Security trends for 2015

3,110 Comments

1. November 17, 2015 at 8:37 am

   Tomi Engdahl says:

   US govt just can’t hire enough cyber-Sherlocks
   One in ten FBI Cyber Task Force teams don’t have a techie
   http://www.theregister.co.uk/2015/11/17/us_cyber_task_forces/

   American federal investigators are having a hard time hiring computer-savvy staff, according to a memo from the Inspector General for the US Department of Justice.

   “Even as it works to expand the ranks of its cybersecurity team, the department continues to face challenges recruiting and retaining highly qualified candidates to do this work,” the memo [PDF] states.

   Last year the FBI got the authorization and budget to hire 134 computer scientists for online investigations. We’re told the agency could only find 82 people interested in working for Uncle Sam. As a result, five of the FBI’s regional 56 Cyber Task Force teams don’t have a computer specialist on hand.

   “In an era of ever-increasing cyber threats, the Department will be challenged to sustain a focused, well-coordinated, and robust cybersecurity approach for the foreseeable future,” Horowitz concluded.

   Reply
2. November 17, 2015 at 8:39 am

   Tomi Engdahl says:

   BitLocker popper uses Windows authentication to attack itself
   Microsoft squashes offline logic flaw that makes lost laptops dynamite
   http://www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/

   Blackhat Europe Synopsys security boffin Ian Haken says un-patched PCs in enterprises are at risk of having user accounts popped and Bitlocker bypassed, in an attack he describes as “trivial” to perform.

   The attack vector, sealed off in the latest round of Redmond patches (MS15-122), affect those Windows machines that are part of network domains, notably those in enterprise fleets.

   Only sadistic sysadmins whose users suffer having to enter pre-boot passwords are immune, Haken says.

   Haken says attackers with access to a lost or stolen laptop can spoofing the relevant network domain, to set up a fake user account which matches the username for the victim’s computer.

   The fake account needs to be set with a creation date in the past. The password set does not matter.

   Once the victim machine connects to the spoofed domain, Windows will throw a password reset prompt that will change the credentials in the computer’s local cache.

   The laptop could then be disconnected from the spoofed domain and accessed using the changed credentials.

   Reply
3. November 17, 2015 at 9:34 am

   Tomi Engdahl says:

   Child abuse image hash list shared with major web firms
   19,000 criminal pic hashes given to Facebook, Google
   http://www.theregister.co.uk/2015/11/17/iwf_hash_list/

   The Internet Watch Foundation, Blighty’s voluntary body for policing and filtering the ‘net for child abuse images, has announced nearly 19,000 hashes of “category A” abuse images have already been stored in its new Hash List and distributed to major web firms.

   The abuse images are sorted into categories A, B, and C, with “A” referring to the “worst of the worst”.

   The 19,000 hashes have been “given to five global internet companies [Facebook, Google, Microsoft, Twitter and Yahoo], who had volunteered to conduct a robust test on the list through their systems during the implementation period.”

   Reply
4. November 17, 2015 at 10:11 am

   Tomi Engdahl says:

   Inspiring cyber-physical security into design
   Visualizing the relevance of cyber-physical systems in applications provides background for why new approaches to security are required.
   http://www.controleng.com/single-article/inspiring-cyber-physical-security-into-design/47923fd71a277e8abedeb06f34fd7beb.html

   It wasn’t that long ago when a well-known industrial control system (ICS) security professional was feeling down because of the influx of IT security people invading the industrial sector.

   “There are just too many people in here now that don’t know a PLC [programmable logic controller] from a solenoid trying to offer advice to people who want to do the right thing. But these people don’t know how to separate fact from fiction,” the pro said.

   While the IT-OT schism remains an immediate cause for concern, after attending the mainly IT-centric Blackhat USA 2015 security conference a couple of weeks ago, it appears the IT side of the house wants to start understanding the importance and differences of what industrial security is all about. The level of importance for securing the critical infrastructure keeps rising every day, and the more intelligence the IT environment gets about the OT side, the better off all manufacturing automation companies will be. After all, IT does have an excellent track record for security, and they have been at it for quite a while, albeit from a different angle.

   Yes, IT security professionals need to know the importance of availability. They need to know the system cannot go down for a couple of hours to work on a few things. They have to stay up and running for years at a time in some cases.

   Then there was a talk on how to break into a chemical plant.

   Marina Krotofil, senior security consultant at the European Network for Cyber Security, gave a talk before a packed room titled, “Rocking the Pocketbook: Hacking Chemical Plants for Competition and Extortion.” The interesting thing is Krotofil gave a quick basics course on the manufacturing automation industry and the importance of keeping systems up and running because of the dangerous possibilities of a successful hack.

   Understanding the future of cyber-physical systems security will pay off in terms of keeping a plant safe, Krotofil said.

   Another talk focused on Globalstar satellite transmissions used to monitor water pipelines and drilling applications for oil and gas that can end up compromised to alter messages.

   “Hackers can inject data into systems. These are 20-year-old systems built before security was thought of,” said Colby Moore, a security researcher at Synack. Sound familiar?

   In these old systems, “There is no encryption and everything is done in plain text,” Moore said. “That may have been the case years ago, but there is no excuse today.”

   From oil and gas devices to tracking fleets to consumer products, there are millions of devices deployed, Moore said.

   Another talk focused on Shamoon, the brutal attack that took down 35,000 computers at oil giant Saudi Aramco in 2012.

   Kubecka, who gave the Shamoon talk titled, “How to Implement IT Security after a Meltdown,” really focused on the IT side, but also understood the differences between IT and OT.

   “What IT doesn’t understand is a power plant can’t do a quick reboot to start the system,” she said. “ICS was separated (during the attack), and that was fantastic.”

   While Saudi Aramco’s production did not suffer from the attack, the aftermath was a problem for the entire country.

   Are IT and OT on the same page? No way. But they are in the same book. That is a positive that came out of the conference.

   Reply
5. November 17, 2015 at 10:31 am

   Tomi Engdahl says:

   These are the ways Anonymous could wage ‘war’ on ISIS
   http://www.techinsider.io/the-ways-anonymous-could-wage-war-on-isis-2015-11

   International hacking collective Anonymous declared war this weekend on ISIS, the extremist militant group that claimed responsibility for the attacks in Paris on November 13 which killed 129 people and left another approximately 350 injured.

   Release of private information: retrieval and dissemination of information considered private by ISIS.

   “Doxxing” members: revealing personal, private information about members of ISIS.

   “DDoS” attacks: flooding servers with information requests.

   Hack accounts: Take over social media accounts used by ISIS.

   “Google Bomb” / “Googlewashing” searchable terms with links to anti-ISIS websites.

   Prank calls: flood ISIS phone networks with spam phone calls.

   Reply
6. November 17, 2015 at 10:54 am

   Tomi Engdahl says:

   Cross-device tracking via imperceptible audio beacons threatens user privacy
   http://www.net-security.org/secworld.php?id=19112

   As consumers use multiple devices through the day, and tracking cookies become increasingly less effective, the advertising industry is looking for new ways to track users’ online behavior.

   As they pursue that goal with single-minded dedication, it falls on government institutions, privacy advocates and the users themselves to find ways to assure that individuals’ privacy doesn’t get trampled.

   The Federal Trade Commission (FTC) hosted a workshop to examine the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes. When the workshop was announced in March, the FTC called for public comments about the issue, in order to get a good handle on the current situation.

   “The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices,” they explained.

   High-Frequency Sounds Embedded in Ads Used to Track Users Across Devices
   http://news.softpedia.com/news/high-frequency-sounds-embedded-in-ads-used-to-track-users-across-devices-496256.shtml

   CDT (Center for Democracy & Technology) has alerted the FTC (Federal Trade Commission) about the existence of a privacy-intrusive, hidden high-frequency audio cross-device tracking technology.

   According to an official complaint filed by the CDT, the privacy watchdog is tattling on advertisers like SilverPush, Drawbridge, and Flurry, online companies that deploy ads that squeal high-frequency sounds from the devices they’re loaded on.

   The CDT says that these ultrasonic sounds scan the room for other devices like phones, tablets, TVs, computers, and wearables, effectively tying their presence to a browser cookie, an IP, and indirectly a user.

   A questionable practice, unknown to many, even the FTC

   While advertisers are actively interested in delivering more efficient ads, users may not see it as such. A tracked user may not want personal Web browsing and TV watching habits stored in such fine detail on an advertiser’s unsecure server somewhere online.

   The CDT says that, as of April of 2015, SilverPush’s ultrasonic tracking software (SDK) has been embedded in 67 mobile apps, allowing the company to track 18 million smartphones and an unknown number of nearby devices.

   “CDT is unaware of the existence of any current process for users to identify when probabilistic tracking is being used or meaningfully opt out. This represents a significant infirmity for any type of privacy protection,”

   Reply
7. November 17, 2015 at 10:55 am

   Tomi Engdahl says:

   Re: Comments for November 2015 Workshop on Cross-Device Tracking
   https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf

   Reply
8. November 17, 2015 at 11:04 am

   Tomi Engdahl says:

   After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption
   http://www.wired.com/2015/11/paris-attacks-cia-director-john-brennan-what-he-gets-wrong-about-encryption-backdoors/

   It’s not surprising that in the wake of the Paris terrorist attacks last Friday, US government officials would renew their assault on encryption and revive their efforts to force companies to install backdoors in secure products and encryption software.

   Just last month, the government seemed to concede that forced decryption wasn’t the way to go for now, primarily because the public wasn’t convinced yet that encryption is a problem. But US officials had also noted that something could happen to suddenly sway the public in their favor.

   With more than 120 people killed last week in Paris and dozens more seriously wounded, government officials are already touting the City of Light as that case. Former CIA deputy director Michael Morell said as much on CBS This Morning, suggesting that recalcitrant US companies and NSA whistleblower Edward Snowden are to blame for the attacks.

   “We don’t know yet, but I think what we’re going to learn is that [the attackers] used these encrypted apps, right?,” he said on the show Monday morning. “Commercial encryption, which is very difficult, if not impossible, for governments to break. The producers of this encryption do not produce the key, right, for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris.”

   CIA Director John Brennan said something similar

   No solid information has come out publicly yet about what communication methods the attackers used to plot their assault.

