STE WILLIAMS

Bizarre Tolkien-inspired GCHQ Xmas card CAN’T BE READ by us PLEBS


I have just received, from the Dark Web, a samizdat copy of GCHQ’s Xmas card complete with cartoon from Chris Slane. The references (see below) provide a download of the complete Xmas card, which presumably can be printed out on cardboard in hard copy.

I think we can assume that the card is genuine as it contains the exemption notice from the FOIA regime which I came across when I sought access to an unrestricted document (“HMG IA Standard No.6: Protecting Personal Data and Managing Information Risk”).


The exemption under FOIA means that although the Xmas Card is information originating from GCHQ, posted insecurely in the ordinary post, and is clearly marked “unrestricted”, the taxpayer who pays for the Card cannot get a copy under FOIA (just like the HMG No 6 standard).

The card also contains a poem which is a parody of the poem which describes all 20 Rings of Power, as found in Tolkien’s book (the Lord of the Rings). The Poem goes as follows:

                    The Terror Bytes of Power

Two terabytes per day to retain all Google searches

Five keeps the content from surveillance perches

Seven for Skype when one speaks to mates

Twelve stores the traffic which flows to the States

And in the darkness where the watchers are

Few laws to obey; nor rules that bar

And for privacy let the protection die

In a secret state where the shadows lie.

In the meantime, the Advocate General (the leading legal advisor to the European Court of Justice) has asked the European legislature to re-draft the Data Retention Directive, which requires the metadata of all electronic communications to be retained for two years, as being in breach of Article 8 of the ECHR (right to a private and family life). This, of course, has been known to most of us for ages.

However, I want you to think about the Snowden revelations and then look at what the Advocate General points out in this regard. He says that the use of telecoms data in accordance with the Data Retention Directive:

  • “may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.”
  • “There is, moreover, an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious”.
  • “Indeed, the data are not retained by the public authorities, or even under their direct control, but by the providers of electronic communications services themselves. Nor does the Directive provide that the data must be retained in the territory of a Member State. They can therefore be accumulated at indeterminate locations in cyberspace”.

The European Union legislature:

  • “should, in particular, have provided a more precise description than ‘serious crime’ as an indication of the criminal activities which are capable of justifying access of the competent national authorities to the data collected and retained”.
  • “should have guided the Member States’ regulation of authorisation to access the data collected and retained, by limiting access, if not solely to judicial authorities, at least to independent authorities, or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary”.
  • “could have been expected to lay down the principle that Member States may provide for exceptions preventing access to retained data in certain exceptional circumstances or may prescribe more stringent requirements for access in situations in which access may infringe fundamental rights guaranteed by the Charter, as in the context of the right to medical confidentiality”.
  • “should have established the principle that the authorities authorised to access the data are required, first, to erase them once their usefulness has been exhausted and, second, to notify the persons concerned of that access, at least retrospectively, after the elimination of any risk that such notification might undermine the effectiveness of the measures justifying the use of those data”.

The Advocate General has not found, “in the various views submitted to the Court of Justice defending the proportionality of the data retention period, any sufficient justification for not limiting the data retention period to be established by the Member States to less than one year” (AG emphasis).

So it looks as if the year is ending on a powerful note for those who think that privacy needs an uplift in data protection; one hopes the powers that be are listening and effective changes to the protection afforded when we use the Internet will appear in the New Year.

On that optimistic note, I say have a happy holiday and recharge your batteries for what should be an eventful year. We do live in “interesting times”.

References

My run-in on S.23 for FOIA (information originating from GCHQ)

The GCHQ Xmas Card can be downloaded from the Amberhawk Training website here (PDF).

Advocate General Press Statement here

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/20/bizarre_gchq_xmas_card_poem_hawktalk/

Using NetFlow Data For More Robust Network Security

While NetFlow data may traditionally be seen as a network infrastructure tool, smart security teams can get tons of benefits out of the collection of IP traffic statistics, too.

“Security professionals should consider every NetFlow and IPFIX router a security camera that allows them to go back in time and investigate suspect traffic reported by any number of security appliances,” says Michael Patterson, CEO of Plixer.

According to Dr. Vincent Berk, CEO of FlowTraq, security pros may have to battle to get their hands on the data if other infrastructure people—the ones responsible for moving packets but not securing them—are at all territorial. But it is worth the effort.

“This has created a climate where security professionals have increasingly had trouble getting their hands on streams of NetFlow throughout their organizations,” Berk says. “However, the advanced values that a security professional can get from NetFlow is enormous. Patterns of traffic, such as scans, worm-propagation behavior and brute-force password attacks show up very clearly in NetFlow. So do DDoS attacks.”


According to experts, just as log data analysis and SIEM help contextualize security events, so too can NetFlow data offer a safety net for catching unwanted behavior.

“Understanding who is talking to whom; how they are talking; and for how long; can all add a much needed dimension to network situational awareness,” says Matt Webster, CTO for Lumeta.

NetFlow analytic data is particularly good at detecting anomalous “hot-spots” of activity that could indicate existing issues or an active breach, says Jody Brazil, president and CTO of FireMon.

“For example, NetFlow data can be leveraged to isolate compromised hosts by identifying those communicating with botnet command and control machines, or to highlight those hosts utilizing unusual ports,” Brazil says.

Similarly, NetFlow data can also help spot malicious server behavior indicating compromise there, says Nicole Pauls, director of product management at SolarWinds.

“It can help monitor for unexpected or unwanted server activity – since servers are going to have more well-known behavior patterns – looking for volume, ports and destinations unknown,” Pauls says.

Brazil also says that NetFlow data can offer enough visibility into traffic to see how cloud-based applications are being used by showing which applications are being accessed over the network at any given time. This can be a huge benefit for security teams seeking to sniff out rogue IT functions that may not be handling data in a secure or compliant manner. And speaking of compliance, NetFlow data can also offer solid documentation to prove compliance with network-related security policies.

“Since flow data can be archived indefinitely, in many cases it allows companies to provide demonstrable evidence of IT compliance with internal governance policies, external regulations, and industry best practices,” he says.

As organizations seek to up their security game through NetFlow data, Berk offers some friendly advice—don’t just look at traffic at the network edge.

“People that only look at their border traffic will miss large ranges of visibility on what is happening inside the network,” he says. “Data exfiltrations, theft and other intelligence gathering may be going on inside the network, and you will never see it if you only grab the NetFlow from your border devices. Deploy far and wide.”

Of course, as with any security data stream, NetFlow data could pose the potential of overwhelming a security analyst. But there are ways to winnow down the stream and sift through that information to make it useful.

“One of the big challenges with NetFlow is that it can be like trying to watch every CCTV camera in a large city – it’s overwhelming to consume, and most of the data is pretty boring,” says Dwayne Melancon, CTO of Tripwire. “Smart enterprises are watching suspicious changes in system state as a filter for NetFlow data – they monitor configuration changes, new executable ‘payloads’ showing up on a system, new listening ports being opened and then use that to focus on NetFlow.”
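The detections the interviewees describe (scan patterns, hosts talking to known command-and-control addresses, servers stepping outside their well-known behaviour, and Melancon’s idea of using system-state changes as a filter) are straightforward to express over flow records. The following is an added example written for this page, not code from Dark Reading or from any of the vendors quoted: it runs over a small, constructed NetFlow-style CSV export. The addresses, the server baseline, the indicator list and the scan threshold are all made up for the illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style CSV export (not real traffic). Columns: source,
# destination, destination port, protocol, packets, bytes, TCP flags.
SAMPLE_FLOWS = """\
src,dst,dport,proto,packets,bytes,flags
10.0.0.5,10.0.0.20,22,tcp,1,60,S
10.0.0.5,10.0.0.21,22,tcp,1,60,S
10.0.0.5,10.0.0.22,22,tcp,1,60,S
10.0.0.5,10.0.0.23,22,tcp,1,60,S
10.0.0.5,10.0.0.24,22,tcp,1,60,S
10.0.0.5,10.0.0.25,22,tcp,1,60,S
10.0.0.9,10.0.0.20,443,tcp,40,12000,SA
10.0.0.20,10.0.0.9,51234,tcp,38,90000,SA
10.0.0.12,10.0.0.20,3389,tcp,5,1500,SA
10.0.0.20,198.51.100.7,6667,tcp,12,900,SA
10.0.0.31,203.0.113.50,8080,tcp,20,3000,SA
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range
SERVER_BASELINE = {"10.0.0.20": {443}}               # constructed: ports each server is expected to serve
KNOWN_C2 = {"203.0.113.50"}                          # constructed placeholder, not a real indicator
SCAN_THRESHOLD = 5                                   # distinct targets before a source counts as a scanner


def parse_flows(text):
    """Parse the CSV export into dicts with the numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def detect_scans(flows, threshold=SCAN_THRESHOLD):
    """Horizontal scan: one source sending SYN-only, single-packet flows to
    many distinct destinations on the same port."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S" and f["packets"] <= 2:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return sorted((src, port, len(dsts))
                  for (src, port), dsts in targets.items() if len(dsts) >= threshold)


def detect_c2_contacts(flows, c2=KNOWN_C2):
    """Internal hosts talking to a destination on the indicator list."""
    return sorted({(f["src"], f["dst"]) for f in flows if f["dst"] in c2})


def detect_unusual_server_traffic(flows, baseline=SERVER_BASELINE, internal=INTERNAL_NET):
    """Servers have predictable behaviour: flag inbound flows to a baselined
    server on a port it is not known to serve, and any server-initiated flow
    that leaves the internal network."""
    findings = set()
    for f in flows:
        if f["dst"] in baseline and f["dport"] not in baseline[f["dst"]]:
            findings.add(("inbound-unexpected-port", f["dst"], f["src"], f["dport"]))
        if f["src"] in baseline and ipaddress.ip_address(f["dst"]) not in internal:
            findings.add(("outbound-external", f["src"], f["dst"], f["dport"]))
    return sorted(findings)


def prioritise(findings, changed_hosts):
    """Melancon's filter: keep the findings that touch hosts where a system-state
    change (new executable, new listening port, config change) was also seen."""
    return [f for f in findings if f[1] in changed_hosts]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scans:", detect_scans(flows))
    print("c2 contacts:", detect_c2_contacts(flows))
    unusual = detect_unusual_server_traffic(flows)
    print("unusual server traffic:", unusual)
    print("prioritised:", prioritise(unusual, changed_hosts={"10.0.0.20"}))
```

On the sample data the scan rule names 10.0.0.5 (six targets on port 22), the indicator rule names 10.0.0.31, and the server rule flags both the unexpected inbound ports on 10.0.0.20 and its outbound connection to an external address on port 6667; the server’s reply flow to an internal client is left alone. The `prioritise` step is where Berk’s “deploy far and wide” and Melancon’s “most of the data is boring” meet: collect everything, then let host-state telemetry decide which findings an analyst looks at first.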


Article source: http://www.darkreading.com/perimeter/using-netflow-data-for-more-robust-netwo/240164923

The sound made by your computer could give away your encryption keys…

One of the first computers I was ever allowed to use all on my own was a superannuated ICL-1901A, controlled from a Teletype Model 33.

One of the processor’s address lines was wired up to a speaker inside the teletype, producing an audible click every time that address bit changed.

The idea was that you could, quite literally, listen to your code running.

Loops, in particular, tended to produce recognisable patterns of sound, as the program counter iterated over the same set of memory addresses repeatedly.

This was a great help in debugging – you could count your way through a matrix multiplication, for instance, and keep track of how far your code ran before it crashed.

You could even craft your loops (or the data you fed into them) to produce predictable frequencies for predictable lengths of time, thus producing vaguely tuneful – and sometimes even recognisable – musical output.

Plus ça change, plus c’est la même chose

So it was with considerable amusement that I read a recent Debian security advisory that said:

[Image: the Debian security advisory]

Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts.

(The Shamir amongst the authors is the same Adi Shamir that is the S in RSA.)

Their paper, which is well worth reading even if you are neither a mathematician nor a cryptographer, just to see the research process that the authors followed, reaches a remarkable conclusion.

You can still “listen to your loops,” even on a recent multi-gigahertz laptop.

In fact, as the authors show by means of a working (if somewhat impractical) attack, you can listen in to other people’s loops, assuming you have a mobile phone or other microphone handy to do your audio eavesdropping, and recover, bit by bit, their RSA private keys.

Remember that with a victim’s private email key, you can not only read their most confidential messages, but also send digitally signed emails of apparently unimpeachable veracity in their name.

First steps

The authors started out by creating a set of contrived program loops, just to see if there was any hope of telling which processor instructions were running based on audio recordings made close to the computer.

The results were enough to convince them that it was worth going further:

[Figure from the paper: acoustic spectrogram of different instructions repeated in a loop]

In the image above, time runs from top to bottom, showing the audio frequency spectrum recorded near the voltage regulation circuitry (the acoustic behaviour of which varies with power consumption) as different instructions are repeated for a few hundred milliseconds each.

ADDs, MULtiplies and FMULs (floating point multiplications) look similar, but nevertheless show differences visible to the naked eye, while memory accesses cause a huge change in spectral fingerprint.

Digging deeper

Telling whether a computer is adding or multiplying in a specially-coded loop doesn’t get you very far if your aim is to attack the internals of an encryption system.

Nevertheless, the authors went on to do just that, encouraged by their initial, albeit synthetic, success.

Their next result was to discover that they could determine which of a number of RSA keys were being used, just by listening in to the encryption of a fixed message using each key in turn:

[Figure from the paper: acoustic signatures of the same message encrypted under five different keys]

Above, with time once again running from top to bottom, you can see slight but detectable differences in acoustic pattern as the same input text is encrypted five times with five different keys.

This is called a key distinguishing attack.

Differentiating amongst keys may not sound like much of a result, but an attacker who has no access to your computer (or even to the network to which it is connected) should not be able to tell anything about what or how you are encrypting your traffic.

Anyway, that was just the beginning: the authors ultimately went much further, contriving a way in which a particular email client, bombarded with thousands of carefully-crafted encrypted messages, might end up leaking its entire RSA private key, one bit at a time.

Mitigations

The final attack presented by the authors – recovering an entire RSA private key – requires:

  1. A private key that is not password protected, so that decryption can be triggered repeatedly without user interaction.
  2. An email client that automatically decrypts incoming emails as they are received, not merely if or when they are opened.
  3. The GnuPG 1.4.x RSA encryption software.
  4. Accurate acoustic feedback from the decryption of message X, needed to compute what data to send in message (X+1).

→ Feature (4) means that this is an adaptive ciphertext attack: you need feedback from the decryption of the first message before you can decide what to put into the second message, and so on. You can’t simply construct all your attack messages in advance, send them in bulk, and then extract the key material. Of course, this means you need a live listening device that can report back to you in real time – a mobile phone rigged for surveillance, for example – somewhere near the victim’s computer.

The easiest mitigation, therefore, is simply to replace GnuPG 1.4.x with its more current cousin, GnuPG 2.x.

The Version 2 branch of GnuPG has already been made resilient against forced-decryption attacks by what is known as RSA blinding.

Very greatly simplified, this involves a quirk of how RSA encryption works, allowing you to multiply a random number into the input before encryption, and then to divide it out after decryption, without affecting the result.

This messes up the “adaptive” part of the attack, which relies on each ciphertext having a bit pattern determined by the attacker.
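To make the blinding step concrete, here is an added example (written for this page, not GnuPG’s code) using textbook RSA with constructed, hand-checkable parameters. It shows both the unblinded private operation, where the attacker-supplied ciphertext is exactly the value the decryption loop works on, and the blinded one, where a fresh random factor is multiplied in first and divided out afterwards, so the value that is actually exponentiated is never the attacker’s choice even though the recovered plaintext is identical.

```python
from math import gcd
import secrets

# Constructed textbook RSA parameters: far too small for real use, chosen so
# every step can be checked by hand.
P, Q = 61, 53
N = P * Q                            # modulus n = 3233
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d = 2753


def encrypt(m, e=E, n=N):
    """Textbook RSA encryption (no padding)."""
    return pow(m, e, n)


def decrypt_plain(c, d=D, n=N):
    """Unblinded decryption: the private exponentiation runs directly on the
    ciphertext, so whoever chooses c also chooses the bit pattern that the
    decryption loop processes."""
    return pow(c, d, n)


def decrypt_blinded(c, d=D, e=E, n=N, r=None):
    """RSA blinding. Pick a random r with gcd(r, n) == 1, exponentiate
    (c * r^e) instead of c, then divide r out of the result:
        (c * r^e)^d = c^d * r^(e*d) = m * r   (mod n)
    Returns the plaintext and the value that was actually exponentiated, so
    the caller can confirm it differs from c."""
    if r is None:
        while True:
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    m = (m_blind * pow(r, -1, n)) % n
    return m, c_blind


if __name__ == "__main__":
    c = encrypt(65)                       # 2790 for these parameters
    m, used = decrypt_blinded(c)
    print("ciphertext:", c, "exponentiated value:", used, "plaintext:", m)
```

The identity in the docstring is the whole trick: because e·d ≡ 1 modulo the group order, r^(e·d) collapses back to r, and multiplying by r⁻¹ removes it. The blinded value still depends on the ciphertext, so the attack can only be made harder by mitigations like this one, and, as the Debian advisory notes, the 1.4.16 patch was still needed for the 1.x branch.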

→ If you are a GnuPG 1.x user and don’t want to upgrade to Version 2, be sure to get the latest version, as mentioned in the Debian advisory above. GnuPG 1.4.16 has been patched against this attack.

Other circumstances that may make things harder for an attacker include:

  • Disabling auto-decryption of received emails.
  • Putting your mobile phone in your pocket or bag before reading encrypted emails.
  • The presence of background noise.
  • “Decoy processes” running on other CPU cores at the same time.

Note, however, that the authors explain that background noise often has a narrow frequency band, making it easy to filter out.

Worse still, they show some measurements taken while running a decoy process in parallel, aiming to interfere with their key-recovery readings:

[Figure from the paper: measurements taken with a decoy process running in parallel]

The extra CPU load merely reduced the frequency of the acoustic spikes they were listening out for, ironically making them easier to detect with a lower-quality microphone.

What next?

As the authors point out in two appendixes to the paper, data leakage of this sort is not limited to the acoustic realm.

They also tried measuring fluctuations in the power consumption of their laptops, by monitoring the voltage of the power supply between the power brick and the laptop power socket.

They didn’t get the accuracy needed to do full key recovery, but they were able to perform their key distinguishing attack, so exploitable data is almost certainly leaked by your power supply, too.

The authors further claim that changes in the electrical potential of the laptop’s chassis – which can be measured at a distance if any shielded cables (e.g. USB, VGA, HDMI) are plugged in, as the shield is connected to the chassis – can give results at least as accurate as the ones they achieved acoustically.

In short: expect more intriguing research into what’s called side channel analysis, and in the meantime, upgrade to GnuPG 2!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/f6RDoaR9gaA/

Obama’s NSA panel recommends new hands on the reins of same old mass data collection

The White House on Wednesday released a 303-page report from a panel of presidential advisors who recommended that the National Security Agency’s (NSA’s) massive data trawling carry on, but that the data be kept in private hands for “queries and data mining” only by court order.

The panel – former White House counter-terrorism advisor Richard A. Clarke, Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein, and Peter Swire – delivered 46 recommendations to US President Barack Obama in the report.

According to the Agence France-Presse (AFP), Obama spokesman Jay Carney said that the report was released earlier than a planned January date due to the media getting the contents wrong:

While we had intended to release the review group’s full report in January … given the inaccurate and incomplete reports in the press about the report’s content, we felt it was important to allow people to see the full report to draw their own conclusions.

Obama met with members of the panel earlier on Wednesday to work through the recommendations.

As far as surveillance of US persons goes, the panel isn’t recommending that the government stop collecting and storing bulk telephony metadata – i.e., telephone numbers that originate and receive calls, along with the time and date of calls.

Rather, the panel wants to see Congress merely transfer all that metadata over to private hands, from whence it can be queried “when necessary for national security purposes.”

The panel also recommended boosting the privacy of non-US persons to the point where they would get the same protections now given to Americans under the Privacy Act of 1974.

That act keeps the government from disclosing information about people without the written consent of the individual concerned – unless, that is, disclosing the information falls under a smorgasbord of statutory exceptions, one of which is law enforcement purposes.

(Am I missing something here? One imagines that “for law enforcement purposes” could actually be used to exempt pretty much all intelligence agency access to people’s records without their permission. Legal experts, your input would be welcome in the comments section below.)

Another recommendation must surely have been dubbed the “Appease the Very Indignant and Very Spied Upon German Chancellor Angela Merkel” clause when the panelists were working on it, given that it addresses “unjustified or unnecessary” surveillance of foreign leaders – particularly leaders of countries with which the US shares “fundamental values and interests”.

The group also suggested that any operation that entails spying on foreign leaders should pass a rigorous test to see if the intelligence gained would outweigh the economic and diplomatic problems that could erupt if the operation were to become public.

The panel also wants the NSA to back off from its work to undercut attempts to create secure encryption standards.

One such effort is the NSA’s attempt to peel apart the layers of the Tor anonymizing service.

The recommendation:

We recommend that, regarding encryption, the US Government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and

(3) increase the use of encryption, and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

The panel would also like to see the NSA be headed up by a Congressional appointee, which could be a civilian – a possibility the panel suggested President Obama seriously consider.

Beyond maybe sticking a civilian into the top job at the NSA, the panel also thinks it would be nice to split the NSA between a military commander in charge of the Pentagon’s cyberwarfare unit – US Cyber Command – and another individual as director of the NSA.

That recommendation was dead in the water before the panel’s report ever saw the light of day, however.

Last week, the White House said that the Obama administration likes the positions of NSA Director and Cyber Command commander just fine the way they are, all rolled up into one “dual-hatted” position.

The recommendations are just that: recommendations. It’s unclear which, if any, will actually be adopted, particularly given that, as the New York Times pointed out, some would require Congress to enact new legislation.

At any rate, the recommendations shy away from the strong condemnation delivered by the US federal judge who on Monday ordered the NSA to stop collecting phone metadata, calling the agency’s collection technology “almost Orwellian” and deeming it likely unconstitutional.

It’s also worth noting how dated much of the material Edward Snowden has disclosed in the months following his triggering of NSA-gate in June.

For example, the presentation published by The Guardian concerning XKeyscore, the NSA search engine, goes back to 2008. So is the panel five years behind the curve? Are the recommendations based on current technologies and practices?

Also, might we perhaps demand deeper change than tweaks that mostly involve who gets to authorize searches and whether the NSA is headed up by one person or two?

It’s the trawling of both domestic and foreign data that seems to be the biggest problem, not who issues the warrants for searching it.

Image of spyglass courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/52SiLVF6SdU/

Five-minute fix: Setting up parental controls on iOS

If you have bought your child a new iPhone, iPod or iPad then you will be pleased to know that their new device will allow you to set many restrictions on what they can and cannot do with it.

1. Tap Settings, choose General and then Restrictions.

2. Choose Enable Restrictions. You need to set up a passcode, which is then used to protect the restrictions from being altered in the future. Your child will not be able to access the Restrictions screen without the passcode.

[Screenshot: Passcode – iOS]

3. The number of controls available to you once you’ve set up the passcode is vast. So you can choose to disable the Safari browser, Camera and FaceTime, among others – all at the swipe of an on-screen button.

Parents of younger children may also be keen to block in-app purchases, the iTunes store and the ability to install or delete apps.

[Screenshot: Allow – iOS]

The other area of control that parents may appreciate is the topic of allowed content. Here, parents can set age-level appropriate settings for music, apps, podcasts, websites, TV shows and movies.

[Screenshot: Allowed content – iOS]

You can also set Privacy settings for things like Location services and Bluetooth sharing.

[Screenshot: Privacy – iOS]

You can get full instructions on all settings available on Apple’s website.

Find instructions for parental controls for other operating systems here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dcCDYJwFEyw/

Five-minute fix: Setting up parental controls on Mac OS X Mavericks

Parents who have a Mac in their household can also employ parental controls to help keep their children safe.

Turning on parental controls will allow you to monitor what your kids are up to and manage the websites they can visit, the amount of time they spend on the Mac and, also, who they can talk to.

To get started under the latest OS X operating system – Mavericks – you will need to ensure that you have first set up an account which supports parental controls.

On a shared computer, and especially one used by children, it’s important for everyone to have their own user account and login. This offers greater control for you over what your children can do, it separates them from anything potentially unsuitable that’s on your account and also prevents them from accidentally damaging anything of yours.

1. Open your Users & Groups preferences, and select a user.

2. Tick the box marked Enable Parental Controls.

[Screenshot: Enable parental controls]

3. Select Open Parental Controls and click on the lock icon to unlock it. You will be prompted to enter your administrator name and password and then you can select your child’s account from all of those available.

4. Click Enable Parental Controls. You will now see some tabs at the top of the screen from where you will be able to set the controls that you feel are appropriate for your child.

[Screenshot: Limit applications]

The Apps tab will allow you to choose which apps your child can access. You can also set an app rating in order to control the type of apps that can be downloaded from this account.

Under the Web tab you can choose to allow your child full web access or you may limit access to certain sites.

The People tab is useful should you wish to limit who your child can contact. You can limit their contact through email, Messages and the Game Center.

Time Limits, as the name would suggest, is for restricting use of the Mac. Limits can be set based upon the day of the week as well as the time of day.

Lastly, the Other tab allows parents to control several factors, including the ability to burn discs, block the use of the in-built camera and hide swear words in the dictionary.

Find instructions for parental controls for other operating systems here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-AKM_1Hx7Lg/

Five-minute fix: Setting up parental controls on Windows 8

Parents using Windows 8 can switch on Family Safety, which is a great improvement over the controls offered by Windows 7.

On a shared computer, and especially one used by children, it’s important for everyone to have their own user account and login. This offers greater control for you over what your children can do, it separates them from anything potentially unsuitable that’s on your account and also prevents them from accidentally damaging anything of yours.

1. To turn on Family Safety, or change any user account, move your mouse to the bottom left of the screen, right click and then choose Control Panel. (Alternatively you can search for Control Panel on the Start menu.)

2. Select User Accounts and Family Safety, then Set up Family Safety for any user.

3. Choose the user you would like to set up Family Safety for. If you haven’t yet set up a user account for your child, you can also do so here.

4. To turn on Family Safety, select On, enforce current settings. You can also choose whether you’d like to monitor the activity of your child on the computer by either selecting On, collect information about PC usage or Off.

[Screenshot: Set up family safety – Windows 8]

5. Family Safety also allows Web filtering, which can be used to block certain sites and even prevent the downloading of any type of files. Selecting this option also causes SafeSearch to kick in which acts as a filter against adult content on Google, Yahoo and Bing.

[Screenshot: Web filtering – Windows 8]

6. As with Windows 7, you can set what times your child can access the computer, though Windows 8 also allows you to set a total amount of usage time per day in addition to the previous time bands. When this amount of computer use has been exceeded the child will be logged off.

[Screenshot: Time control – Windows 8]

7. You can also choose which games and Windows Store apps that your child uses here, blocking them by rating or name.

[Screenshot: Block and control games and apps – Windows 8]

8. You can also choose to allow your child to use all apps on your computer, or just ones you have specifically allowed.

You will need to decide what settings are appropriate for your child, depending on their age and the suitability of each game or app.

Find instructions for setting parental controls for other operating systems here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_KrF8UCzCGw/

Five-minute fix: Setting up parental controls on Windows 7

Unfortunately, the parental controls that come with Windows 7 are fairly basic, but it’s still worth setting them up.

1. Click Start, then Control Panel.

2. Locate User Accounts and Family Safety and choose Set up parental controls for any user.

3. Choose to set up parental controls for an existing user account or a new one.

On a shared computer, and especially one used by children, it’s important for everyone to have their own user account and login. This offers greater control for you over what your children can do, it separates them from anything potentially unsuitable that’s on your account and also prevents them from accidentally damaging anything of yours.

4. Under Windows 7 you can use the controls to limit the amount of time your kids may use the computer for. You set the times of day that they can sign in between and, outside of those parameters, they will automatically be logged off.

[Screenshot: time controls – Windows 7]

5. Parents are also given the ability to block selected programs as well as choosing whether to allow or block certain games, depending upon age ratings and type of content.

[Screenshot: games control – Windows 7]

Find instructions for parental controls for other operating systems here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o5e3JmGAlvc/

Five minute fix: Keeping your kids safe online with parental controls

When I was a young lad my parents always used to worry when I went out with my friends. “Don’t talk to strangers,” they would say, before adding, “don’t accept a lift from anyone you don’t know.”

Being a parent myself now, I know why they were concerned. The advent of the internet has done little to put mothers and fathers at ease. If anything, it has made matters far worse.

New technology can often be a double-edged sword. While it offers multiple opportunities to the masses, it also opens doors to the less savoury characters in our societies too.

We hear too often about predators targeting and grooming kids online. But the internet has also increased the potential dangers for kids in other ways too. The biggest of these, and perhaps most well publicised, comes in the form of cyber bullying.

While children still have to contend with bullies at school, they are now also faced with continued harassment at home, by cowards who taunt and harass by keyboard.

Fortunately, however, we parents can do something about these threats. By using various forms of parental controls, in conjunction with some common sense, we can do much to protect our children when they are using the internet.

By following our tips for some of the more popular platforms your kids are likely to be using, you can increase their chances of staying safe and emotionally secure online.

Hopefully, the short summaries above will allow parents to implement a degree of control that they are happy with over the devices their children are likely to be using.

Many of the parental controls will allow you to limit what your kids can do in terms of the amount of time they spend online and the types of web sites that they can visit. They will also prevent them from downloading content that could be inappropriate or potentially damaging to the device they are using.

But parental control doesn’t stop with making a few changes to some settings on a computer, tablet or phone – responsible parents will monitor what their children do, either via software or by direct line of sight.

Parents should also talk to their children on a regular basis, highlighting the various potential dangers and pitfalls on the web, and keep an eye out for any signs that may suggest that their children are unhappy about something.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jZJk3z_cnKE/

Casino DDoS duo caged for five years after blackmail buyout threat


A pair of cyber-extortionists who attempted to blackmail a Manchester-based online casino with threats of unleashing a debilitating denial of service attack have been jailed for five years and four months.

Piotr Smirnow, 31, of Tawerny, Warsaw, Poland, and Patryk Surmacki, 35, of Szczecin, Poland, pleaded guilty at Manchester Crown Court to two offences each of blackmail and one offence of computer hacking: unauthorised acts on computers, contrary to the Computer Misuse Act 1990.


Both men were sentenced on Wednesday to five years and four months in prison following a complex investigation that climaxed in a successful sting at a plush Heathrow Airport hotel.

The case centred on two victims, one of whom owns a Manchester-based online casino business and the other of whom is the USA-based chief exec of an internet software platform that hosted a multitude of online companies.

Smirnow and Surmacki, programmers who worked in the online gaming business and knew their target through their professional interactions, approached him with a “business proposition”. A meeting was arranged, at which the two met their intended victim and demanded a half stake in his £30m online business, under the threat of using a Kiev, Ukraine-based hacker to “take down” the online casino’s servers, effectively preventing it from trading, unless their demands were met.

When the “offer” was rebuffed, an online assault was launched in early August and lasted around five hours, costing the casino an estimated $15,000. After this the owner of the business that provided the hosting platform for the online casino site and other firms offered to mediate, and spoke with the hackers via Skype before agreeing to a meeting at Heathrow.

This third party (whose business suffered collateral damage from the initial attack) contacted police, who set up a sting operation that captured the cybercrooks’ admission of organising the original denial of service attack and the related threats. “The pair claimed they’d shown their power and it wouldn’t stop until the internet source codes for his business were handed over,” a police statement on the case explains. “The CEO refused to provide them so they both became annoyed and said they were now ‘going to war’.”

The duo were arrested by police who had captured the whole exchange on video as soon as the meeting broke up.

A Greater Manchester Police statement on the case, including extensive quotes from investigators and other relevant parties along with a video clip from the sting, can be found here. GMP was assisted by the National Crime Agency and the Crown Prosecution Service throughout the operation.

Detective Inspector Chris Mossop, of the Serious Crime Division, said Smirnow and Surmacki’s “greed was ultimately their downfall as they failed to reckon with the victims’ bravery in the face of extreme intimidation”. “This was a very complex, dynamic investigation that centred on an emerging global cyber-threat. Denial of service attacks have become increasingly common offences in recent years and can have a devastating effect on the victim’s on-line business,” he added.

The Manchester victim welcomed the decision of the court to sentence Smirnow and Surmacki to lengthy jail terms. “I am grateful for the assistance to me provided by the police in this matter,” he said. “This case made me fear for my personal safety as well as for the future of my business, which is why I felt compelled to take action against the perpetrators of this crime. No one should have to succumb to blackmail and this sentence should act as a warning to those involved in cyber-extortion that the police and the courts will view this type of conduct very seriously.”

More on the case can be found in stories by Sky News (here). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/19/casino_cyber_extortionists_jailed/