Gunkerty Jeb (1950964) writes "FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law enforcement agencies to gather vital information on criminals."
National Security Letter Issuance Likely Headed to Supreme Court
Gunkerty Jeb (1950964) writes "The Ninth Circuit appeals court in San Francisco took oral arguments from the Electronic Frontier Foundation and the Department of Justice yesterday over the constitutionality of National Security Letters and the gag orders associated with them. The EFF defended a lower court's ruling that NSLs are unconstitutional, while the DoJ defended a separate ruling that NSLs can be enforced. Whatever the court rules, the issue of NSLs is all but certainly headed for the Supreme Court in the not too distant future."
Interactive, Real-Time Map of Global Cyber Attacks
Gunkerty Jeb (1950964) writes "RSA Security executive chairman Art Coviello today at RSA Conference 2014 made his first public comments about the security company’s relationship with the National Security Agency, painting the landmark firm as a victim of the spy agency’s blurring of the lines between its offensive and defensive missions.
A Reuters report in December alleged RSA Security was paid $10 million in a secret contract with the NSA to use encryption software—specifically the Dual EC DRBG random number generator—that the spy agency could easily crack as part of its surveillance programs. The deal goes back nearly a decade to 2006, and according to Reuters, represented one third of the company’s crypto revenue at the time."
New 'Mask' APT Campaign Called Most Sophisticated Yet
Gunkerty Jeb (1950964) writes "A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, includes a number of unique components and functionality, and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines."
Gunkerty Jeb (1950964) writes "After months of public calls from privacy advocates and security experts, Verizon on Wednesday released its first transparency report, revealing that it received more than 164,000 subpoenas and between 1,000 and 2,000 National Security Letters in 2013. The report, which covers Verizon’s landline, Internet and wireless services, shows that the company also received 36,000 warrants, most of which requested location or stored content data."
Gunkerty Jeb (1950964) writes "It’s taken more than six months, but top officials at the National Security Agency are finally discussing some of the details of how former agency contractor Edward Snowden got access to all of the documents he stole and what kind of damage they believe the publication of the information they contain could do. A senior NSA employee tasked with investigating what Snowden did and how he did it said that Snowden simply used the legitimate access he had as a systems administrator to steal and store the millions of documents he’s been slowly leaking to the media, and that the information in those documents could give U.S. enemies a “road map” of the country’s intelligence capabilities and blind spots."
Gunkerty Jeb (1950964) writes "Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new, 64-bit version of the Zeus trojan that behaves much like its 32-bit contemporaries: it too uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and even log keystrokes. Unlike its contemporaries, this new variety of Zeus is — of course — 64-bit compatible, but also communicates with its command and control server over the Tor anonymity network."
Ruby on Rails CookieStore Bug Plagues Prominent Sites
Gunkerty Jeb (1950964) writes "A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.
Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-site scripting or session sidejacking – and log in as them at a later date."
Gunkerty Jeb (1950964) writes "In a Senate hearing debating the NSA's contentious surveillance programs and a proposed bill that would impose more transparency onto those practices, Sen. Patrick Leahy (D-Vt.) asked Google's director for law enforcement and information security matters, Richard Salgado, if government-imposed gag orders on requests for user data were making the country safer. Salgado answered that he did not believe that his inability to answer questions about data requests had any impact on national security.
In addition, the general counsel for the Director of National Intelligence claimed enumerating the exact number of U.S. citizens monitored under NSA surveillance programs would be too difficult and resource-intensive.
The general consensus of those not advocating for the NSA was that the bill introduced by Sen. Al Franken (D-Mich.) would be a great step forward, but that transparency alone would not undo the damages done to U.S. companies and its government by PRISM and other similar surveillance programs. Nor, they seemed to agree, would the addition of transparency make the NSA’s programs lawful or constitutional."
Microsoft to Broaden its Base of Bug Bounty Submitters
Gunkerty Jeb (1950964) writes "Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit mitigations in place on the newest version of Windows."
Gunkerty Jeb (1950964) writes "The Google domain for Malaysia was hijacked on Thursday night, redirecting visitors to a page that said a group called Madleets from Pakistan had performed the attack. The domain has been restored now, but the name servers for the domain had been changed to a pair controlled by the attackers."
