Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports keep coming up, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why is cyber warfare becoming more and more attractive to small nations and terrorist groups? Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications to app stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
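As an illustration of what “automating a control” with shared threat intelligence looks like in practice, here is an added example (not code from the original post or from any of the vendors mentioned): a small indicator feed is loaded, indexed by type, and matched against proxy log lines. The feed layout (type, value, description) only loosely follows STIX-style indicator fields and is not a real STIX document; the indicator values and log lines are constructed here for illustration.

```python
"""Automated control: match a shared indicator feed against proxy logs.

Added example, not from the original post. The indicator feed and the log
lines are constructed for illustration; the record shape (type, value,
description) is a simplified, STIX-like assumption, not a real STIX bundle.
"""
import json
import re

# Constructed indicator feed (assumed shape). Addresses are from the
# RFC 5737 documentation ranges; the hash is a placeholder.
INDICATOR_FEED = json.dumps([
    {"type": "domain-name", "value": "updates.example-bad.test",
     "description": "constructed C2 domain"},
    {"type": "ipv4-addr", "value": "203.0.113.45",
     "description": "constructed scanner address (TEST-NET-3)"},
    {"type": "sha256", "value": "0" * 64,
     "description": "constructed dropper hash (placeholder)"},
])

# Constructed proxy log lines:
# timestamp client destination port method path sha256-of-download action
SAMPLE_LOGS = "\n".join([
    "2015-05-28T10:01:02Z 10.0.0.12 updates.example-bad.test 443 GET / - allowed",
    "2015-05-28T10:01:05Z 10.0.0.12 www.example.org 443 GET /index.html - allowed",
    "2015-05-28T10:02:10Z 10.0.0.31 203.0.113.45 80 POST /upload - allowed",
    "2015-05-28T10:03:44Z 10.0.0.44 cdn.example.net 443 GET /setup.exe "
    + "0" * 64 + " allowed",
])

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<sha256>\S+) (?P<action>\S+)$"
)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def load_indicators(feed_json):
    """Index indicator values by type so each log field becomes a set lookup."""
    index = {}
    for ind in json.loads(feed_json):
        index.setdefault(ind["type"], set()).add(ind["value"].lower())
    return index


def parse_log_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_logs(log_text, indicators):
    """Return one hit per (line, indicator) pair found in the log text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_log_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as clean
        dest = rec["dest"].lower()
        dest_type = "ipv4-addr" if IP_RE.match(dest) else "domain-name"
        if dest in indicators.get(dest_type, ()):
            hits.append({"line": lineno, "type": dest_type,
                         "value": dest, "client": rec["client"]})
        digest = rec["sha256"].lower()
        if digest != "-" and digest in indicators.get("sha256", ()):
            hits.append({"line": lineno, "type": "sha256",
                         "value": digest, "client": rec["client"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, load_indicators(INDICATOR_FEED)):
        print(f"line {hit['line']}: {hit['client']} -> {hit['type']} {hit['value']}")
```

The point of indexing by indicator type is that a new feed can be dropped in without touching the matching logic; in a real deployment the same loop would run over a log stream, and the hits would feed a ticketing or blocking step rather than a print.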
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
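One practical step for a website operator migrating from HTTP to HTTPS is to find the sub-resources (scripts, images, stylesheets) that the page would still fetch over plain HTTP, since those keep the page partly unprotected after the move. The following is an added example, not code from the original post or from Google; the page URL and HTML it scans are constructed for illustration.

```python
"""Find sub-resources a page would still load over plain HTTP after moving
to HTTPS. Added example, not from the original post; PAGE_URL and
SAMPLE_HTML are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose referenced resource the browser loads as part of the page.
# Ordinary <a href> links are left out: they navigate away rather than
# being embedded, so they are not mixed content.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "embed": "src",
    "object": "data",
}


class InsecureReferenceFinder(HTMLParser):
    """Collects (tag, absolute URL) pairs for sub-resources fetched over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        ref = dict(attrs).get(attr)
        if not ref:
            return
        # Resolve relative and protocol-relative ("//cdn/...") references
        # against the page URL, so they inherit the page's own scheme.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_insecure_references(page_url, html):
    """Return the list of (tag, url) sub-resources loaded over plain HTTP."""
    parser = InsecureReferenceFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure


# Constructed sample page: two hard-coded http:// resources, one
# protocol-relative script (fine after the move), one relative stylesheet.
PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/style.css">
  <script src="http://static.example.test/app.js"></script>
  <script src="//cdn.example.test/lib.js"></script>
</head><body>
  <img src="http://images.example.test/logo.png">
  <img src="https://images.example.test/banner.png">
  <a href="http://blog.example.test/">blog</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_references(PAGE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}> reference: {url}")
```

Run against a real site the same function would be fed the fetched HTML of each page; the protocol-relative and root-relative references are deliberately not reported, because they follow the page's scheme and fix themselves once the page itself is served over HTTPS.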
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Juli Clover / MacRumors:
New iOS bug crashes Messages app and reboots iPhones when a specific string of text is received via iMessage or SMS — New iOS Bug Crashing iPhones Simply by Receiving a Text Message [Includes Fix]
http://www.macrumors.com/2015/05/26/ios-bug-crashing-iphones-with-text-message/
Tomi Engdahl says:
IoT Security Groundswell Gathers
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326687&
After plenty of talk, a wave of real action aimed at solving the Internet of Things’s security problems is on the rise.
At least twice a week someone pings me with an idea for a guest article on how engineers must solve security problems if the Internet of Things is going to reach its potential. After plenty of talk on the topic, a wave of real action is on the rise.
The Intel-led Open Interconnect Consortium defining a high-level IoT software stack recently called for engineers to join its work on security. I know its rival, the Thread Group, is engaged in similar work. The IEEE is taking a different tack, organizing an effort for policy makers to join engineers.
IoT security was a hot topic at the recent RSA Conference. The Trusted Computing Group put out a white paper there about how to embed in resource-limited IoT nodes its approach to a hardware root of trust.
Stanford University recently wrapped up a seminar on the topic. Another good reference is this list of the ten top attack sites for IoT.
The Global Semiconductor Alliance recently released a report on IoT that called out security issues, as noted in a story by my colleague Junko Yoshida. And today, IBM released the annual report from the Ponemon Institute on the state of Internet security generally.
The Ponemon study of 350 global companies across all industries said the average total cost of a data breach increased 23 percent over two years to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased six percent to $154. However, the cost in healthcare companies was as high as $363.
The higher costs of breaches may be due in part to wider use of forensic tools, the study said. But it also made it clear there’s plenty of room for better tools. The study estimated a mean time to identify a data breach at 206 days with a range of 20 to 582 days. The mean time to contain one was 69 days with a range of 7 to 175 days.
Tomi Engdahl says:
Symantec was the clear leader in data security according to Gartner, which has published last year’s statistics. Symantec’s market share was 17.2 per cent last year. On the other hand, Symantec’s sales shrank by over one per cent, while the overall market grew by 5.3 per cent.
Intel (the former McAfee) was runner-up on last year’s list with $1.8 billion of sales and 8.5 percent market share. IBM was the fastest grower on the list, with nearly $1.5 billion in net sales, 17 per cent higher than last year.
Other big players: Trend Micro and EMC
Source: http://etn.fi/index.php?option=com_content&view=article&id=2888:symantec-selkea-ykkonen-tietoturvassa&catid=13&Itemid=101
Tomi Engdahl says:
Hola
http://8ch.net/hola.html
Hola “Better Internet” is an extremely popular free VPN. How it works is not very clear to all its users though, as I quickly became aware in the past week when 8chan was hit by multiple denial of service attacks from their network.
When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this. On the other hand, with the Tor onion router, users must specifically opt in to be exit nodes and are aware that completely anonymous traffic can pass through their connections, which means they should be ready for abuse reports for child porn, spam, copyrighted content and other ills that come with the territory.
Hola was created by the Israeli corporation Hola Networks Limited at the end of 2012, and at first was just the VPN service. However, Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io .
Hola is the most unethical VPN I have ever seen.
So far as I can tell, there is no way to tell if an IP has the Hola VPN software installed or not
Tomi Engdahl says:
The touch screen can reveal the user identity to the NSA
US intelligence agency NSA has experimented with a technique in which a smartphone user is identified on the basis of his touch-screen swipes, writes Nextgov.
The technique, developed by Lockheed Martin, works somewhat the same way as handwriting-based identification methods.
Lockheed’s John Mears said that no two people have similar swipes. According to him, handwriting can be forged, because it is often rather two-dimensional.
Instead, a swipe can also take into account the strength with which the display is pressed, which makes it more difficult to reproduce. In addition, the time spent on the swipe is also monitored.
Mears says that the technology has been successfully developed in conjunction with the NSA for use in smartphones. The company is not aware of whether the intelligence agency has taken the identification method into wider use.
Source: http://www.tivi.fi/Uutiset/2015-05-28/Kosketusn%C3%A4ytt%C3%B6-voi-paljastaa-henkil%C3%B6llisyyden-NSAlle-3321206.html
Tomi Engdahl says:
Indian music streaming service Gaana hacked, millions of users’ details exposed – http://www.globalhacknews.com/2015/05/indian-music-streaming-service-gaana.html
Tomi Engdahl says:
F-Secure warns against attacks that exploit software vulnerabilities, which have become an easy and well-established entry method for malware.
Security experts say that attack tools targeting the most popular software are still the most used threat from criminals, and it is easy to take advantage of them.
“Software programs always have vulnerabilities, so there will also always be criminals who exploit them using malicious software,” says F-Secure’s senior security researcher Timo Hirvonen.
“It has become a business model for them, as a fix or patch made by the companies at the same time reveals software vulnerabilities. Criminals continue to examine the software code to find security vulnerabilities and develop malware that attacks these vulnerabilities.”
F-Secure’s recent report raises attack tools as a big risk factor in today’s digital world, in which criminals seek to automate attacks.
Attack tools accounted for 40% of all malware attacks in the second half of 2014. The Angler tool kit used by criminals, which includes simple software tools to help carry out large-scale malware attacks, was according to the report the most significant threat in North America.
While earlier malware campaigns focused on vulnerabilities in Java or older versions of Windows, during the last 6 months attacks exploiting vulnerabilities in Adobe’s popular Flash plugin have increased.
“Software vendors fix vulnerabilities quite actively, so it is important for people to install updates as soon as they become available. Unpatched software is a significant security risk, which many take without realizing that it motivates criminals to continue their attack strategies based on it.”
Source: http://www.tivi.fi/Kaikki_uutiset/2015-05-28/F-Secure-varoittaa-ohjelmistohaavoittuvuuksista-3321240.html
Tomi Engdahl says:
Now it has been calculated: this is how much a data leak costs
The Ponemon Institute published its “Cost of Data Breach Study: Global Analysis” report; the average cost of a data breach has risen to $3.8 million, or about EUR 3.5 million.
This is a growth of 23 per cent from 2013.
The average price for each lost or stolen record of confidential information has risen by 6 per cent, from $145 to $154. For the report, information was collected on 350 organizations in 11 different countries.
The cost increase caused by information leaks is mainly due to three reasons. The number of Norton resources is constantly growing, and therefore information leak detection costs rise. Also, the business losses resulting from information leaks have a significant impact on overall cost. In addition, more and more companies spend more on data leak investigation measures and crisis management.
According to Ponemon’s report, a more active role of the organization’s Board of Directors in the event of a data leak lowers the cost by $5.50 per lost record. Also, taking out insurance against attacks lowers costs by $4.4 per lost record.
Business continuity management has an important role to play in efforts to reduce the costs of data leaks.
The highest costs from information leaks are incurred by organizations in the United States ($217 per lost record) and Germany ($211 per lost record).
Costs arising from information leaks vary across industries. The highest costs can be found in the healthcare sector, where the costs can rise on average to as much as $363 per lost record. In the education sector, respectively, the cost is $300.
The lowest figures are in the transport sector and the public sector, where the costs are $121 and $68 per lost record.
Hackers and infiltrators contribute a major part of information leaks. According to this year’s survey, 45 percent of all leaks were caused by an intentional act or criminal activity. The average price of settling such an attack is $170 per lost record.
The time used to detect and mitigate a data burglary affects expenses. Ponemon Institute research shows that the faster an organization is able to verify and control information leaks, the faster it can assess their financial implications.
Verifying a leak committed with intent takes an average of 256 days, while verifying an information leak that occurred as a result of human error takes an average of 158 days.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-05-28/Nyt-se-on-laskettu-n%C3%A4in-huimasti-tietovuoto-maksaa-3321219.html
Tomi Engdahl says:
Aran Khanna / Medium:
Facebook Messenger includes exact GPS location data by default in chats, making it easy to stalk friends
Stalking Your Friends with Facebook Messenger
https://medium.com/@arankhanna/stalking-your-friends-with-facebook-messenger-9da8820bd27d
Tomi Engdahl says:
Russell Brandom / The Verge:
Facebook testing Security Checkup pop-up that offers password security options, shows recent logins
Facebook is testing a new tool to lock down user logins
http://www.theverge.com/2015/5/27/8663271/facebook-security-check-login-news-feed
As services go mobile, logins have gotten a lot stickier and a lot harder to track. Once you’ve logged in on a phone or tablet, that login will usually stick around until you actively turn it off, a particular problem if that phone ends up lost, stolen, or just re-sold.
There are tools to protect against that, but you may not have checked them out in a while. Login alerts will send you an email any time there’s a new login, while device management can show you every device that’s accessed your account. You can find versions of those tools from Google, Facebook, PayPal, or half a dozen other services, but most users skip past them, if they even know they’re there.
Today, Facebook is releasing a new feature that will give those tools a higher profile. It’s called Security Checkup, and should be popping up into select users’ News Feeds starting today. The Checkup will pop-up over top of the site, prompting users to explore “a couple options you have to increase your security.”
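The two tools the article describes, login alerts and a device-management view, are simple to reason about once you treat them as functions over a login log. The following is an added example (not code from Facebook, Google or the article): it raises an alert on a login from a device the account has not used before, lists each account’s devices with their last login, and flags sessions that have been idle longer than a threshold, which is the “lost, stolen or re-sold phone” case. The login records and the rule that an account’s first device is the baseline are assumptions made for the example.

```python
"""Login alerts and a device-management view over a constructed login log.

Added example, not code from Facebook or the article. The record layout,
the sample records and the 'first device is the baseline' rule are assumptions.
"""
from datetime import datetime, timedelta

# Constructed login records: (timestamp, account, device_id, source_ip).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGINS = [
    ("2015-05-20T08:00:00", "alice", "phone-1", "198.51.100.10"),
    ("2015-05-21T19:30:00", "alice", "laptop-1", "198.51.100.11"),
    ("2015-05-25T07:15:00", "alice", "phone-1", "198.51.100.10"),
    ("2015-05-26T12:00:00", "bob", "phone-2", "203.0.113.7"),
    ("2015-05-27T22:45:00", "alice", "tablet-9", "203.0.113.99"),
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def _parse(record):
    ts, account, device, ip = record
    return _parse_ts(ts), account, device, ip


def new_device_alerts(records):
    """One alert per login from a device the account has not used before.

    The account's very first device is taken as the baseline (assumption),
    so it raises no alert; every later unseen device does.
    """
    seen = {}
    alerts = []
    for ts, account, device, ip in sorted(map(_parse, records)):
        known = seen.setdefault(account, set())
        if known and device not in known:
            alerts.append({"account": account, "device": device,
                           "ip": ip, "time": ts.isoformat()})
        known.add(device)
    return alerts


def active_devices(records):
    """Device-management view: each account's devices and their latest login.

    A session is assumed to persist until the user revokes it, which is why
    every device that ever logged in is listed, not only recent ones.
    """
    latest = {}
    for ts, account, device, _ in map(_parse, records):
        per_account = latest.setdefault(account, {})
        if device not in per_account or ts > per_account[device]:
            per_account[device] = ts
    return latest


def stale_devices(records, now_iso, max_idle_days):
    """Devices whose last login is older than max_idle_days: candidates for
    revocation, since a lost or re-sold phone keeps its session otherwise."""
    cutoff = _parse_ts(now_iso) - timedelta(days=max_idle_days)
    return [
        (account, device)
        for account, devices in active_devices(records).items()
        for device, last in devices.items()
        if last < cutoff
    ]


if __name__ == "__main__":
    for alert in new_device_alerts(SAMPLE_LOGINS):
        print("login alert:", alert)
    print("idle sessions:", stale_devices(SAMPLE_LOGINS, "2015-05-30T00:00:00", 7))
```

In the constructed log, alice’s laptop and tablet logins each trigger an alert while her repeat phone login does not, and the laptop shows up as idle for more than a week; that idle list is what a “where you’re logged in” screen exists to surface.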
Tomi Engdahl says:
Simple Code Turns Any USB Drive Into A Kill Switch For Your Computer
http://www.gizmodo.com.au/2015/05/simple-code-turns-any-usb-drive-into-a-kill-switch-for-your-computer/
Master criminals, serial adulterers and other tinfoil-hat-wearers spend their lives looking over their shoulders, scared of being caught with a powered-on laptop full of incriminating information in, say, a public library. But some simple code and an empty USB drive could make life much harder for the police.
USBKill is the latest iteration in the police/hacker technological arms race: a program that once activated, will kill a computer if there’s any activity on the USB ports. That activity could include the police installing a mouse jiggler — a tool that prevents computers from going to sleep — or just any USB drive being removed. So, tie a flash drive to your ankle, and you’ve got an instant kill switch for when the police — or the UPS guy — knocks.
What Was On Alleged Silk Road Boss’ Laptop At The Moment of His Arrest
http://gawker.com/what-was-on-alleged-silk-road-boss-laptop-at-the-momen-1469122014
Tomi Engdahl says:
Andrea Peterson / Washington Post:
U.N. report: Encryption is important to human rights — and backdoors undermine it
http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/28/un-report-encryption-is-important-to-human-rights-and-backdoors-undermine-it/
A new report from the United Nation’s Office of the High Commissioner for Human Rights says digital security and privacy are essential to maintaining freedom of opinion and expression around the world — and warns that efforts to weaken security tools in some countries may undermine it everywhere.
The report written by special rapporteur David Kaye says that encryption — the process of digitally scrambling information so that only authorized persons can access it — and anonymity tools “provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age.” The report will be presented to the U.N. Human Rights Council next month.
It comes amid a growing debate in the U.S. about how to best balance personal privacy rights and national security.
http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session29/Documents/A.HRC.29.32_AEV.doc
Tomi Engdahl says:
Google launches native Android Smart Lock password manager
Look out LastPass: Devs can shunt creds into OS vault
http://www.theregister.co.uk/2015/05/29/google_launches_native_android_smart_lock_password_manager/
Google I/O: Android users will be able to store passwords in Google’s native Smart Lock manager, in a security boon for the masses.
The Choc Factory launched the Smart Lock for Passwords at the I/O conference in San Francisco overnight available in the Android M developer preview.
It says developers including Orbitz, Netflix, and The New York Times have relaunched their apps to make use of the feature.
“By integrating Smart Lock for Passwords into your Android app, you can automatically sign users into your app using the credentials they have saved,” the company says in a developer’s guide.
“Use successfully retrieved credentials to sign the user in, or use the Credential API to rapidly on-board new users by partially completing your app’s sign in or sign up form.
“Prompt users after sign-in or sign-up to store their credentials for future automatic authentication.”
Tomi Engdahl says:
Small businesses trashed in big malware campaign
‘Grabit’ malware isn’t subtle or clever, but it’s working
http://www.theregister.co.uk/2015/05/29/grabit_smb_campiagn/
Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign.
Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly-discovered strain of malware called “Grabit”.
“Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March,” Noar says in a notice.
“As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.
“Grabit threat actors did not use any sophisticated evasions or manoeuvres in their dynamic activity.”
Attackers did not commit much effort to conceal their command and control servers, nor hide from the local system. Noar discovered the locations of the servers by simply opening the malicious Grabit phishing document file in an editor.
The criminals could choose their favourite remote access trojan including DarkComet and the less complex HawkEye keylogger.
Tomi Engdahl says:
Apache Cordova vulnerability leaves Android apps wide open to hackers
One in 20 devices affected by ‘high-severity’ flaw
http://www.theinquirer.net/inquirer/news/2410650/apache-cordova-vulnerability-leaves-android-apps-wide-open-to-hackers
SECURITY RESEARCHERS at Trend Micro have discovered a “major” vulnerability in the Apache Cordova app framework that leaves one in 20 Android apps open to hackers.
Apache Cordova, which is used in 5.6 percent of Android applications, is a toolkit of APIs used by mobile app developers to access native device functions, including cameras and accelerometer, from JavaScript.
It allows devs to create cross-platform mobile apps using standard web technologies like HTML5, CSS3 and JavaScript, which makes it compatible with operating system including iOS, BlackBerry and Windows Phone.
However, Trend Micro has uncovered a flaw that affects only apps running on Android.
“We’ve discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behaviour of apps just by clicking a URL,” the security outfit said.
The vulnerability it said to stem from a glitch in the way the Apache Cordova framework handles app developer preferences.
Tomi Engdahl says:
Hacked Emails Reveal Russian Plans to Obtain Sensitive Western Tech
https://firstlook.org/theintercept/2015/05/28/u-s-cyber-firm-alleges-hacked-emails-reveal-russian-front-operation/
In April 2014, Viktor Tarasov wrote to the head of Ruselectronics, a Russian state-owned holding company, about a critical shortage of military equipment. The Russian military lacked thermal imaging systems
The money, Tarasov wrote, would allow the company to buy the equipment under a current contract from a French company without the need for signing a new “end-use certificate,” which requires the buyer to disclose the final recipient.
The emails cover the years 2006 to 2014 and include a number of messages among key Russian business people that detail their plans to obtain the thermal imaging production equipment from foreign sources.
The reason for the shortfall was Russia’s inability to produce a critical component — microbolometer arrays — which can capture images without requiring cooling, reducing the size and complexity of thermal imaging systems.
Shortly after Rogozin’s letter, the email correspondence shows that Cyclone established a new company, called Cyclone-IR, whose job was to acquire the technology needed for domestic production of thermal imaging systems.
Several Western companies listed in the email cache as potential suppliers of sensitive technology to Russia denied doing any business with Cyclone
Tomi Engdahl says:
Feds Bust a Dark-Web Counterfeit Coupon Kingpin
http://yro.slashdot.org/story/15/05/29/1236218/feds-bust-a-dark-web-counterfeit-coupon-kingpin
The dark web has become the go-to corner of the Internet to buy drugs, stolen financial data, guns…and counterfeit coupons for Clif bars and condoms? The FBI indicted Beauregard Wattigney yesterday for wire fraud and trademark counterfeiting on digital black market sites Silk Road and Silk Road 2. Wattigney allegedly spoofed coupons for dozens of products and sold collections of them online in exchange for Bitcoin.
Inside a Giant Dark-Web Scheme to Sell Counterfeit Coupons
http://www.wired.com/2015/05/inside-a-million-dollar-dark-web-coupon-counterfeiting-scheme/
The FBI accuses Wattigney of doing $1 million in total damage to the affected companies—which range from Sony to Crest to Kraft.
“We have the best, most consistent, most precise, most scannable, most accepted, most diverse collection of coupons anywhere. They are not on anyone’s ban list. They are not blacklisted anywhere,” reads PurpleLotus’s vendor profile on Agora, the largest currently active black market on the Dark Web. “They will save you a ton of money…If you use the coupons for the everyday things that you normally buy, the golden goose will continue to lay golden eggs.”
In addition to those packages of pre-made coupons, ThePurpleLotus also offered a $200 package of “coupon-making lessons.” That digital guide to counterfeiting included a powerpoint presentation showing the step-by-step process of coupon fraud
In his tutorials, ThePurpleLotus explained the simple breakdown of barcode creation using the increasingly universal GS1 standard
In messages on Silk Road 2 forums last year, ThePurpleLotus boasted of launching a new automatic coupon-generating service so that customers could pay a fee to generate a custom coupon for the product of their choice, rather than having to learn his counterfeiting tricks or choose from his existing stock of fraudulent files.
In fact, ThePurpleLotus’s schemes demonstrate how absurdly easy coupon fraud remains, she argues. Beauchamp points to the insecure method of coupon verification that major retailers like Target, Walmart, and many others use—which essentially amounts to no authentication, only blacklists of known fraudulent coupons like the one maintained by an industry group known as the Coupon Information Center.
Beauchamp notes that when a counterfeit coupon is spotted at the register, consumers often say they were given the coupon by a friend or “found it on the internet” and face no consequences.
“Every day new codes get added to the blacklist,” says Beauchamp. But new fraudulent coupons are being created at a faster rate than ever, she says. “The problem is that it’s a blacklist, not a whitelist. And that affects the whole industry.”
The Coupon Information Corporation, which maintains one list of known fraudulent coupons on behalf of the retail industry, counters that other security measures beyond a blacklist exist to combat coupon fraud.
Wattigney’s transactions may seem relatively benign: mere counterfeit images and software tools.
“I’d estimate that the consumer packaged goods industry experienced tens of millions of dollars of counterfeit coupon damages.” –Jane Beauchamp
Tomi Engdahl says:
Business Insider:
Founder of Silk Road drug marketplace Ross Ulbricht sentenced to life in prison, to forfeit $184M
Founder of the Silk Road drug marketplace sentenced to life in prison without parole
http://uk.businessinsider.com/silk-road-drug-baron-sentenced-to-2015-5?op=1?r=US
The convicted mastermind behind the world’s largest online narcotics emporium has been sentenced to life in prison without parole by a federal judge.
The judge also ordered Ross Ulbricht, 31, to forfeit $184 million dollars. The government estimated that roughly $1.2 billion in illegal drug transactions took place on Silk Road.
“Silk Road was about creating demand and fulfilling demand,” the judge said. “You don’t fit the criminal profile,” noting that he was well-educated, “but you are a criminal.”
Tomi Engdahl says:
John Ribeiro / ITworld.com:
Uber revises privacy policy, asks for users’ permission to track location when app is running in background and to access contacts
Uber revises privacy policy, wants more data from users
http://www.itworld.com/article/2928515/security/uber-revises-privacy-policy-wants-more-data-from-users.html
Uber Technologies is revising its privacy policy to allow it to access a rider’s location when its smartphone app is running in the background, and to send special offers to users’ friends and family.
The company has faced criticism in the past over how it handles sensitive information, particularly over its so-called ”God view” tool that apparently lets some Uber employees track the location of customers that have requested car service.
Under the proposed privacy statements, Uber will use its app to collect the precise location of the user’s device when the app is running in the foreground or background, if the app is allowed to access location services through permissions in the mobile OS. The company may also arrive at the approximate location of the user from his IP address.
The company needs these permissions to be able to offer newer services and features, such as ordering food through UberEATs, Tassi said.
The company retains permission to hand over customer data to third parties like vendors, marketing partners and law enforcement officials under certain circumstances.
Tomi Engdahl says:
Andy / TorrentFreak:
Hola sells bandwidth and computing resources of idle user machines that make up its free VPN service, used in one case to mount a DDoS attack on 8chan — Hola VPN Sells Users’ Bandwidth, Founder Confirms — Faced with increasing local website censorship and Internet services …
Hola VPN Sells Users’ Bandwidth, Founder Confirms
By Andy on May 28, 2015
http://torrentfreak.com/hola-vpn-sells-users-bandwidth-150528/
The operator of 8chan says the bandwidth of millions of Hola users is being sold for reuse, with some of it even being used to attack his site. Speaking with TorrentFreak, Hola founder Ofer Vilenski says that users’ idle resources are indeed utilized for commercial sale, but that has been the agreement all along.
Faced with increasing local website censorship and Internet services that restrict access depending on where a user is based, more and more people are turning to specialist services designed to overcome such limitations.
With prices plummeting to just a few dollars a month in recent years, VPNs are now within the budgets of most people. However, there are always those who prefer to get such services for free, without giving much consideration to how that might be economically viable.
One of the most popular free VPN/geo-unblocking solutions on the planet is operated by Israel-based Hola. It can be added to most popular browsers in seconds and has an impressive seven million users on Chrome alone. Overall the company boasts 46 million users of its service.
“When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this,” Brennan says.
Speaking with TorrentFreak, Hola founder Ofer Vilenski says that his company offers two tiers of service – the free option (which sees traffic routed between Hola users) and a premium service, which operates like a traditional VPN.
However, Brennan says that Hola goes a step further, by selling Hola users’ bandwidth to another company.
And this is how it works.
Hola generates revenue by selling a premium service to customers through its Luminati brand. The resources and bandwidth for the Luminati product are provided by Hola users’ computers when they are sitting idle. In basic terms, Hola users get their service for free as long as they’re prepared to let Hola hand their resources to Luminati for resale. Any users who don’t want this to happen can buy Hola for $5 per month.
Tomi Engdahl says:
U.N. report: Encryption is important to human rights — and backdoors undermine it
http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/28/un-report-encryption-is-important-to-human-rights-and-backdoors-undermine-it/
A new report from the United Nation’s Office of the High Commissioner for Human Rights says digital security and privacy are essential to maintaining freedom of opinion and expression around the world — and warns that efforts to weaken security tools in some countries may undermine it everywhere.
Now, some U.S. law enforcement officials are pushing to have tech companies build ways for the government to access secure content passing through their products — so-called “backdoors.”
FBI Director James Comey and NSA chief Adm. Michael Rogers have said that the growth in encryption use could make it harder to track criminals — and argued that the government should require companies to build ways for law enforcement to access encrypted content.
If the United States goes through with policies that mandate backdoors for law enforcement, it could encourage other nations with poor human rights records to push for similar concessions
Tomi Engdahl says:
Robert Graham / Errata Security:
Proposed Wassenaar export restrictions on cyberweapons endanger security researchers, don’t make the world any safer
Some notes about Wassenaar
http://blog.erratasec.com/2015/05/some-notes-about-wassenaar.html#.VWnMMUbYHLA
What’s a Wassenaar?
The primary goal of the arrangement is anti-proliferation, stopping uranium enrichment and chemical weapons precursors. Another goal is to control conventional weapons, keeping them out of the hands of regimes that would use them against their own people, or to invade their neighbors.
Historically in cybersec, we’ve complained that Wassenaar classifies crypto as a munition. This allows the NSA to eavesdrop and decrypt messages in those countries. This does little to stop dictators from getting their hands on strong crypto, but does a lot to prevent dissidents in those countries from encrypting their messages. Perhaps more importantly, it requires us to jump through a lot of bureaucratic hoops to export computer products, because encryption is built-in to virtually everything.
What specific cyber-weapons is Wassenaar trying to restrict?
The arrangement added three categories of cyber-weapons.
The first is “intrusion malware”. The specific example is malware sold by FinFisher to governments like Bahrain, which has been found on laptops of Bahraini activists living in Washington D.C.
The second is “intrusion exploits”. These are tools, including what’s known as “0-days”, that exploit a bug or vulnerability in software in order to hack into a computer, usually without human intervention.
The third is “IP surveillance” products. These are tools, like those sold by Amesys, that monitor Internet backbones in a country, spy on citizens’ activities, and try to discover everyone activists/dissidents talk to.
Wassenaar includes both intrusion malware and intrusion exploits under the single designation “intrusion software”, but while they are both related, they are significantly different from each other. The BIS rules clarify this difference more.
Haven’t I heard about 0-days/zero-days before?
The bulk of cyber-security research is into vulnerabilities, which are software bugs that hackers can exploit in order to break into computers. Over the last 15 years, the relentless pursuit of these vulnerabilities has made computers dramatically safer.
When such bugs are first discovered, before anybody else knows about them, they are known as 0-days. Almost always, researchers give those 0-days to the appropriate company so that they can fix the bug.
Sometimes, however, a researcher may sell the 0-day to the NSA, so that they can secretly hack into computers using a bug nobody knows about. Selling 0-days has been a big controversy in the community, especially since the Snowden affair.
It’s perfectly legal for American researchers to sell 0-days to the Chinese government instead of the NSA — which would presumably then use them to hack American computers. One goal of the Wassenaar agreement is to close this obvious loophole.
Isn’t stopping intrusion and surveillance software a good thing?
Maybe. Certainly companies like FinFisher and Amesys are evil, knowingly selling to corrupt governments that repress their people.
However, good and evil products are often indistinguishable from each other. The best way to secure your stuff is for you to attack yourself.
That means things like bug bounties that encourage people to find 0-days in your software, so that you can fix them before hackers (or the NSA) exploit them.
While Wassenaar targets evil products, they inadvertently catch the bulk of defensive products in their rules as well.
Here’s the thing, though: the cyberspace has no borders.
Normal arms control works because they are physical things. They require a huge industrial base to produce. Not only the weapons themselves, but the equipment and materials used to produce weapons can be tracked.
None of this argument applies to cyberspace. A single hacker working out of their mom’s basement can create the next devastating 0-day.
Isn’t there an exception for open-source?
Yes and no. Wassenaar explicitly exempts open-source code in theory. That means you can publish your code to GitHub knowing that corrupt governments will use it, without getting in trouble with the law.
However, there are situations where this doesn’t apply. When security researchers discover a 0-day, they typically write a proof-of-concept exploit, then present their findings at the next conference. That means they have unpublished code on their laptop, code that they may make public later, but which is not yet technically open-source. If they travel outside the country, they have technically violated both the letter and the spirit of the export restrictions, and can go to jail for 20 years and be forced to pay a $1 million fine.
Tomi Engdahl says:
Joseph Menn / Reuters:
Sources: US tried deploying Stuxnet-style virus against North Korea five years ago to destroy equipment, but the campaign failed — Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources — The United States tried to deploy a version of the Stuxnet computer virus …
Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources
http://www.reuters.com/article/2015/05/29/us-usa-northkorea-stuxnet-idUSKBN0OE2DM20150529
The United States tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons program five years ago but ultimately failed, according to people familiar with the covert campaign.
The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran’s nuclear program in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uranium. Reuters and others have reported that the Iran attack was a joint effort by U.S. and Israeli forces.
Tomi Engdahl says:
Alan Yuhas / Guardian:
In protest of NSA surveillance laws, more than 10K websites redirect visitors from congressional IP addresses to blackoutcongress.org
More than 10,000 websites ‘blackout’ Congress in protest of NSA surveillance laws
http://www.theguardian.com/us-news/2015/may/29/congress-nsa-website-block-patriot-act
Fight for the Future provides code to block access from congressional IP addresses amid debate to re-authorize Patriot Act or pass USA Freedom Act
More than 10,000 websites blocked users from computers in Congress on Friday, in a demonstration against any possible re-authorization of NSA surveillance powers.
“This is a blackout,” read the site to which computers from congressional IP addresses were redirected. “We are blocking your access until you end mass surveillance laws.”
“Right now the code affects only visitors from Congress, we’re willing to keep it up,” said Holmes Wilson, a co-founder of Fight for the Future, the group which wrote the code and is leading the online protest.
The redirect site also includes semi-nude, sometimes explicit photos submitted by people, under the heading: “NSA spying makes me feel naked.”
Tomi Engdahl says:
Darrell Etherington / TechCrunch:
Google’s Project Vault Is A Secure Computing Environment On A Micro SD Card, For Any Platform
http://techcrunch.com/2015/05/29/googles-project-vault-is-a-secure-computing-environment-on-a-micro-sd-card-for-any-platform/#.b5imzi:5KwQ
Project Vault is a secure computer contained entirely on a micro SD sized device. Google’s ATAP said the micro SD format made sense because there’s already advanced security features on your phone, contained in the SIM card, which protects the things important to carriers. Vault is designed to be an equivalent, but designed to protect a user’s important content.
They went with the micro SD form factor so that they could have more data throughput to project video, and they wanted storage (Vault has 4GB of data storage on board) and they wanted modularity, so you could take it wherever you wanted.
Onboard the Vault itself is an ARM processor running ARTOS, a secure operating system focused on privacy and data security. It also has an NFC chip and an antenna (for proving that you are in control and that it’s correctly authorized). Finally, there’s a suite of cryptographic services, including hashing, signing, batch encryption and a hardware random number generator.
Vault provides two-factor auth in a way that’s easy enough for anyone to use, and developers don’t have to do anything to get stuff ready to work with it – the system sees it as a generic storage device with a standard file system.
Said file system includes just two files, one for read and one for write, that any app has to go through in order to communicate with Vault. This also means that it works with any operating system, including Android, Windows, OS X and Linux, since essentially it’s just a generic storage device to the host computer or phone.
Tomi Engdahl says:
Drew FitzGerald / Wall Street Journal:
Level 3 now blocking traffic to servers believed to be controlled by criminals, encouraging other carriers to adopt its more aggressive stance
Level 3 Tries to Waylay Hackers
Internet carrier takes to blocking traffic to servers believed controlled by criminal gangs
http://www.wsj.com/articles/level-3-tries-to-waylay-hackers-1432891803
Earlier this month, Brett Wentworth took Level 3 Communications Inc. into territory that most rivals have been reluctant to enter. The director of global security at the largest carrier of Internet traffic cut off data from reaching a group of servers in China that his company believed was involved in an active hacking attack.
The decision was reached after a broad internal review. The Broomfield, Colo., company is taking an aggressive—and some say risky approach—to battling criminal activity. Risky because hackers often hijack legitimate machines to do their dirty work, raising the risk of collateral damage by sidelining a business using the same group of servers. Such tactics also run against a widely held belief that large carriers should be facilitating traffic, not halting it. And carriers are reluctant to create the expectation that they will police the Internet.
Yet with attacks on the rise, Level 3 three years ago decided it is worth the risks. At a rate of about once every few weeks, the carrier is shutting down questionable traffic that doesn’t involve any of its clients. When the source of the trouble is hard to pinpoint, it often casts a wide net and intercepts traffic from large blocks of Internet addresses.
Recently, that meant stopping traffic from a powerful network of computer servers controlled by a group of hackers that security researchers dubbed SSHPsychos.
Level 3 is now opening up about its methods because it wants its fellow network operators to follow its example. The stance, if copied, could change Internet carriers’ traditionally passive approach to defending against attacks meant to overwhelm websites or steal vast amounts of credit card data such as have plagued U.S. retailers for the past two years.
Other large Internet carriers remain wary of playing Internet cop.
What may appear as a flood of Internet traffic designed to cripple a company’s Web servers might actually be an unexpectedly busy day for a retailer, said AT&T Chief Security Officer Ed Amoroso. The telecom giant focuses on attacks that target its own network or the systems of its customers and intrudes on third-party traffic only after careful discussion with its legal team.
“We have to be careful, and the carrier industry has to be very careful not to go pushing buttons,” Mr. Amoroso said. “You’re never 100% sure of these things.”
Level 3 carries traffic to or from about 40% of all Internet addresses, far more than any other network
The company hunts for hackers by combing through security blog posts and email advisories to get a handle on possible threats. Its software scans more than 45 billion detailed routing logs a day for signs of malicious activity before deciding to act, according to Dale Drew, Level 3’s chief security officer.
“Everyone rationalizes why they shouldn’t do anything,” he said. “We’re experimenting with it to see how aggressive we could be.”
Tomi Engdahl says:
Guardian:
Senate advances USA Freedom Act, but vote on bill likely won’t come for several days, causing temporary shutdown of some Patriot Act powers — Patriot Act powers to lapse at midnight as Senate fails to agree on NSA reform — Surveillance hawks concede defeat as Rand Paul forces shutdown …
NSA programme: Bush-era powers expire as US prepares to roll back surveillance
http://www.theguardian.com/us-news/2015/may/31/nsa-reform-senate-deal-as-patriot-act
Sweeping intelligence capabilities exposed by Edward Snowden shut down as hawks concede defeat on first major surveillance reform in a generation
Sweeping US surveillance powers, enjoyed by the National Security Agency since the aftermath of the 2001 terrorist attacks, are to shut down at midnight on Monday after a dramatic Senate showdown in which even the NSA’s biggest supporters conceded that substantial reforms were inevitable.
Tomi Engdahl says:
Android Bitcoin wallet Blockchain was briefly borked
Non-random Bitcoin user gets $8k worth of bug-addressed freebies
http://www.theregister.co.uk/2015/06/01/blockchain_app_shows_how_not_to_code/
In “rare circumstances”, the Android Bitcoin wallet Blockchain could prove a catastrophic failure for users, so its authors have rushed out an update.
According to the app’s advisory, the bug affected a mere “handful” of users, with one report noting that the bug ended up with one lucky Bitcoin account holder being sent 34 bitcoins – around US$8,000 worth.
The problem is that Blockchain’s authors didn’t notice when their random number generator of choice, random.org, switched over to HTTPS for better security, and started returning a 301 error (moved permanently) to apps asking for a random number.
Instead of giving users an error, Blockchain used the number 301 to generate the private key corresponding to address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F (the lucky recipient of the stray Bitcoin).
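As an added example (not Blockchain’s code; the HTTP responses are constructed stand-ins, not real captures), the same failure in Python beside the checks that would have caught it: validate the reply before trusting it, and never let a remote source be the only source of key material.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpResponse:
    """Minimal stand-in for an HTTP client response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed responses, not real captures. The first mimics what a plain-HTTP
# request receives once the service has moved to HTTPS; the second mimics a
# successful reply carrying 32 bytes of hex-encoded randomness.
REDIRECT_RESPONSE = HttpResponse(
    status=301,
    headers={"Location": "https://example.invalid/random", "Content-Type": "text/html"},
    body=b"301 Moved Permanently",
)
GOOD_RESPONSE = HttpResponse(
    status=200,
    headers={"Content-Type": "text/plain"},
    body=b"0123456789abcdef" * 4,
)


def naive_private_key(resp: HttpResponse) -> str:
    """The failure mode described in the post: the first token of whatever came
    back is treated as the random value and hashed into the private key.
    On a redirect that token is the status code "301"."""
    seed = resp.body.decode("ascii", errors="ignore").split()[0]
    return hashlib.sha256(seed.encode("ascii")).hexdigest()


class EntropyError(Exception):
    """Raised when a remote randomness reply fails validation."""


def checked_remote_entropy(resp: HttpResponse, want_bytes: int = 32) -> bytes:
    """Validate a remote reply before trusting a single byte of it:
    status, content type, encoding and length all have to be right."""
    if resp.status != 200:
        raise EntropyError(f"unexpected HTTP status {resp.status}")
    ctype = resp.headers.get("Content-Type", "")
    if not ctype.startswith("text/plain"):
        raise EntropyError(f"unexpected Content-Type {ctype!r}")
    try:
        raw = bytes.fromhex(resp.body.strip().decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise EntropyError("body is not hex-encoded randomness") from exc
    if len(raw) < want_bytes:
        raise EntropyError(f"only {len(raw)} bytes, wanted {want_bytes}")
    return raw[:want_bytes]


def hardened_private_key(resp: HttpResponse) -> str:
    """Key material comes from the OS CSPRNG; the remote reply, if it validates,
    is only mixed in as a supplement. A bad reply therefore degrades to a key
    that is still unpredictable instead of one derived from "301"."""
    local = os.urandom(32)
    try:
        remote = checked_remote_entropy(resp)
    except EntropyError:
        remote = b""  # a real wallet should also log and alert on this
    return hashlib.sha256(local + remote).hexdigest()


def derived_from_status_code(key_hex: str) -> Optional[int]:
    """Audit check for keys you generated: does this key fall into the tiny
    seed space an unchecked HTTP status code would produce? Returns the
    matching code, or None when the key is not from that space."""
    for code in range(100, 600):
        if hashlib.sha256(str(code).encode("ascii")).hexdigest() == key_hex:
            return code
    return None
```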
Tomi Engdahl says:
Mac bug makes rootkit injection as easy as falling asleep
Apple hacker reveals cracker 0day rootkit whacker
http://www.theregister.co.uk/2015/06/01/apple_suspend_bug_0day/
Respected Apple hacker Pedro Vilaça has uncovered a low-level zero day vulnerability in Mac computers that allows privileged users to more easily install EFI rootkits.
Vilaça says the attack, first thought to be an extension of previous research rather than a separate zero day, took advantage of unlocked flash protections when machines go into sleep mode.
“Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle,” Vilaça says in a post.
“It means that you can overwrite the contents of your BIOS from userland a rootkit EFI without any other tricks other than a suspend-resume cycle, a kernel extension, flashrom, and root access.
Tomi Engdahl says:
Security News This Week: If the Patriot Act Expires It Won’t Spell Doom
http://www.wired.com/2015/05/security-news-this-week-may-29/
So many hacks, so few days in the week to write alarming stories about every one.
The biggest security news this week actually wasn’t about a hack at all. Silk Road creator Ross Ulbricht got a sentence of life in prison without the possibility of parole. The US reportedly tried to use a Stuxnet-like worm against the nuclear program of North Korea, but failed. And perhaps the biggest story of the week is as-yet unresolved: tomorrow, the Senate will meet in a special session to vote on extending certain provisions of the Patriot Act, which are set to expire on Monday. The outcome of that vote will have massive repercussions on the NSA’s ability to surveil us.
Now You Can Creepily Stalk Your Facebook Friends’ Locations
Oh, great. As if Facebook wasn’t creepy enough, Harvard computer science and mathematics student Aran Khanna created a Chrome extension to help users stalk their friends. Called Marauders Map [sic], the extension scrapes users’ location data and plots it on a map. Location data is stunningly precise
Your SmartPhone And Fitness Tracker Can Also Out Your Location
You probably realize that the Bluetooth Low Energy signals sent out by your devices are constantly transmitting data. Researchers at Context Information Security found that they can also be used to track your location up to 100 meters in open air or 800 meters (about a half mile) with a high-gain antenna.
Security breaches lead to millions of dollars in damages to big businesses, and the South African security firm Thinkst may have solution. Canary, its network appliance coupled with an online monitoring system, lures hackers with a juicy honeypot, and then alerts companies to their intrusion. It’s not foolproof, since sophisticated intruders may avoid the honeypots
Controversial TISA Treaty Leaked
TISA is a trade agreement secretly making rules for the internet, and is in danger of passing under legislative Fast Track. TISA, which focuses on services rather than goods
IfThePatriotActExpires: Prepare For The Pending Apocalypse
Three provisions under Section 215 of the Patriot Act are set to expire on June 1, and the doomsday predictions have filled newspaper pages all week. According to Senator Lindsey Graham, “anybody who neuters the program is going to be partially responsible for the next attack.” This in spite of the fact that the program is unconstitutional, has been largely ineffective, and “would provide the illusion of triumph even while leaving much of the machinery of surveillance intact,”
Hola VPN Turns Users Into Exit Nodes
If you’ve ever used the free version of the Israeli-based VPN Hola, your bandwidth has been sold to Luminati VPN Network, and it’s even possible that your computer has been used in illegal or abusive activity.
Tomi Engdahl says:
A number of serious vulnerabilities have been found in the peer-based Hola! VPN application and its associated browser plug-in. No update is available for the vulnerabilities.
Through the vulnerabilities in the Hola! VPN software and browser plug-in, it is possible to gain complete control of the user’s machine in several different ways.
Hola! VPN’s terms of service for the free version allow the service provider to use the users’ network resources free of charge and to resell the resulting throughput.
Source: https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-045.html
Tomi Engdahl says:
Tor Connections To Hidden Services Could Be Easy To De-Anonymize
http://tech.slashdot.org/story/15/06/01/0311214/tor-connections-to-hidden-services-could-be-easy-to-de-anonymize
Identifying users who access Tor hidden services — websites that are only accessible inside the Tor anonymity network — is easier than de-anonymizing users who use Tor to access regular Internet websites.
That’s because the addresses of the Hidden Service Directories (HSDirs) used to index those Tor-network-only sites, though shuffled daily, can be predicted (and hijacked) with cheap brute-force techniques.
Tor connections to hidden services could be easy to de-anonymize
It’s safer to access Internet websites over Tor than hidden services, researchers said
http://www.computerworld.com.au/article/576210/tor-connections-hidden-services-could-easy-de-anonymize/
Tomi Engdahl says:
A Private Social Network for Cell Phones
Users can share information, but the network only sees encrypted data.
http://www.technologyreview.com/news/419503/a-private-social-network-for-cell-phones/
Researchers at Microsoft have developed mobile social networking software that lets users share personal information with friends but not the network itself.
“When you share a photo or other information with a friend on [a site like] Flickr, their servers are also able to read that information,” explains Iqbal Mohomed, a researcher at Microsoft Research Silicon Valley, who developed the new network, called Contrail, with several colleagues. “With Contrail, the central location doesn’t ever know my information, or what particular users care about–it just sees encrypted stuff to pass on.”
Tomi Engdahl says:
Cybersecurity and the Tylenol Murders
https://www.eff.org/deeplinks/2015/05/cybersecurity-and-tylenol-murders
When a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. The company focused on fixing weak points in their supply chain so that users could be sure that no one had interfered with the product before they purchased it.
This story is taught in business schools as an example of how a company chose to be proactive to protect its users. The FDA also passed regulations requiring increased security and Congress ultimately passed an anti-tampering law.
This story springs to mind today as Congress considers the latest cybersecurity and data breach bills. To folks who understand computer security and networks, it’s plain that the key problems are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson’s supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and “poison” our information.
So if we were to approach this as a safety problem, the way forward is clear: We need better incentives for companies who store our data to keep it secure. In fact, there is broad agreement that we can easily raise the bar against cyberthieves and spies. Known vulnerabilities frequently go unpatched.
Yet none of the proposals now in Congress are aimed at actually increasing the safety of our data. Instead, the focus is on “information sharing,” a euphemism for more surveillance of users and networks.
But that’s not all. Not only is Congress failing to address the need for increased computer and network security, key parts of the government are working to undermine our safety. The FBI continues to demonize strong cryptography, trying instead to sell the public on “technologically stupid” strategy that will make us all less safe. Equally outrageous, the recent Logjam vulnerabilities show that the NSA has been spending billions of our tax dollars to exploit weaknesses in our computer security—weaknesses caused by the government’s own ill-advised regulation of cryptography in the 1990s—rather than helping us strengthen our systems.
But how can we create stronger incentives for companies to protect our data?
If Congress wants to help, it has a big tool box, starting with its own government purchasing power
Congress can also endorse strong encryption and take steps ranging from setting funding priorities
Additionally, though, we need to ensure that companies to whom we entrust our data have clear, enforceable obligations to keep it safe from bad guys.
Products liability law makes the company responsible for the harm that comes to us due to the behavior of others if safer designs are available, and the attack was foreseeable.
Online services do have some baseline responsibility under negligence standards, as well as a few other legal doctrines, and those were relied upon in the cases against Target, Home Depot, the Gap, and Zappos. Yet so far those standards have been interpreted by the courts to put a very low burden on companies and a very high burden on those harmed. On their own, companies have largely failed to develop shared, strong standards for what is “reasonable” security, and Congress hasn’t forced them to, leaving the courts with little to point to when trying to hold companies to account.
Another problem is that the law hasn’t figured out a good way to recognize the harms suffered due to poor cybersecurity, which means that the threat of a lawsuit over a cybersecurity breach isn’t nearly as powerful as it might be in a situation involving, say, insecure cars or pain relievers.
Congress (or state legislatures) could step in on any one of these topics to encourage real security for users—by creating incentives for greater security, a greater downside for companies that fail to do so, and by rewarding those companies who make the effort to develop stronger security.
Yet none of these options are even part of the legislative debate; they often aren’t even mentioned. Instead the proposed laws go the other way—giving companies immunity if they create more risk with your data by “sharing” it with the government, where it could still be hacked. “Information sharing” is focused on forensics—finding who did it and how after the fact—rather than on protecting computer users in the first place.
Tomi Engdahl says:
The security problems of future scenarios are no longer solved by MDM (Mobile Device Management) software or by guaranteeing end-user security.
The Internet of Things and the countless interconnected devices it brings make security even more complicated, says Christian Reilly, Chief Technology Officer of the IT company Citrix.
“Information security solutions are not changing, at least not toward simpler ones. No one should pretend that the problems can be overcome only by securing the endpoints. IoT may lead to a war that cannot be won,”
The Citrix CTO believes that even the security of the staff’s own portable devices is a trivial matter compared to the risk of the Internet.
“The sheer number of interconnected devices is beyond anything previously experienced. And together, these devices produce a huge amount of data,” says Reilly.
According to forecasts, the IoT may comprise up to 50 billion units by the end of the decade.
In his opinion, one must reflect on whether to attempt to secure all the equipment and network connections, or only the ones that really matter, the British Cloudpro writes.
Source: http://www.tivi.fi/CIO/2015-06-02/IoT-nostaa-turvauhat-ennenn%C3%A4kem%C3%A4tt%C3%B6m%C3%A4lle-tasolle-3321950.html
Tomi Engdahl says:
Citrix: endpoint security is not enough to protect business data
http://www.cloudpro.co.uk/cloud-essentials/cloud-security/5078/citrix-endpoint-security-is-not-enough-to-protect-business-data
Companies need to take a more holistic approach to security than just MDM, says Citrix
Mobile device management (MDM) and endpoint security are no longer enough to secure workplace IT, Citrix has claimed.
“[Security] is not getting any less complex and let’s not pretend that we are going to win security by securing the device, because by a large portion that is an unwinnable war.”
Reilly also pointed out that the proliferation of devices now goes far beyond the bring your own device (BYOD) trend, thanks to the Internet of Things (IoT).
“The sheer number of devices we’re going to see connected on these networks is going to surpass anything we have ever seen before … and all these devices are going to chuck out tonnes and tonnes of data,” said Reilly.
“Typical security has been based around user interaction.”
“The question is do you try and secure them all, or do you just try and secure what really matters?”
From a Citrix point of view, there are three ways to approach the problem of the changing threat and security landscape: focusing on data rather than devices, using a multi-faceted approach to security, and virtualisation.
Geir Ramleth, chief strategy officer, said in the second day keynote: “[We] want to start keeping the data back where I can control the data, in the data centres. So we do virtualisation. And then if we then have to move it to other devices, we want to containerise it.”
“Now we need different forms of security models to deal with that. You have to tie this down. The model I use is ‘DDRR’: Deter, Detect, Respond and Remediate. We can’t plan what happens to us, but we can plan how we deal with it and that’s where you have to go,” said Ramleth.
“This is a scary world we live in … and that is not going to get any less complicated as we move forward with where technology is going.”
Tomi Engdahl says:
The data security company F-Secure is acquiring the Danish security company nSense. The purchase price is EUR 15 million, in addition to which three million is tied to performance targets.
Privately held nSense offers security services, consulting services and vulnerability assessment services for large companies. nSense specializes in financial and banking solutions for large enterprises, among other services.
Nixu, listed on the Helsinki First North, is among nSense’s competitors.
“nSense’s products and services will help us to expand into new areas and to strengthen our ability to meet the needs of large enterprises, particularly in the detection and prevention of attacks. Merging our expertise will allow us to develop new software for the cybersecurity needs of our customers now and in the future,” F-Secure CEO Christian Fredrikson says in the release.
Source: http://www.arvopaperi.fi/uutisarkisto/fsecure+ostaa+nsensen/a1065742
Tomi Engdahl says:
IT-savvy US congressmen to Feds: End your crypto-backdoor crusade
Bad actors will like bad ideas
http://www.theregister.co.uk/2015/06/02/itsavvy_congressmen_to_feds_can_your_cryptobackdoor_campaign/
US Congress’ only Comp. Sci. majors are trying to convince the head of the FBI that there’s no such thing as a safe backdoor.
In yet another attempt to instil good sense in the Feds, Congressmen Will Hurd and Ted Lieu have written an open letter to FBI director James Comey trying to spike the latter’s enthusiasm for encryption-busting for law enforcement.
Last September, Comey fired the first shots in the new crypto-war, complaining that crypto stopped the FBI from collaring crims. With that encouragement from the US, UK prime minister David Cameron joined the ban-crypto camp.
That’s led the tech sector to fight back against a revival of the 1990s’ “crypto wars”.
Hurd’s and Lieu’s letter says that imposing weak crypto on tech companies and their customers goes beyond asking companies for help fighting crime: “There is a difference between private companies assisting law enforcement and the government compelling companies to weaken their products to make investigations easier”.
Second, they make the hard-to-argue point that any backdoor “can be exploited by bad actors such as criminals, spies and those engaged in economic espionage.”
They continue that “computer code and encryption algorithms are neutral and have no idea if they are being accessed by an FBI agent, a terrorist or a hacker”, something that hasn’t been addressed in oversight hearings on the issue.
Tomi Engdahl says:
Hola! TV geo-block botters open bug bounties
Bot shop’s security chop shot
http://www.theregister.co.uk/2015/06/02/hola_tv_geoblock_botters_open_bug_bounties/
Smarting from a barrage of criticism for botting its customers, VPN service Hola is hoping a bug bounty program will restore its security credentials.
The VPN service was caught turning its 9.7 million users into Luminati exit-nodes. It advertised this service as using customers who downloaded Luminati’s TV geo-block smasher program as “Super Proxies” who were used to route requests.
Hola chief executive officer Ofer Vilenski says as part of wider security upgrades, the company will invite hackers to report vulnerabilities in its service allowing it to sling patches and harden the platform.
“We have changed our site and product installation flows to make it crystal clear that Hola is P2P (peer to peer), and that you are sharing your resources with others,” Vilenski says.
Tomi Engdahl says:
“The cyber security services market is still searching for its shape. In motion is a very heterogeneous set of actors who are pondering whether they are product companies or consulting houses,”
“It will be interesting to see what finally turns out to be the right strategy for security companies, and whether they have a clear advantage from carrying out a service business in addition to the product business,”
Source: http://www.tivi.fi/Kaikki_uutiset/2015-06-02/F-Secure-valitsi-tanskalaisen—miksi-ei-suomalaista-3322030.html
Tomi Engdahl says:
Facebook Now Supports PGP To Send You Encrypted Emails
http://tech.slashdot.org/story/15/06/02/0231218/facebook-now-supports-pgp-to-send-you-encrypted-emails
You can now have Facebook encrypt email it sends to you by adding your PGP key to your profile. The PGP feature is “experimental” and will be rolled out slowly.
Facebook Now Supports PGP To Send You Encrypted Emails
http://techcrunch.com/2015/06/01/facebook-now-supports-pgp-to-send-you-encrypted-emails/
You can now instruct Facebook to encrypt every email it sends to you so nobody — not even the NSA — is likely to be able to read your messages anytime soon. All you have to do is import your public PGP key into your Facebook settings and you’re good to go.
The problem here, of course, is that most people have no idea how public/private key email encryption works and how to even get started with it. In the wake of Edward Snowden’s leaks, a number of organizations, including Google, promised to completely hide the complexities of end-to-end email encryption from regular users. Very few of these products have materialized so far, however — not for lack of trying, but because this is actually a very complex problem, both from a technical and user experience perspective.
Facebook uses the well-established PGP scheme
It’s still by no means a completely trivial procedure, and you still need to have a basic understanding of what you are doing.
Tomi Engdahl says:
Ransomware Creator Apologizes For “Sleeper” Attack, Releases Decryption Keys
http://it.slashdot.org/story/15/06/01/209224/ransomware-creator-apologizes-for-sleeper-attack-releases-decryption-keys
Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a “sleeper” campaign that, when the malware’s creator “woke it up,” encrypted the infected devices’ files and charged roughly $24 in exchange for the decryption keys. This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today.
However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88)
Ransomware creator apologizes for ‘sleeper’ attack, releases decryption keys
http://www.networkworld.com/article/2929492/security0/ransomware-creator-apologizes-for-sleeper-attack-releases-decryption-keys.html
Criminal with a soft spot relents on successful Locker ransomware campaign and offers free decryption for victims. Refunds don’t appear to be coming, however.
Speculating as to why the malware’s creator would suddenly put an end what could have been a successful scam, Sjouwerman suggests he or she may have become concerned about attracting unwanted attention from either law enforcement or organized crime. Many ransomware campaigns have origins in organized criminal outfits, often in Eastern Europe, Sjouwerman says.
“What we can assume is that he is a talented coder but not an experienced cybercriminal, because a foul-up like this would never have happened with professional Eastern European organized cybercrime,” Sjouwerman says. “He may have worked as a developer for one of these gangs and decided to start his own outfit, which backfired.”
Tomi Engdahl says:
Craig Timberg / Washington Post:
The vulnerable Border Gateway protocol, a quick-fix solution from 1989, still directs most internet traffic
The long life of a quick ‘fix’
Internet protocol from 1989 leaves data vulnerable to hijackers
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
The “three-napkins protocol,” as its inventors jokingly dubbed it, would soon revolutionize the Internet. And though there were lingering issues, the engineers saw their creation as a “hack” or “kludge,” slang for a short-term fix to be replaced as soon as a better alternative arrived.
That was 1989.
More than a quarter-century later — a span that has seen the fall of the Berlin Wall, the rise of the smartphone and an explosion of hacking — the “three-napkins protocol” still directs most long-haul traffic on the global network despite years of increasingly strenuous warnings about critical security problems. The three-napkins protocol has become the kludge that never died.
“Short-term solutions tend to stay with us for a very long time. And long-term solutions tend to never happen,” said Yakov Rekhter, one of the engineers who invented the “three-napkins protocol.” “That’s what I learned from this experience.”
The Internet can appear as elegantly designed as a race car as it immerses us in consuming worlds of sight and sound. But it’s closer to an assemblage of kludges — more Frankenstein than Ferrari — that endure because they work, or at least work well enough.
The consequences play out across cyberspace every second of every day, as hackers exploit old, poorly protected systems to scam, steal and spy on a scale never before possible. The flaws they exploit often are well-known and ancient in technological terms, surviving only because of an industry-wide penchant for patching over problems rather than replacing the rot.
“You’re in Hackerville here on the Internet. Period,”
At its most basic level, BGP helps routers decide how to send giant flows of data across the vast mesh of connections that make up the Internet. With infinite numbers of possible paths — some slow and meandering, others quick and direct — BGP gives routers the information they need to pick one, even though there is no overall map of the Internet and no authority charged with directing its traffic.
The creation of BGP, which relies on individual networks continuously sharing information about available data links, helped the Internet continue its growth into a worldwide network. But BGP also allows huge swaths of data to be “hijacked” by almost anyone with the necessary skills and access.
The main reason is that BGP, like many key systems on the Internet, is built to automatically trust users — something that may work on smaller networks but leaves a global one ripe for attack.
Hijackings have become routine events that even experts struggle to explain
Warnings about the risks inherent in BGP are almost as old as the protocol itself.
security “wasn’t even on the table” when he sat down with his soft-spoken co-inventor, Kirk Lougheed, for lunch during an engineering conference in January 1989.
This was an era when hacks were rare and the toll modest.
The big issue of the day was the possibility that the Internet might break down. A halt in its furious expansion would have hurt the network’s users and the profits of companies supplying gear and services.
“When Yakov and I showed up with a solution and it seemed to work, people were quite willing to accept it because they didn’t have anything else.”
There were other efforts underway to build routing protocols. BGP won out because it was simple, solved the problem at hand and proved versatile enough to keep data flowing as the Internet doubled in size, again and again and again. Networks across the world embraced the protocol, giving it an edge it has never relinquished.
“Everybody was just so knee-deep in alligators that they just needed to get something together quickly,” said Noel Chiappa, a retired networking researcher. “They didn’t have the time to look long-term.”
The problem: There is no map. Routers using BGP make routing decisions based on information provided by their neighbors in cyberspace, which in turn gather information from their neighbors in cyberspace, and so on. This works well so long as the information — contained in messages called BGP “advertisements” — is accurate.
Any false information can spread almost instantly across the Internet because there is no way to check the honesty, or even the identity, of those making the advertisements.
Such an obvious problem, Lougheed said, would never be tolerated in today’s more security-conscious world. “If somebody comes up with a design that doesn’t anticipate deception, they get beat up and sent back to the drawing board,” he said.
Whether the cause is intentional deception or an accident, the results are the same: Internet traffic gets diverted, often by thousands of miles. Sometimes it eventually finds its way to the proper destination, causing only delays in transmission. Sometimes the data gets stolen by hackers. Sometimes it just disappears altogether into cyberspace.
Rekhter and others continued improving BGP, implementing the final version of the protocol in 1994. Hijackings of data already had begun, making clear the need for a more secure alternative, but years of work failed to produce one that could supplant BGP.
“All these proposals have died on the vine,”
‘No one was buying’
Industry skepticism was rooted in the idea that security was a bad bet for business. Nobody liked to get hacked, but companies were not legally liable for the damages. Protective measures, meanwhile, carried costs that few wanted to pay, such as limited features, slowed performance or higher sticker prices for gear and software.
Companies that experimented with products that had extra security features, such as built-in encryption, found little interest from consumers who had cheaper, easier alternatives available, said Robert Metcalfe, founder of 3Com, a former networking hardware maker.
“No one would buy the secure versions,” Metcalfe said. “We built it, and we tried to sell it, and no one was buying.”
The pace of action on fixing BGP picked up after the April 2010 incident involving U.S. military traffic flowing through Beijing. A major push has come from the Department of Homeland Security, which has spent $8 million over the past four years on efforts to develop and deploy secure BGP technology.
The first step toward better BGP security has been a new system of secure cryptographic keys for networks, allowing them to authenticate their identities in cyberspace and make clear what networks they ordinarily handle traffic for.
But getting network operators to participate is proving difficult. Many already employ filters that limit exposure to false BGP messages. That approach offers only partial protection, but it’s easier than using cryptographic keys. Many network operators also are cool to taking the further step of adopting a secure new routing protocol called BGPSEC to replace BGP.
That decentralized way of making decisions, which is more essential to the Internet than any single protocol, also means security improvements require many individual actions by networks, site operators and users. Each must weigh the value of a change, then proceed. Or not.
“There is a cost associated with doing security. And the question is: Who is going to pay the price?”
Lougheed, too, is a skeptic. “If lack of security becomes a significant cost to doing business, a lot of people will be interested in fixing the problem. At this point, people are just patching their way through it, keeping one step ahead of the bad guys.”
In Europe and the Middle East collectively, almost 9 percent of networks have taken the first step of acquiring cryptographic keys for identifying themselves in cyberspace.
North America and Africa are doing much worse, with less than 1 percent.
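The route-selection and origin-validation behaviour described above, as an added example that is not part of the Washington Post article or the original comment: a toy router that does a longest-prefix match accepts a more-specific announcement from the wrong origin, while an RFC 6811 style origin check against a constructed table of Route Origin Authorizations (the “cryptographic keys for networks” the article refers to) classifies that announcement as invalid and drops it. The prefixes (RFC 5737) and AS numbers (RFC 5398) are documentation values constructed for the example.

```python
"""Toy model of BGP route selection with and without RPKI origin validation.

Added example (not from the Washington Post article or the original comment).
Prefixes come from the RFC 5737 documentation range and AS numbers from the
RFC 5398 documentation range; the announcements and ROAs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Announcement:
    """A BGP advertisement as seen by a router: a prefix and its claimed origin AS."""
    prefix: ipaddress.IPv4Network
    origin_asn: int  # rightmost AS in the AS_PATH; nothing in plain BGP proves it


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: `asn` may originate `prefix` up to `max_length`."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def validate_origin(ann: Announcement, roas: Iterable[Roa]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811).

    A ROA covers the announcement when the announced prefix is equal to or
    more specific than the ROA prefix.  If no ROA covers it, the prefix is
    simply unregistered ('not-found').  If at least one covering ROA names
    the same origin AS and permits this prefix length, it is 'valid';
    otherwise every covering ROA contradicts it and it is 'invalid'.
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == ann.origin_asn and ann.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def select_route(dest: str, announcements: Iterable[Announcement]) -> Optional[Announcement]:
    """Longest-prefix match: the most specific accepted announcement wins,
    regardless of who sent it.  This is why a bogus /25 beats a genuine /24."""
    addr = ipaddress.ip_address(dest)
    candidates = [a for a in announcements if addr in a.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda a: a.prefix.prefixlen)


def accept_announcements(announcements: Iterable[Announcement],
                         roas: Optional[Iterable[Roa]]) -> List[Announcement]:
    """Apply an 'invalid means reject' policy when a ROA table is available.
    'not-found' routes are kept, as operators commonly do during RPKI rollout."""
    if roas is None:  # no validation at all: trust every neighbour's advertisement
        return list(announcements)
    roa_list = list(roas)
    return [a for a in announcements if validate_origin(a, roa_list) != "invalid"]


def route_origin(dest: str, announcements: Iterable[Announcement],
                 roas: Optional[Iterable[Roa]] = None) -> Optional[int]:
    """Return the origin AS this router would forward traffic for `dest` towards."""
    route = select_route(dest, accept_announcements(announcements, roas))
    return None if route is None else route.origin_asn


# Constructed scenario: AS64496 legitimately originates 203.0.113.0/24 and has
# registered a ROA for it.  AS64511 announces a more-specific 203.0.113.0/25
# that it does not hold.  198.51.100.0/24 has no ROA at all.
LEGIT = Announcement(ipaddress.ip_network("203.0.113.0/24"), 64496)
BOGUS = Announcement(ipaddress.ip_network("203.0.113.0/25"), 64511)
UNREGISTERED = Announcement(ipaddress.ip_network("198.51.100.0/24"), 64497)
ROAS = [Roa(ipaddress.ip_network("203.0.113.0/24"), max_length=24, asn=64496)]
ANNOUNCEMENTS = [LEGIT, BOGUS, UNREGISTERED]


if __name__ == "__main__":
    victim = "203.0.113.10"
    print("without validation, traffic goes to AS", route_origin(victim, ANNOUNCEMENTS))
    print("with ROA filtering, traffic goes to AS", route_origin(victim, ANNOUNCEMENTS, ROAS))
    for ann in ANNOUNCEMENTS:
        print(ann.prefix, "from AS", ann.origin_asn, "->", validate_origin(ann, ROAS))
```

The filter only helps a network that has deployed it, which is the deployment problem the article describes: an operator that skips validation still forwards to the bogus /25.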
Tomi Engdahl says:
Adam Gross / Facebook Developers:
Facebook to remove support for SHA-1 certificate signatures Oct. 1, will require SHA-2
Moving to a More Secure Standard: Please Update your Apps To Support Certificates Signed with SHA-2
https://developers.facebook.com/blog/post/2015/06/02/SHA-2-Updates-Needed/
As part of our commitments to helping developers build secure apps and protecting the people who use Facebook, we’re updating our encryption requirements for Facebook-connected apps to reflect a new and more secure industry standard. As a result, apps that don’t support SHA-2 certificate signatures will no longer be able to connect to Facebook starting on October 1, 2015.
These changes are part of a broader shift in how browsers and web sites encrypt traffic to protect the contents of online communications. Typically, web browsers use a hash function to create a unique fingerprint for a chunk of data or a message.
For the past two decades, the SHA-1 standard has been the preferred choice across the Internet for calculating message fingerprints. But after identifying security weaknesses in SHA-1, the Certificate Authority and Browser Forum recently published new Baseline Requirements for SSL recommending that all certificate authorities transition away from SHA-1 based signatures, with a full sunset date of January 1, 2016.
We’ll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we’ll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.
Tomi Engdahl says:
Robin Sidel / Wall Street Journal:
Biggest MasterCard issuers reject $19M settlement with Target over hacked credit-card data
Biggest MasterCard Issuers Scuttled Deal on Target Data Breach
Citigroup, Capital One and J.P. Morgan Chase vetoed MasterCard’s deal with Target over hacked credit-card data
http://www.wsj.com/article_email/biggest-mastercard-issuers-scuttled-deal-on-target-data-breach-1433253072-lMyQjAxMTA1MDA0MjIwMjIyWj
News that the settlement didn’t obtain approval from enough banks was reported last month. The names of the big banks opposing the pact hadn’t previously been reported.
The three banks decided to quash the pact that was negotiated on the industry’s behalf by MasterCard because they thought it was too small to cover their losses in the incident, the people said.
As a result, the carefully negotiated pact is now in flux as other banks and credit unions hope that they can get a better deal in court
Target’s breach was one of the largest in recent years, exposing 40 million credit and debit cards to fraud and causing an unknown amount of losses to card-issuing banks.
Trade groups representing community banks and credit unions estimate that they have spent more than $350 million to reissue credit and debit cards and deal with other issues related to the Target breach and a subsequent hacking at Home Depot Inc.
Thieves made $9 billion of fraudulent transactions that were tied to existing card accounts last year
More recently, thieves have exposed card information from a string of well-known merchants, including Home Depot, Neiman Marcus Group Ltd., Staples Inc., Sears Holdings Corp.’s Kmart chain, International Dairy Queen Inc. and others.
Retailers are responding by installing technology at checkout counters that, combined with new cards embedded with computer chips, is designed to prevent thieves from creating counterfeit cards.
Tomi Engdahl says:
Matthew Panzarino / TechCrunch:
Tim Cook talks data encryption and criticizes competitors’ stances on customer privacy at Washington event
Apple’s Tim Cook Delivers Blistering Speech On Encryption, Privacy
http://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/#.7thvn3:B3Mp
Yesterday evening, Apple CEO Tim Cook was honored for ‘corporate leadership’ during EPIC’s Champions of Freedom event in Washington. Cook spoke remotely to the assembled audience on guarding customer privacy, ensuring security and protecting their right to encryption.
“Like many of you, we at Apple reject the idea that our customers should have to make tradeoffs between privacy and security,” Cook opened. “We can, and we must provide both in equal measure. We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”
This marked the first time that EPIC, a nonprofit research center in Washington focused on emerging privacy and civil liberties issues, has given the honor to a person from the business world.
The hosts of the event included cryptographer Bruce Schneier, EPIC president Marc Rotenberg, Lobbyist Hilary Rosen and Stanford Lecturer in Law Chip Pitts.
“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”
“We believe the customer should be in control of their own information. You might like these so-called free services, but we don’t think they’re worth having your email, your search history and now even your family photos data mined and sold off for god knows what advertising purpose. And we think some day, customers will see this for what it is.”
Cook then switched gears to talk about encryption — directly addressing the efforts by policy makers to force Apple to offer a ‘master key’ that would allow government agencies access to consumer devices.
“There’s another attack on our civil liberties that we see heating up every day — it’s the battle over encryption. Some in Washington are hoping to undermine the ability of ordinary citizens to encrypt their data,” said Cook.
“We think this is incredibly dangerous. We’ve been offering encryption tools in our products for years, and we’re going to stay on that path. We think it’s a critical feature for our customers who want to keep their data secure.”
“Removing encryption tools from our products altogether, as some in Washington would like us to do, would only hurt law-abiding citizens who rely on us to protect their data. The bad guys will still encrypt; it’s easy to do and readily available.”
Cook said that Apple designs its products to “collect the minimum amount of data necessary to create great experiences.”
“We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both,” Cook wrapped up. “Ultimately, protecting someone else’s data protects all of us.”
Tomi Engdahl says:
Senate Passes Major NSA Reform Bill
http://www.nationaljournal.com/tech/patriot-act-senate-vote-rand-paul-nsa-reform-mcconnell-freedom-act-20150602
The USA Freedom Act, which will restore but reform the expired Patriot Act’s spy authorities, earned final passage Tuesday and will be sent to the president.
June 2, 2015. After weeks of tense standoffs marked by the lapse of parts of the Patriot Act, the Senate on Tuesday easily passed comprehensive surveillance reform, ending a chapter of high-stakes brinkmanship on Capitol Hill that eventually concluded with lawmakers taking their first significant step away from the post-9/11 national security policies that have come to define two presidencies.
The Freedom Act’s passage is the crescendo of nearly two years of start-and-stop bipartisan, bicameral work to pull back the government’s post-9/11 surveillance powers that began shortly after the disclosures by former intelligence contractor Edward Snowden in June of 2013.
Most notably, the bill would end the NSA’s once-secret interpretation of Section 215 of the Patriot Act to justify its bulk collection of U.S. call metadata, the first and most controversial of the programs exposed by Snowden.
Tomi Engdahl says:
Peter Bright / Ars Technica:
Microsoft bringing SSH to Windows and PowerShell — Will contribute to OpenSSH to make it run well on Windows. — SSH, or secure shell, is the mainstay of remote access and administration in the Linux world, and the lack of any straightforward equivalent has always been an awkward feature of the Windows world.
Microsoft bringing SSH to Windows and PowerShell
Will contribute to OpenSSH to make it run well on Windows
http://arstechnica.com/information-technology/2015/06/microsoft-bringing-ssh-to-windows-and-powershell/
SSH, or secure shell, is the mainstay of remote access and administration in the Linux world, and the lack of any straightforward equivalent has always been an awkward feature of the Windows world. While there are various third-party options, Windows lacks both a native SSH client, for connecting to Linux machines, and an SSH server, to support inbound connections from Linux machines.
The PowerShell team announced that this is going to change: Microsoft is going to work with and contribute to OpenSSH, the de facto standard SSH implementation in the Unix world, to bring its SSH client and server to Windows.
PowerShell is in some ways an obvious group to do such work; while PowerShell is arguably stronger as a scripting language than it is an interactive shell, it’s nonetheless Microsoft’s preferred tool for command-line Windows management and administration. The ability to connect securely to a Windows machine from a Linux one to use a PowerShell shell is a logical extension of PowerShell’s capabilities.
Even with a native SSH server, Windows still won’t be as good a platform for remote command-line management as Unix
Tomi Engdahl says:
IRS failed to address computer security weaknesses, making attack on 104,000 taxpayers more likely, watchdog says
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/02/irs-has-not-done-everything-it-can-to-protect-its-computer-networks-from-hackers-watchdog-says/
A government watchdog told lawmakers Tuesday that the Internal Revenue Service has failed to put in place dozens of security upgrades to fight cyberattacks, improvements he said would have made it “much more difficult” for hackers to gain access to the personal information of 104,000 taxpayers in the spring.
“It would have been much more difficult if they had implemented all of the recommendations we made,”
George and IRS Commissioner John Koskinen also said the thieves are operating a worldwide criminal syndicate that originates not just in Russia but in many other countries.
“They cross geographic boundaries and cooperate when it’s in their interest.”
The committee is examining the increasing security risks faced by the IRS, which revealed last week that thieves hacked into a system called “Get Transcript,” clearing a security screen that requires users to know the taxpayer’s Social Security number, date of birth, address and tax filing status. The criminals were able to use the information to submit fraudulent tax returns. About 13,000 of these fraudulent returns were processed this tax season, costing the IRS about $39 million, Koskinen said.
Internet security for the IRS has been the inspector general’s top concern since 2011.
“We also found that the IRS is not monitoring a significant percentage of its [computer] servers, which puts data at risk,” George said. “They need to be even more vigilant to protect the confidentiality of their data.”
“What worked yesterday, what worked a year ago, may not work again today,”
Budget cuts have been an obstacle to security upgrades, Koskinen said.
Koskinen also said he has been unable to hire top IT talent to replace outgoing staff, since the federal hiring process is cumbersome and the government pays less than the private sector.
Several senators acknowledged, though, that they are not optimistic that the IRS will be able to win the race against identity theft.
“The money stolen in the cybercrime wave could end up in war zones,” he said. “It could be used to fund acts of terror without being traced.”
Said George of the increase in cyberattacks: “This is a federal, state, local, global problem. I don’t see it ending anytime soon.”
Tomi Engdahl says:
Holy SSH-it! Microsoft promises secure logins for Windows PowerShell
Now that the door has hit Ballmer on the way out, OpenSSH support is go
http://www.theregister.co.uk/2015/06/02/openssh_windows/
Microsoft has finally decided to add support for SSH to PowerShell, allowing people to log into Windows systems and use software remotely over an encrypted connection.
Users of Linux, the BSDs, and other operating systems, will know all about OpenSSH and its usefulness in connecting machines in a secure way to execute commands and transfer data. And soon Windows PowerShell – the command-line shell and scripting language – can be used over SSH, we’re told.
“The PowerShell team [will] adopt an industry-proven solution while providing tight integration with Windows; a solution that Microsoft will deliver in Windows while working closely with experts across the planet to build it,” wrote Microsoft group software engineering manager Angel Calvo.
“I’m pleased to announce that the PowerShell team will support and contribute to the OpenSSH community.”
PowerShell’s SSH support will allow users to “interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.”
This isn’t the first time Microsofties have tried to adopt SSH for Windows. Engineers at the Redmond giant say they had tried on two separate occasions to allow the secure protocol to be used within Windows, attempts that were struck down by leadership.