Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Army Laser Passes Drone-Killing Test
http://slashdot.org/topic/datacenter/army-laser-passes-drone-killing-test/
How do you eliminate a drone? With a giant frickin’ laser beam.
Tomi Engdahl says:
Mobile Threat Monday: Android App Sells Your WhatsApp Conversations
Dec 16, 2013 2:19 PM EST
http://securitywatch.pcmag.com/mobile-security/318932-mobile-threat-monday-android-app-sells-your-whatsapp-conversations
F-Secure analyzed a particularly nasty Android app that targets users of the popular messaging service WhatsApp. For those not in the know, WhatsApp is among a growing class of messaging services that let you chat and send media to other users for free. It’s particularly popular outside the US, or among people who don’t want to pay to send text messages.
Once the dangerous app is installed, said F-Secure, it uploads your WhatsApp conversations to another website where anyone with your phone number can purchase copies.
Tomi Engdahl says:
Android anti-virus apps CAN’T kill nasties on sight like normal AV – and that’s Google’s fault
Bad news if you’re not a tech-savvy fandroid
http://www.theregister.co.uk/2013/12/17/android_anti_malware/
Android users expecting Windows levels of performance from Android-specific anti-virus packages are likely to be disappointed because only Google can automatically delete dodgy apps on Android devices, say malware experts.
Anti-malware bods agree that anti-virus programs on Android can’t remove viruses automatically, meaning that the process needs to be carried out manually by the user in each and every case.
“Android anti-malware applications can block URLs, scan downloads and identify malware that the user may have installed, but they cannot remove malicious applications that are installed by the user,”
“They have to alert the user and hope that the user is able to uninstall them manually, using the usual Android uninstall routine.”
Andreas Marx, chief exec of AV-Test, confirmed Edwards’ prognosis that Android security applications could only warn about maliciously installed apps, rather than shunting them into quarantine (the norm for equivalent Windows security software).
“The mobile security apps are all running in a sandbox, just like any other app,” Marx told El Reg. “Therefore, they are not able to remove malicious apps at their own.”
Edwards told El Reg: “There actually is a way to remove malware from infected devices automatically. Google has a kill switch that can do it. But only Google has that power currently.”
“If you have a rooted device, some anti-malware apps offer additional features, but rooted devices usually have other kind of security issues, therefore we wouldn’t recommend this step,” he explained.
Tomi Engdahl says:
HOLD THE PHONE, NSA! Judge bans ‘Orwellian’ US cellphone records slurp
In theory – Obama government granted time to fight injunction
http://www.theregister.co.uk/2013/12/16/judge_puts_nsa_mobile_record_collection_on_ice/
A US federal judge has ordered the NSA to stop collecting the mobile phone records of innocent American citizens – and to destroy the files already amassed.
Whistleblower Edward Snowden revealed in June that the controversy-hit spy agency harvests call metadata from telco giant Verizon – sparking a lawsuit by lawyer Larry Klayman and fellow campaigners against the Obama administration.
The plaintiffs claimed the widespread gathering of phone records is unconstitutional.
In today’s bombshell ruling in the case, district of Columbia Judge Richard J Leon described the mass surveillance as “almost Orwellian”, indiscriminate and an “arbitrary invasion”.
The case centers on the millions of private customer records that the NSA slurps from US carriers.
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen,” Judge Leon noted in his judgment before granting the injunction.
“I am not convinced at this point in the litigation that the NSA’s database has ever truly served the purpose of rapidly identifying terrorists in time-sensitive investigations.”
“In the months ahead, other courts, no doubt, will wrestle to find the proper balance consistent with our constitutional system.”
“I acted on my belief that the NSA’s mass surveillance programs would not withstand a constitutional challenge, and that the American public deserved a chance to see these issues determined by open courts,” Snowden said in a statement distributed to The New York Times.
“Today, a secret program authorized by a secret court was, when exposed to the light of day, found to violate Americans’ rights. It is the first of many.”
The case is among the many challenges being lobbed at the NSA for operating planet-wide electronic dragnets.
Tomi Engdahl says:
UPDATE: Encrypt the Web Report: Who’s Doing What
https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what
We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption. In addition, we appreciate that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress. See the infographic.
Why Crypto Is So Important
The National Security Agency’s MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies’ legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp FISA court. The program is not right, and it’s not just.
With that in mind, EFF has asked service providers to implement strong encryption. We would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.
For starters, we have asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to their website, it will automatically use a channel that encrypts the communications from their computer to the website.
We have also asked them to flag all authentication cookies as secure. This means cookie communications are limited to encrypted transmission, which directs web browsers to use these cookies only through an encrypted connection. That stops network operators from stealing (or even logging) users’ identities by sniffing authentication cookies going over insecure connections.
To ensure that the communication remains secure, we have asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks where a network pretends that the site has asked to communicate insecurely.
All of these technologies are now industry-standard best practices. While they encrypt the communications from the end user to the server and back, the MUSCULAR revelations have shown this is not enough. Accordingly, we have asked service providers to encrypt communications between company cloud servers and data centers. Anytime a users’ data transits a network, it should be strongly encrypted, in case an attacker has access to the physical data links or has compromised the network equipment.
In addition, we have asked for email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard.
Finally, we have asked companies to use forward secrecy for their encryption keys.
Tomi Engdahl says:
CIOs do not have to panic at the NSA
The revelations of the massive U.S. government tietourkinnasta have scared the ordinary citizens , undermined the credibility of our policies and outraged defend the privacy of guard dogs , but senior IT managers are not panicking , at least not yet.
So far, they have been content to follow the situation , gather information about , and to make a variety of measures to minimize the risks. Despite the alarming news of IT management does not , however, have not withdrawn their decisions to outsource their respective companies and data applications in the cloud.
This became apparent when a pair of ten U.S. and European CIO of the respondents were asked how the NSA’s doings have influenced their cloud services strategy.
Many of the interviewed top-level IT executives told , however, to be more cautious cloud service plans , and the transition to the cloud . The spy scandal because they are also re- visited through the cloud service providers’ agreements, just double checked the best practices and tighten the security controls .
No surprise
The revelations do not come to the CIO for a complete surprise , but the fact that the Board of Directors oversees the telecom and internet traffic, has been common knowledge .
“The government’s control has not changed our opinion on cloud computing . The cloud is an attractive model for us . On the other hand , I have never been so naïve that I would have never thought that this type of control should be going , ”
For many respondents , the government ‘s information systems and traffic spy is not part of their security threat to the top of their lists .
“Every CIO has every minute of every day among other things, concerned about security, privacy, business continuity and disaster recovery. We are likely to be paranoid friends across the globe, ”
Also, the fact that all had been behind a firewall , its risks associated with their own . IT leaders concerned about the cost and complexity that arises when servers are rotated in their own data centers . Run the risk of loss of competitiveness if the competitors have to take the benefits from cloud services.
