Spies, journalists and inconvenient truths
    http://www.theage.com.au/comment/spies-journalists-and-inconvenient-truths-20131121-2xyh3.html?rand=1703039

    As surveillance of almost everything we do electronically grows, phone-tapping has sparked a critical debate about what the media should and should not publish.

  34. Tomi Engdahl says:

    It’s Insecurity, Not Narcissism, That Makes Us Like ‘What Would I Say’
    http://www.wired.com/underwire/2013/11/what-would-i-say-generator/

    If you’ve logged into your Facebook or Twitter accounts in the past two weeks, you have probably seen at least one – or more likely, six or seven – posts from an app called What Would I Say?. Simply put, it’s a little mechanism that, when you give it permission, processes every status, photo caption, and comment you’ve ever posted to your own Facebook timeline and spits out a randomly generated status that resembles something “you would say.”

    Of course, What Would I Say? is certainly not the first (nor is it the last, probably) of its kind: From That Can Be My Next Tweet to @Tofu_product, there are a variety of text generators ready to plumb the digital depths of our online presences and create bizarre, uncanny valley reflections.

    “It’s an uncanny valley situation, where [the app] reflects the self, but not too well, and not too poorly,” he says. “It’s enough of you that you recognize yourself, but it’s a distorted-enough reflection where it’s not creepy.”

  35. Tomi Engdahl says:

    Bug bounty upstart thinks there’s BIG MONEY in crowdtesting
    They might be onto something by outsourcing it, though
    http://www.theregister.co.uk/2013/11/22/crowdsource_bug_bounty_scheme/

    Security startup CrowdCurity is marketing a cloud-based platform that allows businesses to set up and run their own bug bounty and security testing programmes.

    Bug bounty programmes have become fairly commonplace across the IT industry over recent years. The schemes reward researchers for reporting flaws to vendors, rather than hawking them through exploit brokers or vulnerability marketplaces.

    Google’s bug bounties are probably the best known in the industry but many other vendors including Facebook and (most recently) Microsoft have launched comparable programmes.

    Jakob Storm, co-founder of CrowdCurity, told El Reg that despite these many schemes there was still an extensive market left unaddressed. He added that firms already running bug bounty programmes could benefit from outsourcing the day-to-day administration of the programme to CrowdCurity.

  36. Tomi Engdahl says:

    Tim Berners-Lee warns against government surveillance
    Web pioneer puts a flea in the ear
    http://www.theinquirer.net/inquirer/news/2308652/tim-berners-lee-warns-against-government-surveillance

    THE INVENTOR of the world wide web, Sir Tim Berners-Lee has spoken out against government surveillance and censorship.

    Berners-Lee made his comments as the World Wide Web Foundation (WWWF) released its latest state of the web report. The report is mostly about the good that has been done, but Berners-Lee took the opportunity to warn the world about the looming dangers of government surveillance and censorship.

    According to a report in the Guardian newspaper, Berners-Lee warned about “a growing tide of surveillance and censorship”.

    “One of the most encouraging findings of this year’s web Index is how the web and social media are increasingly spurring people to organise, take action and try to expose wrongdoing in every region of the world,” he said.

    “But some governments are threatened by this, and a growing tide of surveillance and censorship now threatens the future of democracy. Bold steps are needed now to protect our fundamental rights to privacy and freedom of opinion and association online.”

    “Legal limits on government snooping online urgently need review. 94 percent of countries in the Web Index do not meet best practice standards for checks and balances on government interception of electronic communications.”

    The UK and US were both criticised for government snooping online, and while Sweden is top for openness, second is Norway.

  37. Tomi Engdahl says:

    Network monitoring does not protect against espionage

    The Finnish authorities seem to be itching to monitor the network. That does not, however, protect the public authorities themselves against espionage.

    “Before you go to ask for additional powers or impose additional duties, you should put the basics into shape,” Data Protection Ombudsman Reijo Aarnio comments to Turun Sanomat. Aarnio says only 60 per cent of government services have reached a specific level of the basic requirements of data security.

    Tom Voutilainen, professor of information and information technology law at the University of Eastern Finland, also says in an interview with the Turun Sanomat newspaper that network monitoring should be the exception. He sees monitoring as justified in some contexts, but not continuously. Voutilainen sees that the network supervisor needs a supervisor, but does not trust politicians.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/tietosuojavaltuutettu+tsssa+verkon+valvominen+ei+suojele+vakoilulta/a949344

  38. Tomi Engdahl says:

    BYOG: Why You NEED A Google Glass Policy
    http://www.forbes.com/sites/netapp/2013/08/13/google-glass-policy/

    Don’t look now, but here comes BYOG: “bring your own Glass.” Soon enough, employees and executives will be showing up for work wearing Google’s innovative new headset.

    Today, there are probably between 10,000 and 15,000 people in the world who have Google Glass

    Google Glass will never be as ubiquitous as the smartphone, but it will be mainstream. You need to start preparing now for the inevitable introduction of this technology into your offices and inside the firewall.

    Is Glass Half Empty Or Half Full?
    There are clear benefits and risks to Google Glass in the workplace.

    Your IT department will use them for alerts and notifications as they used to use pagers and currently use smartphones. They’ll be able to see the alert, and in many cases respond to it, while continuing to do whatever it is they were doing, even if they were in a meeting.
    Drivers, warehouse workers and others who use both hands during work will benefit enormously. Glass will essentially give them the basic tools of a white collar worker sitting at a desk as they are in the factory or in the field.
    It will prove to be a massive benefit to the visually impaired and other disabled employees.

    But Glass will also introduce new risks and challenges.

    For starters, it has a camera on the front. It takes only a second to snap a picture or begin recording a video.

    The biggest wildcard is that, like smartphones, Google Glass runs apps. And you can’t know what app is running on any particular user’s device.

    Are they recording what they see and sending it to your competition?
    Are they harvesting equipment serial numbers?
    Are they watching porn?

    There’s almost no way to know. (Note that none of these activities requires an Internet connection — keeping them off the network doesn’t eliminate the risk.)

    Here’s one scenario to consider. Right now, smartphone apps, head-mounted camera systems and car dashcams have the ability to record the past. Apps will give Google Glass this ability. That means after a private conversation involving company secrets, personnel issues or other sensitive topics, a user running such an app will be able to walk away, press a button, and the audio or video of that conversation can be preserved, and uploaded to the cloud.

  39. Tomi says:

    NYPD: Thieves still really love Apple Inc. devices
    http://www.myfoxny.com/story/24016575/nypd-thieves-still-really-love-apple-inc-devices

    The NYPD says that Apple products are among the biggest targets for thieves.

    The NYPD says that in 2012, nearly 20 percent of all burglaries, robberies and grand larcenies involved Apple products. In total almost 16,000 Apple items were stolen. That is 14 percent of all the crime in the city.

    Bob Strang, a former FBI and DEA agent, is now CEO of Investigative Management Group. He said the items have a high resell value. He said these Apple thefts are not petty crimes: the criminals have a network.

  40. Tomi says:

    Meet the man who’ll TAKE OVER if UK faces CYBER ATTACK
    Chris Gibson to head up UK’s national Computer Emergency Response Team
    http://www.theregister.co.uk/2013/11/22/uk_cert_analysis/

    The delayed launch of the national Computer Emergency Response Team (CERT) is getting back on track with the appointment of its new director, Chris Gibson. This comes after the project was delayed until next year.

    The organisation was due to be up and running this year but recruitment and other issues meant its launch was put back until early 2014.

    CERT-UK, a pillar of the government’s £650m National Cyber Security Strategy, is designed to co-ordinate responses to online attacks on a national level.

    Idea from industry

    The UK has had industry-specific CERTs for years (such as Janet CSIRT for university networks, and comparable organisations within government and for the UK defence forces) but has been slow to set up a national CERT, designed to co-ordinate response across all public and private sectors. CERT-UK will provide a comparable function to US-CERT, which has been operating for 10 years since 2003.

    “A national CERT is the de facto CERT that CERTs in other countries would contact to help deal with a security issue.”

    “A CERT, Computer Emergency Response Team, is a service set up by organisations, industry bodies or governments to help their constituents deal with computer security issues. Typically many CERTs would act as coordination points to assist other CERTs deal with incidents. Other CERTs may offer devices such as alerting subscribers to vulnerabilities or targeted attacks, while others may also offer incident response services.”

    The practical difficulties involved in the seemingly straightforward task of sharing cyber information were highlighted during a round table discussion of programme committee members at the RSA Conference Europe late last month.

    Researchers at antivirus firms have long shared malware samples with their peers at other vendors. But there’s nowhere near this level of co-operation in sharing the details of software vulnerabilities and exploits, which have become a marketable commodity over recent years.

    Threat sharing among commercial firms, meanwhile, has historically been limited to small communities where everybody knows each other, such as banking or academia, rather than through cross-industry partnerships. Damage to brand reputation if news about breaches or other security problems leak out has historically tended to inhibit even anonymous sharing of security threats outside closed groups.

    Earlier this week, EU cyber security agency ENISA called for better data-sharing and interoperability among European CERTs.

  41. Tomi says:

    NSA infected 50,000 computer networks with malicious software
    http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/

    The American intelligence service – NSA – infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information. Documents provided by former NSA-employee Edward Snowden and seen by this newspaper, prove this.

    A management presentation dating from 2012 explains how the NSA collects information worldwide. In addition, the presentation shows that the intelligence service uses ‘Computer Network Exploitation’ (CNE) in more than 50,000 locations. CNE is the secret infiltration of computer systems achieved by installing malware, malicious software.

    One example of this type of hacking was discovered in September 2013 at the Belgium telecom provider Belgacom. For a number of years the British intelligence service – GCHQ – has been installing this malicious software in the Belgacom network in order to tap their customers’ telephone and data traffic. The Belgacom network was infiltrated by GCHQ through a process of luring employees to a false Linkedin page.

  42. Tomi says:

    Ask Slashdot: How Do You Protect Your Privacy These Days? Or Do You?
    http://yro.slashdot.org/story/13/11/24/0339225/ask-slashdot-how-do-you-protect-your-privacy-these-days-or-do-you

    “The NSA snoops traffic and has backdoors in encryption algorithms. Law enforcement agencies are operating surveillance drones domestically (not to mention traffic cameras and satellites). Commercial entities like Google, Facebook and Amazon have vast data on your internet behavior. The average Joe has sophisticated video-shooting and sharing technology in his pocket”

    “Your private health, financial, etc. data is protected by under-funded IT organizations which are not under your control.”

  43. Tomi says:

    Internet Traffic Following Malicious Detours Via Route Injection Attacks
    http://threatpost.com/internet-traffic-following-malicious-detours-via-route-injection-attacks/102981

    Attackers are accessing routers running on the border gateway protocol (BGP) and injecting additional hops that redirect large blocks of Internet traffic to locations where it can be monitored and even manipulated before being sent to its intended destination.

    Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure.

    It is unknown how the attackers are accessing the affected routers, whether they have physical access or whether the router is exposed to the Internet, but that’s the easy part. The route injection is merely a few tweaks to the router’s configuration.

    “It’s actually making a BGP-speaking router do exactly what it is intended to do. All you’re doing is changing the configuration on the router,”

    Reply
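For network operators, the route injections described in the comment above show up in BGP data as changed AS paths for prefixes you own. The following is an added example, not part of the original comment or the Threatpost article: a minimal monitor that checks announcements against a baseline. The prefixes, AS numbers and baseline policy are constructed (documentation and private-use ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed baseline: monitored prefixes, their expected origin AS, and the
# upstream ASes expected directly before the origin in any AS path.
BASELINE = {
    "203.0.113.0/24": {"origin": 64500, "upstreams": {64510, 64511}},
    "198.51.100.0/24": {"origin": 64501, "upstreams": {64510}},
}

# Constructed announcements as a route collector might report them.
UPDATES = [
    ("203.0.113.0/24", [64520, 64510, 64500]),    # matches baseline
    ("203.0.113.0/24", [64520, 64666, 64500]),    # extra hop before origin
    ("203.0.113.128/25", [64520, 64510, 64500]),  # more-specific prefix
    ("198.51.100.0/24", [64520, 64510, 64666]),   # different origin AS
    ("192.0.2.0/24", [64520, 64999]),             # not monitored
]

def covering_baseline(prefix):
    """Return (baseline network, policy) covering this prefix, or (None, None)."""
    net = ipaddress.ip_network(prefix)
    for base, policy in BASELINE.items():
        base_net = ipaddress.ip_network(base)
        if net.version == base_net.version and net.subnet_of(base_net):
            return base_net, policy
    return None, None

def check_update(prefix, as_path):
    """Return a list of findings for one announcement (empty if it looks normal)."""
    base_net, policy = covering_baseline(prefix)
    if policy is None:
        return []
    # Collapse AS-path prepending (the same AS repeated) before comparing.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    findings = []
    if ipaddress.ip_network(prefix).prefixlen > base_net.prefixlen:
        findings.append("more-specific")
    if path[-1] != policy["origin"]:
        findings.append("origin-change")
    elif len(path) > 1 and path[-2] not in policy["upstreams"]:
        findings.append("unexpected-upstream")
    return findings

def scan(updates):
    """Return (prefix, path, findings) for every announcement that deviates."""
    results = [(p, path, check_update(p, path)) for p, path in updates]
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for prefix, path, findings in scan(UPDATES):
        print(prefix, path, ",".join(findings))
```

A path-level detour further upstream than the first hop before the origin would need a longer expected-path baseline or traceroute measurements to catch.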
  44. Tomi says:

    Users ID’ed through typing, mouse movements
    Continuous authentication app created from DARPA research
    http://www.scmagazine.com.au/News/365221,users-ided-through-typing-mouse-movements.aspx

    Researchers have built a continuous authentication platform that can accurately identify users based on their typing patterns.

    A series of 90 minute typing tests carried out on 2000 people at Iowa State University found users could be identified with a half percent margin of error based on the way they hit keys.

    The work has been spun into an application that could continuously authenticate users and lock accounts if another person jumped on the computer resulting in irregularities being detected.

    Uniquely syncopated mouse and keyboard patterns made it possible to identify users, Iowa State University associate professor Morris Chang said.

    “These pauses between words, searches for unusual characters and spellings of unfamiliar words, all have to do with our past experiences, our learning experiences,” Chang said. “And so we call them cognitive fingerprints which manifest themselves in typing rhythms.”

    Reply
  45. Tomi Engdahl says:

    A spurned techie’s revenge: Locking down his ex’s digital life
    Revenge porn is just the tip of the iceberg when it comes to cyber-domestic abuse.
    http://arstechnica.com/tech-policy/2013/11/a-spurned-techies-revenge-locking-down-his-exs-digital-life/

    The most recent comprehensive study on stalking and domestic violence, conducted by the Department of Justice in 2006, found that more than 887,000 people were aware that they were victims of cyber stalking or electronic monitoring in that year alone. And that was a year before the iPhone was released and well before the smartphone boom really began.

    “Think of how many times you leave your phone unattended,” Southworth said. “And there’s this idea that people get that if you don’t share passwords with your best friend or your boyfriend, you don’t trust them.” Once someone has physical access and the password, it’s difficult to roll that exposure back. Furthermore, the market for spyware and other tracking tools for mobile devices has been growing.

    That’s a common problem in dealing with these sorts of cases, Southworth said. “Some victims just want their device clean and just want the stalking to stop. But if you clean off the device, you’re destroying the evidence.”

    And even when software is removed, the persistence of such stalkers usually means that they won’t stop their behavior—they’ll just take different approaches

    Reply
  46. Tomi Engdahl says:

    Excess of stolen identities leads to massive price cuts, US ID costs just $25
    http://www.geek.com/news/excess-of-stolen-identities-leads-to-massive-price-cuts-us-id-costs-just-25-1577923/

    Cybercriminals have been busy over the past couple of years, and it’s starting to show. Digital identity inventory levels have never been higher, and prices have never been lower. It’s a great time to be a black market buyer.

    According to a new report from Dell SecureWorks, an American identity is now selling for just $25. Two years ago, a fraudster would have had to shell out $40 for the same data. That’s what happens when supply outpaces demand in the business world, and it generally holds true even when you’re talking about criminal enterprises.

    That $25 covers “fullz,” which typically include your name, mailing address, phone numbers, email addresses, date of birth, and social security number as well as complete bank account or credit card information.

    Those who prefer to order a la carte can pick up a US Mastercard or Visa for the bargain-basement price of $4

    Ransomware isn’t a new phenomenon, but Cryptolocker has taken things to a new level.

    It’s working, and working well. Unlike other cybercriminals who are slashing prices, the Cryptolocker crew is watching income rise and methodically perfecting their malware — adding support for anonymized payments via Bitcoin and rolling out a late payment option for those who regret ignoring the initial deadline.

    Reply
  47. Tomi Engdahl says:

    Shaken NSA Grapples With an Overhaul
    Agency’s Director Offered to Resign Last Summer in Wake of Snowden Leaks
    http://online.wsj.com/news/articles/SB10001424052702304607104579214673029584730

    Shortly after former government contractor Edward Snowden revealed himself in June as the source of leaked National Security Agency documents, the agency’s director, Gen. Keith Alexander, offered to resign, according to a senior U.S. official.

    The offer, which hasn’t previously been reported, was declined by the Obama administration. But it shows the degree to which Mr. Snowden’s revelations have shaken the NSA’s foundations—unlike any event in its six-decade history, including the blowback against domestic spying in the 1970s.

    Reply
  48. Tomi Engdahl says:

    New Snowden leaks reveal US, Australia’s Asian allies
    http://www.theage.com.au/technology/technology-news/new-snowden-leaks-reveal-us-australias-asian-allies-20131124-2y3mh.html

    Singapore and South Korea are playing key roles helping the United States and Australia tap undersea telecommunications links across Asia, according to top secret documents leaked by former US intelligence contractor Edward Snowden. New details have also been revealed about the involvement of Australia and New Zealand in the interception of global satellite communications.

    A top secret United States National Security Agency map shows that the US and its “Five Eyes” intelligence partners tap high speed fibre optic cables at 20 locations worldwide. The interception operation involves cooperation with local governments and telecommunications companies or else through “covert, clandestine” operations.

    The undersea cable interception operations are part of a global web that in the words of another leaked NSA planning document enables the “Five Eyes” partners – the US, United Kingdom, Australia, Canada and New Zealand – to trace “anyone, anywhere, anytime” in what is described as “the golden age” signals intelligence.

    The leaked NSA map also shows South Korea is another key interception point with cable landings at Pusan providing access to the external communications of China, Hong Kong and Taiwan.

    South Korea’s National Intelligence Service has long been a close collaborator with the US Central Intelligence Agency and the NSA, as well as the Australian intelligence agencies.

    Reply
