Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Sci-fi Author Charles Stross Cancels Trilogy: the NSA Is Already Doing It
http://entertainment.slashdot.org/story/13/12/11/2135204/sci-fi-author-charles-stross-cancels-trilogy-the-nsa-is-already-doing-it
“Charles Stross has announced that there won’t be a third book in the Halting State trilogy because reality (in a manner of speaking) has caught up to him too fast The last straw was apparently the news that the NSA planted spies in networked games like WoW. Stross comments: ‘At this point, I’m clutching my head. Halting State wasn’t intended to be predictive when I started writing it in 2006.”
Tomi Engdahl says:
Microsoft: Omphaloskepsis and the December 2013 Security Update Release
http://blogs.technet.com/b/msrc/archive/2013/12/10/omphaloskepsis-and-the-december-2013-security-update-release.aspx
Tomi Engdahl says:
Firefox 26 – disciplinary to add-on starting
The Mozilla Foundation has released Firefox 26 web browser. It includes an interesting novelty that is associated with Java and other add-ons in the future. Firefox to put it under control.
Firefox 26 is released, and it can be downloaded from the Mozilla site.
Mozilla has already told the project target. Browsers are still widely used add-ons that play online content. Familiar with add-ons such as Adobe Flash, Oracle’s Java and Microsoft’s Silverlight.
Unfortunately, the add-ons are also a major cause of procrastination browser, crashes and security problems. Mozilla would like why curbs additional parts of the system.
Firefox 26 for change begins with Java.
Under normal circumstances, Java is not active, so that it does not affect the performance of the browser.
Add-ons can be activated only if the user clicks on the website of the Java content.
In the future, the same approach is to be extended to other add-ons. The only exception is in Flash. Mozilla, the reason is that some of the websites for Flash content is “hidden”, in which case the user is difficult to activate it
Mozilla Add-ons consider all of the use of days gone by leaving a technique. Mobile devices add-ons is limited. For example, Apple has blocked Flash from full use of iPhones and iPad tablets. Mozilla is encouraging web developers to avoid the use of additional components.
Source: http://www.tietokone.fi/artikkeli/uutiset/firefox_26_kurinpalautus_lisaosille_alkaa
Tomi Engdahl says:
Data Retention Directive CLASHES with EU citizens’ privacy rights, says top lawman
‘Serious interference’, claims Court of Justice Advocate General
http://www.theregister.co.uk/2013/12/12/court_of_justice_advocate_general_says_data_retention_directive_clashes_with_privacy_rights/
A seven-year-old EU directive that requires telecoms outfits to retain details of phone calls and emails – such as traffic and location – clashes with the 28-member bloc’s privacy rights for citizens, a Court of Justice Advocate General has said.
Pedro Cruz Villalón believes that the 2006 data retention directive “constitutes a serious interference with the fundamental right of citizens to privacy”.
The AG’s opinion is not binding, but – in most cases – the EU’s Court of Justice adopts such viewpoints.
He claimed that the directive was “incompatible” with the Charter of Fundamental Rights because the data retained by ISPs, which are obliged to store traffic and location information on their networks for up to two years, could be abused.
Tomi Engdahl says:
News sites could protect your privacy with encryption. Here’s why they probably won’t.
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/11/news-sites-could-protect-your-privacy-with-encryption-heres-why-they-probably-wont/
“I’ve basically been trying to bribe media organizations at this point to turn on SSL,” jokes Christopher Soghoian, the principal technologist and a senior policy analyst at the ACLU’s Speech, Privacy and Technology Project. “I have an open offer right now to the technical teams of news organizations: Two bottles of whiskey to anyone who will turn on SSL for their viewers.”
When you browse the Web, you leave a trail of digital bread crumbs. But if you visit a Web address that starts with “https,” your browser shows a lock icon, indicating that you are being protected with SSL encryption. That stops governments, corporations and hackers from learning which pages you’re reading on the site.
With allegations of NSA snooping making headlines on a nearly weekly basis — and reports highlighting the NSA’s use of commercial tracking mechanisms — privacy advocates argue it’s past time for major media organizations to protect their customers’ privacy using SSL encryption by default. Web giants such as Google and Facebook have already made the switch to automatic SSL for many of their services.
But so far, no major media organizations have done so. That’s perhaps largely due to concerns about the added expense and effort of getting third-party advertising and content delivery systems to implement the security protocol.
Tomi Engdahl says:
Crypto weakness in Web comment system exposes hate-mongering politicians
Journalists exploit weakness in Gravatar to identify extremist forum members.
http://arstechnica.com/security/2013/12/crypto-weakness-in-web-comment-system-exposes-hate-mongering-politicians/
Investigative journalists have exploited a cryptographic weakness in a third-party website commenting service to expose politicians and other Swedish public figures who left highly offensive remarks on right-wing blogs, according to published reports.
People have been warning of the privacy risk posed by Gravatar, short for Globally Recognized Avatar, since at least 2009.
By running guessed e-mail addresses through the same algorithm and waiting for output that matches those found in comments, it’s possible to identify the authors, many of whom believe they are posting anonymously.
According to a post published Wednesday by IDG News, that’s precisely the hack the Swedish publication Expressen, working with an investigative journalism group, carried out to expose the public figures who participated in the right-wing forums.
Disqus, the web comment hosting provider for the forums, said in a brief blog post that it is disabling the Gravatar service and removing the MD5-hashed e-mail addresses from the Disqus platforms. It also said people who work to crack the hashes used by its service are in violation of its privacy guidelines.
Tomi Engdahl says:
Report: Physical security business dominated by small group of companies
http://www.cablinginstall.com/articles/2013/12/physical-security-business-report.html
Research and Markets (Dublin, Ireland) has announced the release of its report, The Physical Security Business 2013 to 2017. The report estimates the global market for physical security products was worth $23.4 billion in 2013. The analysis states that, “from a detailed analysis of the structure of the industry, it is clear that this market is being led by a small group of leading edge companies that are relatively new starts in the business.”
“They have taken the opportunity to use disruptive technology to produce products that can deliver on customers requirements,”
The report reveals that the market in China has forged ahead at the highest rates of growth recorded in the industry, and that this market’s aggregate growth over the past 5 years has not slowed down. Despite the fact that its penetration has increased by almost 60% during this time, the researcher postulates that western leading edge IP companies have failed to assert themselves in what will become the biggest single market in the world. The study reviews the reasons behind this failure.
“Continued growth should be built on the foundation that through disruptive IP technologies and innovative business models, we can move clients security operations from a cost center to a cash generator, whilst converging with other services in the business enterprise,” said the spokesperson for Research & Markets.
Tomi Engdahl says:
Presidential Task Force Recommends Overhaul of NSA Surveillance Tactics
Draft Proposals Would Change Spy Agency’s Leadership to Civilian, Limit How It Gathers and Holds Information
http://online.wsj.com/news/article_email/SB10001424052702304202204579254652728273502-lMyQjAxMTAzMDEwMjExNDIyWj
A presidential task force has drafted recommendations that constitute a sweeping overhaul of the National Security Agency, according to people familiar with the recommendations.
The panel’s draft proposals would change the spy agency’s leadership from military to civilian and limit how it gathers and holds the electronic information of Americans.
The task force, for example, proposed that the records of nearly every U.S. phone call now collected in a controversial NSA program be held instead by the phone company or a third-party organization, these people said.
