Posted by Kevin on October 6, 2014.
The ITsecurity daily security briefing: Monday, October 6, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
NEWS ONLY TODAY
CryptoWall updated to 2.0
Earlier this year F-Secure discovered a few CryptoWall samples that used Tor to hide their C&C servers. It seems they may have been betas. F-Secure has now found CryptoWall version 2.0 where use of Tor is standard.
“CryptoWall 2.0 appears to use a new packer/obfuscator with an increased amount of anti-debugging and anti-static analysis tricks. Upon reaching the final malicious payload, however, CryptoWall 2.0 is almost identical to the Torified CryptoWall 1.0 samples seen earlier this summer.”
Why Apple and Google must defy FBI demands for a Golden Key
On Sunday The New York Times published a rather gushing piece titled The Washington Post Regains Its Place at the Table. The general drift is that the decline of a once illustrious newspaper (think Watergate) has been reversed since Amazon’s Jeff Bezos took over.
“The Post has been guilty of boring its readers in the past, but the current version is a surprising, bumptious news organization — maybe not the pirate ship that Ben Bradlee helmed as executive editor, but it is a sharp digital and daily read. It’s creating challenges for, ahem, its competitors, and bringing significant accountability to the beats it covers.”
Strange, then, that such a challenging paper should have published Friday a dangerous, wrong and government-sucking editorial titled Compromise needed on smartphone encryption. It said,
“How to resolve this? A police ‘back door’ for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.”
If Apple and Google have (and they might have for all I know) a golden key, the government will simply demand and get that key and then use it indiscriminately. The FBI may claim that they only want to search phones under court order, but that’s just not their way. So The Washington Post is simply – and dangerously – wrong.
It might also be worth reading Why Apple’s iPhone encryption won’t stop NSA (or any other intelligence agency) published today by Andrew Zonenberg.
The Washington Post:
New head of MI6 announced
“With the agreement of the Prime Minister, the Foreign Secretary announced today that Alex Younger has been appointed as successor to Sir John Sawers as Chief of the Secret Intelligence Service. Alex will take up his appointment next month.
“Foreign Secretary, Philip Hammond said: ‘I am pleased to announce that Alex Younger has been appointed as the next Chief of the Secret Intelligence Service. The work of SIS is world-class, and its operation vital to the safety and security of the United Kingdom. Alex brings a wealth of relevant experience including his work in Afghanistan and helping keep the country safe during the London 2012 Olympics.’”
The Secret Intelligence Service used to be ‘the Very Secret Secret Intelligence Service’. It was only in 1994 that even its existence was acknowledged – which is probably the degree of accountability all intelligence services would prefer.
Twitter troll found dead
Brenda Leyland, accused by a Sky News reporter of being one of the Twitter trolls involved in a vitriolic campaign against Gerry and Kate McCann, has been found dead in a hotel room.
“A spokesman for Leicestershire Police said: ‘Police were called at 13:42 on Saturday 4 October to reports of a body of a woman in a hotel room in Smith Way, Grove Park [in Leicester].
“‘Officers have attended the scene and a file is being prepared for the coroner. The death is not being treated as suspicious.’”
A new petition on We the People
Unlock public access to research on software safety through DMCA and CFAA reform
“Software now runs consumer products and critical systems that we trust with our safety and security. For example, cars, medical devices, voting machines, power grids, weapons systems, and stock markets all rely on code. While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. Chilling research puts us all at risk. Protect the public from unsafe code and help us to protect ourselves. Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software.”
It’s a worthy demand – but it’s struggling, folks…
We the People:
Lawrence Lessig to interview Edward Snowden
Date: Monday, October 20, 2014, 12:00pm to 1:30pm
Location: Ames Courtroom, Harvard Law School
Institutional corruption and the NSA: Edward Snowden will be interviewed (via videoconference) by Lawrence Lessig about the NSA in a time of war, and whether and how the agency has lost its way.
This event is free and open to the public. Registration is required, and all attendees must present a ticket at the door. Registration is full, but we are accepting guests on our waitlist.
Harvard Law School:
Continuing claims that JPMorgan hackers also hit other banks
“About nine other banks and brokerages were infiltrated by the same group of hackers who recently attacked computer systems at JPMorgan Chase & Co, the New York Times reported late on Friday, citing unnamed people briefed on the matter.
“The report, which could not be independently verified and did not identify any of the victims beyond JPMorgan, said it was not clear how serious the attacks had been.”
There have been rumours that other banks were hacked since the first news of the JPMorgan attack – but nothing has ever been verified. If there are other victims, those banks will surely not wish to admit being breached. Customers, however, have a right to know for certain whether their accounts have been breached. It’s time for the truth.
Hewlett-Packard Plans to Break in Two
“Hewlett-Packard Co. plans to separate its personal-computer and printer businesses from its corporate hardware and services operations, the latest attempt by the technology company to improve its fortunes by breaking itself in two.
“The company intends to announce the move on Monday, people familiar with the plan said. It is expected to make the split through a tax-free distribution of shares to stockholders next year, said one of the people.
“If the division goes off as planned, it would give rise to two publicly traded companies, each with more than $50 billion in annual revenue.”
Wall Street Journal:
As if we needed more proof that the police abuse anti-terrorism laws
“Police used anti-terrorism powers to secretly spy on The Mail on Sunday after shamed Cabinet Minister Chris Huhne falsely accused journalists of conspiring to bring him down.
“Detectives sidestepped a judge’s agreement to protect the source for our stories exposing how Huhne illegally conspired to have his speeding points put on to his wife’s licence. Instead they used far-reaching powers under the controversial Regulation of Investigatory Powers Act (RIPA) – originally intended to safeguard national security – to hack MoS phone records and identify the source.
“They trawled through thousands of confidential numbers called by journalists from a landline at the busy newsdesk going back an entire year, covering hundreds of stories unrelated to the Huhne case.
“MPs last night warned that police use of RIPA to spy on journalists was a disproportionate use of power that would deter whistleblowers from approaching the media because of fears they could be unmasked by police.”
Dubai police will use facial recognition and Google Glass to look for wanted criminals
“The FBI is ramping up its facial recognition database and doctors are trying out Google Glass in emergency rooms. Now the Dubai police want to take it all to the streets. Reuters reports that the city is going to start equipping officers with Glass so they can use facial recognition to look for wanted criminals.
“A Dubai police spokesperson told the 7 Days newspaper that custom-made software will allow the officers’ Glass to sync with a database of faces. That way if police officers encounter wanted crooks, their eyewear can alert them.
“The Dubai police department will do a pilot phase where officers wear Glass to track traffic violations and look for offending vehicles. If that goes well, Glass will be distributed to detectives for the facial recognition program.”
Slate’s Future Tense: