


Apple's Spotty Record of Giving Back To the Tech Industry

chicksdaddy Re:Article is flame bait. Or a troll. (267 comments)

You have to read the whole article - ASF is not the only example cited. It is the only example cited within the first three paragraphs of the story, however.

about two weeks ago

Is Analog the Fix For Cyber Terrorism?

chicksdaddy Re:sure, no problem (245 comments)

really excellent feedback. appreciated.

about a month ago

Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights

chicksdaddy Gloating - but a good idea (1440 comments)

Look, studies have shown that driver reaction time while texting and driving is far, far worse than the reaction time for impaired driving (aka driving drunk), which is clearly illegal. In other words, we (your fellow citizens) are a lot safer with you drunk driving than driving while texting. (See this Car & Driver study: http://www.caranddriver.com/features/texting-while-driving-how-dangerous-is-it) So, apply the same logic as you would with drunk driving. Sure, these drivers were stopped at a red light, but would you expect the cop to look the other way if they were swigging from a bottle of vodka at the same red light ("well, the car isn't moving right now, so...")? He's right to read the law literally and also to assume that if they're texting at a red light, they likely won't stop texting once the car is moving. Take away: texting behind the wheel is a serious danger to public health and should be tolerated to about the same extent that we, as a society, tolerate drunk driving - which is not at all. My 2c.

about 7 months ago

DARPA Cyber Chief "Mudge" Zatko Going To Google

chicksdaddy Update: He'll work in Motorola Mobility ATAP Unit (30 comments)

Update courtesy of Google: Mudge will be working in Motorola Mobility's Advanced Technology & Projects (ATAP). From the web: "The group's mission is to deliver breakthrough innovations to the company's product line on seemingly impossible short timeframes. ATAP is skunkworks-inspired. Optimized for speed. Small, lean, resourced. With agility, freedom from bureaucratic constraints, and a willingness to embrace risk as core attributes." Hmm...sounds kinda like DARPA! ;-)

1 year, 8 days



OpenSSL: The New Face Of Technology Monoculture

chicksdaddy chicksdaddy writes  |  yesterday

chicksdaddy (814965) writes "In a now-famous 2003 essay, “Cyberinsecurity: The Cost of Monopoly” (http://cryptome.org/cyberinsecurity.htm) Dr. Dan Geer (http://en.wikipedia.org/wiki/Dan_Geer) argued, persuasively, that Microsoft’s operating system monopoly constituted a grave risk to the security of the United States and international security, as well. It was in the interest of the U.S. government and others to break Redmond’s monopoly, or at least to lessen Microsoft’s ability to ‘lock in’ customers and limit choice. “The prevalence of security flaw (sp) in Microsoft’s products is an effect of monopoly power; it must not be allowed to become a reinforcer,” Geer wrote.

The essay cost Geer his job at the security consulting firm AtStake, which then counted Microsoft as a major customer (http://cryptome.org/cyberinsecurity.htm#Fired). (AtStake was later acquired by Symantec.)

These days Geer is the Chief Security Officer at In-Q-Tel, the CIA’s venture capital arm. But he’s no less vigilant of the dangers of software monocultures. Security Ledger notes that, in a post today for the blog Lawfare (http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor/), Geer is again warning about the dangers that come from an over-reliance on common platforms and code. His concern this time isn’t proprietary software managed by Redmond, however, it’s common, oft-reused hardware and software packages like the OpenSSL software at the heart (pun intended) of Heartbleed (https://securityledger.com/2014/04/the-heartbleed-openssl-flaw-what-you-need-to-know/).

“The critical infrastructure’s monoculture question was once centered on Microsoft Windows,” Geer writes. “No more. The critical infrastructure’s monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them.”

What happens when a critical and vulnerable component becomes ubiquitous — far more ubiquitous than OpenSSL? Geer wonders if the stability of the Internet itself is at stake.

“The Internet, per se, was designed for resistance to random faults; it was not designed for resistance to targeted faults,” Geer warns. “As the monocultures build, they do so in ever more pervasive, ever smaller packages, in ever less noticeable roles. The avenues to common mode failure proliferate.”"


Crowd Funding Bug Bounties To Fix Open Source Insecurity? Don't Count On It.

chicksdaddy chicksdaddy writes  |  yesterday

chicksdaddy (814965) writes "The discovery of the Heartbleed vulnerability put the lie to the notion that ‘thousands of eyes’ keep watch over critical open source software packages like OpenSSL. In fact, some of the earliest reporting on Heartbleed noted that the team supporting the software consisted of just four developers – only one of them full time. (http://online.wsj.com/news/articles/SB10001424052702304819004579489813056799076)

To be sure, there are still plenty of examples of tightly monitored open source projects and real accountability. (The ever-mercurial Linus Torvalds recently made news by openly castigating a key Linux kernel developer Kay Sievers for submitting buggy code, suspending him from further contributions.) (http://lkml.iu.edu//hypermail/linux/kernel/1404.0/01331.html)

But how do poorer, volunteer-led open source projects improve accountability and oversight — especially in areas like security? Casey Ellis over at the firm BugCrowd has proposed a crowd-funded project to fund bug bounties (https://www.crowdtilt.com/campaigns/lets-make-sure-heartbleed-doesnt-happen-again/description) for a security audit of OpenSSL ($7,162 raised thus far, with a target of $100,000).

But a post on Veracode's blog doubts that offering fat purses for information on open source bugs will make much difference.

"A paid bounty program would mirror efforts by companies like Google, Adobe and Microsoft to attract the attention of the best and brightest security researchers to their platform. No doubt: bounties will beget bug discoveries, some of them important," the post reads. "But a bounty program isn’t a substitute for a full security audit and, beyond that, a program for managing OpenSSL (or similar projects) over the long term. And, after all, the Heartbleed vulnerability doesn’t just point out a security failing, it raises questions about the growth and complexity of the OpenSSL code base. Bounties won’t make it any easier to address those bigger and important problems."

In other words: finding bugs doesn't equate with making the underlying code more secure. That's a lesson that Adobe and Microsoft learned years ago (see Adobe's take on it from back in 2010 here: http://blogs.adobe.com/securit...).

What's needed is a more holistic approach to security that results in something like Microsoft's SDL (Secure Development Lifecycle) or Adobe's SPLC (Secure Product Lifecycle). That will staunch the flow of new vulnerabilities. Then investments need to be made to create robust incident response and updating/patching post deployment. That's a lot to fit into a crowd-funding proposal — so it will need to fall to companies that rely on packages like OpenSSL to foot the bill (and provide the talent). Some companies, like Akamai, are already talking about that."


Apple's Spotty Record Of Giving Back To The Tech Industry

chicksdaddy chicksdaddy writes  |  about two weeks ago

chicksdaddy (814965) writes "One of the meta-stories to come out of the Heartbleed (http://heartbleed.com/) debacle is the degree to which large and wealthy companies have come to rely on third party code (http://blog.veracode.com/2014/04/heartbleed-and-the-curse-of-third-party-code/) — specifically, open source software maintained by volunteers on a shoestring budget. Adding insult to injury is the phenomenon of large, incredibly wealthy companies that gladly pick the fruit of open source software, but refuse to peel off a tiny fraction of their profits to financially support those same groups.

Exhibit 1: Apple Computer. On Friday, IT World ran a story that looks at Apple's long history of not giving back to the technology and open source community. The article cites three glaring examples: Apple's non-support of the Apache Software Foundation (despite bundling Apache with OS X), as well as its non-support of OASIS and refusal to participate in the Trusted Computing Group (despite leveraging TCG-inspired concepts, like AMD's Secure Enclave in iPhone 5s).

Given Apple's status as the world's most valuable company and its enormous cash hoard, the refusal to offer even meager support to open source and industry groups is puzzling. From the article:

"Apple bundles software from the Apache Software Foundation with its OS X operating system, but does not financially support the Apache Software Foundation (ASF) in any way. That is in contrast to Google and Microsoft, Apple's two chief competitors, which are both Platinum sponsors of ASF — signifying a contribution of $100,000 annually to the Foundation. Sponsorships range as low as $5,000 a year (Bronze), said Sally Khudairi, ASF's Director of Marketing and Public Relations. The ASF is vendor-neutral and all code contributions to the Foundation are done on an individual basis. Apple employees are frequent, individual contributors to Apache. However, their employer is not, Khudairi noted.

The company has been a sponsor of ApacheCon, a for-profit conference that runs separately from the Foundation — but not in the last 10 years. "We were told they didn't have the budget," she said of efforts to get Apple's support for ApacheCon in 2004, a year in which the company reported net income of $276 million on revenue of $8.28 billion."

Carol Geyer at OASIS is quoted saying her organization has done "lots of outreach" to Apple and other firms over the years, and regularly contacts Apple about becoming a member. "Whenever we're spinning up a new working group where we think they could contribute we will reach out and encourage them to join," she said. But those communications always go in one direction, Geyer said, with Apple declining the entreaties.

Today, the company has no presence on any of the Organization's 100-odd active committees, which are developing cross-industry technology standards such as The Key Management Interoperability Protocol (KMIP) and the Public-Key Cryptography Standard (PKCS)."


TCP/IP Might Have Been Secure From The Start, But...NSA!

chicksdaddy chicksdaddy writes  |  about three weeks ago

chicksdaddy (814965) writes "The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet (http://en.wikipedia.org/wiki/Room_641A) and the invisible hand behind every flawed crypto implementation (http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331).

Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP — the Internet's lingua franca.

As noted on Veracode's blog (http://blog.veracode.com/2014/04/cerf-classified-nsa-work-mucked-up-security-for-early-tcpip/), Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPv6, the latest version of the IP protocol with its integrated network-layer security and massive 128 bit address space. IPv6 is only now beginning to replace the exhausted IPv4 protocol globally.

“If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,” Cerf said. (Check it out here: http://www.youtube.com/watch?v...)

Researchers at the time were working on just such a lightweight cryptosystem. On Stanford’s campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn’t yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977).

As it turns out, however, Cerf revealed that he _did_ have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren’t they used? The culprit is one that’s well known now: the National Security Agency.

Cerf told host Leo Laporte that the crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet.

“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”

Hindsight is 20:20, as the saying goes. Neither Cerf, nor the NSA nor anyone else could have predicted how much of our economy and that of the globe would come to depend on what was then a government backed experiment in computer networking. Besides, Cerf didn't elaborate on the cryptographic tools he was working with as part of his secure Internet research or how suitable (and scalable) they would have been.

But it’s hard to listen to Cerf lamenting the absence of strong authentication and encryption in the foundational protocol of the Internet, or to think about the myriad of online ills in the past two decades that might have been preempted with a stronger and more secure protocol and not wonder what might have been."


Vint Cerf: CS Programs Must Change To Adapt To Internet of Things

chicksdaddy chicksdaddy writes  |  about three weeks ago

chicksdaddy (814965) writes "The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist.

Cerf, speaking in a public Google Hangout on Wednesday, said that he’s tremendously excited about the possibilities of an Internet of billions of connected objects (http://www.youtube.com/watch?v=17GtmwyvmWE&feature=share&t=21m8s). But Cerf warned that the IoT necessitates big changes in the way that software is written. Securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – one that the nation’s universities need to start addressing.

Internet of Things products need to do a better job managing access control and use strong authentication to secure communications between devices."


Hell Is Other Contexts: How Wearables Will Transform Application Development

chicksdaddy chicksdaddy writes  |  about a month ago

chicksdaddy (814965) writes "Veracode's blog has an interesting post on how wearable technology will change the job of designing applications. Long and short: context is everything. From the article:

"It’s the notion – unique to wearable technology – that applications will need to be authored to be aware of and respond to the changing context of the wearer in near real-time. Just received a new email message? Great. But do you want to splash an alert to your user if she’s hurtling down a crowded city street on her bicycle? New text message? OK – but you probably shouldn't send a vibrate alert to your user's smartwatch if the heart rate monitor suggests that he’s asleep, right?