Source:
CIO ei joudu NSA-paniikkiin
http://www.tietoviikko.fi/cio/cio+ei+joudu+nsapaniikkiin/a954723
Tomi Engdahl says:
Why IT execs stick with cloud computing despite NSA snooping scandal
The benefits of cloud technology are a powerful draw, and IT execs are taking steps to mitigate their risk
http://www.infoworld.com/d/cloud-computing/why-it-execs-stick-cloud-computing-despite-nsa-snooping-scandal-232208?source=IFWNLE_nlt_cloud_2013-12-09
Explosive revelations in the past six months about the U.S. government’s massive cyber-spying activities have spooked individuals, rankled politicians and enraged privacy watchdogs, but top IT executives aren’t panicking — yet.
So far, they are monitoring the issue, getting informed and taking steps to mitigate their risk in various ways. But the alarming reports haven’t prompted them to roll back their decisions to host applications and data in the cloud.
That’s the consensus from about 20 high-ranking IT executives interviewed in North America and Europe about the effect that the U.S. National Security Agency’s snooping practices have had on their cloud computing strategy. The news broke in June, after former NSA contractor Edward Snowden began leaking the earth-shaking secrets to the media.
Tomi Engdahl says:
Android nasty sends your texts to CHINA
Best hope you weren’t messaging your bank manager
http://www.theregister.co.uk/2013/12/17/android_botnet/
Security researchers have discovered an Android botnet that masquerades as a benign settings app for carrying out administrative tasks on mobile devices.
Once authorised by the user, the malicious app surreptitiously steals SMS messages from the infected device and emails them to a command-and-control (C&C) infrastructure hosted in China, operated by unknown cybercrooks.
The so-called MisoSMS has cropped up in 64 spyware campaigns, according to security researchers at net security firm FireEye. Each of the campaigns uses webmail as its primary C&C infrastructure.
MisoSMS’s overall aim is to “intercept online banking or e-commerce details” before using this information in various criminal scams, a FireEye spokeswoman explained.
FireEye reckons the majority of infected devices are in South Korea.
Tomi says:
NSA Says It Foiled Plot To Destroy Our Economy By Bricking Computers Across The US
http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12
The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped On Sunday’s “60 Minutes.”
Called a BIOS attack, the exploit would have ruined, or “bricked,” computers across the country, causing untold damage to the national and even global economy.
Even more shocking, CBS goes as far as to point a finger directly at China for the plot — “While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.”
The NSA says it closed this vulnerability by working with computer manufacturers.
This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.
John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do.
Debora Plunkett: That’s right.
It’s long been known that cyber attacks on critical infrastructure could level much of America’s economy. The difference here is the target.
Previous defense estimates focus on critical infrastructure — water, electricity, nuclear power — whereas this BIOS attack is solely focused on destroying computers.
A similar attack occurred last year, when a militant group called “The Cutting Sword of Justice” launched an attack on a Saudi oil company, Aramco, which disabled the hard drives of 30,000 computers, destroying all stored data.
Though CBS reports that the BIOS plot came from a “nation-state” (allegedly China), experts and analysts largely don’t expect massive cyber attacks from the world’s largest nations due to the interconnectivity of the global economy.
Tomi says:
The Case for a Compulsory Bug Bounty
http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/
Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products.
Earlier this month, I published a piece called How Many Zero-Days Hit You Today, which examined a study by vulnerability researcher Stefan Frei about the bustling market for “zero-day” flaws — security holes in software that not even the makers of those products know about. These vulnerabilities — particularly zero-days found in widely-used software like Flash and Java — are extremely valuable because attackers can use them to slip past security defenses unnoticed.
Frei’s analysis conservatively estimated that private companies which purchase software vulnerabilities for use by nation states and other practitioners of cyber espionage provide access to at least 85 zero-day exploits on any given day of the year. That estimate doesn’t even consider the number of zero-day bugs that may be sold or traded each day in the cybercrime underground.
At the end of that post, I asked readers whether it was possible and/or desirable to create a truly global, independent bug bounty program that would help level the playing field in favor of the defenders and independent security researchers. Frei’s latest paper outlines one possible answer.
Frei proposes creating a multi-tiered, “international vulnerability purchase program” (IVPP), in which the major software vendors would be induced to purchase all of the available and known vulnerabilities at prices well above what even the black market is willing to pay for them. But more on that in a bit.
“Because the IVPP would be handling highly sensitive information, checks and balances are critical,” the two wrote. “They would make it difficult for any party to circumvent the published policy of vulnerability handling. A multi-tiered structure prevents any part of the organization, or legal entity within which it is operating, from monopolizing the process or the information being analyzed. Governments could still share vulnerabilities with their agencies, but they would no longer have exclusive access to this information and for extended periods of time.”
Frei’s elaborate system is well thought-out, but it glosses over the most important catalyst: The need for government intervention. While indeed an increasing number of software and Internet companies have begun offering bug bounties (Google and Mozilla have for some time, and Microsoft began offering a limited bounty earlier this year), few of them pay anywhere near what private vulnerability brokers can offer, and would be unlikely to up the ante much absent a legal requirement to do so.
“The amount we’re losing from malicious hacking is a lot less than what we gain from the free and open nature of Internet,” Graham said. “And that includes the ability of companies to quickly evolve their products because they don’t have to second-guess every decision just so they can make things more secure.”
“Commercial software is a tiny part of the whole vulnerability problem,” Graham said.
Graham acknowledged that the mere threat of governments imposing some kind of requirement is often enough to induce businesses and entire industries to self-regulate and take affirmative steps to avoid getting tangled in more bureaucratic red tape.
Tomi Engdahl says:
Infonetics: NSA spygate underscores need for multi-layered data center security
http://www.cablinginstall.com/articles/2013/12/infonetics-nsa-datacenter-security.html
Infonetics Research has released its latest Data Center Security Products report, which tracks data center security appliances and virtual security appliances.
“The most recent revelation that the NSA has been secretly siphoning data from Google and Yahoo! data centers worldwide has put a laser focus on the need for security at all levels of the data center, from layer 1 transport all the way up to individual applications and data,” asserts Jeff Wilson, principal analyst for security at Infonetics Research. “The world’s never been more tuned into privacy and security.”
Significantly, while software-defined networks (SDN) and network functions virtualization (NFV) are forcing networking vendors to offer new form factors or to re-architect solutions, the report also states that working with OpenFlow and other SDN technologies is an evolutionary change for security vendors, who have been adapting products for virtualized environments for over 5 years.
