Wednesday, November 21, 2012
Welcome to the era of “Cheap War” No need for Bombers or Aircraft Carriers, just a few teenagers and a case of Jolt Cola... Once you have access, you can do some very interesting things: Que voulez-vous dire que nous avons perdu une arme nucléaire? (If the US didn't do this, would that be good news or bad news?)
U.S. Government Hacked Into French Presidential Office, Spied on Senior Officials, Says a French News Report
Using the sophisticated Flame malware first developed to spy on and sabotage Iran's nuclear program, U.S. spymasters were able to gain almost unlimited access to the computers of senior French officials in the last days of former president Nicholas Sarkozy's reign, alleges a story in French magazine l'Express.
The impact of this alleged attack is unknown, but experts on the Flame malware -- believed to be the most sophisticated cyberweapon ever developed -- say that compromised computers could have been used to record conversations via infected PCs' microphones. Screenshots may also have been captured, and files could have been copied. According to France's intelligence agency, quoted in the story, the resulting data was then routed through multiple servers on all five continents in order to hide the ultimate destination of the stolen data.
The initial incursion was an extremely simple, tried-and-true bit of social engineering. Staffers at the official residence of the President of France, the Palais de l'Élysée, were friended by hackers on Facebook, who were no doubt using fake identities. Later, those staffers were sent emails with a login to a fake copy of the login page for the intranet of the Élysée. Once they entered their credentials, hackers had usernames and passwords they could use to log in to the real system.
For my Windows 8 using Ethical Hackers. Maybe this wasn't deliberate?
Microsoft hands Windows 8 Pro to pirates by mistake
You want a copy of Windows 8 Pro? Go ahead and download it -- Microsoft is giving the keys away for free.
According to VentureBeat, an interesting exploit on Microsoft's download page allows users to pick up a free copy of Windows 8 Pro -- directly from the website, and at no cost.
If you attempt to download the free Microsoft Windows Media Center upgrade, which is being offered until January 31, a strange side effect takes hold. Windows 8 Pro will be permanently activated.
If you write parts of a bill, shouldn't your name be on it? Who is operating the Senator Leahy puppet? OR Are we seeing evidence that “certain agencies” can not only read your email they can rewrite your Bill...
Leahy scuttles his warrantless e-mail surveillance bill (UPDATED)
November 20, 2012 by Dissent
UPDATE: CNET has uploaded the amendments referred to in their prior posts today. They’re a far cry from what Senator Leahy proposed in September. So the question I have is: did the Senator actually draft these newer amendments to submit next week or is this a draft written by someone else who just wants the Senator to submit it under his name?
Earlier today, Declan McCullagh set off a firestorm on Twitter when CNET reported that Senator Leahy had not only backed off on his proposal to update ECPA by requiring warrants, but would be introducing a revised version that actually weakened our protections. As I noted in updates to my blog entry on the news, the Senator disputed Declan’s report and his office tweeted that he was still supporting a warrant requirement.
Declan has the update on CNET, and continues to stand by his earlier report:
Sen. Patrick Leahy has abandoned his controversial proposal that would grant government agencies more surveillance power — including warrantless access to Americans’ e-mail accounts — than they possess under current law.
The Vermont Democrat said today on Twitter that he would “not support such an exception” for warrantless access. The remarks came a few hours after a CNET article was published this morning that disclosed the existence of the measure.
A vote on the proposal in the Senate Judiciary committee, which Leahy chairs, is scheduled for next Thursday. The amendments were due to be glued onto a substitute (PDF) to H.R. 2471, which the House of Representatives already has approved.
Leahy’s about-face comes in response to a deluge of criticism today, including the American Civil Liberties Union saying that warrants should be required, and the conservative group FreedomWorks launching a petition to Congress — with more than 2,300 messages sent so far — titled: “Tell Congress: Stay Out of My Email!”
Read more on CNET.
The phishing was good... Not real clear what was done or how it was done. I hope the state got a better report. (At least, more than four pages...)
Forensic report on SCDOR breach
Here’s Mandiant’s report on the breach at the South Carolina Department of Revenue. From the Executive Summary, a summary of the attack:
Summary of the Attack
A high level understanding of the most important aspects of the compromise are detailed below.
1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
2. August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials. [Not sure what they are saying here. Did they change access rights? The report does not say... Bob]
3. August 29, 2012: The attacker executed utilities designed to obtain user account passwords on six servers. [Copying unencrypted passwords? Bob]
4. September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
5. September 2, 2012: The attacker interacted with twenty one servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
6. September 3, 2012: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
7. September 4, 2012: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.
8. September 5 – 10, 2012: No evidence of attacker activity was identified.
9. September 11, 2012: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.
10. September 12, 2012: The attacker copied database backup files to a staging directory.
11. September 13 and 14, 2012: The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip1 archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
12. September 15, 2012: The attacker interacted with ten systems using a compromised account and performed reconnaissance activities.