   On Sunday, the New York Times published a story stating that the Paris attackers “are believed to have communicated [with ISIS] using encryption technology.” The paper’s sources were unnamed European officials briefed on the investigation. It was not clear, however, “whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate,” the paper noted.

   Twitter users harshly criticized the Times story, and it has since disappeared from the site (though it is archived)

   A Yahoo news story on Saturday added to the theme, declaring that the Paris attacks show that US surveillance of ISIS is going dark.

   Numerous other news stories have suggested that attackers like the ones who struck Paris may be using something other than WhatsApp.

   A source told the paper that they are using it because “Playstation 4 is even more difficult to monitor than WhatsApp.”

   US Law enforcement and intelligence agencies have been warning for years that their inability to decrypt communication passing between phones and computers—even when they have a warrant or other legal authority to access the communication—has left them in the dark about what terrorists are planning.

   But there are several holes in the argument that forcing backdoors on companies will make us all more secure. While doing this would no doubt make things easier for the intelligence and law enforcement communities, it would come at a grave societal cost—and a different security cost—and still fail to solve some of the problems intelligence agencies say they face with surveillance.

   1. Backdoors Won’t Combat Home-Brewed Encryption.

   Forcing US companies and makers of encryption software to install backdoors and hand over encryption keys to the government would not solve the problem of terrorist suspects’ products that are made in countries not controlled by US laws.

   “There’s no way of preventing a terrorist from installing a Russian [encryption] app or a Brasilian app,”

   2. Other Ways to Get Information. The arguments for backdoors and forced decryption often fail to note the many other methods law enforcement and intelligence agencies can use to get the information they need. To bypass and undermine encryption, intelligence agencies can hack the computers and mobile phones of known targets to either obtain their private encryption keys or obtain email and text communications before they’re encrypted and after they’re decrypted on the target’s computer.
   “We’re still living in an absolute Golden Age of surveillance,” says Cardozo. “And there is always a way of getting the data that is needed for intelligence purposes.”

   3. Encryption Doesn’t Obscure Metadata. Encryption doesn’t prevent surveillance agencies from intercepting metadata and knowing who is communicating with whom. Metadata can reveal phone numbers and IP addresses that are communicating with one another, the date and time of communication and even in some cases the location of the people communicating. Such data can be scooped up in mass quantities through signals intelligence or by tapping undersea cables. Metadata can be extremely powerful in establishing connections, identities and locating people.

   4. Backdoors Make Everyone Vulnerable. As security experts have long pointed out, backdoors and encryption keys held by a service provider or law enforcement agencies don’t just make terrorists and criminals open to surveillance from Western authorities with authorization—they make everyone vulnerable to the same type of surveillance from unauthorized entities, such as everyday hackers and spy agencies from Russia, China, and other countries. This means federal lawmakers on Capitol Hill and other government workers who use commercial encryption would be vulnerable as well.

   “If Snowden has taught us anything, it’s that the intel agencies are drowning in data,” Cardozo says. “They have this ‘collect it all mentality’ and that has led to a ridiculous amount of data in their possession. It’s not about having enough data; it’s a matter of not knowing what to do with the data they already have. That’s been true since before 9/11, and it’s even more true now.”

   Reply
9. November 17, 2015 at 11:06 am

   Tomi Engdahl says:

   Visa uses bitcoin’s blockchain technology to cut paperwork out of car leasing
   A new proof-of-concept lets you lease a car in a matter of minutes thanks to a combination of Visa, DocuSign and blockchain technology
   http://www.telegraph.co.uk/technology/news/11961296/Visa-uses-bitcoins-blockchain-technology-to-cut-paperwork-out-of-car-rental.html

   Reply
10. November 17, 2015 at 11:58 am

    Tomi Engdahl says:

    No, The French Flag Colours Overlay on Facebook Profile Pics is NOT a Virus
    http://www.hoax-slayer.net/no-the-french-flag-colours-overlay-on-facebook-profile-pics-is-not-a-virus/

    According to a rather strange little rumour that is currently gathering momentum on Facebook, the French flag colours overlay that many people are currently using for their profile pictures is a virus.

    However, the overlay is certainly not a virus and is in no way malicious. The overlay is simply a way to show solidarity with France and the people of Paris after the recent terrorist attack in that nation.

    Facebook now offers the option to temporarily change your profile picture to support a cause or even your sports team

    Facebook scam: French Flag colors on Facebook virus
    http://cyberwarzone.com/facebook-scam-french-flag-colors-on-facebook-virus/

    Beware of people which claim that the ‘French Flag’ Facebook profile picture is a virus. Rumors are currently spreading on Facebook which claim that the French Flag Facebook profile picture is a virus, and that It is very dangerous.

    The fact is, that the Facebook French Flag profile picture is part of a campaign to raise awareness about the recent terrorist attacks in France. The French Flag picture can be used by people to show their support to the French people.

    People which claim that it is an virus are trying to lure unaware people into malicious scams which are actually an virus – so please be aware if someone offers to fix your ‘French Profile’ picture for you because they think it is a virus.

    Reply
11. November 17, 2015 at 12:22 pm

    Tomi Engdahl says:

    Don’t count on STARTTLS to automatically encrypt your sensitive e-mails
    TLS stripping and DNS attacks allow eavesdropping on protected messages.
    http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/

    Researchers have some good and bad news about the availability of secure e-mail. Use of STARTTLS and three other security extensions has surged in recent months, but their failure rate remains high, in large part because of active attacks that downgrade encrypted connections to unencrypted ones.

    That conclusion, reached in a recently published research paper, means that a significant chunk of e-mail continues to be transmitted in plaintext and with no mechanism for verifying that a message hasn’t been tampered with while it travels from sender to receiver. The downgrades are largely made possible by the simple mail transfer protocol used by many e-mail services. Because it wasn’t originally designed to provide message confidentiality or integrity, it relies on later-developed extensions including STARTTLS, domainkeys Identified Mail, sender policy framework, and domain-based message authentication that often don’t work as intended.

    The findings are based on Gmail SMTP connection logs spanning from January 2014 to April 2015 and a snapshot of SMTP server configurations from April 2015 from the Alexa top million domains. The Gmail data showed that incoming messages protected by transport layer security encryption grew 82 percent in one year, peaking to 60 percent of all inbound mail by the end of the study. Outgoing messages increased 54 percent, with 80 percent of messages protected. The improvement was largely the result of Yahoo, Outlook, and a small number of other large e-mail providers updating their servers to use STARTTLS.

    Reply
12. November 17, 2015 at 1:50 pm

    Tomi Engdahl says:

    Terrorists seek to commit deadly ‘cyber attacks’ in UK, says Chancellor Osborne
    ‘We know they want it’ chimes George during GCHQ speech
    http://www.theregister.co.uk/2015/11/17/osborne_cybersecurity_announcement_isil_gchq/

    Following Prime Minister David Cameron’s re-announcement of funding increases for UK security personnel, Chancellor George Osborne delivered a speech today to GCHQ workers explaining that the increase is necessary as ISIL is seeking to “develop the capability” to launch deadly cyber attacks against British infrastructure.

    How such a capability could be developed is unclear, but Osborne will declare to GCHQ that although “ISIL [Islamic State of Iraq and the Levant, and often known as IS] has not been able to use [the internet] to kill people yet by attacking our infrastructure through cyber attack … we know they want it”.

    Osborne confirmed that a funding increase of £1.9bn will be delivered by 2020, taking total “cyber spending” to £3.2bn by the Chancellor’s maths. The increase, he stated, had been decided before the terrorist attacks in Paris, despite previous announcements citing those attacks, and the Sinai aircraft disaster.

    GCHQ’s Cheltenham complex will soon house a new “National Cyber Centre”

    There will also be a “stronger Active Defence Programme”

    “The stakes could hardly be higher,” Osborne said. “If our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost.”

    “The real issue about hacking is its use on an industrial scale by the NSA, GCHQ and others,”

    Reply
13. November 17, 2015 at 2:16 pm

    Tomi Engdahl says:

    Microsoft To Provide New Encryption Algorithm For the Healthcare Sector
    http://science.slashdot.org/story/15/11/16/2129258/microsoft-to-provide-new-encryption-algorithm-for-the-healthcare-sector

    The healthcare sector gets a hand from Microsoft, who will release a new encryption algorithm which will allow developers to handle genomic data in encrypted format, without the need of decryption, and by doing so, minimizing security risks. The new algorithm is dubbed SEAL (Simple Encrypted Arithmetic Library) and is based on homomorphic encryption

    Microsoft Helps Out Healthcare Sector with New Data Encryption Algorithm
    http://news.softpedia.com/news/microsoft-helps-out-healthcare-sector-with-new-data-encryption-algorithm-496249.shtml

    Microsoft will provide a free tool to help with biomedical data processing and encryption

    In a recent paper released on its research portal, Microsoft has announced a new encryption algorithm that implements the theory of homomorphic encryption.

    Homomorphic encryption is a method of encryption that encodes data in such a way that it allows developers to work with the encrypted data as if it were in unencrypted form. Operations ran on homomorphically encrypted data yield the same results as when run on the data’s cleartext version.

    Microsoft’s new algorithm, named SEAL (Simple Encrypted Arithmetic Library), is modeled after homomorphic encryption principles, and allows developers to carry out addition and multiplication operations on the encrypted data.

    For now, the Redmond company says that SEAL can only handle genomic data used in bioinformatics.

    Reply
14. November 17, 2015 at 2:29 pm

    Tomi Engdahl says:

    Snowden Says It’s Your Duty To Use an Ad Blocker (for Security)
    http://yro.slashdot.org/story/15/11/17/1311213/snowden-says-its-your-duty-to-use-an-ad-blocker-for-security

    In a long interview about reclaiming your privacy online, ex-NSA whistleblower Edward Snowden states that it’s not just a good idea to use ad blocking software, it’s your duty: “Everybody should be running adblock software, if only from a safety perspective. We’ve seen internet providers like Comcast, AT&T, or whoever it is, insert their own ads into your plaintext http connections. As long as service providers are serving ads with active content that require the use of JavaScript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser — you should be actively trying to block these.”

    Edward Snowden Explains How To Reclaim Your Privacy
    https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/

    Lee: What do you think about Tor? Do you think that everyone should be familiar with it, or do you think that it’s only a use-it-if-you-need-it thing?

    Snowden: I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time.

