Wednesday, February 27, 2013

This is very interesting. Stuxnet was considered really sophisticated for 2010, if it really dates back to 2007 it is 4 or 5 generations more sophisticated than we thought! (Counted in Internet years)
Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon
As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.
The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant.
The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005.
… The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.


So, this is the hackers watching the bank talk to some third-party security types about watching the hackers watch the bank?
Michael Kelley and Geoffrey Ingersoll report:
Anonymous hackers have released 14 gigabytes of information allegedly related to Bank of America and a web intelligence firm it hired to spy on hackers and social activists last year.
Emails detail how employees of TEKSystems actively watched hacker forums and social media sites for any remotely relevant pieces of “intelligence.”
Read more on Business Insider.
Cyber War News has some additional details on the data dump here and here. There hasn’t been much mainstream media coverage of this data leak yet and BofA has not confirmed claims yet, nor responded to a claim in the press release that no hacking was involved:
The source of this release has confirmed that the data was not acquired by a hack but because it was stored on a misconfigured server and basically open for grabs.
Even more alarming, the data was retrieved from an Israeli server in Tel Aviv – neither the source nor we have any idea what the data was doing there in the first place.


I guess the Pentagon has finally looked around and noticed that the average Afghan has a smartphone that could be used to talk to the bad guys, photograph the good guys, set off roadside bombs, even fly homemade drones. NOTE: This is similar to the BYOD we are seeing in some organizations.
Pentagon Wants a ‘Family of Devices’ as It Makes Big Move Into Mobile Market
The next big customer for smartphones and tablets? The U.S. military. Finally.
The military has begun talks with device and mobile operating-system manufacturers, as well as the major carriers, to supply troops with secured mobile devices. The idea is for the manufacturers to offer the Pentagon an already-secure device and OS, rather than for the military to laboriously build a bespoke mobile suite that inevitably won’t keep pace with commercial innovation. [...we have plenty of examples of how poorly that turns out. Bob]
… The architects of the Pentagon’s new Commercial Device Mobile Implementation Plan, unveiled Tuesday, want to be clear they’re not talking about soldiers, sailors, airmen and Marines all buying, say, an iPhone 5 — and being stuck with it for years after the companies come out with improved, upgraded mobile products. And they’d prefer to let the troops pick from a selection of secured, approved smartphones and tablets, not issue everyone a mobile device like they issue rifles.
“We’re device-agnostic,” Air Force Maj. Gen. Robert Wheeler, the Pentagon’s deputy chief information officer, told reporters. “What we’re looking for is a family of devices that are available depending on the operator. … And we’re going to continue to update as they update.”


Meanwhile, here on the home front...
February 26, 2013
ACLU - New Document Sheds Light on Government’s Ability to Search iPhones
"Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them."


I'd like a bit more than the raw numbers.
February 26, 2013
FTC Releases Top 10 Complaint Categories for 2012
  • "Identity theft is once more the top complaint received by the Federal Trade Commission, which has released its 2012 annual report of complaints. 2012 marks the first year in which the FTC received more than 2 million complaints overall, and 369,132, or 18 percent, were related to identity theft. Of those, more than 43 percent related to tax- or wage-related fraud. The report gives national data, as well as a state-by-state accounting of top complaint categories and a listing of the metropolitan areas that generated the most complaints. This includes the top 50 metropolitan areas for both fraud complaints and identity theft complaints."

(Related)
Penny Crosman reports:
A report released by KPMG on Tuesday finds that globally, there’s been a 40% increase in the number of publicly disclosed data loss incidents in the past two years. However, financial services firms have seen an 80% decrease in number of incidents in the past five years.
Read more on American Banker. You can find the KPMG report here (pdf). Haven’t had time to read it yet, but it will be interesting to see how their findings compare with the QuickView report and other analyses.
[From the article:
One reason the reporting of data breaches has increased is because of an SEC order in October 2011 that required more transparency over cyber risk and disclosure of the impact of data breaches. "That was the first time publicly traded organizations were obligated to disclose information about data breaches that did not pertain to personally identifiable information," Bell observes.