13. September 16, 2012 – October 16, 2012: No evidence of attacker activity was identified.
14. October 17, 2012: The attacker checked connectivity to a server using the backdoor previously installed on September 1, 2012. No evidence of additional activity was discovered.
15. October 19 and 20, 2012: The Department of Revenue executed remediation activities based on short term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker’s access to the environment and detect a re-compromise.
16. October 21, 2012 – Present: No evidence of related malicious activity post-remediation has been discovered.
Read the full report.
(Related) “We knew how to prevent this, but we didn't bother...”
Haley admits hacking errors; revenue chief resigns
Governor Haley has now walked back some of her more irritating claims about South Carolina’s massive data breach. Seanna Adcox of Associated Press reports:
A report on a massive security breach at the South Carolina tax collection agency shows the state could have done more to protect personal information for nearly 4 million taxpayers, Gov. Nikki Haley said Tuesday. She also said she accepted the resignation of Department of Revenue Director Jim Etter effective at the end of the year.
Haley said the report from computer security firm Mandiant found hackers may have 3.3 million bank account numbers from South Carolina taxpayers.
The state made two mistakes, according to the report. It didn’t require two different ways to verify when someone was trying to get into the system to look at tax returns and it did not encrypt Social Security numbers, Haley said.
Read more on Seattle PI.
[From the Seattle PI article:
… the Republican governor blamed the debacle on antiquated state software and outdated IRS security guidelines.
"This is a new era in time," Haley said. "You can't work with 1970 equipment. You can't go with compliance standards of the federal government. Both are outdated."
… Last week, Haley ordered all of her 16 Cabinet agencies to use computer monitoring by the state information technology division. The revenue department has been criticized for previously turning down its free services.
… The cost of the state's response has exceeded $14 million. That includes $12 million to the Experian credit-monitoring agency to cover taxpayers who sign up — half of which is due next month — and nearly $800,000 for the extra security measures ordered last week.
The Revenue Department has estimated spending $500,000 for Mandiant, $100,000 for outside attorneys and $150,000 for a public relations firm. But those costs will depend on the total hours those firms eventually spend on the issue. The agency also expects to spend $740,000 to mail letters to an estimated 1.3 million out-of-state taxpayers.
No where near the largest in absolute numbers, but still a fair chunk of the population...
Man arrested over theft of 9 million Greek files
A Greek man has been arrested on suspicion of having stolen 9 million personal data files in what is believed to be the biggest breach of private information the country has ever seen.
Police said Tuesday that the 35-year-old, whose name was not released, was found in possession of the data files that included identity card details, tax numbers, vehicle license plate numbers and home addresses.
Read more on CNBC.
Greece now joins Israel in having almost its entire citizenry’s data stolen.
[From the CNBC article:
… The files appeared to include duplicate entries, meaning the number of actual individuals affected could be lower. Greece has a population of around 10 million.
… The investigation began Monday after an employee at the data protection authority notified police that someone appeared to have a large number of digital files containing personal data, the head of financial and electronic crimes police Dimitris Georgatzis said.
[Note: The DPA (http://www.dpa.gr/portal/page?_pageid=33,40911&_dad=portal&_schema=PORTAL ) may have been browsing through online storage records, since there is no indication thay know how (or even where) they data was obtained. Bob]
Be careful when you blow that whistle...
Jail Looms for Man Who Revealed AT&T Leaked iPad User E-Mails (updated)
Tom Simonite reports:
AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But today Andrew Auernheimer, an online activist who pointed out AT&T’s blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week.
His case highlights some potentially troubling disconnects between the practicalities of online life and the rule – and application – of the law.
Read more on MIT Technology Review. The jury has the case now as I post this and I’ll update later.
Update: He was found guilty. Kim Zetter provides background on the case and how chat logs may have helped convict them. Auernheimer tweeted after the verdict that he plans to appeal.
This is truly creapy...
The Mannequins Will Be Watching You
This holiday season, if you shop at Benetton, you may be under surveillance.
Of course, we are all pretty used to the idea of security cameras trained on the entrance of a store, or over a counter of particularly expensive goods, and we've become accustomed -- even if we don't like it, on a gut level -- to the tracking that comes with online shopping, populating the ad boxes from website to website of those sneakers you just looked at. But Benetton's surveillance looks a little different: The store has purchased mannequins from an Italian company which promises that "from now on the mannequins will not only display your collections ... [but will] make it possible to 'observe' who is attracted by your windows and reveal important details about [them]."
It probably isn't smart to ignore irate parents. And I don't think the Founding Fathers actually said, “We respect no religion...”
"Lawyers representing Andrea Hernandez, a science and engineering student at John Jay High School, are fighting an expulsion notice issued a week ago for refusing to wear a Smart ID badge. To represent her, lawyers filed a preliminary court injunction, seeking legal restraints on the school. She maintains stance of refusal to wear any badge containing an RFID tag for reasons of basic privacy and conflicts with her belief system. [RFID is the “Mark of the Beast” Bob] The controversial decision for her school to adopt the NFC badges is part of the Student Locator Project, tracking attendance. Local schools started issuing the lanyard badges this fall despite parental outcry at NISD school board meetings."