The panel also suggested the imposition of stricter standards before allowing NSA permission to search the data, these people said.
Recommendations of the task force, which President Barack Obama established in August in response to disclosures from former NSA contractor Edward Snowden, aren’t binding and could change before the final draft is written. But the draft strongly challenges the U.S. intelligence establishment.
The White House has previously said it would consider the panel’s recommendations in its own review of surveillance programs and policies, which is planned for completion by the end of the month.
Recommendations by the task force, called the Review Group on Intelligence and Communications Technology, are contained in a report hundreds of pages long and were described to The Wall Street Journal by four people familiar with them.
The group concluded that NSA surveillance programs follow the law but recommended dozens of changes to structure, transparency and internal security, these people said.
The proposal likely to gain the most attention would revamp the NSA phone records program, which surfaced in the leaks from Mr. Snowden
These lawmakers are in a heated political battle with their counterparts on the House and Senate Intelligence Committees, who have proposed maintaining the NSA’s phone-data program, but adding new oversight and reporting requirements.
Tomi Engdahl says:
Hacker sentenced to 18 months for peddling computer access to US national security lab
http://news.idg.no/cw/art.cfm?id=1369C65F-EB43-AD6B-96C7B9E9FF7051D1
A Pennsylvania man who hacked into multiple corporate, university and government computer networks and tried to sell access to them, including supercomputers from a U.S. national security laboratory, has been sentenced to 18 months in prison.
The Oakland, California, lab is focused on national and global defense and its work includes biosecurity, counterterrorism, nuclear energy, intelligence and military weapons. The supercomputers Miller claimed he had accessed were part of the lab’s National Energy Research Scientific Computing Center (NERSC).
According to court documents, the FBI never “bought” the access credentials for the lab, but it did obtain from Miller proof that he had accessed two supercomputers that provide computing resources for the U.S. Department of Energy.
The FBI also bought from Miller what court documents describe as a “massive database of thousands of log-in credentials into hundreds of computer networks” which he said he obtained by hacking into servers from Layered Tech, a Texas Internet service provider.
“Likewise, he did not successfully monetize his hacking activities,”
Tomi Engdahl says:
Gmail blows up e-mail marketing by caching all images on Google servers
Hosted images mean better privacy, faster load times, and less competition for Google.
http://arstechnica.com/information-technology/2013/12/gmail-blows-up-e-mail-marketing-by-caching-all-images-on-google-servers/
Ever wonder why most e-mail clients hide images by default? The reason for the “display images” button is because images in an e-mail must be loaded from a third-party server. For promotional e-mails and spam, usually this server is operated by the entity that sent the e-mail. So when you load these images, you aren’t just receiving an image—you’re also sending a ton of data about yourself to the e-mail marketer.
Loading images from these promotional e-mails reveals a lot about you. Marketers get a rough idea of your location via your IP address. They can see the HTTP referrer, meaning the URL of the page that requested the image. With the referral data, marketers can see not only what client you are using (desktop app, Web, mobile, etc.) but also what folder you were viewing the e-mail in.
But Google has just announced a move that will shut most of these tactics down: it will cache all images for Gmail users. Embedded images will now be saved by Google, and the e-mail content will be modified to display those images from Google’s cache, instead of from a third-party server. E-mail marketers will no longer be able to get any information from images—they will see a single request from Google, which will then be used to send the image out to all Gmail users.
Tomi Engdahl says:
Google Fixes Credit Card Security Hole, But Snubs Discoverer
http://it.slashdot.org/story/13/12/12/2122210/google-fixes-credit-card-security-hole-but-snubs-discoverer
“Google has fixed a vulnerability, first discovered by researcher Gergely Kalman, which let users search for credit card numbers by using hex number ranges. However, Google should have acknowledged or at least responded to the original bug finder (and possibly even paid him a bounty for it), and should have been more transparent about the process in general.”
Tomi Engdahl says:
Cryptolocker copycat ransomware emerges – but an antidote is possible
Security upstart claims it’s found a file-gobbling nasty with weak encryption
http://www.theregister.co.uk/2013/12/13/locker_ransomware/
Hot on the tail of devilish Cryptolocker comes a copycat software nasty that holds victim’s files to ransom – but the newcomer’s encryption is potentially breakable, we’re told.
Security startup IntelCrawler claims a “large-scale distribution” of the new so-called Locker malware began earlier this month.
Locker, once it has infected a PC, copies and encrypts a victim’s documents, adding a “.perfect” extension, and then deletes the original data. The trojan also places a contact.txt file in each directory containing contact details of the malware author – usually a throwaway mobile phone number or an email address.
“It seems to be the hackers just compare the list of infected IP addresses of the users together with their hostnames,” according to IntelCrawler.
But despite its less-advanced design, Locker has already managed to attack Windows-powered computers in the US, we’re told – including Washington DC, Texas and Missouri – plus PCs in the Netherlands, Turkey, Germany and Russia. Locker also, we’re told, avoids infecting machines running tools used by security researchers, a tactic undoubtedly aimed at ensuring the malware stays under the radar for as long as possible.
The Locker malware uses the TurboPower LockBox library, a cryptographic toolkit for Delphi: specifically, it uses AES-CTR for encrypting the contents of files on infected devices.
Tomi Engdahl says:
Bots now ‘account for 61% of web traffic’
http://www.bbc.co.uk/news/technology-25346235
If you are visiting this page the chances are that you are not a human, at least according to research.
A study by Incapsula suggests 61.5% of all website traffic is now generated by bots. The security firm said that was a 21% rise on last year’s figure of 51%.
Some of these automated software tools are malicious – stealing data or posting ads for scams in comment sections.
But the firm said the biggest growth in traffic was for “good” bots.
These are tools used by search engines to crawl websites in order to index their content, by analytics companies to provide feedback about how a site is performing, and by others to carry out other specific tasks – such as helping the Internet Archive preserve content before it is deleted
To generate its report, Incapsula said it observed 1.45 billion bot visits over a 90 day period.
The information was sourced from 20,000 sites operated by its clients.
Despite the overall growth in bot activity, the firm said that many of the traditional malicious uses of the tools had become less common.
It said there had been a 75% drop in the frequency spam links were being automatically posted. It suggested this was in part down to Google’s efforts to make it harder to carry out the practice.
It also said it had seen a 10% drop in hacking tool bot activities, including the use of code to distribute malware, to steal credit cards and to hijack and deface websites
However, it noted that there had been an 8% rise in the use of “other impersonator bots” – a classification including software that masquerades as being from a search engine or other legitimate agent in order to fool security measures.
tomi says:
Security Professionals: Top Cyber Threat Predictions for 2014
http://blogs.technet.com/b/security/archive/2013/12/11/security-professionals-top-threat-predictions-for-2014.aspx
PREDICTION #1: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization
PREDICTION #2: Service-Impacting Interruptions for Online Services Will Persist
PREDICTION #3: We Will See an Increase in Cybercrime Activity Related to the World Cup
PREDICTION #4: Rise of Regional Cloud Services
PREDICTION #5: Dev-Ops Security Integration Fast Becoming Critical
PREDICTION #6: Cybercrime that Leverages Unsupported Software will Increase
PREDICTION #7: Increase in Social Engineering
PREDICTION #8: Ransomware will Impact More People
Tomi Engdahl says:
Google Cuts Android Privacy Feature, Says Release Was Unintentional
http://yro.slashdot.org/story/13/12/13/1342226/google-cuts-android-privacy-feature-says-release-was-unintentional
“Peter Eckersley at the EFF reports that the ‘App Ops’ privacy feature added to Android in 4.3 has been removed as of 4.4.2. The feature allowed users to easily manage the permission settings for installed apps”
Tomi Engdahl says:
Google Removes Vital Privacy Feature From Android, Claiming Its Release Was Accidental
https://www.eff.org/deeplinks/2013/12/google-removes-vital-privacy-features-android-shortly-after-adding-them
Yesterday, we published a blog post lauding an extremely important app privacy feature that was added in Android 4.3. That feature allows users to install apps while preventing the app from collecting sensitive data like the user’s location or address book.
