Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases in which information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to do that. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by $2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring talk of PRIVATE cloud to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. The values of the crypto-currencies vary a great deal, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Finland has joined the NSA’s intelligence partners, it turns out from reporter Glenn Greenwald’s book No Place to Hide: Edward Snowden, the NSA, and the U.S. surveillance state.

    Greenwald’s book publishes an internal NSA slide from 2013, in which Finland is listed in the second group of partners.

    Second-group countries are defined as countries with which the United States cooperates in certain projects, but which are also the subject of aggressive American intelligence.

    Source: http://www.digitoday.fi/yhteiskunta/2014/05/13/snowden-asiakirjat-suomi-liittyi-nsan-vakoilukumppaniksi/20146763/66?rss=6

    Reply
  2. Tomi Engdahl says:

    Researchers find, analyze forged SSL certs in the wild
    http://www.net-security.org/secworld.php?id=16843

    A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild.

    A widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates.

    This detection method was deployed on Facebook’s website, and the result was as follows: of nearly 3.5 million SSL connections analyzed, 6,845 (0.2%) of them were forged SSL certificates.

    These certificates are not authorized by the website owners, but most browsers will “accept” them, i.e. they will warn users of the error, but will allow them to choose whether they will continue on to the (potentially insecure) website.

    The overwhelming majority of the subjects of the forged certificates were, expectedly, tied to the wildcard domain *.facebook.com.

    Reply
  3. Tomi Engdahl says:

    Analyzing Forged SSL Certificates in the Wild
    https://www.linshunghuang.com/papers/mitm.pdf

    The SSL man-in-the-middle attack uses forged SSL
    certificates to intercept encrypted connections between clients
    and servers. However, due to a lack of reliable indicators, it is
    still unclear how commonplace these attacks occur in the wild. In
    this work, we have designed and implemented a method to detect
    the occurrence of SSL man-in-the-middle attack on a top global
    website, Facebook

    Reply
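    The detection described in the two comments above rests on one comparison: the site owner knows which certificates it really serves, so any certificate presented to a client in the site’s name that is not one of them was forged somewhere between the server and the browser. The Python below is an added example (not code from the article, the paper, or Facebook): it pins SHA-256 fingerprints of the genuine leaf certificates, checks reported certificates against them with RFC 6125-style wildcard name matching, and groups forged ones by issuer name. The hostname, issuer keyword heuristics and the DER bytes are constructed placeholders.

```python
"""Classify client-reported TLS leaf certificates as genuine or forged.

Added example: a site owner pins the fingerprints of the certificates it
actually serves; clients report the leaf certificate they observed. Any
certificate that claims the site's name but is not pinned indicates an
interception device (antivirus, corporate proxy, malware, ...).
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

SITE_HOST = "www.example.com"  # assumed hostname (constructed placeholder)


@dataclass(frozen=True)
class Observation:
    subject_cn: str  # name the presented leaf certificate claims
    issuer_cn: str   # name of the CA that signed it
    der: bytes       # DER encoding of the leaf (placeholders here)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def cn_matches_host(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is only allowed as the whole left-most label
    and matches exactly one label, so '*.example.com' matches
    'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return left != "" and "." not in left


# Illustrative keyword heuristics for grouping forging issuers (an assumption,
# not the paper's taxonomy).
ISSUER_CATEGORIES = (
    ("antivirus", ("antivirus", "av scanner", "web shield")),
    ("corporate_filter", ("proxy", "firewall", "gateway", "content filter")),
    ("parental_control", ("parental", "family")),
)


def categorize_issuer(issuer_cn: str) -> str:
    name = issuer_cn.lower()
    for category, keywords in ISSUER_CATEGORIES:
        if any(k in name for k in keywords):
            return category
    return "unknown"


def classify(obs: Observation, pinned: set, host: str = SITE_HOST) -> str:
    """Return 'legitimate', 'other_site' or 'forged:<issuer category>'."""
    if not cn_matches_host(obs.subject_cn, host):
        return "other_site"  # not impersonating this site; report noise
    if fingerprint(obs.der) in pinned:
        return "legitimate"
    return "forged:" + categorize_issuer(obs.issuer_cn)


def summarize(observations, pinned: set, host: str = SITE_HOST) -> dict:
    """Count outcomes and compute the forged rate over site-relevant reports."""
    counts = Counter(classify(o, pinned, host) for o in observations)
    forged = sum(v for k, v in counts.items() if k.startswith("forged:"))
    relevant = len(observations) - counts["other_site"]
    rate = forged / relevant if relevant else 0.0
    return {"counts": dict(counts), "forged": forged, "forged_rate": rate}


# Constructed sample data: one genuine leaf and a few reported observations.
LEGIT_DER = b"CONSTRUCTED-DER-OF-GENUINE-LEAF-CERT"
PINNED = {fingerprint(LEGIT_DER)}
SAMPLE = [
    Observation("*.example.com", "Example Trusted CA", LEGIT_DER),
    Observation("*.example.com", "Example Trusted CA", LEGIT_DER),
    Observation("*.example.com", "Example Trusted CA", LEGIT_DER),
    Observation("*.example.com", "Example Trusted CA", LEGIT_DER),
    Observation("www.example.com", "Acme Antivirus Web Shield", b"constructed-1"),
    Observation("*.example.com", "Corp Proxy Root", b"constructed-2"),
    Observation("www.example.com", "Example Trusted CA", b"constructed-3"),
    Observation("*.otherdomain.test", "Some CA", b"constructed-4"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, PINNED))
```

    The last forged observation shows why fingerprints rather than issuer names decide the outcome: a forger can copy the real CA’s name into the issuer field, but cannot reproduce the pinned certificate bytes.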
  4. Tomi Engdahl says:

    US Navy develops world’s worst e-reader
    http://www.naval-technology.com/features/featureus-navy-develops-worlds-worst-e-reader-4265782/

    It is an unspoken rule of military procurement that any IT or communications technology will invariably be years behind what is commercially available or technically hobbled to ensure security. One case in point is the uncomfortably backronymed NeRD, or Navy e-Reader Device, an electronic book so secure the 300 titles it holds can never be updated. Ever.

    Reply
  5. Tomi Engdahl says:

    Do you use NAS drives? For work? One just LEAKED secret cash-machine blueprints
    So says security biz in ‘share everything to the web’ flaw alert
    http://www.theregister.co.uk/2014/05/13/nas_security_risk/

    Some personal desktop storage devices are leaking top corporate secrets to the internet – in one case, the designs for a hole-in-the-wall cash machine.

    That’s according to intelligence biz Digital Shadows, which tries to work out how proprietary and personal information accidentally escapes network boundaries

    We’re told one particular off-the-shelf network-attached storage (NAS) box grants outside access to its file system without authentication by default.

    Miscreants aware of the “share everything” design flaw are scanning the public internet for vulnerable models, and grabbing sensitive stuff.

    Above all, sysadmins should keep an eye out for staff using NAS drives that are reachable from the external web – such as the over-sharing product Digital Shadows identified.

    Digital Shadows did not name the affected NAS box although it has warned the hardware’s maker

    Reply
  6. Tomi Engdahl says:

    EU court backs ‘right to be forgotten’ in Google case
    http://www.bbc.com/news/world-europe-27388289

    A top EU court has ruled Google must amend some search results at the request of ordinary people in a test of the so-called “right to be forgotten”.

    The European Union Court of Justice said links to “irrelevant” and outdated data should be erased on request.

    The case was brought by a Spanish man who complained that an auction notice of his repossessed home on Google’s search results infringed his privacy.

    Google said the ruling was “disappointing”.

    “We now need to take time to analyse the implications,” a spokesperson added.

    Reply
  7. Tomi Engdahl says:

    Linux distos get patching on terminal bug
    Pseudo-terminal buffer bug from 2009 discovered
    http://www.theregister.co.uk/2014/05/14/linux_distos_get_patching_on_terminal_bug/

    Linux admins need to get busy patching, as a newly discovered bug has emerged in the kernel’s tty handling that can let local users create memory corruption leading to denial of service, unauthorised modification of data, and disclosure of information.

    While a “local user” issue wouldn’t normally be something to lose too much sleep over – certainly nothing like Heartbleed – CVE-2014-0196 is problematic where users are sharing the same Linux host in the cloud.

    A user only needs shell privileges to be in a position to trigger the bug.

    Reply
  8. Tomi Engdahl says:

    IETF plans to NSA-proof all future internet protocols
    Standards boffins promise bloody fight for those who seek to sniff private data
    http://www.theregister.co.uk/2014/05/14/ietf_documents_start_of_its_privacy_battle/

    The IETF has taken the next small step down the long, long road of protecting user traffic from spooks, snoops and attackers, setting down the basic architectural principle that new protocols should resist monitoring.

    It’s not going to be a trivial undertaking: practically every layer of the Internet protocol stack has its origins in a more innocent era.

    The new document, RFC 7258 (here), formalises the decision reached at the Vancouver IETF plenary in March that pervasive monitoring is an attack on Internet users (and, in fact, “Pervasive Monitoring is an Attack” is the title of the RFC).

    Reply
  9. Tomi Engdahl says:

    Google’s Legal Blow: What ‘the Right to Be Forgotten’ Means
    http://blogs.wsj.com/digits/2014/05/13/what-you-need-to-know-about-the-eu-high-court-google-ruling/

    The European Court of Justice on Tuesday ruled that individuals can ask Google Inc. to remove links to news articles, court judgments and other documents in search results for their name.

    What’s the bottom line?

    The court’s decision means that individuals can ask Google or other search operators to take down links to web pages that are published by third parties, such as newspapers, containing information relating to them. That doesn’t mean that the article or website has to be removed or altered by the original publisher. It would only affect search results compiled by search engine operators like Google.

    Does this ruling apply all over the world or just within the EU?

    It’s not yet clear. The ruling says that European data protection law is applicable as soon as a “data controller” like Google is operating in the European market.

    Reply
  10. Tomi Engdahl says:

    Dogevault praying backups work after confirming attack
    So deleted. Very missing. Much backed up
    http://www.theregister.co.uk/2014/05/14/dogevault_praying_backups_work_after_confirming_attack/

    “On the 11th of May, the Doge Vault online wallet service was compromised by attackers, resulting in a service disruption and tampering with wallet funds,” the now-sparse site says at the time of writing.

    The site says it is “salvaging existing wallet data from an off-site backup”. That leaves it on the cusp of becoming either a backup success story or yet another cautionary tale about how startups don’t take backup seriously.

    Reply
  11. Tomi Engdahl says:

    Do Embedded Systems Need a Time To Die?
    http://hardware.slashdot.org/story/14/05/14/029236/do-embedded-systems-need-a-time-to-die

    “Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption.”

    “Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of ‘end of life,’ past which they will cease to operate.”

    Reply
  12. Tomi Engdahl says:

    Blade Runner Redux: Do Embedded Systems Need A Time To Die?
    https://securityledger.com/2014/05/blade-runner-redux-do-embedded-systems-need-a-time-to-die/

    “The embedded systems space, already bigger than what is normally thought of as ‘a computer,’ makes the attack surface of the non-embedded space trivial if not irrelevant,” Geer said.

    The problem with embedded systems (like replicants) becoming ‘immortal’ is that the longer embedded systems persist in IT environments, the harder they become to manage and defend, he said.

    Computing monocultures, Geer said, raise the likelihood of what he terms “cascade failures” in which the ripple effects of attacks against a wide range of computing systems cause disruption far in excess of what would be possible by attacks on any one system.

    “The Internet of Things, which is to say the appearance of network connected micro controllers in seemingly every device, should raise hackles on every neck,” he told attendees.

    Geer isn’t hostile to the idea of monocultures. Rather, he argues that if we are to opt in favor of monolithic computing infrastructures, we need “tight central control” of that infrastructure. That might come either in the form of a robust and secure management infrastructure that keeps close tabs on the operation and behavior of connected devices and allows them to be rapidly updated (a la Windows update). Or it could come in the form of a kind of designed obsolescence – a ‘mortality.’

    “By ‘more like humans’ I mean this: embedded systems, if having no remote management interface and thus out of reach, are a life form and as the purpose of life is to end, an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time,”

    Reply
  13. Tomi Engdahl says:

    Security of Things
    Dan Geer, 7 May 14, Cambridge
    http://geer.tinho.net/geer.secot.7v14.txt

    Reply
  14. Tomi Engdahl says:

    Journalist vs. the Syrian Electronic Army
    http://news.slashdot.org/story/14/05/13/193219/journalist-vs-the-syrian-electronic-army

    “Journalist Ira Winkler has an article about his personal run-in with the Syrian Electronic Army. While admitting that the SEA has succeeded in hijacking the Wall Street Journal’s Twitter accounts and defacing the RSA conference website, he calls them immature, inept script kiddies in this Computerworld column.”

    Reply
  15. Tomi Engdahl says:

    Database down! DBA ninjas to the rescue
    Handy 101 guide for Oracle administrators
    http://www.theregister.co.uk/2014/05/14/oracle_dba_workshop_data_restoration/

    First things first

    Ideally, you’ll want to avoid your database going down in the first place.

    Oracle further divides unplanned downtime into two areas: data failures, and computer failures. DBAs will be most interested in data failures – the four main categories are:

    Storage error
    Human error
    Corruption
    Site failure

    DBAs have some control over storage error and human error, at least.

    While you can protect against some of these things, DBAs still haven’t worked out how to control fire, flooding and other acts of god

    There are three things to back up in an Oracle database
    The server parameters file (SPFILE)
    The Control file
    The data files themselves (generally considered quite important).

    There are two broad kinds of backup: a cold backup, and a hot one. Cold (offline) backups are the easiest to do.

    Hot backups are good for recovering databases on the fly, rather than complete restoration from scratch.

    Reply
  16. Tomi Engdahl says:

    Kyberturvallisuuskeskus sees new scam pages every day that try to defraud Finnish bank customers. A month ago a campaign started that masquerades as a debt collection service, and it builds on the previous Customs and Itella scams.

    New phishing pages crop up more and more every day, as soon as the previous one has been shut down. Criminals have adopted text messaging, encrypted network connections and a portal resembling a debt collection service. In addition, they continue to make use of fake e-mails and false online banking log-in pages.

    The third new feature is the web portal resembling a debt collection service, with bank ID links that appear quite real. Some of them may be, but others may direct the clicker to phishing sites.

    Sources:
    http://www.digitoday.fi/tietoturva/2014/05/14/suomi-kalastelun-uudet-kujeet-tekstiviesteja-ja-perintaportaali/20146820/66?rss=6
    https://www.cert.fi/tietoturvanyt/2014/05/ttn201405131125.html

    Reply
  17. Tomi Engdahl says:

    GCHQ’s ‘NOSEY SMURF’ spyware snoops dragged into privacy tribunal
    Privacy International believes UK intelligence nerve-centre may have infected millions
    http://www.theregister.co.uk/2014/05/14/gchq_privacy_international/

    Campaigning charity Privacy International has launched a legal bid to stop GCHQ and British intelligence agents from spying on Brits using malware.

    Its complaint [PDF] to the UK’s Investigatory Powers Tribunal is a formal challenge to snoops’ use of malicious software and hacking to surveil people. Privacy International fears millions of innocent people may have had their machines attacked and personal data slurped by British g-men.

    Reply
  18. Tomi Engdahl says:

    Estonia Urged To Drop Internet Voting Over Security Fears
    http://it.slashdot.org/story/14/05/14/1418256/estonia-urged-to-drop-internet-voting-over-security-fears

    “A team of global IT experts have urged Estonia to drop electronic voting from this month’s European elections, saying they had identified major security risks, suggesting that the system’s operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. ‘Estonia’s Internet voting system blindly trusts the election servers and the voters’ computers.’”

    Reply
  19. Tomi Engdahl says:

    Photos of an NSA “upgrade” factory show Cisco router getting implant
    Servers, routers get “beacons” implanted at secret locations by NSA’s TAO team.
    http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

    A document included in the trove of National Security Agency files released with Glenn Greenwald’s book No Place to Hide details how the agency’s Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers, and other network gear being shipped to organizations targeted for surveillance and install covert implant firmware onto them before they’re delivered. These Trojan horse systems were described by an NSA manager as being “some of the most productive operations in TAO because they pre-position access points into hard target networks around the world.”

    Reply
  20. Tomi Engdahl says:

    Cisco comments:

    Internet Security Necessary for Global Technology Economy
    http://blogs.cisco.com/news/internet-security-necessary-for-global-technology-economy/

    Today’s security challenges are real and significant. We want governments to detect and disrupt terrorist networks before they inflict harm on our society, our citizens, and our systems of government. We also want to live in countries that respect their citizens’ basic human rights. The tension between security and freedom has become one the most pressing issues of our day. Societies wracked by terror cannot be truly free, but an overreaching government can also undermine freedom.

    It is in this context that I want to offer some thoughts on actions by the US Government that in Cisco’s eyes have overreached, undermining the goals of free communication, and steps that can be taken to right that balance, and I do so on behalf of all of Cisco’s leadership team.

    Confidence in the open, global Internet has brought enormous economic benefits to the United States and to billions around the world. This confidence has been eroded by revelations of government surveillance, by efforts of the US government to force US companies to provide access to communications of non-US citizens even when that violates the privacy laws of countries where US companies do business, and allegations that governments exploit rather than report security vulnerabilities in products.

    This past December, eight technology companies expressed concern to the President of the United States and Members of Congress that the US government’s surveillance efforts are in fact harmful. They stated, in part, “We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight.”

    This week a number of media outlets reported another serious allegation: that the National Security Agency took steps to compromise IT products en route to customers, including Cisco products.
    We comply with US laws

    Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers

    Reply
  21. Tomi Engdahl says:

    OpenDNS raises $35M for its security and content-filtering servers
    http://venturebeat.com/2014/05/14/opendns-raises-35m-for-its-security-and-content-filtering-servers/

    OpenDNS, a company that provides a variety of services that includes protecting companies and individuals from cyberattacks, just raised a $35 million round of funding from a host of investors.

    “OpenDNS is a true innovator among security companies,” said Stefan Dyckerhoff of Sutter Hill Ventures, one of the investors, in a statement. While that’s the sort of promotional statement you’d expect a major investor to make, it’s not incorrect: OpenDNS takes an unusual approach.

    Most security companies require you to install software on your computer, smartphone, or on a box somewhere on your company’s network, and that software then monitors the applications you install and the data that travels through the network, looking for suspicious activity.

    By contrast, OpenDNS technology starts with its own domain-name servers, which work much like other name servers on the Internet-wide Domain Name System (DNS). However, by routing customers’ Internet connections through its own servers, it is able to provide a level of protection — for instance, by keeping you from connecting to a known malicious site.

    Reply
  22. Tomi Engdahl says:

    Google gets tougher on suspicious Google Apps logins
    http://www.cnet.com/news/google-gets-tougher-on-suspicious-google-apps-logins/

    Don’t lose your smartphone: To thwart unauthorized access to Gmail and other services, Google is bringing aspects of dual-factor authentication to those who haven’t signed up for it.

    Reply
  23. Tomi Engdahl says:

    Orwellian threats caused the New York Times to spike a story on NSA spying way back in 2004
    http://www.pri.org/stories/2014-05-12/orwellian-threats-caused-new-york-times-spike-story-nsa-spying-way-back-2004

    It was about a year ago that former NSA contractor Edward Snowden got two journalists into a Hong Kong hotel room, where he divulged some of the biggest US state secrets in modern history.

    Reply
  24. Tomi Engdahl says:

    The Three Big Lies: How The Federal Government Kept Its Post-9/11 Spying On Americans A Secret
    http://www.techdirt.com/articles/20140513/17454627224/three-lies-how-federal-government-kept-its-post-911-spying-americans-secret.shtml

    Either way, the thing that stands out to me is how the administration tried, desperately to stop anyone from revealing “The Program” with three big lies, which are discussed in all three of the links above. Here’s the short summary of what happened any time anyone sought to raise issues about the legality of “The Program”:

    It’s completely legal and has been judged as such (though don’t ask why)
    It’s “unbelievably effective.” You wouldn’t believe the threats we’re stopping — and that’s why we can’t talk about it.
    If you reveal it, hundreds of thousands of Americans may die in a future attack — and the blood will be on your hands if you reveal and/or stop this program.

    Of course, at this point, we now know that basically all three of those things are untrue.

    Reply
  25. Tomi Engdahl says:

    AT&T’s GigaPower plans turn privacy into a luxury that few would choose
    http://gigaom.com/2014/05/13/atts-gigapower-plans-turn-privacy-into-a-luxury-that-few-would-choose/

    Customers of AT&T’s GigaPower service could end up paying more than double the $29 advertised cost to keep Ma Bell from monitoring their web surfing if they elect to get video with their broadband.

    Reply
  26. Tomi Engdahl says:

    Google ruling ‘astonishing’, says Wikipedia founder Wales
    http://www.bbc.com/news/technology-27407017

    A ruling forcing Google to remove search results has been described as “astonishing” by Wikipedia founder Jimmy Wales.

    The European Courts of Justice ruled on Tuesday that an individual could demand that “irrelevant or outdated” information be deleted from results.

    Mr Wales said it was “one of the most wide-sweeping internet censorship rulings that I’ve ever seen”.

    Google has said it is looking into the implications of the decision.

    Mr Wales, speaking to BBC Radio 5 live, said: “I suspect this isn’t going to stand for very long.

    “If you really dig into it, it doesn’t make a lot of sense. They’re asking Google… you can complain about something and just say it’s irrelevant, and Google has to make some kind of a determination about that.
    “That’s a very hard and difficult thing for Google to do – particularly if it’s at risk of being held legally liable if it gets it wrong in some way.

    “Normally we would think whoever is publishing the information, they have the primary responsibility – Google just helps us to find the things that are online.”

    He added: “I would expect that Google is going to resist these claims quite vigorously.

    Reply
  27. Tomi Engdahl says:

    Teen Arrested for 30+ Swattings, Bomb Threats
    http://krebsonsecurity.com/2014/05/teen-arrested-for-30-swattings-bomb-threats/

    A 16-year-old male from Ottawa, Canada has been arrested for allegedly making at least 30 fraudulent calls to emergency services across North America over the past few months. The false alarms — two of which targeted this reporter — involved calling in phony bomb threats and multiple attempts at “swatting” — a hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.

    Reply
  28. Tomi Engdahl says:

    Latest IE flaw being actively exploited
    Coordinated leet attackers smell like China’s infamous APT1
    http://www.theregister.co.uk/2014/05/15/aussie_biz_served_april_ie_exploit/

    April’s Internet Explorer flaw is being exploited, with at least two listed Australian entities targeted by a sophisticated foreign hacking outfit.

    Reply
  29. Tomi Engdahl says:

    Phil Zimmermann’s ‘Spy-Proof’ Mobile Phone In Demand
    http://mobile.slashdot.org/story/14/05/14/194205/phil-zimmermanns-spy-proof-mobile-phone-in-demand

    “BlackPhone was designed by Phil Zimmermann (inventor of PGP).”

    “The OS is a customized version of Android called PrivatOS which offers encrypted calls, texts and emails that can’t be unscrambled even by spy agencies.”

    Reply
  30. Tomi Engdahl says:

    Sony To Make Movie of Edward Snowden Story
    http://entertainment.slashdot.org/story/14/05/14/222202/sony-to-make-movie-of-edward-snowden-story

    “Sony Pictures Entertainment has acquired the rights to the new book by journalist Glenn Greenwald about fugitive US intelligence leaker Edward Snowden, the studio said Wednesday.”

    Reply
  31. Tomi Engdahl says:

    Cyberbullying: Are you just as brave in person?
    http://www.technorati.com/technology/article/cyberbullying-are-you-just-as-brave/

    Physical bullying has existed since the dawn of man and has had many tragic victims. Cyberbullying has been on a meteoric rise with the advent of each new piece of social technology. While it is still lagging behind physical bullying, this isn’t a metric we want to see growth in.

    The ability to harass people anonymously just makes it worse. Facebook will allow you to create a page, hide behind secrecy and pretty much go crazy harassing people. This isn’t just children, but adults are doing it as well.

    Most of these people are cowards in person. It’s the safety of distance and anonymity that makes them brave.

As many as 25 percent of teenagers have experienced cyberbullying at some point.

Your biggest challenge is going to be to control yourself to only pay attention to the items that are issues and not intrude entirely in your kids' lives.

    Reply
  32. Tomi Engdahl says:

    Circle wants to be your friendly neighborhood bitcoin bank
    http://www.theverge.com/2014/5/16/5721690/circle-wants-to-be-your-friendly-neighborhood-bitcoin-bank

    The implosion and subsequent liquidation of bitcoin exchange Mt. Gox last month played to the worst fears about digital currencies. Confusing to use and volatile as a store of value, bitcoin has also been the frequent target of hackers, thieves, and incompetent businessmen. Despite bitcoin’s appeal to venture capitalists eager to profit from a new financial system, the value for the average person remains elusive.

Circle, a highly anticipated new bitcoin startup that has raised $26 million, is hoping to change all that. The company, which is opening its service today in a limited release, hopes to be your friendly online bitcoin bank. Its web-based interface lets you deposit US currency and see it converted instantly to bitcoin without any fees. It physically isolates your bitcoin keys in cold-storage vaults and requires multiple “signatures” to bring them online. Its deposits are 100 percent insured, and it complies with US money transmitting and anti-money laundering laws. “The focus is on making this easier for people to adopt,” says the company’s CEO, Jeremy Allaire.

    Specifically, the focus is on making bitcoin easier to use for transactions as opposed to merely fueling speculation by investors.

    Reply
  33. Tomi Engdahl says:

    Who Has Your Back? 2014: Protecting Your Data From Government Requests
    https://www.eff.org/who-has-your-back-government-data-requests-2014

    We entrust our most sensitive, private, and important information to technology companies like Google, Facebook, and Verizon. Collectively, these companies are privy to the conversations, photos, social connections, and location data of almost everyone online. The choices these companies make affect the privacy of every one of their users. So which companies stand with their users, embracing transparency around government data requests? Which companies have resisted improper government demands by fighting for user privacy in the courts and on Capitol Hill? In short, which companies have your back?

    These questions are even more important in the wake of the past year’s revelations about mass surveillance, which showcase how the United States government has been taking advantage of the rich trove of data we entrust to technology companies to engage in surveillance of millions of innocent people in the US and around the world.

    Reply
  34. Tomi Engdahl says:

    First smartphone ‘kill switch’ law signed in Minnesota
    http://www.theverge.com/2014/5/14/5718910/first-smartphone-kill-switch-law-signed-in-minnesota

    On July 1st, 2015, it will be illegal to sell a smartphone in Minnesota without antitheft software preinstalled. That’s because Minnesota Governor Mark Dayton just signed the first so-called “kill switch” bill into law. The idea is that if smartphone owners can always remotely disable and wipe their phones after they’re stolen, it will deter criminals from stealing them at all. It’s a feature that police departments across the country have requested, due to how popular it has become for thieves to snatch the small, high-value devices. Nationally, an estimated one in three robberies involves smartphones, according to the FCC.

    Reply
  35. Tomi Engdahl says:

    Dogecoin off the leash after Doge Vault admits server attack
    So restored. Much bare metal panic. Very insecurity
    http://www.theregister.co.uk/2014/05/16/dogecoin_off_the_leash_after_doge_vault_admits_server_attack/

    Cryptocurrency exchange Doge Vault has confirmed it has lost about seventy per cent of Dogecoin it held on its customers’ behalf.

    The outfit has updated its website to say “It is believed the attacker gained access to the node on which Doge Vault’s virtual machines were stored, providing them with full access to our systems.”

That sounds nasty, in two ways. If the attacker was able to access the physical server, all sorts of questions need to be asked of whoever it was that hosted Doge Vault’s servers. If it was possible to access the underlying virtualisation tools, it would sure be nice to know what they were so we can all scratch them off the list of kit to be considered for secure multi-tenancy rigs.

Doge Vault seems, at least, to have had some success restoring its data.

    Reply
  36. Tomi Engdahl says:

    Zurich Insurance Group and Atlantic Council Release New Recommendations from Pioneering Report on Cyber Risk, Shocks, and Resilience

    Risk Nexus
    Beyond data breaches: global interconnections of cyber risk
    http://www.zurich.com/internet/main/SiteCollectionDocuments/insight/risk-nexus-april-2014-en.pdf

    Reply
  37. Tomi Engdahl says:

    January Cyber Risk Wednesday: Cyber Resilience through Measurement
    http://www.youtube.com/watch?v=8BuKBbSwnMI

    Reply
  38. Tomi Engdahl says:

    Locking it down: Steps to Oracle database security
    A DBA guide to securing your intellectual assets
    http://www.theregister.co.uk/2014/05/16/oracle_dba_workshop_security_guide/

    How secure is your Oracle database? One of the DBA’s roles is to ensure that the database is reliable and available, and to maintain the integrity of its data. Adequate system security is a big part of that process, and the more that you can do to lock down your database, the happier your compliance department and IT director will be.

    Here are a few steps that you can take to secure your database from attack.

    Secure your configuration during setup
    Manage privileges
    Manage your passwords
    Restrict network access
    Secure data access
    Conduct regular audits

    Reply
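The six headings in that guide map onto concrete statements a DBA can run. The script below is an added example written for this page, not code from The Register article; it assumes an Oracle 11g-style database with an `hr.employees` table, an application account `app_user`, the demo account `scott`, and that `$ORACLE_HOME/rdbms/admin/utlpwdmg.sql` has already been run to create `verify_function_11g` (all of these names are assumptions). Run it in SQL*Plus as a DBA-privileged user; the `SCOPE = SPFILE` parameters take effect after a restart.

```sql
-- Added example (not from the original article): hardening an Oracle 11g-style
-- database, following the six steps above.
-- Assumptions: schema HR with table EMPLOYEES, users APP_USER and SCOTT, and
-- verify_function_11g created beforehand by running utlpwdmg.sql.

-- 1. Secure configuration: no OS-trust logins, no legacy dictionary access,
--    case-sensitive passwords, and an audit trail that records SQL text.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET sec_max_failed_login_attempts = 10 SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Manage privileges: take file and network packages away from PUBLIC, then
--    list who holds DBA or "ANY" privileges; every row needs a justification.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp FROM PUBLIC;

SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT grantee, privilege FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%' AND grantee NOT IN ('SYS', 'SYSTEM');

-- 3. Manage passwords: lock the demo account, find accounts still on vendor
--    default passwords, and enforce a password policy through a profile.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
SELECT username FROM dba_users_with_defpwd;   -- should return no rows

CREATE PROFILE secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1     -- days locked after too many failures
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function_11g;
ALTER USER app_user PROFILE secure_profile;

-- 4. Restrict network access: valid-node checking is an Oracle Net setting in
--    $ORACLE_HOME/network/admin/sqlnet.ora, not SQL; the listener applies it
--    after a reload. The addresses below are assumed application servers:
--      TCP.VALIDNODE_CHECKING = yes
--      TCP.INVITED_NODES = (10.0.1.20, 10.0.1.21)
--    Outbound PL/SQL network calls need an 11g network ACL; none is created
--    here, so UTL_HTTP and friends stay blocked for application code.

-- 5. Secure data access: expose tables through a least-privilege role rather
--    than direct grants, and never hand SELECT ANY TABLE to an application.
CREATE ROLE hr_reader;
GRANT SELECT ON hr.employees TO hr_reader;
GRANT hr_reader TO app_user;

-- 6. Conduct regular audits: record logons, account and privilege changes and
--    access to the sensitive table, then review failed logons
--    (returncode 1017 is ORA-01017, invalid username/password).
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

The two SELECTs in step 2 and the failed-logon query in step 6 are the ones worth scheduling: a new DBA grantee or a burst of ORA-01017 from an unexpected host is exactly the signal the guide's "regular audits" step is meant to surface.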
  39. Tomi Engdahl says:

NSA spying side effect: subcontractors used snooped data to win tenders

In some places the side effects of the NSA’s spying network are nothing short of absurd.

Speaking at the Privacy Days event in Berlin, former NSA technical director William Binney told startling things about the way the NSA’s contractors take advantage of the mountains of data accumulated by spying, to which they all too often had access.

On Tuesday at the European Data Protection Day in Berlin, the former technical director of the NSA, William Binney, had hardly anything good to say about his former employer. The agency’s employees get a downright “kick” out of mass surveillance, complained Binney, who retired from the agency after 11 September 2001 and became a whistleblower. This fosters “totalitarian” traits.

Connection data plays an important role in the agency’s system, because with its help detailed profiles of the persons concerned are created, who may then land on “No-Fly” or even “kill” lists.

The entire surveillance system not only permits snooping on one’s own partners as well as politicians, lawyers, journalists or even constitutional judges, but also a high degree of economic espionage. Contractors such as IT service providers or consultants have access to the data mountains, create analyses from them and can thus undercut offers from competitors, Binney said. The intelligence service would not solve the problem of this complex environment through deletion, but by “getting hold of the next contract”. Many companies live off the sprawling mass storage.

Leading NSA employees are known to lie to the public and to themselves. In addition, a secretive legal system built on convoluted constructions has emerged, which undermines the Constitution and democracy.

    Sources:
    http://www.tietoviikko.fi/uutisia/nsan+vakoilun+lieveilmio+alihankkijat+kayttivat+urkittua+dataa+voittaakseen+tarjouskilpailuita/a988157
    http://www.heise.de/newsticker/meldung/Ehemaliger-NSA-Technikchef-Der-NSA-gehoert-das-Netzwerk-2188605.html

    Reply
  40. Tomi Engdahl says:

    GCHQ grants security clearance to Samsung’s Knox mobe security
    Galaxies all round for pen-pushers… 007 will have to stick with Q’s kit
    http://www.theregister.co.uk/2014/05/16/samsung_knox_gets_official_security_clearence/

The official containerisation solution for security on Samsung phones and tablets has passed muster with GCHQ. It’s now deemed safe enough for UK government employees to get a Galaxy Note 3, Galaxy S3, S4 or Galaxy S5, all of which run the Korean firm’s KNOX software.

    This is akin to a standard business. The typical threat profile for the OFFICIAL classification is broadly similar to that faced by a large UK private company with valuable information and services.

    For SECRET levels of security, there is an approved solution which uses a special version of BlackBerry phones which show a red border in secure mode and ancient Motorola phones with Sectéra hardware encryption modules for voice. General Dynamics, which makes Sectéra, has Android solutions, but they have not been approved.

    Reply
  41. Tomi Engdahl says:

    Crypto-guru slams ‘NSA-proof’ tech, says today’s crypto is strong enough
    Reminder: The maths is good, it’s the implementation that sucks
    http://www.theregister.co.uk/2014/05/16/kiwi_prof_calls_bunk_on_nsaproof_tech_says_crypto_is_enough/

    History is filled with companies shamed by their shoddy cryptography implementations – even though the underlying maths is bang on.

    In a presentation titled “Crypto Won’t Save You” at the AusCERT conference on Australia’s Gold Coast, respected cryptographer Peter Gutmann of the University of Auckland took security bods through a decade of breaches featuring a laundry list of the world’s biggest brands.

    Gutmann’s point was to demonstrate how the weakest point of cryptography was typically in its implementation rather than the maths itself. He demonstrated that consumer devices from the Amazon Kindle to the Sony Playstation and Microsoft Xbox consoles were hacked not because of weak cryptography, but due to poor deployment of security mechanisms, which were bypassed by attackers.

    Many more systems have been broken due to poor implementations. The crypto used by lower-end ransomware to encrypt victims’ files can be broken by security pros, allowing the documents to be rescued without having to pay the ransom.

    “Crypto is not any good to you when it can be so easily bypassed. The lesson is you need to secure every part of the system and not just throw crypto at one bit and assume that you’ll be safe.”

    “There were so many other ways to render DKIM ineffective that no one bothered attacking the crypto,”

    “We don’t need any new NSA-proof protocols. Any well-designed, appropriately-deployed protocol is NSA-proof,”

    Reply
  42. Tomi Engdahl says:

    Chilling Effects
    A joint project of the Electronic Frontier Foundation and Harvard, Stanford, Berkeley, University of San Francisco, University of Maine, George Washington School of Law, and Santa Clara University School of Law clinics.
    https://www.chillingeffects.org/

    Do you know your online rights? Have you received a letter asking you to remove information from a Web site or to stop engaging in an activity? Are you concerned about liability for information that someone else posted to your online forum? If so, this site is for you.

    Chilling Effects aims to help you understand the protections that the First Amendment and intellectual property laws give to your online activities.

    Reply
  43. Tomi Engdahl says:

    German Regulator Says Google Promises ‘Right to be Forgotten’ Mechanism in Two Weeks
    http://blogs.wsj.com/digits/2014/05/15/german-regulator-says-google-promises-right-to-be-forgotten-mechanism-in-two-weeks/

Google Inc. will create a mechanism for German users to request the removal of links to information about them from the company’s popular search engine within the next two weeks, German privacy officials said Thursday, a sign that Google is moving quickly to implement a landmark decision from Europe’s top court that users have a right to such removals.

    “They promised to come up with a process within two weeks for users to log their complaints,”

    Reply
  44. Tomi Engdahl says:

    Google: Report other legal removal issue
    https://support.google.com/legal/contact/lr_legalother?product=websearch

    Remove information from Google
    https://support.google.com/websearch/troubleshooter/3111061?hl=en

    If you want to remove information from Google, in most cases you need to contact the webmaster of the page and ask them to delete the content in question. For a few cases, Google will remove information from our results.

    Reply
  45. Tomi Engdahl says:

    Emory University server accidentally sends reformat request to all Windows PCs, including itself
    http://thenextweb.com/shareables/2014/05/16/emory-university-server-accidentally-sends-reformat-request-windows-pcs-including/

A Windows 7 deployment image was accidentally sent to all Windows machines, including laptops, desktops, and even servers. This image started with a repartition/reformat set of tasks.

    What did we learn today? Always backup. Backup everything. Everything always.

    Reply
  46. Tomi Engdahl says:

    Quantum Random Number Generator Created Using A Smartphone Camera
    https://medium.com/the-physics-arxiv-blog/602f88552b64

Physicists have exploited the laws of quantum mechanics to generate random numbers on a Nokia N9 smartphone, a breakthrough that could have major implications for information security.

    Reply
