Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clarification of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to enhance its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value can easily drop considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of Bitcoins have been stolen lately (and I expect that to increase when usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Chatting to Al Qaeda? Try not to do that – Ex spy chief defends post-Snowden NSA
    Everyone spies but ‘someone has to lead’ – Keith Alexander
    http://www.theregister.co.uk/2014/10/08/former_nsa_chief_speaks_on_snowden_revelations/

    You have nothing to fear from the NSA: that is unless you’re from outside the United States, or you arouse the agency’s suspicion by chatting to Al Qaeda. “Try not to do that,” was the advice given.

    The warnings come from former NSA chief General Keith Alexander, who told delegates at a security conference that the National Security Agency’s activities, as described by ex-NSA sysadmin and secret-doc-leaker Edward Snowden, are just the agency doing its job.

    “Our data’s in there (NSA databases), my data’s in there. If I talk to an Al Qaeda operative, the chances of my data being looked at is really good, so I try not to do that. If you don’t want to you shouldn’t either,” he told MIRcon delegates.

    “It doesn’t mean that we didn’t collect on key leaders around the world,”

    “Nations act in nations’ best interest … we at times want to make sure a war doesn’t break out [and] it is important that our political, military leaders know what is going on.”

    The former NSA boss said he had had great partnerships with intelligence agencies across the world, including the European Union – even after the Snowden leaks, which he said were written off as being “political”.

    Reply
  2. Tomi Engdahl says:

    This Guy Convinced Google, Dropcam, Pinterest To Let 10,000 Hackers Attack
    http://www.businessinsider.com/this-startup-hacks-google-pinterest-2014-10

    A startup called Bugcrowd has built a network of 11,700 hackers (and growing) worldwide. They are tasked with ripping into software and websites like trained attack dogs.

    When they find a bug, they get paid.

    The more bugs they find, the more they are invited in to hack ever-more sensitive parts of a company’s network. They hack companies like Google, Dropcam, Pinterest, even some banks.

    And these companies couldn’t be happier about it.

    The reason Bugcrowd’s “crowdsourced security testing” works is that it takes the pain and fear out of security testing. Long ago, the good guy hackers (called “white hats” or security researchers) realized that if you pay people to turn in the bugs they find for cash, you have now motivated people to hack for good instead of evil.

    These are called bug bounty programs. While big companies like Microsoft and Facebook run their own bug bounty programs, there are good reasons why other enterprises don’t.

    Reply
  3. Tomi Engdahl says:

    Gavin Andresen Proposes Bitcoin Hard Fork to Address Network Scalability
    http://www.coindesk.com/gavin-andresen-bitcoin-hard-fork/

    Bitcoin Foundation chief scientist Gavin Andresen has proposed increasing the number of transactions allowed on the bitcoin network by raising the maximum block size by 50% per year.

    Doing so would require a hard fork and “some risk”, Andresen conceded in a new Bitcoin Foundation blog post, but he concluded that such proposals are necessary for the long-term viability of bitcoin as a global payments system.

    He argued that the limit on bitcoin transactions has been identified in the past as a weakness in need of addressing.

    The bitcoin network is currently experiencing 50,000–80,000 transactions per day. As Andresen noted, however, the data needs being placed on the bitcoin network aren’t huge, making the 1-megabyte block size sufficient for use today.

    In the long-term, though, this block size may lead to issues

    Andresen posited that the 50% annual growth rate he suggested would enable the distributed network to facilitate as many as 400 million transactions per day if implemented now. After 12 years, the bitcoin network’s estimated transaction capacity would reach 56 billion transactions per day, according to Andresen’s initial calculations.

    Reply
  4. Tomi Engdahl says:

    US Military Command Holds Informational Meeting With Bitcoin Industry
    http://www.coindesk.com/us-military-command-holds-educational-meeting-bitcoin-industry/

    Officials from the US Special Operations Command met with American business executives and bitcoin community leaders on Monday in Tampa, Florida, to discuss bitcoin and its role in illicit finance.

    The topic is a priority for the US military as it seeks to understand how bitcoin could be used in funding anti-American forces and operations and whether it can take actions to reduce this activity.

    Harper told CoinDesk he was impressed by the cross section of representatives present at the meeting and the solid discussion and learning that took place.

    However, he went on to say that the Bitcoin Foundation’s role should be to familiarize law enforcement and the military with bitcoin.

    Harper said none of the military representatives present at the event offered specific intelligence that ISIS uses bitcoin

    Reply
  5. Tomi Engdahl says:

    Bitcoin Foundation to Standardise Bitcoin Symbol and Code Next Year
    http://www.coindesk.com/bitcoin-foundation-standardise-bitcoin-symbol-code-next-year/

    The Bitcoin Foundation’s Financial Standards Working Group has shed new light on its priorities for the next six months, announcing it will attempt to standardise bitcoin’s code, currency symbol and subunits over that period.

    The first task for the foundation will be to apply for ISO 4217 approval, which would lead to an industry-approved bitcoin currency code.

    Reply
  6. Tomi Engdahl says:

    Ask Slashdot: Dealing With an Unresponsive Manufacturer Who Doesn’t Fix Bugs?
    http://ask.slashdot.org/story/14/10/08/1613258/ask-slashdot-dealing-with-an-unresponsive-manufacturer-who-doesnt-fix-bugs

    I’ve had huge problems with a security appliance since its installation. Specifically, the VPN SSL client is causing a problem for the majority of my remote clients. The company acknowledged the bug, but they are jerking me around, and no resolution is in sight.

    I also talked to various executives at the company and besides giving me apologies, nothing good is coming my way.

    Comments:

    One way is to give the public the name!

    And if it doesn’t, why the hell didn’t someone flag that up before signing on for 3 years of payments with no legal recourse? The problem isn’t really the vendor here, it’s the dumb ass that signed the contract which allows the vendor to get away with shit like this.
    Pull the contract, when they threaten to sue for breach then you threaten to counter sue for non-performance and non-compliance as the product isn’t fit for use.

    That’s exactly the right way where I live. You start with a complaint, then escalate with a letter giving them a last chance to fix the issues. You give them a reasonable term, such as 30 days. After that, you terminate the contract and ask for your money back due to breach of contract.
    You’ll be much better off if you let a lawyer handle this sort of thing, by the way. But that goes for signing the contract in the first place, too.

    If your company is large enough, have a quick chat with your legal department. A 3 year support contract that isn’t providing you with any value is something that’s worth addressing.

    If the sales rep doesn’t give you satisfaction, call their boss, then keep on working the way up to the top. Top managers do not like it when their lower level managers aren’t doing their jobs. They want to concentrate on long term, not stuff like this.

    If you keep using words like “unacceptable”, “does not meet advertised uptime numbers”, “does not match your published specifications”, “crashes when XXYY happens”, you stay on issue. If you go off issue into raving lunatic, cursing land, you lose your credibility and are dismissed as “angry customer”

    You chose your vendor poorly. Hope you learned from it. Next time choose a standards based VPN solution that works across many different platforms and clients.

    Company sells product. Check.

    Product has issues. Check.

    Company is unresponsive to problems. Check.

    Company has you locked into support contract. Check.

    Bummer, dude. But what you’re describing is pretty much what any of us in the software industry have been seeing for a long time — the salesman is always lying to you.

    Out of curiosity, did you do your own extensive testing and have your legal department put penalty/early termination clauses in? Or, have you become victim to believing what the sales guy told you?

    I’m betting half the people on Slashdot have worked at companies where the sales people sold impossible things which don’t exist as sold. And the other half has worked for companies which have bought stuff which didn’t live up to what the sales guy said.

    Reply
  7. Tomi Engdahl says:

    Gmail security is a problem for Tor users
    http://www.dailydot.com/politics/gmail-tor-lockout-problem/

    It turns out Tor and Google aren’t always a great mix.

    While working Monday morning, Gmail suddenly logged me out. After trying to get back in, I was told that my exit had been because of ‘unusual activity’ with my account.

    This happens when Google automatically detects your IP address coming from geographically distinct areas in quick succession: a symptom of someone accessing your account without your permission elsewhere in the world. Or, perhaps because you’re using the popular anonymity tool Tor, which reroutes your traffic to make it appear as though you’re logging in from somewhere you’re not.

    At the time, I was using Tor.

    It’s important to point out that Google didn’t lock my account explicitly for my use of Tor. Rather, the email service’s security system “thought” my account was being fiddled with by a third party, while I’m (pretty) sure it wasn’t.

    That alone would be a mere nuisance—not a problem worth mentioning. It’s what I had to do to regain access to my email that is a cause for concern: I had to register a telephone number to receive a verification code, which I then punched into my browser, unlocking my account.

    Gmail is far from the only online service that fails to play nice with Tor. A recent blog post from the Tor Project lamented that many people have problems with popular websites when using the network. After mentioning that pressure from policy makers or Internet service providers can make it difficult for Tor to expand

    Reply
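The check described in the comment above (logins from geographically distant addresses in quick succession) can be sketched as follows. This is an added example, not part of the original post and not Gmail's actual logic; it assumes each login has already been resolved to approximate coordinates, and the 900 km/h speed limit and 100 km jitter radius are assumed thresholds.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample events, not real account data:
# (UTC timestamp, location label, latitude, longitude).
# The Frankfurt and New York hops imitate a session whose apparent
# source address jumps between relays, as a Tor user's would.
SAMPLE_LOGINS = [
    ("2014-10-06T08:00:00", "Helsinki", 60.17, 24.94),
    ("2014-10-06T08:20:00", "Helsinki", 60.17, 24.94),
    ("2014-10-06T08:35:00", "Frankfurt", 50.11, 8.68),
    ("2014-10-06T08:45:00", "New York", 40.71, -74.01),
    ("2014-10-07T09:00:00", "Helsinki", 60.17, 24.94),  # plausible flight
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_impossible_travel(logins, max_kmh=900.0, min_km=100.0):
    """Return consecutive login pairs that imply travel faster than max_kmh.

    Pairs closer together than min_km are ignored, because IP geolocation
    is too coarse to treat small distances as movement.
    """
    ordered = sorted(logins, key=lambda e: datetime.fromisoformat(e[0]))
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if dist < min_km:
            continue
        delta = datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])
        hours = delta.total_seconds() / 3600.0
        # Simultaneous logins from distant places: treat as infinite speed.
        speed = float("inf") if hours == 0 else dist / hours
        if speed > max_kmh:
            flagged.append({
                "from": prev[1],
                "to": cur[1],
                "km": round(dist),
                "kmh": speed,
                "at": cur[0],
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE_LOGINS):
        print("{at}: {from} -> {to}, {km} km at {kmh:.0f} km/h".format(**hit))
```

A rule like this cannot tell an account takeover from an anonymity network or VPN, which is why the flagged session ends in a step-up verification rather than a verdict.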
  8. Tomi Engdahl says:

    ‘Bill Gates swallowing bike on a beach’ is ideal password say boffins
    Train your brain to remember long passwords with flash card memory-building technique
    http://www.theregister.co.uk/2014/10/09/bill_gates_swallowing_bike_on_a_beach_is_ideal_password_say_boffins/

    A quartet of researchers from Carnegie Mellon University’s Computer Science Department have explained a method they feel makes it possible to memorise several complex passwords.

    As their ArXiv paper, Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords explains, passwords are important but most people choose weak ones because they’re easier to remember. That’s obviously not optimal, so the boffins decided to experiment with a technique called “spaced repetition”, which they describe as “a memorization technique that incorporates increasing intervals of time between subsequent review of previously learned material.”

    Spaced repetition will be familiar to anyone who has learned a language using flash cards: after first encountering knowledge you review it, then review it again after a longer period of time, then again after an even longer interval.

    As hoped, participants’ recall of the passphrases they cooked up improved over time, to the extent that the researchers feel spaced repetition and PAO stories could enable people to recall up to 14 complex passphrases.

    The authors suggest their study makes policies mandating fresh passwords every 30 days a bad idea, as “By forcing users to reset their password frequently an organization forces its users to remain within the most difficult rehearsal region.” They also feel that the PAO method is likely to result in the creation of more complex passwords, which is helpful under any circumstances.

    Reply
  9. Tomi Engdahl says:

    Hey, non-US websites – FBI don’t have to show you any stinkin’ warrant
    Prosecutors in Silk Road raid trial: If you’re outside the US, you’re fair game for hacking
    http://www.theregister.co.uk/2014/10/08/prosecutors_claim_no_warrant_needed_for_silk_road/

    US government attorneys have argued that the FBI didn’t need a warrant to snoop evidence from the Silk Road darknet drugs souk, for a simple reason: its servers were located outside the United States.

    Attorneys representing accused Silk Road headman Ross Ulbricht have suggested that the FBI used hacking techniques to pull data from the Silk Road servers without first obtaining a warrant, which they claim violated Ulbricht’s Fourth Amendment right to privacy.

    Reply
  10. Tomi Engdahl says:

    The Malware of the Future May Come Bearing Real Gifts
    http://it.slashdot.org/story/14/10/08/2132237/the-malware-of-the-future-may-come-bearing-real-gifts

    “Research by Prof. Giovanni Vigna of the University of California leads him to believe that the malware of the future will come in a friendly form, be genuinely useful and may not reveal its intentions for a protracted period of time.”

    This article outlines the extraordinary game of cat-and-mouse being played between researchers and hackers, and how future malware exploits are likely to abandon a rush for the buffer overflow in favor of ‘the long game’ — and to make themselves useful in the process.

    The malware of the future may come bearing real gifts
    http://thestack.com/mimicry-in-malware-giovanni-vigna-081014

    For Prof. Vigna, the real challenge may lie ahead, to a time when malware develops to a new level of disingenuousness. The professor’s own experiments with mimicry simulation have convinced him that genuine system calls and integrity of functionality will be incorporated into future malware configurations, making the identification of hostile intent even harder to evaluate in malicious programs. It hasn’t happened yet, so far as he can tell, but it seems to make sense.

    Reply
  11. Tomi Engdahl says:

    Pen-testers outline golden rules to make hacks more €xpen$ive
    Sorry sysadmins, you just lost root access in the name of security
    http://www.theregister.co.uk/2014/10/09/pentesters_golden_rules_to_make_hacks_more_xpenive/

    Not one administrator to rule them all, but a few: that’s the advice offered by seasoned penetration testers Aaron Beuhring and Kyle Salous to enterprises wanting to be less attractive to hackers.

    In a presentation at the MIRCon 2014 conference in Washington the duo listed a series of low cost changes to access controls, whitelisting, and group policies that could harden the enterprise enough to make targeted malware attacks quite expensive, hopefully prohibitively so.

    “You can train users all you want, but unless they are reverse-engineers, they aren’t going to stop clicking things,” Beuhring said.

    “We’re not saying whitelisting is easy … you need to create inventory of programs you run and you need to understand the protocols they run on.

    The cost of implementing a whitelist could be next to nothing, Beuhring said, with cost determined by the time required to determine an organisation’s requirements rather than the need to buy kit.

    Another tip offered was that users should never be allowed to operate as admins. Godmode should not even be granted to all tech staff.

    “None of your users should ever log in as administrator,” Salous said. “Create a separate admin account for everyone in your tech department.”

    “Every time we make them (attackers) work [harder], it’s an opportunity to detect their activity.”

    The advice offered by the pair is best practice, yet is rarely adopted.

    Reply
  12. Tomi Engdahl says:

    Want to break Netflix? It’ll pay you to do the job
    ‘Senior Chaos Engineer’ sought to inflict all sorts of nasty, nasty, pain
    http://www.theregister.co.uk/2014/10/09/want_to_break_netflix_itll_pay_you_to_do_the_job/

    In 2012, Netflix open sourced a tool called Chaos Monkey that it uses to test its networks and systems by trying to break them with attacks based on all sorts of chaotic events.

    Now the company wants to hire a “Senior Chaos Engineer” to do the same … only more painfully.

    The way Chaos Monkey works is conceptually fairly simple. It runs as a service on Amazon Web Services (AWS), where it seeks out Auto Scaling Groups (ASGs) of virtual machine instances. When it finds one, it picks one of its virtual machines at random and terminates it.

    At first blush, this may sound like the most maddening piece of software ever, and if a hacker figured out a way to use it maliciously, it could probably cause someone some real headaches.

    But Chaos Monkey is a tool, and the reason it runs around your network like a psychopathic ape is because in reality, system failures are one of the most common types of problems the people who manage cloud services must deal with in everyday life.

    Like Chaos Monkey, the others – including Latency Monkey, Conformity Monkey, Doctor Monkey, Janitor Monkey, Security Monkey, 10-18 Monkey, and the unnervingly-named Chaos Gorilla – are all designed to root out unseen problems in cloud architectures.

    https://github.com/Netflix/SimianArmy
    Tools for keeping your cloud operating in top form. Chaos Monkey is a resiliency tool that helps applications tolerate random instance failures.

    Reply
  13. Tomi Engdahl says:

    Russian cybercrime group compromised half a million computers
    http://www.computerworld.com/article/2692500/russian-cybercrime-group-compromised-half-a-million-computers.html

    Proofpoint said the group targeted large U.S. and European banks, compromising 800K online accounts

    In a new report, Proofpoint said it found a large number of WordPress websites that had been compromised to perform a drive-by download of Qbot, also known as Qakbot, a malicious software program.

    Fifty-two percent of the compromised computers were running Windows XP, “a figure that is at once unsurprising — considering that support for Windows XP, including patches, ended in April 2014,” according to the report.

    Reply
  14. Tomi Engdahl says:

    “Security is a parasite: it absorbs resources and interferes with the systems”

    Jukka Vuorinen’s University of Turku dissertation examines information security from a less technical point of view, because his field is sociology. The exceptional approach provides an interesting picture.

    In addition to providing the security that gives it its name, information security also acts as a troublemaker, among other things.

    “Security is a parasite that grabs and absorbs resources,” says Vuorinen.

    According to him, it interrupts and gets in between. For example, password logins always interrupt an activity and hamper the use of information systems.

    “Security interrupts whatever it comes into contact with. Malware gets its share of the interruption just like ordinary users. Security, therefore, pushes in between and treats everything equally, whether the intentions are good or evil,” says Vuorinen.

    When a system is protected, it is to be kept in certain respects closed and frozen.

    “Security tries to prevent other interventions with its own intervention, to prevent interruptions with interruptions. Security software can be thought of as an example of intervention. Security software connected to a system changes the underlying system. As such, one could argue that security is always a disturbance and noise in the system,” says Vuorinen.

    Securing information is, according to Vuorinen, a process that requires resources, from equipment to people. Every security process takes time and energy, whether it’s security software or training.

    Source: http://www.tivi.fi/kaikki_uutiset/quottietoturva+on+loinen+se+imee+resursseja+ja+hairitsee+jarjestelmiaquot/a1018401

    Reply
  15. Tomi Engdahl says:

    Jitters over US surveillance could break the Internet, tech leaders warn
    Loss of trust in Internet companies could lead to protectionism and a splintered Internet, they say
    http://www.itworld.com/security/440886/jitters-over-us-surveillance-could-break-internet-tech-leaders-warn

    Overly broad U.S. government surveillance is breaking down trust on the Internet in ways that could hurt users everywhere and make it harder to launch new kinds of services, tech executives told a U.S. senator pushing for reforms.

    Revelations about National Security Agency (NSA) monitoring are leading foreign governments to consider erecting barriers against the global Internet and requiring their citizens’ data be stored in the same country, according to Sen. Ron Wyden

    Wyden gathered executives from Google, Facebook, Microsoft, Dropbox and venture capital firm Greylock Partners in a high school gym to talk about the economic impact of U.S. digital surveillance as it affects international attitudes toward American Internet companies. Wyden said he supports surveillance where necessary but is worried about “dragnet” spying such as the wholesale collection of phone records. That kind of spying is turning users against U.S. companies, he said. “This is going to cost America jobs,” Wyden said.

    The breakdown of trust is bad not just for well-known American tech companies but for anyone trying to start or operate a Web-scale business, executives said.

    “The simplest outcome is that we’re going to end up breaking the Internet,” said Eric Schmidt, Google’s executive chairman. A splintering of the Internet would have costs in terms of science, knowledge, jobs and other areas, he said.

    “It costs more to run a network where you have to put data centers around the world,”

    Reply
  16. Tomi Engdahl says:

    Sir Tim Berners-Lee: Data is more valuable to individuals than to the cloud
    Corporations wasting data on “queasy” targeted advertising tech
    http://www.theinquirer.net/inquirer/news/2374713/sir-tim-berners-lee-data-is-more-valuable-to-individuals-than-to-the-cloud

    SIR TIM BERNERS-LEE has declared that data ownership will be core to the future of the web, saying it is of more value in the hands of individuals than it is to the cloud.

    Speaking at the 2014 IP Expo in London, Berners-Lee, founder of the World Wide Web, said that data is more valuable to people than it is to companies.

    “The data that [businesses] have about you isn’t as valuable to them as it is to you,” he said. “What are these people going to do with that data? They’re going to target you with an ad which makes you feel a bit queasy. Targeted adverts are not the future.”

    Instead, Berners-Lee believes that data is more useful under the ownership of individuals, who can use it to gain insights about their lives and activity.

    “In general, if you put together all that data, from my wearable, my house, from other companies like the credit card company and the banks, from all the social networks, I can give my computer a good view of my life, and I can use that. That information is more valuable to me than it is to the cloud.”

    “If you give [people] the ability to see how [data is] used and you ban its misuse then people are much more happy to open up to their data being used,” he concluded.

    Reply
  17. Tomi Engdahl says:

    Internet freedom besieged by big businesses warns Sir Tim Berners-Lee
    http://www.v3.co.uk/v3-uk/news/2372672/internet-freedom-besieged-by-big-businesses-warns-sir-tim-berners-lee

    Big companies and governments are a threat to the internet, said web inventor Sir Tim Berners-Lee, who called for rules to safeguard independence and privacy for internet users.

    At the Web We Want Festival in London, the British computer scientist called for a ‘bill of rights’ to be established to protect web users against snooping and censorship from big companies and data-gathering government organisations.

    According to reports by the Press Association, Berners-Lee is concerned that companies tweak and work around laws to establish significant control over internet users.

    “It [the internet] has got so big that if a company can control your access to the internet, if they can control which websites they go to, then they have tremendous control over your life,” he declared.

    Berners-Lee believes organisations can use their placement within the internet to abuse their positions of power.

    Reply
  18. Tomi Engdahl says:

    Crims zapped mobes, slabs we collared for evidence, wail cops
    Don’t worry, sarge, we got all the … oh, WTF!
    http://www.theregister.co.uk/2014/10/10/police_say_criminals_remotely_wiping_seized_mobes/

    You know that nifty remote wipe function that takes all the photos off your phone when it gets lost? Turns out criminals know about it too, and they’re using it to wipe phones taken by police as evidence.

    The BBC has heard from a few UK forces that report some of the mobes and tablets they’ve taken in as evidence have been remotely wiped.

    Apparently, Brits have been able to establish connections with their confiscated devices and, using the remote management tools offered by vendors, wiped their mobes ‘n’ slabs in order to remove evidence.

    Reply
  19. Tomi Engdahl says:

    Malware analysts tell crooks to shape up and write decent code
    Who writes their own crypto these days? Seriously!
    http://www.theregister.co.uk/2014/10/10/writing_better_malware_with_fireeye/

    Blackhats beware: reverse engineers are laughing at your buggy advanced persistent threat (APT) malware.

    You’ve done pretty well though: your custom payloads were effective at breaking into enterprises and the damage it did was quite devastating.

    But many were being found and added to anti-malware signatures all too quickly.

    “A ridiculous amount of code to put in a backdoor,”

    Point of Sales malware is the new black and it made sense that you would work on a cash-rich target.

    “Do a little better, try a little harder. Wrap your stuff in #ifdef statements — it takes like five seconds and it will get rid of the things you don’t want me to see,” Wartell said.

    Apply the crypto maxim to packers and stop building your own “hilariously” broken code, and instead use tried and tested off-the-shelf options like Themida and VMProtect.

    More fundamentally, stop being lazy programmers. Your malware was in the hands of intelligent reverse engineers more quickly than the time it took you to write it so you need to find better ways to hide.

    You could take a lesson from crimeware writers too. Those folks created less damaging malware that targeted everybody, everywhere, in a bid to hose as many bank accounts and credentials as possible. They had to hide to survive.

    Reply
  20. Tomi Engdahl says:

    ‘A motivated, funded, skilled hacker will always get in’ – Schneier
    It’s how you respond that’s key, says securo guru
    http://www.theregister.co.uk/2014/10/09/your_security_defences_are_going_to_fall_get_over_it_schneier/

    IP Expo Hacking attacks are more or less inevitable, so organisations need to move on from the protection and detection of attacks towards managing their response to breaches so as to minimise harm, according to security guru Bruce Schneier.

    Prevention and detection are necessary, but not sufficient, he said. Improving response means that organisations stay on their feet even after they are hit by a serious security breach or hacking attack.

    “A sufficiently motivated, funded and skilled hacker will always get in,” Schneier told delegates during a keynote at the IP Expo conference in London. The security guru added that criminals and hackers are now using the sort of tools and techniques that were once the sole purview of intel agencies.

    While the ’90s were the era of protection (antivirus, firewall etc) this changed around 2000, when detection products (such as IDS/IPS) systems became more important, he said. This decade in the infosec biz belongs to response, according to Schneier. The security guru left BT last year to become CTO of incident response firm Co3 Systems.

    Cloudy with a chance of pwnage

    Security teams are incorporating incident response because of three trends in computing, according to Schneier. Firstly, we’ve lost control of our computing environment, much of which has been outsourced to the cloud. This makes response more complicated, because enterprises lack visibility into parts of their critical network infrastructures actually run by other companies. Users’ control of computing devices is also on the wane.

    Secondly, attacks are becoming more sophisticated and targeted.

    As hacking becomes a more integral part of geopolitics, unrelated networks are increasingly collateral damage in nation-state fights, according to Schneier. Lastly, companies continue to underinvest in protection and detection – both of which are imperfect, anyway – obliging “response” to pick up the slack.

    Security is a combination of people, process, and technology, Schneier explained during a keynote presentation. Protection systems are almost all technology. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with assistance from process and technology. Incident response can’t be automated because everyone’s network is different. All attacks are different too.

    Reply
  21. Tomi Engdahl says:

    AT&T fired employee who accessed personal info of around 1,600 customers
    http://www.fiercewireless.com/story/att-fired-employee-who-accessed-personal-info-around-1600-customers/2014-10-07?utm_medium=rss&utm_source=rss&utm_campaign=rss

    AT&T (NYSE: T) said it fired an employee who gained unauthorized access to personal information on around 1,600 customers, including their Social Security and driver’s license numbers. Nearly all of the customers affected were wireless customers, according to AT&T.

    The company said the unauthorized privacy breach occurred in August and that it only recently learned of the incident.

    AT&T also said the employee would have also been able to view subscribers’ customer proprietary network information (CPNI). CPNI includes the phone numbers of the caller and those the subscriber called, the duration of calls, the location at the beginning and end of calls and other similar information. As a result, AT&T said it had notified federal law enforcement authorities about the breach, as required by FCC regulations.

    Reply
  22. Tomi Engdahl says:

    Apple beefs up iCloud security once again with app-specific passwords
    For apps that don’t support two-factor authentication
    http://www.theinquirer.net/inquirer/news/2374780/apple-beefs-up-icloud-security-once-again-with-app-specific-passwords

    APPLE HAS BEEFED UP its iCloud security once again, adding per-application passwords for third-party apps that don’t support two-factor authentication.

    Following the high-profile celebrity iCloud hack last month, Apple was quick to add extra security to its cloud storage service. The most recent addition is app-specific passwords to guard against exposure of a user’s iCloud details.

    Apple nudged those using two-factor authentication about the new feature following its initial announcement last month, saying: “This is a reminder that starting tomorrow, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird or other mail, contacts and calendar apps.

    Reply
  23. Tomi Engdahl says:

    Devices being remotely wiped in police custody
    http://www.bbc.com/news/technology-29464889

    All the data on some of the tablets and phones seized as evidence is being wiped out, remotely, while they are in police custody, the BBC has learned.

    Cambridgeshire, Derbyshire, Nottingham and Durham police all told BBC News handsets had been remotely “wiped”.

    The technology used was designed to allow owners to remove sensitive data from their phones if they are stolen.

    “If a device has a signal, in theory it is possible to wipe it remotely,” said Ken Munro, a digital forensics expert with Pen Test Partners.

    Asked whether the police felt that the issue had damaged their investigation, the spokeswoman said: “We don’t know because we don’t know what was on the phone.”

    Microwave help

    Mr Munro, who analyses hundreds of laptops, tablets, phones and other devices for corporate clients, said: “When we seize a device for digital forensics, we put it immediately into a radio-frequency shielded bag, which prevents any signals from getting through.

    “If we can’t get to the scene within an hour, we tell the client to pop it in a microwave oven.

    “The microwave is reasonably effective as a shield against mobile or tablet signals – just don’t turn it on.”

    ePanorama.net editorial note: A microwave oven will block only WLAN communications at 2.4 GHz. It will not block 2G, 3G or 4G mobile networks.

    Reply
  24. Tomi Engdahl says:

    SecureDrives, which develops hard drives for the military, is releasing one next year that can be physically destroyed just by sending a text message.

    The hard drive – which will cost more than £1,000 – is also immune to the radio-frequency blocking bags.

    “The hard drive is constantly looking for GSM [Global System for Mobile Communications] signals, if it is starved of them it would destroy itself. It would see such a bag as a threat,” said James Little, head of sales at SecureDrives.

    Source: http://www.bbc.com/news/technology-29464889

    Reply
  25. Tomi Engdahl says:

    Facebook scammers punt fake ‘sexy vid’ of Emma Watson
    Malware-flinging ‘Guy Fawkes’ YouTuber lurks behind
    http://www.theregister.co.uk/2014/10/10/fake_emma_watson_video_scam_used_to_spread_malware_through_facebook/

    Scammers are taking advantage of Emma Watson’s growing popularity by using the Harry Potter star as bait to spread malware on Facebook.

    The supposed “sexy videos” of the British actress – who has recently stood up against sexism in her new role as Goodwill Ambassador for Women – drop Trojans rather than the promised salacious content. More precisely, the malware poses as a Flash Player update supposedly needed to view the non-existent racy content.

    The scam comes just weeks after a nude photo leak threat targeting Watson turned out to be a hoax by an outfit called Rantic Marketing operating through a site called “emmayouarenext.com”.

    Reply
  26. Tomi Engdahl says:

    Put down that shotgun: Wi-Fi’s the way to beat Zombies
    CreepyDOL sensors can pick walkers from humans with MAC snack attack
    http://www.theregister.co.uk/2014/10/10/staring_down_the_walking_dead_trust_in_80211/

    Survivors could locate nearby smart phones detected by their wireless mesh network of CreepyDOL sensors.

    The sensors would reveal MAC address information of nearby smartphones in the pockets of the living and dead. Using a tactic borrowed from snooping retail giants, a clever tech could locate the closest human townships, and determine when scouting parties have been turned into brain-eating walkers.

    “We use 802.11 to save the city in a post-apocalyptic zombie invasion,” Fowler said at the BSides security conference.

    “When someone is bitten, the [usage] data virtually flat lines, with regular 15 minute spikes for email checking.”

    While Fowler’s zombie-survival technology has an obvious problem – Zombies aren’t likely to keep the electricity grid up and running – it is already being used as a valued tracking tool by supermarkets, and as the hacker contends, possibly governments.

    Smart phones of all stripes send out identifying packets to passing Wi-Fi access points that allow MAC addresses to be gleaned. That information has been used by US retail chains to track the movements of shoppers in store.

    Such was the use of tracking that Apple in its latest iOS version 8 attempted to scramble iPhone MAC addresses while perusing Wi-Fi access points in a bid to restore privacy.

    But Cupertino’s MAC-scrambler is flawed, Fowler said, meaning tracking continued.

    http://blog.ussjoin.com/2013/08/creepydol.html

    Reply
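The MAC-address exposure described in the comment above can be audited from the defender's side. This is an added example, not code from CreepyDOL, the article or the commenter: it classifies the source addresses in a log of probe-request sightings by the locally-administered bit and reports which addresses stay stable across sensors. The sightings, sensor names and function names are constructed for illustration, and the check is general: it does not reproduce the specific iOS 8 flaw, which the article does not detail.

```python
"""Audit Wi-Fi probe-request sightings for stable (linkable) source MACs."""
import re
from dataclasses import dataclass, field

# Constructed sample log: (unix_time, sensor_id, source_mac).
# 00:00:5e:00:53:xx is the IANA documentation range (globally administered).
SAMPLE_SIGHTINGS = [
    (1000, "door",  "00:00:5e:00:53:01"),
    (1300, "aisle", "00-00-5E-00-53-01"),   # same device, other notation
    (1900, "till",  "00:00:5e:00:53:01"),
    (1010, "door",  "da:a1:19:00:11:22"),   # locally administered (randomized)
    (1320, "aisle", "6e:03:7f:45:9a:10"),   # locally administered, seen once
    (1905, "till",  "da:a1:19:00:11:22"),   # randomized address that was reused
    (1500, "aisle", "ff:ff:ff:ff:ff:ff"),   # broadcast: never a valid source
    (1600, "aisle", "not-a-mac"),           # malformed record
]

_MAC_RE = re.compile(r"[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}")


def parse_mac(text):
    """Return the 6 address bytes, or raise ValueError for malformed input."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def classify(mac):
    """Classify by the two low bits of the first octet (I/G and U/L bits)."""
    if mac[0] & 0x01:
        return "group"       # multicast/broadcast, invalid as a source
    if mac[0] & 0x02:
        return "local"       # locally administered, e.g. a randomized address
    return "universal"       # vendor-assigned, identifies the hardware


@dataclass
class Exposure:
    kind: str
    first_seen: int
    last_seen: int
    sensors: set = field(default_factory=set)

    @property
    def linkable(self):
        # One address at several sensors lets sightings be joined into a path,
        # whether or not the address itself was randomized.
        return len(self.sensors) > 1

    @property
    def dwell(self):
        return self.last_seen - self.first_seen


def audit(sightings):
    """Group sightings by address; return (report, rejected_raw_values)."""
    report, rejected = {}, []
    for when, sensor, raw in sightings:
        try:
            mac = parse_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        kind = classify(mac)
        if kind == "group":
            rejected.append(raw)
            continue
        key = mac.hex(":")
        entry = report.setdefault(key, Exposure(kind, when, when))
        entry.first_seen = min(entry.first_seen, when)
        entry.last_seen = max(entry.last_seen, when)
        entry.sensors.add(sensor)
    return report, rejected


def linkable_addresses(report):
    """Addresses that can be followed between sensors, sorted for stable output."""
    return sorted(mac for mac, e in report.items() if e.linkable)


if __name__ == "__main__":
    report, rejected = audit(SAMPLE_SIGHTINGS)
    for mac, e in sorted(report.items()):
        print(f"{mac}  {e.kind:9}  sensors={sorted(e.sensors)}  "
              f"dwell={e.dwell}s  linkable={e.linkable}")
    print("rejected:", rejected)
```

A locally administered address only helps privacy if it actually changes between sightings, which is why the reused `da:a1:19:00:11:22` is still reported as linkable.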
  27. Tomi Engdahl says:

    Rise of the Machines: FIRST HUMAN VICTIM – 2015
    Internet of Things robots WILL break 1st law – EU top cops
    http://www.theregister.co.uk/2014/10/06/top_eu_cops_internet_of_things_devices_could_soon_become_instruments_of_murder/

    Death via internet, online contract killers and crime-as-a-service were just three of the scarier elements discussed by international top cops at the Interpol-Europol cybercrime summit in Singapore last week.

    The Internet Organised Crime Threat Assessment, a report prepared by Europol’s cybercrime division, warns that the so-called Internet of Things has created a target for new forms of blackmail, ransomware and “possible death”.

    Thanks to machine-to-machine communication, more and more critical everyday devices are becoming connected, and it’s apparently only a matter of time before a rogue smart car or hacked pacemaker kills someone.

    Europol estimates that there are 10 billion internet-enabled devices. “Cybercriminals need not be present in target countries and are able to conduct crime against large numbers of victims across different countries simultaneously with minimum effort and risk,” says the report.

    Reply
  28. Tomi Engdahl says:

    EU, Google, Facebook, Twitter, Microsoft: We’ll fight terrorists… with WORKSHOPS
    EU has dinner with Big Tech before debating data protection
    http://www.theregister.co.uk/2014/10/10/eu_google_facebook_twitter_microsoft_workshop_terrorist/

    The EU, and several of the world’s biggest and most powerful tech companies, made little progress in finding ways to combat terrorists’ use of online media, following a meeting and dinner on Wednesday night.

    EU government ministers met Google, Facebook, Twitter, and Microsoft representatives.

    Although terrorist groups (most notably IS/Isis) have increasingly used social media tools to spread their message, there was no formal agreement on any concrete steps to limit their internet activities.

    However, it was agreed to organise “joint training and awareness raising workshops for the representatives of the law enforcement authorities, internet industry, and civil society,”

    Reply
  29. Tomi Engdahl says:

    Software gurus: Only developers can defeat mass surveillance
    Fowler, Dörnenburg urge devs to stick up for the users
    http://www.theregister.co.uk/2014/10/10/developers_its_your_job_to_defeat_mass_surveillance_say_software_gurus/

    Software developers should not be content with writing code that works, they have a responsibility not to harm their users, say Agile development experts Martin Fowler and Erik Dörnenburg, speaking at the Goto Aarhus conference in Denmark last week.

    Agile has been influential, to the extent that most software projects today claim to adopt it

    Spending a bit more on ink is one thing, but the more serious problem is the emerging surveillance culture, argue Fowler and Dörnenburg. “What we do online is tracked to an enormous extent, a lot of it by commercial organisations,” says Fowler. Privacy is constantly undermined. “We are trained to think privacy is a special need. The default is everybody can observe everything. Privacy should be the default. The tracking should be something that is out of the norm,” says Dörnenburg.

    Most people think this does not matter, either because they have nothing to hide, or because they believe they are not interesting to those who might be observing them. This is a false argument, they argue, because there are people for whom it does matter: “the kind of people that annoy and bother those that are powerful. One example is an investigative journalist,” says Fowler. “Those people are essential to the operation of a free society. If we don’t have investigative journalists rooting out corruption, how do we know how to vote intelligently?”

    One of the key issues is that so much data passes through the internet without encryption. “The responsibility is on us as a profession,” says Dörnenburg. “It is naïve that we created protocols (like email and HTTP) that transmitted everything in plain text. We as technologists have taken the easy way out. Then we blame the users and tell them to install this or that plug-in. We need to make it so easy to use that normal users do not need to do anything special.”

    The duo are promoting an open source project called Pixelated which does encrypted email.
    https://github.com/pixelated-project

    Another problem is centralisation, according to the duo. “If you look at the history, first everything was heavily centralised in the mainframe era, then we had a level of decentralisation with client server, and then with the cloud platforms you’re going back to a different kind of centralisation,” ThoughtWorks CTO Rebecca Parsons told me. “When you are looking at a surveillance surface, there are only a small number of places to go. With email, with Salesforce, you’re getting a massive centralisation there.”

    The prevailing wisdom is that multi-tenanted cloud platforms offer more cost-effective and reliable solutions than those built on private infrastructure, but centralisation has risks of its own that should be considered.

    The choice for developers, says Fowler, is “being responsible over maximising gain. When it comes to the crunch, do we need to be responsible first? Or do we maximise the financial gain and just not care?”

    Reply
  30. Tomi Engdahl says:

    Selfmite on STEROIDS: Pumped-up SMS worm is BACK…
    Geo-aware nasty spaffs dodgy gear all over your mobe
    http://www.theregister.co.uk/2014/10/10/selfmite_sms_worm_goes_global/

    The SMS worm Selfmite is back: bigger, badder and now global.

    The worm, which first surfaced in June and affects Android smartphones and tablets, has spawned a new version.

    Selfmite-B infects many more users, uses several money-making techniques and is generally more dangerous and difficult to stop, warns mobile security firm AdaptiveMobile.

    AdaptiveMobile has tracked more than 150,000 messages sent over the past 10 days from over 100 compromised devices found in 16 countries.

    Users get infected if they download and install malicious APK files from URLs contained in text messages spammed out by already compromised devices. Once installed, Selfmite-B sends messages to all of the contacts in a user’s phone in a loop, which means that potential victims will continue to receive messages until the mobile carrier detects and blocks these messages or the owner deletes the malware.

    The cybercrooks behind the scam have come up with multiple ways to make money, mostly through dodgy affiliate programs.

    Reply
  31. Tomi Engdahl says:

    Malware devs offer $100 a pop for ‘active’ Google Play accounts
    Underground market is full of Android wrongness
    http://www.theregister.co.uk/2013/03/08/google_play_malfeasence/

    Virus writers are paying top dollar for access to “active” Google Play accounts to help them spread mobile malware across the Android ecosystem.

    Google charges $25 to Android developers who wish to sell their wares through the Google Play marketplace but a denizen of an underground cybercrime forum is offering to purchase these accounts for $100 apiece, a 300 per cent mark-up.

    The miscreant is offering “$100 for sellers willing to part with an active, verified Play account that is tied to a dedicated server”. Developer accounts at Google Play can be used to offer malware up as legitimate apps before offering these Trojanised packages for sale to prospective marks.

    The same wheeler-dealer is also selling an Android mobile malware creation toolkit that targets banking customers of Citibank, HSBC and ING and many other banks in multiple countries, reports investigative journalist turned security blogger Brian Krebs.

    The most widespread Android threats can be divided into three major groups: SMS Trojans, which steal money by sending premium texts; adware; and exploits to gain root access that allow criminals to enter the device and extract any data stored on it.

    Reply
  32. Tomi Engdahl says:

    KeePass Password Safe
    http://keepass.info/

    Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account.

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database.

    Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

    Reply
  33. Tomi Engdahl says:

    Thousands of Snapchat images may have been hacked via a third-party image-saving service
    https://gigaom.com/2014/10/10/thousands-of-snapchat-images-may-have-been-hacked-via-a-third-party-image-saving-service/

    The hackers are claiming that a searchable database will soon go live, featuring hundreds of thousands of images that the senders hoped were self-destructing.

    The database of a Snapchat image-saving service — not associated with Snapchat itself — has allegedly been hacked, and the hackers have claimed on 4chan that they will make hundreds of thousands of Snapchat users’ private images and videos available in a searchable database.

    Reply
  34. Tomi Engdahl says:

    Reports of payment terminal data breaches continue: the most recent victim is the American fast food chain Dairy Queen, which said that malware called Backoff stole payment card data from a total of 395 payment terminals over several weeks. Dairy Queen does not say how many card details in total ended up in the wrong hands. The malware stole customers’ names, payment card numbers and validity periods.

    According to Dairy Queen, the breach of its systems was initially achieved by using a third party’s user names. The same technique was used to break into Target.

    According to US security authorities, Backoff and similar malware have infected up to thousands of payment terminals. They steal information from the payment terminal’s RAM before it is encrypted.

    Source: http://www.tivi.fi/uutisia/haittaohjelma+piileskeli+400+myymalassa++korttitiedot+konnien+kasiin/a1018987

    Reply
  35. Tomi Engdahl says:

    Snapchat denies it was hacked
    4Chan members threaten to create searchable database of images and video
    http://www.computerworld.com/article/2824626/snapchat-denies-it-was-hacked.html

    While hackers say they have broken into a giant Snapchat database filled with Snapchat photos and videos and have been collecting files for years, the content messaging service denies it was hacked.

    According to one published report, a third-party Snapchat client app accessed a 13GB library of photo and video files for years. Snapchat users thought the library had been deleted.

    In a statement today, Snapchat denied its servers had been hacked.

    Reply
  36. Tomi Engdahl says:

    Blowing the whistle without blowing your career
    http://www.computerworld.com/article/2689846/blowing-the-whistle-without-blowing-your-career.html

    How techies can bring data mishandling and abuses to light without putting their careers in jeopardy.

    Technology professionals are among today’s most infamous whistleblowers.

    But for every high-profile case, there are plenty of tales of IT professionals who have accused their employers of wrongdoing without making national headlines or feeling the need to seek asylum in foreign countries.

    For four years now, the Dodd-Frank Wall Street Reform and Consumer Protection Act has received mixed reviews on its ability to fulfill its mandate to reward and protect people who report governmental or corporate misconduct.

    Reply
  37. Tomi Engdahl says:

    Hackers accessed at least 100K Snapchat photos, Snapchat says through third-party app that violated TOS

    Hackers Access At Least 100,000 Snapchat Photos And Prepare To Leak Them, Including Underage Nude Pictures
    Read more: http://www.businessinsider.com/snapchat-hacked-the-snappening-2014-10#ixzz3FppAxqhJ

    Reply
  38. Tomi Engdahl says:

    Tokyo court orders Google to delete search results about Japanese man, citing privacy violations

    Google Suffers New Privacy Setback in Japan
    http://online.wsj.com/news/article_email/google-suffers-new-privacy-setback-in-japan-1412933523-lMyQjAxMTE0MDEzMDUxNjAyWj

    Google Inc. has suffered another setback on privacy issues, this time in Japan, following a European court ruling that gave Internet users the right to ask the company to remove information about them from search results.

    The Tokyo District Court on Thursday issued an injunction, ordering Google to remove some Internet search results about a Japanese man that are considered to be violating his privacy, representatives from both sides said.

    Though the Tokyo court order has far less sweeping implications than the precedent-setting ruling by the European Court of Justice, it touches on similar issues.

    Google Provides Details on ‘Right to Be Forgotten’ Requests in E.U.
    http://bits.blogs.nytimes.com/2014/10/09/google-provides-details-on-right-to-be-forgotten-requests/?_php=true&_type=blogs&_r=0

    Google has evaluated 498K URLs for removal from search results under European laws since May, has removed 41.8%

    Reply
  39. Tomi Engdahl says:

    Smile! Marketing Firms Are Mining Your Selfies
    Photo-Sharing Sites Are Being Scanned to Find Brands, Target Ads
    http://online.wsj.com/articles/smile-marketing-firms-are-mining-your-selfies-1412882222

    Most users of popular photo-sharing sites like Instagram, Flickr and Pinterest know that anyone can view their vacation pictures if shared publicly.

    But they may be surprised to learn that a new crop of digital marketing companies are searching, scanning, storing and repurposing these images to draw insights for big-brand advertisers.

    Some companies, such as Ditto Labs Inc., use software to scan photos—the image of someone holding a Coca-Cola can, for example—to identify logos, whether the person in the image is smiling, and the scene’s context. The data allow marketers to send targeted ads or conduct market research.

    “This is an area that could be ripe for commercial exploitation and predatory marketing,” said Joni Lupovitz, vice president at children’s privacy advocacy group Common Sense Media. “Just because you happen to be in a certain place or captured an image, you might not understand that could be used to build a profile of you online.”

    Reply
  40. Tomi Engdahl says:

    Signed Malware = Expensive “Oops” for HP
    http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/

    Computer and software industry maker HP is in the process of notifying customers about a seemingly harmless security incident in 2010 that nevertheless could prove expensive for the company to fix and present unique support problems for users of its older products.

    Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

    Code-signing is a practice intended to give computer users and network administrators additional confidence about the integrity and security of a file or program. Consequently, private digital certificates that major software vendors use to sign code are highly prized by attackers, because they allow those attackers to better disguise malware as legitimate software.

    For example, the infamous Stuxnet malware – apparently created as a state-sponsored project to delay Iran’s nuclear ambitions — contained several components that were digitally signed with certificates that had been stolen from well-known companies.

    Even if the security concerns from this incident are minimal, the revocation of this certificate is likely to create support issues for some customers. The certificate in question expired several years ago, and so it cannot be used to digitally sign new files. But according to HP, it was used to sign a huge swath of HP software — including crucial hardware and software drivers, and other components that interact in fundamental ways with the Microsoft Windows operating system.

    Reply
  41. Tomi Engdahl says:

    Kmart Says Credit Card System Breached In Malware Attack
    http://www.buzzfeed.com/jimdalrympleii/kmart-says-credit-card-system-breached-in-malware-attack#y8n7wx

    The attack began in September and involved the use of malware. A separate hack reportedly targeted Dairy Queen.

    Kmart says customer credit card numbers were exposed after criminals used malware to infiltrate the company’s data system.

    Sears, which owns Kmart, said Friday the data breach began in early September and involved “a form of malware” that current anti-virus systems couldn’t pick up.

    The breach was detected by the company’s security team Thursday. The team removed the malware, but not before debit and credit card numbers were compromised.

    Riefs did not say how large the breach was, but when asked if it included everyone who shopped at Kmart between September and Thursday, he responded that it was “potentially those customers.”

    The company said the breach did not extend to PIN numbers, email addresses, social security numbers, or other personal information.

    Reply
  42. Tomi Engdahl says:

    Android SMS worm Selfmite is back, more aggressive than ever
    http://www.computerworld.com/article/2824619/android-sms-worm-selfmite-is-back-more-aggressive-than-ever.html

    A new version of the worm is causing infected devices to send thousands of spam text messages and has spread to 16 countries

    A new version of an Android worm called Selfmite has the potential to ramp up huge SMS charges for victims in its attempt to spread to as many devices as possible.

    The first version of Selfmite was discovered in June, but its distribution was quickly disrupted by security researchers. The worm — a rare type of malware in the Android ecosystem — spread by sending text messages with links to a malicious APK (Android Package) to the first 20 entries in the address book of every victim.

    “According to our data, Selfmite.b is responsible for sending over 150k messages during the past 10 days from a bit more than 100 infected devices,”

    At an average of 1,500 text messages sent per infected device, Selfmite.b can be very costly for users whose mobile plans don’t include unlimited SMS messages. Some mobile carriers might detect the abuse and block it, but this might leave the victim unable to send legitimate text messages.

    Fortunately, the worm’s distribution system does not use exploits and relies only on social engineering — users would have to click on the spammed links and then manually install the downloaded APK in order for their devices to be infected.

    Reply
  43. Tomi Engdahl says:

    Windows Users, Get Ready For a Bigger-Than-Usual Patch Tuesday
    http://tech.slashdot.org/story/14/10/11/1433243/windows-users-get-ready-for-a-bigger-than-usual-patch-tuesday

    October is stacking up to be a bumper Patch Tuesday update with nine bulletins lined up for delivery — three rated critical.

    Top of the critical list is an update for Internet Explorer that affects all currently supported versions 6 to 11, on all operating systems, including Windows RT.

    Reply
  44. Tomi Engdahl says:

    Core Secrets: NSA Saboteurs In China and Germany
    http://politics.slashdot.org/story/14/10/11/1318230/core-secrets-nsa-saboteurs-in-china-and-germany

    The National Security Agency has had agents in China, Germany, and South Korea working on programs that use “physical subversion” to infiltrate and compromise networks and devices, according to documents obtained by The Intercept.

    Core Secrets: NSA Saboteurs in China and Germany
    https://firstlook.org/theintercept/2014/10/10/core-secrets/

    The documents, leaked by NSA whistleblower Edward Snowden, also indicate that the agency has used “under cover” operatives to gain access to sensitive data and systems in the global communications industry, and that these secret agents may have even dealt with American firms. The documents describe a range of clandestine field activities that are among the agency’s “core secrets” when it comes to computer network attacks, details of which are apparently shared with only a small number of officials outside the NSA.

    “It’s something that many people have been wondering about for a long time,”

    Previous disclosures about the NSA’s corporate partnerships have focused largely on U.S. companies providing the agency with vast amounts of customer data, including phone records and email traffic. But documents published today by The Intercept suggest that even as the agency uses secret operatives to penetrate them, companies have also cooperated more broadly to undermine the physical infrastructure of the internet than has been previously confirmed.

    In addition to so-called “close access” operations, the NSA’s “core secrets” include the fact that the agency works with U.S. and foreign companies to weaken their encryption systems; the fact that the NSA spends “hundreds of millions of dollars” on technology to defeat commercial encryption; and the fact that the agency works with U.S. and foreign companies to penetrate computer networks, possibly without the knowledge of the host countries. Many of the NSA’s core secrets concern its relationships to domestic and foreign corporations.

    The agency’s core secrets are outlined in a 13-page “brief sheet” about Sentry Eagle, an umbrella term that the NSA used to encompass its most sensitive programs “to protect America’s cyberspace.”

    Reply
  45. Tomi Engdahl says:

    NSA: Even the Secrets We Tell You Are Too Secret For You To Know About
    https://firstlook.org/theintercept/2014/10/09/nsa-even-secrets-tell-secret-know/

    It’s an assertion that defies common sense but speaks volumes about how the U.S. intelligence complex dodges accountability: The National Security Agency is arguing that even the secrets it has intentionally disclosed to reporters are still so secret that disclosing their disclosure threatens national security.

    Reply
  46. Tomi Engdahl says:

    Thousands of Snapchat images may have been hacked via a third-party image-saving service
    https://gigaom.com/2014/10/10/thousands-of-snapchat-images-may-have-been-hacked-via-a-third-party-image-saving-service/

    The hackers are claiming that a searchable database will soon go live, featuring hundreds of thousands of images that the senders hoped were self-destructing.

    The database of a Snapchat image-saving service — not associated with Snapchat itself — has allegedly been hacked, and the hackers have claimed on 4chan

    Snapchat’s popular service lets people send each other self-destructing pictures, but there are ways to get round this limitation.

    “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” Snapchat said in an emailed statement on Friday.
    “Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

    As Snapchat “hack” highlights, promises of privacy and security can be very dangerous
    https://gigaom.com/2014/10/11/as-snapchat-hack-highlights-promises-of-privacy-and-security-can-be-very-dangerous/

    There are few things riskier than recommending a security or privacy measure that turns out not to work — a fact that applies to app vendors and security-focused journalists alike.

    In the wake of this week’s apparent hacking of hundreds of thousands of Snapchat images via a third-party service, it’s worth revisiting some fundamentals about the scary business of security and privacy recommendations.

    Even something like PGP email encryption — technically speaking, a very secure mechanism — has potentially disastrous pitfalls. Correct usage takes place within strict guidelines that are in many circumstances difficult to follow

    Snapchat hack

    Which brings us back to Snapchat and this week’s apparent hack of a third-party service, which some Snapchat customers had been using to save supposedly self-destructing photos for repeated viewing. According to some reports, this service was quietly filing away copies of the pictures passing through its systems, and then someone else stole that trove.

    Going on the assumption that the hack occurred, or even just considering that it could, this both is and isn’t Snapchat’s fault.

    Unfortunately, the ultimate weapon against this sort of abuse would be for Snapchat to not exist at all, because a service like that is inherently insecure.

    Snapchat no longer promises its users that their photos will “disappear forever”, but that’s only because the U.S. Federal Trade Commission ordered it to stop doing so five months ago.

    Snapchat bears some responsibility if it makes promises it can’t keep, no matter how hard it tries. That makes it somewhat disappointing to see the company try to shift the blame entirely onto those users who secretly saved the snaps they received – even though these users must certainly bear the majority of the blame, Snapchat’s inability to stop them, combined with the image it projects to vulnerable people (its users are largely young, remember), means the company must share some of the blame too.

    The fact is, if you face a determined attacker – whether it be someone saving Snapchat images, or someone who knows how to exploit the weaknesses in a service like iCloud, or the NSA, or a stalker in the offline world – you’re in trouble.

    That doesn’t mean it’s not worth taking defensive measures, as they can work against less competent or less focused attackers. But it does mean that those promoting defensive measures – whether they be security vendors, or “privacy app” marketers, or journalists like me – had better be extraordinarily careful about what claims they attach to their recommendations.

    Reply
  47. Tomi Engdahl says:

    Edward Snowden’s Privacy Tips: “Get Rid Of Dropbox,” Avoid Facebook And Google
    http://techcrunch.com/2014/10/11/edward-snowden-new-yorker-festival/

    According to Edward Snowden, people who care about their privacy should stay away from popular consumer Internet services like Dropbox, Facebook, and Google.

    His first answer called for a reform of government policies. Some people take the position that they “don’t have anything to hide,” but he argued that when you say that, “You’re inverting the model of responsibility for how rights work”:

    When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’ You’re saying, ‘I don’t have this right, because I’ve got to the point where I have to justify it.’ The way rights work is, the government has to justify its intrusion into your rights.

    He added that on an individual level, people should seek out encrypted tools and stop using services that are “hostile to privacy.” For one thing, he said you should “get rid of Dropbox,” because it doesn’t support encryption, and you should consider alternatives like SpiderOak.

    He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid.

    Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data.

    Snowden acknowledged that there’s some irony in his taking shelter in China and Russia, countries that don’t exactly have spotless human rights or privacy records themselves. He said Russia was supposed to be a transit point on his way to Latin America

    Reply
  48. Tomi Engdahl says:

    Only 100 cybercrime brains worldwide says Europol boss
    http://www.bbc.com/news/technology-29567782

    There are only “around 100” cybercriminal kingpins behind global cybercrime, according to the head of Europol’s Cybercrime Centre.

    Speaking to the BBC’s Tech Tent radio show, Troels Oerting said that law enforcers needed to target the “rather limited group of good programmers”.

    “We roughly know who they are. If we can take them out of the equation then the rest will fall down,” he said.

    Although, he added, fighting cybercrime remained an uphill battle.

    “This is not a static number, it will increase unfortunately,” he said.

    The biggest issue facing cybercrime fighters at the moment was the fact that it was borderless, he told the BBC.

    “Criminals no longer come to our countries, they commit their crimes from a distance and because of this I cannot use the normal tools to catch them.”

    “I have to work with countries I am not used to working with and that scares me a bit,”

    Mr Oerting described how Russian-speaking criminal gangs were creating and testing malware and then selling it as a service in online forums.

    “Then it is downloaded by all kinds of criminals, from Eastern Europe, Europe, Africa and America,” he said.

    This commercialisation of cybercrime is making his job harder.

    “It is so easy to be a cybercriminal. You don’t have to be a cyber-expert because you just download the programs that you want to use.”

    On the issue of what consumers should be worried about, he said: “What I think you should be afraid of is the stealing of your private, sensitive information – your inbox credentials, your Facebook account. If they know a bit about you they can reset your Google accounts, your Apple accounts. Then they simply take over your life,” he said.

    Reply
  49. Tomi Engdahl says:

    Second leaker in US intelligence, says Glenn Greenwald
    http://www.theguardian.com/us-news/2014/oct/11/second-leaker-in-us-intelligence-says-glenn-greenwald

    Citizenfour, new film on spying whistleblower Edward Snowden, shows journalist Greenwald discussing other source

    Reply