After we published the post, several people contacted us to say that the feature had actually been removed in Android 4.4.2, which was released earlier this week. Today, we installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone.
When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it. We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it.
The disappearance of App Ops is alarming news for Android users. The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people’s data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.
Tomi Engdahl says:
Putting Your Phone in This Pouch Supposedly Makes You Untrackable
http://www.wired.com/gadgetlab/2013/12/scottevest-blackout-pockets/?cid=co15696584#slideid-271591
Facebook privacy settings are constantly changing. Seemingly innocuous apps require access to your location in order to work. Incoming calls and messages are funneled into your mobile device non-stop. And if you’re interesting enough, the NSA might be watching your every move.
The easiest way to get some instant privacy in this always-connected world might be to put your phone in this pouch. The Scottevest Blackout Pocket is a Faraday cage disguised as a pencil case, and it’s available in three different “strengths.”
Assuming it works as advertised, the $30 “Level 2″ Blackout Pocket will prevent you from being tracked and constantly distracted by your mobile device. The pouch, which is lined with a RFID-blocking material, supposedly prevents your phone’s cellular and GPS antennas from interacting with the outside world. It basically blankets your mobile device in an invisibility cloak.
$15 Level 1 Blackout Pocket should do the trick. This pouch protects the RFID chips found in many bank cards, key cards, and RFID-equipped passports from being read wirelessly. The Level 2 Blackout Pocket offers both RFID protection and cellular/GPS signal-blocking.
Tomi Engdahl says:
IBM hid China’s reaction to NSA spying ‘cos it cost us BILLIONS, rages angry shareholder
Lawsuit claims US snooping led to 22pc Chinese sales slump
http://www.theregister.co.uk/2013/12/13/ibm_lawsuit_nsa_china/
An IBM shareholder is suing Big Blue, accusing it of hiding the fact that its ties to the NSA spying scandal cost it business in China – and wiped billions off its market value.
“When the company ultimately revealed the truth regarding the collapse of its business in China, the price of IBM stock fell almost $12 per share,” the legal team said in a statement, while inviting other shareholders to join the suit.
IBM lobbied the government in favour of a bill that would allow it to share customers’ data with the NSA, including information from its clients in China, the complaint said. When NSA whistleblower Edward Snowden leaked the documents uncovering the Prism surveillance programme and IBM’s connections to it, Chinese organisations started severing ties with the firm, but it did not disclose this to investors, the court filing went on to alleged.
Tomi says:
By cracking cellphone code, NSA has capacity for decoding private conversations
http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html
The cellphone encryption technology used most widely across the world can be easily defeated by the National Security Agency, an internal document shows, giving the agency the means to decode most of the billions of calls and texts that travel over public airwaves every day.
While the military and law enforcement agencies long have been able to hack into individual cellphones, the NSA’s capability appears to be far more sweeping because of the agency’s global signals collection operation. The agency’s ability to crack encryption used by the majority of cellphones in the world offers it wide-ranging powers to listen in on private conversations.
U.S. law prohibits the NSA from collecting the content of conversations between Americans without a court order. But experts say that if the NSA has developed the capacity to easily decode encrypted cellphone conversations, then other nations likely can do the same through their own intelligence services, potentially to Americans’ calls, as well.
The extent of the NSA’s collection of cellphone signals and its use of tools to decode encryption are not clear from a top-secret document provided by former contractor Edward Snowden. But it states that the agency “can process encrypted A5/1” even when the agency has not acquired an encryption key, which unscrambles communications so that they are readable.
The vulnerability outlined in the NSA document concerns encryption developed in the 1980s but still used widely by cellphones that rely on technology called second-generation (2G) GSM. It is dominant in most of the world but less so in the wealthiest nations, including the United States, where newer networks such as 3G and 4G increasingly provide faster speeds and better encryption, industry officials say.
But even where such updated networks are available, they are not always used, because many phones often still rely on 2G networks to make or receive calls. More than 80 percent of cellphones worldwide use weak or no encryption for at least some of their calls, Nohl said.
The NSA has repeatedly stressed that its data collection efforts are aimed at overseas targets, whose legal protections are much lower than U.S. citizens’.
German news magazine Der Spiegel reported in October that a listening station atop the U.S. Embassy in Berlin allowed the NSA to spy on Merkel’s cellphone calls. It also reported that the NSA’s Special Collection Service runs similar operations from 80 U.S. embassies and other government facilities worldwide. These revelations — and especially reports about eavesdropping on the calls of friendly foreign leaders — have caused serious diplomatic fallouts for the Obama administration.
Matthew Blaze, a University of Pennsylvania cryptology expert, said the weakness of A5/1 encryption is “a pretty sweeping, large vulnerability” that helps the NSA listen to cellphone calls overseas and likely also allows foreign governments to listen to the calls of Americans.
“If the NSA knows how to do this, presumably other intelligence agencies, which may be more hostile to the United States, have discovered how to do this, too,” he said.
Amid the uproar over NSA’s eavesdropping on Merkel’s phone, two of the leading German cellphone service providers have announced that they are adopting the newer, stronger A5/3 encryption for their 2G networks.
They “are now doing it after not doing so for 10 years,” said Nohl, who long had urged such a move. “So, thank you, NSA.”
Tomi says:
NSA review to leave spying programs largely unchanged, reports say
http://www.theguardian.com/world/2013/dec/13/nsa-review-to-leave-spying-programs-largely-unchanged-reports-say
• Panel to propose bulk surveillance continue – with some curbs
• Adviser calls apparent decision to leave core intact ‘shameful’
Tomi says:
How the NSA Piggy-Backs on Third-Party Trackers
http://www.slate.com/blogs/future_tense/2013/12/13/nsa_surveillance_and_third_party_trackers_how_cookies_help_government_spies.html
Snooping on the Internet is tricky. The network is diffuse, global, and packed with potential targets. There’s no central system for identifying or locating individuals, so it’s hard to keep track of who is online and what they’re up to. What’s a spy agency to do?
One option is to plant a unique tag on every computer and smartphone, stamp every Internet message with the sender’s tag, and then capture the tagged traffic. Perhaps in a massive database with a quirky all-caps codename. But a project of that scale can’t be kept secret, and if it’s done openly the public will surely object.
Luckily (for the spies) there’s an easier way: free ride on the private sector, which does its own pervasive tagging and monitoring.
That’s precisely what the National Security Agency has been up to, as confirmed most recently by a front-page story in Wednesday’s Washington Post.Other countries’ spy agencies are probably doing the same thing.
Which companies are keeping tabs on you? You probably expect to be tracked by the sites you visit and the apps you run. But these “first parties” often pull in tracking content from unrelated “third parties,” most of which you probably have never heard of.