The report states that global revenue for the ported virtual security appliances segment of the larger data center security appliance market grew 4% between the first and second quarters of 2013, to $107 million. Additionally, the market for purpose-built virtual security appliances is forecasted to grow at a strong compound annual growth rate (CAGR) of 25% from 2012 to 2017. The virtual appliance vendor landscape is crowded with a mix of established security players, virtualization platform vendors, and specialist vendors, adds the analysis.
Tomi Engdahl says:
Study: Downtime for U.S. data centers costs $7900 per minute
http://www.cablinginstall.com/articles/2013/12/ponemon-downtime-study.html
A study recently conducted by Ponemon Institute and sponsored by Emerson Network Power (ENP) shows that on average, an unplanned data center outage costs more than $7,900 per minute. That number is a 41-percent increase over the $5,600-per-minute quantification put on downtime from Ponemon’s similar 2010 study. “Data center downtime proves to remain a costly line item for organizations,” ENP said when announcing the study’s results.
Tomi Engdahl says:
Datacenters Drive Switch, ODM Growth
http://www.eetimes.com/author.asp?section_id=36&doc_id=1320425&
In the third quarter of 2013, the enterprise firewall market grew just 2% from a year earlier. Application-aware firewalls, a.k.a. next-generation firewalls, drove much of this growth. Before these firewalls, such devices were typically deployed at the perimeter of the network, where they monitored ingress and egress traffic to look for threats. With application-aware firewalls, a device can be placed virtually anywhere within a network.
The new systems can monitor all traffic, not just ingress and egress, so companies can make security decisions based on parameters such as applications, users, and content, in addition to traffic type. One of the pioneers in next-generation firewalls, Palo Alto Networks, has gained share over the past several quarters in part due to next-gen firewall demand.
In addition to application-aware firewalls, many network security appliance vendors are introducing unified threat management platforms. These upgraded platforms allow single network elements to perform more security functions than merely firewall threat detection.
There are numerous advantages to this approach, because the network complexity is reduced. However, there is still pushback from some enterprises. Network administrators may prefer distinct elements for legacy and debugging purposes.
Tomi Engdahl says:
Tech firms push back against White House efforts to divert NSA meeting
http://www.theguardian.com/world/2013/dec/17/tech-firms-obama-meeting-nsa-surveillance
• Administration said meeting would focus on healthcare website
• ‘We are here to talk about the NSA,’ says one tech executive
• Yahoo and others have already demanded sweeping reforms
The top leaders from the world’s biggest technology companies pressed their case for reform of the National Security Agency’s controversial surveillance operations at a meeting with President Obama on Tuesday, resisting attempts by the White House to portray the encounter as a wide-ranging discussion of broader priorities.
Senior executives from the companies whose bosses were present at the meeting said they were determined to keep the discussion focused on the NSA, despite the White House declaring in advance that it would focus on ways of improving the functionality of the troubled health insurance website, healthcare.gov, among other matters.
“That is not going to happen,” said an executive at one of the major tech companies represented at the meeting. “We are there to talk about the NSA,” said the executive, who was briefed on the company’s agenda before the event.
After meeting Obama and vice president Joe Biden for two-and-a-half hours, the companies issued a one-line statement. “We appreciated the opportunity to share directly with the president our principles on government surveillance that we released last week and we urge him to move aggressively on reform,” they said.
Tomi Engdahl says:
Yahoo’s Mayer Said to Warn of Web Balkanization in Spying
http://www.bloomberg.com/news/2013-12-17/yahoo-s-mayer-said-to-warn-of-internet-balkanization-over-spying.html
Yahoo! Inc. Chief Executive Officer Marissa Mayer warned President Barack Obama the backlash over U.S. spying threatens to Balkanize the Internet, as countries adopt different standards to thwart surveillance, according to an industry official.
Mayer was among 15 technology company executives including Apple Inc. (AAPL) CEO Tim Cook, Facebook Inc. Chief Operating Officer Sheryl Sandberg and Google Inc. Chairman Eric Schmidt who met at the White House today to press the president to curb the National Security Agency’s surveillance programs.
Obama has defended the NSA’s work as necessary to prevent another terrorist attack, while also saying he will propose some limits to guard against unwarranted snooping in Americans’ private affairs.
In a Dec. 5 interview with MSNBC, Obama said he will propose “some self-restraint on the NSA and to initiate some reforms to give people more confidence.” He didn’t give specifics.
Tomi Engdahl says:
Slobberknockered
How a toothless bureaucratic commission went all Snowden on the NSA.
Read more: http://www.politico.com/magazine/story/2013/12/nsa-panel-report-snowden-slobberknockered-101208.html#ixzz2noRFOiLH
Tomi Engdahl says:
Snowden Not Renewing Request For Asylum In Brazil, Greenwald Says
http://www.buzzfeed.com/rosiegray/snowden-not-currently-applying-for-asylum-in-brazil-greenwal
“This is being wildly misreported,” the lawyer and journalist said in an email to BuzzFeed. “He already requested asylum months ago to Brazil and several other governments, and it’s still pending.”
In the letter, Snowden writes that he is willing to help Brazil investigate U.S. surveillance of Brazilian citizens, but that he can’t.
“Until a country grants permanent political asylum, the US government will continue to interfere with my ability to speak.”
Tomi Engdahl says:
Massive Android Mobile Botnet Hijacking SMS Data
http://it.slashdot.org/story/13/12/18/053231/massive-android-mobile-botnet-hijacking-sms-data
“A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China.”
Tomi Engdahl says:
Snowden: I’ll swap you my anti-NSA knowhow for asylum … Brazil says: Não
Whistleblower begs for protection in exchange for advice, says newspaper
http://www.theregister.co.uk/2013/12/17/edward_snowden_brazil_asylum_bid/
Tomi Engdahl says:
Firewall-floggers in FLAMING MESS: Where’d our mystery margin go?
Endpoints: The world has moved on… and become a lot more complex
http://www.channelregister.co.uk/2013/12/02/mesguich_complex_security/
If you work in the fields of technology distribution, services and resale, you’ll surely hear about cloud, mobile, social and virtual more than anything else. However, it is the changing patterns in security spending that are perhaps most dramatically re-shaping our businesses.
Gone are the good old days of pushing traditional endpoint security licences for homogenous Wintel environments – resellers and distributors now need to adapt to a vastly more complex demand from customers if they’re to survive and thrive.
For distributors especially, the stats aren’t looking particularly good at the moment. Taken as a whole, the enterprise distribution market across Europe declined by 3.5 per cent in the third quarter from Q3 2012.
Security in particular was badly hit, showing a decline of 18.1 per cent. If we look more closely at this segment, we can see why. Firstly, PC spend is down while mobile device shipments are up. On these new smartphones, tablets and convertibles, users often don’t consider endpoint security – their main assumption being that data is mainly stored in the cloud anyway with little saved to the actual device. Even those who buy security do so through mobile apps or mobile device management solutions.
