STE WILLIAMS

Cheeky Lavabit *did* hand over crypto keys to US government after all – printed in a 4

Just under two months ago, we wrote about the closure of secure email service Lavabit.

Lavabit’s founder, Ladar Levison, explained that he was in a spot of legal bother that made it impossible for him to continue to operate with a clear conscience, so he would suspend the service.

He also noted that, much as he wanted to, he couldn’t give details about said legal bother.

All he could do was to point out that he had lodged an appeal and hoped to open up the service again one day.

Of course, the smart money was that law enforcement wanted access to data belonging to a certain Mr Edward Snowden, the National Security Agency (NSA) whistleblower, who was known to be a Lavabit user.

We hedged our bets about the reasons here on Naked Security, since the only thing we knew was that we didn’t know whether the kerfuffle involved Snowden at all.

But recently unsealed court documents [PDF, 162 pages, 16MB] now tell a bit more of the story.

The name Snowden is still mentioned only in passing (various redactions have suppressed names throughout the unsealed documents).

So we still don’t have official confirmation that Snowden, amongst others, was the target of the investigation.

That, however, hardly matters any more.

What matters is the intriguing tale of the court requiring Lavabit to hand over its SSL private keys, and Lavabit arguing that it ought not to comply, since that would give access to all messages to and from all customers, which would be unfair and unreasonable.

Very greatly simplified (and I hope I have not oversimplified to the point of misunderstanding), the court wanted Lavabit to enable law enforcement to intercept so-called email metadata for a particular user.

But due to the use of SSL/TLS at all times, with data kept encrypted in transit and at rest, even accessing mail headers was no simple matter – unless law enforcement were given Lavabit’s private keys.

(A MiTM, or man-in-the-middle, attack on encrypted traffic is trivial if you have all the encryption keys and certificates to use “in the middle.”)

Eventually, Lavabit had little choice but to comply, turning over five SSL private keys.

It still wasn’t game over for Lavabit users’ privacy, however, because Levison gamely supplied the cryptographic material in printed form, stretched over 11 pages in a four-point font.

To say that the law enforcement officers were underwhelmed is the understatement of the year, and matters were soon back in court, with “handing over the keys” quickly redefined to mean, “handing over the keys as computer-readable PEM files suitable for immediate use, and no more mucking around.”

Indeed, to guard against further stalling tactics, the government petitioned the court to fine Levison $5000 for every day he continued to dither.

At this point, Levison folded and complied, but pulled the plug on Lavabit at the same time, and that was that for the men-in-the-middle.

The New York Times reports that a prosecutor referred to the abrupt shutdown of Lavabit as “just short of a criminal act,” but, then, nearly-a-crime isn’t actually a crime.

What can we learn from this?

To me, one of the most interesting aspects of this story is the recognition by a non-tech-savvy court that at least part of the problem was the regrettable fact that Lavabit would need to put the privacy of 400,000 users at risk to secure the lawful surveillance of just one person.

As the court pointed out (this is a transcript, not a written judgement):

[Y]ou’re blaming the government for something that’s overbroad [the requirement to hand over the all-revealing SSL keys], but it seems to me that your client is the one that set up the system that’s designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another. And to say you can’t do that just because you’ve set up a system that everybody has to — has to be unencrypted, [read: in which all users are encrypted in the same way] if there’s such a word, that doesn’t seem to me to be a very persuasive argument.

In short, the court is as good as saying, “If you wanted to come up with this ‘but what about the privacy of all the 399,999 other users’ argument, why didn’t you implement the system so their individual privacy was better protected?”

After all, Lavabit could have taken an approach more like the one used by Kiwi internet showman Kim Dotcom’s Mega service, so that each user’s encrypted traffic and content could stand (or fall) alone.

Of course, that wouldn’t have stopped Levison shuttering the entire service, effectively DDoSing all his users to protect the privacy of one of them.

But from a cryptographic point of view, it would have made a lot more sense to me.
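To make the design argument above concrete, here is an added Python model (not Lavabit’s or Mega’s code, and using a toy HMAC-based cipher rather than their cryptography) that compares the blast radius of one server-held key with per-user keys derived client-side from each user’s password:

```python
import hashlib
import hmac
import os


# Toy authenticated stream cipher: HMAC-SHA256 keystream in counter mode plus an
# encrypt-then-MAC tag. Demonstration only; it is not what Lavabit or Mega used
# and must not be used in production.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, message: bytes) -> tuple:
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, message)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key: bytes, sealed: tuple):
    """Return the plaintext, or None if `key` is not the key that sealed it."""
    nonce, ct, tag = sealed
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ct)


class SharedKeyService:
    """Model A: every mailbox is protected by the one key the server holds."""

    def __init__(self):
        self.server_key = os.urandom(32)
        self.store = {}  # user -> sealed mailbox

    def put(self, user: str, message: bytes) -> None:
        self.store[user] = seal(self.server_key, message)

    def sealed_items(self):
        return list(self.store.values())

    def server_side_keys(self):
        return [self.server_key]  # one subpoena, every mailbox


class PerUserKeyService:
    """Model B: each mailbox key is derived client-side from the user's password;
    the server stores only a salt and ciphertext, never a key."""

    def __init__(self):
        self.store = {}  # user -> (salt, sealed mailbox)

    @staticmethod
    def derive_key(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def put(self, user: str, password: str, message: bytes) -> None:
        salt = os.urandom(16)
        self.store[user] = (salt, seal(self.derive_key(password, salt), message))

    def salt_for(self, user: str) -> bytes:
        return self.store[user][0]

    def sealed_items(self):
        return [sealed for _, sealed in self.store.values()]

    def server_side_keys(self):
        return []  # the server has no key to hand over


def mailboxes_readable(sealed_items, keys) -> int:
    """Blast radius: how many stored mailboxes the holder of `keys` can open."""
    return sum(1 for s in sealed_items if any(unseal(k, s) is not None for k in keys))


if __name__ == "__main__":
    # Constructed sample users and mail.
    shared, per_user = SharedKeyService(), PerUserKeyService()
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2"), ("carol", "s3cret")):
        shared.put(user, b"mail for " + user.encode())
        per_user.put(user, pw, b"mail for " + user.encode())
    print("shared key, server keys leaked:", mailboxes_readable(shared.sealed_items(), shared.server_side_keys()))
    print("per-user, server keys leaked:", mailboxes_readable(per_user.sealed_items(), per_user.server_side_keys()))
    alice_key = per_user.derive_key("correct horse", per_user.salt_for("alice"))
    print("per-user, alice's key leaked:", mailboxes_readable(per_user.sealed_items(), [alice_key]))
```

Handing over the keys in model A exposes every mailbox; in model B the server has nothing to hand over, and a single user’s key opens exactly one mailbox.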

Image of eye charts courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5-2aAH5bvT0/

A-D’OH!-be: Adobe HAMMERED in ‘sophisticated’ MEGA HACK


Adobe’s systems have been hit by numerous “sophisticated attacks” that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products.

The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and encrypted passwords.

“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” the company said.

It does not believe decrypted credit or debit card numbers were accessed.

“As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password,” the company wrote.

The company says people should change their passwords on any other website where they have used the same user ID and password. But you’d do that anyway, wouldn’t you?

It is “in the process” of notifying customers whose credit or debit data may have been stolen, and is offering them condolence in the form of a “one-year complimentary credit monitoring membership where available.”

Where we come from, that’s called offering free stable doors after the horses have bolted.

The company has also contacted federal law enforcement officials and notified banks that process customer payments for Adobe.

Hackers have also accessed the source code for the company’s Adobe Acrobat, ColdFusion, ColdFusion Builder, and other unnamed products, the company said in a separate blog post.

Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker’s server, apparently containing source code on some of Adobe’s biggest products.

“This breach poses a serious concern to countless businesses and individuals,” Hold Security wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”

Adobe is seeking to reassure users. “We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide,” it wrote. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/adobe_major_hack/

Hold in there, Internet Explorer peeps: Gaping zero-day fix coming Tues


Microsoft is preparing to close a wide-open security hole in Internet Explorer – a vulnerability state-backed spies are exploiting to mine organisations across Asia.

An update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.

The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim’s computer; a mark simply has to surf to a web page booby-trapped with JavaScript that triggers the flaw.

In fact, the bug itself is quite an interesting case study: modern Windows kernels attempt to randomise the layout of software in memory and mark the areas containing just data as non-executable, which in theory is supposed to make life extremely difficult for hackers.

But the web page, in this case, can coax IE into loading a Microsoft Office library that snubs address space layout randomisation (ASLR). This sits in a known region of memory, allowing the attack code to initially hop around the library and use instructions within it to grant itself permission to execute its payload of code.

The attack code is packed into JavaScript strings, which sit in memory that Internet Explorer’s MSHTML component accidentally uses when it really shouldn’t: it tries to call a function pointer, but by that fatal moment, this pointer instead refers to an attacker-controlled part of memory rather than the expected friendly function.
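The check a defender wants after reading this is whether the modules loaded into a browser actually opt into ASLR and DEP. The Python script below is an added example (not from the article, Microsoft or FireEye) that reads those opt-in flags from a PE file’s headers; it builds a constructed headers-only image for testing, and the real-file reader assumes the file is a complete PE image.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # module opts into ASLR
NX_COMPAT = 0x0100        # module opts into DEP (non-executable data)
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
# IMAGE_FILE_* flag from the COFF file header.
RELOCS_STRIPPED = 0x0001  # no relocation data: the loader cannot rebase the image


def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR/DEP opt-in state recorded in a PE image's headers.

    Header flags are the module's request; whether the OS honours it also
    depends on the Windows version and process policy, which this cannot see.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4                        # 20-byte COFF file header
    size_opt, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20                          # optional header follows COFF
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "aslr_opt_in": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # A DYNAMIC_BASE module with no .reloc data still loads at one address.
        "aslr_effective": aslr_flag and not relocs_stripped,
        "dep_opt_in": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def audit_file(path: str) -> dict:
    """Run the check on a module on disk (assumes a complete PE file)."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


def build_test_image(dll_chars: int, coff_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Construct a minimal, headers-only PE image for testing (not a real DLL)."""
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, coff_chars)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("modern", build_test_image(DYNAMIC_BASE | NX_COMPAT)),
                       ("legacy, no opt-in", build_test_image(0))):
        print(label, pe_mitigations(img))
```

A module that reports `aslr_opt_in: False` (or `aslr_effective: False`) loads at a predictable address, which is the property the exploit described above relies on.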

Exploited since August

The vulnerability first came to public attention late last month when targets in Japan were attacked by miscreants exploiting this vulnerability. Security biz FireEye published an alert about the infiltration attempts on 23 September, and claimed that assaults using the same bug in Microsoft’s browser software started around 23 August.

Redmond had realised there was a problem, though not its seriousness, days before FireEye sounded the alarm. Microsoft published technical details and workarounds to defend against the flaw on 17 September.

Security researchers have since linked the same CVE-2013-3893 bug to multiple attacks by various state-sponsored hacking crews against targets in Taiwan and elsewhere in the Far East. In this context the patch for Internet Explorer versions 6 to 11, due to arrive next Tuesday, can’t come a day too soon.

October 2013 marks the tenth anniversary of Microsoft’s regular security patch rollouts, Patch Tuesday. Alongside the critical IE update, the world’ll get three similarly critical security fixes for Windows that affect the vast majority of deployed platforms except Windows Server 2012 R2 and Windows RT 8.1. Everything from Windows XP up to and including Windows 8 and Windows RT will need patching.

Redmond’s security gnomes are also fuelling up four lower severity security bulletins, all rated as “important”. Microsoft Office, Microsoft Silverlight 5 and Redmond’s SharePoint portal server software will all need patching as a result of security fixes due to arrive on 8 October.

More details will be released once the updates are deployed next week. In the meantime, Microsoft’s pre-release notice provides more details of the affected software packages.

Wolfgang Kandek, CTO of Qualys, commented: “The recent [Internet Explorer] 0-day … is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites.”

Adobe – fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers – separately announced plans to deliver a solitary patch for Acrobat 11.0.4 and PDF Reader 11.0.4 on Windows. More details can be found in Adobe’s advisory here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/oct_patch_tuesday_ie_0day_fix_due/

‘ALL information leaks’, Samsung exec told us – Nokia splutters in filing


QuotW This was the week when a judge ordered a probe into allegations of a confidentiality breach after Samsung execs were said to have viewed secret Apple docs they should never have clapped eyes on.

As part of its IP spat with Samsung, Apple had to disclose a number of its patent agreements – with Nokia, Sharp, Philips, Ericsson and others – to Samsung’s lawyers.

This is all above board, but according to Nokia’s testimony in a court filing, at least one of the company’s execs seemingly knew details about the Apple-Nokia licence he should not have known.

The head of Samsung’s IP Center, Dr Seungho Ahn, is alleged to have told Nokia bods that he knew the terms of its deal with Apple, allegedly adding the comment “all information leaks”.

The judge ordered the South Korean chaebol to cough up email records and witnesses so that the court can determine if its lawyers spoke out of turn.

This was also the week in which the world witnessed the destruction of the Silk Road, an anarchic Tor-based online drug superstore where the substances were paid for in Bitcoin. FBI officers arrested a man they allege to be the shadowy leader of the Silk Road, who goes by the name of the Dread Pirate Roberts.

The Feds, meanwhile, have alleged in their complaint that the Dread Pirate in reality sports the rather boring moniker of Ross William Ulbricht.

FBI agent Christopher Tarbell said:

Silk Road has emerged as the most sophisticated and extensive criminal marketplace on the internet today. From in or about January 2011, [the defendant] owned and operated an underground website known as “Silk Road,” that provided a platform for drug dealers around the world to sell a wide variety of controlled substances via the internet.

“We’re trying to be careful not to get people too excited,” said Valve chief Gabe Newell back in 2012. He was, of course, talking about the release of Half Life 3, which still hasn’t been announced. However, the internet exploded in excitement this week when a European patent was filed for the name of this long-awaited piece of vapourware. Patient, gamers…

Patience is a virtue in all walks of life, we were reminded, when US President Barack Obama told the American public – and his Republican rivals – that just as they wait for the iOS 7 bugs to be ironed out, they could wait for the glitches in his new healthcare system to be fixed. The president said:

Like every new law, every new product rollout, there are going to be some glitches in the sign-up process along the way that we will fix. Consider that just a couple of weeks ago, Apple rolled out a new mobile operating system, and within days, they found a glitch, so they fixed it.

I don’t remember anybody suggesting Apple should stop selling iPhones or iPads or threatening to shut down the company if they didn’t. That’s not how we do things in America. We don’t actively root for failure.

This was also the week where it was revealed that scientists had found, er, tupperware on one of Saturn’s moons. The robotic Cassini probe detected small amounts of propylene in the grim, toxic atmosphere of Titan.

Conor Nixon, a planetary scientist at NASA’s Goddard Space Flight Center in Greenbelt, Maryland, said:

This chemical is all around us in everyday life, strung together in long chains to form a plastic called polypropylene. That plastic container at the grocery store with the recycling code 5 on the bottom – that’s polypropylene.

In other news, Rockstar, the gang behind Grand Theft Auto V, was smacked hard by the popularity of its new product after the game’s release. Its servers buckled under the weight of gazillions of fans who wanted to play the new version of the drive’n’massacre franchise.

As well as promising to address the small issues, Rockstar also said that no one would simply be able to buy their way to GTA dominance when it introduces in-game purchases using real cash. In a statement, it said:

No one can begin GTA Online and simply spend a lot of money out of the gate to get a leg up. You will have to earn your stripes.

Of course, people go to all sorts of lengths to get those elusive stripes. Take Hunter Moore for instance, who made millions from allowing vengeful exes to upload pictures of their former lovers. He spoke to The Register this week to slam plans to ban the “revenge porn” genre, of which his former website, Is Anyone Up?, was once the most infamous example. (The site has since been bought by an anti-bullying organisation.)

Under a new Californian bill, anyone caught posting nude pictures without the subject’s consent or with the intention of causing “serious emotional distress” could face up to six months in prison and a $1,000 fine.

Moore spoke out against the legislation – passed on 1 October by the state’s governor – to make revenge porn illegal:

These stupid old white people are even more stupid to think they can stop it. We are animals. We are sexual. Maybe they need a class on reality: don’t give your kid a phone.

Someone else that could do with some real world education is the author of a missive sent to one of our scribes in response to THAT GTA V article. We haven’t had a Flame Of The Week for a while, but this one was a corker:

Does it matter to you when your fellow humans are debased and belittled, for sport? Are you human, sir? Are you a being with a conscience? Let me guess – you’re a regular consumer of pornograpgy [sic], aren’t you? It’s all just a big joke, love and sex… Seeing your idea of journalism, I don’t expect to enlighten or persuade anything like you. I’m just calling you out while you run away from yourself.

Losers like you have had your say and your day, but you don’t own this planet and if you want to sell out the species to the satanists, you’re gonna have a long fight on your hands.

I think it’s time we actually did run away from ourselves. So until next week, sleep tight kiddies. And watch out for those Satanists. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/quotw_first_week_october_2013/

Visa Announces Improved Payment Card Fraud Detection

WASHINGTON, Oct. 2, 2013 /PRNewswire/ — Visa Global Security Summit — Visa Inc. (NYSE: V) today announced a series of enhancements to Visa’s Advanced Authorization (VAA) technology that significantly improve the ability of its global processing network to detect potential electronic payments fraud.

Financial institutions can use the information to more reliably know which transactions to decline in real time, potentially reducing fraud by billions per year, while more confidently approving legitimate transactions to remove friction from payments for merchants and consumers alike.

“Cardholders, merchants and issuers all want to have confidence in the convenience and the security of every Visa transaction,” said Mark Nelsen, Head of Risk and Authentication Products, Visa Inc. “The great improvements we’ve made in Advanced Authorization this year were designed to do just that: fight fraud and its costs to financial institutions and merchants, while also ensuring legitimate transactions are handled with the speed and convenience that consumers and merchants want.”

Visa has increased the breadth of each account profile in the Advanced Authorization model by adding more transactional history data, along with additional neural networks to analyze that data. The account profile is a major component of the risk score assigned to a given transaction and provided to the issuer for them to make an authorization decision. The result is more robust performance and improvement of as much as 130% in detecting fraud in debit transactions and 175% for credit transactions.

The enhanced model includes additional risk indicators specific to Automated Fuel Dispensers (AFD) transactions. Visa’s network now can pinpoint suspicious activity at a gas station and apply that to all transactions processed through that station. The model also uses account velocity at AFDs compared to that account’s normal behavior in the score determination. This can potentially increase the effectiveness of fraud detection in this segment by as much as 266% for debit transactions and 163% in credit.

The VAA improvements offer the potential to substantially reduce fraud in both transactions where the physical Visa card is present, such as a retail store, as well as in “card not present” environments such as online shopping. The improvements are effective for both consumer and commercial accounts and transactions.

About Visa Inc.:

Visa is a global payments technology company that connects consumers, businesses, financial institutions, and governments in more than 200 countries and territories to fast, secure and reliable electronic payments. We operate one of the world’s most advanced processing networks — VisaNet — that is capable of handling more than 30,000 transaction messages a second, with fraud protection for consumers and assured payment for merchants. Visa is not a bank and does not issue cards, extend credit or set rates and fees for consumers.

Visa’s innovations, however, enable its financial institution customers to offer consumers more choices: pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit corporate.visa.com.

Article source: http://www.darkreading.com/end-user/visa-announces-improved-payment-card-fra/240162252

Emulex Introduces High Performance NetFlow Generator Appliance For Enterprise, Cloud, Security And Mobile Deployments

Interop, NEW YORK and COSTA MESA, Calif., October 2, 2013 – Emulex Corporation (NYSE:ELX), a leader in network connectivity, monitoring and management, today announced the new EndaceFlow 3040 NetFlow generator appliance. The EndaceFlow 3040, which is purpose-built for use with high-density 10Gb Ethernet (10GbE) networks, generates 100% accurate NetFlows on up to four Ethernet links at speeds up to 10Gb per second (10Gbps) line rate. This level of performance speeds detection, identification and resolution of critical security and network issues, improving network uptime and reducing operational expenditures (OPEX) in enterprise data centers.

“As enterprises move more deeply into the latest data center technologies, such as 10GbE, server virtualization and software-defined networking, they are finding that visualizing what is happening in their networks has become more challenging,” said Lee Doyle, principal analyst, Doyle Research. “This is compounded by the fact that many tools that worked well at 1Gbps speeds simply have not scaled up to 10Gbps. This has critical implications for the ways that enterprises approach security monitoring, forensics and network performance management, which can only be addressed by tools that are designed to enable network visualization at 10Gbps speeds and above.”

As enterprises become more complex, NetOps and SecOps personnel are looking for new ways to improve their network visibility to ensure network security, guarantee performance of network-centric applications and to verify compliance with service level agreements (SLAs). Existing 10GbE NetFlow generators only provide sampled data on 10GbE links, as do switches and routers that are capable of generating NetFlow. Additionally, NetFlow generation on switches and routers significantly impacts their performance, especially during denial-of-service attacks. These sampled NetFlows don’t provide the visibility necessary to resolve critical network issues. By providing unsampled NetFlows, the EndaceFlow 3040 provides complete visibility in 10GbE networking environments.

By providing 100% NetFlow generation, new threats to network security and performance can more easily be detected, identified and resolved – resulting in the detection of a wider range of network anomalies and intrusions in the security operations space and the identification of network choke points that impact application performance – and can be further treated with packet-based network recording and analysis tools.
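To show why sampled flow records lose the low-volume events the press release refers to, here is an added Python simulation (not Emulex’s or Endace’s code) that builds NetFlow-style records from a constructed packet stream, once unsampled and once with deterministic 1:100 packet sampling, then runs a simple port-probe detector over both:

```python
from collections import defaultdict


def constructed_packets():
    """Constructed sample traffic: (src_ip, dst_ip, proto, src_port, dst_port, bytes).

    One long bulk transfer of 1000 packets, followed by a 50-port probe that sends
    a single packet to each port. The probe is the kind of low-volume event that
    packet sampling tends to drop.
    """
    pkts = [("10.0.0.5", "10.0.0.80", 6, 40000, 443, 1460) for _ in range(1000)]
    pkts += [("198.51.100.9", "10.0.0.80", 6, 51000 + p, p, 60) for p in range(1, 51)]
    return pkts


def flow_key(pkt):
    """5-tuple that identifies a flow record."""
    return pkt[:5]


def generate_flows(packets, sample_every=1):
    """Build flow records. sample_every=1 is unsampled (every packet counted);
    sample_every=N keeps every Nth packet, as a deterministic 1:N sampler does."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for i, pkt in enumerate(packets):
        if i % sample_every:
            continue
        rec = flows[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += pkt[5]
    return dict(flows)


def flag_port_probes(flows, min_ports=20):
    """Detection logic: a source touching >= min_ports distinct destination ports
    on one host is flagged. Returns sorted (src_ip, dst_ip) pairs."""
    ports = defaultdict(set)
    for src, dst, _proto, _sport, dport in flows:
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    pkts = constructed_packets()
    full = generate_flows(pkts)
    sampled = generate_flows(pkts, sample_every=100)
    print("unsampled: %d flows, flagged %s" % (len(full), flag_port_probes(full)))
    print("1:100 sampled: %d flows, flagged %s" % (len(sampled), flag_port_probes(sampled)))
```

The bulk transfer survives sampling with its packet count scaled down, but 49 of the 50 single-packet probe flows never produce a record, so the probe detector fires only on the unsampled data.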

“Traditionally, end users have used routers and switches to generate sampled NetFlows, which severely limits behavioral analysis and can impact switch and router performance,” said Mike Riley, senior vice president and general manager, Endace portfolio, Emulex. “The Emulex EndaceFlow 3040 addresses these issues by offloading NetFlow generation onto a purpose-built appliance that can generate unsampled NetFlow across multiple 10GbE links. This gives our customers all of the data they need to diagnose and resolve complex security and network performance issues on 10GbE networks in a fraction of the time previously required.”

The Emulex EndaceFlow 3040 delivers complete network visibility through the unique combination of the following features and capabilities:

Extreme Performance: The EndaceFlow 3040 provides complete full-stream flow visibility at 10Gbps over any combination of IPv4 and IPv6-based networks with up to 30Gbps of flow generation and a total active flow cache size of 64 million.

Custom Filtering: The EndaceFlow 3040 supports up to 120 filters across four collectors for load balancing flow records across multiple collectors, enabling users to customize exports to gain visibility of specific networks within the data center.

Advanced Hash Load Balancing (HLB): The advanced HLB feature of the EndaceFlow 3040 minimizes manual configuration with flow safe load balancing, reducing OPEX.

Ease of Integration: The EndaceFlow 3040 supports V5 (IPv4), V9 (IPv6) and Internet Protocol Flow Information Export (IPFIX) flow formats and a broad range of fields, allowing the EndaceFlow 3040 to seamlessly integrate with any NetFlow collector in the market.

When the EndaceFlow 3040 is combined with behavioral-based analytics tools from partners such as Lancope and SevOne, NetOps and SecOps personnel are able to create complete solutions that significantly speed resolution of critical network and security issues. In the case of one customer, this reduced their time-to-resolution (TTR) for critical incidents from 30-50 hours to only a couple of hours. The result is significantly improved network uptime and lower OPEX through reduced TTR for these critical incidents.

“Lancope’s StealthWatch System collects and analyzes NetFlow to provide cost-effective, behavior-based network performance and protection,” said Kerry Armistead, vice president of product management, Lancope. “Our enterprise customers know how critical the security and performance of their data center networks are to the success of their business and the Emulex EndaceFlow 3040 delivers the performance and load balancing needed to support even the largest and most distributed networks in use today.”

“Speed, scale and simplicity are essential elements of the SevOne Network Performance Management and Monitoring solution,” said Casey Murray, vice president global strategic alliances, SevOne. “These attributes are mirrored in Emulex’s EndaceFlow 3040, allowing our customers to easily scale their existing NetFlow analytics investments into 10GbE environments. This makes the combination ideal for large public and private sector organizations managing the performance of their critical IT infrastructures.”

The EndaceFlow 3040 is shipping to customers today with a manufacturer’s suggested retail price (MSRP) of $52,000. To see a demonstration of this solution this week at Interop, visit the Emulex booth #618.

Tweet this: #interop news: Emulex Introduces #NetFlow Generator Appliance: http://ow.ly/podEi

Read our Endace on Network Visibility blog on today’s news here.

Read an EndaceFlow customer success story here.

Follow Emulex on Twitter.

About Emulex

Emulex, a leader in network connectivity, monitoring and management, provides hardware and software solutions for global networks that support enterprise, cloud, government and telecommunications. Emulex’s products enable unrivaled end-to-end application visibility, optimization and acceleration. The Company’s I/O connectivity offerings, including its line of ultra high-performance Ethernet and Fibre Channel-based connectivity products, have been designed into server and storage solutions from leading OEMs, including Cisco, Dell, EMC, Fujitsu, Hitachi, HP, Huawei, IBM, NetApp and Oracle, and can be found in the data centers of nearly all of the Fortune 1000. Emulex’s monitoring and management solutions, including its portfolio of network visibility and recording products, provide organizations with complete network performance management at speeds up to 100Gb Ethernet. Emulex is headquartered in Costa Mesa, Calif., and has offices and research facilities in North America, Asia and Europe. For more information about Emulex (NYSE:ELX) please visit http://www.Emulex.com.

Article source: http://www.darkreading.com/perimeter/emulex-introduces-high-performance-netfl/240162230

FBI shutters Silk Road, an eBay-like drug bazaar: victory or defeat? [POLL]

[Screenshot of seized Silk Road website]

After seizing the domain and servers of Silk Road – a black market, eBay-like online bazaar for heroin, ecstasy, other illegal drugs and every known type of prescription drugs – federal prosecutors on Wednesday released two separate sets of charges against its alleged kingpin.

That man is 29-year-old Ross William Ulbricht, allegedly aka Dread Pirate Roberts, DPR, or Silk Road, among other aliases.

In the court documents – an affidavit from FBI agent Christopher Tarbell and a criminal complaint against Ulbricht filed in the state of Maryland – Ulbricht is accused of narcotics trafficking, money laundering, hacking, and of attempted murder by paying $80,000 to have a former employee killed.

The intended victim was a Silk Road employee who, Ulbricht allegedly feared, would turn him in to law enforcement.

Ulbricht allegedly contracted a hitman – in actuality, an undercover agent who then provided faked photos of the purported murder.

Another intended victim was somebody who, prosecutors say, was a Silk Road user who was trying to blackmail Ulbricht after hacking one of the site’s vendors and learning the identities of thousands of the site’s users.

Officials have been unable to confirm that killing, for which Ulbricht allegedly paid $150,000.

Prosecutors on Wednesday estimated that the illegal drug empire – a forum for making matches between drug dealers and buyers worldwide – saw $1.2 billion in sales over the last three years, earning its alleged founder $80 million.

For his part, whoever’s behind Silk Road, be it Ulbricht or not, has claimed that there were simply no victims left in the wake of its dealings.

[Silk Road Marketplace screenshot from September 2012]

When Forbes’s Andy Greenberg in August interviewed the Dread Pirate Roberts persona behind Silk Road, he described the drug market as a “victimless libertarian experiment.”

In a collection of DPR’s writings that Forbes posted in April, the Silk Road founder described the market in economic terms:

Silk Road was founded on libertarian principles and continues to be operated on them. It is a great idea and a great practical system…It is not a utopia. It is regulated by market forces, not a central power (even I am subject to market forces by my competition. No one is forced to be here). The same principles that have allowed Silk Road to flourish can and do work anywhere human beings come together. The only difference is that the State is unable to get its thieving murderous mitts on it. [10/1/2012]

He also takes aim against the US War on Drugs, the potential for drug cartels to form on Silk Road, the “heroes” who risked their lives and liberty selling drugs on the market, issues of trust, whether he founded Silk Road just to make money, and much more.

It makes an interesting read if you’re open to libertarian notions – is drug usage a victimless crime? Are drug laws inflicted on us by governments that should, perhaps, spend their resources elsewhere?

DPR expressed a noble desire to help others:

I just want to look back on my life and know that I did something worthwhile that helped people.

The thing is, Ulbricht intended to leave bodies in his wake, prosecutors allege. That’s hardly victimless, if it proves true, and it certainly points to the downside of a market that functions outside of the law.

Laws can be darn good. They dissuade people from killing each other, for one thing.

Ulbricht is being held without bail. According to the Los Angeles Times, he appeared briefly on Wednesday in federal court in San Francisco but did not enter a plea.

He’s scheduled to return to court Friday.

In light of all this, would you deem the shuttering of Silk Road a victory against lawlessness or a defeat at the hands of government?

Please cast your vote in the poll below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZxSuJc9_Lzg/

Adobe customer data breached

Today, it’s Adobe’s turn to attend confession.

The multimedia giant has owned up to getting pwned, admitting that “attackers illegally entered our network”:

We recently discovered that attackers illegally entered our network. The attackers may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account. If you have placed an order with us, information such as your name, encrypted payment card number, and card expiration date also may have been accessed. We do not believe any decrypted card numbers were removed from our systems.

To prevent unauthorized access to your account, we have reset your password… We recommend that you also change your password on any website where you use the same user ID or password. As always, please be cautious when responding to any email seeking your personal information.

Not a happy time for Adobe – one of the problems you face after you realise you’ve suffered a breach is working out what the crooks did while they were at large in your network.

If you are the victim of a break-and-enter at home, it’s often fairly obvious what happened: the TV-shaped hole in your entertainment centre cabinet, for example, is a glaring clue.

Even if you don’t know immediately what’s missing, it’s often possible to make a reasonably accurate inventory afterwards – passport? wallet? watch? – and react accordingly.

Network breaches aren’t like that, not least because when data is stolen, you still have your own copy.

→ Pedants may point out that “to steal” means “to take someone else’s property unlawfully without intending to return it”, but here I use the word unapologetically. You know what I mean.

Worse still, since the crooks bypassed your security to get in, they may have bypassed your security while they were in, so you can’t even be sure whether you can trust your logs.

So I feel Adobe’s pain, as they’ve had to make a very general admission, and reset everyone’s password, even though it may turn out that not much in the way of unencrypted Personally Identifiable Information (PII) was taken during the intrusion.

But that’s cold comfort for people who have bought from Adobe recently.

Some notes about the disclosure

Just a couple of points of things I suggest that Adobe could and should have done differently in the disclosure.

• “The attackers may have gained access to your… encrypted password.”

The devil’s in the details. Technically, the passwords probably weren’t encrypted; encryption would imply that Adobe could decrypt them and thus learn what password you had chosen.

Today’s norms for password storage use a one-way mathematical function called a hash that pretty much uniquely depends on the password, so that you can calculate the hash from the password, but not the other way around.

This means that you never actually store the password at all, encrypted or not: the user reveals the password on login, but you only ever need to process it in memory to verify the hash, so it need never be saved to disk.

Of course, that means that crooks could produce a giant table of hashes for popular passwords, thus speeding up their attacks, so you also usually add some salt: a random string that you store with the user’s ID and mix into the password when you compute the hash.

Even if two users choose the same password, their salts will be different, so they’ll end up with different hashes, which makes things much harder for an attacker.

And, lastly, you don’t usually just apply the hash function once to the salt-and-password combination.

You use some sort of key derivation function (KDF) that does a lot more than just a single hash calculation, so you slow down any attempt by someone who has stolen your database to try a long list of passwords one-by-one. (This is sometimes called key stretching, for obvious metaphorical reasons.)

Common KDFs used with salting-and-hashing are PBKDF2, bcrypt and scrypt. They are typically used so it takes 10,000 times longer, or more, to check each password than a plain hash function would. This hinders attempts to crack passwords against a dictionary list without noticeably slowing down each legitimate login.

With all this in mind, it would have been nice to see Adobe state explicitly what salting, hashing and stretching algorithms were in use, even if only as an appendix to the breach notification.

That means that users could take their own advice about how likely it is that their stolen “encrypted password” could be worked out by an attacker.
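One way to implement the salt-hash-stretch scheme described above, as an added example (not code from the article or from Adobe), using PBKDF2-HMAC-SHA256 from Python’s standard library; the iteration count and salt length are assumptions chosen for the demo:

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not code from the article or from Adobe: the salt, hash and
# stretch scheme described above, built on PBKDF2-HMAC-SHA256.
# ITERATIONS and SALT_BYTES are illustrative choices, not anyone's real settings.
ITERATIONS = 100_000
SALT_BYTES = 16


def plain_hash(password: str) -> str:
    """The weak scheme: one unsalted hash, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage;
    the password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def stretch_factor(iterations: int = ITERATIONS, trials: int = 5) -> float:
    """Rough ratio of time per stretched check to time per plain hash:
    the extra work a dictionary attacker pays for every guess."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    stretched = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials * 1000):
        hashlib.sha256(b"guess").digest()
    plain = (time.perf_counter() - t0) / (trials * 1000)
    return stretched / plain


if __name__ == "__main__":
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")  # same password, different salt
    print(alice != bob, verify_password("correct horse", alice),
          verify_password("wrong", bob), round(stretch_factor()))
```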

• “Encrypted payment card number, and card expiration date.”

Maybe I am reading too much into this, but I interpret this sentence (and note carefully the comma before “and”) to mean that your card number was encrypted, but your expiry date was not.

My suspicion is reinforced by the later explicit remark that “decrypted card numbers” were probably not stolen.

Why not be perfectly clear?

If card numbers and expiry dates were both encrypted, say so explicitly.

If not, make it clear that the crooks now probably do have your expiry date, even though they may not have your full card number.

• “Change your password on any website where you use the same … password.”

How about making this advice much stronger?

If you are using the same password on other sites, don’t just go and change it.

Go and change it to something that is not the same as any other site, so that crooks who work out your password for one account don’t automatically get access to other parts of your online life, too.

That’s what we’re advising as one of our three “Do These 3” tips for Cybersecurity Awareness Month, because we think it’s important.

It would be nice to see Adobe treating it as important advice, too.

Listen to our “Do These 3” tips now in this short, special-issue podcast

(03 October 2013, duration 8’58”, size 5.4MB)

Before we go

By the way, one final reminder if you hold personal information about other people.

Encrypting credit card data and salting-hashing-and-stretching passwords are vital security protections.

But they are not a replacement for keeping the data safe in the first place – they’re a second layer, in case your first line of defence should fail.

Just saying.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XjzDtw9sOqQ/

Is the NSA ripping a $35 billion hole in US business?

Images of hole and eagle courtesy of Shutterstock

The Information Technology and Innovation Foundation (ITIF) estimates that such fallout could cost Silicon Valley up to $35 billion* in annual revenue, much of it from lost overseas business, the Wall Street Journal reports.

As the ITIF outlined in an August 2013 paper titled “How Much Will PRISM Cost the U.S. Cloud Computing Industry?”, the US has been the one to beat in the worldwide cloud computing market, and countries were already investing money to do that – at the government level – before the surveillance revelations about the NSA.

Neelie Kroes, European commissioner for digital matters, said in July that indeed, were she an American cloud provider, she’d be “quite frustrated with my government right now,” predicting that US cloud services providers could well be looking at major business losses:

Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?

It is often American providers that will miss out, because they are often the leaders in cloud services. If European cloud customers cannot trust the United States government, then maybe they won’t trust US cloud providers either. If I am right, there are multibillion-euro consequences for American companies.

Another data point to round out the $35 billion figure comes from the Cloud Security Alliance, an industry group.

The alliance conducted a survey this summer which found that 56% of non-US members said security concerns made it less likely that they would use cloud services based in the US.

Another 10% reported having already canceled a contract, the WSJ reports.

There are overseas cloud service providers that are more than happy to pick up that slack.

But data is anything but static. It doesn’t obediently sit inside the confines of a country with stronger privacy protection than the US.

Ronaldo Lemos, director of the Institute for Technology Society, a Rio de Janeiro think tank, put it this way to the WSJ:

It basically ignores the entire internet … This data has to circulate. It’s going to be sent to Miami, to Europe. It’s not going to be sitting idle.

A case in point is that of Brazil, a country that’s reacted fiercely to the US’s use of surveillance.

In September, Brazilian President Dilma Rousseff, reacting to allegations that the NSA eavesdropped on her phone calls and emails, announced plans to create an undersea fiber-optic cable that would bypass the US entirely by directing internet traffic between South America and Europe.

She also urged legislators to pass an amendment that would force technology players such as Google and Microsoft to store data for Brazilian users on in-country servers.

Brazil’s postal service has already begun developing an encrypted domestic email system.

But none of that is likely to stop the NSA, says Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union (ACLU), given that the US already has a nuclear submarine dedicated to tapping undersea internet cables.

Soghoian put it this way to The Verge:

Just because you take steps to make it more difficult for the NSA doesn’t mean the NSA packs up their stuff and goes home.

Besides, as the WSJ points out, Brazil isn’t all that hot at protecting its own citizens’ privacy: Facebook, for its part, reported that Brazil made 715 requests for Facebook user data in the first half of 2013.

A WSJ quote from Roberto Valerio, whose German cloud-storage company, CloudSafe GmbH, reports a 25% rise in business since the NSA revelations, sums it all up:

At the end of the day, some agency will spy on you.

What do you think? Do you agree with the ITIF that the US is on track to lose the whopping sum of $35 billion because of the NSA?

And what about these overseas cloud service providers and politicians? Are they offering anything but smoke and mirrors, at the competitive expense of US businesses?

Please let us know what you think in the comments section below.

*How trustworthy is such a massive figure? For what it’s worth, ITIF is a well-respected think tank. It ranked No. 5 on the 2012 Top 50 Science and Technology Think Tanks [PDF] report from the University of Pennsylvania, has been described as “scrupulously nonpartisan” by Inc. Magazine, and was deemed “one of the leading, and most prolific, tech policy think tanks” by Ars Technica.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UYPaM55FVBo/

Bitcoin forum hacked in aftermath of Silk Road takedown

Bitcoin image courtesy of Flickr user Zach Copley (Creative Commons)

The popular Bitcoin discussion forum, Bitcointalk.org, was hacked and defaced on Wednesday. The site continues to be unavailable following a decision by administrators to take it down to investigate the full extent of the hack.

Before the site went offline it displayed animations of bombs exploding and various photos of classical music conductors. Tying those two themes together was Tchaikovsky’s 1812 overture.

Here’s the animation played out on a video from YouTube user fluttershy77x:

When the animation ended, visitors saw a banner saying,

Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye.

In another message, seen at the end of the video above, a group calling themselves “The Hole Seekers” claimed responsibility for the attack and helpfully pointed out that the music is also the soundtrack from the explosion scene in the movie “V for Vendetta.” Coincidentally, perhaps, that movie is known to have inspired the hacktivism collective known as Anonymous.

Theymos, the administrator for the Bitcoin Talk site, told Cryptolife that the attack was worse than first imagined,

It’s unfortunately worse than I thought. There’s a good chance that the attacker(s) could have executed arbitrary PHP code and therefore could have accessed the database, but I’m not sure yet how difficult this would be. I’m sending out a mass mailing to all Forum users about this.

The attack on Bitcointalk came just hours after the FBI had seized $3.6 million of the currency following the arrest of the alleged operator of Silk Road, an online market known primarily for selling illicit items.

Ross William Ulbricht, allegedly the mastermind of Silk Road, was himself a Bitcoin Talk user and, in one of his posts, he sought out an IT pro in the Bitcoin community. This, according to Federal prosecutors, is evidence that he is also the same individual who used the moniker “Dread Pirate Roberts” and so, by definition, is the operator of Silk Road.

Theymos believes that the forum may now be down for some time, though he doesn’t believe that passwords have been compromised, saying that,

At this time I feel that password hashes were probably not compromised, but I can’t say for sure. If you used the same password on bitcointalk.org as on other sites, you may want to change your passwords. Passwords are hashed using sha256crypt with 7500 rounds (very strong).

He went on to say that whoever was behind the attack had injected some code into $modSettings['news'], which holds the news shown at the top of the forum pages. News updates, he said, are normally logged, but these actions weren’t, which leads him to believe that the hacker did not compromise an admin account or otherwise make a ‘legitimate’ change.

Instead, he theorises that,

Probably, part of SMF related to news-updating or modSettings is flawed. Possibly, the attacker was somehow able to modify the modSettings cache in /tmp or the database directly.

Theymos also said that the hacker was able to upload a PHP script and other files to the avatar directory though he did admit that his lack of knowledge prevented him from discovering more details of the attack.

If any Naked Security readers have the skills to help Theymos, he is offering 50 Bitcoins, roughly equivalent to around $6,500, to the first person who can explain in detail how the attack was executed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gEljQXhotWU/