Spooks can easily watch these tracking IDs as they flit across the Net, unprotected by any encryption, and then use the IDs to build the mother of all tracking databases. The NSA collects vast amounts of international Internet traffic, and it retains the metadata—including tracking IDs—for at least a year.
Unique identifiers solve many surveillance problems.
Geolocation is yet another freebie from the private sector. An Internet address provides only a rough estimate of a device’s location; greater precision requires access to hardware features like GPS or Wifi. What spy agency would risk tapping directly into devices’ GPS or Wifi chips? They don’t need to—advertising and analytics software queries the onboard sensors, then phones home with an unencrypted and precise location. One NSA program, HAPPYFOOT, appears specifically designed to take advantage of this data.
The proliferation of third-party trackers also increases the reach of Internet surveillance. No government, not even the United States, can monitor every network path. Most Web pages include multiple third parties, each typically contacted through a different route, giving spies more places to capture user activity.
If online services don’t like this, they can go beyond lobbying for legal changes—useful as that is—and upgrade their technology. Tracking servers can switch to HTTPS, the secure, encrypted version of the Web’s protocol. The expert consensus seems to be that even the NSA cannot accomplish mass surveillance of encrypted network traffic; HTTPS would put tracking IDs beyond a bulk eavesdropper’s reach.
Tomi says:
XP bully, even if you do not use it
When the Windows XP operating system upgrades next year will cease, XP still leaves a long deep shadow. It will be a pain in the ass later than the time not only to their users even for those who do not use it. The whole internet-wide XP users unknowingly spreading the age-old attacks. In the business world XP operating company while there is a risk for all partners.
Finnish Communications Regulatory Authority under the Cert-fi, the head of Erka Koivunen says that the Cert-fin has been talked about within the security vulnerabilities of the long tail.
s a typical example he gives is Allapple malware in 2006. It infected only with Windows XP machines.
“Allapplen wrote to the insurance company annoyed the Estonian company and its sole purpose was to interfere with the insurance company’s website for a denial of service attack means”
“Yesterday I checked it, and still more than 99 per cent of the insurance company’s server, the incoming traffic is filtered out because it looks like attack traffic. The author has identified, convicted, sentence did time, but his deed he lives on in that world, “Koivunen explains.
XP machine anywhere in the world can not contain Allapplen. The user does not disturb in any way. Finnish online though the user would know Allapplesta, as the telecom operator would take it due to traffic because of us and disrupt the network until the malware has been removed.
Most of the cases that come to CERT-FI are associated with the malware for Windows XP users. XP causes the disappearance of the image, therefore, the sighs of relief.
“This is almost my entire career I have been waiting for the light thrown soils XP,” he laughed. “XP’s bottom is weathered, it is a product of its time, and the current threats were not aware of the publication. It can be said that not fit for the internet “.
Koivunen considered it desirable that the final XP Mohicans fall, for example, engine cooling fan failing due to or because of it, that someone changed to a modern operating system.
“This is a smart philosophy from Microsoft, that the euro is controlled. I certainly do not want that Redmond developers to use their time more XP. ”
In the business world of Windows XP on the end of 08.04.2014 also a major concern for those who are no longer XP use.
“Helping SMEs to operate in a network model, and if you act XP dependent, it poses a security risk to the entire network,” says Petteri Järvinen.
XP business users protection against threats is becoming increasingly difficult.
“If the company has any interesting information and if you work in product development or in the field of competition, XP platform makes it Alongside business running the risk protection against the threat of a significant difficult,” Koivunen said.
Large companies were also constitutes indirect threat to XP. If the subcontracting network is XP users, these make up the juicy attack attack interface, which endanger the principal and the subcontractor network security.
Companies that rely on XP take unnecessary risks.
Some people may mistakenly think that the XP is so old, it is therefore a very mature product and that the problems would be long since been corrected.
“This can not think, because there is so much to such a code, which was not originally written to be protected. Zero-day alongside the problem is that XP has also been used in an average time badly. Updates have been installed. Criminals do not even have to use a zero for days, because with less can get in, “Koivunen said.
Source: http://www.tietokone.fi/artikkeli/uutiset/xp_kiusaa_vaikka_et_sita_kayttaisi
Tomi says:
Your LinkedIn Password Is On Display in a Museum in Germany
http://motherboard.vice.com/blog/your-linkedin-password-is-on-display-in-a-museum-in-germany
If you’ve forgotten your LinkedIn password, you could always do the account reset thing. Or you could ask the artist Aram Bartholl to find it for you—there’s a good chance he’ll have it on file. If he does, he’s likely in the process of putting it on public display in a museum in Europe somewhere.
Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year. He brings the books to his exhibits, called ‘Forgot Your Password’, where you’re free to see if he’s got your data
“These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order,” the description of his project reads. “Visitors are invited to look up their own password.”
Tomi says:
Investor Lawsuit Blames NSA For $12B Loss In IBM Value
http://yro.slashdot.org/story/13/12/14/1858222/investor-lawsuit-blames-nsa-for-12b-loss-in-ibm-value
“While anyone can file a lawsuit, being sued by an institutional investor is a little different”
Tomi says:
Lawsuit accuses IBM of hiding China risks amid NSA spy scandal
http://www.reuters.com/article/2013/12/12/us-ibm-lawsuit-idUSBRE9BB1BP20131212
IBM Corp has been sued by a shareholder who accused it of concealing how its ties to what became a major U.S. spying scandal reduced business in China and ultimately caused its market value to plunge more than $12 billion.
IBM lobbied Congress hard to pass a law letting it share personal data of customers in China and elsewhere with the U.S. National Security Agency, in a bid to protect its intellectual property rights, according to a complaint filed in the U.S. District Court in Manhattan.
The plaintiff in the complaint, Louisiana Sheriffs’ Pension & Relief Fund, said this threatened IBM hardware sales in China, particularly given a program known as Prism that let the NSA spy on that country through technology companies such as IBM.
It said this led IBM on October 16 to post disappointing third-quarter results, including drops in China of 22 percent in sales and 40 percent in hardware sales.
Tomi Engdahl says:
AP Reporter: Keeping The Levinson Story A Secret Was The “Hardest Thing I’ve Done”
http://www.buzzfeed.com/jacobfischler/ap-reporter-keeping-the-levinson-story-a-secret-was-the-hard
The government asked several journalists to stay quiet — even as other media outlets — and occasionally their own — told a story they and others knew to be false or incomplete.
For years reporters and editors at top news organizations sat on a story that disproved the official lie about retired FBI agent Robert Levinson — even as other outlets continued to report it as fact.
Associated Press Thursday night revealed that Levinson did not go to Iran as a private businessman as the government and his family had said, but as a CIA contractor. The report also revealed that the mission had already triggered a minor meltdown at the country’s most important intelligence agency: it lead to several firings and a rewriting of the CIA’s rules for “analyst.”
Tomi Engdahl says:
Boston Police indefinitely suspends license plate reader program
BPD’s scanners saw a stolen motorcycle 59 times over 5 months and police did nothing.
http://arstechnica.com/tech-policy/2013/12/boston-police-indefinitely-suspends-license-plate-reader-program/
The Boston Police Department (BPD) has indefinitely halted its use of license plate readers (LPR) following an investigation published on Saturday into their use by the investigative journalism organization MuckRock and the Boston Globe.