Security vendors realised this shift some time ago and have been refocusing their portfolios accordingly
It’s no surprise then that according to CONTEXT data, total revenue in the UK endpoint security market fell 34 per cent in Q3 year-on-year, while the number of licences dropped 41 per cent. Yet when we look at just endpoint mobile security, revenue went up 237 per cent over the same period. Kaspersky has been one of the most successful vendors in the UK in anticipating these changing buyer patterns.
Distributors are seeing their traditional endpoint security channel shrinking due to these factors but also because more retail customers are buying directly from vendors online.
As for the resellers, they too have to arm themselves with skills in this new era in security. They need to offer their customers hosted services and cloud apps with the security piece built in to the deal. This isn’t easy, with the multiplicity of operating systems, device types and form factors, and data access requirements of modern computing environments – not to mention the growing volume and sophistication of threats.
It’s no easy task and finding the right talent in the industry to support this changing business model could be tricky.
Tomi Engdahl says:
Nasdaq critical trading systems running on Windows Server 2003
SIP system responsible for major outage was running on ten year old operating system
http://www.computerworlduk.com/news/applications/3494093/nasdaq-critical-trading-systems-running-on-windows-server-2003/
The critical data processing system responsible for a three hour trading halt on the Nasdaq stock exchange was running on an outdated version of Windows operating system, it has been claimed.
According to a report by the Wall Street Journal, Nasdaq is continuing to run its securities information processor (SIP) – used by exchanges to consolidate quote and trade data before being sent out publicly – on Microsoft’s Windows Server 2003 operating system.
Problems with Nasdaq’s SIP were the cause of a major outage on the exchange in August, with securities trading halted for three hours.
Sources told WSJ that the Windows operating system is not thought to be the root cause of the systems failure, but its use served to highlight the underinvestment in trading systems in recent years.
Tomi Engdahl says:
U.S. Exchanges Near Deal for Infrastructure Upgrade
Market Plumbing Known as Securities Information Processors Was Behind August Trading Outage
http://online.wsj.com/news/articles/SB10001424052702304202204579256791508315638
U.S. exchanges are near an agreement to upgrade a central piece of the country’s trading infrastructure that critics say has been neglected and caused a serious market outage in August, according to people with knowledge of the discussions.
Designed to avoid another large-scale breakdown, the plan would establish faster backups for a key part of the market’s plumbing known as securities information processors, or SIPs, which…
Tomi Engdahl says:
Snowfall
http://imgur.com/a/nb79Z#0
A multi-layered LED edge-lit acrylic movie poster
Tomi Engdahl says:
Tech leaders urge Obama to move on NSA overhaul
http://www.usatoday.com/story/news/politics/2013/12/17/obama-nsa-google-aol-yahoo/4060461/
Tech executives urged President Obama on Tuesday to “move aggressively” to overhaul the way the U.S. government conducts surveillance.
The push came during a private meeting with Obama at the White House, which was billed as an opportunity to brief industry leaders on the progress the administration has made solving problems with the federal online health care exchange as well as the fallout that national security leaks have had on their companies.
A federal judge ruled Monday that the National Security Agency’s controversial surveillance program that collects millions of Americans’ telephone records may be unconstitutional. On Tuesday, White House press secretary Jay Carney said the administration believes the surveillance program is constitutional.
Officials from eight companies — including AOL, Apple, Facebook and Google — wrote an open letter to Obama and Congress last week in which they plainly stated their call to curb surveillance.
Schmidt, of Google, opened the meeting and laid out industry officials’ concerns. Obama seemed sympathetic to the idea of allowing more disclosure of government surveillance requests by technology companies
Mayer, the Yahoo! executive, brought up concerns about the potentially negative impact that could be caused if countries, such as Brazil, move forward with legislation that would require service providers to ensure that data belonging to a citizen of a certain country remain in the country it originates, the official said.
That would require technology companies to build data centers in each country — a costly problem for American Internet companies, the official said. The White House noted in a statement after the meeting that the group discussed the “economic impacts of unauthorized intelligence disclosures.”
significant importance to companies such as Google, Facebook, Apple and others who are dealing with the fallout of reports based on Snowden’s leaks that the NSA gained access to some of their users’ information.
Tomi Engdahl says:
$1,000 BOUNTY offered for FINGERPRINTS of a GLOBAL SPY CHIEF
Privacy campaigner: NSA, GCHQ, NZSIS* – take your pick
http://www.theregister.co.uk/2013/12/18/spy_boss_dna_treasure_hunt/
Privacy campaigner Simon Davies is offering a $1,000 bounty for the capture of the DNA and fingerprints of spy chiefs.
The 21st century treasure hunt offers a $1,000 cash windfall for anyone who supplies the Privacy Surgeon site run by Davies with an item – such as a drinking glass – with the DNA and fingerprints of any senior intelligence official of the “Five Eyes” alliance of spy agencies (made up from the NSA and Britain’s GCHQ as well as the signals intelligence agencies of Australia, Canada and New Zealand).
The objective of the bounty-hunt is to send a message to intelligence chiefs that personal information must be treated with respect, not to actually use the biometrics obtained.
“The aim is to raise their level of awareness and sensitivity, not to exploit the data,” Davies explains in a blog post.
Would-be participants are firmly instructed not to risk breaking the law
Tomi Engdahl says:
SHOCK REVELATION: Telstra manages its networks!
Post-Snowden reporting is getting very, very, silly
http://www.theregister.co.uk/2013/12/05/shock_revelation_telstra_manages_its_networks/
Reporting on telcos’ role in communications interception is getting very, very, silly.
Back in July, Australian media “discovered” an agreement between Australia’s dominant carrier Telstra and the USA’s Federal Bureau of Investigation and Department of Justice to snoop submarine cable traffic. As we demonstrated at the time, the agreement is business as usual: foreign carriers that want to land a cable in the USA have to sign such agreements in order to do business. Such agreements are not carte blanche to snoop, but a guarantee foreign carriers will allow “Lawful US process” to be applied as signatories will be required to “provide technical or other assistance to facilitate such Electronic Surveillance.”
Let’s now deal with each element of the story in turn
Tomi Engdahl says:
T bods: Windows XP, we WON’T leave you. Migrate? Chuh! As if…
Die-hard XP admins just won’t let go, reveals survey
http://www.channelregister.co.uk/2013/12/18/xp_survey/
It’s not going to be easy to pry open the death grip of IT bods on the last copies of Windows XP, according to Spiceworks, whose survey had a whopping 33 per cent of tech professionals planning to keep the OS on at least one device after its end of life.
The social business network for IT pros, much beloved of sysadmins, quizzed over 1,300 of its users on how they were going to get over XP and found that 76 per cent of them were still running the operating system on some devices today and 36 per cent would be keeping at least one copy around.