This isn't entirely a new problem, but it will be a challenge for developers used to a world where ‘endpoints’ were presumed to be objects that are physically distinct from their owner and, often, stationary.

Google has already called attention to this in its developer previews of Android Wear – that company’s attempt to extend its Android mobile phone OS to wearables. Google has encouraged wearable developers to be “good citizens.” “With great power comes great responsibility,” Google’s Justin Koh reminds would-be developers in a Google video (https://www.youtube.com/watch?v=1dQf0sANoDw&feature=youtu.be&t=2m26s).

“It's extremely important that you be considerate of when and how you notify a user.” Developers are strongly encouraged to make notifications and other interactions between the wearable device and its wearer as ‘contextually relevant as possible.’ Google has provided APIs (application program interfaces) to help with this. For example, Koh recommends that developers use APIs in Google Play Services to set up a geo-fence that will make sure the wearer is in a specific location (i.e. “home”) before displaying certain information. Motion detection APIs for Wear can be used to front (or hide) notifications when the wearer is performing certain actions, like bicycling or driving."


Fearing HIPAA, Google Rules Out Health Apps For Android Wear

chicksdaddy chicksdaddy writes  |  about a month ago

chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/03/google-android-wear-isnt-ready-for-health-data/) that amid all the hype over what great new products might come out of Google's foray into wearable technology with Android Wear (http://www.android.com/wear/), there's one big category of application that is off the list: medical applications. The reason? HIPAA — the Health Insurance Portability and Accountability Act, which protects the privacy of patients' personal health information in the U.S.

Deep down in Google’s Developer Preview License Agreement (http://developer.android.com/wear/license.html) is language prohibiting Android Wear applications that involve personal health information:

“Unless otherwise specified in writing by Google, Google does not intend use of Android Wear to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Android Wear satisfies HIPAA requirements.”

Android Wear users who "are (or become) a Covered Entity or Business Associate under HIPAA... agree not to use Android Wear for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.”

Google’s prohibition of medical applications is interesting. The market for personal health devices is evolving quickly, and the U.S. government has already warned that – in some cases – mobile applications may count as a type of medical device regulated by the FDA (https://securityledger.com/2013/09/fda-says-some-medical-apps-a-kind-of-medical-device/).

No word from Google yet on how it plans to enforce the ban on medical applications for Google Wear, or what process it will set up to vet and approve health-related wearables. Given the potential for wearables to be used in health monitoring and the delivery of medical care, however, it's a problem that the company might want to jump on — fast!"


Is Analog The Fix For Cyber Terrorism?

chicksdaddy chicksdaddy writes  |  about a month ago

chicksdaddy (814965) writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls "analog hard stops" to cyber attacks.

Langner is one of the world's foremost experts on the security of critical infrastructure, and a noted expert on cyber weapons and the Stuxnet Worm. He said the wholesale migration from legacy, analog control systems to modern, digital systems is hard-coding "the potential for a disaster into our future."

Langner cautions against the wholesale embrace of digital systems by stating the obvious: that “every digital system has a vulnerability,” and that it’s nearly impossible to rule out the possibility that potentially harmful vulnerabilities won’t be discovered during the design and testing phase of a digital ICS product.

"The question of whether to go digital or stay analog should not presuppose an answer, but rather a rigorous assessment as to the full set of options and the associated risks to the process being controlled as well as to society at large," Langner writes.

For example, many nuclear power plants still rely on what is considered “outdated” analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune to cyber attacks.

Rather than bowing to the inevitability of the digital revolution, support from the U.S. Government (and others) for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."


Belkin WeMo Home Automation Products Riddled With Security Holes

chicksdaddy chicksdaddy writes  |  about 2 months ago

chicksdaddy (814965) writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin’s WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network.

