Security trends for 2013

Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.

Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.

Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.

SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices.
Good idea to test your devices against it.

There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.

Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.

Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.

Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.

crystalball

Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.

Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.

European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection
    https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection

    When you access a Web site over an encrypted connection, you’re using a protocol called HTTPS. But not all HTTPS connections are created equal. In the first few milliseconds after a browser connects securely to a server, an important choice is made: the browser sends a list of preferences for what kind of encryption it’s willing to support, and the server replies with a verification certificate and picks a choice for encryption from the browser’s list. These different encryption choices are called “cipher suites.” Most of the time, users don’t have to worry about which suite the browsers and servers are using, but in some cases it can make a big difference.

    One important property is called “perfect forward secrecy,” but only some servers and only some browsers are configured to support it. Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party. That particular threat may have once seemed unlikely, but we now know that the NSA does exactly this kind of long-term storage of at least some encrypted communications as they flow through telecommunications hubs, in a collection effort it calls “upstream.”

    When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can’t later derive the relevant session key that would allow her to decrypt any particular HTTPS session. So intercepted encrypted data is protected from prying eyes long into the future, even if the website’s secret key is later compromised.

    It’s important to note that no flavor of HTTPS, on its own, will protect the data once it’s on the server. Web services should definitely take precautions to protect that data, too.

    So who protects long-term privacy by supporting perfect forward secrecy? Unfortunately, it’s not a very long list—but it’s growing. Google made headlines when it became the first major web player to enable the feature in November of 2011. Facebook announced last month that, as part of security efforts that included turning on HTTPS by default for all users, it would enable perfect forward secrecy soon. And while it doesn’t serve the same volume as those other sites, http://www.eff.org is also configured to use perfect forward secrecy.

    Reply
  2. Tomi Engdahl says:

    Twitter Implements Forward Secrecy For Connections
    http://yro.slashdot.org/story/13/11/24/033253/twitter-implements-forward-secrecy-for-connections

    “Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service’s encryption.”

    Reply
  3. Tomi Engdahl says:

    NSA infected 50,000 computer networks with malicious software
    http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/

    The American intelligence service – NSA – infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information. Documents provided by former NSA-employee Edward Snowden and seen by this newspaper, prove this.

    A management presentation dating from 2012 explains how the NSA collects information worldwide. In addition, the presentation shows that the intelligence service uses ‘Computer Network Exploitation’ (CNE) in more than 50,000 locations. CNE is the secret infiltration of computer systems achieved by installing malware, malicious software.

    The NSA computer attacks are performed by a special department called TAO (Tailored Access Operations). Public sources show that this department employs more than a thousand hackers.

    ‘Sleeper cells’ can be activated with a single push of a button

    The malware can be controlled remotely and be turned on and off at will. The ‘implants’ act as digital ‘sleeper cells’ that can be activated with a single push of a button. According to the Washington Post, the NSA has been carrying out this type of cyber operation since 1998.

    Reply
  4. Tomi Engdahl says:

    Google Chairman Eric Schmidt Thinks Cell Phones Can Stop (And Start) Wars
    http://www.businessinsider.com/google-chairman-eric-schmidt-thinks-cell-phones-can-stop-and-start-wars-2013-11

    Google chairman Eric Schmidt has a solution for global conflict: smartphones.

    The book, which Schmidt co-wrote with Jared Cohen, discusses various technological revolutions – the printing press, the fax machine and so forth – and posits that the Internet (and interconnectedness) can solve many of the world’s problems.

    The U.S. “could have airdropped a million [smartphones] into Afghanistan or Iraq as a thought experiment,” Schmidt said.

    “Would that have altered the course America pursued 10 years ago? I think so. All of a sudden you have a very different political situation inside.”

    Lest you think smartphones are only for preventing foolish wars, they could also help oppressed citizens. Schmidt argued the phones and the web could help foment a revolution in Iran — and would induce one in China within the decade.

    Reply
  5. Tomi Engdahl says:

    How Antisec Died
    Jeremy Hammond, Sabu, and the Intelligence-Industrial Complex
    https://medium.com/quinn-norton/654abf6aeff7

    In Feburary of 2012, Antisec had told me they had over 50
    backdoored servers from governments and corporations, and planned to drop a new one every Friday for the indefinite future. These backdoors were shared in common; Sabu, and by extension the FBI, would have had them as well. Everything seemed settled into a smooth groove of hacking for 2012. The Stratfor mails were released by Wikileaks, but unlike most of Wikileaks’ sources, Antisec wanted credit.

    Wikileaks never confirmed, consistent with their policies.

    The FBI may have only caught one hacker in the Antisec sting, but they walked away with a treasure trove of backdoors, vulnerabilities, and weaponized code.

    Three days after the FBI closed down their Antisec, the head of FBI Cybercrime, Shawn Henry, retired and went to the private sector to head up the Services division of Crowdstrike. Crowdstrike was the company most known for advocating “hackback” until that became unpopular (due to being illegal) at which point they claimed instead to be the most aggressive security company in the business at going after intruders

    Anonymous, as always, goes on. Antisec, as the group Sabu founded, disbanded and blew to the winds in 2012, but the concept remained.

    Reply
  6. Tomi Engdahl says:

    Software Is Reorganizing the World
    http://www.wired.com/opinion/2013/11/software-is-reorganizing-the-world-and-cloud-formations-could-lead-to-physical-nations/

    For the first time in memory, adults in the United States under age forty are now expected to be poorer than their parents. This is the kind of grim reality that in other times and places spurred young people to look abroad for opportunity. Indeed, it is similar to the factors that once pushed millions of people to emigrate from their home countries to make their home in America. Our nation of immigrants is, tautologically, a nation of emigrants.

    Yet while our ancestors had America as their ultimate destination, it is not immediately obvious where those seeking opportunity might head today. Every square foot of earth is already spoken for by one (or more) nation states, every physical frontier long since closed.

    With our bodies hemmed in, our minds have only the cloud — and it is the cloud that has become the destination for an extraordinary mental exodus. Hundreds of millions of people have now migrated to the cloud, spending hours per day working, playing, chatting, and laughing in real-time HD resolution with people thousands of miles away … without knowing their next-door neighbors.

