2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is also more advanced hacking and automated vulnerability scanning.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have grown to $2.1 billion over the past year and are forecast to reach $3.1 billion in 2015.
Marketers put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get used so much that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen lately quite a lot (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments
Tomi Engdahl says:
Mobile Banking Apps For iOS Woefully Insecure
http://it.slashdot.org/story/14/01/10/224239/mobile-banking-apps-for-ios-woefully-insecure
“Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings”
Personal banking apps leak info through phone
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
Tomi Engdahl says:
Teen Reported to Police After Finding Security Hole in Website
http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
A teenager in Australia who thought he was doing a good deed by reporting a security vulnerability in a government website was reported to the police.
Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.
“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told the paper. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”
It’s likely he used a SQL injection vulnerability, one of the most common ways to breach web sites and gain access to backend databases.
Tomi Engdahl says:
Australian Teen Reports SQL Injection Vulnerability, Gets Arrested
http://yro.slashdot.org/story/14/01/11/0248244/australian-teen-reports-sql-injection-vulnerability-gets-arrested
Comments:
I’ve been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, that happened to too many innocent people.
All of them committed one very sinful mistake – they reported the flaws to the authority, the WRONG way.
If you ever discover any vulnerability of any official website / db / whatever, don’t tell them, and don’t tell the media either.
Most of the reporters are spineless creeps who suck up to the power-that-be.
Instead, you have two options -
1. Keep quiet.
2. “leak” the info to some hacking circle and let others do the job for you.
If you ever take the 2nd option, you do need to know how to wipe off all your online traces (MAC address, IP address, and so on) so nobody, not even the hackers, can trace you.
If you leak the info, then when they go looking into the later breach and find your name linked to the IP address of a prior breach, you’ll be every bit as much a suspect as the crackers doing harm.
The problem is that the computer fraud and abuse act is too harsh — It needs an exemption / amnesty for folks who use responsible disclosure after stumbling on a flaw. The real problem is that folks in charge, like the NSA, FBI, etc. would rather you just didn’t do any hacking at all. They’d like to have a monopoly on that, so the laws won’t change.
If you’re not browsing by proxy in this day and age, you’re screwed.
The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.
If it’s not your computer and you don’t have the owner’s permission, you can’t do penetration testing without putting yourself at risk.
Tomi Engdahl says:
SHOCK REVELATION: Telstra manages its networks!
Post-Snowden reporting is getting very, very, silly
http://www.theregister.co.uk/2013/12/05/shock_revelation_telstra_manages_its_networks/
Reporting on telcos’ role in communications interception is getting very, very, silly.
Carriers operate networks. If they didn’t monitor them extensively, we’d be worse off than if they did! That the tools they use harvest lots of data about network traffic should not be news to anyone.
That they gather a lot of data that spooks could find interesting cannot be denied. That they gather a lot of data network administrators find interesting cannot be denied.
And let’s not forget that just about every piece of technology Telstra and every other business uses to operate produces log files. And those files can be analysed to produce information on who did what, when and where. Customers. Partners. Staff. Records about all of them are being created by every router, every server, every firewall.
And they’re all sitting there waiting to be analysed by someone unscrupulous – maybe even a journalist – who will use them to prove a point.
Tomi Engdahl says:
Samsung: Knox Security Gap Not Specific to Galaxy Devices
http://www.techinvestornews.com/Mobile/Latest-Mobile-News/samsung-knox-security-gap-not-specific-to-galaxy-devices
Samsung Electronics said a security gap in its Galaxy smartphone identified by an Israeli cybersecurity lab is not specific to the company’s devices.
Tomi Engdahl says:
Smart TVs, smart fridges, smart washing machines? Disaster waiting to happen
Op-ed: Hardware companies are generally bad at writing software—and bad at updating it.
http://arstechnica.com/gadgets/2014/01/smart-tvs-smart-fridges-smart-washing-machines-disaster-waiting-to-happen/
If you believe what the likes of LG and Samsung have been promoting this week at CES, everything will soon be smart. We’ll be able to send messages to our washing machines, run apps on our fridges, and have TVs as powerful as computers. It may be too late to resist this movement, with smart TVs already firmly entrenched in the mid-to-high end market, but resist it we should. That’s because the “Internet of things” stands a really good chance of turning into the “Internet of unmaintained, insecure, and dangerously hackable things.”
These devices will inevitably be abandoned by their manufacturers, and the result will be lots of “smart” functionality—fridges that know what we buy and when, TVs that know what shows we watch—all connected to the Internet 24/7, all completely insecure.
Even if we assume that these devices ship with no known flaws—a questionable assumption in and of itself if SOHO routers are anything to judge by—a few months or years down the line, that will no longer be the case. Flaws and insecurities will be uncovered, and the software components of these smart devices will need to be updated to address those problems. They’ll need these updates for the lifetime of the device, too. Old software is routinely vulnerable to newly discovered flaws, so there’s no point in any reasonable timeframe at which it’s OK to stop updating the software.
A history of non-existent updates
Herein lies the problem, because if there’s one thing that companies like Samsung have demonstrated in the past, it’s a total unwillingness to provide a lifetime of software fixes and updates. Even smartphones, which are generally assumed to have a two-year lifecycle (with replacements driven by cheap or “free” contract-subsidized pricing), rarely receive updates for the full two years (Apple’s iPhone being the one notable exception).
A typical smartphone bought today will remain useful and usable for at least three years, but its system software support will tend to dry up after just 18 months.
Tomi Engdahl says:
Hackers Steal Card Data from Neiman Marcus
http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/
Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.
The disclosure comes as many in the retail sector are seeking more information about the causes of the breach at nationwide retail giant Target, which extended from around Thanksgiving 2013 to Dec. 15, and affected some 40 million customer debit and credit cards.
Tomi Engdahl says:
Overstock makes $124K from 780 Bitcoin orders a day after giving the crypto-currency a thumbs up
http://venturebeat.com/2014/01/10/overstock-makes-124k-from-780-bitcoin-orders-within-24-hours-of-accepting-it-as-payment/
Overstock announced a partnership with popular Bitcoin wallet Coinbase yesterday, making it the largest merchant to accept Bitcoin to date. It is also one of the first major, mainstream retailers — meaning its reach extends far beyond the tech world — to accept the controversial crypto-currency.
The Bitcoin experiment is in its infancy, and it carries big risks. Bitcoin is volatile and has the potential to crash. This is part of what deters retailers. The fear is that if Bitcoin is at one price and then drops, the merchant loses money.
Coinbase is making a big effort to calm these concerns. It created a suite of merchants tools that make it easy to begin accepting Bitcoin and guarantees a certain exchange rate.
When a Bitcoin payment comes through, Coinbase immediately cashes out that Bitcoin value and transfers in dollars to the retailer. The risk is really with Coinbase, rather than Overstock.
Bitcoin has other benefits — it eliminates credit card processing fees, so it’s much cheaper for retailers than accepting payments from Visa, MasterCard, or PayPal.
Tomi Engdahl says:
Tweets and threats: Gangs find new home on the Net
http://hosted.ap.org/dynamic/stories/U/US_STREET_GANGS_SOCIAL_MEDIA?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2014-01-11-16-29-49
As social media has increasingly become part of daily life, both gangs and law enforcement are trying to capitalize on the reach of this new digital world – and both, in their own ways, are succeeding.
Social media has exploded among street gangs who exploit it – often brazenly – to brag, conspire and incite violence. They’re turning to Twitter, Facebook, YouTube and Instagram to flaunt guns and wads of cash, threaten rivals, intimidate informants and in a small number of cases, sell weapons, drugs – even plot murder.
“What’s taking place online is what’s taking place in the streets,”
The Internet does more for a gang’s brand or a gang member’s identity than word-of-mouth could ever do.”
On the crime-fighting side, “cyberbanging” or “Internet banging” – a phrase used by Desmond Patton, a University of Michigan researcher, to describe this activity – is transforming how police and prosecutors pursue gangs. Along with traditional investigative techniques, police monitor gangs online – sometimes communicating with them using aliases – and track their activities and rivalries, looking for ways to short-circuit potential flare-ups.
Tomi Engdahl says:
A Defense of Chris Christie, Courtesy of the NSA
The New Jersey governor can survive the bridge scandal by using the crisis-communications strategy of the surveillance state.
http://www.theatlantic.com/politics/archive/2014/01/a-defense-of-chris-christie-courtesy-of-the-nsa/282971/
To some readers, these talking points may seem absurd or deliberately misleading, but there isn’t any denying that so far they’re working okay for the NSA.
Tomi Engdahl says:
How the cost of cell phone surveillance can change legal privacy protections
http://news.cnet.com/8301-1009_3-57617028-83/how-the-cost-of-cell-phone-surveillance-can-change-legal-privacy-protections/
New research into the financial cost to law enforcement demonstrates just how cheap it is to track a suspect with a cell phone, and how those figures can affect the legal barriers protecting privacy.
Tomi Engdahl says:
Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones
http://www.yalelawjournal.org/the-yale-law-journal-pocket-part/constitutional-law/tiny-constables-and-the-cost-of-surveillance:-making-cents-out-of-united-states-v.-jones/
Tomi Engdahl says:
Hackers gain ‘full control’ of critical SCADA systems
By Darren Pauli on Jan 10, 2014 10:06 AM
http://www.itnews.com.au/News/369200,hackers-gain-full-control-of-critical-scada-systems.aspx
Over 60,000 exposed control systems found online.
Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.
Positive Research chief technology officer Sergey Gordeychik and consultant Gleb Gritsai detailed vulnerabilities in Siemens WinCC software which was used in industrial control systems including Iran’s Natanz nuclear plant that was targeted by the US Stuxnet program.
“We don’t have big experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks,” Gordeychik told SC Magazine.
But it wasn’t just industrial systems that were affected; the researchers found some 60,000 ICS devices — many which were home systems — exposed to the public internet and at risk of attack.
Tomi Engdahl says:
The Cloud: A Prescription for Data Security
Peak 10 | December 18,2013 | News
http://www.peak10.com/blog/post/the-cloud-a-prescription-for-data-security?utm_source=News&utm_medium=cpc-pk10mkto-2988&utm_campaign=datasecurity1#.UtL_7PuAq9I
It seems ironic, then, that many healthcare organizations have been hesitant to move their data and applications to the cloud because of security concerns. In actuality, the bigger threats often reside in their own offices.
Topping it is theft and unauthorized access or disclosure.
That’s not to say the cloud is the perfect solution. However, if a laptop or mobile device is stolen, the thieves can’t access patient data if it’s stored in the cloud instead of on a device.
There are legitimate concerns about cloud security, however. Data stored in the cloud typically resides in a multi-tenant environment, and shares virtualized server space with data from other customers. An inherent risk of multi-tenancy is the potential failure of isolation mechanisms that separate memory, storage and routing between tenants.
Tomi Engdahl says:
F-Secure’s Hypponen: Bitcoin is already the most important economic option for cyber criminals
“Stopping governmental network attacks is a bit like trying to stop James Bond,” said security company F-Secure’s Chief Research Officer Mikko Hypponen.
“One can try to protect against them, but there is no guarantee of success.”
Network espionage is increasing as more and more companies and governments are reachable over a network connection.
Cybercrime, again, is first and foremost a business, so the criminals are interested in where money changes hands.
“Bitcoin mining with capacity hijacked by cyber criminals is the most important economic option,” claimed Hypponen.
Source: http://www.tietoviikko.fi/uutisia/fsecuren+hypponen+bitcoin+on+jo+verkkorikollisten+tarkein+ansaintakeino/a958839
Tomi Engdahl says:
Exclusive: More well-known U.S. retailers victims of cyber attacks – sources
http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112
Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.
Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, according to the people familiar with the attacks.
Those breaches have yet to come to light.
Tomi Engdahl says:
Hacked Cybercrime Forum Exposes Nearly 20,000 “Bad Actors”
http://www.securityweek.com/hacked-cybercrime-forum-exposes-nearly-20000-bad-actors
Cyber-criminals targeted an online community and stole member information and login credentials from the site’s forum database late Tuesday. What sets this attack apart from similar data breaches is the fact that the victims were part of a community of Eastern European cyber-criminals.
“Verified” happens to be one of the largest online communities for Eastern European cyber-criminals, according to security firm IntelCrawler,
This incident shows the cyber-crime community is just as vulnerable to attack as legitimate businesses and ordinary Internet users, IntelCrawler researchers said.
Law enforcement types would be able to use the profile information as a form of “deep e-crime intelligence” and make some arrests, the researchers speculated.
Unpatched Software a Risk
Every data breach is a learning opportunity, and this incident is no different, highlighting patching and software vulnerability management.
Tomi Engdahl says:
Half of the online stores have been stuck all day
Online shopping has been impossible in a large part of Finnish online stores during Sunday. The payment blockage is due to a failed software update in the Paytrail payment service systems run by Cygate. Paytrail’s service is supposed to have a dual-system backup, which in this case has not worked.
Source: YLE
http://yle.fi/uutiset/puolet_verkkokaupoista_on_ollut_jumissa_koko_paivan/7027005
Tomi Engdahl says:
Target Confirms Point-of-Sale Malware Was Used in Attack
http://www.securityweek.com/target-confirms-point-sale-malware-was-used-attack
According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.
“While Steinhafel said the full extent of what transpired is not yet known, what Target does know is that malware was installed on the company’s point of sale registers,” Quick wrote Sunday evening.
According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season.
“Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target,” Reuters reported, citing sources familiar with the attacks. “Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.”
After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the payment process.
Memory parser malware targets payment card data being processed “in the clear” (unencrypted) in a system’s random access memory (RAM).
“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.
“These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”
Visa first warned about these types of attacks targeting grocery merchants, but said every merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found targeting only Windows-based operating systems.
Tomi Engdahl says:
The Next Data Privacy Battle May Be Waged Inside Your Car
http://www.nytimes.com/2014/01/11/business/the-next-privacy-battle-may-be-waged-inside-your-car.html?pagewanted=all&_r=0
Cars are becoming smarter than ever, with global positioning systems, Internet connections, data recorders and high-definition cameras. Drivers can barely make a left turn, put on their seatbelts or push 80 miles an hour without their actions somehow, somewhere being tracked or recorded.
Automakers say they are only responding to consumer demand, and besides, they and regulators say, the new technologies help them better understand consumers and make the cars safer. But privacy advocates increasingly see something more unsettling for drivers: that someone is always watching.
Now two senators are trying to give car owners more say over some of that data.
“We’ve got real privacy concerns on the part of the public,” Senator Hoeven said in a telephone interview. “People are very concerned about their personal privacy, especially as technology continues to advance,” he said, referring to revelations of spying by the National Security Agency. Fourteen states have already passed similar laws.
“Manufacturers do a poor job of informing consumers and explaining the privacy implications of new technology,” said Khaliah Barnes of the Electronic Privacy Information Center, a consumer group based in Washington. “Often, that information is in the owner’s manual, and when’s the last time you thumbed through your owner’s manual?”
Tomi Engdahl says:
Banking apps: insecure and badly written, say researchers
Buggy code, bad security
http://www.theregister.co.uk/2014/01/13/banking_apps_insecure_and_badly_written_say_researchers/
Security researchers IOActive are warning that many smartphone banking apps are leaky and need to be fixed.
Tomi Engdahl says:
Transparency Report: Government removal requests continue to rise
http://googleblog.blogspot.fi/2013/12/transparency-report-government-removal.html
Tomi Engdahl says:
Easy email encryption
LEAP hopes its open-source, encrypted email will be useful for journalists and newsrooms
http://www.cjr.org/behind_the_news/leap_email.php?page=all
Email, that daily workflow staple, is becoming a real problem in this post-Snowden era. Or rather, it always has been an issue—but many of us are just becoming aware of just how big of one it is. Service providers can be forced to hand over customer data to government agencies or might shut down to avoid doing so; accounts can get hacked; communications can be intercepted—we all know now what goes on in the NSA. But the most widely trusted method of encryption, industry veteran Pretty Good Privacy, has a pretty steep learning curve, both in understanding the abstract concepts involved and the actual step-by-step process. Why can’t it just be easy?
This is the challenge that the LEAP Encryption Access Project might just meet. Established by a grant from the Open Technology Fund, LEAP is a nonprofit group of developers working to make encrypted digital communication easy, and free.
LEAP isn’t itself an email service provider. It’s encryption software that you download and install and then use in conjunction with an email client like Thunderbird, Apple Mail, or Outlook. But what makes LEAP different from other secure email setups, like the PGP interface Enigmail for instance, is that it automates the key-exchange part of the encryption process, which is probably the most cumbersome component. LEAP also makes sure that the service provider never has access to your data, because the encrypting and de-encrypting all happens on your computer.
Unfortunately, all this security does have a slight trade-off. The LEAP setup means that you won’t be able to log in to your email through a typical Web browser; you have to access it through the software on your computer.
The stakes are undeniably high—not least for journalists working with sensitive material. “Like free speech, the right to whisper is a necessary precondition for a free society,” reads the LEAP website. “Without it, civil society and political freedom become impossible. As the importance of digital communication for civic participation increases, so does the importance of the ability to digitally whisper.”
Tomi Engdahl says:
Exclusive: More well-known U.S. retailers victims of cyber attacks – sources
http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112
SCRAPING MEMORY
Target has not disclosed how the attackers managed to breach its network or siphon off some of its most sensitive data.
The sources who spoke to Reuters about the breaches said that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from Target and other retailers.
One of the pieces of malware they used was something known as a RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said.
While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.
DELAYED DISCLOSURE
Retailers are often reluctant to report breaches out of concern it could hurt their businesses.
Doug Johnson, vice president of risk management policy with the American Bankers Association, said banks and credit card firms like Visa are forbidden from naming merchants that have been breached, unless they disclose it themselves.
“It is really frustrating to the bank and also the customer,” Johnson said.
“Target was not the only retailer who got hit, but they got hit the biggest,” Litan said.
Tomi Engdahl says:
LEAP Encryption Access Project
https://leap.se/en/home
LEAP is a non-profit dedicated to giving all internet users access to secure communication. Our focus is on adapting encryption technology to make it easy to use and widely available.
Tomi Engdahl says:
Syrian Electronic Army claims Microsoft as its latest victim
Twitter account falls, emails snarfed
http://www.theinquirer.net/inquirer/news/2322417/syrian-electronic-army-claims-microsoft-as-its-latest-victim
POLITICAL HACKTIVIST OUTFIT the Syrian Electronic Army (SEA) has claimed Microsoft as its latest victim.
Earlier this month the SEA took over Skype’s twitter account and blog and posted a message about NSA surveillance.
Previous victims of the SEA have included BBC Weather, Huffington Post, Fox News, the Telegraph and the Associated Press.
Tomi Engdahl says:
Were we just hacked? Applying digital forensic techniques for your industrial control systems
https://event.webcasts.com/starthere.jsp?ei=1027566&utm_source=emailcampaign1069&utm_medium=phpList
Companies that have had their industrial networks attacked from the outside usually don’t realize it at all, or if they do, that knowledge probably comes a year or more after the initial incident. Why? Companies don’t understand their own networks well enough to know when something is happening that shouldn’t be happening. There is no practical way to apply concepts of digital forensic investigation if you don’t understand your own networks.
Tomi Engdahl says:
People treat information security like heart attacks – “it can’t happen to me”
Security is understood at the theoretical level, but its real meaning is not grasped, claims author and security adviser John Sileo.
Not many people would be willing to hand their purse to a stranger. A credit card in the wallet inside that handbag can, in the wrong hands, mean huge financial damage. The contents of the bag could also reveal information about the owner’s family that is not meant for outsiders.
Still, according to Sileo, people trust the network with almost all of their information and are ready to hand it over to one site after another almost without thinking about the consequences.
“Information is money. The less you use it, the more of it you have.”
People know about best practices and about the risks looming online. They just aren’t taken seriously until it is too late.
“It can’t happen to me. That is what everyone says about heart attacks too,”
The problem can be solved by putting into practice the principles that the majority of network users already know.
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/ihmiset+suhtautuvat+tietoturvaan+kuin+sydankohtauksiin++quotei+se+voi+minulle+tapahtuaquot/a950413
Tomi Engdahl says:
Dropbox outage was caused by ‘buggy’ upgrade: DDoS us? You hardly know us…
1775Sec: Um, we were trolling for, er, Aaron Swartz…
http://www.theregister.co.uk/2014/01/13/dropbox_outage_trolling/
Pranksters latched onto an outage at Dropbox on Friday to push false rumours of a politically motivated hack.
A group calling itself 1775Sec claimed that it had taken advantage of a vulnerability to knock out the widely used sync-and-share service.
Dropbox denied the claim on Sunday, stating that the outage had happened after routine maintenance went awry and apologising for the resulting problems.
1775Sec withdrew claims of a cyber attack even before Dropbox’s initial denials, stating that its boasts were a ruse designed to expose credulous tech reporting.
“Did anyone bother to do some research. lol. We made the Internet Reporters look like fools! That is what we did in your honor Aaron Swartz,”
Tomi Engdahl says:
Target hack adds up to 110 million affected punters
Oh for goodness sake
http://www.theinquirer.net/inquirer/news/2322451/target-hack-adds-up-to-110-million-affected-punters
While that 40 million number applied to actual purchasers, the firm says that 70 million ‘guests’ might also have been affected.
110 million is a large number of people.
Target said that it will provide customers with free credit monitoring and that customers will not be expected to cough up for any purchases made with their details that were used fraudulently.
It also reminded its customers to monitor their financial accounts and watch out for fraudulent activity.
Tomi Engdahl says:
I Spent Two Hours Talking With NSA’s Big Wigs. Here’s What’s Got Them Mad
http://www.wired.com/threatlevel/2014/01/nsa-surveillance/
They really hate Snowden. The NSA is clearly, madly, deeply furious.
The dual mission of the NSA generates cognitive dissonance. Right on its home page, the NSA says its core missions are “to protect U.S. national security systems and to produce foreign signals intelligence information.” The officials repeatedly claimed they pursue both responsibilities with equal vigor.
There’s a built-in conflict here: If U.S. industries distribute strong encryption throughout the world, it should make the NSA’s signals-gathering job much harder. Yet the NSA says it welcomes encryption.
Nonetheless, the Snowden leaks indicate that the NSA has engaged in numerous efforts that tamper with the security of American products. The officials resisted this characterization. Why, they asked, would they compromise security of products they use themselves, like Windows, Cisco routers, or the encryption standards they allegedly compromised?
They believe their intelligence gathering is palatable because it’s controlled by laws, regulations, and internal oversight. Looking at the world through their eyes, there is no privacy threat in collecting massive amounts of information — if access to that information is rigidly controlled and minimalized.
They really hate Snowden. The NSA is clearly, madly, deeply furious at the man whose actions triggered the biggest crisis in its history.
The NSA has an admittedly insular culture — the officials described it as almost like a family.
Tomi Engdahl says:
Scans Increase for New Linksys Backdoor (32764/TCP)
https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336
We do see a lot of probes for port 32764/TCP. According to a post to GitHub from 2 days ago, some Linksys devices may be listening on this port, enabling full unauthenticated admin access.
TCP/32764 backdoor
Or how linksys saved Christmas!
https://github.com/elvanderb/TCP-32764/raw/master/backdoor_description_for_those_who_don-t_like_pptx.pdf
Unknown service listening on TCP/32764
•Responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any requests.
Let’s get the firmware!
So if you need an access to the admin panel….
some codes and notes about the backdoor listening on TCP-32764 in linksys WAG200G.
https://github.com/elvanderb/TCP-32764
According to https://www.cert.fi/tietoturvanyt/2014/01/ttn201401031811.html the vulnerability can be found in the following devices:
Linksys: WAG54G2, WAG120N, WAG160N, WAG200G, WAG320N
Netgear: DM111Pv2, DGN1000 N150, DGN2000B, DGN3500, DG834G v2, DG834 v3.
The service is open on the LAN side, and on some devices also on the WAN side.
There is a tool available that allows one to control the device, for example to change the password and reset the device to factory settings.
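For checking whether a router you administer is exposing this service, here is an added example (not code from the elvanderb/TCP-32764 repository or from CERT-FI): it connects to TCP/32764 on the given host, reads the first bytes of the reply and compares them with the banner quoted in the write-up above, sending no commands. The fake_device helper, which answers one local connection with a supplied reply, is constructed here so the check can be exercised offline; the function names and the 'closed / open-no-banner / backdoor' result labels are this example's own.

```python
"""Fingerprint the TCP/32764 banner on a host you administer.

Added example, not code from the TCP-32764 repository: it only reads the
reply and matches it against the banner documented in the write-up
("ScMM" followed by \xff\xff\xff\xff \x00\x00\x00\x00). Run it against the
LAN address and, from outside, the WAN address of your own router.
"""
import contextlib
import socket
import threading

BACKDOOR_PORT = 32764
BANNER_PREFIX = b"ScMM"   # quoted in the write-up
BANNER_LEN = 12           # "ScMM" + 4 bytes 0xff + 4 bytes 0x00


def looks_like_backdoor(reply: bytes) -> bool:
    """True if the reply starts with the documented 12-byte banner."""
    return len(reply) >= BANNER_LEN and reply[:4] == BANNER_PREFIX


def probe(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> str:
    """Return 'closed', 'open-no-banner' or 'backdoor' for host:port."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, unreachable, timed out
        return "closed"
    reply = b""
    with s:
        s.settimeout(timeout)
        try:
            # The write-up says any request gets the banner; a newline is harmless.
            s.sendall(b"\n")
            while len(reply) < BANNER_LEN:
                chunk = s.recv(BANNER_LEN - len(reply))
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass                         # timeout or reset: judge what arrived
    return "backdoor" if looks_like_backdoor(reply) else "open-no-banner"


@contextlib.contextmanager
def fake_device(reply: bytes):
    """Constructed stand-in: a local listener that answers one connection with reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)
                conn.recv(64)            # wait for the probe's request bytes
                conn.sendall(reply)
        except OSError:
            pass

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        yield srv.getsockname()[1]       # ephemeral port the fake device listens on
    finally:
        srv.close()
        t.join(timeout=5)


if __name__ == "__main__":
    banner = b"ScMM\xff\xff\xff\xff\x00\x00\x00\x00"
    with fake_device(banner) as port:
        print("fake device:", probe("127.0.0.1", port))   # backdoor
    print("router:", probe("192.168.1.1"))                # your own gateway
```

A 'closed' result from the WAN side is what you want; 'backdoor' on either side means the device should be firewalled at once and the firmware replaced or the vendor's fix applied, since the same reply is what the scanners mentioned in the ISC diary are looking for.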
Tomi Engdahl says:
Vulnerability leaves Cisco small biz routers wide open to attack
Exploit code available, but no patch until end of the month
http://www.theregister.co.uk/2014/01/14/cisco_small_business_router_flaw/
A number of Cisco networking products for small businesses contain critical vulnerabilities that could allow attackers to gain root access to the equipment, the networking giant has warned.
The affected products include the WAP4410N Wireless-N Access Point, the WRVS4400N Wireless-N Gigabit Security Router, and the RVS4000 4-port Gigabit Security Router, Cisco said in a security advisory issued late on Friday.
Tomi Engdahl says:
Modern spying 101: How NSA bugs Chinese PCs with tiny USB radios – NYT
Project ‘Quantum’ pwns air-gapped computers with mysterious devices
http://www.theregister.co.uk/2014/01/15/nsa_quantum_radio_compromize/
The NSA has compromised almost 100,000 computers around the world in its quest to get its tentacles into air-gapped computers operated by adversaries such as the Chinese Army.
The revelation was made by the New York Times in a report published on Tuesday based on documents released by Edward Snowden.
uses a “covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards.”
These ghastly widgets sometimes pass data onto a briefcase-sized relay point named “Nightstand” that can be used up to eight miles away, and can feed data packets back to the compromised host.
Tomi Engdahl says:
N.S.A. Devises Radio Pathway Into Computers
http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?partner=rss&emc=rss&smid=tw-nytimesworld&module=ArrowsNav&contentCollection=U.S.&action=keypress&region=FixedLeft&pgtype=article&_r=0
The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.
The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers.
The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.
There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States. While refusing to comment on the scope of the Quantum program, the N.S.A. said its actions were not comparable to China’s.
“N.S.A.’s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets in response to intelligence requirements,” Vanee Vines, an agency spokeswoman, said in a statement.
Tomi Engdahl says:
‘You win, Kanye’: Coinye creators throw in towel after rapper sues
This time, Kanye West is not gonna let them finish
http://www.theregister.co.uk/2014/01/15/coinye_cancelled/
The short and turbulent life of Coinye, the digital cryptocurrency named after rapper Kanye West, has come to an end.
Tomi Engdahl says:
Target Hackers Have More Data Than They Can Sell
http://it.slashdot.org/story/14/01/15/0156201/target-hackers-have-more-data-than-they-can-sell
“The hackers who stole millions of credit card numbers from Target customers are probably ‘laying low knowing that everyone is looking for them,’”
“it’s also likely that they can’t sell them”
Tomi Engdahl says:
When Google closes the Nest deal, privacy issues for the internet of things will hit the big time
http://gigaom.com/2014/01/13/when-google-closes-the-nest-deal-privacy-issues-for-the-internet-of-things-will-hit-the-big-time/
Summary:
Google intends to buy a connected thermostat that knows when you’re home and where you are within it. Given Google’s quest to index all the world’s information, this deal should jumpstart the conversation about privacy and the internet of things.
Google rocked the smart home market Monday with its intention to purchase connected home thermostat maker Nest for $3.2 billion, which will force a much-needed conversation about data privacy and security for the internet of things.
It’s a conversation that has seemingly stalled as advocates for the connected home expound upon the benefits in convenience, energy efficiency and even the health of people who are collecting and connecting their data and devices together through a variety of gadgets and services. On the other side are hackers and security researchers who warn how easy some of the devices are to exploit — gaining control of data or even video streams about what’s going on in the home.
But when a company like Google — which has had numerous run-ins over privacy in the U.S. and abroad — plans to buy a company that makes products equipped with motion detectors that track what’s happening inside the home, it’s time that conversation about privacy and the internet of things takes a step forward.
More information:
http://gigaom.com/2014/01/13/the-winners-and-losers-in-googles-acquisition-of-nest/
http://investor.google.com/releases/2014/0113.html
http://gigaom.com/2014/01/13/breaking-google-acquires-digital-device-maker-nest-for-3-2b/
http://tech.slashdot.org/story/14/01/13/2256228/google-buys-home-automation-company-nest
http://www.theregister.co.uk/2014/01/13/google_buys_smart_home_device_builder_nest_for_32_beeelion_in_cash/
http://www.tietokone.fi/artikkeli/uutiset/googlen_suuri_yritysosto_nest_kalliimpi_kuin_youtube
http://www.tietoviikko.fi/kaikki_uutiset/google+alkaa+nuuskia+koteja+uusilla+vempeleillaan/a959351
http://techcrunch.com/2014/01/13/nest-says-customer-data-from-devices-will-only-be-used-for-nest-products-and-services/
https://nest.com/blog/2014/01/13/welcome-home/
http://recode.net/2014/01/13/google-acquires-nest-for-3-2b/
http://daringfireball.net/2014/01/googles_acquisition_of_nest
http://www.wired.com/business/2014/01/google-nest-buy/
http://www.theinquirer.net/inquirer/news/2322719/google-spends-usd32bn-feathering-its-nest
http://www.elektroniikkalehti.fi/index.php?option=com_content&view=article&id=833:google-panostaa-kotiautomaatioon&catid=13&Itemid=101
http://techcrunch.com/2014/01/13/nest-investors-strike-it-rich/?source=gravity
http://www.mercurynews.com/business/ci_24834727/palo-altos-nest-labs-reportedly-raising-at-least
Tomi Engdahl says:
Firefox, which is 100% open source, has a critical security advantage over all other browsers
http://brendaneich.com/2014/01/trust-but-verify/
http://www.theregister.co.uk/2014/01/14/eich_urges_open_source_surveillance_audits/
Tomi Engdahl says:
Out in the Open: An NSA-Proof Twitter, Built With Code From Bitcoin and BitTorrent
http://www.wired.com/wiredenterprise/2014/01/twister/
Tomi Engdahl says:
Mathematical Model Helps Estimate Optimal Timing of Cyber Attack
http://it.slashdot.org/story/14/01/14/0353208/mathematical-model-helps-estimate-optimal-timing-of-cyber-attack
http://news.sciencemag.org/technology/2014/01/cyberwar-surprise-attacks-get-mathematical-treatment
http://www.theregister.co.uk/2014/01/14/us_researchers_develop_decision_model_for_cyberattacks/
Tomi Engdahl says:
Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness campaign
It’s meant to be ‘accessible’, so don’t point and laugh
http://www.theregister.co.uk/2014/01/14/uk_gov_initiative_cyber_streetwise/
THOUSANDS of UK.gov Win XP PCs to face April hacker storm… including boxes at TAXMAN, NHS
FOIs reveal bureaucrats losing switchover race by widest margin
http://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss/
Tomi Engdahl says:
Canadian Spy Agency: We Spied on Canadian Residents “Incidentally”
http://www.dailytech.com/Canadian+Spy+Agency+We+Spied+on+Canadian+Residents+Incidentally/article34117.htm
This is the first time the CSE has admitted to spying on Canadians while looking for foreign targets
Leaks by former U.S. National Security Agency (NSA) contractor Edward Snowden have brought many reviews, questions and even forthcoming changes to the government agency. Now, it looks like Canada’s foreign intelligence agency could receive similar treatment as its actions have now come under the microscope as well.
According to the Ottawa Citizen, the Communications Security Establishment Canada (CSE) — which is Canada’s spy agency — admitted that it has “incidentally” spied on Canadians while searching for foreign intelligence.
This is the first time the CSE has admitted to spying on Canadians.
Tomi Engdahl says:
PayPal President Says Company ‘Believes’ in Bitcoin
http://www.wired.com/wiredenterprise/2014/01/paypal_bitcoin/
PayPal president David Marcus is trying to make nice with bitcoin, the digital currency that could ultimately become a big competitor to his company’s massively popular online payments service.
Today, on Twitter, he said the folks at PayPal are in fact “believers” in bitcoin and that the company supports the sale of bitcoin mining rigs, the machines that help drive the worldwide open source software system that is bitcoin. It’s yet another sign that the influence of bitcoin is expanding — and that existing tech outfits like PayPal have no choice but to respond.
Tomi Engdahl says:
US BACKDOORED our satellites, claim UAE
French sat contract at risk
http://www.theregister.co.uk/2014/01/06/us_backdoored_our_satellites_claim_uae/
A French contract to supply intelligence satellites to the United Arab Emirates could be cancelled, with the UAE claiming it’s discovered backdoors in US-supplied components of the birds.
Defence News, which broke the story, claims that the $US930 million contract could be scrapped, according to high-level UAE sources, if the issue can’t be resolved. That would be a blow for prime contractor Airbus Defence and Space, and payload maker Thales Alenia Space.
Defence News says the backdoors would “provide a back door to the highly secure data transmitted to the ground station”. An unnamed UAE source says the discovery of the components has been reported to Sheikh Mohammed Bin Zayed, deputy supreme commander of the UAE’s armed forces.
Along with a ground station, the Pleiades-type satellites, known as Falcon Eye, are due for delivery in 2018.
Tomi Engdahl says:
Edward Snowden To Join Daniel Ellsberg, Others on Freedom of the Press Foundation’s Board of Directors
https://pressfreedomfoundation.org/blog/2014/01/edward-snowden-join-daniel-ellsberg-others-freedom-press-foundations-board-directors
Freedom of the Press Foundation was founded in 2012 in part to build a movement to support and strengthen the First Amendment and defend those who are on the front lines holding power to account.
FPF co-founder Glenn Greenwald said: “We began this organization to protect and support those who are being punished for bringing transparency to the world’s most powerful factions or otherwise dissent from government policy. Edward Snowden is a perfect example of our group’s purpose, as he’s being persecuted for his heroic whistleblowing, and it is very fitting that he can now work alongside us in defense of press freedom, accountability, and the public’s right-to-know.”
Ellsberg added: “The secrecy system in this country is broken. No one is punished for using secrecy to conceal dangerous policies, lies, or crimes, yet concerned employees who wish to inform the American public about what the government is doing under their name are treated as spies.”
Freedom of the Press Foundation was founded in 2012 to support and defend aggressive, public-interest journalism dedicated to transparency and accountability.
Tomi Engdahl says:
Donate to Support Encryption Tools for Journalists
https://pressfreedomfoundation.org/
Protecting the digital communications of journalists is now one of the biggest press freedom challenges in the 21st Century. A record number of whistleblowers have recently been prosecuted in large part because the government thinks it can now obtain email and phone records detailing sources talking to journalists, without ever attempting to force the journalist to testify in court.