STE WILLIAMS

Monkeys with MUTANT BANANAS on the loose in nuclear research server farm

Do you let strangers wander round your server room?

Do you let them take detailed photographs as they go?

Do you let them publish those photographs afterwards, even for their own commercial benefit?

Thought not.

On the other hand, perhaps it doesn’t matter if you do all of those things.

After all, relying too much on security through obscurity – for example when you rely on trade secrecy rather than strong cryptography to protect an asset – has always been a risk.

Let’s hope it doesn’t matter for CERN, the European Organization for Nuclear Research that straddles the French/Swiss border.

(The C in the acronym was retained when it changed from a Conseil to an Organisation nearly 60 years ago, on the grounds that OERN sounded, well, a lot less hip.)

Ironically, CERN is probably as well-known amongst geeks for being the place where the World Wide Web was invented as it is for being the home of the Large Hadron Collider (LHC), a 27km-long circular tunnel used for smashing together sub-atomic particles.

Because they can!

Anyway, in the same spirit of research openness that led to the Web, CERN has let Google Street View – on foot, or with some kind of hand cart, one assumes, rather than in a car or on a bicycle – into its server farm.

YOU ARE IN A MAZE OF SERVERS, ALL ALIKE. 
A TEMPERATURE SENSOR 
DANGLES DUBIOUSLY FROM ABOVE. 
EXITS LEAD: EAST, WEST

 read temperature

THE TEMPERATURE IS 296 KELVIN

 go west

YOU ARE IN A MAZE OF SERVERS, ALL ALIKE. 
SOME OF THE SERVER NAMES ARE OBSCURED. 
SOME ARE NOT.
LOOKS LIKE GOOGLE'S BLURRING ALGORITHM
NEEDS SOME WORK.
EXITS LEAD: EAST, WEST

 go west

YOU ARE IN A MAZE OF SERVERS, ALL ALIKE. 
A PLASTIC MONKEY IS HOLDING A 
LUDICROUSLY OUT OF SCALE BANANA. 

EXITS LEAD: EAST, WEST

 take banana

THE MONKEY WILL NOT LET GO OF THE BANANA.

 take monkey

YOU CAN'T DO THAT.

 take screenshot

TAKEN.

There really is a monkey holding a giant bananarang, or perhaps it’s a boomerana, on one of the server racks, along with 19 other LEGO figures scattered around the place where Street View recorded them for posterity.

Find any three of them, send in screenshots, and you could win an item of modest value from CERN’s gift catalogue.

You could go for a CERN-branded USB stick, for example, or my personal favourite, an umbrella featuring an image of the Compact Muon Solenoid, one of the particle detectors installed into the LHC to help find interesting subatomic stuff.

(I assume it is the muons that are compact, not the solenoid itself, which is 25m long, 15m in diameter and has a mass of 12,500,000kg.)

Monkeys wielding giant fruits, in the server room, over the holiday season!

You know it makes sense!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Vx2NDVXL0Sk/

Spammers take over Twitter Trends with sexy hashtags

’Twas the week before Christmas, when all through Tweetland, London saw some odd hashtags, sent out from spam brands.

According to the Guardian, Londoners awoke on Friday morning to find their automatically generated trending topics lists stuffed with sexy tags.

Namely, spammers used Twitter algorithms to their advantage in order to flood the site with the hashtags #escort, #massage and #adultprofile, the Guardian reports.

As of Saturday, the pre-holiday hijinks had apparently run their course, with trending topics in London having reverted to plain old non-sexy themes.

The Guardian pointed to a post by Twitter CEO Dick Costolo, who had previously admitted that offensive topics such as #reasons…beat…girlfriend are edited from the trending list.

Twitter explains that trends are determined by an algorithm and are tailored for users based on whom they follow and their location.

The algorithm lives in the “now”: topics that are immediately popular, rather than topics that have been popular for a while or on a daily basis, rise to the surface, so that hot, emerging topics of discussion bubble up.

Hot, indeed, given these particular hashtags.

The Guardian reports that spammers took advantage of the algorithm by cluster-tweeting from new accounts in rapid succession.

At the time the Guardian posted its writeup, the hashtags #escort, #adultprofile, and #massages were still trending after at least 4 hours on the top ten list.

Those topics eventually must have lost their “breaking news” status, the news outlet suggested.

#HappyFestivus, and hopefully you didn’t #clicksexylinks@work and thereby #getintrouble!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bN-4J9xR2m0/

Polish programmers jailed for 5 years for DDoS and cyber-extortion of online casino

Two online gaming programmers from Poland have been jailed for trying to cyber-extort the owner of an online marketing company based in Manchester, UK, and the CEO of an unnamed US internet software platform company that hosts online companies.

Greater Manchester Police on Wednesday said in a statement that the duo initially tried to shake down the Manchester business owner and that the US business got into the act as part of an elaborate sting.

(The Register and Sky News have identified the Manchester business as being a casino, although the police report identifies it as an online marketing company.)

The blackmailers demanded a 50% cut of their UK victim’s company – a 65-person, nearly £30 million ($48.6 million) business – lest they knock it offline with the help of a “notorious computer hacker” they knew who could unleash a distributed denial-of-service (DDoS) attack.

In what they called the first prosecution of its kind, police set up a complicated sting that concluded with the seizure of the two programmers at a bugged room in the luxury Sofitel hotel at Heathrow Airport.

Piotr Smirnow, 31, of Warsaw, Poland, and Patryk Surmacki, 35, of Szczecin, Poland, pleaded guilty at Manchester Crown Court to two offences each of blackmail and one offence of unauthorised acts on computers under the Computer Misuse Act 1990.

Both men were sentenced on Wednesday to five years and four months in prison.

The Register reports that both of the men are programmers who worked in the online gaming business.

Police say that the pair knew their UK target because they all worked in the same line of business.

On 23 July, police say that Smirnow contacted the victim and asked to meet him to talk about “a business proposition”.

The victim initially declined, but Smirnow finally talked him into meeting with himself and Surmacki at Heathrow Airport Terminal 5.

Once all arrived at the terminal, the pair revealed the details of the “proposition”: if their target didn’t give them a 50% share of his business, they’d enlist the services of a US hacker named “Wapo”, Sky News reports.

First, the hacker would shut down the Manchester business, they said. They’d move the business to a separate server, attack the platform server, and corner the market with the original firm.

Police said that the victim at some point turned on his mobile device and started to record the conversation. In order to buy time, he agreed to meet with the extortionists’ hacker.

After the meeting, the victim called the police, who in turn called in the National Crime Agency.

Smirnow called his victim within a few days, offering a meeting with the hacker in Kiev, Ukraine.

During a final call with Smirnow, the victim said he declined, explaining that he was frightened of flying to Kiev.

Several days later, on 2 August, Smirnow and Surmacki made good on their threat.

They unleashed the DDoS attack, shoving the targeted company’s servers offline and keeping customers from using the site for 5 hours.

Police say that the DDoS cost the company around £15,000 ($24,300).

According to Sky News, the duo paid the US hacker £12,000 ($19,440) for the attack.

That’s when the second victim, the CEO of the US-based platform server, got involved, as he attempted to mediate between the crooks and their victim.

The CEO spoke to Smirnow over Skype, at which point, the police say, the blackmailer admitted to the DDoS attack, saying it was triggered because another customer had failed to pay him as promised.

Smirnow told the CEO that he felt entitled to take down the platform unless they handed over operations to him.

Smirnow said he hadn’t contacted the Manchester business owner before the attack was launched because he wanted to show off his cyber-brawn and that the pair could take down every site on the platform if the victim refused to comply with their demands.

The police quoted Smirnow from the Skype conversation:

We offered him something that would keep his business alive and he refused the deal. He has problem now. You have to understand last time we tried diplomacy, we talked, did call, meet, etc. After that we understand only power talks in this world, now we have enough power so people can’t try to push us around anymore.

The US CEO agreed to meet the duo at the Heathrow Airport hotel on 7 August.

They all went into the bugged room, where more threats and admissions to pulling the DDoS ensued.

The pair said they wouldn’t stop until they got the code for the CEO’s business.

The CEO refused. The extortionists got annoyed, promising that now they were “going to war”.

The CEO asked for a break, at which point the two Polish men left the room, walking into the waiting arms of the police, who’d been listening in on the conversation and who promptly arrested them.

The Greater Manchester Police were assisted by the National Crime Agency and the Crown Prosecution Service throughout the operation, they said.

Detective Inspector Chris Mossop, of the Serious Crime Division, said in the police statement that cyber extortion is an emerging global cyber threat:

Denial of service attacks have become increasingly common offences in recent years and can have a devastating effect on the victim’s online business. With millions of pounds and potentially dozens of jobs involved, Smirnow and Surmacki were playing for incredibly high stakes and clearly knew what they were doing.

They used their intimate, expert knowledge of on-line business to attempt to bully the victims into submission. But make no mistake, they may have been using the latest technology, but this was simply good old-fashioned blackmail. They behaved like a couple of sinister playground bullies who thought they could use the threat of financial annihilation to extort compliance from these companies. But their greed was ultimately their downfall as they failed to reckon with the victims’ bravery in the face of extreme intimidation.

The UK victim, for his part, said that fear motivated his bravery:

This case made me fear for my personal safety as well as for the future of my business. Which is why I felt compelled to take action against the perpetrators. No-one should have to succumb to blackmail and this sentence should act as a warning to those involved in cyber extortion that the police and the courts will view this type of conduct very seriously.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/REn2Aa0XKCM/

We don’t need no STEENKIN’ exploit brokers: Let’s FLATTEN all bug bounties


Security watchers are proposing the introduction of “flat rate” bug bounties by software vendors to try to stop vulnerability researchers from flogging off flaws to exploit brokers or on the black market.

They believe that the current situation is bad for security, and means that vulns often end up in the hands of criminals – or governments, which may not necessarily be that keen to reveal they have new prying capabilities, as recent revelations have proven.


Stefan Frei, research director at NSS Labs, has put out a manifesto suggesting bug bounties be set at the level of $150k per exploit found, irrespective of their severity. The idea of the reward, which needs to be substantial to have any effect, is to encourage vulnerability researchers to choose to get paid for their work by the software vendor rather than selling their discoveries to exploit brokers or computer security grey markets.

The International Vulnerability Purchase Program (IVPP) would pay above the current going rate for flaws, as Frei explains in a recent whitepaper. “It is time to examine the economics of depriving cyber criminals’ access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices,” Frei argues. “Security depends largely on ethical researchers reporting vulnerabilities under the practices of coordinated disclosure. Meanwhile, the black market is expanding rapidly and offering large rewards for the same information. Traditional approaches based on ‘more of the same’ cannot deliver better overall security.”

Vendors’ paltry rewards are not helping

Bug bounty programmes have become fairly commonplace across the IT industry over recent years. Google’s bug bounties are among the best known, but they are just one set of examples among many across the IT biz, all offering varying levels of financial reward, almost all offering thousands rather than the six-figure sum Frei suggests.

The schemes reward researchers for reporting flaws to vendors, rather than hawking them through exploit brokers or vulnerability marketplaces. Governments are the biggest buyers of exploits and the US government is widely reported to spend the most, reportedly using the security vulnerabilities it acquires to run targeted attacks, mostly through its TAO (Tailored Access Operations) elite hacking squads.

The NSS proposal calls for the use of government regulation to formalise and mandate software developers’ bug bounty programmes. Many in the security industry would be instinctively opposed to government intervention on ideological grounds alone, even before we consider whether a compulsory bounty scheme would help in practice.

Investigative journalist Brian Krebs weighed into the debate in support of Frei via a post to his Krebs On Security blog.

“The market for finding, stockpiling and hoarding (keeping secret) software flaws is expanding rapidly,” Krebs explains. “Vendor-driven ‘bug bounty’ programmes which reward researchers for reporting and coordinating the patching of flaws are expanding, but currently do not offer anywhere near the prices offered in the underground or by private buyers.”

Perfect market, imperfect outcomes

Krebs reckons the market can’t be relied upon to come up with a more secure software ecosystem essentially because improved security is not tied to profitability.

“Software security is a ‘negative externality’: like environmental pollution, vulnerabilities in software impose costs on users and on society as a whole, while software vendors internalize profits and externalise costs,” Krebs writes. “Thus, absent any demand from their shareholders or customers, profit-driven businesses tend not to invest in eliminating negative externalities.”

The whole scheme would be affordable, they claim. If Oracle were to pay researchers top dollar ($150,000) for each of the 427 vulnerabilities it fixed last year, that would still come to less than two-tenths of a per cent of the company’s annual revenues ($67m out of $37bn in revenues).

Freebie antivirus firm Malwarebytes is more equivocal about the utility of compulsory software bug bounties.

“Paying $150k for bug bounties would help the industry because more professional vulnerability researchers would opt to go the white hat route,” writes Adam Kujawa, chief of Malwarebytes’ malware intelligence team. “The other side of the coin is that companies would most likely rather employ full-time vulnerability researchers, paying them a salary to find bugs in the software, rather than paying out $150k times however many bugs they have.”

Kujawa reckons a kitemark scheme, a federally approved industry seal for software testing, would offer an alternative means of weeding out security bugs from the software ecosystem. He also mentions holding software developers financially liable for exploits and data loss that can be blamed on the security shortcomings of their products as another way to go. Of course, security breaches aren’t always the result of buggy software, as Kujawa notes.

Many security breaches are actually a result of social engineering (eg, tricking someone into handing over their passwords or opening an infectious email attachment) and/or web attacks by hackers, which also play a massive role in the lamentable state of web security.

Robert Graham, chief exec of Errata Security, told Krebs that while he supports the idea of vendors offering bug bounties he’s against government-mandated and regulated schemes.

“The amount we’re losing from malicious hacking is a lot less than what we gain from the free and open nature of Internet,” Graham said. “And that includes the ability of companies to quickly evolve their products because they don’t have to second-guess every decision just so they can make things more secure.”

Graham’s perspective was endorsed by other security researchers including Jeremiah Grossman, founder and CTO of WhiteHat Security (here), and others. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/23/compulsory_bug_bounties/

RSA comes out swinging, denies taking NSA’s $10m to backdoor its crypto


RSA has categorically denied allegations stemming from Edward Snowden’s latest whistleblowing – specifically, the claim that it took US$10m from the NSA in exchange for using the “known flawed” Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in its products.

The EMC-owned security outfit said it started using Dual EC DRBG by default in 2004. But, by 2007, the algorithm was found to effectively have a backdoor that weakened the strength of any encryption that relied on it, making life easier for snoops. The NSA, which championed Dual EC DRBG, is accused of orchestrating the derailment of the random number generator during its development.


In a strongly worded blog post today, RSA said “we categorically deny [the] allegation” it knew Dual EC DRBG was deliberately knackered, and goes on to offer four reasons for its choice of random number generator, namely:

  • We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
  • This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
  • We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
  • When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.

The post concludes with the following statement:

RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

Meanwhile, Joseph Menn, the Reuters writer who broke the original news, stands by his story. Over to you, Mr Snowden. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/23/snowden_is_a_liar_and_we_never_fiddled_crypto_says_rsa/

The OpenSSL software bug that saves you from surveillance!

Bugs in pseudorandom number generators (PRNGs) are usually cause for concern, at least in cryptographic circles.

There have been numerous examples over the years.

We had the Debian “code fix” that removed all but 15 bits’ worth of unpredictability from the random generator used to secure OpenSSH.

We had the CryptoCat bug that caused zeros to turn up about 0.4% too often.

And recently we had a cryptographic design flaw in Drupal that saw the wrong sort of random generator used in the wrong sort of way.

But this story is different.

It’s the curious case of the OpenSSL randomness bug with a happy ending!

The beginning

The story starts back in 2006, when the US National Institute of Standards and Technology, better known as NIST, first released its Special Publication SP800-90A.

This document presents four algorithms for generating cryptographically strong random numbers.

→ NIST doesn’t call the algorithms PRNGs, presumably to get rid of the rather unscientific term pseudo. It calls them DRBGs instead, short for deterministic random bit generators.

Three of NIST’s DRBGs are conventional: two of them use cryptographic hashes internally to mash up a soup of pseudorandom bits, while the third uses a symmetric block cipher (Triple-DES or AES) with a similar result.

The fourth algorithm, which goes by the redolent name of the Dual Elliptic Curve Deterministic RBG (Dual EC DRBG), is a bit different.

Indeed, it is sufficiently different that it aroused the suspicion of cryptographers almost at once.

Here’s why.

Suspicions aroused

Imagine that you make your pseudorandom soup by repeatedly mixing up some starting data, not with a symmetric block cipher or a cryptographic hash, but with a randomly-generated public key for a public key encryption algorithm.

(This isn’t an accurate high-level description of how the Dual EC algorithm works, but it will do as a sort of analogy to explain why cryptographers were suspicious.)

You’d probably accept that the public key encryption aspect could serve as a one-way function, just like a cryptographic hash, provided that the associated private key had been destroyed.

Bear in mind that this is an inexact analogy and an imprecise explanation…

…but now ask yourself, “What if NIST kept something analogous to a private key up its sleeve?”

What if NIST surreptitiously retained algorithmic secrets that weakened the Dual EC DRBG, without telling anyone?

That would create a loophole that might make the DRBG not merely deterministic, but predictable, even to an attacker who could do no more than monitor the algorithm’s output.
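The analogy above can be made concrete. The following toy implementation is an added illustration, not code from OpenSSL, RSA or NIST: it follows the Dual EC construction from SP800-90A (state s, r = x(s·P), next state x(r·P), output x(r·Q) with some bits dropped) on a small constructed curve, where the “public” point Q, the point P = d·Q and the trapdoor scalar d are all made up here. Whoever holds d recovers the internal state from two consecutive outputs and predicts every later one, which is why the provenance of the standard’s fixed points, and NIST’s withdrawal of the algorithm, matter.

```python
# Toy Dual EC DRBG with a known relation P = d*Q between its two points.
# Constructed example for illustration; the real standard uses NIST P-256 and
# points whose generation was never explained. Nothing here is OpenSSL's code.

PRIME = 2**61 - 1          # field prime, 3 mod 4, so sqrt is one exponentiation
A, B = -3, 7               # curve y^2 = x^3 + A*x + B over GF(PRIME)
TRUNCATE_BITS = 8          # the real algorithm drops 16 bits per output; we drop 8
INF = None                 # point at infinity (group identity)


def ec_add(p1, p2):
    """Affine point addition, handling the identity and the doubling case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:   # P + (-P), or doubling a 2-torsion point
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if x is not on the curve."""
    rhs = (x**3 + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if y * y % PRIME == rhs else None


def first_point_from(x):
    """Deterministically pick the first curve point with x-coordinate >= x."""
    while True:
        pt = lift_x(x)
        if pt is not None:
            return pt
        x += 1


# Constructed points: Q plays the role of the standard's Q; P is d*Q, and the
# trapdoor scalar d is the "private key" the analogy in the article worries about.
Q = first_point_from(2)
TRAPDOOR_D = 0x5EED0123456789
P = ec_mul(TRAPDOOR_D, Q)


def dual_ec_outputs(seed, count):
    """Toy Dual EC DRBG: s -> r = x(s*P); s' = x(r*P); output = x(r*Q) >> bits."""
    s = seed
    outputs = []
    for _ in range(count):
        r = ec_mul(s, P)[0]
        s = ec_mul(r, P)[0]
        outputs.append(ec_mul(r, Q)[0] >> TRUNCATE_BITS)
    return outputs


def predict_from_two_outputs(t1, t2):
    """Given two consecutive outputs and knowledge of d, recover the state that
    followed t1, confirm it against t2, and return the predicted third output.
    Returns None if no candidate fits (cannot happen for a genuine output pair)."""
    for low in range(1 << TRUNCATE_BITS):
        x = (t1 << TRUNCATE_BITS) | low            # undo the truncation by guessing
        if x >= PRIME:
            break
        R = lift_x(x)                              # R = +-(r*Q); the sign is irrelevant
        if R is None:
            continue
        s_candidate = ec_mul(TRAPDOOR_D, R)[0]     # d*(r*Q) = r*P, i.e. the next state
        r = ec_mul(s_candidate, P)[0]              # run the generator forward one step
        if ec_mul(r, Q)[0] >> TRUNCATE_BITS != t2:
            continue                               # wrong guess for the dropped bits
        s_next = ec_mul(r, P)[0]
        r2 = ec_mul(s_next, P)[0]
        return ec_mul(r2, Q)[0] >> TRUNCATE_BITS   # the third output, before it is emitted
    return None


def demo(seed=0x123456789ABC):
    """Observe two outputs, predict the third, and return (observed, predicted)."""
    observed = dual_ec_outputs(seed, 3)
    return observed, predict_from_two_outputs(observed[0], observed[1])
```

The other three SP800-90A generators mix state through a hash or block cipher and have no such pair of related constants, which is why the concern is specific to Dual EC.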

Was there a backdoor?

That worrying question led to several well-known cryptographers, notably Dan Shumow and Niels Ferguson of Microsoft, openly wondering, back in 2007, whether this flaw was actually a deliberate back door in the NIST standard.

Fast forward five years, of course, and revelations by ueberwhistleblower Edward Snowden about surveillance shenanigans by the National Security Agency (NSA) have led to reports that as good as state the backdoor concern as a fact.

Other recent reports intriguingly claim that the NSA paid security company RSA $10,000,000 to prefer the use of the questionable Dual Elliptic Curve generator in its software.

→ Cryptographers have long wondered why anyone would use the Dual EC algorithm at all, even if its other shortcomings were ignored, because it is much less efficient than the others. According to Bruce Schneier, who also raised the question of a deliberate backdoor back in 2007, the Dual EC DRBG is about 1000 times slower than its more conventional cousins from SP800-90A.

Perhaps most tellingly of all, NIST itself recently and officially disowned Dual EC mode, recommending that you avoid it because:

recent community commentary has called into question the trustworthiness of [the] default elliptic curve points [used in the algorithm].

How big is the problem?

With this in mind, experts have been wondering how much software out there in the real world is using the Dual EC DRBG, and potentially vulnerable to cryptographic manipulation as a result.

OpenSSL, for example, one of the most widely-used encryption libraries, implements all four of the SP800-90A algorithms, ironically as part of achieving what is known as FIPS 140-2 certification.

And here is the happy ending.

Despite passing FIPS 140-2 tests many times over the years, the OpenSSL implementation of Dual EC DRBG is buggy.

Not just buggy, but totally broken and busted.

Simply put, it cannot be made to work in real-world software, and the fact that it has taken years for anyone to notice makes it reasonable to assume that no real-world software has ever even bothered to use it.

In the words of the OpenSSL Foundation itself, “We have no plans to fix this bug.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dh64YNuXdhg/


How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report


The mystery of why RSA would use a flawed, NSA-championed algorithm as the default random number generator for several of its encryption products appears to be solved, and the answer is utterly banal, if true: the NSA paid it to.

Reuters reports that RSA received $10m from the NSA in exchange for making the agency-backed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) its preferred random number algorithm, according to newly disclosed documents provided by whistleblower Edward Snowden.


If that figure sounds small, that’s because it is. Tech giant EMC acquired RSA for $2.1bn in 2006 – around the same time as the backroom NSA deal – so it seems odd that RSA would kowtow to the g-men so cheaply.

But according to Reuters, at the time, things weren’t looking so good for the division of RSA that was responsible for its BSafe encryption libraries. In 2005, those tools brought in a mere $27.5m of RSA’s $310m in annual revenue, or just 8.9 per cent.

By accepting $10m from the NSA, as Reuters claims, the BSafe division managed to increase its contribution to RSA’s bottom line by more than a third.

It wasn’t long after RSA switched to Dual EC DRBG as its default, however, that security experts began to question whether this new algorithm was really all it was cracked up to be. In 2007, a pair of Microsoft researchers observed that the code contained flaws that had the potential to open “a perfect backdoor” in any encryption that made use of it [PDF].

Such concerns remained largely within the province of security experts until earlier this year, when documents leaked by Snowden confirmed the existence of NSA-created backdoors in encryption based on RSA’s technology.

In late September, RSA itself even warned its customers that they should choose a different cryptographically secure random number generator while it reviews its own products for potential vulnerabilities. OpenSSL, the software library used by countless applications to perform encryption and decryption, has also written off Dual EC DRBG. How the NSA came to be involved with the algorithm is discussed in detail here by computer security expert Bruce Schneier.

For its part, however, RSA maintains that it never conspired with the NSA to compromise the security of its products, and that if the government knew how to break RSA’s encryption, it never let on.

“RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products,” the company wrote in a canned statement. “Decisions about the features and functionality of RSA products are our own.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/21/nsa_paid_rsa_10_million/

Worried OpenSSL uses NSA-tainted crypto? This BUG has got your back


As fears grow that US and UK spies have deliberately hamstrung key components in today’s encryption systems, users of OpenSSL can certainly relax about one thing.

It has been revealed that the cryptography toolkit – used by reams of software from web browsers for HTTPS to SSH for secure terminals – is not using the discredited random number generator Dual EC DRBG.


And that’s due to a bug that’s now firmly a WONTFIX.

A coding flaw uncovered in the library prevents “all use” of the dual elliptic curve (Dual EC) deterministic random bit generator (DRBG) algorithm, a cryptographically weak algorithm championed by none other than the NSA.

No other DRBGs used by OpenSSL are affected, we’re told.

“The nature of the bug shows that no one has been using the OpenSSL Dual EC DRBG,” Steve Marquess of the OpenSSL Software Foundation wrote yesterday in a mailing list post. He credited the find to Stephen Checkoway and Matt Green of the Johns Hopkins University Information Security Institute.

The bug in fips_drbg_ec.c can be fixed with a one-line change so that the Dual EC DRBG state is updated and its output used. It is a rare example of a software screwup that has beneficial side-effects.

Cryptographers have harboured suspicions about Dual EC DRBG for at least six years. The technology was disowned [PDF] earlier this year by US government tech standards body NIST, and people were warned by RSA, EMC’s security division, to ditch the algo.

Computer scientists have come to believe that the algorithm’s design was crippled during its development, effectively creating a backdoor [PDF] so that encryption systems that relied on it could be easily cracked. Such encryption systems rely on cryptographically secure random number generators to make them extremely hard to predict.

Given that Dual EC DRBG is “pretty much toxic for any purpose”, we’re told, there are no plans to fix the OpenSSL bug; doing so would be far more trouble than it’s worth. The best, and most straightforward, resolution of the problem is to snub the technology, which until recently came with a US government endorsement.

“A FIPS 140-2 validated module cannot be changed without considerable expense and effort, and we have recently commenced that process of entirely removing the Dual EC DRBG code from the formally validated module,” Marquess added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/20/openssl_crypto_bug_beneficial_sorta/

Silk Road 2.0 busted! At least two arrests as federal crackdown begins


If drugs traffickers thought the anonymous online black market calling itself Silk Road 2.0 would be any safer from law enforcement than the original, it looks like they had better think again.

According to reports by Forbes and TechCrunch, the FBI have made “multiple arrests” of people believed to be involved with Silk Road 2.0 in a crackdown spanning at least two countries.


Silk Road 2.0 forum moderators going by the handles “Inigo” and “Libertas” were reportedly arrested in Virginia and Wicklow, Ireland, respectively.

A woman identified as the girlfriend of Inigo reportedly said that police told her that they were making simultaneous arrests of the site’s users “all around the world.”

The FBI has since confirmed to Forbes that it had moved against the encrypted marketplace, but it did not disclose the names of any of the people cuffed, or how many arrests had been made in all.

US authorities shut down the original Silk Road in October following the arrest of San Francisco man Ross Ulbricht, who is now awaiting trial in New York on charges that he created the site and profited from it for nearly three years.

In the process, authorities seized several Bitcoin wallets that they claimed belonged to operators and users of the site – a haul of illicit funds worth around $30m.

It wasn’t clear at the time how law enforcement managed to achieve this since Silk Road routes its network traffic through the Tor service, which is supposed to make it easy for users to cover their tracks and work anonymously.

But in a post to the user forums of Tor Market – a competing site to Silk Road 2.0 – a user who is believed to be Inigo suggested that authorities may have a far better view into the workings of the online marketplace than anyone previously suspected:

Guys I was arrested yesterday and out on bond now. But something is fucked! I know I’m risking more warning you guys and my attorney doesn’t even want me on the internet but you guys need to know this. When I was in the interview they showed me all sorts of shit that they should not know or have access to … Something is definitely wrong and they have the ability to see things on here only mods or admins should like transfers and a dispute I had.

Prosecutors are still sifting through information gleaned from the original Silk Road bust to bring further cases against alleged drug traffickers, including four accused methamphetamine dealers who were charged in Oregon this week.

But many former Silk Road users seem undeterred by the recent police attention. A group of them wasted no time in launching Silk Road 2.0 following Ulbricht’s arrest, complete with a new site admin taking on Ulbricht’s alleged former moniker of “the Dread Pirate Roberts,” or “DPR” for short.

The identity of this new DPR is still unknown. But on Friday he issued a statement to Silk Road 2.0 users saying the site had not been compromised by the recent arrests, since neither of the forum moderators that were charged had access to sensitive material. He further said he would make another announcement to address users’ concerns soon. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/20/silk_road_2_arrests/