This suspension likely makes Boston one of the largest cities in America to stop using this sort of technology, which for years has been in wide use by thousands of law enforcement agencies nationwide.
As Ars has reported for more than a year, LPRs are in use in cities big and small across America. Typically, the specialized cameras scan a given plate using optical character recognition technology, checking that plate against a “hot list” of stolen or wanted vehicles. The device then also typically will record the date, time, and GPS location of any plates—hot or not—that it sees.
The cameras typically scan at an extremely high rate, usually around 60 plates per second.
Tomi Engdahl says:
The Golden Era Of Spam Comments Has Ended
http://www.theawl.com/2013/12/the-new-spammer-panic
The search engine optimization community has spent the last two years in a panic. SEO people flood our Internet with spam links and fake Twitter bots and paid traffic, to help bad websites look more popular than they are, to deliver fake viewers to web ads.
They now spend their lives on the run, Google nipping at their heels. Their biggest project? Removing all the spam links on websites like this one—the spam links that they put there.
In early 2011, Google issued an update to its search algorithm—they called it “Panda”—that elevated social media and news sites. Sites both big and small, usually spammy and sometimes not, saw major decline in their Google traffic. Companies like About and Mahalo and eHow cratered. Google said they wanted for “the ‘good guys’ making great sites for users, not just algorithms, to see their effort rewarded.”
In spring of 2012, Google moved on from Panda to Penguin, which further refined that goal, though still the updates sometimes had a negative effect on non-spam sites, cutting traffic to older and larger sites.
But it was the Penguin 2.1, released in October, that sent spammers to the bitter edge; now they can’t repent fast enough for their spammy sins.
Essentially, the more your site is linked to across the web, the higher Google will rank you, and links from sites that are similar to your own are better than links from sites that have nothing to do with anything. Over time, the quality of those links has become more and more important.
But: what’s the easiest way to place a link on a site you don’t own? Why, it’s blog comments.
So the black hat spam folks who spread these links across the Internet have reversed course. The Awl, and other websites like it, receive email after email each day from companies requesting that we help them clean up their presence in the comments, deleting links posted by fake accounts, the log-in information for which has long been lost or never recorded.
“The average drop was from page one to page five in Google,”
Tomi Engdahl says:
The NSA: An Inside View
http://lorensr.me/nsa-an-inside-view.html
Conclusion
If you are a US citizen, I hope you are reassured to know how capable and thorough your cyber spy agency and military command are. I was extremely impressed by the Agency’s capabilities, both those that have been declassified and those that are still unknown to the public. If you are a citizen of the UK, Canada, New Zealand, or Australia, you may also be glad, because everything the NSA collects is by default shared with your government (the default classification is TS//SI//REL TO FVEY, or “release to five eyes”, which are the aforementioned countries and the US). Even if you are not a citizen of the Five Eyes, you shouldn’t be worried about your data being viewed unless you’re involved with a group of interest, such as a foreign government or violent organization. You may be unhappy about the fact that we’re spying on your government, just as I am unhappy that the Chinese military is hacking into America’s government and industry. And I would prefer a world in which spying was unnecessary. But humanity is not there yet.
I do believe that the safeguards against unauthorized data retrieval by Agency employees can and should be improved. I do not believe that their information-gathering powers should be curtailed. Such restriction would not only hinder the Agency’s ability to gather intelligence, but also impede its ability to wage cyberwarfare.* The NSA is our best hope in this war. In my mind, the Agency’s continued dominance of the Internet is absolutely worth the once-a-year one-in-three-hundred-million chance that your private data will be purposefully viewed by an NSA employee.
Tomi Engdahl says:
Welcome to the Internet of Thingies: 61.5% of Web Traffic Is Not Human
And here’s how to build your own little traffic bot, even though you shouldn’t
http://www.theatlantic.com/technology/archive/2013/12/welcome-to-the-internet-of-thingies-615-of-web-traffic-is-not-human/282309/
It happened last year for the first time: bot traffic eclipsed human traffic, according to the bot-trackers at Incapsula.
This year, Incapsula says 61.5 percent of traffic on the web is non-human.
Now, you might think this portends the arrival of “The Internet of Things”—that ever-promised network that will connect your fridge and car to your smartphone. But it does not.
This non-human traffic is search bots, scrapers, hacking tools, and other human impersonators, little pieces of code skittering across the web. You might describe this phenomenon as The Internet of Thingies.
Because bots are not difficult to build. In fact, it’s so simple that a journalist (who has not learned to code) can do it.
I do it with a ($300) program called UBot Studio, which is an infrastructural piece of the botting world. It lets people like me program and execute simple scripts in browsers without (really) knowing any code.
So, the goal is mimicking humans. Which means that you can’t just send 100,000 visits to the same page. That’d be very suspicious.
So you want to spread the traffic out over a bunch of target pages.
if the botting process is done subtly, no one might think to check what was going on. Because from a publisher’s perspective, how much do you really want to know?
And indeed, some reports have come out showing that people don’t check. One traffic buyer told Digiday, “We worked with a major supply-side platform partner that was just wink wink, nudge nudge about it. They asked us to explain why almost all of our traffic came from one operating system and the majority had all the same user-agent string.”
The point is: It’s so easy to build bots that do various things that they are overrunning the human traffic on the web.
Now, to understand the human web, we have to reckon with the logic of the non-human web. It is, in part, shady traffic that allows ad networks and exchanges to flourish. And these automated ad buying platforms — while they do a lot of good, no doubt about it — also put pressure on other publishers to sell ads more cheaply. When they do that, there’s less money for content, and the content quality suffers.
Tomi Engdahl says:
The Mission to Decentralize the Internet
http://www.newyorker.com/online/blogs/elements/2013/12/the-mission-to-decentralize-the-internet.html?currentPage=all
In the nineteen-seventies, the Internet was a small, decentralized collective of computers. The personal-computer revolution that followed built upon that foundation, stoking optimism encapsulated by John Perry Barlow’s 1996 manifesto “A Declaration of the Independence of Cyberspace.” Barlow described a chaotic digital utopia, where “netizens” self-govern and the institutions of old hold no sway. “On behalf of the future, I ask you of the past to leave us alone,” he writes. “You are not welcome among us. You have no sovereignty where we gather.”
This is not the Internet we know today. Nearly two decades later, a staggering percentage of communications flow through a small set of corporations—and thus, under the profound influence of those companies and other institutions. Google, for instance, now comprises twenty-five per cent of all North American Internet traffic; an outage last August caused worldwide traffic to plummet by around forty per cent.
Engineers anticipated this convergence. As early as 1967, one of the key architects of the system for exchanging small packets of data that gave birth to the Internet, Paul Baran, predicted the rise of a centralized “computer utility” that would offer computing much the same way that power companies provide electricity. Today, that model is largely embodied by the information empires of Amazon, Google, and other cloud-computing companies. Like Baran anticipated, they offer us convenience at the expense of privacy.
Internet users now regularly submit to terms-of-service agreements that give companies license to share their personal data with other institutions, from advertisers to governments. In the U.S., the Electronic Communications Privacy Act, a law that predates the Web, allows law enforcement to obtain without a warrant private data that citizens entrust to third parties—including location data passively gathered from cell phones and the contents of e-mails that have either been opened or left unattended for a hundred and eighty days. As Edward Snowden’s leaks have shown, these vast troves of information allow intelligence agencies to focus on just a few key targets in order to monitor large portions of the world’s population.
