STE WILLIAMS

Snowden outs NSA’s “Follow The Money” international banking spies

According to a new report, referencing leaks from Edward Snowden, the National Security Agency (NSA) has been widely monitoring international banking and credit card transactions. The agency allegedly targeted customers of Visa Inc. as well as the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

According to Germany’s Der Spiegel news magazine, documents leaked by former NSA contractor Snowden show that surveillance of financial transactions was carried out by a branch of the agency known as “Follow The Money” (FTM).

The details of all monitored transactions were then fed into an NSA database called “Tracfin.” According to the leaked documents, in 2011 that database held 180 million records, 84% of which related to credit card transactions.

Der Spiegel alleges that the NSA targeted transactions in Europe, the Middle East and Africa to:

collect, parse and ingest transactional data for priority credit card associations, focusing on priority geographic regions.

In response to that allegation the magazine quotes a Visa spokesperson who “ruled out the possibility that data could be taken from company-run networks,” whilst Mashable has a quote from Visa security and privacy representative Rosetta Jones:

With respect to the claims in the Der Spiegel article, we are not aware of any unauthorized access into our network. Visa takes data security seriously and, in response to any attempted intrusion, we would pursue all available remedies to the fullest extent of the law. Further, it’s Visa’s policy to only provide transaction information in response to a subpoena or other valid legal process.

The NSA also spied on SWIFT, the messaging network used by more than 10,000 banking institutions in over 200 countries to exchange payment instructions securely. According to the Der Spiegel report the network was targeted at several levels; one of the methods by which the NSA was getting at the information was described as reading “SWIFT printer traffic from numerous banks.”

“A deep invasion of privacy”

According to the documents there seemed to be at least some concern over the collection of such financial data.

The UK’s intelligence agency, GCHQ, queried the legal issues surrounding “financial data” and its own involvement in the program saying that, “The collection, storage and sharing of politically sensitive data is a deep invasion of privacy”, and involved “bulk data” full of “rich personal information,” much of which “is not about our targets.”

Whilst this news may be further confirmation that the NSA is involved in widespread spying, it is probably not a huge revelation to many.

In fact the real surprise may be that the Tracfin database ‘only’ stored 180 million records, considering that SWIFT itself carries over 15 million messages every day.

The whole point of having an intelligence agency is to monitor the actions of potential adversaries, and the money trail is often a very good starting point for any investigation. It appears that this financial monitoring was almost exclusively aimed at non-US citizens anyway, so few, if any, US domestic laws would have been broken.

Furthermore, the US Treasury already has an agreement with SWIFT that gives it agreed access to international transaction records, as confirmed by former White House counter-terrorism adviser Juan Zarate and former SWIFT CEO Leonard Schrank just a couple of months ago. This arrangement is further backed by an EU-US agreement (the Terrorist Finance Tracking Program agreement) which came into effect on August 1, 2010.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oi7bhCJsweg/

South American with a dumb phone? Think Facebook can’t get to you? THINK AGAIN


Digital security outfit Gemalto has extended its SIM-based Facebook client to include Facebook Messenger, so dumbphone users can chat directly with each other as well as post to each other’s walls.

Gemalto’s LinqUp SIM app has already connected Facebook to basic handsets in Argentina, Colombia and Chile, enabling the cheapest of hardware to use the biggest of social networks, but now there’s a new version which will let those handsets join the conversation, rather than just spraying graffiti around the place.


The power of SIM applications is that they run on any GSM phone: even the most basic of dumb handsets can handle SIM Toolkit apps, which means (very nearly) any GSM phone can become Facebook-enabled with Gemalto’s app.

The drawback is the interface. The SIM Toolkit can ask the phone to display a text menu and collect the user’s selections and the contents of text fields, but that’s about it. The SIM can also ask the handset for an IP connection to the internet, but the LinqUp app uses (silent, Class 2) SMS instead, so it can be deployed in areas where data connectivity is an unnecessary luxury. Class 2 is the SIM-specific message class: the handset hands such messages to the SIM rather than showing them to the user, which is why the traffic is “silent.”
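To make the “silent, Class 2 SMS” mechanism concrete, here is an added example (not Gemalto’s or The Register’s code) that decodes the TP-PID and TP-DCS fields of a GSM SMS-DELIVER TPDU and decides where the handset should route the message. The field layout follows 3GPP TS 23.040, the data coding scheme TS 23.038, and the “SIM data download” rule (PID 0x7F plus class 2 goes straight to the SIM in an ENVELOPE command) TS 31.111. The sample TPDU and its payload are constructed for this example; the routing labels are this example’s own names.

```python
"""Classify a GSM SMS-DELIVER TPDU by message class (added example, constructed data)."""

PID_SIM_DATA_DOWNLOAD = 0x7F  # TS 23.040 9.2.3.9: TP-PID "(U)SIM Data download"


def decode_dcs(dcs: int) -> dict:
    """Return alphabet, message class and compression flag from a TP-DCS octet (TS 23.038 4)."""
    group = dcs >> 4
    if group <= 0b0111:
        # General data coding (00xx) and auto-deletion (01xx) groups share one layout:
        # bit 5 = compressed, bit 4 = "bits 1..0 carry a class", bits 3..2 = alphabet.
        alphabet = {0: "gsm7", 1: "8bit", 2: "ucs2", 3: "reserved"}[(dcs >> 2) & 0b11]
        msg_class = (dcs & 0b11) if dcs & 0b10000 else None
        return {"alphabet": alphabet, "class": msg_class, "compressed": bool(dcs & 0b100000)}
    if group == 0b1111:
        # "Data coding/message class" group: bit 2 = 8-bit data, bits 1..0 = class (always present).
        return {"alphabet": "8bit" if dcs & 0b100 else "gsm7", "class": dcs & 0b11, "compressed": False}
    if group in (0b1100, 0b1101, 0b1110):
        # Message-waiting-indication groups carry no class.
        return {"alphabet": "ucs2" if group == 0b1110 else "gsm7", "class": None, "compressed": False}
    raise ValueError(f"reserved DCS group {group:#x}")


def parse_sms_deliver(tpdu: bytes) -> dict:
    """Pull originating address, TP-PID, TP-DCS and user data out of an SMS-DELIVER TPDU."""
    if tpdu[0] & 0b11 != 0b00:
        raise ValueError("not an SMS-DELIVER TPDU (TP-MTI != 00)")
    addr_len = tpdu[1]                        # number of address digits (semi-octets)
    toa = tpdu[2]                             # type of address: bits 6..4 = type of number
    n = (addr_len + 1) // 2                   # digits packed two per byte, low nibble first
    digits = "".join(f"{b & 0xF}{b >> 4}" for b in tpdu[3:3 + n])[:addr_len]
    pos = 3 + n
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    udl = tpdu[pos + 9]                       # TP-SCTS occupies the 7 bytes after TP-DCS
    ud = tpdu[pos + 10:pos + 10 + udl]        # for 8-bit data TP-UDL counts octets
    intl = ((toa >> 4) & 0b111) == 0b001
    return {"oa": ("+" if intl else "") + digits, "pid": pid, "dcs": dcs, "udl": udl, "ud": ud}


def route(pid: int, dcs: int) -> str:
    """Decide how the handset treats the message; 'sim-data-download' never reaches the screen."""
    cls = decode_dcs(dcs)["class"]
    if pid == PID_SIM_DATA_DOWNLOAD and cls == 2:
        return "sim-data-download"    # TS 31.111 7.1.1: passed to the SIM via ENVELOPE, not shown
    if cls == 2:
        return "sim-store"            # class 2 without the download PID: stored on the SIM
    if cls == 0:
        return "display-immediately"  # class 0 "flash" message
    return "me-normal"                # class 1, class 3 or no class: ordinary inbox handling


def classify(tpdu: bytes) -> str:
    """Parse a TPDU and return its routing decision."""
    msg = parse_sms_deliver(tpdu)
    return route(msg["pid"], msg["dcs"])


# Constructed SMS-DELIVER: from +447700900123, TP-PID 0x7F, TP-DCS 0xF6 (class 2, 8-bit data),
# timestamp 16/09/13 12:00:00 +00, TP-UDL 4, four bytes of opaque payload.
SAMPLE_TPDU = bytes.fromhex(
    "04" "0C91" "447700091032" "7F" "F6" "31906121000000" "04" "DEADBEEF"
)

if __name__ == "__main__":
    m = parse_sms_deliver(SAMPLE_TPDU)
    print(m["oa"], hex(m["pid"]), hex(m["dcs"]), decode_dcs(m["dcs"]), route(m["pid"], m["dcs"]))
```

The same DCS decoder applies to ordinary text messages, so the routing function also shows the other cases a handset must handle (class 0 flash messages, class 2 SIM storage without the download PID, and everything else). A SIM Toolkit app built on this channel therefore exchanges data with its server through messages the phone owner never sees in the inbox.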

Such areas include Argentina, where mobe telco Telecom Personal has been selling LinqUp SIMs (without messaging) for almost two years.

Operators doing similar things in South America include Tigo and Entel in Colombia and Chile respectively. Gemalto won’t tell us how many Facebook users are SIM dependent, but did say that they’re young – 90 per cent being under 34, despite the fact that half of the Facebook users in those countries are older than 34.

We’re obliged to assume that’s a good thing, though it probably means young people can’t afford posh phones. We’re also told that the LinqUp app consistently rates higher than the smartphone equivalents, but that can only be because LinqUp users are more impressed by the functionality, as text menus don’t generally impress that much.

SIM toolkit apps are much underused, and smartphones have rendered them redundant in many markets, but Facebook is proving popular in places where computers and connectivity aren’t available, so a SIM solution is the best solution.

Operators charge for the service – generally a monthly fee rather than a per-message rate – but it’s up to them. Sadly Gemalto can’t update the deployed Facebook-supporting SIMs, so any operator interested in handing them out to customers will have to figure in the cost of replacing their SIM stock – which (for Gemalto) is rather the point. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/16/gemalto_arms_sim_with_facebook_messenger/

Monday review

Missed anything last week? Catch up with everything we talked about with our weekly roundup.

General interest

Facebook realities, OS X patched, Yahoo! CEO security! shocker! – 60 Sec Security [VIDEO]

Should employees be punished for sloppy cyber security? [POLL]

SSCC 116 – Google Authenticator, Apple bugs, Facebook data probes, WordPress phishing [PODCAST]

Men are twice as likely to spy on their partner’s phone

Law and order

Anonymous hacker @ItsKahuna sentenced to 3 years for hacking police sites

12 arrested as UK cops foil Santander bank heist plot

Police probe second news group over phone hacking

Google loses appeal in Wi-Fi data grab case

Social networks

57% of college students think their Facebook postings aren’t vile at ALL!

Mobile devices

New Apple iPhone 5s to feature “Touch ID” fingerprint authentication

Apple’s “Touch ID” fingerprint login – not everyone is cock-a-hoop about it

Size doesn’t matter – at least, not quite as much as smartphone privacy

Cryptography

Rudest man in Linuxdom rants about randomness – “We actually know what we are doing. You don’t.”

Windows Picture Passwords – are they really as “easily crackable” as everyone’s saying?

OS and software

September Patch Tuesday is out – one update lost en route, 13 patches left, 8 RCE, 4 critical

Adobe has Patch Tuesdays, too – a reader reminds us!

Microsoft endures Patch Horror Day on Friday 13th – issues updates to 8 of 13 updates

Apple ships OS X 10.8.5 security update – fixes “sudo” bug at last

WordPress issues security fixes, advises “update your sites immediately”

Privacy and online safety

Would you believe it? Women more in favour of porn filters than men

It’s not up to Google to stop child abuse, says expert

US health care company faces giant class action suit for losing over 4,000,000 unencrypted records

Google to encrypt data “end-to-end” in effort to block NSA and other agencies

Yahoo hops on transparency report bandwagon

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Days of the week image from Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YPdTsu2QRNs/

Apple’s “Touch ID” fingerprint login – not everyone is cock-a-hoop about it

Apple’s triumphant announcement last week of the fingerprint scanner in the iPhone 5s didn’t impress everyone.

Some Naked Security readers were amongst the sceptics, with @wjrcoop saying:

I’m stunned by the celebration of mediocrity all over the Internet by this. I had a biometric reader on my Dell notebook (like forever ago) and hated it.

And the interestingly-named keeglecrunch asked:

Isn’t biometrics old news (like really old)? I have an old Dell laptop within arm’s reach that has a thumb scanner on it that I’ve used a grand total of zero times.

Apparently, there may be yet another reason to be underwhelmed by the iPhone 5s: a lawyer named Marcia Hofmann, writing for Wired, offers the opinion that its fingerprint authentication might end up eroding a long-cherished legal right.

In this case it wouldn’t be the government chipping away at your statutory protections, but technology itself.

The protection that Hofmann thinks might be at risk relates to self-incrimination.

Many jurisdictions give you some sort of “right to silence” – in the USA, it’s usually known as the Fifth, because the Founding Fathers neglected to enshrine it in the original constitution, leaving it to be retrofitted in the so-called Fifth Amendment some three years later.

In the digital era, the issue of where self-incrimination ends hasn’t always been obvious.

You can be compelled by a court to open a locked door, for example, so that investigators can search behind it. (Matters relating to search and seizure of your property are dealt with by the Fourth Amendment.)

But you can’t, or at least not according to some US judges, be compelled to “open” a hard disk that has been “locked” by something you know, no matter how close an analogy you might draw between opening a cupboard and decrypting a hard disk.

Refusing to tell an investigator your password isn’t like refusing to hand over a physical key, it’s like declining to answer a question.

But what about unlock credentials that don’t come from something you know, like fingerprints?

Hofmann offers the opinion that since you can swipe your finger over the iPhone 5s scanner without giving any “testimonial statement” – in other words, revealing something you know – then you shouldn’t expect Fifth Amendment protection against unlocking your trendy new iPhone.

→ Interestingly, you can give someone the key to decrypt your hard disk without ever telling them the answer to the question, “What’s your password?” That’s because most modern cryptosystems don’t use your password directly as the key: they run your password through a key derivation function together with other data unique to your disk (a salt) to produce the actual decryption key. Nevertheless, it seems that the Fifth applies if a password is involved at some point.
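Here is an added example (not from the article, Apple or Hofmann) of the point just made: a per-disk salt and a slow key derivation function (PBKDF2-HMAC-SHA256 here) turn the password into the key, and a digest stored in the disk header lets a raw key be checked without the password being known. The header layout and the function names are this example’s own, loosely modelled on LUKS-style headers rather than any product’s on-disk format.

```python
"""Password -> salted KDF -> disk key, with a password-free way to verify the key (added example)."""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32
ITERATIONS = 200_000  # deliberately slow: raises the cost of guessing passwords offline


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """password + per-disk salt -> key. The key is what the cipher uses; it is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def key_digest(key: bytes, digest_salt: bytes, iterations: int) -> bytes:
    """Digest of the key kept in the header so an offered key can be verified."""
    return hashlib.pbkdf2_hmac("sha256", key, digest_salt, iterations, dklen=KEY_LEN)


def new_header(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """Build the public (unencrypted) header for a disk protected by `password`.

    `salt` is normally random per disk; it can be passed in for reproducible tests.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest_salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "digest_salt": digest_salt,
        "digest": key_digest(key, digest_salt, iterations),
    }


def unlock_with_key(header: dict, key: bytes) -> bool:
    """Check a raw key against the header. No password is needed or revealed."""
    expected = key_digest(key, header["digest_salt"], header["iterations"])
    return hmac.compare_digest(expected, header["digest"])


def unlock_with_password(header: dict, password: str) -> Optional[bytes]:
    """Derive the key from the password and return it if it opens the disk, else None."""
    key = derive_key(password, header["salt"], header["iterations"])
    return key if unlock_with_key(header, key) else None


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed example password
    disk_a = new_header(pw)                      # two disks, same password, different salts
    disk_b = new_header(pw)
    key_a = unlock_with_password(disk_a, pw)
    print("keys differ across disks:", key_a != unlock_with_password(disk_b, pw))
    print("disk A opens with raw key:", unlock_with_key(disk_a, key_a))
    print("disk B rejects A's key:", not unlock_with_key(disk_b, key_a))
    print("wrong password:", unlock_with_password(disk_a, "wrong") is None)
```

Handing over `key_a` lets someone open disk A without ever learning the password, which is the situation the note above describes; because the salt differs per disk, that key says nothing about disk B even though the same password protects both.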

Hofmann gives what she calls an easy fix: give users the option to unlock their phones with a fingerprint plus something they know.

But that misses the point of why Apple included the fingerprint scanner in the first place.

For many users, a fingerprint-based login means they can abandon the “something they know” part, which means they no longer have “something they have to remember and type in all the time.”

Yahoo!’s CEO, Marissa Mayer, very disappointingly, spoke for very many phone users when she recently expressed her delight at the iPhone’s fingerprint scanner: “I can’t do this passcode thing, like, 15 times a day.”

But Marcia Hofmann may have just given you a reason to decide that perhaps, now you think about it, you can do this passcode thing after all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LZBlyzDPWXM/

Anonymous hacker @ItsKahuna sentenced to 3 years for hacking police sites

A newlywed will soon be parted from his bride to serve three years in prison for hacking police websites under the Anonymous banner.

John Anthony Borell III, a 22-year-old man from Toledo, in the US state of Ohio, was sentenced on Thursday by a federal judge.

According to The Daily Dot, Borell, better known by his handle @ItsKahuna, was convicted for his part in the #OpPiggyBank hacking of police websites by the group CabinCr3w.

As Borell admitted in a signed plea deal, in early 2012 he attacked a server for Utahchiefs.org, a website for police in Syracuse, New York, the municipal website of Springfield, Mo., and a site for the Los Angeles County Police Canine Association, according to The Huffington Post.

He took credit for the actions via the Twitter account, according to The Daily Dot. Twitter subsequently cooperated with investigators by supplying IP data that enabled them to track the account to Borell.

Borell was arrested in March 2012.

According to The Daily Dot, the hacks included defacing the Texas Police Association’s website to read, in part:

Dear Texas Police Dept,

Paid administrative leave should be reserved for injured cops, cops with pregnant wives, and cops who declare themselves conscientious objectors to a raid. Not a kiddie porn collecting cop. It looks as if Texas PD hasn’t improved since the cousin of the PD, the Texas Youth Commission was caught with rape rooms.

Targets: Texas PD and Syracuse

Why: Insufficient effort

Judgment: We must troll you

According to the Office of Inadequate Security, the hacker(s) dumped 787 police officers’ names, usernames, plain-text passwords, agencies and addresses, some of which were reportedly home addresses.

In his plea agreement, Borell admitted to jeopardizing “the security of the personal information of many people, most of whom worked in law enforcement” by gaining unauthorized access to agency computer systems and posting it online.

He said this in his description of the hacks in the plea agreement:

“Regarding all of these hacks, I knew what I was doing was illegal.”

Prosecutors said Borell’s actions victimized thousands and cost some $260,000 to repair as the affected agencies beefed up security following the attacks.

Borell also admitted to compromising the computer systems belonging to law enforcement agencies from Los Angeles, Syracuse, the official city site for Springfield, Missouri, and a community webpage in Illinois called pendletonundergound.com.

Many other officers’ personal details were exposed during the course of the hacking operation. Check out RT.com’s coverage for more details.

US District Judge Robert J. Shelby said that the sentence handed down on Thursday would also resolve charges filed against Borell in California, Missouri and New York.

The newly married Borell will be allowed to spend 10 weeks with his family before he has to turn himself in to start his sentence.

Prosecutors said that he originally faced a $250,000 fine and up to a decade in prison if convicted on both counts of computer intrusion.

Image of hands on bars courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RZbIdwu8gt8/

Facebook realities, OS X patched, Yahoo! CEO security! shocker! – 60 Sec Security [VIDEO]

Microsoft endures Patch Horror Day on Friday 13th – issues updates to 8 of 13 updates

Have you ever watched a cricket match on TV? (North American readers: imagine a game of baseball with more swashbuckle and proper trousers.)

If so, you’ll know there’s always a bit where one of the commentators says something like, “Swaandijve has been by far the most reliable outfielder in the Dutch team [*] over the last two seasons.”

You know instinctively what’s about to happen.

As soon as the words are out of the expert’s mouth, the hapless Mr Swaandijve drops a catch that even you or I could have taken with our eyes closed.

Well, I’ve just taken my own Swaandijve.

Last weekend, I made a joke about Friday the Thirteenth no longer implying anything in computer security circles except that it was a week with a Patch Tuesday in it.

And what happened?

Friday the Thirteenth turned into Patch Horror Day for Microsoft, as Redmond release engineers waited, no doubt with bated breath, to see if they had solved the problems that required eight out of 13 security patches to be reissued.

Last month, of course, Microsoft turned out a couple of patches that didn’t work properly; this month, patching worked far too keenly for some users.

Soon after we’d written up our Tuesday recommendations, concluding with our usual imprecation to “patch early, patch often” (this time, in fact, we said, “Best get patching right away, then!”), we began to see worried comments appearing on Naked Security.

The updates started OK, but then wouldn’t stop, coming “over and over,” or even “over and over and over,” as one reader put it.

We’re assuming that Microsoft has sorted it all out now, with the updates to the updates correctly breaking out of the continuous update cycle.

(We haven’t heard of any complaints about the patches to the patches; please tell us your experiences in the comments.)

The reissued security updates are:

Two non-security updates for PowerPoint were affected, too.

→ For some corporate customers, the problem apparently also showed up in inverse form, with updates failing to appear on their update servers at all. The “missing patches” issue was fixed at the same time as the “far too many patches” one, though it may have been a blessing in disguise: if the faulty patches had turned up, they might well have clogged up the network with updates happening over and over again.

In Microsoft’s own words:

We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.

That’s a textbook example of both orotundity and anacoluthon, but I think I have wrestled it into English:

Microsoft now knows what went wrong. It has issued new patches that will show up correctly on your update servers, and will install just once to each computer.

Best get patching right away, then!

[*] Yes, the Dutch play cricket seriously, to a high standard.

Image of Horroresque face on old-school TV courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XQD51Yrp3sE/


It’s not up to Google to stop child abuse, says expert

When your children go online, who should be their nanny?

Is it the internet big boys who should keep children from being preyed on, perhaps by adopting a blacklist of “abhorrent” search queries that leave no doubt that a searcher’s intent is malevolent?

That’s one piece of what UK Prime Minister David Cameron put forth in a speech in July, when he announced new measures to protect children and challenged outfits such as Google, Yahoo, and Microsoft to do their part.

Now, the former head of Britain’s online child protection agency, Jim Gamble, has deemed the government policy nonsensical, being based on a fundamental misunderstanding of how paedophiles target victims.

According to The Independent, Gamble suggested that Cameron targeted Google because the company didn’t fork over enough tax in the UK.

Cameron was badly briefed, Gamble said. It’s not search terms or filtering that will help protect children; rather, we need to look at stopping predators much earlier.

Gamble resigned as head of the Child Exploitation and Online Protection Centre in 2010.

The Telegraph quoted Gamble as saying that we’re missing the chance to explore the motivation and methodology of child killers such as Mark Bridger, who killed 5-year-old April Jones, and Stuart Hazell, who murdered 12-year-old Tia Sharp.

Gamble said:

It’s nonsensical. The advice to the Prime Minster is bad from people who clearly don’t understand the first thing about the internet and child protection. We are now focusing on Google rather than investing in greater research: why they do it, when they do it. Why? Google [doesn’t] pay enough tax.

At the time he gave his speech, Cameron said that if the search giants don’t implement a blacklist voluntarily, legislation forcing them to do so would follow in short order.

In addition, he announced changes to the law that would make extreme pornography harder to obtain, such as making it illegal to depict rape in porn.

The government also plans to institute pervasive network-level filtering of even legal adult content, switched on by default for internet access in the UK.

Mobile phone operators will implement adult content filters that users over 18 can opt out of, while family-friendly filters were due to be applied by the end of August across 90% of public WiFi wherever children are likely to be present.

Other filters are coming for broadband within the next two years.

All this focus on search terms and filtering misses a much bigger opportunity, Gamble said at a conference in Belfast:

Rather than having a debate about predatory paedophiles and how we can stop them earlier, we have had a debate about Google and blocking search terms… Mark Bridger or Stuart Hazell weren’t made paedophiles because they searched for something on Google.

Is Gamble right? Is it a waste of time to go after companies such as Google?

Yes, the search giants should be forced to intercept search terms suggesting child abuse.

Gamble’s right: a Google search doesn’t turn somebody into a paedophile.

But we should adopt both approaches plus any other means to protect children.

Image of man on computer and access denied courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ddpTZNswMnc/