Monday, June 06, 2011

This is neither “Chicken Little” nor “The boy who cried Wolf!”

EDITORIAL: LulzSec Targets Elderly in the Wake of Latest Sony Hacks

June 6, 2011 by admin

The Daily Tech published an editorial yesterday. Here’s how it begins:

There’s no real winners with the latest Sony hack

Sometimes there’s just a story that’s just plain sad all around. This is arguably the case with the latest hack of Sony Corp (6758), in which the company lost another 1 million user records and hackers published private information on elderly users.

You can read the whole editorial on their site.

Interesting. Is the definition of war changing? I would not have expected China to reveal enough to even make us suspect them of the Lockheed attack. The original RSA attack maybe. How should I interpret this? Does China think itself a Cyber-Superpower that can get away with anything they try, just because they believe there will be no retaliation?

China linked to new breaches tied to RSA

… When RSA warned customers that their SecurID deployments could be affected by the intrusion, the industry was waiting for the proverbial other shoe to drop. Thus, word of the defense contractor attacks came as no surprise. And the timing is such that it seems unlikely to be coincidental, the experts said.

Two-and-a-half months is plenty of time for whoever stole the data to sell it to interested parties in underground channels and for buyers to prepare attacks that take advantage of the pilfered information--basically figuring out which key on the key chain goes to which door. But it's also a small enough window of time to let those attackers catch some RSA customers before they can change the locks.

… Meanwhile, the Pentagon is now saying it plans to issue new strategy declaring that in certain circumstances it will view cyberattacks from foreign nations as an act of war meriting military response.

"The reality is, part of the basis of U.S. hegemony...has been the ability to leverage command of signals intelligence to have perspective on the motivations and activities of others. Cyberspace has equalized that, so all of a sudden we're in a competitive intelligence environment," said Rafal Rohozinski, a principal at SecDev who did research on targeted attacks on Tibet and others with supposed links to China. Those attacks were detailed in a "GhostNet" report in 2009.

Espionage is common among the major nations, but reports of cyberespionage from China have increased over the past decade, campaigns that are ostensibly focused on silencing dissidents and other detractors, or reducing China's technology gap with the U.S. and other major countries.

"China has made no secret that they see cyberspace as the domain that allows them to compete with the U.S.," Rohozinski said.

It's easy to connect the dots between the various attacks, particularly considering what the motivation may be behind them. However, there is often no way to know for sure where a cyber attack originated because attackers can easily hide their tracks.

"I think [the attacks on the contractors] are completely related" to the RSA intrusion, said Chris Wysopal, chief technology officer at Veracode. "While I think they're related, I don't necessarily think it is the same group" that's responsible.

… "The RSA attackers knew that what they were stealing could be sold to lots of governments," he said.

"If it's any kind of military espionage, military adversaries are going to be high on the list," Wysopal said. "The question then is who in China--is it government agents or independent contractors selling to the Chinese government?" [See? There is a market for your Ethical Hacking skills, Bob]

It is easier to ignore a law than to understand and implement it.

Most EU countries ignore law on website cookies

June 6, 2011 by Dissent

Jennifer Baker reports:

Critics were worried that the European Union’s privacy directive on browser cookies could make virtually every website in Europe illegal. But most EU member countries ignored the May 25 deadline to implement the directive, so e-commerce didn’t skip a beat.

Only Denmark, Estonia and the U.K. have taken steps to implement the privacy directive, said Jonathan Todd, a spokesman for the European Commission, and even those efforts may not be fully compliant with the policy.

Read more on Computerworld.

Local (Univ. of Northern Colorado)

After 8-year legal battle, judge finds Howling Pig editor’s rights were violated

June 6, 2011 by Dissent

It’s been a looong-running legal case, but Nick Dean of the Student Press Law Center reports:

A federal district court ruled Friday that a former college student who published a First Amendment-protected satirical newsletter was deprived of his right against unreasonable search and seizure when police confiscated his computer.

Read more on SPLC, where they provide the background and timeline of the case.

Congratulations to Thomas Mink and his legal team for hanging in there to fight this one.

Suspicions confirmed!

June 05, 2011

Study - Privacy leakage vs. Protection measures: the growing disconnect

Privacy leakage vs. Protection measures: the growing disconnect, Balachander Krishnamurthy - AT&T Labs Research; Konstantin Naryshkin - Worcester Polytechnic Institute; Craig E. Wills - Worcester Polytechnic Institute, May 2011.

  • "Numerous research papers have listed different vectors of personally identifiable information leaking via traditional and mobile Online Social Networks (OSNs) and highlighted the ongoing aggregation of data about users visiting popular Web sites. We argue that the landscape is worsening and existing proposals (including the recent U.S. Federal Trade Commission's report) do not address several key issues. We examined over 100 popular non-OSN Web sites across a number of categories where tens of millions of users representing diverse demographics have accounts, to see if these sites leak private information to prominent aggregators. Our results raise considerable concerns: we see leakage in sites for every category we examined; fully 56% of the sites directly leak pieces of private information with this result growing to 75% if we also include leakage of a site userid. Sensitive search strings sent to healthcare Web sites and travel itineraries on flight reservation sites are leaked in 9 of the top 10 sites studied for each category. The community needs a clear understanding of the shortcomings of existing privacy protection measures and the new proposals. The growing disconnect between the protection measures and increasing leakage and linkage suggests that we need to move beyond the losing battle with aggregators and examine what roles first-party sites can play in protecting privacy of their users."

Why does this not surprise me?

June 05, 2011

Survey Finds Nearly Half of 6- to 9-Year-Olds Talk to Friends Online and Use Social Networks

News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries,” and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure. AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety.... Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:

  • More than half (51 percent) of 6- to 9-year-olds use some kind of children’s social network such as Club Penguin or WebKinz.

  • Roughly one in five use email, and despite being underage, 14 percent are on Facebook, according to their parents.

  • 47 percent of 6- to 9-year-olds talk to their friends on the Internet.

  • Almost one in six 6- to 9-year-olds and one in five 8- to 9-year-olds have experienced what their parents consider objectionable or aggressive behavior online.

  • American children average four hours online each week, slightly more than the worldwide average of 3.5 hours per week.

  • 58 percent of parents admit they are neither well-informed nor understand their children’s online social networks.

  • Only 56 percent of parents were certain their family computer has parental controls or safety programs in place."

For the Forensic and Ethical Hacking toolkit...

Cheap GPUs Rendering Strong Passwords Useless

StrongGlad writes with a story at ZDNet describing how it's getting easier to use GPU processing against passwords once considered quite strong.

"Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called 'ighashgpu' and you have yourself a lean, mean password busting machine. How lean and mean? Working against NTLM login passwords, a password of 'fjR8n' can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."
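The arithmetic behind those figures, as an added illustration that is not part of the post or the ZDNet article: exhaustive-search time is simply keyspace divided by guess rate, so password length and character classes decide everything once the hash itself is cheap. The two guess rates are the ones quoted above; the fourth sample password and the ten-year survival target are assumptions for the demonstration.

```python
import string

# Guess rates quoted in the post: a CPU versus a Radeon HD 5770 running ighashgpu
# against NTLM hashes. The NT hash is a single unsalted MD4 of the UTF-16LE
# password, so every guess costs one cheap hash and no per-user salt slows it down.
CPU_RATE = 9.8e6   # guesses per second
GPU_RATE = 3.3e9   # guesses per second

# Character classes a cracker must enable to cover a given password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the smallest class-based alphabet containing every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password):
    """Candidates an exhaustive search of that alphabet at that length covers."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(password, rate):
    """Time to exhaust the keyspace; on average a hit lands in about half of this."""
    return keyspace(password) / rate


def min_length_for(alphabet, rate, survive_seconds):
    """Shortest length whose full keyspace outlasts survive_seconds at rate."""
    n = 1
    while alphabet ** n < rate * survive_seconds:
        n += 1
    return n


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # The post's three passwords plus an assumed longer four-class one.
    for pw in ("fjR8n", "pYDbL6", "fh0GH5h", "Correct-Horse9!"):
        print(f"{pw:16s} alphabet={alphabet_size(pw):3d}  "
              f"CPU {human(worst_case_seconds(pw, CPU_RATE)):>14s}  "
              f"GPU {human(worst_case_seconds(pw, GPU_RATE)):>14s}")
    # Assumed policy question: how long must an alphanumeric password be to keep
    # this GPU busy for ten years even in the worst case?
    print("length needed:", min_length_for(62, GPU_RATE, 10 * 365 * 86400))
```

The CPU figures reproduce the post's 90 minutes and 4 days for the 6- and 7-character cases; the 11-character answer to the ten-year question is why length, not just mixed case and digits, is the defensible control.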
