Posts tagged with ‘security’

Attack on Tor Has Likely Stripped Users of Anonymity →

Via Gizmodo:

Tor, the network used specifically for privacy and anonymity, just warned users of an attack meant to deanonymize people on the service. Anyone who used Tor from February 2014 through this July 4 can assume they were impacted.

Who’s behind the attacks? It appears researchers from Carnegie Mellon. Via The Verge:

The Tor team suspects the CERT division of Carnegie Mellon University’s Software Engineering Institute (SEI). Earlier this month, CERT abruptly canceled a Black Hat conference talk called “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget.” The NSA has famously attempted to break Tor, to limited success.

So what’s the big deal? If it was the team from CERT, consider the attack a proof of concept. If they can get in, so too can more malicious actors. According to The Guardian, the CERT talk at the Black Hat conference would explain “how anyone with $3,000 could de-anonymise users of Tor.”

Somewhat related: US Government increases funding for Tor, via The Guardian.

Tor, the internet anonymiser, received more than $1.8m in funding from the US government in 2013, even while the NSA was reportedly trying to destroy the network.

According to the Tor Project’s latest annual financial statements, the organisation received $1,822,907 from the US government in 2013. The bulk of that came in the form of “pass-through” grants, money which ultimately comes from the US government distributed through some independent third-party.

Sorta Somewhat Related, Tinfoil Hat Edition: Back in January, Reuters reported that the NSA funneled $10 million to RSA, a computer security firm whose encryption tools are an industry standard. The Reuters report indicates that the funding helped ensure that a less secure encryption system was used as the default setting in an RSA “software tool called Bsafe that is used to enhance security in personal computers and many other products.”

Surveillance is the business model of the Internet. We build systems that spy on people in exchange for services. Corporations call it marketing.

Bruce Schneier, security technologist, in a presentation at the SOURCE Boston conference.

Via Security Week:

The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech. The Internet and technology have changed the impact a group can have on others, where dissidents can use the Internet to amplify their voices and extend their reach. Governments already have a lot of power to begin with, so when they take advantage of technology, their power is magnified, he said.

“That’s how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens,” Schneier said.

Over the past few years, it’s become easier and cheaper to store data and search for the necessary item rather than to sort and delete. Email is a very good example of this shift in behavior. This change, spurred by the popularity of mobile devices and the push to move more data and services to the cloud, has also made it easier to track user behavior. When corporations track users for marketing purposes, it seems benign, but the same actions come across as sinister when it’s the government…

…The government didn’t tell anyone they have to carry around a tracking device, but people now carry mobile devices. The government doesn’t require users to notify any agency about their relationships. Users will tell Facebook soon enough, Schneier noted. “Fundamentally, we have reached the golden age of surveillance because we are all being surveilled ubiquitously.”

Somewhat related programming note: Read up on Heartbleed, change your passwords everywhere.

The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life. We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.

An Open Letter from US Researchers in Cryptography and Information Security.

As TechDirt points out, “One of the things that’s been glaring about all of the investigations and panels and research into these [surveillance] programs is that they almost always leave out actual technologists, and especially leave out security experts. That seems like a big weakness, and now those security researchers are speaking out anyway. At some point, the politicians backing these programs are going to have to realize that almost no one who actually understands this stuff thinks what they’re doing is the right way to go about this.”

Visualizing Our Drone Future

Via Alex Cornell:

Our Drone Future explores the technology, capability, and purpose of drones, as their presence becomes an increasingly pervasive reality in the skies of tomorrow.

In the near future, cities use semi-autonomous drones for urban security. Human officers monitor drone feeds remotely, and data reports are displayed with a detailed HUD and communicated via a simulated human voice (designed to mitigate discomfort with sentient drone technology). While the drones operate independently, they are “guided” by the human monitors, who can suggest alternate mission plans and ask questions.

Specializing in predictive analysis, the security drones can retask themselves to investigate potential threats. As shown in this video, an urban security drone surveys San Francisco’s landmarks and encounters fierce civilian resistance.

Run Time: ~3:00.

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Ladar Levison, Owner and Operator, Lavabit LLC, in an open letter to users.

Background: Lavabit is an encrypted email service that was reportedly used by Edward Snowden, among 350,000 other customers. The Guardian reports that the closure occurred after the company rejected “a court order for cooperation with the US government to participate in surveillance on its customers.”

Related: Lavabit isn’t alone. Silent Circle, a company that creates encrypted communication applications for text, phone and video, is preemptively shutting down its email service. In a notice to its customers, the company writes:

Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

Welcome to surveillance.

Tumblr Staff: Important security update for iPhone/iPad users →

staff:

We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.

If you’ve been using these apps, you should also update your password on Tumblr and…

FJP: In case you missed the news, change your Tumblr password stat.

Tracking Cyber Attacks in Real Time

Deutsche Telekom, the parent company of T-Mobile, launched a site last week that shows cyberattacks and their point of origin in real time. Most attacks currently originate in Russia and China.

Via Deutsche Telekom:

The website has a digital map of the world which shows the origin of cyber attacks recorded around the clock by more than 90 sensors. A real-time ticker reports which targets they are setting their sights on. In addition, statistics show the current most common forms of attack and the countries in which the most active attack servers are located. However, their location is not necessarily also the country of origin of the attackers. “Most attacks are automated,” explained Kremer. “Figuratively speaking, the attackers shoot into the network with a shotgun to work out where the weaknesses in the systems are.”…

…Deutsche Telekom developed the online situation overview of global security attacks as part of a partnership with the alliance for cyber security. The joint initiative of the industry association BITKOM and the Federal Office for Information Security (BSI) brings together companies and public organizations to provide mutual support in the fight against digital attacks…

Deutsche Telekom has more than 90 sensors in use around the world as decoy systems. These so-called honeypots feign weaknesses to provoke attacks and as such act as early warning systems.