IOActive researcher Mike Davis said on Tuesday that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” (http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html) IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. (http://www.kb.cert.org/vuls/id/656302). There has been no response yet from Belkin.

Among the problems discovered by Davis and IOActive: Belkin’s firmware reveals the signing key and password allowing an attacker with physical or logical access to a WeMo device to sign a malicious software update and get it to run on the device, bypassing security and integrity checks. Also, Belkin WeMo devices don’t validate Secure Socket Layer (SSL) certificates used with inbound communications from Belkin’s cloud service. That could allow an attacker to impersonate Belkin’s legitimate cloud service using any valid SSL certificate, potentially pushing a bogus firmware update or malicious RSS feed to deployed WeMo devices.

WeMo customers who are counting on their wireless router and NAT (network address translation) or a firewall to provide cover should also beware. Davis found that Belkin has implemented a proprietary 'darknet' that connects deployed WeMo devices by ‘abusing’ an (unnamed) protocol originally designed for use with Voice over Internet Protocol (VoIP) services. With knowledge of the protocol and a ‘secret number’ uniquely identifying the device, an attacker could connect to and control any WeMo device over the proprietary network."


IE 10 Zero Day Used in Watering Hole Attacks On Veterans

chicksdaddy chicksdaddy writes  |  about 2 months ago

chicksdaddy (814965) writes "Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms.

Some visitors to the web site of the VFW, vfw [dot] org, were the victim of a ‘watering hole’ attack starting on February 11. The attacks took advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. According to a write-up by the firm FireEye (http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html), the VFW site was hacked and then altered to redirect users to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32 bit versions of the Windows operating system.

Initial analysis of the attack suggests that it is part of a “strategic Web compromise targeting American military personnel.” FireEye said evidence points to hacking groups responsible for similar campaigns, including ‘Operation DeputyDog,’ which targeted high-profile Japanese firms as well as the US security firm Bit9, and ‘Operation Ephemeral Hydra,’ targeting military and public policy personnel.

FireEye dubbed the attack 'Operation Snowman,' saying that it was timed to coincide with a massive East Coast blizzard that affected the Washington D.C. area, as well as the President's Day federal holiday on Monday. Security Ledger notes that the attack was also timed to fall immediately after Microsoft issued its February security patches with the malware used in the attacks — standard operating procedure with attacks using Microsoft 0day exploits."


Google 'Mob Sourcing' Patent Uses Video Metadata To Identify Public Gatherings

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "File this one in your (bulging) 'creepy big data applications' folder: Google has applied to the US government for a patent on what is described as a method for “inferring events based on mob source video,” according to the Web site Public Intelligence. (http://info.publicintelligence.net/GoogleMobVideoPatent.pdf)

According to the application, Google has developed the ability to mine metadata from videos, photos or audio submitted by Google users (to YouTube, etc.) to infer that “an event of interest has likely occurred.” The technology surveys time- and geolocation stamps on the videos and other data to correlate the activities of individuals who might be part of a gathering, The Security Ledger reports.

The Patent, US2014/0025755 A1, was published on January 23, 2014. The technology, dubbed “mob sourcing” will allow Google to correlate video and images to infer the existence of groups (i.e. a public gathering, performance or accident), then send notifications to interested parties.

“Embodiments of the present invention are thus capable of providing near real-time information to pertinent organizations when users of wireless terminals (aka ‘mobile phones’) upload video clips to the repository upon being recorded,” the application reads.

The mob sourcing capability could be used to analyze and correlate video clips submitted by users either with the user’s permission or without it, Google claims. Consumer applications could allow YouTube users who upload a video to associate it with an ongoing event – say “South by Southwest Festival 2014” – making it easier for others to enjoy a crowd-sourced view of events. As for the non-consumer applications? Well...we know what those are."


In an age of cyber war, where are the cyber weapons?

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons?

Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea (https://securityledger.com/2013/03/dprkurious-is-north-korea-really-behind-cyber-attacks-on-the-south/). But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'?

Speaking at the recent S4 Conference, Ralph Langner, perhaps the world’s top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn’t count as cyber warfare. True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise.