Any movement so far in migration has been to Windows 7 rather than 8 or 8.1
Tomi Engdahl says:
Academics Should Not Remain Silent On Government Hacking
http://yro.slashdot.org/story/13/12/18/1540221/academics-should-not-remain-silent-on-government-hacking
“The Guardian’s technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology’s standard for random numbers used for cryptography had been weakened by the NSA”
Tomi Engdahl says:
Academics should not remain silent on hacking
http://www.nature.com/news/academics-should-not-remain-silent-on-hacking-1.14399
The revelation that US and British spy agencies have undermined a commonly used encryption code should alarm researchers, says Charles Arthur.
Secrecy doesn’t come naturally to journalists, but sometimes it is thrust upon us. Earlier this year, there was a room in The Guardian’s offices in London that nobody could enter alone. On a table outside by a security guard was a tidy collection of phones and other devices; nothing electronic was allowed. Inside were a coffee maker, a shredder, some paper and a few computers. All were brand new; none had ever been connected to the Internet. None ran Microsoft Windows. All were encrypted; each required two passwords, held by different people.
This is where the biggest news stories of this year lived — away from the Internet. This was where The Guardian analysed the ‘Snowden files’ (classified documents released to the press by former US National Security Agency (NSA) contractor Edward Snowden). These revealed, among other things, that the NSA and the United Kingdom’s GCHQ were running enormous efforts to crack encrypted communications online, and that they had worked to undermine the strength of encryption standards such as that used — and recommended — by the US National Institute of Standards and Technology (NIST). (The computers sadly are no more — smashed in The Guardian basement on the orders of the British government.)
NIST’s standard for random numbers used for cryptography, published in 2006, had been weakened by the NSA.
It was, to be frank, a big deal. In the world’s universities, computer scientists and mathematicians spend their careers trying to develop secure systems, and yet here was evidence of a systematic — and successful — attempt to undermine that work. Executives at companies such as Google, Yahoo, Facebook and Microsoft, which discovered that their internal networks were being tapped and their systems infiltrated, were furious. But a few isolated shouts of protest aside, the academic community has largely been silent.
That’s disappointing. Academia is where we expect to hear the free flow of ideas and opinions. Yet it has been the commercial companies that have made the most noise — because the revelations threaten trust in their businesses. Don’t academics also see the threat to open expression, and to the flow of dissident ideas from countries where people might fear that their communications are being tapped and, even if encrypted, cracked?
Some get it. Ross Anderson, a security researcher at the University of Cambridge, UK, has been highly critical and outspoken. When I spoke to him in September, soon after the NIST revelation, he called it “a wake-up call for a lot of people” and added: “This has been a 9/11 moment for the community, and it’s great that some people are beginning to wake up.”
Kenneth White, principal scientist at health-information company Social & Scientific Systems in Silver Spring, Maryland, says: “Just a year ago, such a story would have been derogated by most of my colleagues as unwarranted suspicion at best and outright paranoia at worst. But here we are.”
Anderson has an explanation for the muted response: he says that a number of British university departments have been quietly coerced by the GCHQ. The intelligence-gathering agency has a substantial budget, and ropes in academics by offering access to funds that ensures their silence on sensitive matters, Anderson says.
Tomi Engdahl says:
Open-AudIT
http://www.open-audit.org/
Open-AudIT is an application to tell you exactly what is on your network, how it is configured and when it changes. Open-AudIT will run on Windows and Linux systems. Essentially, Open-AudIT is a database of information, that can be queried via a web interface. Data about the network is inserted via a Bash Script (Linux) or VBScript (Windows). The entire application is written in php, bash and vbscript. These are all ‘scripting’ languages – no compiling and human readable source code. Making changes and customisations is both quick and easy.
Windows PCs can be queried for hardware, software, operating system settings, security settings, IIS settings, services, users & groups and much more. Linux systems can be queried for a similar amount of information. Network devices (printers, switches, routers, etc) can have data recorded such as IP-Address, MAC Address, open ports, serial number, etc, etc. Output is available in PDF, CSV and webpages. There are export options for Dia and Inkscape.
Open-AudIT can be configured to scan your network and devices automatically. A daily scan is recommended for systems, with network scans every couple of hours. That way, you can be assured of being notified if something changes (day to day) on a PC, or even sooner, if something “new” appears on your network.
Tomi says:
‘NSA ruined it!’ Brazil ditches Boeing jets, grants $4.5 bln contract to Saab
http://rt.com/news/brazil-nsa-defense-contract-454/
Brazil has rejected a contract for Boeing’s F/A-18 fighter jets in favor of the Swedish Saab’s JAS 39 Gripens. The unexpected move to reject the US bid comes amid the global scandal over the NSA’s involvement in economic espionage activities.
The announcement for the purchase of 36 fighters was made Wednesday by Brazilian Defense Minister Celso Amorim and Air Force Commander Junti Saito. The jets will cost US$4.5 billion, well below the estimated market value of around US$7 billion.
Tomi says:
NSA fallout hits American business to the tune of four billion dollars: Brazil ditches Boeing F/A-18, buys Gripen
http://falkvinge.net/2013/12/18/nsa-fallout-hits-american-business-to-the-tune-of-four-billion-dollars-brazil-ditches-boeing-buys-gripen/
Brazil ditches Boeing’s F/A-18 in favor of SAAB’s JAS 39 Gripen over the NSA’s rogue behavior. In a press conference tonight, Brazil’s defense department announces that Brazil will buy the Swedish fighter jet, according to multiple Brazilian sources. The direct reason for rejecting Boeing’s F/A-18 was the United States’ hostile and unacceptable spying behavior against Brazil and the rest of the world.
Tomi says:
SAAB Gripen wins Brazil fighter jet bid. Boeing Super Hornet victim of NSA scandal?
http://theaviationist.com/2013/12/18/gripen-has-won-in-brazil/
Boeing Super Hornet was considered the favorite until the Snowden scandal brought to light that the NSA (National Security Agency) had been spying on Brazilian companies, agencies, officials and the president herself: in a direct attack on US electronic surveillance at the UN general assembly, Rousseff accused Washington of breaching international law.
Diplomatic relations between the two countries suddenly worsened and the chances Boeing could win the Brazil’s bid became paltry.
Tomi Engdahl says:
Obama Panel Recommends New Limits on N.S.A. Spying
December 18, 2013
http://www.nytimes.com/2013/12/19/us/politics/report-on-nsa-surveillance-tactics.html?pagewanted=all&_r=0
A panel of outside advisers urged President Obama on Wednesday to impose major oversight and some restrictions on the National Security Agency, arguing that in the past dozen years its powers had been enhanced at the expense of personal privacy.
