Welcome to the era of “Cheap War”
No need for bombers or aircraft carriers, just a few teenagers and a
case of Jolt Cola... Once you have access, you can do some very
interesting things: "What do you mean, we lost a nuclear weapon?"
(If the US didn't do this, would that be good news or bad news?)
U.S. Government Hacked Into French Presidential Office, Spied on Senior Officials, Says a French News Report
Using the sophisticated Flame malware first developed to spy on and sabotage Iran's
nuclear program, U.S. spymasters were able to gain almost unlimited
access to the computers of senior French officials in the last days
of former president Nicolas Sarkozy's reign, alleges a story
in French magazine l'Express.
The impact of this alleged attack is
unknown, but experts on the Flame malware -- believed to be the most
sophisticated cyberweapon ever developed -- say that compromised
computers could have been used to record conversations via infected
PCs' microphones. Screenshots may also have been captured, and files
could have been copied. According to France's intelligence agency,
quoted in the story, the resulting data was then routed through
multiple servers on all five continents in order to hide the ultimate
destination of the stolen data.
The initial incursion was an extremely
simple, tried-and-true bit of social
engineering. Staffers at the official residence of the President
of France, the Palais de l'Élysée, were friended by hackers on
Facebook, who were no doubt using fake identities. Later, those
staffers were sent emails with a login to a fake copy of the login
page for the intranet of the Élysée. Once they entered their
credentials, hackers had usernames and passwords they could use to
log in to the real system.
For my Windows 8 using Ethical Hackers.
Maybe this wasn't deliberate?
Microsoft hands Windows 8 Pro to pirates by mistake
You want a copy of Windows 8 Pro? Go ahead and download it -- Microsoft is giving the keys
away for free.
According to VentureBeat,
an interesting exploit on Microsoft's download page allows users to
pick up a free copy of Windows 8 Pro -- directly from the website,
and at no cost.
If you attempt to download the free Microsoft Windows Media Center upgrade,
which is being offered until January 31, a strange side effect takes hold.
Windows 8 Pro will be permanently activated.
If you write parts of a bill, shouldn't your name be on it? Who is
operating the Senator Leahy puppet? Or are we seeing evidence that
"certain agencies" can not only read your email, they can rewrite
your bill...
Leahy scuttles his warrantless e-mail surveillance bill (UPDATED)
November 20, 2012 by Dissent
UPDATE: CNET has uploaded the amendments referred to in their prior posts
today. They’re a far cry from what Senator Leahy proposed in
September.
So the question I have is: did the Senator actually draft these
newer amendments to submit next week or is this a draft written by
someone else who just wants the Senator to submit it under his name?
Earlier today, Declan McCullagh set off
a firestorm on Twitter when CNET
reported that Senator Leahy had not only backed off on his
proposal to update ECPA by requiring warrants, but would be
introducing a revised version that actually weakened our protections.
As I noted in updates to my blog
entry on the news, the Senator disputed Declan’s report and his
office tweeted that he was still supporting a warrant requirement.
Declan has the update
on CNET, and continues to stand by his earlier report:
Sen. Patrick Leahy
has abandoned his controversial proposal that would grant government
agencies more surveillance power — including warrantless access to
Americans’ e-mail accounts — than they possess under current law.
The Vermont
Democrat said
today on Twitter that he would “not support such an exception”
for warrantless access. The remarks came a few hours after a CNET
article was published this morning that disclosed the existence
of the measure.
A vote on the
proposal in the Senate Judiciary committee, which Leahy chairs, is
scheduled
for next Thursday. The amendments were due to be glued onto a
substitute (PDF)
to H.R.
2471, which the House of Representatives already has approved.
Leahy’s
about-face comes in response to a deluge of criticism today,
including the American Civil Liberties Union saying that warrants
should be required, and the conservative group FreedomWorks launching
a petition
to Congress — with more than 2,300 messages sent so far — titled:
“Tell Congress: Stay Out of My Email!”
Read more on CNET.
The phishing was good... Not real
clear what was done or how it was done. I hope the state got a
better report. (At least, more than four pages...)
Forensic report on SCDOR breach
November 20, 2012 by admin
Here’s Mandiant’s report on the breach at the South Carolina Department of Revenue.
From the Executive Summary, a summary of the attack:
Summary of the Attack
A high-level understanding of the most important aspects of the compromise is detailed below.
1. August 13, 2012: A malicious (phishing) email was sent to multiple Department
of Revenue employees. At least one Department of Revenue user
clicked on the embedded link, unwittingly executed malware, and
became compromised. The malware likely stole the user’s username
and password. This theory is based on other facts discovered during
the investigation; however, Mandiant was unable to conclusively
determine if this is how the user’s credentials were obtained by
the attacker.
2. August 27, 2012: The attacker logged into the remote access service (Citrix)
using legitimate Department of Revenue user credentials. The
credentials used belonged to one of the users who had received and
opened the malicious email on August 13, 2012. The attacker used the
Citrix portal to log into the user’s workstation and then leveraged
the user’s access rights to access other Department of Revenue
systems and databases with the user’s credentials. [Not
sure what they are saying here. Did they change access rights? The
report does not say... Bob]
3. August 29, 2012: The attacker executed utilities designed to obtain user
account passwords on six servers. [Copying
unencrypted passwords? Bob]
4. September 1, 2012: The attacker executed a utility to obtain user account
passwords for all Windows user accounts. The attacker also installed
malicious software (“backdoor”) on one server.
5. September 2, 2012: The attacker interacted with twenty-one servers using a
compromised account and performed reconnaissance activities. The
attacker also authenticated to a web server that handled payment
maintenance information for the Department of Revenue, but was not
able to accomplish anything malicious.
6. September 3, 2012: The attacker interacted with eight servers using a compromised
account and performed reconnaissance activities. The attacker again
authenticated to a web server that handled payment maintenance
information for the Department of Revenue, but was not able to
accomplish anything malicious.
7. September 4, 2012: The attacker interacted with six systems using a compromised
account and performed reconnaissance activities.
8. September 5 – 10, 2012: No evidence of attacker activity was identified.
9. September 11, 2012: The attacker interacted with three systems using a compromised
account and performed reconnaissance activities.
10. September 12, 2012: The attacker copied database backup files to a staging
directory.
11. September 13 and 14, 2012: The attacker compressed the database backup files into
fourteen (of the fifteen total) encrypted 7-zip archives.
The attacker then moved the 7-zip archives from the database server
to another server and sent the data to a system on the Internet. The
attacker then deleted the backup files and 7-zip archives.
12. September 15, 2012: The attacker interacted with ten systems using a compromised
account and performed reconnaissance activities.
13. September 16, 2012 – October 16, 2012: No evidence of attacker activity was
identified.
14. October 17, 2012: The attacker checked connectivity to a server using the
backdoor previously installed on September 1, 2012. No evidence of
additional activity was discovered.
15. October 19 and 20, 2012: The Department of Revenue executed remediation activities
based on short-term recommendations provided by Mandiant. The intent
of the remediation activities was to remove the attacker’s access
to the environment and detect a re-compromise.
16. October 21, 2012 – Present: No evidence of related malicious activity
post-remediation has been discovered.
Read the full report.
(Related) “We knew how to prevent
this, but we didn't bother...”
Haley admits hacking errors; revenue chief resigns
November 20, 2012 by admin
Governor Haley has now walked back some of her more irritating
claims about South Carolina’s massive data breach. Seanna
Adcox of Associated Press reports:
A report on a
massive security breach at the South Carolina tax collection agency
shows the state could have done more to protect personal information
for nearly 4 million taxpayers, Gov. Nikki Haley said Tuesday. She
also said she accepted the resignation of Department of Revenue
Director Jim Etter effective at the end of the year.
Haley said the
report from computer security firm Mandiant found hackers may have
3.3 million bank account numbers from South Carolina taxpayers.
The state made two
mistakes, according to the report. It didn’t require two different
ways to verify when someone was trying to get into the system to look
at tax returns and it did not encrypt Social Security numbers, Haley
said.
Read more on Seattle PI.
[From the Seattle PI article:
… the
Republican governor blamed the debacle on antiquated state software
and outdated IRS security guidelines.
"This is a new era in time,"
Haley said. "You can't work with 1970 equipment. You can't go
with compliance standards of the federal government. Both are
outdated."
…
Last
week, Haley ordered all of her 16 Cabinet agencies to use computer
monitoring by the state information technology division. The revenue
department has been criticized for previously turning
down its free services.
… The
cost of the state's response has exceeded $14 million. That includes
$12 million to the Experian credit-monitoring agency to cover
taxpayers who sign up — half of which is due next month — and
nearly $800,000 for the extra security measures ordered last week.
The
Revenue Department has estimated spending $500,000 for Mandiant,
$100,000 for outside attorneys and $150,000 for a public relations
firm. But those costs will depend on the total hours those firms
eventually spend on the issue. The agency also expects to spend
$740,000 to mail letters to an estimated 1.3 million out-of-state
taxpayers.
Nowhere near the largest in absolute numbers, but still a fair chunk
of the population...
Man arrested over theft of 9 million Greek files
November 20, 2012 by admin
CNBC reports:
A Greek man has
been arrested on suspicion of having stolen 9 million personal
data files in what is believed to be the biggest breach of
private information the country has ever seen.
Police said
Tuesday that the 35-year-old, whose name was not released, was found
in possession of the data files that included identity card details,
tax numbers, vehicle license plate numbers and home addresses.
Read more on CNBC.
Greece now joins Israel in having almost its entire citizenry’s data stolen.
[From the CNBC article:
… The files appeared to include
duplicate entries, meaning the number of actual individuals affected
could be lower. Greece has a population of around 10 million.
… The investigation began Monday
after an employee at the data protection authority notified
police that someone appeared to have a large number of digital files
containing personal data, the head of financial and electronic crimes
police Dimitris Georgatzis said.
[Note: The DPA
(http://www.dpa.gr/portal/page?_pageid=33,40911&_dad=portal&_schema=PORTAL)
may have been browsing through online storage records, since there
is no indication they know how (or even where) the data was
obtained. Bob]
Be careful when you blow that whistle...
Jail Looms for Man Who Revealed AT&T Leaked iPad User E-Mails (updated)
November 20, 2012 by admin
Tom Simonite reports:
AT&T screwed
up in 2010, serving up the e-mail addresses of over 110,000 of its
iPad 3G customers online for anyone to find. But today Andrew
Auernheimer, an online activist who pointed out AT&T’s blunder
to Gawker Media, which went on to publicize
the breach of private information, is the one in federal court
this week.
His case
highlights some potentially troubling disconnects between the
practicalities of online life and the rule – and application – of
the law.
Read more on MIT Technology Review. The jury has the case now as I post this and
I’ll update later.
Update: He
was found guilty. Kim Zetter provides background on the case and
how chat logs may have helped convict them. Auernheimer tweeted
after the verdict that he plans to appeal.
This is truly creepy...
The Mannequins Will Be Watching You
This holiday season, if you shop at
Benetton, you may be under surveillance.
Of course, we are all pretty used to
the idea of security cameras trained on the entrance of a store, or
over a counter of particularly expensive goods, and we've become
accustomed -- even if we don't like it, on a gut level -- to the
tracking that comes with online shopping, populating the ad boxes
from website to website of those sneakers you just looked at. But
Benetton's surveillance looks a little different: The store has
purchased mannequins from an Italian company which
promises that "from now on the mannequins will not only
display your collections ... [but will] make it possible to 'observe'
who is attracted by your windows and reveal important details about
[them]."
It probably isn't smart to ignore irate parents. And I don't think
the Founding Fathers actually said, “We respect no religion...”
"Lawyers representing Andrea
Hernandez, a science and engineering student at John Jay High School,
are fighting
an expulsion notice issued a week ago for refusing
to wear a Smart ID badge. To represent her, lawyers filed a
preliminary court injunction, seeking legal restraints on the school.
She maintains her stance of refusal to wear any badge containing an RFID
tag for reasons of basic privacy and conflicts
with her belief system. [RFID
is the “Mark of the Beast” Bob] The
controversial decision for her school to adopt the NFC badges is part
of the Student Locator Project, tracking attendance. Local schools
started issuing the lanyard badges this fall despite parental outcry
at NISD school board meetings."
No doubt the “It's not fair!”
whiners will be out in force. “Don't bother me with facts.
Computers is magic!”
"Europe's proposed 'right to be
forgotten' has been the subject of intense debate, with many people
arguing
it's simply not practical in the age of the internet for any data
to be reliably expunged from history. Well, add another voice to
that mix. The European Network and Information Security Agency
(ENISA) has published its
assessment of the proposals (PDF), and the tone is skeptical to
say the least. And, interestingly, one of the biggest problems ENISA
has found has to do with big data. They say, 'Removing forgotten
information from all aggregated or derived forms may present a
significant technical challenge. On the other hand, not removing
such information from aggregated forms is risky, because it may be
possible to infer the forgotten raw information by correlating
different aggregated forms.'"
Cheap War: Compared to the Marine Expeditionary Force or the 101st
Airborne, drones are cheap. So we can start a whole bunch of “Drone
Wars” for the cost of a single F-22 fighter!
Leon Panetta Has a Few More Drone Wars Ready to Go
There once was a time, just last year,
when Defense Secretary Leon Panetta thought the U.S. was this
close to wiping al-Qaida off the face of the earth, once and for
all. That appears to have gone up in the flames of the U.S.
consulate in Benghazi. Now, a more dour Panetta believes that it’s
not enough to continue the drone strikes and commando raids in
Pakistan, Yemen and Somalia; they’ve got to expand “outside
declared combat zones” to places like Nigeria, Mali and
even Libya.
That was Panetta’s message at a Tuesday evening address to the
Center for American Security, an influential
Washington defense think tank. Panetta, a former director of the
CIA, gave a strong defense of counterterrorism drone
strikes and commando raids, calling them “the most
precise campaign in the history of warfare,”
and indicated strongly that they’re only going to
intensify in the coming years.
Rattle the anti-trust saber before the
election to gather the anti-business vote, then drop everything for
the next four years to reward a major contributor? Nah. That only
happens in the movies...
A couple weeks back, we heard the FTC may be close to making a
decision on whether or not it
wants to take Google to court over claims of anti-competitive
behavior. If a new report from Bloomberg
is to be believed, however, the FTC may have a problem actually
hitting Google with antitrust charges due to a lack of evidence. If
that’s true, then Google may just be able to get out of this whole
thing without ending up in court.
e-Lawyer v. e-Lawyer. Could be fun!
Online Legal Services Company LegalZoom Sues Rival RocketLawyer For Misleading Advertising, Trademark Infringement And More
This is going to get ugly. Online legal
services company LegalZoom
is suing
rival Rocket
Lawyer, according to a release issued by the LA-based LegalZoom
today. The charges are false and misleading advertising, trademark
infringement and unfair competition. The suit was filed in the
United States District Court for the Central District of California.
Apparently the Naval Observatory clock re-booted...
"It seems a glitch of some sort
wreaked
havoc on some NTP servers yesterday, causing
many machines to revert to the year 2000. It seems the Y2K bug
that never happened is finally catching up with us in 2012."
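The defensive check that would have caught a reply like the one described above: a client that refuses to step its clock by more than ntpd's default 1000-second panic threshold. This is an added illustration, not code from the Slashdot post or from any NTP implementation; the packet it parses is constructed inline and the 2012-11-20 local time is an assumed value.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# ntpd refuses to step the clock by more than 1000 s unless told otherwise;
# the same sanity limit is used here so a reply from the year 2000 is rejected.
MAX_STEP_SECONDS = 1000


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_transmit_timestamp(packet):
    """Return the transmit timestamp (Unix seconds) from a raw 48-byte NTP server reply."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:  # mode 4 = server reply
        raise ValueError("not an NTP server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", packet[40:48])  # transmit timestamp field
    return ntp_to_unix(secs, frac)


def check_offset(server_time, local_time, max_step=MAX_STEP_SECONDS):
    """Return (acceptable, offset); offset = server - local, acceptable if within max_step."""
    offset = server_time - local_time
    return abs(offset) <= max_step, offset


def build_server_reply(unix_time):
    """Constructed sample: a minimal NTP reply whose transmit timestamp is unix_time."""
    whole = int(unix_time)
    secs = whole + NTP_EPOCH_OFFSET
    frac = int((unix_time - whole) * 2**32)
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 4  # LI=0, version 4, mode 4 (server)
    pkt[1] = 1                         # stratum 1, as a reference clock would report
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)


def accept_reply(packet, local_time, max_step=MAX_STEP_SECONDS):
    """Parse a reply and decide whether to apply it; returns (acceptable, offset_seconds)."""
    return check_offset(parse_transmit_timestamp(packet), local_time, max_step)


if __name__ == "__main__":
    # Assumed scenario: local clock reads 2012-11-20 00:00 UTC, the server answers
    # with 2000-01-01 00:00 UTC, the kind of reply the post describes.
    LOCAL_2012 = 1353369600
    bad_reply = build_server_reply(946684800)
    print("year-2000 reply accepted:", accept_reply(bad_reply, LOCAL_2012)[0])
    good_reply = build_server_reply(LOCAL_2012 + 2)
    print("+2 s reply accepted:", accept_reply(good_reply, LOCAL_2012)[0])
```

A client that already trusts a wildly wrong reply from one server is the failure mode here; the check above only gates the step, so pairing it with several independent servers is what actually makes the decision robust.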
If you fail one of my tests, “I
really don't care why!” We could just change the law to: “Your
driving looked 'funny' to the arresting officer.”
"A recent assessment by the
National Highway Traffic Safety Administration, based on random
roadside checks, found that 16.3% of all drivers nationwide at night
were on various legal and illegal impairing drugs, half of them high on
marijuana. Now AP reports that with marijuana soon legal under state
laws in Washington and Colorado, setting a standard comparable to
blood-alcohol limits has sparked intense disagreement. Unlike
portable breath tests for alcohol, there's
no easily available way to determine whether someone is impaired from
recent pot use. If scientists can't tell someone how much
marijuana it will take for him or her to test over the threshold, how
is the average pot user supposed to know? 'We've had decades of
studies and experience with alcohol,' says Washington State Patrol
spokesman Dan Coon. 'Marijuana is new, so it's going to take some
time to figure out how the courts and prosecutors are going to handle
it.' Driving within three hours of smoking pot is associated with a
near doubling of the risk of fatal crashes. However, THC
can remain in blood and saliva for highly variable times after the
last use of the drug. Although the marijuana 'high' only lasts
three to five hours, studies of heavy users in a locked hospital ward
showed THC can be detected in the blood up to a week after they are
abstinent, and the outer limit of detection time in saliva tests is
not known. 'A lot of effort has gone into the study of drugged
driving and marijuana, because that is the most prevalent drug, but
we are not nearly to the point where we are with alcohol,' says
Jeffrey P. Michael, the National Highway Traffic Safety
Administration's impaired-driving director. 'We
don't know what level of marijuana impairs a driver.'"
Hey! I know students who could do this!
"Last week, Nate Silver ranked
Google Consumer Surveys as one of the most accurate polling firms of
the 2012 US election. This week, Google
has released the raw data that went into its election-day
prediction, and is running a contest for interesting visualizations
of that data. They provide a few examples of their own, including a
WebGL globe view."