For my Computer Security students.
"Onion-Layered" Attacks on the Rise, IBM Says
Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.
IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried out by two actors: a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated, stealthy attacker who might expand their grip on the victim’s network without being detected for weeks or even months.
…
Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.
"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."
Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.
IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.
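Corero’s point (the flood is cover for exfiltration) and IBM’s advice to keep visibility into the network suggest one concrete check. The following is an added example, not code from IBM, Corero or the report: over constructed flow records it finds the flood window from inbound volume, then flags internal hosts whose outbound volume to external addresses during that window far exceeds their pre-flood baseline. The record format, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
# Added example (not from IBM's report or Corero): spotting the quiet half of an
# "onion-layered" incident. While an inbound flood runs, alert on internal hosts
# whose outbound volume to external addresses jumps far above their pre-flood
# baseline. Flow-record format, address ranges and thresholds are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range
FLOWS = [  # constructed flow records: (minute, src_ip, dst_ip, bytes)
    (0, "10.0.0.5", "203.0.113.9", 12_000),         # baseline browsing
    (1, "10.0.0.7", "203.0.113.9", 9_000),
    (10, "203.0.113.77", "10.0.0.1", 900_000),      # flood against the web host
    (10, "203.0.113.78", "10.0.0.1", 950_000),
    (11, "203.0.113.79", "10.0.0.1", 980_000),
    (11, "10.0.0.5", "203.0.113.9", 14_000),        # still normal
    (11, "10.0.0.7", "198.51.100.200", 2_400_000),  # big upload while flood runs
    (12, "203.0.113.80", "10.0.0.1", 910_000),
    (12, "10.0.0.7", "198.51.100.200", 2_600_000),
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def flood_minutes(flows, inbound_threshold: int) -> set:
    """Minutes in which inbound bytes to internal hosts reach the threshold."""
    inbound = defaultdict(int)
    for minute, src, dst, nbytes in flows:
        if not is_internal(src) and is_internal(dst):
            inbound[minute] += nbytes
    return {m for m, b in inbound.items() if b >= inbound_threshold}


def suspicious_egress(flows, inbound_threshold=500_000, ratio=10.0) -> list:
    """Internal hosts whose outbound bytes/minute during the flood exceed
    `ratio` times their outbound bytes/minute before the flood started."""
    window = flood_minutes(flows, inbound_threshold)
    start = min(window, default=0)  # no flood: `during` stays empty below
    before, during = defaultdict(int), defaultdict(int)
    for minute, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            if minute < start:
                before[src] += nbytes
            elif minute in window:
                during[src] += nbytes
    flagged = []
    for host, out_bytes in during.items():
        baseline = before[host] / max(start, 1)  # bytes per minute, 0 if unseen
        if out_bytes / len(window) > ratio * max(baseline, 1.0):
            flagged.append(host)
    return sorted(flagged)
```

With real NetFlow or firewall logs the same two passes apply: derive the flood window from inbound volume, then compare each host’s egress inside it against its own history rather than a fixed number.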
Not a huge breach, but it illustrates (for my Computer Security students) how failure to follow Best Practices can result in the recreation of well-known failures.
Hannah Francis reports:
Australians’ private tax records were left unsecured thanks to a serious flaw in how the tax office’s online services connect with myGov, in the latest of a series of security bungles related to the federal government’s online services.
Experts have raised concerns over the handling of IT security issues by the Australian Taxation Office and the Department of Human Services, which runs the overarching service portal myGov, after a taxpayer who tried to report the issue claimed he was hung up on twice by the agencies’ call centre staff.
[From the article:
In a video obtained exclusively by Fairfax Media, Liew demonstrated how downloading a PDF letter from the tax office by clicking on a link within the myGov mailbox creates a "cookie" which logs the user into ato.gov.au. (In this case, cookies are used to authenticate the "single sign-on" process, or SSO, whereby the user only has to log in once with myGov to access multiple linked services, such as tax, Medicare and Centrelink.)
Because clicking on the PDF link didn't actually open a browser page at ato.gov.au and therefore a page was never closed, the cookie did not expire, meaning the next user who logged in to myGov and clicked on a link to ato.gov.au saw the previous user's records.
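A toy model of the single sign-on failure the article describes, added here as an example rather than taken from myGov, the ATO or the article: the ATO session cookie planted by the PDF link outlives the myGov login, so the next user of the same browser presents it. The service names, token format and session stores are assumptions; the single_logout flag shows one mitigation, revoking every downstream session when the upstream login ends.

```python
# Toy model of the myGov -> ato.gov.au single sign-on described above (added
# example, not myGov/ATO code; names, token format and stores are assumed).
import secrets
from typing import Optional

class SsoBroker:
    def __init__(self, single_logout: bool, ttl: float = 900.0):
        self.single_logout, self.ttl = single_logout, ttl
        self.mygov = {}  # myGov session id -> user
        self.ato = {}    # ATO session id -> (user, parent myGov sid, expiry)

    def login(self, user: str, jar: dict) -> None:
        sid = secrets.token_hex(16)
        self.mygov[sid] = user
        jar["mygov_session"] = sid

    def fetch_letter(self, jar: dict, now: float) -> str:
        """The PDF link silently plants an ATO session cookie in the browser."""
        parent = jar["mygov_session"]
        user = self.mygov[parent]
        sid = secrets.token_hex(16)
        self.ato[sid] = (user, parent, now + self.ttl)
        jar["ato_session"] = sid
        return f"letter for {user}"

    def logout(self, jar: dict) -> None:
        parent = jar.pop("mygov_session", None)
        self.mygov.pop(parent, None)
        if self.single_logout:
            # Fix: revoke every ATO session issued under this myGov login, so the
            # stale cookie left in the shared browser is worthless afterwards.
            self.ato = {s: v for s, v in self.ato.items() if v[1] != parent}

    def ato_records(self, jar: dict, now: float) -> Optional[str]:
        """What ato.gov.au shows for whatever cookie the browser presents."""
        entry = self.ato.get(jar.get("ato_session", ""))
        if entry is None or now > entry[2]:
            return None
        return f"records of {entry[0]}"


def shared_browser(single_logout: bool) -> Optional[str]:
    """Alice reads her letter and logs out; Bob logs in on the same browser."""
    broker, jar = SsoBroker(single_logout), {}
    broker.login("alice", jar)
    broker.fetch_letter(jar, now=0.0)
    broker.logout(jar)
    broker.login("bob", jar)
    # Bob follows the ato.gov.au link; the browser still presents Alice's cookie.
    return broker.ato_records(jar, now=60.0)
```

Without single logout, shared_browser(False) hands Bob Alice’s records; with it, the same click returns nothing, and the ttl bounds how long a leftover cookie can matter even where logout propagation fails.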
(Related) A somewhat larger breach, illustrating how failure to follow established (but apparently unsupervised) procedures can send things south in a hurry.
Secretary of State released names and all identifying info on 6.1 million voters
Every month, the Secretary of State (Brian Kemp) releases all the new registered voters on a disc so that various entities can update their records. This information is generally limited to names, addresses, and demographic information. But last week, the SoS decided to give out a bunch of information it has collected on you and everybody you know to anyone who signed up.
Their monthly CD for October contained the Drivers license number, social security number, full name, address, and everything else you need to steal someone’s identity for every single registered voter in Georgia. All 6.1 million of us. It was not encrypted. It was not password protected. It was a gift for anyone who ever thought of doing wrong.
Now this is interesting. They must have had some evidence that this research existed. What would justify a subpoena?
Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor
Carnegie Mellon University today implied in a statement that it was served with a subpoena to hand over research related to unmasking the identity of users on the Tor network, and that it was not paid $1 million by the FBI for doing so, as alleged by the Tor Project.
The statement, released shortly after noon Eastern, is vague and fails to answer a number of outstanding questions not only about the ethics and legality of the attack on Tor, but also whether the research was prompted by the government, which, the Snowden documents revealed, has had its struggles breaking Tor traffic.
Of course NSA would like to review these “exploits.” It's possible (if unlikely) there might be something to learn, but at minimum there will be “fingerprints” to record. I wonder if they can trace anyone who subscribes? Perhaps companies could fund an organization to buy and analyze and then share the results?
Here’s a Spy Firm’s Price List for Secret Hacker Techniques
… In an unprecedented move Wednesday, the zero-day broker startup Zerodium published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and resells in a subscription service to customers that include government agencies. The list, which details the sums it pays for attack methods that affect dozens of different applications and operating systems, represents one of the most detailed views yet into the controversial and murky market for secret hacker exploits.
… An attack that can fully, remotely take over a victim’s computer through his or her Safari or Internet Explorer browser, for instance, fetches a price of as much as $50,000. For the harder target of Google Chrome, Zerodium’s price rises to $80,000. Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.
… Zerodium, in other words, is keeping its fresh hacker techniques under wraps for its customers, which it says include “government organizations in need of specific and tailored cybersecurity capabilities,” as well as corporate customers it says use the techniques for defensive purposes. Zerodium founder Bekrar says Zerodium clients pay subscription rates of at least $500,000 a year for access to its exploits. He wouldn’t name any specific customers. But Bekrar’s last startup, the French company Vupen, more explicitly offered its zero-day exploits to customers it described as government agencies within NATO and “NATO ally” countries. A Freedom of Information request from the investigative news site Muckrock in 2013 showed that Vupen’s customers included the NSA.
Not everyone who should encrypt their communications bothers to do so. Not all terrorists are knowledgeable about secure communications and many are mere “cannon fodder” who are not worth investing the time and effort to train. That does not mean every terrorist communication will be recognized, analyzed, and communicated to appropriate authorities in time to stop attacks.
Signs Point to Unencrypted Communications Between Terror Suspects
In the wake of the Paris attack, intelligence officials and sympathizers upset by the Edward Snowden leaks and the spread of encrypted communications have tried to blame Snowden for the terrorists’ ability to keep their plans secret from law enforcement.
Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.
… Details about the major ISIS terror plot averted 10 months ago in Belgium also indicate that while Abaaoud previously attempted to avoid government surveillance, he did not use encryption.
A prescient bulletin sent out in May by the Department of Homeland Security assessed “that the plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more complex operations in the West.”
Abaaoud’s planned operation in Belgium was blown when authorities, who had been closely surveilling his three accomplices, stormed their safe house in the city of Verviers after determining that they were planning a major attack — very much like the one that took place in Paris on Friday. A pitched firefight between Belgian commandos and the ISIS veterans firing Kalashnikov rifles and lobbing grenades ended with two suspects dead and a third captured.
Belgian investigators concluded that Abaaoud directed the foiled operation there by cellphone from Greece — and that despite his attempts to avoid surveillance, his communications were in fact intercepted.
Just a few days after the raid, Belgian news website RTL Info ran a whole article titled “What the Terrorist Suspects under Surveillance Were Saying.” It described surveillance over several months, through wiretaps and listening devices placed in the suspects’ car and their apartment.
(Related) Perhaps they were too arrogant to call for help? No doubt this is what the CIA and FBI will be talking about in those Congressional hearings.
ISIS Has Help Desk for Terrorists Staffed Around the Clock
… Counterterrorism analysts affiliated with the U.S. Army tell NBC News that the ISIS help desk, manned by a half-dozen senior operatives around the clock, was established with the express purpose of helping would-be jihadists use encryption and other secure communications in order to evade detection by law enforcement and intelligence authorities.
Interesting and strange guy. He appears to be doing what is expected, but I doubt his heart is in it.
Founder of app used by ISIS once said ‘We shouldn’t feel guilty.’ On Wednesday he banned their accounts.
Pavel Durov knew that terrorists were using his app to communicate. And he decided it was something he could live with.
“I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism,” the founder of Telegram, a highly secure messaging app, said at a TechCrunch panel in September when asked if he “slept well at night” knowing his technology was used for violence.
… “Ultimately, ISIS will find a way to communicate with its cells, and if any means doesn’t feel secure to them, they’ll [find something else]. We shouldn’t feel guilty about it. We’re still doing the right thing, protecting our users’ privacy.”
… In a Facebook post, Durov blamed “shortsighted socialists” in the French government for the attacks as much as Islamic State militants.
Which is why a statement from Telegram posted on its site Wednesday is such a surprising reversal of course.
“We were disturbed to learn that Telegram’s public channels were being used by ISIS to spread their propaganda,” it read. “… As a result, this week alone we blocked 78 ISIS-related channels across 12 languages.”
The statement had a ring of insincerity to it, given Durov’s comments two months ago (the New York Times noted that the statement sounded like Claude Rains’s famous line in “Casablanca,” claiming to be “shocked, shocked” to find that gambling was happening at Rick’s, just before collecting his winnings).
Interesting. App data for people who haven't even installed the Apps! Android only, so far.
Google boosts mobile search: Now it surfaces app data and streams apps
… With today's changes, Google will start showing content in mobile search results that only lives within apps, for example, apps with content that doesn't have a corresponding web page.
An example of a mobile app that has corresponding web content is Facebook, which earlier this week enabled Google's app indexing. Now Android users can hop from search results of indexed Facebook pages directly to the relevant part of Facebook's app. Other popular apps that are indexed by Google include Airbnb, Instagram and Pinterest.
Under the extended app-indexing service, content from apps such as HotelTonight, which does not have corresponding web content, will also appear in search results. The aim is to make it easier to find information in applications.
Along with this development, Google has kicked off app-streaming from Search, so users can interact with an app that they haven't yet installed.
"With one tap on a Stream button next to the HotelTonight app result, you'll get a streamed version of the app, so that you can quickly and easily find what you need, and even complete a booking, just as if you were in the app itself. And if you like what you see, installing it is just a click away. This uses a new cloud-based technology that we're currently experimenting with," Google engineering manager Jennifer Lin said.
According to Marketing Land, for now these options will only be available within the Google app on Android 5.0 and Android 6.0 handsets.
Perhaps a voice will say, “No. It doesn't make you look fat.”
At This Store, the Fitting-Room Mirrors Know All
… In one corner, a lanky blonde woman examines a white cashmere turtleneck before placing it back on its hanger. Had she taken the item into one of the dressing rooms, she'd immediately find an image of the turtleneck displayed on the touchscreen mirror in front of her, with options to request a different size, a different color or a pair of jeans to go with it.
That's right -- the fitting rooms in Ralph Lauren's Polo flagship are smart. Very smart. Equipped with radio-frequency identification technology that tracks items via their tags, the room identifies every item that enters and reflects it back on the mirror that doubles as a touchscreen. Shoppers can interact with the mirror, which functions like a giant tablet, to control the lighting, request alternate items or style advice from a sales associate.
Perspective. Soon Watson may have friends to chat with.
China nearly triples number of supercomputers, report says
The country has 109 high-performance computing systems on the biannual Top500 list of supercomputers, up 196% from 37 just six months ago.
The most powerful supercomputer, China's Tianhe-2, also retained the top spot for the sixth consecutive time.
In contrast, the US has seen the number of its supercomputers decline.
I find 8 in Colorado.
Open Data Inception – 1600+ Open Data Portals Around the World
“You can find the list geotagged on a map at opendatainception.io.
When building the best Open Data portals, the same question always comes up. Where can I find clean and usable data? Our answer is usually: “Did you search on existing Open Data portals?” But the truth is, some Open Data portals can be hard to come by. We decided to put together a resource that would be truly useful for all the data geeks out there (and we know we are plenty). We called this project: Open Data Inception. We rolled up our sleeves and started aggregating all of the Open Data portals we could get our hands on. We are thrilled to present you the first version of our comprehensive list of 1600+ Open Data portals around the world. To facilitate your search, we decided to geotag intergovernmental organization portals on their parent organization headquarters. The table of contents will give you a summary of all countries represented on this list. Simply click on a country’s name and the page will bring you to the correct section. If you are curious about how we created this list, we wrote an article about it. We hope that you will find solace in your data quest with this list. Don’t hesitate to send us feedback through the form at the bottom of the page or at @opendatas”
Perhaps they would help fund the Privacy Foundation?
Introducing New Tools for Nonprofits
… Today we’re testing fundraisers – a new tool – and improving our Donate button, to allow people to donate to charities without leaving Facebook. We hope these features help nonprofits reach new supporters, engage their community and get the valuable funding they need to continue their good work.
In 2013, we first tested different ways for nonprofits to fundraise on Facebook.
I subscribe (via RSS) to a couple of these. Perhaps I should look at some others.
Read More Intelligent Content in 2016 with These 35 Sites
Dilbert elegantly illustrates how the Internet facilitates miscommunication.