Security News

Opinion: Who broke the law, Snowden or the NSA?

An NSA official’s suggestion that amnesty for Snowden could possibly be put on the table was undoubtedly welcome news for Snowden, yet NSA Director Gen. Keith Alexander rejected the suggestion.

But how can anyone believe that Snowden would not be deserving of amnesty? Clearly it is the government and its senior officials who committed the crime — people who took oaths to defend the Constitution from enemies both foreign and domestic and who failed to take to heart the words they swore to uphold. Indeed, Snowden did not — nor does any government employee — swear allegiance to the president of the United States, or even to the secretary of Defense or the director of NSA. No, he swore to uphold and defend the Constitution.

Unfortunately, while federal law protects whistleblowers who work in other government sectors from reprisals for truth-telling and have paths for reporting wrongdoing and mismanagement, those who work in intelligence are expressly denied such rights. When Senior Staff Representative Diane Roark and longtime senior NSA employees Bill Binney, Ed Loomis, and I submitted a formal complaint about mismanagement at the agency, the government’s response on July 26, 2007, was to send the FBI to raid our homes, searching them for seven hours and seizing our computers, phones and other digital media. We are just now getting our property back after having successfully sued the government in December 2012.

The government even indicted Tom Drake, although it dropped its criminal charges in the case against him. Still, for the five of us, it was the equivalent of a punch in the face and a warning to other would-be “truth-tellers” not to report wrongful government activities or the government will come after you.

ICO issues data protection warning to users of Windows XP

The Information Commissioner’s Office (ICO) has warned businesses about the risks created by the end of Microsoft’s support for Windows XP and Microsoft Office 2003 on 8 April.

Microsoft has extended security updates for the legacy operating system by 15 months, but many businesses, charities and other organisations will be on their own after that. This means that if a security flaw is discovered, Microsoft will not release an update to fix it, which is important for businesses using these two products to note, says the ICO.

A lack of security updates will put company systems and the personal data stored on them at risk, the ICO said, estimating that 30% of all PCs are still using Windows XP. Research by UK software firm AppSense indicates that around 77% of UK organisations are running XP somewhere in their IT estate.

Gartner estimates that up to 25% of enterprise systems are still running XP, and that a third of large organisations will have more than 10% of their systems still on XP.

The ICO said this could become a serious problem and means many organisations should already be in the process of migrating to a supported operating system, or taking steps to mitigate the risks.

HP unveils creepy app that stalks people as they shop

Hewlett Packard has unveiled a new mobile app that retailers can use to stalk people as they shop in order to send them targeted adverts and promotions.

The iOS app, dubbed SmartShopper and unveiled at the Interop conference in Las Vegas today, has the ability to send location-based offers to customers’ iPhones in real time.

It is being promoted by Meg Whitman’s HP as a way for retailers to monetise their networks and a way to build “tighter relationships with their customers”.

Social Engineering and Online Dating

I have blogged on the topic of online dating in the past, and how it’s not much different than phishing and other forms of online fraud. While it was meant to mock my personal experiences of dating in the 21st century, identity theft is no laughing matter. In the last year, I had my debit card replaced three times due to potential compromise and had to change my password on numerous accounts after several major breaches were reported that put millions of email addresses and passwords at risk.

Almost two years since my first blog on the topic was published, I remain single (note I’m convinced this will be a perpetual state). I have not dated in months, but as part of a personal blogging experience I just started, I decided to set up an online dating profile – not for the intention of meeting anyone, but to see how the dating world has changed in the last six months. Let’s say I was shocked along the way.

I discovered that dating websites are rife with scams. Besides just the standard false representation (i.e., lack of hair, teeth and/or job), women and men both have their own concerns to worry about. For women, it is often a matter of personal safety, but men are highly targeted by the attractive girl who sends a flirty email followed by, “Come visit my website and enter your credit card.” I think most men are educated enough about these scams today that they know to keep the plastic in their wallet.

