STE WILLIAMS

What The Carna Botnet Also Found

The researcher who rocked the security world earlier this year by revealing he had built a botnet to conduct a census of the Internet remains anonymous, but has passed to a white-hat researcher more security findings from the controversial project.

Parth Shukla, an information security analyst with Australia’s Computer Emergency Response Team (AusCERT), says he was interested in how Australian consumers had fared in the so-called Carna Botnet experiment, so earlier this year he decided to email the researcher via the PGP key included in the Internet Census 2012 report that was posted online in March. Shukla admits he was surprised when the researcher responded, and ultimately handed over to him all of the data on the more than 1.2 million vulnerable consumer devices found around the globe by the botnet.

“No one else had been in touch with him,” Shukla says, and the researcher ultimately decided only Shukla should have the data once he began analyzing it. “Who he is, I have no idea. We used PGP keys to communicate, and I kept using some questions to be sure he was the guy and not giving fake data.”

Shukla has spent months analyzing the data to gain a better understanding of the security implications of the findings, and he plans to share more of his analysis and data at the Black Hat Regional Summit in São Paulo, Brazil on November 26-27. He has presented data in Australia and, most recently, in China that focuses on how each region fares with these vulnerable devices.

Among the findings he culled from the botnet data: more than 2,000 different manufacturers’ products were wide open to access via a Telnet connection over the public Internet, and 28 percent of them were Chinese vendor ZTE’s products. China also made up the largest percentage of infected and prone devices, with 56 percent of the vulnerable devices (720,141), while Hong Kong was home to 7 percent of infections (91,453) and Brazil had 2 percent (30,242 devices). The U.S., meanwhile, also accounted for some 2 percent of the prone devices, with 24,243.

By region, Asia accounted for 78 percent of the vulnerable equipment; Europe, 13 percent; South America, 5 percent; North America, 3 percent; and Africa, 1 percent.

“I was shocked he didn’t mention in [his] paper the wealth of information in the data … it was only the census data” in his paper, Shukla says.

Modems, home routers, Web cameras, and other consumer devices were found wide open to the Internet with default usernames and passwords via the Telnet protocol, he says. “It’s pretty concerning,” he says. “Manufacturers are creating the devices this way, the user is unaware of it and plugging it straight into the Internet.”

[Created by an anonymous researcher, the Carna botnet found that 1.2 million Internet-connected devices are trivially exploitable, but the illegality of the methods raises doubts. See Carna Compromise Delivers Data, But Casts Suspicions.]

Shukla says it would take an average of 60 seconds to find a vulnerable device in China via a scan of the Internet.

Legitimately scanning the Internet for vulnerable devices – not infecting them with bot code as the Carna Botnet did – is all the rage these days. Renowned researcher HD Moore has pioneered legal scanning of the Net, most recently illuminating the exposure of some 35,000 enterprise servers via a flawed firmware interface that could leave the data center open to outside attack. Moore also helped spearhead the new community Internet-scanning Project Sonar initiative. The goal of Project Sonar, which also includes the University of Michigan, is for researchers to share their data, help educate vendors whose products are discovered via the scans, and, ultimately, to raise public awareness of the vulnerability of this Internet-facing equipment.

AusCERT’s Shukla says awareness is crucial to remedying the practice of leaving Internet-connected devices exposed. Even so, it’s a long road: “I’ve only heard back from one vendor in the top 25” found from the Carna Botnet project, he says. “And I haven’t heard back from them in months.”

Shukla’s research paper on his exclusive analysis of the Carna Botnet findings is here.


Article source: http://www.darkreading.com/vulnerability/what-the-carna-botnet-also-found/240163960

Tripwire Survey: NERC CIP Compliance Not Sufficient To Ensure Bulk Electric System Security

PORTLAND, OREGON — November 14, 2013 — Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced the results of a survey on North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance. The online survey was conducted from July through September 2013 and evaluated the attitudes of more than 100 IT professionals involved with NERC CIP compliance.

“Based on these results, only 30% of the industry feel they lack a clear understanding of the standards,” said Patrick Miller, partner and managing principal at The Anfield Group, a critical infrastructure security and compliance consultancy. “In reality, I think that number is higher. After we dig into the details and actually start implementing and auditing NERC CIPv5, I suspect many will realize their initial degree of understanding was overly optimistic.”

Key findings include:

70% believe they have a clear understanding of all the current NERC CIP requirements.

77% believe NERC CIP compliance is necessary to ensure the cybersecurity of the Bulk Electric System.

70%, however, do not believe that NERC CIP compliance is sufficient to ensure the cybersecurity of the Bulk Electric System.

“It is encouraging that a majority of respondents acknowledge the value of NERC CIP compliance and the key role it plays in energy cybersecurity,” said Jeff Simon, director of service solutions for Tripwire. “Most respondents also acknowledge that NERC CIP compliance alone is not sufficient to ensure cybersecurity – they know compliance is just the start of an effective cybersecurity strategy.”

Tripwire has helped more than 140 registered entities achieve and maintain NERC CIP compliance since 2008, and continues to invest in tools and processes that automate and simplify NERC CIP compliance.

For more information about this survey, please visit: http://www.tripwire.com/company/research/update-nerc-survey-data/.

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.

Article source: http://www.darkreading.com/privacy/tripwire-survey-nerc-cip-compliance-not/240163961

Microsoft FAILS to encrypt data centre links despite NSA snooping


Microsoft has admitted it doesn’t yet encrypt “server-to-server” communications, although it plans to review its security arrangements in the wake of ongoing revelations about NSA spying.

The non-cryption admission, made by a senior Microsoft legal officer during an EU inquiry, comes shortly after leaks by whistleblower Edward Snowden revealed that Google and Yahoo! data centre interconnects were being tapped by the NSA’s spies, as part of a program code-named MUSCULAR.


Dorothee Belz, Microsoft’s EMEA vice president of legal and corporate affairs, told a hearing of the European Parliament’s Civil Liberties Committee: “today from servers to server transportation is generally not encrypted that is why we are currently reviewing our security systems to avoid the [possibility] that interception into communication can take place.”

On PRISM, Belz maintained the line that Microsoft responded to lawful interception requests without giving intelligence agencies or police “unfettered access” to its datacentres. “We do not give direct access to our server. We hand over the data. We pull them.”

The key exchange comes at around the 2 hour and 40 minute mark in a video of the hearing of the European Parliament inquiry, which took place on Monday (11 November).

Privacy researcher Caspar Bowden, former chief privacy adviser to Microsoft, told The Register: “Every European company which has used US-based cloud services must have a contract which specifies conditions for secure data processing.

“It is negligent for cloud companies to have failed to encrypt the high-speed links between datacentres, and this has left EU citizens’ data wide open to political and economic surveillance from many SIGINT powers, not just the NSA.

“These risks were well known before Snowden, and European companies who want to show they are serious about data protection will be considering legal action.”

The committee of MEPs is running an ongoing inquiry into the dragnet mass surveillance programs run by the NSA and Britain’s GCHQ. Belz appeared before the committee of MEPs together with Nicklas Lundblad, Google’s director of public policy and government relations, and Richard Allan, Facebook’s EMEA director for public policy.

Microsoft, Google and Yahoo! are all (either willing or unwilling) participants in the NSA’s notorious PRISM web surveillance dragnet program. MEPs questioned them closely and repeatedly on this but all three repeated earlier denials that they provided backdoor (i.e. direct) access to customer data to the NSA – or any other government agency.

Whatever the extent of the tech giants’ participation in PRISM, the program evidently wasn’t revealing enough for the NSA: hence its decision to use MUSCULAR to covertly hoover up any of the bits it might have otherwise have missed by tapping into fibre-optic links leased, or run, by Google (and others) between its data centres.

Google’s executive chairman Eric Schmidt reacted with indignation to the MUSCULAR revelations while two Google techies went much further in issuing fuck-you diatribes against the NSA over the program.

Google’s Lundblad told MEPs that the internet giant is encrypting server connections and data centre interconnects, which he described as an ongoing process that never finishes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/ms_data_centre_link_uncryption/

Hackers steal ‘FULL credit card details’ of 376,000 people from Irish loyalty programme firm


A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country’s data protection watchdog.

According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – contrary to all payment storage rules – CVV details were held unencrypted on Loyaltybuild’s systems in the run-up to attacks in the middle of October.


CVV – Card Verification Value – numbers are the three-digit security code found on the back of a credit or debit card, used to prove that a customer making an online purchase has physical possession of the card. They are an important anti-fraud measure.

The ODPC said it had also found that the personal details of a further one million people had been swiped. It is not known why the loyalty card scheme was retaining customers’ credit card payment data.

The inspection team confirmed the extent of the breach, in which the full card details of over 376,000 customers were taken, of which over 70,000 were Supervalu Getaway customers and over 8,000 were AXA Leisure Break customers. The details of an additional 150,000 clients were potentially compromised. The inspection team also confirmed that the name, address, phone number and email address of 1.12 million clients were also taken. The initial indications are that these breaches were an external criminal act.

A follow-up statement by the ODPC indicates that the Loyaltybuild breach, already worse than first feared, took place in mid-October and may affect the customers of Loyaltybuild’s clients elsewhere in Europe.

Loyaltybuild acknowledged the breach, which it blamed on a “sophisticated criminal attack”. It said that it had informed both its clients and Irish police (Gardaí). For its part, Loyaltybuild apologised for any “distress or inconvenience” caused by the breach and said it was “working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers”. The firm has also drafted in external data forensics experts.

SuperValu and AXA have suspended their respective schemes in the wake of the breach, RTE reports. Loyaltybuild runs special offers and loyalty schemes for retailers and service providers in the UK, Scandinavia and Switzerland. Many of the schemes offered through its service involve heavily discounted holiday breaks or hotel stays.

Getaway Breaks customers and those who signed up to a hotel promotion with Stena Line are among those affected by the breach.

Data Protection Commissioner Billy Hawkes told the Irish Times that Loyaltybuild had stored financial information in unencrypted form, along with the three-digit security code printed on customers’ credit and debit cards. We put this specific accusation to Loyaltybuild but have yet to hear back from the firm.

Consumers are advised to examine card transactions since mid-October for unauthorised purchases as well as being extra-vigilant about the possibility of more than usually plausible phishing attacks that take advantage of the leaked personal information.

Two Irish banks – AIB and Permanent TSB – told RTE that they had already uncovered evidence of possible card fraud linked to the Loyaltybuild breach, reportedly the largest compromise of its type to hit the Emerald Isle.

Tom Davison, technical director at firewall and security appliance firm Check Point, commented: “This breach is far more extensive than originally thought, with details of over a million customers exposed. People need to check their credit card statements, and be very cautious about clicking on links in emails which claim to be from LoyaltyBuild or its affiliates, no matter how authentic they seem to be. There’s a very real risk that attackers will use the details exposed in the attack to send phishing emails to users, to try to harvest more sensitive data,” he added.

Other security firms criticised Loyaltybuild for failing to follow industry best practice.

“It’s unclear why Loyaltybuild stored the compromised credit card information in the first place,” said Gene Meltser, technical director for Neohapsis Labs, the research arm of mobile and cloud security services firm Neohapsis. “In general, loyalty based programs function by rewarding users for specific purchasing activity, and to do that, loyalty rewards programmes only need to correlate a member’s account information, such as a name, to purchasing activity records related to the reward in question.”

“In an overwhelming majority of cases, it is unnecessary to store detailed credit card data, and in absolutely all cases it is prohibited to store the 3- or 4-digit codes, or CVV values, off the credit card. To store this data unencrypted would not only be fundamentally prohibited under PCI-DSS requirements, but would also demonstrate considerable negligence in protecting customer and payment data,” he added. ®
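The storage failure described above, as an added example that is not code from Loyaltybuild, the ODPC or Neohapsis: an audit that scans stored customer records for the two things a loyalty scheme should never hold (any CVV field, and a cleartext card number, recognised by length plus the Luhn check), beside a data-minimisation step that keeps only what reward correlation needs. The field names in CVV_KEYS and the sample records are constructed for illustration.

```python
"""
Audit stored customer records for payment card data that should not be there.

The point from the article: a loyalty scheme only needs to tie a member to a
purchase, so a stored CVV is prohibited outright and a cleartext PAN is a
needless breach liability. Sample records below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Field names under which sensitive authentication data tends to end up in
# storage (assumed list, extend for your own schemas).
CVV_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code", "card_code"}

# A 13-19 digit run, optionally separated by spaces or dashes, not adjoining
# other digits. Candidates are then filtered with the Luhn check.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a digit run of card-number length that passes Luhn."""
    for m in PAN_CANDIDATE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


@dataclass(frozen=True)
class Finding:
    record_id: str
    field_name: str
    problem: str  # "cvv_stored" or "cleartext_pan"


def audit_records(records: list[dict]) -> list[Finding]:
    """Flag every stored CVV and every cleartext PAN across a set of records."""
    findings: list[Finding] = []
    for rec in records:
        rid = str(rec.get("id", "?"))
        for key, val in rec.items():
            if key.lower() in CVV_KEYS and val not in (None, ""):
                findings.append(Finding(rid, key, "cvv_stored"))
            elif isinstance(val, str) and looks_like_pan(val):
                findings.append(Finding(rid, key, "cleartext_pan"))
    return findings


def minimise_for_loyalty(rec: dict) -> dict:
    """
    Keep only what reward correlation needs: member identity and purchase
    activity. The card number is reduced to its last four digits (enough to
    match a statement line) and every CVV field is dropped.
    """
    kept = {k: v for k, v in rec.items()
            if k.lower() not in CVV_KEYS and k != "card_number"}
    pan = rec.get("card_number")
    if isinstance(pan, str):
        kept["card_last4"] = re.sub(r"\D", "", pan)[-4:]
    return kept


# Constructed sample store. 4111 1111 1111 1111 is a well-known test PAN;
# the 16-digit order reference in m2 fails Luhn and must not be flagged.
SAMPLE_RECORDS = [
    {"id": "m1", "name": "A. Customer", "card_number": "4111 1111 1111 1111",
     "cvv": "123", "booking": "Getaway break, 2 nights"},
    {"id": "m2", "name": "B. Customer", "notes": "order ref 1234567890123456",
     "booking": "Hotel promotion"},
]


if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS):
        print(f"record {f.record_id}: field '{f.field_name}' -> {f.problem}")
    cleaned = [minimise_for_loyalty(r) for r in SAMPLE_RECORDS]
    print("findings after minimisation:", audit_records(cleaned))
```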


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/

Research Into BIOS Attacks Underscores Their Danger

For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior.

The anomalies ranged from system instability, to “bricked” USB sticks and data seemingly modified on the fly, according to online posts. Ruiu, who organizes a number of well-attended security conferences including the current PacSec conference in Tokyo, believes the issues are due to malware infecting the low-level system software, or BIOS, on the machine and has provided hard drive images to other researchers. So far, no one has confirmed the issues.

“I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect,” he wrote on Google+ in late October. “This was on a BSD system, so this is definitely not a Windows issue. And it’s a low level issue, I didn’t even mount the volume and it was infected.” Ruiu has not yet responded to requests for comment.

While security experts continue to debate the existence of BadBIOS, no one denies that malware that infects the basic embedded code on computers is a possibility. A number of researchers have, in the past, demonstrated the ability to infect various low-level components of computer systems with custom code. In 1998, the CIH, or Chernobyl, virus infected Windows 98 systems and attempted to reflash the BIOS, the basic input/output system, on vulnerable motherboards. Since then, only a smattering of researchers and attackers have focused on attempting to compromise the low-level system components: In 2006, for example, a researcher demonstrated ways that the Advanced Configuration and Power Interface (ACPI) on newer motherboards could be used as a high-level language to infect the BIOS.

Whether BadBIOS is the natural extension of that evolution is still a question, says Oded Horovitz, CEO of PrivateCore, a startup focusing on data and hardware integrity.

“It’s anywhere from an odd reality to a myth,” Horovitz says. “Clearly, the concept of the threats circulating around is similar to BadBIOS: re-flashing the firmware and infecting these devices.”

Last year, Jonathan Brossard, a security research engineer with consultancy Toucan Systems, demonstrated that a collection of open-source software and purpose-built code could be used to infect a system with hard-to-detect code that is very difficult to remove.

The attack platform, called Rakshasa, infects the system’s BIOS, the code that first runs on any computer, but also other firmware on the device, including the code used to start up a computer, to make the code nearly impossible to eradicate from the system. In fact, the code is so difficult to remove that Brossard recommends that someone that suspects BIOS malware on their system simply toss their computer and buy a new one.

“The whole concept of such malware is that, if you cannot trust your BIOS, you cannot trust your operating system, and if you cannot trust your operating system, then you cannot trust any calculations or anything you do on the system,” Brossard says.

Researchers and attackers focus on BIOS and other firmware because it is the first code to run, is hard to change and changes are difficult to detect.

[Researchers expect to release proofs-of-concept at Black Hat that show how malware can infect BIOS, persist past updates, and fool the TPM into thinking everything’s fine. See BIOS Bummer: New Malware Can Bypass BIOS Security.]

Erecting defenses to firmware-level attacks is difficult, even on systems with the Trusted Platform Module, cryptographic hardware designed to allow a system to check and attest to its integrity. In a presentation at the Black Hat Conference in July, three researchers from Mitre showed that the access controls that protect BIOS could be circumvented.

A major part of the issue is that the developers who write code for BIOS, firmware, and embedded devices are generally not practiced in writing secure code, says Robert Graham, CEO of security consultancy Errata Security. Many of the methods, such as the Secure Development Lifecycle, that have made code more secure in the operating-system and PC-application world have not yet become standard practice in the embedded device and firmware community.

“The people who write code for embedded devices write really bad code,” he says. “You look at drivers or the firmware, there is none of the modern security practices.”

That does not mean that an attack like BadBIOS is real, he says. Despite the fact that an attack such as BadBIOS is feasible, it could easily be some strange hardware issues, Graham adds.

On the other hand, it could be that Ruiu has discovered an interesting attack, he says. While the scale of the campaign seems impractical because of the number of different hardware motherboards that would require custom code, dedicated attackers could accomplish such a feat.

“One thing that could be happening here is that some virus has been doing this for a number of years and we never noticed,” he says. “Dragos could simply be noticing something that other people have overlooked.”


Article source: http://www.darkreading.com/advanced-threats/research-into-bios-attacks-underscores-t/240163919

Microsoft Unveils State-Of-The-Art Cybercrime Center

REDMOND, Wash., Nov. 14, 2013 /PRNewswire/ — Microsoft Corp. on Thursday announced the opening of the Microsoft Cybercrime Center, a center of excellence for advancing the global fight against cybercrime. The Cybercrime Center combines Microsoft’s legal and technical expertise as well as cutting-edge tools and technology with cross-industry expertise, marking a new era in effectively fighting crime on the Internet.

Each year, cybercrime takes a personal and financial toll on millions of consumers around the globe. The Cybercrime Center will tackle online crimes, including those associated with malware, botnets, intellectual property theft and technology-facilitated child exploitation. The work done at the Cybercrime Center will help ensure that people worldwide can use their computing devices and services with confidence.

“The Microsoft Cybercrime Center is where our experts come together with customers and partners to focus on one thing: keeping people safe online,” said David Finn, associate general counsel of the Microsoft Digital Crimes Unit. “By combining sophisticated tools and technology with the right skills and new perspectives, we can make the Internet safer for everyone.”

The Cybercrime Center is located on Microsoft’s campus in Redmond, Wash. The secured facility houses groundbreaking Microsoft technologies that allow the team to visualize and identify global cyberthreats developing in real time, including SitePrint, which allows the mapping of online organized crime networks; PhotoDNA, a leading anti-child-pornography technology; cyberforensics, a new investigative capability that detects global cybercrime, including online fraud and identity theft; and cyberthreat intelligence from Microsoft’s botnet takedown operations.

The Cybercrime Center includes a separate and secure location for third-party partners, allowing cybersecurity experts from around the world to work in the facility with Microsoft’s experts for an indefinite period of time. The dedicated space enriches partnerships across industry, academia, law enforcement and customers — critical partners in the fight against cybercrime. With nearly 100 attorneys, investigators, technical experts and forensic analysts based around the world, the Microsoft Cybercrime Center is well positioned to make it safer for people online worldwide.

“In the fight against cybercrime the public sector significantly benefits from private sector expertise, such as provided by Microsoft,” said Noboru Nakatani, executive director of the INTERPOL Global Complex for Innovation. “The security community needs to build on its coordinated responses to keep pace with today’s cybercriminals. The Microsoft Cybercrime Center will be an important hub in accomplishing that task more effectively and proactively.”

More information about the Cybercrime Center can be found at http://www.microsoft.com/news/presskits/dcu. Customers are encouraged to visit http://www.microsoft.com/security to learn about malware and help ensure their computers are not infected; if malware is present, the site offers tools to help remove the infection. All computer users should exercise safe practices, such as running up-to-date and legitimate computer software, firewall, and antivirus or antimalware protection technologies. People should also exercise caution when surfing the Web and clicking on ads or email attachments that may prove to be malicious.

Article source: http://www.darkreading.com/attacks-breaches/microsoft-inveils-state-of-the-art-cyber/240163924

5 Tips For Mobile App Security From ICSA Labs

MECHANICSBURG, Pa. – As the number of mobile devices continues to grow and companies develop unique apps to engage with employees and customers, security remains a major concern for IT departments.

While research from the “Verizon 2013 Data Breach Investigations Report” shows data breaches involving mobile devices are uncommon today, experts agree these security threats will become more prevalent in the near future.

According to Jack Walsh, mobility program manager, ICSA Labs: “With more mobile payment systems coming online, and as more devices connect to the cloud, we will begin to see an uptick in security threats to mobile devices. Add to this the bring-your-own-device and bring-your-own-app trends, and it’s easy to understand that mobile devices will be the next frontier for hackers. By layering on additional security proactively, enterprises will be in much better position to protect their assets.”

To help enterprises stay ahead of the curve, ICSA Labs offers these five tips:

1. Dynamic analysis is a must. If deploying security tested mobile applications is required by your company’s IT organization, consider mobile applications that have undergone dynamic analysis. This involves testing a mobile application while it is running in a live environment including all the appropriate back-end systems with which the app normally communicates.

2. Conduct due diligence when selecting a mobile application developer. Make sure the mobile app developer is legitimate, trustworthy and has a history of quality app development. Another good due diligence step is to ask app developers if they have their own testing and certification practices.

3. Build an enterprise app store. If, as an enterprise, restricting certain mobile apps seems like a futile effort, build your own enterprise app store. The store should only include independently tested and approved mobile applications. Also, build and share a list of mobile apps from the enterprise app store, as well as other apps deemed secure. This can help prevent employees from downloading apps from other, possibly rogue locations.

4. Develop and share broadly your mobile device policy with employees. They need to know and understand the ground rules for bringing their own devices into the work environment, and know if this practice is forbidden. Be sure to develop and clearly communicate your policies. Nothing wreaks as much havoc on an organization as ill-informed employees.

5. Don’t fight a losing battle. Research and implement the right mobile device management solution that adequately supports the bring-your-own-device policy, so you are not swimming upstream. Enterprises should be in the driver’s seat when it comes to managing the mobile device environment. It is far easier to get ahead of the curve than to make corrections after the fact.

Earlier this year, ICSA Labs launched its Mobile App Testing program to test the security and privacy of mobile applications. Enterprises can learn more here: https://www.icsalabs.com/technology-program/mobile-app-testing

###

About ICSA Labs

ICSA Labs, an independent division of Verizon, offers third-party testing and certification of security and health IT products, as well as network-connected devices, to measure product compliance, reliability and performance for many of the world’s top security vendors. ICSA Labs is an ISO/IEC 17025:2005 accredited and 9001:2008 registered organization. Visit http://www.icsalabs.com and http://www.icsalabs.com/blogs for more information.

Article source: http://www.darkreading.com/mobile/5-tips-for-mobile-app-security-from-icsa/240163925

Pot-smoking 419ers busted in hotel room crime hub

When South African police visited a hotel room to investigate reports of a marijuana smell, they got more than they bargained for.

On entering the room at the Lagoon Beach Hotel in Milnerton, a suburb of Cape Town, they found laptops, mobile devices and documents indicating a bustling advance fee fraud campaign, according to local news reports.

The room contained three laptops and nine mobiles, all connected to the internet. One of the laptops showed a half-finished bank transfer of R359,000 (over £21,000, $34,000), while another displayed someone’s banking login details.

A notebook was also found, with details of multiple foreign women, as well as a quantity of cannabis, referred to as “dagga” in local slang.

Further investigation uncovered a series of cons which may have netted the gang up to R9 million (close to £550,000, $870,000), with one Australian victim scammed out of R1.93 million (£115,000, $180,000).

Western Union money transfer records connected to the investigation showed multiple transfers from many victims. The Australian woman, named as Marie June Leicester, claimed to have been tricked out of her cash by someone using the name Anthony Donald Caine, and the name Caine appeared in several of the records.

Hotel rooms have traditionally been used by all kinds of criminals, providing privacy and anonymity and allowing all sorts of people to come and go without anyone knowing who is meeting who.

Now it seems as though that useful anonymity has spread to the internet, with hotel connections making it harder to track people down.

Advance fee fraud is also known as the “Nigerian letter” or “419” scam, after the relevant entry in Nigeria’s criminal code. Perhaps unsurprisingly, two of the men arrested in the room on drugs charges turned out to be from Nigeria.

The 419 scam is likely to be familiar to most if not all email users – it’s the one where someone you’ve never heard of mails you out of the blue claiming they have an improbably large amount of money they need “help” accessing, or transferring somewhere, or that they simply want to give away.

Once a victim has expressed an interest, the scam then moves into money-making mode, persuading the victim that if they can just put up a small amount of cash to cover legal fees, bribes or some other invented purpose, the vast wealth will be theirs.

Over time these small fees mount up, with victims sinking ever deeper into the trap, throwing good money after bad in the belief that if only they can overcome the next little hurdle they will be rich.

Of course, they only ever end up out of pocket, sometimes by huge amounts.

So, if you’re ever tempted by one of those emails from the relatives of a wealthy oil man, a dodgy lawyer or a soldier who’s found a stash of hidden gold, remember Marie Leicester and the many others reduced to penury by these scams, and turn your skepticism meter back up to full.

On the other hand, if you’re a cybercriminal running a scam from a beachfront hotel room, and you feel like a smoke to celebrate ripping off your latest innocent victim, go ahead and blaze one up, the smellier the better.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SKdAeqKXE6M/

DOJ: ‘Locking its front gate’ doesn’t let Lavabit off the hook for search warrants

You can’t get out of cooperating with government-ordered electronic surveillance by shutting down, any more than a business can stop police from executing a search warrant by locking its front gate, the US Department of Justice (DOJ) tutted at Lavabit on Tuesday.

Here’s what the DOJ said on Tuesday, in a filing in an appeal by Lavabit (posted courtesy of Lawfareblog.com):

Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems.

Lavabit, the former encrypted email provider to National Security Agency (NSA) secret-leaker Edward Snowden, shuttered its service in August following court orders demanding metadata about an unnamed user who just about everybody assumes was Snowden.

After much wrangling, founder Ladar Levison eventually gave the government Lavabit’s cryptographic key in digital form, after having first printed out and handed over a copy of the key in 4-point type that left the judge none too pleased.

As soon as Levison gave the government the encryption key to unlock metadata on their target’s email, he turned around and shut everything down.

That meant that even though the government had the key, there was nothing to open with it – including the founder’s own email account, given that, as they say, he ate his own dog food.

Lavabit’s suicide has pleased the government about as much as being given an encryption key it can’t read without a microscope.

Which is, likely, why the government’s brief sounds a tad prickly.

In the document, the DOJ says that Lavabit is wrong, wrong, wrong about everything, including:

  • Feeding them encryption keys printed in teensy weensy ant-sized type,
  • The notion that the company only had to help agents install a pen/trap device to monitor communications without actually helping them to decipher anything the device snooped on, and
  • Nuking the whole shebang to prevent the government from using the encryption key Lavabit eventually coughed up (in non-teensy weensy, usable form).

The DOJ also countered Lavabit’s assertion that handing over the encryption key would enable the government to snoop on all users’ encrypted email.

Well of course the government wouldn’t do that, the DOJ said. That would be illegal!

To wit:

That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye.

The DOJ also dismissed Lavabit’s argument that disclosing its encryption key was inconsistent with advertising its service as encrypted:

Lavabit’s belief that the orders here compelled a disclosure that was inconsistent with Lavabit’s “business model” makes no difference. Marketing a business as “secure” does not give one license to ignore a District Court of the United States.

In sum, an exasperated-sounding DOJ has said that, no, of course you are NOT allowed to NOT do what a court orders you to do.

Granted, it’s not breaking news at 11.

But readers will hopefully pardon journalists and security cognoscenti for keeping an eye out on the various strategies that internet service providers take to deal with government demands in these surveillance-happy times, be it Facebook patenting an easier way to pass data to the government or Lavabit’s Levison slipping out the back door when agents tried to serve him with a subpoena.

Literally. He was spotted exiting through his home’s rear door.

I suggest reading the court document – his evasive maneuvers are impressive, be they legalistic, business-oriented or corporeal.

What do you think? Should the Lavabit founder’s civil disobedience tactics be applauded, or given the thumbs down?

Please let us know your thoughts in the comments section below.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0jYyiL5PvxU/

Sophos Techknow

Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

In this episode, entitled The End of XP, Paul Ducklin and Chester Wisniewski investigate the what, the why and the how of dealing with the impending end of support for Windows XP in 2014.

Don’t worry: even if you have computers that you simply won’t be able to update in time, for example because they run bespoke industrial control software, or a legacy financial application, Duck and Chet have some healthy suggestions for you.

They also share some insights into why Microsoft hasn’t simply packed all the improved security components from Windows 7 and 8 into the aging XP, leading to the 08 April 2014 deadline.

If you’re still wrestling with making the switch away from XP, this podcast will give you some handy tips for the future; if you’ve already put in the time and effort to move, listen and be reassured that the experts think you’ve done the right thing!


Get this and other Sophos podcasts

Download this episode as an MP3...

Sophos podcasts on Soundcloud...

RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Zuypi0GmPmo/