    Micah Lee: What are some operational security practices you think everyone should adopt? Just useful stuff for average people.

    Edward Snowden: [Opsec] is important even if you’re not worried about the NSA. Because when you think about who the victims of surveillance are, on a day-to-day basis, you’re thinking about people who are in abusive spousal relationships, you’re thinking about people who are concerned about stalkers, you’re thinking about children who are concerned about their parents overhearing things. It’s to reclaim a level of privacy.

    The first step that anyone could take is to encrypt their phone calls and their text messages. You can do that through the smartphone app Signal, by Open Whisper Systems. It’s free, and you can just download it immediately.

    You should encrypt your hard disk, so that if your computer is stolen the information isn’t obtainable to an adversary — pictures, where you live, where you work, where your kids are, where you go to school.

    Use a password manager. One of the main things that gets people’s private information exposed, not necessarily to the most powerful adversaries, but to the most common ones, are data dumps.
    A password manager allows you to create unique passwords for every site that are unbreakable, but you don’t have the burden of memorizing them.

    The other thing there is two-factor authentication. The value of this is if someone does steal your password, or it’s left or exposed somewhere … [two-factor authentication] allows the provider to send you a secondary means of authentication — a text message or something like that

    We should not live lives as if we are electronically naked.

    We should armor ourselves using systems we can rely on every day. This doesn’t need to be an extraordinary lifestyle change. It doesn’t have to be something that is disruptive. It should be invisible, it should be atmospheric, it should be something that happens painlessly, effortlessly.

    Snowden: Almost every principle of operating security is to think about vulnerability. Think about what the risks of compromise are and how to mitigate them. In every step, in every action, in every point involved, in every point of decision, you have to stop and reflect and think, “What would be the impact if my adversary were aware of my activities?” If that impact is something that’s not survivable, either you have to change or refrain from that activity, you have to mitigate that through some kind of tools or system to protect the information and reduce the risk of compromise, or ultimately, you have to accept the risk of discovery and have a plan to mitigate the response. Because sometimes you can’t always keep something secret, but you can plan your response.

    Lee: Are there principles of operational security that you think would be applicable to everyday life?

    Snowden: Yes, that’s selective sharing. Everybody doesn’t need to know everything about us. Your friend doesn’t need to know what pharmacy you go to. Facebook doesn’t need to know your password security questions. You don’t need to have your mother’s maiden name on your Facebook page, if that’s what you use for recovering your password on Gmail.

    Lee: Do you think people should use adblock software?

    Snowden: Yes.

    Everybody should be running adblock software, if only from a safety perspective …

    Lee: Nice. So there’s a lot of esoteric attacks that you hear about in the media. There’s disk encryption attacks like evil maid attacks, and cold-boot attacks. There’s all sorts of firmware attacks. There’s BadUSB and BadBIOS, and baseband attacks on cellphones. All of these are probably unlikely to happen to many people very often. Is this something people should be concerned about? How do you go about deciding if you personally should be concerned about this sort of attack and try to defend against it?

    Snowden: It all comes down to personal evaluation of your personal threat model, right? That is the bottom line of what operational security is about. You have to assess the risk of compromise. On the basis of that determine how much effort needs to be invested into mitigating that risk.

    There’s a counter to every attack. The idea is you can play the cat-and-mouse game forever.

    Lee: What sort of security tools are you currently excited about? What are you finding interesting?

    Snowden: I’ll just namecheck Qubes here, just because it’s interesting. I’m really excited about Qubes because the idea of VM-separating machines, requiring expensive, costly sandbox escapes to get persistence on a machine, is a big step up in terms of burdening the attacker with greater resource and sophistication requirements for maintaining a compromise.

    Lee: People use smartphones a lot. What do you think about using a smartphone for secure communications?

    Snowden: Something that people forget about cellphones in general, of any type, is that you’re leaving a permanent record of all of your physical locations as you move around. … The problem with cellphones is they’re basically always talking about you, even when you’re not using them.

    Reply
15. November 17, 2015 at 2:37 pm

    Tomi Engdahl says:

    The million-dollar hole in the FBI ‘paying CMU to crack Tor’ story
    Researchers and writers blur lines, cause problems
    http://www.theregister.co.uk/2015/11/17/milliondollar_hole_in_fbi_tor_story/

    It’s something every journalist learns: if you hit on an important story, make sure every part of it is accurate. One small error is all that is needed to undermine the entire piece.

    It’s something every journalist learns: if you hit on an important story, make sure every part of it is accurate. One small error is all that is needed to undermine the entire piece.

    Roger Dingledine is not a journalist, but as interim chief executive of the Tor project, he should have known to be more careful when he wrote in a blog post that the FBI paid Carnegie-Mellon $1m to help identify users of the anonymizing network.

    It was a single line, but one that is now being used to put a question mark over the entire story.

    We have been told that the payment to CMU was at least $1 million.

    The fact that the FBI was using information gleaned from a “university-based research institute” – according to court documents – to identify and prosecute individual users was a significant story worthy of further investigation.

    But a financial connection, a quid pro quo, is something else entirely. And that was made plain from the sudden explosion of stories – ours included – focused on the payment.

    The figure has been leapt on by Carnegie Mellon and the FBI. “I’m not aware of any payment,” the university’s press person told WiReD. “I’d like to see the substantiation for their claim.”

    Likewise, the FBI. A spokesman told Ars Technica that the story was “inaccurate”

    Both researchers believed to be at the center of the saga – Alexander Volynkin and Michael McCord – work for Carnegie Mellon University and the “Computer Emergency Response Team” – CERT – which is a division of the university’s Software Engineering Institute (SEI).

    CERT’s SEI parent is an FFRDC – a Federally Funded Research and Development Center – which is a very specific entity funded by the US government to carry out clearly defined long-term research.

    When Volynkin and McCord discovered a security flaw in the Tor network while at their jobs at CERT. They then used it to carry out research into the Tor network itself.

    The researchers did not inform the Tor Project of this flaw nor their research, however – meaning that the organization was unaware who was behind the tracking activity when it shut the relays down in July

    The information gleaned from that piece of “research” found its way into the hands of the FBI, that then used it to effect real-world arrests of two people – one in connection with the Silk Road drug-trading marketplace, and the other on suspected child porn offenses. We don’t know when that happened.

    All of this fits into place: researchers, intrigued at discovering a flaw in an anonymous network, carry out live tests to see if they can track people and discover their real identities. It is the sort of research that makes your name.

    But the $1m turns that story on its head. If true, suddenly we have the federal authorities paying a university to carry out investigative work on their behalf.

    “We have been told that the payment to CMU was at least $1 million.”

    The evidence for this claim is weak at best. It’s no wonder the FBI and Carnegie Mellon are unhappy about it, and they have every right to be

    Reply
16. November 17, 2015 at 2:55 pm

    Tomi Engdahl says:

    NYT Quietly Pulls Article Blaming Encryption In Paris Attacks
    http://yro.slashdot.org/story/15/11/17/1357248/nyt-quietly-pulls-article-blaming-encryption-in-paris-attacks

    Inside Sources reports that the New York Times has quietly pulled a story from its website alleging the attackers used encrypted technology. The original piece which has since been removed, can be found on the Internet Archive and stated. “The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly.”

    Reply
17. November 18, 2015 at 10:00 am

    Tomi Engdahl says:

    ISIS Has Help Desk for Terrorists Staffed Around the Clock
    http://www.nbcnews.com/storyline/paris-terror-attacks/isis-has-help-desk-terrorists-staffed-around-clock-n464391

    NBC News has learned that ISIS is using a web-savvy new tactic to expand its global operational footprint — a 24-hour Jihadi Help Desk to help its foot soldiers spread its message worldwide, recruit followers and launch more attacks on foreign soil.

    Counterterrorism analysts affiliated with the U.S. Army tell NBC News that the ISIS help desk, manned by a half-dozen senior operatives around the clock, was established with the express purpose of helping would-be jihadists use encryption and other secure communications in order to evade detection by law enforcement and intelligence authorities.

    The relatively new development — which law enforcement and intel officials say has ramped up over the past year — is alarming

    Authorities are now homing in on the terror group’s growing cyber capabilities after attacks in Paris, Egypt and elsewhere for which ISIS has claimed credit.

    “They’ve developed a series of different platforms in which they can train one another on digital security to avoid intelligence and law enforcement agencies for the explicit purpose of recruitment, propaganda and operational planning,”

    The existence of the Jihadi Help Desk has raised alarm bells in Washington and within the global counterterrorism community because it appears to be allowing a far wider web of militants to network with each other and plot attacks. A senior European counterterrorism official said that concerns about the recent development are especially serious in Europe, where ISIS operatives are believed to be plotting major attacks, some of them with direct assistance from ISIS headquarters in Syria.

    “While some of the contacts between groups like ISIL and potential recruits occur in publicly accessible social networking sites,”

    “They are very decentralized. They are operating in virtually every region of the world.”

    The help desk workers closely track all of the many new kinds of security software and encryption as they come online, and produce materials to train others in how to use them. The CTC has obtained more than 300 pages of documents showing the help desk is training everyone from novice militants to the most experienced jihadists in digital operational security.

    And once the help desk operatives develop personal connections with people, ISIS then contacts them to engage them in actual operational planning — including recruiting, fundraising and potentially attacks.

    Reply
18. November 18, 2015 at 10:15 am

    Tomi Engdahl says:

    More POS malware, just in time for Christmas
    VXers stuff evidence-purging malware in retailer stockings.
    http://www.theregister.co.uk/2015/11/16/more_pos_malware_just_in_time_for_christmas/

    Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break.

    The Cherry Picker and AbaddonPOS malware, exposed in the last week, are the latest evolution in stealthy and capable point of sales credit and debit card plundering.

    Reply
19. November 18, 2015 at 10:17 am

    Tomi Engdahl says:

    Eric S Raymond releases hardened, slimmer NTP beta
    Early version for the ‘adventurous’, but not quite ‘crazy’.
    http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/

    Dogged developer and open source champion Eric S Raymond has announced a beta of a refined version of the network time protocol code as open source following financial backing.

    Raymond (@esrtweet) has been plugging away at a more secure and cleaner version of NTP part time, as “architecture and protocols guru” on the NTPsec project. He’s also tried to gain some crowdfunding to support his efforts to improve the known insecure code.