No doubt the “It's not fair!” whiners will be out in force. “Don't bother me with facts. Computers is magic!”
"Europe's proposed 'right to be forgotten' has been the subject of intense debate, with many people arguing it's simply not practical in the age of the internet for any data to be reliably expunged from history. Well, add another voice to that mix. The European Network and Information Security Agency (ENISA) has published its assessment of the proposals (PDF), and the tone is skeptical to say the least. And, interestingly, one of the biggest problems ENISA has found has to do with big data. They say, 'Removing forgotten information from all aggregated or derived forms may present a significant technical challenge. On the other hand, not removing such information from aggregated forms is risky, because it may be possible to infer the forgotten raw information by correlating different aggregated forms.'"
Cheap War: Compared to the Marine Expeditionary Force or the 101st Airborne, Drones are cheap. So we can start a whole bunch of “Drone Wars” for the cost of a single F22 Fighter!
Leon Panetta Has a Few More Drone Wars Ready to Go
There once was a time, just last year, when Defense Secretary Leon Panetta thought the U.S. was this close to wiping al-Qaida off the face of the earth, once and for all. That appears to have gone up in the flames of the U.S. consulate in Benghazi. Now, a more dour Panetta believes that it’s not enough to continue the drone strikes and commando raids in Pakistan, Yemen and Somalia; they’ve got to expand “outside declared combat zones” to places like Nigeria, Mali and even Libya.
That was Panetta’s message at Tuesday evening address to the Center for American Security, an influential Washington defense think tank. Panetta, a former director of the CIA, gave a strong defense of counterterrorism drone strikes and commando raids, calling them “the most precise campaign in the history of warfare,” and indicated strongly that they’re only going to intensify in the coming years.
Rattle the anti-trust saber before the election to gather the anti-business vote, then drop everything for the next four years to reward a major contributor? Nah. That only happens in the movies...
A couple weeks back, we heard the FTC may be close to making a decision on whether or not it wants to take Google to court over claims of anti-competitive behavior. If a new report from Bloomberg is to be believed, however, the FTC may have a problem actually hitting Google with antitrust charges due to a lack of evidence. If that’s true, then Google may just be able to get out of this whole thing without ending up in court.
e-Lawyer v. e-Lawyer Could be fun!
Online Legal Services Company LegalZoom Sues Rival RocketLawyer For Misleading Advertising, Trademark Infringement And More
This is going to get ugly. Online legal services company LegalZoom is suing rival Rocket Lawyer, according to a release issued by the LA-based LegalZoom today. The charges are false and misleading advertising, trademark infringement and unfair competition. The suit was filed in the United States District Court for the Central District of California.
Apparently the Naval Observatory clock re-booted...
"It seems a glitch of some sort wreaked havoc on some NTP servers yesterday, causing many machines to revert to the year 2000. It seems the Y2K bug that never happened is finally catching up with us in 2012."
If you fail one of my tests, “I really don't care why!” We could just change the law to: “Your driving looked 'funny' to the arresting officer.”
"A recent assessment by the National Highway Traffic Safety Administration, based on random roadside checks, found that 16.3% of all drivers nationwide at night were on various legal and illegal impairing drugs, half them high on marijuana. Now AP reports that with marijuana soon legal under state laws in Washington and Colorado, setting a standard comparable to blood-alcohol limits has sparked intense disagreement. Unlike portable breath tests for alcohol, there's no easily available way to determine whether someone is impaired from recent pot use. If scientists can't tell someone how much marijuana it will take for him or her to test over the threshold, how is the average pot user supposed to know? 'We've had decades of studies and experience with alcohol,' says Washington State Patrol spokesman Dan Coon. 'Marijuana is new, so it's going to take some time to figure out how the courts and prosecutors are going to handle it.' Driving within three hours of smoking pot is associated with a near doubling of the risk of fatal crashes. However, THC can remain in blood and saliva for highly variable times after the last use of the drug. Although the marijuana 'high' only lasts three to five hours, studies of heavy users in a locked hospital ward showed THC can be detected in the blood up to a week after they are abstinent, and the outer limit of detection time in saliva tests is not known. 'A lot of effort has gone into the study of drugged driving and marijuana, because that is the most prevalent drug, but we are not nearly to the point where we are with alcohol,' says Jeffrey P. Michael, the National Highway Traffic Safety Administration's impaired-driving director. 'We don't know what level of marijuana impairs a driver.'"
Hey! I know students who could do this!
"Last week, Nate Silver ranked Google Consumer Surveys as one of the most accurate polling firms of the 2012 US election. This week, Google has released the raw data that went into its election-day prediction, and is running a contest for interesting visualizations of that data. They provide a few examples of their own, including a WebGL globe view."