2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more malware attacks. Security company Kaspersky Lab warns of new cyber threats against enterprises and mobile devices, so cyber security now extends to mobile as well.
Security is becoming an increasingly important issue. Security company Stonesoft predicts that we will face more targeted cyber attacks, cyber espionage and hacktivism. Cyber security is the fastest-growing trend in information security and its importance will keep increasing. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.
Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013′, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012, and warns people to expect this type of activity to continue.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and now test their devices more thoroughly. But how well do the smaller manufacturers security-test? Metasploit has a dedicated module category for SCADA devices; it is a good idea to run those modules against your own devices, on a test setup rather than the production plant.
There is still work to do on cyber security standards and SCADA standards. For example, the very widely used functional safety standard IEC 61508 addresses security only in an informative way (it is not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.
Nowadays you need to think about SCADA system security more than some years ago. Previously it was thought sufficient to isolate the factory process automation network from the office network and the Internet. This is no longer enough. In practice automation systems cannot be kept isolated from the Internet: accidental connections from supposedly isolated networks happen, malware can spread on USB memory sticks (Stuxnet did exactly that), and there are more and more business reasons to connect process automation systems to other networks. Automation systems no longer live in complete isolation from the rest of the world, so their information security has to be designed on that basis.
Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells how a search engine that indexes servers and other Internet-connected devices is helping attackers find industrial control systems that are vulnerable to tampering. Shodan easily pinpoints shoddy industrial controls: it makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities, and the banners it indexes can be used to identify systems with known vulnerabilities. Shodan also makes these systems easier targets for brute-force password attacks, since many of them may still use factory default credentials.
The article Thousands of SCADA Devices Discovered On the Open Internet tells that news about the continuing poor state of industrial control system security keeps coming. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
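If Shodan can fingerprint your controllers, so can you. The script below is an added example written for this page (not code from the articles above, from Shodan or from any vendor). It sends the Modbus/TCP "Read Device Identification" request that device-indexing search engines use to collect vendor, product and firmware-revision banners, parses the reply, and so lets an asset owner enumerate their own internet-facing devices before someone else does. Modbus/TCP on port 502 is an assumption of this example; the articles name no specific protocol. The sample reply is constructed, not captured from a real device.

```python
"""Modbus/TCP Read Device Identification probe (function 0x2B, MEI type 0x0E).

Modbus/TCP is ASSUMED as the protocol for this example; the page names none.
The reply carries vendor, product code and revision, i.e. the banner that search
engines index and that maps a device to its published vulnerabilities.
"""
import socket
import struct

MODBUS_PORT = 502
MAX_ADU = 260  # largest Modbus/TCP application data unit
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


def build_read_device_id(transaction_id=1, unit_id=1):
    """Request for the 'basic' identification objects (read code 0x01), starting at object 0."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    # MBAP header: transaction id, protocol id 0 (= Modbus), length = unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame):
    """Return {object name: value} from a Read Device Identification reply.

    Raises ValueError for a malformed frame or a Modbus exception reply.
    """
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    if len(pdu) >= 2 and pdu[0] == 0x2B | 0x80:
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a device identification reply")
    # pdu[2..5]: read code, conformity level, 'more follows', next object id
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, "Object%d" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def probe(host, port=MODBUS_PORT, timeout=3.0):
    """Query one host; {} if nothing answers. Use only against devices you own or are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_read_device_id())
            reply = sock.recv(MAX_ADU)
    except OSError:
        return {}
    try:
        return parse_read_device_id(reply)
    except ValueError as err:
        return {"error": str(err), "raw": reply.hex()}


def _constructed_reply():
    """A reply built by hand for the demo (not captured from any real device)."""
    values = [b"ExampleCorp", b"PLC-1", b"V1.0"]
    objs = b"".join(bytes([i, len(v)]) + v for i, v in enumerate(values))
    # read code 0x01, conformity 0x01 (basic), more follows 0, next object 0, 3 objects
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(values)]) + objs
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


SAMPLE_REPLY = _constructed_reply()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(host, probe(host))
    else:
        print(parse_read_device_id(SAMPLE_REPLY))
```

Run it with your own address ranges as arguments; any host that answers with a vendor and product is a device that Shodan can see just as well, and the revision string is what you compare against the vendor's advisories.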
Researchers have also found crippling flaws in GPS receivers. The Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones, and GPS is also used as the accurate time source in SCADA and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that an increased cyber threat would come with them. ENISA warned that the threat from mobile computing stems from mobile communications taking place over “poorly secured … or unsecured channels”. The most significant threat comes from attackers inserting malicious software into web browsers and other software on mobile devices. Cyber criminals could also use cloud computing for their own gains, for example by storing malware in cloud systems and using them as a platform to launch attacks.
Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to target browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.
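As an added illustration of the compromised-site pattern described above (written for this page, not code from any scanner product), here is a small Python heuristic that flags the two injections most often used to launch a drive-by download from a legitimate site: a hidden, off-site iframe pointing at the exploit kit landing page, and inline script assembled at runtime with eval/unescape/fromCharCode. The sample page and the evil.example.net hostname are constructed.

```python
"""Heuristic scan for the injection patterns behind drive-by downloads on a compromised
legitimate site: hidden off-site iframes and inline scripts that build code at runtime.
Added example; the sample page and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript calls typical of obfuscated exploit-kit loaders
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class DriveByScanner(HTMLParser):
    """Collects (finding type, detail) tuples while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            if self._is_offsite(a.get("src", "")):
                self.findings.append(("offsite-script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies raw, so inline code lands here
        if self._in_script:
            hits = sorted({m.group(1) for m in OBFUSCATION_RE.finditer(data)})
            if hits:
                self.findings.append(("obfuscated-inline-script", ",".join(hits)))

    def _is_offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def _check_iframe(self, a):
        tiny = self._dim(a.get("width")) <= 1 or self._dim(a.get("height")) <= 1
        hidden = bool(HIDDEN_STYLE_RE.search(a.get("style", "")))
        src = a.get("src", "")
        if (tiny or hidden) and self._is_offsite(src):
            self.findings.append(("hidden-offsite-iframe", src))

    @staticmethod
    def _dim(value):
        """Numeric part of a width/height attribute; a missing attribute counts as large."""
        digits = re.sub(r"\D", "", value or "")
        return int(digits) if digits else 9999


def scan_html(html, site_host):
    """Return the list of findings for a page served from site_host."""
    scanner = DriveByScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with an injected hidden iframe and two obfuscated loaders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to example.com</h1>
<script src="/js/site.js"></script>
<iframe src="http://evil.example.net/gate.php" width="0" height="0" style="display:none"></iframe>
<script>var p="%65%76%69%6c";eval(unescape(p));</script>
<script>var a=String.fromCharCode(100,111,99);document.write(a);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "example.com"):
        print(kind, detail)
```

This is a triage aid, not a replacement for an exploit-kit signature feed: legitimate pages do use eval and analytics iframes, so treat a hit as a reason to diff the page against your own source control, which is the quickest way to confirm an injection.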
The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been only the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet-connected, and combined with lax law enforcement this is a perfect petri dish for increased cybercrime.
A Europe-wide cyber police has started: the EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and closely with the FBI and the US Secret Service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Researchers Hack Webcam While Disabling Warning Lights
http://bits.blogs.nytimes.com/2013/12/19/researchers-hack-webcam-while-disabling-warning-lights/?_r=1&
If you’re sitting at your computer reading this, smile, you could be on camera. Actually, don’t smile.
Last week, researchers at Johns Hopkins University’s Department of Computer Science showed off an exploit that allows a hacker to take over some MacBook computers and activate their Web cameras without the users’ knowledge.
The webcam hacking technique, first reported by The Washington Post, is said to be similar to a tactic used to spy on Cassidy Wolf, a 19-year-old Miss Teen USA, who fell victim to a webcam hacker earlier this year.
The Johns Hopkins paper, titled “iSeeYou: Disabling the MacBook Webcam Indicator LED,” explains how the researchers were able to reprogram an iSight camera’s microcontroller to activate the recording functions and LED activation lights independently to spy on someone without giving that person any idea that the computer camera is in use.
Tomi Engdahl says:
The National Security Agency’s oversharing problem
Ars talks to an ex-NSA pro who filed unlawful sharing complaints—only to be shunned.
http://arstechnica.com/information-technology/2013/12/the-national-security-agencys-oversharing-problem/
In the days after the attacks on September 11, 2001, the National Security Agency underwent a transformation from an organization that operated on a “need to know” basis to a “need to share” culture. In the process, the agency threw out many of the procedures and controls that might have stopped Edward Snowden from walking out the door with thousands of secret documents.
But after the WikiLeaks scandal, the NSA began trying to ratchet back on its internal promiscuity with information classified at the highest level—Top Secret/Sensitive Compartmented Information (TS/SCI). Ironically, it was part of this effort that allowed then-contractor systems administrator Snowden to download thousands of documents from the agency’s highly classified internal Web servers—documents that were openly available to him because of his security clearance and duties assigned. Most of Snowden’s scripting skills were used not to hack into systems within the NSA but to simply manage bulk transfers of data between systems.
“He didn’t need to be a sysadmin to get to [the data],” NSA Director of Technology Lonny Anderson said in an interview with Benjamin Wittes and Robert Chesney of the Brookings Institute. “He just needed a TS/SCI clearance. Where I think we were negligent—if we were negligent—is that we allowed him some form of anonymity. So the lesson learned for us is that you’ve got to remove anonymity from the network.”
According to one former NSA employee, that’s a lesson that the NSA has resisted learning for much of the last decade. Jarrel Nowlin was fired by the agency in 2010 after losing his clearance, and he told Ars in a series of phone interviews and e-mail exchanges that he filed a complaint with the NSA’s inspector general in 2006 over data sharing that he believed violated federal law. Nowlin also filed complaints that NSA employees were sharing access credentials for accounting systems and that employees were sharing data with contractors that allowed them to adjust bids for further work to win new work. Those complaints apparently fell on deaf ears.
Tomi Engdahl says:
Former CIA chief: Snowden should be “hanged by the neck until dead”
A very tentative suggestion of amnesty on a CBS program leads to a threat.
http://arstechnica.com/tech-policy/2013/12/former-cia-chief-snowden-should-be-hanged-by-the-neck-until-dead/
At a Tuesday closed-door meeting with tech leaders, one unnamed participant suggested to Obama that Snowden be pardoned; Obama said he couldn’t do that.
Even that tiny, tentative olive branch seems to have crossed a line for security hawks. NSA Director Gen. Keith Alexander dismissed the idea, comparing Snowden to “a hostage taker taking 50 people hostage, shooting 10, and then say[ing], ‘You give me full amnesty and I’ll let the other 40 go.’”
Former CIA director James Woolsey responded to the suggestion of amnesty even more strongly, saying in a Fox News interview that Snowden should be hanged.
The tough talk on Snowden came the day after a federal judge found the NSA’s broad phone surveillance program is likely unconstitutional.
Tomi Engdahl says:
Gov’t review panel suggests NSA stop holding massive phone database
Today’s report is surprisingly critical of many NSA practices.
http://arstechnica.com/tech-policy/2013/12/govt-review-panel-suggests-nsa-stop-holding-massive-phone-database/
Tomi Engdahl says:
New Android threats could turn some phones into remote bugging devices
“Weirdest permissions” include disabling lock screens and recording audio.
http://arstechnica.com/security/2013/12/new-android-threats-could-turn-some-phones-into-remote-bugging-devices/
Researchers have recently uncovered two unrelated threats that have the potential to turn some Android devices into remotely controlled bugging and spying devices.
The first risk, according to researchers at antivirus provider Bitdefender, comes in the form of a software framework dubbed Widdit, which developers for more than 1,000 Android apps have used to build revenue-generating advertising capabilities into their wares. Widdit includes a bare-bones downloader that requests a host of Android permissions it doesn’t need at the time of installation.
“These permissions are not necessarily used by the SDK [software development kit], but requesting them ensures that anything introduced later in the SDK will work out of the box,” Bitdefender researchers Vlad Bordianu and Tiberius Axinte wrote in a blog post published Tuesday. “Among the weirdest permissions we saw are permissions to disable the lock screen, to record audio, or to read browsing history and bookmarks.”
Another odd privilege acquired by apps that bundle Widdit: they can execute specific code when a device reboots, receives a text message, or places a call, or when an app is installed or uninstalled. What’s more, Widdit uses an unencrypted HTTP channel to download application updates, a design decision that allows attackers on unsecured Wi-Fi networks to replace legitimate updates with malicious files.
An unrelated malware family discovered by researchers from Lookout Security, another provider of Android threat detection software, has the ability to make phone calls with no user interaction, a capability the firm has never seen before. At the moment, MouaBad.p appears to use that capability to dial pricey premium numbers, but there’s nothing stopping its developers from using it to snoop on infected users, particularly given the stealth built into the app.
Tomi Engdahl says:
New managed cyber security service offering launched for protecting industrial control system environments
http://www.controleng.com/single-article/new-managed-cyber-security-service-offering-launched-for-protecting-industrial-control-system-environments/9b44ee9927a91e7ed307f05fb164847c.html
Siemens introduces a comprehensive security service, aiming at control system asset owners in process and discrete industries.
Tomi Engdahl says:
Data breaches go undisclosed
http://www.controleng.com/single-article/data-breaches-go-undisclosed/fd0d7d2a5d9876d09162300f4537f06c.html
Malware striking systems may be more prevalent than suspected as 57% of malware analysts working on enterprise-related data breaches have addressed security problems that U.S. firms failed to disclose, a new survey said.
Tomi Engdahl says:
BitTorrent Unveils Secure Chat To Counter ‘NSA Dragnet Surveillance’
http://yro.slashdot.org/story/13/12/20/039247/bittorrent-unveils-secure-chat-to-counter-nsa-dragnet-surveillance
“Jacob Kastrenakes reports on The Verge that as part a response to the NSA’s wide-reaching surveillance programs, BitTorrent is unveiling a secure messaging service that will use public key encryption, forward secrecy, and a distributed hash table so that chats will be individually encrypted and won’t be stored on some company’s server. ‘It’s become increasingly clear that we need to devote hackathons, hours and resources to developing a messaging app that protects user privacy,’ says Christian Averill, BitTorrent’s director of communications.”
Tomi Engdahl says:
BitTorrent unveils secure messaging service to counter ‘NSA dragnet surveillance’
http://www.theverge.com/2013/12/19/5228116/bittorrent-chat-private-peer-to-peer-messaging-service
BitTorrent wants to build a secure chat service that will only ever let a message’s sender and receiver take a look at what’s being sent — encrypted or otherwise. It announced the service several months ago, and today it’s detailing how BitTorrent Chat will work. In a blog post, BitTorrent explains that the service will use public key encryption, forward secrecy, and a distributed hash table — a jumble of technologies that mean chats will be individually encrypted and won’t be stored on some company’s server.
The service is in part a response to the NSA’s wide-reaching surveillance programs, among other privacy concerns. “It’s become increasingly clear that we need to devote hackathons, hours and resources to developing a messaging app that protects user privacy,” Christian Averill, BitTorrent’s director of communications
Because most current chat services rely on central servers to facilitate the exchange of messages, Averill writes, “they’re vulnerable: to hackers, to NSA dragnet surveillance sweeps.”
BitTorrent chat aims to avoid those vulnerabilities through its encryption methods and decentralized infrastructure.
Tomi Engdahl says:
Google: Surge in pressure from govts to DELETE CHUNKS of the web
Libelous book about MP among stuff pulled offline
http://www.theregister.co.uk/2013/12/19/google_reports_jump_in_government_takedown_requests/
Governments, judges, cops and politicians are continuing to lobby Google to tear down online material critical of their operations, we’re told.
Today, the advertising giant said that, in the first six months of 2013, it received 3,846 demands from public officials to remove 24,737 personal blog posts, YouTube videos and other pieces of content it hosts. That’s up 68 per cent on the second half of 2012.
And according to the web giant, which has just published its latest transparency report, 93 requests focused on content that was critical of people in public office. Defamation and copyright infringement were often cited, but less than one third of the highlighted material was removed in the first half of 2013.
“Over the past four years, one worrying trend has remained consistent: governments continue to ask us to remove political content,” wrote Google legal director Susan Infantino, who called out Turkey and Russia for ramping up the number of complaints.
“Judges have asked us to remove information that’s critical of them, police departments want us to take down videos or blogs that shine a light on their conduct, and local institutions like town councils don’t want people to be able to find information about their decision-making processes,” she added.
Notable cases include the removal of 76 apps from the Google Play store over alleged infringements of government copyrights.
The report is the latest in a transparency program that Google is soon hoping to expand. The company has petitioned the US government to allow it to post information and notifications relating to FISA takedown requests. Thus far the requests have not been granted.
Tomi Engdahl says:
Verizon is also preparing to launch its own transparency report on law enforcement data requests, a particularly interesting development given the mobile carrier’s recent interactions with the NSA and the revelations of federal officials collecting mass archives of user activity.
“All companies are required to provide information to government agencies in certain circumstances, however, and this new report is intended to provide more transparency about law enforcement requests,” said Verizon general counsel and executive vice president of public policy Randall Milch.
Source: http://www.theregister.co.uk/2013/12/19/google_reports_jump_in_government_takedown_requests/
Tomi Engdahl says:
Banks’ risk management is in a bad way – the cause is found in IT
Banks are unable to assess their financial risks adequately because of their ageing information technology, warns the Basel Committee on Banking Supervision, which supervises the field.
In January the Committee released international guidelines that were supposed to push banks to modernise their IT systems. The Committee believes that banks are not able to identify the threats that followed the global economic crisis in sufficient measure, because their information systems are not up to it.
Banks’ systems are not expected to reach the level required by the Committee until 2016.
“Many banks have difficulties with data management, architecture and processes,”
The Committee expressed the hope that banks would bring their data under control now. Risk analysis should also be improved by improving data sources and reporting.
Source: http://www.tietoviikko.fi/kaikki_uutiset/pankkien+riskienhallinta+on+retuperalla++syy+loytyy+tietotekniikasta/a955745
Tomi Engdahl says:
Obama’s NSA review gives the lie to Britain’s timid platitudes: a debate is possible
http://www.theguardian.com/commentisfree/2013/dec/19/obama-nsa-review-britain-debate-possible
In the US, the official response to Snowden’s revelations celebrates journalism and calls for real change. In Britain, the picture has been rather different
What a relief. It is, after all, possible to discuss the operations of modern intelligence agencies without having to prove one’s patriotism, be turned over by the police, summoned by politicians or visited by state-employed technicians with instructions to smash up one’s computers.
The 300-page report into the Guardian’s revelations about the US National Security Agency commissioned by President Obama and published this week is wide-ranging, informed and thoughtful.
The five authors of the report are not hand-wringing liberals. They number one former CIA deputy director; a counter-terrorism adviser to George W Bush and his father; two former White House advisers; and a former dean of the Chicago law school. Not what the British prime minister would call “airy-fairy lah-di-dah” types.
Six months ago the British cabinet secretary, Sir Jeremy Heywood, was in the Guardian’s London office telling us there had been “enough” debate on the matter of what intelligence agencies got up to. But here are Obama’s experts revelling in the debate; exploring the tensions between privacy and national security, yes – but going much further, discussing cryptology; civil liberties; the right of citizens and governments to be informed; relationships with other countries; and the potential damage that unconstrained espionage can cause to trade, commerce and the digital economy.
Only 10 weeks ago British spy chiefs were doing their best to ventilate their “cease and desist” rhetoric on journalists – implying they had no right to venture into their territory.
Obama’s panel of experts profoundly disagree: “It will not do for the press to be fearful, intimidated or cowed by government officials,” they write. “If they are, it is ‘We the People’ who will suffer. Part of the responsibility of our free press is to ferret out and expose information that government officials would prefer to keep secret when such secrecy is unwarranted.”
Tomi Engdahl says:
It’s Not Just the NSA: Police Are Tracking Your Car
http://yro.slashdot.org/story/13/12/20/1331224/its-not-just-the-nsa-police-are-tracking-your-car
“Every day in Britain, a vast system of cameras tracks cars on the road, feeding their movements into a database used by police.”
Tomi Engdahl says:
How Britain exported next-generation surveillance
https://medium.com/matter/d15b5801b79e
Thousands of cameras, millions of photographs, terabytes of data. You’re tracked, wherever you go.
There was a hit: a request to detain anyone driving Chapman’s car had been entered into the system three days earlier. Once the computers had processed their search—a matter of fractions of a second—the command to apprehend the driver was broadcast to local officers, who stopped and arrested Chapman as soon as they were able.
This feat was made possible by the continuous operation of a vast automated surveillance network that sits astride Britain’s roads. The technology—known as License Plate Recognition (LPR) in the US, where it is also used—captures and stores data on up to 15 million journeys in the UK each day.
Tomi Engdahl says:
DHS Turns To Unpaid Interns For Nation’s Cyber Security
http://it.slashdot.org/story/13/12/20/1646239/dhs-turns-to-unpaid-interns-for-nations-cyber-security
“A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nation’s best-and-brightest college students to work for nothing on the nation’s cyber security. The unpaid internship program, DHS notes, is the realization of recommendations from the Homeland Security Advisory Council’s Task Force on CyberSkills”
“will begin in spring 2014 and participate throughout the summer”
Tomi Engdahl says:
DHS Announces Expansion of Cyber Student Volunteer Initiative
http://www.dhs.gov/news/2013/12/16/dhs-announces-expansion-cyber-student-volunteer-initiative
The Department of Homeland Security (DHS) today announced the launch of the 2014 Secretary’s Honors Program (SHP) Cyber Student Volunteer Initiative for college students. Through the program, more than 100 unpaid student volunteer assignments will be available to support DHS’ cyber mission at local DHS field offices in over 60 locations across the country.
This program, created in April 2013 by former Secretary Janet Napolitano
The SHP Cyber Student Volunteer Initiative is a highly competitive program created to attract top talent to DHS, and is part of the Department’s efforts to address recommendations from the Homeland Security Advisory Council’s Task Force on CyberSkills.
Tomi Engdahl says:
Professor: The lack of protection of automation systems is a Sleeping Beauty’s slumber
Fresh security research by Aalto University researchers reveals that there are still numerous unprotected automation systems connected to the network.
Automation systems manage, for example, surveillance cameras and the electronic locks of buildings. They also control a number of basic structures such as water distribution.
A total of 4,695 automation systems and entities open to web-based attack were found.
The number of unsecured items has thus increased significantly – by more than 60 per cent since last spring, when the matter was investigated for the first time. Aalto University researchers estimate that around a hundred of them are the most critical.
According to Jukka Manner, professor at Aalto University’s Department of Communications and Networking, people should wake up to the problem in advance.
“A large part is explained by the fact that automation and web-dependent systems are increasing. Moreover, they are installed in walls,” Manner says.
According to Manner, the lack of protection of automation systems is usually due to human error. The responsibility lies on the one hand with the system administrators and on the other hand with the equipment suppliers, that is, with how they help their clients with commissioning.
Protecting automation systems is not difficult, according to Manner. Often simple firewalls are enough to protect them.
“The reason for the large number may also be found in indifference. It is assumed that no one is interested in hacking Finnish windmills or machine shops.”
“It is now possible to probe security holes without anyone noticing.”
Manner believes that the spring’s information about open automation systems did not reach all its targets. The growth in the number of items does not explain this.
“It is interesting that most of the old sites are still open. The problem is being slept through now, and people only wake up when something happens.”
About 80 per cent of the objects found open in the spring were still open. As in the spring, what Manner finds alarming is that the user names and passwords are also available in the network user interfaces of many devices.
According to a release from CERT-FI, the national security authority at the Finnish Communications Regulatory Authority, the number of unprotected devices and automation systems connected to the network has remained roughly the same since the spring.
The unprotected automation equipment now found on the network includes, among others, industrial automation, building automation systems and network cameras.
Already in the spring the report told that the open automation equipment found included, for example, two power plants, a windmill, a water treatment plant, a prison and a traffic system.
Source: http://www.hs.fi/kotimaa/Professori+Automaatioj%C3%A4rjestelmien+suojaamattomuus+on+ruususen+unta/a1387514900750
Tomi Engdahl says:
Exclusive: Secret contract tied NSA and security industry pioneer
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
(Reuters) – As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
The earlier disclosures of RSA’s entanglement with the NSA already had shocked some in the close-knit world of computer security experts.
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.
The RSA deal shows one way the NSA carried out what Snowden’s documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using “commercial relationships” to advance that goal, but did not name any security companies as collaborators.
The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that “encryption is an essential basis for trust on the Internet,” and called for a halt to any NSA efforts to undermine it.
RSA and others claimed victory when export restrictions relaxed.
But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks.
An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institute of Standards and Technology as one of four acceptable methods for generating random numbers. NIST’s blessing is required for many products sold to the government and often sets a broader de facto standard.
RSA adopted the algorithm even before NIST approved it.
RSA’s contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.
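To see what “a flawed formula for generating random numbers” with a back door means in practice, here is a toy Dual EC DRBG written for this page (not RSA’s Bsafe code and not the NIST constants). It runs on the tiny curve y^2 = x^3 + 2x + 2 over F_17, whose group has prime order 19 with generator (5,1); the trapdoor value e = 3 with P = e*Q is an assumption chosen for the demo. Whoever knows e recovers the generator’s internal state from a single output and predicts every output after it; without e the same recovery is an elliptic-curve discrete logarithm, which is exactly why the constants’ origin matters.

```python
"""Toy Dual EC DRBG with the P = e*Q trapdoor. Added example on the tiny curve
y^2 = x^3 + 2x + 2 over F_17 (prime group order 19, generator (5,1)); NOT the NIST
P-256 constants used by the real algorithm, and e = 3 is an assumed demo value."""

p, a, b = 17, 2, 2
G = (5, 1)   # generator; the group has prime order 19, so no k*G with 0 < k < 19 is the identity
N = 19


def inv(x):
    return pow(x % p, p - 2, p)  # Fermat inverse, p prime


def add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    if pt is None:
        raise ValueError("degenerate state: hit the point at infinity")
    return pt[0]


def dual_ec_outputs(seed, P, Q, count):
    """Dual EC as specified: s <- x(s*P); emit x(s*Q). (The real DRBG also drops the top
    16 bits of each 256-bit output; that only gives an attacker 2^16 candidates to try.)"""
    s, out = seed % N, []
    for _ in range(count):
        s = x_of(mul(s, P))
        out.append(x_of(mul(s, Q)))
    return out


def lift_x(x):
    """All curve points with this x-coordinate (brute-force square root; p is tiny)."""
    rhs = (x ** 3 + a * x + b) % p
    return [(x, y) for y in range(p) if (y * y) % p == rhs]


def predict_from_output(r, e, Q, count):
    """Attacker who knows e with P = e*Q: from one output r = x(s*Q), compute
    e*(s*Q) = s*P, whose x-coordinate is the generator's next state, then replay it."""
    A = lift_x(r)[0]         # the two lifts are +/-A and give the same x for e*A
    P = mul(e, Q)
    s = x_of(mul(e, A))      # == x(s*P): the state the generator will use next
    out = []
    for _ in range(count):
        out.append(x_of(mul(s, Q)))
        s = x_of(mul(s, P))
    return out


if __name__ == "__main__":
    e = 3                    # trapdoor known only to whoever chose the constants
    Q = G
    P = mul(e, Q)            # the innocent-looking public constants P and Q
    outs = dual_ec_outputs(2, P, Q, 5)
    print("generator outputs:", outs)
    print("attacker's prediction from the first one:", predict_from_output(outs[0], e, Q, 4))
```

The point of the demo is the asymmetry: the generator’s users see only P and Q and cannot tell whether a relation P = e*Q exists, while the party that generated the constants that way needs one output to read the state. That is why the proper remedy was to replace the default generator, as RSA eventually advised, rather than to keep it with different parameters of unknown provenance.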
Tomi Engdahl says:
The world’s most famous hacker: this is the worst corporate security threat
Web-based applications are at the moment the biggest threat to corporate computer security, according to computer security expert and the world’s most famous hacker Kevin Mitnick. In addition, the old bag of tricks, such as social engineering, or manipulation of users, as well as malware, are still significant security threats.
A modern intruder can, for example, use social media to feed a trojan into the corporate network with the help of a careless employee. Manipulation is based on people’s general trust, making use of information that is all publicly available.
“Small pieces, useless on their own, create valuable information when combined,”
F-Secure’s head of research Mikko Hyppönen confirms Mitnick’s view of the risks of web-based applications. According to him, PHP and SQL security vulnerabilities exist in almost all systems.
“You can get into almost any system, you just have to try long enough,” Hyppönen said.
Web applications are used by almost all businesses regardless of size. The problems concern in particular the systems used by smaller companies. The larger the company and the more public the web application, the better its information security is usually taken care of, according to Hyppönen.
On the other hand, smaller companies rarely have as much important information in their own applications and systems.
Source: http://www.tietoviikko.fi/kaikki_uutiset/maailman+tunnetuin+hakkeri+tama+on+yritysten+pahin+tietoturvauhka/a939422
Tomi Engdahl says:
Ask Slashdot: Can Commercial Hardware Routers Be Trusted?
http://yro.slashdot.org/story/13/12/21/222245/ask-slashdot-can-commercial-hardware-routers-be-trusted
“Given reports that various vendors and encryption algorithms have been compromised, is it still possible to trust any commercial hardware routers, or is ‘roll your own’ the only reasonable path going forward?”
Comment:
Actually, the obvious answer is that trust is not a binary thing. Evaluate your threat models. If you want to be safe from the NSA, and you are protecting information they want to know, then yes, I would say that eschewing any technology from corporations that are easily coerced by the NSA would be a good idea. Of course, that is practically impossible. But you do what you can. And wanting a device with all source available, in a form that is easy to (perhaps modify and) compile to a verifiable equivalent of the stock firmware and operating system would be the first obvious step.
Actually, the obvious answer is that you don’t have a choice. No matter how much effort you put into it, you will always be depending on third-party hardware or software that you simply have to trust. So, you want to solder your own PCB? Sure, go ahead, but your Ralink SoC is still manufactured somewhere in China. Don’t trust Cisco’s IOS? Sure, write your own, and let me know how you designed and manufactured your own ASICs.
Yes, there is a lot that you can do and I think the closest real answer to the poster’s question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.
Tomi Engdahl says:
Bloomberg anchor displays bitcoin on TV, immediately gets robbed by viewer
http://rt.com/usa/bloomberg-anchor-robbed-bitcoin-747/
Bloomberg TV provided viewers with an important lesson in digital currency when one of its anchors had a gift card stolen while showing it during a live broadcast.
On Friday, December 20, Matt Miller surprised his two fellow anchors – Adam Johnson and Trish Regan – with bitcoin gift certificates during his “12 Days of Bitcoin” segment. Johnson then flashed his certificate on the screen for roughly 10 seconds – more than enough time for a Reddit user to scan the digital QR code with his phone and take the gift for himself.
“The guy that is hosting the series gave bitcoin gift certificates to the other two hosts. One of them opens up the certificate to reveal the QR code of the private key,” he wrote. “They then proceeded to show a closeup of the QR code in glorious HD for about 10 seconds. Hilarious.”
“I took it, it was only $20 worth. It was exhilarating nevertheless”
Although milywaymasta offered to return the cash, Miller followed up with the user on Reddit, stating that it would not be necessary.
“So freaking classic but also a GREAT lesson in bitcoin security!” he wrote. “You can keep the $20 – well earned.”
Tomi Engdahl says:
2013 in Review: Revelations, Tragedy, and Fighting Back
https://www.eff.org/deeplinks/2013/12/2013-review
When it comes to the fight for free expression and privacy in technology, 2013 changed everything.
This was the year we received confirmation and disturbing details about the NSA programs that are sweeping up information on hundreds of millions of people in the United States and around the world.
In December, a federal judge even found the surveillance likely unconstitutional, calling it “almost-Orwellian.”
Tomi Engdahl says:
2013 in Review: The Year the NSA Finally Admitted Its “Collect It All” Strategy
https://www.eff.org/deeplinks/2013/12/2013-year-nsas-collect-it-all-strategy-was-revealed
As the year draws to a close, EFF is looking back at the major trends influencing digital rights in 2013 and discussing where we are in the fight for free expression, innovation, fair use, and privacy.
Tomi Engdahl says:
2013 was a very hacked year
More to come
http://www.theinquirer.net/inquirer/feature/2320371/2013-was-a-very-hacked-year
Tomi Engdahl says:
7 Reasons the TSA Sucks (A Security Expert’s Perspective)
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/
For a bunch of people in snappy uniforms patting down crotches, the TSA is remarkably unpopular. Nobody likes going through security at the airport, but you probably figured most of it had a point. All those hours spent in line with other shoeless travelers are a necessary precursor to safe flying. It’s annoying, but at least it wards off terrorism.
That’s all bullshit. The TSA couldn’t protect you from a 6-year-old with a water balloon. What are my qualifications for saying that? My name is Rafi Sela, and I was the head of security for the world’s safest airport. Here’s what your country does wrong.
Tomi Engdahl says:
Judge Rules NSA Bulk Telephone Metadata Spying Is Lawful
http://www.wired.com/threatlevel/2013/12/judge-upholds-nsa-spying/
A federal judge ruled today that the NSA’s bulk telephone metadata spying program is “lawful” and represents the nation’s “counter-punch” to terrorism, a decision at odds with a different federal judge who two weeks ago said it infringed the Constitution.
“The natural tension between protecting the nation and preserving civil liberty is squarely presented by the Government’s bulk telephone metadata collection program. Edward Snowden’s unauthorized disclosure of Foreign Intelligence Surveillance Court (“FISC”) orders has provoked a public debate and this litigation.
Pauley, a President Bill Clinton appointee, said the spying was a reasonable, “vital tool” to combat terrorism and is less intrusive than the data people “voluntarily surrender” to “trans-national corporations.”
Tomi Engdahl says:
Snowden to warn Brits on Xmas telly: Your children will NEVER have privacy
Ex-NSA man tries political pressure in Channel 4′s Christmas Day speech
http://www.theregister.co.uk/2013/12/24/snowden_channel_4_christmas_message/
Celebrity whistleblower Edward Snowden will hit Britain’s TV screens tomorrow to warn families: “A child born today will grow up with no conception of privacy at all.”
Referring to the high level of surveillance in George Orwell’s novel Nineteen Eighty-Four, he opines:
Great Britain’s George Orwell warned us of the danger of this kind of information. The types of collection in the book – microphones and video cameras, TVs that watch us – are nothing compared to what we have available today. We have sensors in our pockets that track us everywhere we go. Think about what this means for the privacy of the average person.
A child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves; an unrecorded, unanalyzed thought.
And that’s a problem because privacy matters, privacy is what allows us to determine who we are and who we want to be.
Continuing along those lines, Snowden concludes in his Channel 4 message:
The conversation occurring today will determine the amount of trust we can place both in the technology that surrounds us and the government that regulates it.
Together we can find a better balance, end mass surveillance and remind the government that if it really wants to know how we feel, asking is always cheaper than spying.
Tomi Engdahl says:
Slurp away, NSA: Mass phone data collection IS legal, rules federal judge
Inter-court fracas means the Supremes will have to dust off robes
http://www.theregister.co.uk/2013/12/27/slurp_away_nsa_mass_phone_data_collection_is_legal_rules_federal_judge/
A US federal judge has ruled that the NSA is within its rights to harvest millions of innocent Americans’ telephone call records under Section 215 of the Patriot Act – and that the dragnet is fine under the Fourth Amendment since the data was collected by a third-party telco, not the government.
The decision kicks the debate over the legality of the intelligence agency’s controversial mass-surveillance operations closer to the Supreme Court.
Tomi Engdahl says:
Snowden leak journo leaks next leak: NSA, GCHQ dying to snoop on your gadgets mid-flight
Greenwald blasts US, UK during hacker confab speech
http://www.theregister.co.uk/2013/12/27/greenwald_30c3/
Top-secret documents leaked by NSA whistleblower Edward Snowden have been plastered across our screens and front-pages for months by Glenn Greenwald and his team.
And on Friday the journalist couldn’t help but leak a few details about a forthcoming wave of fresh revelations regarding the US and UK governments’ mass surveillance operations.
In a keynote speech to this year’s Chaos Communication Congress in Hamburg, Germany, Greenwald claimed NSA and GCHQ analysts are infuriated that they cannot easily track or monitor airline passengers’ smartphones and other electronic gadgets mid-flight – implying that may be about to change.
Conveniently, US comms watchdog the FCC has given a thumbs up to in-flight mobile broadband, and the European Aviation Safety Agency is relaxing its rules on the use of electronics before and during flights – in theory, granting spies a direct pathway to personal computers and handhelds tens of thousands of feet above ground.
Greenwald then turned his ire onto the NSA and GCHQ’s long-running quest for total awareness of the world’s communications networks:
The NSA and GCHQ … are obsessed with searching out any small little crevice on the planet where some forms of communication may be taking place without them being able to invade it.
One of the stories we’re working on now – I used to get in trouble at the Guardian for pre-announcing my stories, but I’m not at the Guardian so I’m just going to do it anyway – the NSA and GCHQ are being driven crazy by this idea that you can go on an airplane and use certain cellphone devices or internet services and be away from their prying eyes for a few hours at a time.
They are obsessed with finding ways to invade the systems of online, onboard internet services and mobile phone services, because the very idea that human beings can communicate even for a few moments without them being able to collect and store and analyze and monitor what it is that we’re saying is simply intolerable.
“A surveillance state breeds conformity, because if human beings know they are susceptible to being watched, even if they’re not being watched, they cling far more closely to orthodoxy.”
Tomi Engdahl says:
Want access to mobe users’ location, camera, phone ID? EXPLAIN YOURSELVES – ICO
Watchdog warns app developers about data protection obligations
http://www.theregister.co.uk/2013/12/24/ico_warns_app_developers_about_data_protection_obligations/
Software developers should consider deploying “just-in-time notifications” to inform users about the imminent processing of personal data in mobile applications (apps), the Information Commissioner’s Office (ICO) has said.
The UK’s data protection watchdog said that the pop-up disclosures were one way companies could explain to users how they plan to use their personal data, and could help them meet the legal standard for obtaining consent to such activity under the Data Protection Act (DPA). It said that businesses should consider whether traditional ways of presenting information about user privacy and obtaining consent are suitable for the mobile environment.
“Consider just-in-time notifications, where the necessary information is provided to the user just before data processing occurs,” the ICO recommended in new guidance it has issued on privacy in mobile applications. “Notifications like this could be particularly useful when collecting more intrusive data such as GPS location, or for prompting users about features of an app that they are using for the first time.”
Tomi Engdahl says:
Fight the Spies, Says Chaos Computer Club
http://www.wired.com/threatlevel/2013/12/fight-spies-says-chaos-computer-club/
For years, hackers and programmers have laughed at big-screen portrayals of security agents accessing vast stores of data despite a lack of technological savvy.
This year, in the wake of ongoing revelations of surveillance by the National Security Agency (NSA) and others, the laughing stopped. As the 30th Chaos Communication Congress opened today in Hamburg, Germany, members of what is one of the world’s most prominent hacker and digital-civil-rights organizations warned that a “Hollywood” future of increasingly inescapable surveillance is becoming depressingly real.
“This year we found ourselves waking up from a bad dream, to a reality that was even worse,” said Tim Pritlove, one of the congress’s organizers. “We have woken to a reality that can no longer be ignored.”
Much of this year’s conference will analyze the depth of current surveillance worldwide, and examine possible responses. Assange will be giving a talk calling on “hackers, sysadmins, developers and people of a technical persuasion” to organize against national surveillance programs. Glenn Greenwald, the reporter who has been instrumental in publicizing Edward Snowden’s revelations, will give a first-evening keynote. Other sessions will focus on privacy in China, India, and elsewhere.
“What we need to do now is reinvent the Net. We have to rethink the Net,” said Pritlove, opening the congress on Friday. “What we need is a new standards alliance. A force so strong that can at least slow the pace of global surveillance, and get some control back.”
Traditional security topics will also be a key focus, with talks on weaknesses in systems ranging from mobile-data networks to RFID-based apartment-door keys.
“Self-censorship is going on online,” lizvlx said. “But we get used to this Facebook-speak, this Twitter-speak. Eventually the conversations we have in real life will mirror the ones we have online.”
“From being a small group of nerds and geeks whose advice was mostly ignored, it all became a huge movement of people whose advice is still mostly ignored,” Pritlove said. “But if there’s one thing we’ve learned from the last year, it is that each of us can make a difference.”
Tomi Engdahl says:
VIDEO: Alternative Christmas Message
http://www.channel4.com/programmes/alternative-christmas-message/4od#3629294
Whistleblower Edward Snowden, who revealed the mass surveillance programmes organised by the US and other governments, gives this year’s The Alternative Christmas Message.
Tomi Engdahl says:
Samsung Phone Studied for Possible Security Gap
Israeli Researchers Point to Alleged Vulnerability in Galaxy S4
http://online.wsj.com/news/articles/SB10001424052702304244904579276191788427198
Tomi Engdahl says:
MetaPhone study shows how easy it is to link phone number “metadata” to real people
http://gigaom.com/2013/12/26/metaphone-study-shows-how-easy-it-is-to-link-phone-number-metadata-to-real-people/
We’ve long known that the U.S. government’s explanation that it only collected “metadata” related to the phone numbers it has been hoovering up over the last several years was a poor attempt at minimizing the value of the data collected by the National Security Agency and revealed by Edward Snowden. But just how easy is it to link a phone number with a real person?
Armed with just Google, Intellius, and directories run by Yelp, Google Places, and Facebook, the project identified the people and businesses attached to 91 of 100 numbers randomly selected from the project’s opt-in database.
Tomi Engdahl says:
MetaPhone: The NSA’s Got Your Number
http://webpolicy.org/2013/12/23/metaphone-the-nsas-got-your-number/
“You have my telephone number connecting with your telephone number,” explained President Obama in a PBS interview. “[T]here are no names . . . in that database.”
Versions of this argument have appeared frequently in debates over the NSA’s domestic phone metadata program. The factual premise is that the NSA only compels disclosure of numbers, not names. One might conclude, then, that there isn’t much cause for privacy concern.
So, just how easy is it to identify a phone number?
Trivial, we found. We randomly sampled 5,000 numbers from our crowdsourced MetaPhone dataset and queried the Yelp, Google Places, and Facebook directories. With little marginal effort and just those three sources—all free and public—we matched 1,356 (27.1%) of the numbers. Specifically, there were 378 hits (7.6%) on Yelp, 684 (13.7%) on Google Places, and 618 (12.3%) on Facebook.
What about if an organization were willing to put in some manpower?
Tomi Engdahl says:
What’s In Your Metadata?
http://cyberlaw.stanford.edu/blog/2013/11/what%27s-in-your-metadata
The NSA has confirmed that it collects American phone records. Defenders of the program insist it has little privacy impact and is “not surveillance.”
Like many computer scientists, we strongly disagree. Phone metadata is inherently revealing.
Tomi Engdahl says:
Phone app helps nab Palos Heights burglary suspects
http://www.suntimes.com/24606987-761/phone-app-helps-nab-palos-heights-burglary-suspects.html
A Palos Heights resident was quick to react when she saw two burglars breaking into her rental condominium — watching the crime-in-progress from Hawaii thanks to an app on her smartphone, police said.
The men broke into the home after removing a window in the attached garage at about 1:30 p.m. on Nov. 26, police said.
Meanwhile, the resident who was in Hawaii watched the crime unfold from an application on her phone that was synced up to three security cameras inside, police said. The security system is designed to send an alert to the phone whenever there is movement inside the house.
Tomi Engdahl says:
Protect your Android device from malware
http://howto.cnet.com/8301-11310_39-57615162-285/protect-your-android-device-from-malware/
Mobile malware is on the rise and your device could be at risk. These tips could help you stay safe and keep your personal information out of the hands of cybercriminals.
Tomi Engdahl says:
Inside TAO: Documents Reveal Top NSA Hacking Unit
http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html
The NSA’s TAO hacking unit is considered to be the intelligence agency’s top secret weapon. It maintains its own covert network, infiltrates computers around the world and even intercepts shipping deliveries to plant back doors in electronics ordered by those it is targeting.
On-Call Digital Plumbers
One of the two main buildings at the former plant has since housed a sophisticated NSA unit, one that has benefited the most from this expansion and has grown the fastest in recent years — the Office of Tailored Access Operations, or TAO. This is the NSA’s top operative unit — something like a squad of plumbers that can be called in when normal access to a target is blocked.
According to internal NSA documents viewed by SPIEGEL, these on-call digital plumbers are involved in many sensitive operations conducted by American intelligence agencies. TAO’s area of operations ranges from counterterrorism to cyber attacks to traditional espionage. The documents reveal just how diversified the tools at TAO’s disposal have become — and also how it exploits the technical weaknesses of the IT industry, from Microsoft to Cisco and Huawei, to carry out its discreet and efficient attacks.
The unit is “akin to the wunderkind of the US intelligence community,” says Matthew Aid, a historian who specializes in the history of the NSA. “Getting the ungettable” is the NSA’s own description of its duties. “It is not about the quantity produced but the quality of intelligence that is important,” one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed “some of the most significant intelligence our country has ever seen.” The unit, it goes on, has “access to our very hardest targets.”
Tomi Engdahl says:
How the NSA, and your boss, can intercept and break SSL
http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-break-ssl-7000016573/
Summary: Most people believe that SSL is the gold-standard of Internet security. It is good, but SSL communications can be intercepted and broken. Here’s how.
Tomi Engdahl says:
How the NSA Actually Weaponized the Internet
http://www.darkgovernment.com/news/how-the-nsa-actually-weaponized-the-internet/
The internet backbone — the infrastructure of networks upon which internet traffic travels — went from being a passive infrastructure for communication to an active weapon for attacks.
Tomi Engdahl says:
Report: NSA intercepts computer deliveries
http://www.islandpacket.com/2013/12/29/2869000/report-nsa-intercepts-computer.html
A German magazine lifted the lid on the operations of the National Security Agency’s hacking unit Sunday, reporting that American spies intercept computer deliveries, exploit hardware vulnerabilities, and even hijack Microsoft’s internal reporting system to spy on their targets.
Der Spiegel’s revelations relate to a division of the NSA known as Tailored Access Operations, or TAO, which is painted as an elite team of hackers specializing in stealing data from the toughest of targets.
Der Spiegel said TAO had a catalog of high-tech gadgets for particularly hard-to-crack cases, including computer monitor cables specially modified to record what is being typed across the screen, USB sticks secretly fitted with radio transmitters to broadcast stolen data over the airwaves, and fake base stations intended to intercept mobile phone signals on the go.
The NSA doesn’t just rely on James Bond-style spy gear, the magazine said. Some of the attacks described by Der Spiegel exploit weaknesses in the architecture of the Internet to deliver malicious software to specific computers. Others take advantage of weaknesses in hardware or software distributed by some of the world’s leading information technology companies, including Cisco Systems, Inc. and China’s Huawei Technologies Ltd., the magazine reported.
Old-fashioned methods get a mention too. Der Spiegel said that if the NSA tracked a target ordering a new computer or other electronic accessories, TAO could tap its allies in the FBI and the CIA, intercept the hardware in transit, and take it to a secret workshop where it could be discreetly fitted with espionage software before being sent on its way.
Intercepting computer equipment in such a way is among the NSA’s “most productive operations,” and has helped harvest intelligence from around the world, one document cited by Der Spiegel stated.
Tomi Engdahl says:
The NSA Actually Intercepted Packages to Put Backdoors in Electronics
http://gizmodo.com/the-nsa-actually-intercepted-packages-to-put-backdoors-1491169592
The NSA revelations keep on coming, and if you’re feeling desensitized to the whole thing it’s time to refocus and get your game face on for 2014. Because shit continues to get real.
SPIEGEL published two pieces this morning about the NSA’s Tailored Access Operations (TAO) division, aka premier hacking ninja squad. According to Snowden documents, TAO has a catalog of all the commercial equipment that carries NSA backdoors. And it’s a who’s who of a list. Storage products from Western Digital, Seagate, Maxtor and Samsung have backdoors in their firmware, firewalls from Juniper Networks have been compromised, plus networking equipment from Cisco and Huawei, and even unspecified products from Dell. TAO actually intercepts online orders of these and other electronics to bug them.
SPIEGEL notes that the documents do not provide any evidence that the manufacturers mentioned had any idea about this NSA activity.
TAO uses software hacking in things like Windows bug reports to get the information and device control they need, of course. But if that’s not enough, they even have a special group of hardware hackers who create modified equipment for TAO specialists to try and plant.
Tomi Engdahl says:
Ambient Computer Noise Leaks Your Encryption Keys
http://hackaday.com/2013/12/20/ambient-computer-noise-leaks-your-encryption-keys/
[Daniel, Adi, and Eran], student researchers at Tel Aviv University and the Weizmann Institute of Science, have successfully extracted 4096-bit RSA encryption keys using only the sound produced by the target computer. It may sound a bit like magic, but this is a real attack – although its practicality may be questionable.
During most of their testing, the team used some very high-end audio equipment, including Brüel & Kjær laboratory grade microphones and a parabolic reflector. By directing the microphone at the processor air vents, they were able to extract enough sound to proceed with their attack. [Daniel, Adi, and Eran] started from the source of GnuPG. They worked from there all the way down to the individual opcodes running on the x86 processor in the target PC. As each opcode is run, a sound signature is produced. The signature changes slightly depending on the data the processor is operating on. By using this information, and some very detailed spectral analysis, the team was able to extract encryption keys.
They even were able to use a cell phone to perform the audio attack. Due to the cell phone’s lower quality microphone, a much longer (on the order of several hours) time is needed to extract the necessary data.
Tomi Engdahl says:
Unintended Consequences: How NSA Revelations May Lead to Even More Surveillance
http://lauren.vortex.com/archive/001074.html
Ironically for longtime observers of NSA and other intelligence agencies, and those of us who warned early about the abuses being ensconced in the PATRIOT and Homeland Security Acts — and were accused of being unpatriotic in return — scarcely anything in the “revelations” to date is a real surprise at all. Nor are reports of intelligence agencies weakening encryption systems anything new — concerns about NSA influence over the Data Encryption Standard (DES) reach back about four decades.
Perhaps the biggest genuine surprise has been NSA’s shoddy security practices. But we can be sure that NSA and other agencies around the world are hard at work to try to make sure there won’t be any more Snowdens.
It’s in the scope of domestic intelligence that we can see the most likelihood of change. Unfortunately, much smart money is now going on the bet that in the long run the result of all these revelations will actually be more domestic surveillance (under various changing names and labels) not less!
How could this be? How could this happen?
There are various clues from around the world.
For example, just weeks ago, and shortly after a high level French ex-intelligence official was quoted as saying essentially that “we don’t resent NSA, we simply envy them!” France passed legislation legalizing a vast range of repressive domestic surveillance practices.
News stories immediately proclaimed this to be an enormous expansion of French spying. But observers in the know noted that in reality this kind of surveillance had been going on by the French government for a very long time — the new legislation simply made it explicitly legal.
And therein is the key. Counterintuitively perhaps, once these programs are made visible they become vastly easier to expand under one justification or another, because you no longer have to worry so much about the very existence of the programs being exposed.
Here in the U.S., it’s the NSA telephone “metadata” program that has received the most attention in the domestic context. And there’s yet another irony here — this is the very same data that telephone companies have traditionally collected of their own volition since the dawn of itemized call billing.
“This then may be the ultimate irony in this surveillance saga.”
Tomi Engdahl says:
Shopping for Spy Gear: Catalog Advertises NSA Toolbox
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.
A 50-Page Catalog
These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.
This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets’ data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.
In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”
Master Carpenters
The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA’s department for Tailored Access Operations (TAO). In cases where TAO’s usual hacking and data-skimming methods don’t suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such “implants,” as they are referred to in NSA parlance, have played a considerable role in the intelligence agency’s ability to establish a global covert network that operates alongside the Internet.
The ANT division doesn’t just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.
Tomi Engdahl says:
Exclusive: Target hackers stole encrypted bank PINs – source
http://www.reuters.com/article/2013/12/25/us-target-databreach-idUSBRE9BN0L220131225
The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.
One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.
Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.
Target has not said how its systems were compromised, though it described the operation as “sophisticated.”
JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.
Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.
“That’s a really extreme measure to take,” said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. “They definitely found something in the data that showed there was something happening with cash withdrawals.”
While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.
As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital “key” used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.
In other cases, hackers can get PINs by using a tool known as a “RAM scraper,” which captures the PINs while they are temporarily stored in memory, Clemens said.
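As an added illustration of the "RAM scraper" technique mentioned above (this is not code from the Reuters article, from Target or from any of the people quoted), the block below shows what such a tool actually does with memory once it has it: it runs a pattern match for magnetic-stripe Track 2 records over a byte buffer and filters the hits with the Luhn check so that random digit runs are discarded. The buffer here is a constructed sample embedded inline, using a well-known test card number; a real scraper would obtain the bytes by reading another process's memory through OS APIs, which is deliberately left out. The same scan, pointed at a memory dump of a point-of-sale process, is also a cheap way for defenders to confirm whether card data is sitting unencrypted in memory at all, regardless of how it is encrypted on disk or in transit.

```python
import re

# Constructed sample "process memory" (not a real dump). It contains one valid
# Track 2 record surrounded by unrelated bytes, and one decoy whose PAN fails
# the Luhn check. 4111111111111111 is a standard Visa test number.
SAMPLE_MEMORY = (
    b"\x00\x00session=abc123\x00"
    b";4111111111111111=25121011234567890?"   # valid Track 2 record
    b"\x00\x00garbage\xff\xfe"
    b";4111111111111112=25121019999999999?"   # decoy: PAN fails Luhn
    b"\x00log entry 42\x00"
)

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used to weed out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in buf, with its offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # skip lookalike data such as log sequence numbers
        hits.append({
            "pan": pan,
            "exp": f"{m.group(2).decode()}/{m.group(3).decode()}",   # YY/MM
            "service_code": m.group(4).decode(),
            "offset": m.start(),
        })
    return hits


def mask(pan: str) -> str:
    """Keep only BIN and last four digits, the usual form for reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']}: PAN {mask(hit['pan'])} exp {hit['exp']} "
              f"service {hit['service_code']}")
```

The important point for the Target discussion is that disk or network encryption does nothing for data at the moment it is decrypted and processed: the record above is found in clear text even though nothing about the surrounding system is assumed to be unencrypted. Running this kind of scan against a memory snapshot of the payment application, with the masked output only, is a reasonable control check during a PCI assessment.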
Tomi Engdahl says:
Edward Snowden, after months of NSA revelations, says his mission’s accomplished
http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html
Late this spring, Snowden supplied three journalists, including this one, with caches of top-secret documents from the National Security Agency, where he worked as a contractor. Dozens of revelations followed, and then hundreds, as news organizations around the world picked up the story. Congress pressed for explanations, new evidence revived old lawsuits and the Obama administration was obliged to declassify thousands of pages it had fought for years to conceal.
Taken together, the revelations have brought to light a global surveillance system that cast off many of its historical restraints after the attacks of Sept. 11, 2001. Secret legal authorities empowered the NSA to sweep in the telephone, Internet and location records of whole populations. One of the leaked presentation slides described the agency’s “collection philosophy” as “Order one of everything off the menu.”
Six months after the first revelations appeared in The Washington Post and Britain’s Guardian newspaper, Snowden agreed to reflect at length on the roots and repercussions of his choice. He was relaxed and animated over two days of nearly unbroken conversation, fueled by burgers, pasta, ice cream and Russian pastry.
“For me, in terms of personal satisfaction, the mission’s already accomplished,” he said. “I already won. As soon as the journalists were able to work, everything that I had been trying to do was validated. Because, remember, I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.”
“All I wanted was for the public to be able to have a say in how they are governed,” he said. “That is a milestone we left a long time ago. Right now, all we are looking at are stretch goals.”
Snowden is an orderly thinker, with an engineer’s approach to problem-solving. He had come to believe that a dangerous machine of mass surveillance was growing unchecked.
Snowden grants that NSA employees by and large believe in their mission and trust the agency to handle the secrets it takes from ordinary people — deliberately, in the case of bulk records collection, and “incidentally,” when the content of American phone calls and e-mails are swept into NSA systems along with foreign targets.
But Snowden also said acceptance of the agency’s operations was not universal. He began to test that proposition more than a year ago, he said, in periodic conversations with co-workers and superiors that foreshadowed his emerging plan.
“I asked these people, ‘What do you think the public would do if this was on the front page?’ ” he said. He noted that critics have accused him of bypassing internal channels of dissent. “How is that not reporting it? How is that not raising it?” he said.
By last December, Snowden was contacting reporters, although he had not yet passed along any classified information. He continued to give his colleagues the “front-page test,” he said, until April.
Just before releasing the documents this spring, Snowden made a final review of the risks. He had overcome what he described at the time as a “selfish fear” of the consequences for himself.
“I said to you the only fear [left] is apathy — that people won’t care, that they won’t want change,” he recalled this month.
The documents leaked by Snowden compelled attention because they revealed to Americans a history they did not know they had.
Internal briefing documents reveled in the “Golden Age of Electronic Surveillance.” Brawny cover names such as MUSCULAR, TUMULT and TURMOIL boasted of the agency’s prowess.
Using PRISM, the cover name for collection of user data from Google, Yahoo, Microsoft, Apple and five other U.S.-based companies, the NSA could obtain all communications to or from any specified target. The companies had no choice but to comply with the government’s request for data.
That operation, which used the cover name MUSCULAR, tapped into U.S. company data from outside U.S. territory. The NSA, therefore, believed it did not need permission from Congress or judicial oversight.
Disclosure of the MUSCULAR project enraged and galvanized U.S. technology executives. They believed the NSA had lawful access to their front doors — and had broken down the back doors anyway.
They wondered, he said, whether the NSA was “collecting proprietary information from the companies themselves.”
Snowden has focused on much the same point from the beginning: Individual targeting would cure most of what he believes is wrong with the NSA.
In the Moscow interview, Snowden said, “What the government wants is something they never had before,” adding: “They want total awareness. The question is, is that something we should be allowing?”
At the NSA, he said, “there are people in the office who joke about, ‘We put warheads on foreheads.’ Twitter doesn’t put warheads on foreheads.”
Privacy, as Snowden sees it, is a universal right, applicable to American and foreign surveillance alike.
On June 29, Gilles de Kerchove, the European Union’s counterterrorism coordinator, awoke to a report in Der Spiegel that U.S. intelligence had broken into E.U. offices, including his, to implant surveillance devices.
U.S. officials say it is obvious that Snowden’s disclosures will do grave harm to intelligence gathering, exposing methods that adversaries will learn to avoid.
Other officials, who declined to speak on the record about particulars, said they had watched some of their surveillance targets, in effect, changing channels. That evidence can be read another way, they acknowledged, given that the NSA managed to monitor the shift.
Snowden taught U.S. intelligence personnel how to operate securely in a “high-threat digital environment,”
Tomi Engdahl says:
Cash machines raided with infected USB sticks
http://www.bbc.co.uk/news/technology-25550512
Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.
The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs.
Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.
The crimes also appear to indicate the thieves mistrusted each other.
The two researchers who detailed the attacks have asked for their names not to be published.
After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.
Once the malware had been transferred they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.