Still, an air of distrust surrounds the U.S. cloud industry. The N.S.A. collects data through formal arrangements with tech companies; ingests Web traffic as it enters and leaves the U.S.; and deliberately weakens cryptographic standards.
One solution, espoused by some programmers, is to make the Internet more like it used to be—less centralized and more distributed. Jacob Cook, a twenty-three-year-old student, is the brains behind ArkOS, a lightweight version of the free Linux operating system. It runs on the credit-card-sized Raspberry Pi, a thirty-five dollar microcomputer adored by teachers and tinkerers. It’s designed so that average users can create personal clouds to store data that they can access anywhere, without relying on a distant data center owned by Dropbox or Amazon. It’s sort of like buying and maintaining your own car to get around, rather than relying on privately owned taxis. Cook’s mission is to “make hosting a server as easy as using a desktop P.C. or a smartphone,” he said.
Like other privacy advocates, Cook’s goal isn’t to end surveillance, but to make it harder to do en masse. “When you couple a secure, self-hosted platform with properly implemented cryptography, you can make N.S.A.-style spying and network intrusion extremely difficult and expensive,” he told me in an e-mail.
Bitmessage is an e-mail replacement proposed last year that has been called the “the Bitcoin of online communication.” Instead of talking to a central mail server, Bitmessage distributes messages across a network of peers running the Bitmessage software.
Another ambitious project, Namecoin, is a P2P system almost identical to Bitcoin. But instead of currency, it functions as a decentralized replacement for the Internet’s Domain Name System.
The infrastructure does allow for large-scale takedowns, like in 2010, when the Department of Justice tried to seize ten domains it believed to be hosting child pornography, but accidentally took down eighty-four thousand innocent Web sites in the process.
“Discussions about innovation, resilience, open protocols, data ownership and the numerous surrounding issues,” said Redecentralize’s Bolychevsky, “need to become mainstream if we want the Internet to stay free, democratic, and engaging.”
Tomi Engdahl says:
NSA searches contents of most communications entering and leaving US
http://www.theverge.com/2013/8/8/4602104/nsa-searches-contents-of-most-communications-entering-and-leaving-us
The NSA is using keywords to search the contents of most communications that pass in and out of the United States, the New York Times reports. The surveillance is far broader than the programs the agency has previously admitted to, which are known to “inadvertently” collect the communications of American citizens who directly or indirectly communicate with foreign targets.
An anonymous intelligence official says the NSA searches for communications containing “selectors,” or keywords, related to surveillance targets by making a temporary copy of most emails and texts that cross the border for analysts to review. The process reportedly requires at least one party to be located overseas, and does not allow for “retrospective searching.” The cross-border collection was authorized in 2008 under the FISA Amendments Act, the same law that gave the green light to the PRISM program.
Tomi Engdahl says:
NSA alleges ‘BIOS plot to destroy PCs’
Un-named PC maker sought help to defeat un-named nation’s PC-bricking plan
http://www.theregister.co.uk/2013/12/16/nsa_alleges_bios_plot_to_destroy_pcs/
Senior National Security Agency (NSA) officials have told US news magazine program “60 Minutes” that a foreign nation tried to infect computers with a BIOS-based virus that would have enabled them to be remotely destroyed.
NSA Director General Keith Alexander and Information Assurance Director Debora Plunkett both appeared on the program in an attempt to defend the many unsettling domestic espionage programs revealed by Edward Snowden.
A foreign country developed BIOS malware “disguised as a request for a software update” that would have turned PCs into “a brick.” Plunkett said “The NSA working with computer manufacturers was able to close this vulnerability”. 60 Minutes names China as the culprit
Tomi Engdahl says:
Google Makes It Harder For Marketers To Collect User Data
http://tech.slashdot.org/story/13/12/15/1952216/google-makes-it-harder-for-marketers-to-collect-user-data
“In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users”
“Because each user won’t download the images from a third-party server, marketers won’t be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security.”
Tomi Engdahl says:
Turn Off Gmail’s Auto Image Loading to Keep Email Snoops at Bay
http://www.wired.com/gadgetlab/2013/12/turn-gmail-auto-image-loading-off/
Gmail recently announced a change to the way it handles images in your emails by default. You used to have to opt in to see images embedded in your incoming messages by clicking a “Display images below” or “Always display images from (address)” link at the top of each message. Now, all images in your messages will load automatically.
Google is hyping the enhanced security of this new way of doing things, primarily because all emailed images will now be cached on the company’s own servers. That means that when they’re opened, only Google will be able to see your IP address and device details, not some potential spammer or nefarious e-buddy. It also means that Google is now copying every image sent through Gmail to its own servers.
Some argue that this new “cache and load” approach will help keep you from being tracked by marketers. Others argue that it will allow marketers to track your habits even more effectively, in some cases letting them know when you’ve opened and read their messages.
Either way, there are clear benefits to the old way of opting in to view messages.
Tomi Engdahl says:
IETF To Change TLS Implementation In Applications
http://it.slashdot.org/story/13/12/15/086212/ietf-to-change-tls-implementation-in-applications
“The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed”
Tomi Engdahl says:
New IETF Group to Tackle TLS Implementation in Applications
https://threatpost.com/new-ietf-group-to-tackle-tls-implementation-in-applications/103183
The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP.
The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it’s deployed properly, reducing the errors that could make surveillance and other attacks easier.
“There is a renewed and urgent interest in the IETF to increase the security of transmissions over the Internet. Many application protocols have defined methods for using TLS to authenticate the server (and sometimes the client), and to encrypt the connection between the client and server. However, there is a diversity of definitions and requirements, and that diversity has caused confusion for application developers and also has led to lack of interoperability or lack of deployment. Implementers and deployers are faced with multiple security issues in real-world usage of TLS, which currently does not preclude insecure ciphers and modes of operation,” the description in the working group’s charter says.
Tomi Engdahl says:
Don’t be fooled by the 60 Minutes report on the NSA
http://www.theverge.com/2013/12/15/5214452/60-minutes-softball-NSA-expose
Tonight’s episode of 60 Minutes featured what CBS promised was an unusual inside look at the secretive National Security Agency, but instead offered a routine look at the agency’s propaganda with no critical voices
The interview also featured an extensive attempt by NSA agents to discredit former contractor Edward Snowden. Snowden, who leaked documents this year which revealed the extent of the telephone records program and other efforts like PRISM, was described by CBS’ John Miller as a “20-something-year old high school dropout contractor.”
The NSA and White House have worked in recent months to repair the US intelligence community’s image, opting to make selective disclosures about the secret orders and legal interpretations that have allowed the government to conduct bulk surveillance on American citizens. Meanwhile, journalists in possession of documents leaked by Snowden continue to release reports about the NSA’s unprecedented surveillance programs. While Snowden was reported to have left the stolen files behind before seeking asylum in Russia, the NSA says that he may still have up to 1.7 million documents.
Tomi Engdahl says:
EBA warns consumers on virtual currencies
http://www.eba.europa.eu/-/eba-warns-consumers-on-virtual-currencies
The European Banking Authority (EBA) issued today a warning on a series of risks deriving from buying, holding or trading virtual currencies such as Bitcoins. The EBA said that consumers are not protected through regulation when using virtual currencies as a means of payment and may be at risk of losing their money. It also added that there is no guarantee that currency values remain stable The warning was issued while the Authority assesses further all relevant aspects associated with virtual currencies, in order to identify whether virtual currencies can and should be regulated and supervised.