    He says in the last four months he has reduced the size of the NTP from “227KLOC to 98KLOC” or by 57 percent.

    NTPsec has been “seriously security-hardened” Raymond says, including the fixing of all public vulnerabilities and holes and the inclusion of preventive measures to shutter whole vulnerability classes.

    “The (current) NTP Classic codebase had accumulated serious vulnerabilities Raymond says.

    “We’ve worked overtime to identify and plug the critical holes; more needs to be done on the lesser ones.

    Beta version 0.9.0 has “some rough edges, mostly due to the rather traumatic (but utterly necessary) replacement of the autoconf build system.”

    “However, the core function – syncing your clock via NTP – is solid, and using 0.9.0 for production might be judged a bit adventurous but wouldn’t be crazy,” Raymond says.

    Reply
20. November 18, 2015 at 10:54 am

    Tomi Engdahl says:

    Finnish telecom operator Elisa set up a cyber security center to protect enterprises from network attacks

    Elisa Kyberturvakeskus is a new cyber security service that monitors and protects consumers and businesses as well as public administration, cyber threats.

    The service observing, reporting and rejects launch cyber-attacks around the clock every day of the year, thereby enabling business continuity during the unexpected.

    - Digital technology is an integral part of our society and our companies activities where possible, in addition also has a large digital responsibility. New kyberturvakeskuksemme we offer our customers a service detection and prevention of various types of threats to preventive and real-time protection, says Elisa’s Corporate Customers unit director Timo Katajisto.

    Kyberturvakeskus expand the Elisa service offering in the fight against cyber threats. In addition to the fight launched in the fall of 2014 denial of service attacks (ELISA plate) and a real-time view of the situation (Elisa Sense) kyberturvakeskus is responsible for managing customers’ vulnerabilities, web threats and logs, as well as various anomalies treatment.

    Source: http://www.epressi.com/tiedotteet/telekommunikaatio/elisa-perustaa-kyberturvakeskuksen-suojaamaan-yrityksia-verkkohyokkayksilta.html

    Reply
21. November 18, 2015 at 10:56 am

    Tomi Engdahl says:

    Elisa IoT Innovation Challenge award to Foller for reducing food wastage

    Launched in April, Elisa IoT Innovation Challenge competition is resolved Slush 2015 event. The first prize of EUR 50 000 won Foller, which developed the service aims to reduce food wastage.

    Developed by Follerin service will reduce food wastage by monitoring the degree of freshness of food throughout the production, transport and during the distribution chain. Competition in the product development cycle was exceptionally fast, because the top three were selected after only six weeks of intensive product development. Foller started from zero, but less than three months, they created an operational service, which already has a pilot customers.

    - In today’s world of business, it is crucial that the observed potential can be reached quickly R & D stage and pilot projects. Elisa IoT platform enabled us this. Next, can scale and develop the service further. The journey continues, “says a representative Folleria Tomi Kankainen.

    Real-time information about the freshness of food

    Food wastage is a huge problem, both in Finland and abroad. Fabric alone, according to the home country’s annual food waste is worth around EUR 500 million. Globally, food is wasted every year 1.3 trillion pounds.

    Real-time monitoring of food freshness enables automatic pricing and marketing to consumers. Developer Team is intended in the future to reduce food wastage as food shops and cafes and at home. Foller has had time to launch a pilot project in one Incl. With the Deli.

    - Foller is evidence of the speed of the digital world. Technology has always been an enabler, but inertia and price development have been wide innovation on the road. Elisa IoT was conceived to let the ideas of the possibility of practice.

    Elisa IoT Innovation Challenge competition was launched in April, and the actual development phase began in mid-August.

    Source: http://www.epressi.com/tiedotteet/telekommunikaatio/elisa-iot-innovation-challenge-kilpailun-voitto-ruuan-havikkia-vahentavalle-follerille.html

    Reply
22. November 18, 2015 at 11:09 am

    Tomi Engdahl says:

    Security company Check Point, the world’s most common malware families were in October Conficker, Sality and Cutwail. Conflicker alone accounted for about 20 per cent of all attacks detected in October.

    The biggest source of problems Conflicker to take over the machine and move it to a botnet command. Malware gets commandments command from the server.

    Sality attacks were the second most common, about 10 percent of the total. Sality attack focuses on Windows platform, allowing remote control of the charging device, and malware.

    Cutwail botnet is a network that sends spam and makes denial of service attacks. Bot keep in touch with the command center, from which it receives instructions for sent emails.

    Finland was the safety statistics of 133 countries ranked 12. We were attacked quite rarely, but still a little more often than the other Nordic countries.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3607:yksi-haitta-oli-joka-viidennen-hyokkayksen-takana&catid=13&Itemid=101

    Reply
23. November 18, 2015 at 11:48 am

    Tomi Engdahl says:

    Anonymous Takes Down Thousands of ISIS-Related Twitter Accounts In a Day
    http://tech.slashdot.org/story/15/11/17/1917226/anonymous-takes-down-thousands-of-isis-related-twitter-accounts-in-a-day?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Softpedia is reporting that Anonymous, along with social media users, have identified several thousand Twitter accounts allegedly linked to ISIS members. “Besides scanning for ISIS Twitter accounts themselves, the hacking group has also opened access to the [takedown operation] site to those interested. Anyone who comes across ISIS social media accounts can easily search the database and report any new terrorists and supporters. The website is called #opIceISIS [slow right now, but it does load] and will index ISIS members based on their real name, location, picture, Twitter, Facebook, and YouTube accounts.” Anonymous crowdsourcing their operations… welcome to the brave new world, ISIS.

    An article at The Independent reminds everyone that this information has not been independently confirmed, and that Anonymous is certainly capable of misidentifying people.

    One Day Later, Anonymous Already Takes Down 3,824 Pro-ISIS Twitter Accounts
    http://news.softpedia.com/news/one-day-later-anonymous-already-takes-down-3-824-pro-isis-twitter-accounts-496258.shtml

    ‘Operation Isis’ Anonymous activists begin leaking suspected extremist Twitter account details
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/paris-attacks-anonymous-operation-isis-activists-begin-leaking-details-of-suspected-extremist-a6737291.html

    Organising under #opISIS and #opParis, the group is attempting to take down the websites and social media accounts of people associated with the group — as well as apparently release personal details of those involved in recruitment

    Reply
24. November 18, 2015 at 11:49 am

    Tomi Engdahl says:

    Microsoft Invests $1 Billion In ‘Holistic’ Security Strategy
    http://tech.slashdot.org/story/15/11/17/2038200/microsoft-invests-1-billion-in-holistic-security-strategy

    Microsoft has invested $1 billion over the past year in security and doubled its number of security executives, according to company’s CISO Bret Arsenault. In an address today (webcast), CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center

    Microsoft Invests $1 Billion In ‘Holistic’ Security Strategy
    http://www.darkreading.com/endpoint/microsoft-invests-$1-billion-in-holistic-security-strategy/d/d-id/1323170?

    Executives detail strategic and cultural shift at Microsoft to an integrated security approach across its software and services, and announce new managed services group and cyber defense operation center.

    Reply
25. November 18, 2015 at 11:52 am

    Tomi Engdahl says:

    Could a Change In Wording Attract More Women To Infosec?
    http://science.slashdot.org/story/15/11/17/200226/could-a-change-in-wording-attract-more-women-to-infosec?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    “Information security is an endeavor that is frequently described in terms of war,” writes Lysa Myers. “But what would the gender balance of this industry be like if we used more terms from other disciplines?” Just 14 percent of U.S. federal government personnel in cybersecurity specialties are women

    A change in wording could attract more women to infosec
    http://www.csoonline.com/article/3005406/it-careers/a-change-in-wording-could-attract-more-women-to-infosec.html

    Information security is an endeavor that is frequently described in terms of war. What can we learn from history and from other industries about what a change in verbiage might do to affect the gender balance of this industry?

    Information security is an endeavor that is frequently described in terms of war: Red team. Blue team. White hat. Black hat. Battle plan. Kill chain. Command and Control. Trojan horse. Payload. Demilitarized zone. Reconnaissance. Infiltration. Adversary. But what would the gender balance of this industry be like if we used more terms from other disciplines?

    At the recent National Initiative for Cybersecurity Education (NICE) conference, I found myself in several discussions about the possibility that battlefield verbiage caused girls to avoid pursuing InfoSec careers. Answering the question above is not a simple task, but we may take some clues from history, as well as other industries, to view the possibilities.

    The biggest reason we use so many battle-related security phrases is probably because the military has long been an incubator for new technology. Protecting that machinery and knowledge from prying eyes is no small feat; the military trains and employs a great number of people to secure its systems. As a result, many people involved in cybersecurity started their careers in military or government organizations.

    As far as gender imbalances go, the military is nearly as lopsided as the InfoSec industry: 14.5 percent of the active duty force as of 2013 was comprised of women, with only 7.1 percent of the top ranks being held by women. In cybersecurity specialties 14 percent of personnel are female.

    According to a recent report by Raytheon and the National Cyber Security Alliance (NCSA), the majority of women and men are not being introduced to InfoSec careers.

    With the dearth of computer education in K-12 schools in the U.S., this is hardly surprising. But it does show a clear pattern of this industry being perceived as a masculine profession rather than a feminine one.

    Perhaps the reason for the facts above is best explained by a comment that stuck with me from the NICE conference, from someone who had taught a GenCyber camp for girls. He found that one effective way to get girls to feel passionate about security was to create an emotional connection with the subject: e.g. the shock and distress of seeing your drone hacked or your password exposed.

    It may be hard to imagine that people would develop attachments to creepy critters and perplexing puzzles. But it’s not hard to see how security is every bit as much about caring and advocacy as it is about battle.

    Reply
26. November 18, 2015 at 12:34 pm

    Tomi Engdahl says:

    Sky warning over ‘cash for porn’ letter
    http://www.bbc.com/news/technology-34842863

    Sky has warned some of its customers they are likely to receive letters demanding cash for illegally downloaded pornographic films.

    The letters, from the Golden Eye company, which has previously targeted O2 customers, threaten legal action.

    While Sky stops short of telling users not to pay, it advises them to “carefully read the letter”.

    The practice of so-called speculative invoicing has been criticised by judges and solicitors in other cases.