    The concept of migrating our lives to the cloud is much more than a picturesque metaphor, and actually amenable to quantitative study.

    Perhaps the single most important feature of these states of mind is the increasing divergence between our social and geographic neighbors, between the cloud formations of our heads and the physical communities surrounding our bodies. An infinity of subcultures outside the mainstream now blossoms on the Internet — vegans, body modifiers, CrossFitters, Wiccans, DIYers, Pinners, and support groups of all forms. Millions of people are finding their true peers in the cloud, a remedy for the isolation imposed by the anonymous apartment complex or the remote rural location.

    Yet this discrepancy between our cloud subculture and our physical surroundings will not endure indefinitely. Because the latest wave of technology is not just connecting us intellectually and emotionally with remote peers: it is also making us ever more mobile, ever more able to meet our peers in person.

    The future of technology is not really location-based apps; it is about making location completely unimportant.

    When physical goods themselves can’t be digitized, our interface to them will be.

    Silicon Valley is nothing special. The geography of physical concentration is incidental and not worth fighting over.

    Reply
  7. Tomi Engdahl says:

    Pirate Bay founder faces Danish hacking charges
    http://www.bbc.co.uk/news/technology-25054054

    In his letter he said it had been shown that his computer, which was used in the Danish hack, could have been controlled remotely and the attack carried out by someone else.

    Mr Warg and a Danish accomplice are accused of downloading lots of files from CSC mainframes that included documents about wanted criminals.

    Reply
  8. Tomi Engdahl says:

    Leaked MS ad video parodies Chrome as surveillance tech
    Kettle, Kettle, come in, over. Kettle, kettle, do you copy, this is Pot, over
    http://www.theregister.co.uk/2013/11/25/scroogled_leak_video/

    A leaked Microsoft ad, meant only for internal consumption, parodies a Google campaign as it portrays Google Chrome as a data-snaffling privacy-stealing parasite.

    Chrome is depicted as a surveillance technology to make money from private information for the benefit of Google.

    The video sits alongside Microsoft’s overt “Scroogled” campaign, which recently hatched a merchandising arm intended to further blacken the reputation of Redmond’s arch-rival Google.

    Reply
  9. Tomi Engdahl says:

    Facebook’s Zuckerberg: US gov ‘blew it’ on mass surveillance
    By all means MINE THAT DATA, just tell us about it… bitch
    http://www.theregister.co.uk/2013/11/25/zuckerberg_says_us_government_blew_it_on_mass_surveillance/

    Facebook supremo Mark Zuckerberg – whose company is routinely criticised for its dubious data-mining practices – has attacked the US government for being secretive about its online spying activities.

    “I think the government really blew it on this one. And I honestly think that they’re continuing to blow it in some ways and I hope that they become more transparent in that part of it,” he told ABC News.

    Zuck argued that a balance was needed to allow American citizens to live in a safe country where they are protected by spooks while, at the same time, being kept in the loop about mass surveillance – something the Facebook chief arguably knows a thing or two about.

    “The future of our economy is a knowledge economy.”

    Reply
  10. Tomi Engdahl says:

    FBI sends memo to US.gov sysadmins: You’ve been hacked… for the past YEAR
    Claims Anonymous hacktivists have been pilfering info through leaky backdoors
    http://www.theregister.co.uk/2013/11/18/anon_us_gov_hack_warning/

    Hacktivists allegedly affiliated with Anonymous have been covertly breaking into US government systems and pilfering sensitive information for nearly a year, the FBI warned last week.

    The attacks (which began last December and are thought to be ongoing) exploit flaws in Adobe’s ColdFusion web app development software to plant backdoors on compromised systems, according to an FBI memo seen by Reuters. The memo said the US army, Department of Energy, Department of Health and Human Services, and others had all been targeted.

    Some of the breaches have been publicised by Anonymous under the a campaign dubbed Operation Last Resort (‪#OpLastResort‬), which aims to protest against the overzealous prosecution of computer crime suspects including Aaron Swartz

    “The majority of the intrusions have not yet been made publicly known,” the Feds warned, Reuters reports. “It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed.”

    News of the warning broke late last week shortly after Anonymous affiliated hacker Jeremy Hammond was jailed for 10 years for hacking into the systems of private intelligence firm Stratfor and stealing credit card details and emails.

    Reply
  11. Tomi Engdahl says:

    Google account recovery vulnerability
    http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html

    If I told you to think of the most sensitive features (security-wise) in a web application, you would probably say – Login. Well if your definition of “Login” does not include password recovery, then it would definitely be the second one. This means, that password recovery is often in the center of attention for attackers – and for security professionals.

    So let’s say you are using Paypal, Facebook or Twitter, and you forgot your password (shit happens, right?). They will ask you to put your email in a nice input box, and wait until you get a password recovery link.

    Did you ever stop and ask what does GMAIL stand for? It’s the Global Main Authentication and Identification Library. Seriously, if someone got access to your Gmail account, he can “password recover” his way to any other web/mobile application out there (!).

    But seriously, what’s the worst someone can do? Make you initialize password recovery process for other Google Accounts?

    Google adds CAPTCHA validation for accounts that are being abused through their Password Recovery.

    Holy guacamole! We are reflected directly to a form action! That’s awesome… we can put any URL here… and since you know you’ve just clicked a Reset Password button on Google, you would be happy to give away your password :)

    Once you click on the Reset Password button, you are going to get to the hacker’s page (a smart hacker will use a Google hosted site, like Google Sites)

    But you know what would be really fun? If we can turn it to a Cross-Site Scripting attack.

    Google Security Team Response
    Google security team acted really fast. This issue was fixed in 10 days. This was reported according to the Vulnerability Reward Program rules

    Reply
  12. Tomi Engdahl says:

    N.S.A. May Have Penetrated Internet Cable Links
    http://www.nytimes.com/2013/11/26/technology/a-peephole-for-the-nsa.html?pagewanted=all&_r=0

    The recent revelation that the National Security Agency was able to eavesdrop on the communications of Google and Yahoo users without breaking into either companies’ data centers sounded like something pulled from a Robert Ludlum spy thriller.

    How on earth, the companies asked, did the N.S.A. get their data without them knowing about it?

    The most likely answer is a modern spin on a century-old eavesdropping tradition.