The EBA also reminded that as transactions in virtual currency provide a high degree of anonymity, they may be misused for criminal activities, including money laundering. This misuse could lead law enforcement agencies to close exchange platforms at short notice and prevent consumers from accessing or retrieving any funds that the platforms may be holding for them.
About virtual currencies
A virtual currency is a form of unregulated digital money, not issued or guaranteed by a central bank, which can act as means of payment. Virtual currencies have come in many forms, beginning as currencies within online computer gaming environments and social networks, and developing into means of payment accepted ‘offline’ or in ‘real life’. It is now increasingly possible to use virtual currencies as a means to pay for goods and services with retailers, restaurants and entertainment venues. These transactions often do not incur any fees or charges, and do not involve a bank.
More recently, the virtual currency ‘Bitcoin’ has set the scene for a new generation of decentralised, peer-to-peer virtual currencies – often also referred to as crypto-currencies.
Tomi Engdahl says:
NSA alleges ‘BIOS plot to destroy PCs’
Un-named PC maker sought help to defeat un-named nation’s PC-bricking plan
http://www.theregister.co.uk/2013/12/16/nsa_alleges_bios_plot_to_destroy_pcs/
Senior National Security Agency (NSA) officials have told US news magazine program “60 Minutes” that a foreign nation tried to infect computers with a BIOS-based virus that would have enabled them to be remotely destroyed.
NSA Director General Keith Alexander and Information Assurance Director Debora Plunkett both appeared on the program in an attempt to defend the many unsettling domestic espionage programs revealed by Edward Snowden.
Tomi Engdahl says:
NSA speaks out on Snowden, spying
http://www.cbsnews.com/news/nsa-speaks-out-on-snowden-spying/
The NSA gives unprecedented access to the agency’s HQ and, for the first time, explains what it does and what it says it doesn’t do: spy on Americans
John Miller: There is a perception out there that the NSA is widely collecting the content of the phone calls of Americans. Is that true?
Gen. Keith Alexander: No, that’s not true. NSA can only target the communications of a U.S. person with a probable cause finding under specific court order. Today, we have less than 60 authorizations on specific persons to do that.
“The fact is, we’re not collecting everybody’s email, we’re not collecting everybody’s phone things, we’re not listening to that. Our job is foreign intelligence and we’re very good at that.”
Tomi Engdahl says:
Steelie Neelie: EU biz can use YOUR private data WITHOUT PERMISSION
‘Part-anonymise’ it and you’re good to go, says unelected digital czar
http://www.theregister.co.uk/2013/12/16/unelected_digital_czar_data_slurping_without_consent/
Businesses should be allowed to process part-anonymised, or pseudonymised, data without the consent of individuals whose data it is in certain circumstances, a senior EU official has said.
Neelie Kroes, the EU Commissioner responsible for the Digital Agenda, said that companies should be able to process pseudonymised data without consent where they have a ‘legitimate interest’ in doing so. In a speech at a data protection congress held by the International Association of Privacy Professionals Europe in Brussels, Kroes said she supported proposed reforms to the EU’s existing data protection framework that were backed by a committee of MEPs in October.
Under those plans, businesses would have the right to use data that they collect from individuals more freely, and in accordance with the data protection regime, if they pseudonymised the information. If data was fully anonymised then data protection laws would not apply to the information at all, but Kroes said that some of the benefits that can be gleaned from making use of personal information can be lost if data is anonymised. She said she backed plans that would permit the use of pseudonymised data without consent if certain criteria were met.
Tomi Engdahl says:
Security guru Bruce Schneier to leave employer BT
Nothing to do with criticising GCHQ and the NSA, insists telco
http://www.theregister.co.uk/2013/12/16/bruce_schneier_leaves_bt/
Noted security guru Bruce Schneier, who has devoted a great deal of attention and energy over recent weeks to analysing the Edward Snowden leaks into the activities of the NSA and allied spy agencies, is to leave UK telco BT.
A spokesman for BT said:
“We can confirm that Bruce Schneier, BT’s security futurologist, is leaving BT at the end of December 2013.”
Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ’s mass surveillance activities.
BT denies this, saying that the working relationship had come to its “natural end”.
BT denied that Schneier leaving was anything to do with his recent critical commentaries on the dragnet surveillance tactics of Blighty’s GCHQ in partnership with the NSA
Tomi Engdahl says:
Cyber-terrorists? Pah! Superhero protesters were a bigger threat to London Olympics
Seb Coe: Taxi drivers blocked from 2012-only lanes were also a bit testy
http://www.theregister.co.uk/2013/11/04/olympics_rsa_coe/
RSA Europe 2013 Protests from groups such as Fathers4Justice were more of a worry to London 2012 Olympic Games organisers than computer hackers, according to the former chairman of London 2012, Lord Sebastian Coe.
He said procedures put in place before the Games to guard its IT systems – including Wi-Fi networks in stadiums as well as the main Olympics website – had worked well.
“You have to deliver the Games within an environment of security,”
“The threats of disruption came from everything from Fathers4Justice through to taxi drivers, angry they weren’t allowed into the Olympic lanes. That tended to be the level of the threat. Most of the challenges weren’t terrorists, cyber or otherwise,” said Coe, who was speaking at the RSA Conference Europe 2013
Earlier at the conference, BT security chief executive officer Mark Hughes said that no cyber attack had occurred during the Games, repeating previous statements by the telco giant. BT dealt with over 212 million cyber attacks on the official website during last year’s Olympic and Para-Olympic Games.
The only serious IT threat of any note came from concerns that power to the Olympic Stadium might be disrupted.
A recent documentary from BBC Radio 4 revealed that London Olympics officials were warned hours before the opening ceremony that the event might come under cyber-attack.
The security team had already run extensive tests on the electricity supply systems supporting the games long before the threat, which, based on the discovery of “attack tools and targeting information”,
In the event nothing happened.
“There was a potential for cyber-attack even though we didn’t suffer any incursion,” Coe said during a press conference ahead of the closing keynote speech. “We had systems in place to defend against attack and this might have even acted as a deterrent.”
Tomi Engdahl says:
Judge: NSA phone program likely unconstitutional
http://www.politico.com/story/2013/12/national-security-agency-phones-judge-101203.html
A federal judge ruled Monday that the National Security Agency program which collects information on nearly all telephone calls made to, from or within the United States is likely unconstitutional.
U.S. District Court Judge Richard Leon found that the program appears to violate the Fourth Amendment ban on unreasonable searches and seizures. He also said the Justice Department had failed to demonstrate that collecting the information had helped to head off terrorist attacks.
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,” wrote Leon, an appointee of President George W. Bush.
Tomi Engdahl says:
Edward Snowden says judge’s ruling vindicates NSA surveillance disclosures
http://www.theguardian.com/world/2013/dec/16/edward-snowden-ruling-nsa-surveillance
• NSA whistleblower welcomes Judge Richard Leon’s ruling
• ‘Programs would not withstand constitutional challenge’
• Judge: phone surveillance program likely unconstitutional
Edward Snowden, the former security contractor who leaked a trove of National Security Agency documents, welcomed a court ruling on Monday that declared the bulk collection of Americans’ telephone records to be a likely violation of the US constitution.
