Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA had surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is also more advanced hacking and automated vulnerability scanning.
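As an added example (not code from the original post or from Incapsula): a small Python script that measures the share of bot traffic in a web server access log, separating self-declared crawlers from clients whose behaviour (no User-Agent, bursts of 404s from path probing, repeated form POSTs) looks like the link-spamming and vulnerability-scanning bots mentioned above. The log lines are constructed and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log in Combined Log Format (not real traffic):
# one browser user, one self-declared crawler, one path-probing scanner that
# sends no User-Agent, and one client hammering a comment form.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jan/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/31.0 Safari/537.36"
203.0.113.10 - - [03/Jan/2014:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/31.0 Safari/537.36"
198.51.100.7 - - [03/Jan/2014:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [03/Jan/2014:10:00:06 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [03/Jan/2014:10:00:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [03/Jan/2014:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [03/Jan/2014:10:00:08 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [03/Jan/2014:10:00:08 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "-"
192.0.2.99 - - [03/Jan/2014:10:01:00 +0000] "POST /blog/comment HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.99 - - [03/Jan/2014:10:01:01 +0000] "POST /blog/comment HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.99 - - [03/Jan/2014:10:01:01 +0000] "POST /blog/comment HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Crawlers that announce themselves; verifying that the IP really belongs to the
# claimed crawler (reverse DNS) is left out here.
DECLARED_BOT_RE = re.compile(r"bot|crawler|spider|slurp", re.IGNORECASE)

# Assumed thresholds for illustration; tune them per site.
BURST_MIN, BURST_WINDOW_S = 3, 5   # >= 3 requests inside 5 seconds
NOT_FOUND_MIN = 3                  # >= 3 404s from one client: path probing
REPEAT_POST_MIN = 3                # >= 3 POSTs to the same path: automated spam


def parse_log(text):
    """Parse CLF lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def classify_clients(entries):
    """Return {ip: (verdict, [reasons])} with verdict in
    human / declared-bot / suspicious-bot."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        uas = {e["ua"] for e in reqs}
        if any(DECLARED_BOT_RE.search(ua) for ua in uas):
            verdicts[ip] = ("declared-bot", ["self-identifying crawler user-agent"])
            continue
        reasons = []
        if "-" in uas or "" in uas:
            reasons.append("empty user-agent")
        not_found = sum(1 for e in reqs if e["status"] == 404)
        if not_found >= NOT_FOUND_MIN:
            reasons.append(f"{not_found} 404s (path probing)")
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        if len(reqs) >= BURST_MIN and span <= BURST_WINDOW_S:
            reasons.append(f"{len(reqs)} requests in {span:.0f}s")
        posts = Counter(e["path"] for e in reqs if e["method"] == "POST")
        if posts and posts.most_common(1)[0][1] >= REPEAT_POST_MIN:
            path, n = posts.most_common(1)[0]
            reasons.append(f"{n} POSTs to {path}")
        verdicts[ip] = ("suspicious-bot", reasons) if reasons else ("human", [])
    return verdicts


def traffic_share(entries, verdicts):
    """Return {verdict: (request count, percent of all requests)}."""
    counts = Counter(verdicts[e["ip"]][0] for e in entries)
    total = sum(counts.values())
    return {k: (v, round(100.0 * v / total, 1)) for k, v in counts.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    verdicts = classify_clients(entries)
    for ip, (verdict, reasons) in sorted(verdicts.items()):
        print(f"{ip:14} {verdict:15} {'; '.join(reasons)}")
    for verdict, (n, pct) in traffic_share(entries, verdicts).items():
        print(f"{verdict:15} {n:3} requests {pct:5.1f}%")
```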

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues. The values of crypto-currencies fluctuate a lot, and the value can easily drop considerably once they become used enough that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    CloudFlare Teams Up With 15 NGOs To Protect Citizen Journalists And Activists From DDoS Attacks
    http://techcrunch.com/2014/06/12/cloudflare-teams-up-with-15-ngos-to-protect-citizen-journalists-and-activists-from-ddos-attacks/

    A lot of political speech now happens online, but that also makes it very vulnerable to DDoS attacks from those who don’t agree with a given viewpoint. Many of these sites are hosted by individual journalists (and citizen journalists, if you want to make that distinction) and artists, who likely don’t have the infrastructure and knowledge to protect themselves against these attacks.

    To help keep these sites operating, online security and CDN service CloudFlare today announced Project Galileo, a partnership with 15 NGOs to help it identify and protect sites around the world that are under attack. These NGOs include Access, the ACLU, the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology, Mozilla, the Committee to Protect Journalists and the Freedom of the Press Foundation.

    “We had bullies censor important journalism because we didn’t recognize the importance of it,” Prince noted. “But it’s also impossible to expect that somebody who is an ops guy is also a multi-lingual political scientist.”

  2. Tomi Engdahl says:

    NSA: Our systems are so complex we can’t stop them from deleting data wanted for lawsuit
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/06/09/nsa-our-systems-are-so-complex-we-cant-stop-them-from-deleting-data-wanted-for-lawsuit/

    The National Security Agency recently used a novel argument for not holding onto information it collects about users’ online activity: it’s too complex.

    The agency is facing a slew of lawsuits over its surveillance programs, many launched after former NSA contractor Edward Snowden leaked information on the agency’s efforts last year. One suit that pre-dates the Snowden leaks, Jewel v. NSA, challenges the constitutionality of programs that the suit alleges collect information about Americans’ telephone and Internet activities.

    barring the government from destroying data that the Electronic Frontier Foundation had asked be preserved for that case

    But the NSA argued that holding onto the data would be too burdensome. “A requirement to preserve all data acquired under section 702 presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information,” wrote NSA Deputy Director Richard Ledgett in a court filing submitted to the court.

    The government’s explanation raises more concerns, said Cindy Cohn, EFF’s legal director. “To me, it demonstrates that once the government has custody of this information even they can’t keep track of it anymore even for purposes of what they don’t want to destroy,” she said in an interview.

    “With the huge amounts of data that they’re gathering it’s not surprising to me that it’s difficult to keep track – that’s why I think it’s so dangerous for them to be collecting all this data en masse,” Cohn added.

    The debate over preserving data for the lawsuit puts EFF in the odd position of arguing that the government should retain data the group ultimately wants destroyed.

  3. Tomi Engdahl says:

    Ars tests Internet surveillance—by spying on an NPR reporter
    A week spent playing NSA reveals just how much data we leak online.
    http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/

  4. Tomi Engdahl says:

    Hacker claims PayPal loophole generates FREE MONEY
    Convicted hacker comes good with fraudster flowchart
    http://www.theregister.co.uk/2014/06/13/hacker_claims_paypal_loophole_generates_free_money/

    A PayPal loophole can be exploited to earn free cash according to a convicted former NASA hacker turned white hat.

    Fraudsters can double their money, says Razvan Cernaianu, by funnelling cash into a mule account before filing for a transaction refund.

    Cernaianu said he reported the loophole to PayPal’s bug bounty team which said it was an issue with its Protection Policy.

    Virtual credit cards were payment systems designed to combat online fraud by utilising temporary card numbers.

  5. Tomi Engdahl says:

    US government OKs sharper satellite images
    A long-standing restriction has been lifted to usher in better quality online mapping
    http://www.itworld.com/demand-software/422874/us-government-oks-sharper-satellite-images

    The U.S. government has lifted a long-standing restriction that meant companies like Google and Microsoft didn’t have access to the most accurate pictures taken by imaging satellites.

    Until this week, satellite operators like DigitalGlobe were prevented by law from selling images to foreign or commercial organizations in which features smaller than 50 centimeters were visible. The restriction was meant to ensure that foreign powers didn’t get access to satellite images that were too good.

    The announcement came in the same week that Google said it would buy satellite imaging start-up SkyBox Imaging for $500 million.

    SkyBox says its SkySat satellite can capture images at “sub-meter” resolution

  6. Tomi Engdahl says:

    OnePlus One debut stymied by Open SSL bug
    http://www.techtimes.com/articles/8332/20140611/oneplus-one-debut-stymied-open-ssl-bug.htm

    The Open SSL bug, which some believe could be as worrisome as the Heartbleed Bug, has forced OnePlus to delay the launch of their OnePlus One CyanogenMod-based handset. The reports come even as customers who made pre-purchases of the device were told that they would be shipping in mid to late May. Now in mid-June, no devices have been launched.

    Those customers were sent emails from OnePlus over why the smartphone had yet to be shipped, with the company worried about the Open SSL bug hampering the phone’s functionality and success if the company were to ship the devices immediately.

    While most observers argue that the Open SSL bug will not cause the overall concern that the Heartbleed Bug had on the tech world, as this one doesn’t appear to be as widespread or as invasive as the Heartbleed bug, it has forced a number of companies to look twice at their software before delivering it to the public.

    The Open SSL bug has reportedly been in the coding for 15 years before it was discovered in May.

  7. Tomi Engdahl says:

    Restaurant chain uses CARBON PAPER to fight credit card hack
    Ye olde click-clack card imprint machines are back at P.F. Chang’s China Bistro
    http://www.theregister.co.uk/2014/06/13/restaurant_chain_uses_carbon_paper_to_fight_credit_card_hack/

    Chinese restaurant chain P.F. Chang’s China Bistro has resorted to mechanical credit card imprint-capture machines after credit and debit card information was stolen from some of its 200+ restaurants.

    That investigation “is still ongoing” but has already “concluded that data has been compromised.”

    The chain admits that “credit card and debit card numbers that have been used at P.F. Chang’s are involved.”

  8. Tomi Engdahl says:

    US Pushing Local Police To Keep Quiet On Cell-Phone Surveillance Technology
    http://yro.slashdot.org/story/14/06/12/2128255/us-pushing-local-police-to-keep-quiet-on-cell-phone-surveillance-technology

    The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods, The Associated Press has learned.

  9. Tomi Engdahl says:

    US pushing local cops to stay mum on surveillance
    US pushing local police departments to keep quiet on cell-phone surveillance technology
    https://news.yahoo.com/us-pushing-local-cops-stay-174613067.html;_ylt=AwrBJR4e65lTwmEAb7zQtDMD

    Citing security reasons, the U.S. has intervened in routine state public records cases and criminal trials regarding use of the technology. This has resulted in police departments withholding materials or heavily censoring documents in rare instances when they disclose any about the purchase and use of such powerful surveillance equipment.

    Federal involvement in local open records proceedings is unusual. It comes at a time when President Barack Obama has said he welcomes a debate on government surveillance and called for more transparency about spying in the wake of disclosures about classified federal surveillance programs.

    One well-known type of this surveillance equipment is known as a Stingray, an innovative way for law enforcement to track cellphones used by suspects and gather evidence. The equipment tricks cellphones into identifying some of their owners’ account information, like a unique subscriber number, and transmitting data to police as if it were a phone company’s tower. That allows police to obtain cellphone information without having to ask for help from service providers, such as Verizon or AT&T, and can locate a phone without the user even making a call or sending a text message.

  10. Tomi Engdahl says:

    In A Further Humiliation To Microsoft, Facebook Will Not Honor ‘Do Not Track’ Signals On Internet Explorer

    Facebook will not honor the “do not track” signal being sent by Microsoft’s Internet Explorer web browser when it rolls out a new ad system across the web, according to Ad Age:
    A Facebook spokesman said that’s “because currently there is no industry consensus.”

    Read more: http://www.businessinsider.com/facebook-will-not-honor-do-not-track-2014-6#ixzz34WHECyc6

  11. Tomi Engdahl says:

    Entirely new trojan quietly wheeled into black hat forums
    Pandemiya is 25,000 lines of original password-pinching botnet badassery
    http://www.theregister.co.uk/2014/06/13/pricey_ground_up_built_malware_constantly_infects_everything/

    An RSA researcher claims to have found an entirely new trojan during his trawls of the criminal underground.

    RSA researcher Eli Marcus says the “Pandemiya” trojan comprises about 25,000 lines of fresh code. With most malware based on proven platforms, entirely new code is a rarity.

    Pandemiya is nasty: it can steal data from forms, create fake web pages and take screen shots to send back to the botmasters who deploy it.

    The software is modular and pervasive, and unique thanks to its ability to inject itself into all new processes via the Windows security registry function CreateProcess API.

    “The advent of a freshly coded new trojan malware application is not too common in the underground,”

    The good news is that Pandemiya can be removed with a little registry-tweaking and command line action

  12. Tomi Engdahl says:

    We’re ALL Winston Smith now – and our common enemy is the Big Brother State
    Private firms slurp data too? Meh
    http://www.theregister.co.uk/2014/06/11/privacy_invasion_by_the_state_is_far_worse_than_by_private_firms_worstall_weds/

    “Young people willingly give up their privacy on Google and Facebook because they have not read George Orwell’s Nineteen Eighty-Four unlike previous generations, a leading academic has warned. Noel Sharkey, professor of artificial intelligence and robotics at Sheffield University, said that large corporations were hoovering up private information and modern generations did not realize it was wrong. He said that older people who had grown up reading George Orwell’s 1984 about ‘Big Brother technology’ and ‘authoritarianism’, were in a better position to resist the creeping erosion of privacy.”

    One way of putting this is that there’s privacy and then there’s privacy.

    Then there’s the government insisting that you don’t even get the option of privacy. You cannot opt out of the data collection or of the monitoring, even if you decide that you are willing to give up some of the delights of the modern world.

    The difference here, of course, is motivation. Those guys slurping the Big Data streams couldn’t give a hoot how we get our jollies, nor what our political beliefs are. They’re just out to make a buck or two by getting us to use their services. Which we will do for as long as we think what we give up to gain those services is worth it.

    “Obviously, information is power. That means information is wealth. If we must accept yet more extreme information concentration in order to benefit from the increased safety and convenience of better transportation, then it isn’t worth it. This idea that a marked loss of democracy is worth the safety or convenience has always been dangled before us, and has always been wrong.”

    Common to both of these stories is the mistake that private sector information-gathering is the same as (and thus as dangerous as) mandatory state collection of the same data. They’re simply not the same thing at all.

    Google takes too much information? Use DuckDuckGo. Facebook too much? MySpace is still around, isn’t it? We have choices here and each of us can make our own.

  13. Tomi Engdahl says:

    Feedly hits third day of downtime as DDoS attacks continue
    No sign of attacks ending any time soon
    http://www.theinquirer.net/inquirer/news/2349403/evernote-and-deezer-fess-up-to-ddos-attacks

    RSS SERVICE Feedly has hit its third day of downtime due to continued distributed denial service (DDoS) attacks.

    Feedly’s third day of outage comes after Evernote and Deezer also warned users of DDoS attacks on their service.

    However, while some DDoS attacks are often used as a smokescreen for data theft, Evernote, Deezer and Feedly all assured subscribers that, unlike recent attacks on eBay and Spotify, no user data has been pinched, and no action needs to be taken.

  14. Tomi Engdahl says:

    Former Microsoft Employee Involved In Windows 8 Leaks Given 3-Month Sentence
    http://techcrunch.com/2014/06/12/former-microsoft-employee-involved-in-windows-8-leaks-given-3-month-sentence/

    After pleading guilty, former Microsoft employee Alex Kibkalo will pay a $100 fine and serve three months in prison for stealing trade secrets.

    Microsoft had been critical of Google reading email algorithmically to serve better ads — Google has curtailed that practice for a subset of its users in response to a lawsuit – and here was the Redmond-based software company doing it by hand.

    To its credit, Microsoft quickly instituted a new review policy that would see an external third-party oversee data retrieval.

  15. Tomi Engdahl says:

    AT&T says customer data accessed to unlock smartphones
    Social Security numbers were accessed in a bid to unlock smartphones
    http://www.itworld.com/security/422883/att-says-customer-data-accessed-unlock-smartphones

    June 12, 2014, 5:06 PM — Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed.

    The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators.

    “We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization,” the company said in a statement.

  16. Tomi Engdahl says:

    From the report, Gartner states:

    Products must be able to support single-enterprise firewall deployments and large and/or complex deployments, including branch offices, multitiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions.

    Through 2018, more than 75% of enterprises will continue to seek network security from a different vendor than their network infrastructure vendor.

    Source: http://connect.paloaltonetworks.com/gartner-mq-2014

  17. Tomi Engdahl says:

    Yes. Facebook will KNOW you’ve been browsing for smut
    Zuck’s spell: Look into my eyes, not around the eyes. You’re under
    http://www.theregister.co.uk/2014/06/12/facebook_mines_deep_into_your_browsing_history_to_make_more_ad_cash/

    Facebook is pushing the idea that it is offering tighter ad controls to its users just as it prepares to start targeting the web and app browsing habits of netizens in the US.

    The Menlo Park-based company said it had decided to start mining the data tucked away in users’ browsing history because “many companies [read: rivals] already do this”.

    The free content ad network said in a blog post that Facebookers who hate the idea of yet more intrusive advertising can switch the feature off via the “industry-standard Digital Advertising Alliance opt out”. In other words, all Facebook users in the US will have their browsing behaviour tracked by default.

    The policies – or presumably a tweaked, EU-flavoured version – are expected to follow later this year.

    The company’s main strategy appears to be to slurp data from an even more detailed profile of its 1.25 billion users

  18. Tomi Engdahl says:

    Even Toilets Aren’t Safe as Hackers Target Home Devices
    http://www.bloomberg.com/news/2014-06-10/even-toilets-aren-t-safe-as-hackers-target-home-devices.html

    Come home to a hot iron and smoldering clothes this afternoon? Soon, it may not be a sign of forgetfulness, but rather evidence that you’ve been hacked.

    In coming years, your smartphone will be able to lock your house, turn on the air conditioning, check whether the milk is out of date, or even heat up your iron. Great news, except that all that convenience could also let criminals open your doors, spy on your family or drive your connected car to their lair.

    “As these technologies become more sophisticated, it opens up a broader spectrum of threats,”

    What the industry calls “the Internet of things” has been heralded as the next wave of tech riches. By 2020, some 26 billion such devices may be connected to the Internet, up from 3 billion today, researcher Gartner Inc. (IT) estimates. That’s almost four times the number of smartphones, tablets and PCs that will be in use.

    The vision is to connect almost everything — from cars to fridges, lamps, even toilets. Forget to flush? There’s an app for that.

    Problem is, data security isn’t typically a big focus for toilet, refrigerator or baby monitor manufacturers. Security lapses on such devices could allow bad guys to disrupt home life, gather valuable personal data, or even use stolen information to extort money from victims, Ollmann said.

  19. Tomi Engdahl says:

    Privacy & security nightmares: Hacking smart toilets, smart toys, smart homes
    http://www.networkworld.com/article/2225098/microsoft-subnet/privacy—security-nightmares–hacking-smart-toilets–smart-toys–smart-homes.html

    From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child’s smart toy into a covert surveillance device, or unlock the doors of your smart home.

  20. Tomi Engdahl says:

    Smart toilet security flaw could result in nasty surprise(s) for users
    Read more: http://www.digitaltrends.com/home/smart-toilet-security-flaw/#ixzz34Xn0LCkC

  21. Tomi Engdahl says:

    Blame WWI, not Bin Laden, for NSA’s post-9/11 intel suck
    War, peace and paranoia in modern US
    http://www.theregister.co.uk/2014/06/13/surveillance_state_ww1_roots/

    The roots of today’s surveillance state lie in an early 20th century conflict, not the destruction of two supposed symbols of American power in the 21st.

    According to US military and intelligence historian Lon Strauss, mass surveillance in the US dates from America’s entry to World War I. This was a conflict famed for its grinding trench warfare, not intel-driven tactical strikes.

  22. Tomi Engdahl says:

    Reg probe bombshell: How we HACKED mobile voicemail without a PIN
    Months after Leveson inquiry, your messages are still not secure
    http://www.theregister.co.uk/2014/04/24/voicemail_still_easy_to_hack/

    Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson’s press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security.

    It’s believed the infiltrated inboxes merely had default PINs, or passcodes that were far too easy to guess, allowing eavesdroppers to easily drop by. People were urged to change their number codes for their voicemail, but, as we shall see, that advice is useless – you simply don’t need to know a PIN to listen to someone’s messages.

    If you call your voicemail service from a handset linked to the account, you go through to your message inbox without the need to enter a PIN, presumably as a convenience. Use any other phone and you are asked for a PIN access code.

  23. Tomi Engdahl says:

    Apple adds privacy-protecting MAC spoofing (when Aaron Swartz did it, it was evidence of criminality)
    http://boingboing.net/2014/06/12/apple-adds-privacy-protecting.html

    Apple has announced that it will spoof the MAC addresses emitted by its wireless devices as an anti-tracking measure, a change that, while welcome, is “an umbrella in a hurricane” according to a good technical explainer by the Electronic Frontier Foundation’s Jeremy Gillula and Seth Schoen.

    One notable and sad irony here is that MAC spoofing was held up as evidence of criminality in the indictment of Aaron Swartz: the US prosecutors characterized changing your MAC address as the sort of thing that only criminals do.

    Either this is proof that “when privacy is criminalized, only criminals will have privacy” or that federal prosecutors are lying assholes. These are not mutually exclusive possibilities.

  24. Tomi Engdahl says:

    Massive security flaws allowed for Stratfor hack, leaked report reveals
    http://www.dailydot.com/politics/stratfor-verizon-report-security-flaws/

    The intelligence firm at the center of a notorious cybersecurity breach that affected top government officials failed to institute standard security measures prior to the attack, according to a newly leaked report.

    In December 2011, a group of skilled hackers broke into the network of Strategic Forecasting, Inc. (Stratfor), compromising the personal data of some 860,000 customers, including a former U.S. vice president, CIA director, and secretary of state, among others.

    Roughly 5 million internal emails were obtained by the hackers and later released by the whistleblower organization WikiLeaks as the “Global Intelligence Files.”

    For Stratfor, a Texas-based geopolitical intelligence and consulting firm, the incident was an international embarrassment that caused roughly $3.78 million in total damages—and all of it could’ve been avoided by meeting common fraud prevention requirements.

  25. Tomi Engdahl says:

    The sentencing of Jeremy Hammond, hacker and flawed revolutionary
    http://www.dailydot.com/news/jeremy-hammond-sentencing-protest/

    It’s 10am in New York City, about two hours before Jeremy Hammond will be sentenced to 10 years in federal prison for hacking into the websites of law enforcement agencies and a private security firm that was contracted by the U.S. government to spy on human rights activists.

    Hammond is guilty. There’s no questioning that, back in 2011, he hacked into the server of the private security firm Strategic Forecasting, Inc. and downloaded millions of emails and credit card numbers. He published the emails through whistleblower organization WikiLeaks and, as the prosecution would later present at trial, encouraged members of the hacker group Anonymous to charge hundreds of thousands of dollars on the credit cards with the intent of destroying the company.

    “An equally important part is destroying their servers and dumping their user/address list and private e-mails…I’m hoping bankruptcy, collapse,” he would chat to a cohort.

    Hammond also hacked law enforcement systems, targeting retired police officers, and crippled an Amber alert system in Arizona.

    During Hammond’s sentencing, the defense raised this very point again and again. Technology, they argued, had simply moved faster than the law. And this couldn’t be more true.

    “It shows you how harsh American sentencing is, how we treat computer crimes,”

  26. Tomi Engdahl says:

    Tech Giants Join Microsoft In Calling For US Gov To End Use Of Warrants To Demand Overseas Data
    http://techcrunch.com/2014/06/14/tech-giants-join-microsoft-in-calling-for-us-gov-to-end-use-of-warrants-to-demand-overseas-data/

    Microsoft’s case to prevent the United States government from using search warrants to demand data that is not stored in the United States has picked up a number of high-profile backers, including the Electronic Frontier Foundation, Verizon, AT&T, and, recently, Apple and Cisco.

    The United States government had issued a warrant for data stored on the company’s servers in Ireland. Microsoft didn’t think that it was reasonable for a United States-specific warrant to apply to overseas and extra-national data.

    Why do companies give a whit if their data overseas is out of the reach of the United States government?

    Thus, if Microsoft et al want to sell cloud products or communications tools to global customers, they need to be able to say that the data involved is safe. And if the United States government can simply access that data, even when stored, say, in Ireland, with a non-local warrant, tech firms from this country aren’t going to sell much of anything abroad.

    Reply
  27. Tomi Engdahl says:

    Transforming the web into a HTTPA ‘database’
    http://www.zdnet.com/transforming-the-web-into-a-httpa-database-7000030534/

    Summary: Researchers under Tim Berners-Lee at MIT develop a new HTTP, dubbed HTTPA, a web protocol with accountability.

    Researchers at MIT’s Decentralized Information Group (DIG) are developing a new protocol they call “HTTP with Accountability,” or HTTPA, designed to fight the “inadvertent misuse” of data by people authorized to access it.

    With HTTPA, each item of private data would be assigned its own uniform resource identifier (URI), a component of the Semantic Web that, researchers say, would convert the Web from a collection of searchable text files into a giant database.

    Every time the server transmitted a piece of sensitive data, it would also send a description of the restrictions on the data’s use. And it would also log the transaction, using the URI, in a network of encrypted servers.

    “It’s not that difficult to transform an existing website into an HTTPA-aware website,” Seneviratne says. “On every HTTP request, the server should say, ‘OK, here are the usage restrictions for this resource,’ and log the transaction in the network of special-purpose servers.”

    Reply
  28. Tomi Engdahl says:

    Pre-installed spy software on China smartphones

    Security researchers from G Data have discovered pre-installed malicious code in the firmware of smartphones Star N9500.

    The Star N9500 ​​is an affordable copy of the Samsung Galaxy S4, which is marketed at various online retailers for 130 to 165 euros worldwide.

    In test purchases of the device, the researchers from G Data discovered the Trojan Uupay.D, which poses as the Google Play service and spies on the phone’s user unnoticed. Thus, the malicious code appears to be factory installed. In addition, the researchers found that the Trojan can be difficult to remove because it is part of the firmware of the device.

    Source: http://www.heise.de/newsticker/meldung/Vorinstallierte-Spionagesoftware-auf-China-Smartphones-2221792.html

    Reply
  29. Tomi Engdahl says:

    Bitcoin security guarantee shattered by anonymous miner with 51% network power
    In a first, one player got a monopoly of Bitcoin’s total computational power.
    http://arstechnica.com/security/2014/06/bitcoin-security-guarantee-shattered-by-anonymous-miner-with-51-network-power/

    For the first time in Bitcoin’s five-year history, a single entity has repeatedly provided more than half of the total computational power required to mine new digital coins, in some cases for sustained periods of time. It’s an event that, if it persists, signals the end of the cryptocurrency’s decentralized structure.

    Researchers from Cornell University say that on multiple occasions, a single mining pool repeatedly contributed more than 51 percent of Bitcoin’s total cryptographic hashing output for spans as long as 12 hours.

    “A 51 percenter can control which Bitcoin transactions happen,” wrote Ittay Eyal, a post-doctorate researcher in Cornell’s Department of Computer Science, in an e-mail to Ars. “It becomes a monopoly. It can set arbitrarily high transaction fees, for example, or even extort someone to allow them to perform transactions. It could block or delay all transactions but its own. One of Bitcoin’s goals was to be a free system, independent of anyone’s control. With small pools, no one has this kind of control. With a 51 percenter, there is.”

    Reply
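    To put numbers on what a majority miner can do, here is an added example (not from the Ars article or the Cornell researchers): the reversal-probability calculation from Satoshi Nakamoto's Bitcoin whitepaper, in Python. It computes the chance that a miner holding a fraction q of the hash power eventually overtakes the honest chain after z confirmations, and how many confirmations bring that risk under a chosen threshold. The function and parameter names are mine; the formula is the whitepaper's.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner controlling fraction q of the hash power ever
    overtakes the honest chain after the honest side has mined z more blocks.
    This is the gambler's-ruin calculation from the Bitcoin whitepaper:
    p = 1 - q is the honest share, and the honest lead is modelled as a
    Poisson-distributed head start. For q >= p the attacker catches up with
    certainty, which is the '51 percenter' case described above."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * (q / p)          # expected attacker progress while honest side mines z
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam)  # P(attacker has mined exactly k blocks)
        for i in range(1, k + 1):
            poisson *= lam / i
        # Probability of catching up from a deficit of (z - k) blocks is (q/p)^(z-k)
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


def confirmations_for_risk(q: float, max_risk: float = 0.001) -> Optional[int]:
    """Smallest number of confirmations z at which the reversal probability
    falls below max_risk for an attacker with share q. Returns None when no
    number of confirmations helps, i.e. the attacker holds a majority."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


def risk_table(shares=(0.1, 0.3, 0.51)) -> dict:
    """Confirmations needed for a 0.1% reversal risk at several hash shares;
    the majority entry comes back as None because waiting cannot fix it."""
    return {q: confirmations_for_risk(q) for q in shares}


if __name__ == "__main__":
    for q, z in risk_table().items():
        print(f"attacker share {q:.2f}: confirmations for <0.1% risk = {z}")
```

    The table is what a merchant or exchange would consult when deciding how long to wait before treating a payment as final; the None entry is the article's point in one line, since a pool above 50% can reorganize the chain no matter how many blocks have been confirmed.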
  30. Tomi Engdahl says:

    Microsoft CEO lambasts NSA for spying on his non-US customers
    Apparently, US customers don’t mind some snooping
    http://www.theinquirer.net/inquirer/news/2350100/microsoft-ceo-lambasts-nsa-for-spying-on-his-non-us-customers

    LAS VEGAS: MICROSOFT CEO Satya Nadella complained this week that the NSA’s lax attitude to data privacy is causing friction between US technology companies and their overseas customers.

    “The one thing that comes to mind for me, which is top of mind in fact, is the reform of the surveillance regime,” Nadella said.

    “If you think about what is the fundamental role of the government, it’s to be able to create trust. Trust with its citizens, trust between nations. In particular the United States has to take a real approach where we regain that trust.”

    Reply
  31. Tomi Engdahl says:

    Dell said, “More than 200,000 new malware variations are being developed daily and many of these are being created to target midmarket and small businesses. This means that enterprise level security is no longer solely the domain of Fortune 500 companies, but needs to be a vital consideration for every organisation, business and institution.” The firm added that it has built in a range of security features into the Optiplex line to fight such threats.

    Heightened security features include a lockable port cover, lock slot support, as well as access to Dell Data Protection services including the firm’s Protected Workspace scheme, which provides malware protection.

    Source: http://www.theinquirer.net/inquirer/news/2350014/dell-outs-malware-beating-optiplex-all-in-one-desktops-for-businesses

    Reply
  32. Tomi Engdahl says:

    UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat
    http://www.bloomberg.com/news/2014-06-13/uglygorilla-hack-of-u-s-utility-exposes-cyberwar-threat.html

    Somewhere in China, a man typed his user name, “ghost,” and password, “hijack,” and proceeded to rifle the computers of a utility in the Northeastern U.S.

    He plucked schematics of its pipelines. He copied security-guard patrol memos. He sought access to systems that regulate the flow of natural gas. He cruised channels where keystrokes could cut off a city’s heat, or make a pipeline explode.

    That didn’t appear to be his intention, and neither was economic espionage. While he was one of the Chinese officers the U.S. charged last month with infiltrating computers to steal corporate secrets, this raid was different. The hacker called UglyGorilla invaded the utility on what was probably a scouting mission, looking for information China could use to wage war.

    UglyGorilla is one of many hackers the FBI has watched.

    “This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for,”

    “They’re practicing,” is how retired Army General Keith Alexander, then head of the National Security Agency

    Cyberweapons are far easier and cheaper to obtain than nuclear materials, and so is data about the vulnerabilities in industrial control systems that run the electrical grid and water purification plants. The data could be used to develop and experiment with more sophisticated attacks, according to people familiar with the operations.

    Nation-state hackers are also often freelancers, and the U.S. has identified cases where some employed by Russia and China provided their services to others for a price, according to intelligence officials.

    They were “preparing a scenario where they might be able to perform a very serious attack,”

    “‘Trust but verify’ was a phrase made popular under Reagan. We’re worse off here. It’s more like ‘don’t trust and can’t verify,’”

    While UglyGorilla accessed a gateway to systems that regulate the flow of natural gas, it wasn’t clear if he was probing the security of the system or trying to gain control of it

    Reply
  33. Tomi Engdahl says:

    Hand over your dough, hackers tell Domino’s Pizza
    French and Belgian outfits lose 600,000 hashed-but-unsalted passwords
    http://www.theregister.co.uk/2014/06/16/extortists_demand_dominos_dough_for_hacked_data/

    Web mongrels have hacked Dominos France and Belgium and then demanded €30,000 to prevent the public disclosure today of passwords and pizza preferences of 648,000 consumers.

    The raid forced the pizza palace to issue an apology on Twitter and suggest users change their passwords, which were blended with an unsavoury mix of MD5 hash and no added salt.

    Notorious cracker outfit Rex Mundi (@RexMundi_Anon) wrote on a web clipboard that the ingredients of the stolen Dominos data included customer names, phone numbers, email and street addresses, along with passwords.

    Reply
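    The "MD5 hash and no added salt" detail is the part of this story that matters for anyone storing credentials. As an added example (not code from the article or from Domino's), the following Python contrasts unsalted MD5 with salted, iterated PBKDF2-HMAC-SHA256: with the former, two customers who chose the same password get the same stored digest, so a leaked table exposes every shared password at once and precomputed digest tables apply to all users; with a per-user random salt and a work factor, equal passwords give unrelated records and each guess must be recomputed per user. The sample users, the record format and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two customers who happen to share a password, as any
# large user base will. These are not records from the breach.
SAMPLE_USERS = {
    "alice@example.invalid": "pizza2014",
    "bob@example.invalid": "pizza2014",
}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme the article describes: one deterministic
    digest per password, identical for every user who chose that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record is self-describing
    ('pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>') so iterations can
    be raised later without invalidating stored credentials."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_digest_groups(store: Dict[str, str]) -> int:
    """Number of groups of users whose stored value is identical. For unsalted
    MD5 this is exactly the number of shared passwords visible to anyone
    holding the table; with per-user salts it is zero even when passwords repeat."""
    by_value: Dict[str, list] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return sum(1 for users in by_value.values() if len(users) > 1)


def compare_schemes(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, int]:
    """Store the same constructed users under both schemes and report how many
    duplicate groups each scheme exposes to whoever obtains the table."""
    md5_store = {u: legacy_md5(pw) for u, pw in users.items()}
    salted_store = {u: hash_password(pw) for u, pw in users.items()}
    return {
        "md5_duplicate_groups": duplicate_digest_groups(md5_store),
        "salted_duplicate_groups": duplicate_digest_groups(salted_store),
    }


if __name__ == "__main__":
    print(compare_schemes())
    record = hash_password("pizza2014")
    print(verify_password(record, "pizza2014"), verify_password(record, "pizza2015"))
```

    A site migrating off unsalted MD5 cannot recover plaintexts to rehash them; the usual route is to rehash on the next successful login and force a reset for accounts that stay dormant, which is also the moment to tell users, as Domino's did, to change the password anywhere it was reused.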
  34. Tomi Engdahl says:

    TIME TRAVELLERS needed to secure Windows 7
    June’s IE 11 patch depends on unrelated April update
    http://www.theregister.co.uk/2014/06/16/ie_11_apply_april_fix_or_be_hacker_fodder/

    Microsoft has forced Windows 7 users to apply an April update in order to receive June’s patches for its Internet Explorer 11 browser.

    Microsoft did not provide reasons for the move but it appeared to have simplified its patching process since updates need only to be crafted for the latest incarnation of the latest browser version.

    Reply
  35. Tomi Engdahl says:

    The Best Free Firewalls
    http://www.pcmag.com/article2/0,2817,2422144,00.asp?obref=obnetwork

    Windows itself has an effective firewall built in, but for full-scale two-way firewall protection you’ll want a free, third-party firewall. We’ll tell you which is best.

    And the Winner Is…
    ZoneAlarm Free Firewall 2013 retains its title as Editors’ Choice for free personal firewall protection. It protects your PC against outside attack, manages program control with few popups, and can’t be disabled by malware. Yes, you’ve got basic firewall protection built right into your Windows operating system, but ZoneAlarm goes way beyond the basics.

    Reply
  36. Tomi Engdahl says:

    Apple, EFF and AT&T back Microsoft’s no overseas warrants stance
    All fancy a ‘hands-off’ regulatory approach
    http://www.theinquirer.net/inquirer/news/2350204/apple-eff-and-at-t-back-microsoft-s-no-overseas-warrants-stance

    APPLE, CISCO, AT&T and the Electronic Frontier Foundation (EFF) have joined Microsoft’s campaign against US warrants on data held on Irish servers.

    Apple, Cisco and AT&T reportedly filed amicus curiae briefs, and the EFF has released a statement. It said that it is joining Microsoft’s case and warns that letting the warrants go ahead will have some very bad implications for privacy.

    Reply
  37. Tomi Engdahl says:

    Teen wins a photo of an Xbox One on eBay
    http://www.theinquirer.net/inquirer/news/2317524/teen-wins-a-photo-of-an-xbox-one-on-ebay

    A TEENAGER FROM THE UK has fallen victim to an auction scam that separated him from the best part of £500 for a photo of an Xbox One instead of an actual console.

    “We don’t allow listings which mislead, and will take action against this seller,” said a spokesman for eBay.

    Reply
  38. Tomi Engdahl says:

    And, the Password Is ’123456′
    http://www.theenterprisecloudsite.com/author.asp?doc_id=271187&_mc=sem_otb_edt_ppcm

    As we head ever-deeper into life in the cloud, aka Everything-as-a-Service, it seems that we can’t walk across a room without reciting a user name and password.

    The new winner as worst password, surpassing “password” is “123456.”

    Reply
  39. Tomi Engdahl says:

    Identity-as-a-Service Is Overdue
    http://www.theenterprisecloudsite.com/author.asp?section_id=3401&doc_id=273650&

    It’s been a long time since I hid my distaste for passwords. For all of the progress that we have made in using technology to make our jobs easier, the standard user name/password combination has managed to make life harder, sometimes miserable.

    I still don’t understand why the tech sector hasn’t come up with something like a biometric device that actually works. Even if that miracle tech did appear it would still have to support the growing diversity of applications and app sources, such as SaaS providers, websites, and mobile app developers, not just the various apps run by corporate IT.

    Okta is one of several companies working on identity-as-a-service (IDaaS). The idea is to enable single sign-on not only for the applications that the IT group has built or installed but for the various other applications and services that specific business units or individuals need to access.

    Reply
  40. Tomi Engdahl says:

    Cloud Security: Taking the Initiative
    http://www.theenterprisecloudsite.com/author.asp?section_id=3401&doc_id=273675&

    The scary facts floating around the web and the news media this week are that use of the cloud makes it three times more likely that an enterprise will have a data breach and that the cost of that breach will multiply in comparison with a breach involving internal IT.

    The research behind this news was conducted by Ponemon Institute on behalf of Netskope, which calls itself “the leader in cloud app analytics and policy enforcement.”

    Ponemon has some solid numbers highlighting the cost of certain types of breaches, including loss of company secrets and intellectual property or loss of customer information. It then calculated what it calls the “cloud multiplier” for the cost of a breach by adding in survey respondents’ predictions on the increased likelihood of a breach based on certain conditions, such as rapidly ramping up a cloud commitment, storing critical data in the cloud, and relying on unstable cloud providers.

    The problem isn’t the cloud itself, but rather that someone in IT or security hasn’t done their job right, or that they haven’t been allowed to do that job properly.

    If the IT and security teams have done everything in their power to address the rogue IT issue — a key theme in the report — and ensure that the right cloud providers are selected after a careful vetting process, and companies are still going with unreliable cloud suppliers, then shame on the executives who let that happen. Those executives could include the CIO, business unit leaders, and even the CEO who doesn’t give IT proper backing.

    Yet, if rogue IT is as rampant as the survey indicates, then central IT has to ask itself why business units chose to run off on their own course.

    Even when rogue IT has become established, it’s not too late for central IT and the security team to get involved, as long as they don’t escalate the turf wars.

    It is too late to tell a business unit, “Stop using the cloud.” It may be too early to say, “You’re over your head, let us manage the cloud app.”

    Reply
  41. Tomi Engdahl says:

    The Dark Side Of Facebook, Where People Lie, Steal, And Make Millions
    Read more: http://www.businessinsider.com/jason-fyk-dark-facebook-cybercrime-2014-6#ixzz34oNGFuHT

    Reply
  42. Tomi Engdahl says:

    Top Canadian court: Cops need warrant to get names from ISPs
    Decision could scupper nascent cyberbullying, privacy bills
    http://www.theregister.co.uk/2014/06/16/canada_supreme_court_privacy_isp_warrant/

    Canadian ISPs can no longer simply hand over customer information without a warrant after the country’s Supreme Court ruled that internet users were entitled to a “reasonable” expectation of privacy.

    Reply
  43. Tomi Engdahl says:

    Judge orders DOJ to turn over FISA surveillance documents
    The agency failed to justify keeping the 66 pages of documents secret, the federal judge said
    http://www.itworld.com/security/423040/judge-orders-doj-turn-over-fisa-surveillance-documents

    Rogers’ order was a victory for the Electronic Frontier Foundation (EFF), which is suing under the federal Freedom of Information Act to make the DOJ release information about surveillance on U.S. citizens. EFF says a document leaked last year revealed that the government used a “secret interpretation” of the USA Patriot Act to collect the phone records of virtually everyone in the U.S.

    Revelations in recent years about U.S. surveillance of its own and foreign citizens has led to a backlash both political and economic, affecting sales of some U.S.-made technology.

    Reply
  44. Tomi Engdahl says:

    New powerful banking malware called Dyreza emerges
    http://www.pcworld.com/article/2364360/new-powerful-banking-malware-called-dyreza-emerges.html

    Security researchers said they’ve spotted a new type of banking malware that rivals the capabilities of the infamous Zeus malware.

    The malware, which is being called “Dyreza” or “Dyre,” uses a man-in-the-middle attack that lets the hackers intercept unencrypted web traffic while users mistakenly think they have a secure connection with their online banking site.

    Although Dyreza has similarities with Zeus, “we believe this is a new banker trojan family and not yet another offspring from the Zeus source code,” according to a writeup by CSIS, a Danish security company.

    Dyreza uses a technique called “browser hooking” to view unencrypted web traffic, which involves compromising a computer, capturing unencrypted traffic and then stepping in when a user tries to make a secure SSL (Secure Sockets Layer) connection with a website.

    Dyreza is programmed to intercept credentials when a person navigates to the websites of Bank of America, NatWest, Citibank, RBS and Ulsterbank.

    Reply
  45. Tomi Engdahl says:

    Hacker Geohot releases root tool for Galaxy S5 and most other Android devices
    http://www.geek.com/android/hacker-geohot-releases-root-tool-for-galaxy-s5-and-most-other-android-devices-1596797/

    Google and the big Android OEMs have been beefing up security over the years, which is a good thing for everyone. As a consequence, however, it’s harder to gain root access to new Android devices.

    After XDA members took up a collection now valued at over $18,000, famed developer George “Geohot” Hotz has come forward with a working root method. Oh, it also roots almost every other Android phone.

    Having root access to your Android device means you can make system-level changes — it’s like running an administrator account on a computer.

    The Towelroot tool developed by Geohot differs from all the standard root methods in that it uses an exploit to root phones. Simply install the APK from Geohot’s site and run it. It looks like most devices running Android 4.4.2 or earlier can be rooted with this method.

    Towelroot is based on a Linux kernel vulnerability previously uncovered by hacker Pinkie Pie, which is bad news from a security standpoint.

    This is all great news if you want to use root-only apps on your device, but it’s even better news for malware creators. Since this is just a one-click APK, it could be packaged with other apps and distributed to unsuspecting users.

    Reply
  46. Tomi Engdahl says:

    US lifts restrictions on more detailed satellite images
    http://www.bbc.com/news/technology-27868703

    Sites like Google and Bing Maps will be able to use higher-quality satellite images, thanks to US government restrictions being lifted.

    Companies had not been allowed to make use of images where features smaller than 50cm were visible.

    But one imaging firm, Digital Globe, said it would be able to sell images that showed features as small as 31cm.

    One lawyer told the BBC he expected “repercussions” from people worried about their privacy.

    “In the past, collecting sub-50cm resolution required chartering and flying aircraft,”

    Reply
  47. Tomi Engdahl says:

    Evernote’s forum site hacked; Note Service untouched
    http://www.zdnet.com/evernotes-forum-site-hacked-note-service-untouched-7000030596/

    Summary: Password hashes and email addresses stolen from third-party forum site less than a week after DDoS attack

    Evernote’s forum site, which hosts 164,644 members, has been hacked, and the note-taking and archiving site sent an email to affected members Monday recommending they change their passwords if those credentials were reused on other sites.

    Reply
  48. Tomi Engdahl says:

    Tomorrow is the 10th anniversary of the first mobile phone virus ever (Cabir)
    Source: https://twitter.com/mikko/status/477524404193464320

    Bluetooth-Worm:SymbOS/Cabir
    http://www.f-secure.com/v-descs/cabir.shtml

    Reply
  49. Tomi Engdahl says:

    GCHQ to share threat intel – and declassify SECRET inventions
    Inspector Gadget watch? IP with no ‘secret applications’, sadly
    http://www.theregister.co.uk/2014/06/17/gchq_to_share_threat_information/

    Blighty intelligence and security bods at GCHQ will share classified information on cyber threats with organisations running the UK’s critical national infrastructure as well as declassifying some of the spy agency’s intellectual property.

    It’s all part of a series of moves designed to share its expertise.

    GCHQ has previously warned organisations about specific threats, but has not run a structured programme. It now aims to pass on regular information with more analysis as part of broader moves to increase its protection of the UK’s critical national infrastructure.

    Reply