    People knowledgeable about Google and Yahoo’s infrastructure say they believe that government spies bypassed the big Internet companies and hit them at a weak spot — the fiber-optic cables that connect data centers around the world that are owned by companies like Verizon Communications, the BT Group, the Vodafone Group and Level 3 Communications. In particular, fingers have been pointed at Level 3, the world’s largest so-called Internet backbone provider, whose cables are used by Google and Yahoo.

    The Internet companies’ data centers are locked down with full-time security and state-of-the-art surveillance, including heat sensors and iris scanners. But between the data centers — on Level 3’s fiber-optic cables that connected those massive computer farms — information was unencrypted and an easier target for government intercept efforts, according to three people with knowledge of Google’s and Yahoo’s systems who spoke on the condition of anonymity.

    “Everyone was so focused on the N.S.A. secretly getting access to the front door that there was an assumption they weren’t going behind the companies’ backs and tapping data through the back door, too,” said Kevin Werbach, an associate professor at the Wharton School.

    Reply
  13. Tomi Engdahl says:

    Julian Assange unlikely to face U.S. charges over publishing classified documents
    http://www.washingtonpost.com/world/national-security/julian-assange-unlikely-to-face-us-charges-over-publishing-classified-documents/2013/11/25/dd27decc-55f1-11e3-8304-caf30787c0a9_story.html

    The Justice Department has all but concluded it will not bring charges against WikiLeaks founder Julian Assange for publishing classified documents because government lawyers said they could not do so without also prosecuting U.S. news organizations and journalists, according to U.S. officials.

    The officials stressed that a formal decision has not been made, and a grand jury investigating WikiLeaks remains impaneled, but they said there is little possibility of bringing a case against Assange

    Justice officials said they looked hard at Assange but realized that they have what they described as a “New York Times problem.” If the Justice Department indicted Assange, it would also have to prosecute the New York Times and other news organizations and writers who published classified material, including The Washington Post and Britain’s Guardian newspaper, according to the officials, who spoke on the condition of anonymity to discuss internal deliberations.

    Reply
  14. Tomi Engdahl says:

    NSA-busting secure, open, router seeks cash and code from crowd
    Oz designers deliver TOR, IPSec and 1 Gbps box with locks
    http://www.theregister.co.uk/2013/11/26/oz_developer_crowdfunding_open_secure_router/

    Australian embedded systems designer Redfish is hoping to attract funding from the crowd to market a secure routing platform that open-sources both the hardware and software to protect users from unwanted snooping.

    Speaking to The Register ahead of the launch, Redfish managing director Justin Clacherty said the project is designed to get security in front of ordinary users – those who don’t have the skills or confidence to set up complex crypto schemes or dive into the world of TOR.

    Reply
  15. Tomi Engdahl says:

    ‘MacGyver’ geezer makes ‘SHOTGUN, GRENADE’ from airport shop tat
    Hobby project brings visit from the Feds
    http://www.theregister.co.uk/2013/11/26/madcap_macgyver_builds_shotgun_grenade_from_airport_shop_parts/

    Application developer and part-time security researcher Evan Booth has produced a series of videos showing how an array of apparently deadly weapons can be MacGyver’d from stuff on sale in airport shops.

    His inventions can be built from things bought after walking through the usual security checks; we’re told they include a remote-controlled suitcase bomb made using a child’s toy, a Zippo lighter and cans of Axe body spray; a potentially lethal set of nunchucks; a club capable of smashing apart a coconut; and a fragmentation grenade that he assembled in less than eight minutes.

    “If we’re trying stop a terrorist threat at the airport it’s already too late,”

    Booth’s videos show that you can at least get a big bang from materials found in airport shops. Lithium from batteries, for example, when mixed with water, can act as an explosive when coupled with an aerosol can, while consumer electronics goods can be adapted in a variety of lethal ways.

    Reply
  16. Tomi Engdahl says:

    Google urged to hose down Great Firewall with HTTPS
    Activists argue Chocolate Factory could call Beijing’s bluff
    http://www.theregister.co.uk/2013/11/26/greatfire_censorship_china_google_blocked/

    A non-profit anti-censorship body has called on Eric Schmidt and Google to lead by example and call China’s bluff on web censorship with a simple two-pronged approach.

    GreatFire.org co-founder Charlie Smith claimed in a blog post that Google should switch its China search service to HTTPS by default, as it does in the US, which means Beijing would have to block it completely or not at all, rather than the selective search results it blocks today.

    Secondly, Smith urged Google to redirect users trying to visit blocked sites to a mirrored version of that site hosted by the Chocolate Factory.
    “They have sometimes made Google services like Gmail excruciatingly difficult to use,” he wrote. “But given how essential Google’s services are to so many individuals and businesses, blocking the company entirely would have immediate and disastrous economic consequences.”

    Reply
  17. Tomi Engdahl says:

    Microsoft, suspecting NSA spying, to ramp up efforts to encrypt its Internet traffic
    http://www.washingtonpost.com/business/technology/microsoft-suspecting-nsa-spying-to-ramp-up-efforts-to-encrypt-its-internet-traffic/2013/11/26/44236b48-56a9-11e3-8304-caf30787c0a9_story.html

    Microsoft is moving toward a major new effort to encrypt its Internet traffic amid fears that the National Security Agency may have broken into its global communications links, said people familiar with the emerging plans.

    Suspicions at Microsoft, while building for several months, sharpened in October when it was reported that the NSA was intercepting traffic inside the private networks of Google and Yahoo, two industry rivals with similar global infrastructures, said people with direct knowledge of the company’s deliberations. They said top Microsoft executives are meeting this week to decide what encryption initiatives to deploy and how quickly.

    Documents obtained from former NSA contractor Edward Snowden suggest — but do not prove — that the company is right to be concerned.

    Though Microsoft officials said they had no independent verification of the NSA targeting the company in this way, general counsel Brad Smith said Tuesday that it would be “very disturbing” and a possible constitutional breach if true.