    Speculative invoicing is defined by the Citizens’ Advice Bureau as a “pay up or else” scheme in which “some unscrupulous solicitors and companies… target subscribers to internet services and demand payment from them for copyright infringement to avoid having to go to court”.

    Sky said Golden Eye had “successfully applied for a court order against Sky”.

    This required the internet service provider (ISP) to hand over the IP addresses Golden Eye had identified as being associated with downloading films illegally.

    “We have written to all affected customers, advising them carefully to read the letter from Golden Eye, and if they want any further help, to contact the Citizens’ Advice Bureau,” Sky said.

    Golden Eye director Julian Becker told the BBC that letters would be sent to “thousands” of Sky customers.

    He denied that the company was involved in speculative invoicing, saying that “rights holders… both adult and mainstream producers have every right to protect their content and livelihood from internet thieves”.

    “We have only written to those account holders for whom we have evidence of copyright infringement,” he said.

    Michael Coyle, who has represented hundreds of clients who have faced similar letters, said those people who receive them were in a difficult position.

    “If they go to a solicitor, they will want a minimum of £500 to £700, and that is about what Golden Eye will ask for compensation, so many will think that it is easier to pay to make it go away,” he said.

    Reply
27. November 18, 2015 at 12:42 pm

    Tomi Engdahl says:

    Bret Arsenault / The Official Microsoft Blog:
    Microsoft to create a Cyber Defense Operations Center and an Enterprise Cybersecurity Group, with security experts for rapid response to security threats

    Enterprise security for our mobile-first, cloud-first world
    http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/

    Today, I was able to join Microsoft CEO Satya Nadella in Washington, D.C., where he delivered a keynote that highlighted the need for a new approach to security. He shared how Microsoft uses its unique insight into the threat landscape to help better protect customers, and showcased how Microsoft technologies work in tandem with each other, and with solutions from the security ecosystem, to deliver a holistic, agile, security platform for today’s enterprise.

    New approach

    In our mobile-first, cloud-first world, employees work on corporate applications and access sensitive data from on-premises and cloud-based systems using every type of device from laptops to BYO devices to IoT sensors. While there is an immense opportunity for enterprises and individuals to derive personal and professional value from today’s connected technologies, there is a corresponding growth in risk as people increase their exposure to cyber security threats. While security has always been a focus for Microsoft, we recognize that the digital world in which we live requires a new approach to how we Protect, Detect and Respond to security threats.

    We must better Protect all endpoints – from sensors and datacenters to identities and SaaS applications. We must move faster to Detect threats using the scale and intelligence of the cloud, machine learning and behavioral monitoring. We must Respond more quickly and comprehensively, and empower our customers with insights that are actionable and holistic.

    Microsoft’s unique insights into the threat landscape, informed by trillions of signals from billions of sources, create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks and accelerate our response. The intelligent security graph is powered by inputs we receive across our end points, consumer services, commercial services and on-premises technologies – and uniquely positions us to better protect our customers and their data.

    A holistic, agile, security platform

    During today’s keynote, Satya Nadella showcased how innovations in Windows 10, Office 365, Microsoft Azure, and Microsoft Enterprise Mobility Suite (EMS) work in tandem with each other, and with partner solutions from across the security ecosystem to deliver a holistic, agile, security platform. Combined with insights from the intelligent security graph, these security features are designed to help prevent the accidental or intentional loss of corporate data, prevent password related attacks, and prevent and respond to the installation of malware on a machine or in your environment.

    Improving our security posture

    While there will always be new threats, new attacks and new technologies, companies can take action today to address security concerns and improve their security postures. It is critical for companies to strengthen their core security hygiene (across things like monitoring, antivirus, patch and operating systems), adopt modern platforms and comprehensive identity, security and management solutions, and leverage features offered within cloud services; and it is just as important to create education and awareness across employee populations in order to build and sustain a pervasive security culture.

    Reply
28. November 18, 2015 at 12:47 pm

    Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    In the aftermath of Paris attacks, intelligence agencies scapegoat encryption to mask the failures of mass surveillance — Encryption Is Being Scapegoated To Mask The Failures Of Mass Surveillance — Well that took no time at all. Intelligence agencies rolled right into the horror …

    Encryption Is Being Scapegoated To Mask The Failures Of Mass Surveillance
    http://techcrunch.com/2015/11/17/the-blame-game/

    Well that took no time at all. Intelligence agencies rolled right into the horror and fury in the immediate wake of the latest co-ordinated terror attacks in the French capital on Friday, to launch their latest co-ordinated assault on strong encryption — and on the tech companies creating secure comms services — seeking to scapegoat end-to-end encryption as the enabling layer for extremists to perpetrate mass murder.

    There’s no doubt they were waiting for just such an ‘opportune moment’ to redouble their attacks on encryption after recent attempts to lobby for encryption-perforating legislation foundered. (A strategy confirmed by a leaked email sent by the intelligence community’s top lawyer, Robert S. Litt, this August — and subsequently obtained by the Washington Post — in which he anticipated that a “very hostile legislative environment… could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement”. Et voila Paris… )

    Speaking to CBS News the weekend in the immediate aftermath of the Paris attacks, former CIA deputy director Michael Morell said: “I think this is going to open an entire new debate about security versus privacy.”

    Elsewhere the fast-flowing attacks on encrypted tech services have come without a byline — from unnamed European and American officials who say they are “not authorized to speak publicly”. Yet are happy to speak publicly, anonymously.

    The NYT published an article on Sunday alleging that attackers had used “encryption technology” to communicate — citing “European officials who had been briefed on the investigation but were not authorized to speak publicly”. (The paper subsequently pulled the article from its website, as noted by InsideSources, although it can still be read via the Internet Archive.)

    The irony of government/intelligence agency sources briefing against encryption on condition of anonymity as they seek to undermine the public’s right to privacy would be darkly comic if it weren’t quite so brazen.

    Here’s what one such unidentified British intelligence source told Politico: “As members of the general public get preoccupied that the government is spying on them, they have adopted these applications and terrorists have found them tailor-made for their own use.”

    “Seeking to outlaw technology tools that are used by the vast majority of people to protect the substance of law-abiding lives is not just bad politics, it’s dangerous policy.”

    In the same Politico article, an identified source — J.M. Berger, the co-author of a book about ISIS — makes a far more credible claim: “Terrorists use technology improvisationally.”

    Of course they do. The co-founder of secure messaging app Telegram, Pavel Durov, made much the same point earlier this fall when asked directly by TechCrunch about ISIS using his app to communicate. “Ultimately the ISIS will always find a way to communicate within themselves. And if any means of communication turns out to be not secure for them, then they switch to another one,” Durov argued. “I still think we’re doing the right thing — protecting our users privacy.”

    Bottom line: banning encryption or enforcing tech companies to backdoor communications services has zero chance of being effective at stopping terrorists finding ways to communicate securely. They can and will route around such attempts to infiltrate their comms, as others have detailed at length.

    Here’s a recap: terrorists can use encryption tools that are freely distributed from countries where your anti-encryption laws have no jurisdiction. Terrorists can (and do) build their own securely encrypted communication tools. Terrorists can switch to newer (or older) technologies to circumvent enforcement laws or enforced perforations. They can use plain old obfuscation to code their communications within noisy digital platforms like the Playstation 4 network, folding their chatter into general background digital noise (of which there is no shortage). And terrorists can meet in person, using a network of trusted couriers to facilitate these meetings, as Al Qaeda — the terrorist group that perpetrated the highly sophisticated 9/11 attacks at a time when smartphones were far less common, nor was there a ready supply of easy-to-use end-to-end encrypted messaging apps — is known to have done.

    Point is, technology is not a two-lane highway that can be regulated with a couple of neat roadblocks — whatever many politicians appear to think. All such roadblocks will do is catch the law-abiding citizens who rely on digital highways to conduct more and more aspects of their daily lives. And make those law-abiding citizens less safe in multiple ways.

    Reply
29. November 21, 2015 at 11:05 pm

    Tomi Engdahl says:

    TrueCrypt is safer than previously reported, detailed analysis concludes
    Fraunhofer Institute gives clean bill of health to crypto tool used by millions.
    http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previously-reported-detailed-analysis-concludes/

    The TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts is safer than some studies have suggested, according to a comprehensive security analysis conducted by the prestigious Fraunhofer Institute for Secure Information Technology.

    The extremely detailed 77-page report comes five weeks after Google’s Project Zero security team disclosed two previously unknown TrueCrypt vulnerabilities.

    Despite the vulnerabilities, the analysis concluded that TrueCrypt remains safe when used as a tool for encrypting data at rest as opposed to data stored in computer memory or on a mounted drive. The researchers said the vulnerabilities uncovered by Project Zero and in the Fraunhofer analysis should be fixed but that there’s no indication that they can be exploited to provide attackers access to encrypted data stored on an unmounted hard drive or thumb drive.

    When random numbers aren’t

    Further Reading
    TrueCrypt security audit is good news, so why all the glum faces?

    No fatal flaws found but troubling questions about TrueCrypt’s future remain.
    The analysis, which was performed under contract with Germany’s Federal Office for Security in Information Technology, largely echoes the conclusions reached in April in a separate security audit of TrueCrypt. It also uncovered several programming errors, the most serious of which involved the use of a Windows programming interface to generate random numbers used by cryptographic keys. The Fraunhofer researchers also found weaknesses in the way TrueCrypt retrieves random numbers.

    Theoretically, weaknesses in generating random numbers can make it easier for attackers to guess the secret keys needed to decrypt encrypted data.

    The conclusion means that the millions of people who have relied on TrueCrypt will probably have a grace period to safely continue using the program until VeraCrypt or another TrueCrypt replacement is farther along in development.

    Reply
30. November 21, 2015 at 11:18 pm

    Tomi Engdahl says:

    Kim Zetter / Wired:
    ISIS’ OPSEC manual reveals how it handles cybersecurity, from Tor and Tails to BlackPhone
    http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terrorist-group-security-protocols/

    In the wake of the Paris attacks, US government officials have been vocal in their condemnation of encryption, suggesting that US companies like Apple and Google have blood on their hands for refusing to give intelligence and law enforcement agencies backdoors to unlock customer phones and decrypt protected communications. But news reports of the Paris attacks have revealed that at least some of the time, the terrorists behind the attacks didn’t bother to use encryption while communicating, allowing authorities to intercept and read their messages.

