The year 2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase, simply because the technology is being used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to advance its operation (for example updating in real time, or verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.
Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters are already using them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase as usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Urgent security warning that may affect all internet users
http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/
Back in August, The Register reported that the largest ever quotient of email addresses, usernames and passwords had been put together by groups of Russian hackers
These hackers collected this data over many months, gaining access to these user credentials through vulnerable/poorly secured databases and backdoors/malware installed on insecure computers around the world.
Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. Upon investigation, we determined that the username and password data gathered from third party sites, likely the data identified by The Register (i.e. not Namecheap) is being used to try and gain access to Namecheap.com accounts.
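The kind of alert described above (a flood of logins reusing credentials leaked elsewhere) can be raised from ordinary login logs. The detector below is an added example, not Namecheap’s code; it assumes a simple one-line-per-attempt log format and constructed sample lines, and flags a source address that fails against many distinct usernames in a short window, which is the signature of a credential-dump replay rather than a single-account brute force.

```python
"""Credential-stuffing detector run over constructed login log lines.

Added example, not Namecheap's code. The log format below is assumed:
    <ISO-8601 timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
The signal used: one source address failing against many *distinct*
usernames in a short window. That is what replaying a third-party
credential dump looks like; a classic brute force instead hammers one
account with many passwords.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a real user who mistyped once, and one replay source.
SAMPLE_LOG = """\
2014-09-01T03:00:01Z 203.0.113.7 alice LOGIN_FAIL
2014-09-01T03:00:05Z 203.0.113.7 alice LOGIN_OK
2014-09-01T03:00:10Z 198.51.100.9 bob LOGIN_FAIL
2014-09-01T03:00:11Z 198.51.100.9 carol LOGIN_FAIL
2014-09-01T03:00:12Z 198.51.100.9 dave LOGIN_FAIL
2014-09-01T03:00:13Z 198.51.100.9 erin LOGIN_FAIL
2014-09-01T03:00:14Z 198.51.100.9 frank LOGIN_OK
2014-09-01T03:00:15Z 198.51.100.9 grace LOGIN_FAIL
2014-09-01T03:00:16Z 198.51.100.9 heidi LOGIN_FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def _summarize(evs):
    users = {u for _, u, _ in evs}
    fails = sum(1 for _, _, r in evs if r == "LOGIN_FAIL")
    return {
        "attempts": len(evs),
        "distinct_users": len(users),
        "failures": fails,
        # Accounts whose leaked password still worked: force a reset on these.
        "compromised": sorted(u for _, u, r in evs if r == "LOGIN_OK"),
    }


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source addresses that look like stuffing.

    An address is flagged the first time a sliding window of `window`
    holds attempts against at least `min_users` distinct usernames with
    at least `min_fail_ratio` of them failing. Once flagged, the summary
    covers every event from that address, so later successes are caught.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, result = parse_line(line)
            events[ip].append((when, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:   # slide the window start
                lo += 1
            burst = evs[lo:hi + 1]
            users = {u for _, u, _ in burst}
            fails = sum(1 for _, _, r in burst if r == "LOGIN_FAIL")
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                flagged[ip] = _summarize(evs)
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The `compromised` list is the actionable output: those are the accounts whose reused password was confirmed to work and should be reset, not just the source address to block.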
Tomi Engdahl says:
Apple Says It Is “Actively Investigating” Celeb Photo Hack
http://recode.net/2014/09/01/apple-says-it-is-actively-investigating-celeb-photo-hack/
Apple said Monday it was “actively investigating” the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.
“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.
Photos, some real, some said to be fakes, are said to have been taken from the iCloud accounts of several celebrities, such as actress Jennifer Lawrence. They were posted to the Web image-sharing community 4Chan and have since spread across the Web, showing up on social media sites like Twitter, Reddit and elsewhere.
Security experts said the hacking and theft of revealing pictures from the Apple iCloud accounts of a few celebrities might have been prevented if those affected had enabled two-factor authentication on their accounts.
Tomi Engdahl says:
Naked celebrity hack: security experts focus on iCloud backup theory
http://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence
After intensive examination of file data leaked by one or more hackers, suspicion grows that iCloud backups were source of pictures – though precise method of attack still unclear
Security experts are warning that there could be many more compromised celebrity iCloud accounts after examining file data from pictures stolen from stars including Jennifer Lawrence and Kate Upton.
One theory gaining ground is that many of the pictures had been accumulated by one hacker over a period of time – and were then “popped” by another hacker who somehow broke into a machine belonging to the first. Lending weight to that was that one of the earliest photos found in a cache released online dated to December 2011, while the most recent was from 14 August.
Some have also pointed to the presence of a Dropbox tutorial file in one hacked account as suggesting that the third-party cloud storage service was a source of some pictures.
Apple has still issued no statement on how many accounts on its iCloud service were broken into.
But it has come in for strong criticism over the lack of protection against “brute-force” attacks that would yield a password. “If the celebs’ iCloud account passwords were brute forced, the problem seems to be lack of rate limiting by Apple, not lack of crypto,” commented Christopher Soghoian, principal technologist at the American Civil Liberties Union.
Dan Kaminsky, chief scientist at whiteops.com, said on Twitter that “my personal thinking is that someone [originally] hacked desktops, and someone else hacked the hacker” – adding “if it isn’t iCloud, which apparently there’s some reason to believe.”
Tomi Engdahl says:
Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft
http://www.wired.com/2014/09/tox/
Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not only by any one company, but by the world at large—a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services.
Tomi Engdahl says:
Europol launches taskforce to fight world’s top cybercriminals
http://www.theguardian.com/technology/2014/sep/01/europol-taskforce-cybercrime-hacking-malware
Joint Cybercrime Action Taskforce to coordinate investigations into hacking, malware and other online crimes
Tomi Engdahl says:
Gaining Access to the Oculus Developer Database
http://hackaday.com/2014/09/01/gaining-access-to-the-oculus-developer-database/
One of the hackers over at Bitquark popped a shell on the Oculus Developer Portal, giving him full rein over the special admin panel inside.
The process started by using a SQL injector called BSQLi to test out parameters, cookies, and headers. Injecting into the header revealed that the Oculus team members were inserting X-Forwarded-For headers directly into the database without proper escape formatting. This got him in the door, and with a little assistance from sqlmap, the database was enumerated, and a pattern was recognized. Oculus passwords that were stored in the DB were heavily hashed. However, the user session variables remained unprotected.
An AJAX eval() preview script wasn’t secured by a CSRF token, which could easily be exploited by a malicious hacker.
The findings were then turned in to Facebook, who paid the guy $15,000 for the first vulnerability plus the privilege escalation attack.
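The root cause quoted above, a request header written straight into a query, is worth seeing side by side with the fix. The block below is an added example using an in-memory SQLite table, not the Oculus portal’s code: it shows the defective string-built insert failing on a header that merely contains an apostrophe, the parameterized insert storing the same text harmlessly, and a validation step (`client_ip_from_xff`, with an assumed set of trusted proxy addresses) that refuses anything in X-Forwarded-For that is not an IP address before it is trusted at all.

```python
"""Writing an attacker-controlled header to a database: unsafe vs. safe.

Added example, not the Oculus portal's code. It uses SQLite in memory to
show why splicing the X-Forwarded-For header into SQL text is a defect,
that binding it as a parameter stores the same text harmlessly, and how
to validate the header as addresses before trusting it at all.
"""
import ipaddress
import sqlite3


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, client_ip TEXT)")
    return con


def log_ip_unsafe(con, xff):
    """Defective: the header becomes part of the SQL statement itself."""
    con.execute("INSERT INTO audit (client_ip) VALUES ('%s')" % xff)


def log_ip_safe(con, xff):
    """Hardened: the driver binds the value; it can never be parsed as SQL."""
    con.execute("INSERT INTO audit (client_ip) VALUES (?)", (xff,))


def stored_ips(con):
    return [row[0] for row in con.execute("SELECT client_ip FROM audit ORDER BY id")]


def client_ip_from_xff(xff, trusted_proxies):
    """Validate X-Forwarded-For and return the address the client is believed to have.

    Every hop must parse as an IP address (junk raises ValueError, so it
    never reaches the database). Trailing hops that are our own proxies
    are stripped; the last remaining hop is the one our proxy saw.
    `trusted_proxies` is an assumed set of our proxy addresses as strings.
    """
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    while hops and str(hops[-1]) in trusted_proxies:
        hops.pop()
    if not hops:
        raise ValueError("no client address before trusted proxies")
    return str(hops[-1])


def header_is_valid(xff, trusted_proxies):
    """True if the header passes validation; the request should be rejected otherwise."""
    try:
        client_ip_from_xff(xff, trusted_proxies)
        return True
    except ValueError:
        return False


def demo():
    """Return (unsafe_raised, rows) for a header that merely contains a quote."""
    header = "203.0.113.5, O'Brien"      # constructed; one apostrophe is enough
    con = fresh_db()
    try:
        log_ip_unsafe(con, header)       # the quote breaks the statement
        unsafe_raised = False
    except sqlite3.OperationalError:
        unsafe_raised = True
    log_ip_safe(con, header)             # stored verbatim, with no SQL meaning
    return unsafe_raised, stored_ips(con)
```

Parameter binding removes the injection; validating the header as addresses is the second layer, since a proxy header is client-supplied input like any other.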
Tomi Engdahl says:
Cross-site request forgery
https://en.wikipedia.org/wiki/Cross-site_request_forgery
Tomi Engdahl says:
‘Sony and Twitch’ hacking crew Lizard Squad: ‘We quit’
OMG, the Feds *Cough* We did what we set out to do
http://www.theregister.co.uk/2014/09/02/lizard_squad_disbands/
The Lizard Squad hacking crew appears to have called it quits over the weekend following high-profile assaults on Sony as well as online attacks on Blizzard and Twitch, a broadcast platform for gamers, among others.
The eight-strong group of trickster hackers posted a notice of their intention to throw in the towel on their lizardsquad.com website
Tomi Engdahl says:
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
http://www.theregister.co.uk/2014/09/01/leaker_axe_claims_nz_justice_minister_scalp/
A hacker has claimed the scalp of New Zealand Justice Minister Judith Collins by releasing information showing a purported campaign to undermine government officials.
The revelations, revealed last month, came from a hacker known as RawShark (@whaledump), who broke into the email account of conservative blogger Cameron Slater.
Tomi Engdahl says:
FCC to examine “unauthorized” cell snooping devices
Aug 12 2014
Meanwhile, FCC won’t give stingray documents to ACLU, saying they’re classified.
http://arstechnica.com/tech-policy/2014/08/fcc-to-examine-unauthorized-cell-snooping-devices/
The Federal Communications Commission said it will investigate the “illicit and unauthorized use” of cell phone tracking and interception devices, commonly known as IMSI catchers or stingrays.
Relatively little is known about how stingrays are used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances. Worse still, cops have lied to courts about the use of such technology. Not only can stingrays be used to determine location, but they can also intercept calls and text messages. Grayson seems primarily concerned with stingray use by criminals, terrorists, and foreign government agents.
Tomi Engdahl says:
Celebrity photo theft a targeted attack on names, passwords, and security questions, and didn’t result from breaches of Find my iPhone or iCloud:
Update to Celebrity Photo Investigation
http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.
Tomi Engdahl says:
The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud
http://www.wired.com/2014/09/eppb-icloud/
As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.
Hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers.
In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
“Use the script to hack her passwd…use eppb to download the backup,”
Tomi Engdahl says:
Notes on the Celebrity Data Theft
Tuesday, September 2, 2014
http://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
An interesting aspect of information security is how periodically it collides with other industries and subcultures. With more information than ever being stored and shared online and on connected devices, hacking stories are frequent and are mainstream news. This was the case yesterday as dozens of celebrities fell victim to hackers who leaked hundreds of private photographs and videos stolen from web based storage services.
1. What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public.
2. The goal is to steal private media from a target’s phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices. To access the cloud based backup requires the user’s ID, password or an authentication token.
Tomi Engdahl says:
Think iCloud’s two-factor authentication protects your privacy? It doesn’t
http://www.tuaw.com/2014/09/02/think-iclouds-two-factor-authentication-protects-your-privacy/
As the forensic analysis of the weekend’s celebrity intimate photo leak continues, plenty of attention is being focused on iCloud’s photo storage as a likely vector for the criminal theft of the images. Proof of concept code for a brute-force attack on iCloud passwords (via the Find My iPhone API) was revealed late last week, and subsequently blocked off by Apple in a fix to the FMI service.
Tomi Engdahl says:
Apple denies iCloud breach in celebrity nude photo hack
http://www.theverge.com/2014/9/2/6098107/apple-denies-icloud-breach-celebrity-nude-photo-hack
Apple Should Be More Transparent About Security
http://techcrunch.com/2014/09/02/why-apple-should-be-more-transparent-about-security/
It seems that Apple has gotten embroiled in a security scandal of one sort or another every few months.
In each of these cases, Apple fixed vulnerabilities, released support notes or patched bugs. But in almost all cases, and many others over the years, the company was as opaque as possible about explaining the details of security issues, reluctant to admit to them publicly and very unresponsive to independent security researchers. That leads to misunderstandings and FUD about the extent of the problems and the risks involved for users.
This needs to change or it will continue to happen.
Tomi Engdahl says:
Lessons From the Celebrity iCloud Photo Breach
https://www.aclu.org/blog/technology-and-liberty/lessons-celebrity-icloud-photo-breach
Based on initial media reports, it seems that intimate, private photographs from several celebrities’ online accounts have been accessed without their consent and widely shared on the Internet. For now, many details about the breach (or breaches) remain unclear.
The blame game
In the flurry of news after the photos surfaced, several commentators smugly suggested that some blame should fall on the victims, either because they used weak passwords, or because they were using their phones to take sexually explicit photographs. This is ridiculous.
These celebrities exhibited behavior that is perfectly normal.
Could Apple have prevented this?
Most of Apple’s services had used such a rate-limiting mechanism, except the Find My iPhone service. Apple has, over the past few days, fixed this issue.
One password to rule them all
It is likely the case that many of the victims also had poor quality passwords, which increased the ease with which the hackers could gain access to their accounts. The use of poor, low entropy passwords is not specific to Apple accounts – but Apple requires their customers to regularly enter their password on their phones whenever they wish to download an app from the company’s App Store, even for free apps. This encourages users to pick short, easy-to-enter passwords.
The downside to default, automatic cloud backups
It appears that iOS devices are automatically opted in to Apple’s Camera Roll feature, which uploads all photos to Apple’s iCloud backup service. As a result, many users are likely using this service without realizing it and, as a result, do not understand the associated security and privacy risks.
There are, no doubt, useful aspects to nudging users towards automatic online photo backups – they ensure that a lost or stolen iPhone does not result in the permanent loss of photos
The need for a private photo mode
Apple, Google, Microsoft, and Mozilla already include “private browsing” modes in their web browsers. Clearly, these companies recognize that there are certain activities that their customers will engage in online that should remain private (or at least should not be revealed in the browser’s history).
Apple, Google and the other big tech companies should acknowledge that millions of their customers regularly use their products to engage in sensitive, intimate activities. These companies can and should offer a “private photo” option for sensitive photos that prevents them from being uploaded to the cloud.
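The rate limiting the post says Find My iPhone lacked is a small piece of code. The block below is an added example, not Apple’s code: a limiter keyed on both the target account and the source address, with a sliding failure window and an escalating lockout, wrapped in a toy login service whose clock and password map are constructed so the run is deterministic. `simulate_guessing` replays hundreds of wrong guesses and reports how few reach the password check before the lockout takes over.

```python
"""Login rate limiting with escalating lockout.

Added example, not Apple's code. It models the control the post says
Find My iPhone lacked: every failed attempt counts against both the
target account and the source address, and a burst of failures locks
the key for a doubling period. Clock values are passed in explicitly so
the behaviour is deterministic; `users` is a constructed in-memory
password map standing in for a real hashed credential store.
"""
import hmac
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, max_failures=5, window=300.0, base_lockout=60.0):
        self.max_failures = max_failures      # failures tolerated per window
        self.window = window                  # seconds the failures are remembered
        self.base_lockout = base_lockout      # first lockout length in seconds
        self._failures = defaultdict(deque)   # key -> times of recent failures
        self._locked_until = {}               # key -> time the lockout ends
        self._strikes = defaultdict(int)      # key -> lockouts imposed so far

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key, now):
        """True if an attempt for `key` may proceed to password checking."""
        if now < self._locked_until.get(key, 0.0):
            return False
        self._prune(key, now)
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._strikes[key] += 1
            # Exponential backoff: 60 s, then 120 s, 240 s, ...
            self._locked_until[key] = now + self.base_lockout * 2 ** (self._strikes[key] - 1)
            self._failures[key].clear()

    def record_success(self, key):
        self._failures.pop(key, None)


class LoginService:
    def __init__(self, users, limiter):
        self._users = users
        self._limiter = limiter
        self.password_checks = 0   # how many attempts reached verification

    def login(self, user, password, source_ip, now):
        keys = (("acct", user), ("ip", source_ip))
        if not all(self._limiter.allowed(k, now) for k in keys):
            return "throttled"                 # same answer whether or not user exists
        self.password_checks += 1
        expected = self._users.get(user, "")
        if expected and hmac.compare_digest(expected, password):
            for k in keys:
                self._limiter.record_success(k)
            return "ok"
        for k in keys:
            self._limiter.record_failure(k, now)
        return "bad_credentials"


def simulate_guessing(n_guesses=500, gap=0.1):
    """Replay n wrong guesses at one account from one address, `gap` seconds apart.

    Returns (guesses that reached the password check, outcome counts).
    """
    svc = LoginService({"celeb": "correct horse battery staple"}, LoginRateLimiter())
    outcomes = defaultdict(int)
    for i in range(n_guesses):
        outcomes[svc.login("celeb", "guess%d" % i, "198.51.100.9", now=i * gap)] += 1
    return svc.password_checks, dict(outcomes)
```

With the defaults, a 500-guess run gets five guesses checked and the rest throttled; a real deployment would also add the lockout to per-account alerting so the owner learns someone is guessing.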
Tomi Engdahl says:
Apple sets developer rules for HealthKit, HomeKit, TestFlight, and Extensions ahead of iOS 8 launch
http://9to5mac.com/2014/09/02/apple-sets-rules-for-developers-using-healthkit-homekit-testflight-and-extensions-ahead-of-ios-8-launch/
Today, Apple has updated its official App Store developers Review Guidelines to outline the requirements for iOS 8 applications that will make use of the new HealthKit, HomeKit, TestFlight, and Extensions services.
“Apps using the HealthKit framework that store users’ health information in iCloud will be rejected.” This point should reduce fears of intruders being able to access a user’s health data, especially after the scandal surrounding the leak of celebrity photos potentially stored in iCloud.
“Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected.”
“Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.” This point is crucial in that this fine print allows Apple to work around the FDA’s regulatory guidelines for mobile health applications.
“Apps using the HealthKit framework must provide a privacy policy or they will be rejected.”
“Apps must not use data gathered from the HomeKit APIs for advertising or other use-based data mining.” Same deal with HealthKit
Apps using the HomeKit framework must have a primary purpose of providing home automation services
Apps using the HomeKit framework must indicate this usage in their marketing text and they must provide a privacy policy or they will be rejected
Apps using data gathered from the HomeKit API for purposes other than improving the user experience or hardware/software performance in providing home automation functionality will be rejected
Apps using the HealthKit framework must comply with applicable law for each Territory in which the App is made available
Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research
Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected
Apps using the HealthKit framework must provide a privacy policy or they will be rejected
Tomi Engdahl says:
Banks: Credit Card Breach at Home Depot
http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.
There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.
In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”
Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014.
Tomi Engdahl says:
For $3,500, a Spy-Resistant Smartphone
March 18, 2014
Prime ministers, business executives, and ordinary citizens clamor for phones that can’t be snooped on.
http://www.technologyreview.com/news/525556/for-3500-a-spy-resistant-smartphone/
Ever since Edward Snowden came forward with a trove of secret documents about the National Security Agency, business has been booming for Les Goldsmith, CEO of ESD America.
Goldsmith’s company sells a $3,500 “cryptophone” that scrambles calls so they can’t be listened in on. Until recently, the high-priced smartphone was something of a James Bond–style novelty item. But news of extensive U.S. eavesdropping on people including heads of state has sent demand from wary companies and governments soaring. “We’re producing 400 a week and can’t really keep up,” says Goldsmith.
The Las Vegas–based company prepares and packages the device, called the GSMK CryptoPhone, by first wiping the software from an ordinary $350 Samsung Galaxy S3 handset. It then adds a version of Google’s Android operating system, licensed from the German company GSMK, that has been tweaked to add call encryption and fix security flaws.
Sales have tripled since Snowden’s revelations began last June, and close to 100,000 of the handsets are in use worldwide, according to Goldsmith. Secure calls work only between two cryptophones. To set up a secure connection, each handset creates a cryptographic key based on a sample of random background noise. Everything takes place on the handsets, so no unprotected data leaves the device.
Secure phones aren’t new. In the 1970s, the NSA developed a “secure telephone unit”
Handsets can be infected by malware that listens to calls, copies data, or transmits a device’s location. Some spies even employ fake base stations, known as interceptors, that harvest calls and text messages.
That’s reason enough for politicians, dissidents, and top executives to worry.
The CryptoPhone’s $3,500 price tag (which pays for three years of service, not including calling charges) puts the device beyond the reach of most individuals and small businesses. A competing device, the Hoox m2 smartphone that French IT contractor Bull began selling in January, sells for 2,000 euros ($2,740) and is also aimed at corporate users.
For the most part, consumers haven’t joined the security rush. According to Gartner, a firm that tracks technology trends, few have even purchased antivirus software for their phones. Sales of mobile security software are about $1 billion a year, a fraction what’s spent on desktops, even though mobile devices now outnumber PCs.
Yet secure communication products could eventually have mass appeal as consumers tire of being tracked online. Some of the most successful apps of the past year have featured self-destructing messages or anonymous bulletin boards.
Companies on a budget could turn to the $629 Blackphone handset, which launched in February and also offers encrypted calling. The device is the product of a joint venture between Spanish smartphone startup Geeksphone and Silent Circle, a company that markets apps for encrypted calling and e-mail on Apple and Android devices.
Tomi Engdahl says:
Health care systems are leaking: They set challenges for system compatibility and patient access to information, but the world’s biggest challenge is the fact that patient information systems seem to be an easy target for hackers. The vast majority of attacks are directed at hospitals.
According to Websense Security Labs, hacker attacks on various patient information systems have increased by as much as 600 per cent in the past 10 months.
The information in patient information systems is valuable to hackers because patient data is linked to insurance information and bank account details. This is data that many people are willing to pay for.
There is a little irony in the fact that patient information has been difficult if not impossible to move to the authorities or between doctors, but for hackers the data is often easy prey.
Source: http://etn.fi/index.php?option=com_content&view=article&id=1728:terveydenhuollon-jarjestelmat-vuotavat&catid=13&Itemid=101
Tomi Engdahl says:
Claimed Home Depot credit card hack could be biggest retail breach yet
DIY megastore may be latest to fall to point-of-sale penetration
http://www.theregister.co.uk/2014/09/02/home_depot_investigating_if_its_the_latest_victim_of_retail_hackers/
One of the US’s largest home improvement chains is investigating whether its systems have been cracked by hackers, as one security researcher has claimed.
“I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” the company told El Reg in a statement.
According to security blogger Brian Krebs, multiple banks have reported that a large number of stolen credit and debit cards have appeared for sale online that appear to have come from Home Depot. The card numbers, on sale in the murky rescator.cc site, appeared in two large batches on Tuesday morning.
The purloined cards were on sale labeled “American Sanctions,” presumably as a reference to the increased sanctions threatened by the West in response to Russia’s involvement in the Ukrainian civil war. A similar batch of cards from EU banks was labeled “European Sanctions.”
Retailers are currently the flavor of the month with the criminal hacking community, with infected point-of-sale terminals the preferred method of harvesting.
Tomi Engdahl says:
Apple, FBI: YES we’re looking into the NAKED CELEBRITY PICS. Aren’t you?
But we will shut our eyes if we happen to see any
http://www.theregister.co.uk/2014/09/02/apple_fbi_probe_nude_celeb_hacks/
The Federal Bureau of Investigation and Apple are examining the theft of a large cache of naked celebrity photos, thought by many to perhaps have been snaffled from the fruity firm’s iCloud backup silos.
Apple spokeswoman Natalie Kerris said the company was “actively investigating” the hacks.
The newly released iBrute brute-force password-guessing tool may have been used to break into the celebs’ iCloud accounts.
The tool’s authors hackappcom wrote that the tool used the Find My iPhone service API, which is not protected against brute force attacks. Attackers may have used a list of 500 popular passwords that meet Apple requirements.
“iBrute was published a day before the incident. It’s very difficult to perform this kind of targeted attack in one day, so it’s very unlikely that iBrute was used for this attack, but maybe some evil guys found the same bug and used it,”
“Anyway if your accounts were hacked by @hackappcom’s method it also means that your passwords are crap [but] it is not your fault if you are using bad passwords because you are celebrities, not nerds.”
Tomi Engdahl says:
Mysterious Phony Cell Towers Could Be Intercepting Your Calls
Every smart phone has a secondary OS, which can be hijacked by high-tech hackers
http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-intercepting-your-calls
Like many of the ultra-secure phones that have come to market in the wake of Edward Snowden’s leaks, the CryptoPhone 500, which is marketed in the U.S. by ESD America and built on top of an unassuming Samsung Galaxy SIII body, features high-powered encryption. Les Goldsmith, the CEO of ESD America, says the phone also runs a customized or “hardened” version of Android that removes 468 vulnerabilities that his engineering team found in the stock installation of the OS.
To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone.
“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says. “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip. We even found one at South Point Casino in Las Vegas.”
Who is running these interceptors and what are they doing with the calls? Goldsmith says we can’t be sure, but he has his suspicions.
“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases. So we begin to wonder – are some of them U.S. government interceptors? Or are some of them Chinese interceptors?”
Interceptors vary widely in expense and sophistication – but in a nutshell, they are radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption. Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor. The baseband processor functions as a communications middleman between the phone’s main O.S. and the cell towers. And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers.
“The baseband processor is one of the more difficult things to get into or even communicate with,”
But for governments or other entities able to afford a price tag of “less than $100,000,” says Goldsmith, high-quality interceptors are quite realistic. Some interceptors are limited, only able to passively listen to either outgoing or incoming calls. But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example. Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug.
“As we drove by, the iPhone showed no difference whatsoever. The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree.”
Though the standard Apple and Android phones showed nothing wrong, the baseband firewall on the Cryptophone set off alerts showing that the phone’s encryption had been turned off, and that the cell tower had no name – a telltale sign of a rogue base station. Standard towers, run by say, Verizon or T-Mobile, will have a name, whereas interceptors often do not.
And the interceptor also forced the CryptoPhone from 4G down to 2G, a much older protocol that is easier to de-crypt in real-time.
“If you’ve been intercepted, in some cases it might show at the top that you’ve been forced from 4G down to 2G. But a decent interceptor won’t show that,”
Though Goldsmith won’t disclose sales figures or even a retail price for the GSMK CryptoPhone 500, he doesn’t dispute an MIT Technology Review article from this past spring reporting that he produces about 400 phones per week for $3,500 each.
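An added example (not GSMK’s code, nor from the article) that scores the rogue-base-station indicators described above over a constructed trace of baseband status samples; the field names, the known-cell list and the alert threshold are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CellObservation:
    """One baseband status sample. Fields are assumed for this example; a real
    baseband firewall reads them from the modem's diagnostic interface."""
    ts: int                       # seconds since the start of the drive
    rat: str                      # radio access technology: "4G", "3G" or "2G"
    operator_name: Optional[str]  # broadcast network name; None if the cell sends none
    cipher: Optional[str]         # e.g. "A5/1" or "A5/3" on 2G, "yes" on 3G/4G; "A5/0"/None = off
    cell_id: str                  # location area code and cell id as one string


# Constructed whitelist of cells previously seen at this location behaving
# normally (a real implementation learns this over time).
KNOWN_CELLS = {"310012-0001", "310012-0002"}


def indicators(prev: Optional[CellObservation], cur: CellObservation,
               known_cells) -> List[str]:
    """Returns the telltale signs present in this sample: encryption turned
    off, a cell with no name, an unknown cell id, and a 4G-to-2G downgrade."""
    reasons = []
    if cur.cipher in (None, "A5/0"):
        reasons.append("encryption off")
    if not cur.operator_name:
        reasons.append("unnamed cell")
    if cur.cell_id not in known_cells:
        reasons.append("unknown cell id")
    if prev is not None and prev.rat == "4G" and cur.rat == "2G":
        reasons.append("forced 4G->2G downgrade")
    return reasons


def assess(trace: List[CellObservation], known_cells=KNOWN_CELLS,
           threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """Alerts on samples with at least `threshold` indicators. A single
    indicator (an unknown cell id on a road trip, or a downgrade that a
    decent interceptor hides anyway) is too weak on its own."""
    alerts = []
    prev = None
    for cur in trace:
        reasons = indicators(prev, cur, known_cells)
        if len(reasons) >= threshold:
            alerts.append((cur.ts, reasons))
        prev = cur
    return alerts


# Constructed trace: a normal 4G cell, a brief 4G->3G->4G handover like the
# one the Galaxy S4 showed, then an unnamed, unencrypted 2G cell of the kind
# the CryptoPhone alerted on, then back to normal service.
SAMPLE_TRACE = [
    CellObservation(0, "4G", "Verizon", "yes", "310012-0001"),
    CellObservation(5, "3G", "Verizon", "yes", "310012-0002"),
    CellObservation(8, "4G", "Verizon", "yes", "310012-0001"),
    CellObservation(10, "2G", None, "A5/0", "000000-9999"),
    CellObservation(30, "4G", "Verizon", "yes", "310012-0001"),
]

if __name__ == "__main__":
    for ts, reasons in assess(SAMPLE_TRACE):
        print(f"t={ts}s possible interceptor: {', '.join(reasons)}")
```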
Tomi Engdahl says:
Frequently asked questions about two-step verification for Apple ID
http://support.apple.com/kb/ht5570
Two-step verification is an additional security feature for your Apple ID that’s designed to prevent anyone from accessing or using your account, even if they know your password.
It requires you to verify your identity using one of your devices
How does it work?
When you set up two-step verification, you register one or more trusted devices. A trusted device is a device you control that can receive 4-digit verification codes using either SMS or Find My iPhone. You’re required to provide at least one SMS capable phone number.
Then, any time you sign in to manage your Apple ID at My Apple ID or make an iTunes, App Store, or iBooks Store purchase from a new device, you’ll need to verify your identity by entering both your password and a 4-digit verification code
Without both your password and the verification code, access to your account will be denied.
You will also get a 14-character Recovery Key for you to print and keep in a safe place. Use your Recovery Key to regain access to your account if you ever lose access to your trusted devices or forget your password.
Tomi Engdahl says:
Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet
http://it.slashdot.org/story/14/09/03/164225/akamai-warns-linux-systems-infiltrated-and-controlled-in-a-ddos-botnet
Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised,
Tomi Engdahl says:
Linux systems infiltrated and controlled in a DDoS botnet
http://www.net-security.org/secworld.php?id=17322
Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals.
The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities.
Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.
“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior VP and GM, Security Business Unit, Akamai.
“This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Malicious actors have taken advantage of known vulnerabilities in unpatched Linux software to launch DDoS attacks. Linux admins need to know about this threat to take action to protect their servers,” Scholly added.
Tomi Engdahl says:
IptabLes and IptabLex DDoS Bots [High Risk]
http://www.prolexic.com/knowledge-center-ddos-threat-advisory-iptables-iptablex-linux-bots-botnet-cybersecurity.html
Malicious actors behind the IptabLes IptabLex botnet have produced significant DDoS attack campaigns, forcing target companies to seek expert DDoS protection. PLXsert anticipates further infestation and the expansion of this botnet.
Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities.
Misconfigured Elasticsearch instances have also been targeted.
Once the Linux system has been compromised, attackers escalate privileges and infect the system with IptabLes or IptabLex malware.
Mitigating this threat to Linux systems involves patching and hardening the Linux system, antivirus detection, and cleaning infected systems.
SANS Institute provides fundamental Linux server hardening procedures, which can be accessed from the advisory.
Rate limiting and a YARA rule are provided to stop DDoS attacks from IptabLes and IptabLex bots.
Tomi Engdahl says:
NATO nations ‘will respond to a Cyber attack on one as though it were on all’
If we agreed it was serious and we knew who did it, anyway
http://www.theregister.co.uk/2014/09/03/nato_article_v_mutual_defence_principle_applies_to_cyberspace/
NATO is set to agree a new cyber defence policy that would mean any severe cyber attack on a NATO member could be considered tantamount to a traditional military attack and invoke the alliance’s collective defence provisions.
Article V is the collective defence clause of the NATO treaty by which an attack on one member is considered an attack on all. Extending this rule to cyberspace is on the agenda for a NATO summit in and around Cardiff, Wales later this week, the New York Times reports.
Cyberspace is considered by military strategists as the fifth domain of war – land, sea, air and space are the first four.
Infosec experts reckon the collective defence clause is unlikely to be invoked in anything but the most extreme instances, in which case a broader armed conflict is likely to have erupted.
Tomi Engdahl says:
There’s child porn in the massive celebrity nudes hack
http://www.dailydot.com/news/reddit-fappening-celebgate-mckayla-liz-lee-child-porn/
The saga of the illegally obtained nude photos of dozens of celebrities has taken a darker turn. According to Reddit administrators, photos of gymnast McKayla Maroney and MTV actress Liz Lee, shared to 130,000 people on popular forum r/TheFappening, constitute child pornography.
Maroney’s lawyers have confirmed that the illegally obtained photos were taken while the gymnast was underage.
The ongoing leak—dubbed #CelebGate, or more distastefully, “the Fappening”—includes naked photos of A-listers including Jennifer Lawrence and Kate Upton. It’s prompted outrage, and threats of legal actions from the women targeted. It has since emerged that the photos of at least one of the celebrities were taken when they were under 18.
Despite the proliferation of child pornography across r/TheFappening—in addition to the stolen intimate photos of adult celebrities—the Reddit admins have chosen not to remove the community
Tomi Engdahl says:
Reddit’s privacy rules fail as celebrity nudes spread like wildfire
http://www.dailydot.com/business/reddit-jennifer-lawrence-kate-upton-nude-photos-leak-privacy-dox-ban/
The flagrant sharing of these intimate photos has sparked a strange conflict among Redditors: The site has a robust position as a platform for unfiltered free speech, but redditors also fiercely guard their privacy. Disclosing the identity of, or “doxing,” other users is strictly prohibited by Reddit’s rules, and users who violate it are regularly banned from the site. For now, however, it looks like the “free speech” side is winning.
Originally leaked to 4chan’s notorious /b/ imageboard by a hacker allegedly seeking Bitcoin donations, the photos have spread across the Internet like wildfire, to the dismay of the celebrities involved.
Reddit’s site-wide rules forbid the posting of “personal information,” which these photos certainly seem to constitute. Posting “publicly available” information on celebrities is acceptable—but “it is not okay” to post links to “screenshots of Facebook profiles,” or anything potentially “inviting harassment.”
Twitter is actively deleting the photos
“It seems pretty scummy (to me, at least) to allow this stuff here since it was obtained without the consent of the women involved,”
Tomi Engdahl says:
NUDE SELFIE CLOUD PERV menace: Apple 2FA? More like Sweet FA
But be fair to the Fruitchompers: Clouds are Clouds
http://www.theregister.co.uk/2014/09/03/apple_celeb_pic_flap_2fa_bad_advice/
Apple’s two-factor authentication currently fails to protect iCloud backups or photo streams, contrary to what many iPhone and iPad strokers might wish to believe.
System security weaknesses, along with weak passwords, are believed to be to blame for enabling hackers to gain full access to the iCloud accounts. In response, Apple advised punters to use its two-factor authentication technology, as previously reported.
This, as it turns out, is spin that only helps in taking the heat off Apple rather than preventing a repetition of something similar happening again.
iCloud backups can be installed on new devices with only an Apple ID and password. The use of two-factor authentication technology does have a role in iCloud but only when it comes to signing in to “My Apple ID” to manage an account; or when making iTunes, App Store, or iBookstore purchases from a new device or (lastly) getting Apple ID-related support from Apple.
It is NOT necessary to enter a verification code to restore a new device from an iCloud backup, a built-in design feature that hackers seem to have latched onto.
Hackers may have obtained celebrity passwords through guessing security questions, phishing or malware-based attacks. The exact route is unclear.
It may even be possible to access iCloud backups using only an iTunes authentication token completely getting around the need to obtain an Apple ID and password. Law enforcement officials would be able to get ahold of this token from a suspect’s PC while hackers might be able to obtain it through more nefarious means, either malware or phishing.
Apple’s particular shortcomings have been fairly well known in the field of computer forensics, if not the wider IT market, for some time. E
Tomi Engdahl says:
Scared of brute force password attacks? Just ‘GIVE UP’ says Microsoft
Choose simple password, reuse it, ignore password strength meter and pray
http://www.theregister.co.uk/2014/09/04/scared_of_password_brute_force_microsoft_says_just_give_up/
Sysadmins trying to harden user passwords against brute force attacks, or everyday folks trying to make sure their passwords don’t lead to nude selfie leaks may not need to bother, according to the latest research from Microsoft mavericks.
Microsoft password provocateurs Dinei Florencio and Cormac Herley say password hardening isn’t worth the effort to protect against brute force attacks – advice that came two months after they derailed the best practise wagon by stating everyone should choose simple login credentials and reuse them across websites.
Strength meters – the small bars that tell you if your password is weak or strong – are useless, the pair argue. So are guidelines suggesting users must have a mix case and special characters or be of some pre-defined length.
“Honesty” they said “demands a clear acknowledgement that we don’t know how to [resist offline password guessing]: attempts to get users to choose passwords that will resist offline guessing … must largely be judged failures.”
Rather than rely on what were formerly considered truth bombs from the likes of xkcd and other security bods that passwords ought to be lathered in entropy,
Tomi Engdahl says:
Password Strength
http://xkcd.com/936/
Tomi Engdahl says:
Major cyber attack hits Norwegian oil industry
Statoil, the gas giant behind the Scandie social miracle, targeted
By John Leyden, 27 Aug 2014
http://www.theregister.co.uk/2014/08/27/nowegian_oil_hack_campaign/
More than 50 Norwegian oil and energy companies have been hacked by unknown attackers, according to government security authorities.
A further 250 firms have been advised by the Norwegian government that they ought to check their networks and systems for evidence of a breach, The Local reports.
State-owned Statoil, Norway’s largest petro company, appears to be the main target of what’s described as the country’s biggest ever hack attack.
The methods and motives of the unknown perpetrators remain unclear.
Three years ago, at least ten oil, gas and defence sector firms in Norway were hacked via targeted spear-phishing emails.
Tomi Engdahl says:
4chan adopts DMCA policy after nude celebrity photo postings
Site agrees to remove “bona fide” infringing material if asked.
http://arstechnica.com/tech-policy/2014/09/4chan-adopts-dmca-policy-after-nude-celebrity-photo-postings/
In the wake of the release of stolen, intimate photos from a number of celebrities’ cell phones this past weekend on 4chan’s /b/ Web forum, the site has added something to its rules and policies—a Digital Millennium Copyright Act takedown policy.
Tomi Engdahl says:
Phone Firewall Identifies Rogue Cell Towers Trying to Intercept Your Calls
http://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/
Rogue cell phone towers can track your phone and intercept your calls, and it’s only a matter of time before they’re as ubiquitous as GPS trackers. But at least now there’s a way to spot them.
A firewall developed by the German firm GSMK for its secure CryptoPhone lets people know when a rogue cell tower is connecting to their phone. It’s the first system available that can do this, though it’s currently only available for enterprise customers using Android phones.
GSMK’s CryptoPhone 500, a high-end phone that costs more than $3,000 and combines a Samsung Galaxy S3 handset with the CryptoPhone operating system, offers strong end-to-end encryption along with a specially hardened Android operating system that offers more security than other Android phones and the patented baseband firewall that can alert customers when a rogue tower has connected to their phone or turned off the mobile network’s standard encryption.
Tomi Engdahl says:
Here’s What We Know So Far About The Celebrity Photo Hack
http://techcrunch.com/2014/09/01/heres-what-we-know-so-far-about-the-celebrity-photo-hack/?ncid=rss&cps=gravity
Tomi Engdahl says:
Everyone has things on their phones they don’t want other people to see. Everyone.
Source: http://techcrunch.com/2014/09/03/a-letter-to-jennifer-lawrence/?ncid=rss&cps=gravity
Tomi Engdahl says:
Did you code a bug, did you lose reputation? Cyber insurance may replace some of it
Insurer Aon offers companies “cyber insurance”. Aon carries out the cyber risk evaluation in co-operation with the IT services company CGI.
The cyber insurance deductible and the premium depend on the assessment. Security problems highlighted by the risk assessment can also be corrected, after which the premiums go down.
Insurance is typically taken out for critical control systems, where an incident would cause financial and information losses and damage to reputation. The insurance may also cover contractual liabilities, including human errors and programming errors.
Source: http://www.tivi.fi/kaikki_uutiset/tuliko+koodiin+kammi+meniko+maine+kybervakuutus+voi+korvata/a1008861
Tomi Engdahl says:
How I Hacked My Own iCloud Account, for Just $200
http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/
Over the course of the last few days, I’ve written a number of articles related to the celebrity photo thefts that surfaced Sunday. Many of those posts have focused on how safe — or unsafe — various cloud service providers are.
On Tuesday, while doing research into the origins of these thefts and the culture around them, I kept coming across references to Elcomsoft Phone Password Breaker, a piece of software colloquially known as EPPB in various underground communities.
EPPB is a program that makes it possible for a user to download iCloud backups from Apple’s iCloud servers onto a computer. Once there, the backups can be scoured for information including camera rolls, messages, email attachments and more.
In essence, the app reverse-engineers Apple’s “restore iOS backup” functionality, only instead of downloading the backed up data to a physical device, it downloads it to the cloud.
The application, which costs between $79.99 and $400 depending on the version, can also be used to retrieve backups from Windows Live (now OneDrive) and to unlock access to BlackBerry, BlackBerry 10 and iOS backups.
For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud.
Breaking into iCloud is way easier than I thought it would be
All you need is someone’s iCloud password and then, two-factor authentication or not, you can download the content of their iCloud backups in minutes.
As Nik Cubrilovic outlines in his excellent post on the data theft, there are a few common vectors (that is, attack holes) for obtaining an iCloud password. Cubrilovic lists them in order of popularity and effectiveness:
Password reset (secret questions / answers)
Phishing email
Password recovery (email account hacked)
Social engineering / RAT install / authentication keys
Even though my iCloud password was purposefully chosen to be easy to crack, I want to make one thing clear: I had two-factor verification turned on for this account.
What makes this even worse is that Apple is encouraging users to use “strong passwords and two-step verification.” That’s all well and good, but in this case, two-step verification wouldn’t have mattered. If someone can get physical or remote access to a computer that uses iCloud or successfully convince a user to click on a phishing email for iTunes and get a password, an iCloud backup can be downloaded remotely, two-factor verification or not.
For $400 I could steal iCloud data from everyone in my office
The basic “professional” version of Elcomsoft’s EPPB allows users to download iCloud data with a username and password. For $400, the forensic version of the software goes one step further: You don’t even need access to the password. You just need to have remote or physical access to a machine where someone is logged into the iCloud control panel.
That’s because Elcomsoft has created a tool that can offer access to iCloud backups simply by copying an iCloud authentication token from Windows or OS X.
Steps Apple should take now to improve iCloud security
1. Encrypt iCloud backups.
2. Stop storing iCloud Authentication Tokens in plaintext. It’s insane that I could access my colleagues’ iCloud backups just by spending 60 seconds at their computer.
3. Make two-factor authentication actually protect something more than just payment methods.
4. Make two-factor verification easier to set up. Apple’s current process is ad-hoc at best and is not easy to set up.
5. Be more transparent about how secure iCloud backups are and how easy it is for others to access that data.
Tomi Engdahl says:
Tim Cook Says Apple to Add Security Alerts for iCloud Users
Apple CEO Denies a Lax Attitude Toward Security Allowed Hackers to Post Nude Photos of Celebrities
http://online.wsj.com/news/article_email/tim-cook-says-apple-to-add-security-alerts-for-icloud-users-1409880977-lMyQjAxMTA0MDAwNDEwNDQyWj
Apple Inc. said it plans additional steps to keep hackers out of user accounts but denied that a lax attitude toward security had allowed intruders to post nude photos of celebrities on the Internet.
In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company’s servers.
To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device or when a device logs into an account for the first time. Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.
Apple said it plans to start sending the notifications in two weeks. It said the new system will allow users to take action immediately, including changing the password to retake control of the account or alerting Apple’s security team.
“There’s a well-understood tension between usability and security,” said Ashkan Soltani, an independent security researcher who has worked with The Wall Street Journal in the past. “More often than not, Apple chooses to err on the side of usability to make it easier for the user that gets locked out from their kid’s baby photos than to employ strong protections for the high-risk individuals.”
He said the new notifications “will do little to actually protect consumers’ information since it only alerts you after the fact.”
Tomi Engdahl says:
Hackers breach Healthcare.gov, but no personal data stolen
Hackers infiltrated the US government’s healthcare portal, but did not steal any data uploaded by customers.
http://www.cnet.com/au/news/healthcare-gov-hacked-no-personal-data-stolen/
The US health care registration website HealthCare.gov was breached by as-yet unidentified hackers over the summer, but investigators said that no personal data was stolen.
However, the people behind the hack were able to upload malware, the Wall Street Journal reported on Thursday. The hack is believed to be the first successful attack against HealthCare.gov and was discovered at the end of August by Department of Health and Human Services employees.
The website opened last year as part of the Affordable Care Act to help Americans compare and purchase health insurance.
The breach comes on the heels of numerous recent and severe website breaches where attackers stole personal data including the bank JPMorgan, the European Central Bank, Apple’s iCloud online storage service, and the UPS Store.
Tomi Engdahl says:
Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses
http://it.slashdot.org/story/14/09/04/1935246/privacy-vulnerabilities-in-coursera-including-exposed-student-email-addresses
Tomi Engdahl says:
Hackers Break Into HealthCare.gov
http://it.slashdot.org/story/14/09/04/2210226/hackers-break-into-healthcaregov
A computer server that routinely tests portions of the website wasn’t properly set up. It was never supposed to be connected to the Internet — but someone had accidentally connected it anyway.
“Our review indicates that the server did not contain consumer personal information”
Tomi Engdahl says:
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
http://www.theregister.co.uk/2014/08/29/we_need_less_us_in_our_www_neelie_kroes/
Europe’s digital chief Neelie Kroes will reiterate her commitment to “international governance of the internet” later today – that’s code for a smaller role for the US.
The European Commissioner will represent the EU at the ninth Internet Governance Forum (IGF) in Istanbul, Turkey, next week and will push for a more “global governance of key internet functions”.
The UN-backed IGF will see countries from around the world come together to discuss how best to manage the internet. Many of them will be alongside the EU in calling for a “multi-stakeholder model” – aka, less US influence.
Tomi Engdahl says:
As Promised, Facebook’s Privacy Checkup Has Arrived
http://recode.net/2014/09/04/as-promised-facebooks-privacy-checkup-has-arrived/
Facebook doesn’t want you over-sharing — seriously! — and it’s ready to prove it.
The social network is asking all of its 1.3 billion users to complete a privacy checkup, a short online exercise where users review who they’re sharing with on the platform. Facebook announced the checkup in May, but only tested it with a small subset of users over the past several months. Now, it’s ready for a full rollout.
The checkup includes a review of who can see your posts (categories like “public,” “friends” or “only me”), which third-party apps you’ve linked your account to, and which information you’re currently sharing in your bio. None of these privacy controls are new — Facebook is simply drawing attention to them in a new way.
For the majority of users, this will be a new experience. Earlier this year, Facebook started alerting users who share posts publicly to review their settings, but the company has never actively asked users to check their app permissions or bio information, said Paddy Underwood, a product manager on Facebook’s privacy team.
Tomi Engdahl says:
Europol will have its own cyber strike task force
An international special unit to monitor and prevent cyber crime has been launched under Europol. The so-called J-CAT (Joint Cybercrime Action Taskforce) was established on the initiative of Europol’s cyber crime department, EU special units, the United Kingdom’s national police organization NCA and the United States Federal Bureau of Investigation, FBI.
So far, J-CAT includes Austria, Canada, Germany, France, Italy, the Netherlands, Spain, the United Kingdom and the United States. J-CAT operates from Europol headquarters.
“This is the first step in a long journey towards an open, transparent and free but also safe Internet,”
Source: http://www.tivi.fi/uutisia/europol+saa+oman+kyberiskuryhman/a1009106
Tomi Engdahl says:
Today the Joint Cybercrime Action Taskforce (J-CAT) is launched to further strengthen the fight against cybercrime in the European Union and beyond. Hosted at the European Cybercrime Centre (EC3) at Europol, the J-CAT, which is being piloted for six months, will coordinate international investigations with partners working side-by-side to take action against key cybercrime threats and top targets, such as underground forums and malware, including banking Trojans. The J-CAT will be led by Andy Archibald, Deputy Director of the National Cyber Crime Unit from the UK’s National Crime Agency (NCA).
Source: https://www.europol.europa.eu/content/expert-international-cybercrime-taskforce-launched-tackle-online-crime
Tomi Engdahl says:
Robin Hood virus: Chinese hackers target nation’s wealthy
Steal from the rich, give to yourself
http://www.theregister.co.uk/2014/09/05/chinas_rogue_hackers_forget_espionage_lets_hack_the_rich/
It seems China’s state-supported hackers are being overshadowed by the black hat scene as the latter appears to have doubled in size – with some brazen crackers turning to carding the nation’s wealthiest.
Chief security officer Tom Kellerman told Dark Reading the crackers were targeting the nation’s “bourgeois, nouveau-riche Chinese elite who have profited from capitalism” as well as those in other countries.
“[Beijing] has been focused externally … on information dominance and espionage,” Kellerman told the publication.
“[The black hats] who are not beholden to the regime … believe money is god and believe that crime has evolved with technology.”
“The Chinese underground has continued to grow [and] is still highly profitable, the cost of connectivity and hardware continues to fall, and there are more and more users with poor security precautions in place,” Gu said.
“In short, it is a good time to be a cyber criminal in China. So long as there is money to be made, more people may be tempted to become online crooks themselves.”
Tomi Engdahl says:
What could possibly go wrong? Banks could provide ID assurance for Gov.UK – report
Personal data stored by financial institutions? Wow.
http://www.theregister.co.uk/2014/09/05/banks_could_play_role_as_id_assurance_providers_for_government_services_report_finds/
Personal data could be stored by banks and used to verify the identity of individuals that wish to use government digital services, according to a new report.
A pilot study undertaken by Lloyds Banking Group found that there is scope for banks to act as identity (ID) assurance providers for online government services (14-page/535KB PDF) because of the trust consumers would have in that arrangement.
“Banks have long been the holders and guardians of personal information relating to their millions of customers such as name, address, phone numbers, financial history, etc,” the report said.
“Moreover they go through rigorous verification processes to ensure this information is accurate and that their customers are who they say they are (in compliance with Anti Money Laundering (AML), and Know Your Customer (KYC) regulations).”