    Reply
  18. Tomi Engdahl says:

    End the N.S.A. Dragnet, Now
    http://www.nytimes.com/2013/11/26/opinion/end-the-nsa-dragnet-now.html?pagewanted=all&_r=0

    THE framers of the Constitution declared that government officials had no power to seize the records of individual Americans without evidence of wrongdoing, and they embedded this principle in the Fourth Amendment. The bulk collection of Americans’ telephone records — so-called metadata — by the National Security Agency is, in our view, a clear case of a general warrant that violates the spirit of the framers’ intentions. This intrusive program was authorized under a secret legal process by the Foreign Intelligence Surveillance Court, so for years American citizens did not have the knowledge needed to challenge the infringement of their privacy rights.

    Our first priority is to keep Americans safe from the threat of terrorism. If government agencies identify a suspected terrorist, they should absolutely go to the relevant phone companies to get that person’s phone records. But this can be done without collecting the records of millions of law-abiding Americans.

    The usefulness of the bulk collection program has been greatly exaggerated.

    Despite this, the surveillance reform bill recently ratified by the Senate Intelligence Committee would explicitly permit the government to engage in dragnet collection as long as there were rules about when officials could look at these phone records. It would also give intelligence agencies wide latitude to conduct warrantless searches for Americans’ phone calls and emails.

    Congress has a crucial opportunity to reassert constitutionally guaranteed liberties by reforming the N.S.A.’s overbroad collection of Americans’ personal data.

    Rather than adopt our legislation, the Intelligence Committee chose to codify excessively broad domestic surveillance authorities.

    trust has been undermined by the N.S.A.’s domestic surveillance programs, as well as by senior officials’ misleading statements about surveillance.

    Reply
  19. Tomi Engdahl says:

    UN passes anti-spying resolution
    http://news.yahoo.com/un-passes-anti-spying-resolution-193128274.html

    UNITED NATIONS (United States) (AFP) – A UN rights committee on Tuesday passed a “right to privacy” resolution pressed by Germany and Brazil, which have led international outrage over reports of US spying on their leaders.

    The resolution says that surveillance and data interception by governments and companies “may violate or abuse human rights.”

    Fifty-five countries, including France, Russia and North Korea, co-sponsored the text which did not name any target but made lightly veiled references to spying which has put the US National Security Agency at the center of global controversy.

    The United States and key allies Britain, Australia, Canada and New Zealand — who together make up the so-called “Five-Eyes” intelligence group — joined a consensus vote passing the resolution after language suggesting that foreign spying would be a rights violation was weakened.

    Reply
  20. Tomi Engdahl says:

    21 nations after resolution against US spying at United Nations
    http://www.presstv.ir/detail/2013/10/27/331519/nations-after-resolution-against-us-spying/

    UN member states are “deeply concerned at human rights violations and abuses that may result from the conduct of extra-territorial surveillance or interception of communications in foreign jurisdictions,” according to the draft.

    “Emphasizing that illegal surveillance of private communications and the indiscriminate interception of personal data of citizens constitutes a highly intrusive act that violates the rights to freedom of expression and privacy and threatens the foundations of a democratic society.”

    The global outrage over US government surveillance further spiked after The Guardian — citing a confidential memo obtained from American whistleblower Edward Snowden – revealed that the NSA is illegally eavesdropping on phone conversations of 35 world leaders.

    On Friday, the State Department announced that the US initiated a review of its surveillance programs in order to “balance security needs with privacy concerns.”

    However, individuals in the intelligence and defense community are concerned that the NSA’s spying activities have proven too damaging.

    “This is an example of the very worst aspects of the Snowden disclosures,” a former defense official with deep experience in NATO told The Foreign Policy. “It will be very difficult for the US to dig out of this, although we will over time. The short term costs in credibility and trust are enormous.”

    The UN resolution is expected to be presented in front of the United Nations General Assembly human rights committee before the end of the year.

    Reply
  21. Tomi Engdahl says:

    Guess What? Your Facebook Friends List Is Never Private
    http://www.tomsguide.com/us/facebook-friends-list-vulnerability,news-17907.html

    Even if you’ve set your Facebook friend list to private, a vulnerability in the social media platform makes it easy for anyone to find it, whether accidentally or through more sinister means.

    The vulnerability is simple: To see someone’s full friend list, potential snoops or stalkers only need to create a new Facebook profile and send their target a friend request.

    Then, thanks to Facebook’s “People You May Know” feature, which mines friend networks to suggest new connections, the snoop will be able to see their target’s friend list.

    The target doesn’t even have to accept the friend request for this to work.

    Reply
  22. Tomi Engdahl says:

    CryptoLocker: US Police Department Pays $750 Bitcoin Ransom to Cybercriminals
    http://www.ibtimes.co.uk/articles/524137/20131121/cryptolocker-ransomware-police-department-pays-bitcoin-ransom.htm

    A police department in Massachusetts has paid $750 for two bitcoins to release files encrypted by the increasingly pervasive Cryptolocker ransomware.

    A computer in the police department of Swansea, Massachusetts was hit by the CryptoLocker ransomware on 6 November.

    CryptoLocker is a particularly pernicious piece of malware that is typically spread as a malicious attachment in emails which look to come from financial institutions or postal services.

    The malware infected the computer in the Swansea police department and encrypted files on the PC’s hard drive including “images and word documents” which could include police reports and arrest photos of suspects.

    The police department clearly had no backup system in place as it paid the ransom of two bitcoins, despite FBI guidance not to pay the cyber-criminals behind the attack. At the time two bitcoins were worth $750 but if the police had to pay up today, the price would be $1,300 as bitcoin’s vlaue has risen considerably in recent weeks.

    “It was an education for [those who] had to deal with it. [The malware] is so complicated and successful that you have to buy these bitcoins, which we had never heard of,” Swansea Police Lt. Gregory Ryan told the Herald News in Massachusetts.

    “We’ve upgraded our antivirus software. We’re going to try to tighten the belt, and have experts come in, but as all computer experts say, there is no foolproof way to lock your system down.”

    The ransomware only affects Windows PCs and not Macs, scanning hard drive, attached drives such as USB sticks, and even cloud storage accounts like DropBox, for a wide range of file types.

    Once it discovers the files, the malware encrypts them and displays a countdown timer, giving the victim a limited amount of time to pay up or see their files encrypted forever.

    Security company Bitdefenders Labs has discovered that over 12,000 victims have been claimed globally in the week between 27 October and 1 November.