Stuxnet, he notes, made headlines for using four exploits for “zero day” (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran’s centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country’s uranium enrichment operation.

Thomas Rid, of the Kings College Department of War Studies, said the conditions for using a cyber weapon like Stuxnet aren't common and the deep intersection of intelligence operations and cyber ops means that "all cyber weapons are bespoke." "If you want to maximize the effect of a cyber weapon," he said at S4, "the way you do it is with more intelligence.""


Cloud Providers Being Asked To Wall Off Data From US

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "The U.S. government is giving large Internet firms more leeway to discuss secret government requests for data (http://www.nytimes.com/2014/01/28/business/government-to-allow-technology-companies-to-disclose-more-data-on-surveillance-requests.html?hp). But when it comes to trust, the battle may already be lost. IT World reports that U.S. hosting companies and cloud providers say they now face pressure from international customers to keep data off of U.S. infrastructure – a request many admit is almost impossible to honor.

The article quotes an executive at one, prominent U.S. hosting firm who says that the picture of NSA spying that has come as a result of leaks by Edward Snowden prompted a slew of requests from European customers to have data cordoned off from U.S. infrastructure. Customers in Germany are often the source of the requests, he said, but the phenomenon isn't limited to Germany, where revelations of NSA spying there, including a tap on the phone of German Chancellor Angela Merkel, have stoked a kind of economic nationalism.

Chris Swan, the chief technology officer at Cohesive FT, a cloud networking company, said that his company began fielding calls from European clients, German companies in particular, last year. "They were asking for help finding and using non U.S.-affiliated infrastructure," he said.

"It’s a bit of a gradient with Germany at the top of the hill and the Swiss standing right alongside them," said Swan.

The requests take a couple different forms, according to the hosting company executive. Customers have asked for their data to be kept 'locally,' segregating it on infrastructure located within the geographic border of Germany or other EU nations that are not perceived to be subject to access from U.S. intelligence agencies. Others are asking for changes that at least give them plausible deniability with local press and government officials. For example, they might ask for hosting firms to transfer the registration IP addresses used to host content from U.S.–based entities to a German or EU-based subsidiary, according to the report."

Link to Original Source

Cisco: 1 Million Worker Shortage In IT Security

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "Cisco released its annual security report this morning and the news isn't good. Hidden amid the standard bad news (100% of 30 Fortune 500 companies were found to host malware on their network) is a particularly biting piece of bad news: a dire shortage of trained cyber security experts.

Cisco estimates that there is already a global shortage of up to one million cyber security experts in 2014. As the security demands on companies increase, that shortage is set to become even more acute, according to Levi Gundert of Cisco's Threat Research and Analysis Center. Expertise in areas like security architecture, incident response and threat intelligence is already in demand, and that is where organizations are going to feel the pinch of the skills shortage, he said."

Link to Original Source

Point of Sale Malware Suspect in Widening Retail Breach Scandal

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "Neiman Marcus became the latest prominent U.S. retailer to admit that its network was hacked and credit card data on customers stolen. (http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/) But the story isn't over. Reuters reported on Monday that attacks on at least three other well-known U.S. retailers took place in November and December and "were conducted using similar techniques as the one on Target." (http://mobile.reuters.com/article/idUSBREA0B01720140112?irpc=932) The common thread? Point of Sale malware like Dexter and Project Hook.

According to the Reuters report, which cited unnamed law enforcement officials and experts who were investigating the incidents, the malware used was described as a "RAM scraper," a possible reference to a feature of malware like Dexter, which uses RAM scraping to retrieve unencrypted credit card numbers from compromised point of sale systems.

The Security Ledger quotes experts from Arbor Networks who have observed a jump in Point of Sale malware with botnet-like command and control features. (http://www.arbornetworks.com/asert/2013/12/happy-holidays-point-of-sale-malware-campaigns-targeting-credit-and-debit-cards/) CERT echoed those warnings in an advisory issued last week. (https://securityledger.com/2014/01/us-cert-warns-about-point-of-sale-malware/)

According to Arbor, much of the newest PoS malware uses RAM scraping to steal data before sending it out, in encrypted form, to command and control servers managed by the cyber criminal group behind the attack."

