2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clarification of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year, from $2.1 billion to a forecast $3.1 billion in 2015.
Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and a dispersed user base also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues. The value of the crypto-currencies varies a lot, and the value easily drops considerably once they become so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments
Tomi Engdahl says:
Don’t be a DDoS dummy: Patch your NTP servers, plead infosec bods
Popular attack method could be stopped with a config tweak
http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project/
Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems.
Network Time Protocol (NTP) offers a means of synchronising clocks over a computer network. Features of the simple UDP-based protocol mean it is possible to abuse it to return a large reply to a small request.
The technique was used to take down Battle.net, League of Legends, Steam and other gaming sites in late December for reasons that still remain unclear, weeks later.
Symantec recorded a “significant spike in NTP reflection attacks” in general over the Christmas season.
DNS-based reflection and amplification attacks were used in high volume attacks against Spamhaus and others in 2013. “NTP-based attacks use similar techniques, just a different protocol,” CloudFlare, the web security firm that helped Spamhaus mitigate last year’s packet flood, explains.
The message to web admins and ISPs in both cases is clear: fix your servers and prevent them from participating in amplification attacks. Resolving misconfiguration problems in either case is straightforward and shouldn’t take more than a few minutes. In the case of open DNS resolvers the fix involves configuration changes, while open NTP servers can be taken out of the pool of systems open to abuse by cybercrooks through either patching or disabling an abusable service.
Publicly accessible NTP servers can be abused to swamp a target system with UDP traffic. An attacker would send a series of “get monlist” requests to a vulnerable NTP server, with the source address spoofed to be the victim’s.
Open NTP servers are the new open DNS resolvers. In just the same way that openresolverproject.org aimed to list open DNS resolvers, a new service called openntpproject.org lists open NTP servers.
US-CERT advises sys admins to either disable the monlist functionality within the NTP server or to upgrade to the latest version of the technology (NTP 4.2.7), which doesn’t automatically enable the problematic monlist service. A small query can redirect megabytes of traffic, security experts at the SANS Institute’s Internet Storm Centre warn.
Tomi Engdahl says:
Alert (TA14-013A)
NTP Amplification Attacks Using CVE-2013-5211
http://www.us-cert.gov/ncas/alerts/TA14-013A
A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible NTP servers to overwhelm a victim system with UDP traffic.
As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.
To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
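The two comments above describe the monlist exposure and its configuration fix. The following is an added example, not part of the US-CERT alert or the blog comment: it audits ntp.conf text for the “restrict default” lines and reports whether each lacks “noquery”, and also recognises the “disable monitor” directive, the other ntpd setting that turns off the monitor facility. The two sample configurations are constructed, one weak and one matching the alert’s fix.

```python
"""Audit ntp.conf 'restrict' lines for the monlist exposure described above.

Added example (not part of the US-CERT alert or the blog comment). It parses
ntp.conf text, finds 'restrict default' / 'restrict -6 default' lines and
reports whether each carries 'noquery'. It also recognises 'disable monitor',
the other ntpd directive that turns off the monitor/monlist facility.
"""

# Constructed sample: the weak configuration (no 'noquery') beside the
# corrected one from the alert.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# mode 7 queries such as monlist are still answered here
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

FIXED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def _strip_comment(raw):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_restrict_lines(conf_text):
    """Return a list of (scope, flags) for 'restrict default' lines.

    scope is 'ipv4' for 'restrict default ...' and 'ipv6' for
    'restrict -6 default ...'; flags is the set of keywords after 'default'.
    Comment-only and blank lines are skipped, as are per-host restrict lines.
    """
    entries = []
    for raw in conf_text.splitlines():
        tokens = _strip_comment(raw).split()
        if not tokens or tokens[0] != "restrict":
            continue
        scope = "ipv4"
        rest = tokens[1:]
        if rest and rest[0] == "-6":
            scope = "ipv6"
            rest = rest[1:]
        elif rest and rest[0] == "-4":
            rest = rest[1:]
        if not rest or rest[0] != "default":
            continue  # per-host restrict line, not the default policy
        entries.append((scope, set(rest[1:])))
    return entries


def monitor_disabled(conf_text):
    """True if a 'disable monitor' directive is present outside comments."""
    for raw in conf_text.splitlines():
        tokens = _strip_comment(raw).split()
        if len(tokens) >= 2 and tokens[0] == "disable" and "monitor" in tokens[1:]:
            return True
    return False


def audit_ntp_conf(conf_text):
    """Describe the monlist exposure of the given ntp.conf text.

    'exposed' is True when some default restrict scope lacks 'noquery' and
    the monitor facility has not been disabled outright.
    """
    entries = parse_restrict_lines(conf_text)
    missing = [scope for scope, flags in entries if "noquery" not in flags]
    # No 'restrict default' line at all means ntpd applies no default
    # restriction, which is at least as exposed as a line without noquery.
    if not entries:
        missing = ["ipv4", "ipv6"]
    disabled = monitor_disabled(conf_text)
    return {
        "default_lines": len(entries),
        "missing_noquery": missing,
        "monitor_disabled": disabled,
        "exposed": bool(missing) and not disabled,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        result = audit_ntp_conf(conf)
        status = "EXPOSED" if result["exposed"] else "ok"
        print(f"{name}: {status}, missing noquery on {result['missing_noquery']}")
```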
Tomi Engdahl says:
Ex-Google, Mozilla bods to outwit EVIL BOTS with ‘polymorphic’ defence
ShapeShifter will see off automated attacks on websites
http://www.theregister.co.uk/2014/01/21/shapeshifter/
Startup Shape Security is re-appropriating a favourite tactic of malware writers in developing a technology to protect websites against automated hacking attacks.
Trojan authors commonly obfuscate their code to frustrate reverse engineers at security firms. The former staffers from Google, VMWare and Mozilla (among others) have created a network security appliance which takes a similar approach (dubbed real-time polymorphism) towards defending websites against breaches – by hobbling the capability of malware, bots, and other scripted attacks to interact with web applications.
When a ShapeShifter appliance protects a website, instead of encountering an application with fixed elements that are trivial to program an attack against, cybercriminals now face the difficult task of getting their malware to interact with a web app that is a moving target, constantly rewriting itself. This is done while keeping all of the user interaction functionality intact for legitimate users. And it works better than earlier approaches such as IP reputation or throttling, the pitch goes.
Shape Security said its technology is able to defend against common hacking attacks such as SQL injection attacks as well as attempts by hackers to brute force logins to websites and application layer DDoS attacks.
“ShapeShifter institutes the same new policy for every website visitor, regardless of whether it is a legitimate user or an attacker: real-time polymorphism,”
No change to a customer web applications is needed in order to deploy the technology, Ghosemajumder adds.
“The pricing model is still being finalised, but we are considering a subscription model as well as an appliance sales model,
Tomi Engdahl says:
Millions of passwords and email details stolen in Germany
http://www.bbc.co.uk/news/technology-25825784
The passwords and other details of 16 million email users in Germany have been stolen, the country’s security agency has revealed.
The Federal Office for Security said criminals had infected computers with software which allowed them to gather email addresses and account passwords.
It has set up a website for people to check whether they have been victims.
Tomi Engdahl says:
DNS poisoning ‘attack’ leaves millions in China dangling free of t’ interwebs
ISP blames unspecified attack for morning outage
http://www.theregister.co.uk/2014/01/21/china_dns_poisoning_attack/
A widespread DNS outage hit China on Tuesday, leaving millions of surfers adrift.
Chinese netizens were left unable to visit websites or use social media and instant messaging services as a result of the screw-up
A fix was implemented around two hours after the snag first surfaced.
All China’s generic top-level domain names were affected.
Tomi Engdahl says:
Bluetooth Hackers Allegedly Skimmed Millions Via Gas Stations
http://www.wired.com/threatlevel/2014/01/gas-station-skimming-scheme/
Thirteen suspects have been indicted in New York on a gas station skimming scheme that netted them more than $2 million, according to court documents.
The skimming devices, placed on card readers at gas station pumps throughout the southern U.S., recorded credit and debit card data, as well as PINs, which the thieves then used to withdraw more than $2 million from ATMs.
Some of the skimming devices were placed on pumps at Raceway and Racetrac gas stations throughout Texas, Georgia, and South Carolina. The devices were Bluetooth enabled, so the thieves could simply download the stolen data from the skimming device without having to remove it.
Tomi Engdahl says:
Hey, Silk Road dealers: Looking for new life? Pay for a biz course with Bitcoin
Cumbria Uni allows students to bankroll ‘sustainable exchange’ lectures with crypto currency
http://www.theregister.co.uk/2014/01/22/britains_bitcoin_university_courses/
A British university has become the first educational establishment in the world to allow its students to pay fees using Bitcoin.
However, Cumbria University admitted it has no way of checking whether pupils had earned their virtual crypto currency by stealing, through botnets, by legitimate mining and trading, or via drug sales on Silk Road.
It will allow students to stump up their fees using an online payment system provided by a US firm called Bitpay.
Tomi Engdahl says:
New report outlines cybersecurity challenges in developing countries
16 Jan 2014 6:00 AM
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/01/16/new-report-outlines-cybersecurity-challenges-in-developing-countries.aspx
On Thursday, Microsoft released a new study entitled The Cybersecurity Risk Paradox. The new report focuses on specific ways that social and economic factors affect cybersecurity outcomes worldwide.
While increased Internet access and more mature technological development is correlated with improvement in cybersecurity at the global level, it has the opposite effect among countries with developing economies and lower levels of technological development. Specifically, we saw that as these countries increased their digital access, they experienced a rise in malware rates.
This suggests that countries with a developing level of technology usage may be unprepared to secure their technology infrastructure commensurate with the increase in citizen use of computer systems, which provides greater opportunity for malware to spread unchecked. These countries are typically less mature in their security capabilities for newly deployed technologies, which helps explain why regional malware infection-rate increases are observed as digital access increases.
However, there appears to be a certain level of technology maturity at which countries develop enough technological sophistication that they can curb the growth of malware, which we refer to as the tipping point. When a country crosses the tipping point, increased access ceases to encourage the growth of malware and begins to reduce it. Improving digital access after that point correlates with improved cybersecurity – the effect observed in more technologically mature countries.
The Cybersecurity Risk Paradox
http://download.microsoft.com/download/E/1/8/E18A8FBB-7BA6-48BD-97D2-9CD32A71B434/Cybersecurity-Risk-Paradox.pdf
Linking Cybersecurity Outcomes and Policies
http://blogs.technet.com/b/security/archive/2013/02/07/connections-among-socio-economic-factors-public-policies-amp-cybersecurity-outcomes.aspx
Tomi Engdahl says:
Time for an international convention on government access to data
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/01/20/time-for-an-international-convention-on-government-access-to-data.aspx
Last week, President Obama spoke about the role of the National Security Agency and announced some important changes to the surveillance practices of the U.S. government.
There is more work to do to define some of the details and additional steps that are needed, so we’ll continue to work with both the administration and Congress to advocate for reforms consistent with the principles our industry outlined in December.
This week, the World Economic Forum holds its annual meeting in Davos, Switzerland where these same issues of data privacy and reform of government surveillance will be on the agenda. We hope that these discussions will spur a focus on the international steps that governments can take together.
Historically, the tension between public safety and individual liberty often arises first in moments of national crisis.
The issues this time are even more complicated today than in the past. The War against Terrorism is more permanent than these prior wars. Hence, a moment has passed, but an era of concern continues.
In addition, technology is more ubiquitous than ever, and the issues involved are more global. The issues of the last year have reminded the world that the strong protections afforded by the U.S. Constitution and in U.S. law seldom apply to other countries’ citizens. In addition, we’ve all been reminded that surveillance takes place by governments internationally. And as industry reports make clear, governments around the world demand access to customer data.
As a result, we need to broaden the topic and bring together governments to create a new international legal framework.
Many complicated questions remain.
Tomi Engdahl says:
Ex-Googlers’ Startup Shape Turns Hackers’ Code-Morphing Tricks Against Them
This story appears in the February 10, 2014 issue of Forbes.
http://www.forbes.com/sites/andygreenberg/2014/01/21/ex-googlers-startup-shape-turns-hackers-code-morphing-tricks-against-them/
For decades the information security industry’s default analogy has been virus versus antivirus, a futile race to detect hackers’ weapons as they constantly mutate.
Now a few security veterans are flipping the game: Deciphering a shape-shifting chunk of code is about to become the attacker’s problem.
In late January a team of entrepreneurs out of Google and the defense world unveiled a startup called Shape Security. The 58-person Mountain View, Calif. company sells a pizza-box-size appliance called a ShapeShifter that plugs into a company’s network and obfuscates the code behind the customer’s website. It replaces variables with random strings of characters that change every time a page is loaded, all without altering the way the site appears to human visitors. This trick, known as polymorphism, makes it vastly more difficult for cybercriminals to use automated tools to crack passwords, scrape content from thousands of sites or use malware-infected PCs to spy on victims’ online banking.
“We realized that so much frontline hacking is occurring in this automated, scripted fashion,” says Shape’s CEO, Derek Smith. “That germinated into the idea of turning polymorphism against the hackers.”
Shape was born in 2010
Shape’s challenges include persuading chief security officers to add yet another security appliance to their crowded data centers and ensuring that its code-scrambling trick doesn’t slow down a customer’s busy website or jumble the way it looks, says Jeremiah Grossman, chief technology officer of WhiteHat Security and well-known Web-hacking researcher. But “if anyone can make this work, it’s this team,” he says.
If ShapeShifters do find their way into data centers around the Internet, expect cyber-criminals to find new ways around them. If criminals can’t read the HTML to figure out what part of the site to attack, they might use image recognition to study how the website looks or even hire humans to fill in for bots. Shape says it’s already filing patents for the next phases of that game, though it’s keeping mum on those tricks to avoid tipping off the bad guys.
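Both Shape Security pieces above (the Register article earlier in the comments and this Forbes story) describe the idea of rewriting a page’s fixed identifiers into random strings on every load while keeping it usable for humans. The code below is an added illustration of that concept, not Shape’s code and not a description of how ShapeShifter works internally: form field names are replaced with per-response aliases, and the server translates a submission back through a single-use mapping. The PolymorphicForm class, the pf_token field and the sample login form are all constructed for this example.

```python
"""Illustration of per-response renaming of form fields ("polymorphism").

Added example; not Shape Security's code. A script written against one copy
of the page (static names 'username', 'password', 'csrf') will not match the
next rendering, and a submission that reuses a previous rendering's mapping
is rejected because each mapping is single use.
"""
import re
import secrets

# Constructed sample page: a fixed login form, the kind of static target an
# automated credential-testing script would be written against.
ORIGINAL_HTML = """\
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <button type="submit">Sign in</button>
</form>
"""

NAME_ATTR = re.compile(r'name="([A-Za-z0-9_]+)"')


def field_names(html):
    """List the name= attributes in an HTML fragment, in document order."""
    return NAME_ATTR.findall(html)


class PolymorphicForm:
    """Rewrite field names per response and translate them back on submit."""

    def __init__(self, max_pending=1000):
        self._maps = {}      # token -> {alias: real_name}, one per rendering
        self._order = []     # insertion order, for bounded memory
        self._max_pending = max_pending

    def render(self, html):
        """Return (token, rewritten_html); every name= gets a fresh alias."""
        aliases = {}

        def swap(match):
            real = match.group(1)
            if real not in aliases:
                # 'f' prefix keeps the alias a plain identifier-like name
                aliases[real] = "f" + secrets.token_hex(8)
            return 'name="%s"' % aliases[real]

        rewritten = NAME_ATTR.sub(swap, html)
        token = secrets.token_urlsafe(16)
        self._maps[token] = {alias: real for real, alias in aliases.items()}
        self._order.append(token)
        if len(self._order) > self._max_pending:
            self._maps.pop(self._order.pop(0), None)
        # Embed the token so the server can locate this rendering's mapping.
        hidden = '  <input type="hidden" name="pf_token" value="%s">\n</form>' % token
        return token, rewritten.replace("</form>", hidden)

    def translate(self, form_data):
        """Map a submitted {alias: value} dict back to real field names.

        Returns None when the token is unknown, already used, or when a field
        name does not belong to that rendering; that is what a replayed or
        hand-crafted submission looks like to the server.
        """
        token = form_data.get("pf_token")
        mapping = self._maps.pop(token, None)  # single use
        if mapping is None:
            return None
        real = {}
        for alias, value in form_data.items():
            if alias == "pf_token":
                continue
            if alias not in mapping:
                return None
            real[mapping[alias]] = value
        return real
```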
Tomi Engdahl says:
Why Bitcoin Matters
By MARC ANDREESSEN
http://dealbook.nytimes.com/2014/01/21/why-bitcoin-matters/?_php=true&_type=blogs&_r=0
On the Matter of Why Bitcoin Matters
https://medium.com/the-magazine/23e551c67a6
Marc Andreessen was a big part of turning the Web into a mainstream experience, but seems to misunderstand Bitcoin profoundly, writes Glenn Fleishman.
Tomi Engdahl says:
Scientists Detect Two Dozen Computers Trying To Sabotage Tor Privacy Network
http://yro.slashdot.org/story/14/01/22/0122225/scientists-detect-two-dozen-computers-trying-to-sabotage-tor-privacy-network
“Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit”
“Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated.”
Tomi Engdahl says:
Spy-proof your life: The ‘Blackphone’ and other gadgets to help battle Big Brother
http://uk.news.yahoo.com/spy-proof-your-life–the–blackphone–and-other-gadgets-to-help-battle-big-brother-100355552.html
Hi-tech company Silent Circle have opened up to Yahoo News about the snooper-proof gadget – part of a wave of new apps and gadgets built to protect our privacy from criminals – and governments.
A new hi-tech smartphone which claims to protect emails and phone calls even against the all-seeing eye of the American secret services was unveiled this week – part of a wave of new apps built to protect privacy.
a modified Android phone which offers encrypted communications anywhere in the world, and protection from ‘prying eyes’ – designed by military experts and encryption veterans from a company, Silent Circle.
the sleek black slab runs PrivatOS, a modified version of Android
Blackphone will be unveiled at Mobile World Congress in February.
“Saying anything is NSA-proof is a bit like a red flag to a bull,” Cluley says. “If a device like this becomes the de facto standard for those who wish to keep their conversations private from the authorities, you can bet your bottom dollar that glory-seeking hackers and intelligence agencies around the world will investigate ways in which they might be able to snoop upon it.”
“Even devices designed for secure communications might be compromised if the spies manage to get physical access to the device, or managed to meddle with it (or its components) before it was delivered to you in the first place.”
The revelations from Edward Snowden about the global scale of American electronic espionage has sparked a trend for apps and gadgets designed to protect data – and offer privacy. Apps such as Confide offer privacy-focused messaging for business – messages appear a line at a time (to prevent covert screenshots of the whole message), then self-destruct.
Snoopwall – for Android – monitors apps for signs of snooping, and stops them
Confide, for iPhone offers self-deleting messages, similar to the popular photo service Snapchat, but aimed at business.
Surespot, for Android, allows users to send voice messages and texts, protected by the same near-unbreakable 256-bit AES encryption approved by the U.S. government for transmitting information classified as “top secret”.
Encrypted USB drives allow you to store important information offline
For the seriously paranoid, new gadgets even offer ‘cloaking’ against spies scanning mobile networks
“Today millions of people are tracked through their mobile devices. It’s not just when you’re using your phone, it’s 24/7 everywhere you go,”
Tomi Engdahl says:
Orwellian year 2014:
Ukraine’s Opposition Says Government Stirs Violence
http://www.nytimes.com/2014/01/22/world/europe/ukraine-protests.html?_r=1
The government’s opponents said three recent actions had been intended to incite the more radical protesters and sow doubt in the minds of moderates: the passing of laws last week circumscribing the right of public assembly, the blocking of a protest march past the Parliament building on Sunday and the sending of cellphone messages on Tuesday to people standing in the vicinity of the fighting that said, “Dear subscriber, you are registered as a participant in a mass disturbance.”
“It seems someone is interested in this chaos,” Mr. Lavrov said Tuesday at a news conference in Moscow.
The phrasing of the message, about participating in a “mass disturbance,” echoed language in a new law making it a crime to participate in a protest deemed violent. The law took effect on Tuesday. And protesters were concerned that the government seemed to be using cutting-edge technology from the advertising industry to pinpoint people for political profiling.
Three cellphone companies in Ukraine — Kyivstar, MTS and Life — denied that they had provided the location data to the government or had sent the text messages, the newspaper Ukrainskaya Pravda reported. Kyivstar suggested that it was instead the work of a “pirate” cellphone tower set up in the area.
The messages appeared to have little effect.
Tomi Engdahl says:
Korean credit card bosses offer to RESIGN over huge data breach
After IT worker nabbed for putting details of nearly HALF of all SK citizens on USB
http://www.theregister.co.uk/2014/01/22/sk_data_breach_apology/
An IT contractor has been arrested over the theft of credit card and personal details of 20 million South Koreans.
Investigators allege an IT worker at the Korea Credit Bureau copied names, social security numbers and credit card details of millions onto a USB stick before flogging them to a marketing firm. He has been charged with stealing and selling data from customers of three credit card firms while working as a consultant.
The huge breach was apparently only possible because the sensitive data wasn’t encrypted, according to an official at the country’s Financial Services Commission.
The offers of resignations came in the midst of local reports that Korean regulators would take “stern punitive measures against financial institutions” if the leak was ultimately blamed on poor controls or management negligence.
Since the data theft, about half a million customers have applied for replacement credit cards issued, CNN reports.
Tomi Engdahl says:
This is the best anti-virus software for Windows
Anti-virus programs are often said to be the best, and competitors even better. But what is really a good anti-virus software? The independent research institute AV-Test is constantly testing home and business-oriented options. Finnish F-Secure has again performed very well, but it did not quite reach number one in the latest Windows 8 anti-virus software comparison.
Bitdefender was the only one to score the full six points in all three categories.
Avira was second best and F-Secure third best.
F-Secure’s strength is security, but in performance it loses half a point
Microsoft was weakest in both consumer and enterprise solutions
Source: Tietokone
http://www.tietokone.fi/artikkeli/uutiset/tama_on_paras_virustorjuntaohjelma_windowsille
Tomi Engdahl says:
Independent review board says NSA phone data program is illegal and should end
http://www.washingtonpost.com/world/national-security/independent-review-board-says-nsa-phone-data-program-is-illegal-and-should-end/2014/01/22/4cebd470-83dd-11e3-bbe5-6a2a3141e3a9_story.html
An independent executive branch board has concluded that the National Security Agency’s long-running program to collect billions of Americans’ phone records is illegal and should end.
In a strongly worded report to be issued Thursday, the Privacy and Civil Liberties Oversight Board (PCLOB) said that the statute upon which the program was based, Section 215 of the USA Patriot Act, “does not provide an adequate basis to support this program.”
Tomi Engdahl says:
The Holes in Microsoft’s Data Protection Pledge
http://blogs.wsj.com/digits/2014/01/22/the-holes-in-microsofts-data-protection-pledge/
Brad Smith, Microsoft’s general counsel, said the company would allow its foreign customers to store their computerized information only in Microsoft data centers outside the U.S. A spokeswoman for Microsoft confirmed Smith’s comments, made in an interview with the Financial Times.
In principle, Smith’s remarks mean a Microsoft user in Germany – where revelations of National Security Agency surveillance efforts have spooked politicians, companies and consumers—can be assured its data would never leave Europe.
But data-policy experts said Microsoft, as a U.S. company, is obligated to turn over data demanded lawfully by the NSA or a U.S. law-enforcement agency, no matter whether Microsoft’s computers are in Seattle, Dubai or Taipei.
“What matters more than where the data is, is where the system administrators are and who can order them to do things,” said Chris Soghoian, a privacy researcher at the American Civil Liberties Union. “As long as (a company) has a presence, the data is vulnerable.”
Tomi Engdahl says:
Ominous Text Message Sent to Protesters in Kiev Sends Chills Around the Internet
http://thelede.blogs.nytimes.com/2014/01/22/ominous-text-message-sent-to-protesters-in-kiev-sends-chills-around-the-internet/?_php=true&_type=blogs&_r=0
While it was unsigned, and local phone companies denied sending it, the text message — which echoed language in a new law making it a crime to participate in protests deemed violent — was widely read as a warning from the government.
Although it is unclear exactly what impact the message had on the stalwart protesters standing in the cold, the we-are-watching-you subtext provoked shivers far beyond Ukraine as news of it spread online. The text was quoted again and again on social networks by users outside Ukraine who called it “creepy” and “Orwellian.”
“This is not the first message that the government has sent out massively over text,”
But if the senders did manage to limit it to individuals standing within a few blocks at the very moment violence intensified, she said, “This would be the most targeted messaging I’ve ever encountered.”
It is actually quite easy, from a technological standpoint, to pull off this sort of feat — particularly if the phone provider is involved. At the most basic level, when a cellphone is turned on and starts looking for a signal from a relay tower, it is announcing its location to the provider that controls the nearest tower. It is not difficult for that provider to then put together a list of cellphones in that area at a given time.
This appears to have been the strategy used in Egypt during the final days of Hosni Mubarak’s presidency in 2011, when Vodafone Egypt customers suddenly received a message appealing to the “honest and loyal men to confront the traitors and criminals and protect our people and honor.”
Tomi Engdahl says:
Chrome Bugs Allow Sites to Listen to Your Private Conversations
http://talater.com/chrome-is-listening/
By exploiting bugs in Google Chrome, malicious sites can activate your microphone, and listen in on anything said around your computer, even after you’ve left those sites.
Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised.
How Does it Work?
A user visits a site, that uses speech recognition to offer some cool new functionality. The site asks the user for permission to use his mic, the user accepts, and can now control the site with his voice. Chrome shows a clear indication in the browser that speech recognition is on, and once the user turns it off, or leaves that site, Chrome stops listening. So far, so good.
But what if that site is run by someone with malicious intentions?
Most sites using Speech Recognition, choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you.
When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.
Tomi Engdahl says:
Massive Internet mishap sparks Great Firewall scrutiny in China
http://www.reuters.com/article/2014/01/22/us-china-internet-idUSBREA0K04T20140122
Human error likely caused a glitch in China’s Great Firewall that saw millions of Internet users ironically rerouted to the homepage of a U.S.-based company which helps people evade Beijing’s web censorship, sources told Reuters.
Hundreds of millions of people attempting to visit China’s most popular websites on Tuesday afternoon found themselves redirected to Dynamic Internet Technology (DIT), a company that sells anti-censorship web services tailored for Chinese users.
DIT is tied to the Falun Gong, a spiritual group banned in China which has been blamed for past hacking attacks.
“Our investigation shows very clearly that DNS exclusion happened at servers inside of China,” said Xiao Qiang, an adjunct professor at UC Berkeley School of Information in the U.S. and an expert on China’s Internet controls.
“It all points to the Great Firewall, because that’s where it can simultaneously influence DNS resolutions of all the different networks (in China). But how that happened or why that happened we’re not sure. It’s definitely not the Great Firewall’s normal behavior.”
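The incident described above has a simple detection signature: many unrelated popular domains suddenly resolving, at resolvers inside one network, to the same address that an outside reference resolver does not return. The following is an added example, not code from the article or from the researchers quoted in it; the resolver names, domain names and 192.0.2.0/24 documentation addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed observations: (resolver, domain queried, A record answered).
# "reference" stands for a resolver outside the affected network. The
# addresses come from the 192.0.2.0/24 documentation range, not real hosts.
OBSERVATIONS = [
    ("reference", "site-a.example", "192.0.2.10"),
    ("reference", "site-b.example", "192.0.2.20"),
    ("reference", "site-c.example", "192.0.2.30"),
    ("reference", "site-d.example", "192.0.2.40"),
    ("resolver-1", "site-a.example", "192.0.2.99"),
    ("resolver-1", "site-b.example", "192.0.2.99"),
    ("resolver-1", "site-c.example", "192.0.2.99"),
    ("resolver-1", "site-d.example", "192.0.2.40"),
    ("resolver-2", "site-a.example", "192.0.2.10"),
    ("resolver-2", "site-b.example", "192.0.2.20"),
    ("resolver-2", "site-c.example", "192.0.2.30"),
    ("resolver-2", "site-d.example", "192.0.2.40"),
]


def group_by_answer(observations, resolver):
    """Map each answer IP to the set of domains a given resolver returned it for."""
    groups = defaultdict(set)
    for res, domain, answer in observations:
        if res == resolver:
            groups[answer].add(domain)
    return groups


def detect_mass_redirect(observations, reference="reference", min_domains=3):
    """Flag resolvers where a single IP is the answer for at least
    `min_domains` unrelated domains AND that answer disagrees with the
    reference resolver. A CDN legitimately shared by several domains is
    not flagged, because the reference resolver returns the same IP.

    Returns {resolver: [{"sink_ip": ip, "domains": [...]}, ...]}."""
    ref = {domain: answer for res, domain, answer in observations if res == reference}
    findings = {}
    resolvers = sorted({res for res, _, _ in observations} - {reference})
    for resolver in resolvers:
        for answer, domains in group_by_answer(observations, resolver).items():
            disagreeing = sorted(d for d in domains if ref.get(d) != answer)
            if len(disagreeing) >= min_domains:
                findings.setdefault(resolver, []).append(
                    {"sink_ip": answer, "domains": disagreeing}
                )
    return findings


if __name__ == "__main__":
    for resolver, hits in detect_mass_redirect(OBSERVATIONS).items():
        for hit in hits:
            print(f"{resolver}: {len(hit['domains'])} domains sink to {hit['sink_ip']}")
```

Run against live data, the observations would be collected by querying the same domain list through each resolver; the threshold `min_domains` is the only tuning knob, and comparing against an outside reference is what separates a redirect from ordinary shared hosting.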
Tomi Engdahl says:
Snowden: Media ‘abdicating their responsibility’
http://www.politico.com/blogs/media/2014/01/snowden-media-abdicating-responsibility-181668.html
NSA leaker Edward Snowden accused NBC’s “Meet The Press” and ABC’s “This Week” of “abdicating their responsibility to hold power to account” because of their failure to question allegations made against him by government officials.
Tomi Engdahl says:
How To Tell If a Virus Is Actually a False Positive
http://www.howtogeek.com/180162/how-to-tell-if-a-virus-is-actually-a-false-positive/
“Your antivirus will complain that this download is a virus, but don’t worry — it’s a false positive.” You’ll occasionally see this assurance when downloading a file, but how can you tell for sure whether the download is actually safe?
A false positive is a mistake that happens occasionally — the antivirus thinks a download is harmful when it’s actually safe. But malicious people may try to trick you into downloading malware with this assurance.
Evaluate the Download’s Source — Are They Trustworthy?
Check a Malware Database
Be Very Careful
There’s no foolproof way to know for sure whether a file is actually a false positive. All we can do is gather evidence — what other antivirus programs say, whether the file is from a trustworthy source, and exactly what type of malware the file is flagged as — before making our best guess.
Tomi Engdahl says:
When ZOMBIES go shopping: 40m Target customer breach? That’s NOTHING!
Retail is RIDDLED with malware and bots – survey
http://www.theregister.co.uk/2014/01/23/retail_malware_epidemic/
Malware linked to fraud in the retail sector may be a bigger problem than even the recent revelation about the compromise of systems US retailer Target suggests.
Shopping giant Target and luxury retailer Neiman Marcus both announced significant data breaches during the 2013 holiday shopping season.
The Target breach at least has been narrowed down to a specific malware tool (a modified version of BlackPOS) that affected its point-of-sale systems and, according to some security experts, enterprise payment processing servers.
Target has admitted 40 million credit and debit card accounts may have been compromised
Reuters reports that at least three other unnamed retailers may have been hit using similar techniques to those used in the Target attack.
Chip and PIN wouldn’t have been enough to stop fraud in the Target case, according to a blog post by security vendor Easy Solutions.
All this is bad enough by itself, but the picture looks even worse once you consider research that suggests botnet and malware activity is endemic in the retail sector.
Analysis of 139 US retailers from November 2013 until 12 January 2014 by net security firm BitSight found 1,035 instances of unique malware infections actively communicating with attackers from inside corporate networks: 7.5 on average per company.
The Trojan Neurevt was by far the most prevalent attack observed in the retail sector during this time period. Neurevt, which exploits Windows systems, steals sensitive data (such as login details) from a compromised machine by modifying the device’s settings and preventing security processes from running. Infection with Neurevt grants hackers unfettered access to compromised machines.
Kaptoxa, which is a modified version of a known hacking tool called BlackPOS, has been linked to the fraud at Target.
Dacebal brings previously unseen features to the retail attack-orientated malware
Tomi Engdahl says:
Yep, People Are Still Using ’123456′ and ‘Password’ As Passwords In 2014
http://it.slashdot.org/story/14/01/22/2146201/yep-people-are-still-using-123456-and-password-as-passwords-in-2014
“it’s a shock that people still rely on them to protect their data: ’12345,’ ‘password,’ ‘qwerty’ ’11111,’ and worse”
Tomi Engdahl says:
Security Vendors Self-Censor Target Breach Details
http://it.slashdot.org/story/14/01/22/239235/security-vendors-self-censor-target-breach-details
“At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches.”
Tomi Engdahl says:
As Target breach unfolds, information vanishes from Web
Did security companies publish too much, too soon on the Target breach?
http://www.computerworld.com.au/article/536478/target_breach_unfolds_information_vanishes_from_web/
At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches.
On Dec. 18, a malicious software sample was submitted to ThreatExpert.com, a Symantec-owned service. But the public report the service generated vanished.
The report was a technical description of how the Target malware functioned, including network drive maps, an IP address and a login and password for an internal company server.
Last week, iSight Partners, a Dallas-based cybersecurity company that is working with the U.S. Secret Service, published a series of questions and answers on its website related to the attacks on point-of-sale devices at U.S retailers. That too vanished on Thursday.
In another example, Intel-owned McAfee redacted on Tuesday a blog post from last week that contained technical detail similar to the ThreatExpert.com report.
Brian Krebs, a security writer, noted ThreatExpert.com’s report on the Target malware was removed and that it also disappeared from Google’s cache shortly after he published a post on Jan. 15. He preserved a PDF of it, however, when it was still available in Google’s cache.
Alex Holden, founder of Hold Security, said it was the right move for Symantec to pull the report, as attackers might have been able to use the information to compromise other point-of-sale devices at other retailers.
“I was surprised that this information was posted on the Internet in the first place,” Holden said. “Besides having a Target machine’s name and its IP address, system structure and drive mapping, it discloses a very vital set of credentials setup specifically for exploitation of the device.”
As many as six other U.S. companies are believed to be victims of point-of-sale related attacks, where malware intercepts unencrypted card details. So far, Target and high-end retailer Neiman Marcus have acknowledged the attacks.
Tomi Engdahl says:
Final Key : A Mooltipass-like Device
http://hackaday.com/2014/01/21/final-key-a-mooltipass-like-device/
Since the Hackaday community started working on our offline password keeper, Mooltipass, we’ve received several similar projects in our tips line. The Final Key may be the most professional looking one yet. Similarly to the Mooltipass, it is based on an Atmel ATMega32U4 but only includes one button and one LED, all enclosed in a 3D printed case.
The Final Key is connected to the host computer via USB and is enumerated as a composite Communication Device / HID Keyboard
AES-256 encrypted passwords are stored on the device and can only be accessed once the button has been pressed and the correct 256 bit password has been presented through the command line interface.
The Final Key
http://cyberstalker.dk/finalkey/
The Final Key is a hardware password manager with encryption and focus on combining portability, compatibility, security and ease of use.
Any action which may either compromise the data contained in The Final Key or extract this data, can only be executed by pressing the button on The Final Key itself.
Changing your password, formatting the device, creating new accounts, and of course triggering an account for login, are all impossible to complete without pressing the button on The Final Key.
There is no way of getting your login information out of The Final Key without physical access and even then, you will need to either break AES256 or know the master-password in order to obtain the login-credential.
This also means that if you forget your master-password, your Final Key can not be unlocked and it is pretty much useless, unless you want to disassemble the device and override the encrypted EEPROM with trash to trigger the First-Time setup mode. The Arduino bootloader has been erased so that an attacker with access to your machine can not reflash the device with compromised firmware
The Final Key requires no installation on Linux and OSX, however on the microsucks systems, you need to install the Arduino driver found in the arduino package.
Tomi Engdahl says:
Policeware — good or bad?
http://www.f-secure.com/weblog/archives/00002661.html
The malware scene is changing constantly, and one of the remarkable changes is that today the bad guys might be the good guys. That is, the guys who were supposed to be good. To express it slightly less confusingly, authorities have become one of the major malware players and US agencies are already the world’s largest buyers of exploits.
This makes an old ethical question for us malware fighters more important than ever. How to deal with policeware? Should this kind of malware be detected or not? F-Secure’s stance has been clear. Yes, we do detect any kind of malware. And no, we do not keep any whitelists for authorities’ policeware. We have not received any requests to whitelist policeware, and we would refuse to do so if requested.
This might raise mixed feelings as there no doubt are cases where the police work for our common good. There are dangerous criminals that should be behind bars, so why not use any available weapon against them? Aren’t we protecting them by refusing to whitelist policeware? Let’s take a closer look at the problem and we’ll see why there really is no alternative to our current policy.
The best strategy for agencies is to play the same game as the bad boys. To change the policeware constantly and try to fly under the anti-malware products’ radar. When their program gets caught, they change it and try again, and the target may think it was an ordinary malware attack. Law enforcement agencies have plenty of resources and are well able to play this game successfully. And many criminals are probably not that tech savvy. Even big organized gangs might operate without properly protected computers. Reality is not like in the movies where the villain is both a global drug dealer and a super-hacker at the same time. Many criminals are soft targets even without whitelisting policeware.
Tomi Engdahl says:
ShapeShifter: Beatable, But We’ll Hear More About It
http://tech.slashdot.org/story/14/01/22/184234/shapeshifter-beatable-but-well-hear-more-about-it
“A California company called Shape Security claims that their network box can disable malware attacks, by using polymorphism to rewrite webpages before they are sent to the user’s browser.”
The idea has attracted glowing reviews from tech writers, including some who say they can “barely stay awake for a lot of startup pitches” but who were evidently enthralled by this one. My first reaction was that it’s not hard to think of ways that this system can be defeated, and some readers will have thought of some ways to attack it even before finishing the previous paragraph. However, the attacks will perhaps require some malware and bot writers to rewrite their malicious programs to target websites in new ways. It remains to be seen how long that will take, and whether Shape will have a countermove after bots evolve to defeat their systems.
If you watch the video on Shape Security’s website and pay close attention to their claims, note that they never actually say that ShapeShifter can stop malware from stealing a user’s credentials — perhaps a deliberate omission for honesty’s sake, since their technology, as they’ve described it, cannot prevent that.
these claims are essentially saying that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials, or from testing those credentials on other sites. However, I would argue that once your credentials have been stolen successfully, 90% of the damage has been done. ShapeShifter can’t do anything to stop a human from testing your stolen credentials manually, and if the attacker has already infected your machine, they can use your machine as a proxy when testing out your credentials, so that the target website doesn’t even notice a login from an unusual IP address.
And is it even true that ShapeShifter can stop bots from automating an attack against a target website? Even if a website relayed through ShapeShifter has its HTML obfuscated with JavaScript and re-named form fields, it’s still easy to write scripts that automate the act of launching a web browser and filling content into those form fields — such as entering a username and password into two fields, and submitting them to see if the website accepts the login.
Now, automating interaction with a website through the browser may be harder than writing a script to interact with the website at the network level. But as long as someone figures out a way to do it, they can sell the method and the toolkit to others. (The credit card security breach at Target was carried out using software that a 17-year-old wrote and sold off-the-shelf on the black market.)
What about straight denial-of-service attacks?
Could ShapeShifter protect against those types of attacks? It depends on the type of attack.
can ShapeShifter stop malware from stealing your users’ logins on your site? Definitely not.
But in spite of my misgivings, I wouldn’t predict on that basis that the product won’t sell a lot of units. Some companies may buy the box without realizing that it does nothing to prevent their users’ credentials from being compromised by malware, and that it provides only limited protection against automated attacks.
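The technique the post is evaluating, per-response renaming of form fields with the real names kept server-side, is easy to sketch in code. The following is an added example written for this comment, not Shape Security's product or any of its code; the `PolymorphicFormStore` class, the `_pf` hidden token field and the `LOGIN_FORM` page are all constructed here. It shows what the rewriting does give you (real field names never appear on the wire, each mapping is single-use so a captured submission cannot be replayed) and, by the `fill_form_as_browser` helper, why it cannot stop anything that drives a real browser: a legitimate client and an automated one see exactly the same page.

```python
import re
import secrets

# Matches the name="..." attribute of a form control. Constructed for this
# example; a production rewriter would walk a real HTML parse tree.
_NAME_ATTR = re.compile(r'name="([A-Za-z_][\w-]*)"')
_TOKEN_FIELD = "_pf"  # hidden field carrying the one-time mapping token

# Constructed login form standing in for a site's real page.
LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="submit" value="Sign in">'
    '</form>'
)


class PolymorphicFormStore:
    """Rewrites field names to random values on the way out and maps them
    back on the way in. The mapping lives server-side keyed by a hidden
    token, so the real names never reach the client."""

    def __init__(self):
        self._pending = {}  # token -> {random_name: real_name}

    def rewrite(self, html: str) -> str:
        mapping = {}

        def replace(match):
            real = match.group(1)
            mapping.setdefault(real, "f_" + secrets.token_hex(8))
            return f'name="{mapping[real]}"'

        rewritten = _NAME_ATTR.sub(replace, html)
        token = secrets.token_urlsafe(16)
        self._pending[token] = {rnd: real for real, rnd in mapping.items()}
        hidden = f'<input type="hidden" name="{_TOKEN_FIELD}" value="{token}">'
        return rewritten.replace("</form>", hidden + "</form>", 1)

    def restore(self, submitted: dict) -> dict:
        # pop() makes each token single-use, so a captured form cannot be replayed
        reverse = self._pending.pop(submitted.get(_TOKEN_FIELD), None)
        if reverse is None:
            raise ValueError("unknown, expired or replayed form token")
        restored = {}
        for name, value in submitted.items():
            if name == _TOKEN_FIELD:
                continue
            if name not in reverse:
                raise ValueError(f"unexpected field {name!r}")
            restored[reverse[name]] = value
        return restored


def fill_form_as_browser(html: str, values: list) -> dict:
    """What any browser sends back: each visible field by its current
    (rewritten) name, plus the hidden token. The rewriting is invisible
    to a client that simply fills the fields it is shown."""
    hidden = re.search(r'name="' + _TOKEN_FIELD + r'" value="([^"]+)"', html)
    names = [n for n in _NAME_ATTR.findall(html) if n != _TOKEN_FIELD]
    submitted = dict(zip(names, values))
    submitted[_TOKEN_FIELD] = hidden.group(1)
    return submitted


def roundtrip_demo():
    """Returns (rewritten html, restored fields, whether a replay was rejected)."""
    store = PolymorphicFormStore()
    page = store.rewrite(LOGIN_FORM)
    submitted = fill_form_as_browser(page, ["alice", "correct horse battery"])
    restored = store.restore(submitted)
    try:
        store.restore(submitted)  # same token a second time
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return page, restored, replay_rejected


if __name__ == "__main__":
    page, restored, replay_rejected = roundtrip_demo()
    print(page)
    print("server saw:", restored, "| replay rejected:", replay_rejected)
```

The `_pending` dictionary would need an expiry and a bound on size in a real deployment, since every page render creates an entry that is only removed on submission.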
Tomi Engdahl says:
The FBI Doesn’t Know How Many Drones It Has, Or Who’s Allowed to Fly Them
http://motherboard.vice.com/blog/the-fbi-doesnt-know-how-many-drones-it-has-or-whos-allowed-to-fly-them
In November 2012, Michael E. Horowitz, the inspector general at the Justice Department, sent each agency he oversees, including the FBI, DEA and ATF, a battery of questions about their use of drones. He wanted to verify how many unmanned vehicles were in inventory, how much they cost, and how often they were flown.
Foremost is apparent confusion within the FBI as to the scope of its drone deployments.
Tomi Engdahl says:
Bitcoin’s Fatal Flaw Was Nearly Exposed
http://motherboard.vice.com/blog/bitcoins-fatal-flaw-was-nearly-exposed
Panic loomed in Bitcoin land on Thursday after the community’s largest mining operation, GHash.IO, approached half of all computing power in the system, the limit of the cryptocurrency’s well-documented fatal flaw.
If any one mining pool commands the majority of the market—the dreaded so-called “51 percent attack”—the integrity of the system becomes compromised, since the act of mining is how new transactions are processed. An attack like this can therefore essentially hijack the currency by controlling how consensus is reached.
This would theoretically allow the individual or group to spend money that they didn’t have or that wasn’t theirs, known as “double-spending,” among other potential abuses, some of which could go undetected. In such an event, even the mere possibility of abuse would undermine trust, and the resulting panic could cause Bitcoin to collapse.
The online Bitcoin community understandably lost its shit. “LEAVE GHASH,”
The fiasco “opens a whole new can of worms that people just don’t want,”
As Guo explains it, mining pools have evolved into a powerful political force within the community. Bitcoin’s open source development is meritocratic in that each new software upgrade only becomes relevant if the majority of miners are willing to update to the new version.
Now that mining has moved towards pools, the owner of each pool has effectively become a politician, a representative for his constituents
This creates a never-ending cycle of threats as each successive mining pool eventually closes in on that majority threshold. Guo compares this to the US political system. You keep having “elections” and new leaders, but, for practical purposes, “the end result is the same even if the names are different.”
“It turns Bitcoin into a currency with a central authority,” Guo told Motherboard, noting that no matter how many bitcoins you own, if you don’t own a similar proportion of mining computing power, “then you don’t really control your bitcoins. Mining power is voting power.”
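The "51 percent" threshold in the article is not a rule of thumb; it falls out of the catch-up calculation in the Bitcoin whitepaper (section 11), where an attacker holding fraction q of the hashrate races the honest chain from z blocks behind. The following is an added example, not code from the article or from any Bitcoin implementation: it carries that calculation through and shows that below one half, extra confirmations drive the attacker's success probability towards zero, while at one half or above it is 1 no matter how many confirmations a merchant waits for.

```python
import math


def _poisson_pmf(k: int, lam: float) -> float:
    # Computed in log space so large z does not overflow a float.
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the total
    hashrate eventually overtakes the honest chain after it is z blocks
    ahead (the double-spend calculation from the Bitcoin whitepaper).

    The attacker's progress while the honest miners find z blocks is
    Poisson with mean z*q/p; from any deficit d the catch-up probability
    is (q/p)**d when q < p, and 1 when q >= p (gambler's ruin)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashrate")
    if z < 0:
        raise ValueError("z must be a non-negative block count")
    p = 1.0 - q
    if q >= p:  # majority (or exactly half): the attacker always catches up
        return 1.0
    lam = z * (q / p)
    prob = 1.0
    for k in range(z + 1):
        prob -= _poisson_pmf(k, lam) * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_needed(q: float, target: float = 0.001, max_z: int = 1000):
    """Smallest number of confirmations z that pushes the attacker's
    success probability below `target`, or None when no z up to max_z
    does; for q >= 0.5 no finite z ever will."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < target:
            return z
    return None


def risk_table(shares=(0.10, 0.30, 0.45, 0.50, 0.51), z: int = 6):
    """Rows of (hashrate share, success probability after z confirmations)."""
    return [(q, attacker_success_probability(q, z)) for q in shares]


if __name__ == "__main__":
    for q, prob in risk_table():
        print(f"share={q:.2f}  P(overtake after 6 confirmations)={prob:.7f}")
    print("confirmations for <0.1% at 10% share:", confirmations_needed(0.10))
    print("confirmations for <0.1% at 50% share:", confirmations_needed(0.50))
```

The table makes the article's point concrete: at a 10% share six confirmations leave a success probability on the order of 10^-4, at 45% hundreds of confirmations are needed for the same assurance, and at 50% the function returns 1.0 for every z, which is why a single pool approaching half of all hashing power caused the panic described.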
Tomi Engdahl says:
The security sold in plain language
Security-related expertise in particular is in demand, according to Foote, who believes the demand for security professionals will keep growing.
“With all the fuss about NSA spying, you would not think that companies still need the importance of information security underlined to them. But companies still do not properly understand the importance of information security.”
“That’s why there is a need for professionals who know how to explain security issues to managers in plain language,” Foote says, describing the main need for information security professionals.
Source: Tietoviikko
http://www.tietoviikko.fi/cio/it+tarvitsee+uudenlaisia+hybridiosaajia/a961895
Tomi Engdahl says:
5 Hybrid IT Roles Your Business Needs to Succeed in 2014
http://www.cio.com/article/746805/5_Hybrid_IT_Roles_Your_Business_Needs_to_Succeed_in_2014
This year, the ability to simply configure and run a server or develop software in isolation won’t be enough. Employers will aggressively pursue workers with multi-dimensional talent — combinations of technology, domain, business, process and people skills.
It’s clear that the 2014 corporate agenda will be dominated by the integration of big data analytics, cloud computing, mobile technology, and social media into the enterprise. But the focus must not be on the technologies themselves. Everyone has access to the same systems and tools. The differentiator will not be the technology itself, but the business value it delivers — or doesn’t.
“The technologies are a side show to a lot of what’s really critical,” says David Foote, chief analyst at IT labor research and analyst firm Foote Partners. “It’s IT’s ability to do something meaningful with them that’s important.”
Here are five hybrid roles IT organizations will need to fill to stay competitive this year:
1. Enterprise Architects Who Get the Cloud
2. Business Analysts With Integrated Thinking
3. Security Professionals With Marketing Skills
4. Database Pros to Bring Structure to the Unstructured
5. Software Engineers That Do More than Generate Code
Tomi Engdahl says:
5 Hybrid IT Roles Your Business Needs to Succeed in 2014
3. Security Professionals With Marketing Skills
With such high-profile horror stories as the Target data breach and concerns resonating from revelations about the NSA’s spying program, you wouldn’t think you’d have to sell the business on security. But you’d be wrong. “Security has been a hot area for a long time, and companies obsess about it,” says Foote. “But they underspend horribly.”
What companies need are not deeper technical security skills or yet another certification. “They want people who can translate technology risk to business risk, talk to business people about it in a way that doesn’t alienate them, and persuasively present security as an enhancement rather than a hindrance,” says Foote.
In short, they need a few good marketers in IT security. What CIOs and chief information security officers want is a legion of people who, “as I am talking to C-level management about security, are equally adept at speaking convincingly one level below,” says Foote. “They’re looking for people who understand basic business concepts and can translate security objectives into language that can be digested by the people who control funding and resources, not more fear mongering.”
Source: CIO
http://www.cio.com/article/746805/5_Hybrid_IT_Roles_Your_Business_Needs_to_Succeed_in_2014?page=2&taxonomyId=3177
Tomi Engdahl says:
Spies spy: CrowdStrike report says cyberspooks are EVERYWHERE
And where state spies lead, criminals soon follow
http://www.theregister.co.uk/2014/01/23/crowdstrike_cyberespionage_unveiled/
CrowdStrike has confirmed that governments across the world are spying on everyone online with a new report on cyber-espionage.
A year-long study by the security intelligence firm has identified more than 50 groups of cyber threat actors, blaming groups in China, Iran, Russia, North Korea, and Syria for high profile attacks.
Among the groups profiled in the report is a Russian group (dubbed Energetic Bear) that collects intelligence on the energy industry.
CrowdStrike reckons that the groups it is tracking make up the majority of the sophisticated threats attacking enterprises across the globe. Groups can be distinguished by the differences in their tactics, techniques, and procedures, such as the tools and infrastructure they use for attacks, their level of sophistication and the working hours hackers put in to running attacks.
A lot of the information points to cyber-espionage activity being economically driven but it can also be a spillover from political disputes, according to CrowdStrike. Cybercrooks and hacktivists, such as the Syrian Electronic Army with loose ties to government, also play a part in the threat landscape.
Attacks by cyber-espionage players are rarely destructive – with some notable exceptions that may become a pattern
CrowdStrike’s report is notable for lacking incidents attributable to the NSA’s elite TAO hacking crew.
“We haven’t seen any customers victimised by anything that ties back to those countries [USA and UK],”
Popular tactics of Russian and Chinese attackers include watering hole style-attacks that assault targets by infecting the websites most frequently surfed by workers at a targeted organisation.
“Compromising and weaponising a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” CrowdStrike’s Meyers explained. “A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this tactic will be used with increasing frequency among the adversaries that we are tracking.”
Meyers told El Reg that the methods and tactics of cyberspies are starting to be applied by cybercriminals. For example, the high profile breach against supermarket chain Target.
“The Target attackers got in elsewhere before moving across the network to hit cash registers with a malicious update,” Meyers explained. “This is straight out of the cyber-espionage actors’ playbook.”
“Cyber criminals are often ahead of cyberspies in the sophistication of their malware but behind in their tradecraft,” Meyers added.
CrowdStrike predicts that 2014 will bring increased targeting of vulnerabilities in Windows XP, which will reach end-of-life from Microsoft this April; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Winter Olympics in Sochi, the US withdrawal from Afghanistan, the World Cup in Brazil, the 2014 G20 Summit, and major national elections.
Tomi Engdahl says:
Estonia’s IT boss does not want to use the American encryption method
Jaan Priisalu, director general of Estonia’s information system authority, wants to get rid of encryption systems provided by the U.S. Priisalu spoke this week at a cyber security event organized in France.
“I do not want to use the American standard anymore. Development of a European form of cipher,”
US-based security company RSA has been reported to have built a so-called back door into its encryption system at the request of the National Security Agency.
He suggested to ITProPortal a transition to elliptic curve cryptosystem methods.
At the moment, 294 related patent applications have been filed in Europe.
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/viron+itpomo+ei+halua+enaa+kayttaa+amerikkalaisten+salausmenetelmaa/a961947
Tomi Engdahl says:
Estonian IT security chief: “I don’t want to use American encryption anymore”
http://www.itproportal.com/2014/01/22/estonian-it-security-chief-i-dont-want-to-use-american-encryption-anymore/
Jaan Priisalu, the director general of Estonian Information System’s Authority, said “I don’t want to use the American standard anymore. Let’s develop a European form of encryption.”
The comments come amid a scandal in which RSA was reported to have received $10 million to install a back door in their encryption for the American National Security Agency.
“It is clear that the keys for RSA are ridiculously long already,”
He suggested that Elliptic Curve Cryptography (ECC) could be a way forward in the future, but that the proliferation of patent applications had made it a thorny issue.
“A possible next step after the RSA would be Elliptic Curve Cryptography,” he said. “However, there are actually 294 patent applications for ECC methods in Europe and each of them could be applied in Estonia if need be.”
“We need cyber security because our dependence level is so high,” he argued, “Without computers, society begins to collapse. We did a study and found that in terms of critical infrastructure like hospitals and emergency services, 90 per cent of services are dependent in some way on IT.”
“In terms of IT, there is no low tech solution anymore. Up to 30 per cent of these critical services simply don’t work at all if there is an IT failure.”
Tomi Engdahl says:
Why Whistleblowers Can’t Get a Fair Trial
http://news.slashdot.org/story/14/01/23/050246/why-whistleblowers-cant-get-a-fair-trial
“‘Seven whistleblowers have been prosecuted under the Obama administration,’ writes Jesselyn Radack, a lawyer who advised two of them. She explains why they can’t get a fair trial.”
Tomi Engdahl says:
New crafty burglar tactic: suspects watched the registration numbers of cars leaving the port
The vehicle register is public, so you can get the address of the car owner from there.
“The suspects noted down the registration numbers of especially fine cars. If the whole family is in the car, it is not difficult to conclude that the home is empty,” said Detective Superintendent Timo Nyyssönen of the East Uusimaa Police Department.
After that, the suspects carried out reconnaissance and preparation, and struck when a suitable opportunity arose.
The two Estonian men are suspected of a total of two dozen residential break-ins in Southern Finland. The crime series was uncovered last November.
The most recent burglary series started about a week ago.
The police hope that people will be vigilant and keep an eye on their own neighbourhood, for example for suspicious cars moving in the area.
Alarm systems and surveillance cameras will help in sorting out the cases.
Source: Helsingin Sanomat
http://www.hs.fi/kotimaa/Uusi+ovela+murtotaktiikka+Ep%C3%A4illyt+kytt%C3%A4siv%C3%A4t+satamassa+l%C3%A4htevien+rekisterinumeroita/a1390432181588
Tomi Engdahl says:
The Inside Story of Tor, the Best Internet Anonymity Tool the Government Ever Built
http://www.businessweek.com/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency
Snowden almost certainly relied on one very specific and powerful tool to cover his tracks. In photographs he’s often with his laptop, and on the cover of his computer, a sticker shows a purple and white onion: the “o” in the word “Tor.”
Tor, an acronym for “the onion router,” is software that provides the closest thing to anonymity on the Internet. Engineered by the Tor Project, a nonprofit group, and offered free of charge, Tor has been adopted by both agitators for liberty and criminals. It sends chat messages, Google (GOOG) searches, purchase orders, or e-mails on a winding path through multiple computers, concealing activities as the layers of an onion cover its core, encrypting the source at each step to hide where one is and where one wants to go. Some 5,000 computers around the world, volunteered by their owners, serve as potential hop points in the path, obscuring requests for a new page or chat. Tor Project calls these points relays.
Its users are global, from Iranian activists who eluded government censors to transmit images and news during the 2009 protests following that year’s presidential election, to Chinese citizens who regularly use it to get around the country’s Great Firewall and its blocks on everything from Facebook (FB) to the New York Times. In addition to facilitating anonymous communication online, Tor is an access point to the “dark Web,” vast reaches of the Internet that are intentionally kept hidden and don’t show up in Google or other search engines, often because they harbor the illicit, from child porn to stolen credit card information.
It’s perhaps the most effective means of defeating the online surveillance efforts of intelligence agencies around the world, including the most sophisticated agency of them all, the NSA. That’s ironic, because Tor started as a project of the U.S. government. More than half of the Tor Project’s revenue in 2012, or $1.24 million, came from government grants, including an $876,099 award from the Department of Defense, according to financial statements available on the project’s website.
Yet because of Snowden, we now know that the NSA has been working to unpeel the protective layers built by the Tor system. Along with evidence of the NSA’s mass data collection, Snowden leaked an agency presentation that demonstrated just how surveillance-proof the software is. It was titled “Tor Stinks.” The spooks, according to the slide deck, were thwarted by the software at every turn.
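The "layers of an onion" description above maps directly onto code: the client wraps the message once per relay, innermost layer first, and each relay peels exactly one layer, learning only the next hop and an opaque blob. The following is an added example written for this comment, not Tor Project code. Its cipher is a stand-in built from the Python standard library (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC, under separate derived subkeys) so that it runs offline; real Tor uses AES-CTR with keys negotiated per hop over TLS links. The relay names, keys and destination are constructed.

```python
import hashlib
import hmac
import os

HOP = 16  # fixed-width next-hop field inside every layer


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys from one per-hop key.
    return hashlib.sha256(key + label).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 over (nonce || counter) blocks.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("layer failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_onion(path, destination: str, payload: bytes):
    """Wrap payload in one layer per relay, innermost (exit) first. Each
    layer holds only the next hop and an opaque blob, so relay i learns
    who handed it the cell and who to pass it to, nothing more.
    Returns (entry relay name, onion bytes)."""
    next_hop, blob = destination, payload
    for name, key in reversed(path):
        blob = seal(key, next_hop.encode().ljust(HOP) + blob)
        next_hop = name
    return next_hop, blob


def relay_peel(key: bytes, blob: bytes):
    """One relay's work: strip its own layer, read the next hop, forward the rest."""
    plain = unseal(key, blob)
    return plain[:HOP].rstrip().decode(), plain[HOP:]


def route(path, destination: str, payload: bytes):
    """Simulate the circuit end to end. Returns (final hop, delivered payload,
    [(relay, the only address that relay learned)])."""
    keys = dict(path)
    hop, blob = build_onion(path, destination, payload)
    trace = []
    while hop in keys:
        nxt, blob = relay_peel(keys[hop], blob)
        trace.append((hop, nxt))
        hop = nxt
    return hop, blob, trace


def make_path():
    # Constructed three-relay circuit with fresh random per-hop keys.
    return [(name, os.urandom(32)) for name in ("guard", "middle", "exit")]


def tamper_is_detected(path, destination: str, payload: bytes) -> bool:
    """Flip one ciphertext byte of the outer layer; the entry relay must reject it."""
    hop, blob = build_onion(path, destination, payload)
    damaged = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    try:
        relay_peel(dict(path)[hop], damaged)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    final, data, trace = route(make_path(), "example.org", b"GET / HTTP/1.1")
    print(final, data, trace)
```

The `trace` is the point of the exercise: the guard relay sees the client and "middle", the middle relay sees "guard" and "exit", and only the exit relay sees the destination, which is why no single relay can link who is talking to whom.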
Tomi Engdahl says:
Snowden: ‘Not all spying bad’ but NSA program ‘divorced from reason’
http://news.cnet.com/8301-13578_3-57617680-38/snowden-not-all-spying-bad-but-nsa-program-divorced-from-reason/
During a live Web chat, NSA leaker Edward Snowden emphasizes the need for the rule of law. He also strikes, at one point, a tone you might take as conciliatory.
“I think a person should be able to dial a number, make a purchase, send an SMS, write an e-mail, or visit a Web site without having to think about what it’s going to look like on their permanent record.”
“The NSA and the rest of the US Intelligence Community is exceptionally well positioned to meet our intelligence requirements through targeted surveillance — the same way we’ve always done it — without resorting to the mass surveillance of entire populations,” Snowden wrote.
“Intelligence agencies do have a role to play,” Snowden wrote, “and the people at the working level at the NSA, CIA, or any other member of the [Intelligence Community] are not out to get you. They’re good people trying to do the right thing, and I can tell you from personal experience that they were worried about the same things I was.”
“Not all spying is bad,” he wrote elsewhere. “The biggest problem we face right now is the new technique of indiscriminate mass surveillance, where governments are seizing billions and billions and billions of innocents’ communication every single day. This is done not because it’s necessary — after all, these programs are unprecedented in US history, and were begun in response to a threat that kills fewer Americans every year than bathtub falls and police officers — but because new technologies make it easy and cheap.”
Tomi Engdahl says:
Snowden speaks: NSA spies create ‘databases of ruin’ on innocent folks
‘Not all spying is bad’ but bulk collection has to go, says whistleblower in web chat
http://www.theregister.co.uk/2014/01/24/snowden_speaks_nsa_whistleblower_calls_for_global_privacy_standards/
“Not all spying is bad. The biggest problem we face right now is the new technique of indiscriminate mass surveillance, where governments are seizing billions and billions and billions of innocents’ communication every single day,” he said.
“This is done not because it’s necessary – after all, these programs are unprecedented in US history, and were begun in response to a threat that kills fewer Americans every year than bathtub falls and police officers – but because new technologies make it easy and cheap.”
As for the decision to go public, Snowden said he had no choice. Contractors are not covered under existing whistleblowing statutes and said that although some NSA analysts were very concerned about the situation, no one was prepared to put their careers on the line.
He cited the experience of Thomas Drake as an example of what the agency does to those that complain. Drake went public with the NSA’s decision to spend billions on a bulk data collection system called Trailblazer rather than use a more targeted and cheaply built internally developed scanning tool called ThinThread.
Drake was arrested and charged with breaking the Espionage Act.
“That current, serving officials of our government are so comfortable in their authorities that they’re willing to tell reporters on the record that they think the due process protections of the 5th Amendment of our Constitution are outdated concepts. These are the same officials telling us to trust that they’ll honor the 4th and 1st Amendments. This should bother all of us,” he said.
“Returning to the US, I think, is the best resolution for the government, the public, and myself, but it’s unfortunately not possible in the face of current whistleblower protection laws, which through a failure in law did not cover national security contractors like myself,” he said.
“The hundred-year old law under which I’ve been charged, which was never intended to be used against people working in the public interest, and forbids a public interest defense.”
Tomi Engdahl says:
Ex-NSA guru builds $4m encrypted email biz – but its nemesis right now is control-C, control-V
Virtru claims it can prevent leaks, but first it’s gotta get out of beta
http://www.theregister.co.uk/2014/01/24/ex_nsa_cloud_guru_email_privacy_startup/
A security startup founded by a former NSA bod has launched an encrypted email and privacy service, aimed initially at ordinary folks.
The ongoing revelations of PRISM and other US-led internet dragnets, fueled by leaks from whistleblower Edward Snowden, may render the premise of upstart Virtru laughable. However, that would be unfair to Virtru, which is trying to make encryption and decryption of email, plus the revocation of messages and other privacy controls, easy to use.
Its execs told El Reg that Virtru aims to do for secure email what Dropbox has done for sync-and-share. Crypto-protected email will be offered for free, and more advanced features, such as finding out where sent emails are forwarded, will carry a price tag. There are also plans in the works to license Virtru’s encryption technology to businesses.
Virtru uses the tough AES-256 algorithm to encrypt every message with perfect forward secrecy before it leaves a computer or device, which is a good start. It wraps each missive in a container that requires permission from Virtru’s servers to unlock it. This way, the startup can claim it never holds the actual data sent – just the encryption keys needed to decrypt a message. If you don’t like the idea of Virtru’s cloud holding your keys, you can set about creating your own one if you ask nicely.
So, having received an encrypted mail via your email provider, your mail client needs to contact the Virtru key store to get the unlock key and decrypt the message on your device or computer. Each message has its own unique key.
Thus, in theory, this mechanism can be used to revoke emails at any time, by refusing to hand over the decryption key and rendering the message and any attachments unreadable. The sender can also, again in theory, restrict the forwarding of a message because whoever ends up with the email may not have permission to download the unlock key from the key store.
The technology uses the Trusted Data Format (TDF PDF), an open-source security wrapper created by Virtru co-founder Will Ackerly. It’s used by the intelligence community to secure sensitive data, we’re told. Ackerly served for eight years at the NSA as a cloud security architect prior to founding Virtru in 2012.
The in-browser reader plugin is written in JavaScript, with a mix of Component, jQuery, SJCL, Caja and others.
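The per-message key escrow and revocation mechanism described above, as an added Go example that is not Virtru's code: a hypothetical key store that keeps only per-message AES-256 keys (GCM mode is my choice here) and the permitted recipient, and a recipient-side Open step that must fetch the key before decrypting locally. It models the key-store permission check and revocation only, not Virtru's TDF container format or its forward-secrecy claim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope travels through the ordinary mail provider: ciphertext plus the id
// of its per-message key, which stays behind in the key store.
type Envelope struct{ ID, Nonce, Ciphertext []byte }

// KeyStore stands in for the Virtru-side key service (a hypothetical model): per
// message it holds only the key and the permitted recipient, never the body.
type KeyStore map[string]entry
type entry struct {
	key       []byte
	recipient string
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return gcm
}

// Seal encrypts one message under its own fresh key and registers that key
// with the store for a single permitted recipient.
func (ks KeyStore) Seal(plaintext []byte, recipient string) (Envelope, error) {
	buf := make([]byte, 32+16+12) // fresh key, message id, GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, id, nonce := buf[:32], buf[32:48], buf[48:]
	ks[string(id)] = entry{key, recipient}
	ct := aeadFor(key).Seal(nil, nonce, plaintext, id) // id bound as associated data
	return Envelope{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Revoke deletes the key, so every copy of the message becomes unreadable.
func (ks KeyStore) Revoke(env Envelope) { delete(ks, string(env.ID)) }

// Open is the recipient side: fetch the key, then decrypt locally. The store
// refuses when the message is revoked or the requester is not the recipient.
func (ks KeyStore) Open(env Envelope, who string) ([]byte, error) {
	e, ok := ks[string(env.ID)]
	if !ok || e.recipient != who {
		return nil, errors.New("key store refused: revoked or not the permitted recipient")
	}
	return aeadFor(e.key).Open(nil, env.Nonce, env.Ciphertext, env.ID)
}
```

Note that the store is the single point of trust: whoever controls it can read every key, which is why the article mentions running your own.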
Tomi Engdahl says:
Watchdog Panel: NSA Phone Spying Is Illegal — Stop It
http://www.wired.com/threatlevel/2014/01/watchdog-phone-spying-illegal/
A once-neglected and overlooked executive branch oversight board declared today that the NSA’s bulk telephone metadata snooping is illegal, does little to combat terrorism, and should be ended.
The Privacy and Civil Liberties Oversight Board’s 3-2 conclusion that the program “implicates constitutional concerns” is not binding on the government and comes a week after President Barack Obama announced major changes to the snooping program based on recommendations from a different review board.
Tomi Engdahl says:
Swindlers Use Telephones, With Internet’s Tactics
http://www.nytimes.com/2014/01/20/technology/swindlers-use-telephones-with-internets-tactics.html?pagewanted=all&_r=1
Phone swindles are practically as old as the telephone itself. But new technology has led to an onslaught of Internet-inspired fraud tactics that try to use telephone calls to dupe millions of people or to overwhelm switchboards for essential public services, causing deep concern among law enforcement and other groups.
People, businesses and government agencies across the country are combating the new schemes, in which scammers use the Internet to send huge volumes of calls at the same time.
“You can blast out 100 million calls from the comfort of your keyboard,” said Kati Daffan, a lawyer in the bureau of consumer protection at the Federal Trade Commission.
For years, government officials have warned the public of email frauds that request personal information, known as phishing. Over time, the public education has made it harder to trick people over email. But there has been less public outreach about similar new types of phone schemes, sometimes called vishing.
These more traditional swindles, which ask individual recipients to provide personal or financial information, appear to be up sharply as well.
Automatic dialing software and Internet phone services make it easy to place huge volumes of calls from anywhere in the world. Often, swindlers create messages in a synthesized voice and say they are from a financial institution. The call prompts the recipients to enter personal data through their phone keypads.
Because making phone calls over the Internet is so inexpensive, the practice can be lucrative even if only a tiny percentage of the people provide information. Personal financial data obtained this way can be easily sold on the black market. Financial and government officials say it is unclear how much money is lost to such schemes.
Tomi Engdahl says:
TDoS extortionists jam phone lines of public services
http://nakedsecurity.sophos.com/2014/01/22/tdos-extortionists-jam-phone-lines-of-public-services-including-hospitals/
TDoS extortionists jam phone lines of public services, including hospitals
Besides one hospital, other essential public services such as a sheriff’s office
Tomi Engdahl says:
Internet standards as a weapon against NSA snooping
Who is the Finn who has risen to the highest position on the Internet? Answer: Jari Arkko. He will lead the engineering organization IETF.
When Edward Snowden began last spring to unveil the series of revelations about the NSA’s extensive snooping, the IETF engineers were perplexed.
“The revelations were our wake-up call. We are now discussing how to make the Internet more secure by default. Of great interest is the fact that Internet traffic should to a greater extent be encrypted. That is of course not the ultimate solution to all spying problems, but it would help to some extent,” says Jari Arkko.
As IETF chair he has boldly promised in his blog that the organization will strengthen the Internet. He points out that the IETF is not really reacting to just one set of revelations; the aim is to improve the technology as a whole.
“We have a responsibility to make it more difficult for any passer-by to look at the traffic. I am not saying that this is an easy task,” says Arkko.
The browsers’ HTTP protocol will be published in a completely new version, HTTP 2.0. In addition, TLS, which is used among other things for HTTPS pages, will appear in an updated version 1.3. Both new standards should improve security.
“HTTP’s evolution is a very important thing, and for data security a possibly even large change is being made. The solution is not easy, and it will be discussed
The HTTP 2.0 standard, to be released in April, is to be more secure.
Source: Tietokone
http://www.tietokone.fi/artikkeli/uutiset/internetin_standardit_aseeksi_nsa_urkintaa_vastaan
Tomi Engdahl says:
Facebook coughs up $33.5k… its BIGGEST bug bounty EVER
Brazilian who found remote code vuln scoops five figures
http://www.theregister.co.uk/2014/01/24/facebook_bug_bounty_payout/
Facebook has awarded its highest bug bounty to date after the discovery of a vuln which could have been used to spray Facebookers with drive-by download-style malware exploits.
Brazilian web security researcher Reginaldo Silva earned $33,500 for giving the social network a heads-up about an XML external entity vulnerability within a PHP page hosted on its servers that handled OpenID authentication. The flaw disclosed Facebook’s etc/passwd.
If the flaw were to be left unresolved, malicious crackers who came across the vulnerability could have abused it to change Facebook’s use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code.
Remote code execution vulnerabilities would lend themselves to types of attack that throw malware at surfers visiting a vulnerable website – the most serious category of risk – and therefore earn a bigger payout under Facebook’s bug bounty programme.
“Facebook is one of the companies that probably have invested the most in their application security over the past years,” Shulman said. “The fact that critical vulnerabilities still pop up in their application should serve as a warning sign to anyone who believes that writing vulnerability-free applications is possible.”
“Remote execution flaws are a tidal phenomenon,” added Shulman.
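The hardening an OpenID relying party would apply against the XML external entity bug described above, as an added Go example (not Facebook's PHP code): XML fetched from a provider URL is tokenized first and rejected outright if it carries a DOCTYPE, the only place an entity pointing at a local file can be declared, so the real parse never expands one. The XRDS element names are the OpenID discovery format; the struct and function names are my own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"io"
	"strings"
)

// ErrDoctype is returned for any document that carries a DTD, the only place an
// entity pointing at a local file or URL can be declared.
var ErrDoctype = errors.New("xml: DOCTYPE not accepted in remotely fetched documents")

// RejectDoctype tokenizes the document and refuses a <!DOCTYPE ...> before any
// real parsing happens. Refusing DTDs outright is the standard XXE hardening for
// endpoints that parse XML fetched from a URL another party controls.
func RejectDoctype(doc []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if d, ok := tok.(xml.Directive); ok &&
			strings.HasPrefix(strings.ToUpper(strings.TrimSpace(string(d))), "DOCTYPE") {
			return ErrDoctype
		}
	}
}

// Service is one <Service> entry of an XRDS discovery document.
type Service struct {
	Type string `xml:"Type"`
	URI  string `xml:"URI"`
}

// ParseXRDS is the consuming side: the relying party fetches the provider's
// XRDS document and reads its endpoint URIs, but only after the DOCTYPE check.
func ParseXRDS(doc []byte) ([]Service, error) {
	if err := RejectDoctype(doc); err != nil {
		return nil, err
	}
	var x struct {
		Services []Service `xml:"XRD>Service"`
	}
	if err := xml.Unmarshal(doc, &x); err != nil {
		return nil, err
	}
	return x.Services, nil
}
```

The same DOCTYPE refusal applies to any XML parser that resolves entities by default; the check is independent of which parser does the real work afterwards.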
Tomi Engdahl says:
Syrian Electronic Army claims CNN as its latest victim
Takes over news outlet’s social media accounts and blog
http://www.theinquirer.net/inquirer/news/2324968/syrian-electronic-army-claims-cnn-as-its-latest-victim
CNN responded to the attack and said that the unauthorised posts and tweets were deleted within minutes of being posted. The news organization also said that its accounts had been secured