    The National Crime Agency, like the FBI in the US, does not advise users to pay the ransom, as there is no guarantee that payments will be honoured.

    Reply
  23. Tomi Engdahl says:

    N.S.A. May Have Hit Internet Companies at a Weak Spot
    http://www.nytimes.com/2013/11/26/technology/a-peephole-for-the-nsa.html?ref=international-home&_r=0&pagewanted=all

    The agency was capturing a copy of all the data passing over the telecommunications links and then filtering it in AT&T facilities that housed systems that were able to filter data packets at high speed.

    Documents taken by Edward J. Snowden and reported by The Washington Post indicate that, seven years after Mr. Klein first described the N.S.A.’s surveillance technologies, they have been refined and modernized.

    “From Echelon to Total Information Awareness to Prism, all these programs have gone under different names, but in essence do the same thing,” said Chip Pitts, a law lecturer at Stanford University School of Law.

    Based in the Denver suburbs, Level 3 is not a household name like Verizon or AT&T, but in terms of its ability to carry traffic, it is bigger than the other two carriers combined. Its networking equipment is found in 200 data centers in the United States, more than 100 centers in Europe and 14 in Latin America.

    Mr. Pitts said that while working as the chief legal officer at Nokia in the 1990s, he successfully fended off an effort by intelligence agencies to get backdoor access into Nokia’s computer networking equipment.

    Nearly 20 years later, Verizon has said that it and other carriers are forced to comply with government requests in every country in which they operate, and are limited in what they can say about their arrangements.

    “At the end of the day, if the Justice Department shows up at your door, you have to comply,”

    Reply
  24. Tomi Engdahl says:

    The EU got tired of phishing: Facebook and Google may have to keep their data in Europe?

    The European Commission today publish a report fires the possible closure of borders, free movement of data from the EU and the United States. The report calls for the United States to act eu protect citizens’ privacy.

    The conclusions of the report, the U.S. national intelligence the NSA’s spy practiced by a massive violation of the EU-US safe harbor agreement, which gives U.S. companies are allowed to operate in Europe without local regulation and supervision. Americans are also charged with phishing information from commercial exploitation.

    Safe harbor agreement is a powerful tool for the Commission. The agreement would know separation from the major inconveniences for American technology companies.

    EU gives Obama the Board of Directors of time until the spring to respond to the report the concerns expressed.

    Source: http://www.itviikko.fi/tietoturva/2013/11/27/eu-kyllastyi-urkintaan-facebook-ja-google-voivat-joutua-pitamaan-tietonsa-euroopassa/201316473/7?rss=8

    Reply
  25. Tomi Engdahl says:

    Researchers Retract Claim Of Link Between Alleged Silk Road Mastermind And Founder Of Bitcoin
    Read more: http://www.businessinsider.com/silk-road-satoshi-paper-retraction-2013-11#ixzz2lq9fRvEd

    Reply
  26. Tomi Engdahl says:

    Top-Secret Document Reveals NSA Spied On Porn Habits As Part Of Plan To Discredit ‘Radicalizers’
    http://www.huffingtonpost.com/2013/11/26/nsa-porn-muslims_n_4346128.html

    The National Security Agency has been gathering records of online sexual activity and evidence of visits to pornographic websites as part of a proposed plan to harm the reputations of those whom the agency believes are radicalizing others through incendiary speeches, according to a top-secret NSA document. The document, provided by NSA whistleblower Edward Snowden, identifies six targets, all Muslims, as “exemplars” of how “personal vulnerabilities” can be learned through electronic surveillance, and then exploited to undermine a target’s credibility, reputation and authority.

    Stewart Baker, a one-time general counsel for the NSA and a top Homeland Security official in the Bush administration, said that the idea of using potentially embarrassing information to undermine targets is a sound one. “If people are engaged in trying to recruit folks to kill Americans and we can discredit them, we ought to,” said Baker. “On the whole, it’s fairer and maybe more humane” than bombing a target, he said, describing the tactic as “dropping the truth on them.”

    Any system can be abused, Baker allowed, but he said fears of the policy drifting to domestic political opponents don’t justify rejecting it.

    NSA believes the targeted individuals radicalize people through the expression of controversial ideas via YouTube, Facebook and other social media websites.

    Jaffer, however, warned that the lessons of history ought to compel serious concern that a “president will ask the NSA to use the fruits of surveillance to discredit a political opponent, journalist or human rights activist.”

    “The NSA has used its power that way in the past and it would be naïve to think it couldn’t use its power that way in the future,” he said.

    Reply
  27. Tomi Engdahl says:

    New Instagram craze allows scams – debit card abuse victim’s responsibility

    Instagram-up service, users have downloaded over the network photos of their credit and debit card to the extent that the Federation of Financial Services is concerned.

    “From my debit card in any case not to spread to network images, which can identify the card data. In some online shopping card for payment sufficient to simply credit card number, expiration date and name of the user, “says the Financial Sector Federation expert Kirsi Klepp

    Financial Sector Federation, so far the largest part of the card images are foreigners. Is found among the photos of Finnish cards.

    Photos of payment cards may be shared because of the acquaintances, for example, want to introduce a fresh, personalized photo card base.

    “A debit card is a valuable load. It should be used with care. The card will take care of such as cash on hand. If the card is used for online shopping wrong and it turns out that the card user is actually stretched card information to all the people, he shall pay the price of abuse, “Klepp says.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/uusi+instagramvillitys+mahdollistaa+huijaukset++maksukortin+vaarinkaytos+uhrin+vastuulle/a950305

    Reply
  28. Tomi Engdahl says:

    Information Processing Association on Tuesday, the 60th anniversary of the decade the most significant IT player in the F-Secure’s Chief Research Officer Mikko Hyppönen

    Linus Torvalds developed Linux operating system kernel, in turn, was chosen as the most important product.

    “Options were really easy”

    The Board of the Association of Information Technology Mikko Hyppönen choice, among other things, the fact that he is listed on the Foreign Policy magazine hundred most important thinkers of the listing. Hypponen is also the only Finnish, which has been invited to perform at the peak of speakers TED event.

    The Board also considers that Hyppönen know-how information security practices, and in particular, malware analysis and top-notch. It has also made him one of the best-known Finnish ICT experts.