Link to Original Source

Credit Cards Stolen From Target Used For Fraud...At Target

chicksdaddy chicksdaddy writes  |  about 4 months ago

chicksdaddy (814965) writes "In a great example of the cybercrime "chickens coming home to roost," credit card information stolen from box retailer Target has been linked to fraudulent purchases at large retail outlets, including Target itself, the web site Krebsonsecurity.com reports. (http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets)

Writing on Friday, Brian Krebs said that millions of the stolen cards are "flooding" underground carder web sites. Working with a source at a small New England bank, Krebs was able to identify hundreds of stolen credit card accounts being offered for sale from that bank alone on a carder site, rescator(dot)la. (http://rescator.la) The cards were being uploaded daily in batches of 100,000 or more, branded as the "Tortuga base."

A "point of purchase" analysis on 20 of the stolen accounts belonging to the bank and purchased from four of the "Tortuga" dumps confirmed Target as a common reference point for the cards. Even worse: "Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target," Krebs' source at the bank informed him. A number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including Target itself, he said.

After reports by Krebs about a major theft of credit cards, Target acknowledged the breach on Thursday, admitting that data on up to 40 million consumers may have been taken. (https://securityledger.com/2013/12/target-confirms-massive-breach-40-million-credit-cards-affected/)"

Link to Original Source

Thingful: Facebook For Smart Devices

chicksdaddy chicksdaddy writes  |  about 4 months ago

chicksdaddy (814965) writes "It's hard to put a number on exactly how many Internet connected "smart devices" will be served up by the end of the decade. 30 billion (http://www.gartner.com/newsroom/id/2621015)? 50 billion (http://blogs.cisco.com/diversity/the-internet-of-things-infographic/)? 75 billion (http://www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10)? Like McDonald's hamburgers, it's probably better to just say "billions and billions." After all, the exact number doesn't matter and everyone agrees there will be lots of them.

But all those devices – and the near-limitless IPV6 address space that will accommodate them – do present a management and governance problem (https://securityledger.com/2013/11/it-pros-internet-of-things-is-a-governance-disaster/): how do you find the specific device you’re looking for in a sea of similar devices?

What the world needs is a Google or, better yet, a Facebook for Internet of Things devices, and that’s what the folks over at the UK-based firm Umbrellium (http://umbrellium.co.uk/about-us/) introduced on Friday with thingful.net (http://www.thingful.net), a search engine that scours the Internet for smart devices.

Unlike Shodan (http://www.shodanhq.com/), the hardware search engine, Thingful is about building connections between Internet of Things devices. Thingful users register using a Twitter account, then associate discoverable smart devices they own with that account. Users can search for others nearby who own and operate smart devices and “follow” those devices, or network with other individuals who own specific types of smart infrastructure via Thingful.

Not that it's all voluntary. Thingful currently aggregates public data from connected devices. In large part that is through indexing IoT platforms like Xively, Smart Citizen (open source environmental monitoring), Weather Underground and Air Quality Egg. The search engine has indexed tens of thousands of devices globally, ranging from home thermostats and simple sensors to wired ocean monitoring buoys in the mid-Atlantic and tanker ships plying the Mediterranean, The Security Ledger reports."

Link to Original Source

FTC Brings Hammer Down On Maker Of Location-Snarfing Flashlight App

chicksdaddy chicksdaddy writes  |  about 5 months ago

chicksdaddy (814965) writes "The Federal Trade Commission (FTC) announced on Thursday (http://www.ftc.gov/opa/2013/12/goldenshores.shtm) that it settled with the maker of a popular Android mobile application over charges that the company used deceptive advertising to collect location and device information from Android owners, The Security Ledger reports.

The FTC announced the settlement with Goldenshores Technologies, LLC of Moscow, Indiana, makers of the “Brightest Flashlight Free” Android application, saying that the company failed to disclose wanton harvesting and sharing of customers’ location and mobile device identity with third parties.

Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. (https://play.google.com/store/apps/details?id=goldenshorestechnologies.brightestflashlight.free) Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars.

The application, which is available for free, displays mobile advertisements on the devices that it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers including what the FTC describes as “precise geolocation along with persistent device identifiers.”

As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."

Link to Original Source

In Letter To 20 Automakers, Senator Demands Answers On Cyber Security

chicksdaddy chicksdaddy writes  |  about 5 months ago

chicksdaddy (814965) writes "Cyber attacks on "connected vehicles" are still in the proof of concept stage (http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/). But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter (http://www.markey.senate.gov/documents/2013-12-2_GM.pdf) to 20 major auto manufacturers asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles.

Markey's letter, dated December 2, cites recent reports of "commands...sent through a car's computer system that could cause it to suddenly accelerate, turn or kill the brakes," and references research conducted by Charlie Miller and Chris Valasek on the Toyota Prius and Ford Escape (http://illmatics.com/car_hacking.pdf), presented at the DEFCON hacking conference in Las Vegas.

"Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN)...Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another," Markey wrote.

Among the questions Markey wants answers to:

+ What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points?
+ What are automakers' methods for testing for vulnerabilities in the technologies they deploy, including third-party technologies? Markey asks specifically about tire pressure monitors, Bluetooth and other wireless technologies, and GPS (like OnStar).
+ What third party penetration testing is conducted on vehicles (and any results)?
+ What intrusion detection features exist for critical components like controller area network (CAN) buses on connected vehicles?

A member of the Commerce, Science and Transportation Committee (http://www.commerce.senate.gov/public/), Markey is a longtime privacy advocate. He rose from the House to become the junior Senator from Massachusetts after winning a special election in June to replace Sen. John Kerry, who left office to become President Obama's Secretary of State."

Link to Original Source

Bitcoin's Popularity May Be Undermining its Anonymity

chicksdaddy chicksdaddy writes  |  about 5 months ago

chicksdaddy (814965) writes "The Security Ledger is reporting on an article in the December issue of Usenix's ;login: logout (https://www.usenix.org/publications/login) from researchers at UCSD and George Mason University that suggests reports of Bitcoin’s anonymity may (to paraphrase Twain) “be greatly exaggerated.”

Specifically: the researchers found that, by culling a variety of open source data including public data from the Bitcoin Peer to Peer network and public Internet postings, as well as their own Bitcoin transactions, they were able to “identify major institutions” engaged in Bitcoin transactions “and the interactions between them.”

By mapping unique Bitcoin change addresses, the researchers were able to positively identify 2,197 clusters of Bitcoins with common ownership. Those clusters were linked to over 1.8 million Bitcoin addresses.

The experiment, though small, suggests that a large slice of the public keys used in Bitcoin transactions – around 14 percent – can be linked back to larger, institutional players, including banks, Bitcoin (or BTC) exchanges or large vendors like the now defunct Silk Road. That centralization makes the Bitcoin network susceptible to surveillance by law enforcement or governments that have the computing power and determination to track down the individuals, groups and institutions at either end of specific exchanges.

The paper, "A Fistful of Bitcoins: Characterizing Payments Among Men with No Names" (http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf), was presented at the IMC (Internet Measurement Conference) 2013 Conference in Barcelona, Spain in October and is reprinted in the December issue of ;login: logout, a USENIX publication. It is based on research conducted at The University of California, San Diego and George Mason University. In it, the researchers, led by Sarah Meiklejohn of UCSD, used a combination of strategies to "de-anonymize" the Bitcoin network.

Aspects of the work have been noted before in news reports, including work that Meiklejohn did with Brian Krebs of Krebsonsecurity tracking an online purchase of heroin in Krebs' name (http://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-underground/). However, Meiklejohn and her colleagues have expanded their analysis of the Bitcoin protocol and its potential weaknesses."

Link to Original Source


chicksdaddy has no journal entries.