Image: Screenshot, Overview of Current Cyber Attacks, by Deutsche Telekom.

Information is an existential threat to these regimes.

James Lewis, a cybersecurity expert, to the Wall Street Journal. Chinese Hackers Hit U.S. Media.

Yesterday we noted that hackers in China have infiltrated the New York Times’ computer systems.

Today, the Wall Street Journal reports that it — along with Reuters and Bloomberg among others — has also been hacked:

Chinese hackers for years have targeted major U.S. media companies with hacking that has penetrated inside newsgathering systems, several people familiar with the response to the cyberattacks said. Tapping reporters’ computers could allow Beijing to identify sources on articles and information about pending stories. Chinese authorities in the past have penalized Chinese nationals who have passed information to foreign reporters.

Journal sources on occasion have become hard to reach after information identifying them was included in emails. However, Western reporters in China long have assumed that authorities are monitoring their communications and act accordingly in sensitive cases…

…Among the targets were a handful of journalists in the Beijing bureau, including Jeremy Page, who wrote articles about the murder of British businessman Neil Heywood in a scandal that helped bring down Chinese politician Bo Xilai, people familiar with the matter said. Beijing Bureau Chief Andrew Browne also was a target, they said.

For its part, a spokesperson for the Chinese government rejects the allegation that it is behind the attacks.

UPDATE: Add the Washington Post to the list.

Hackers in China Infiltrate the New York Times

Via The New York Times:

For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees…

The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times’s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing…

…The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China…

…Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.

Image: The Times’ Patrick LaForge keeping things positive in a post on Twitter.

infoneer-pulse:

A Real-Time Map of Global Cyberattacks

Cyberattacks are happening constantly across the globe, and now you can see what that looks like in real time with [this map by the Honeynet Project](http://map.honeycloud.net/) that shows so many attacks, it looks and feels like it’s straight out of an apocalyptic war movie.

Each red dot that pops up when you go to the map represents an attack on a computer. Yellow dots represent honeypots, or systems set up to record incoming attacks. The black box on the bottom says where each attack is coming from as they come in. The data comes from the members of Honeynet Project’s network of honeypot sensors that choose to publish the attacks. Not all members of the project, which has more than 40 chapters around the world, chose to push data, which is why more red dots show up in Europe.

» via The Atlantic

FJP: You sank my battleship?

The Perils of Free Messaging Apps, Specifically WhatsApp

via Worldcrunch:

WhatsApp is set up to make the service friendly to new users who don’t have to provide their own combination of user name and password – they just use the existing info relating to their phone as login data. Telephone numbers are simply and clearly the basis for user names, and WhatsApp passwords — at least on Android phones — are clearly based on a phone’s IMEI serial number.

Granger discovered that to generate a password out of the IMEI number the app just changes the order of the digits – “your password is likely to be an inverse of your phone’s IMEI number with an MD5 cryptographic hash thrown on top of it.” What that means is that anybody who knows a phone’s IMEI number can figure out the password.

Many apps use IMEI numbers to identify phones, and any installed program can access that information and pass it on to an external database. In the event that what happened to iPhone this week (a hacker group released one million Apple UDIDs) happens to WhatsApp, and a database generated from the phone serial numbers were to be made public, WhatsApp user accounts would be compromised and become targets for spammers. Not that hackers have lost any time — on gray market sites, databases of Android phone serial numbers and corresponding cell phone numbers are sold under the keyword WhatsApp.

FJP: Filing this under: be smart and secure about your online and mobile life.

Journalist Security Guide

The Committee to Protect Journalists just released an extensive online guide for journalism security:

This guide details what journalists need to know in a new and changing world. It is aimed at local and international journalists of varied levels of experience. The guide outlines basic preparedness for new journalists taking on their first assignments around the world, offers refresher information for mid-career journalists returning to the field, and provides advice on complex issues such as digital security and threat assessment for journalists of all experience levels.

Topics covered include:

  • Basic Preparedness
  • Assessing and Responding to Risk
  • Information Security
  • Armed Conflict
  • Organized Crime and Corruption
  • Civil Matters and Disturbances
  • Natural Disasters
  • Health Epidemics and Mass Hazards
  • Sustained Risks
  • Stress Reactions

Check it. Share it. Great stuff.

Facebook Hacking Happens Really Fast →

Background: Facebook’s hundreds of millions of users log in and out of the site a billion plus times each day.

The Good News: Facebook reports that logins are only compromised .06% of the time.

The Bad News: .06 of a really large number (Facebook members) is a really large number.

Via Consumer Reports:

Graham Cluley, a senior technology consultant with security software maker Sophos, took a closer look at the numbers reported by Facebook in a blog post touting its new online features such as Trusted Friends.

By Cluley’s calculations, 0.06 percent of a billion log-ins results in 600,000 compromised Facebook sign-ons per day. Or, more telling: One hacked Facebook account is being logged in to the social media website every 140 milliseconds.

That’s literally faster than the blink of an eye, which takes only 150 milliseconds.

Takeaway: Change your password from 12345 to something a little more clever.

As crisis maps become more prominent, it’s increasingly important to consider them as contested spaces, and to take seriously the idea that adversaries will try to manipulate them.

Ethan Zuckerman, senior researcher at the Berkman Center for Internet and Society at Harvard University.

Erica Naone, Technology Review. Why Crisis Maps Can Be Risky When There’s Political Unrest: Crisis maps in hostile political situations can let the dictatorial governments, as well as the protesters, see where the action is.

The article reviews what hacktivists and organizations like Ushahidi are doing to tackle security issues as maps are deployed around the globe.