    The Linux kernel is ideally suited for the small size and high reliability for demanding applications. It is used today in mobile phones, televisions, video game consoles, cars, industrial automation and many other embedded.
    Official version of Linux 1.0 was released in March 1994.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/fsecuren+hypponen+valittiin+vuosikymmenen+itvaikuttajaksi/a950304

    Reply
  29. Tomi Engdahl says:

    HTG Explains: Why Every User On Your Computer Should Have Their Own User Account
    http://www.howtogeek.com/142434/htg-explains-why-every-user-on-your-computer-should-have-their-own-user-account/

    Multiple user accounts were once impractical to use on Windows, but they aren’t anymore. If multiple people use your computer – particularly children or guests – you should give each person a separate user account.

    This article focuses on details specific to Windows, but the same broad reasons apply on Mac OS X, Linux, and even Android tablets with their new multiple user accounts feature.

    Why Not Just Use One Account?

    If you use a single user account on your computer, everyone will share the same application settings, files, and system permissions.

    Application Settings: When you use a single user account, everyone using the computer will use the same browser. This allows other people to use your online accounts if you stay logged in, view your browser history, dig through your bookmarks, and more.

    Files: With multiple people sharing a single user account, no one really has any private files. Anyone using the same user account can view your files.

    System Permissions: Other user accounts can be either standard or administrator accounts. If they’re standard accounts, you can use Windows’ built-in parental controls to set limits for your kids’ computer use and view information about it.

    This is even more crucial on Windows 8, where you log in with a Microsoft account (like a Hotmail account) by default. If you sign in with your Hotmail account, you’ll remain logged into the modern Mail app while using the computer. Anyone using your user account could pop open the Mail app, even if you logged out of Hotmail or Microsoft’s Outlook.com in your browser.

    Reply
  30. Tomi Engdahl says:

    HTG Explains: The Security Risks of Unlocking Your Android Phone’s Bootloader
    http://www.howtogeek.com/142502/htg-explains-the-security-risks-of-unlocking-your-android-phones-bootloader/

    Android geeks often unlock their bootloaders to root their devices and install custom ROMs. But there’s a reason devices come with locked bootloaders – unlocking your bootloader creates security risks.

    We’re not advising against rooting and using custom ROMs if that’s really what you want to do, but you should be aware of the risks. For the same reason Android doesn’t come rooted, it doesn’t come unlocked – with more power comes more risks.

    A device with a locked bootloader will only boot the operating system currently on it. You can’t install a custom operating system – the bootloader will refuse to load it.

    If your device’s bootloader is unlocked, you will see an unlocked padlock icon on the screen during the start of the boot process.

    Android Wipes Itself When You Unlock Your Bootloader

    If you have a Nexus device like a Nexus 4 or Nexus 7, there’s a quick, official way to unlock your bootloader. As part of this process, Android wipes all data on your device. You get a device with an unlocked bootloader, but one that has none of your data on it. You can then install a custom ROM.

    Bypassing Your PIN or Password

    If your Android phone has a standard locked bootloader when a thief gets their hands on it, they won’t be able to access the device’s data without knowing its PIN or password

    Reply
  31. Tomi Engdahl says:

    How to View and Disable Installed Plug-ins in Any Browser
    http://www.howtogeek.com/139916/how-to-view-and-disable-installed-browser-plug-ins-in-any-browser/

    Browser plug-ins like Flash and Java add additional features web pages can use. However, they can also slow things down when in use or add extra security holes, particularly in the case of Java.

    Each web browser has a built-in way to view your installed browser plug-ins and choose which are enabled, although this feature is hidden in many browsers.

    Reply
  32. Tomi Engdahl says:

    ISPs should block ‘pirate’ websites, says European Court of Justice
    http://www.theinquirer.net/inquirer/news/2309389/isps-should-block-pirate-websites-says-euro-court-of-justice

    THE EUROPEAN COURT OF JUSTICE is deciding whether it is right that an internet service provider (ISP) can be told to block access to a website suspected of playing host to pirated content.

    It is due to vote on this soon, and in the meantime ECJ Advocate General Cruz Villalón, a member of the court, said that the ban mechanism was a likely one, but added that it must also be managed and proportionate.

    Reply
  33. Tomi Engdahl says:

    Euro computer emergency teams need better support – ENISA
    ‘We’re here to help’
    http://www.theregister.co.uk/2013/11/27/euro_certs_need_better_support_says_enisa/

    Europe – via ENISA, the EU network and information security agency – is setting its shoulder to the Sisyphean task of trying to align its various national Computer Emergency Response Teams (CERTs).

    The problem, the agency says in a new paper published here, is that there’s a lack of cross-border coordination of Computer Emergency Response Team actions.

    It hopes to create interoperability of things like information feeds and ticketing systems between the CERTs, NATO, and the private sector.

    ENISA says it will initiate a cross-border information-sharing project in 2014 to help national CERTs in Europe.

    Reply
  34. Tomi Engdahl says:

    Eurocrats recommend right to sue American companies over snooping
    Citizens need protection against the NSA
    http://www.theregister.co.uk/2013/11/27/euro_commissioners_to_us_snoop_off/

    The European Commission is calling for better protection of its citizens’ data, against intrusion by American agencies like the NSA.

    According to Reuters, the commission wants European citizens to have the right to sue in America over misuse of their data – something the US has promised but not yet implemented.

    The report quotes EU justice commissioner Viviane Reding as saying “I have … made clear that Europe expects to see the necessary legislative change in the U.S. sooner rather than later, and in any case before summer 2014”.

    Reply
  35. Tomi Engdahl says:

    Ruby on Rails CookieStore Vulnerability Plagues Prominent Websites
    http://threatpost.com/ruby-on-rails-cookiestore-vulnerability-plagues-prominent-websites/103038

    A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.

    Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-side scripting or session sidejacking – and log in as them at a later date.

    Some of the sites even fail to use SSL after their log-in pages, meaning they are communicating each user’s permanent session cookie without encryption for anyone to sniff and steal.