Gunkerty Jeb (1950964) writes "The good news is that cooperation between the various law enforcement agencies in different countries all over the world is at an all-time high; the bad news is that cybercriminals have embraced a potent combination of the anonymous online currency Bitcoin and equally anonymous, Web-based currency exchanges located outside U.S. jurisdiction that allow them to turn those Bitcoins into real money, making it more difficult than ever to track the bad actors down.
Such are the realities of the world we live in. The once-tried-and-true law enforcement method of following the money in order to get to the bottom of organized criminal operations is made more difficult by the emergence of digital currency, international wire transfers, and Web-based currency exchange services, shielded from U.S. law by their locations and hidden from sight with layers upon layers of obfuscation, Kaspersky Lab principal security researcher Kurt Baumgartner explained in an interview with Threatpost Wednesday."
Gunkerty Jeb (1950964) writes "In the last few years, there have been a series of DDoS attacks and intrusions on government networks in South Korea that have resulted in the loss of untold amounts of data. The four attacks haven’t been linked together or attributed to the same attackers, but there are some similarities in the methods and results. In a presentation at Virus Bulletin in Berlin yesterday, Fortinet's Christy Chung explained that attack similarities included the use of malware overwriting the master boot record and massive DDoS attacks targeting DNS providers and individual sites."
Given Recent Crypto Revelations, 'Everything is Suspect'
Gunkerty Jeb (1950964) writes "So now that RSA Security has urged developers to back away from the table and stop using the maligned Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG) algorithm, the question begging to be asked is why did RSA use it in the first place?
Going back to 2007 and a seminal presentation at the CRYPTO conference by Dan Shumow and Niels Ferguson, there have been suspicions about Dual EC DRBG primarily because it was backed by the National Security Agency, which initially proposed the algorithm as a standard. Cryptographer Bruce Schneier wrote in a 2007 essay that the algorithm contains a weakness that “can only be described as a backdoor.”
“I wrote about it in 2007 and said it was suspect. I didn’t like it back then because it was from the government,” Schneier told Threatpost today. “It was designed so that it could contain a backdoor. Back then I was suspicious, now I’m terrified.”"
Gunkerty Jeb (1950964) writes "A group of researchers, hackers, and other security enthusiasts are pooling their money and offering it as a bounty to the first person that can successfully crack the Touch ID fingerprint authentication mechanism on Apple’s recently released iPhone 5S."
No Telecom Ever Challenged Metadata Collection Orders
Gunkerty Jeb (1950964) writes "A newly declassified opinion from the Foreign Intelligence Surveillance Court from this summer shows the court’s interpretation of the controversial Section 215 of the USA PATRIOT Act that’s used to justify the National Security Agency’s bulk telephone metadata collections, and reveals that none of the companies that have been served with such orders has ever challenged one."
IETF: Protecting Internet From Pervasive Surveillance
Gunkerty Jeb (1950964) writes "The IETF is considering a range of options to help reengineer some of the fundamental protocols that underpin the Internet in response to revelations that the NSA and other intelligence agencies are conducting widespread, dragnet-style surveillance online.
The group, which is responsible for developing the standards that govern much of the technical workings of the Internet, has been looking at all of the information revealed by the documents leaked by former NSA contractor Edward Snowden with dismay, and officials said that they’re already at work on some changes that could help make the Internet more resistant to pervasive surveillance. The IETF is not putting out a huge amount of detail on the changes, but said that regardless of the modifications, they won’t matter if the devices people use or the people they communicate with aren’t trustworthy."
Kelihos Relying on CBL Blacklists to Evaluate New Bots
Gunkerty Jeb (1950964) writes "Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins.
According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim’s IP address has previously been flagged as a spam source or as a proxy. A CBL is a blacklist of IP addresses known to be participating in spreading spam or malware."
Gunkerty Jeb (1950964) writes "A 213-foot luxury yacht veered off course while cruising in the Mediterranean Sea this summer after a radio navigation research team led by global positioning systems expert Todd Humphreys of the University of Texas Austin built a custom-made device capable of overriding the ship’s GPS receivers with spoofed signals."