The panel recommended changes in the way the agency collects the telephone data of Americans, spies on foreign leaders and prepares for cyberattacks abroad.
But the most significant recommendation of the panel of five intelligence and legal experts was that Mr. Obama restructure a program in which the N.S.A. systematically collects logs of all American phone calls — so-called metadata — and a small group of agency officials have the power to authorize the search of an individual’s telephone contacts. Instead, the panel said, the data should remain in the hands of telecommunications companies or a private consortium, and a court order should be necessary each time analysts want to access the information of any individual “for queries and data mining.”
The experts briefed Mr. Obama on Wednesday on their 46 recommendations, and a senior administration official said Mr. Obama was “open to many” of the changes, though he has already rejected one that called for separate leaders for the N.S.A. and its Pentagon cousin, the United States Cyber Command.
“We have identified a series of reforms that are designed to safeguard the privacy and dignity of American citizens, and to promote public trust, while also allowing the intelligence community to do what must be done to respond to genuine threats,” says the report, which Mr. Obama commissioned in August in response to the mounting furor over revelations by Edward J. Snowden, a former N.S.A. contractor, of the agency’s surveillance practices.
It adds, “Free nations must protect themselves, and nations that protect themselves must remain free.”
“In our view, the current storage by the government of bulk metadata creates potential risks to public trust, personal privacy, and civil liberty,” the report said.
Tomi Engdahl says:
Obama won’t give tech firms assurances on snooping
http://www.sfgate.com/technology/article/Obama-won-t-give-tech-firms-assurances-on-snooping-5076634.php
Technology company executives left a meeting with President Obama this week with no commitment to limit government snooping on Internet traffic, according to an industry official briefed on the session.
The group included executives from seven companies, including Marissa Mayer of Yahoo and Sheryl Sandberg of Facebook, who are pressuring the administration and Congress to restrict the National Security Agency’s scooping up of their users’ data.
Warning of backlash
Mayer, Yahoo’s chief executive officer and an Obama campaign donor, warned the president that backlash over U.S. spying may splinter the Internet as countries adopt different standards to thwart surveillance, according to the industry official.
Obama’s relationship with Silicon Valley is being tested by the damage from disclosures by former NSA contractor Edward Snowden
For the companies, it’s a matter of the bottom line.
“They see real risk to their market share,” said James Lewis of the Center for Strategic and International Studies in Washington. “You’ve got German, Chinese even Russian companies saying ‘Hey, buy from us, that way you won’t be at risk.’ It’s crazy. That’s what this has become – an opportunity for commercial advantage as well as an uproar over privacy.”
Reports about U.S. spying abroad may cost U.S. companies as much as $35 billion in lost revenue through 2016 because of doubts about the security of their systems, according to the Information Technology & Innovation Foundation, a policy research group in Washington.
While the administration’s agenda included talking about fixes made to the government’s health care website and federal information technology development, Obama senior adviser Valerie Jarrett said “99 percent” of the meeting was spent on discussing the NSA surveillance.
Tuesday’s White House meeting occurred a day after a U.S. district judge ruled that collecting bulk phone records – such as numbers dialed and call durations – of millions of Americans is probably unconstitutional, and four days after an advisory panel gave Obama recommendations for changes.
Tomi Engdahl says:
China’s central bank hit by DDoS after Bitcoin blitz
Reports claim revenge attack after digi-currency restrictions
http://www.theregister.co.uk/2013/12/19/bitcoin_ddos_pbos_china_bank/
Angry Bitcoin users are suspected of DDoS-ing the website of China’s central bank following tough new restrictions it levied this week which appear to have forced the world’s biggest Bitcoin exchange into meltdown.
Tomi Engdahl says:
Bah! No NSA-proof Euro cloud gang. Cloud computing standards will ‘aid data portability’
European Commission ropes in ETSI, plans to look at copyright issues
http://www.theregister.co.uk/2013/12/19/cloud_standards_should_aid_data_portability_say_meps/
New cloud computing standards to be developed within the EU should facilitate users’ ability to transfer data and services between cloud providers, MEPs have said.17 Dec 2013
Cloud computing TMT & Sourcing Outsourcing TMT Advanced Manufacturing & Technology Services
The European Parliament has backed a new resolution on cloud computing in response to actions the European Commission has set out under its cloud computing strategy. The Commission has engaged the European Telecommunications Standards Institute (ETSI) to help set out what new standards are required for the way that cloud services work.
Standards that could be formed may relate to data security, interoperability and data portability, the Commission said previously.
The resolution also set out the Parliament’s view that cloud providers should be said to be ‘data controllers’ under EU data protection laws
Tomi Engdahl says:
Research shows how MacBook Webcams can spy on their users without warning
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/
The woman was shocked when she received two nude photos of herself by e-mail. The photos had been taken over a period of several months — without her knowledge — by the built-in camera on her laptop.
Fortunately, the FBI was able to identify a suspect: her high school classmate, a man named Jared Abrahams. The FBI says it found software on Abrahams’s computer that allowed him to spy remotely on her and numerous other women.
Most laptops with built-in cameras have an important privacy feature — a light that is supposed to turn on any time the camera is in use. But Wolf says she never saw the light on her laptop go on. As a result, she had no idea she was under surveillance.
That wasn’t supposed to be possible. While controlling a camera remotely has long been a source of concern to privacy advocates, conventional wisdom said there was at least no way to deactivate the warning light. New evidence indicates otherwise.
Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, said in a recent story in The Washington Post that the FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years.
The 2008-era Apple products they studied had a “hardware interlock” between the camera and the light to ensure that the camera couldn’t turn on without alerting its owner.
But Checkoway and his co-author, Johns Hopkins graduate student Matthew Brocker, were able to get around this security feature. That’s because a modern laptop is actually several different computers in one package. “There’s more than one chip on your computer,” says Charlie Miller, a security expert at Twitter. “There’s a chip in the battery, a chip in the keyboard, a chip in the camera.”
Attacks that exploit microcontrollers are becoming more common. “People are starting to think about what happens when you can reprogram each of those,” Miller says. For example, he demonstrated an attack last year on the software that controls Apple batteries, which causes the battery to discharge rapidly, potentially leading to a fire or explosion. Another researcher was able to convert the built-in Apple keyboard into spyware using a similar method.
“There’s no reason you can’t do it — it’s just a lot of work and resources but it depends on how well [Apple] secured the hardware,” Miller says.
RATted out
The software used by Abrahams in the Wolf case is known as a Remote Administration Tool, or RAT. This software, which allows someone to control a computer from across the Internet, has legitimate purposes as well as nefarious ones. For example, it can make it easier for a school’s IT staff to administer a classroom full of computers.
