Tuesday, December 30, 2014

If there are security measures that can frustrate the NSA's best efforts, would you implement them? “Major problems” is not the same as “impossible,” but would the NSA spend much time or effort trying to read my communications with my bank?
Snowden docs show limit of NSA’s snooping
Documents leaked by Edward Snowden show that the National Security Agency, despite its seemingly best efforts, is unable to crack certain types of cyber defenses.
The German newspaper Der Spiegel uncovered among the former contractor’s document trove new details about the extent of the spy agency’s ability to crack online encryption, which defenders of the agency say is necessary to monitor potential terrorists’ communications. [True if you define “monitor” as read as easily as if they sent you a copy. Bob]
… According to one Snowden document, as of 2012, agents had “major” problems tracking users on the Tor network, which encrypts and relays data all around the Web. The Off-the-Record (OTR) protocol for encrypting instant messages also caused significant problems for the agency, as did the Pretty Good Privacy (PGP) email encryption program, which is decades old and relatively common among security proponents.


Looks like this isn't as resolved as the FBI would hope.
A Bunch Of New Evidence In The Sony Hack Is Pointing Away From North Korea
New evidence emerging in the Sony Pictures cyberattack suggests that the hackers may have been far closer to home than North Korea.
News broke Monday that a security firm working with the FBI has come up with a list of six people who may have been closely involved with the hack. One of the individuals investigated by the firm also happens to be a disgruntled former Sony employee.
Security Ledger reports that Norse investigated a Sony employee known only as "Lena," viewing messages that she posted on social media and group chats. She worked at Sony for over a decade, performing an IT role with a "very technical background."
… A former federal prosecutor has also cast doubt on the FBI's assertion that North Korea was involved with the Sony hack. Mark Rasch of Rasch Technology and Cyberlaw says the claim that North Korea was behind the hack is "doubtful" and that the attack seemed to be carried out by someone with close knowledge of how Hollywood works, leaking only data that was embarrassing to Sony executives.
Many security researchers have been doubtful over the FBI's assertion since the agency announced on Dec. 19 that it was blaming North Korea for the Sony hack. The official US government position is that hackers affiliated with North Korea carried out the attack in retaliation for Sony's releasing the movie "The Interview."


Maury Nichols (one of the few people who admits they read my blog) sent me this article.
What Is Wrong With 'Legal Malware'?
Can malware, malicious by definition, ever be a good thing? Surprisingly, there are law enforcement agencies that would answer yes. There are a growing number of hacking techniques involving malware deployed by governments around the world. Effectively they are using criminal tools, which they claim is a legitimate means to the ultimate, legitimate end – fighting crime, even going so far as deeming their use legal. I disagree. And I think it is a worrying trend generally – one that needs to be nipped in the bud.
My colleague, security researcher Costin Raiu, just recently published a report summarizing his research findings over the years plus predictions for the future in the murky world of sophisticated advanced persistent threat (APT) cyberattacks.
… Based on the reasons I give above, I think it is fair to say that terms like ‘legitimate malware’ or ‘offensive security’ are oxymoronic and disturbingly dystopian, reminiscent of Orwell’s ‘war is peace’ and ‘freedom is slavery’.

(Related) Convergence (the 'hot sheet' and mug shots?) Eventually police will have a Swiss Army Knife type of system. Need a particular tool? Just pull out a new blade.
TheNewspaper.com reports:
The leading supplier of automated license plate reader technology in the US (ALPR, also known as ANPR in Europe) is expanding its offerings to law enforcement. Vehicle owners have already had their movements tracked by the company Vigilant Solutions, which boasts 2 billion entries in its nationwide database, with 70 million additional license plate photographs being added each month. Now passengers can also be tracked if they hitch a ride with a friend and are photographed by a camera aimed at the front of the car. The Livermore, California-based firm recently announced expanded integration of facial recognition technology into its offerings.
[…]
Only a handful of states have laws in place to regulate automated license plate reader technology.
Read more on TheNewspaper.com.

(Related) If we gather information on you, deliberately or not, it's an ongoing investigation and we don't have to release the information.
John Ruch reports:
The Boston Police Department embodies the Surveillance Age’s chilling twin principles: more power to spy on law-abiding citizens, and less accountability for doing it. That’s what we at the Jamaica Plain Gazette and Mission Hill Gazette have learned as our attempts to investigate police spying abuses are stymied by the department’s flouting of state public records laws.


I'd like to know how they got this past the Board of Directors. Are they relying on “forgiveness?”
The FBI Is Investigating Whether US Banks Are Launching Cyberattacks Of Their Own
Bloomberg is reporting that the FBI is investigating whether US financial institutions have started fighting back against hackers.
It's reported that JPMorgan Chase proposed to the FBI that the bank work from offshore locations to disable the servers used to launch denial of service attacks against its website. But attendees of the meeting dismissed the idea over concerns of its legality.
Despite ruling out the proposed hack, Bloomberg reports that US investigators found that a third party had carried out the attack after all. Now the FBI is investigating whether US companies broke the law in ordering the hack against the Iranian servers.
Sony Pictures, the movie studio targeted by hackers, allegedly used Amazon Web Services to try to disrupt people downloading the files leaked as part of the hack.

(Related) Interesting article.
Since the alleged North Korean cyber operation against Sony in late November, it has become de rigueur to engage in “enemy at the gate” rhetoric. Referring to “how the Internet and cyber operates,” even President Obama described the situation as “sort of the Wild West,” adding “part of the problem is you’ve got weak States that can engage in these kinds of attacks, you’ve got non-State actors that can do enormous damage.” Such a dire portrayal of the current state of cyber affairs on the part of a world leader not known for hyperbole deserves serious attention.


An interesting use of “Big Data.” Will all such uses attract lawsuits?
United and Orbitz sue Skiplagged, a service you should totally use
Skiplagged finds cheap one-way fares by surfacing weird airline pricing strategies, like pricing a NY-SFO-Lake Tahoe flight cheaper than an NY-SFO flight, so you book all the way through to Tahoe, debark at SFO, and walk away from the final leg.
Of course, it only works if you fly without luggage. But given that the airlines' entire business strategy is to hoard information about their pricing and operations from their customers, in the hopes of tricking them into paying more for the same flight than the person in the next seat, it's hard to work up any sympathy for the industry when the tables are turned on them.
Skiplagged doesn't sell plane tickets, they don't even sell information. All they do is document the pricing strategies of the airlines. In the view of United and Orbitz, this is illegal -- they're suing the service (run by a 22 year old New Yorker named Aktarer Zaman), calling it "unfair competition."
Zaman said he knew a lawsuit was inevitable but he points out that there’s nothing illegal about his web site.
He also said he has made no profit via the website and that all he’s done is help travelers get the best prices by exposing an “inefficiency” in airline prices that insiders have known about for decades.


For my students. We've got a lot to read, so pick a tool that works for you!
5 Best PDF & Ebook Readers For Windows


For my Ethical Hackers.
What Is The OBD-II Port And What Is It Used For?
… OBD-II is a sort of computer which monitors emissions, mileage, speed, and other useful data. OBD-II is connected to the Check Engine light, which illuminates when the system detects a problem.
… Traditionally, hand-held scan tools are hooked up, allowing the average vehicle owner to read DTCs. However, a reference for the code numbers is still needed. You can find such a reference in various handbooks and websites, such as OBD-Codes.
Some modern scan tools can be connected to a Windows desktop or laptop, like ScanTool’s OBDLink SX USB Adapter on Amazon for $29.95, which allows you to turn your laptop into a very detailed scan tool.
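As an added example (not from the article, nor from any scan-tool vendor), the decoder below turns the raw two-byte DTC values a scan tool reads from a Mode 03 response into the familiar P/C/B/U code strings that the handbooks and the OBD-Codes site index. It assumes the SAE J1979 encoding and the CAN-style reply with a count byte after 0x43; the sample response bytes are constructed.

```python
"""Decode OBD-II diagnostic trouble codes (DTCs) from a Mode 03 response.

Added example, not code from the article or any vendor. Assumes the SAE
J1979 encoding: each DTC is two bytes; the top two bits of the first byte
select the system letter, the next two bits give the first digit, the low
nibble gives the second digit, and the second byte gives the last two hex
digits. The reply layout (0x43, count, code pairs) is the CAN-style form.
"""

SYSTEM_LETTERS = "PCBU"  # 00=Powertrain, 01=Chassis, 10=Body, 11=Network


def decode_dtc(hi: int, lo: int) -> str:
    """Turn one two-byte DTC into its printed form, e.g. 0x03,0x01 -> 'P0301'."""
    letter = SYSTEM_LETTERS[(hi >> 6) & 0x03]
    first_digit = (hi >> 4) & 0x03
    return f"{letter}{first_digit}{hi & 0x0F:X}{lo:02X}"


def parse_mode03_response(frame: bytes) -> list[str]:
    """Parse a Mode 03 ('show stored DTCs') reply into code strings.

    Byte 0 must be the positive-response byte 0x43 and byte 1 the DTC count
    (assumption: CAN-style reply). Extra 0x0000 pairs are padding, not codes.
    """
    if len(frame) < 2 or frame[0] != 0x43:
        raise ValueError("not a Mode 03 positive response")
    count = frame[1]
    pairs = frame[2:]
    if len(pairs) < 2 * count:
        raise ValueError("frame shorter than the advertised DTC count")
    codes = []
    for i in range(0, 2 * count, 2):
        hi, lo = pairs[i], pairs[i + 1]
        if hi == 0 and lo == 0:
            continue  # padding pair in a fixed-length frame
        codes.append(decode_dtc(hi, lo))
    return codes


# Constructed sample: count=2, P0301 (cylinder 1 misfire), C0123, then padding.
SAMPLE_RESPONSE = bytes([0x43, 0x02, 0x03, 0x01, 0x41, 0x23, 0x00, 0x00])

if __name__ == "__main__":
    print(parse_mode03_response(SAMPLE_RESPONSE))  # ['P0301', 'C0123']
```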