    McNamara has reached out to a handful of the sites but with more than 1500 affected, it’s a lengthy list to go through. Kickstarter for example – one of the sites that doesn’t use SSL the entire time a user is logged in – is aware of the issue

    While Ruby on Rails moved to encrypt cookies by default in version 4.0, it doesn’t change the fact that users’ information is still at risk. Just because users’ cookies are encrypted and therefore unreadable doesn’t make the cookies useless to an attacker.

    “Version 4.0 and beyond still have this problem,” McNamara told Threatpost in an email. “The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie.”

    “The encryption does not protect against reusing the cookie after logout,”

    McNamara points out that anyone looking to see if the Ruby on Rails site they’re visiting is using CookieStore just needs to look for the string “Bah7” at the beginning of the value of the cookies. He adds that a cursory search on SHODAN, the search engine that gained notoriety a few years ago for sniffing out unprotected SCADA devices, reveals 60,000+ vulnerable sites.

    Reply
  36. Tomi Engdahl says:

    Spam fighters call for “parking tickets” on unsafe servers
    http://www.pcpro.co.uk/news/security/385666/spam-fighters-call-for-parking-tickets-on-unsafe-servers

    Anti-spam outfit, Spamhaus, has called on the UK government to fine those who are running internet infrastructure that could be exploited by criminals.

    Spamhaus was hit by what’s been described as the “biggest ever” cyber-attack earlier this year.

    The fines would be akin to parking tickets, chief information officer of Spamhaus, Richard Cox, told PC Pro. Speaking from the Cyber Security Summit in London, which was attended by members of UK law enforcement and government, Cox said it should be illegal for people to leave servers unsecured, since that would allow crooks to use them as part of their attack infrastructure.

    In Cox’s eyes, those who leave open Domain Name Server (DNS) resolvers vulnerable to attack should be fined, if they have previously received a warning.

    “Once they know it can be used for attacks and fraud, that should be an offence,” Cox said. “You should be subject to something like a parking ticket… where the fine is greater than the cost of fixing it.

    “If we introduce a sensible law, it’s quite likely other countries will follow.”

    Another flawed proposal?

    Numerous proposals to police threats on the internet have been proposed in the past, none of which have come to fruition. Microsoft’s Scott Charney caused a stir in 2010 when he suggested infected machines should be quarantined from the web. Others have suggested something like a driving licence, where irresponsible users are given points before being banned for repeated bad behaviour.

    novel, but implementing it would be an onerous task.

    Woodward said government could be more proactive about notifying people. “That could be a useful service that government agencies could provide, not to penalise but to alert those running vulnerable servers”

    Reply
  37. Tomi Engdahl says:

    UK’s biggest firms “need to tighten up security”
    http://www.pcpro.co.uk/news/security/385669/uks-biggest-firms-need-to-tighten-up-security

    The UK’s top 350 listed companies are well-versed in online threats, but don’t do enough to protect themselves, the government has warned.

    The Department of Business Innovation and Skills (BIS) has surveyed the FTSE 350 and found that while many understand the implications of being hacked, most don’t stay up-to-date on the latest threats.

    The survey was launched after a warning from KPMG in July that FTSE 350 firms regularly “leak data” such as email addresses and usernames by sharing documents online.

    KPMG warned at the time that companies were making themselves an easy target for hackers by failing to clean up after themselves.

    According to the results of the BIS survey, 62% of companies discuss the importance of security at board level. More than half have added cyberthreats to their strategic risk registers, and 60% have also identified their most important information and assets.

    But while companies might be aware of a wider threat, they fall behind when it comes to taking practical measures.

    Reply
  38. Tomi Engdahl says:

    Plain Text Offenders
    http://plaintextoffenders.com/

    Did you just email me back my own password?!

    Reply
  39. Tomi says:

    Always-on voice search from your desktop: “Ok Google” comes to Google.com
    Google releases Chrome extension that enables hands-free searching from Google.com
    http://arstechnica.com/gadgets/2013/11/always-on-voice-search-from-your-desktop-ok-google-comes-to-google-com/

    Smartphones have changed the computing landscape quite a bit, and it often seems like desktop computers and laptops get left behind. “Always-on” voice search is going to completely change the way we interact with computers, but, until now, it has been strictly mobile only.

    Today, Google released a Chrome extension that enables always-on voice search from a desktop.

    The Chrome extension is probably just a temporary measure—a lot of the hotword code is built in to Google.com already. HTML5 allows browsers to natively capture microphone input, and it’s even possible to do it as soon as the page loads. The only problem is that, currently, you have to explicitly give a Web page permission to access the microphone every time the page loads. Chrome is really just missing an “always allow” button for the microphone permission,

    Reply
  40. bench craft company says:

    Great post. I was checking continuously this blog and I am inspired!
    Extremely useful information specially the remaining section :
    ) I handle such information a lot. I used to be looking for this particular information for a very
    lengthy time. Thanks and best of luck.

    Reply
  41. Tomi Engdahl says:

    NSA surveillance: Europe threatens to freeze US data-sharing arrangements
    After Edward Snowden revelations, EU executive underlines US compliance with European law and ‘how things have gone badly’
    http://www.theguardian.com/world/2013/nov/26/nsa-surveillance-europe-threatens-freeze-us-data-sharing

    The EU executive is threatening to freeze crucial data-sharing arrangements with the US because of the Edward Snowden revelations about the mass surveillance of the National Security Agency.

    The US will have to adjust their surveillance activities to comply with EU law and enable legal redress in the US courts for Europeans whose rights may have been infringed, said Viviane Reding, the EU’s justice and rights commissioner who is negotiating with the US on the fallout from the NSA scandal.

    European businesses need to compete on a level playing field with US rivals, Reding told the Guardian.

    The EU commissioner said there was little she or Brussels could do about the activities of the NSA’s main partner in mass surveillance, Britain’s Government Communications Headquarters or GCHQ, since secret services in the EU were the strict remit of national governments.

    “I have direct competence in law enforcement but not in secret services. That remains with the member states. In general, secret services are national,” said the commissioner, from Luxembourg.

    Pressing the Americans in negotiations in Washington last week, Reding was unable to obtain US figures on the scale of the US surveillance of Europeans.

    The commercial data exchange, known as “Safe Harbor”, was found to be flawed.

