STE WILLIAMS

Trend Micro Acquires Broadweb To Enhance Network Protection Against Targeted Attacks And Advanced Threats

DALLAS, Oct. 10, 2013 /PRNewswire/ — Trend Micro (TYO: 4704; TSE: 4704) today announced the acquisition of Broadweb, a Taiwan-based provider of advanced network security solutions. Broadweb’s innovative deep packet inspection and real-time blocking of malicious packets will strengthen Trend Micro’s Custom Defense Solution, which provides comprehensive network-wide visibility and protection against targeted attacks and sophisticated advanced threats.

Broadweb’s proven technology has been validated independently by NSS Labs and has received ICSA Labs IPS Certification. In addition to offering its own branded network security solution in Asia, Broadweb’s OEM customers include a variety of leading network security vendors. Financial terms of the acquisition are not being disclosed.

“As attacks evolve, conventional network security is no longer sufficient to keep digitized data, intellectual property and communications safe,” said Kevin Simzer, senior vice president, marketing and business development, Trend Micro.

“Our Custom Defense solution is unlike anything on the market. It enables organizations to detect, analyze, adapt and respond to targeted attacks and advanced threats. Integrating Broadweb’s proven capabilities into our Custom Defense Solution enhances our ability to provide customers with the most comprehensive solution for targeted attacks available today.”

Trend Micro’s Custom Defense delivers holistic, actionable intelligence to mitigate targeted attacks and advanced threats before a network can be compromised. With the ability to proactively identify customized threats across devices, protocols, operating systems and networks, the unique offering empowers organizations to identify and respond to cyber attacks that are purpose-built to evade standard IT security.

“We are excited and honored that our talents and technologies will be a part of the Trend Micro family,” said Dr. Terence Liu, CEO of Broadweb. “Both companies are built on strong cyber security DNA and engineering culture. We anticipate this spark to unleash inspiration and creativity for next-generation network security technologies.”

About Trend Micro

Trend Micro Incorporated, a global leader in security software, rated number one in server security (IDC, 2013), strives to make the world safe for exchanging digital information. Built on 25 years of experience, our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem.

All of our solutions are powered by a cloud-based global threat intelligence data mining framework, the Trend Micro(TM) Smart Protection Network(TM) infrastructure, and are supported by over 1,200 threat experts around the globe.

For more information, visit TrendMicro.com.

Article source: http://www.darkreading.com/perimeter/trend-micro-acquires-broadweb-to-enhance/240162510

Security Ratings Proliferate As Firms Seek Better Intel

Wondering if that mobile app is safe? There’s a score for that. If that business partner takes security seriously? There’s a score for that too.

A wave of companies have launched services aimed at giving their customers a better understanding of the risks associated with different components of the business supply chain, from transactions to applications and from cloud services to partners. ThreatMetrix, for example, uses information gleaned from visitors to its customers’ Web sites to place a risk score on transactions that can be used to decide if a transaction is fraudulent. Startup BitSight mines public security data–such as blacklists, fast-flux domain lists and other indicators of compromise–to assign a rating to its clients’ partners.

The push to rate the security of each component of a business promises to give executives and managers more information with which to make decisions, says Sonali Shah, vice president of products for BitSight.

“We are bringing science to the management of security,” she says. “The idea is to allow the chief information security officers to go into meetings with businesses and present data used around their decisions.”

Security-conscious businesses are already moving toward finding better ways to measure the security posture of their own organizations. Some companies have already launched big-data analytics projects to crunch security data and find the signs of potential attacks.

Yet, information on the security of the supply chain is not as readily available. Large companies routinely require suppliers to fill out assessments for compliance to a variety of regulations, but verifying the partners’ assertions can be difficult. In addition, most companies do not have the expertise to vet the security of a mobile application or to gauge the security of a cloud service, so simplifying the process into a single–or set of–ratings is important, says Domingo Guerra, co-founder and president of Appthority. The company offers a service for creating mobile-device security policies based on its analysis of the privacy and security attributes of mobile applications.

“Many companies are afraid of what’s going on, because they don’t understand their current exposure or their current risk,” he says.

[A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. See Threat-Intel Sharing Services Emerge, But Challenges Remain.]

Security ratings for different aspects of the business also give companies the ability to turn a binary decision–good or bad–into a spectrum of risk. Different companies can have different tolerances of risk and may take different actions based on a particular score, says Peter Liske, vice president of product management for ThreatMetrix. The company uses on-the-fly analysis to determine whether a person visiting one of its client’s Web sites is a legitimate customer or trying to conduct fraud. From a computer with a strangely configured browser to a single device logging into different accounts, a variety of anomalies can tip off the service to possible fraud and result in a lower score, but what constitutes an acceptable risk is up to the company, he says.

“The reputation and anomaly checking is not binary, it is more of a percentage game,” Liske says. “It comes down to a decision of how much risk do I want to take in regards to fraud, versus how much inconvenience do I want to burden my users with.”

Using ratings also allows a CIO or CISO to have more flexible options–to limit, rather than block, a low-scoring app, says Sanjay Beri, CEO and founder of startup Netskope, which came out of stealth this week. Netskope, and rival SkyHigh Networks, help their customers discover and manage their cloud services, and as part of that, rate cloud services in terms of security and maturity.

“Allowing an app or blocking an app is not the level of control that a CIO needs,” he says. Instead, they should be able to allow, but limit the data that can be put into the service, or allow, but limit the people who can use the service. “We are giving them a scalpel rather than making them use a sledgehammer,” he says.

Finally, most companies do not have the time to continuously re-evaluate the security of each component of their business, but regularly updating the metrics is important, says Stephen Boyer, co-founder and chief technology officer of BitSight. Having a service that automatically updates the security rating is the best way to catch changes that could impact the security of the business.

“A lot of the techniques are a single point of time, and what people really want is to have good performance over time,” he says. “Security needs to be continuously monitored.”


Article source: http://www.darkreading.com/threat-intelligence/security-ratings-proliferate-as-firms-se/240162532

Lookout Closes $55M In Strategic Financing From Deutsche Telekom, Qualcomm, Greylock Ventures And Mithril Capital Management

Oct 10th, 2013, San Francisco, US — Lookout, a leader in security software that protects people and businesses from mobile threats, today announced that it secured $55M in strategic financing in a round led by Deutsche Telekom. Mobile industry leader Qualcomm Incorporated, through its venture capital arm, Qualcomm Ventures and top venture capital firms Greylock Partners and Peter Thiel-backed Mithril Capital Management also invested in Lookout. Current investors Accel Partners, Andreessen Horowitz, Index Ventures, and Khosla Ventures all participated in the round. The capital will be used to continue international expansion, extend Lookout’s reach by moving into the enterprise and invest in security beyond the mobile device.

“With the huge uptake of smartphone penetration, the ‘security for mobile devices’ topic has become much more important. It’s critical that we offer services that our customers trust,” said Heikki Mäkijärvi, SVP global strategic partnerships Deutsche Telekom. “Lookout’s experience in developing leading-edge security applications for this new dynamic environment makes them the ideal partner for us in this category of device solutions. By partnering with Lookout, we’re investing in the future of mobile to make sure it’s a delightful, secure experience for everyone.”

Lookout protects 45 million people worldwide and later this year will launch Lookout for Business to protect businesses from mobile threats. Lookout’s security platform comprises the world’s largest mobile threat dataset, providing Lookout with the unique ability to identify threats before they have a chance to disrupt business or affect a person’s mobile experience. As more people and devices connect to the network, Lookout’s platform becomes more intelligent, providing a safer experience for everyone.

“We like to sponsor technologies that can reset established markets,” said Peter Thiel, Mithril’s investment committee chairman. “Ajay Royan and I see Lookout connecting three platforms crucial to the future of computing: mobile, big data, and security. We were really impressed by Lookout’s leadership as well as their mobile security expertise and their data-driven approach to security positions.”

Lookout is expanding worldwide by partnering with leading global mobile operators, including Deutsche Telekom, Orange, Sprint, and T-Mobile, which have chosen Lookout to secure their customers. Today Lookout has more than 200 employees across offices in San Francisco and London.

“Lookout is one of the leaders in the mobile security sector and an industry pioneer in repeatedly seizing new opportunities to deliver innovative security products,” said Nagraj Kashyap, Senior Vice President, Qualcomm Ventures. “We believe all points of the ecosystem should be secure, and we look forward to collaborating with Lookout to build a safer and more protected mobile ecosystem.”

“Mobile has taken over as the dominant computing platform. Governments and businesses around the world now rely on mobile for their most important communications and infrastructure,” said Jeff Jordan, general partner at Andreessen Horowitz. “Deutsche Telekom is taking a leadership role in promoting the security of the mobile ecosystem. We’re excited to partner with the new investors in supporting Lookout’s efforts to secure the next generation of computing.”

For more information on Lookout, please visit https://www.lookout.com/.

Lookout

Lookout builds security software that protects people, businesses and networks from mobile threats. With the world’s largest mobile threat dataset and the power of 45 million devices, Lookout proactively prevents fraud, protects data and defends privacy. Lookout secures the mobile experience for people everywhere through Lookout Mobile Security, a consumer app, and Lookout for Business, a cloud-based business offering for device security and management. Lookout was selected as a 2013 World Economic Forum Technology Pioneer company and received the 2013 Laptop Editor’s Choice Award. Lookout has offices in San Francisco and London. For more information, please visit Lookout.com.

Article source: http://www.darkreading.com/mobile/lookout-closes-55m-in-strategic-financin/240162499

AuthEntry Releases Multipurpose, Multifactor Authentication Technology

Plaistow, NH – October 10, 2013 – AuthEntry today officially launches its patent-pending Multi-Purpose, Multi-Factor Authentication suite. The company created the solutions to address the need for a more secure, convenient and cost-effective way to eliminate vulnerable usernames and passwords, secure physical and logical entry points and protect end users from common password breaches.

“Usernames and Passwords are the most vulnerable access points into corporate and personal data, so we set out to eliminate the need for them. Our simple approach has been validated and embraced by both consumer and corporate users,” said AG Hebert, founder and CEO. “We listened to the market and have combined several standard technologies into one secure and convenient ‘key’. The LogiKey(TM) grants physical access into company buildings, in addition to logical access into computers, networks, email and online accounts, all on one secure, convenient device that you carry with you.”

All AuthEntry products carry authentication certificates on NFC tags and smart-chip technology, either as a standalone key or combined with reader pads, and transmit data using symmetric cryptographic algorithms (triple DES) and the ISO/IEC 7816 smart-card interface, which the company says meet NIST standards. The flagship product, the LogiKey, adds an extra layer of protection while making the user experience more convenient compared to having to remember multiple usernames and passwords at work and at home. AuthEntry solutions come in various form factors such as bracelets, key fobs, cellphone cases, and employee ID or student badges.

“We think AuthEntry is a fantastic solution to protect the safety of our teachers and students at school and at home,” said Sue Collins, teacher and store manager, Lawrence Public Schools. “It gives our students a more secure feeling knowing no one besides them and the teachers can get into the buildings and computers, and they don’t have to remember or write down multiple passwords.”

The LogiKey is currently available to purchase online for $49.99. Additional AuthEntry products can also be purchased via the online store. For more information about the entire AuthEntry product suite visit us at: www.AuthEntry.com

###

About AuthEntry

AuthEntry is a security company that is uniquely positioned and forging the Multi-Purpose, Multi-Factor Authentication market. We enable consumers and businesses with highly encrypted defense mechanisms to keep their logical and physical worlds safe from unauthorized personnel, hackers and data thieves while providing a low total cost of ownership with secure and convenient solutions that are proven and effective against personal and corporate breaches.

Article source: http://www.darkreading.com/end-user/authentry-releases-multipurpose-multifac/240162500

Identity Finder Discovers Google Chrome Users Are Vulnerable To Sensitive Data Theft

NEW YORK, NY — October 10, 2013 — Identity Finder, LLC (www.identityfinder.com), the leading provider of sensitive data management solutions, today reveals that virtually all versions of Google Chrome insecurely store sensitive data such as credit card and social security numbers. This unprotected data can be read by anyone with physical access to the hard drive, access to the file system or simple malware. This risk affects more than 99% of Chrome users and, as Chrome is the leading browser worldwide, more than half of all Internet users.

Using Identity Finder’s Sensitive Data Manager software, company researchers conducted a search for personally identifiable information (PII) across typical business users’ computers. Among staff who used Google Chrome as a primary browser, Sensitive Data Manager pinpointed several files (notably the History Provider Cache) storing a range of information including names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers. Despite users having entered this information on secure websites, Google Chrome saved an unencrypted copy of data entered into web forms and the address bar (omnibox) on each employee’s hard drive.

After discovering the vulnerable sensitive data, Identity Finder researchers demonstrated a proof-of-concept exploit that would allow malicious code to upload this Chrome cache data to a third party site. In this attack scenario, a criminal would only have to trick users into allowing the exploit access to their file system. The exploit does not require users to enter sensitive information, their system credentials or to decrypt any stored data.

“With most sensitive data stored by Chrome, such as passwords, the only way for malware or a hacker to gain access is if a user is logged in. However, in this case some information is stored in clear text and is accessible whether or not the user is logged in,” said Todd Feinman, CEO at Identity Finder. “By default, Google Chrome stores form data, including data entered on secure websites, to automatically suggest for later use. This stored data is unencrypted text and accessible if your computer or hard drive is stolen or is infected with malware.”

Any business that must comply with PCI-DSS is at increased risk of failed audits and increased costs because employees entering credit card data in Chrome are inadvertently expanding their cardholder data environment. Identity Finder’s findings underscore the need for sensitive data management practices at home and in the enterprise.

Employees and consumers can easily protect themselves by following good sensitive data management practices. Any time a credit card number or other PII is entered into a form, simply “Clear saved Autofill form data”, “Empty the cache” and “Clear browsing history” from the past hour and restart Chrome, and the information will be erased. Alternatively, disabling Autofill or using Incognito mode prevents form data from being saved in the first place.
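The scan described above, reduced to its core as an added illustration (this is not Identity Finder’s code, and the sample text is constructed rather than taken from a real Chrome profile): walk a buffer for runs of 13 to 19 digits, tolerating a single space or dash between digit groups, and report only the runs that pass the Luhn check, so that order numbers and other long digit strings are not flagged as card numbers.

```c
/* Added illustration of a sensitive-data scan for card numbers (PANs) in a
 * buffer of cache-like text. Not Identity Finder's code; SAMPLE is constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MIN_PAN 13
#define MAX_PAN 19
#define MAX_HITS 16

/* Constructed sample standing in for URL-encoded form data of the kind the
 * article says Chrome kept on disk. The card numbers are standard test PANs;
 * "order" is a 16-digit value that is NOT Luhn-valid and must be ignored. */
const char SAMPLE[] =
    "name=Jane+Doe&card=4111 1111 1111 1111&exp=10%2F15&"
    "phone=555-0100&order=1234567890123456&alt=5500-0000-0000-0004&zip=02169";

/* Luhn check over n ASCII digits. Returns 1 if the check digit is consistent. */
int luhn_valid(const char *digits, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0;) {          /* walk right to left */
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return n > 0 && sum % 10 == 0;
}

/* Find Luhn-valid digit runs of PAN length in buf. Each hit is stored as a
 * digit-only string (separators removed) in hits[]; returns the hit count. */
size_t find_pans(const char *buf, size_t len, char hits[][MAX_PAN + 1], size_t max_hits) {
    size_t found = 0, i = 0;
    while (i < len && found < max_hits) {
        if (!isdigit((unsigned char)buf[i])) { i++; continue; }
        char run[MAX_PAN + 1];
        size_t n = 0, j = i;
        /* Consume one digit run; a single space or dash that sits between two
         * digits is treated as a separator so "4111 1111 ..." is one run. */
        while (j < len) {
            unsigned char c = (unsigned char)buf[j];
            if (isdigit(c)) {
                if (n < MAX_PAN) run[n] = (char)c;   /* count past MAX_PAN, but do not store */
                n++;
                j++;
            } else if ((c == ' ' || c == '-') && j + 1 < len && isdigit((unsigned char)buf[j + 1])) {
                j++;
            } else {
                break;
            }
        }
        if (n >= MIN_PAN && n <= MAX_PAN) {
            run[n] = '\0';
            if (luhn_valid(run, n)) memcpy(hits[found++], run, n + 1);
        }
        i = j;   /* the whole run has been examined; resume after it */
    }
    return found;
}

int main(void) {
    char hits[MAX_HITS][MAX_PAN + 1];
    size_t n = find_pans(SAMPLE, strlen(SAMPLE), hits, MAX_HITS);
    for (size_t k = 0; k < n; k++)   /* print masked: first six and last four digits */
        printf("possible card number: %.6s...%s\n", hits[k], hits[k] + strlen(hits[k]) - 4);
    return 0;
}
```

Run against a real profile, the same loop would be fed the contents of the files the article names (History Provider Cache and the Autofill database) rather than SAMPLE; the Luhn filter is what keeps a 16-digit order number or tracking code from being counted as cardholder data.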

For more information on how to clear Autofill data or how you might be affected, visit http://www.identityfinder.com/blog/?p=88.

About Identity Finder

Identity Finder, LLC, based in New York, NY, is the leader in sensitive data management. Its security and privacy technologies provide businesses and consumers the ability to prevent data leakage and identity theft.

Article source: http://www.darkreading.com/authentication/identity-finder-discovers-google-chrome/240162506

Moscow cops cuff suspect in Blackhole crimeware bust


The infamous Blackhole Exploit Kit has gone dark following the reported arrest in Russia of a suspect whom police believe is linked to the malware.

Blackhole has been the preferred tool for running drive-by download attacks and therefore a menace to internet hygiene for the last three years.


A suspect linked to Blackhole was arrested by Russian police earlier this week, Europol confirmed, without giving details.

The Russian authorities have not as yet released the name of the suspect or any other details of their investigation.

Drive-by badness

Blackhole is one of the most popular crimeware toolkits, serving browser-based exploits and the like from compromised websites in order to distribute malware. The hacker tool was authored by a person calling themselves “Paunch” and is essentially a web-based application. It first reared its ugly head in late 2010, and quickly became a common find for malware researchers investigating compromised websites.

Cybercrooks must first find a site that can be exploited before planting the exploit kit, often exposing users of legitimate sites to Blackhole-powered attacks.

The exploit kit attempts to download malware onto the PCs of visiting surfers by taking advantage of any unpatched browser, Java or Adobe Flash plug-in vulnerability it manages to find.

Malware distributors also create links in spam messages that point to exploit portals hosting Blackhole, an alternative approach that gets around the need to hack legitimate websites before planting malicious code.

The end goal in both cases is to push various strains of malware onto vulnerable PCs.

$50 a day… even the baddies want you to rent their software!

A revamped version of the Blackhole Exploit Kit (version 2) was released just over a year ago in September 2012. The follow-up features support for Windows 8 and more sophisticated technologies for circumventing security defences.

The release also includes a spruced-up user interface – so the tool can now be used by the less technically able criminal – as well as a revised licensing structure that puts a greater emphasis on renting rather than buying the software.

Malware authors have caught on to the trend of leasing out rather than selling software. Rental prices for Blackhole run from $50 a day while leasing the software for a year costs around $1,500.

Earlier this year the Cool Exploit Kit surfaced online. Cool, also allegedly built and maintained by “Paunch”, is essentially a more sophisticated and expensive version of Blackhole that reportedly costs a hefty $10,000 in monthly rental fees compared to $500 a month for Blackhole.

Blackhole accretion disc stops spinning

Several sources in the security industry claim that the malicious kit, which is normally updated at least once or twice a day, has not been updated for several days.

Malwarebytes reports that updates to the kit have ceased over recent days. Crypt.am – a service used to encrypt the exploit kit – is down.

Meanwhile security researcher and long-time Blackhole-watcher Kafeine has published a graphic showing how the malicious Java applet, which is normally updated between once and twice a day, hasn’t changed for at least five days.

Malwarebytes is careful to note that these events only offer circumstantial evidence that something has been done to deactivate the Blackhole ecosystem. The antivirus firm says that even though an arrest has been made, it’s possible the police should be looking for multiple suspects.

Nonetheless the current hiatus in Blackhole malfeasance is cause for cautious optimism, not least because it might severely inconvenience cybercrooks who relied on the black hat tool.

“Criminals who ‘rent’ the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale,” Malwarebytes explains in a blog post. “Those that host the exploit kit themselves have more control in that they could (if savvy enough) make some alterations to the kit to ‘keep it alive’.”

Displacement effect

The end effect may be to displace net fraudsters onto less-sophisticated and developed kits, rather than forcing them to give up on their preferred scams for want of suitable utilities, according to Malwarebytes.

“In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon. In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit,” it adds.

“If it’s true that the brains behind the Blackhole has been apprehended it’s a very big deal – a real coup for the cybercrime-fighting authorities, and hopefully it will cause disruption to the development of one of the most notorious exploit kits the web has ever seen,” writes veteran security watcher Graham Cluley.

Fraser Howard, a senior virus researcher in SophosLabs, struck a more cautious note in a blog post looking at malicious activity since the arrest of a suspect allegedly linked to Blackhole.

“Assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue,” he writes. “That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down.”

Recent daily stats from Sophos show that the Neutrino, Glazunov and Sibhost exploit kits are currently dominant, and that use of Blackhole/Cool had already dipped in August. All these stats really tell us for sure is that other exploit kits are available.

“With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape. Criminals who used to use Blackhole services could simply migrate to other exploit kits.

“That said, an arrest is definitely good news,” he concludes.

A whitepaper by Sophos on the Blackhole Exploit Kit can be found here.

More details on the cybercrime ecosystem created around the Blackhole Exploit Kit can be found in a blog post by independent security researcher Dancho Danchev here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/10/blackhole_exploit_kit_arrests/

Creating And Maintaining A Custom Threat Profile

[The following is excerpted from “Creating and Maintaining a Custom Threat Profile,” a new report posted this week on Dark Reading’s Threat Intelligence Tech Center.]

Security researchers and vendors are developing a wealth of new data on threats and exploits in the wild. Organizations can tap into this data through the use of threat intelligence feeds, but all too often these feeds are served up in a generic fashion — identical for all customers, no matter what their industry, size, location or other distinguishing characteristics.

What enterprises need is threat intelligence that is relevant and actionable, which requires not only a prioritization model but also deep knowledge of the systems and data that must be protected in the first place — and at what cost.

There are numerous sources and types of threat intelligence feeds. Some are internally sourced, while others come from external third parties and are part of a subscription service.

The information available also varies widely based on the vendor providing the service. It may be directly downloadable into a security information and event management (SIEM) product, or it may come in the form of detailed reports that are harder to parse and act on immediately. In any case, the purpose is the same: to provide data that enables a company to make quick and informed decisions about threats against their assets.

It’s important to keep in mind that not all threat intelligence feeds are created equal. The average feed will include reputation-based data such as known bad IP addresses, domain names, spam sources and active attackers. That information may be simply a regurgitation of data a vendor received from another source, or a vendor may vet the data to ensure its accuracy before providing it to customers. Clearly, the latter is the preferred model.

And not all intelligence comes in the form of a “feed.” Detailed threat reports are valuable for learning more about specific attacker groups or types of attacks. These reports come either as a long, detailed document for investigators or in an executive-summary format for getting management up to speed on active threats. The detailed versions can include identifiable characteristics for determining whether particular attacker groups have compromised systems, but they need to be read in detail and parsed for information that is actionable.

Another distinguishing factor is the degree to which intelligence data is tailored to the customer. Some intelligence feeds come as a generic set of information that is delivered to all customers, regardless of their size or what industry they are in. Depending on the vendor, there may be options for customizing data based on industry and technologies in use by the customer.

Joe Magee, CTO of threat intelligence services provider Vigilant, explained to Dark Reading that it’s often this value-added prefiltering, validation and customization of information that sets vendors apart. Instead of simply providing a data feed, a provider should work closely with customers to determine what intelligence data is important, customize what is delivered and ensure that it’s integrated into the customer’s SIEM, Magee says. The SIEM itself can be on site at the customer’s facility and managed remotely, or part of the provider’s cloud-based service.

One very big problem that many companies face is that they don’t fully understand the threats against their organizations. Creating a threat profile is a key step in understanding what threats a company faces and the potential impact if an attack were to be successful. A threat profile can also help companies prioritize resources in order to successfully defend sensitive data.

To learn more about how to build a customized threat profile — and how to use it to prioritize security tasks and measure security risk — download the free report.


Article source: http://www.darkreading.com/vulnerability/creating-and-maintaining-a-custom-threat/240162489

Google Offers New Bounty Program For Securing Open Source Software

First there was the bug bounty, and now there’s the patch bounty: Google has launched a new program that pays researchers for security fixes to open source software.

The new experimental program offers rewards from $500 to $3,133.70 for coming up with security improvements to key open source software projects and is geared to complement Google’s bug bounty program for Google Web applications and Chrome.

Google’s program initially will encompass the network services OpenSSH, BIND and ISC DHCP; the image parsers libjpeg, libjpeg-turbo, libpng and giflib; Chromium and Blink in Chrome; the libraries OpenSSL and zlib; and Linux kernel components, including KVM. Google plans to next include the Web servers Apache httpd, lighttpd and nginx; the SMTP services Sendmail, Postfix and Exim; the toolchain components GCC, binutils and llvm; and OpenVPN.

Industry concerns over security flaws in open-source code have escalated as more applications rely on these components. Michal Zalewski of the Google Security Team says the search engine giant initially considered a bug bounty program for open source software, but decided to provide financial incentives for better locking down open-source code.

“We all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program — and employ it to improve the security of key third-party software critical to the health of the entire Internet,” Zalewski said in a blog post. “We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic — enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.”

So Google went with offering money for improving the security of open-source software “that goes beyond merely fixing a known security bug,” he says. “Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help,” he blogged.

To qualify, the patch must pass muster with the maintainers of the open source project. Participants are required to first submit their patches to the project maintainers and work with them to get the submission integrated. Then participants can submit the entry to Google’s Security Team, which will determine whether the patch is eligible for a bounty and how much it’s worth.

Some examples of qualifying improvements, according to Google, are strengthening privilege separation, hardening memory allocation, cleaning up integer arithmetic, fixing race conditions, and eliminating error-prone design patterns or library calls in the code.

“Reactive patches that merely address a single, previously discovered vulnerability will typically not be eligible for rewards,” according to Google’s rules for the new program.


Article source: http://www.darkreading.com/applications/google-offers-new-bounty-program-for-sec/240162492

Silk Road leads to eight arrests in US, UK, Sweden

Eight more people have been arrested in the wake of the shutdown of Silk Road, the online illegal-drug bazaar.

Keith Bristow, Director General of the UK’s newly established National Crime Agency (NCA), said in a statement that there are more arrests in the works:

These latest arrests are just the start; there are many more to come.

Of the eight suspects, four were arrested in the UK, one in Sweden, and three in the US.

The British suspects, arrested within hours of the FBI having collared the suspected mastermind behind Silk Road, Ross Ulbricht, included one man in his early 50s from Devon and three in their early 20s from Manchester.

NPR reports that US authorities have also charged two people in Bellevue, Washington, after identifying one of them as a top seller on Silk Road. He was arrested on 2 October, and his alleged accomplice turned herself in the next day.

In Sweden, another two men – one 29-year-old, the other 34 – from the coastal city of Helsingborg were arrested on suspicion of distributing cannabis over Silk Road, the local Helsingborgs Dagblad reported on Tuesday.

The Swedish newspaper didn’t mention the date of the two men’s capture, but most, if not all, of the eight arrests took place within days of last week’s arrest of Ulbricht, who was taken into custody at a public library in San Francisco.

In an affidavit filed in connection with Ulbricht’s arrest, the US Federal Bureau of Investigation (FBI) said last week that it had located multiple servers, both inside and outside the US, associated with Silk Road’s operation, including the server that hosted the site.

Unraveling the network of drug dealers and consumers on the marketplace is presumably going to take some time, given the volume of its user accounts.

As of 23 July 2013, the server showed some 957,079 registered user accounts, the FBI says.

That number doesn’t necessarily correspond to actual users, given that some may have multiple accounts, but the FBI agent who filed the affidavit said that the number points to hundreds of thousands of unique visitors.

Those people should be nervous.

Nicholas Weaver, a researcher with the International Computer Science Institute in Berkeley and the University of California, in San Diego, told NPR that Silk Road’s eBay-like customer review system means that law enforcement now has its hands on months’ worth of sales records, all easily traceable, given the nature of the Bitcoin transfers on which Silk Road ran its billion-dollar operations.

Law enforcement said that the now-shuttered Silk Road was one of the world’s largest online markets for illegal drugs, branding itself an “anonymous marketplace” because users accessed the site through the Deep Web – aka the Darknet or Hidden Web.

Users accessed that Deep Web via Tor – the anonymising network that, as recent Edward Snowden revelations have shown, works well enough to irk surveillance experts.

But even though the NSA, to quote the “Tor Stinks” presentation published by The Guardian on Friday, “will never be able to de-anonymize all Tor users all of the time,” in this case, law enforcement has its hands on the servers that allow it to do just that with Silk Road buyers and drug dealers.

As the NCA’s Bristow warned, users shouldn’t buy into Silk Road’s promise of hiding their identity on the internet:

These arrests send a clear message to criminals; the hidden internet isn’t hidden and your anonymous activity isn’t anonymous. We know where you are, what you are doing and we will catch you.

It is impossible for criminals to completely erase their digital footprint. No matter how technology-savvy the offender, they will always make mistakes and this brings law enforcement closer to them.

These so-called hidden or anonymous online environments are a key priority for the National Crime Agency. Using the expertise of over 4,000 officers and the latest technology, we will arrest suspects and disrupt and prevent their illegal activity to protect the public.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1DNZJEcuU7Q/

WhatsApp mobile messaging app in the firing line again over cryptographic blunder

Popular mobile messaging software WhatsApp is in the firing line again for another security SNAFU.

The company has been in hot water before for undercooking its cryptography and overcooking its data collection.

As Naked Security writer Chester Wisniewski wrote in January 2013, the company was investigated in Canada and The Netherlands for grabbing hold of too much data from your address book when you joined the service, and for retaining the data for too long. (Indefinitely, in fact.)

The company also got a roasting for poor cryptographic practices, apparently generating cryptographic keys from data such as your mobile phone’s IMEI (International Mobile Equipment Identity) number or your network card’s MAC (Media Access Control) address.

Your IMEI is burned into your mobile phone by the manufacturer, and although it isn’t supposed to be public knowledge, it is at least occasionally broadcast in cleartext by your phone.

In particular: you don’t get to choose your own IMEI; it can’t be considered a secret; and you can’t change it (short of buying a new device).

In other words, using your IMEI as a cryptographic key is a bit like using your passport number or Social Security Number as a password: the wrong way to do it.

Similarly, MAC addresses are loaded into your network card at manufacture, and are even less suitable as passwords.

MACs are supposed to be publicly visible – every network packet you send out has your MAC in it, and anyone who can sniff your traffic on its first hop is supposed to be able to see it.


WhatsApp did the right thing, and re-worked its encryption once these problems were pointed out.

Indeed, the company officially states that “WhatsApp communication between your phone and our server is fully encrypted.”

But Dutch mathematics and computer science student Thijs Alkemade has recently revealed that WhatsApp still hasn’t got it quite right.

In a delightfully clear and concise article, he has explained how WhatsApp went wrong.

Very loosely explained: WhatsApp generates a session key, uses it to initialise a stream cipher, and then uses the same cipher stream for outgoing and incoming messages.

(WhatsApp also uses the RC4 cipher, which is known to have cryptographic flaws, and shouldn’t be used for new applications. Better alternatives are available.)

“This,” as a Canadian friend of mine would put it, “will not do.”

The reason is simple: a stream cipher works as a pseudorandom number generator, emitting an unpredictable string of bytes that you XOR with the plaintext to encrypt.

In other words, you mustn’t use the same string of bytes to encrypt anything else, because that would make it predictable, and that is a cryptographic disaster.

A stream cipher works like a pseudo one-time pad: the one-time pad is a cryptosystem that relies on a string of hardware random numbers to create an unbreakable cipher, if and only if the pad is used just once.

Here’s the problem.

Your message Y, outbound from your device, becomes Y XOR K.

My message M, inbound to your device, becomes M XOR K.

You can see where this is going, if you remember the “rules” of XOR, namely:

K XOR K = 0
A XOR 0 = A
(A XOR B) XOR C = A XOR (B XOR C)
A XOR B XOR C = A XOR C XOR B = C XOR A XOR B, etc. 

(Like + and ×, order doesn't matter when you XOR.)

Now, the reason for encrypting WhatsApp messages is so that if someone sniffs them, it doesn’t matter: they end up with shredded cabbage.

So, let me sniff that shredded cabbage, and show you that in this case, it matters very much indeed.

I XOR the two encrypted messages together:

(Y XOR K) XOR (M XOR K) = Y XOR K XOR M XOR K
                        = Y XOR M XOR K XOR K
                        = Y XOR M XOR 0
                        = Y XOR M

The key has been cancelled out! Eradicated completely!

Now, assuming that I know M (maybe I sent it) or can guess it (because it contains boilerplate), I can do this:

(Y XOR M) XOR M = Y XOR M XOR M
                = Y XOR 0
                = Y

Oops: Y is your message, free and clear.

Even if I only know some of M, I can nevertheless recover the corresponding parts of Y, which is not what you want.
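To make the derivation above concrete, here is an added example in Python; it is not code from the article or from Alkemade’s write-up. A constructed SHAKE256 output stands in for the RC4 keystream, two constructed messages are encrypted under one shared keystream, the bytes of Y that line up with the known part of M are recovered exactly as the XOR rules predict, and a final function shows that separate per-direction keystreams leave nothing to cancel.

```python
import hashlib

# Constructed demo keystream: a real stream cipher (RC4, in WhatsApp's case)
# would derive this from the session key. SHAKE256 stands in here so the
# example runs offline and deterministically.
def demo_keystream(label: bytes, length: int = 64) -> bytes:
    return hashlib.shake_256(b"constructed-demo-session-key|" + label).digest(length)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common length of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(plaintext: bytes, stream: bytes) -> bytes:
    """Stream-cipher encryption is plaintext XOR keystream; decryption is identical."""
    if len(plaintext) > len(stream):
        raise ValueError("keystream exhausted; never wrap it around")
    return xor_bytes(plaintext, stream)

def recover_from_partial(ct_y: bytes, ct_m: bytes, partial_m: list) -> list:
    """Two ciphertexts made with the SAME keystream, plus whatever bytes of M
    are known (None = unknown), give back the matching bytes of Y:
    (Y^K) ^ (M^K) = Y^M, then (Y^M) ^ M = Y. Unknown positions stay None."""
    y_xor_m = xor_bytes(ct_y, ct_m)          # K cancels out right here
    out = []
    for i, d in enumerate(y_xor_m):
        known = partial_m[i] if i < len(partial_m) else None
        out.append(None if known is None else d ^ known)
    return out

# Constructed messages, not real WhatsApp traffic.
Y = b"meet at the usual place at 9"   # outbound message
M = b"ok, see you then, bring cash"   # inbound message

def keystream_reuse_demo() -> bytes:
    """WhatsApp's mistake: one keystream K for both directions."""
    K = demo_keystream(b"shared")
    ct_y = stream_encrypt(Y, K)
    ct_m = stream_encrypt(M, K)
    # The eavesdropper only guesses the boilerplate start of M (16 bytes).
    partial = list(M[:16]) + [None] * (len(M) - 16)
    got = recover_from_partial(ct_y, ct_m, partial)
    return bytes(b for b in got if b is not None)  # the leaked prefix of Y

def separate_streams_demo() -> bytes:
    """Mitigation: a distinct keystream per direction (or per nonce), so
    XORing the two ciphertexts leaves Y ^ M ^ K1 ^ K2, still masked."""
    ct_y = stream_encrypt(Y, demo_keystream(b"client->server"))
    ct_m = stream_encrypt(M, demo_keystream(b"server->client"))
    return xor_bytes(ct_y, ct_m)
```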

What to do

Here’s some advice, for users and programmers alike:

  • Stop using WhatsApp until it’s fixed.
  • Use WhatsApp only for messages you are happy to be considered public.
  • Don’t use IMEIs and MACs as cryptographic key material.
  • Don’t use RC4 any more. Choose something else.
  • Don’t try to roll your own cryptography.

Alkemade suggests that WhatsApp should simply use Transport Layer Security, or TLS (what used to be SSL, the same end-to-end encryption used by secure websites).

Why reinvent a square wheel when there’s a well-known and well-studied round one you can roll out instead?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/X5ROgodCRDE/