STE WILLIAMS

NSA whistleblower Edward Snowden says he’s a hero; do you agree? [POLL]

“To tell the truth is not a crime”, Edward Snowden asserted in a piece titled “A Manifesto for the Truth” published by Der Spiegel on Sunday – the same day that the White House and elected officials scoffed at the NSA whistleblower’s request for clemency.

The US government strenuously believes that telling the truth is a crime, at least in this case, wherein former National Security Agency contractor Snowden has repeatedly disclosed classified government documents about surveillance practices.

The chairwoman of the Senate Intelligence Committee, Dianne Feinstein, Democrat of California, and her House counterpart, Mike Rogers, Republican of Michigan, have both flatly rejected the notion that Snowden has made a case for clemency.

Feinstein said on the TV program ‘Face the Nation‘ that instead of releasing documents to the Guardian and other newspapers, Snowden could have followed more orthodox methods of whistleblowing:

He was trusted; he stripped our system; he had an opportunity – if what he was, was a whistle-blower – to pick up the phone and call the House Intelligence Committee, the Senate Intelligence Committee, and say I have some information. … [But] that didn’t happen.

Snowden’s official request for clemency was released Friday when he gave a one-page typed letter to a German politician that was also reportedly sent to Der Spiegel over an encrypted channel.

In his appeal, Snowden says that his actions have been justified by the useful debate they’ve sparked over surveillance programs that are “not only a threat to privacy” but a threat to “freedom of speech and open societies.”

He said:

Society can only understand and control these problems through an open, respectful and informed debate.

In fact, he said, the debate that governments wanted to prevent “will now take place in countries around the world.”

Rather than doing harm, the benefits of a newly aware public are already bearing fruit, he said, in the form of proposed reforms that entail increased oversight and new legislation.

Indeed, Feinstein herself is among those who’ve questioned whether the NSA has overreached its mandate and whether reform might be in order, particularly in light of reports that the agency had long monitored the cellphone of German Chancellor Angela Merkel.

Feinstein said on Sunday that she’s all for a White House review of intelligence operations and would like her committee to be the one to conduct it.

Tapping the private phones of close allies, she said, can be more of a political liability than a source of good intelligence, so “We ought to look at it carefully. I believe the president is doing that.”

Federal prosecutors have charged Snowden – who’s still in temporary asylum in Russia – with theft and with two violations of the Espionage Act of 1917.

In his manifesto, Snowden said he didn’t believe that telling the truth should be considered a criminal offense:

Citizens have to fight suppression of information on matters of vital public importance. To tell the truth is not a crime.

What do you think? Is Snowden a whiner? Should he leave Russia and face the music?

Or do you think he should be lauded for shining a light into the dark corners of a spy agency that’s been blinded by the power of its technology toys?

Let us know your thoughts.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iLEdpmUGIcY/

Fear of bugging prompts iPad ban in UK Cabinet meetings

iPads were plucked from users’ hands at a UK Cabinet meeting last week, because of fears that they might be bugged by foreign intelligence agencies.

The Daily Mail on Sunday reported that the Ministers were using the devices for a presentation by Cabinet Office Minister Francis Maude and Mike Bracken, who’s in charge of the Government Digital Service.

The talk was on the topic of saving the economy close to £2 billion ($3.19 billion) a year within the next four years.

Typically, the Cabinet isn’t particularly generous about applause for presentations, the Daily Mail said, but this time, when the talk wrapped up, Ministers clapped.

That’s when the government’s security team pounced, the Mail reports, whisking all iPads out of the room to avoid careless talk reaching the wrong ears.

It doesn’t stop there, The Telegraph subsequently reported.

Given the security force’s fear that foreign intelligence agencies have developed the ability to turn mobile devices into eavesdropping bugs without their owners’ knowledge, all tablet computers – which, one assumes, covers all manufacturers’ gadgets, and not just Apple’s – are now banned from Cabinet meetings.

The Telegraph’s Matthew Holehouse writes that Ministers in sensitive government departments have also been given soundproof, lead-lined boxes that they’re required to store their mobile phones in while having sensitive conversations.

The concern, he writes, is that

China, Russia, Iran and Pakistan have developed the ability to turn mobiles into microphones and turn them into transmitters even when they are turned off.

The news comes fast on the heels of reports last week from Italian newspapers (including La Stampa) that delegates to the G20 summit near St. Petersburg, Russia, received USB sticks and mobile phone chargers booby-trapped with Trojan horse malware.

The devices reportedly were able to secretly tap emails, text messages and telephone calls.

According to Corriere della Sera, when he got back to Brussels, European Council President Herman Van Rompuy sent the devices over to his security managers.

They in turn asked for help from the German secret service.

Their analysis resulted in a memo going out to member states indicating that the USB stick and power cables were “suitable for the illegal collection of data from computers and cell phones” and that member states should “take every possible precaution in case these items have been used and if not to entrust the security structures for further inspection.”

Russia has denied the allegations.

What are the lessons here for businesses? Typically, most don’t struggle with the fear of a nation turning their employees’ devices into surveillance bugs.

But with or without the threat of foreign intelligence spying on your organisation, iPads, or any other tablet for that matter, are in many ways just smartphones in a bigger form.

That means they carry the same risks to a company’s network security.

Such devices also usher in the bring-your-own-device migraine.

Practical tips in these surveillance-happy times

The traditional, centralised approach of configuration management, software, patching and security is often impossible, if not irrelevant, on such platforms, as Sophos’s Ross McKerchar has described in his article about handling smartphones in the workplace.

That article has tons of good advice on handling device security, including segregating a user’s personal iPad or other device so that they don’t have direct, unrestricted connectivity to crucial servers unless absolutely necessary; having clear policies on passwords and jailbreaking; evaluating the risk profiles of platforms (Android vs. Apple); educating users; and more.

But wait, there’s more!

Ross followed up with this article, which delves into what an attacker might do with the juicy tidbits on a stolen or lost device. This includes the social engineering stunts that can be pulled, given that the device would likely contain the owner’s address, date of birth and information that could then help to answer account security questions.

Still worried about your mobile phone being a bug? Advice for the truly surveillance nervous: Before you read either article, lock your cellphone in your car trunk.

Don’t read the articles out loud, and try to avoid moving your lips while you read.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xdp1ar9AfW0/

Adobe users’ purloined passwords were PATHETIC


Adobe’s security breach just got worse for the company and the world, after a security researcher revealed that 1.9 million of the company’s customers use the string “123456” as their password.

The researcher in question is Jeremi Gosney of the Stricture Group, whose Twitter profile claims The Reg has in the past labelled him a “password security expert”. Gosney says he came across the purloined passwords on one of several online dumps and analysed them to see which passwords are most-used by Adobe customers.

The list makes for ugly reading. Here’s the top 20.

Gosney’s posted the top 100 here.

Adobe first said three million passwords were pinched in the raid, then upped that number to 38 million and raised the prospect of 150 million people being at risk.

Whatever the number, the results make Vulture South wonder if criminals should have bothered breaking in to steal them: with 1.9 million users relying on “123456” there’s a better than one in one hundred chance of unlocking an Adobe account with blind luck.

That this should be the case says a lot about Adobe’s password regulations, and maybe Adobe users too. To be fair to the company it’s conceivable that many of its users signed up in days of yore, before complex passwords were either necessary or fashionable.

A counter-argument is that the company should have encouraged users to adopt more secure passwords a long time ago. It’s doing so now: accounts have been frozen until users reset their passwords. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/adobe_users_purloined_passwords_were_pathetic/

Big Beardie’s watching: Alan Sugar robots spy on Tesco petrol queue


A division of Lord Alan Sugar’s firm has launched a surveillance campaign which will see shoppers’ faces scanned at hundreds of Tesco petrol stations.

Amscreen, one of Lord Sugar’s firms, has installed the OptimEyes advertising system in 450 Tesco filling stations around the nation.


These devices contain facial recog technology able to detect the age and sex of customers, before beaming specially tailored advertisements at them. This means that if suddenly a number of women stop for petrol, for example, they could be shown advertisements for a women’s fashion brand.

Once Big Beardie has scanned his targets, adverts will then play on a 100-second loop.

Simon Sugar, Alan’s son and Amscreen CEO, said: “Yes, it’s like something out of Minority Report but this could change the face of British retail.

“Our plans are to expand the screens into as many supermarkets as possible.

“The OptimEyes does not store images or recognise people but just works out gender and sorts customers into one of three age brackets.”

Tesco’s Peter Cattell said the technology was “the perfect means for us to enhance the customer shopping experience”.

“It can be extremely useful and timely for our customers,” he continued.

However, not everyone likes the thought of being spied upon.

Nick Pickles of Big Brother Watch issued a statement which read: “The race is on for retailers to gather as much information about us as possible, as personalised as possible.

“The very intrusive nature of this technology lays bare the lengths to which some companies are willing to go and how supermarkets see people as there to be tracked.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/big_beardie_is_watching_lord_alan_sugar_spies_on_tesco_shoppers/

Antivirus bods grilled: Do YOU turn a blind eye to government spyware?


Analysis Security guru Bruce Schneier has joined with the Electronic Frontier Foundation and 23 other privacy and digital rights activists to call on antivirus firms to publicly state they do not turn a blind eye towards state-sponsored malware.

Antivirus vendors have been given until 15 November to go on the record about detection of state-sponsored malware, with early indications pointing towards a somewhat weary “of course we detect it” response.


Meanwhile, neutral observers of the security software market point out there’s no need for spy agencies to ask for their malware to be whitelisted by vendors, because defences aren’t that strong in the first place.

An open letter (PDF) to the industry from Schneier et al follows recent revelations that the NSA uses malware and exploits to track users of the Tor anonymity service or otherwise monitor the communications of surveillance targets.

The existence of the NSA’s Tailored Access Operations (TAO) hacking squad has been an open secret for years, but recent revelations have fleshed out the details and revealed that NSA hackers follow procedures under which they generally resort to malware only in cases where it’s unlikely their malicious code will be detected.

Effective security scanners might therefore be a factor when the NSA decides whether or not to run malware-based attacks – even though nobody seriously believes antivirus alone can be relied upon to defend against state-sponsored malware.

“As a manufacturer of antivirus software, your company has a vital position in providing security and maintaining the trust of internet users as they engage in sensitive activities such as electronic banking,” the privacy activists and security experts wrote in an open letter to antivirus companies. “Consequently, there should be no doubt that your company’s software provides the security needed to maintain this trust.”

The letter (extract below) challenges antivirus vendors to be clear about their detection of governmental surveillance-ware, requesting a response by 15 November.

Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?

Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?

Although propelled back into the news by the Snowden revelations, the question of whether or not antivirus vendors avoid detection of state-sponsored malware has been around for years.

Bundestrojaner and Magic Lantern

For instance, two years ago, the discovery of a controversial backdoor Trojan used by German officials to eavesdrop on Skype conversations of criminal suspects provoked questions about antivirus detection. Samples of the so-called R2D2 (AKA “0zapftis”) Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code. German federal agencies subsequently insisted the so-called Bundestrojaner was legal.

Eddy Willems, a security evangelist at German firm G Data Security Labs, told El Reg: “This is not a new issue – it has been around for over 10 years – and all players in the AV industry have clearly stated, on several occasions, that no, we do not allow malware created by the state to infect any systems and we do not share any privacy-sensitive information with anyone, not even with police forces or secret services.”

“G Data was asked very often if we allowed these Trojans on systems,” Willems said. “The answer was a very clear NO.”

Finnish anti-virus firm F-Secure has a similar and equally clear policy of detecting spying programs developed by governments and notifying its customers, regardless of fear or favour. Other antivirus firms likely have similar stances because to act otherwise would be commercial suicide, as previous controversies about the same issue have established.

The Bundestrojaner is just the latest example of a longer running issue. In November 2001, for example, controversy erupted over whether security software firms were deliberately avoiding detection of a Trojan horse program reportedly under development by the FBI.

The keystroke-logging Trojan, dubbed Magic Lantern, reportedly enabled investigators to break PGP-encoded messages sent by suspects under investigation by using malware to capture a suspect’s passphrase. Magic Lantern samples were never captured – or at least never identified as such.

The same issue of security software detection of “patriotic” malware arose in the immediate aftermath of 9/11, and continues to resonate more than 12 years later.

It wouldn’t make sense, and here’s why…

But Willems argues that for anyone in the industry to ignore state-sponsored malware would be unworkable as the malicious software can be produced by any number of intelligence agencies in any number of countries.

“The cynical receiver of that message might think this is the only viable response in order to keep on selling products to the public,” Willems explained, “but it would be quite obvious if there were players that do allow state-made malware through while others do block it. It would show up in detection percentages and it would be obvious from sites like VirusTotal, which compare the detection of certain files amongst different AV-products. The only way this would work is if all AV vendors allowed all state-made malware through, not only that of their own country, but also that of all the other countries.”

Warming up to his theory, he continues: “[But] to make that work, all these companies would always need to be made aware of all the samples that are state-made in order for them to whitelist them (because they are intrinsically the same as all other malware, so cannot be recognised as such). That would mean that, for instance, secret services from the US would need to inform the Russian, Romanian, Chinese, German, etc developers of AV software about their state-made malware. Not a very likely scenario,” he added.

Not detecting state-sponsored malware is also a bad idea for other reasons, such as the possibility that cybercrooks might get their hands on it and misuse it to steal data, as a blog post on the issue by Sophos explains. “Our customers’ protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can’t detect, not for us to cripple our software.”

Top secret... or top, top, top secret?

Security blogger Kurt Wismer is also dismissive about claims that antivirus vendors are complicit in state-sponsored malware attacks, albeit for different (and seldom aired) reasons. Wismer argues it would be bad operational security practice to tell anyone about your super-secret malware. “If you want to keep something secret, the last thing you want to do is tell dozens of armies of reverse engineers to look the other way,” Wismer writes on his Anti-virus Rants blog.

Wismer also points out that there’s no need for government ninja types to tell security vendors about their wares in order to be effective in smuggling them past security defences. To believe otherwise would be to credit the idea that well-resourced intelligence agencies are incapable of following a practice common or garden cybercrooks have been successfully following for years.

“There are already well-established techniques for making malware that AV software doesn’t currently detect. Commercial malware writers have been honing this craft for years and it seems ridiculous to suggest that a well-funded intelligence agency would be any less capable,” Wismer concludes.

Antivirus vendors, while fierce rivals commercially, have always co-operated on a technical level with the exchange of malware samples. Victims’ willingness to go along with this process has dried up somewhat in the era of state-sponsored snoopware, according to Willems.

“Whenever a certain state encounters a piece of malware they suspect is written by another state to spy on them, they are very reluctant to ask the AV industry for help in analysing this software. Why this is the case remains a mystery, although my guess goes towards diplomatic relationships between states getting prioritised over cases of cyber espionage,” Willems concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/av_response_state_snooping_challenge/

Crack our ‘military-grade’ email encryption and we’ll give you 5% of our firm


Vulnerability testing is commonplace these days, and a lucrative business for some, but a Hungarian biz is offering an unusual prize for anyone who manages to crack its email encryption system – a five per cent stake in the company.

The upstart, MySecureZone, has spent the last 22 months putting together a browser-based encryption system for email, instant messaging, VoIP and VPN traffic that it claims is bulletproof. In the case of email, for example, messages are encrypted and then sent to the firm’s servers in Switzerland and Luxembourg, after which the recipient can pull them down and read them using a passphrase agreed with the sender.


“The goal of our company is to help people protect their online privacy and to bring the highest grade user-friendly IT security to the public. For ultimate security, our system rests on the strong foundations of open source,” said Istvan Balazs, MySecureZone’s CTO.

“We know that, on the Internet, the user login process is one of the most vulnerable areas of personal information protection. That’s why we have created a state-of-the-art, web-based, two-factor authentication solution that is unique and innovative. This will ensure that, even with a weak password, your private messages will be safe and secure.”

The competition, which began on Monday, challenges people to decrypt one of these emails and get hold of the message contents. Participants can apply to the firm for access to the encrypted email and the first person to break it open can claim a five per cent share of the firm; it’s also running an Indiegogo campaign to raise $50,000 to get a commercial ‘military-grade’ version of the system up and running.

As publicity stunts go it’s an interesting idea but, as one El Reg hack noted, if you’ve broken the encryption would you want a stake in the firm that’s trying to sell it? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/hungarian_startup_email_crack_contest/

Quantum-classical crypto sends secret vote from Switzerland to Singapore


Quantum cryptography is already useful in protecting “good” parties against interference from an evil outside world, but until now, it hasn’t protected a “good” Bob from an “evil” Alice, or vice versa.

According to the pre-press version of the paper at Arxiv, now published in Physical Review Letters, that can be overcome by using special relativity – specifically, the constraint of the speed of light – as the honesty-check on what Bob and Alice are doing.


“Bit commitment” is a cryptographic primitive, in which Bob creates a bit, communicates it to Alice – but doesn’t “open the envelope” until a specific time. In its simplest form, bit commitment looks exactly like a secret vote, but it’s a thornier problem than it looks at first glance:

  • The bit has to remain secret until it’s revealed;
  • Alice has to know when Bob made his commitment;
  • It has to be impossible for Bob to change his decision between the time the information is created and the time the envelope is opened;
  • It also has to be impossible for anyone else to view or change the vote between creation and revelation.

To date, nobody’s delivered a protocol based purely on quantum cryptography that can solve the bit commitment problem, so the researchers – from the University of Geneva, the National University of Singapore, the University of Cambridge, and Canada’s Perimeter Institute for Theoretical Physics – created a mixed system using a combination of quantum entanglement and special relativity.

The quantum part of the system is familiar enough: a quantum key distribution system was set up in Geneva (Alice) to send bits that Bob detects in Singapore. The problem is that the time it would take in a purely quantum set up to send enough high-quality bits between the two ends of the link makes it impractical.

Instead, the experiment used a delayed-choice commitment: Bob first spends a little longer measuring the incoming stream of photons sent by Alice. He has to let Alice know which of the qubits she sent resulted in a “click” at his detectors – but that doesn’t involve revealing his own decision. By then choosing a bunch of the detected qubits at random (without Alice knowing which ones), Bob gets a one-time-pad he can use to encrypt his decision, effectively “sealing the envelope”.

The experimental setup used is shown in the image below. The FPGAs’ role is to implement the classical steps of the protocol.

[Figure: quantum-classical bit commitment setup. Image from “Experimental bit commitment based on quantum communication and special relativity”, Arxiv, http://arxiv.org/pdf/1306.4801v2.pdf]

So where does the classical part of the system come into play? Special relativity limits how quickly any party to the communication can send a message (nothing travels faster than light, which in this experiment works out to 21.25 milliseconds). Bob and Alice also have agents, and communicate some of what they know with those agents. With a high-accuracy clock overseeing what’s seen by those agents, the system can be designed such that any “cheating” is detected, because neither Bob nor Alice can communicate instantly with their agents.

The researchers note that a provably secure bit commitment would be valuable in applications such as high-speed stock trading. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/quantumclassical_crypto_sends_secret_vote_from_switzerland_to_singapore/

Bitcopocalypse! Top crypto-currency can be HIJACKED, warn boffins


The Bitcoin crypto-currency is vulnerable to manipulation by greedy miners, researchers have claimed, which poses a threat to the stability of the funny money.

In a paper distributed on Monday titled Majority is not Enough: Bitcoin Mining is Vulnerable, two researchers from Cornell University describe how Bitcoin’s currency generation and authorization system – the “blockchain” – can be exploited by groups of “selfish” Bitcoin miners.

Bitcoin 101

The foundation on which Bitcoin rests is a public ledger called the blockchain, which is a sequential list of all the past confirmed transactions: each block is used to securely and permanently record a small set of Bitcoin transactions and each block links to the previous block so that a record of verified exchanges between Bitcoin wallets can be publicly agreed upon.

Crucially, and simply put, Bitcoin relies on a peer-to-peer network to synchronize everyone to the longest valid blockchain.


You can’t create a new block out of thin air: a cryptographic puzzle unique to each new block must be solved for it to be considered valid by the Bitcoin network and used to store transactions added to the end of the chain.

Mining is therefore the act of attempting to solve mathematically non-trivial puzzles to create cryptographically secure blocks; there’s a reward in Bitcoins for solving each crypto-riddle for the network.

People can choose to pool together compute resources to crack these blocks. These miners typically have to join other miners to unite their computation power and increase the rate at which they can tear through the increasingly difficult puzzles for each block.

The Cornell researchers now believe that if a third of all the miners in the Bitcoin ecosystem banded together into a “selfish miner” group, they could crush the competition and take an ever-larger share of proceeds.

So, how exactly could this come to pass? It relates to the fact that a selfish miner can keep newly found blocks private rather than making every single one public for the network to use. The honest, non-selfish Bitcoiners will continue to toil away on already solved problems while the pool of selfish miners starts using the new blocks to store transactions.

At the right moment, when enough extra blocks have been secretly acquired, the pool of selfish miners can reveal their private blockchain, which will be longer than the public blockchain: the network will switch to the longer chain, the selfish miners earn their reward for cracking the crypto-puzzles and the honest Bitcoiners earn nothing for all the electricity they spent finding the same blocks.

‘Bitcoin will never be safe against attacks by a selfish mining pool’

“Selfish mining judiciously reveals blocks from the private branch to the public, such that the honest miners will switch to the recently revealed blocks, abandoning the shorter public branch,” the researchers wrote. “This renders their previous effort spent on the shorter public branch wasted, and enables the selfish pool to collect higher revenues by incorporating a higher fraction of its blocks into the blockchain.”

The Cornell bods believe that once a third of toiling Bitcoin miners cluster together into a single pool, selfish mining is inevitable. “The [Bitcoin] protocol will never be safe against attacks by a selfish mining pool that commands more than 33 percent of the total mining power of the network,” their paper concluded.

To deal with this, the researchers “propose a simple, backwards-compatible change to the Bitcoin protocol to address this problem and raise the threshold. Specifically, when a miner learns of competing branches of the same [blockchain] length, it should propagate all of them, and choose which one to mine on uniformly at random.”

This will help protect against the formation of selfish miners and hopefully save the network from itself. Though banding together a third of all Bitcoin miners is a tall order, given that the currency has a market capitalization of $1.5bn and the mining network is running at 42 times 10^18 floating-point operations per second, it could evolve organically because of the incentive for innocent miners to join a selfish gang to make more money.
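To make the revenue argument concrete, here is an added Python model (written for this page, not code from the Cornell paper or The Register) that plays out the selfish-mining strategy just described block by block and compares it with the paper’s closed-form result. It assumes the paper’s two parameters: alpha, the pool’s share of hash power, and gamma, the fraction of honest miners that build on the pool’s block when two equal-length branches race; the proposed fix of choosing uniformly at random pins gamma at 0.5, which is why it guarantees a 25 per cent threshold, whereas a pool whose blocks always reach honest miners first (gamma near 1) could profit at any size.

```python
"""Added example: Monte Carlo model of selfish mining (Eyal & Sirer, 2013).

alpha  fraction of total hash power controlled by the selfish pool
gamma  fraction of honest miners that build on the pool's block when two
       branches of equal length compete (0 = pool always loses ties,
       1 = pool always wins ties; the proposed protocol fix pins it at 0.5)
"""
import random


def selfish_mining_threshold(gamma: float) -> float:
    """Pool size above which selfish mining earns more than honest mining.

    Follows from the closed-form revenue below: the share exceeds alpha
    exactly when alpha > (1 - gamma) / (3 - 2 gamma). gamma = 0 gives the
    one-third figure quoted in the article, gamma = 0.5 gives one quarter.
    """
    return (1.0 - gamma) / (3.0 - 2.0 * gamma)


def selfish_revenue_share(alpha: float, gamma: float) -> float:
    """Steady-state fraction of block rewards won by the selfish pool.

    Closed-form result of the paper's Markov-chain analysis, valid for a
    pool with alpha < 1/2 (above that the pool simply outruns everyone).
    """
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def simulate_selfish_mining(alpha: float, gamma: float,
                            blocks: int = 200_000, seed: int = 1) -> float:
    """Play the strategy block by block and return the pool's revenue share.

    State is the pool's private lead plus a flag for the 'tie' situation in
    which the pool has just published a block to race an honest one.
    Rewards are credited only once a block is certain to stay in the chain.
    """
    rng = random.Random(seed)
    pool_rev = honest_rev = 0
    lead = 0        # private blocks the pool is ahead of the public chain
    tie = False     # two public branches of equal length (pool vs honest)

    for _ in range(blocks):
        pool_found = rng.random() < alpha
        if tie:
            tie = False
            if pool_found:
                # Pool extends its own branch: both of its blocks now pay,
                # the competing honest block is orphaned.
                pool_rev += 2
            elif rng.random() < gamma:
                # An honest miner built on the pool's block: one block each.
                pool_rev += 1
                honest_rev += 1
            else:
                # Honest miner built on the honest block: pool block orphaned.
                honest_rev += 2
        elif pool_found:
            lead += 1           # keep the new block private
        elif lead == 0:
            honest_rev += 1     # nothing to race; honest block stands
        elif lead == 1:
            # Pool immediately publishes its hidden block -> equal-length fork.
            lead = 0
            tie = True
        elif lead == 2:
            # Pool publishes both blocks; longest chain wins, the honest block
            # (and the electricity spent on it) is wasted.
            pool_rev += 2
            lead = 0
        else:
            # lead >= 3: pool releases one block, stays ahead; the honest block
            # is doomed once the rest of the private chain comes out.
            pool_rev += 1
            lead -= 1

    return pool_rev / (pool_rev + honest_rev)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma = {gamma:.1f}  profitable above alpha = "
              f"{selfish_mining_threshold(gamma):.3f}")
        for alpha in (0.20, 0.25, 0.30, 0.35, 0.40):
            share = selfish_revenue_share(alpha, gamma)
            sim = simulate_selfish_mining(alpha, gamma)
            verdict = "gains" if share > alpha else "loses"
            print(f"  alpha={alpha:.2f}  honest share={alpha:.3f}  "
                  f"selfish share={share:.3f} (sim {sim:.3f})  pool {verdict}")
```

Running the module prints, for each gamma, the pool size above which the strategy pays and the simulated versus analytic shares for several pool sizes; below the threshold the pool loses revenue by withholding, above it the share grows faster than its hash power.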

“Last time I checked, the two largest pools were 28 per cent and 23 per cent,” Eyal, one of the paper’s authors, told The Reg via email. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/bitcoin_exploit/

Data Privacy Scare On HealthCare.gov

Had you asked me last week if things could get any worse for the federal government’s embattled insurance marketplace website, HealthCare.gov, I probably would have said, “I don’t see how.” Today, I’m not so sure.

On a very personal level, I have done more than just peruse HealthCare.gov over the past month. I actually created an account. After three sets of username and password combinations and more than three hours spread across two days, I finally completed the account creation process — or should I say, the account creation process finally worked. I found the process to be as was widely reported: disjointed, clunky and largely broken. If I had been my father, I would never have been able to complete the process. (Sorry, Dad.)

As you might expect, the process did nothing to inspire confidence, much less assuage my fears for the security of my own personal information.

Serious concerns for the personal data privacy of HealthCare.gov users began to increase significantly two weeks prior to the launch of the federal government’s website. The State of Minnesota’s new health insurance exchange had its own privacy breach causing many to question whether the systems were ready for primetime (see The Breach In The Ointment Of The Affordable Care Act). The recent Congressional oversight hearings on the HealthCare.gov rollout brought data privacy concerns to the forefront as political leaders on both sides of the aisle grilled Health and Human Services heads over security testing of the website. And finally, somehow, White House press secretary Jay Carney’s reassurance that “consumers can trust that their information is protected by stringent security standards,” didn’t make me feel any more confident.

As if on cue, reports surfaced late Saturday that one HealthCare.gov user received eligibility letters via the website addressed to and intended for other HealthCare.gov users. While this one incident does not constitute a major breach in terms of number of personal records exposed, it does call into question the integrity of a backend system that would serve up documents belonging to another user. And if this turned out to be a widespread problem, the consequences could be serious.

Since I exerted significant time and energy in acquiring a HealthCare.gov account, I didn’t want all that effort to be for naught. I logged in to the system to see if I had any eligibility notices and if, by chance, they belonged to someone else. When my applications page came up, I found that I did have an eligibility notice waiting for me. But, when I downloaded it, sadly, I found it was addressed to me and no one else.

Given the high profile of the healthcare debate and the enormous political capital at stake, you can be sure every self-proclaimed hacker worth her salt is banging away at HealthCare.gov, looking to uncover any vulnerability. If there are security deficiencies, they are sure to be found quickly and exploited.

I guess the good news from my personal testing is we now know the problem with misdirected eligibility letters is not 100% pervasive. The bad news is we now know that HealthCare.gov is its own greatest inside threat.

Article source: http://www.darkreading.com/views/data-privacy-scare-on-healthcaregov/240163526

Dark-Side Services Continue To Grow And Prosper

In 2005, police in Morocco and Turkey arrested two men connected with the Zotob worm: The 18-year-old creator of the worm and the 21-year-old man who paid him to develop the code.

The transaction is one of the earliest cases of for-hire criminal services. Since then, such services have proliferated, and cybercrime has become a much larger issue. One measure of the problem: The number of malware variants has skyrocketed, more than quadrupling from 2006 to 2007 and growing to 403 million variants in 2011, according to data from Symantec, which no longer publishes the number.

Such growth is powered by the evolution of specialized services in the cybercriminal marketplace, according to Grayson Milbourne, security intelligence director at software-security firm Webroot.

“The mature cybercrime as a service market has empowered novice criminals with all the tools necessary to launch their own campaigns,” he says. “As the prices for services are very inexpensive, cost is not a disincentive.”

In many ways, the evolution of online criminal services has mirrored, and even predated, such services in the legitimate business world. Companies adopt cloud offerings for a variety of different reasons: The services remove many of the up-front costs of deploying an application, offer better support than in-house IT groups and are better able to deal with complex deployments than a firm’s IT staff. Often such services are just faster and more user friendly, and allow the provider to sell off excess capacity.

Cybercrime services are adopted for similar reasons. A leased botnet can replace a criminal’s technical nightmare of deploying and maintaining a large network of compromised PCs. Financial and identity information, which is so voluminous that data thieves typically cannot use a fraction of their take, can be sold rather than sitting on a server collecting virtual dust. And denial-of-service attacks can be delivered within minutes of being bought.

“It is just a matter of finding new ways to monetize the access that they already have or they will potentially get in the future,” says Joe Stewart, director of malware research for Dell SecureWorks’ Counter Threat. “The driver for these groups is monetization and trying to extract every bit of money they can out of these systems.”

The variety of services offered is dizzying. Some underground providers focus on malware-as-a-service, others have branched out into mobile malware. Similarly, some groups sell denial-of-service attacks, while others focus on flooding phones with SMS messages to circumvent some financial institutions’ two-factor authentication mechanisms. Some services lease botnets; others pay a bounty for every computer compromised. Personal information, credit-card details, and lists of millions of e-mail addresses are all up for sale.

[DDoS attacks of more than 10 Gbps now happen several times a day across the globe, study says. See Report: DDoS Attacks Getting Bigger, Faster Than Ever.]

The groups behind the Cutwail botnet, also known as Pushdo, for example, may have occasionally paid as much as $15,000 to maintain the botnet’s low-six-figure size, but likely made $1.7 million to $4.3 million over nearly two years, according to a 2011 paper written by a group of academic security researchers.

In a whitepaper published in September, security firm McAfee found that prices for credit-card information ranged from about $15 for a U.S.-based victim without the PIN to $250 for a premier credit card with the PIN and a hefty balance.

Gaining access to such services is no longer as onerous as it once was, says Raj Samani, McAfee’s chief technology officer for Europe, Middle East and Africa, and co-author of the McAfee paper. In the past, criminal groups required customers to have a reputation in the underground. Today, however, anyone with a credit card or WebMoney account can buy services, Samani says.

“What really shocked me–more than how the services have evolved–is that in the past, you had to know someone to get access,” he says.

In another sign of the maturing marketplace, the underground providers are also taking the service side seriously, offering support, updating malware, and, in some cases, giving refunds.

“Some of these information brokers give refunds when they cannot find the information you’ve asked for,” says Alex Holden, chief information security officer of Hold Security, a security consultancy.

In the end, the evolution of the cybercriminal business model makes attacks more efficient, gives greater access to less technically inclined criminals and allows anyone to gain the advantage of more tech-savvy developers, says Webroot’s Milbourne.

“It is leading to a less secure world,” he says.


Article source: http://www.darkreading.com/services/dark-side-services-continue-to-grow-and/240163528