I lasted a week in my latest online stint (I received 120 emails in my first 12 hours, with an average of 50 – 60 new emails each day thereafter). It is like having another full-time job, and frankly one I have no passion for these days. I did manage to start conversations with a few interesting people, and I was alarmed by how willingly people divulge their personal information, in many cases when I didn’t even ask!! Hence the topic for this blog: social engineering and online dating.

NSA infiltrated RSA security more deeply than thought

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency’s ability to eavesdrop on some Internet communications, according to a team of academic researchers.

Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw – or “back door” – that allowed the NSA to crack the encryption.

A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software’s vulnerability.

The professors found that the tool, known as the “Extended Random” extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.

While Extended Random was not widely adopted, the new research sheds light on how the NSA extended the reach of its surveillance under cover of advising companies on protection.

RSA, now owned by EMC Corp, did not dispute the research when contacted by Reuters for comment. The company said it had not intentionally weakened security on any product and noted that Extended Random did not prove popular and had been removed from RSA’s protection software in the last six months.

“We could have been more skeptical of NSA’s intentions,” RSA Chief Technologist Sam Curry told Reuters. “We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure.”

Curry declined to say if the government had paid RSA to incorporate Extended Random in its BSafe security kit, which also housed Dual Elliptic Curve.

An NSA spokeswoman declined to comment on the study or the intelligence agency’s motives in developing Extended Random.

The agency has worked for decades with private companies to improve cybersecurity, largely through its Information Assurance Directorate. After the 9/11 attacks, the NSA increased surveillance, including inside the United States, where it had previously faced strict restrictions.

Documents leaked by former NSA contractor Edward Snowden showed that the agency also aimed to subvert cryptography standards. A presidential advisory group in December said that practice should stop, though experts looking at the case of Dual Elliptic Curve have taken some comfort in concluding that only the NSA could likely break it.

“It’s certainly well-designed,” said security expert Bruce Schneier, a frequent critic of the NSA. “The random number generator is one of the better ones.”

Breaking through the firewall between Security and Privacy: Canadian Anti

On July 1, 2014 the new Canadian Anti-Spam Legislation (CASL) will begin to be enforced, the first of three phases. Why should I care if I live outside Canada? What does it mean if I am a Canadian business? Should I care if I am an SMB, given that this is only for spammers, the ‘bad’ guys?

Well you will be very surprised at the answers to these questions. So let’s get started.

One of the first things most experts agree on is that the ‘new’ Canadian legislation is one of the strongest anywhere in the world concerning commercial messaging.

But I am getting ahead of myself. First, what exactly is CASL? In the best non-legal terms, CASL establishes the rules concerning commercial electronic messages (CEM). All CEM, with exceptions (see below for some examples), must have explicit consent (opt-in) before the CEM is sent. To make things more interesting, it also deals with the installation of software programs. This last part is something that should worry software development companies; in fact, I would hazard a guess that most software developers are not aware of this implication (more on this later).

The value of stolen card data that includes localization info

The hackers behind the Target data breach are selling stolen card data that includes localization info. Why? In numerous posts I have highlighted the possibility of acquiring stolen card data on the black market: various websites in the underground and on the Deep Web offer these commodities at prices that vary with several factors, such as the validity of the card, the card’s limits and the amount of money available in the bank account.

The recent data breach at the US retailer Target has rekindled attention on the market for stolen card data, and in particular another interesting trend in the cybercrime ecosystem has emerged: the sale of card data together with information on the location of the stores and points of sale where the cards were used. Why provide this data? Financial security experts consider the information very valuable for arranging scams: knowing where the cards were used allows the attackers to choose the locations at which to use them, reducing the risk that the ongoing scam is detected.

Security expert Brian Krebs, who first reported the Target data breach, wrote a couple of interesting blog posts on the incident showing that the cards stolen in the attack are being sold on the black market with information on the state, city and ZIP code of the Target store where they were used. Selling stolen card data with localization information is a very clever tactic to increase the monetary value of the stolen commodities. Location information included in the stolen card data allows buyers to use cloned versions of cards issued to people in their immediate vicinity.

