Security News

60 Minutes Puff Piece Claims NSA Saved U.S. From Cyberterrorism

Well, don’t we feel just a little bit ashamed today. While we’ve been whining about trivia like the frightening scope of the NSA’s domestic spying programs – scooping up all our cell phone records, wiretapping American tech companies – the criminally poor oversight provided by rubber stamp lawmakers, and the flagrant lies of top level spooks like DNI James Clapper, the poor misunderstood folks at Ft. Meade have been quietly saving each and every one of us from a Chinese plot to destroy all of our computers. Every last one of them. The computer on which I’m typing was rescued from ruin by NSA chief Gen. Keith Alexander. I tweet and blog under the blanket of the very freedom that he provides.

That was one of the things I learned from last night’s 60 Minutes’ half-hour video love letter to the NSA. While “a twentysomething-year-old high school dropout contractor” named Edward Snowden is making all this trouble, better schooled NSA experts are protecting us from malware.

The thwarted “BIOS plot” was an attempt by China (we’re told) to promulgate a fake BIOS update that would have bricked every machine in America, destroying the U.S. economy. The claim is so preposterous on its face that even 60 Minutes interviewer John Miller remarks on camera that “it has a kind of a little Dr. Evil quality to it … It sounds almost unbelievable,” before believing the story and moving on without demanding more details.

And that’s the gist of 60 Minutes’ parody last night of the serious television journalism it once embodied. Defending his NSA programs, Alexander did a similar video interview in October, but that one was conducted by a paid Pentagon employee and produced by the Defense Department. It earned 16,000 downvotes on YouTube (versus 300 likes), and was widely ridiculed. For the sequel, NSA clearly wanted to get off the internet and onto old-fashioned broadcast television, where the average viewer is a bit less cynical. But it also wanted an interviewer at least as pliant as its paid employee.

And, boy, did it find one in Miller, a former intelligence official himself, who set the stage with this question to Alexander: “There is a perception out there that the NSA is widely collecting the content of the phone calls of Americans. Is that true?”

“No, that’s not true,” Alexander replies.

At last, a straightforward denial from the NSA about something that absolutely nobody has accused it of doing. Thank you, 60 Minutes! The only thing that would be a better use of your access would be an extended interview with bright-eyed young analysts explaining at length how a spear phishing attack works. Step aside Greenwald and Gellman. I think that Pulitzer just got spoken for.

Judge Rules Against NSA Collection Program

A federal district court judge’s ruling that a National Security Agency program collecting metadata from telephone calls could be unconstitutional suggests that the law hasn’t kept pace with changing technology.

Federal District Judge Richard Leon of the District of Columbia ruled on Dec. 17 that the program apparently violates the Fourth Amendment’s privacy protections that ban unreasonable searches and seizures.

The case was brought by the conservative public-interest lawyer Larry Klayman and several others. Because of its national security implications, Leon stayed his injunction to allow the government time to appeal, a process he says could take about a half year.

“The almost-Orwellian technology that enables the government to store and analyze the phone metadata of every telephone user in the United States is unlike anything that could have been conceived in 1979,” Leon says in his ruling, referencing a 1979 Supreme Court ruling titled Smith v. Maryland.

“Put simply, people in 2013 have an entirely different relationship with phones than they did 34 years ago,” the judge says. “As a result, people make calls and send text messages now that they would not – really, could not – have made or sent back when Smith was decided.”

To defend the NSA collection program, government lawyers cite that 1979 ruling, which found police didn’t need a search warrant to install a device that recorded the numbers dialed on a particular phone line.

Pensioners sue IBM over reported NSA involvement

A pension investment group has sued IBM, claiming that the company failed to warn investors that sales in China would slow dramatically following revelations that IBM was helping the U.S. National Security Agency spy on the Chinese.

“IBM was well-aware that its association with the U.S. spy program and its sharing of customers’ information with the U.S. government would have immediate and adverse consequences on its business in China,” reads a lawsuit filed Thursday by the Louisiana Sheriffs’ Pension and Relief Fund in the U.S. District Court for the Southern District of New York.

The pension fund lawsuit is “pushing a wild conspiracy theory,” said Robert Weber, IBM senior vice president and general counsel, in a short statement. The company attributes the drop-off in sales to a recent country-wide economic reorganization on the part of the Chinese government.

Security prediction for 2014: It will get worse

I hate to be the bearer of bad news, but you probably saw this coming. Multiple indicators suggest that, bad as this year has been for Internet security, 2014 will be worse. Much worse.

At least that’s the opinion of Steve Wexler, a journalist specializing in corporate technology and the leading light behind IT-TNA, an information service geared towards IT news and trends. In a Monday report, Wexler takes a look at security predictions for the coming year. “One would expect doom and gloom forecasts from security vendors – and IT industry analysts – and you won’t be disappointed.”

For instance, IDC has just this month predicted that 70 percent of chief information officers (CIOs) will increase their dependency on the cloud. While cloud-based solutions will lower costs and increase companies’ flexibility, they also increase security vulnerability. “Unfortunately for that increased risk exposure, by 2015, 60% of CIO security budgets…will be 30-40% too small to fund enterprise threat assessments,” warns Wexler.

Spy Satellite, permanent drone. Hacker Satellite

A spy satellite (officially referred to as a reconnaissance satellite) is an Earth observation satellite or communications satellite deployed for military or intelligence applications. These are essentially space telescopes that are pointed toward the Earth instead of toward the stars. The first generation type (i.e. Corona [1] [2] and Zenit) took photographs, then ejected canisters of photographic film, which would descend to earth.

Corona capsules were retrieved in mid-air as they floated down on parachutes. Later spacecraft had digital imaging systems and uploaded the images via encrypted radio links.

In the United States, most information available is on programs that existed up to 1972. Some information about programs prior to that time is still classified, and a small trickle of information is available on subsequent missions.

A few up-to-date reconnaissance satellite images have been declassified on occasion, or leaked, as in the case of KH-11 photographs which were sent to Jane’s Defence Weekly in 1985.

Don’t delay! Grab the latest Microsoft and Adobe security patches

It’s what I like to call “Worry Wednesday”, the day after Patch Tuesday, when system administrators around the world furrow their brows in concern that malicious hackers will dissect the latest security patches issued by Microsoft and develop attacks which exploit the flaws.

It’s obviously good news whenever the likes of Microsoft and Adobe release fixes for security holes, and make them available for home users and businesses to install.

But it’s a double-edged sword. Obviously it’s good to have an official software patch to fix a flaw, but the patches themselves can provide clues to reverse-engineering hackers as to how they could exploit the vulnerability.

So, most of the time, it’s a good idea to install the patches at the earliest opportunity. Indeed, if you’re a home user it can make the best sense to automatically install security patches rather than force yourself to go through the rigmarole of remembering to download and roll out the updates yourself whenever they become available.

If you’re a big business, it’s not unusual to test that the patches don’t cause any unintended conflicts before you roll them out across hundreds of thousands of computers on your network.

Yesterday, it was the second Tuesday of the month. In Microsoft language that means it was “Patch Tuesday”, their regular time for issuing security updates, and sure enough they released security fixes for vulnerabilities in Windows, Internet Explorer, Microsoft Exchange, Office, Lync and Microsoft Developer Tools.

Amongst the flaws they fixed was a zero-day flaw that has allowed hackers to launch targeted attacks involving boobytrapped Word documents, and broader financially-motivated campaigns using boobytrapped TIFF image files.

Microsoft had said it had seen malicious Word documents (with dangerous TIFF files embedded inside) sent to targeted companies based in the Middle East and South Asia.

But now there’s a proper fix, so you should install it before you end up in hackers’ gunsights.

Unfortunately, there *wasn’t* a fix released for the critical zero-day XP kernel attack that has been putting users of older versions of Windows at risk since the end of November.

Microsoft Security Bulletin Summary for December 2013

But it wasn’t just Microsoft that released security patches yesterday.

Adobe, a company that has often been on the receiving-end of hacker attacks, issued security fixes for its Adobe AIR product and Flash and Shockwave players.

The Flash issue seems the most serious, as Adobe says it is aware of reports that an exploit designed to trick users into opening Microsoft Word documents containing malicious Flash content exists for one of the vulnerabilities.

Adobe Flash Player and AIR security update
Adobe Shockwave Player security update

Make it your resolution for 2014 to get in the habit of taking security updates seriously. If companies like Microsoft and Adobe are prepared to go to the effort to investigate, fix and then publicise security holes in their software – you really should be listening to them.

Online Reputation Companies Busted for Fake Reviews

Online reputation management has become big business. From faking positive reviews to obscuring negative information, some companies will go to any length to look good on the Internet. Now, 19 of these companies have learned that online deception may come with too high a price tag.

19 Companies Fined Over $350,000 For Posting Fake Reviews

On September 23, 2013, Attorney General Eric Schneiderman announced an agreement with 19 companies to “stop writing fake online reviews and pay over $350,000 in fines.” The agreement came about as a result of the “Operation Clean Turf” undercover probe into astroturfing (writing and posting fake endorsements on review websites) and manipulative online reputation management services.

Underhanded Tactics

Some of these companies used websites like CitySearch, Yelp and Google Local to post fake positive reviews of their own products and services. Reviews were written by the company’s own employees and their friends, all of whom were hiding their true identities. Some companies employed tactics like hiding IP addresses and setting up fake online profiles on consumer review websites.

“We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say

Developers of the FreeBSD operating system will no longer allow users to trust processors manufactured by Intel and Via Technologies as the sole source of random numbers needed to generate cryptographic keys that can’t easily be cracked by government spies and other adversaries.

The change, which will be effective in the upcoming FreeBSD version 10.0, comes three months after secret documents leaked by former National Security Agency (NSA) subcontractor Edward Snowden said the US spy agency was able to decode vast swaths of the Internet’s encrypted traffic. Among other ways, The New York Times, ProPublica, and The Guardian reported in September, the NSA and its British counterpart defeat encryption technologies by working with chipmakers to insert backdoors, or cryptographic weaknesses, in their products.

The revelations are having a direct effect on the way FreeBSD will use hardware-based random number generators to seed the data used to ensure cryptographic systems can’t be easily broken by adversaries. Specifically, “RDRAND” and “Padlock”—RNGs provided by Intel and Via respectively—will no longer be the sources FreeBSD uses to directly feed random numbers into the /dev/random engine used to generate random data in Unix-based operating systems. Instead, it will be possible to use the pseudo random output of RDRAND and Padlock to seed /dev/random only after it has passed through a separate RNG algorithm known as “Yarrow.” Yarrow, in turn, will add further entropy to the data to ensure intentional backdoors, or unpatched weaknesses, in the hardware generators can’t be used by adversaries to predict their output.

“For 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random,” FreeBSD developers said. “It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more.”
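A simplified illustration of the design change described above, added here and not FreeBSD's code or the Yarrow algorithm itself: a SHA-256 mixing pool (an assumption standing in for Yarrow) absorbs the output of a predictable hardware RNG alongside other samples. `BackdooredHwRng`, `MixingPool`, `key_direct`, `key_pooled` and all sample inputs are constructed for the example.

```python
import hashlib

class BackdooredHwRng:
    """Constructed stand-in for a hardware RNG whose output an adversary can
    reproduce because they know its internal seed."""
    def __init__(self, seed: bytes):
        self._seed, self._ctr = seed, 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self._seed + self._ctr.to_bytes(8, "big")).digest()
            self._ctr += 1
        return out[:n]

class MixingPool:
    """Simplified hash pool (not Yarrow): sources are absorbed, never output directly."""
    def __init__(self):
        self._pool = hashlib.sha256()
        self._key = bytes(32)
        self._ctr = 0

    def add_entropy(self, source_id: int, data: bytes) -> None:
        # Tag and length-prefix each sample so inputs cannot be confused.
        self._pool.update(bytes([source_id]) + len(data).to_bytes(4, "big") + data)

    def reseed(self) -> None:
        # The new generator key depends on the old key and everything absorbed.
        self._key = hashlib.sha256(self._key + self._pool.digest()).digest()
        self._pool = hashlib.sha256()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._ctr += 1
            out += hashlib.sha256(self._key + self._ctr.to_bytes(8, "big")).digest()
        # Rekey so a later state compromise does not reveal earlier output.
        self._key = hashlib.sha256(b"rekey" + self._key).digest()
        return out[:n]

def key_direct(hw: BackdooredHwRng) -> bytes:
    """Old arrangement: hardware output is used as the key material."""
    return hw.read(32)

def key_pooled(hw: BackdooredHwRng, other_samples: list) -> bytes:
    """New arrangement: hardware output is one pool input among several."""
    pool = MixingPool()
    pool.add_entropy(0, hw.read(32))
    for i, sample in enumerate(other_samples, start=1):
        pool.add_entropy(i, sample)
    pool.reseed()
    return pool.read(32)

if __name__ == "__main__":
    seed = b"constructed seed known to the adversary"
    timings = [b"\x00\x1f\x9a\x03", b"\x7c\x44\x10\xee"]  # constructed samples
    print("direct predictable:", key_direct(BackdooredHwRng(seed)) == key_direct(BackdooredHwRng(seed)))
    print("pooled predictable:", key_pooled(BackdooredHwRng(seed), timings) == key_pooled(BackdooredHwRng(seed), []))
```

With no independent samples the pooled key is as predictable as the direct one, so the pool only helps when at least one other input is unknown to the adversary.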

Will Utah cut off the NSA data center’s water?

Each day, the National Security Agency’s massive data center in Utah requires 1.7 million gallons of water. Recently, opponents to the NSA’s massive online spying operation have started to wonder: What if we just turned off their water?

The agency has been under scrutiny ever since former intelligence contractor Edward Snowden leaked a trove of confidential NSA documents detailing its global internet spying operation. The agency collects emails, chats, telephone metadata, and encrypted communications, storing them all in data centers like the one in Bluffdale, Utah.

As several grassroots organizations have pointed out, the data center runs on utilities regulated by state governments. And historically, the Supreme Court has upheld states’ rights to decide whether they want to assist the federal government. In a petition to cut off the NSA’s water supply, wrote, “Nothing in the Constitution requires a state to help the feds violate your rights. This is an undisputed principle known as the anti-commandeering doctrine – the states cannot be compelled to carry out federal acts, regulations, and the like.”

Officially, (and other groups) are advocating for Utah to pass a Fourth Amendment Protection Act that would essentially ban the state from helping the federal government spy on its citizens. In this case, that means cutting off the Utah data center’s water supply.

So how likely is it that such an Amendment would ever pass? It’s hard to say, but the notion of stopping the agency’s water supply is not so far-fetched. As the OffNow coalition reported, the city of Bluffdale’s contract to provide the data center with water runs out in 2021, despite its mayor’s insistence to the contrary.

At bottom, the (likely fruitless) efforts of activists to pass an act to cut the NSA off from local resources underscore a larger point about the agency’s data collection. While we don’t often think of information as taking up physical space, it in fact does. And further, it requires resources. The question of whether we want to funnel 1.7 million gallons of water to a government body storing what appears to be all of our digital communications is, at least, a question worth asking.

Microsoft disrupts botnet that generated $2.7M per month for operators

On Thursday, Microsoft’s Digital Crimes Unit, the legal and technical team that has driven the takedown of botnets such as Bamital and Nitol during the past year, announced that it has moved with Europol, industry partners, and the FBI to disrupt yet another search fraud botnet. The ZeroAccess botnet, also known as ZAccess or Siref, has taken over approximately 2 million PCs worldwide; Microsoft estimates that it has cost search engine advertisers on Google, Bing, and Yahoo over $2.7 million each month.