He says that cheap RATs like the one used in Merion High School may not have the ability to disable the hardware LEDs, but “you would probably expect more sophisticated surveillance offerings which cost hundreds of thousands of euros” to be stealthier.
He points to commercial surveillance products such as Hacking Team and FinFisher that are marketed for use by governments. FinFisher is a suite of tools sold by a European firm called the Gamma Group. A company marketing document released by WikiLeaks indicated that Finfisher could be “covertly deployed on the Target Systems” and enable, among other things, “Live Surveillance through Webcam and Microphone.”
Tomi Engdahl says:
Use of Tor helped FBI ID suspect in bomb hoax case
Tor can be an effective tool for covering your tracks, but not always.
http://arstechnica.com/security/2013/12/use-of-tor-helped-fbi-finger-bomb-hoax-suspect/
It’s true that the Tor anonymity service helps people cover their tracks on the Internet. But when it’s not used carefully, it can be the very thing that tips off the people the user wants to evade, as was demonstrated in a federal investigation earlier this week.
“This is one of the problems of using a rare security tool,” security analyst Bruce Schneier observed in a blog post published Wednesday. “The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn’t have to break Tor; they just used conventional police mechanisms to get Kim to confess.”
Tor can be an effective tool for staying anonymous, but not always. If the people you’re trying to evade have access to your local network or your ISP’s network, they can see that you’re using Tor and can track the duration and other key details. The failure here wasn’t on the part of Tor but rather on a user who didn’t think through what he was trying to do. The episode helps underscore how Tor could be more effective if it were more widely used.
Tomi Engdahl says:
Hackers break into Washington Post servers
http://www.washingtonpost.com/business/technology/hackers-break-into-washington-post-servers/2013/12/18/dff8c362-682c-11e3-8b5b-a77187b716a3_story.html
Hackers broke into The Washington Post’s servers and gained access to employee user names and passwords, marking at least the third intrusion over the past three years, company officials said Wednesday.
Post officials, who on Wednesday learned of the intrusion from Mandiant, a cybersecurity contractor that monitors the company’s networks, said the intrusion was of relatively short duration.
The company’s suspicions immediately focused on the possibility that Chinese hackers were responsible for the hack.
The Syrian Electronic Army was also suspected in a “phishing” attack aimed at securing the log-in information of the e-mail accounts of Post journalists.
Tomi Engdahl says:
Soghoian & Greenwald tell EU bigwigs: Fight state snooping on mobe networks NOW
Never mind roaming fees, what about data security?
http://www.theregister.co.uk/2013/12/19/europarl_privacy_hearing_soghoian_greenwald/
Politicians and regulators in Europe need to decide whether they want a secure mobile phone system or something their own police agencies – as well as spy agencies in the US, China and elsewhere – are able to easily tap into, according to a renowned security and privacy expert.
Christopher Soghoian, principal technologist of the speech, privacy & technology project at the American Civil Liberties Union, told a European Parliament hearing on Civil Liberties, Justice and Home Affairs that keeping foreign intelligence agencies out of mobile phone traffic while allowing local cops access to it is a practical impossibility.
“The NSA employs the best hackers in the world and if they can’t get in directly they will just hack into the cops’ systems,” he said.
“Weaknesses in GSM have been known about for 20 years,” Soghoian said.
It used to be the case that you need government-grade surveillance equipment to intercept communications but it’s now possible for researchers, hobbyists and hackers to build interception kit for a few hundred dollars. As Soghoian explained, “mobile phone interception tech has been democratised.”
That means that the mobile phone conversations of politicians were vulnerable to spying on by paparazzi as well as creating the means for unscrupulous businessmen to hire hackers to spy on their rivals, according to the technology policy expert.
“For years there’s been a widespread failure of telco regulators to prevent threat of interception. It should not have taken the Edward Snowden revelations” to reveal this, Soghoian argued, asking rhetorically: “Regulators have intervened when it comes to roaming fees but what about data security for cellphone networks?”
“Mobile networks are insecure by design and this is not an accident. The needs of local law enforcement and intelligence come first,” he said.
There are already secure apps for smartphones but at the time of writing they require action on the part of users, so they’re not widely deployed, according to Soghoian.
The NSA use metadata to build a network of associates and friends, something Greenwald described as “very invasive”.
“If you value privacy then it would almost be preferable to have the NSA listen in to your phone calls,” Greenwald said in an uncharacteristically semi-flippant aside.
Tomi Engdahl says:
Scientists Extract RSA Key From GnuPG Using Sound of CPU
http://it.slashdot.org/story/13/12/18/2122226/scientists-extract-rsa-key-from-gnupg-using-sound-of-cpu
“In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU”
Comment:
TEMPEST was a details-secret government requirement meant to defeat means of eavesdropping on classified computer data from its electromagnetic emissions. I guess they need to include audio too.
My impression is that the noise comes from the power supply, not the CPU.
Tomi Engdahl says:
How Azure helps Microsoft take down cyber criminals
http://www.itworld.com/cloud-computing/394553/how-azure-helps-microsoft-take-down-cyber-criminals
In mid-November, Microsoft unveiled a facility on its Redmond, Wash., campus that had become the new home for its Digital Crimes Unit. It took the opportunity to offer up new details about the multi-agency initiative that disrupted the huge Citadel botnet earlier this year.
What Microsoft hasn’t yet talked much about is the role the cloud played in the Citadel project and how the cloud enables the company to tackle cyber crime. I had a chance to hear more about it from Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit, this week.
The Digital Crimes Unit has some dedicated hardware on-premises, although Boscovich revealed only a few specifics. “We do in fact use quite a lot of storage power, a lot of compute power,” he said. “We have a Hadoop cluster on SQL server and a parallel data warehouse right here on-premises. We’re talking terabytes of storage.”
Still, that’s not always enough. “Even with that, we have to go to the cloud to get some more capacity when we do some of these take downs,” he said.
Without the cloud, it would have taken much longer to disrupt Citadel, a botnet that Microsoft said siphoned $500 million from people around the world whose computers it infected.
Microsoft works with authorities around the world to inform them when computers in their regions are being infected. When Microsoft works on a takedown, its goal is to quickly stop the harm done by the malware and work to correct the problem, Boscovich said.
Tomi Engdahl says:
Target confirms breach: 40 million accounts affected
http://www.zdnet.com/target-confirms-breach-40-million-accounts-affected-7000024499/
Target on Thursday confirmed that its payment card data was compromised in its stores with 40 million accounts affected.
The retailer was confirming a report Wednesday that the breach had occurred. The breach was first reported by Krebs on Security. Customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code) were breached, according to a letter to customers.