Snowden said the ruling, by a US district judge, justified his disclosures. “I acted on my belief that the NSA’s mass surveillance programs would not withstand a constitutional challenge, and that the American public deserved a chance to see these issues determined by open courts,” he said in comments released through Glenn Greenwald, the former Guardian journalist who received the documents from Snowden.
“Today, a secret program authorised by a secret court was, when exposed to the light of day, found to violate Americans’ rights. It is the first of many,” said Snowden, whose statement was first reported by the New York Times.
Tomi Engdahl says:
NSA goes on 60 Minutes: the definitive facts behind CBS’s flawed report
Our take on five things the spy agency would like the public to believe about its vast surveillance powers
http://www.theguardian.com/world/2013/dec/16/nsa-surveillance-60-minutes-cbs-facts
Surveillance is just about what you say and what you write
If there’s a consistent thread to the NSA’s public defense of itself, it’s that the stuff NSA collects from Americans in bulk doesn’t actually impact their privacy. After all, as Keith Alexander told Miller, it’s just metadata – data about your phone calls, not what you said on the phone.
It’s the metadata – who you called, who called you, for how long, how frequently you communicate – that has intelligence value, not, in Alexander’s telling,
Snowden and the NSA’s hiring boom
The NSA, for obvious reasons, isn’t fond of whistleblower Edward Snowden. It portrayed him to 60 Minutes as a weirdo.
The obvious question here is why the NSA considers it exculpatory to say an obvious eccentric was able to abscond with an unprecedented amount of data. That sounds uncomfortably like an admission that the NSA is less able to safeguard its vast storehouses of information than it lets on.
The Chinese financial sector kill-switch
Among the more eye-opening claims made by NSA is that it detected what CBS terms the “BIOS Plot” – an attempt by China to launch malicious code in the guise of a firmware update that would have targeted computers apparently linked to the US financial system, rendering them pieces of junk.
“Think about the impact of that across the entire globe,” NSA cyber-defense official Debora Plunkett told 60 Minutes. “It could literally take down the US economy.”
There are as many red flags surrounding the BIOS Plot as there are in all of China.
NSA isn’t collecting data transiting between Google and Yahoo data centers, except when it is
Since it doesn’t own or operate any of the world’s telecommunications infrastructure, the NSA is significantly dependent on tech and telecommunications companies, such as Google and Yahoo. So when the Washington Post reported, based on Snowden documents, that the NSA intercepts data transiting between Google and Yahoo’s foreign data centers, the companies reacted with horror at what they considered a breach of trust – one that occurred without any court orders.
If you take away Alexander’s “that’s not correct” line, the rest of his answer sounds remarkably like a confirmation of what the Post reported. “I think he confirmed it, feigning denial,” reporter Barton Gellman tweeted.
The NSA wasn’t trying to break the law that got broken
Give Miller credit for at least mentioning that “a judge on the Fisa court” overseeing US surveillance was alarmed that the NSA “systematically transgressed” the agreed-upon limitations on its abilities to query its databases. Alexander’s response: “There was nobody willfully or knowingly trying to break the law.”
Actually, two different Fisa court judges – John Bates and Reggie Walton, the current presiding judge – raised major concerns about the way the NSA searches through its vast data troves on multiple occasions.
Tomi Engdahl says:
Obama To Meet Tech Execs Over NSA Spying, Obamacare Website
http://swampland.time.com/2013/12/16/obama-to-meet-tech-execs-over-nsa-spying-obamacare-website/
President Barack Obama will meet with many of Silicon Valley’s best-known executives Tuesday at the White House to discuss the troubled Healthcare.gov website and controversial surveillance programs run by the National Security Agency, the administration announced.
The meeting comes one day after a federal judge ruled that an NSA phone data collection program likely violates the Constitution, and one week after eight tech giants released an open letter to Obama and Congress protesting the scale of government surveillance programs. “This summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide,” AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo wrote in the letter.
The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.”
Tomi Engdahl says:
Judge Questions Legality of N.S.A. Phone Records
http://www.nytimes.com/2013/12/17/us/politics/federal-judge-rules-against-nsa-phone-data-program.html?pagewanted=all&_r=0
A federal district judge ruled on Monday that the National Security Agency program that is systematically keeping records of all Americans’ phone calls most likely violates the Constitution, describing its technology as “almost Orwellian” and suggesting that James Madison would be “aghast” to learn that the government was encroaching on liberty in such a way.
Tomi Engdahl says:
An NSA Coworker Remembers The Real Edward Snowden: ‘A Genius Among Geniuses’
http://www.forbes.com/sites/andygreenberg/2013/12/16/an-nsa-coworker-remembers-the-real-edward-snowden-a-genius-among-geniuses/
Perhaps Edward Snowden’s hoodie should have raised suspicions.
The black sweatshirt sold by the civil libertarian Electronic Frontier Foundation featured a parody of the National Security Agency’s logo, with the traditional key in an eagle’s claws replaced by a collection of AT&T cables, and eavesdropping headphones covering the menacing bird’s ears. Snowden wore it regularly to stay warm in the air-conditioned underground NSA Hawaii Kunia facility known as “the tunnel.”
His coworkers assumed it was meant ironically. And a geek as gifted as Snowden could get away with a few irregularities.
Months after Snowden leaked tens of thousands of the NSA’s most highly classified documents to the media, the former intelligence contractor has stayed out of the limelight, rarely granting interviews or sharing personal details.
But an NSA staffer who contacted me last month and asked not to be identified–and whose claims we checked with Snowden himself via his ACLU lawyer Ben Wizner—offered me a very different, firsthand portrait of how Snowden was seen by his colleagues in the agency’s Hawaii office: A principled and ultra-competent, if somewhat eccentric employee, and one who earned the access used to pull off his leak by impressing superiors with sheer talent.
According to the source, Snowden didn’t dupe coworkers into handing over their passwords, as one report has claimed. Nor did Snowden fabricate SSH keys to gain unauthorized access, he or she says.
Instead, there’s little mystery as to how Snowden gained his access: It was given to him.
“That kid was a genius among geniuses,” says the NSA staffer. “NSA is full of smart people, but anybody who sat in a meeting with Ed will tell you he was in a class of his own…I’ve never seen anything like it.”
Before coming to NSA Hawaii, Snowden had impressed NSA officials by developing a backup system that the NSA had widely implemented in its codebreaking operations.
He also frequently reported security vulnerabilities in NSA software. Many of the bugs were never patched.
Snowden had been brought to Hawaii as a cybersecurity expert working for Dell’s services division but due to a problem with the contract was reassigned to become an administrator for the Microsoft intranet management system known as Sharepoint.
As further evidence that Snowden didn’t hijack his colleagues’ accounts for his leak, the NSA staffer points to an occasion when Snowden was given a manager’s password so that he could cover for him while he was on vacation.
Snowden’s superiors were so impressed with his skills that he was at one point offered a position on the elite team of NSA hackers known as Tailored Access Operations. He unexpectedly turned it down and instead joined Booz Allen to work at NSA’s Threat Operation Center.
Another hint of his whistleblower conscience, aside from the telltale hoodie: Snowden kept a copy of the constitution on his desk to cite when arguing against NSA activities he thought might violate it.
He frequently walked NSA’s halls carrying a Rubik’s cube
Snowden’s former colleague says that he or she has slowly come to understand Snowden’s decision to leak the NSA’s files.