With lines like, “A society that permits the unchecked ascendancy of surveillance infrastructures cannot hope to remain a liberal democracy.” you know I've got to read this closely.
Jathan Sadowski writes:
… Privacy should have a deeper purpose than the one ascribed to it by those who treat it as a currency to be traded for innovation, which in many circumstances seems to actually mean corporate interests. To protect our privacy, we need a better understanding of its purpose and why it is valuable.
That’s where Georgetown University law professor Julie E. Cohen comes in. In a forthcoming article for the Harvard Law Review, she lays out a strong argument that addresses the titular concern “What Privacy Is For.” Her approach is fresh, and as technology critic Evgeny Morozov rightly tweeted, she wrote “the best paper on privacy theory you’ll get to read this year.” (He was referring to 2012.)
Read more on The Atlantic.


Curious. Is this an indication of a screw-up? Something made their “slam dunk” a lot less probable? Should Kim Dotcom's lawyers talk to this guy?
Feds strike a deal with alleged illegal streaming site operator
After taking down Channelsurfing.net and arresting its alleged owner in 2011, the feds now seem to be easing up. Before going to trial, the government struck a deal earlier this month with the alleged site owner Brian McCarthy.
In a "Deferred Prosecution" memo filed on February 11, which was obtained by TorrentFreak, U.S. Attorney Preet Bharara writes that "after a thorough investigation, it has been determined that the interest of the United States and your own interest will best be served by deferring prosecution in this District."
… It's unclear why the feds are letting McCarthy off the hook. Under the terms of the deal he came to with the government, he has to show good behavior, find a legal job, not violate any laws, and steer clear of anything to do with illegal Internet streaming. He also has to pay back $351,033, which he allegedly made via Channelsurfing.net, according to TorrentFreak.


An interesting question. Since not all users are equally valuable, who would flee and how would Google price “freedom” to compensate for their loss?
"I've been thinking a lot about how much information I give to technology companies like Google and Facebook and how I'm not super comfortable with what I even dimly know about how they're handling and selling it. Is it time for major companies like this, who offer arguably utility-like services for free in exchange for info, to start giving customers a choice about how to 'pay' for their service? I'd much rather pony up a monthly fee to access all the Google services I use, for example, and be assured that no tracking or selling of my information is going on. I'm not aware of how much money these companies might make from selling data about a particular individual, but could it possibly be more than the $20 or $30 a month I'd fork over to know that my privacy is a little more secure? Is this a pipe dream, or are there other people who would happily pay for their private use of these services? What kinds of costs or problems could be involved with companies implementing this type of dual business model?"


Perspective. Can anyone remember when it was unusual to hear anyone talk about “a billion” anything?
Dropbox clears 1 billion file uploads per day
People save 1 billion files every day to Dropbox's online storage service, Chief Executive Drew Houston said today at the Mobile World Congress show here.
… When the company started, Dropbox could synchronize people's data among PCs, but now of course it helps bridge the gaps to smartphones, tablets, and presumably other Internet-connected devices of the future. The company has been gradually expanding the abilities of its software to make it more of a central hub for people's data with features such as graphics viewers and automatic photo uploads from phones.


Perspective. Convergence means industry techniques are getting smarter and easier for individuals to use... Now every Computer Design major can “print” their own car...
3-D Printed Car Is as Strong as Steel, Half the Weight, and Nearing Production
Picture an assembly line that isn’t made up of robotic arms spewing sparks to weld heavy steel, but a warehouse of plastic-spraying printers producing light, cheap and highly efficient automobiles.
If Jim Kor’s dream is realized, that’s exactly how the next generation of urban runabouts will be produced. His creation is called the Urbee 2 and it could revolutionize parts manufacturing while creating a cottage industry of small-batch automakers intent on challenging the status quo.


Good news for my Computer Security majors...
Mike Millard reports:
The sixth Global Information Security Workforce Study, conducted by (ISC)² shows that a shortage of information security professionals is having an adverse impact on healthcare and other industries, even as vulnerabilities such as mobile devices and social media are on the rise.
The (ISC)² study, conducted in partnership with Booz Allen Hamilton and Frost & Sullivan, examined security practices across many industries. One of its key findings is that more than two-thirds of chief information security officers say they’re short-staffed – leading to an increased threat of expensive breaches.
Read more on HealthcareIT News.
[The report:
