STE WILLIAMS

Microsoft SO sorry and sore after backdoor NSA access, to encrypt networks


Microsoft is scrambling to encrypt its data centers’ interlinks – after a fresh Snowden leak suggested the NSA and GCHQ tapped into the cables and intercepted sensitive network traffic.

Documents obtained by the Washington Post from the whistleblower show that Microsoft’s Hotmail, Windows Live Messenger services and Passport communications were scanned by software called Monkey Puzzle, which was developed at the British snooping nerve-center GCHQ.


Reaching into the private unencrypted interlinks allows both intelligence agencies to effectively spy on Microsoft customers, and copy their messages and address books, it is claimed.

“These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.” Brad Smith, Microsoft’s general counsel, said in an email to The Register.

Smith, given his role as a legal eagle, also pointed out that the documents don’t constitute proof per se that the NSA is tapping into its traffic surreptitiously. But he said the company’s engineering teams will be beefing up security, “including strengthening security against snooping by governments.”

Sources familiar with the matter say Microsoft will get to work on shielding its network traffic in the coming days, and senior executives are meeting to discuss the issue and plan a response. The Windows giant is already smarting from the commercial and reputation hit it has taken from the PRISM scandal and the latest situation just adds salt to the wound.

One email in Edward Snowden’s leaked dossier, dated November 2009, comes from a developer at GCHQ. It explains how the Monkey Puzzle software can scoop data from Google, Yahoo! and Microsoft Passport, saying “the NSA can send us whatever realms they like right now.”

Snowden also revealed PowerPoint decks rated top secret showing that “metadata-rich” address books were downloaded and stored on multiple databases. One showed the interception of a message on the now-defunct Windows Live Messenger system.

The news comes a month after another leak from the globetrotting whistleblower showing that the NSA was doing the same thing with Google and Yahoo!’s interlinks. One Google engineer was moved to obscenity when shown the tapping plans, dubbed Project MUSCULAR by the NSA, and El Reg wonders if Redmond CEO Ballmer is turning the air blue this morning.

Following the October leak, Yahoo! announced it will begin encrypting its interlinks between data centers, and Google has been doing so for some time. But Microsoft said it was holding off on such a move as little as two weeks ago.

Based on the documents released so far, tapping data-center interlinks appears to occur mostly overseas – where the NSA can operate on presidential say-so alone rather than having to get permission from the courts. The spooks are also reportedly going through third-party companies to slurp the data.

“NSA’s focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the US government,” the agency told WaPo in a statement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/27/microsoft_encryption_nsa_spying/

Google: YouTube fights off HUGE ASCII PHALLUS MENACE


The integration of YouTube comments with Google Plus has led to a new wave of obscene comment spam and more junk, Google has admitted.

The search engine giant has pledged to stick by the new comment system, introduced earlier this month, while fighting, er, harder to eradicate new nuisances such as ASCII penis art and link spamming.


Google previously prevented commenters from leaving messages which included clickable links, a policy that made life that much harder for miscreants trying to peddle phishing scams or attempting to direct web traffic to malicious or scam sites. The old system still allowed various forms of trollish and insulting behaviour, antics that could sometimes drown out informed or witty comments.

The Chocolate Factory’s response to this was to introduce integration with Google Plus. The idea was that forcing people out from behind a cloak of anonymity would encourage more civil discourse. A no doubt happy side-effect of the move, from Google’s perspective, was that it promised to drive extra traffic to Google Plus, which in turn would allow it to sell more higher-premium “social” ads.

What’s happened in the weeks since the change is that the flame wars in YouTube comments have continued while spam has arguably gotten worse. New nuisances have now entered the fray, such as ASCII art pornography. And, of course, Google+ allows users to post links so comments on YouTube that link to live scam sites have become a bigger issue.

In a post to the official YouTube Creators blog, Google has acknowledged problems with the “new comments experience” while promising to step up its efforts to combat various forms of abuse.

Since we launched the new comments experience on YouTube two weeks ago, we’ve received a lot of feedback from creators on the increase in comment spam. While the new system dealt with many spam issues that had plagued YouTube comments in the past, it also introduced new opportunities for abuse and shortly after the launch, we saw some users taking advantage of them.

We’ve worked hard to combat the increase in spammy comments and have made a number of updates, including:

  • Better recognition of bad links and impersonation attempts
  • Improved ASCII art detection
  • Changing how long comments are displayed

We know the spam issues made it hard to use the new system at first, and we’re excited to see more of you getting involved as we’ve fixed issues. New features like threaded conversations and formatted comments are coming to life, thanks to you and your fans.

So what’s next? We’re moving forward with more improvements to help you manage comments on your videos better. Bulk moderation has been a long standing creator request and we’ll be releasing tools for that soon. At the same time, we’re also working on improving comment ranking and moderation of old-style comments.

Users such as Swedish video games commentator PewDiePie (16 million subscribers and counting) disabled the new Google+-powered YouTube comments system entirely in response to the level of abuse. They aren’t alone in their criticism, with some petitioning for a return to the old system.

“Clearly Google has no intention [of listening] to those petitioning against Google+ being the basis of YouTube comments, ASCII art or no ASCII art,” writes veteran security expert Graham Cluley in a blog post. “Let’s hope that Google manages to police malicious and spammy links better, or it may become riskier than ever watching YouTube videos.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/28/youtube_comment_spam/

Weird PHP-poking Linux worm slithers into home routers, Internet of Things


Symantec has stumbled across a worm that exploits various vulnerabilities in PHP to infect Intel x86-powered Linux devices. The security biz says the malware threatens to compromise home broadband routers and similar equipment.

However, home internet kit with x86 chips is few and far between – most network-connected embedded devices are powered by ARM or MIPS processors – so the threat seems almost non-existent.


But the security company claims that ARM and MIPS flavours of the Linux worm may be available, which could compromise broadband routers, TV set-top boxes, and similar gadgets now referred to as the “Internet of Things”.

The software nasty attempts to use username and password pairs commonly used to log into home internet gear while compromising a device.

Specifically, the software nasty Linux.Darlloz takes advantage of web servers running PHP that can’t grok query strings safely, allowing an attacker to execute arbitrary commands.

Once a system is infected, the worm scans the network for other systems running a web server and PHP. It then tries to compromise those devices by exploiting PHP to download and run an ELF x86 binary – if necessary, logging in with trivial username-password pairs such as admin-admin, as found in poorly secured broadband routers and similar kit. Once running on the newly infiltrated gadget, the worm kills off access to any telnet services running.

The malware does not appear to perform any malicious activity other than silently spreading itself and wiping a load of system files. Again, this software is built for x86 processors, which aren’t really used widely in embedded kit, but ARM, PPC and MIPS versions may be available to download that will be more effective at targeting equipment present in millions of homes.

“Many users may not be aware that they are using vulnerable devices in their homes or offices,” Symantec’s Kaoru Hayashi wrote in a report about the malicious code.

“Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.”

To protect devices from attack, the company recommends users and administrators put basic security protections in place, such as changing device passwords from default settings, updating software and firmware on their devices, and monitoring network connections and architecture.

You can find more technical details here on Symantec’s blog. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/28/researchers_warn_over_connected_device_malware/

You have a Skype voicemail. PSYCHE! It’s just some fiendish Trojan-flinging spam


A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.

Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.


Messages typically come with the subject line “You received a new message from Skype voicemail service”. The emails contain a copyright notice and a disingenuous warning that “Skype staff will NEVER ask you for your password via email”, all in a bid to appear genuine.

“The purpose of this email is to get you to download the attached ‘voicemail’ file, and according to email security company MXLab it contains a Zeus Trojan,” Action Fraud warns. An alert by the agency contains the tale of the sneaky spam alerts.

ZeuS is a notorious strain of banking Trojan that’s a particular favourite with cybercrooks and has been a fixture in scams against UK banks for several years. More details on the scam can be found in a blog post by MxLab here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/

Think unpatched Win XP hole’s not a big deal? Hope you trust your local users


An unpatched vulnerability in Windows XP and Windows Server 2003 creates a means for hackers to gain admin rights on vulnerable Windows XP machines, Microsoft warned on Wednesday.

The zero-day local privilege escalation vulnerability is not suitable for remote code execution but might allow a standard user account to execute code in the kernel. As such, the bug is not that much use on its own, but potentially troublesome when mixed in a cocktail with other software vulnerabilities in order to formulate workable attacks.


Unfortunately this has already happened and the vulnerability has already been used in anger in conjunction with an Adobe Reader exploit to target a recently patched vulnerability in the widely used PDF reader software, anti-malware firm FireEye warns. Simply put, the Windows bug allows hackers to bypass Adobe’s sandbox defences but only on older versions of Reader.

The combined exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. XP users who are running the latest versions of Adobe Reader are immune from the attack, so upgrading to the latest version of Adobe Reader is probably the best way of blocking potential attacks. Windows Server 2003 is also vulnerable to the same privilege escalation vulnerability but is nowhere near as at risk of attack (unless a BOFH opens an email containing rigged PDFs from a vulnerable server, or other unlikely scenarios), hence the focus on the millions upon millions of vulnerable Win XP systems.

Microsoft plays down the seriousness of the vulnerability while admitting it has been abused in “limited, targeted attacks”.

The Adobe flaw was patched in August, according to cloud security firm Qualys.

“Users that have the latest version of Adobe Reader are immune to the attack, as well as users that are running on Windows Vista or later,” Wolfgang Kandek, CTO at Qualys, explains in a blog post. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/28/winxp_0day/

Blizzard Entertainment concludes its data breach investigation

Just over fifteen months ago, we reported on a data breach at online entertainment company Blizzard.

We were complimentary to Blizzard back then, even though it had just let its customers down.

That’s because the company tried to make the best out of a bad situation.

In particular, Blizzard:

  • Owned up within three days of finding there was a problem.
  • Got the CEO himself, not a PR person or a lawyer, to announce, explain and apologise.
  • Gave some technical details about how it had stored its customers’ passwords.
  • Argued that the risk was low without claiming there was no risk at all.
  • Didn’t trot out excuses such as the sophistication of the attackers.
  • Left the bit about how seriously it takes security until the very end.
  • Said sorry in a way that we were inclined to believe and accept.

Blizzard’s follow-up, however, hasn’t been quite as swift or impressive.

There is, of course, the possibility that Russell from Vancouver (the Naked Security reader who reported this to us) has an email server that is stuck in some kind of Whovian time-warp.

But if not, Blizzard has taken a whopping fifteen months, two weeks and two days to provide its follow-up.

In fact, even if Russell’s email server takes ages to deliver messages, Blizzard took at least five-and-a-half months to get back to him, because the message explicitly refers to the breach from “last year”:

As you might be aware, last year on August 4, 2012, Blizzard’s internal security team discovered an unauthorized and illegal access into Blizzard’s internal network. Blizzard promptly launched an investigation to determine the scope of the unauthorized access and notified players of this incident on August 9, 2012. […]

The following information was involved in the incident:

1. Email addresses (user ID);
2. Answers to secret security questions (no personally identifiable information involved);
3. Cryptographically scrambled versions of Battle.net passwords (not actual passwords) which are protected by Secure Remote Password protocol; and
4. Information associated with the Mobile Authenticator.

Our investigation has revealed that you had an active account with Blizzard at the relevant time and, in accordance with local regulations, we are providing you with this direct notice of this incident in addition to the notice we previously provided.

Based on an extensive investigation into this incident, Blizzard has no evidence that the information that was accessed has been misused. Further, we have found no evidence that actual passwords or financial information, such as credit cards, billing addresses, or real names, were compromised.

Never was the word “extensive” used so appropriately in respect of a password breach notification!

What can we learn from this investigation?

Blizzard uses the Secure Remote Password (SRP) protocol, which lets you keep your salted-and-hashed passwords on a server of their own, so that login verification is not handled directly on your edge servers.

One of the features of SRP is to keep the password database at arm’s length, so that a network request (something that can be rate limited and controlled) is needed to perform each password check, thus greatly inhibiting dictionary or brute force attacks.

But because the actual scrambled passwords were stolen, it sounds as though the SRP server itself was breached.

That makes a password cracker’s job easier by allowing him to cut out any network latency or rate limiting that a customer-facing system would implement.

The fact that Blizzard lost unencrypted answers to its customers’ “secret security” questions is also a matter of concern.

Although Blizzard describes those secret security answers as not involving personally identifiable information, some users may well have used answers with a personal angle simply to make those answers more memorable.

After all, secret security questions are infrequently asked, but the answers are vitally important.

Even though Blizzard required its users to reset their passwords and their secret questions-and-answers back when the breach happened, that couldn’t retrospectively change the secret answers that users had already uploaded.

(If you’d factored your birthday into the answer, for example – no matter how ill-considered that might have been – then the reset would have changed your answer, but obviously not your birthday. Crooks recognising a birthday in your stolen answer would therefore acquire some usable information about you.)

Nevertheless, Blizzard’s follow-up is better late than never.

And perhaps there’s a silver lining: given the circumstances, Blizzard’s appeal to its customers to adopt its Mobile Authenticator solution may carry more weight.

Blizzard’s Mobile Authenticator is what you and I call 2FA, or Two Factor Authentication.

You can remind yourself why 2FA is a good idea (or revise the argument you’ll put to your CTO and CFO to convince them why it’s a good idea) with this Techknow podcast:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AL5bEf9uLkE/

THOUSANDS of Ruby on Rails sites leave logins lying around

The business case for a multi-tenant, cloud-based Recovery-as-a-Service solution

A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins who don’t realise a vulnerability exists in the framework’s default CookieStore session storage mechanism.

The weakness affects some big names, with the research turning up names like Warner Bros, Kickstarter, and the popular Tweet-aggregator tool Paper.li.


As US researcher G.S. McNamara detailed in September, the problem is that CookieStore retains valid session cookies at the client-side forever. This is referred to as an “insufficient session expiration” weakness.

That means if a malicious attacker were to steal the cookie from any authenticated request (via, for example, an XSS attack that gives the attacker access to a user’s cookie store, but there’s a host of other ways to get a copy of the cookie), they could use it to impersonate the victim and log into the Ruby Web app.

It also poses a risk for people using public terminals, or office computers that could be accessed by workmates.

As ThreatPost explained at the time, “the app issues a new cookie in the browser to overwrite the one that was created when the user was authenticated. Rails tells the browser to recognise that new cookie … but the old one still works, it hasn’t been invalidated and can’t be, by default”.

McNamara’s recommendation is that admins should abandon CookieStore in favour of other mechanisms such as ActiveRecordStore – but his latest work finds that this isn’t happening.

Instead, he’s found 1,897 sites – including the names mentioned above – that are still using the weak CookieStore mechanism.

“This is not an exhaustive list,” he writes, “and there is future work to be done in detecting remotely the use of Rails’ CookieStore with encrypted values”. Django’s cookie storage is also bad at expiring cookies, and McNamara says he will continue the research to identify sites that haven’t altered their cookie storage. ®
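The "insufficient session expiration" weakness described above, as an added example that is not code from Rails, McNamara or The Register: a simplified model of a signed client-side session cookie beside a server-side store of the kind the article recommends switching to. The class names, the demo secret, the user name and the 30-minute idle timeout are all assumptions made for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

# Simplified model of a signed, client-side session cookie (illustrative only).
class SignedCookieSessions
  def initialize(secret)
    @secret = secret
  end

  # The whole session travels in the cookie, protected by an HMAC.
  def issue(session)
    data = [JSON.generate(session)].pack("m0")
    "#{data}--#{sign(data)}"
  end

  # Returns the session hash when the signature verifies, otherwise nil.
  def load(cookie)
    data, mac = cookie.to_s.split("--", 2)
    return nil unless data && mac && secure_equal?(mac, sign(data))
    JSON.parse(data.unpack1("m0"))
  end

  def login(user)
    issue("user" => user)
  end

  # Logout can only hand the browser a replacement cookie; the server keeps
  # no record that would let it refuse the cookie issued at login.
  def logout(_old_cookie)
    issue({})
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Server-side store: the cookie carries only a random id, so logout and
# idle timeout are enforced by deleting the server's own record.
class ServerSideSessions
  def initialize(ttl: 1800, clock: -> { Time.now.to_i })
    @ttl = ttl
    @clock = clock
    @rows = {}
  end

  def login(user)
    sid = SecureRandom.hex(16)
    @rows[sid] = { "user" => user, "seen" => @clock.call }
    sid
  end

  def load(sid)
    row = @rows[sid]
    return nil unless row
    if @clock.call - row["seen"] > @ttl
      @rows.delete(sid) # idle too long: expire on the server
      return nil
    end
    row["seen"] = @clock.call
    { "user" => row["user"] }
  end

  def logout(sid)
    @rows.delete(sid)
    nil
  end
end

# Log in, log out, then present the pre-logout cookie again to each store.
def replay_after_logout
  cookies = SignedCookieSessions.new("constructed-secret-for-demo")
  old_cookie = cookies.login("alice")
  new_cookie = cookies.logout(old_cookie)

  server = ServerSideSessions.new
  sid = server.login("alice")
  server.logout(sid)

  {
    cookie_store_after_logout: cookies.load(new_cookie),
    cookie_store_replayed_old: cookies.load(old_cookie),
    server_store_replayed_old: server.load(sid)
  }
end

p replay_after_logout if __FILE__ == $PROGRAM_NAME
```

The replayed pre-logout cookie still verifies in the client-side model because its signature never stops being valid, while the server-side store rejects the old id once its record is deleted.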


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins_lying_around/
