STE WILLIAMS

Windows Crash Reports Open To Hijacking

Microsoft’s handy automated Windows error report feature “Dr. Watson” mostly transmits crash log data in the clear, leaving organizations that use the function vulnerable to targeted attacks, researchers say.

Websense Security Labs found in a study of risks posed by some popular applications and services that Microsoft Windows Error Reporting, which automatically sends to the software giant details of a system crash, does so without encrypting the information. The sensitive information in these reports, which includes the make and model of the machine, BIOS version, ID, and applications, can help bad guys and even the National Security Agency profile potential targeted machines and networks.

Word that the NSA was likely doing just that came among other new revelations in a report over the weekend by German publication Der Spiegel that pulled back the curtain on an elite team of NSA hackers called the Tailored Access Operations (TAO) Group. According to the report, TAO appears to use NSA’s XKeyscore spy tool to grab Windows crash reports from Internet traffic it captures, and the intelligence can be used to profile a machine and exploit its vulnerabilities.

Windows Error Reporting/Dr. Watson is a default feature in the operating system, and is used by some 80 percent of all networked PCs, or more than one billion machines around the world, according to Websense. And any crash data could expose a new zero-day flaw, for instance.

“Applications that report this information without encrypting data risk leaking information at multiple points. This includes any upstream proxies, firewalls, and ISPs that are in between the corporate network and the destination as well as the application developer and their partner organizations,” Websense said in a post on the research yesterday.

Any service reporting application telemetry or information about network infrastructure and security should at the least be encrypted with SSL (TLS 1.2), Websense says. Organizations can protect themselves from Microsoft Error Reporting leaks by forcing encryption via group policies and by regularly auditing their networks for accidental leakage of potentially sensitive information about the infrastructure.
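The network-audit half of that advice is easy to automate against a web-proxy log: anything bound for a crash-report or telemetry endpoint should only ever show up as a CONNECT (TLS) tunnel, never as a plain-HTTP POST. The script below is an added example, not Websense's or Microsoft's code. The log lines are constructed in a Squid-like layout, and the host list is an assumption (watson.microsoft.com is the Windows Error Reporting endpoint; the second entry is a hypothetical placeholder) that you would replace with the endpoints actually seen on your network.

```python
"""Audit a web-proxy access log for crash-report and other telemetry traffic that
left the network over plain HTTP rather than TLS.

Added example; not Websense's or Microsoft's code.  The log lines are constructed
and the host list is an assumption to be replaced with your own endpoints.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts whose traffic should only ever appear as CONNECT (TLS) in the proxy log.
# watson.microsoft.com is the Windows Error Reporting endpoint; the second entry
# is a hypothetical placeholder showing that the list is meant to be extended.
TELEMETRY_HOSTS = {"watson.microsoft.com", "telemetry.vendor.invalid"}

# Constructed sample, Squid-like layout: epoch client method url status bytes.
SAMPLE_LOG = """\
1388448000.123 10.0.0.15 POST http://watson.microsoft.com/REPORT-PATH-PLACEHOLDER 200 3812
1388448001.456 10.0.0.15 GET http://www.example.com/ 200 512
1388448002.789 10.0.0.22 CONNECT watson.microsoft.com:443 200 9120
1388448003.012 10.0.0.31 POST http://telemetry.vendor.invalid/report 200 2048
1388448004.345 10.0.0.31 GET https://www.example.com/ 200 640
"""


def parse_line(line):
    """Split one access-log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    if method == "CONNECT":
        # CONNECT host:port means the proxy only relayed an encrypted tunnel.
        host, scheme = url.rsplit(":", 1)[0].lower(), "https"
    else:
        split = urlsplit(url)
        host, scheme = (split.hostname or "").lower(), split.scheme.lower()
    return {"ts": float(ts), "client": client, "method": method,
            "host": host, "scheme": scheme, "bytes": int(size)}


def audit_proxy_log(text):
    """Return one finding per request that reached a telemetry host without TLS."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec and rec["host"] in TELEMETRY_HOSTS and rec["scheme"] != "https":
            findings.append(rec)
    return findings


def bytes_leaked_per_client(findings):
    """Aggregate cleartext telemetry volume by internal client, for follow-up."""
    totals = defaultdict(int)
    for rec in findings:
        totals[rec["client"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    hits = audit_proxy_log(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['client']} sent {rec['bytes']} bytes to {rec['host']} over {rec['scheme']}")
    print("per-client totals:", bytes_leaked_per_client(hits))
```

Run it against a real proxy export and the per-client totals tell you which machines are shipping crash data in the clear, which is exactly the population a group-policy change needs to reach first.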

Article source: http://www.darkreading.com/vulnerability/windows-crash-reports-open-to-hijacking/240165072

Try our NYE #sophoscrossword and win a T-shirt!

Are you working over the New Year?

Or are you relaxing?

Or are you doing a little bit of both?

Whatever you’re up to, but especially if you’re on year-end sysadmin or tech support duty while everyone else is at the beach/snow/pub, here’s a bit of fun that nevertheless counts as real work. (But don’t quote us on that!)

Presenting the Sophos Naked Security NYE crossword for 2013.

We’re offering two prizes, just to add a tiny competitive edge to things.

There’s a T-shirt for the first correct solution received, and a T-shirt for a randomly selected winner from the rest of the correct answers received before the end of 2014-01-05Z.

→ If you’re not familiar with RFC 3339 (Date and Time on the Internet: Timestamps), that means you have until the last second of the coming Sunday, 05 January 2014, UK time, to get in the running for a shirt.

If you get stuck, try a search engine; if you’re still stuck after that, try following and asking around on the hashtag #sophoscrossword on Twitter.

You are also welcome to email us for hints on [email protected] if you don’t use Twitter, or if you simply want to keep your hints to yourself.

To go into the prize draw, just take a screenshot when you have finished the puzzle, and email it to us.

We’ll only use your email address to contact you if you win.

Good luck with your puzzling, and, from the Naked Security team, Happy New Year!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dIuds3GEioA/

How the NSA hacks PCs, phones, routers, hard disks ‘at speed of light’: Spy tech catalog leaks

Analysis A leaked NSA cyber-arms catalog has shed light on the technologies US and UK spies use to infiltrate and remotely control PCs, routers, firewalls, phones and software from some of the biggest names in IT.

The exploits, often delivered via the web, provide clandestine backdoor access across networks, allowing the intelligence services to carry out man-in-the-middle attacks that conventional security software has no chance of stopping.


And if that fails, agents can simply intercept your hardware deliveries from Amazon to install hidden gadgets that rat you out via radio communications.

The 50-page top-secret document, written by an NSA division called ANT, is part of an information dump sent to German magazine Der Spiegel, and expounded upon by journalist Jacob Appelbaum in his keynote to the 30th Chaos Communication Congress in Germany on Monday. You can watch a clearly furious Appelbaum in the video below.

Youtube video of Jacob Appelbaum at 30c3

The dossier is a glorified shopping catalog of technology for spies in the so-called “Five Eyes” alliance of the UK, the US, Canada, Australia, and New Zealand. It gives the clearest view yet of what the NSA, GCHQ and associated intelligence agencies can do with your private data, and how they manage it. Here’s an easy-to-digest roundup of what was discussed.

Satellite and optic-fiber communications stored

According to Appelbaum, the NSA is running a two-stage data dragnet operation. The first stage is TURMOIL, which collects data traffic passively via satellite and cable taps and stores it – in some cases for up to 15 years – for future reference. The NSA does not consider this surveillance because no human operator is involved, just automatic systems.

Der Spiegel gave the example of the SEA-ME-WE-4 underwater cable system, which runs from Europe to North Africa, then on to the Gulf states to Pakistan and India before terminating in the Far East. The documents show that on February 13 this year a tap was installed on the line by the NSA that gave layer-two access to all internet traffic flowing through that busy route.

However, this passive capability is backed up by TURBINE, the active intervention side of the NSA, run by its Tailored Access Operations (TAO) hacking squad. By using a selection of hardware and software tools, not to mention physical measures as we’ll see later on, the NSA promises that systems can be hacked “at the speed of light,” and the staffers in Maryland even took time to build a LOLcat picture highlighting the capability:

NSA LOLcat

Sure they own you, but look at the little kitty. Credit: NSA

“Tailored Access Operations is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies,” the NSA said in a statement on the report, adding that TAO’s “work is centered on computer network exploitation in support of foreign intelligence collection.”

Windows crash reports boon for spies

On the subject of operating systems, Appelbaum said the documents revealed subversion techniques against Windows, Linux, and Solaris. In the case of Microsoft, the NSA is monitoring Windows software crash reports to gain insight into vulnerabilities on a target system and exploit them for its own ends.

“Customers who choose to use error reports send limited information about, for example, the process, application, or device driver, that may have encountered a problem,” a Microsoft spokesperson told El Reg in a statement responding to Der Spiegel‘s report.

“Reports are then reviewed and used to improve customer experiences. Microsoft does not provide any government with direct or unfettered access to our customer’s data. We would have significant concerns if the allegations about government actions are true.”

NSA buys up security exploits to attack vulnerabilities

When it comes to active penetration, the TAO team has a system dubbed QUANTUM THEORY, an arsenal of zero-day exploits that it has either found itself or bought on the open market from operators like VUPEN. Once inside a computer, software dubbed SEASONEDMOTH is automatically secreted and used to harvest all activity by the target in a 30-day period.

For computers and networks that have firewalls and other security systems in place, the NSA uses QUANTUMNATION, a tool that will scan defenses using software dubbed VALIDATOR to find an exploitable hole, and then use it to seize control using code dubbed COMMENDEER.

A system dubbed QUANTUMCOPPER also gives the NSA the ability to interfere with TCP/IP connections and disrupt downloads to inject malicious code or merely damage fetched files. Appelbaum said such a system could be used to crash anonymizing systems like Tor by forcing an endless series of resets – and makes the designers of the Great Firewall of China look like amateurs.

The website you are visiting is really not the website you want

But it’s a scheme dubbed QUANTUMINSERT that Appelbaum said was particularly concerning. The documents show that if a target tries to log onto Yahoo! servers, a subverted local router can intercept the request before it hits Meyer Co’s data center and redirect it to an NSA-hosted mirror site where all activity can be recorded and the connection tampered with.

It’s not just Yahoo! in the firing line: QUANTUMINSERT can be set up to automatically attack any computer trying to access all sorts of websites. The code predominantly injects malware into religious or terrorism websites to seize control of vulnerable web browsers and their PCs.

But the technology has also been spotted monitoring visits to sites such as LinkedIn and CNN.com, and will work with most major manufacturers’ routers to pull off its software injection. (If you think using HTTPS will highlight any of these man-in-the-middle attacks, bear in mind it’s believed that the NSA and GCHQ have penetrated the security certificate system underpinning SSL/TLS to allow the agencies’ computers to masquerade as legit web servers.)

According to the catalog, Cisco hardware firewalls, such as the PIX and ASA series, and Juniper Netscreen and ISG 1000 products, can have backdoors installed in their firmware to monitor traffic flowing in and out of small businesses and corporate data centers. A boot ROM nasty exists for the Huawei Eudemon firewalls, we’re told; Huawei being the gigantic Chinese telecoms electronics maker. Other BIOS-level malware is available for Juniper and Huawei routers, according to the dossier.

“At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it,” said Cisco in a blog post.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/31/nsa_weapons_catalogue_promises_pwnage_at_the_speed_of_light/

Attackers Wage Network Time Protocol-Based DDoS Attacks

Attackers have begun exploiting an oft-forgotten network protocol in a new spin on distributed denial-of-service (DDoS) attacks, as researchers spotted a spike in so-called NTP reflection attacks this month.

The Network Time Protocol, or NTP, syncs time between machines on the network, and runs over UDP port 123. It’s typically configured once by network administrators and often is not updated, according to Symantec, which discovered a major jump in attacks via the protocol over the past few weeks.

“NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks,” said Allan Liska, a Symantec researcher, in a blog post last week.

Attackers appear to be employing NTP for DDoSing similar to the way DNS is being abused in such attacks. They transmit small spoofed packets requesting a large amount of data sent to the DDoS target’s IP address. According to Symantec, it’s all about abusing the so-called “monlist” command in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server. “For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic,” Liska explains in the post.

Monlist modules can be found in Nmap as well as in Metasploit, for example; Metasploit includes a monlist DDoS exploit module.

The spike in NTP reflection attacks occurred mainly in mid-December, with close to 15,000 IPs affected, and dropped off significantly after December 23, according to Symantec’s data.

Symantec recommends that organizations update their NTP implementations to version 4.2.7, which no longer includes the monlist command. Another option is to disable access to monlist in older versions of NTP. “By disabling monlist, or upgrading so the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack,” Liska says.
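Both halves of that advice can be checked rather than taken on trust: an ntp.conf either refuses mode 6/7 queries from the default restrict (and ideally has the monitor facility off) or it does not, and a server already being abused as a reflector shows up in flow data as tiny inbound UDP/123 requests answered by far larger outbound volumes. The script below is an added example, not Symantec's or the NTP project's code. The two configuration texts and the flow records are constructed; the directives used (`disable monitor`, `restrict default ... noquery`) are standard ntpd configuration.

```python
"""Two defensive checks for the NTP monlist reflection problem: audit an ntp.conf
for whether monlist is still reachable, and flag amplified UDP/123 flows that
suggest a server is already being used as a reflector.

Added example; not Symantec's or the NTP project's code.  Both configuration
texts and the flow records are constructed.
"""

# Constructed: a typical "set it and forget it" ntp.conf that still answers
# mode-7 monlist queries from anyone, because the default restrict lacks noquery.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed: the same file hardened.  "disable monitor" turns off the monlist
# facility entirely; "noquery" on the default restrict refuses mode 6/7 queries
# while leaving ordinary time sync (mode 3/4) untouched.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def audit_ntp_conf(text):
    """Return findings; an empty list means both mitigations are in place."""
    monitor_disabled = False
    default_restricts = []          # (family, flags) per "restrict [-4|-6] default" line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "disable" and "monitor" in parts[1:]:
            monitor_disabled = True
        elif parts[0] == "restrict":
            args = parts[1:]
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if args and args[0] == "default":
                default_restricts.append((family, set(args[1:])))
    findings = []
    if not monitor_disabled:
        findings.append("monitor facility enabled: monlist data is being collected")
    if not default_restricts:
        findings.append("no 'restrict default' line: queries accepted from anyone")
    for family, flags in default_restricts:
        if "noquery" not in flags:
            findings.append(f"restrict default ({family}) lacks noquery: mode 6/7 queries allowed")
    return findings


# Constructed bidirectional flow records for UDP/123 as a collector would
# summarise them: (client, server, bytes_to_server, bytes_from_server).
# A normal NTP exchange is one 48-byte packet each way plus headers; a monlist
# exchange is one small request answered by many ~440-byte packets.
FLOWS = [
    ("10.0.0.5",      "203.0.113.9", 76,    76),
    ("198.51.100.20", "203.0.113.9", 68, 48800),
    ("10.0.0.6",      "203.0.113.9", 76,    76),
]


def find_reflection(flows, min_ratio=20, min_bytes=4096):
    """Flag flows whose response volume dwarfs the request: the reflection signature.
    The 'client' address on such a flow is the spoofed DDoS victim, not the attacker."""
    flagged = []
    for client, server, to_server, from_server in flows:
        ratio = from_server / max(to_server, 1)
        if ratio >= min_ratio and from_server >= min_bytes:
            flagged.append({"victim": client, "reflector": server, "ratio": round(ratio, 1)})
    return flagged


if __name__ == "__main__":
    print("weak config:", audit_ntp_conf(WEAK_CONF))
    print("hardened config:", audit_ntp_conf(HARDENED_CONF))
    print("reflection flows:", find_reflection(FLOWS))
```

The thresholds in `find_reflection` are deliberately loose; a plain sync exchange sits at a ratio of about 1, so anything in the tens is already far outside normal NTP behaviour, and the byte floor keeps single odd packets from paging anyone.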

Article source: http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server

A BBC FTP server, ftp.bbc.co.uk, was compromised by a Russian hacker and access to it touted online, say computer security researchers.

The miscreant behind the attack on the internet-facing file store tried to sell access to the infiltrated system to other crims on Christmas Day, we’re told. Hold Security – which this year has helped break news of data heists at Adobe and a top-flight limo company – spotted someone trying to sell access to ftp.bbc.co.uk, according to Reuters.


FTP is a 1970s vintage protocol for transferring information in bulk over the internet; its use is discouraged because usernames and passwords to log into accounts are sent over the network unencrypted, although there are ways to establish secure connections.

The hacked service was used by reporters to file material from the field, and by advertisers to upload video to BBC Worldwide channels. The invaded computer was cleaned up over the weekend.

Right now the system appears to be running ProFTPD 1.3.3g on Solaris, but there’s nothing to indicate that was the vulnerable software. However, versions of ProFTPD prior to 1.3.3g suffer from a use-after-free bug (CVE-2011-4130) that allows an attacker to execute code remotely on the machine hosting the server; a flaw that’s been known about since 2011.
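Both points above, credentials crossing the wire before any TLS upgrade and a server banner from before the fix, can be checked from a captured control-channel transcript. The script below is an added example, not The Register's, the BBC's or ProFTPD's code; the two transcripts are constructed (`C:` lines are client commands, `S:` lines server replies), and the version cut-off 1.3.3g is the one the article gives for CVE-2011-4130.

```python
"""Audit a captured FTP control-channel transcript for credentials sent before
any TLS upgrade, and for a ProFTPD banner older than 1.3.3g (the first release
the article names as not affected by CVE-2011-4130).

Added example; not The Register's, the BBC's or ProFTPD's code.  Both
transcripts are constructed.
"""
import re

CLEAR_SESSION = """\
S: 220 ProFTPD 1.3.3e Server (ftp.example.invalid) [::ffff:203.0.113.5]
C: USER reporter
S: 331 Password required for reporter
C: PASS correct-horse-battery
S: 230 User reporter logged in
C: PWD
S: 257 "/" is the current directory
"""

TLS_SESSION = """\
S: 220 ProFTPD 1.3.3g Server (ftp.example.invalid) [::ffff:203.0.113.5]
C: AUTH TLS
S: 234 AUTH TLS successful
C: [TLS handshake; later commands are encrypted and not visible on the wire]
"""

FIXED_VERSION = (1, 3, 3, "g")
BANNER_RE = re.compile(r"ProFTPD (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Turn 'ProFTPD 1.3.3e Server ...' into (1, 3, 3, 'e'); None if no match.
    The trailing letter sorts as a string, so '' < 'a' < ... < 'g'."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def audit_ftp_session(transcript):
    """Return what the session leaked and whether the banner predates the fix."""
    result = {"banner_version": None, "vulnerable_banner": False,
              "cleartext_users": [], "cleartext_password_seen": False}
    tls_requested = tls_active = False
    for raw in transcript.splitlines():
        if raw.startswith("S: "):
            reply = raw[3:]
            if reply.startswith("220") and result["banner_version"] is None:
                ver = parse_version(reply)
                if ver:
                    result["banner_version"] = "%d.%d.%d%s" % ver
                    result["vulnerable_banner"] = ver < FIXED_VERSION
            elif reply.startswith("234") and tls_requested:
                tls_active = True   # server accepted AUTH TLS; channel now encrypted
        elif raw.startswith("C: ") and not tls_active:
            parts = raw[3:].split(None, 1)
            cmd = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            if cmd == "AUTH" and arg.upper() == "TLS":
                tls_requested = True
            elif cmd == "USER":
                result["cleartext_users"].append(arg)
            elif cmd == "PASS":
                result["cleartext_password_seen"] = True   # value deliberately not kept
    return result


if __name__ == "__main__":
    print("cleartext session:", audit_ftp_session(CLEAR_SESSION))
    print("TLS session:", audit_ftp_session(TLS_SESSION))
```

The password itself is never stored, only the fact that one crossed the wire; an audit report that copies harvested credentials into a ticket just recreates the leak in another place.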

“The only other information that I can offer is that the hacker was offering a screenshot proving that he had administrative access to the BBC server,” Alex Holden, chief information security officer at Hold Security, told BBC News.

It is not clear how deep the hacker managed to penetrate Auntie: specifically, whether the miscreant obtained just an FTP admin account login, gained control of the user account running the FTP daemon, or gained full control of the machine running the file-transfer server. Don’t forget, a compromised computer could have acted as a stepping stone to other systems within the Beeb’s network.

Hold Security found no evidence anyone paid for access to the server. A spokesman for the BBC refused comment, although its news team published a report on the break-in. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/30/bbc_ftp_server/

NSA Elite Hacking Team Operations Exposed

It should come as no surprise that the National Security Agency has a special team of top-gun hackers who break into systems around the world to spy on its targets. But revelations published yesterday by a German magazine about the NSA’s Tailored Access Operations (TAO) Group and the agency’s homegrown hacking tools shine some light on the scope and expertise of the agency’s hacking abilities, including its custom backdoor tools for popular commercial networking equipment and systems.

Der Spiegel reported yesterday that the NSA describes the TAO as specialized in “getting the ungettable” with access to “our very hardest targets.” According to the report, the hacking team successfully infiltrated 258 targets across 89 countries, and in 2010, executed some 279 different operations.

The report stops short of confirming whether the TAO team was involved in the creation and execution of Stuxnet, the highly targeted malware program that sabotaged uranium enrichment equipment in Iran’s Natanz nuclear facility. But it references leaked internal NSA presentation documents on the agency’s goals of hacking “servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc.”

Michael Sutton, vice president of security research at Zscaler, says the report by the German publication appears to “insinuate” TAO’s involvement with Stuxnet, but it’s not definitive. “The team does have a development arm constantly tinkering with new technologies,” Sutton says.

The leaked catalog of the NSA’s custom software and hardware-based hacking tools dates back to 2008, so the newly exposed information raises more questions about what else the agency has in its arsenal today. The NSA toolkit published by Der Spiegel consists of so-called “implant” items, such as Nightstand, an 802.11 wireless exploitation and injection tool; Jetplow, a “firmware persistence implant” for taking over Cisco PIX and ASA firewalls; Halluxwater, a backdoor for Huawei firewalls; Feedtrough, a software tool that operates in Juniper firewalls to move other NSA spy software onto mainframes; and Dropout Jeep, a software tool for intercepting communications from an Apple iPhone.

According to the report, the tools have allowed the NSA to create its own global spy network “that operates alongside the Internet.” And in a nod to old-school spying techniques, the NSA’s TAO group reportedly can intercept from a target a computer shipment and load malware or hardware backdoor access onto the equipment before it reaches the buyer.

[EMC security subsidiary accused of accepting $10 million from the NSA to purposefully use encryption for which the intelligence agency enjoyed backdoor access. See RSA Denies Trading Security For NSA Payout.]

Networking vendors Cisco and Juniper both issued statements of concern about the report. John Stewart, senior vice president and chief security officer at Cisco, says his company is unaware of any new product vulnerabilities reportedly exploited by the agency, and does not deploy security “backdoors” in its products.

“We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information,” Stewart said in a blog post. “At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it. As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products.”

A Juniper spokesperson echoed the same sentiments. “We take allegations of this nature very seriously and are working actively to address any possible exploit paths … We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps,” the spokesperson said. “Juniper Networks is not aware of any so-called ‘BIOS implants’ in our products and has not assisted any organization or individual in the creation of such implants.”

Zscaler’s Sutton says the round of NSA revelations of backdoors in security and networking products has placed the affected vendors in a “delicate position.”

“There are really a couple of different ways they get drawn into this. One is that they are a passive participant caught in the middle, and their technologies are attacked,” he says. “The NSA has been quite aggressive … tapping into cables at data centers, and that’s all bad news for the vendors. Even though they are not complicit in that process, [vendors] still bear the brunt of the public backlash.”

Sutton says the other side of the coin is that vendors in some cases are legally obligated to hand over some data to the NSA, for example. “That, too, is not desirable for them,” he says. “They want the public to see” they have no choice in those cases, he says.

Security expert Richard Stiennon says this means security vendors will need to take security more seriously than ever now that they have a “new adversary.” “Historically the greatest threats to hardware and software vendors were hackers and security researchers who sought the positive exposure of being the ones to discover a new vulnerability. The actual exploit of published vulnerabilities of network gear is rare and in most cases of responsible disclosure the vendor is given an opportunity to release a patch before the vulnerability is published,” he said in a post.

Still, the NSA is not unlike other attackers, Sutton says. “Each time we have one of these [NSA] leaks … the focus tends to be on this silver bullet we didn’t know about, this very powerful tool and method. But the NSA is no different in its tactics at the base level than any other attacker,” he says. “They have a toolkit available to them, they reach out and pull out particular tasks. And those tools continually evolve and are remade to suit their purposes. We are constantly seeing glimpses into that toolbox.”

Article source: http://www.darkreading.com/privacy/nsa-elite-hacking-team-operations-expose/240165056

NSA’s TAO

This week the Internet’s all aflutter with the latest NSA disclosures over their uber-hacking group – the Office of Tailored Access Operations, or “TAO” for short. Der Spiegel’s NSA articles of yesterday reveal some of the inner workings of the TAO team and their tools. It’s pretty interesting stuff, and I’m sure the legacy conspiracy nuts are trading in their tinfoil hats for “I told you so” t-shirts today.

As more details leak about the 50-page catalog of hacking goodies that the NSA, CIA, FBI, DHS, etc. government entities could purchase for “lawful intercept” work, I get the feeling that a lot of product managers at the vendors for which these tools exploit vulnerabilities or frailties in their products will be a little wobbly in the knees department right about now. I suspect that there will be plenty of additional discussion in the coming months about the “lawful” part of the lawful intercept concept too.

In many ways TAO reminds me of a digital “Q” branch from Ian Fleming’s James Bond series. I can just imagine a grey-mustached Q handing out USB dongles with embedded wireless transmitters to go with the Omega watch with the laser, or the exploding pen.

In light of the recent revelations, it would seem that the NSA TAO team has been very successful in completing their objectives. I suppose it’s quite refreshing to know that at least one part of the US Government is capable and functioning as it’s supposed to?

While this glimpse into the shadowy world of modern spying and espionage is as exciting as cut-scenes from an upcoming James Bond movie, I don’t believe that it changes the paradigm that much. These are simply the tools of the trade for the cyber domain. In fact the tools that have been disclosed thus far are already close to a decade old – and have clearly been in service for some time. Anyone who’s attended a Blackhat conference in the last ten years would be familiar with all the concepts and attack vectors. What makes it different is how the NSA has successfully made the leap from theory to reality; clearly having a sufficiently sized budget makes that leap much easier.

Of the documents produced thus far, the most surprising revelations to me have been about how small the TAO team is, and the proportion of which are civilian contractors. Given the size and budget of the DoD (and NSA in particular), how advanced their adversaries are, and how successful they appear to have been in their missions, I’d have expected the team to be five to ten times the size. Perhaps the absolute numbers get a bit fuzzy when it comes to the civilian contractors… and the contracting firms they belong to.

It is inevitable that many people are going to be upset with the NSA’s newly disclosed capabilities. Those previously mentioned vulnerable vendor product managers are probably working with their marketing and PR teams right now crafting indignant responses to the US government, whilst seeking to calm customer fears that their companies hadn’t been negligent in dealing with the vulnerabilities they knew about, and have never knowingly placed backdoors into their products (all of which could get a bit hand-wavy in the case of RSA and the $10m they supposedly received for weakening random number generators).

While many likely also fear that the NSA is out of control and needs to be reeled in through new legislative restrictions or the honing of existing laws – and I’m sure that much of the software industry is allocating additional funds to lobby against the hacking of their products – I think it is critical that folks take a step back and look around. The last six months of NSA leaks have certainly dumped a lot of the agency’s dirty linen on the pavement, but let’s be clear – the NSA (and by default, the US Government) aren’t the only ones to have invested in these kinds of cyber spying and espionage tools. I think you’d be hard pressed to find a country that isn’t already doing it. If you’re thinking that Pakistan’s ISI isn’t spying on India and exploiting their vulnerable computer systems, or that France’s DGSE isn’t doing the same to Chinese systems in Central Africa, then let me tell you about a bridge I’d like to sell you.

My fear is that the reaction to all these NSA disclosures will have legislators and committees curtailing many vital parts of the NSA’s capabilities – leaving the US high and mighty on the ethical front, but shackled and third-rate in areas of statecraft and cyber security.

In the meantime, if Q has a few of those Omega laser watches spare, I wouldn’t mind one as a late Christmas present. Ta very muchly. He can keep the Huawei backdoor – I’ve got one of those already.

— Gunter Ollmann, CTO IOActive Inc.

Article source: http://www.darkreading.com/attacks-breaches/nsas-tao/240165059

Gay hero super-boffin Turing ‘may have been murdered by MI5’


Legendary code-breaker and computing boffin Alan Turing – seen by many as the father of modern computing and credited with a huge contribution to the Allied victory in World War Two – may have been murdered by the British security services, it has been claimed.

“The government should open a new inquiry into the death of gay war-time code-breaker, mathematical genius and computer pioneer Alan Turing, including an investigation into the possibility he was murdered by the security services,” LGBTI*-rights campaigner Peter Tatchell stated last week in a press release.

The statement continues:

Although there is no evidence that Turing was murdered by state agents, the fact that this possibility has never been investigated is a major failing. The original inquest into his death was perfunctory and inadequate. Although it is said that he died from eating an apple laced with cyanide, the allegedly fatal apple was never tested for cyanide. A new inquiry is long overdue, even if only to dispel any doubts about the true cause of his death.

Turing was regarded as a high security risk because of his homosexuality and his expert knowledge of code-breaking, advanced mathematics and computer science. At the time of his death, Britain was gripped by a McCarthyite-style anti-homosexual witch-hunt. Gay people were being hounded out of the armed forces and the civil and foreign services.

In this frenzied homophobic atmosphere, all gay men were regarded as security risks – open to blackmail at a time when homosexuality was illegal and punishable by life imprisonment. Doubts were routinely cast on their loyalty and patriotism. Turing would have fallen under suspicion.

Mr Tatchell suggests that the “security services” would have feared that Turing might pass critical information to the Soviets, and would have sought to kill him for being homosexual and thus a security risk subject to blackmail. The reference to “security services” and counter-espionage suggests that he has specifically in mind the Security Service itself, also known as MI5 – or perhaps the Secret Intelligence Service (aka MI6), though that organisation is more focused on carrying out espionage abroad rather than preventing it at home.

The idea that British intelligence operatives can or do deliberately set out to assassinate British citizens with official sanction would seem to be poorly supported, other than in the case of certain military operations during the fighting in Northern Ireland. Even those would normally have been characterised for the record as combat operations rather than targeted killings. However, such accusations are often made: for example by biz kingpin Mohamed al-Fayed, who alleges that MI6 orchestrated the car crash in which his son Dodi and Princess Diana were killed.

Ironically perhaps, at the time when Mr Tatchell speculates that MI5 may have been murdering Alan Turing for being gay and possibly a Soviet agent, MI5 itself genuinely had been infiltrated at a high level by a ring of Soviet agents, some of whom were in fact gay.

Alan Turing recently received a posthumous Royal pardon for his conviction on charges of gross indecency (the charge used against gay male sexual activity during that era) in 1952. ®

*Lesbian, Gay, Bisexual, Transgender and Intersex


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/30/gay_hero_superboffin_turing_may_have_been_murdered_by_mi5/

Festive season spammers offer some cutting criticism to the Naked Security crew…

For a bit of festive season fun, we thought we’d look at some spam.

Long-term readers will know that we have a tongue-in-cheek list of spam categories, taking us well beyond just unsolicited email.

Over the years, we’ve added the following spam variants to our menagerie:

  • SPIT – spam using internet telephony
  • SPIM – spam over instant messaging
  • SPASMS – spam via SMS
  • SPATTER – spam via Twitter
  • SPEWS – spam through electronic web submissions

SPEWS, of course, often end up converted into emails and directed inwards by the form submission page on your webserver.

→ It’s generally a good idea to treat your web server as an untrusted email sender, even if it is inside your network, and to put any emails that it generates (especially if they might contain content entered online by someone outside your network) through your usual email filtering process.

SPEWS are also common on blogs and forums where commenting is allowed, not least because many forums allow web links to be entered into comments.

A site that can easily be tricked into re-publishing clickable links for free is a useful resource to spammers (or to bots working on their behalf).

That’s what the spammer was trying to do in the examples below.

We’re saying “spammer,” even though numerous IP addresses were used and a range of topics covered, because the “comments” we’ve chosen in this case all follow a very similar pattern.

The formula is pretty simple.

There’s a short, generic and not terribly grammatical burst of praise, like this:

An interesting discussion is worth comment. I think that you simply really should write a lot more on this topic, it could possibly not be a taboo topic but normally people aren’t sufficient to speak on such topics. To the next. Cheers.

Then there’s a URL.

It’s hard to imagine why anyone (except perhaps another spammer wanting to see what the competition was up to) would click on any of the URLs we’ve seen in this campaign, as the links have no relevance to computer security at all, let alone to the article on which they claim to be commenting.

Nevertheless, this spammer has been quite persistent in his or her flattery.

We “made certain nice points,” apparently:

There is noticeably a bundle to know about this. I assume you made certain nice points in features also.

And we received “a huge thumbs up,” too:

Hello! I just would like to give a huge thumbs up for the great info you have here on this post. I will be coming back to your blog for more soon.

Occasionally, the spammer gets rather caught up in it all, and bigs us up enormously:

Youre so cool! I dont suppose Ive read anything like this before. So nice to find somebody with some original thoughts on this subject. realy thank you for starting this up. this website is something that is needed on the web, someone with a little originality. useful job for bringing something new to the internet!

But once in a while, the flattery stops and we are confronted with criticism instead:

The next time I read a blog, I hope that it doesnt disappoint me as much as this 1. I mean, I know it was my option to read, but I really thought youd have some thing intriguing to say. All I hear is often a bunch of whining about something that you could fix if you happen to werent too busy looking for attention.

Ouch! Take that, Naked Security!

Perhaps the spammer hopes to be taken more seriously by unleashing some tough love in amongst the toadying remarks?

But what if we had approved the comment anyway, and retained the suspicious-looking URL it contained?

The URL that was added to this comment included the text string rolexwatches in its domain name, while the path part of the URL mentioned Air Jordan footwear.

That might seem a curious combination, but it was the footwear that was the sales goal this time.
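The praise-then-URL formula described above is exactly the kind of pattern a moderation queue can score before a comment is ever published. The following is an added example written for this page, not code from Naked Security or any blogging platform: it assigns points for an embedded link, for a link whose domain or path carries the sales keywords mentioned in this post (rolexwatches, Air Jordan), for generic flattery phrases lifted from the comments quoted above, for contractions written without apostrophes, and for having nothing in common with the article's own vocabulary. The phrase list, the topic terms, the sample comments and the hold threshold are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Links inside a comment body (http or https only).
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Generic flattery fragments taken from the comments quoted in the post (assumed list).
FLATTERY_PHRASES = (
    "huge thumbs up", "nice points", "so cool", "great info",
    "worth comment", "coming back to your blog", "original thoughts",
    "something new to the internet",
)

# Keywords seen in the campaign's link domain and path (from the post).
SALES_KEYWORDS = ("rolexwatches", "air jordan", "airjordan")

# Contractions with the apostrophe dropped, as in the quoted comments (assumed list).
MISSING_APOSTROPHE_RE = re.compile(
    r"\b(dont|doesnt|youre|ive|werent|im|cant|youd)\b", re.IGNORECASE)

# Vocabulary of the article being commented on (assumed for a security blog).
ARTICLE_TERMS = ("malware", "phishing", "password", "security", "spam",
                 "patch", "exploit")

# Comments scoring at or above this are held for a human (assumed threshold).
HOLD_THRESHOLD = 3


def score_comment(text, article_terms=ARTICLE_TERMS):
    """Return (score, reasons) for a comment body; higher means more spam-like."""
    reasons = []
    score = 0
    lowered = text.lower()

    urls = URL_RE.findall(text)
    if urls:
        score += 2
        reasons.append(f"contains {len(urls)} link(s)")
    for url in urls:
        parsed = urlparse(url)
        # Normalise separators so "air-jordan" and "air_jordan" match "air jordan".
        target = (parsed.netloc + parsed.path).lower()
        target = target.replace("-", " ").replace("_", " ")
        if any(k in target for k in SALES_KEYWORDS):
            score += 2
            reasons.append(f"link target mentions a sales keyword: {parsed.netloc}")
            break

    hits = [p for p in FLATTERY_PHRASES if p in lowered]
    if hits:
        score += len(hits)
        reasons.append("generic flattery: " + ", ".join(hits))

    if MISSING_APOSTROPHE_RE.search(text):
        score += 1
        reasons.append("contractions missing apostrophes")

    if not any(term in lowered for term in article_terms):
        score += 1
        reasons.append("no overlap with the article's topic")

    return score, reasons


def should_hold(text, article_terms=ARTICLE_TERMS):
    """True when the comment should wait for moderation instead of auto-publishing."""
    score, _ = score_comment(text, article_terms)
    return score >= HOLD_THRESHOLD


# Constructed sample comments: the first two reuse wording quoted in the post,
# with a made-up link in the style the post describes.
SAMPLE_COMMENTS = {
    "flattery_with_link": (
        "Hello! I just would like to give a huge thumbs up for the great info you "
        "have here on this post. I will be coming back to your blog for more soon. "
        "http://cheap-rolexwatches.example/air-jordan-sale"
    ),
    "criticism_with_link": (
        "The next time I read a blog, I hope that it doesnt disappoint me as much "
        "as this 1. http://cheap-rolexwatches.example/air-jordan-sale"
    ),
    "on_topic_no_link": (
        "Thanks, the phishing example in this post matches what we saw last week. "
        "Do you know whether the patch for this was released?"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLE_COMMENTS.items():
        score, reasons = score_comment(body)
        state = "HOLD" if should_hold(body) else "publish"
        print(f"{name}: score={score} -> {state}; " + "; ".join(reasons))
```

The scoring is deliberately additive and transparent so a moderator can see which signal fired; a link alone is not enough to hold a comment, but a link combined with canned praise or an off-topic body is. In practice the topic terms would be derived from the article text rather than fixed, and the flattery list would grow as new templates appear.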

Clicking the URL takes you to an astonishing piece of prose on a free blog hosting service:

Possibly me and my teammates aloof bought pairs from a abnormal shipment? One guy alternate them and exchanged them for the atramentous and blah colorway and had no troubles.

If you end up motivated to click through by the admittedly confusing text above, you will indeed be offered Air Jordans for sale:

And if you’ve had any misgivings about how you got this far, you can relax!

You’re on a secure site, at least according to the site itself:

And there you have it.

It seems that flattery alone doesn’t get you everywhere, after all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BrFlIUexN9A/