Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is also more advanced hacking and automated vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example updating in real time, or verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.
Marketers put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. The value of crypto-currencies fluctuates a lot, and it can easily drop considerably when they become so widely used that governments try to restrict their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments
Tomi Engdahl says:
Skype’s Twitter, Facebook, and blog hacked by Syrian Electronic Army demanding an end to spying
http://thenextweb.com/microsoft/2014/01/01/skypes-twitter-account-blog-get-hacked-sea-demanding-end-spying/#!q75eS
Tomi Engdahl says:
Snapchat: In ‘theory’ you could use exploit to… Oh CRAP is that 4.6 MILLION users’ details?
http://www.theregister.co.uk/2014/01/02/snapchat_leak/
Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical.
A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) – purportedly of Snapchat users – have been released by the miscreants through a site called SnapchatDB.
As previously reported, Australian security outfit Gibson Security explained how to access any phone number and username from the smartphone photo-sharing service to underline its concerns.
Tomi Engdahl says:
Orange to take legal action after report of spying via its cable
http://www.reuters.com/article/2013/12/30/us-usa-security-orange-idUSBRE9BT0MN20131230
Orange (ORAN.PA) is preparing its legal response to a report alleging the U.S. National Security Agency (NSA) accessed customers’ data transmitted by a submarine cable partly used by the French telecoms operator.
Tomi Engdahl says:
Windows crashed? The error report gives a significant advantage to attackers
Error and crash reports sent by Windows forward valuable data in unencrypted form, security researchers warn.
“This information gives a significant advantage to attackers. It reveals the target’s network diagrams,” says Websense Security Research Manager Alex Watson.
Snooping on error reports is possible, among other things, on open Wi-Fi networks.
For snoopers like the U.S. security agency NSA, spying on error reports is in turn easier still.
In practice, attackers can use error reports to look for computers whose software is outdated and therefore vulnerable.
Source: http://www.tietoviikko.fi/kaikki_uutiset/kaatuiko+windows+virheraportti+antaa+hyokkaajille+merkittavan+edun/a957073
Tomi Engdahl says:
The New York Times Pushes For Clemency For Snowden
http://yro.slashdot.org/story/14/01/02/1328241/the-new-york-times-pushes-for-clemency-for-snowden
“The Editorial Board of the New York Times has weighed in on the criminal charges facing Edward Snowden and writes that ‘Snowden deserves better than a life of permanent exile, fear and flight.’ ‘He may have committed a crime to do so, but he has done his country a great service.’”
Tomi Engdahl says:
Edward Snowden, Whistle-Blower
http://www.nytimes.com/2014/01/02/opinion/edward-snowden-whistle-blower.html?_r=0
In retrospect, Mr. Snowden was clearly justified in believing that the only way to blow the whistle on this kind of intelligence-gathering was to expose it to the public and let the resulting furor do the work his superiors would not. Beyond the mass collection of phone and Internet data, consider just a few of the violations he revealed or the legal actions he provoked
When someone reveals that government officials have routinely and deliberately broken the law, that person should not face life in prison at the hands of the same government. That’s why Rick Ledgett, who leads the N.S.A.’s task force on the Snowden leaks, recently told CBS News that he would consider amnesty if Mr. Snowden would stop any additional leaks. And it’s why President Obama should tell his aides to begin finding a way to end Mr. Snowden’s vilification and give him an incentive to return home.
Tomi Engdahl says:
OpenSSL site defacement involving hypervisor hack rattles nerves (updated)
Attackers target OpenSSL’s Web host, raising questions about how, and who else?
http://arstechnica.com/security/2014/01/openssl-site-defacement-involving-hypervisor-hack-rattles-nerves/
The official website for the widely used OpenSSL code library was compromised four days ago in an incident that is stoking concerns among some security professionals.
Code repositories remained untouched in the December 29 hack, and the only outward sign of a breach was a defacement left on the OpenSSL.org home page. The compromise is nonetheless rattling some nerves. In a brief advisory last updated on New Year’s Day, officials said “the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration.”
After all, saying a compromise was achieved through a hypervisor vulnerability in the Web host of one of the Internet’s most important sites isn’t necessarily comforting news if the service or hypervisor platform is widely used by others.
Fortunately, the attackers didn’t, or weren’t able to, use their access to slip backdoor code into the OpenSSL software, which websites around the world use to provide HTTPS encryption for the pages they serve. That assurance is possible because the code is maintained and distributed through Git, a source-code management system that allows developers and users to maintain independent copies all over the Internet.
Still, it wasn’t that long ago that OpenSSL used a source code management system that didn’t provide as much anti-tampering assurance.
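The anti-tampering assurance the Ars Technica piece above credits to Git comes from content addressing: every file, directory and commit is named by the SHA-1 of its own bytes, and each commit embeds the id of its tree and parent, so a backdoor slipped into one hosted copy changes the commit id that every independent clone would otherwise agree on. The following is an added illustration written for this page, not code from the article, from OpenSSL or from Git itself; it reimplements Git's object hashing for blobs, flat trees and commits on a constructed two-file snapshot (the file names, contents and author identity are made up), and shows that a one-byte change anywhere propagates up to the commit id.

```python
import hashlib
from typing import Dict, Iterable, Optional


def git_object_id(kind: str, body: bytes) -> str:
    """Object id exactly as Git computes it: SHA-1 over "<kind> <size>\\0<body>"."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(data: bytes) -> str:
    """Id of one file's content (a Git blob)."""
    return git_object_id("blob", data)


def tree_id(files: Dict[str, bytes]) -> str:
    """Id of a flat directory: entries "<mode> <name>\\0<raw 20-byte blob id>", sorted by name."""
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(files: Dict[str, bytes], message: str, parent: Optional[str] = None,
              ident: str = "Release Bot <bot@example.invalid> 1388534400 +0000") -> str:
    """Id of a commit that points at tree_id(files); every byte of the body feeds the hash."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {ident}", f"committer {ident}"]
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", body)


# Constructed stand-in for a source snapshot (made-up files, not real OpenSSL sources).
RELEASE: Dict[str, bytes] = {
    "README": b"toy crypto library\n",
    "ssl.c": b"int handshake(void) { return 0; }\n",
}


def tampered_copy(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """The same snapshot with one byte of one file altered, as a planted change would do."""
    copy = dict(files)
    copy["ssl.c"] = copy["ssl.c"].replace(b"return 0", b"return 1")
    return copy


def mirrors_consistent(commit_ids: Iterable[str]) -> bool:
    """True when every independent clone reports the same commit id for the release."""
    return len(set(commit_ids)) == 1


if __name__ == "__main__":
    clean = commit_id(RELEASE, "toy release")
    bad = commit_id(tampered_copy(RELEASE), "toy release")
    print("clean    :", clean)
    print("tampered :", bad)
    print("mirrors agree:", mirrors_consistent([clean, clean, bad]))
```

The check a maintainer or downstream packager performs in practice is the last function: compare the commit id (or a signed tag that names it) across clones held in different places; the ids can only agree if the full history, file by file, is byte-identical. SHA-1 is used here because that is what Git uses, not because it is a recommended hash for new designs.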
Tomi Engdahl says:
Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic
Latest batch of documents leaked shows NSA’s power to pwn.
http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/
In some cases, the NSA has modified the firmware of computers and network hardware—including systems shipped by Cisco, Dell, Hewlett-Packard, Huawei, and Juniper Networks—to give its operators both eyes and ears inside the offices the agency has targeted. In others, the NSA has crafted custom BIOS exploits that can survive even the reinstallation of operating systems. And in still others, the NSA has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside.
Tomi Engdahl says:
Backdoor in wireless DSL routers lets attacker reset router, get admin
A quick Christmas hack uncovers a vulnerability in Linksys, Netgear, others.
http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/
A hacker has found a backdoor to wireless combination router/DSL modems that could allow an attacker to reset the router’s configuration and gain access to the administrative control panel. The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network.
Performing a scan, he found that the router responded to messages over an unusual TCP port number: 32764.
What he found was a simple interface that allowed him to send commands to the router without being authenticated as the administrator.
After some additional testing, Vanderbecken found that the interface allowed him to execute a number of commands directly against the router, including a command-line shell.
Tomi Engdahl says:
What a successful exploit of a Linux server looks like
How one box was converted into a Bitcoin-mining, DoS-spewing, bug-exploiting bot.
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful-exploit-of-a-linux-server-looks-like/
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre’ DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
DiMino’s anatomy lesson is a graphic demonstration of recent advances in exploits for Linux. Once primarily the domain of machines running Windows, point-and-click exploits are used to commandeer machines so attackers can use them in online crime schemes. The increased horsepower and bandwidth available in many Linux servers often makes them more attractive than personal computers running Microsoft OSes. And as has always been the case, hijacked bots don’t come with expensive electricity bills, and they often make it easy for criminals to cover their tracks.
Tomi Engdahl says:
January 2014 Issue of Linux Journal: Security
http://www.linuxjournal.com/content/january-2014-issue-linux-journal-security
Tomi Engdahl says:
Post-NSA government still trusted over private firms with personal data handling
http://www.computing.co.uk/ctg/news/2320788/post-nsa-government-still-trusted-over-private-firms-with-personal-data-handling
Governments remain the organisations most trusted by the public to handle personal data, despite revelations about surveillance and data collection schemes by the US National Security Agency (NSA), the UK’s GCHQ and other governmental organisations around the world.
That’s according to research by accounting and consultancy firm Ernst & Young, which suggests that more than half of people – 55 per cent – say they’re comfortable sharing personal information with central government organisations, such as HM Revenue & Customs and the NHS.
However, consumers are more wary about sharing their data with private companies. Just one-third told Ernst & Young that they’re willing to share personal information with financial institutions, while one-quarter are happy to do so when it comes to their energy provider. Only one-fifth of those surveyed said they’re comfortable sharing personal data with supermarkets.
“What our survey shows is a shift in attitudes and practices towards how consumers treat their personal data, and the access they will allow to their data, both now and in future,” said Steve Wilkinson, managing partner, UK & Ireland, client service at Ernst & Young.
Tomi Engdahl says:
NSA statement does not deny ‘spying’ on members of Congress
http://www.theguardian.com/world/2014/jan/04/nsa-spying-bernie-sanders-members-congress
• Agency responds to questions from Senator Bernie Sanders
• Statement cites ‘same privacy protections as all US persons’
The agency has been at the centre of political controversy since a former contractor, Edward Snowden, released thousands of documents on its activities to media outlets including the Guardian.
In its statement, which comes as the NSA gears up for a make-or-break legislative battle over the scope of its surveillance powers, the agency pointed to “privacy protections” which it says it keeps on all Americans’ phone records.
Tomi Engdahl says:
FISA Court Reauthorizes NSA Phone Metadata Collection
http://www.huffingtonpost.com/2014/01/03/fisa-nsa-phone-metadata_n_4538367.html
Foreign Intelligence Surveillance Court on Friday reauthorized the National Security Agency’s phone surveillance program, the Director of National Intelligence said in a statement.
Director of National Intelligence James Clapper pointed out that several federal judges have upheld the so-called metadata collection program.
Tomi Engdahl says:
How to Always Start Any Browser in Private Browsing Mode
http://www.howtogeek.com/137466/how-to-always-start-any-browser-in-private-browsing-mode/
Private browsing mode doesn’t offer complete privacy, but it does prevent your browser from saving your history, searches, cookies, and other private data between browsing sessions. You can have your browser always start in private-browsing mode if you prefer it.
Most people won’t want to use private-browsing mode permanently. You will have to log into the websites you use each time you open your browser, as your browser won’t save the cookies that keep your login state.
To activate Google Chrome’s incognito mode by default, you will need to add a command-line option to its shortcut.
Firefox allows you to automatically enable private-browsing mode via its options window. Click the Firefox menu button and select Options to open it.
You will need to add a command-line option to your Internet Explorer shortcuts to activate InPrivate Browsing by default.
Opera also has a command-line option to enable private-browsing mode.
Tomi Engdahl says:
Citywide RFID Master House Key? Already Broken
http://www.wired.com/threatlevel/2013/12/citywide-rfid-master-house-key-already-broken/
HAMBURG – In the bad old days, city apartment buildings often allowed entry to postal or emergency workers with a single master key, which was easily copied or sold on the black market.
Many buildings are today switching to RFID-based key cards, citing an advance in security. Yet this claim is certainly suspect. Speaking at the Chaos Communication Congress (CCC) here, security researcher Adrian Dabrowski said a reverse-engineering project had let him open more than 90 percent of the electronically locked apartment doors in his home city of Vienna.
“Customers should not expect any significantly higher security from the new system than with the old system.”
The use of RFID cards for master building locks is a particularly sensitive topic, as residents themselves generally lack access to the keys themselves, and are dependent on house managers to create a safe environment.
Tomi Engdahl says:
Thousands of visitors to yahoo.com hit with malware attack, researchers say
http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/04/thousands-of-visitors-to-yahoo-com-hit-with-malware-attack-researchers-say/
Two Internet security firms have reported that Yahoo’s advertising servers have been distributing malware to hundreds of thousands of users over the last few days. The attack appears to be the work of malicious parties who have hijacked Yahoo’s advertising network for their own ends.
Tomi Engdahl says:
Bitcoin Is Good
http://recode.net/2014/01/02/bitcoin-is-good/
Approaching bitcoin as a currency or store of value is focusing on a single and secondary application of the bitcoin network (analogous to analyzing a single feature built on top of the Internet, like email). The first application of the network which has gained broad adoption is payments, where it can be easily demonstrated that real money is being saved by harnessing the efficiency of the network. Since one must acquire bitcoin to use the bitcoin network, this has given bitcoin as a currency value as a secondary effect.
Krugman states that bitcoin does not act as a good store of value because it does not have some kind of inherent floor to its value.
Looking at other examples, he implies, gold has decorative and commercial applications and fiat currencies have the backing of their respective sovereign entities. In contrast, bitcoin as a currency has no value unless people use the bitcoin network. If this lack of a clear floor is part of the strict economic definition of a “store of value,” Krugman may very well be correct that bitcoin is not one, but that does not mean the value is not real, nor does it mean that value is ephemeral.
We find the early days of the Internet to be an instructive example in demonstrating this long-term value creation through network efficiency. The Internet had a core innovation that made it valuable: The ability to disseminate data over a distributed network in a way that was significantly cheaper than the prior methods. Similarly, bitcoin has a core technological innovation: The ability to publicly verify ownership, instantly transfer that ownership and do so without the need for a trusted third party. Just as the Internet brought the cost of disseminating information down by an order of magnitude, bitcoin brings the cost of transferring ownership down by an order of magnitude.
Tomi Engdahl says:
Gaping admin access holes found in SoHo routers from Linksys, Netgear and others
http://nakedsecurity.sophos.com/2014/01/03/gaping-admin-access-holes-found-in-soho-routers-from-linksys-netgear-and-others/
For many home users, the router-slash-firewall at the edge of their network plays a vital security role.
In a word, your SoHo router is important.
So it is always alarming to read about sloppy programming in the firmware that ships with this sort of device.
Late last year, we wrote about “Joel’s Backdoor,” a misfeature in some D-Link routers which would have been a great joke, if only the side-effects hadn’t been so serious.
Unauthenticated administrative access, just like that!
Here’s another flaw, this time in various router products from Sercomm, that shows a similarly casual attitude to security by programmers who really owe you better code.
Eloi spotted a TCP service listening on network port 32764 on the router’s internal (wireless) interface.
Anyone you let onto your home network, even as a temporary guest, can easily find out how to login to your router, and to your ISP.
If you are affected, you’re going to need a firmware update, which probably won’t come from Sercomm, but rather from the vendor whose brand is on the router.
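Both the Ars Technica and the Sophos items above describe the same symptom: an unauthenticated service listening on TCP port 32764 on the router's LAN side. The quickest way for a home or small-office administrator to find out whether their own router answers on that port is a plain TCP connect from a machine on the LAN. The script below is an added example for this page, not code from either article or from the researcher; the gateway addresses in the usage line are assumed defaults to replace with your router's real LAN address, and the connect function is injectable only so the logic can be exercised without a network.

```python
import socket
from typing import Callable, Dict, Iterable, Tuple

BACKDOOR_PORT = 32764  # the TCP port reported in the articles above

# Anything that behaves like socket.create_connection: (host, port), timeout -> socket
Connector = Callable[[Tuple[str, int], float], socket.socket]


def port_is_open(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0,
                 connect: Connector = socket.create_connection) -> bool:
    """Return True if a TCP connect to host:port completes within timeout.

    socket.create_connection raises an OSError subclass on refusal or timeout,
    which is treated as "closed"; a filtered port therefore also reads as closed.
    """
    try:
        with connect((host, port), timeout):
            return True
    except OSError:
        return False


def check_hosts(hosts: Iterable[str], port: int = BACKDOOR_PORT,
                connect: Connector = socket.create_connection) -> Dict[str, str]:
    """Map each candidate router address to 'open' or 'closed' for the given port."""
    return {h: ("open" if port_is_open(h, port, connect=connect) else "closed")
            for h in hosts}


def summarize(results: Dict[str, str], port: int = BACKDOOR_PORT) -> str:
    """One-line verdict; an 'open' host needs the vendor's firmware update."""
    exposed = sorted(h for h, state in results.items() if state == "open")
    if not exposed:
        return f"no host answered on tcp/{port}"
    return f"tcp/{port} reachable on: " + ", ".join(exposed)


if __name__ == "__main__":
    # Assumed common default gateway addresses; replace with your own router's LAN address.
    print(summarize(check_hosts(["192.168.0.1", "192.168.1.1"])))
```

A "closed" result only says the port did not accept a connection from where the check ran; an "open" one is the signal the articles describe, and the remedy is the brand-name vendor's firmware update, as the Sophos piece notes.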
Tomi Engdahl says:
Passing the red shield: Intel Security to replace McAfee brand
http://www.zdnet.com/passing-the-red-shield-intel-security-to-replace-mcafee-brand-7000024869/
Summary: As Intel rebrands its security group, McAfee will finally lose its brand name, an entire decade after its founder John McAfee resigned.
Tomi Engdahl says:
App to manage Android app permissions
Getting on top of privacy
http://www.theregister.co.uk/2014/01/07/app_to_manage_android_app_permissions/
The app has been created in response to the poor permission control offered natively by Android over apps. As Facebook users have noted over the last few weeks, for example, their Android app is now demanding access to SMS / MMS, calendar events, and WiFi control.
SnoopWall is one of the growing class of permission management apps, a segment that’s attracted growing interest ever since Google’s bungled on-then-off release of App Ops in December.
Described by the company as “counterveillance anti-spyware software for consumers”, SnoopWall is designed to block eavesdropping, protect the camera, microphone, GPS, Bluetooth, NFC, WiFi and “other high-risk data ports”.
Tomi Engdahl says:
NSA refuses to deny spying on members of Congress
Legislators ‘have the same privacy protections as all U.S. persons’
http://www.theregister.co.uk/2014/01/06/nsa_refuses_to_deny_spying_on_members_of_congress/
“NSA’s authorities to collect signals intelligence data include procedures that protect the privacy of U.S. persons. Such protections are built into and cut across the entire process. Members of Congress have the same privacy protections as all U.S. persons,”
Tomi Engdahl says:
Obama plans intelligence surveillance reforms, aides say
http://www.latimes.com/nation/la-na-obama-intelligence-20140104,0,6482346.story#ixzz2phfUuAp3
President Obama is expected to put a public advocate on the secret surveillance court and remove telephone records data from direct government control.
Tomi Engdahl says:
Intel CEO Brian Krzanich announces McAfee brand name will be replaced by Intel Security
http://thenextweb.com/insider/2014/01/07/intel-ceo-brian-krzanich-announces-mcafee-brand-name-will-replaced-intel-security/#!rCt9b
Tomi Engdahl says:
NSA revelations: the ‘middle ground’ everyone should be talking about
http://www.theguardian.com/commentisfree/2014/jan/06/nsa-tailored-access-operations-privacy
The NSA’s Tailored Access Operations show there’s a way to be safe and get good intelligence without mass surveillance
Tomi Engdahl says:
Palo Alto Networks Buys Cyber Security Startup Founded By Former NSA Engineers, Morta
http://techcrunch.com/2014/01/06/in-its-first-acquisition-palo-alto-networks-buys-cyber-security-startup-founded-by-former-nsa-engineers-morta/
While the startup remained in stealth over the past year and didn’t reveal any details on its product, Morta was developing a new technology to counter advanced cyber threats. The startup is based on the premise that traditional layered network defense is broken and their offering will actually be able to fend off advanced attackers from complex hacks and more.
Tomi Engdahl says:
The Internet of Things Is Wildly Insecure — And Often Unpatchable
By Bruce Schneier
http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself — as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.
It’s not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching crisis levels. Software and operating systems were riddled with security vulnerabilities, and there was no good way to patch them. Companies were trying to keep vulnerabilities secret, and not releasing security updates quickly. And when updates were released, it was hard — if not impossible — to get users to install them. This has changed over the past twenty years, due to a combination of full disclosure — publishing vulnerabilities to force companies to issue patches quicker — and automatic updates: automating the process of installing updates on users’ computers. The results aren’t perfect, but they’re much better than ever before.
But this time the problem is much worse, because the world is different: All of these devices are connected to the Internet. The computers in our routers and modems are much more powerful than the PCs of the mid-1990s, and the Internet of Things will put computers into all sorts of consumer devices. The industries producing these devices are even less capable of fixing the problem than the PC and software industries were.
If we don’t solve this soon, we’re in for a security disaster as hackers figure out that it’s easier to hack routers than computers.
Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.
The system manufacturers — usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product — choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority.
And the software is old, even when the device is new.
To make matters worse, it’s often impossible to patch the software or upgrade the components to the latest version. Often, the complete source code isn’t available. Yes, they’ll have the source code to Linux and any other open-source components. But many of the device drivers and other components are just “binary blobs” — no source code at all.
Even when a patch is possible, it’s rarely applied.
This is only the beginning. All it will take is some easy-to-use hacker tools for the script kiddies to get into the game.
And the Internet of Things will only make this problem worse, as the Internet — as well as our homes and bodies — becomes flooded with new embedded devices that will be equally poorly maintained and unpatchable.
We were here before with personal computers, and we fixed the problem. But disclosing vulnerabilities in an effort to force vendors to fix the problem won’t work the same way as with embedded systems.
Tomi Engdahl says:
David Cameron’s internet porn filter is the start of censorship creep
http://www.theguardian.com/commentisfree/2014/jan/03/david-cameron-internet-porn-filter-censorship-creep
The question of who is allowed access to what data is a defining one of our age – and Edward Snowden has taught us to be wary
Tomi Engdahl says:
NSA seeks to build quantum computer that could crack most types of encryption
http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
According to documents provided by former NSA contractor Edward Snowden, the effort to build “a cryptologically useful quantum computer” — a machine exponentially faster than classical computers — is part of a $79.7 million research program titled “Penetrating Hard Targets.”
Tomi Engdahl says:
Internet Censors Came For TorrentFreak & Now I’m Really Mad
http://torrentfreak.com/internet-censors-came-for-torrentfreak-now-im-really-mad-140105/
ISPs exist to provide us with unfettered access to the Internet, not the version they or their technology partners feels is appropriate for us. Their ‘parental controls’ do not achieve their stated aim of “protecting children” and are already causing collateral damage by blocking totally innocent sites such as the one you are reading now. It’s hard not to get angry when you realize your website’s accessibility is becoming disabled by default.
Here at TF we’ve long been opponents of website blocking. It’s a blunt instrument that is prone to causing collateral damage and known for failing to achieve its stated aims. We recently discovered that thanks to Sky’s Broadband Shield filtering system, TorrentFreak is now blocked on one of the UK’s largest ISPs by users who think they are protecting their kids.
Tomi Engdahl says:
Are new technologies undermining the laws of war?
http://bos.sagepub.com/content/70/1/21.full
Today, emerging military technologies—including unmanned aerial vehicles, directed-energy weapons, lethal autonomous robots, and cyber weapons—raise the prospect of upheavals in military practice so fundamental that they challenge assumptions underlying long-established international laws of war, particularly those relating to the primacy of the state and the geographic bounds of warfare.
Although the armed forces are inherently conservative, almost every senior officer in any modern military can reel off cases when technological advance changed military history. New security technologies have often had profound cultural and social implications.
Today’s emerging military technologies—including unmanned aerial vehicles, directed-energy weapons, lethal autonomous robots, and cyber weapons such as the extraordinary Stuxnet—raise the prospect of upheavals in military practices so fundamental that they challenge long-established laws of war. The possibility of weapons that make their own decisions about targeting and killing humans, for example, has ethical implications obvious and frightening enough to have entered popular culture.
But both technology and broader social and political changes—such as the rise of global, networked terrorist institutions—could be undermining the laws of war. More broadly, if long-standing legal, cultural, and civil institutions are being destabilized by modern rates of technological change, there may be ways to make them more adaptable. The rate and nature of such change could mean that, at some point, old institutions must be jettisoned in favor of new ones.
Tomi Engdahl says:
Finnish businesses have serious deficiencies in data security
According to a soon-to-be-published study, half of the ten largest companies in Finland fail the security test. According to experts, it is a common problem that companies do not take security seriously.
According to audit and consulting firm KPMG’s forthcoming study, there are major gaps in business information security.
Yle News has learned that ten of Finland’s largest listed companies took part in the report. In half of them, break-ins were found within the internal network.
- The study does not by itself explain what the break-ins are due to. Most likely, it has been the lack of anti-virus updates and security monitoring, says KPMG security expert Matti Järvinen.
According to the survey, the companies can be divided into three groups: those whose networks were “quite right,” those whose networks showed “some malicious traffic,” and those whose networks showed “large-scale attack traffic.” According to KPMG, a lot of events were observed in the data traffic, including corporate anti-virus programs not working.
The report does not indicate what caused the break-ins or how serious the malware has been.
Lack of awareness of corporate information security is familiar to experts in the field.
- Our [Finland’s] security awareness is still weak. Only when the damage occurs do people wake up to the fact that this has been a problem, says Tom Voutilainen, professor of information and information technology law at the University of Eastern Finland.
Antti Skylark, Situation Centre Manager at the Cyber Security Centre, is not surprised by the results either.
- We have long given businesses guidance: the medicine only helps if it is taken. Keep software and equipment up to date, he points out.
According to experts, information security is not understood, and not enough is known about it.
- Information security is often left in the hands of the IT department. It is not considered from a comprehensive risk management point of view; instead, only individual technical solutions are worked out.
Malware and viruses can be “harmless” for the company’s security. At worst, however, according to experts, a lack of security can lead to failures in customer data protection. It may also allow for corporate espionage, emptied accounts, or even bankruptcy.
Professor Tomi Voutilainen estimates that data breaches in the networks of both public and private sector actors are more common than people think.
Source: YLE Uutiset
http://yle.fi/uutiset/suomalaisilla_suuryrityksilla_vakavia_puutteita_tietoturvassa/7012109
Tomi Engdahl says:
Bruce Schneier Joins Startup Co3 Systems
http://threatpost.com/bruce-schneier-joins-startup-co3-systems/103429
Bruce Schneier, the famed cryptographer and author who recently left his longtime post at BT, has taken a new position as CTO of Co3 Systems, a startup that provides incident response systems. Schneier, a central figure in the security industry for more than two decades, said he is excited about the new challenge ahead.
Schneier said that he sees a lot of need for the service that Co3 provides, especially in today’s environment where breaches are a daily occurrence and every organization is a target.
Tomi Engdahl says:
At least eight security experts boycott prominent security conference over NSA ties
http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/07/at-least-six-security-experts-boycott-prominent-security-conference-over-nsa-ties/
At least eight computer security researchers have withdrawn from a major security conference in a protest against the conference’s sponsor, computer security firm RSA. That company has been accused of taking money from the National Security Agency to incorporate a flawed encryption algorithm into one of its security products.
Reuters reported last month on a secret $10 million contract between RSA and the NSA. Allegedly, RSA, an encryption pioneer that is now a division of EMC, took a $10 million payment for making a specific NSA-developed algorithm the default method for generating random numbers in one of their security products.
The revelations, and the evasive response from RSA, triggered outrage among some security professionals. Within days of the story, the first rumblings of a boycott of the RSA Conference scheduled for February started to appear. The RSA Conference is a major cybersecurity industry event that attracted over 24,000 attendees in 2013.
Yet, Josh Thomas of Atredis Partners announced Dec. 22 that he was pulling his talk due to a “moral imperative.” Then Mikko Hypponen, chief research officer at Finnish cybersecurity company F-Secure, announced that he would be cancelling his talk (appropriately titled “Governments as Malware Authors”).
Tomi Engdahl says:
How the NSA Almost Killed the Internet
http://www.wired.com/threatlevel/2014/01/how-the-us-almost-killed-the-internet/all/
Google, Facebook, Microsoft, and the other tech titans have had to fight for their lives against their own government. An exclusive look inside their year from hell—and why the Internet will never be the same.
Tomi Engdahl says:
Silicon Valley’s New Spy Satellites
Three startups are launching services—and orbiters—to provide real-time, better-than-Google imagery of the Earth.
http://www.theatlantic.com/technology/archive/2014/01/silicon-valleys-new-spy-satellites/282580/
Imagine an energy company which manages a pipeline through Canada’s taiga. The company’s charged with maintaining that pipeline, with making sure it isn’t leaking and hasn’t been compromised. So, every day, the company pays a local to get in a plane and fly over the otherwise inert, massive metal tube, looking for objects, organic or otherwise, that shouldn’t be there.
Or that’s what they’ve done for many years. Five years from now, that pilot might be out of a job. Tiny satellites, whizzing over head in low Earth orbit, could photograph every meter of the pipeline. It won’t seem like anyone’s nearby, but, should a truck or stain appear on the ice, a system administrator in Houston would get a text message warning of a problem.
Humans began photographing their home planet from space in a scientifically useful way about a half-century ago. Now the images are ubiquitous: On a web search, in a phone app, on the news, we see the browns and blues that denote pictures taken from the sky.
Larsen leads Urthecast. It’s one of a cadre of startups—three are now out of stealth mode—tossing cameras out of the atmosphere and trying to turn them into a business. Each of the three is choosing different methods, different kinds of devices, and different orbits. Each is selling something a little different. They are Urthecast, Planet Labs, and Skybox.
Tomi Engdahl says:
Kanye’s Lawyer Moves to Block Coinye
http://blogs.wsj.com/digits/2014/01/07/kanyes-lawyer-moves-to-block-coinye/
Lawyers for Kanye West filed cease-and-desist papers against the seven anonymous coders behind Coinye West, a virtual currency that went from chatroom joke to Internet sensation last week.
As virtual currencies like bitcoin and litecoin have taken off, copycats have emerged. Some offer slight tweaks to the bitcoin code to account for fraudsters or improve transactions. Others, such as BBQcoin and dogecoin, appear more as jokes than legitimate crypto-currencies.
Tomi Engdahl says:
Using Psychology To Create A Better Malware Warning
http://threatpost.com/using-psychology-to-create-a-better-malware-warning/103459
It turns out the best way to get people to pay attention to those malware warnings that pop up in browsers may be to stop tweaking them, scrap them entirely and rebuild from scratch. According to a study on the subject published last week, efficient malware warnings shouldn’t scare users away, they should give a clear and concise idea of what is happening and how much risk users are exposing themselves to.
It’s already well documented that the average computer user largely ignores the warnings, but new research is trying to determine just how browser architects and information technology specialists can create more effective warnings going forward.
Tomi Engdahl says:
How To Create Your Own Cryptocurrency
http://news.slashdot.org/story/14/01/07/2134242/how-to-create-your-own-cryptocurrency
“Since the code for Bitcoin is open source, we have seen the creation of various Bitcoin clones and enhancements (Litecoin, Dogecoin or Coinye West, anyone?… There are about 70”
Tomi Engdahl says:
Bitcoin me: How to make your own digital currency
http://www.theguardian.com/technology/2014/jan/07/bitcoin-me-how-to-make-your-own-digital-currency
Move over Dogecoin: the Herncoin is here. But what can making your own currency teach you about the world of bitcoin?
Tomi Engdahl says:
Reading this May Harm Your Computer: The Psychology of Malware Warnings
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2374379
Tomi Engdahl says:
PC skeleton key lets you reset forgotten passwords
http://m.cnet.com.au/pc-skeleton-key-lets-you-reset-forgotten-passwords-339346349.htm?redir=1
A USB “key” seeking funding on Kickstarter contains software that can reset any forgotten Windows password to regain access to your account.
A key-shaped USB, it contains software that allows you to boot your Windows PC in an administrator mode that allows you to view all user accounts for that PC — and reset any or all of the passwords, quickly and easily. You can also use it — along with antivirus software — to clean up after malware that locks you out of your PC.
“While other utilities exist to help with this activity they are often complex to setup, require technical knowledge to use and need a working computer with an Internet connection before you can get started,” Lovell wrote.
As for any potential security concerns, Lovell told CNET Australia that Windows PCs are not particularly secure anyway — if you wish to gain unauthorised access to a Windows PC, you can find methods online to bypass a Windows password within minutes with ease.
Tomi Engdahl says:
Justice minister tries to further delay snoop silo laws in Germany
Opposes Coalition’s position on EU data retention directive – report
http://www.theregister.co.uk/2014/01/08/german_minister_seeks_to_further_delay_implementation_of_eu_data_retention_laws/
Germany might further delay its implementation of the Data Retention Directive despite facing potential financial penalties of more than €300,000 for each day it fails to transpose it into national law, according to media reports.
Under the Directive telecoms and other electronic communications firms are required to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes. The details exclude the content of those communications.
The Directive was established in 2006 to make it a requirement for telecoms and other electronic communications companies to retain the personal data for a period determined by national governments of between six months and two years.
Tomi Engdahl says:
Campaign to kick NSA man from crypto standards group fails
Co-chair’s ousting would ‘limit the body of expertise’ argues chairman
http://www.theregister.co.uk/2014/01/08/nsa_bod_crypto_standard_co_chair_controversy/
National Security Agency employee Kevin Igoe is to keep his position on the panel of an influential internet standards working group, the powers-that-be decided last weekend.
Igoe, who co-chairs the Internet Research Task Force’s Crypto Forum Research Group (CFRG), had been accused by those campaigning for his removal of pushing for the adoption of a weakened version of the “Dragonfly” key exchange protocol.
His critics also took issue with what they held to be a more general conflict of interest between his role of helping to set the most secure cryptographic standards and his employment by the intelligence agency, which has recently come under fire after whistleblower sysadmin Edward Snowden’s revelations on its widespread data gathering.
Lars Eggert, IRTF chair, rejected calls to dismiss Igoe despite concluding that the process followed on Dragonfly was flawed.
“NSA agent co-chairing key crypto standards body” makes a catchy, albeit factually incorrect, news headline, and publicity like this may deter new people from participating in the CFRG
Tomi Engdahl says:
Ask Slashdot: How To Protect Your Passwords From Amnesia?
http://ask.slashdot.org/story/14/01/08/0430209/ask-slashdot-how-to-protect-your-passwords-from-amnesia
Tomi Engdahl says:
Carmakers keep data on drivers’ locations
http://www.detroitnews.com/article/20140107/AUTO01/301070017
A government report finds that major automakers are keeping information about where drivers have been — collected from onboard navigation systems — for varying lengths of time. Owners of those cars can’t demand that the information be destroyed. And, says the U.S. senator requesting the investigation, that raises questions about driver privacy.
The Government Accountability Office in a report released Monday found major automakers have differing policies about how much data they collect and how long they keep it.
Automakers collect location data in order to provide drivers with real-time traffic information, to help find the nearest gas station or restaurant, and to provide emergency roadside assistance and stolen vehicle tracking. But, the report found, “If companies retained data, they did not allow consumers to request that their data be deleted, which is a recommended practice.”
The Alliance of Automobile Manufacturers, the trade group representing Detroit’s Big Three automakers, Toyota, Volkswagen AG and other major automakers, said automakers are committed to driver privacy. “Details of the industry’s strict privacy policies are traditionally included in our sales and service agreements,” spokeswoman Gloria Bergquist said. “That way, we ensure our customers have the opportunity to familiarize themselves with these strict privacy policies.”
Tomi Engdahl says:
Burglars Who Took On F.B.I. Abandon Shadows
http://www.nytimes.com/2014/01/07/us/burglars-who-took-on-fbi-abandon-shadows.html?pagewanted=all&_r=0
The perfect crime is far easier to pull off when nobody is watching.
So on a night nearly 43 years ago, while Muhammad Ali and Joe Frazier bludgeoned each other over 15 rounds in a televised title bout viewed by millions around the world, burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside.
They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive spying and dirty-tricks operations by the F.B.I. against dissident groups.
The burglary in Media, Pa., on March 8, 1971, is a historical echo today, as disclosures by the former National Security Agency contractor Edward J. Snowden have cast another unflattering light on government spying and opened a national debate about the proper limits of government surveillance.
Unlike Mr. Snowden, who downloaded hundreds of thousands of digital N.S.A. files onto computer hard drives, the Media burglars did their work the 20th-century way: they cased the F.B.I. office for months, wore gloves as they packed the papers into suitcases, and loaded the suitcases into getaway cars.
Tomi Engdahl says:
Intel got rid of McAfee’s name – and promises free security for phones
McAfee had already commented on the matter to the BBC:
- I am forever grateful to Intel; it will save me from being linked to the world’s lowest-quality program. And these are not my words, but those of millions of irritated users.
- My joy at Intel’s decision is indescribable.
Intel also announced that McAfee security products will be free of charge for mobile devices. The company makes security software for iOS and Android. The company has not provided details on this yet.
Source: Digitoday
http://www.digitoday.fi/tietoturva/2014/01/07/intel-hankkiutui-eroon-mcafeen-nimesta–ja-lupaa-ilmaista-tietoturvaa-puhelimiin/2014226/66?rss=6
Tomi Engdahl says:
Infosec experts boycott RSA conflab over alleged ‘secret’ NSA contract
Pioneering security firm was allegedly paid $10m to use flawed algorithm
http://www.theregister.co.uk/2014/01/08/rsa_conference_boycott/
More security researchers are boycotting next month’s US edition of the RSA Conference in protest against an alleged “secret deal” the company is said to have struck with the National Security Agency.
Last month Reuters reported that the NSA “secretly paid” RSA Security $10m in return for making the Dual_EC_DRBG random number generator algorithm the default option in its BSAFE cryptographic toolkit.
In response, RSA issued a carefully worded denial, saying it had never knowingly put a backdoor in its BSAFE toolkit at the behest of the NSA or anyone else.
Security researchers first expressed concerns that Dual_EC_DRBG was flawed on purpose, in effect creating a back door, as far back as 2006 – but RSA only advised customers against using the technology last September.
Tomi Engdahl says:
Thanks to the NSA: use of encryption is expected to explode
Unisys experts estimate that more and more companies will be interested in encryption technologies this year. The U.S. intelligence disclosures revealed that large numbers of files stored in online services can be spied on. Some companies have since started using encryption technologies to protect content and traffic.
Unisys Security Director Dave Frymier sees the NSA intelligence scandal as having good consequences, regardless of what anyone thinks of Edward Snowden, who exposed it. Now companies and the public are more aware of cyber security.
In the past, many companies imagined that their internal networks were secure. Frymier believes that this year companies will start to use encryption technologies in their internal networks as well.
Frymier believes that encryption will also improve confidence in IaaS cloud services.
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/kiitos+nsan+salauksen+kayton+odotetaan+rajahtavan/a958134