The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber threats against enterprises and mobile devices, so cyber security now extends to mobile as well.
Security is becoming an increasingly important issue. Security company Stonesoft predicts we will face more targeted cyber attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security, and its importance will increase in the future. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.
Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013′, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012, and warns people to expect more of the same.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and test their devices more now. But how do smaller manufacturers test their security? Metasploit has a special category of modules for SCADA devices, and it is a good idea to test your own devices against it.
There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (it is not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.
Nowadays you need to think about SCADA system security more than some years ago. Previously it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. You can’t keep automation systems isolated from the Internet: accidental connections from supposedly isolated networks happen, malware can spread through USB memory sticks (Stuxnet did that), and there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.
Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells how a search engine that indexes servers and other Internet-connected devices is helping attackers find industrial control systems that are vulnerable to tampering. The Shodan search engine easily pinpoints shoddy industrial controls: it makes it easy to locate Internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities, and it can also be used to identify systems with known vulnerabilities. Shodan leaves such networks more exposed to brute-force attacks on passwords, many of which may still be factory defaults.
The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. The Global Positioning System is infrastructure critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? The article Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that their emergence would bring an associated increase in cyber threats. ENISA warned that the threat from mobile computing stems from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from attackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gain, for example by storing malware in those systems and using the technology as a platform from which to launch attacks.
Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.
The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected; combined with lax law enforcement, this is a perfect petri dish for increased cybercrime.
A Europe-wide cyber police force has started: the EU’s new European Cybercrime Centre (EC3) opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, whether directed against businesses or private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.
1,930 Comments
Tomi says:
Bruce Schneier: Why Collecting More Data Doesn’t Increase Safety
http://yro.slashdot.org/story/13/05/04/1615202/bruce-schneier-why-collecting-more-data-doesnt-increase-safety
“In heeding calls to increase the amount of surveillance data gathered and shared, agencies like the FBI have impaired their ability to discover actual threats, while guaranteeing erosion of personal and civil freedom. ‘Piling more data onto the mix makes it harder, not easier.”
Why FBI and CIA didn’t connect the dots
http://edition.cnn.com/2013/05/02/opinion/schneier-boston-bombing/index.html
Connecting the dots in a coloring book is easy and fun. They’re right there on the page, and they’re all numbered.
But in real life, the dots can only be numbered after the fact.
In hindsight, we know who the bad guys are. Before the fact, there are an enormous number of potential bad guys.
How many? We don’t know.
We have no idea how many potential “dots” the FBI, CIA, NSA and other agencies collect, but it’s easily in the millions. It’s easy to work backwards through the data and see all the obvious warning signs. But before a terrorist attack, when there are millions of dots — some important but the vast majority unimportant — uncovering plots is a lot harder.
Since what actually happened is so obvious once it happens, we overestimate how obvious it was before it happened.
Kahneman, a Nobel prize winner, wisely noted: “Actions that seemed prudent in foresight can look irresponsibly negligent in hindsight.” Kahneman calls it “the illusion of understanding,”
Tomi Engdahl says:
Popular Android Anti-Virus Software Fooled By Trivial Techniques
http://it.slashdot.org/story/13/05/07/0226229/popular-android-anti-virus-software-fooled-by-trivial-techniques
“A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques.”
“Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper’s authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part.”
Tomi Engdahl says:
Security company McAfee’s roughly 290 million euro bid for Stonesoft is, in the view of Inderes analyst Mikael Rautanen, remarkably high. He regards the offer above all as a technology acquisition.
“McAfee’s offer is positive news. As such, I would have liked to see how Stonesoft’s growth story would have materialized if it had continued as an independent company, but this is good too,” he commented.
The deal allows Stonesoft’s potential and know-how to be exploited on a larger scale.
McAfee is a wholly owned subsidiary of Intel.
He says that the offer represents approximately seven times Stonesoft’s turnover last year. As such, it is a high valuation. In the United States, however, larger sums have been paid for companies in the field of network security.
“Network security is such a hot field of business that companies with a clear technological lead are valued highly. Money or labor alone cannot catch up with the lead of the most successful company; it is achieved by innovation.”
In this sense, Stonesoft has been in the vanguard: with respect to evasions, its devices have been significantly ahead of the others in the past two years.
Source: http://www.tietoviikko.fi/kaikki_uutiset/stonesoft+menee+lihoiksi+quotmahdollisuuksista+ehdittiin+nahda+vasta+murusiaquot/a899549?s=r&wtm=tietoviikko/-07052013&
Tomi Engdahl says:
Government Lab Reveals It Has Operated Quantum Internet for Over Two Years
http://www.technologyreview.com/view/514581/government-lab-reveals-quantum-internet-operated-continuously-for-over-two-years/
A quantum internet capable of sending perfectly secure messages has been running at Los Alamos National Labs for the last two and a half years, say researchers
One of the dreams for security experts is the creation of a quantum internet that allows perfectly secure communication based on the powerful laws of quantum mechanics.
The basic idea here is that the act of measuring a quantum object, such as a photon, always changes it. So any attempt to eavesdrop on a quantum message cannot fail to leave telltale signs of snooping that the receiver can detect. That allows anybody to send a “one-time pad” over a quantum network which can then be used for secure communication using conventional classical communication.
These systems have an important limitation, however. The current generation of quantum cryptography systems are point-to-point connections over a single length of fibre, so they can send secure messages from A to B but cannot route this information onwards to C, D, E or F.
Today, Richard Hughes and pals at Los Alamos National Labs in New Mexico reveal an alternative quantum internet, which they say they’ve been running for two and a half years. Their approach is to create a quantum network based around a hub and spoke-type network. All messages get routed from any point in the network to another via this central hub.
This is not the first time this kind of approach has been tried. The idea is that messages to the hub rely on the usual level of quantum security. However, once at the hub, they are converted to conventional classical bits and then reconverted into quantum bits to be sent on the second leg of their journey.
So as long as the hub is secure, then the network should also be secure.
The problem with this approach is scalability.
Only the hub is capable of receiving a quantum message (although all nodes can send and receive conventional messages in the normal way).
That may sound limiting but it still allows each node to send a one-time pad to the hub which it then uses to communicate securely over a classical link.
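The hub-and-spoke relay described in this comment, as an added simulation that is not code from the article or from Los Alamos: each spoke shares a one-time pad with the hub only (assumed here to be random bytes handed out at enrolment, standing in for key material agreed over the quantum link), and the hub decrypts and re-encrypts every relayed message, which is exactly why it must be trusted.

```python
import secrets
from typing import Dict, List, Tuple

# Added example, not code from the article or from Los Alamos: a simulation of
# the hub-and-spoke "trusted node" network described above. Each spoke shares a
# one-time pad with the hub only; in the real system that pad would be agreed
# over the quantum link, here it is random bytes handed out at enrolment.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; with a random, never-reused pad this is a one-time pad."""
    if len(a) != len(b):
        raise ValueError("pad chunk must match message length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadStore:
    """A consumable one-time pad. Both ends of a link hold an identical copy
    and consume it in the same order; no byte is ever used twice."""

    def __init__(self, pad: bytes) -> None:
        self._pad = bytearray(pad)

    def take(self, n: int) -> bytes:
        if n > len(self._pad):
            raise ValueError("one-time pad exhausted: refusing to reuse key material")
        chunk = bytes(self._pad[:n])
        del self._pad[:n]
        return chunk

    def remaining(self) -> int:
        return len(self._pad)


class Hub:
    """The only node that terminates every (simulated) quantum link. It decrypts
    on the inbound leg and re-encrypts on the outbound leg, so it necessarily
    sees each relayed plaintext: the hub has to be trusted."""

    def __init__(self) -> None:
        self.pads: Dict[str, PadStore] = {}
        self.observed: List[bytes] = []

    def enroll(self, node: str, pad_len: int = 256) -> bytes:
        pad = secrets.token_bytes(pad_len)
        self.pads[node] = PadStore(pad)
        return pad  # the spoke keeps its own identical copy

    def relay(self, src: str, dst: str, ciphertext: bytes) -> bytes:
        n = len(ciphertext)
        plaintext = xor_bytes(ciphertext, self.pads[src].take(n))
        self.observed.append(plaintext)
        return xor_bytes(plaintext, self.pads[dst].take(n))


class Spoke:
    def __init__(self, name: str, hub: Hub) -> None:
        self.name, self.hub = name, hub
        self.pad = PadStore(hub.enroll(name))

    def send(self, dst: "Spoke", message: bytes) -> Tuple[bytes, bytes, bytes]:
        """Return (ciphertext on leg A->hub, ciphertext on leg hub->B, what B recovered)."""
        leg1 = xor_bytes(message, self.pad.take(len(message)))
        leg2 = self.hub.relay(self.name, dst.name, leg1)
        recovered = xor_bytes(leg2, dst.pad.take(len(leg2)))
        return leg1, leg2, recovered


def demo(message: bytes = b"grid telemetry: PMU-7 phase angle 12.4 deg") -> dict:
    """Relay one constructed message A -> hub -> B and report what each party saw."""
    hub = Hub()
    alice, bob = Spoke("A", hub), Spoke("B", hub)
    leg1, leg2, recovered = alice.send(bob, message)
    return {
        "delivered": recovered == message,
        "leg1_hides_plaintext": leg1 != message,  # a tap on A->hub sees only pad output
        "leg2_hides_plaintext": leg2 != message,
        "hub_saw_plaintext": message in hub.observed,
        "pad_left_A": alice.pad.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

Running out of pad raises rather than reusing bytes, since reusing a one-time pad is what breaks it.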
Tomi Engdahl says:
U.S. Says China’s Government, Military Used Cyberespionage
http://online.wsj.com/article_email/SB10001424127887323687604578467442670389684-lMyQjAxMTAzMDAwNjEwNDYyWj.html
The Chinese government has targeted U.S. government computer systems for intrusion, the Pentagon said Monday in a more direct accusation of cyberespionage than the U.S. has made in the past.
The report said China’s cyberespionage was designed to benefit China’s defense and technology industry and to gain insight into U.S. policy makers’ thinking on China.
“China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs,” according to the report, an annual assessment prepared at the direction of Congress.
“China is going back to its historical role in the world. Put in simpler terms it means China is expanding its influence into other areas,” said Anthony Cordesman, a defense analyst at the Center for Strategic and International Studies.
Tomi says:
This Is the Most Detailed Picture of the Internet Ever (and Making it Was Very Illegal)
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
An anonymous researcher with a lot of time on his hands apparently shares the sentiment. In a newly published research paper, this unnamed data junkie explains how he used some stupid simple hacking techniques to build a 420,000-node botnet that helped him draw the most detailed map of the Internet known to man. Not only does it show where people are logging in, it also shows changes in traffic patterns over time with an impressive amount of precision. This is all possible, of course, because the researcher hacked into nearly half a million computers so that he could ping each one, charting the resulting paths in order to make such a complex and detailed map. Along those lines, the project has as much to do with hacking as it does with mapping.
The resultant map isn’t perfect, but it is beautiful. Based on the parameters of the researcher’s study, the map is already on its way to becoming obsolete, since it shows only devices with IPv4 addresses. (The latest standard is IPv6, but IPv4 is still pretty common.) The map is further limited to Linux-based computers with a certain amount of processing power. And finally, because of the parameters of the hack, it shows some amount of bias towards naive users who don’t put passwords on their computers.
The research also serves as another much-needed warning about Internet security. “A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did,” says the report. “Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.”
It’s entirely unclear if anybody will actually pursue this anonymous hacker for violating however many laws he violated. But data scientists are excited about the results regardless.
Tomi says:
Hackers Aren’t Going to Hijack Your Plane with a Smartphone
http://motherboard.vice.com/blog/hackers-arent-going-to-hijack-your-plane-with-a-smartphone
A talk given by a security consultant at the Hack In The Box conference in Amsterdam has been making waves for a couple days now, largely because it made bold claims: Hugo Teso, who’s also a trained commercial pilot, said he’d developed a way to hijack airplanes (as in take over their flight controls) by attacking the plane’s systems wirelessly using an Android app he developed.
Sending erroneous plane signatures to screw with traffic control, or even spreading false weather reports, would be a big problem. Even a few could be cause for distrust within the system, which would make it pretty much useless. That on its own may be realistic, but the holes are there. But will a hacker fly your jet into the ground like a remote control plane? I wouldn’t worry about it.
Tomi Engdahl says:
Twitter’s Password Fails
http://www.f-secure.com/weblog/archives/00002550.html
Twitter should stop validating e-mail addresses in its password reset form.
And then, discriminate between using e-mail and username. If an account is accessed with the username — don’t provide access to the account settings! The e-mail address (alias) could then be used only by account “administrators”.
Discriminating between e-mail and username — a way to distinguish between “admins” and “users”.
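Both suggestions in this comment as working code, added here and not Twitter’s implementation: a reset form whose reply never confirms whether an address is registered, and a login that unlocks account settings only when the account was identified by its e-mail alias. The account directory, passwords and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Added example, not Twitter's code: a password-reset form that gives the same
# answer whether or not the address is registered, and a login that grants
# account-settings access only when the account was identified by its e-mail
# address, as suggested above. Accounts and passwords are constructed.

PBKDF2_ROUNDS = 100_000
RESET_RESPONSE = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(username: str, email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"username": username, "email": email.lower(),
            "salt": salt, "pw_hash": hash_password(password, salt)}


# Constructed directory; a real service would query a database instead.
ACCOUNTS = [make_account("alice", "alice@example.com", "correct horse battery")]
# Dummy record so a login for an unknown identifier still costs one hash,
# which keeps response time from revealing whether the account exists.
_DUMMY = make_account("", "", secrets.token_hex(16))


def identifier_kind(identifier: str) -> str:
    return "email" if "@" in identifier else "username"


def find_account(value: str, kind: str) -> Optional[dict]:
    value = value.lower() if kind == "email" else value
    for acct in ACCOUNTS:
        if acct[kind] == value:
            return acct
    return None


def request_password_reset(email: str, outbox: List[dict]) -> str:
    """Never validate the address to the caller: the reply is identical for
    known and unknown addresses, so the form cannot be used to enumerate
    accounts. A reset token is queued only for a registered address."""
    acct = find_account(email, "email")
    if acct is not None:
        outbox.append({"to": acct["email"], "token": secrets.token_urlsafe(32)})
    return RESET_RESPONSE


def login(identifier: str, password: str) -> Optional[dict]:
    kind = identifier_kind(identifier)
    acct = find_account(identifier, kind)
    target = acct if acct is not None else _DUMMY
    ok = hmac.compare_digest(hash_password(password, target["salt"]), target["pw_hash"])
    if acct is None or not ok:
        return None
    # Signing in with the public username yields an ordinary session; only the
    # e-mail alias (the "administrator" identifier) unlocks account settings.
    return {"user": acct["username"], "settings_access": kind == "email"}


if __name__ == "__main__":
    sent: List[dict] = []
    print(request_password_reset("nobody@example.com", sent), len(sent))
    print(login("alice", "correct horse battery"))
    print(login("alice@example.com", "correct horse battery"))
```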
Tomi Engdahl says:
FTC warns data brokers on privacy rules
http://www.washingtonpost.com/business/technology/ftc-warns-data-brokers-on-privacy-rules/2013/05/07/2e152c16-b748-11e2-92f3-f291801936b8_story.html
Federal officials have intensified their scrutiny of the data brokerage industry by issuing a series of formal letters in recent days alerting companies that they may be violating federal restrictions on the collection and sale of personal information.
The letters to 10 companies — ranging from firms that compile consumer lists for credit offers to a Web site that helps parents screen potential nannies — amounted to warning shots at a large and fast-growing industry that gathers personal information and markets it to a variety of customers.
The Federal Trade Commission is probing whether some of these practices violate the Fair Credit Reporting Act, which regulates how private companies can use personal information.
“It’s the initial sparks in what’s likely to become the next battle in privacy,” said Jeff Chester, executive director of the Center for Digital Democracy. “They may be using people’s data in new ways, but they could cross old laws.”
Tomi Engdahl says:
Unknown attackers took down the Finnish tax authority’s web service
The outage of the Tax Administration’s online service on Tuesday morning was attributed to a denial of service attack, CIO Markku Heikura told Tietoviikko. Because of the attack, the service was affected for about half an hour.
“Someone is trying to take our site down. The attacks were the same as last fall’s denial of service attack on the tax account service,”
In the afternoon the tax service crashed for a second time. That was caused by a system error.
Source: http://www.tietoviikko.fi/kaikki_uutiset/tuntemattomat+hyokkaajat+kaatoivat+verottajan+nettipalvelun/a900298?s=r&wtm=tietoviikko/-08052013&
Tomi Engdahl says:
Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd
http://apache.slashdot.org/story/13/05/09/003236/backdoor-targeting-apache-servers-spreads-to-nginx-lighttpd
“Last week’s revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning”
“the backdoor also infects sites running the nginx and Lighttpd webservers”
Tomi Engdahl says:
Backdoor targeting Apache servers spreads to nginx, Lighttpd
http://www.net-security.org/secworld.php?id=14882
Last week’s revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning – Eset’s continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers.
And while Apache is definitely the most widely used of the three, nginx has also cornered a considerable portion of the market (around 15 percent).
The AV company’s researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world’s most popular and visited websites.
“The Linux/Cdorked.A threat is even more stealthy than we first thought: By analyzing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian,” the researchers pointed out.
The Cdorked backdoor uses compromised DNS servers to resolve the IP addresses of redirected sites.
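A consequence of the language and IP-range conditions described above is that one request from an analyst’s workstation proves nothing; a check has to fetch the same URL under several Accept-Language values (and ideally from several networks) and compare the answers. The probe below is an added example, not ESET’s tooling; `fake_fetch` and `clean_fetch` are constructed stand-ins for a real HTTP client, and the redirect target is a placeholder.

```python
from typing import Callable, Dict, List, Tuple

# Added example, not ESET's tooling: a probe for the conditional redirect
# described above. fake_fetch mimics the quoted behaviour of an infected host
# (clean page for exempt browser languages, redirect for everyone else);
# clean_fetch is a constructed healthy server. Redirect target is a placeholder.

Response = Tuple[int, Dict[str, str]]            # (status code, response headers)
Fetcher = Callable[[str, Dict[str, str]], Response]

# Browser languages the article says the backdoor leaves alone.
EXEMPT_LANGUAGES = {"ja", "fi", "ru", "uk", "kk", "be"}


def primary_language(accept_language: str) -> str:
    """'fi-FI,fi;q=0.8,en;q=0.5' -> 'fi'."""
    return accept_language.split(",")[0].split(";")[0].split("-")[0].strip().lower()


def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed server behaving like an infected host."""
    if primary_language(headers.get("Accept-Language", "en")) in EXEMPT_LANGUAGES:
        return 200, {"Content-Type": "text/html"}
    return 302, {"Location": "http://redirect.invalid/placeholder"}


def clean_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed server that answers every visitor the same way."""
    return 200, {"Content-Type": "text/html"}


def probe_cloaking(fetch: Fetcher, url: str, languages: List[str]) -> dict:
    """Fetch url once per Accept-Language value and report whether the
    status or redirect target differs between otherwise identical requests."""
    per_language: Dict[str, Tuple[int, str]] = {}
    for lang in languages:
        status, hdrs = fetch(url, {"Accept-Language": lang,
                                   "User-Agent": "Mozilla/5.0 (probe)"})
        per_language[lang] = (status, hdrs.get("Location", ""))
    distinct = set(per_language.values())
    redirected = sorted(l for l, (_, loc) in per_language.items() if loc)
    return {
        "url": url,
        "per_language": per_language,
        "redirected_languages": redirected,
        # Uniform answers (everyone redirected, or nobody) are not evidence of
        # cloaking; divergence across identical requests is the signal.
        "cloaking_suspected": len(distinct) > 1,
    }


if __name__ == "__main__":
    langs = ["en-US", "de", "fi-FI,fi;q=0.8", "ru", "ja"]
    print(probe_cloaking(fake_fetch, "http://site.invalid/", langs))
    print(probe_cloaking(clean_fetch, "http://site.invalid/", langs))
```

Run the same probe from more than one network, since the backdoor also keys on the visitor’s IP range.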
Tomi says:
Tool reveals Apple user locations
http://www.scmagazine.com.au/News/342593,tool-reveals-apple-user-locations.aspx
A Melbourne-based researcher has created a tool which uses Apple’s location services, combined with data iPhones and iPads disclose when they join wifi networks, to potentially reveal where users live.
The tool works by accessing Apple’s database of wireless access points, which is collected by iPhones and iPads that have GPS and wifi location services enabled.
Most iPhones and iPads regularly submit information about access points within range to Apple, regardless of whether users connect to them.
Apple uses this ‘crowd-sourced’ data to run its location services, however the location database is not meant to be public.
His proof of concept Python application, iSniff GPS, uses this process to allow users to view maps of nearby access points.
“You can send Apple a single MAC address of a wifi router and they will send back a result set including the GPS coordinates of that MAC address and about 400 others,” Seiwert said.
Tomi says:
Use These Secret NSA Google Search Tips to Become Your Own Spy Agency
http://www.wired.com/threatlevel/2013/05/nsa-manual-on-hacking-internet/?cid=7829534
There’s so much data available on the internet that even government cyberspies need a little help now and then to sift through it all. So to assist them, the National Security Agency produced a book to help its spies uncover intelligence hiding on the web.
The 643-page tome, called Untangling the Web: A Guide to Internet Research (.pdf), was just released by the NSA following a FOIA request. It is filled with advice for using search engines, the Internet Archive and other online tools. But the most interesting is the chapter titled “Google Hacking.”
Tomi Engdahl says:
Kaspersky inks a deal with Qualcomm to improve Android security
Says lower level OS work is needed
http://www.theinquirer.net/inquirer/news/2262217/kaspersky-inks-a-deal-with-qualcomm-to-improve-android-security
SECURITY FIRM Kaspersky Lab has signed an agreement with chip designer Qualcomm to improve security at “the lower level” of a smartphone’s mobile operating system (OS).
Kaspersky told The INQUIRER that it has agreed to offer “special terms” for preloading Kaspersky Mobile Security and Kaspersky Tablet Security products on Android devices powered by Qualcomm Snapdragon processors.
“We are trying to build relationships with some vendors in the mobile world – a main one for us is Qualcomm – we are talking with them about incorporating security in the lower level operating system,” Grebenikov said.
“For example, [vendors] cannot protect against malware which is divided into several pieces and each is not malicious itself but when installed all together they will have a malicious functionality.”
Tomi Engdahl says:
Cloud services’ security concerns IT managers
Almost 70 per cent of the respondents feel that the consumer cloud services in use constitute a risk to the company’s confidential information.
About half (51 percent) of chief information officers were of the opinion that cloud services will raise the general level of security awareness.
Almost half (45 per cent) of the respondents indicated that they do not fully trust the cloud service providers’ information security processes and practices, and do not believe them to be sufficient to meet the security requirements of their company.
Less than half (46 percent) of respondents reported that their organizations provided their employees with training on the safe use of cloud services and of data stored in the cloud.
42 per cent did not know whether confidential information in the cloud is handled in accordance with regulatory requirements.
Source: http://www.tietoviikko.fi/kaikki_uutiset/pilvipalveluiden+tietoturva+huolestuttaa+tietohallintojohtajia/a900972?s=r&wtm=tietoviikko/-13052013&
Tomi Engdahl says:
Biometrics
A heart to my key
http://www.economist.com/blogs/babbage/2013/05/biometrics
IN “SKYFALL”, the latest James Bond movie, 007 is given a gun that only he can fire. It works by recognising his palm print, rendering it impotent when it falls into a baddy’s hands. Like many of Q’s more fanciful inventions, the fiction is easier to conjure up than the fact. But there is a real-life biometric system that would have served Bond just as well: cardiac-rhythm recognition.
Anyone who has watched a medical drama can picture an electrocardiogram (ECG)—the five peaks and troughs, known as a PQRST pattern (see picture), that map each heartbeat. The shape of this pattern is affected by such things as the heart’s size, its shape and its position in the body. Cardiologists have known since 1964 that everyone’s heartbeat is thus unique, and researchers around the world have been trying to turn that knowledge into a viable biometric system. Until now, they have had little success. One group may, though, have cracked it.
Foteini Agrafioti of the University of Toronto and her colleagues have patented a system which constantly measures a person’s PQRST pattern, confirms this corresponds with the registered user’s pattern, and can thus verify to various devices that the user is who he says he is. Through a company called Bionym, which they have founded, they will unveil it to the world in June.
Bionym’s first plan was to sell just the heart-identification software, in the hope manufacturers of phones, tablets and the like would embed into their devices a sensor that could use it.
Biometric recognition systems, from hand geometry, via face recognition and fingerprints, to iris recognition, are becoming more common.
ECGs are also difficult to clone.
An elevated heartbeat does not change the shape of an ECG, just its frequency. And five years’ data collected by Dr Agrafioti’s group suggest age does not change it much either.
There is always the question, of course, of whether people will want to wear the wristband. But that might be dealt with by the development of smart watches that do lots of other things as well. Several large companies are thought to be working on these.
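The verification step the article describes (measure a PQRST beat, confirm it matches the enrolled pattern, and tolerate a faster heart rate because only the beat length changes, not its shape) as an added example; this is not Bionym’s algorithm. Beats are synthesised from Gaussian bumps rather than real ECG data, and the 0.95 acceptance threshold is an assumption.

```python
import math
from typing import List, Tuple

# Added example, not Bionym's algorithm or code: a minimal PQRST template match.
# Beats are synthesised from Gaussian bumps (constructed, not real ECG data).
# A probe beat is first stretched to the enrolled template's length, which is
# how a faster heart rate (same shape, shorter beat) is neutralised.

Bump = Tuple[float, float, float]   # (centre as fraction of beat, width, amplitude)

# Constructed "enrolled" PQRST morphology and a constructed different person.
USER_PQRST: List[Bump] = [(0.15, 0.03, 0.15), (0.33, 0.012, -0.10),
                          (0.36, 0.02, 1.0), (0.39, 0.012, -0.20), (0.60, 0.05, 0.30)]
OTHER_PQRST: List[Bump] = [(0.22, 0.04, 0.20), (0.46, 0.012, -0.15),
                           (0.49, 0.02, 0.90), (0.52, 0.015, -0.35), (0.75, 0.05, 0.25)]


def synth_beat(bumps: List[Bump], n_samples: int) -> List[float]:
    """One beat sampled at n_samples points; fewer samples = faster heart rate."""
    out = []
    for i in range(n_samples):
        t = i / (n_samples - 1)
        out.append(sum(a * math.exp(-((t - c) ** 2) / (2 * w * w)) for c, w, a in bumps))
    return out


def resample(signal: List[float], m: int) -> List[float]:
    """Linear interpolation to m samples so beats of different lengths align."""
    n = len(signal)
    out = []
    for j in range(m):
        x = j * (n - 1) / (m - 1)
        i = min(int(x), n - 2)
        f = x - i
        out.append(signal[i] * (1 - f) + signal[i + 1] * f)
    return out


def pearson(a: List[float], b: List[float]) -> float:
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def match_score(template: List[float], probe: List[float]) -> float:
    return pearson(template, resample(probe, len(template)))


def verify(template: List[float], probe: List[float], threshold: float = 0.95) -> bool:
    """Accept only a probe whose rate-normalised shape correlates strongly with
    the enrolled template; the threshold is an assumption, not a published value."""
    return match_score(template, probe) >= threshold


if __name__ == "__main__":
    enrolled = synth_beat(USER_PQRST, 200)
    print(match_score(enrolled, synth_beat(USER_PQRST, 120)))   # same heart, faster rate
    print(match_score(enrolled, synth_beat(OTHER_PQRST, 200)))  # different heart
```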
Tomi Engdahl says:
Cyber caper: behind the scenes of the $45 million global ATM heist
http://www.theverge.com/2013/5/13/4326336/cyber-caper-behind-the-scenes-of-the-45-million-atm-heist
Hackers coordinated with cells on the ground to carry out a precise, sophisticated attack
The man in the black beanie was part of a sophisticated “Unlimited Operation,” according to prosecutors in New York. Hackers allegedly broke into the computer systems of at least two credit card processing companies, stole prepaid debit card account numbers and programmed them with astronomical balances. Normally, prepaid debit cards are capped according to how much the customer paid for the card; the hackers essentially created infinite cards.
Map of Reyes’ alleged route withdrawing money from ATMs on February 19th. The numbers indicate the ATM cameras that allegedly captured him, in order. Source: US Attorney, Eastern District of New York
The account numbers were then emailed or texted to accomplices on the ground, who used a device called a “skimmer” to encode the account numbers onto the magnetic stripes of dummy cards. The groundlings then went on a withdrawal spree, hitting as many ATMs as they could in a matter of hours, while the hackers watched the transactions from behind remote screens, in real time. Between two tightly-coordinated heists, the shadowy criminal ring netted nearly $45 million in cash.
“The cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as ‘Unlimited Operations,’”
“They became a virtual criminal flash mob, going from machine to machine, drawing as much money as they could, before these accounts were shut down,” US attorney Loretta Lynch said at a press conference.
The hackers targeted specific financial service providers, according to the indictment, suggesting that they were aware of some security vulnerability.
This isn’t the first time hackers have ripped off ATMs for millions of dollars. Cyberattacks have resulted in hackers taking $2 million from European ATMs in 46 cities and tens of millions of dollars were stolen from 12 European banks just in the last year, according to research by Symantec.
The vulnerability that led to the hacks appears to have something to do with the complicated, fragmented system that relies on many providers to get customers cash on demand.
“There’s an increasing sophistication,”
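Two issuer-side checks that would surface the pattern described above (balances inflated beyond what was ever loaded, and a card hitting machine after machine within hours), as an added example that is not code from any bank, processor or the investigation. The funded balances, ATM ids, thresholds and log lines are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not code from any bank, processor or the investigation: two
# issuer-side checks over an authorization log for the "Unlimited Operation"
# pattern described above. Balances, ATM ids, thresholds and log lines are
# constructed.

# What the customer actually paid onto each prepaid card (the issuer's record,
# independent of whatever balance a compromised processor reports).
FUNDED_BALANCE: Dict[str, float] = {"4111-0001": 500.00, "4111-0002": 300.00}

# Constructed authorization log: timestamp card atm amount
AUTH_LOG = """\
2013-02-19T15:02:00Z 4111-0001 ATM-NYC-014 500.00
2013-02-19T15:06:00Z 4111-0001 ATM-NYC-022 500.00
2013-02-19T15:11:00Z 4111-0001 ATM-NYC-031 500.00
2013-02-19T15:15:00Z 4111-0001 ATM-NYC-007 500.00
2013-02-19T15:20:00Z 4111-0001 ATM-NYC-045 500.00
2013-02-19T15:24:00Z 4111-0001 ATM-NYC-052 500.00
2013-02-19T15:29:00Z 4111-0001 ATM-NYC-060 500.00
2013-02-19T15:33:00Z 4111-0001 ATM-NYC-063 500.00
2013-02-19T16:10:00Z 4111-0002 ATM-NYC-003 200.00
"""

Event = Tuple[datetime, str, str, float]


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, card, atm, amount = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), card, atm, float(amount)))
    return sorted(events)


def overdrawn_cards(events: List[Event]) -> Dict[str, float]:
    """Check 1: a prepaid card can never pay out more than was loaded onto it,
    whatever balance the processor's (possibly tampered) record shows."""
    totals: Dict[str, float] = defaultdict(float)
    for _, card, _, amount in events:
        totals[card] += amount
    return {c: t for c, t in totals.items() if t > FUNDED_BALANCE.get(c, 0.0)}


def velocity_alerts(events: List[Event], window: timedelta = timedelta(hours=1),
                    max_atms: int = 5, max_amount: float = 2000.0) -> Dict[str, dict]:
    """Check 2: flag a card the first time a sliding window holds more than
    max_atms distinct machines or more than max_amount in withdrawals."""
    by_card: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_card[ev[1]].append(ev)
    alerts: Dict[str, dict] = {}
    for card, evs in by_card.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            atms = {e[2] for e in win}
            total = sum(e[3] for e in win)
            if len(atms) > max_atms or total > max_amount:
                alerts[card] = {"distinct_atms": len(atms), "amount": total,
                                "at": evs[end][0].isoformat()}
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    print(overdrawn_cards(evs))
    print(velocity_alerts(evs))
```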
Tomi Engdahl says:
Drugstore Cowboy
http://www.wired.com/threatlevel/2013/05/google-pharma-whitaker-sting/all/
Meet the career con man who made a fortune selling illegal pharmaceuticals online—and pulled off a federal sting that forced Google to pay $500 million.
That’s what Whitaker was now: a cooperator. It felt surreal. One year ago he was in Mexico, living the most fulfilling life he’d ever known in his chaotic, troubled years on the planet. He had been bringing in obscene amounts of money by selling black-market steroids and human growth hormone online.
For a while he bottled sterile water in 1-milliliter vials, marketed it as a steroid called Dutchminnie, and sold it for $1,000 a pop.
The Feds asked him how he had grown his online enterprise. Whitaker’s answer was immediate: He had used Google AdWords. In fact, he claimed, Google employees had actively helped him advertise his business, even though he had made no attempt to hide its illegal nature. It was reasonable to assume, Whitaker said, that Google was helping other rogue Internet pharmacies too.
If true, this would be a bombshell. This was Google, after all.
The chance to go after the almighty Google was too juicy to dismiss. But even if Whitaker were telling the truth—a big if—how could he prove that this was official Google policy rather than the actions of a few amoral individuals?
“I want to be the largest steroids dealer in the US,” Whitaker told the Google rep.
SportsDrugs.net.
The site was blatantly illegal. Indeed, an IRS agent had designed it to look as sketchy as possible.
Google rejected the site and wouldn’t allow him to advertise it.
So the agents instructed Whitaker to ask his Google rep a single question over and over again: How can I make this site acceptable to Google?
The rep agreed to help. One of the reasons SportsDrugs.net had been rejected, the rep explained, was that it was too explicit. So Whitaker renamed the site NotGrowingOldEasy.com.
after being stripped of even more drug imagery so it had a “softer” feel, NotGrowingOldEasy.com finally passed Google’s review on the third try.
as far as Google knew, Whitaker still intended to sell the same drugs. And when a new Google rep was assigned to help
NextDayProgram.org was designed to be as explicit as possible.
Despite the site’s open promise to sell RU-486, it passed Google’s policy review on its first try, without any objections.
Whitaker kept designing new sites, working with different Google account reps to advertise ever sketchier online businesses.
Reich ended up lobbying for him to receive the shortened prison term, describing Whitaker’s cooperation as “rather extraordinary.”
Google settled with the government in August 2011, agreeing to pay a $500 million corporate forfeiture that was one of the biggest in US history at the time. As part of the agreement, the company acknowledged that it had helped presumably Canadian online pharmacies use AdWords as early as 2003, that it knew US customers were buying drugs through these ads, that advertisers were selling drugs without requiring prescriptions, and that Google employees actively helped advertisers circumvent their own pharmaceutical policies and third-party verification services.
Tomi Engdahl says:
McAfee all-in-one security suite covers PCs, tablets, and smartphones
Put your passport and ID docs in the cloud
http://www.theregister.co.uk/2013/05/15/mcafee_livesafe/
McAfee has launched an all-in-one cross-platform security suite for consumers that incorporates online storage through biometric authentication as well as a host of other security technologies. Equally importantly, the Intel security division is trying to shake up the way security software is sold to consumers.
The McAfee LiveSafe service features a cloud-based “safety deposit box” – Personal Locker – that allows online users to store their most sensitive documents, including financial records and copies of IDs and passports, providing they fit into the 1GB allocated storage space. Users would access their documents through biometric authentication – using voice, face, and device recognition technologies.
This is delivered through Intel Identity Protection Technology, a tamper-resistant hardware authentication mechanism, built into the latest Intel processors.
The cross-device service offers protection for a user’s PCs, Macs, smartphones, and tablets against the latest malware and spam, along with a host of other security technologies, including McAfee Anti-Theft. This aspect of the technology gives consumer the means to remotely lock, disable or wipe a device as well as an ability to recover some data if a device gets either lost or stolen.
The LiveSafe service will be offered from July 2013 at a special introductory price of £19.99 with the purchase of selected new PCs or tablets. LiveSafe will come preinstalled on Ultrabook devices and PCs from Dell starting on June 9. By contrast, a 12-month subscription for consumers’ existing PCs and tablets will cost £79.99.
Tomi says:
Marlinspike: Saudi mobe network tried to recruit me to sniff citizens’ privates
Gov plans to probe tweets, chat, claims crypto guru
http://www.theregister.co.uk/2013/05/14/saudi_arabia_misfiring_surveillance_recruitment_pitch/
Claims that a Saudi mobile network is attempting to spy on citizens emerged after the telco apparently tried to recruit top cryptographer Moxie Marlinspike – who promptly went public.
The cryptography expert and former hacker, who left Twitter’s security team in January, said he had been asked to help Mobily in its state-backed project to monitor encrypted chat sent by Twitter, Viber, WhatsApp and other third-party smartphone natter apps.
Mobily, one of two telecom operators in Saudi Arabia, is believed to be under pressure from a regulator within the kingdom to wiretap the aforementioned apps. Its bosses, it is claimed, sought technical knowhow from Marlinspike, who created a tool that intercepted secure web traffic to highlight shortcomings in HTTPS and SSL.
But the expert would have been a rather poor recruitment target: he co-founded Whisper Systems, a company which provided free encrypted cellphone comms technology to dissidents in Egypt during the time of the Arab Spring uprising. And he devised the Convergence SSL system to strengthen the bedrock of cryptography HTTPS web browsing is built on.
“What Mobily is up to is what’s happening everywhere, and we can’t ignore that.”
Tomi Engdahl says:
Is It Wrong to Use Data From the World’s First ‘Nice’ Botnet?
http://www.wired.com/wiredenterprise/2013/05/internet_census/
When Morgan Marquis-Boire heard about the Internet Census 2012, he was excited.
Marquis-Boire, a Google engineer by day, spends his spare time looking for state-sponsored spyware, and here was something new that he could use. The Internet Census was the result of a massive and unprecedented internet scan that compiled data on about 1.3 billion Internet Protocol addresses.
As quickly as possible, he downloaded the Census’s 9 terabytes of data and discovered something that nobody had seen before. FinFisher, a spyware program that had been used to spy on dissidents from Bahrain and Ethiopia, was being used in many more countries than people had previously realized.
Marquis-Boire had done his own Internet mapping in the past, and found FinFisher running in 25 countries.
Because the Internet Census had so many different vantage points — 420,000 in total — it offered a unique look at the computers on many different networks. And it showed that FinFisher servers were running in 11 new countries including Austria, Pakistan and South Africa.
But there was a problem. The Internet Census was illegal. Somebody — nobody knows exactly who — had built a network of hacked computers called the Carna botnet to generate the data.
In his paper describing how the Carna botnet worked, the anonymous researcher said that one of his guiding principles was: “Be Nice”.
And today, not everyone is sure that the data it compiled should be used, at least in the academic community of researchers who map out the internet. “It seems like there’s a lot of conflict within the community about whether it’s right to use this data because it was gathered in a way that was unethical,”
In fact, the U.S. Department of Homeland Security has already bankrolled some study of these ethical questions. In 2012, Claffy and a group of academics created their own version of the Belmont report. Called the Menlo Report, it’s a first step toward spelling out the ethical principles that should govern this type of Internet research.
“Today there is not a hard and fast rule that would make the Carna botnet data unacceptable,” says John Heidemann, an academic researcher who has been building maps of the internet since 2006
Tomi Engdahl says:
Deep packet inspection–Use cases, requirements and architectures—Part I
http://www.eetimes.com/design/industrial-control/4414474/Deep-packet-inspection-Use-cases–requirements-and-architectures-Part-I?Ecosystem=communications-design
Deep packet inspection, or DPI, is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for defined criteria to decide what, if any, action should be taken by the network on that packet.
A classified packet may be redirected, marked/tagged, blocked, rate limited, or reported to a reporting agent in the network. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.
Typical identification parameters include source and destination IP and ports. Some devices support far deeper inspection of packets to examine the metadata of protocols used and may use these for reporting and classification.
DPI enables a range of network services including network optimization, flow inspection, data flow management, security and application monitoring. These services may be called many things
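As an added example (not code from the EE Times article or from any DPI product), here is a small Go inspection point built along the lines the article describes: it parses IPv4/TCP packets into five-tuple flows, fingerprints the application protocol from the payload, and decides allow/report/rate-limit/block from accumulated flow state. The policy thresholds, the constructed block signature and the packet builder are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
	"strings"
)

// FlowKey is the five-tuple ("source and destination IP and ports") that groups packets into flows.
type FlowKey struct{ SrcIP, DstIP string; SrcPort, DstPort uint16 }

// FlowState accumulates across a flow's packets; AppProto stays "" until the payload is identified.
type FlowState struct{ Packets, Bytes int; AppProto string }

// Action is the decision the inspection point takes for a packet.
type Action string

const Allow, Block, RateLimit, Report Action = "allow", "block", "rate-limit", "report"

// ParseIPv4TCP extracts the five-tuple and payload from a raw IPv4+TCP packet, honouring the
// IHL and TCP data-offset fields. Checksums are not verified; a real inspection point would.
func ParseIPv4TCP(b []byte) (FlowKey, []byte, error) {
	if len(b) < 20 || b[0]>>4 != 4 {
		return FlowKey{}, nil, errors.New("not an IPv4 packet")
	}
	ihl := int(b[0]&0x0f) * 4
	if ihl < 20 || len(b) < ihl+20 || b[9] != 6 {
		return FlowKey{}, nil, errors.New("bad IP header, truncated, or not TCP")
	}
	tcp := b[ihl:]
	doff := int(tcp[12]>>4) * 4
	if doff < 20 || len(tcp) < doff {
		return FlowKey{}, nil, errors.New("bad TCP data offset")
	}
	key := FlowKey{SrcIP: net.IP(b[12:16]).String(), DstIP: net.IP(b[16:20]).String(),
		SrcPort: binary.BigEndian.Uint16(tcp[0:2]), DstPort: binary.BigEndian.Uint16(tcp[2:4])}
	return key, tcp[doff:], nil
}

// identifyApp is the "deeper inspection" step: fingerprint the application protocol from the payload.
func identifyApp(payload []byte) string {
	s := string(payload)
	if strings.HasPrefix(s, "GET ") || strings.HasPrefix(s, "POST ") || strings.HasPrefix(s, "HEAD ") {
		return "http"
	}
	return ""
}

// Inspector keeps per-flow state plus a small constructed policy (not any real product's rules).
type Inspector struct {
	Flows          map[FlowKey]*FlowState
	RateLimitBytes int    // flows above this many payload bytes are rate-limited
	BlockSignature string // constructed payload signature that is blocked outright
}

func NewInspector() *Inspector {
	return &Inspector{Flows: map[FlowKey]*FlowState{}, RateLimitBytes: 1500, BlockSignature: "EXAMPLE-BAD-BEACON"}
}

// Inspect classifies one parsed packet, updates its flow, and returns the action together with the
// flow state, so control actions driven by accumulated flow information (not just this packet) are visible.
func (in *Inspector) Inspect(key FlowKey, payload []byte) (Action, FlowState) {
	st, ok := in.Flows[key]
	if !ok {
		st = &FlowState{}
		in.Flows[key] = st
	}
	st.Packets++
	st.Bytes += len(payload)
	if st.AppProto == "" {
		st.AppProto = identifyApp(payload)
	}
	text := string(payload)
	switch {
	case strings.Contains(text, in.BlockSignature):
		return Block, *st
	case st.AppProto == "http" && strings.Contains(text, "Authorization: Basic "):
		return Report, *st // cleartext credentials in transit: report to the operator, do not drop
	case st.Bytes > in.RateLimitBytes:
		return RateLimit, *st
	}
	return Allow, *st
}

// BuildIPv4TCP constructs test packets (no options, zero checksums) so the example runs offline.
func BuildIPv4TCP(src, dst string, sport, dport uint16, payload []byte) []byte {
	b := make([]byte, 40+len(payload))
	b[0], b[8], b[9], b[32] = 0x45, 64, 6, 5<<4 // version/IHL, TTL, protocol TCP, TCP data offset
	binary.BigEndian.PutUint16(b[2:4], uint16(len(b)))
	copy(b[12:16], net.ParseIP(src).To4())
	copy(b[16:20], net.ParseIP(dst).To4())
	binary.BigEndian.PutUint16(b[20:22], sport)
	binary.BigEndian.PutUint16(b[22:24], dport)
	copy(b[40:], payload)
	return b
}
```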
Tomi Engdahl says:
Homeland Security cuts off Dwolla bitcoin transfers
http://news.cnet.com/8301-13578_3-57584511-38/homeland-security-cuts-off-dwolla-bitcoin-transfers/
Immigration and Customs Enforcement confirms an “ongoing investigation” that led to Dwolla cutting off bitcoin transfers to Mt. Gox
The U.S. Department of Homeland Security confirmed it has initiated legal action that prompted the Dwolla payment service to stop processing bitcoin transactions.
Tomi Engdahl says:
Bitcoins, Wikileaks, 3D printers, PGP and the gov’s battle against information
http://pandodaily.com/2013/05/13/bitcoins-wikileaks-3d-printers-pgp-and-the-govs-battle-against-information/
The U.S. government has a hard enough time parrying foreign threats like terrorist groups and hostile nations but it’s the unfettered distribution of information in the form of software that could pose the greatest threat of all.
In the past few years we’ve seen the emergence of Wikileaks, Bitcoins and 3D printers – paradigm busters that resist regulation or control by outside forces. Each has the potential to make all of us a little bit freer.
Each also has its martyr, or at least a martyr in waiting.
The government can’t completely stop Bitcoins, Wikileaks, 3D printers and PGP either; it can only try to mitigate the threat they pose to its powers. It hasn’t been able to stamp out hackers, the ultimate information warriors, either, even though they have long been in the sights of federal prosecutors, with potential sentences far outstripping the seriousness of the crimes – if indeed the crimes actually took place.
Like its war on drugs, the government can try to make it more difficult for its citizens to procure information, incarcerate those it can catch, but if people want them, they’ll find a way to get them.
Tomi Engdahl says:
Social Media Pose New Riddle for CIA
http://online.wsj.com/article_email/SB10001424127887323398204578487173173371526-lMyQjAxMTAzMDEwNjExNDYyWj.html
Effective spycraft has long called for cover—a job, family or routine that would keep a government agent from drawing undue attention. Now, that calculation extends to spies’ use of social media.
Only in the past few years has the Central Intelligence Agency issued standardized guidelines on how to use social media, according to one former intelligence official. The line these guidelines draw appears to be thin: Revealing too much on Facebook and Twitter risks tipping too much to the other side. But given that social media use is becoming ubiquitous, revealing too little could also arouse suspicion.
“Technology is changing the spy business in so many different ways,” the ex-intelligence official said. “It’s very easy to find out a lot of information about people.”
The issue is particularly sensitive for young government employees who went to college when Facebook was already ubiquitous on campus. They are part of a generation that shares personal information more widely and rapidly than before.
“The rules had to catch up with the technology,”
Tomi Engdahl says:
Boffins find ‘scary radio attack’* against pacemakers
*Attack is actually ‘very difficult in real world’
http://www.theregister.co.uk/2013/05/20/rfi_interferes_with_pacemakers/
“The researchers found that they could use radio interference to send false heartbeat signals to the devices in controlled lab conditions. Theoretically, a false signal could inhibit needed pacing, or cause unnecessary defibrillation shocks.
“Experiments show that this would be very difficult to do in real world conditions, however.”
This would be unexceptional, except that pretty much every outlet to cover the story runs with a long boilerplate generalising the “hacker threat” we all live under before finally admitting that right now, an exploit would be a bit of a challenge.
The researchers suggest “solutions to help the sensors ensure that the signals they’re receiving are authentic. Software could ‘ping’ the cardiac tissue to determine whether the previous pulse came from the heart or from interference. If the source was not the heart, the software could raise a red flag.”
Tomi Engdahl says:
Apple Mobile Devices Cleared for Use on U.S. Military Networks
http://www.bloomberg.com/news/2013-05-17/apple-mobile-devices-cleared-for-use-on-u-s-military-networks.html
The Pentagon cleared Apple Inc. devices for use on its networks, setting the stage for the maker of iPhones and iPads to compete with Samsung Electronics Co. and BlackBerry for military sales.
The decision eventually may spur a three-way fight for a market long dominated by Waterloo, Ontario-based BlackBerry.
The Pentagon has depended on BlackBerrys, which have consistently received federal certification for protecting sensitive data.
Samsung
secure version of Google’s Android operating system
The Galaxy S4 released in April will be the first smartphone using the new system, known as Knox, according to Samsung.
Tomi Engdahl says:
Stonesoft’s Limnéll to HS: Finland could be a cyber diplomat
“I believe that in the cyber security world the window of opportunity is open for the next three years,” Stonesoft cyber security director Jarmo Limnéll says in Tuesday’s Helsingin Sanomat.
He estimated that the more states develop their own cyber attack capabilities, the greater the need for a cyber peace mediator. A cyber peace mediator would work in the same sense as conventional mediation: the parties would agree on one that is as neutral as possible and has the fewest links of its own.
Cyber attacks differ from conventional attacks in that governments do not take responsibility for them. Because of this, peace mediators could be more proactive.
Source: http://www.tietoviikko.fi/kaikki_uutiset/stonesoftin+limnll+hslle+suomi+voisi+olla+kyberdiplomaatti/a902911?s=r&wtm=tietoviikko/-21052013&
Tomi Engdahl says:
Chinese hackers who breached Google gained access to sensitive data, U.S. officials say
http://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html
Chinese hackers who breached Google’s servers several years ago gained access to a sensitive database with years’ worth of information about U.S. surveillance targets, according to current and former government officials.
The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies.
It’s unclear how much the hackers were able to discover.
“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,”
“If you think about this, this is brilliant counterintelligence,”
Microsoft now disputes that its servers had been compromised as part of the cyberespionage campaign that targeted Google and about 20 other companies.
The U.S. government has been concerned about Chinese hacking since at least the early 2000s, when network intrusions were discovered at U.S. energy labs and defense contractors.
“It is an absolute rule of thumb that the best counterintelligence tool isn’t defensive — it’s offensive. It’s penetrating the other service,”
Google did not disclose that breach publicly, but soon after detecting it, the company alerted the FBI, former officials said. Bureau officials told FBI Director Robert S. Mueller III, who briefed President Obama.
Tomi Engdahl says:
The man who ‘nearly broke the internet’
http://www.guardian.co.uk/technology/2013/may/20/man-accused-breaking-the-internet
Sven Olaf Kamphuis is accused of global cybercrime, but Spanish police found him in a squalid flat with his name on the letterbox
Kamphuis, 35, is one of the most controversial characters in the murky world of spam and hacking – deemed the internet’s public enemy number one by some, though others believe his reputation has been blown out of proportion by the grandstanding of his foes.
he allegedly masterminded a flurry of March internet attacks that the security company CloudFlare claimed “almost broke the internet”,
Kamphuis displayed a Napoleonic sense of grandeur. “He claimed he had diplomatic status,” said the Spanish police officer who led the operation, but asked not to be named. “He said he was the telecommunications minister and foreign minister of a place called the Cyberbunker Republic. He didn’t seem to be joking.”
Britain, the United States and Germany were all affected by the massive denial of service attacks that he launched.
“The van was fitted out as a mobile office from which he could launch his attacks.”
The result was what the New York Times called an attack of previously “unknown magnitudes”, producing a 300bn-bits-per-second data stream that targeted the British and Swiss-based anti-spam operator Spamhaus and its allies. This had reportedly blacklisted his CB3ROB/Cyberbunker company
the huge number of spammers he hosts has led even hacktivists sympathetic to his pro-Pirate party, Anonymous and Julian Assange’s stance to question his real activities.
If this was one of the most successful spammers in history, why was he living in a squalid flat and a camper van?
Tomi Engdahl says:
Utah Springs Surprise Tax on Massive NSA Data Center
http://www.wired.com/wiredenterprise/2013/05/nsa-tax/
The National Security Agency should complete construction of its 1 million square foot data center near Bluffdale, Utah, this year. As Wired first reported last year, its purpose is to intercept, analyze and store data passing through both domestic and foreign communications networks — including the e-mails, phone calls and Google search history of U.S. citizens.
Tomi Engdahl says:
FedRAMP seal of approval clears Amazon for more government work
http://gigaom.com/2013/05/20/fedramp-seal-of-approval-clears-amazon-for-a-lot-more-government-work/
Amazon Web Services can now claim a rare blessing among cloud providers: it has earned the FedRAMP accreditation that certifies that it has met a variety of security standards. That certification, which covers AWS GovCloud as well as Amazon’s other U.S. regions, should make it easier for state, local and government agencies to put workloads on Amazon’s public cloud infrastructure without having to jump through so many hoops.
FedRAMP, which stands for the Federal Risk and Authorization Management Program, “is a U.S. government-wide standardized approach to security assessment, authorization and monitoring,”
AWS now has both a FISMA (Federal Information Security Management Act) Moderate and a FedRAMP Moderate ranking. The latter designation means that “sensitive data” can be stored and managed on AWS infrastructure.
“This is a journey, a sliding scale. Sensitive data is a term of art used in government. Even more top secret categories of data require additional certifications,” Selipsky said.
To date, exactly one cloud provider — Autonomic Resources, a small North Carolina company — had earned the FedRAMP seal of approval from the General Services Administration. Now AWS is in the mix
Up to 15 providers are expected to clear FedRAMP hurdles this year with double that number expected to do so in 2014 when FedRAMP certification becomes mandatory
Tomi Engdahl says:
China abandoned “online war ceasefire” – the attacks continue
Chinese government hackers held a three-month “ceasefire” in their attacks against the United States, the New York Times’ sources say. Now the peace has ended. The situation is likely to start escalating.
The strategy paid off, but only for a moment, the New York Times says.
According to them, the Chinese military hacker unit located near Shanghai went into silent mode three months ago. The attacks stopped. The attackers even removed the spyware they had installed on the victims’ systems.
Security company Mandiant tells the New York Times that the hackers have now returned. They have struck partly at the same targets as before.
The return has followed the same pattern as before. The deleted malware has been restored and has once again infiltrated networks. The aim again appears to be information theft.
According to sources, the U.S. government expected this.
Source: http://www.tietokone.fi/uutiset/kiina_lopetti_nettisodan_tulitauon_hyokkays_jatkuu
Tomi Engdahl says:
Congressional Report: US Power Grid Highly Vulnerable To Cyberattack
http://hardware.slashdot.org/story/13/05/22/0155228/congressional-report-us-power-grid-highly-vulnerable-to-cyberattack
“Despite warnings that a cyberattack could cripple the nation’s power supply, a U.S. Congressional report (PDF) finds that power companies’ efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid.”
Tomi Engdahl says:
SAP touts service that sells customer data from phone firms
http://news.cnet.com/8301-1009_3-57585627-83/sap-touts-service-that-sells-customer-data-from-phone-firms/
The European maker of enterprise software would serve as a kind of middleman, analyzing data gathered by various wireless operators, selling results to marketers, and sharing the profits with the wireless companies.
Verizon Wireless already sells its customers’ mobile data to marketers. Now European enterprise-software giant SAP is taking things a step further by testing a service that will sell data collected by a number of wireless providers.
SAP announced its Consumer Insight 365 mobile service this week at the CTIA 2013 wireless show in Las Vegas. The service will, the company said in a release, pull data from SAP’s “extensive partner network” including “over 990 mobile operators;” aggregate and analyze it “without drilling down into user-specific information;” and make results available to subscribers through a Web portal.
SAP says its Mobile Services division works with more than 990 operators and 5.8 billion subscribers across 210 countries.
Tomi Engdahl says:
Research finds new channels to trigger mobile malware
May 16, 2013
http://phys.org/news/2013-05-channels-trigger-mobile-malware.html
(Phys.org) —Researchers at the University of Alabama at Birmingham (UAB) have uncovered new hard-to-detect methods that criminals may use to trigger mobile device malware that could eventually lead to targeted attacks launched by a large number of infected mobile devices in the same geographical area. Such attacks could be triggered by music, lighting or vibration.
“When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the Internet as vulnerable to malware attacks,”
A team of UAB researchers was able to trigger malware hidden in mobile devices from 55 feet away in a crowded hallway using music. They were also successful, at various distances, using music videos; lighting from a television, computer monitor and overhead bulbs; vibrations from a subwoofer; and magnetic fields.
“We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack,”
“While traditional networking communication used to send such triggers can be detected relatively easily, there does not seem to be a good way to detect such covert channels currently.”
Tomi Engdahl says:
Dutch citizens keep extra cash at hand following DDoS attacks
http://www.virusbtn.com/blog/2013/05_22.xml
Month-long attacks had significant impact.
25% of Dutch citizens have followed advice to keep extra cash at home, following a recent spate of DDoS attacks on Dutch banks.
At the beginning of April, customers of Dutch bank ING reported that the balance of their online bank account wasn’t what they expected it to be, with the difference in some cases running to hundreds of euros. Some customers even reported that they were unable to pay using chip-and-pin as a consequence. Initially, the bank blamed the issue on a technical error, and reassured its customers that no money had disappeared.
While the bank appears to have been right on the latter account, it later changed its statement and revealed that the issues had been caused by a DDoS attack. And that was just the beginning: the attacks spread to other banks, taking down their websites and online payment systems. They also took down iDEAL, a widely used online payments system.
Over the next few weeks, as many other organisations were targeted by similar attacks, DDoS became a prime item on the news – making knowledge of DDoS attacks among the Dutch population more widespread than in any other country (with the possible exception of Estonia).
Although no new attacks have been reported since 8th May, the impact of the attacks on the country – where Internet penetration is extremely high – has been significant. It has led many people to wonder whether they have become too dependent on online services.
Although in the past DDoS attacks have been used to hide theft or to extort money from the targeted sites, the scale, variation and longevity of these attacks make these unlikely reasons.
There have been suggestions that the attacks are a retaliation against the arrest in Spain and subsequent extradition to the Netherlands of Sven Olaf Kamphuis, himself accused of orchestrating DDoS attacks against Spamhaus.
Tomi Engdahl says:
US power grid the target of ‘numerous and daily’ cyber-attacks
Report finds utilities vulnerable, threatened
http://www.theregister.co.uk/2013/05/23/us_power_grid_cyber_attack_report/
The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA).
“National security experts say that cyber attacks on America’s electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks,” Markey said in a statement. “We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare.”
Among the report’s findings, more than a dozen utilities surveyed said their systems were under “daily,” “frequent,” or “constant” attack, with one claiming to be the target of around 10,000 attempted cyber-attacks each month.
“Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker,” the report states.
To help harden US infrastructure against such attacks, Markey and Waxman would like to see Congress grant the Federal Energy Regulatory Commission (FERC) additional authority to draft and enforce cyber-security standards among power utility companies.
Tomi Engdahl says:
SCADA security is better and worse than we think
‘Kill chains’ are long and attack-stopping weak links are many
http://www.theregister.co.uk/2013/05/23/scada_security/
AUSCERT 2013: First, the good news: for all the known vulnerabilities that exist in the SCADA world, exploiting them in a way that can actually “shut down a power plant” is harder than most people (particularly including media) realise.
That’s because even though in a fairly short time the number of known vulnerabilities in programmable logic controllers (PLCs) has gone from zero to 171, turning the existence of a vulnerability into a successful exploit is a much more complex task than merely launching an attack against the individual device.
If an operator notices unusual processes taking place on a system that aren’t in his operational manual, Fabro said, it’s expected that the employee will take some sort of action, or at least investigate what’s going on. So to go from “here’s a vulnerability in one system” to “here’s a nationwide blackout” takes a lot more effort than we believe.
However, Fabro said, as attackers become more sophisticated and learn more about both the SCADA systems and their control environments, the likelihood of more dangerous SCADA-based attacks increases.
A key part of defending against those attacks that may occur, he said, is to start with a thorough understanding of the “kill chain” – the number of steps and scenarios an attacker is forced to step through to achieve what they want.
“Time and time again people are the vector, the kill-chain’s tipping point is at people,” he said. “An individual who was tricked and had done something inappropriate – clicked on the link in the e-mail, let someone into the facility.”
It points to a difficult cultural problem in defending industrial control systems, because in trying to instil a new security culture, “the people you’re risking upsetting are the ones you’re relying on to run the system.”
Tomi Engdahl says:
Software supply chain’s soft underbelly
http://www.edn.com/electronics-blogs/supply-chain-reaction/4414342/Software-supply-chain-s-soft-underbelly
With all the attention on counterfeit electronic components, it’s easy to overlook the vulnerabilities of other supply chains in the computing industry. A recent Gartner report calls attention to the importance of investigating the supply chains of software, services, and even data. The report warns that the “IT supply chain” has become alarmingly insecure.
One example the report cites is the admission in May 2012 by Chinese mobile-phone maker ZTE that one model of its Android phone had a backdoor installed in its software. The backdoor, which was found only in smartphones shipped to the United States, allowed installation of arbitrary applications and full access to any data stored on the phone. There could be other smartphones with similar vulnerabilities, says the report.
To protect against such hacks, corporations need to institute a formal IT supply-chain risk-management program, including investigation into the robustness of software-update mechanisms, says the report. For smartphones, in particular, it recommends asking all hardware and software suppliers for specifics on how they update firmware and software.
The Gartner report notes that just because this happened in a ZTE phone doesn’t necessarily mean that the company had a nefarious motive.
That’s a perfect example of why today’s convoluted IT supply chain is increasingly insecure. The Gartner report says software supply chains can be easy targets because of increased use of outsourced software development. Even if a company uses its own developers, many use third-party libraries and frameworks that include open-source software, which can be vulnerable.
Are you doing what you should to ensure the integrity of your software supply chain?
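As an added example of the update-mechanism robustness the report says to ask suppliers about (this is not ZTE’s, Gartner’s or any vendor’s code), here is a Go sketch of a device-side update check: the vendor signs a manifest of file hashes with an Ed25519 key, and the device verifies the signature, refuses rollback, and refuses any file set that does not match the manifest exactly before installing anything. The JSON manifest format, the sequence-number rollback rule, the file names and the key pair are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update: a monotonically increasing sequence number (anti-rollback)
// and the SHA-256 of every file the update may install. Nothing outside it is installable.
type Manifest struct {
	Sequence uint64            `json:"sequence"`
	Files    map[string]string `json:"files"` // path -> hex SHA-256
}

// SignedManifest is what the device receives: the encoded manifest and the vendor signature over it.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

func fileHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor side: hash every file of the release.
func BuildManifest(seq uint64, files map[string][]byte) Manifest {
	m := Manifest{Sequence: seq, Files: map[string]string{}}
	for path, data := range files {
		m.Files[path] = fileHash(data)
	}
	return m
}

// Sign encodes the manifest (json.Marshal sorts map keys, so the encoding is deterministic)
// and signs it with the vendor's Ed25519 private key, which never leaves the build system.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Verify is the device side. Order matters: check the signature before parsing anything,
// refuse rollback to or below the installed sequence, then require the delivered file set
// to match the manifest exactly (no missing, extra, or altered files).
func Verify(pub ed25519.PublicKey, sm SignedManifest, installedSeq uint64, files map[string][]byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: update refused")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest unreadable: %w", err)
	}
	if m.Sequence <= installedSeq {
		return Manifest{}, fmt.Errorf("rollback refused: sequence %d <= installed %d", m.Sequence, installedSeq)
	}
	if len(files) != len(m.Files) {
		return Manifest{}, errors.New("delivered file set does not match manifest")
	}
	for path, want := range m.Files {
		data, ok := files[path]
		if !ok {
			return Manifest{}, fmt.Errorf("file missing from update: %s", path)
		}
		if fileHash(data) != want {
			return Manifest{}, fmt.Errorf("hash mismatch: %s", path)
		}
	}
	return m, nil
}

// DemoRelease builds a constructed release: the key pair and files are generated here,
// they are not a real vendor's. The device is assumed to hold pub in tamper-resistant storage.
func DemoRelease() (ed25519.PublicKey, SignedManifest, map[string][]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, SignedManifest{}, nil, err
	}
	files := map[string][]byte{
		"system/app/Dialer.apk": []byte("constructed dialer bytes"),
		"boot.img":              []byte("constructed boot image bytes"),
	}
	sm, err := Sign(priv, BuildManifest(42, files))
	return pub, sm, files, err
}
```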
Tomi Engdahl says:
Homeland Security Reportedly Warns 3D-Printed Guns Are “Impossible” To Contain
http://techcrunch.com/2013/05/23/homeland-security-reportedly-warns-3d-printed-guns-are-impossible-to-contain/
A new bulletin from the U.S. Department of Homeland Security warns that lethal, undetectable 3D-printed firearms may be “impossible” to contain
“Significant advances in three-dimensional (3D) printing capabilities, availability of free digital 3D printer files for firearms components, and difficulty regulating file sharing may present public safety risks from unqualified gun seekers who obtain or manufacture 3D printed guns,” reads a May 21 bulletin from the Joint Regional Intelligence Center obtained by Fox News. “Limiting access may be impossible.”
“Even if the practice is prohibited by new legislation, online distribution of these digital files will be as difficult to control as any other illegally traded music, movie or software files.”
“The only security procedure to catch [the 3D firearms] is a pat down. Is America ready for pat-downs at every event?”
Tomi Engdahl says:
Obama: Leak Investigations ‘May Chill Investigative Journalism’
http://www.huffingtonpost.com/2013/05/23/obama-leak-investigations-journalism-chill_n_3327659.html
President Obama said Thursday that he is “troubled by the possibility that leak investigations may chill the investigative journalism that holds government accountable.”
In a major speech on national security, Obama said that the “Justice Department’s investigation of national security leaks offers a recent example of the challenges involved in striking the right balance between our security and our open society.”
There have been growing concerns about press freedom following the Justice Department’s secret seizure of AP records and its accusation that Fox News reporter James Rosen could be part of a criminal conspiracy for soliciting information from a source.
Tomi Engdahl says:
Leonard Downie: Obama’s war on leaks undermines investigative journalism
http://www.washingtonpost.com/opinions/leonard-downie-obamas-war-on-leaks-undermines-investigative-journalism/2013/05/23/4fe4ac2e-c19b-11e2-bfdb-3886a561c1ff_story.html#
For the past five years, beginning with his first presidential campaign, Barack Obama has promised that his government would be the most open and transparent in American history. Recently, while stating that he makes “no apologies” for his Justice Department’s investigations into suspected leaks of classified information, the president added that “a free press, free expression and the open flow of information helps hold me accountable, helps hold our government accountable and helps our democracy function.” Then, in his National Defense University speech Thursday, Obama said he was “troubled by the possibility that leak investigations may chill the investigative journalism that holds government accountable.”
But the Obama administration’s steadily escalating war on leaks, the most militant I have seen since the Nixon administration, has disregarded the First Amendment and intimidated a growing number of government sources of information — most of which would not be classified — that is vital for journalists to hold leaders accountable.
The secret and far-reaching subpoena and seizure of two months of records for 20 Associated Press phone lines and switchboards
At the request of the White House and the CIA, the AP held the story for five days to protect an ongoing intelligence operation.
After the AP story appeared, Obama administration officials spoke freely about the operation.
Such investigations are not unusual, especially in national security cases, but they have proliferated in the Obama administration.
Decades-old Justice Department guidelines restrict federal subpoenas for reporters or their phone records, saying they should be used only as a last resort in an investigation. Justice officials have contended that this was the case with the Associated Press leak.
“I really don’t know what their motive is,” Pruitt said on “Face the Nation.” But, he added, “I know what the message being sent is: If you talk to the press, we’re going to go after you.”
After the 2001 terrorist attacks, the George W. Bush administration increased government secrecy in a variety of ways that Obama, as candidate and president, vowed to reverse. Soon after taking office, Obama and Holder issued memos and directives instructing government agencies to be more responsive to Freedom of Information Act (FOIA) requests and to make more government information public through Web sites and social media.
But there’s not nearly enough of what journalists and citizens need to hold the government truly accountable
Every administration I remember has tried to control its message and manage contacts with the media.
“The White House doesn’t want anyone leaking,”
Tomi Engdahl says:
The AV-TEST Institute registers over 200,000 new malicious programs every day.
Source: http://www.av-test.org/en/statistics/malware/