Tomi Engdahl says:
First China banned Bitcoin. Now its crooks are using malware to steal traders’ wallets
New nasty specifically targets Bitcoin China exchange
http://www.theregister.co.uk/2013/12/19/zeus_variant_specialises_in_bitcoin_china_account_hijacking/
Cybercrooks have developed a strain of malware that actively targets BTC China and other Bitcoin exchanges.
A Zeus P2P/Gameover variant discovered by Trusteer is designed to steal the passwords of traders in the virtual currency. A blog post by the IBM-owned transaction security firm explains that the malware is specially designed to trick potential victims into supplying one time passwords that might be needed for successful account takeovers.
ZeuS variants are commonly used for conventional electronic banking account takeovers and looting.
The arrival of the Bitcoin-targeting malware variant came shortly before BTC China, China’s largest exchange, began blocking new deposits. This and a related regulatory clampdown by the Chinese government are blamed for taking a huge toll on the crypto-currency’s value over recent days.
Tomi Engdahl says:
Malware That’s Transmitted Through Sound
http://www.designnews.com/author.asp?section_id=1386&doc_id=270551&cid=nl.dn14
At some point, we have all had the displeasure of dealing with malware, which can be a headache to remedy. Malware (short for malicious software), is designed to gain access to private PCs, acquire sensitive material (passwords, account numbers, etc.), and generally disrupt normal computer functions. It is normally installed covertly by opening suspicious email attachments, visiting dubious websites, or directly through software downloads.
Suffice it to say, the dastardly software was acquired through online-connected PCs or mobile devices before it wreaked havoc and made us insane. As scary as it may sound, malware can now be transmitted wirelessly through inaudible sound, thanks to some scientists from the Fraunhofer Institute for Communication, Information Processing and Ergonomics.
Actually, the scientists created proof-of-concept software and it isn’t actually in use. The acoustical malware is capable of transmitting itself using a PC’s built-in microphone and speakers, which the scientists used to send small amounts of data and passwords to other test machines at distances of about 65 feet.
The science team states in a recently released paper that data transfer can happen at greater distances using a network mesh of signal devices to relay the malicious code
The scientists designed their NFC (Near-Field Communications) malware delivery system using a special algorithm that is able to hop different frequencies and install small amounts of data, not only to secure air gap networks, but to wireless mesh networks, as well. The potential damage that their acoustic malware can cause is significant, so much so that hardened federal agency and military networks can no longer be considered safe against malicious attacks.
Should we worry about our systems becoming hacked and key-logged in the near future? Yes and no, as only 20kb of data can currently be transmitted or received at only at short distances
Tomi Engdahl says:
CryptoLocker Gang Earns $30 Million In Just 100 Days
http://yro.slashdot.org/story/13/12/19/1444233/cryptolocker-gang-earns-30-million-in-just-100-days
“A report from Dell Secureworks earlier this week reported that up to 250,000 systems have been infected with the pernicious ransomware known as CryptoLocker.”
” average ransom being paid was $300, and than on a very conservative basis just 0.4% of people paid the ransom. What does this all add up to? $30 million “
Tomi Engdahl says:
CryptoLocker Gang Earns Millions in Just 100 Days
http://www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607
According to new research, the Cryptolocker malware has infected 250,000 PCs in just 100 days, potentially earning the gang behind the ransomware millions.
Based on the number of systems contacting a server set up specifically by Dell Secureworks soon after the emergence of CryptoLocker in September, researcher Keith Jarvis puts the number of infected systems globally at between 200,000 and 250,000.
The Cryptolocker ransomware works by encrypting a user’s hard drive and the only way to un-encrypt and regain access to the files is to pay a ransom within 72 hours.
If the ransom isn’t paid, the files are permanently locked with no way of ever accessing them again – though recently the criminals behind the malware have added a late payment option for a much higher price.
In his report, Jarvis estimates that on a very conservative basis just 0.4% of victims have paid the ransom since CryptoLocker appeared four months ago.
The average ransom paid is around $300 (£183)
CryptoLocker will have earned somewhere in the region of $300,000 in just 100 days.
However this figure could be many times larger as Jarvis says the 0.4% estimate is a “minimum” and is “very likely many times” more than this
The earliest known samples of CryptoLocker were released on the internet on 5 September. The early samples were sent through spam emails targeting business professionals with a lure of a “consumer complaint.”
it was being distributed by the Gameover Zeus malware, in some cases via the renowned Cutwail bonnet.
This method of distributing malware is typical among cyber-criminals in Russia and easter Europe, and was one of the indications that the creators of CryptoLocker came from this region.
“The majority of command and control servers hosting the CryptoLocker malware are located in the Russian Federation or the former Eastern bloc states,”
“We think it is wholly controlled and operated by a single crew, and not bought and sold on the underground.”
The criminals behind the scheme also initially offered a large variety of ways for users to pay, including Paysafecard, CashU and Ukash, they now only accept MoneyPak and bitcoin.
Tomi says:
Proposed California law demands anti-theft ‘kill switch’ in all smartphones
With robberies escalating, SF attorney demands deterrent tech
http://www.theregister.co.uk/2013/12/19/california_smartphone_kill_switch_law/
California may soon become the first US state to require mobile phone makers to include a feature that can remotely disable their handsets in the event they are stolen.
A new law proposed by California state Senator Mark Leno and San Francisco District Attorney George Gascón would require all smartphones sold in the state to include a remote-controllable “kill switch” as a deterrent against theft.
The issue is not a new one for Gascón, who along with New York Attorney General Eric Schneiderman, has been crusading for greater smartphone security in light of what has been described as an epidemic of mobile phone theft.
In Gascón’s home city of San Francisco, which falls within Leno’s jurisdiction, more than half of all robberies now involve a smartphone, according to police statistics.
But although some phone vendors offer remote deactivation
most do not, which means smartphone thieves can quickly and easily sell the devices to eager bargain-hunters.
Gascón has accused the mobile phone industry of dragging its feet on the issue, saying that although he had managed to convince smartphone titan Samsung to bundle LoJack security software with its devices, the major wireless carriers rejected the proposal, believing it would eat into their profits: fewer thefts would mean fewer sales.
Tomi Engdahl says:
BitTorrent serverless chat replaces usernames with crypto keys
“With BitTorrent Chat, your identity is a cryptographic key pair.”
http://arstechnica.com/information-technology/2013/12/bittorrent-serverless-chat-replaces-usernames-with-crypto-keys/
BitTorrent, Inc. is developing a serverless instant messaging system that relies on public key encryption to protect the privacy of communications, identifying users not with traditional usernames but with cryptographic key pairs.
The company, which develops the BitTorrent peer-to-peer protocol as well as the BitTorrent and μTorrent file sharing software, announced the forthcoming chat software in September and revealed some details on how it will work in a blog post today.
Underlying this system is a Distributed Hash Table (DHT) which finds IP addresses, removing the need for a central server to route messages, the company explained.