    “The commission will underline that things have gone very badly indeed. Our analysis is Safe Harbor seems not to be safe. We’re asking the US not just to speak, but to act,” Reding said. “There is always a possibility to scrap Safe Harbor … It’s important that these recommendations are acted on by the US side by summer 2014. Next summer is a Damocles sword. It’s a real to-do list. Enforcement is absolutely critical. Safe Harbor cannot be only an empty shell.”

    Reply
  42. Tomi Engdahl says:

    Post-Snowden, European Commission Sets Out Actions Needed To Restore Trust In E.U.-U.S. Data Flows
    http://techcrunch.com/2013/11/27/not-so-safe/

    The European Commission has today detailed the actions it believes are required to restore trust in data-sharing agreements between the European Union and the U.S. following revelations of surveillance dragnets operated by U.S. intelligence agencies.

    The U.S.-E.U. Safe Harbour agreement, which dates back to 2000, generally requires US companies to adhere to a set of E.U. personal data protection principles – such as informing citizens that their data is being collected and how it will be used. In the case of the NSA’s mass data-harvesting activities those principles are clearly not being adhered to, although the agreement allows for adherence to be “limited” in instances of national security, public interest, or law enforcement requirements. And that’s a loop-hole U.S. intelligence agencies have (apparently) been fully exploiting.

    So ‘Safe Harbour’, as it stands, is not so safe; effectively giving the NSA a pass to collect EU citizens data through the commercial entities it’s been (mis)appropriating as its data harvesting arms.

    Since then, against a politically pressurised backdrop of more and more details of the U.S. surveillance dragnet emerging, the European Commission agreed to review the Safe Harbour agreement – which had a membership of 3,246 companies as of late-September 2013. Today’s call for action includes the outcome of that review process.

    ”European citizens’ trust has been shaken by the Snowden case, and serious concerns still remain following the allegations of widespread access by U.S. intelligence agencies to personal data. Today, we put forward a clear agenda for how the U.S. can work with the EU to rebuild trust, and reassure EU citizens that their data will be protected. Everyone from Internet users to authorities on both sides of the Atlantic stand to gain from cooperation, based on strong legal safeguards and trust that these safeguards will be respected” said Cecilia Malmström, European Commissioner for Home Affairs, in a statement.

    “Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced,” added Vice-President Viviane Reding, the EU’s Justice Commissioner, in a statement.

    Reply
  43. Tomi Engdahl says:

    Markets More: Bitcoin Litecoin
    There Are Dozens Of Digital Currencies That Are All Going Insane Right Now

    Read more: http://www.businessinsider.com/prices-of-different-digital-currencies-2013-11#ixzz2lvSTdatp

    Reply
  44. Tomi Engdahl says:

    Stolen smartphone database is complete, says CTIA
    But will it make a difference?
    http://www.theverge.com/2013/11/27/5153694/stolen-smartphone-database-is-complete-says-ctia

    AT&T, T-Mobile, Sprint, and Verizon Wireless launched a database for stolen smartphones last year, and today the wireless industry says that database system is complete. CTIA president and CEO Steve Largent announced that the database now allows carriers to block activation of LTE smartphones as well as 3G devices, hopefully deterring their theft, and has been integrated with international databases so foreign carriers can assist the effort. “As more countries and more carriers around the world participate in the 3G and 4G/LTE databases, criminals will have fewer outlets since these stolen phones would be blacklisted and could not be reactivated,” wrote Largent in a press release.

    That point about international carriers is more important than you might think. While the US database has been active for a year, New York City officials say it hasn’t made a real dent in smartphone thefts. Since foreign carriers weren’t included in the original effort, organized crime syndicates are literally fronting truckloads of cash to ship stolen smartphones overseas where they can be sold without fear.

    prosecutors launched the “Save Our Smartphones Initative”, hoping to convince US carriers and smartphone manufacturers to install a “kill switch” in their devices that could completely deactivate them if they were stolen.

    Reply
  45. Tomi Engdahl says:

    NSA Planned To Discredit Radicals Based On Web-Browsing Habits
    http://yro.slashdot.org/story/13/11/27/1736236/nsa-planned-to-discredit-radicals-based-on-web-browsing-habits

    “New leaked documents show that the NSA was not only monitoring suspected radical sympathizers, but planned to discredit them based on their web-surfing habits.”

    Reply
  46. Tomi Engdahl says:

    Death and the NSA: Motherboard Meets Bruce Schneier
    http://motherboard.vice.com/blog/bruce-schneier-interview-video

    Since Edward Snowden’s disclosures about widespread NSA surveillance, Americans and people everywhere have been presented with a digital variation on an old analog threat: the erosion of freedoms and privacy in exchange, presumably, for safety and security.

    Bruce Schneier knows the debate well. He’s an expert in cryptography and he wrote the book on computer security; Applied Cryptography is one of the field’s basic resources, “the book the NSA never wanted to be published,” raved Wired in 1994.

    He knows the evidence well too: lately he’s been helping the Guardian and the journalist Glenn Greenwald review the documents they have gathered from Snowden, in order to help explain some of the agency’s top secret and highly complex spying programs.

    To do that, Schneier has taken his careful digital privacy regime to a new level, relying on a laptop with an encrypted hard drive that he never connects to the internet.

    Still, Schneier manages to avoid paranoia.

    Reply
  47. Tomi Engdahl says:

    Death and the NSA: A Q&A With Bruce Schneier
    http://yro.slashdot.org/story/13/11/28/0041202/death-and-the-nsa-a-qa-with-bruce-schneier

    “Since Edward Snowden’s disclosures about widespread NSA surveillance, Americans and people everywhere have been presented with a digital variation on an old analog threat: the erosion of freedoms and privacy in exchange, presumably, for safety and security. Bruce Schneier knows the debate well.”

    Comments on page:

    “Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” Helen Keller

    Security is a process, not a product. For instance, one cannot purchase some product that guarantees your online security, then babble endlessly on Facebook about your every bowel movement while expecting to be “secure”.

    Reply
  48. Tomi Engdahl says:

    The FBI Might Do More Domestic Surveillance than the NSA
    https://www.schneier.com/blog/archives/2013/11/the_fbi_might_d.html

    This is a long article about the FBI’s Data Intercept Technology Unit (DITU), which is basically its own internal NSA.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*