    Reports in France say that investigators were able to locate some of the suspects’ hideout this week using data from a cellphone apparently abandoned by one of the attackers in a trashcan outside the Bataclan concert hall where Friday’s attack occurred, according to Le Monde. Authorities tracked the phone’s movements prior to the attack,

    Other reports indicate that a previous ISIS terrorist plot targeting police in Belgium was disrupted in that country last January because Abdelhamid Abaaoud—suspected mastermind of both that plot and the Paris attacks—had failed to use encryption.

    All of this suggests that the attackers were guilty of major OPSEC failures—that is, if it weren’t for the fact that some of them still managed to pull off the Paris attacks without prior detection. This suggests they either did use encryption during earlier planning stages of their attacks, or that authorities were so overwhelmed tracking other suspects—French investigators claim they recently thwarted six other attacks—that they overlooked the suspects who pulled off the Paris attacks. This indeed might be the case since Turkish authorities have said they tried to warn French authorities twice about one of the suspects but never got a response.

    Despite this, US authorities have flooded the media this week with stories about how ISIS’ use of encryption and other anti-surveillance technologies has thwarted their ability to track the terrorists. But authorities have also slyly hinted that some of the encryption technologies the terrorists use are not as secure as they think they are, or are not being configured and used in a truly secure manner. So what exactly are ISIS attackers doing for OPSEC?

    It turns out that a 34-page guide to operational security (.pdf) that ISIS members advise recruits to follow, offers some clues.

    The guide was originally written about a year ago by a Kuwaiti security firm known as Cyberkov to advise journalists and political activists in Gaza on how to protect their identities, the identity of their sources and the integrity of information they report. But members of ISIS have since co-opted it for their own use as well.

    The guide offers a handy compilation of advice on how to keep communications and location data private, as well as links to dozens of privacy and security applications and services, including the Tor browser, the Tails operating system; Cryptocat, Wickr, and Telegram encrypted chat tools; Hushmail and ProtonMail for email; and RedPhone and Signal for encrypted phone communications. Gmail, the guide notes, is only considered secure if the account is opened using false credentials and is used with Tor or a virtual private network. Android and iOS platforms are only secure when communications are routed through Tor.

    The manual advises disabling the GPS tagging feature on mobile phones to avoid leaking location data when taking photos—a mistake that a Vice reporter made in 2012 when interviewing murder suspect John McAfee who was on the lam. Alternatively, operatives and journalists can use the Mappr app can be used to falsify location data and throw intelligence agencies off their trail.

    The OPSEC manual used by ISIS also advises against using Instagram because its parent company, Facebook, has a poor track record on privacy, and it warns that mobile communications can be intercepted, even though GSM networks are encrypted. It advises readers to use encrypted phones like Cryptophone or BlackPhone instead.

    There are no surprises among the documents. Most of the recommendations are the same that other civil liberties and journalist groups around the world advise human rights workers, political activists, whistleblowers and reporters to use to secure their communications and obscure their identity or hide their location.

    “This is about as good at OPSEC as you can get without being formally trained by a government,” Brantly, a cyber fellow with the West Point center, told WIRED. “This is roughly [the same advice] I give to human rights activists and journalists to avoid state surveillance in other countries. If they do it right, then they can become pretty secure. [But] there’s a difference between telling somebody how to do it and then [them] doing it right.”

    The documents warn that followers should use strong passwords and avoid clicking on suspicious links, to prevent intelligence agencies and everyday hackers from breaching their systems.

    It advises users to always use a VPN online to encrypt data and prevent ISPs and spy agencies from reading their communication. But it cautions users to stay away from American providers of VPNs and encrypted chat tools and instead use ones like Telegram and Sicher, instant messaging apps made by companies based in Germany, or the Freedome, a VPN from the Finish computer security firm F-Secure. Apple’s iMessage, an end-to-end encryption service, also gets a thumbs-up

    Although US government officials have repeatedly cited WhatsApp as a tool ISIS uses to thwart surveillance, the Kuwaiti manual actually puts the chat application on a “banned” list.

    He also says they’ve seen no sign yet that ISIS is using home-brewed encryption programs that its members created themselves. “Al Qaeda developed their own encryption platform for a while. But ISIS right now is largely using Telegram [for encrypted communication],”

    “There’s a whole section on hacking [in the ISIS forums],” Brantley says. “They’re not super-talented hackers, but they’re reasonable.”

    Reply
31. November 21, 2015 at 11:35 pm

    Tomi Engdahl says:

    Steve Huffman / reddit:
    Reddit updating privacy policy to honor Do Not Track; CEO Huffman urges users to consider privacy browser extensions that block third-party scripts, cookies
    https://www.reddit.com/r/announcements/comments/3tlcil/we_are_updating_our_privacy_policy_effective_jan/

    Reply
32. November 22, 2015 at 10:58 am

    Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Malicious Android apps force adware on users by hijacking the Android Accessibility Service and can be extremely difficult to uninstall

    Risk Assessment / Security & Hacktivism
    Android adware can install itself even when users explicitly reject it
    Hard-to-uninstall apps can also hijack Android Accessibility Service.
    http://arstechnica.com/security/2015/11/android-adware-can-install-itself-even-when-users-explicitly-reject-it/

    Two weeks ago, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

    The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

    “Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

    Reply
33. November 22, 2015 at 11:14 am

    Tomi Engdahl says:

    Francesco Guarascio / Reuters:
    In the wake of the Paris attacks, EU ministers urge European Commission to propose measures to improve checks on Bitcoin and other non-banking payment methods

    EU steps up controls on bitcoin, pre-paid cards to curb terrorist funds
    http://www.reuters.com/article/2015/11/20/us-france-shooting-eu-terrorism-funding-idUSKCN0T922D20151120#trSJzKTuhXpsrdpT.99

    The European Union will increase controls on pre-paid cards, money remittances and bitcoin in a bid to curb terrorism funding after the attacks in Paris that killed 129 people.

    EU interior and justice ministers agreed on Friday in Brussels to tighten checks on payment methods that may be conducted anonymously and might be used by terrorist organizations to finance attacks.

    Read more at Reutershttp://www.reuters.com/article/2015/11/20/us-france-shooting-eu-terrorism-funding-idUSKCN0T922D20151120#trSJzKTuhXpsrdpT.99

    Reply
34. November 23, 2015 at 7:30 am

    Tomi Engdahl says:

    Ransomware Is Coming to Medical Devices
    http://motherboard.vice.com/read/ransomware-is-coming-to-medical-devices

    Chest pains send you into convulsions, then stop abruptly. Is something wrong with your pacemaker? As you pant for breath, a message pops up on your phone. “Want to keep living? Pay us a ransom now, or you die.”

    This is not cyberpunk dystopia, but a probable near future, according to a report released last week by Forrester Research. The number one cybersecurity prediction for 2016: “We’ll see ransomware for a medical device or wearable.”

    Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. To date ransomware has hit Windows users hardest, although Android and MacOS users are now facing similar extortion.

    “That’s a bold specific prediction,” Joshua Corman, founder of I Am the Cavalry, a global grassroots organization focused on issues where computer security intersects public safety and human life, told Motherboard in a telephone call. “I hope it doesn’t happen as they say it will, because that would shatter our confidence in these lifesaving medical devices.”

    The technical hurdles to create such ransomware are not high. “It’s definitely feasible from a technical standpoint,”

    Medical device ransomware would be a modern form of highway robbery with lives at stake

    “Assuming that no one would do this is naive,” he added, “and assuming that organizations are capable of stopping it is unmerited trust.”

    The cybersecurity of most medical devices is poor. A 2013 DHS advisory, based on research by Rios and colleague Terry McCorkle, warned that 300 medical devices made by 40 different manufacturers use hard-coded passwords—passwords that are set at the factory and cannot be changed by end users—easily discoverable by downloading the manual from the manufacturer.

    In June, the FDA warned health care providers to stop using a drug pump due to a rudimentary cybersecurity flaw. And in September, researchers reported that honeypots pretending to be medical devices attracted more than 50,000 successful logins and nearly 300 malware payloads.

    “While we’ve been doing this for 15-25 years in cyber, this is year zero or one for them [the healthcare industry],” Corman said. “We can’t give them 15-25 years to catch up, although it’s not reasonable to get there overnight….We’re trying to approach this with teamwork and ambassador skill, not a pointing finger, but a helping hand.”

    Ransomware today is big business.

    Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016.

    “With PCs people have valuable information that they want back, but with IoT people have personal devices that can sometimes be very expensive and very valuable.”

    “If someone takes over your 1,500€ connected fridge, you’re definitely motivated to get it back up and running. Or if someone takes over your car and you’re rushing to the office, of course you will pay.”

    I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, and it’s planning to publish a similar report using medical device-specific language soon.

    medical devices should receive security updates in a timely fashion, like an iPhone. Finally, I Am The Cavalry recommends that, just as hacking a car stereo should not give an attacker access to the brakes, medical devices should segment critical systems from non-critical systems, including air gapping, or disconnecting from the internet, the most sensitive devices.

    Networked medical devices save lives. Despite the hacking risk, Corman remains positive about the future. “The trade-offs are there, but it’s an informed trade-off… Do you really want someone who needs that pacemaker to be afraid to trust it? Because that too will lead to loss of life.”

    https://www.iamthecavalry.org/

    Reply
35. November 23, 2015 at 7:34 am

    Tomi Engdahl says:

    Electronic Frontier Foundation:
    EFF and Visualizing Impact launch Onlinecensorship.org to collect reports on content takedowns by Facebook, Twitter, and other social media services

    Onlinecensorship.org Tracks Content Takedowns by Facebook, Twitter, and Other Social Media Sites
    New Project Will Gather Users’ Stories of Censorship from Around the World
    https://www.eff.org/press/releases/onlinecensorshiporg-tracks-content-takedowns-facebook-twitter-and-other-social-media

    Reply
36. November 23, 2015 at 7:44 am

    Tomi Engdahl says:

    Who’s running dozens of top-secret unpatched databases? The Dept of Homeland Security
    Irony alert
    http://www.theregister.co.uk/2015/11/20/homeland_securitys_secret_unpatched_pcs_dbs/

    The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated “secret” and even “top secret,” according to an audit.

