2014 will be a year of cybersecurity fallout from the NSA revelations made in 2013. The headline news was that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will be further NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps can’t kill malware on sight the way desktop AV does: the Android sandbox does not let one app remove another, so an AV app can only detect a malicious app and prompt the user to uninstall it.
2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automated vulnerability scanning.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats. A Layer 7 attack (for example an HTTP flood aimed at expensive application endpoints) needs far less bandwidth than a packet flood and its requests look legitimate one at a time, so detection has to look at request patterns per client rather than at byte counts.
There will still be many SCADA security issues in 2014. Traditional SCADA vulnerabilities have become easier to find, and the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because “cloud security” can mean many things, just like the term “cloud computing”. It could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service that runs in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or checking unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion in 2013 to $3.1 billion in 2015.
Marketers put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also put private cloud on the table this year for security reasons, because U.S. cloud services have been called into question for good reason.
In Finland a new Cyber Security Centre started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin are on the rise. Early adopters already use them actively. These crypto-currencies have many security issues. Their values fluctuate a lot, and the value can easily drop considerably when they get so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen lately in large amounts (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to mine currency for themselves without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you lose your money, and lost money cannot be recovered.

3,382 Comments
Tomi Engdahl says:
Schneier: NSA snooping tactics will be copied by criminals in 3 to 5 years
The good news? Strong crypto still works
http://www.theregister.co.uk/2014/02/26/nsa_snooping_tactics_will_be_copied_by_criminals_in_35_years/
If you thought NSA snooping was bad, you ain’t seen nothing yet: online criminals have also been watching and should soon be able to copy the agency’s invasive surveillance tactics, according to security guru Bruce Schneier.
“The NSA techniques give about a three to five year lead on what cyber-criminals will do,” he told an audience at the RSA 2014 conference in San Francisco.
“These techniques for exfiltrating data aren’t magical, they are just expensive. Everything we know about technology is that it gets cheaper. So the notion of putting up a fake cell tower or wireless access point, of jumping air gaps, you’re going to see this stuff – it’s really just a matter of time.”
IT buyers should be realistic and decide who they want to be spied upon by.
“If someone’s going to spy on you then better the US than Russia.”
Tomi Engdahl says:
Mt. Gox’s Demise Marks The End of Bitcoin’s First Wave Of Entrepreneurs
http://techcrunch.com/2014/02/25/mt-gox-demise/
“You can’t trust anyone. Sometimes, you can’t trust your own team,” he told me.
While Bitcoin has had a long and volatile history given numerous thefts and scams, Mt. Gox may represent its biggest crisis in confidence to date. For well over a year, Mt. Gox was Bitcoin’s largest and most visible player as the biggest exchange in the world.
Not only is the sheer headline size of the losses enormous at $400 million, the cryptocurrency crossed over into mainstream consciousness last year.
Bitcoin’s next generation of founders is cleaner, more pedigreed and suited to Wall Street’s and Capitol Hill’s tastes. They are no less libertarian or wolf-like.
U.S.-based regulators, who have been surprisingly favorable toward Bitcoin over the last year, are bound to ask more questions in the coming weeks.
Tomi Engdahl says:
After Mt. Gox Implodes, Bitcoin CEOs and Lawmakers Scramble
http://www.forbes.com/sites/kashmirhill/2014/02/25/mt-gox-implosion-has-u-s-lawmakers-renew-call-for-oversight/
a leaked document circulated by Bitcoin entrepreneur and blogger Ryan Selkis suggested a massive hack that robbed the site of 744,000 coins, or $380 million at Bitcoin’s current value; that’s 6% of all Bitcoin in circulation.
While Mt. Gox’s reported 500,000 customers watch their Bitcoin holdings go up in smoke,
U.S. lawmakers say the Mt. Gox implosion is proof that the Bitcoin industry requires strong regulatory oversight.
“The disturbing news today from Japan is a reminder of the damage potentially ill equipped and unregulated financial actors can wreak on unsuspecting consumers,” said Sen. Tom Carper (D-Del) in a statement.
Tomi Engdahl says:
Bitcoin’s Price Plummets As Mt. Gox Goes Dark, With Massive Hack Rumored
http://www.forbes.com/sites/andygreenberg/2014/02/25/bitcoins-price-plummets-as-mt-gox-goes-dark-with-massive-hack-rumored/
Tomi Engdahl says:
A Plan to Rebuild Computer Security From the Ground Up
http://www.wired.com/business/2014/02/casado-vmware-goldilocks-layer/
Martin Casado once worked on some of the most secure computer networks ever built. And keeping them secure, he says, was a complete nightmare.
The world’s computer and networking hardware, he explains, just isn’t designed in a way that you can readily shape security systems and policies.
“Security is some political boss or some executive saying: ‘You should not be able to access this’ or ‘This piece of information is sensitive and should not be stored with this other information.’ It’s a person thinking of a policy and writing it down on a piece of paper,” Casado explains. “The reality was that there was no good way to take that security policy and actually implement it in your physical infrastructure.”
Though his project is still in the early stages, outside security outfits can see its potential value. “It makes a lot of sense,”
Tomi Engdahl says:
Look What I Found: Pony is After Your Coins!
http://blog.spiderlabs.com/2014/02/look-what-i-found-pony-is-after-your-coins.html
We recently discovered yet another instance of a Pony botnet controller. Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it’s also more advanced and collected approximately $220,000 (all values in this post will be in U.S. dollars) worth, at time of writing, of virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others.
Tomi Engdahl says:
Warfare on the Internet should be completely banned by international treaties, says RSA’s Chairman of the Board. He proposes four basic standards for the Internet under which its problems would be brought under control. A ban on Internet warfare may seem impossible, but something similar has been seen before.
The biggest problem of the net is the lack of standards, said Coviello. Thus RSA is now proposing four basic standards according to which all countries should operate.
Coviello, however, focused mostly on the banning of network warfare: the use of cyber weapons should be completely banned by international treaties.
He admits that the proposal may sound utopian. Similar bans have, however, been seen in the past: nuclear weapons and the spread of chemical weapons are limited by international treaties.
Source: Tietokone
http://www.tietokone.fi/artikkeli/uutiset/kielletaan_nettisodankaynti_vahemman_utopistista_kuin_luulisi
Tomi Engdahl says:
DNSSEC Part I: the Concepts
http://www.linuxjournal.com/content/dnssec-part-i-concepts
Like IPv6, DNSSEC is one of those great forward-looking protocols that unfortunately hasn’t seen wide adoption yet. Before I implemented it myself, I could see why. Although some people think BIND itself is difficult to set up, DNSSEC adds an extra layer of keys, key management and a slew of additional DNS records.
Tomi Engdahl says:
Japan authorities looking into closure of Mt. Gox bitcoin exchange
http://www.reuters.com/article/2014/02/26/us-bitcoin-mtgox-japan-idUSBREA1P0D820140226
“At this stage the relevant financial authorities, the police, the Finance Ministry and others are gathering information on the case,”
Mt. Gox CEO Mark Karpeles told Reuters in an email: “We should have an official announcement ready soon-ish.”
Tomi Engdahl says:
Collective SSL FAIL a symptom of software’s cultural malaise
Apple, WhatsApp and Belkin show that if you ask for bad software, you get bad software
http://www.theregister.co.uk/2014/02/23/goto_fail_a_symptom_of_softwares_cultural_malaise/
In the 19 years that have passed since the first implementation of SSL, you could be forgiven for expecting that the industry could do it right by now: and yet last week, not one but three SSL vendors were discovered to have implementation problems.
Belkin was caught not checking SSL certificates; WhatsApp was discovered to have overlooked certificate pinning in its SSL implementation; but Apple’s SSL woes outshone them both, exposing hundreds of millions of iOS and OS X Mavericks users to man-in-the-middle attacks.
It’s apparent that Apple suffered a double slip: someone’s command-V slipped, and it wasn’t caught in any code review.
Reward mechanisms inside companies are, I suspect, no better: it’s easy to imagine that eyes bleary and bloodshot simply didn’t notice the error.
“Code review can be effective against these sorts of bug. Not just auditing, but review of each change as it goes in,” Langley writes.
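The copy-and-paste slip the article alludes to is the duplicated “goto fail;” in Apple’s SecureTransport (the URL above names it). The C below is an added example written for this page, not Apple’s code or the article’s: it uses a toy hash and a stand-in signature check, both constructed here, to show why the extra line turns verification into a no-op, next to a version of the same function that fails closed. The names hash_update, raw_verify, verify_vulnerable and verify_hardened are this example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins, constructed for this example: the digest is 32-bit FNV-1a and the
 * "signature" is simply the digest a genuine server would present. SecureTransport
 * uses SHA-1 plus RSA/ECDSA, but the control-flow bug does not depend on the primitive. */
typedef struct { uint32_t h; } hash_ctx;

static int hash_init(hash_ctx *c) { c->h = 2166136261u; return 0; }

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n)
{
    if (p == NULL)                      /* error path, like a nonzero OSStatus */
        return -1;
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}

static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->h; return 0; }

static int raw_verify(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : -2; }

/* Digest of the transcript a genuine server signs. */
uint32_t expected_digest(const uint8_t *client_random, const uint8_t *server_random,
                         const uint8_t *params, size_t params_len)
{
    hash_ctx ctx;
    uint32_t d = 0;
    hash_init(&ctx);
    hash_update(&ctx, client_random, 32);
    hash_update(&ctx, server_random, 32);
    hash_update(&ctx, params, params_len);
    hash_final(&ctx, &d);
    return d;
}

/* Vulnerable shape. The pasted second "goto fail;" is unconditional; err is still 0
 * from the update that just succeeded, so hash_final and raw_verify are skipped and
 * the function reports success for any signature at all. */
int verify_vulnerable(const uint8_t *client_random, const uint8_t *server_random,
                      const uint8_t *params, size_t params_len, uint32_t sig)
{
    int err;
    uint32_t digest = 0;
    hash_ctx ctx;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random, 32)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random, 32)) != 0)
        goto fail;
        goto fail;                      /* the duplicated line */
    if ((err = hash_update(&ctx, params, params_len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Hardened shape: braces on every branch, so a pasted line cannot quietly become an
 * unconditional statement, and err starts as a failure code, so the only route to a
 * return value of 0 runs through raw_verify. */
int verify_hardened(const uint8_t *client_random, const uint8_t *server_random,
                    const uint8_t *params, size_t params_len, uint32_t sig)
{
    int err = -1;                       /* fail closed */
    uint32_t digest = 0;
    hash_ctx ctx;

    if (hash_init(&ctx) != 0) { goto fail; }
    if (hash_update(&ctx, client_random, 32) != 0) { goto fail; }
    if (hash_update(&ctx, server_random, 32) != 0) { goto fail; }
    if (hash_update(&ctx, params, params_len) != 0) { goto fail; }
    if (hash_final(&ctx, &digest) != 0) { goto fail; }
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Constructed handshake values for the demonstration (not real TLS data). */
const uint8_t sample_client_random[32] = { 0x11, 0x22, 0x33 };
const uint8_t sample_server_random[32] = { 0xaa, 0xbb, 0xcc };
const uint8_t sample_params[8] = { 0x03, 0x00, 0x17, 0x41, 0x04, 0xde, 0xad, 0xbe };

int main(void)
{
    uint32_t good = expected_digest(sample_client_random, sample_server_random,
                                    sample_params, sizeof sample_params);
    uint32_t forged = good ^ 1u;        /* one flipped bit: an attacker's signature */
    printf("vulnerable, forged sig: %d (0 = accepted)\n",
           verify_vulnerable(sample_client_random, sample_server_random,
                             sample_params, sizeof sample_params, forged));
    printf("hardened,   forged sig: %d (nonzero = rejected)\n",
           verify_hardened(sample_client_random, sample_server_random,
                           sample_params, sizeof sample_params, forged));
    return 0;
}
```

Compile with -Wall: GCC 6 (2016) added -Wmisleading-indentation, enabled by -Wall, which flags exactly this shape, and clang’s -Wunreachable-code (off by default) reports the checks that can never run. In early 2014 neither was on by default in the toolchains Apple shipped, which is why Langley’s point about reviewing each change as it goes in still stands.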
Tomi Engdahl says:
IE Vulnerability Exposing Banking Logins, Spreading Rapidly
http://tech.slashdot.org/story/14/02/26/1447222/ie-vulnerability-exposing-banking-logins-spreading-rapidly
“A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly.”
Tomi Engdahl says:
IE zero-day exploit being used in widespread attacks
http://www.itworld.com/security/406979/ie-zero-day-exploit-being-used-widespread-attacks
The exploit is being distributed from many compromised websites around the world, researchers from Symantec said
The vulnerability affects Internet Explorer 9 and 10 and was publicly revealed on Feb. 13 by researchers from security firm FireEye who found an exploit for the flaw being served from the Veterans of Foreign Wars (VFW) website. Security researchers from security firm Websense later reported that the same vulnerability was being exploited from the compromised website of French aerospace association GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales).
Tomi Engdahl says:
Mt. Gox Shuts Down: Collapse Should Come As No Surprise
http://slashdot.org/story/14/02/26/1539250/mt-gox-shuts-down-collapse-should-come-as-no-surprise
“With the Mt. Gox failure being Bitcoin’s biggest since the collapse of the ponzi run by Trendon Shavers, also known as Pirateat40”
“Mt. Gox has halted all operations indefinitely. A statement from the CEO”
https://www.mtgox.com/
“In light of recent news reports and the potential repercussions on MtGox’s operations and the market, a decision was taken to close all transactions for the time being”
“Please visit this page for further announcements and updates”
Grave concerns re MtGox
http://trilema.com/2013/grave-concerns-re-mtgox/
There are two major points to consider before proceeding to the actual discussion.
I. The suspicion of self trading. You probably vaguely know about the one time two years ago when Bitcoin nearly died.
II. The long history of deceitful communication.
Tomi Engdahl says:
Boeing’s secret ‘Black’ spy phone will detect tampering, self-destruct if cracked open
http://www.geekwire.com/2014/boeings-secret-black-phone-will-detect-tampering-self-destruct-cracked-open/
Nearly two years after word leaked about Boeing’s plans to build a secure Android phone, the aerospace giant and defense contractor has quietly filed documents with the FCC for what it’s calling the “Black” phone.
“Boeing’s Black phone will be sold primarily to government agencies and companies engaged in contractual activities with those agencies that are related to defense and homeland security,” a lawyer for the company says in a letter accompanying the filing. “The device will be marketed and sold in a manner such that low level technical and operational information about the product will not be provided to the general public. Detailed technical information distributed at trade shows will be limited or protected by non-disclosure agreements.”
Tomi Engdahl says:
UK unis, McAfee collude to beat collusion attacks
EPSRC splashes cash at security
http://www.theregister.co.uk/2014/02/27/uk_unis_mcafee_collude_to_beat_collusion_attacks/
The UK’s Engineering and Physical Sciences Research Council (EPSRC) is backing research designed to improve detection of “collusion” between malicious apps on the Android platform.
Collusion attacks use malicious apps with different levels of permissions to bypass Android access controls. For example, one app might request permission to access personal data, but not ask for Internet access. Instead, the user might be encouraged to install a second app that has communication access.
In that scenario, the app with access to data would then pass information to the app with Internet access for transmission back to an attacker.
According to that paper, collusion attacks are a consequence of per-app permission models. They undermine the assumption that applications can be independently restricted in their access to resources.
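To make the per-app permission point concrete, the C below is an added example, not the EPSRC project’s or McAfee’s code: a small model in which each installed app carries a permission set and, optionally, an IPC channel (a sharedUserId or an exported provider) through which another app can reach it. A per-app review looks at one permission set at a time; the collusion check looks at the union of permissions across a shared channel. The app inventory, the permission bits and the list of “dangerous combinations” are all constructed for the example, and real colluding apps also have covert channels (intents, broadcasts, the file system) that this model does not enumerate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of Android's per-app permission grants (constructed for this example). */
enum {
    P_READ_CONTACTS = 1u << 0,
    P_READ_SMS      = 1u << 1,
    P_INTERNET      = 1u << 2,
    P_SEND_SMS      = 1u << 3
};

typedef struct {
    const char *name;
    uint32_t    perms;     /* bitmask of granted permissions */
    const char *channel;   /* IPC path shared with other apps: sharedUserId, exported provider; NULL if none */
} app_t;

/* Data source plus exfiltration path: combinations a single-app review would flag. */
static const uint32_t dangerous[] = {
    P_READ_CONTACTS | P_INTERNET,
    P_READ_SMS      | P_INTERNET,
    P_READ_SMS      | P_SEND_SMS,
};

static int has_all(uint32_t perms, uint32_t need) { return (perms & need) == need; }

/* Nonzero if a and b share a channel and their combined permissions form a dangerous
 * combination that neither app holds on its own: the collusion case that per-app
 * checks miss. */
int can_collude(const app_t *a, const app_t *b)
{
    if (a->channel == NULL || b->channel == NULL || strcmp(a->channel, b->channel) != 0)
        return 0;
    uint32_t joint = a->perms | b->perms;
    for (size_t i = 0; i < sizeof dangerous / sizeof dangerous[0]; i++) {
        if (has_all(joint, dangerous[i]) && !has_all(a->perms, dangerous[i])
            && !has_all(b->perms, dangerous[i]))
            return 1;
    }
    return 0;
}

/* Check every pair of installed apps. Stores up to max index pairs and returns the
 * total number of colluding pairs found (which may exceed max). */
int find_collusion(const app_t *apps, size_t n, int (*pairs)[2], size_t max)
{
    int found = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (can_collude(&apps[i], &apps[j])) {
                if ((size_t)found < max) { pairs[found][0] = (int)i; pairs[found][1] = (int)j; }
                found++;
            }
    return found;
}

/* Constructed device inventory. "notes" and "wallpaper" ship under one sharedUserId. */
const app_t sample_apps[] = {
    { "notes",      P_READ_CONTACTS,         "sharedUserId:com.example.suite" },
    { "wallpaper",  P_INTERNET,              "sharedUserId:com.example.suite" },
    { "weather",    P_INTERNET,              NULL },
    { "sms-backup", P_READ_SMS | P_INTERNET, NULL },   /* dangerous alone: per-app review catches it */
    { "flashlight", P_READ_SMS,              "provider:com.other.exported" },
};
const size_t sample_app_count = sizeof sample_apps / sizeof sample_apps[0];
int sample_pairs[8][2];

int main(void)
{
    int n = find_collusion(sample_apps, sample_app_count, sample_pairs, 8);
    for (int k = 0; k < n && k < 8; k++)
        printf("colluding pair: %s + %s\n",
               sample_apps[sample_pairs[k][0]].name, sample_apps[sample_pairs[k][1]].name);
    return 0;
}
```

On the sample inventory the only hit is notes plus wallpaper: each is harmless on its own, which is exactly why a policy that reasons about one manifest at a time accepts both.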
Tomi Engdahl says:
Exclusive: State of Bitcoin 2014 Report Analyses Emerging Trends
http://www.coindesk.com/bitcoin-2014-report/
Today, CoinDesk is pleased to release its first ever ‘State of Bitcoin’ report.
As anyone who follows Bitcoin closely knows, this is an extremely fast-moving space – making the production of a comprehensive while still up-to-date report extremely difficult.
Tomi Engdahl says:
OpenID Connect Identity Protocol Launches With Support From Google, Microsoft & Others
http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/
Signing users in to a mobile or web app isn’t necessarily hard, but keeping their credentials safe is something that’s often best left to specialists. The OpenID Foundation today announced the launch of OpenID Connect, the organization’s latest standard for authenticating users and building distributed identity systems. The standard has the backing of Google, Microsoft, Salesforce, Deutsche Telekom, TechCrunch parent AOL and numerous other companies and mobile network operators.
Tomi Engdahl says:
Q&A: Schneier on trust, NSA spying and the end of US internet hegemony
Basically, we’re screwed for the next decade or so
http://www.theregister.co.uk/2014/02/27/qa_schneier_on_trust_nsa_spying_and_the_end_of_us_internet_hegemony/
RSA 2014: Bruce Schneier is the man who literally wrote the book on modern encryption, publishing Applied Cryptography in 1994, and for the past 20 years has been an important and sometimes outspoken voice in the security industry.
More recently he’s been working on documents released by Edward Snowden on NSA activities and presented his findings
Are you worried that you are personally under surveillance?
Yes, 100 per cent: I’m a target. If the FBI tried to get a warrant on my computer based on the fact that I have worked with Snowden documents then the odds they would get it are 100 per cent. And I do take pains. But look at that NSA Tailored Access Operations catalogue from 2008. The fact that I’m running an air-gapped computer is irrelevant – if the NSA wanted in, they would get in.
The reason they are not is because they know that if it ever got out that they attacked US journalists, the shit-storm would be ginormous.
How do you think this situation will look five years down the line?
I think five years is too soon. I think ten years from now this will be looked back on as the start of restoring privacy and security. In five years it’s going to be in the middle of the process.
Tomi Engdahl says:
ICANN seeks to tackle DNS namespace collision risks
Prepare to watch sysadmins freak out over 127.0.53.53 appearing in logs
http://www.computerworld.com.au/article/539336/icann_seeks_tackle_dns_namespace_collision_risks/
As the number of top-level domains undergoes explosive growth, the Internet Corporation for Assigned Names and Numbers (ICANN) is studying ways to reduce the risk of traffic intended for internal network destinations ending up on the Internet via the Domain Name System.
The draft of a report (PDF) commissioned by ICANN and carried out by JAS Global Advisors includes a series of recommendations — ranging from alerting network operators by returning 127.0.53.53 as an IP address to, in extreme conditions, killing a delegated second-level domain — to deal with the issue.
Tomi Engdahl says:
Senator asks U.S. to ban Bitcoin and all other cryptocurrencies
http://www.dailydot.com/politics/senator-joe-manchin-bitcoin-litecoin-dogecoin-ban/
Senator Joe Manchin (D-W.Va.) has called for the U.S. to ban Bitcoin, and by extension all anonymous cryptocurrencies.
His primary concern, though, is economic, and that he doesn’t believe in its long-term viability. “I am most concerned that as Bitcoin is inevitably banned in other countries, Americans will be left holding the bag on a valueless currency,” he wrote.
“It’s the anonymous, unregulated nature of it,” that Manchin finds a problem
Tomi Engdahl says:
‘Obnoxious’ RSA protests by DEF CON organizations, Code Pink draw ire
http://www.zdnet.com/obnoxious-rsa-protests-by-def-con-organizations-code-pink-draw-ire-7000026822/
The RSA security conference (where the world’s security companies come to do business with each other), opened its doors this week in San Francisco to a wide range of protests by security professionals who would otherwise be attending and speaking at the conference.
The sold-out opposition conference “TrustyCon” is getting everyone’s attention this week
Tomi Engdahl says:
Mt. Gox Receives Subpoena From Federal Prosecutor: Source
http://online.wsj.com/news/articles/SB10001424052702303880604579405852448992982
Tomi Engdahl says:
Energy firms’ security so POOR, insurers REFUSE to take their cash
They’re turning down MULTI-MILLION pound contracts…
http://www.theregister.co.uk/2014/02/27/energy_sector_refused_cyber_insurance/
Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.
Lloyd’s of London told the BBC they had seen a surge in requests for insurance from energy sector firms but poor test scores from security risk assessors means that insurers are turning down potential multi-million pound contracts.
Infosec experts called in to review energy sector systems come back with negative reviews. And that means offering “safety net” insurance against breaches is not viable as a business proposition.
“We would not want insurance to be a substitute for security,” Khudari explained.
Industrial control plants at power utilities and other energy sector firms, as elsewhere, rely on SCADA (Supervisory Control and Data Acquisition) technology. These legacy systems are increasingly being connected to the internet, essentially to make them easier to manage remotely. At the same time, more and more security problems are being discovered by security researchers investigating industrial plant security in the wake of the infamous Stuxnet worm, which has made research into the formerly overlooked topic “sexy”.
More and more problems are being discovered in crucial systems that are rarely patched and this creates a recipe for disaster.
With all this in mind, it’s no great surprise to find energy firms turning down energy sector insurance contracts.
“Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home,”
“However, insurance is only a plaster over these underlying weaknesses. Organisations need to act now to protect their networks and address the unique nature of interconnected real-time control systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur,” said McIntosh.
Tomi Engdahl says:
Yahoo webcam images from millions of users intercepted by GCHQ
http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
• Optic Nerve program collected Yahoo webcam images in bulk
• 1.8m users targeted by UK agency in six-month period alone
• Yahoo: ‘A whole new level of violation of our users’ privacy’
• Material included large quantity of sexually explicit images
Britain’s surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal.
Tomi Engdahl says:
TrustyCon: Hypponen warns of government malware, loss of vendor trust
http://searchsecurity.techtarget.com/news/2240215264/TrustyCon-Hypponen-warns-of-government-malware-loss-of-vendor-trust
“We’re slaving away, not seeing what is going on in the world, and what we should do is wake up.”
“Today I’m happy not to have an RSA Conference badge on me,” said Hypponen. “The [RSA-NSA] revelations regarding backdooring or weakening security is the declaration of losing trust.”
Throughout his impassioned talk, Hypponen emphasized that trust is principle that is essential to the success of the security industry. He opined that the customers and users of security vendors’ products “blindly trust” companies like RSA, F-Secure, and others to mitigate threats that they would otherwise be incapable of defeating on their own.
Hypponen indicated that RSA is hardly the only vendor facing scrutiny. He said that the trustworthiness of U.S.-based security and technology companies is quickly eroding,
Tomi Engdahl says:
Apple Explains Exactly How Secure iMessage Really Is
http://techcrunch.com/2014/02/27/apple-explains-exactly-how-secure-imessage-really-is/
Tomi Engdahl says:
EXCLUSIVE: Charlie Shrem Speaks Out About Mt. Gox, His Arrest and the Bitcoin Bromance
http://www.coindesk.com/exclusive-charlie-shrem-speaks-mt-gox-arrest-bitcoin-bromance/
“I’ve known Mark Karpeles for a very long time. Mark is a very sweet guy. Very non-confrontational, but has he made bad business decisions? Yes. Has he failed to do everything he should have? Yes.”
Shrem believes a number of factors are responsible for the exchange’s current issues, from a lack of PR presence to poor management structure, but first and foremost is the inadequacy of the technology Mt. Gox is built upon
Tomi Engdahl says:
Tor is building an anonymous instant messenger
http://www.dailydot.com/technology/tor-instant-messaging-bundle/
Forget the $16 billion romance between Facebook and WhatsApp. There’s a new messaging tool worth watching.
Tor, the team behind the world’s leading online anonymity service, is developing a new anonymous instant messenger client, according to documents produced at the Tor 2014 Winter Developers Meeting in Reykjavík, Iceland.
The Tor Instant Messaging Bundle (TIMB) is set to work with the open-source InstantBird messenger client in experimental builds released to the public by March 31, 2014.
Tomi Engdahl says:
Apple slams shut TEN code execution holes in QuickTime on Windows
Plus stability fix for iTunes on Redmond-powered PCs
http://www.theregister.co.uk/2014/02/28/apple_drops_patches_for_windows_quicktime_and_itunes/
Apple has patched security vulnerabilities in the Windows version of its QuickTime media player that allowed malicious video files to execute arbitrary code.
The entertainment goliath said version 7.7.5 of QuickTime will fix 10 serious bugs that can be exploited to crash the software or pull off remote-code execution on Windows 7, Vista and XP PCs.
Tomi Engdahl says:
Microsoft Research co-develops cloud data scrambler
‘Melbourne Shuffle’ will make it harder for cloud operators to mine or sniff your data
http://www.theregister.co.uk/2014/02/28/microsoft_research_chap_codevelops_cloud_data_scrambler/
In a paper titled The Melbourne Shuffle: Improving Oblivious Storage in the Cloud, authors Olga Ohrimenko, Michael T. Goodrich, Roberto Tamassia and Eli Upfal kick things off with the statement that “One of the unmistakable recent trends in networked computation and distributed information management is that of cloud storage, whereby users outsource data to external servers that manage and provide access to their data.”
“Such services also introduce privacy concerns,” the quartet write, because “it is likely that cloud storage providers will want to perform data mining on user data, and it is also possible that such data will be subject to government searches. Thus, there is a need for algorithmic solutions that preserve the desirable properties of cloud storage while also providing privacy protection for user data.”
Encryption alone, they continue, “is not sufficient to achieve privacy protection, because the data access patterns that users exhibit can reveal information about the content of their data”.
Tomi Engdahl says:
Stealthy attacks multiply and victims turn to spooks-as-a-service
http://www.itworld.com/security/407067/stealthy-attacks-multiply-and-victims-turn-spooks-service
As the list of victims of sophisticated cyber attacks expands, so does the need for high-priced talent to help investigate and recover from those attacks. The latest solution: hosted services offering access to cyber intelligence and incident response to customers who lack it.
But the bigger story about cyber talent – at RSA and elsewhere – is of scarcity rather than abundance. Finding experts with experience identifying and analyzing sophisticated cyber threats is a herculean task. Hiring them is even harder, and few organizations can afford an internal team of cyber forensic experts to stand at the ready.
“There’s a lot of interesting innovation of what’s going on with threat intelligence,” said Ted Julian, the Chief Marketing Officer at Co3 Systems. “But all of that only matters if you can act on it. This is complicated stuff, and it requires a very different set of skills.
Tomi Engdahl says:
Yes, You Too Can Be An Evil Network Overlord – On The Cheap With OpenBSD, pflow And nfsen
http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html
Have you ever wanted to know what’s really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree.
I’ve focused mainly on OpenBSD here, but netflow sensors exist or should exist for essentially anything that has a TCP/IP stack. And nfsen works well on Linux and other Unix-like systems, too, I’ve heard tell.
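As an added example, not code from the blog post linked above and not OpenBSD’s or nfsen’s own, the C below decodes the NetFlow version 5 datagram that pflow(4) speaks by default and that nfsen’s collector stores, from a datagram constructed inline, and then answers the kind of question the post is about (how many bytes went to a given destination port). The field offsets are those of the v5 header and record layout; the length check is the part a collector listening on UDP cannot skip, because the record count in the header is attacker-controlled. The sample flows, buffers and function names are this example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF5_HDR_LEN  24
#define NF5_REC_LEN  48
#define NF5_MAX_RECS 30              /* a v5 datagram carries at most 30 flow records */

typedef struct {
    uint32_t src, dst;               /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto, tcp_flags;
    uint32_t packets, octets;
} nf5_record;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse one NetFlow v5 datagram (all fields big-endian). Returns the record count, or
 * -1 if the version is wrong or the buffer is shorter than the header's count implies:
 * a spoofed UDP packet must not be able to make the collector read past the datagram. */
int nf5_parse(const uint8_t *buf, size_t len, nf5_record *out, size_t max)
{
    if (len < NF5_HDR_LEN || rd16(buf) != 5)
        return -1;
    uint16_t count = rd16(buf + 2);
    if (count > NF5_MAX_RECS || count > max || len < NF5_HDR_LEN + (size_t)count * NF5_REC_LEN)
        return -1;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *r = buf + NF5_HDR_LEN + (size_t)i * NF5_REC_LEN;
        out[i].src       = rd32(r);       /* srcaddr */
        out[i].dst       = rd32(r + 4);   /* dstaddr */
        out[i].packets   = rd32(r + 16);  /* dPkts   */
        out[i].octets    = rd32(r + 20);  /* dOctets */
        out[i].sport     = rd16(r + 32);
        out[i].dport     = rd16(r + 34);
        out[i].tcp_flags = r[37];
        out[i].proto     = r[38];
    }
    return count;
}

/* Bytes sent to one destination port: the kind of "top ports" view nfsen draws. */
uint64_t nf5_octets_to_port(const nf5_record *recs, size_t n, uint16_t dport)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (recs[i].dport == dport) total += recs[i].octets;
    return total;
}

/* Constructed sample: three flows from one workstation, not a real export. */
uint8_t    sample_datagram[1500];
size_t     sample_datagram_len;
nf5_record sample_records[NF5_MAX_RECS];

size_t build_sample_datagram(void)
{
    static const struct { uint32_t src, dst; uint16_t sport, dport; uint8_t proto;
                          uint32_t pkts, octets; } flows[] = {
        { 0xC0A80A05u, 0x5DB8D822u, 51234, 443,  6, 12, 4321 }, /* 192.168.10.5 -> 93.184.216.34:443 */
        { 0xC0A80A05u, 0xC0A80A01u, 48011,  53, 17,  1,   68 }, /* 192.168.10.5 -> 192.168.10.1:53   */
        { 0xC0A80A05u, 0xC0A8C802u, 40000, 502,  6, 30, 2100 }, /* 192.168.10.5 -> 192.168.200.2:502 */
    };
    size_t n = sizeof flows / sizeof flows[0];
    size_t len = NF5_HDR_LEN + n * NF5_REC_LEN;
    memset(sample_datagram, 0, len);
    wr16(sample_datagram, 5);                 /* version */
    wr16(sample_datagram + 2, (uint16_t)n);   /* count */
    wr32(sample_datagram + 4, 123456);        /* SysUptime (ms) */
    wr32(sample_datagram + 8, 1393545600);    /* unix_secs */
    wr32(sample_datagram + 16, 42);           /* flow_sequence */
    for (size_t i = 0; i < n; i++) {
        uint8_t *r = sample_datagram + NF5_HDR_LEN + i * NF5_REC_LEN;
        wr32(r, flows[i].src);        wr32(r + 4, flows[i].dst);
        wr32(r + 16, flows[i].pkts);  wr32(r + 20, flows[i].octets);
        wr16(r + 32, flows[i].sport); wr16(r + 34, flows[i].dport);
        r[38] = flows[i].proto;
    }
    sample_datagram_len = len;
    return len;
}

/* Build and parse the sample; returns the number of records decoded. */
int parse_sample(void)
{
    build_sample_datagram();
    return nf5_parse(sample_datagram, sample_datagram_len, sample_records, NF5_MAX_RECS);
}

int main(void)
{
    int n = parse_sample();
    if (n < 0) return 1;
    for (int i = 0; i < n; i++)
        printf("%08x:%u -> %08x:%u proto %u %u bytes\n",
               (unsigned)sample_records[i].src, (unsigned)sample_records[i].sport,
               (unsigned)sample_records[i].dst, (unsigned)sample_records[i].dport,
               (unsigned)sample_records[i].proto, (unsigned)sample_records[i].octets);
    printf("bytes to port 443: %llu\n",
           (unsigned long long)nf5_octets_to_port(sample_records, (size_t)n, 443));
    return 0;
}
```

The third sample flow, a workstation talking to port 502 (Modbus/TCP) on a control-network address, is the sort of thing flow data surfaces immediately and packet-level monitoring on the edge never sees; it connects this post to the SCADA concerns elsewhere on the page.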
Tomi Engdahl says:
Man selling home for $135,000 in Dogecoins
http://edition.cnn.com/2014/02/26/tech/innovation/dogecoin-cryptocurrency-tech-irpt/index.html
The Dogecoin started off as a penniless Internet joke. But Matt Thompson plans on selling his vacation home for this meme-inspired currency.
The newbie cryptocurrency started off as a parody of Bitcoin,
But this satirical currency isn’t just a punchline anymore. Through trading and transactions between users, the currency went from being worth nothing to being valued at more than $65 million, and it has a uniquely supportive community of users from the site Reddit.
“It was important to the founders that the currency would be friendly and accepting. Most of these Bitcoin competitors are created to make a lot of money, but it’s hard to generate a healthy supportive community,” he said. Doernberg estimates that more than 100,000 people use Dogecoin actively.
“Dogecoin is sort of this self-fulfilling prophecy,” he said. “The more people who accept it, the more value it has. Bitcoin has a head start on that,” he said.
Tomi Engdahl says:
GCHQ peered into millions of Yahoo video chats
Grabbed screenshots every five minutes
http://www.theinquirer.net/inquirer/news/2331447/gchq-peered-into-millions-of-yahoo-video-chats
UK SPY AGENCY Government Communications Headquarters (GCHQ) broke into millions of people’s Yahoo accounts, watched their webcam chats and took photos of participants.
The ugly tale comes from the Guardian and is part of a series of revelations by government surveillance whistleblower Edward Snowden.
The Guardian reported that a system called Optic Nerve was in operation between 2008 and 2012 and had the remit of intercepting and storing webcam images from Yahoo.
Tomi Engdahl says:
War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show
http://www.nbcnews.com/news/investigations/war-anonymous-british-spies-attacked-hackers-snowden-docs-show-n21361
A secret British spy unit created to mount cyber attacks on Britain’s enemies has waged war on the hacktivists of Anonymous and LulzSec, according to documents taken from the National Security Agency by Edward Snowden and obtained by NBC News.
According to the documents, a division of Government Communications Headquarters (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack.
Tomi Engdahl says:
Hackers target Brazil’s World Cup for cyber attacks
http://uk.reuters.com/article/2014/02/26/uk-worldcup-brazil-hackers-idUKBREA1P1C620140226
Brazilian hackers are threatening to disrupt the World Cup with attacks ranging from jamming websites to data theft, adding cyber warfare to the list of challenges for a competition already marred by protests, delays and overspending.
“The attacks will be directed against official websites and those of companies sponsoring the Cup,” a hacker known as Che Commodore said in a late-night Skype conversation.
Problems include overstrained networks, widespread use of pirated software and low investment in online security. To make matters worse, Brazil is home to one of the world’s most sophisticated cyber-criminal communities, which is already disrupting ticket sales and other World Cup commerce.
Brazil says it is ready, or as ready as it can be.
“It would be reckless for any nation to say it’s 100 percent prepared for a threat,”
The worst-case scenario would be an attack sophisticated enough to cripple Brazil’s power grid, communications or air-traffic control systems. But General dos Santos said in a recent interview that authorities aren’t expecting anything that bad.
Tomi Engdahl says:
Energy firm cyber-defence is ‘too weak’, insurers say
http://www.bbc.com/news/technology-26358042
Power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak, the BBC has learned.
Underwriters at Lloyd’s of London say they have seen a “huge increase” in demand for cover from energy firms.
But surveyor assessments of the cyber-defences in place concluded that protections were inadequate.
Energy industry veterans said they were “not surprised” the companies were being refused cover.
“They are all worried about their reliance on computer systems and how they can offset that with insurance,” she said.
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out.
Unfortunately, said Ms Khudari, after such checks were carried out, the majority of applicants were turned away because their cyber-defences were lacking.
Financial pressures and the ability to manage systems remotely was inadvertently giving attackers a loophole they could slip through, said Nathan McNeill, chief strategy officer at remote management firm Bomgar.
Trying to cut costs by linking up plant and machinery to a control centre so they could be managed remotely meant those systems were effectively exposed to the net, he said.
“If something has basic connectivity then it will become internet connectivity through some channel,” he said.
This left critical infrastructure exposed, he said, because typically the control systems for such hardware was written long before the web age and had only rudimentary security tools.
Known as Scada (Supervisory Control and Data Acquisition), this software has come under increasing scrutiny by security researchers who have exposed many flaws in it.
Tomi Engdahl says:
Leaked: Just before Bitcoin catastrophe, MtGox dreamed of riches
The exchange site also said it would need “influential lobbyists” going forward.
http://arstechnica.com/business/2014/02/leaked-just-before-bitcoin-catastrophe-mtgox-dreamed-of-riches/
At some point in recent weeks, MtGox appears to have pitched investors, arguing that it was poised to increase its profits 20-fold in just two years on the back of “no debt nor outside financing.”
That’s according to a newly published document entitled “Business Plan Europe 2014-2017,” and it appears to have been authored by MtGox executives in 2014
Like MtGox’s purported “Crisis Strategy Draft,” which was published earlier this week, the new document raises more questions than it answers.
Mt. Gox Files for Bankruptcy Protection
Bitcoin Exchange Had $63.6 Million in Outstanding Debt
http://online.wsj.com/news/article_email/SB10001424052702303801304579410010379087576-lMyQjAxMTA0MDIwNzEyNDcyWj
Bitcoin exchange Mt. Gox said it was filing for bankruptcy protection and that 750,000 of its customers’ bitcoins and 100,000 of its own had been lost.
At market prices charted by the CoinDesk bitcoin index, that would represent a loss of $473 million.
The company’s lawyer also said at a news conference at the Tokyo District Court that Mt. Gox had outstanding debt of about ¥6.5 billion ($63.6 million) with assets worth ¥3.84 billion.
One Japanese small-business owner that accepts bitcoin as payment said Japanese banks had expressed skepticism toward the payment method, and that the business’s lenders this week asked that the company wouldn’t use bitcoin in the wake of Mt. Gox’s stopping all transactions on Tuesday. “They’re approaching bitcoin very conservatively,” the owner said.
“It is disappointing they hid so much for so long,”
Tomi Engdahl says:
Two in five Brits cough up for CryptoLocker ransomware’s demands
Cowed victims hand over thousands rather than install basic security measures
http://www.theregister.co.uk/2014/02/28/cryptolocker_victims_pay_up_survey/
Around two in five people who fall victim to CryptoLocker have agreed to pay a ransom of around £300 to recover their files, according to a survey of victims.
CryptoLocker encrypts files on compromised machines. Compromised files become unintelligible and unrecoverable – unless victims have made back-ups – without paying crooks an unlock fee
The first survey, released in August 2013, revealed almost one in five people (18.4 per cent) in the UK had their online accounts hacked, with some people (2.3%) losing more than £10,000 due to criminal activity.
Tomi Engdahl says:
Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ
http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not.
In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo reacted furiously to the webcam interception when approached by the Guardian. The company denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy”.
The document estimates that between 3% and 11% of the Yahoo webcam imagery harvested by GCHQ contains “undesirable nudity”.
The fact that Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography
One document tells agency staff they were allowed to display “webcam images associated with similar Yahoo identifiers to your known target”.
Optic Nerve, the documents provided by NSA whistleblower Edward Snowden show, began as a prototype in 2008 and was still active in 2012,
Yahoo has been one of the most outspoken technology companies objecting to the NSA’s bulk surveillance
Tomi Engdahl says:
RSA 2014 security conference app has ‘severe vulnerabilities’
Half a dozen security flaws uncovered
http://www.theinquirer.net/inquirer/news/2331535/rsa-2014-security-conference-app-has-severe-vulnerabilities
IOACTIVE LABS HAS FOUND half a dozen security flaws in RSA Security’s Conference 2014 app.
It is also bad when the hot topic at the RSA show is, of course, security.
“The RSA Conference 2014 application downloads a SQLite DB file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application – including their name, surname, title, employer, and nationality.”
“no idea why the app developers chose to do that”
Tomi Engdahl says:
Lawsuit against Google over Gmail faces hurdle, U.S. judge says
http://www.reuters.com/article/2014/02/28/us-google-gmail-lawsuit-idUSBREA1R02420140228
A U.S. judge on Thursday said some plaintiffs accusing Google of improperly scanning their email faced a significant hurdle in their attempt to move forward with the lawsuit as a class action.
The case is being closely watched as it could alter how tech companies provide email service.
Tomi Engdahl says:
Google Tells Court You Cannot Expect Privacy When Sending Messages to Gmail — People Who Care About Privacy Should Not Use Service, Consumer Watchdog Says
http://www.consumerwatchdog.org/newsrelease/google-tells-court-you-cannot-expect-privacy-when-sending-messages-gmail-people-who-care
Tomi Engdahl says:
360 million newly stolen credentials on black market: cybersecurity firm
http://www.reuters.com/article/2014/02/25/us-cybercrime-databreach-idUSBREA1O20S20140225
A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.
Holden said he believes the 360 million records were obtained in separate attacks
She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.
“They can get access to your actual bank account. That is huge,” Bearfield said. “That is not necessarily recoverable funds.”
Tomi Engdahl says:
Meet the seven people who hold the keys to worldwide internet security
http://www.theguardian.com/technology/2014/feb/28/seven-people-keys-worldwide-internet-security-web
It sounds like the stuff of science fiction: seven keys, held by individuals from all over the world, that together control security at the core of the web. The reality is rather closer to The Office than The Matrix
The keyholders have been meeting four times a year, twice on the east coast of the US and twice here on the west, since 2010.
What these men and women control is the system at the heart of the web: the domain name system, or DNS. This is the internet’s version of a telephone directory
The master key is part of a new global effort to make the whole domain name system secure and the internet safer: every time the keyholders meet, they are verifying that each entry in these online “phone books” is authentic. This prevents a proliferation of fake web addresses which could lead people to malicious sites, used to hack computers or steal credit card details.
The east and west coast ceremonies each have seven keyholders, with a further seven people around the world who could access a last-resort measure to reconstruct the system if something calamitous were to happen. Each of the 14 primary keyholders owns a traditional metal key to a safety deposit box, which in turn contains a smartcard, which in turn activates a machine that creates a new master key.
Tomi Engdahl says:
At the RSA Security Conference, Things Get Testy and Then They Get Awkward
http://bits.blogs.nytimes.com/2014/02/28/at-the-rsa-security-conference-things-get-testy-and-then-they-get-awkward/?_php=true&_type=blogs&_r=0
It was hard to avoid the shadow of Edward J. Snowden at the annual RSA security conference this week.
“Has RSA done work with the N.S.A.? Yes. But the fact has been a matter of public record for nearly a decade,” Mr. Coviello said, noting that RSA and other security companies regularly worked with the N.S.A.’s defense arm. “When or if the N.S.A. blurs the lines between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that’s a problem.”
Tomi Engdahl says:
UK spies on MILLIONS of Yahoo! webcams, ogles sex vids – report
Perfectly legal for us to watch your unencrypted steamy cam sessions, sniffs GCHQ
http://www.theregister.co.uk/2014/02/27/gchq_optic_nerve/
British spies allegedly intercepted and stored nude pics and other stills from millions of Yahoo! Messenger webcams – and mulled capturing snaps from the Xbox’s Kinect camera, too.
The UK intelligence agency GCHQ started slurping photos from innocent netizens’ camera feeds in 2008,
Although Yahoo!’s instant messaging service uses SSL to encrypt passwords when logging in, it does not prevent network eavesdroppers from intercepting, decoding and storing text messages and live webcam feeds between contacts.
“Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person,” GCHQ wrote in a document leaked by ex-NSA whistleblower Edward Snowden to the newspaper.
The American Civil Liberties Union (ACLU) was rather annoyed as well, with staff attorney Alex Abdo saying in a statement: “This is a truly shocking revelation that underscores the importance of the debate on privacy now taking place and the reforms being considered. In a world in which there is no technological barrier to pervasive surveillance, the scope of the government’s surveillance activities must be decided by the public, not secretive spy agencies interpreting secret legal authorities.”
Tomi Engdahl says:
The IETF needed a wake-up call on security, says chairman
The Snowden revelations have made the standards organization rethink its approach on security
http://www.networkworld.com/news/2014/022814-the-ietf-needed-a-wake-up-279307.html
Security and how to protect users from pervasive monitoring will dominate the proceedings when members of Internet Engineering Task Force meet in London starting Sunday.
For an organization that develops the standards we all depend on for the Internet to work, the continued revelations made by NSA whistleblower Edward Snowden have had wide-ranging repercussions.
“It wasn’t a surprise that some activities like this are going on. I think that the scale and some of the tactics surprised the community a little bit. … You could also argue that maybe we needed the wake-up call,” said IETF Chairman Jari Arkko.
The security implications of the disclosures are something the IETF must deal with, according to Arkko.
Tomi Engdahl says:
Bitcoin or bust: MtGox files for bankruptcy protection
Exchange ’fesses up to losing 750,000 Bitcoins
http://www.theregister.co.uk/2014/02/28/bitcoin_or_bust_mt_gox_files_for_bankruptcy_protection/
Ailing Bitcoin exchange MtGox has filed for bankruptcy protection after admitting it did indeed “lose” 750,000 of its customers’ Bitcoins along with 100,000 of its own – together worth about £283m.
MtGox founder Mark Karpeles appeared in person and took a bow
The loss of all those Bitcoins was “due to weaknesses in the system,” he said.
“Amateur hour is now over. There is massive investment in Bitcoin industries”