Security trends for 2014

The year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software will Increase; Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
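The two points above, that most traffic is automated and that the dangerous floods are now Layer 7 requests that look like ordinary browser traffic, can be checked against your own web server logs. The following is an added example, not code from this article or from Incapsula: it parses combined-format access log lines, counts the self-declared crawlers by user agent, and separately flags sources whose request rate against the application exceeds a threshold inside a sliding window, which is how a Layer 7 flood shows up even when its user agent string says Chrome. The sample log lines are constructed here; the threshold, window size and user-agent word list are assumptions to tune for your site.

```python
"""Added example: bot share and Layer 7 flood sources from a web access log."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User agents that identify themselves as crawlers or tools (assumed word list)
BOT_UA_RE = re.compile(r"bot|crawl|spider|slurp|curl|wget|python-requests|scrapy", re.I)

CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0 Safari/537.36"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
T0 = datetime(2014, 10, 2, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip, ts, path, ua, status=200):
    """Build one combined-format line (used only to construct the sample log)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample: 6 browser hits, 4 crawler hits, one 30-request burst."""
    lines = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"] * 2):
        lines.append(make_line(ip, T0 + timedelta(seconds=10 * i), f"/page/{i}", CHROME))
    for i in range(4):
        lines.append(make_line("192.0.2.5", T0 + timedelta(seconds=15 * i), f"/item/{i}", GOOGLEBOT))
    # one address hammering an expensive search endpoint, 30 times in five seconds,
    # with a browser user agent: invisible to the UA check, caught by the rate check
    for i in range(30):
        lines.append(make_line("203.0.113.7", T0 + timedelta(milliseconds=166 * i), f"/search?q={i}", CHROME))
    return lines


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_bot_ua(entry):
    """Declared bots: crawler words in the UA, or no UA at all."""
    ua = entry["ua"]
    return ua in ("", "-") or bool(BOT_UA_RE.search(ua))


def flood_sources(entries, window=timedelta(seconds=10), threshold=20):
    """IPs that made more than `threshold` requests inside any `window`-long span."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def traffic_breakdown(lines):
    """Classify every parsable line as declared bot, suspected bot (flood source) or human."""
    entries = [e for e in map(parse_line, lines) if e]
    floods = flood_sources(entries)
    counts = Counter()
    for e in entries:
        if is_bot_ua(e):
            counts["declared_bot"] += 1
        elif e["ip"] in floods:
            counts["suspected_bot"] += 1
        else:
            counts["human"] += 1
    total = len(entries)
    automated = counts["declared_bot"] + counts["suspected_bot"]
    return {
        "total": total,
        "declared_bot": counts["declared_bot"],
        "suspected_bot": counts["suspected_bot"],
        "human": counts["human"],
        "automated_share": automated / total if total else 0.0,
        "flood_sources": sorted(floods),
    }


if __name__ == "__main__":
    print(traffic_breakdown(build_sample_log()))
```

On the constructed log the user-agent check alone reports a 10 % bot share, while adding the rate check raises it to 85 % and names the flooding address; that gap is the point of the Layer 7 remark, because the volumetric and user-agent signals that used to identify automated traffic no longer see it.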

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, like the term “cloud computing”. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion, to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Kano Computing
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/30/holder-urges-tech-companies-to-leave-device-backdoors-open-for-police/

    Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

    “It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy,” Holder said at a conference on child sexual abuse, according to a text of his prepared remarks. “When a child is in danger, law enforcement needs to be able to take every legally available step to quickly find and protect the child and to stop those that abuse children. It is worrisome to see companies thwarting our ability to do so.”

    Though he didn’t mention Apple and Google by name, his remarks followed their announcements this month of new smartphone encryption policies that have sparked a sharp government response, including from FBI Director James B. Comey last week.

    Company officials have said stronger encryption better protects the privacy of users by toughening the security of the devices against a wide range of intrusions, by governments, criminals or curious hackers.

    Reply
  2. Tomi Engdahl says:

    How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks
    http://www.wired.com/2014/09/ram-scrapers-how-they-work/

    Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson’s and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system.

    RAM scrapers—used recently in the Target and Home Depot breaches to net the hackers data on more than 100 million bank cards collectively—are not new. VISA issued a warning to retailers about their use in 2008. But they’ve become increasingly sophisticated and efficient at stealing massive caches of cards.

    They’ve also become more ubiquitous as developer kits for building them—from a starter stub that is easily customized from a menu of features—have pushed scrapers into the mainstream and made them accessible to a wider swath of hackers. Need something to exfiltrate data from your victim’s network to a server in Minsk? Check. Want a turnkey solution for managing your command-and-control server in Mumbai? The kits have got that covered, too.

    RAM scrapers can be installed remotely on a Big-Box retailer’s network and deployed widely to dozens of stores in a franchise.

    Reply
  3. Tomi Engdahl says:

    Hackers charged with stealing over $100m in US army and Xbox technology
    http://www.theguardian.com/technology/2014/sep/30/four-hackers-charged-stealing-xbox-army-technology

    Indictment unsealed on Tuesday reveals Department of Justice charged four people in international computer hacking ring

    Four men have been charged with breaking into the computer systems of Microsoft, the US army and leading games manufacturers, as part of an alleged international hacking ring that netted more than $100m in intellectual property, the US Department of Justice said on Tuesday.

    The four, aged between 18 and 28, are alleged to have stolen Xbox technology, Apache helicopter training software and pre-release copies of games such as Call of Duty: Modern Warfare 3, according to an indictment dating from April that was unsealed on Tuesday.

    Two of the hackers pleaded guilty earlier in the day, the DoJ said.

    “These were extremely sophisticated hackers … Don’t be fooled by their ages,”

    According to prosecutors, the defendants stole intellectual property and other proprietary data related to the Xbox One gaming console and Xbox Live online gaming system, and pre-release copies of popular video games. The Department of Justice (DoJ) claimed the technology was worth between $100m and $200m, a figure hotly disputed by one of those facing charges.

    Reply
  4. Tomi Engdahl says:

    That PERSONAL DATA you give away for free to Facebook ‘n’ pals? It’s worth at least £140
    Study finds tectonic shift in pricing our personal data
    http://www.theregister.co.uk/2014/10/01/personal_data_priced_and_its_a_lot/

    “Who would have predicted, 20 years ago, that you’d get free stock quotes, free maps and a free encyclopaedia?” WiReD magazine’s “Senior Disruptor” Kevin Kelly* told a London conference last week.

    But new consumer research for telecoms multinational Orange indicates that even at a price of free, the punter is being ripped off. It also suggests – and this is better news – that we’re growing up faster than the tech gurus and marketeers realise – and beginning to put a price on our personal data.

    Orange found that internet users know that their data is valuable, care how it’s used, and the vast majority think the service provider gets a better deal from the data exchange than the punter

    Survey respondents said the most valuable data was personal income, followed by the email addresses of close friends and family. Demographic data is less highly valued, although it’s incredibly valuable to fraudsters. The total value however is significant: £140 (€170) per consumer.

    Reply
  5. Tomi Engdahl says:

    Local police in US giving families free ComputerCop keylogging software in “Internet Safety” initiative:

    ComputerCOP: The Dubious ‘Internet Safety Software’ That Hundreds of Police Agencies Have Distributed to Families
    https://www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies

    For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

    Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to families for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative.

    As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies.

    The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

    EFF conducted a security review of ComputerCOP while also following the paper trail of public records to see how widely the software has spread.

    What is ComputerCOP?

    Bo Dietl’s One Tough Computer Cop (Source: UCSF Library)

    In an era when hackers use botnets, zero day exploits, and sophisticated phishing to compromise billions of online accounts, ComputerCOP is a software relic that not only offers little protection, but may actually expose your child’s (and potentially your) most sensitive information to danger.

    Indeed, its origins trace back 15 years, when software companies began to target a new demographic: parents worried about their children’s exposure to all manner of danger and inappropriate material on the Internet.

    “Basic” Search Functions: ComputerCOP’s search utility does not require installation and can run right off the CD-ROM. The tool allows the user to review recent images and videos downloaded to the computer, but it will also scan the hard drive looking for documents containing phrases in ComputerCOP’s dictionary of thousand of keywords related to drugs, sex, gangs, and hate groups. While that feature may sound impressive, in practice the software is unreliable. On some computer systems, it produces a giant haystack of false positives, including flagging items as innocuous as raw computer code. On other systems, it will only produce a handful of results

    KeyAlert: ComputerCOP’s KeyAlert keylogging program does require installation and, if the user isn’t careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user’s hard drive.

    The keylogger is problematic on multiple levels. In general, keyloggers are commonly a tool of spies, malicious hackers, and (occasionally) nosy employers

    The lack of encryption is even more troubling. Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server.

    Some of the most common online services, such as Facebook, Twitter, and Gmail (as well as most financial sites), use HTTPS by default, automatically encrypting communications between users and those websites. In fact, one of the truly effective tools parents can use to protect their children is HTTPS Everywhere, an EFF plug-in that makes an Internet browser connect by default to secure versions of websites.

    Reply
  6. Tomi Engdahl says:

    Rackspace Joined Amazon in Patching, Rebooting Cloud Servers

    About a quarter of Rackspace’s 200,000-plus customers were impacted when the cloud provider had to patch a flaw in the Xen hypervisor.

    – See more at: http://www.eweek.com/cloud/rackspace-joined-amazon-in-patching-rebooting-cloud-servers.html#sthash.QrRBj1WT.dpuf

    Reply
  7. Tomi Engdahl says:

    Inside Shellshock: How hackers are using it to exploit systems
    http://blog.cloudflare.com/inside-shellshock/

    On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash.

    CloudFlare immediately rolled out protection for Pro, Business, and Enterprise customers through our Web Application Firewall. On Sunday, after studying the extent of the problem, and looking at logs of attacks stopped by our WAF, we decided to roll out protection for our Free plan customers as well.

    Since then we’ve been monitoring attacks we’ve stopped in order to understand what they look like, and where they come from. Based on our observations, it’s clear that hackers are exploiting Shellshock worldwide.

    Reply
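The CloudFlare post above describes blocking Shellshock attempts at the WAF. As an added example (not CloudFlare’s rule and not code from the post), the following shows what such a detection rule looks like: the vulnerable bash versions treated an environment variable whose value begins with a function definition, `() {`, as code to parse and then executed whatever followed the closing brace, and CGI exports request headers and the query string into exactly such environment variables, so that prefix in an exported header is the signature to match. The request records below are constructed for the illustration and the header list is an assumption.

```python
"""Added example: flag Shellshock-style '() {' payloads in HTTP requests."""
import re

# Function-definition prefix that vulnerable bash versions parsed from the environment
FUNC_PREFIX_RE = re.compile(r"\(\s*\)\s*\{")

# Headers that CGI exports to scripts as HTTP_* environment variables (assumed list)
EXPORTED_HEADERS = {"user-agent", "referer", "cookie", "host", "accept", "accept-language"}


def find_shellshock(request):
    """Return the names of exported headers (or 'query') in `request` carrying the prefix."""
    hits = []
    for name, value in request.get("headers", {}).items():
        if name.lower() in EXPORTED_HEADERS and FUNC_PREFIX_RE.search(value):
            hits.append(name)
    # the query string also reaches CGI scripts through the environment
    if FUNC_PREFIX_RE.search(request.get("query", "")):
        hits.append("query")
    return hits


def scan(requests):
    """Return [(index, hits), ...] for every request that matches the rule."""
    findings = []
    for i, req in enumerate(requests):
        hits = find_shellshock(req)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample traffic: two ordinary requests, three probes that only echo a word.
SAMPLE_REQUESTS = [
    {"path": "/cgi-bin/status", "query": "", "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0"}},
    {"path": "/cgi-bin/status", "query": "", "headers": {
        "User-Agent": "() { :; }; echo probe"}},
    {"path": "/cgi-bin/status", "query": "", "headers": {
        "User-Agent": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
        "Cookie": "sid=abc123; (){ :;}; echo probe"}},
    # parentheses and braces on their own are not the pattern: no false positive here
    {"path": "/index.html", "query": "q=a+(b)+{c}", "headers": {"User-Agent": "curl/7.37.0"}},
    {"path": "/cgi-bin/search", "query": "q=() { :; }; echo probe", "headers": {"User-Agent": "curl/7.37.0"}},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: Shellshock pattern in {', '.join(hits)}")
```

A rule like this is a stopgap that buys time for patching; the fix is the updated bash package on every host that exposes it through CGI or other environment-passing interfaces, because a perimeter match only covers the paths the WAF sees.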
  8. Tomi Engdahl says:

    Hong Kong’s Protesters Don’t Need the Internet to Chat With One Another
    http://time.com/3449812/hong-kong-protesters-firechat/

    FireChat connects directly to other protesters’ phones, building a massive network

    When you pack that many people into a tiny area, your phone’s Internet grinds to a halt.

    Smartphones should make it easier to organize protests, but they’re as good as bricks when cell towers get overloaded with traffic or when governments decide to flip the switch.

    In the face of these hangups, Hong Kong’s demonstrators have turned to FireChat, a smartphone app that allows users to communicate even when they can’t get online or send texts. Unlike chat programs that work over the Internet, FireChat connects directly to other nearby users within up to about 250 feet.

    FireChat is based on mesh networking, in which every device on a network works as a node for expanding that network. The idea’s been around for decades, now popular as a way to communicate during disasters like hurricanes. But Hong Kong shows it’s useful during civil disobedience, too. Some 200,000 people there downloaded the app between Sunday and Tuesday, said Micha Benoliel, CEO of Open Garden, the company behind FireChat, sending it skyrocketing to the top of the region’s app store charts.

    Still, FireChat isn’t perfect for protesters. The chat rooms are open, making it easy for a first-timer to join — but that first-timer could also be a local authority poking around at the goings-on.

    Reply
  9. Tomi Engdahl says:

    Etsy security rule #1: Don’t be a jerk to devs
    Attack thyself with 0days, preaches former hacker bod
    http://www.theregister.co.uk/2014/10/02/etsy_security_rule_1_dont_be_a_jerk_to_devs/

    Businesses should deploy bug bounty programs, phish their staff and launch intelligent attacks against their networks, Zane Lackey says.

    “The fundamental shift is that vulnerabilities occur in all methodologies, but in continuous deployment there is no such thing as an out-of-band patch,” Lackey said in a talk given at Duo Security offices in the US.

    Continuous deployment means continuous security and allows small change sets to be confidently pushed out. To this end, Etsy introduced feature flags, ramp-ups which allow parts of code to be deployed to certain users, and A/B testing that allows users to determine the features they most like.

    He said security teams must focus on incentives to attract business units, or be prepared to be ducked. Rule one was to not be “a jerk” to developers when stupid security flaws or bad code was found.

    “Don’t be a jerk,” Lackey said. “Save it for over drinks … the moment you are jerk to a developer, you lose them and all of their peers, and you might never know you did.”

    Trade-offs are also important. Not every bug needed to be painted as world-ending, and those which were of minimal threat should not stand in the way of production. Smaller flaws should be placed on a to-do list, which will keep developers on-side.

    A vulnerability and its impact should be explained in language developers understand, not in deliberately technical security-speak, he added.

    Etsy handed out bribes to developers who report flaws, including gift cards and tee-shirts, which he said worked “shockingly well”.

    The don’t-be-a-jerk approach went further still with the recommendation that security teams take “the false-positive hit” and only approach developers with verified vulnerabilities. While this appeared to put the burden of sorting real bugs from the many more false ones, it ensured that developers would not simply hit delete on security emails.

    “When someone has a world-ending bug, you find out via an inbound email rather than Pastebin,” Lackey said.

    Penetration tests, or “attack simulations” as Lackey prefers, should mimic different types of attacks, including those skilled attackers who use custom tools to maintain quiet persistence inside a network compared to those who loudly smash and grab data and leave.

    He distinguishes between testing and simulation as the former being simple enumeration of vulnerabilities that prove compromise was possible, and the latter based on the need to show where detection mechanisms should be placed.

    Attackers in simulations should be encouraged to use zero-days but maintain contact with developers in the event that a particular targeted box may be production.

    Reply
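The comment above mentions feature flags and ramp-ups as the mechanism that lets small change sets go out with confidence. The following is an added illustration of that idea, not Etsy’s code and with all class and method names assumed: a flag is enabled for a fixed percentage of users chosen by a stable hash, so raising the percentage only ever adds users and never flips someone back, an allow list lets staff or canary accounts see the feature first, and a kill switch turns it off for everyone when a flaw is found, which is the “no out-of-band patch” property in practice. The user ids are constructed.

```python
"""Added example: percentage ramp-up feature flags with allow list and kill switch."""
import hashlib


class FeatureFlags:
    """Per-flag rollout state: a percentage of users plus an explicit allow list."""

    def __init__(self):
        self._flags = {}

    def set_ramp(self, name, percent, allow=()):
        """Enable `name` for `percent` of users (0..100) and for every id in `allow`."""
        if not 0 <= percent <= 100:
            raise ValueError("percent must be between 0 and 100")
        self._flags[name] = {"percent": percent, "allow": set(allow)}

    def kill(self, name):
        """Kill switch: turn the flag off for everyone, allow list included."""
        self._flags[name] = {"percent": 0, "allow": set()}

    @staticmethod
    def bucket(name, user_id):
        """Stable bucket 0..99 for (flag, user). Hashing the flag name in too means each
        flag ramps to a different slice of users, so no one group is the guinea pig
        for every experiment."""
        digest = hashlib.sha256(f"{name}:{user_id}".encode("utf-8")).digest()
        return int.from_bytes(digest[:4], "big") % 100

    def enabled(self, name, user_id):
        """Decide whether `user_id` sees feature `name`."""
        flag = self._flags.get(name)
        if flag is None:
            return False                      # unknown flag: fail closed
        if user_id in flag["allow"]:
            return True                       # staff / canary accounts
        return self.bucket(name, user_id) < flag["percent"]


def rollout(flags, name, user_ids):
    """The subset of `user_ids` that currently sees the feature."""
    return {u for u in user_ids if flags.enabled(name, u)}


if __name__ == "__main__":
    flags = FeatureFlags()
    users = [f"user{i}" for i in range(1000)]      # constructed user ids
    flags.set_ramp("new-checkout", 5, allow=["staff-alice"])
    stage1 = rollout(flags, "new-checkout", users)
    flags.set_ramp("new-checkout", 25, allow=["staff-alice"])
    stage2 = rollout(flags, "new-checkout", users)
    print(len(stage1), len(stage2), stage1 <= stage2)   # ramp only adds users
    flags.kill("new-checkout")
    print(rollout(flags, "new-checkout", users + ["staff-alice"]))   # empty set
```

The security value is in the two properties the code enforces: an unknown or killed flag is off for everyone (fail closed), and a user’s bucket depends only on the flag name and id, so the population exposed at 5 % is exactly contained in the one exposed at 25 %, which makes the blast radius of a bad change predictable and its rollback immediate.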
  10. Tomi Engdahl says:

    iOS Trojan Targets Hong Kong Protestors
    http://apple.slashdot.org/story/14/10/01/174212/ios-trojan-targets-hong-kong-protestors

    Security researchers have claimed to discover the first Apple iOS Trojan attack in a move to thwart the communications of pro-democracy Hong Kong activists.

    “The malicious software, known as Xsser, is capable of stealing text messages, photos, call logs, passwords and other data from Apple mobile devices”

    Advanced iOS virus targeting Hong Kong protestors -security firm
    http://www.reuters.com/article/2014/09/30/hongkong-china-cybersecurity-apple-idUSL2N0RV2D320140930

    Reply
  11. Tomi Engdahl says:

    IRONY ALERT: Former MI6 chief warns of ‘mass snooping’ – by PAEDOS
    YOUR KIDS are, er, spied on by predators, says dodgy dossier chap
    http://www.theregister.co.uk/2014/10/02/former_mi6_chief_warns_mass_snooping_paedophiles/

    The former head of MI6 has warned parents that paedophile predators are capable of using location-based services to find and abuse their kids.

    In a warning that might sound a bit rich coming from a former chief spook, Sir John Scarlett said he was worried about how easily a youngster’s movements could be traced.

    Young girls are “obviously vulnerable to tracking,” he claimed, with perverts or private enterprises able to track their quarry “right down to more or less precisely where you are”.

    “Personally what worries me, in a way, most, is tracking devices,”

    Reply
  12. Tomi Engdahl says:

    LulzSec supersnitch led attacks on UK, Australia – report
    Sabu helped Feds target 30 countries, documents reveal
    http://www.theregister.co.uk/2014/10/02/sabu_hack_targets_revealed/

    Hacktivist kingpin turned FBI snitch Hector Xavier “Sabu” Monsegur orchestrated attacks against 30 countries, including systems in the UK and Australia, according to a report that joins the dots between sealed court docs and leaked IRC chat logs.

    According to the court documents, Monsegur persuaded other hacktivists – among them the recently jailed Jeremy Hammond – with ties to the LulzSec group or the Antisec cause to break into systems at the behest of Feds.

    According to the report, LulzSec hackers were encouraged to deface government websites and steal confidential information from servers in Turkey and Brazil, among other locations. The snaffled data was then apparently uploaded to a server controlled by the FBI.

    Reply
  13. Tomi Engdahl says:

    Xen Project discloses serious vulnerability that impacts virtualized servers
    http://www.networkworld.com/article/2690613/xen-project-discloses-serious-vulnerability-that-impacts-virtualized-servers.html

    The Xen Project has revealed the details of a serious vulnerability in the Xen hypervisor that could put the security of many virtualized servers at risk.

    Xen is a free, open-source hypervisor used to create and run virtual machines. It is widely used by cloud computing providers and virtual private server hosting companies.

    The security vulnerability, which is being tracked as CVE-2014-7188 and was privately disclosed to major cloud providers in advance, forced at least Amazon Web Services and Rackspace to reboot some of their customers’ virtualized servers over the past week.

    The issue allows a virtual machine created using Xen’s hardware-assisted virtualization (HVM) to read data stored by other HVM guests that share the same physical hardware. This breaks an important security barrier in multi-tenant virtual environments.

    The vulnerability only affects Xen running on x86 systems, not ARM, and does not impact servers virtualized with Xen’s paravirtualization (PV) mode instead of HVM.

    Even so, the issue is likely to affect a very large number of servers. Amazon was forced to reboot up to 10 percent of its Elastic Cloud Compute (EC2) servers over the last several days in order to apply the patch and Rackspace’s similar effort affected a quarter of its 200,000 customers.

    “The zone by zone reboots were completed as planned”

    Reply
  14. Tomi Engdahl says:

    Putin rules out Internet curbs despite cyber attacks
    http://www.reuters.com/article/2014/10/01/us-russia-internet-idUSKCN0HQ3SF20141001

    President Vladimir Putin said on Wednesday he would not restrict Internet access for Russians but Moscow must protect state domains against a surge of cyber attacks since the Ukraine crisis began.

    His remarks were intended to douse speculation that he plans a crackdown on use of the Internet, which he has called a “CIA project” used to organize protests against him, as tensions mount with the West over the Ukraine crisis.

    “We do not intend to limit access to the Internet, to put it under total control, to nationalize the Internet,” Putin told a meeting of his advisory Security Council, which groups top state, defense and security officials.

    Despite his assurances for Internet users, Putin said Russian security services had detected a sharp rise in cyber attacks, particularly in the last six months, the period in which the crisis in Ukraine has worsened and ties with the West have deteriorated.

    “And their intensity directly depends on the current international situation,”

    Reply
  15. Tomi Engdahl says:

    DARPA joins math-secured microkernel race
    Embedded systems need better security
    http://www.theregister.co.uk/2014/10/02/darpa_joins_mathsecured_microkernel_race/

    In a discussion that will sound familiar to Australian readers, US military development agency DARPA wants to create provably-secure software.

    According to Threatpost, DARPA director Arati Prabhakar told a Washington Post security conference that embedded systems are among the kinds of applications for which it’s feasible to create such OSs.

    Prabhakar described the project as seeking “a mathematical proof that this particular function can’t be hacked from a pathway that wasn’t intended. That won’t solve the entire problem, but it might make it more manageable.”

    The scale of a desktop operating system makes “provably secure” a pretty big stretch goal, but she told the conference that it’s feasible “for embedded systems with a modest number of lines of code”.

    Reply
  16. Tomi Engdahl says:

    Celebrities Threaten “Despicable” Google for “Facilitating” Hacked Nude Photos
    http://www.hollywoodreporter.com/thr-esq/celebrities-threaten-despicable-google-facilitating-737544

    Marty Singer, representing over a dozen celebrities whose iCloud accounts were hacked and whose nude photos were stolen in late August, is excoriating Google in a letter that threatens a $100 million lawsuit.

    “Google’s ‘Don’t be evil’ motto is a sham,” he writes.

    The letter calls out “Google’s despicable, reprehensible conduct in not only failing to act expeditiously and responsibly to remove the Images, but in knowingly accommodating, facilitating and perpetuating the unlawful conduct.”

    According to Singer, Google hasn’t been expeditiously removing owned work from its platforms pursuant to the safe harbor provisions of the Digital Millennium Copyright Act.

    What Kate Upton’s Nude Photo Hack Reveals About Google
    http://www.hollywoodreporter.com/thr-esq/what-kate-uptons-nude-photo-733678

    Only half of the model-actress and pitcher Justin Verlander’s private photos are removed from indexes as the search engine grapples with legal theories over “selfies,” copyright and fair use

    When hackers grabbed naked photos of Jennifer Lawrence, Kate Upton and other celebrities this summer, Apple faced harsh criticism for allowing its iCloud security protocol to be breached. Thus far, Google has escaped the microscope. But now Google — no stranger to privacy issues — could face equally tough questions.

    Just days after the stolen images were published, attorneys for Detroit Tigers pitcher Justin Verlander — who has dated Upton — delivered a legal takedown notice to Google that identified 461 URLs that were hosting racy pictures of the couple. A week later, Google had removed 51 percent of them from its search engine, according to its own records.

    The 49 percent that remain online might reveal something about Google’s policies toward flagged copyrighted content. Many of the URLs were inoperative, probably indicative of the success of Verlander’s lawyers at the Baker & Hostetler firm in going after the website hosts themselves.

    Reply
  17. Tomi Engdahl says:

    How Hackers Accidentally Sold a Pre-Release XBox One To the FBI
    http://yro.slashdot.org/story/14/10/02/129214/how-hackers-accidentally-sold-a-pre-release-xbox-one-to-the-fbi

    Earlier this week, an indictment was unsealed outlining a long list of charges against a group of men that stole intellectual property from gaming companies such as Epic Games, Valve, Activision and Microsoft.

    How hackers accidentally sold a pre-release XBox One to the FBI
    Group member Dylan Wheeler said the FBI ended up buying a mockup of the XBox One for $5,000
    http://www.computerworld.com.au/article/556503/how-hackers-accidentally-sold-pre-release-xbox-one-fbi/

    The 65-page indictment is an eye-opening document, which describes how the loose-knit group pilfered the source code for Microsoft’s XBox One, Apache helicopter simulation software designed for the U.S. Army and intellectual property from game makers such as Epic Games, Valve Corp. and Activision.

    According to the indictment, the four men and Wheeler are accused of breaching Microsoft’s Game Developer Network Portal, which is designed for developers to access pre-release tools and software, and PartnerNet, a software platform for game development.

    They stole login credentials for those systems, and spent hundreds of hours trolling the networks for confidential intellectual property for the XBox One, which was then referred to by its code-name “Durango.”

    At one point, Wheeler said the group had amassed enough documentation and code to actually build a mockup of an Xbox One together using off-the-shelf hardware components.

    Reply
  18. Tomi Engdahl says:

    In Pictures: 12 surprising ways personal technology betrays your privacy
    http://www.computerworld.com.au/slideshow/556469/pictures-12-surprising-ways-personal-technology-betrays-your-privacy/?utm_source=www.computerworld.com.au&utm_medium=article_bottom_related_media

    It’s not just your boss or the government that’s spying on you, it’s also the devices and technologies you embrace.

    Reply
  19. Tomi Engdahl says:

    Pressure on CSOs as executives, getting smarter on IT security, defer projects
    http://www.cso.com.au/article/556492/pressure-csos-executives-getting-smarter-it-security-defer-projects/?utm_medium=leapfrog&utm_source=www.computerworld.com.au&utm_content=article_bottom

    Increased pressure from the board room is making the CSO job harder and increasing security concerns are pushing many organisations to delay or abandon new business initiatives, a new global survey has found.

    Much of the change has come from growing security awareness amongst senior management, the Fortinet Security Census 2014 – a survey of 1610 IT and business executives in Australia and 14 other countries – found. Two-thirds rated their senior management’s awareness as ‘high’ or ‘very high’. That’s up significantly from the survey a year earlier, when the number was around 40 percent.

    This growing awareness was correlated with an increasing tendency to slow down or cancel the rollout of a new application or service due to cybersecurity fears: 52 percent of respondents said this had happened within their organisation – most frequently in relation to mobile or cloud computing-related initiatives. This figure jumped to 65 percent among those organisations reporting a ‘very high’ level of boardroom pressure and scrutiny around IT security.

    Instead, many executives were spending more money on compliance related security initiatives such as privacy – which was driving a change in IT security strategy by 83 percent of surveyed executives.

    Three-quarters of the surveyed IT security executives said they were getting adequate staff and financial resources.

    The emerging Internet of Things (IoT) was also cited as a significant uncertainty, with 31 percent of respondents saying the technology has already become an issue or will do so within the next 12 months. Of those, only half believe they have the tools to manage IoT securely.

    Reply
  20. Tomi Engdahl says:

    Pirate Party slams EU digital chief over ‘dumb’ celebrity iCloud hack remarks
    Says he blamed hack on victims rather than the perpetrators
    http://www.theinquirer.net/inquirer/news/2373522/pirate-party-slams-eu-digital-chief-over-dumb-celebrity-icloud-hack-remarks

    EUROPEAN DIGITAL CHIEF Günther Oettinger has hit out at the A-list victims of the recent iCloud selfie leak, saying that they should have known better, but his comments have not gone down well.

    said, “If someone is dumb enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them.

    “Stupidity is something you can only partly save people from,” he added.

    Julia Reda, an MEP for the Pirate Party laid into Oettinger’s comments, saying, “The person applying to be in charge of shoring up trust in the internet so that Europeans do more business online, just blamed people whose personal data was accessed and spread without authorisation.

    “He placed the moral blame for that crime squarely on the victims rather than the perpetrators.”

    Reply
  21. Tomi Engdahl says:

    Nokia’s HERE Maps For Android Beta APK Leaked, Works Fine On Non-Samsung Hardware
    http://www.androidpolice.com/2014/09/29/nokias-here-maps-for-android-beta-apk-leaked-works-fine-on-non-samsung-hardware/

    Last month Nokia announced that it would release a version of its highly-regarded HERE mapping and navigation app for Android, but only to licensed partners, starting with Samsung. Late last week an APK for a beta version of HERE, labeled as 1.0, was posted to MediaFire and spotted by Spanish language Android enthusiast site El Android Libre. The app appears to work with any Android device running 4.0 or higher.

    Reply
  22. Tomi Engdahl says:

    Leaked Docs Reveal List of 30 Countries Hacked On Orders of FBI Informant Sabu
    http://news.slashdot.org/story/14/10/01/2141257/leaked-docs-reveal-list-of-30-countries-hacked-on-orders-of-fbi-informant-sabu

    An FBI informant led hacks against 30 countries—now we know which ones
    http://www.dailydot.com/politics/fbi-hammond-sabu-hack-country-list/

    A Federal Bureau of Investigation (FBI) informant targeted more than two dozen countries in a series of high-profile cyberattacks in 2012. The names of many of those countries have remained secret, under seal by a court order—until now.

    A cache of leaked IRC chat logs and other documents obtained by the Daily Dot reveals the 30 countries—including U.S. partners, such as the United Kingdom and Australia—tied to cyberattacks carried out under the direction of Hector Xavier Monsegur, better known as Sabu, who served as an FBI informant at the time of the attacks.

    Reply
  23. Tomi Engdahl says:

    Xen Cloud Fix Shows the Right Way To Patch Open-Source Flaws
    http://developers.slashdot.org/story/14/10/02/1319229/xen-cloud-fix-shows-the-right-way-to-patch-open-source-flaws

    Amazon, Rackspace and IBM have all patched their public clouds over the last several days due to a vulnerability in the Xen hypervisor.

    Instead of the knee-jerk reactions we’ve seen with Heartbleed and now Shellshock, the Xen project privately fixed the bug and waited until all the major Xen deployments were patched before any details were released.

    The Xen Vulnerability That Rebooted the Public Cloud
    http://www.eweek.com/cloud/the-xen-vulnerability-that-rebooted-the-public-cloud.html

    Reply
  24. Tomi Engdahl says:

    Could Maroney Be Prosecuted For Her Own Hacked Pictures?
    http://yro.slashdot.org/story/14/10/01/197254/could-maroney-be-prosecuted-for-her-own-hacked-pictures

    “Lawyers for Olympic gymnast McKayla Maroney succeeded in getting porn sites to take down her stolen nude photos, on the grounds that she was under 18 in the pictures, which meant they constituted child pornography. If true, that means that under current laws, Maroney could in theory be prosecuted for taking the original pictures. Maybe the laws should be changed?”

    Online warnings about the dangers of teen sexting, from sources ranging from the FBI to MTV, frequently warn that even a minor who takes a sexually explicit picture of themselves can be prosecuted for violating child pornography laws.

    And these prosecutions really do happen.

    Nude or topless photos of minors are not necessarily illegal, if they’re not sexually explicit; Thora Birch was under 18 for her topless scene in American Beauty.

    Many states have attempted to pass laws specifically addressing sexting by and/or to teenagers by reducing the penalty from a felony child pornography charge to something less severe.

    Sexting can have serious unforeseen consequences for teens, including public humiliation if the pictures are forwarded to their friends. Well, we know that.

    Even the FBI, in their “Advice for Young People” regarding sexting, betrays a certain embarrassment over the hypocritical nature of the laws. To a person forwarding an image of someone else, they warn: “You could face child pornography charges, go to jail, and have to register as a sex offender;”

    Reply
  25. Tomi Engdahl says:

    Autothysis128t (GSM control)
    http://securedrives.co.uk/index.php?route=product/product&product_id=55

    The Autothysis128t is the ultimate in data storage protection. The Drive offers a broad configuration set of options to safeguard your data from unauthorised access.

    The Autothysis128t is a 128GB SSD Self-Encrypting Drive (SED) with 256-bit AES CBC hardware level encryption and computer independent 2 factor authentication via a separate Token. The encryption engine is FIPS 140-2 level 3 certified.

    The 2.5” Drive can be used inside a computer via the SATAII interface or externally via the micro USB3.0 port with a micro USB3.0 or micro USB2.0 cable.

    The Drive has built in GSM with the capability of physical data destruction on demand.

    Reply
  26. Tomi Engdahl says:

    Bitcoin euphoria died down: -40%

    The value of the virtual currency Bitcoin has drained to a third of its peak of less than a year ago.

    Bitcoin’s value is now $370. In three months, the value has fallen more than 40 per cent. Bitcoin’s all-time peak of more than 1100 dollars was reached in December last year.

    Bitcoin’s year has been mixed. The Mt. Gox exchange went bankrupt. On the other hand, more and more service providers have adopted Bitcoin.

    More than 13 million bitcoins have been created so far, giving a total value of just under four billion.

    Source: http://www.tivi.fi/uutisia/bitcoinhuuma+hiipui+40/a1016735

    Reply
  27. Tomi Engdahl says:

    User Error Is the Primary Weak Point In Tor
    http://tech.slashdot.org/story/14/10/02/2051221/user-error-is-the-primary-weak-point-in-tor

    “comprehensive analysis of hundreds of police raids and arrests made involving Tor users in the last eight years,” which explains that “the software’s biggest weakness is and always has been the same single thing: It’s you.”

    In almost all the cases we know about, it’s trivial mistakes that tend to unintentionally expose Tor users.

    The real chink in Tor’s armor
    http://www.dailydot.com/crime/silk-road-tor-arrests/

    Silk Road wasn’t built in a day, but it dropped off the Internet in an instant.

    The fall of Silk Road shook the entire Deep Web—the unindexed, anonymous part of the Internet on which it was hosted—setting off a chain reaction of high-profile arrests and scams. Multiple new black markets opened and closed, stealing millions of dollars from customers and sellers alike.

    From any number of angles, it appeared that a chink in the armor of Tor—the powerful anonymizing service that allowed these services to flourish—had been discovered and exploited. It seemed, for a time, like open season for federal authorities. The Deep Web was proclaimed dead.

    “No one is beyond the reach of the FBI,” an agency spokesman triumphantly told Forbes. “We will find you.”

    However, a comprehensive analysis of hundreds of police raids and arrests made involving Tor users in the last eight years reveals that the software’s biggest weakness is and always has been the same single thing: It’s you.

    Why do exit node operators take it on? Tor has about 2 million connected users at any given moment, and while the drug busts make the headlines, the majority of Tor users actually utilize it to circumvent increasingly prevalent digital censorship and online surveillance.

    When new exit nodes are set up, philanthropy and anti-censorship activism tend to be key motivators, especially around sweeping events like the Arab Spring.

    After being developed as a U.S. Navy research project, Tor first launched publicly in 2002.

    When most exit node operators get arrested, it’s because police have followed the trail to the IP address.

    While most operators are eventually cleared of wrongdoing, the process still takes a toll.

    “Exit relay operators don’t see SWAT teams in America because detectives already know Tor,” Lewman said. “[Instead], they see two guys show up,” knock, and have a relatively informed discussion.

    “An IP address alone is not probable cause that a person has committed a crime.”

    Once authorities had control of Freedom Hosting and the over 100 popular websites it hosted, the FBI launched a custom malware attack against Tor users designed to identify anyone who visited child porn sites. The malware, included in a hidden iframe tag, loaded a strange bit of Javascript that exploited a critical memory management vulnerability in Firefox. The bug had been fixed and patched almost two months prior, but whoever didn’t upgrade their browsers would be susceptible.

    Such efforts by the FBI are standard procedure. Documents from the Edward Snowden leaks revealed the NSA targeted Tor users who didn’t keep their software up to date—using custom-built tools with the codename “EgotisticalGiraffe.”

    Now, the Justice Department is looking to take a more proactive approach.

    “We think legitimizing a process that attacks anonymity and has the potential to allow the government to engage in extraterritorial searches is very problematic,” Electronic Frontier Foundation staff attorney Hanni Fakhoury told the Daily Dot.

    Reply
  28. Tomi Engdahl says:

    JPMorgan says data breach affected 76M households, 7M small businesses

    Hackers’ Attack on JPMorgan Chase Affects Millions
    http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?_php=true&_type=blogs&_r=0

    A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.

    The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others were compromised at Target, while an attack at Home Depot in September affected 56 million cards.

    But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data.

    “We’ve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.

    As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days

    The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.

    Reply
  29. Tomi Engdahl says:

    Security researchers publicly release code to Github for “practically unpatchable” exploit BadUSB:

    The Unpatchable Malware That Infects USBs Is Now on the Loose
    http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

    It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

    In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

    “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday.

    Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)
    https://github.com/adamcaudill/Psychson

    Reply
  30. Tomi Engdahl says:

    NSA working to repair relationships with U.S. tech firms
    http://venturebeat.com/2014/10/01/nsa-working-to-repair-relationships-with-u-s-tech-firms/

    The National Security Agency is working to repair its fractured relationship with major tech companies following disclosures by former agency contractor Edward Snowden that the NSA had been secretly pulling data from company servers for surveillance purposes.

    “The outreach is happening. It’s absolutely imperative. This is about the big guys of a big tech company sitting in a room saying ‘holy shit, we’ve been hacked. What the F#*& is going on?’ So they look around at who may be able to help, and it used to be they would call NSA,” a former agency official told VentureBeat.

    Not so much anymore. These days, the phones over at the NSA’s Commercial Solution Center, or NCSC, at Fort Meade aren’t ringing like they used to, and many U.S. tech operators, including Google and Apple, are pushing back hard against agency data requests through the super secret FISA court.

    The NCSC is tasked with protecting the standards and competitiveness of U.S. technology companies.

    Snowden’s leaks showed how the agency was routinely siphoning data from Apple, Google, Facebook, and Twitter servers without warrants, setting up phony Linkedin pages and boosting information from Yahoo servers at will, among many other secret programs.

    Reply
  31. Tomi Engdahl says:

    POISON PI sniffs WiFi from your mail room, goes on rampage
    Snail mail is preferred medium for hack attack pack
    http://www.theregister.co.uk/2014/10/03/mail_this_hacker_board_to_attack_wifi_networks_across_the_globe/

    Security bod Larry Pesce has developed a chopping board-sized hacker package as an inexpensive weapon for hacking wireless networks through the post.

    The device is designed for so-called “war shipping” attacks described (vid) last year in which hacking hardware is posted to a target organisation with the aim of attacking wireless networks from a mail room or absent staff member’s desk.

    Pesce’s board is low-cost, fits in a standard USPS postal box, and provides sniffing and attack capabilities with location tracking.

    The Raspberry Pi hack board overcame a variety of capability and power issues granting it up to 300 hours of power and the ability to report location without GPS, which would drain batteries and be ineffective most of the time.

    The board can be used to target specific organisations, shipping companies, or any entity along the shipping route, provided the truck either stopped or moved slowly on last mile trips.

    Pesce got around the location issue by calling Apple’s WiFi location mapping through an undocumented API used in the iSniff project.

    He published the software to GitHub for users to build the system, which is still being continually improved.
    https://github.com/haxorthematrix/loc-nogps

    Reply
  32. Tomi Engdahl says:

    Apple releases tool to check the Activation Lock status of iOS devices
    http://www.idownloadblog.com/2014/10/01/activation-lock-status-check/

    Apple recently released a tool that lets anyone check the Activation Lock status of iOS devices. Introduced along iOS 7, Activation Lock is a security feature that prevents anyone from erasing or activating your iOS device without entering your Apple ID and password first. The feature must be disabled before a device is passed or sold to another person. Failure to do so renders the device unusable for the new owner.

    With the release of this new tool, Apple wants to make the process of checking for Activation Lock easier, and prevent people from buying a device that might have been locked because it was lost, stolen, or simply because the previous owner forgot to remove the device from his account.

    Reply
  33. Tomi Engdahl says:

    Apple Pay: An in-depth look at what’s behind the secure payment system
    http://www.tuaw.com/2014/10/02/apple-pay-an-in-depth-look-at-whats-behind-the-secure-payment/

    With Apple Pay slated to go live later this month, one can soon expect to see an avalanche of fear mongering from pundits who, like PayPal, will question the wisdom of trusting Apple with user credit card information.

    The reality, though, is that Apple Pay is an exceedingly secure mobile payment platform. In fact, it may very well be the safest way to make any type of credit card payment.

    Credit Card information isn’t part of the equation

    With Apple Pay, no credit card data — even in encrypted form — is ever stored on the iPhone or on Apple’s servers. Similarly, no credit card data is ever transmitted to or stored on a merchant’s servers.

    When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it’s safely stored within the iPhone’s Secure Element.

    The token is used in place of an actual credit card number and is what Apple, in its marketing materials, refers to as a unique Device Account Number.

    What the heck is a token?

    The token itself, as implemented in Apple Pay, is a randomly generated and unique 16-digit number that ostensibly resembles a valid credit card number but is, in fact, fundamentally useless.

    Tokens by themselves are worthless and cannot be decrypted

    The key thing to remember about tokens is that they hold no intrinsic value and cannot be used, by themselves, to perform any type of monetary transaction.

    Reply
  34. Tomi Engdahl says:

    FDA Issues Guidance On Cybersecurity of Medical Devices
    http://science.slashdot.org/story/14/10/03/0114251/fda-issues-guidance-on-cybersecurity-of-medical-devices

    “The Security Ledger reports that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” asks device makers seeking FDA approval of medical devices to disclose any “risks identified and controls in place to mitigate those risks” in medical devices.”

    Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
    http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

    Reply
  35. Tomi Engdahl says:

    We’re not Mr Brightside: Asda Car Insurance broker hacked
    Customer data NOT exposed – as far as they know
    http://www.theregister.co.uk/2014/10/03/asda_car_insurance_minor_breach/

    No customer data was exposed after the firm behind Asda Car Insurance was hacked, said the broker as it explained why the ACI website went offline earlier this week.

    Reply
  36. Tomi Engdahl says:

    Third patch brings more admin Shellshock for the battered and Bashed
    ‘Okay we got it THIS time’
    By Darren Pauli, 30 Sep 2014
    http://www.theregister.co.uk/2014/09/30/third_patch_brings_more_admin_shellshock_for_the_battered_and_bashed/

    A third patch, from Red Hat engineer Florian Weimer, has been released for the vulnerable Bash Unix command-line interpreter, closing off flaws found in two previous fixes.

    Weimer’s unofficial fix was adopted upstream by Bash project maintainer Chet Ramey and released as Bash-4.3 Official Patch 27 (bash43-027) which addressed a bunch of previously undisclosed flaws including two remote exploit bugs.

    The first patch (CVE-2014-6271) released Wednesday when the Shellshock flaw dropped was rapidly bypassed.

    The latest bug closed off remote code execution found after the second patch was applied which has not been made public.

    “This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable’s contents to determine whether or not to interpret it as a shell function.” Bash patch report.

    Google security engineer Michal Zalewski described the patches in a blog and said the previous patches, while imperfect, reduced attack vectors.

    “At this point, I very strongly recommend manually deploying Florian’s patch unless your distro is already shipping it.”

    Reply
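    As an added check, not part of the comment or the Register article: this POSIX shell script asks the local bash how it treats a function definition that arrives through the environment, which is exactly the behaviour the quoted bash43-027 patch note changes. The variable name `x`, the function name `probe` and both helper functions are constructed for this check.

```shell
#!/bin/sh
# Added example, not from the article: ask the local bash how it handles
# function definitions that arrive through the environment. The names
# "x", "probe" and both helper functions are constructed for this check.

# Prints "vulnerable" when a plain environment variable whose value starts
# with "() {" is imported as a function AND the code after the closing brace
# is executed (the CVE-2014-6271 pattern), "patched" when only "test" is
# printed, and "no-bash" when bash is not installed.
shellshock_status() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  out=$(env 'x=() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Prints the environment key under which bash exports a shell function.
# Before bash43-027 this was the bare function name ("probe"), so any
# variable could masquerade as a function; afterwards it is a prefixed,
# decorated name such as "BASH_FUNC_probe%%", which ordinary variables
# never collide with. Prints "legacy" if no prefixed key is found.
exported_function_key() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  key=$(bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep '^BASH_FUNC_probe' | head -n 1 | cut -d= -f1)
  if [ -n "$key" ]; then echo "$key"; else echo legacy; fi
}

# Report both results when the script is run directly.
echo "function import check: $(shellshock_status)"
echo "export encoding:       $(exported_function_key)"
```

    A bash that reports "patched" together with a `BASH_FUNC_` key carries the encoding change described in the patch note; "legacy" or "vulnerable" means the interpreter predates it.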
  37. Tomi Engdahl says:

    FLASH drive… ARRRGH: BadUSB poses clear and present danger
    Researchers demonstrate serious flash drive flaws
    http://www.theregister.co.uk/2014/10/03/badusb_poc/

    The seriousness of a USB security weakness, which potentially allows hackers to reprogram USB drives, has just been ratcheted up a notch, with the release of prototype code.

    Researchers Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, demonstrated how it might be possible to reprogram the firmware within some flash drives with malicious code at the Black Hat conference in Las Vegas, back in July. They dubbed the attack BadUSB.

    Then just last week, Adam Caudill and Brandon Wilson went one step further during a talk at the DerbyCon hacker conference in Louisville, Kentucky, by not only demonstrating the flaw but also publishing proof of concept code on Github. The move was designed to push USB makers into formulating a fix.

    The release of the prototype code that accompanied Caudill and Wilson’s Making BadUSB Work For You talk is controversial, as Nohl previously described BadUSB as practically unpatchable.

    “We believe all of this should be public,” Caudill told DerbyCon delegates, Wired reports. “It shouldn’t be held back. So we’re releasing everything we’ve got.”

    Both pieces of research came from reverse engineered USB firmware. The threat of malicious USB thumb drives more generally has been well understood for years, even giving rise to the observation from cyber security types that USB devices are “plug and prey” (a security-themed spin on “plug and play”).

    “The idea of re-flashing the firmware of devices such as PCs bios or HIDs for malicious purposes has been around for some time now,”

    “For example, fraudsters have been using hacked firmware to sell USB drives which show higher storage capacity than they actually have.”

    Reply
  38. Tomi Engdahl says:

    This published hack could be the beginning of the end for USB
    http://linustechtips.com/main/topic/226485-this-published-hack-could-be-the-beginning-of-the-end-for-usb/

    USB has a huge security problem that could take years to fix
    http://www.theverge.com/2014/10/2/6896095/this-published-hack-could-be-the-beginning-of-the-end-for-usb

    In July, researchers Karsten Nohl and Jakob Lell announced that they’d found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn’t seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn’t publish the code, so the industry had some time to prepare for a world without USB.

    As of this week, that’s no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn’t share Nohl and Lell’s concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user’s keyboard input and turns control over to the attacker.

    According to Caudill, the motive for the release was to put pressure on manufacturers. “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he told Wired’s Andy Greenberg. “You have to prove to the world that it’s practical, that anyone can do it.”

    Reply
  39. Tomi Engdahl says:

    Marriott Settles FCC Complaint About Blocking Rival Wi-Fi Networks
    http://recode.net/2014/10/03/marriott-settles-fcc-complaint-about-blocking-rival-wi-fi-networks/

    Marriott International agreed to pay $600,000 to settle a federal complaint that it illegally blocked rival Wi-Fi networks at a Nashville resort so consumers would have to buy access from the hotel, the Federal Communications Commission announced Friday.

    Consumers with personal Wi-Fi hotspots found they couldn’t use them at Marriott’s Gaylord Opryland Hotel and Convention Center, FCC investigators said, because the hotel giant deliberately tampered with the Wi-Fi signals.

    Reply
  40. Tomi Engdahl says:

    Hong Kong Protests Lead to Censorship on WeChat
    http://blogs.wsj.com/digits/2014/10/03/hong-kong-protests-lead-to-censorship-on-wechat/

    As the pro-democracy protest crowds in Hong Kong have ebbed and flowed, one thing that has not changed is the level of censorship on China’s most popular instant messaging app.

    Throughout the week, users of WeChat inside mainland China were unable to see some photos posted by users whose accounts were tied to Hong Kong phone numbers, according to multiple China Real Time tests conducted on Monday and Friday.

    Messages containing plain text or links without photos continued to be visible in the mainland, as were images sent in private chats.

    Reply
  41. Tomi Engdahl says:

    17,000 Macs recruited into malware botnet, with a little help from Reddit
    http://grahamcluley.com/2014/10/mac-malware-botnet-reddit/

    Researchers at Russian anti-virus company Dr Web believe that they have uncovered a new botnet, which has recruited thousands of Mac computers.

    According to their report, the sophisticated malware – which they have dubbed Mac.BackDoor.iWorm – has infected more than 17,000 computers running OS X.

    Fascinatingly, compromised computers receive commands from servers under the control of botmasters, using information posted in messages on Reddit as a navigational aid

    Reply
  42. Tomi Engdahl says:

    Silk Road Lawyers Poke Holes in FBI’s Story
    http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-holes-in-fbis-story/

    New court documents released this week by the U.S. government in its case against the alleged ringleader of the Silk Road online black market and drug bazaar suggest that the feds may have some ‘splaining to do.

    Prior to its disconnection last year, the Silk Road was reachable only via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way.

    Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

    But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.

    Many in the Internet community have officially called baloney [that's a technical term] on the government’s claims, and these latest apparently contradictory revelations from the government are likely to fuel speculation that the government is trying to explain away some not-so-by-the-book investigative methods.

    Reply
  43. Tomi Engdahl says:

    After legal threat, Google says it removed ‘tens of thousands’ of iCloud hack pics
    http://www.zdnet.com/after-legal-threat-google-says-it-removed-tens-of-thousands-of-icloud-hack-pics-7000034323/

    Summary: Google says it has taken down many of the pictures stolen from celebrity iCloud accounts and posted on its online properties.

    Reply
  44. Tomi Engdahl says:

    Bill Gates: Bitcoin Is ‘Better Than Currency’
    http://news.slashdot.org/story/14/10/04/1843235/bill-gates-bitcoin-is-better-than-currency

    After long remaining mostly mum on Bitcoin, Microsoft’s legendary co-founder Bill Gates has spoken. At the Sibos 2014 financial-services industry conference in Boston, America’s richest man just threw his weight behind the controversial cryptocash. Well, at least as a low-cost payments solution. … “Bitcoin is exciting because it shows how cheap it can be,”

    Bill Gates: Bitcoin Is ‘Better Than Currency’
    http://www.entrepreneur.com/article/238103

    Gates again reiterated his stance on cryptocurrencies when he delivered the event’s closing keynote address, in which he stated that, in the future, financial transactions will eventually “be digital, universal and almost free.”

    “The customers we’re talking about aren’t trying to be anonymous,” he told Schatzker. “They’re willing to be known, so Bitcoin technology is key and you can add to it or you could build a similar technology where there’s enough attribution where people feel comfortable that this is nothing to do with terrorism or any type of money laundering.”

    Reply
  45. Tomi Engdahl says:

    JP Morgan Chase Breach: Shades of a Cyber Cold War?
    http://politics.slashdot.org/story/14/10/04/1456229/jp-morgan-chase-breach-shades-of-a-cyber-cold-war

    The New York Times is quoting “people briefed on the matter” who allege that the JP Morgan data thieves “are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government.” The article suggests it could be retaliation for sanctions. Personally, I’m skeptical.

    The article also notes that the same group responsible for the breach at JP Morgan Chase was responsible for attacks on 9 other financial institutions.

    Hackers’ Attack Cracked 10 Financial Firms in Major Assault
    http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/?_php=true&_type=blogs&_r=0

    The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

    Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers.

    The JPMorgan hackers burrowed into the digital network of the bank and went down a path that gave them access to information about the names, addresses, phone numbers and email addresses of account holders. They never made it into where the more critical financial information and personal information are stored.

    JPMorgan, the nation’s largest bank, has begun contacting customers and making clear that no money was taken from any accounts.

    “It was a huge surprise that they were able to compromise a huge bank like JPMorgan,” said Al Pascual, a security analyst with Javelin Strategy and Research. “It scared the pants off many people.”

    The intrusion also highlights a possible gap in United States regulations. Breach notification laws differ by state.

    The hackers were able to attain high administrative privileges within JPMorgan’s network, rooting more than 90 servers and rummaging through customer databases with detailed information for 76 million households and seven million small-business online accounts.

    file contained a list of every application and program deployed on standard JPMorgan computers that hackers can crosscheck.
    “It’s as if they stole the schematics to the Capitol”

    bank was pleased with its current cybersecurity personnel. “This is the highest-quality team we have ever had,”

    Reply
  46. Tomi Engdahl says:

    ‘Encryption will make life very easy for criminals and terrorists’
    http://www.theregister.co.uk/2014/10/04/quotw_ending_oct_4/

    This was the week when the US Attorney General jumped on the bandwagon and took Apple and Google to task for improving encryption on mobile devices.

    Eric Holder said tightening security on their ecosystems was actually a bad thing, as it could allow child predators to evade authorities and hide illegal images and content on their devices.

    His comments came after FBI director James Comey said last week that stronger encryption would make the Feds’ job of collaring crims that much harder.

    You’d think two top officials moaning about how tech firms were making it harder for them to easily access private information would be enough. But then Europe decided to get in on the act.

    EU top cop Troels Oerting still warned that privacy that veers into anonymity risks making life easy for criminals and terrorists.

    “Full encryption of communication and storage online will make life very easy for the criminals and terrorists and very difficult for law enforcement and law abiding citizens. We have to find the right balance between security and freedom — and this balance has to be set by citizens in a political and ethical discussion on the trade-offs.”

    Reply
  47. Tomi Engdahl says:

    Doctor Zuck, I’m so poorly right now! Facebook examines healthcare biz: report
    Any symptoms you wish to share? Yes, a huge headache
    http://www.theregister.co.uk/2014/10/04/facebook_stepping_into_healthcare_market_says_report/

    Facebook is reportedly mulling over plans to step into the healthcare business – a move that would hardly be surprising given Google and Apple’s interest in that market.

    According to Reuters, which cited three unnamed people familiar with the matter, the Mark Zuckerberg-run free content ad network is looking at setting up “support communities” for Facebookers to use to discuss their ailments with strangers online.

    Reply
  48. Tomi Engdahl says:

    Content is the core currency of your business. Product requirements, detailed financial analysis, customer communications and long-term plans must be managed, secured and controlled to maintain your competitive advantage – and more importantly, the trust of your customers and shareholders.

    redefine the standards for content security in the cloud.

    Source: http://whitepapers.theregister.co.uk/paper/view/3386/whitepaper-redefining-security-for-the-cloud-external-a4.pdf

    Reply
  49. Tomi Engdahl says:

    Home Depot breach lesson: Safer payment options
    http://www.usatoday.com/story/tech/columnist/2014/09/14/home-depot-breach-safer-options/15542253/

    Q. Looking at the Home Depot data breach, I’m wondering if I should have used PayPal instead of a debit card there. PayPal’s two-step verification should be more secure, right?

    A. Yes, PayPal would be a safer payment option, and so would most other alternatives to cards with numbers on one side and a magnetic stripe on the other – the upcoming Apple Pay among them. But that’s not for the reason this reader mentioned.

    When Home Depot’s “point of sale” credit-card readers were infected by some form of malware starting last year, the attackers collected credit and debit card numbers that they could then sell on various black markets.

    Those numbers embossed on the front had so much value because they must work for years at a time. Only a three- or four-digit number stops them from being reused for fraudulent transactions.

    Guessing the three-digit code printed on the back of a credit card isn’t easy. But with a sufficiently large set of stolen cards – like, say, what you’d collect after infecting a nationwide retailer – this can yield a sizable return.

    Remember, however, that PayPal retail transactions require only the mobile number you designated at its site and a four-digit code. You can pay this way even if you leave your wallet and phone in the car.

    The microchips embedded in these so-called EMV cards should ensure a lost, stolen or cloned card won’t work for in-person transactions. But that chip doesn’t protect online purchases.

    Storing a card with a Web retailer eases shopping (that’s why they offer this option!) but it also requires trusting that store to keep your data safe.

    Mobile-payment systems built on “NFC” (near-field communication) wireless, such as Apple Pay and Google Wallet, don’t leave your credit card in a store’s systems and can’t be taken over by just guessing a PIN. The thief must get your phone too.

    Reply
  50. Tomi Engdahl says:

    Why can’t Apple decrypt your iPhone?
    http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html

    But since some folks (and apparently the Washington Post!) are still wondering about the nitty-gritty details of how Apple’s design might work, I thought it might be helpful to sum up what we know and noodle about what we don’t.

    To get started, it’s worth pointing out that disk encryption is hardly new with iOS 8. In fact, Apple’s operating system has enabled some form of encryption since before iOS 7. What’s happened in the latest update is that Apple has decided to protect much more of the interesting data on the device under the user’s passcode. This includes photos and text messages — things that were not previously passcode-protected, and which police very much want access to.*

    Normal password-based file encryption systems take in a password from a user, then apply a key derivation function (KDF) that converts a password (and some salt) into an encryption key. This approach doesn’t require any specialized hardware, so it can be securely implemented purely in software provided that (1) the software is honest and well-written, and (2) the chosen password is strong, i.e., hard to guess.

    The problem here is that nobody ever chooses strong passwords. In fact, since most passwords are terrible, it’s usually possible for an attacker to break the encryption by working through a ‘dictionary’ of likely passwords and testing to see if any decrypt the data. To make this really efficient, password crackers often use special-purpose hardware that takes advantage of parallelization (using FPGAs or GPUs) to massively speed up the process.

    Thus a common defense against cracking is to use a ‘slow’ key derivation function like PBKDF2 or scrypt.

    Apple doesn’t use scrypt. Their approach is to add a 256-bit device-unique secret key called a UID to the mix, and to store that key in hardware where it’s hard to extract from the phone.

    Reply
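A worked illustration of the passcode-plus-device-secret idea in the comment above, added here as example code; it is not Apple’s implementation nor the blog author’s. The UID value, the HMAC binding step, the iteration count and the on-disk verifier layout are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for this example only. A real device UID is fused into
# the chip at manufacture and is never readable by software.
DEVICE_UID = bytes.fromhex("1f" * 32)   # 256-bit device-unique secret
ITERATIONS = 200_000                     # PBKDF2 cost; tuned to the hardware in practice


def derive_key(passcode: str, salt: bytes, device_uid: Optional[bytes],
               iterations: int = ITERATIONS) -> bytes:
    """Passcode -> slow KDF -> (optionally) bind the result to the device secret.

    Step 1 is PBKDF2-HMAC-SHA256, the 'slow KDF' the post describes. Step 2 mixes
    in the device UID with HMAC, so the same passcode and salt give a different
    key on every device. Hypothetical construction, not Apple's key hierarchy.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                                 salt, iterations, dklen=32)
    if device_uid is None:           # models someone holding only a disk image
        return pw_key
    return hmac.new(device_uid, pw_key, hashlib.sha256).digest()


def make_verifier(passcode: str, salt: bytes, device_uid: bytes) -> bytes:
    """On-disk value that lets the device check a passcode without storing the key."""
    key = derive_key(passcode, salt, device_uid)
    return hmac.new(key, b"passcode-verifier", hashlib.sha256).digest()


def unlock(passcode: str, salt: bytes, verifier: bytes,
           device_uid: Optional[bytes]) -> bool:
    """True only if the passcode (on this device) reproduces the stored verifier.

    With device_uid=None even the correct passcode fails: the UID never left the
    hardware, so a guess checked off the device cannot be confirmed at all.
    """
    key = derive_key(passcode, salt, device_uid)
    candidate = hmac.new(key, b"passcode-verifier", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    salt = b"constructed-salt"        # constructed sample salt
    verifier = make_verifier("1234", salt, DEVICE_UID)
    print("on device, right passcode :", unlock("1234", salt, verifier, DEVICE_UID))
    print("on device, wrong passcode :", unlock("0000", salt, verifier, DEVICE_UID))
    print("off device, right passcode:", unlock("1234", salt, verifier, None))
```

The third call shows the point of the hardware-held UID: the check can only be run on the device itself, so the per-guess cost of the slow KDF is enforced by that one piece of hardware rather than by whatever GPU cluster an attacker brings.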
