STE WILLIAMS

Millions of Internet Things are “secured” by the same “private” keys

European security consultancy SEC Consult has spent time over the past few years looking at embedded devices on the internet.

Embedded devices are what you might call the high end of the Internet of Things (IoT) – or, to use the cynic’s description: tiny computers, usually built down to a price, embedded in household devices for which form, function and price come way ahead of security, if security is even considered at all.

SEC Consult has examined thousands of devices such as internet gateways, routers, modems, IP cameras, VoIP phones, and more, from over 70 vendors.

The researchers took two approaches:

  • Analyse device firmware images for cryptographically-related content. (Many devices are Linux-based, so the firmware and its source code are supposed to be public.)
  • Perform internet scans to examine devices that are connected to the internet. (This is not hacking, just looking for services that are already explicitly available from the public side of the network.)

One of the things they looked for was cryptographic keys for the SSH and TLS protocols.

SSH is typically used to secure remote logons or file copying; TLS is typically used to secure web traffic using HTTPS.

Both these protocols use what’s called public-key cryptography, where the server generates a special keypair when it is installed or first starts up, consisting of:

• A public key, which you tell to everyone, used to lock transactions to and from the server.
• A private key, the only way to unlock data that was locked with the public key.

The idea is simple: by having a two-key lock of this sort, you don’t have to share a secret key with the other end before you first communicate, and you don’t have to worry about sharing that secret key with someone who later turns out to be a crook.

The vital part of this two-key system is the rather obvious requirement that you keep the private key private, thus the name private key.

Generally speaking, your private key is for you to use on your server, to secure your (and your customers’) traffic.

If you let anyone else get a copy of your private key, you’re in real trouble, because they could set up an imposter site, and use your private key to convince visitors that they were you.

Or they could intercept traffic between you and your customers, and use your private key to unscramble it later on.

Carelessness with a private key is like letting someone else borrow your signing seal. (These are still widely used in the East, though they have long died out in the West.)

With your signet ring on his finger, a crook could sign a completely fake document in your name, or open up a sealed document you’d already sent and then re-seal it so the recipient would never know.

You’d think, therefore, that private keys on embedded devices would be something any vendor would take seriously: one device, one key, generated uniquely and randomly, either on first use or securely in the factory.

But SEC Consult found the following rather alarming facts:

  • 3.2 million devices were using one of just 150 different TLS private keys.
  • 0.9 million devices were using one of just 80 different SSH private keys.

Remember, these were all keys that the researchers found uncontroversially by looking, without any hacking, whether white-hatted, grey-hatted or black-hatted.

In other words, we should assume that every cybercrook worth his salt (yes, that’s a pun!) already has these 230 digital signet rings handy, ready to wield them whenever convenient.

Worse still, as SEC Consult points out, it’s extremely unlikely that all of the millions of devices mentioned above were supposed to be accessible, whether by TLS or SSH, over the internet, especially since many of the TLS-protected web services, and most of the SSH ones, relate to administration and configuration of the device itself.

On most networks, administration access is supposed to be limited to users on the internal network, if only to reduce the number of places from which a crook could try connecting.

WHAT TO DO?

If you create firmware for embedded devices:

Don’t share or re-use private keys. If you generate firmware files for each device, customise the keys in each firmware image and use it once only. If you generate keys when the device first starts up, don’t rely on “random” data sources that are likely to be the same on every router at first boot (e.g. how long since the power came on, or how much memory is installed).

Don’t enable remote administration by default.

Don’t let users activate a new device until they have set all necessary passwords. In other words, get rid of default passwords – every crook has a list of what they are.

If you use embedded devices:

Set proper passwords before taking the device online.

Only turn on remote administration when genuinely necessary. Also, consider two-factor authentication for external users, to reduce the risk posed by stolen passwords.

Verify your remote access settings. Consider using a network diagnostic tool such as nmap. You may as well scan your own network for security mistakes. The crooks will!

Re-generate cryptographic keys, if you can, as part of installing the device. This is a way to get rid of any low-quality keys inherited by default.
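One way to check your own devices for the shared-key problem described above, as an added example that is not from SEC Consult or the original article: it reads host keys in the `ssh-keyscan` output format, computes OpenSSH-style SHA256 fingerprints, and reports any key presented by more than one host. The addresses and key bytes are constructed sample data.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Yield (host, key_type, blob) from `host key-type base64` lines.

    Comments, blank lines and malformed entries are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, key_type, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) < 4:
            continue
        # The blob begins with a length-prefixed copy of the key type;
        # skip entries where it disagrees with the declared type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            continue
        yield host, key_type, blob


def shared_keys(text):
    """Map fingerprint -> sorted hosts, for keys presented by 2+ hosts.

    Hosts with the same public host key necessarily hold the same
    private key, which is the condition the article warns about.
    """
    seen = defaultdict(set)
    for host, _key_type, blob in parse_keyscan(text):
        seen[ssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def constructed_line(host, fill):
    """Build one sample line with a constructed (not real) ed25519 key."""
    name = b"ssh-ed25519"
    key = bytes([fill]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample: three devices ship the same key, one is unique,
# and one line is damaged.
SAMPLE = "\n".join([
    "# constructed ssh-keyscan style output (documentation addresses)",
    constructed_line("192.0.2.10", 0x11),
    constructed_line("192.0.2.11", 0x11),
    constructed_line("192.0.2.12", 0x22),
    constructed_line("192.0.2.13", 0x11),
    "192.0.2.14 ssh-ed25519 not-base64!!",
])

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any host that shows up in the report should have its keys re-generated on the device itself.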

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wGMfglgOPsw/

RSI Videofied is a 101 in how to build IP CCTV and alarms with zero security, zero encryption

The Videofied wireless video surveillance cameras and alarm systems can be easily hijacked and spied on – thanks to practically nonexistent security.

According to London-based infosec biz Cybergibbons, the Videofied W panel is hopelessly insecure. It gathers live video from cameras, and data from security sensors, and feeds that information to software running on the customer’s server.

That information is sent over wired, wireless or mobile IP networks unencrypted. The panel and the server also authenticate using a crypto key derived from the panel’s serial number that’s sent in plaintext at the start of transmissions.

It all means any network eavesdroppers can intercept and spy on video feeds and sensor readings, and tamper with the data in transit to trigger alarms or destroy evidence.

A US CERT advisory issued today details the cockups blighting the Videofied system:

  • The authentication protocol uses a pre-shared key that is entirely derived from the serial number of the device. This serial number is transmitted in the plain in messages, allowing an attacker to determine the key. (CVE-2015-8252)
  • Messages and videos are sent unencrypted after the AES authentication handshake. The messages are sent in plain text, and the videos are sent as MJPEG video. (CVE-2015-8253)
  • Messages are sent without any integrity protection of the data. Messages may be spoofed to, for example, send false alarm signals or deactivate alarms. (CVE-2015-8254)

“In summary, the protocol is so broken that it provides no security, allowing an attacker to easily spoof or intercept alarms,” the Cybergibbons team explained.

“It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext.”

The penetration-testing biz said it privately disclosed details of the security weaknesses to Videofied’s maker – France-based RSI Video Technologies – but received no response, apparently.

According to the US Department of Homeland Security’s CERT, RSI Video Technologies is in the process of rolling out a software update to address the blunders. The company did not respond to a Reg request for comment on the report. ®
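A receiver-side check that addresses two of the weaknesses listed in the advisory (a key derivable from the serial number, and no integrity protection), as an added example that is not RSI's fix or the Videofied protocol: the frame layout, the names `seal` and `Receiver`, and the serial number are all constructed for illustration. It authenticates messages only; the standard library has no authenticated cipher, so confidentiality is out of scope here.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def provision_key():
    """Per-device random key; nothing sent on the wire can recompute it."""
    return secrets.token_bytes(32)


def seal(key, serial, counter, payload):
    """Panel side. Frame = len(serial) | serial | counter | payload | tag."""
    s = serial.encode("ascii")
    body = struct.pack(">H", len(s)) + s + struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Server side: verifies the tag, then enforces a rising counter."""

    def __init__(self, keys):
        self.keys = dict(keys)      # serial -> provisioned key, never derived
        self.last_counter = {}      # serial -> highest counter accepted

    def accept(self, frame):
        """Return the payload, or raise ValueError naming the rejection."""
        if len(frame) < 2 + 8 + TAG_LEN:
            raise ValueError("short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        (slen,) = struct.unpack(">H", body[:2])
        if len(body) < 2 + slen + 8:
            raise ValueError("short frame")
        serial = body[2:2 + slen].decode("ascii", "replace")
        key = self.keys.get(serial)
        if key is None:
            raise ValueError("unknown device")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        (counter,) = struct.unpack(">Q", body[2 + slen:2 + slen + 8])
        if counter <= self.last_counter.get(serial, -1):
            raise ValueError("replay")
        self.last_counter[serial] = counter
        return body[2 + slen + 8:]


def verdict(receiver, frame):
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        receiver.accept(frame)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = provision_key()
    rx = Receiver({"SN-0001": key})          # constructed serial number
    frame = seal(key, "SN-0001", 1, b"ALARM zone=3")
    print(verdict(rx, frame))                # first delivery
    print(verdict(rx, frame))                # same frame sent again
```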


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/rsi_videofied_surveillance_broken/

Australian health records fed into big data maw … because insight

While it continues to battle public indifference to personally-controlled electronic health records (PCEHRs), the Australian government is quietly looking for bright sparks to put forward ideas on how to use the records for analysis.

The Australian Privacy Foundation has pointed to this tender from the government. In it, Canberra requests a “Framework for secondary uses of My Health Record”.

The outcome of the tender would be a set of standards: “The final Framework will enable the System Operator (currently the Secretary, Department of Health) to make informed decisions about the benefits, risks and costs of options presented for secondary uses of My Health Record system data. Respondents should note that the Department intends to assess expressions of interest and short list submissions to identify organisations who have the experience and expertise required.”

It’s perhaps no coincidence that the government also recently decided My Health Record would be an opt-out rather than an opt-in system, because so few people were opting into the slowly-advancing multi-billion-dollar white elephant scheme.

After a decade of work, My Health Record nee PCEHR has reached 10 per cent of the Australian population. The National E-Health Transition Authority’s 2015 annual report also notes that the hundreds of millions so far spent have not yet completed a system for handling complex clinical documents.

The Australian Privacy Foundation’s statement notes that while we’re promised that outsiders would only be able to mine anonymised data, that’s a troublesome concept.

Dr Roger Clarke, ANU academic and long-time privacy watcher, notes that “rich data-sets are vulnerable to re-identification procedures. These problems afflict all big data collections that are intended to assist in the management of long-term relationships.

“The problems are compounded by the expropriation of data to support purposes extraneous to the original context of use, such as longitudinal research studies,” Clarke adds.

Since the government also holds records through Centrelink, Medicare and the tax system, re-identifying individuals from their My Health Records would be simple. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/oz_gov_wants_to_flog_health_records_for_big_data/

Your browser history, IP addresses, online purchases all up for grabs without a warrant

Following a decade-long legal battle, the details of a US national security letter (NSL) sent to ISP owner Nicholas Merrill can finally be revealed.

The broad details have been known for some time, and a recent court decision all but listed the personal information that Merrill was told to hand over on all of his ISP’s customers.

However, the decision by the FBI to not continue appealing the federal court’s judgment means people are now able to formally see the personal information that the US government believes it has a right to be granted access to without a warrant.

Merrill celebrated his legal victory on Twitter, noting: “Today my National Security Letter gag order is gone after over 11 years of litigation. I hope others who get NSLs find ways to challenge them”, adding: “I risked my freedom to speak out about my National Security Letter because I feel strongly about the need to protect privacy and free speech.”

At the same time the gag order built into the NSL was officially lifted, an unredacted version [PDF] of a court decision from Judge Victor Marrero was published listing in full all the details that the FBI requested be handed over by Calyx Internet Access back in 2004.

It is the first time that a National Security Letter gag order has been lifted. There are approximately 10,000 NSLs sent each year but the FBI refuses to provide hard statistics.

All in the details

Judge Marrero’s decision was carefully worded to effectively reveal the sort of details the FBI had requested but the unredacted version makes them explicit: an individual’s complete web browsing history; the IP addresses of everyone a person has corresponded with; and records of all online purchases.

The FBI also claims it has the authority to ask for mobile phone location data. According to the Feds, they have stopped asking for that data when sending out NSLs, although that doesn’t mean the agency doesn’t feel it continues to have the authority to do so under its reading of the law (originally the Patriot Act).

Merrill refused to hand over the information, and sued both the FBI and the US Department of Justice to lift the gagging order and let him say what they had demanded – claiming the ban restricted his First Amendment rights.

That was the start of an 11-year court battle in which Merrill himself was not allowed to be named, since he was under a gagging order, and the case name changed three times to reflect different attorneys general.

“For more than a decade, the FBI has been demanding extremely sensitive personal information about private citizens just by issuing letters to online companies like mine,” said Merrill.

“The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/isp_national_security_letter_details_published_following_11year_legal_battle/

Tor looks to reduce dependency on US government money

In an effort to raise money, the Tor Project – the organisation behind the anonymous Tor network and Tor Browser – has started that most modern of whip-rounds; a crowdfunding campaign.

Tor is a sophisticated suite of free, open source software that uses layers of encryption to throw a cloak of invisibility around any users or hidden services that use it.

It’s the keystone technology that holds up the so-called Dark Web, the private sanctuary for anyone who needs to work in secret.

It’s no secret (and no lie) that those seeking sanctuary include some of the very worst criminals, but it also includes journalists and activists like Laura Poitras.

Poitras is the Oscar-winning director of the Edward Snowden documentary Citizenfour, and the face of Tor’s new fundraising effort. Tor and its ilk are, she says, essential:

Before Snowden, as a journalist, I knew that I had to be careful, but didn’t quite know how to protect myself … I knew I needed anonymity, but didn’t know what tools to use…

By my third email from him, I was communicating on Tails with a computer that I bought with cash, checking it only from public places. I was using the Tor Browser for all of my research, and to verify the information I was hearing…

Edward Snowden would not have been able to contact me without Tor and other free software encryption projects. Journalists need Tor to protect their sources and to research freely.

Some media outlets have speculated that the Tor project is trying to lessen its dependency on US government money, which accounts for about 80 – 90% of funding, according to The Verge.

There’s no implication that the US government is exercising any kind of corrupting influence over Tor but a more diverse range of funding sources would make the project more resilient.

The Tor Project has a very interesting and complex relationship with the US government (one that exposes the danger of treating large organisations as if they always act as a single entity).

The software was originally developed with taxpayers’ money by the US Navy, who remain Tor users, and DARPA (The Defence Advanced Research Projects Agency). DARPA has since created Memex, a set of search tools designed to help law enforcement shine a light into the dark corners created by Tor.

Whilst Tor is still used by US taxpayer-funded agencies to create a cloak of anonymity around their work, serious tax dollars are also being put into concerted attempts by other agencies to tear that cloak away.

Earlier this month, Carnegie Mellon was accused of accepting $1 million USD from the FBI to break through Tor’s anonymising barriers. The university has since denied that any money exchanged hands.

If you want to spend some of your hard-earned bitcoins to help the Tor Project you can do so via its donations page. Aside from the Dark Web’s dark currency, the Tor Project is also accepting donations in formats as humdrum and old hat as PayPal and actual paper cheques.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WlEEHxzNi38/

Malware-as-a-service “Fully UnDetectable” operators busted

It’s pretty obvious what an anti-virus does.

It aims to identify and block viruses, worms, Trojans, rootkits, keyloggers, spyware, ransomware, exploit kits and so forth – malware, in other words, a portmanteau word that is short for malicious software.

Strictly speaking, a virus is a specific type of malware that can spread by itself, infecting other files and computers along the way. But you can also use the word virus unexceptionably and metaphorically – in a figure of speech known as metonymy – to refer to malware in general.

Unfortunately, as part of the arms race of computer security, there’s also an area of great interest to cybercrooks known colloquially as anti-anti-virus.

This means, quite simply, figuring out tricks to make the life of an anti-virus product harder.

One way is by using active programming measures inside the virus, often called stealth, to make things not what they seem.

An anti-virus may know exactly what to look for, but the anti-anti-virus system acts as a sort of digital disguise, so the anti-virus sees only innocent content instead.

Another anti-anti-virus technique is reactive: whenever you realise that malware X is being blocked by anti-virus Y, automatically spit out malware version X+1, mutated in the hope that Y will no longer detect it.

That’s just the sort of online service offered until recently by reFUD-dot-me, where FUD, punning on the usual meaning of fear, uncertainty and doubt, stood for Fully UnDetectable.

Loosely speaking, we’re talking about a service like Google’s VirusTotal, except that instead of helping users to draw the attention of the research community to potential new virus samples, reFUD-dot-me was intended as a service especially for other crooks.

The idea was that you could privately test new variants of Malware X – versions X+1 and X+2, say – against a raft of anti-virus products, but no one else would be told about the results.

In other words, you could get an idea of how well your new malware might do in the wild, without needing to keep pirated versions of every anti-virus product up to date for yourself.

Online checking services of this sort, including VirusTotal, are actually a fairly poor way of reviewing detection rates, because they act in something of a detection vacuum, but as a starting point for cybercrooks, reFUD-dot-me was certainly a very handy way for them to find out for free whether they were on the right track with their latest malware samples.

In addition to this underground variant of VirusTotal, reFUD-dot-me also allegedly offered tools known as packers, to help you disguise your malware to make it harder to detect.

Packers, or crypters – the one offered by reFUD-dot-me was called Cryptex – aim to create scrambled, obfuscated versions of your malware that will perform the same functions yet look completely different, a bit like gift-wrapping a handgun in the hope that it will attract less attention.

We’re using the past tense here, because the UK’s National Crime Agency recently announced the arrest of two people in England, a man and a woman, both 22 years old, on charges related to running the reFUD-dot-me service.

They’re innocent until proved guilty, of course…

…but reFUD-dot-me is off the air, thus proving itself neither undetectable nor invincible.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y3Uj_BzSbCI/

Software pirate gets 200k views on ‘public humiliation’ video, evades fines

Congratulations go out to Jakub F: Between posting his anti-piracy propaganda video on Tuesday and Friday night, he scored 606,224 views.

He only needed 200,000 views in one of the most unique approaches ever to dealing with shaking down a software pirate who doesn’t have the cash to pay his fines.

Jakub had been ordered by a court to get those views on his public service announcement (PSA) as an alternative to coughing up what the aggrieved copyright holding companies had decided was their financial loss due to his piracy.

That would have been, roughly, a mortgage worth of damages: around $373,000, with Microsoft alone calling for $223,000.

As Torrent Freak reported last week, the deal to swap onerous fines for a widely viewed anti-piracy video came out of a court in the Czech Republic.

Jakub had been accused by the Business Software Alliance (BSA) of pirating software, including Microsoft’s Windows.

He spent years uploading links to file-hosting sites.

After the BSA managed to track him down, the police raided Jakub’s house and took his computer, DVDs and external hard drive.

In September, a district court found Jakub guilty, gave him a three-year suspended sentence and ordered that his equipment be confiscated.

It didn’t stop there, though.

Companies involved in the lawsuit – among them were Microsoft, HBO, Sony Music and Twentieth Century Fox – estimated that Jakub had cost them that mortgage of theirs.

Economists have been scoffing at the intellectual property police’s dodgy estimates of lost profits (and US jobs) since the days of the Stop Online Piracy Act (SOPA).

Back in 2012, when the US Congress was looking at SOPA and the Protect IP Act (PIPA) bills, the bills’ supporters were flinging around numbers about online piracy costing the US economy between $200 and $250 billion per year, and being responsible for the loss of 750,000 American jobs.

Dire figures!

But apparently made up.

A few years earlier, the Government Accountability Office had released a report noting that the figures “cannot be substantiated or traced back to an underlying data source or methodology” – polite government-speak translated by Freakonomics to mean “these figures were made up out of thin air.”

When it came to Jakub’s fate, the Czech Republic court was likewise a bit skeptical about how much money Jakub had allegedly caused the companies to lose.

Torrent Freak said that it was unclear if the companies had actually intended to try to claw back the money they said they lost, but at any rate, Jakub and the corporate lawyers reached an agreement to make that $373,000 go away.

They called it an “alternative sentence.”

Namely, Jakub agreed to star in the PSA about his life as a pirate. Get 200,000 views, and the fines go away.

It’s a pretty dramatic video, as in, professionally lit, musical score.

Jakub himself set up a site to promote it: mojepiratstvi.cz.

Torrent Freak shared its translation of how Jakub begins his tale:

I had to start this site because for eight years I spread pirated software and then they caught me. I thought that I wasn’t doing anything wrong. I thought that it didn’t hurt the big companies. I didn’t even do it for the money, I did it for fun.

I felt in the warez community that I meant something. I was convinced that I was too small a fish for someone to get to me. But eventually, they got me. Even for me, the investigators came to work.

He went on to explain that he plays himself in the video and that it’s really his story:

If I promote my story and my video gets at least 200 thousand views, I will only serve the general part of my sentence.

In the video I play myself and this is really my story. I shot the video with a professional firm. Sharing is how this started and sharing is how I would like my story to end up.

Public humiliation backfired

Well, obviously, it worked. The video went viral, and the companies got their message spread, just like they wanted.

Unfortunately for them, many of those views seem to be coming from people outraged at what they see as the corporate tactic of public humiliation.

GlitchByte, a commenter on the video:

…this public humiliation stuff is like a sad step backward toward some sort of screwed up gladiator arena thing. I’m straight edge. I always pay for my stuff even if I think the price is ridiculous, but SORRY – this kind of thing doesn’t intimidate me, it makes me angry. If ever I was gonna pirate, it would be a video like that that made me want to.

Thus, Jakub is apparently off the $373,000 hook, but whether his video convinced pirates not to be pirates is an open question.

Now, the companies who made him do it seem to be, at least from a PR perspective, on the hook themselves.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KFvOo91S5jg/

Pirate Bay can’t be blocked, says Swedish court

You can’t force ISPs to block Pirate Bay.

“Well duh,” you might say, given that the UK’s 2012 attempt was met by the pirated content site thumbing its nose and posting workarounds.

But no, this isn’t news from the way-back machine.

Rather, we’re talking now, as a Swedish court on Friday ruled that the country’s internet service providers can’t be forced to block the controversial and much-prosecuted Swedish file-sharing site.

As The Local reports, the landmark decision comes after a month of deliberation by the District Court of Stockholm, which has ruled that copyright holders can’t make Swedish ISP Bredbandsbolaget block Pirate Bay.

As it is, the UK’s 2012 attempt boiled down to going after the middleman. As we said at the time, it was like blaming the postman for delivering an illegal item, like a pirated DVD.

The Stockholm court thought likewise, finding that Bredbandsbolaget’s operations as an ISP don’t make it a participant in whatever copyright infringement might be carried out by its pirate subscribers.

Many European countries do, in fact, block Pirate Bay, but anti-piracy groups have their hearts set on throttling it in its own homeland.

If you eyeball the list of countries that block – or try to block – Pirate Bay, you’ll see that many are wrangling with their ISPs over the issue.

Pirate Bay’s response is typically “free marketing, nice!”

That was the response from a Pirate Bay spokesperson in 2011, after a Belgian court ordered two ISPs to block 11 domains connected to Pirate Bay within 14 days or face fines.

This will just give us more traffic, as always. Thanks for the free advertising.

In September, Norway became the most recent country to order ISPs to block Pirate Bay.

The Norwegian Pirate Party responded by launching a free DNS service that allows internet users to get around the blockade.

Back in Sweden, the ruling handed down on Friday prevented rights holders from forcing Bredbandsbolaget to block subscribers from accessing not only The Pirate Bay, but also streaming portal Swefilmer.

According to Torrent Freak, it also means that the plaintiffs have to pay Bredbandsbolaget’s legal costs, which are expected to exceed $160,000.

It might be premature for a pirate party to celebrate the decision, though.

Higher courts in Sweden may well handle an appeal: Friday’s decision could be taken to the Svea Court of Appeal no later than December 18.

Of course, even if you can still get to Pirate Bay, bear in mind that downloading copyrighted material is a crime, and you could be held accountable for copyright infringement.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ihqGdCX-0DQ/

VTech breached, customer data stolen. Change your password now!

What’s worse than a data breach of your personal data?

A data breach of your personal data and the personal data of your children.

That’s what may have happened – or may not, it’s still not clear – at electronic toy vendor VTech.

VTech makes educational electronic toys, and runs an online store called Learning Lodge, where you can shop for downloads for your VTech products.

Actually, right now you can’t shop for anything, because the site is temporarily shuttered following a data breach.

VTech’s own statement on the breach isn’t terribly reassuring:

VTech Holdings Limited today [2015-11-27] announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT.

. . .

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

From the above, VTech certainly makes it sound as though the company has “done an Adobe”, storing passwords encrypted (so that if someone figures out the decryption key, they can recover all the passwords at once), and keeping password recovery information entirely unencrypted.

Adobe famously lost more than 100 million records in which password hints were not encrypted, meaning that many people’s passwords were easy to figure out.

To add to the trouble, everyone with the same password had the same encrypted data string to represent it, so that if anyone else had the same password as you, and was silly enough to put his password in the hint…then he revealed your password at the same time.

VTech certainly makes it sound as though the company stored your password in a way that it could recover it, rather than using industry-standard practice (known as salt-hash-stretch) that merely allows passwords to be verified.

After all, the official statement talks about a “secret question and answer for password retrieval”, as though the company will send you a copy of your password (presumably via email) if you can answer that secret question.

What we’re hoping is that VTech really meant to say that it stores your passwords hashed, not encrypted.

And we’re hoping it meant that those secret questions and answers are for password reset, which is quite a different beast from retrieval.

(Hint to VTech: these would be surprisingly useful details to clarify as soon as possible.)
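The difference between the two storage styles discussed above, as an added example that is not VTech's or Adobe's code: `new_record` and `verify` implement salt-hash-stretch with PBKDF2, while `deterministic_record` is a stand-in for one-key, no-salt storage (it uses HMAC rather than encryption, because only the "same password, same stored value" property matters here). The user names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 200_000  # assumption for this example; tune to your hardware


def new_record(password, iterations=ITERATIONS):
    """Salt-hash-stretch: random per-user salt, many PBKDF2 iterations."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password, record):
    """Check a login attempt. The record can confirm a password, not reveal it."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def deterministic_record(password, site_key):
    """Stand-in for unsalted storage under one site-wide key.

    Equal passwords always produce equal stored values, which is the
    property that made the Adobe password hints so damaging.
    """
    return {"stored": hmac.new(site_key, password.encode("utf-8"), hashlib.sha256).digest()}


def users_sharing_stored_value(table, field):
    """Audit check: groups of users whose stored password value is identical."""
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record[field]].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts: alice and carol chose the same password.
SAMPLE_USERS = {
    "alice": "tr0ub4dor&3",
    "bob": "correct horse battery",
    "carol": "tr0ub4dor&3",
}


def build_tables(users=SAMPLE_USERS):
    """Store the same accounts both ways so the audit can compare them."""
    site_key = secrets.token_bytes(32)
    weak = {u: deterministic_record(p, site_key) for u, p in users.items()}
    strong = {u: new_record(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted, shared values:", users_sharing_stored_value(weak, "stored"))
    print("salted, shared values:  ", users_sharing_stored_value(strong, "hash"))
    print("alice logs in:", verify("tr0ub4dor&3", strong["alice"]))
```

Running the same audit query against a real credentials table is a quick way to confirm that every row has its own salt.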

Having said that, what was lost – especially as it seems to include everyone’s password reset/recovery data in plain text – is a serious matter, because it is data that crooks can use in other attacks.

Whether a crook wants to convince other people that he knows a lot about you, even though he’s never met you, or wants to convince you that he’s contacting you legitimately by referring to things you wouldn’t expect an outsider to know…

…the more factoids he can piece together about you and your lifestyle, the greater the criminal success he is likely to have.

Worse still in the case of this breach is the suggestion on the BBC’s website that data from the theft has already surfaced online and includes children’s names, dates of birth and genders.

Let’s hope that VTech are able to provide some clarity about the situation soon – whether the news gets better or worse, it’s only the truth that can really help now.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a3f8cbT8cGQ/

Italians to spend €150m … snooping on PS4 jabber

Italian counter-terror agents are to monitor Sony’s PlayStation Network for jihadi chatter, according to the nation’s justice minister, following alarmingly silly reports that a PS4 was used to coordinate the terrorist attacks in Paris.

Andrea Orlando told Italian broadsheet Il Messaggero that the government would be investing €150m (£105m) in a reformation of the nation’s security services, with the aim of allowing them to monitor “any form of communication”, with the PlayStation gaming console receiving specific attention.

The Italian plans follow an article in Forbes, cited by the Telegraph and the New York Times, which claimed, “An ISIS agent could spell out an attack plan in Super Mario Maker’s coins and share it privately with a friend, or two Call of Duty players could write messages to each other on a wall in a disappearing spray of bullets.”

That report, in turn, appears to have been prompted by statements made by the Belgian deputy prime minister, Jan Jambon. Jambon complained that Belgian security services and their international partners were unable to decrypt communications made through the PlayStation Network. Jambon reportedly claimed that “PlayStation 4 is even more difficult to keep track of than WhatsApp” in this regard. His claims were made days before the attacks in Paris, however, and had to do with ISIS’ general tactics.

It is not the first time that gaming platforms have come under suspicion from counter-terrorist powers. An NSA briefing note leaked by whistleblower Edward Snowden and titled “Exploiting Terrorist Use of Games & Virtual Environments” showed the spooks had discussed infiltrating the platforms due to concerns about terrorists planning their activities on World of Warcraft and Second Life, for example. It is not clear whether any useful intelligence was ever produced through such activities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/italy_playstation_4_terrorism/