Thursday, November 19, 2015

For my Computer Security students.
"Onion-Layered" Attacks on the Rise, IBM Says
Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.
IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried out by two actors, namely a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated, stealthy attacker who might expand their grip on the victim’s network without being detected for weeks or even months.
Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.
"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."
Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.
IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.
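An added example (mine, not code from IBM's or Corero's report) of the logging the advice above calls for: the inbound flood is the visible layer, so the question worth asking of the flow logs is what left the network while it was running. The flow records are constructed and the two thresholds are assumed values.

```python
# Added example, not from IBM's or Corero's report: the inbound flood is the
# visible layer, so the monitoring question is what leaves the network while it
# is running. Flow records are constructed (minute, direction, bytes); the two
# thresholds are assumed values, not figures from the report.
from collections import defaultdict
from statistics import median

INBOUND_FLOOD_BYTES = 5_000_000_000  # inbound bytes/minute treated as a flood
EGRESS_MULTIPLIER = 4                # egress above 4x the quiet median is suspect


def summarise(flows):
    """Per-minute inbound/outbound byte totals from (minute, direction, bytes)."""
    per_min = defaultdict(lambda: {"in": 0, "out": 0})
    for minute, direction, nbytes in flows:
        per_min[minute][direction] += nbytes
    return per_min


def find_covered_exfil(flows):
    """Minutes where an inbound flood coincides with outsized outbound traffic."""
    per_min = summarise(flows)
    flood = {m for m, v in per_min.items() if v["in"] >= INBOUND_FLOOD_BYTES}
    quiet_out = [v["out"] for m, v in per_min.items() if m not in flood]
    if not quiet_out:  # no quiet period to learn a baseline from
        return []
    baseline = max(median(quiet_out), 1)
    return sorted(m for m in flood
                  if per_min[m]["out"] > EGRESS_MULTIPLIER * baseline)


# Constructed sample: minutes 0-2 are normal, 3-5 are under a flood, and bulk
# egress begins in minute 4 while the flood is still absorbing attention.
SAMPLE_FLOWS = [
    (0, "in", 40_000_000), (0, "out", 30_000_000),
    (1, "in", 45_000_000), (1, "out", 28_000_000),
    (2, "in", 42_000_000), (2, "out", 31_000_000),
    (3, "in", 6_000_000_000), (3, "out", 35_000_000),
    (4, "in", 6_500_000_000), (4, "out", 900_000_000),
    (5, "in", 6_200_000_000), (5, "out", 850_000_000),
]

if __name__ == "__main__":
    print("minutes with egress hidden behind the flood:",
          find_covered_exfil(SAMPLE_FLOWS))
```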

Not a huge breach, but it illustrates (for my Computer Security students) how failure to follow Best Practices can result in recreation of well known failures.
Hannah Francis reports:
Australians’ private tax records were left unsecured thanks to a serious flaw in how the tax office’s online services connect with myGov, in the latest of a series of security bungles related to the federal government’s online services.
Experts have raised concerns over the handling of IT security issues by the Australian Taxation Office and the Department of Human Services, which runs the overarching service portal myGov, after a taxpayer who tried to report the issue claimed he was hung up on twice by the agencies’ call centre staff.
Read more on Sydney Morning Herald.
[From the article:
In a video obtained exclusively by Fairfax Media, Liew demonstrated how downloading a PDF letter from the tax office by clicking on a link within the myGov mailbox creates a "cookie" which logs the user into (In this case, cookies are used to authenticate the "single sign-on" process, or SSO, whereby the user only has to login once with myGov to access multiple linked services, such as tax, Medicare and Centrelink.)
Because clicking on the PDF link didn't actually open a browser page at and therefore a page was never closed, the cookie did not expire, meaning the next user who logged in to myGov and clicked on a link to saw the previous user's records.
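The well known failure here is a session that the server trusts until the browser happens to discard it. As an added illustration (mine, not code from myGov, the ATO or the article), this is what the server-side half looks like when validity lives with the server: portal logout revokes every linked-service session, and idle ones expire whether or not a page was ever closed. The names, the clock hook and IDLE_TIMEOUT are assumptions.

```python
# Added illustration, not code from myGov, the ATO or the article.
# Session validity lives on the server: portal logout revokes every linked
# service session, and idle sessions expire without any page being closed.
# Names, the clock hook and IDLE_TIMEOUT are assumptions.
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed)


class SsoSessionStore:
    """Tracks portal logins and the linked-service sessions they spawn."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> {user, service, portal, last_seen}

    def login(self, user):
        return self._issue(user, "portal", portal=None)

    def link(self, portal_token, service):
        """Issue a service session (e.g. 'tax') tied to a live portal login."""
        user = self.owner(portal_token)  # refuses expired or logged-out portal
        if user is None:
            raise PermissionError("portal login required")
        return self._issue(user, service, portal=portal_token)

    def _issue(self, user, service, portal):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "service": service,
                                 "portal": portal, "last_seen": self._clock()}
        return token

    def owner(self, token):
        """User the presented cookie belongs to, or None if it is not valid."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # expiry enforced here, not by the browser
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def logout(self, portal_token):
        """Portal logout revokes the portal session and every linked one."""
        doomed = [t for t, s in self._sessions.items()
                  if t == portal_token or s["portal"] == portal_token]
        for t in doomed:
            del self._sessions[t]


def shared_computer_scenario():
    """Alice opens a tax PDF and logs out; Bob then logs in on the same browser."""
    store = SsoSessionStore()
    alice_portal = store.login("alice")
    alice_tax = store.link(alice_portal, "tax")  # created by the PDF link
    store.logout(alice_portal)
    bob_portal = store.login("bob")
    # The stale 'tax' cookie is still in the shared browser's jar; it is refused.
    return store.owner(alice_tax), store.owner(bob_portal)
```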

(Related) A somewhat larger breach, illustrating how failure to follow established (but apparently unsupervised) procedures can send things south in a hurry.
Secretary of State released names and all identifying info on 6.1 million voters
Every month, the Secretary of State (Brian Kemp) releases all the new registered voters on a disc so that various entities can update their records. This information is generally limited to names, addresses, and demographic information. But last week, the SoS decided to give out a bunch of information it has collected on you and everybody you know to anyone who signed up.
Their monthly CD for October contained the Drivers license number, social security number, full name, address, and everything else you need to steal someone’s identity for every single registered voter in Georgia. All 6.1 million of us. It was not encrypted. It was not password protected. It was a gift for anyone who ever thought of doing wrong.
[The Class Action complaint: Download (PDF, 767KB)

Now this is interesting. They must have had some evidence that this research existed. What would justify a subpoena?
Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor
Carnegie Mellon University today implied in a statement that it was served with a subpoena to hand over research related to unmasking the identity of users on the Tor network, and that it was not paid $1 million by the FBI for doing so, as alleged by the Tor Project.
The statement, released shortly after noon Eastern, is vague and fails to answer a number of outstanding questions not only about the ethics and legality of the attack on Tor, but also whether the research was prompted by the government, which, the Snowden documents revealed, has had its struggles breaking Tor traffic.

Of course NSA would like to review these “exploits.” It's possible (if unlikely) there might be something to learn, but at minimum there will be “fingerprints” to record. I wonder if they can trace anyone who subscribes? Perhaps companies could fund an organization to buy and analyze and then share the results?
Here’s a Spy Firm’s Price List for Secret Hacker Techniques
… In an unprecedented move Wednesday, the zero-day broker startup Zerodium published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and resells in a subscription service to customers that include government agencies. The list, which details the sums it pays for attack methods that affect dozens of different applications and operating systems, represents one of the most detailed views yet into the controversial and murky market for secret hacker exploits.
… An attack that can fully, remotely take over a victim’s computer through his or her Safari or Internet Explorer browser, for instance, fetches a price of as much as $50,000. For the harder target of Google Chrome, Zerodium’s price rises to $80,000. Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.
… Zerodium, in other words, is keeping its fresh hacker techniques under wraps for its customers, which it says include “government organizations in need of specific and tailored cybersecurity capabilities,” as well as corporate customers it says use the techniques for defensive purposes. Zerodium founder Bekrar says Zerodium clients pay subscription rates of at least $500,000 a year for access to its exploits. He wouldn’t name any specific customers. But Bekrar’s last startup, the French company Vupen, more explicitly offered its zero-day exploits to customers it described as government agencies within NATO and “NATO ally” countries. A Freedom of Information request from the investigative news site Muckrock in 2013 showed that Vupen’s customers included the NSA.

Not everyone who should encrypt their communications bothers to do so. Not all terrorists are knowledgeable about secure communications and many are mere “cannon fodder” who are not worth investing the time and effort to train. That does not mean every terrorist communication will be recognized, analyzed, and communicated to appropriate authorities in time to stop attacks.
Signs Point to Unencrypted Communications Between Terror Suspects
In the wake of the Paris attack, intelligence officials and sympathizers upset by the Edward Snowden leaks and the spread of encrypted communications have tried to blame Snowden for the terrorists’ ability to keep their plans secret from law enforcement.
Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.
… Details about the major ISIS terror plot averted 10 months ago in Belgium also indicate that while Abaaoud previously attempted to avoid government surveillance, he did not use encryption.
A prescient bulletin sent out in May by the Department of Homeland Security assessed “that the plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more complex operations in the West.”
Abaaoud’s planned operation in Belgium was blown when authorities, who had been closely surveilling his three accomplices, stormed their safe house in the city of Verviers after determining that they were planning a major attack — very much like the one that took place in Paris on Friday. A pitched firefight between Belgian commandos and the ISIS veterans firing Kalashnikov rifles and lobbing grenades ended with two suspects dead and a third captured.
Belgian investigators concluded that Abaaoud directed the foiled operation there by cellphone from Greece — and that despite his attempts to avoid surveillance, his communications were in fact intercepted. Just a few days after the raid, Belgian news website RTL Info ran a whole article titled “What the Terrorist Suspects under Surveillance Were Saying.” It described surveillance over several months, through wiretaps and listening devices placed in the suspects’ car and their apartment.

(Related) Perhaps they were too arrogant to call for help? No doubt this is what the CIA and FBI will be talking about in those Congressional hearings.
ISIS Has Help Desk for Terrorists Staffed Around the Clock
… Counterterrorism analysts affiliated with the U.S. Army tell NBC News that the ISIS help desk, manned by a half-dozen senior operatives around the clock, was established with the express purpose of helping would-be jihadists use encryption and other secure communications in order to evade detection by law enforcement and intelligence authorities.

Interesting and strange guy. He appears to be doing what is expected, but I doubt his heart is in it.
Founder of app used by ISIS once said ‘We shouldn’t feel guilty.’ On Wednesday he banned their accounts.
Pavel Durov knew that terrorists were using his app to communicate. And he decided it was something he could live with.
“I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism,” the founder of Telegram, a highly secure messaging app, said at a TechCrunch panel in September when asked if he “slept well at night” knowing his technology was used for violence.
… “Ultimately, ISIS will find a way to communicate with its cells, and if any means doesn’t feel secure to them, they’ll [find something else]. We shouldn’t feel guilty about it. We’re still doing the right thing, protecting our users’ privacy.”
… In a Facebook post, Durov blamed “shortsighted socialists” in the French government for the attacks as much as Islamic State militants.
Which is why a statement from Telegram posted on its site Wednesday is such a surprising reversal of course.
“We were disturbed to learn that Telegram’s public channels were being used by ISIS to spread their propaganda,” it read. “… As a result, this week alone we blocked 78 ISIS-related channels across 12 languages.”
The statement had a ring of insincerity to it, given Durov’s comments two months ago (the New York Times noted that the statement sounded like Claude Rains’s famous line in “Casablanca,” claiming to be “shocked, shocked” to find that gambling was happening at Rick’s, just before collecting his winnings).

Interesting. App data for people who haven't even installed the Apps! Android only, so far.
Google boosts mobile search: Now it surfaces app data and streams apps
… With today's changes, Google will start showing content in mobile search results that only lives within apps, for example, apps with content that doesn't have a corresponding web page.
An example of a mobile app that has corresponding web content is Facebook, which earlier this week enabled Google's app indexing. Now Android users can hop from search results of indexed Facebook pages directly to the relevant part of Facebook's app. Other popular apps that are indexed by Google include Airbnb, Instagram and Pinterest.
Under the extended app-indexing service, content from apps such as HotelTonight, which does not have corresponding web content, will also appear in search results. The aim is to make it easier to find information in applications.
Along with this development, Google has kicked off app-streaming from Search, so users can interact with an app that they haven't yet installed.
"With one tap on a Stream button next to the HotelTonight app result, you'll get a streamed version of the app, so that you can quickly and easily find what you need, and even complete a booking, just as if you were in the app itself. And if you like what you see, installing it is just a click away. This uses a new cloud-based technology that we're currently experimenting with," Google engineering manager Jennifer Lin said.
According to Marketing Land, for now these options will only be available within the Google app on Android 5.0 and Android 6.0 handsets.

Perhaps a voice will say, “No. It doesn't make you look fat.”
At This Store, the Fitting-Room Mirrors Know All
… In one corner, a lanky blonde woman examines a white cashmere turtleneck before placing it back on its hanger. Had she taken the item into one of the dressing rooms, she'd immediately find an image of the turtleneck displayed on the touchscreen mirror in front of her, with options to request a different size, a different color or a pair of jeans to go with it.
That's right -- the fitting rooms in Ralph Lauren's Polo flagship are smart. Very smart. Equipped with radio-frequency identification technology that tracks items via their tags, the room identifies every item that enters and reflects it back on the mirror that doubles as a touchscreen. Shoppers can interact with the mirror, which functions like a giant tablet, to control the lighting, request alternate items or style advice from a sales associate.

Perspective. Soon Watson may have friends to chat with.
China nearly triples number of supercomputers, report says
The country has 109 high-performance computing systems on the biannual Top500 list of supercomputers, up 196% from 37 just six months ago.
The most powerful supercomputer, China's Tianhe-2, also retained the top spot for the sixth consecutive time.
In contrast, the US has seen the number of its supercomputers decline.

I find 8 in Colorado.
Open Data Inception – 1600+ Open Data Portals Around the World
by Sabrina I. Pacifici on Nov 18, 2015
“You can find the list geotagged on a map at When building the best Open Data portals, the same question always comes up. Where can I find clean and usable data? Our answer is usually: “Did you search on existing Open Data portals?” But the truth is, some Open Data portals can be hard to come by. We decided to put together a resource that would be truly useful for all the data geeks out there (and we know we are plenty). We called this project: Open Data Inception. We rolled up our sleeves and started aggregating all of the Open Data portals we could get our hands on. We are thrilled to present you the first version of our comprehensive list of 1600+ Open Data portals around the world. To facilitate your search, we decided to geotag intergovernmental organization portals on their parent organization headquarters. The table of contents will give you a summary of all countries represented on this list. Simply click on a country’s name and the page will bring you to the correct section. If you are curious about how we created this list, we wrote an article about it. We hope that you will find solace in your data quest with this list. Don’t hesitate to send us feedback through the form at the bottom of the page or at @opendatas

Perhaps they would help fund the Privacy Foundation?
Introducing New Tools for Nonprofits
… Today we’re testing fundraisers – a new tool – and improving our Donate button, to allow people to donate to charities without leaving Facebook. We hope these features help nonprofits reach new supporters, engage their community and get the valuable funding they need to continue their good work.
In 2013, we first tested different ways for nonprofits to fundraise on Facebook.

I subscribe (via RSS) to a couple of these. Perhaps I should look at some others.
Read More Intelligent Content in 2016 with These 35 Sites
… For a couple of years now, we’ve occasionally brought to light some of these refuges of intelligence. In 2013 we introduced you to Reddit’s In Depth Stories, and The Feature. In 2014 we told you about and The Browser. Now at the end of 2015, we’re offering a much more comprehensive list of where to find the best online content, and journalism.

Dilbert elegantly illustrates how the Internet facilitates miscommunication.