Facebook accused of mining private messages

Facebook is facing a class-action lawsuit in the US which alleges the company mines data from private messages without users’ knowledge or consent, and shares the information with advertisers.

The lawsuit by two US users accuses Facebook of violating the Electronic Communications Privacy Act and California privacy laws by allegedly scanning private messages for links to third-party websites, which it then shares with “advertisers, marketers and other data aggregators”.

The complaint was filed by Matthew Campbell of Arkansas and Michael Hurley of Oregon on December 30 in the District Court for Northern California on behalf of all Facebook members in the US who have used the site to send or receive private messages that include a URL link.

The lawsuit accused Facebook of using the information for “data mining and user profiling”, and said that Facebook earned $2.7bn from targeted advertising sales in 2011.

“Representing to users that the content of Facebook messages is ‘private’ creates an especially profitable opportunity for Facebook, because users who believe they are communicating on a service free from surveillance are likely to reveal facts about themselves that they would not reveal had they known the content was being monitored,” the lawsuit said.

Facebook has denied the plaintiffs’ claims, saying in a statement on Friday: “The allegations in this lawsuit have no merit and we will defend ourselves vigorously”.

The case is similar to another lawsuit accusing Google of violating user privacy by scanning the contents of Gmail messages.

Facebook has faced a slew of complaints and court actions on privacy-related issues. Last year, it settled a class action lawsuit over its usage of user names and images in so-called “sponsored stories”.

Snapchat To Update App In Wake Of Breach

Snapchat, a mobile photo-messaging app created to wipe out traces of messages for privacy reasons, was hit this week with a major breach of its users’ privacy that exposed the names and phone numbers of some 4.6 million of its customers. The data dump came after security researchers published a proof-of-concept for a weakness associated with the “Find Friends” feature.

The app provider late today announced that it would update Snapchat to better protect its users. “We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service,” Snapchat said in a blog post. Snapchat also said researchers could email the firm at for any vulnerability discoveries. “We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us:,” Snapchat said.

Yahoo’s Mayer Calls Email Outage ‘Unacceptable’

Mayer, in her blog post, went on to say: “For many of us, Yahoo Mail is a lifeline to our friends, family members and customers. This week, we experienced a major outage that not only interrupted that connection but caused many of you a massive inconvenience—that’s unacceptable and it’s something we’re taking very seriously. Unfortunately, the outage was much more complex than it seemed at first, which is why it’s taking us several days to resolve the compounding issues.”

Customer ire over the outage was stoked early in the process, after some believed Yahoo wasn’t responding with appropriate speed or seriousness. One Yahoo Mail user wrote to eWEEK Monday to say that Yahoo Mail had been down nearly two days and Yahoo hadn’t told users “what the heck is going on.”

Users were also exasperated by a message that wrongly told them that the outage was part of “scheduled maintenance.”

“I don’t recall the last time anything made my blood boil,” Saudi media personality Muna Abu Sulayman Tweeted Dec. 11. “When you are messing with our emails, u r messing w/ our work productivity.”

Mayer, in her post, offered a timeline of events. On Monday evening, Yahoo’s operating center alerted its Mail engineering team that a hardware outage was affecting approximately 1 percent of Yahoo’s users. The team quickly got to work, but the problem “was a particularly rare one, and the resolution for the affected accounts was nuanced since different users were impacted in different ways,” she wrote.

Some users, she continued, saw the “scheduled maintenance” page instead of their accounts, “which was a confusing and incorrect message. … Further, messages sent to those accounts during this time were not delivered but held in a queue.”

As of Friday afternoon, Yahoo was in the process of rolling out IMAP access and restoring the state of users’ inboxes—making certain that emails were in the folders they should be in and starred, if they were supposed to be, etc.