Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how much of the Internet the NSA monitored and hacked. There will be further NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. The spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem quite probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions for online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; DevOps security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and an increase in social engineering and ransomware will impact more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Note also that Android anti-virus apps can’t kill nasties on sight like normal AV: an Android app has no privilege to remove another app, so the best the AV can do is detect the malware and ask the user to uninstall it.

2013 was a very hacked year, with many cases in which information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way online services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. On the other hand, there is more advanced hacking and automated vulnerability scanning in the bot traffic.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats, which are harder to separate from legitimate traffic because they consist of well-formed application requests.
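What has to be counted changes with the layer. The following is an added example, not part of the original post or of any product mentioned above: it parses a few constructed access-log lines and flags clients that exceed a request-rate threshold inside a sliding window, with a lower threshold for hits on endpoints that are cheap to request but expensive to serve. The endpoint list, the thresholds and the window size are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format, e.g.
# 198.51.100.7 - - [27/Jan/2014:10:00:02 +0200] "GET /search?q=2 HTTP/1.1" 200 512 "-" "python-requests/2.2"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption for the demo: endpoints that are cheap to request but costly to
# serve (database-backed search, login with password hashing). A Layer 7
# flood aims at these, so hits on them get a lower threshold.
EXPENSIVE = ("/search", "/login")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_flooders(lines, window_seconds=10, max_requests=20, max_expensive=5):
    """Return {ip: reason} for clients that exceed a threshold inside a sliding window.

    A volumetric Layer 3-4 flood is measured in packets or bits per second at
    the edge; a Layer 7 flood consists of valid HTTP requests, so it has to be
    measured in requests per client, weighted by how expensive each request is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of all requests in the window
    costly = defaultdict(deque)   # ip -> timestamps of expensive requests in the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        for dq in (recent[ip], costly[ip]):
            while dq and (ts - dq[0]).total_seconds() > window_seconds:
                dq.popleft()
        recent[ip].append(ts)
        if rec["path"].split("?", 1)[0] in EXPENSIVE:
            costly[ip].append(ts)
        if ip in flagged:
            continue
        if len(costly[ip]) > max_expensive:
            flagged[ip] = f"{len(costly[ip])} expensive requests in {window_seconds}s"
        elif len(recent[ip]) > max_requests:
            flagged[ip] = f"{len(recent[ip])} requests in {window_seconds}s"
    return flagged


def _line(ip, second, path, ua):
    return (f'{ip} - - [27/Jan/2014:10:00:{second:02d} +0200] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample: one browsing human and one scripted client hammering /search.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, p, "Mozilla/5.0")
     for s, p in ((1, "/"), (4, "/search?q=xp"), (9, "/article/42"))]
    + [_line("198.51.100.7", s, f"/search?q={s}", "python-requests/2.2")
       for s in range(2, 10)]
)

if __name__ == "__main__":
    for ip, reason in find_flooders(SAMPLE_LOG).items():
        print(f"flagged {ip}: {reason}")
```

Because every request in a Layer 7 flood is well-formed, a per-client counter like this is the minimum, not the whole answer: a multi-vector attack spreads its requests across many source addresses, so in production the counter keys on more than the IP (a session, a device fingerprint) and feeds a rate limiter rather than a print statement.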

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because, like the term cloud computing, cloud security can mean a lot of things: how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service that runs in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or checking unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion last year to $3.1 billion in 2015.

Marketers put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “because the data and the devices run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been called into question for good reason.

In Finland a new Cyber Security Centre started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: crypto-currencies like Bitcoin and similar are on the rise, and early adopters already use them actively. They have many security issues. Their values vary a lot, and the value easily drops considerably once they get used enough that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of bitcoins have been stolen lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to mine money for themselves without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you lose your money, and there is no way to recover lost money.

3,382 Comments

  1. Tomi Engdahl says:

    The thirteen-year-old Windows XP operating system is still widely used, even though Microsoft’s support for it ends in April. From that point on, supporting it will be very limited and expensive.

    XP machines are still used to run automation lines and control systems, as well as SCADA terminals in factory control rooms. The system is also used in medical devices.

    - Even in modern production, people do not always dare to update a machine, because at worst the update may cause interruptions in production, says Jan Mickos, leading security expert at IT company CGI in Finland.

    According to Mickos, plants still use even the older Windows 95 operating system, for which updates stopped a long time ago.

    In response to security concerns, Microsoft announced last week that the Windows Defender anti-virus software updates will continue until July 2015. Experts agree that it does not eliminate the problems.

    Although actual XP support ends in April, Microsoft will sell specially tailored support for a large additional fee.

    - We have set the price of the customized support so that the customer will understand that it is wiser to upgrade to a newer operating system. Small and medium-sized businesses or entrepreneurs are not able to buy it, says Tom Toivonen of Microsoft Finland.

    Microsoft did not disclose the price of the special support. According to Tekniikka & Talous, tailor-made support can cost big companies millions of euros a year, and it is intended to protect critical systems.

    According to current estimates, the special support can be bought for 2-3 years.

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/windows+xp+tuki+jatkuu+ndash+mutta+vain+kovalla+rahalla/a962450

    Reply
  2. Tomi Engdahl says:

    Snowden: The NSA gathers information on the companies

    According to Edward Snowden, the U.S. National Security Agency (NSA) gathers information on companies even when they have nothing to do with national security.

    - In the case of Siemens, for example, if the information is beneficial to the United States, they use it even though it has nothing to do with national security, Snowden says in an interview with the German ARD television channel.

    Source: Turun Sanomat
    http://www.ts.fi/uutiset/ulkomaat/588029/Snowden+NSA+keraa+tietoa+myos+yrityksilta

    Reply
  3. Tomi Engdahl says:

    Exclusive: FBI warns retailers to expect more credit card breaches
    http://www.reuters.com/article/2014/01/23/us-target-databreach-fbi-idUSBREA0M1UF20140123?feedType=RSS&feedName=topNews&utm_source=dlvr.it&utm_medium=twitter&dlvrit=992637

    (Reuters) – The FBI has warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year that involved the same kind of malicious software used against Target Corp in the holiday shopping season.

    “The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors,” the FBI said.

    In all these attacks, cyber criminals used memory-parsing software, also known as a “RAM scraper.” When a customer swipes a credit or debit card, the POS terminal grabs the transaction data from the magnetic stripe and transfers it to the retailer’s payment processing provider. While the data is encrypted during the process, RAM scrapers extract the information while it is in the computer’s live memory, where it very briefly appears in plain text.

    Retailers need to move quickly to get better tools in their networks that can analyze traffic patterns on the fly and identify any unusual activity, said another expert in retail security, who has audited POS systems to find vulnerabilities that hackers can exploit.

    Reply
  4. Tomi Engdahl says:

    1.1 MILLION customers’ credit card data was swiped in Neiman Marcus breach
    It was the old ‘malware on point-of-sale terminal’ wheeze again
    http://www.theregister.co.uk/2014/01/24/neiman_marcus_breach_update/

    US luxury retailer Neiman Marcus has confirmed that details from 1.1 million customers’ cards were stolen in a recently detected high-profile breach.

    Card details were lifted after hackers successfully planted malware on payment systems over a period that ran between 18 July and 30 October last year, far earlier than previously suspected.

    Around 2,400 of the compromised credit card details have subsequently been abused to make fraudulent purchases.

    Neiman Marcus is offering affected customers free credit card monitoring services.

    The spate of retailer credit card breaches, apparently geographically confined to North America, has led some observers to suggest the introduction of Chip and PIN would be enough to frustrate future frauds along the same lines. Anti-fraud firm Easy Solutions argues upgrading to Chip and PIN alone won’t be enough.

    Other experts suggest that vulnerable Point of Sale systems are the main villains in the Target and Neiman Marcus breaches.

    Security researchers at Cisco have published a blog on detecting future payment card compromises and shortening the remediation window for such attacks.

    Reply
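The Reuters explanation above of how a RAM scraper works, and Cisco’s point about detecting card compromises sooner, come down to the same pattern match run from opposite sides. The following is an added example, not code from Reuters, Cisco or any of the retailers named: it scans a byte buffer for Track 1 and Track 2 records in the format they have when read from the magnetic stripe, and keeps only hits whose PAN passes the Luhn check. That is what a scraper does on a POS host, and what a defender’s memory triage of the same host should do too. The memory buffer is constructed, and the card numbers in it are industry test numbers, not real cards.

```python
import re

# Track 2 as read from the stripe: ;<PAN>=<YY><MM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")
# Track 1: %B<PAN>^<NAME>^<YY><MM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(memory: bytes):
    """Return (track, PAN, expiry YY/MM) for every Luhn-valid track record in the buffer."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", pan, f"{m.group(2).decode()}/{m.group(3).decode()}"))
    for m in TRACK1_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track1", pan, f"{m.group(3).decode()}/{m.group(4).decode()}"))
    return hits


def mask(pan: str) -> str:
    """First six and last four digits, the form a triage report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory buffer: process noise plus three track records. The PANs are
# industry test numbers (4111..., 5500...), not real cards; the third fails Luhn.
MEMORY_IMAGE = (
    b"\x00" * 16
    + b"POS07 swipe ok\r\n"
    + b";4111111111111111=15121010000000000?"           # track 2
    + b"\x00\x00"
    + b"%B5500000000000004^DOE/JOHN^1512101000000000?"  # track 1
    + b"\x00"
    + b";4111111111111112=15121010000000000?"           # looks like track 2, fails Luhn
    + b"\xff" * 8
)

if __name__ == "__main__":
    for track, pan, expiry in find_track_data(MEMORY_IMAGE):
        print(f"{track}: {mask(pan)} exp {expiry}")
```

The signal for a defender is a hit in the memory of a process that should never hold card data, so the quick check runs this over a dump of every process on the POS host, not only the payment application. Encrypting at the card reader (point-to-point encryption) means the POS host never sees the plaintext at all, which is the gap that Chip and PIN alone does not close.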
  5. Tomi Engdahl says:

    Android app claims to use artificial intelligence to fight cyber threats
    Security startup Zimperium says it will spot malware before it causes harm
    http://www.theinquirer.net/inquirer/news/2325001/android-app-claims-to-use-artificial-intelligence-to-fight-cyber-threats

    A SECURITY UPSTART called Zimperium has launched mobile software that learns from smartphones to fend off malicious cyber attacks.

    Reply
  6. Tomi Engdahl says:

    Syrian Electronic Army claims CNN as its latest victim
    Takes over news outlet’s social media accounts and blog
    http://www.theinquirer.net/inquirer/news/2324968/syrian-electronic-army-claims-cnn-as-its-latest-victim

    HACKTIVIST GROUP the Syrian Electronic Army (SEA) has claimed CNN as its latest victim, having taken over its social media accounts and blog.

    Reply
  7. Tomi Engdahl says:

    On Children’s Website, N.S.A. Puts a Furry, Smiley Face on Its Mission
    http://www.nytimes.com/2014/01/25/us/on-childrens-website-nsa-puts-a-furry-smiley-face-on-its-mission.html?pagewanted=all

    But the reptile, known as T. Top, who says creating and breaking codes is really “kewl,” is pushing something far weightier: the benefits of the National Security Agency.

    “In the world of diplomacy, knowing what your enemy is planning helps you to prepare,” the turtle says. “But it is also important that your enemies do not know what you have planned. It is the mission of the National Security Agency and the Central Security Service to learn what it can about its potential enemies to protect America’s government communications.”

    Such an enthusiastic endorsement of the N.S.A.’s mission might seem particularly timely given the criticism directed at the agency since one of its former contractors, Edward J. Snowden, began leaking documents he had stolen from it.

    Civil libertarians, not surprisingly, said the website was propaganda.

    Vanee Vines, a spokeswoman for the N.S.A., said that “like many government agencies,” the N.S.A. “has a special website for children.”

    “The site,” she said, “is designed to help children learn about cryptology and N.S.A.’s mission to defend the nation.”

    Reply
  8. Tomi Engdahl says:

    The New Aaron Swartz Documentary at Sundance
    http://www.newyorker.com/online/blogs/culture/2014/01/the-new-aaron-swartz-documentary-at-sundance.html?currentPage=all

    “The Internet’s Own Boy,” a documentary about the life and death of Aaron Swartz, premièred on Monday at the Sundance Film Festival, where it received a standing ovation. The life of Swartz as a coder and an Internet thinker is well known. A believer in free access to knowledge, in 2010 Swartz installed a computer in an M.I.T. supply closet and downloaded a large number of old academic articles. He was detected, caught, and charged by a federal prosecutor with thirteen felonies; in January of 2013, before his trial, Swartz killed himself.

    Reply
  9. Tomi Engdahl says:

    Wireless local area network, or WLAN, also known as wi-fi, is convenient because it lets the user connect any network-enabled device to the internet and lets the devices communicate with each other.

    An unprotected WLAN is like a house key left out for intruders. An uninvited guest can grab your valuable data or use your devices for criminal purposes. Fortunately, the network is relatively easy to lock down. The settings of the WLAN router or access point can be reached through the device’s management interface.

    1 Change your password
    The default password is a bad idea, regardless of the device.

    2 Change the network name
    The network name, or SSID, is also visible from outside and should be replaced, because the original name can tell an outside observer what type of device the network runs on.

    3 Protect the base station with encryption
    To protect the data passing over your network, select the strongest encryption your router offers: choose WPA (WiFi Protected Access) or, better still, WPA2.

    4 Enable MAC address filtering
    When filtering is enabled, the router admits to the network only the devices on its list.

    5 Disable remote management
    Some routers can be managed from anywhere (Remote Administration). If this is not essential, the feature should be disabled.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/nain+lukitset+langattoman+lahiverkkosi+muista+nama+viisi+asiaa/a962671

    Reply
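Tips 2 and 3 above have a concrete reason behind them. WPA and WPA2 in personal mode turn the passphrase into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 at 4096 iterations, using the SSID as the salt. The following added example (not from the Tietoviikko article) derives that key and runs a small offline dictionary attack against a constructed network. The victim SSID, passphrase and word list are assumptions, and the handshake check is a stand-in callback that compares against the known key instead of verifying the MIC of a captured four-way handshake.

```python
import hashlib
import hmac

ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK; not tunable on the router
PSK_LEN = 32        # 256-bit pre-shared key


def derive_psk(passphrase: str, ssid: str, length: int = PSK_LEN) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, length)


def precomputed_psks(ssid: str, wordlist):
    """Attacker's per-SSID table: one PBKDF2 per candidate, computed once and
    reusable against every network that shares the SSID."""
    return {derive_psk(word, ssid): word for word in wordlist}


def recover_passphrase(ssid: str, wordlist, handshake_check):
    """Offline dictionary attack. handshake_check(psk) stands in for checking a
    candidate PSK against the MIC of a captured four-way handshake (assumed
    callback; the real MIC check is not implemented here)."""
    for psk, word in precomputed_psks(ssid, wordlist).items():
        if handshake_check(psk):
            return word
    return None


# Constructed scenario: a router left on a common default SSID with a weak passphrase.
VICTIM_SSID = "linksys"
VICTIM_PSK = derive_psk("password1", VICTIM_SSID)
WORDLIST = ["12345678", "password", "password1", "qwertyuiop"]


def demo():
    """Run the attack against the constructed network; returns the recovered passphrase."""
    def check(psk):
        return hmac.compare_digest(psk, VICTIM_PSK)
    return recover_passphrase(VICTIM_SSID, WORDLIST, check)


if __name__ == "__main__":
    print("PSK:", VICTIM_PSK.hex())
    print("recovered passphrase:", demo())
```

Two things follow. Because the SSID is the salt, a table of keys for common passphrases computed once for a default name such as “linksys” works against every network still using that name, which is the real reason to change the SSID. And because one guess costs the attacker only 4096 HMAC operations, the passphrase itself has to be long and absent from any word list; the iteration count is fixed by the standard and cannot be raised on the router.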
  10. Tomi Engdahl says:

    Finpro: Finland can cash in on information security

    Security and ICT solutions are one of the few industries that have grown through the financial crisis. Finland has a chance to win business in this situation, Finpro estimates in a statement.

    According to Finpro, innovative Finnish security solutions are in demand in many different sectors.

    The security market in Europe has grown because of cyber-attacks and other security threats. Companies and organizations want to ensure the secrecy of their data as security threats evolve.

    Snooping and cyber-attacks have led companies to look more closely at European security and privacy practices.

    There is a growing need for new and neutral security vendors. Finnish companies have world-class expertise in security solutions and a neutral reputation.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/finpro+suomi+pystyy+lyomaan+rahoiksi+tietoturvalla/a962667

    Reply
  11. Tomi Engdahl says:

    Edward Snowden says NSA engages in industrial espionage
    Ex-NSA contractor cites German engineering firm Siemens as one target
    http://www.cbc.ca/news/world/edward-snowden-says-nsa-engages-in-industrial-espionage-1.2511635

    The U.S. National Security Agency is involved in industrial espionage and will grab any intelligence it can get its hands on regardless of its value to national security, former NSA contractor Edward Snowden told a German TV network.

    In text released ahead of a lengthy interview to be broadcast on Sunday, ARD TV quoted Snowden as saying the NSA does not limit its espionage to issues of national security and he cited German engineering firm, Siemens as one target.

    “If there’s information at Siemens that’s beneficial to U.S. national interests — even if it doesn’t have anything to do with national security — then they’ll take that information nevertheless,” Snowden said, according to ARD, which recorded the interview in Russia where he has claimed asylum.

    The revelations shocked Germany, a country especially sensitive after the abuses by the Gestapo during the Nazi reign and the Stasi in Communist East Germany during the Cold War.

    Snowden’s claim the NSA is engaged in industrial espionage follows a New York Times report earlier this month that the NSA put software in almost 100,000 computers around the world, allowing it to carry out surveillance on those devices and could provide a digital highway for cyberattacks.

    Snowden also told the German public broadcasting network he no longer has possession of any documents or information on NSA activities and has turned everything he had over to select journalists.

    Reply
  12. Tomi Engdahl says:

    Altcoins will DESTROY the IT industry and spawn an infosec NIGHTMARE
    After Bitcoin cometh the storm. And after the storm…
    http://www.theregister.co.uk/2014/01/27/altcoin_gpu_market_crash_security_nightmare/

    Much has been written about how Bitcoin will affect libertarian society, banks, money and government, but there are some other effects that bear consideration: what it will do to the IT industry.

    If, however, that graphics card is a money-making machine it is a perfectly legitimate expense. And graphics cards are being sold in huge quantities for mining virtual currency.

    While processor development moves along at a good rate, graphics processors are a much more competitive market.

    Mining bitcoins is now beyond the processor power of even the fastest of consumer graphics cards but there are plenty of wannabe currencies that can be created thanks to the super-fast processing of high-end graphics cards.

    Not surprisingly, demand for the highest of high-end graphics cards has soared. Availability is poor and they are selling at a premium.

    But as time goes on and alt currencies either die out, or go the way of Bitcoin and require dedicated hardware, demand for cards will slump.

    A market flooded with cards that months ago were selling for thousands of pounds will see prices drop to barely hundreds of pounds

    Cointerra went from “hey, let’s build a Bitcoin mining company”, through processor development, test and build to shipped product in customer’s rack in under nine months. Traditional wisdom would have that cycle take two to three years.

    One of the ASIC applications which will benefit is custom chips used to crack passwords. Mining is essentially a brute-force attack on the generating algorithm.

    Bitcoin, and all the other alt-coins, is training a skillset for building password-cracking hardware that is both powerful and portable. These devices are effectively an infinite number of monkeys at an infinite number of keyboards. The implications for the security industry are significant. Suddenly, just keeping a device isolated from the internet isn’t good enough.

    The opposite side of this is that equipment for hardware-level data encryption also becomes cheap and plentiful. Expect password-encoding ASICs to become a norm.

    Reply
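The article’s line that mining is essentially a brute-force attack on the generating algorithm is literally true. The following added example (not code from The Register or Cointerra) shows the search in miniature: Bitcoin’s proof of work looks for a nonce that makes SHA256(SHA256(header || nonce)) fall below a target, and the loop below does that for a constructed header at a difficulty small enough to finish in well under a second in pure Python.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True if the digest, read as a big-endian integer, has at least
    difficulty_bits leading zero bits, i.e. hash < 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Return (nonce, digest) for the first nonce meeting the target, or None.

    Every iteration is one guess. A password cracker trying candidates against
    a captured hash runs the same loop with a different hash function and an
    equality test instead of a threshold.
    """
    for nonce in range(max_nonce):
        digest = double_sha256(header + struct.pack("<I", nonce))
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash: the asymmetry that makes
    proof of work (and salted password hashing) useful."""
    return meets_target(double_sha256(header + struct.pack("<I", nonce)), difficulty_bits)


# Constructed stand-in for a block header; real headers are 80 binary bytes.
HEADER = b"prev=0000deadbeef;merkle=cafebabe;time=1390838400"

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, digest = mine(HEADER, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} hash={digest.hex()}")
```

Swap the double SHA-256 for a password hash and the threshold test for an equality test and the loop is a password cracker; the only thing a mining ASIC changes is the cost per guess. Verifying a solution costs one hash, which is the asymmetry both proof of work and password hashing rely on, and why raising the per-guess cost (PBKDF2 rounds, bcrypt or scrypt work factor) is the defence against cheap brute-force hardware.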
  13. Tomi Engdahl says:

    Sources: Card Breach at Michaels Stores
    http://krebsonsecurity.com/2014/01/sources-card-breach-at-michaels-stores/

    Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

    Sources with four different financial institutions have over the past few days said hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.

    Reply
  14. Tomi Engdahl says:

    NSA and GCHQ target ‘leaky’ phone apps like Angry Birds to scoop user data
    http://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data

    • US and UK spy agencies piggyback on commercial data
    • Details can include age, location and sexual orientation
    • Documents also reveal targeted tools against individual phones

    The National Security Agency and its UK counterpart GCHQ have been developing capabilities to take advantage of “leaky” smartphone apps, such as the wildly popular Angry Birds game, that transmit users’ private information across the internet, according to top secret documents.

    The data pouring onto communication networks from the new generation of iPhone and Android apps ranges from phone model and screen size to personal details such as age, gender and location. Some apps, the documents state, can share users’ most sensitive information such as sexual orientation.

    Many smartphone owners will be unaware of the full extent this information is being shared across the internet, and even the most sophisticated would be unlikely to realise that all of it is available for the spy agencies to collect.

    One slide from a May 2010 NSA presentation on getting data from smartphones – breathlessly titled “Golden Nugget!” – sets out the agency’s “perfect scenario”: “Target uploading photo to a social media site taken with a mobile device. What can we get?”

    The question is answered in the notes to the slide: from that event alone, the agency said it could obtain a “possible image”, email selector, phone, buddy lists, and “a host of other social working data as well as location”.

    In practice, most major social media sites, such as Facebook and Twitter, strip photos of identifying location metadata (known as EXIF data) before publication. However, depending on when this is done during upload, such data may still, briefly, be available for collection by the agencies as it travels across the networks.

    The documents do set out in great detail exactly how much information can be collected from widely popular apps, using perhaps the most popular mobile phone game of all time, Angry Birds – which has reportedly been downloaded more than 1.7bn times – as a case study.

    From some app platforms, relatively limited, but identifying, information such as exact handset model, the unique ID of the handset, software version, and similar details are all that are transmitted.

    Other apps choose to transmit much more data, meaning the agency could potentially net far more. One mobile ad platform, Millennial Media, appeared to offer particularly rich information. Millennial Media’s website states it has partnered with Rovio on a special edition of Angry Birds; with Farmville maker Zynga; with Call of Duty developer Activision, and many other major franchises.

    “Rovio doesn’t have any previous knowledge of this matter, and have not been aware of such activity in 3rd party advertising networks,” said Saara Bergström, Rovio’s VP of marketing and communications. “Nor do we have any involvement with the organizations you mentioned [NSA and GCHQ].”

    GCHQ’s targeted tools against individual smartphones are named after characters in the TV series The Smurfs. An ability to make the phone’s microphone ‘hot’, to listen in to conversations, is named “Nosey Smurf”. High-precision geolocation is called “Tracker Smurf”, power management – an ability to stealthily activate a phone that is apparently turned off – is “Dreamy Smurf”, while the spyware’s self-hiding capabilities are codenamed “Paranoid Smurf”.

    The means of interception mean GCHQ and NSA could obtain data without any knowledge or co-operation from the technology companies.

    Reply
  15. Tomi Engdahl says:

    US looks at ways to prevent spying on its spying
    http://hosted.ap.org/dynamic/stories/U/US_NSA_SURVEILLANCE?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2014-01-27-15-16-57

    The U.S. government is looking at ways to prevent anyone from spying on its own surveillance of Americans’ phone records.

    As the Obama administration considers shifting the collection of those records from the National Security Agency to requiring that they be stored at phone companies or elsewhere, it’s quietly funding research to prevent phone company employees or eavesdroppers from seeing whom the U.S. is spying on, The Associated Press has learned.

    Reply
  16. Tomi Engdahl says:

    TrustyCon rises from the NSA/RSA ashes and sells out
    TrustyCon has reached capacity—in both presenters and attendees–for its RSA Conference alternative.
    http://blogs.csoonline.com/security-industry/2955/trustycon-rises-nsarsa-ashes-and-sells-out

    Reply
  17. Tomi Engdahl says:

    Snowden docs reveal British spies snooped on YouTube and Facebook
    http://investigations.nbcnews.com/_news/2014/01/27/22469304-snowden-docs-reveal-british-spies-snooped-on-youtube-and-facebook?lite

    The British government can tap into the cables carrying the world’s web traffic at will and spy on what people are doing on some of the world’s most popular social media sites, including YouTube, all without the knowledge or consent of the companies.

    Called “Psychology A New Kind of SIGDEV” (Signals Development), the presentation includes a section that spells out “Broad real-time monitoring of online activity” of YouTube videos, URLs “liked” on Facebook, and Blogspot/Blogger visits. The monitoring program is called “Squeaky Dolphin.”

    Reply
  18. Tomi Engdahl says:

    FBI Has Tor Mail’s Entire Email Database
    http://yro.slashdot.org/story/14/01/27/1533202/fbi-has-tor-mails-entire-email-database

    “Tor Mail was an anonymized email service run over Tor. It was operated by a company called Freedom Hosting, which was shut down by the FBI last August.”

    Reply
  19. Tomi Engdahl says:

    Did Big Internet Companies Handicap Start-Ups in FISA Rule Changes?
    http://bits.blogs.nytimes.com/2014/01/27/did-big-internet-companies-handicap-start-ups-in-fisa-rule-changes/

    A small but significant caveat in a new agreement brokered between the Obama administration and Google, Facebook, Yahoo and Microsoft could cast a long shadow over America’s technology start-ups.

    Intelligence officials agreed only to allow communication providers to disclose more specific information about data sought by government agents because of a new provision that bars companies less than two years old from disclosing such information for a period of two years.

    That caveat effectively means that no one will know whether the government is eavesdropping on a new email platform or chat service for two years.

    “While our courts are allowed to keep ethically dubious court orders secret, it will remain impossible to trust private data to American companies,” Mr. Levison said. “As an American businessman, this reality is terribly upsetting.”

    “They’re asking companies to do some pretty scary things, well beyond what they would ask for in a normal criminal order and doing it because there is no civilian oversight,” Mr. Levison said.

    Reply
  20. Tomi Engdahl says:

    Internet giants, US gov agree to loosen secrecy of private info slurps
    Finer-grained reporting now permitted, sometimes, sort of
    http://www.theregister.co.uk/2014/01/28/internet_firms_us_govt_agree_to_loosen_rules_on_data_disclosure/

    The US Department of Justice has agreed to allow internet companies to be more candid about what information they disclose to the government, albeit only slightly.

    Facebook, Google, LinkedIn, Microsoft, and Yahoo! are among several companies that have been urging the feds to loosen the secrecy surrounding their data collection practices.

    In a joint statement of their own, national intelligence head James Clapper and US Attorney General Eric Holder said, in effect, that they were only adjusting their policies because the White House ordered it.

    “This action was directed by the President earlier this month in his speech on intelligence reforms,”

    Not that all that much has changed. Previously, companies had been able to disclose how many so-called National Security Letters they have received but only in increments of 1,000, and they weren’t allowed to say how many information requests they received under the Foreign Intelligence Surveillance Act (FISA). The new agreement only alters that somewhat.

    Under the settlement, companies can now narrow their reporting to increments of 250, but only if they lump all of the National Security Letters and FISA requests together. If they want to list how many of each kind of request they get separately, they’re still limited to reporting them in the thousands.

    What’s more, companies are restricted to reporting information about government surveillance requests only every six months, and when they do, the data they report must be six months old.

    Another new rule allows companies to also disclose the number of “selectors” – individual data points such as usernames, email addresses, or other identifying information – that the government requested.

    Reply
  21. Tomi Engdahl says:

    What Does Edward Snowden Deserve?
    http://slashdot.org/topic/bi/what-does-edward-snowden-deserve/

    The U.S. government seems more willing to actually negotiate with the whistleblower about a possible sentence.

    U.S. Attorney General Eric Holder made government whistleblower Edward Snowden a very peculiar offer last week: plead guilty, and the U.S. government would consider how to handle his criminal case.

    “Were he coming back to the U.S. to enter a plea, we would engage with his lawyers,” Holder told an audience at the University of Virginia, according to The New York Times.

    It’s unlikely that the U.S. government would ever consider giving full clemency to Snowden. But now it seems that various officials are willing to offer something other than locking him in a deep, dark cell and throwing away the key.

    Reply
  22. Tomi Engdahl says:

    BitInstant CEO Charlie Shrem Arrested for Alleged Money Laundering

    The Bitcoin big shot was arrested at John F. Kennedy International Airport in New York City on Monday

    Read more: BitInstant CEO Charlie Shrem Charged With Laundering Bitcoin | TIME.com http://business.time.com/2014/01/27/bitinstant-ceo-charlie-shrem-arrested-for-alleged-money-laundering/#ixzz2rg1YlOsQ

    Reply
  23. Tomi Engdahl says:

    Israel defence ministry, contractors phished
    Security vendor points at Palestine
    http://www.theregister.co.uk/2014/01/28/israel_defence_ministry_contractors_phished/

    Individuals in the Israeli Ministry of Defence are among the latest to fall victim to phishing attacks that gave attackers access to a number of the nation’s government systems.

    According to UPI, Israeli security vendor Seculert believes as many as 15 machines were compromised earlier this month.

    The attack software was an Xtreme RAT (remote access trojan), similar to an attack used in 2012 to penetrate Israel’s police force. In the 2012 attack, the trojan was embedded in a Word document; this time, a PDF was used.

    Reply
  24. Tomi Engdahl says:

    FileZilla Has an Evil Twin that Steals FTP Logins
    http://slashdot.org/topic/datacenter/filezilla-evil-twin-steals-ftp-logins/

    On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet.

    Maliciously modified versions of the popular file-transfer protocol (FTP) application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it’s doing, according to an alert posted this afternoon by antivirus developer Avast Software.

    FileZilla is the ninth most-downloaded application from the open-source site SourceForge, with 256.8 million downloads over its lifetime and almost 600,000 this week alone.

    The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast.

    Reply
  25. Tomi Engdahl says:

    Android VPN redirect vuln now spotted lurking in Kitkat 4.4
    Now may be a good time to check this out, says securo-bod
    http://www.theregister.co.uk/2014/01/28/android_vpn_vuln_also_in_kitkat_44/

    Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server.

    “A malicious app can bypass active VPN configuration – no ROOT permissions required – and redirect secure data communications to a different network address.”

    Reply
  26. Tomi Engdahl says:

    Issa, Five Other Congressmen Call For DNI Clapper’s Removal
    https://threatpost.com/issa-five-other-congressmen-call-for-dni-clappers-removal/103890

    A group of six Congressmen have asked President Barack Obama to remove James Clapper as director of national intelligence as a result of his misstatements to Congress about the NSA’s dragnet data-collection programs. The group, led by Rep. Darrell Issa (R-Calif.), said that Clapper’s role as DNI “is incompatible with the goal of restoring trust in our security programs”.

    In March, Clapper, the country’s highest-ranking intelligence official, testified before the Senate Intelligence Committee, and was asked by Sen. Ron Wyden (D-Ore.) whether the NSA collects information in bulk on Americans. The hearing took place three months before the Edward Snowden leaks began, and Clapper responded that the agency does not collect such information, at least not knowingly.

    In early July, weeks after the Snowden leaks began, Clapper sent a letter to Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, saying that he had made a mistake in his testimony in March.

    Reply
  27. Tomi Engdahl says:

    Edward Snowden gives no hope to European data protection plans: “The NSA goes to where the information is”

    Edward Snowden does not believe that European nations’ plans to protect their citizens’ information from U.S. espionage will succeed.

    “The NSA goes to where the information is. If the NSA can get text messages from China’s telecommunications networks, they can probably get a Facebook message from Germany,”

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/edward+snowden+ei+anna+euroopan+suunnitelmille+toivoa+quotnsa+menee+sinne+missa+tieto+onquot/a963310

    Reply
  28. Tomi Engdahl says:

    Protecting PCI Data from Domain Admins
    http://community.centrify.com/t5/Leveraging-Microsoft/Protecting-PCI-Data-from-Domain-Admins/ba-p/14905?ls=304-013-techmemeSaaS

    One of the realities of Windows domain administration is that virtually every organization of any size can run afoul of the principle of separation of duties (also called segregation of duties). This principle manifests in multiple ways.

    This is a near-perfect example of why the “least access” privilege model is required by regulatory compliance acts designed to protect consumers and businesses from exposing sensitive data, e.g. credit card (PCI) or health care (HIPAA) or financial (MAS) data.

    Server Suite enables you to restrict your domain administrators from having access to your PCI servers, while giving them full privileges on your Domain Controllers.

    Reply
  29. Tomi Engdahl says:

    The NSA has a new, first time ever, privacy officer
    http://www.washingtonpost.com/blogs/in-the-loop/wp/2014/01/28/the-nsa-has-a-new-first-time-ever-privacy-officer/

    The National Security Agency, which has come under a bit of criticism of late for violating the privacy rights of just about everyone on the planet, has named its first-ever person to the newly created job of primary adviser to the NSA’s director for civil liberties and privacy protection.

    “Civil libertarians are skeptical,”

    Reply
  30. Tomi Engdahl says:

    How I Lost My $50,000 Twitter Username
    A story of how PayPal and GoDaddy allowed the attack and caused me to lose my $50,000 Twitter username.
    https://medium.com/p/24eb09e026dd

    I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.

    Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites.

    Use an @gmail.com for logins.

    Using two-factor authentication is a must.

    Stupid companies may give out your personal information (like part of your credit card number) to the wrong person.

    Reply
  31. Tomi Engdahl says:

    Bitcoin Investors Ask For ‘Safe Harbor’ Exceptions In Proposed ‘BitLicense’ Regulations
    http://www.forbes.com/sites/andygreenberg/2014/01/28/bitcoin-investors-ask-for-safe-harbor-exceptions-in-proposed-bitlicense-regulations/

    Bitcoin’s reputation may have been bruised by its connection to the Silk Road black market and Monday’s indictment of Bitcoin Foundation vice chairman Charlie Shrem. But a panel of Bitcoin-focused investors argued to New York financial regulators Tuesday that Bitcoin’s criminal use is the exception rather than the norm, and that it’s still possible to regulate the digital currency deftly enough to avoid suffocating its potential as a new means of seamless online transactions.

    “Are people still doing bad things with Bitcoin? Sure. Is the majority of activity with Bitcoin vice? Not a chance.”

    “The problem right now is that there’s no clear regulation.”

    “There’s certainly a whole industry helping banks try to stay compliant right now for better or worse,”

    Reply
  32. Tomi Engdahl says:

    Cisco sends TrustSec offspring to IETF dating site
    Borg logic: If you can’t beat ‘em, bait ‘em
    http://www.theregister.co.uk/2014/01/29/cisco_unborgs_trustsec/

    In what looks like an effort to recruit other vendors, Cisco has published its TrustSec protocol in the form of an IETF Draft.

    TrustSec is a security policy management framework that the Borg says lets security managers use plain language policies to manage security, rather than having to understand VLANs, ACLs and firewall rules.

    It works by assigning a Security Group Tag (SGT) to traffic associated with a user or a device where that traffic enters the network, with network devices – switches, routers and firewalls – making forwarding decisions based on the SGT.

    So long as SGTs are understood throughout the network, a user’s traffic can be given the appropriate security treatment wherever it originates.

    Reply
  33. Tomi Engdahl says:

    Why Facebook’s Android App Wants to Read Your Text Messages
    http://www.ibtimes.co.uk/why-does-facebooks-android-app-wants-read-my-text-messages-1434162

    As the world celebrates Data Privacy Day while reeling from the latest revelations about the NSA using smartphone apps to monitor everything from your name to your sexual orientation – it may not be the best time for Facebook’s Android app to request permission to read your text messages.

    So why does Facebook need to access your text messages?

    “We require [the READ_SMS permission] so we can automatically intercept login approvals SMS messages for people that have turned on 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account.”

    Reply
  34. Tomi Engdahl says:

    Lavabit founder goes to court for control of encryption keys
    Has already suspended its email service
    http://www.theinquirer.net/inquirer/news/2325714/lavabit-founder-goes-to-court-for-control-of-encryption-keys

    EMAIL SERVICE Lavabit is in court defending its right to retain encryption keys and offer a secure system.

    Lavabit was Edward Snowden’s email service provider of choice, and its founder Ladar Levison shut down the service last summer in the wake of the NSA whistleblower’s revelations when the US government demanded its encryption keys, exposing all of its users’ communications.

    “I had to choose whether or not to compromise my ethics and my moral code to stay in business or do what I thought was right and shut down the business,” he said last autumn.

    Reply
  35. Tomi Engdahl says:

    Coca-Cola apologises for unencrypted laptop theft that left thousands compromised
    http://www.theinquirer.net/inquirer/news/2325583/coca-cola-apologises-for-unencrypted-laptop-theft-that-left-thousands-compromised

    “The Coca-Cola Company has sent notices to about 74,000 North America-based employees, former employees and other third parties”

    To try to make amends Coca Cola is offering free identity theft protection services to all those affected.

    Reply
  36. Tomi Engdahl says:

    Bitcoin Turns Into Art as Sweden Rejects Creative Currency
    http://www.bloomberg.com/news/2014-01-21/bitcoin-becomes-art-as-swedish-taxman-rejects-creative-currency.html

    Sweden is leaning toward an interpretation of Bitcoin that will allow the nation to charge capital gains taxes on any transactions using the software. The move would place Bitcoin in an asset class that includes antiques, jewelry, stamps and copyrights.

    In Norway, the tax department has decided to label it a taxable asset.

    Finland plans to treat it as a commodity.

    Danish regulators are drafting a proposal for lawmakers.

    Sweden’s central bank raised concerns in June that Bitcoin and its competitors may pose risks to those using it as a payment method. The European Banking Authority echoed those concerns in December, warning that people using the software do so at their own risk.

    Reply
  37. Tomi Engdahl says:

    Obama Stays Silent on Reform of NSA’s Crypto Subversion
    http://www.wired.com/threatlevel/2014/01/obama-silent-on-crypto-reforms/

    President Barack Obama in his State of the Union on Tuesday failed to address an issue that affects everyone on the internet — the NSA’s subversion of cryptographic standards and technologies.

    The presidential panel’s two recommendations in that area were to “fully support and not undermine efforts to create encryption standards” and to “not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.”

    Reply
  38. Tomi Engdahl says:

    New Clues in the Target Breach
    http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

    An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

    BMC’s software is in use at many major retail and grocery chains across the country.

    Reply
  39. Tomi Engdahl says:

    Why Hasn’t Twitter Just Given @N His Name Back?
    http://techcrunch.com/2014/01/29/why-hasnt-twitter-just-given-n-his-name-back/

    Yesterday Naoki Hiroshima, an Echofon developer, posted an article about how he lost his extremely short Twitter handle @N in an extortion scheme. Hackers compromised his GoDaddy account with social engineering (calling and lying to an account rep), gaining access to his email on a personal domain.

    The question about what can be done to improve security in these matters is a long-running one. There have been some changes like two-factor authentication being offered by more vendors — but sloppy procedures like allowing account resets with credit-card numbers (especially partial ones!) remain commonplace.

    Hiroshima also notes that many of these systems are designed to make it easy to change things by phone, but nearly impossible to revert them afterwards.

    “They should design the system so that reverting should be easier than changing,” Hiroshima says.

    Reply
  40. Tomi Engdahl says:

    Use MediaWiki and hate malware? This patch is for you
    Remote code execution flaw could poison your Wiki
    http://www.theregister.co.uk/2014/01/30/use_mediawiki_get_patching/

    Check Point Software Technologies has announced a remote code execution bug in the popular MediaWiki platform that powers Wikipedia.

    The vulnerability affects all versions of the software higher than 1.8.

    As Check Point notes, Wikipedia gets 94 million visitors per month, making the potential reach of an exploit pretty serious.

    Reply
  41. Tomi Engdahl says:

    “Honey Encryption” Will Bamboozle Attackers with Fake Secrets
    A new approach to encryption beats attackers by presenting them with fake data.
    http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/

    Ari Juels, an independent researcher who was previously chief scientist at computer security company RSA, thinks something important is missing from the cryptography protecting our sensitive data: trickery.

    “Decoys and deception are really underexploited tools in fundamental computer security,” Juels says.

    The new approach could be valuable given how frequently large encrypted stashes of sensitive data fall into the hands of criminals.

    After capturing encrypted data, criminals often use software to repeatedly guess the password or cryptographic key used to protect it. The design of conventional cryptographic systems makes it easy to know when such a guess is correct or not.

    When the wrong key is used to decrypt something protected by their system, the Honey Encryption software generates a piece of fake data resembling the true data.

    “Each decryption is going to look plausible,” says Juels. “The attacker has no way to distinguish a priori which is correct.”

    Reply
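    As an added illustration of the point Juels makes above (my own toy code, not from the article or from his research), here is a honey-encryption scheme over 4-digit PINs beside a conventional authenticated scheme. The seed-space size, the PBKDF2 choice, the constructed salt and all function names are my assumptions; a real deployment needs a distribution-transforming encoder that matches the true message distribution, which a uniform PIN space only approximates.

```python
import hashlib
import hmac
import secrets

M = 10_000          # message space: PINs "0000".."9999" (assumed uniform)
K = 2 ** 16         # seeds per message in the distribution-transforming encoder
SEED_SPACE = M * K  # the integer range every ciphertext decrypts into


def dte_encode(pin: str) -> int:
    """DTE: map a PIN to a uniformly random seed among the K that decode to it."""
    p = int(pin)
    if not 0 <= p < M:
        raise ValueError("PIN outside message space")
    return p + M * secrets.randbelow(K)


def dte_decode(seed: int) -> str:
    """Inverse of dte_encode: every seed in SEED_SPACE decodes to a valid PIN."""
    return f"{seed % M:04d}"


def _derive(password: str, salt: bytes) -> bytes:
    # Assumed KDF choice; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _pad(password: str, salt: bytes) -> int:
    """Password-derived one-time pad over the seed space."""
    return int.from_bytes(_derive(password, salt), "big") % SEED_SPACE


def honey_encrypt(pin: str, password: str, salt: bytes) -> int:
    return (dte_encode(pin) + _pad(password, salt)) % SEED_SPACE


def honey_decrypt(ct: int, password: str, salt: bytes) -> str:
    # A wrong password yields a uniformly random seed, hence a plausible PIN:
    # the decryption never signals failure, so a guesser learns nothing.
    return dte_decode((ct - _pad(password, salt)) % SEED_SPACE)


def conventional_encrypt(pin: str, password: str, salt: bytes) -> bytes:
    key = _derive(password, salt)
    body = bytes(a ^ b for a, b in zip(pin.encode(), key[:4]))
    tag = hmac.new(key[4:], body, "sha256").digest()
    return body + tag


def conventional_decrypt(ct: bytes, password: str, salt: bytes):
    key = _derive(password, salt)
    body, tag = ct[:4], ct[4:]
    expected = hmac.new(key[4:], body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # authentication failure: the guess is known to be wrong
    return bytes(a ^ b for a, b in zip(body, key[:4])).decode()


def rejected_guesses(ct: bytes, guesses, salt: bytes) -> int:
    """How many password guesses the conventional scheme visibly rejects."""
    return sum(conventional_decrypt(ct, g, salt) is None for g in guesses)


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample value
    guesses = ["hunter2", "letmein", "correct horse", "password1"]
    h = honey_encrypt("1234", "correct horse", salt)
    c = conventional_encrypt("1234", "correct horse", salt)
    for g in guesses:
        print(g, "honey ->", honey_decrypt(h, g, salt),
              "| conventional ->", conventional_decrypt(c, g, salt))
    print("conventional scheme rejected", rejected_guesses(c, guesses, salt), "guesses")
```

Every honey decryption prints a four-digit PIN, while the conventional scheme rejects three of the four guesses outright.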
  42. Tomi Engdahl says:

    Terror Defendant Challenges Evidence Gathered by NSA Spying
    http://www.wired.com/threatlevel/2014/01/electronic-surveillance-challenge/

    A U.S. terrorism defendant who was formally notified that he was spied on by the NSA filed a challenge to the constitutionality of the surveillance today, in a case likely to be litigated all the way to the Supreme Court.

    Jamshid Muhtorov, a native of Uzbekistan who immigrated to Colorado, is one of only two criminal defendants the government has conceded was charged on the basis of evidence scooped up by the NSA’s surveillance programs. The spying was authorized by the controversial FISA Amendments Act.

    Today’s challenge comes months after U.S. Solicitor General Donald Verrilli Jr. was reportedly arguing internally at the Justice Department that there was “no legal basis” for failing to disclose to defendants if they were a target of the warrantless surveillance.

    Reply
  43. Tomi Engdahl says:

    Social Engineering Always Wins: An Epic Hack, Revisited
    http://www.wired.com/gadgetlab/2014/01/my-epic-hack-revisited/

    Yesterday, Naoki Hiroshima published a gripping account of how he was forced to give up his single character Twitter handle, @N, to an attacker who used social engineering techniques.

    In short, all of this has happened before, and all of it will happen again. This was certainly not the first time PayPal has proved vulnerable to social engineering techniques. And as we have also documented, password resets and password problems are an epidemic completely out of control. For most people, account security is an illusion.

    I’m both saddened that things like that still go on, and completely unsurprised.

    Reply
  44. Tomi Engdahl says:

    Snowden serves up another lesson on insider threats
    Fugitive NSA contractor used log-in credentials of more than 20 employees to access confidential data, Reuters reports
    http://www.computerworld.com/s/article/9243915/Snowden_serves_up_another_lesson_on_insider_threats

    The Edward Snowden saga continues to serve up valuable lessons on the dangers posed to enterprise data by insiders with privileged access to systems and networks. The latest lesson involves the risks of allowing password sharing among employees.

    Reuters quoted unnamed government sources as saying that Snowden succeeded in getting between 20 and 25 of his coworkers to give him their login details on the pretext that he needed the information to do his job as a systems administrator.

    Reply
  45. Tomi Engdahl says:

    Does the operator have to answer for your device’s security? F-Secure and Nokia Siemens Networks believe so

    Security company F-Secure and network equipment manufacturer Nokia Solutions and Networks (NSN) have agreed to cooperate. The companies plan to develop proactive anti-malware solutions at the mobile operator level.

    The companies expect consumers to expect that the service provider is responsible for information security and protects them against mobile malware.

    F-Secure says that survey results indicate that 69 percent of consumers believe the service provider to be responsible for the security measures.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/pitaako+operaattorin+vastata+laitteesi+turvallisuudesta+fsecure+ja+nsn+uskovat+niin/a963810

    Reply
  46. Tomi Engdahl says:

    Security 101 fail: 3G/4G modems expose control panels to hackers
    Embedded kit depressingly riddled with cross-site request forgery vulns, says researcher
    http://www.theregister.co.uk/2014/01/30/3gmodem_security_peril/

    Vulnerabilities in a number of 3G and 4G USB modems can be exploited to steal login credentials – or rack up victims’ mobile bills by sending text messages to premium-rate numbers – a security researcher warns.

    Andreas Lindh claims that all the devices he has looked at so far are managed via their built-in web servers and – you guessed it – are vulnerable to cross-site request forgery (CSRF) attacks. This means a malicious website visited by a victim can quietly and automatically access the USB modem’s control-panel web page and tamper with the device.

    Thus, a vulnerable gadget can be tricked into sending SMS messages over the mobile network to a miscreant-controlled premium-rate number.

    “The 3G/4G modem issue might be abused in a number of ways in criminal attacks and fraud,”

    Reply
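    To make the CSRF point above concrete from the defender’s side, here is an added example (my own code, not Lindh’s research or any vendor’s firmware) of a modem control-panel “send SMS” handler in its cookie-only form beside a hardened form that checks the request origin and a per-session synchronizer token. The device address, request shape and function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.0.1"   # constructed: the modem's control-panel address
SESSIONS = {}                          # session cookie -> per-session CSRF token


def new_session():
    """Log a user in: returns (session cookie, CSRF token to embed in forms)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def same_origin(url: str, origin: str) -> bool:
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def send_sms_vulnerable(request):
    """Accepts any POST that carries a valid session cookie. The browser attaches
    that cookie automatically, so a form on an unrelated site the user visits
    can trigger this action without the user noticing."""
    if request["cookies"].get("sid") not in SESSIONS:
        return 401, "login required"
    return 200, f"sms queued to {request['form']['number']}"


def send_sms_hardened(request):
    sid = request["cookies"].get("sid")
    if sid not in SESSIONS:
        return 401, "login required"
    # Defence 1: a state-changing request must originate from the device's own
    # origin. Browsers send Origin on cross-site POSTs; Referer is the fallback.
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    if src is None or not same_origin(src, DEVICE_ORIGIN):
        return 403, "cross-origin request refused"
    # Defence 2: synchronizer token bound to the session, compared in constant time.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return 403, "missing or invalid csrf token"
    return 200, f"sms queued to {request['form']['number']}"


def make_request(sid, form, origin=None):
    """Constructed request as the panel's web server would see it."""
    headers = {"Origin": origin} if origin else {}
    return {"cookies": {"sid": sid}, "headers": headers, "form": form}


if __name__ == "__main__":
    sid, token = new_session()
    legit = make_request(sid, {"number": "+358401234567", "csrf_token": token},
                         origin=DEVICE_ORIGIN)
    # A form auto-submitted from another site: cookie present, no token, foreign origin.
    cross_site = make_request(sid, {"number": "+358700999999"},
                              origin="http://other.example")
    for name, req in (("legitimate", legit), ("cross-site", cross_site)):
        print(name, "vulnerable:", send_sms_vulnerable(req),
              "hardened:", send_sms_hardened(req))
```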
  47. Tomi Engdahl says:

    Multi-platform Java bot marshals ZOMBIE FORCE against spammers
    Windows, Mac, Linux users – it wants your BRAAINS
    http://www.theregister.co.uk/2014/01/30/java_ddos_bot/

    Miscreants have brewed a multi-platform strain of malware capable of infecting Windows, Mac OS and Linux PCs.

    The evil bot, which surfaced in early January, was written entirely in Java and designed to take advantage of the CVE-2013-2465 vulnerability (a Java flaw patched by Oracle last June) to infect victims.

    The malware – dubbed Backdoor-Java-Agent-A by Kaspersky Lab – was ultimately designed to conduct DDoS attacks from compromised computers.

    Reply
  48. Tomi Engdahl says:

    New Google patent suggests automatically sending your videos and photos to law enforcement
    http://phandroid.com/2014/01/29/google-mob-sourced-video-patent

    Google recently filed a patent for a system that identifies when and where a “mob” event takes place and sends multimedia alerts to relevant parties.

    “law enforcement agencies” and “news organization(s)” are the first two examples provided by Google.

    Reply
  49. Tomi Engdahl says:

    CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents
    Electronic snooping was part of a trial run for U.S. NSA and other foreign services
    http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881

    A top secret document retrieved by U.S. whistleblower Edward Snowden and obtained by CBC News shows that Canada’s electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal.

    Reply