    An inspection [PDF] of the department’s IT infrastructure found huge security gaps, including the fact that 136 systems had expired “authorities to operate” – meaning that no one was in charge of keeping them updated. Of the 136, 17 were classified as “secret” or “top secret.”

    Unsurprisingly, with so many systems not undergoing active maintenance, the audit found that many did not have up-to-date security patches, leaving them open to hacking efforts. The problems extended from browsers to PCs to databases. It also found a large number of weak passwords.

    The report notes that “improvements have been made,” but highlights a series of worrying discrepancies.

    The report makes six recommendations, two of which have since been resolved.

    In case you are interested in the worst parts of the DHS in terms of unsecured databases, top of the list comes the Coast Guard with 26, followed by FEMA with 25, Customs and Border Protection with 14, and the DHS’ headquarters with 11.

    Best of bunch was the Secret Service with just two, but even it failed miserably to hit overall targets. It managed to put just 75 per cent of its secret or top secret databases through the proper security checks, and just 58 per cent of its non-secret databases. The DHS targets are 100 per cent and 75 per cent respectively.

    Reply
37. November 23, 2015 at 8:17 am

    Tomi Engdahl says:

    CIOs Spend a Third of Their Time On Security
    http://it.slashdot.org/story/15/11/22/1431237/cios-spend-a-third-of-their-time-on-security

    Much has been discussed about the potential security risks of an Internet of Things future in which billions of devices and machines are all talking to each other automatically. But the IoT market is exploding at a breakneck pace, leaving all companies scrambling to figure out the security piece of the puzzle now, before it’s too late. In fact, some experts believe this issue will be what separates the winners from the losers, as security concerns either stop companies from getting into the IoT market, or delay existing IoT projects and leave the door open to swifter competition. That’s likely why, according to CIO Magazine’s annual survey, CIOs are spending a third of their time on security.

    These 4 responsibilities just jumped to the top of CIOs to-do list
    https://enterprisersproject.com/article/2015/11/these-4-responsibilities-just-jumped-top-cios-do-list

    The Enterprisers Project (TEP): CIO Magazine’s State of the CIO Survey does a great job bringing to light the activities, concerns, opportunities, challenges currently on the minds of IT leaders. Did you notice any big shifts in how CIOs are spending their day-to-day?

    Adam DennisonDennison: Absolutely. There were four key areas where we saw big jumps this year, but time spent on security was the most noticeable change. It came as no surprise that our 2015 survey reflected a heightened sense of responsibility in this arena. The year before was commonly dubbed “the year of the breach” in IT circles, so we were not shocked to see that time spent on security management jumped from 24 percent in 2014 to 31 percent in 2015. The trend was also reflected when survey respondents were asked what their CEO’s top priorities for the CIO were for the coming year. Cybersecurity jumped from the number eight priority in 2014 to number four in 2015.

    It’s clear that security is no longer a functional task for a CIO. It’s not a back-office afterthought. It has become a boardroom discussion, and it’s paramount in any initiative that CIOs are going to undertake in the foreseeable future. If IT leaders want to embrace the sexy, new technologies they are hearing about today—the SMAC stack, third platform, Internet of Things, etc—security is going to be upfront and at the center of the discussion. And as CIOs spend more of their time on security, budgets will follow.

    TEP: Were there any surprising takeaways for CIOs in the survey results this year?

    Dennison: It’s clear that the job of understanding the customers is falling increasingly to the CIO, and it will become more and more critical to their success. CIOs are feeling the pressure to become more customer friendly as the expectations of “always-on,” hyper-connected consumers create new demands on IT. Quite literally, some of their jobs depend on it.

    Reply
38. November 23, 2015 at 8:22 am

    Tomi Engdahl says:

    Shedun trojan adware is hitting the Android Accessibility Service
    Malware was spotted by security firm Lookout
    http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service

    Reply
39. November 23, 2015 at 8:23 am

    Tomi Engdahl says:

    GCHQ is using graffiti to find hipster coders
    The beard’s long… long beard
    http://www.theinquirer.net/inquirer/news/2435685/gchq-is-using-graffiti-to-find-hipster-coders

    UK LISTENING POST and gossip vault GCHQ is looking to hire the kind of people who look down at the ground and read messages that they see there.

    GCHQ has begun placing messages to job seekers on the ground in London, according to reports, and it appears that the organisation is removing dirt to leave its message as opposed to vandalising the streets with paint.

    The street-level head-hunting operation has been reported on widely.

    Reply
40. November 23, 2015 at 8:28 am

    Tomi Engdahl says:

    Criminal Ruskie BOFHs help hackers steal $790 million in three years
    Twenty pro hackers grease Russia’s best crime groups.
    http://www.theregister.co.uk/2015/11/23/790_million_russian_financial_cybercrime/

    Kaspersky investigation unit boss Ruslan Stoyanov says a Russian cyber scum group of just 20 professional hackers have have made a tidy US$790 million in three years by emptying the world’s bank accounts.

    Stoyanov says some $509 million is thought to have been ripped from the wallets of individuals and businesses from the US, and across the European Union since 2012. The remainder was plundered within former Soviet Union states.

    In the same time police have arrested more than 160 Russian cybercriminals from small to large criminal gangs who are accused of stealing cash using trojan.s

    Stoyanov says the figures are based on crime data and are therefore likely to be very conservative.

    “Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during the investigation. In reality, cybercriminals could have stolen a much larger amount.”

    The crime gangs have skill sets that mirror legit tech shops, including web designers, programmers, and BOFHs, along with “cryptors” who obfuscate malware in ways that help it to evade security software.

    System admins perform “near-identical tasks to their counterparts in legitimate businesses” Stoyanov says, building and maintaining IT infrastructure.

    “Cybercriminal system administrators configure management servers, buy abuse-resistant hosting for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks,” he says.

    Kasperksy has investigated more than 300 online financial attacks since 2013.

    Reply
41. November 23, 2015 at 8:35 am

    Tomi Engdahl says:

    Top questions asked on the ISIS ‘Help Desk’
    http://money.cnn.com/2015/11/18/technology/isis-jihad-help-desk/index.html?iid=hp-stack-dom

    ISIS has a technology resource for jihadists looking to better cover their tracks. The terror group has five to six members offering 24-hour support on how to encrypt communications, hide personal details and use apps like Twitter while avoiding surveillance.

    It’s kind of like a “help desk,” though not an actual call center hiding in the hills. It is a group of IT specialists answering questions from locations spread out all over the world, according to Dr. Aaron Brantly, a cyber fellow at the Combating Terrorism Center at West Point.

    The advice is largely being relayed on an ISIS “channel” on Telegram, a messaging app that has become popular among members of the group because it allows for “special secret chats.”

    The jihadi help desk has lengthy training manuals, and Brantly has reviewed over 300 pages of training documents and roughly 25 YouTube videos that provide tips to evade intelligence agencies and law enforcement.

    “I would say they’re quite technically sophisticated on the whole,” Brantly said.

    Reply
42. November 23, 2015 at 8:43 am

    Tomi Engdahl says:

    Why Facebook and Twitter Can’t Just Wipe Out ISIS Online
    http://www.wired.com/2015/11/facebook-and-twitter-face-tough-choices-as-isis-exploits-social-media/

    Given that ISIS and other terrorist organizations have proven adept at using social media to disseminate propaganda and incite fear, it seems obvious that platforms like Facebook and Twitter would aggressively and mercilessly delete such content and ban those who post it.

    It may seem equally obvious that those companies would move quickly to do just that when presidential candidates appear to call for them to help out and as US Representative Joe Barton asks the Federal Communications Commission, “Isn’t there something we can do under existing law to shut those Internet sites down?” But it’s not that simple, and social media platforms have grappled with the issue in some ways since at least the days when Al Qaeda affiliates started uploading videos to YouTube.

    The problem lies in the global nature of social media, the reliance upon self-policing by users to identify objectionable content, and the fact that many of those banned simply open a new account and continue posting their hatred. A blanket policy of banning anything that might be seen as inciting violence also could lead to questions of censorship, because one person’s hateful propaganda could be another’s free speech. That’s not to say companies like Facebook and Twitter aren’t taking this seriously and trying to draw a distinction between the two. But it’s not as simple as you might think.

    ‘No Place for Terrorists’

    Facebook says any profile, page, or group related to a terrorist organization is shut down and any content celebrating terrorism is removed. “There is no place for terrorists on Facebook,” says Facebook spokesman Andrew Souvall. “We work aggressively to ensure that we do not have terrorists or terror groups using the site, and we also remove any content that praises or supports terrorism.”

    It seems to broadly work. Facebook has deleted posts and blocked accounts in such a way that ISIS-related newsletters, videos, and photos don’t seem to crop up as much as elsewhere on the web, says Steve Stalinsky, executive director of Middle East Media Research.

    In the past few years, the use of Twitter, on the other hand, has grown. ISIS supporters embraced the platform

    Until last fall, Twitter had largely taken a more detached stance on ISIS-related content. It began taking a more aggressive approac

    While an active social network typically grows over time, Berger says that the suspensions on Twitter have helped to keep the size of the network “roughly flat.” Moreover, users whose accounts are repeatedly suspended come back with new accounts with fewer followers.

    “The good news is that this limits the reach of their propaganda and recruiting, and makes it harder for ISIS to accomplish its goals online,” Berger says.

    Propaganda or Political Speech

    But the challenge for sites like Facebook and Twitter goes beyond tracking down content that promotes terrorism. It also requires defining “promoting terrorism.” In a sense, the two platforms are global communities, each engaged in a constant process of determining community norms as the use of the platforms evolves.

    “While it’s true that companies legally can restrict speech as they see fit, it doesn’t mean that it’s good for society to have the companies that host most of our everyday speech taking on that kind of power.”

    Reply
43. November 23, 2015 at 9:41 am

    Tomi Engdahl says:

    New Dell computer comes with a eDellRoot trusted root certificate
    http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroot.html

    I recently purchased a Dell Inspiron 5000 series notebook (October 2015). Setting things up, I was surprised to see a trusted root certificate pre-installed on the machine labeled “eDellRoot”. I’m having a tough time coming up with a good reason that Dell Computer Corporation needs to be a trusted root CA on my computer.

    It has me thinking things similar to the Lenovo mistakes earlier this year with Superfish which I described at the time on twitter as “Lenovo commits corporate suicide”. With this eDellRoot presence causing curiosity

    Observe, the eDellRoot certificate is a trusted root that expires in 2039 and is intended for “All” purposes.

    Drill in to see the certificate details and alarm bells start going off.

    “You have a private key that corresponds to this certificate”. This is getting very fishy! As a user computer, I should NEVER have a private key that corresponds to a root CA. Only the certificate issuing computer should have a private key and that computer should be … very well protected!

    This is the same action that existed with Superfish and in that case, Lenovo made the tremendously awful action of using the SAME private key on every computer. Has Dell done the same?

    Is it Dell?
    Consider, while I do know that this certificate came pre-installed on the computer and I do know that it is named “Dell”, I do not actually know that this certificate came from Dell Computer Corporation. Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit. Where it breaks down is that the private key IS PRESENT on my computer and that means … bad.

    Reply
44. November 23, 2015 at 12:16 pm

    Tomi Engdahl says:

    How cyber insurance actually works
    Insurance industry insider tells all
    http://www.theregister.co.uk/2015/11/23/how_cyber_insurance_really_works/

    It’s not a good comparison as car insurance is a mandatory purchase that is usually selected purely on price effectively as a licence to drive rather than a form of protection…

    Commercial insurance is really very different. Firstly, almost all commercial cover is a discretionary purchase, and secondly the vast majority is bought through a broker who has a professional responsibility (and liability) to ensure it’s suitable.

    The final decision on an insurance program is usually taken by a finance director, but it’s not uncommon for the overall program to be ratified by the board. In short, commercial insurance purchases are a hard-headed business decision taken at a senior level.

    while cost is a factor, the suitability of cover and quality of the claims service are given at least equal prominence

    So what does this tell us about the growth of cyber insurance? Well the products have been around longer than you might imagine, but have been getting a lot more media time in the last couple of years. Mostly this reflects an increase in the board level understanding of the potential risks they are running, although this may also reflect an increase in understanding that traditional policies don’t cover cyber events.

    Cyber insurance is usually structured as a variant of business continuity products (called business interruption in the trade) which are designed to make an incident survivable at a business level by providing cash to soften the financial impact. This says a lot about how insurers see cyber risks. Essentially they are viewed as unpredictable disasters which could affect any firm – it’s a bit of a bleak view but insurers tend to be that way, at least before their second pint.

    Given that the cover is about business survival, cyber insurance is generally sold on the basis of business size with less emphasis on individual data sets. Usually cover will provide cash to make up for shortfalls in revenue, additional costs of dealing with the incident and possibly customer liabilities (e.g. paying for credit monitoring). Insurers typically also have a panel of incident response providers which for smaller businesses this can be hugely helpful.

    So why isn’t there more of this about? Unfortunately cyber risks are actually hard to cover because insurers care about four things:

    Risk selection and pricing: This relies on understanding the likely claims volumes and sizes. This is difficult when the pool of previously written policies is small and the risks levels are changing rapidly (making them non-comparable) which is certainly the case.

    Moral Hazard: Or put more simply, making sure that as a customer you are still incentivised to manage your own risks rather than buying cover and letting the insurer pick up the tab. This is probably the easiest to address as commercial policies quite often come with requirements for improvements

    Claims inflation (including fraud): Unsurprisingly, the main cost to an insurer is the cost of claims so this is always an area of focus. With increasing breach disclosure and the rise in civil cases and regulatory fines this is a fast moving target. This makes it hard for insurers to understand what the likely liabilities will be in the medium term. That said these things move slowly enough to not be a problem within the average policy life.

    Aggregation and systemic risk: Using a physical world example, in principle you might be happy to insure $10bn of coastal property but you clearly wouldn’t want it all in Miami. The problem for cyber products is that there is a worrying possibility that big events could be truly global and cut across all classes of organisation. As an insurer that’s frankly terrifying as they can’t be sure they’ve spread their risks against catastrophes and if they wrote a lot of cover one bad event could put them out of business.

    Finally, a recent article on El Reg suggested that insurers should consider buying an anti-virus or similar security product firm in order to better understand the risks. While I agree with the basic sentiment, frankly that suggestion is more than just a little nuts. Going back to an analogy with car insurance, this would be like Direct Line announcing that it wanted to buy Goodyear to better understand how cars perform in wet weather.

    Reply
45. November 23, 2015 at 12:16 pm

    Tomi Engdahl says:

    NSW plods panned for illegal surveillance
    Faked Facebook profile not a hit with magistrate
    http://www.theregister.co.uk/2015/11/15/nsw_plods_panned_for_illegal_surveillance/

    A Sydney magistrate has called “criminal” a vindictive operation in which NSW police snooped on someone’s private Facebook posts.

    Reply
46. November 23, 2015 at 12:19 pm

    Tomi Engdahl says:

    All Cisco certs add cloud, IoT, ‘business transformation’
    Network admins: Go buy a tie and some kool-aid, diluted to 10 per cent of your marks
    http://www.theregister.co.uk/2015/11/23/all_cisco_certs_add_cloud_iot_business_transformation/

    Cisco has announced a major refresh of its certification programs, all of which will henceforth include material on cloud, the internet of things, cloud, “network programmability” and “business transformation”.

    Cloud and IoT are self-explanatory while “network programmability” is software-defined networking by another name. While Cisco is making much of the three topics’ inclusion representing a major modernisation of its certifications, “core” topics beyond the three new elements will account for 90 per cent of the available score in exams.

    “Business transformation” is all about making sure networking pros can speak the language of colleagues capable of saying things like “building disruptive digital businesses” without a hint of irony or self-loathing.

    The biggest changes will be felt by those studying for Cisco Certified Internetwork Expert (CCIE) and Cisco Certified Design Expert (CCDE) certifications, as all candidates will be directed into fields of study that “ensure that experts are equipped to participate in meaningful business discussions about these new technical areas that are shaping business strategy and operations.”

    The Cisco Certified Network Associate qualification’s Security skein has changed and now “expands focus from network security to end-to-end IT security, with emphasis on core technologies and skills needed to maintain enterprise information systems.”

    Cisco’s been trying to elevate the role of networking staff for years

    Reply
47. November 23, 2015 at 12:19 pm

    Tomi Engdahl says:

    Top Android app devs found exfiltrating mystery stealth packets
    Half of covert packets are about analytics, half are a mystery
    http://www.theregister.co.uk/2015/11/23/mit_covert_apps/

    Four researchers have found two thirds of the most popular Android apps indulge in seemingly-useless covert chatter with remote servers.

    Top developers including Gameloft, Unity3d, and grillgames are implicated to varying degrees.

    The chatter has no use to users. About half of the traffic is related to analytics, such as that used by Twitter and Pandora, with the rest of unknown purpose.

    Five apps died when the covert chatter was killed off after the code in question was manipulated by the research team.

    Reply
48. November 23, 2015 at 12:24 pm

    Tomi Engdahl says:

    Malvertising: How the ad model makes crime pay
    … and who’s liable for all the money lost?
    http://www.theregister.co.uk/2015/11/23/liability_chain_malvertising_advertising/

    The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall.

    The increasingly sophistication with which online advertisers profile users has allowed those exploiting ad networks to hit victims with extraordinary cost-effectiveness. The way that ad networks sell impressions targeted to browser types, that identify whether anti-virus solutions are active, and display recipients’ earnings profile, alongside the low barrier to entry for new customers, allows for criminals to reap high returns on their investments.

    Delivering a presentation on the mechanics behind malvertising attacks, Malwarebytes’ senior security researcher Jérôme Segura noted how advertising networks’ mechanics were an important aspect of the return on investment for miscreants, allowing the the attack vector to expand.

    In particular, it is real-time bidding (RTB) – enabling advertisers to purchase and sell advertising inventory through a programmatic and automated auction process – that provides criminals with their economic platform. With RTB, customers need only pay for the auctions which they win. This has obvious efficiency benefits for the advertisers, whose business provides much of the finance behind online businesses, however it also provides an opportune environment for threat actors to elbow their way in.

    Malvertising campaigns can thus effectively target only those who will be vulnerable to the attack, which means that such attacks are “very cost-effective,” according to Malwarebytes’ CEO Marcin Kleczynski, to the degree that their “pay-per-impression rate is essentially pay-per-infection”.

    According to Malwarebytes, one malvertising campaign that ran from January to February this year was able to expose 6,000 web browsers to malware for an investment of just $5. Responsibility for the damages caused through this expanding attack vector, which are expected to reach $1bn this year, remains difficult to attribute.

    “Advertisers bring in money and it would be going against business sense to terminate them at their first offence,”

    Reply
49. November 23, 2015 at 12:32 pm

    Tomi Engdahl says:

    Security News This Week: The Manhattan DA Wants Backdoors for Smartphones
    http://www.wired.com/2015/11/security-news-this-week-the-manhattan-da-wants-backdoors-for-smartphones/

    This week, most major security news connected to the Paris terrorist attacks, which government officials eagerly used as an opportunity to renew their assault on encryption. After the attacks, it’s likely that encryption will be a key issue in the 2016 election. Although it turns out that the Paris attackers did not encrypt their communications at least part of the time, a look at an OPSEC manual used by ISIS gave the world insight into the terror group’s security protocols. Meanwhile, the startup Zerodium broke with tradition and published a price chart for zero-day attacks, and Carnegie Mellon denied getting paid for turning its Tor-breaking method over to the FBI—though it likely handed over the information after getting subpoenaed. We also took a look at what Quantico gets wrong about hacking (spoiler: everything), and showed you how to enable two-factor authentication for your Amazon account.

    Reply
50. November 23, 2015 at 12:49 pm

    Tomi Engdahl says:

    The History of SQL Injection, the Hack That Will Never Go Away
    http://it.slashdot.org/story/15/11/22/1437203/the-history-of-sql-injection-the-hack-that-will-never-go-away

    From the Motherboard article: “SQL injection (SQLi) is where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It’s been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies. ‘It’s the most easy way to hack,’

    SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around?”

    The History of SQL Injection, the Hack That Will Never Go Away
    http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away

    One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerability discovered two years before he was even born.

    That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It’s been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies.

    “It’s the most easy way to hack,” the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a “few hours.”

    But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against.

    So why, in 2015, is SQLi still leading to some of the biggest breaches around?

    “According to Microsoft, what you’re about to read is not a problem, so don’t worry about doing anything to stop it.”

    Reply