Monday, December 30, 2013

Winners of the BH2013 #sophospuzzle - and how to solve it!

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

During the recent BlackHat 2013, we ran a #sophospuzzle to test your problem-solving mettle.

The puzzle came in four stages:

1. Crossword capers
2. Algorithmic anguish
3. Code conundrum
4. Hindsight horror

The following 20 people sent in evidence that they had completed Stage One, the crossword:

@glendubb [T]
Anonymous [T]
@MrAdz350 [T]
Adam Mazack [T]
@rbaranyi [T]
Ian Collier
ColinM
@SecAdept
@smashmore
@Vampaerus
@sfolsson
Bob
@superponible
WJM
@abduelhamit
@bigEdog
josh_dawes
@dumbsoutherner
Adam J
rakso75

Those marked [T] won T-shirts.

Thirteen people submitted correct solutions to the entire puzzle, successfully wrangling it right to the end:

@pkosinar [T]
Ian Collier [T]
@rbaranyi
@abduelhamit [T]
@martijn_grooten
@sfolsson [T]
@glendubb
Fred Bret-Mounet [T]
@trapflag
--- prize cutoff ---
@superponible
Adam Mazack
@strawp
@hearth

Again, those marked [T] won T-shirts.

The last four solvers missed the deadline for the prize draw, but gamely decided to keep going anyway - nice work!

There were two Big Prizes.

The first was for BlackHat 2013 delegates who submitted their entries in person at the Sophos booth; the second was open to Naked Security readers everywhere.

The BlackHat winner was @trapflag.

He receives a Cubify 3D printer.

The Naked Security winner was @rbaranyi.

He receives a remote controlled 1/16th scale tank.

Well done.

And that, of course, brings us to the part that everyone not on one or both of the lists above is eager to find out.

How did they solve it?

We've explained what you need to do, stage by stage...enjoy!

http://twitter.com/duckblog

Sunday, December 29, 2013

Security flaw with a difference - the Xerox scanner that makes your house smaller!

Friend and former colleague Graham Cluley just drew my attention to an astonishing security problem with Xerox scanners.

I bet you it isn't the sort of problem you're thinking of, either.

You may have read "scanner insecurity" stories before, and they've probably dealt with conventional security problems.

These were probably things such as incompletely deleted data left behind on the hard disks of decommissioned scanners; poor security configuration in network-enabled scanners, such as default passwords; and exploitable vulnerabilities in image-handling code built in to scanners.

This problem is quite different.

(For all we know, this flaw may be present in other vendors' scanners, too, as it is a consequence of an algorithm chosen for compression. Xerox comes into it simply because that is the brand of scanner in the story.)

A German computer scientist, David Kriesel, was perusing the rooms depicted on some building plans he had scanned on a Xerox WorkCentre scanner.

He spotted an alarming anomaly: high quality errors.

That sounds odd, and it was.

Normally, when you notice scanning errors, it's because the quality is poor and the details illegible.

A room that is 15m2 on the original might look like 1?m2 on the scanned copy, with the 5 scanned so badly that it doesn't even look like a digit.

Or the 15 might be blurred, or have enough stray pixels in it, that it looks like an indecisive 16.

What you don't expect is that a crisply printed 21m2 on the original would be rendered as a crisply scanned 14m2, say, on the copy.

In other words, given the analog-to-digital nature of the scanning process, you'd expect imperfections, but you'd also expect the unreliable parts to look unreliable, thus making their unreliability self-documenting.

It turns out that the Xerox scanner in question was using a compression scheme called JBIG2, which emerged from the grandly-named Joint Bi-level Image Experts Group.

Bi-level images, as the name suggests, have just one bit per pixel, such as the images used in fax machines (if you remember them).

And JBIG2 has a clever yet, with hindsight, very reckless feature: if two "swatches" of the image look like each other, the same data is used for both swatches, so that they effectively become identical.

This technique works perfectly in lossless compression, e.g. the deflate algorithm used in ZIP files, where the repeat of a string of characters such as NOTEWORTHY would be encoded as "repeat the ten characters I saw 164 bytes ago", not as another NOTEWORTHY.

But if imperfect matches were allowed, you might find NOTEWORTHY encoded as a repeat of NOT WORTHY, introducing an error that would be very hard to spot, despite the fact that the two phrases are antonyms.
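To make the "imperfect match" failure concrete, here is a small Python model of a JBIG2-style symbol dictionary, added for this write-up and not taken from Xerox's firmware or from the JBIG2 specification; the 5x7 digit glyphs, the Hamming-distance matching rule and the tolerance values are all constructed for the illustration. With tolerance 0 it behaves like deflate (exact repeats only); with a tolerance of a few pixels the crisp 8 in "18" comes back as an equally crisp 6.

```python
"""Toy model of JBIG2-style symbol matching.

A symbol dictionary holds one bitmap per "swatch" seen so far; each new
glyph is either added to the dictionary or replaced by a reference to an
existing entry.  With an exact-match rule this is lossless; with a pixel
tolerance a crisp '8' can silently come back as an equally crisp '6'.
Constructed illustration, not Xerox or JBIG2 reference code.
"""

# Constructed 5x7 bi-level glyphs: '#' is a black pixel, '.' is white.
GLYPHS = {
    "1": ("..#..", ".##..", "..#..", "..#..", "..#..", "..#..", ".###."),
    "6": (".###.", "#....", "#....", "####.", "#...#", "#...#", ".###."),
    "8": (".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."),
}


def hamming(a, b):
    """Number of pixels that differ between two same-sized bitmaps."""
    return sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


def encode(glyphs, max_distance):
    """Symbol-dictionary encoder.

    Each glyph becomes a reference to the first dictionary entry within
    max_distance pixels of it; if none is close enough, the glyph itself is
    added to the dictionary.  max_distance == 0 means exact reuse only,
    i.e. lossless; anything larger is the "imperfect match" that JBIG2's
    pattern-matching mode allows.
    """
    dictionary, refs = [], []
    for glyph in glyphs:
        index = next((i for i, symbol in enumerate(dictionary)
                      if hamming(glyph, symbol) <= max_distance), None)
        if index is None:
            dictionary.append(glyph)
            index = len(dictionary) - 1
        refs.append(index)
    return dictionary, refs


def decode(dictionary, refs):
    """Rebuild the page: every reference is rendered from its dictionary entry."""
    return [dictionary[i] for i in refs]


def recognise(bitmap):
    """Read a decoded bitmap back as a digit ('?' if it matches no glyph)."""
    for digit, glyph in GLYPHS.items():
        if glyph == bitmap:
            return digit
    return "?"


def scan_roundtrip(text, max_distance):
    """Encode and decode a string of digits; return what the copy reads as."""
    dictionary, refs = encode([GLYPHS[c] for c in text], max_distance)
    return "".join(recognise(bitmap) for bitmap in decode(dictionary, refs))


def substituted_positions(original, copy):
    """Verification step for archived scans: positions where the copy reads
    differently from the original even though every glyph is still crisp."""
    return [i for i, (a, b) in enumerate(zip(original, copy)) if a != b]


if __name__ == "__main__":
    plan = "1618"  # two room labels on the original: 16 and 18
    for tolerance in (0, 3):
        copy = scan_roundtrip(plan, tolerance)
        print(f"tolerance {tolerance}: {plan} -> {copy}, "
              f"substituted at {substituted_positions(plan, copy)}")
```

The substitution is invisible to anyone who only has the copy; the check in substituted_positions needs the original, which is exactly why the error is not self-documenting.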

The "fix", for our German computer scientist, seems to have been to use TIFF compression instead, a lossless image compression option supported by the scanner he was using.

Update: Xerox emailed us at 2013-08-10T11:15Z to point us at some official advice on the issue. In summary: JBIG2 compression isn't on by default. If you're worried someone might have changed the compression settings, a reset to factory defaults will change them back. Also, Xerox will be producing an optional patch that will prevent JBIG2 being turned on at all. (If you aren't sending faxes, you probably don't need it.)

The lesson to be learned here, other than that Graham has an excellent eye for interestingly quirky stories, is that algorithm choices are really important.

Imagine this sort of image transposition in a CCTV system that just recorded a crime.

Instead of a blurry and obviously inconclusive image of the perpetrator, which would make it obvious that evidence would have to be sought elsewhere, you might end up with a clear and convincing image of someone who just happened to look like the perpetrator.

Where security is concerned, it's not just how safely you store what you've collected, it's how reliably you collect it in the first place.

Follow @duckblog

Friday, December 27, 2013

NSA cutting 90% of sysadmin jobs to beef up security

Nobody named names, or suggested that the move was caused by one particularly problematic sysadmin and his habit of leaking classified data about surveillance programs like PRISM and XKeyscore.

As chief spyguy General Keith Alexander, director of the US National Security Agency (NSA), told a cybersecurity conference in New York City on Thursday, the project has been in the works for some time.

That project: the NSA plans to fire 90% of its sysadmins.

According to Reuters, Alexander told the security crowd that automating sysadmin work would improve security - the sooner, the better:

"What we're in the process of doing - not fast enough - is reducing our system administrators by about 90 percent."

The way it is now, the NSA relies on human analysts to use their carbon-based brains to transfer data, secure networks and do other things "that machines are probably better at doing," Alexander said.

One of those life forms, Edward Snowden, used to be one of some 1,000 system administrators that did the work.

Taking people like Snowden out of the loop and instead automating the work would make the NSA's networks "more defensible and more secure," as well as faster, he said, without naming Snowden.

The automation efforts predate Snowden's leaks, but post-Snowden, they've been accelerated.

Snowden, who leaked documents to The Guardian and the Washington Post about secret telephone and internet surveillance programs, has been granted temporary asylum in Russia but is still facing criminal charges.

Would organizations be better off without human sysadmins?

Undoubtedly, threats from insiders can't be taken lightly. Snowden wasn't the first sysadmin to prove that, by any means.

In April, for example, a former system administrator at the server hosting company Hostgator was arrested for hacking his former employer's network, having gotten in through a backdoor Trojan he had planted before he got sacked.

Employee hacker. Image courtesy of ShutterstockOf course, human employees of pretty much any job title can be ticking time bombs.

Back in 2010, a Bank of America insider admitted to planting malware on ATMs.

In July 2012, a mom was arrested for hacking school computers and tweaking her kids' grades.

Beyond taking humans out of the sysadmin role, Alexander has also previously talked about requiring at least two people to be present before certain data can be accessed.

Would automating system administration improve the NSA's security profile, or that of any organization, for that matter?

Your thoughts are welcome in the comments section below.

All I know is that there are hundreds of sysadmins who are looking at unemployment - ironic timing, that, given how it follows so close on the heels of System Administrator Appreciation day.

What would we do if human sysadmins were to go extinct?

For one thing, we'd miss out on the rantings against System Administrator Appreciation Day brought to us by one extraordinarily talented sysadmin who can both watch old episodes of Star Trek stashed in a hidden P2P directory on a laptop and also has more than a passing familiarity with cryogenics-related cuisine in the kitchen or server room.

More seriously, though, human sysadmins do serious lifting in the organization. As Sophos' Anna Brading put it on Sysadmin Day, they keep our systems up, patched, secure, fast and safe.

Do we really want to take humans out of the picture? Is such a trade-off worth the security gain?

Follow @LisaVaas

Follow @NakedSecurity

Image of unemployment and hacker courtesy of Shutterstock.

'Hack Facebook' works great - on YOU, not your intended victim

Want to hack a friend's Facebook account?

That's exactly what the "Hacking Facebook" site* promises it can do for you.

Actually, though, it turns out that it's not so much that the site can hack for you, but it most certainly can do it to you.

Security researcher Joshua Long writes that he tracked down the site after getting spam flaunting its Facebook hacking services.

What it's really up to, he writes, is a spendy little scam that offers to let you watch a Real! Live! Facebook! Hack! ... which, if you want to continue with this supposed "hack," requires that you send two SMS text messages to a number for codes:

"In short, the site tricks wannabe hackers into sending texts to a premium SMS number (81073), which leads to charges on their next phone bill.

"The site may also collect login details that could later be used to try to hack into the would-be hacker's various online accounts (Facebook or otherwise), and of course once the spammers have your phone number they might also send you text message spam (or sell your number to other spammers)."

Long offers this rough translation of the promises made by Hack Facebook:

Our site offers recovery services for the social network Facebook, our tool ensures you to hack a facebook account without software assistance.

Hack-face uses the most advanced exploits as well as 5 methods of decryption, so it is possible in a few minutes to get the password for the targeted account. Instantly receive email logins on your choice so that you can get access.

The site mixes wording associated with legitimate security services with that of malicious hacking, Long notes, as it first offers "recovery services" for regaining account access (sounds benign, eh? Don't count on it, he says), then jumps to the promise of hacking an account "without software assistance" and using "the most advanced exploits" on top of "5 methods of decryption" to get a target's password.

Long says there's also a portion of the site that offers a "Facebook Penetration Testing Tool" that uses "new technologies such as the cloud and exploit kits" to "effortlessly" hack Facebook.

What a mess of duplicitous verbiage, Long muses:

"The term 'penetration testing' implies that the tool attempts to find security weaknesses in a system with permission from the owners or operators of that system.

"I think it's fairly obvious that Facebook does not want everyone in the world to be able to hack into everyone else's account."

Definitely read Long's full post for his hypothesis on how the site might be rigged to get your login details, on top of the premium text-messaging scam it's pulling.

Naked Security offers some tips on dealing with mobile SMS/text spam here and Long provides a list of instructions for how to opt out of receiving premium text messages or disputing charges for most US providers.

*No, sorry, I'm not including a link to this site. I love you too much to expose you to such peril. Besides, Long fuzzed out the URL.

Follow @LisaVaas

Follow @NakedSecurity

Image of Facebook page and SMS scam courtesy of Shutterstock.

Thursday, December 26, 2013

Infecting iOS, OpenX backdoor, toilet hole, Android malware - 60 Sec Security [VIDEO]

Are Apple's iPhones really impervious to malware attack? What do you do if your software ends up pre-infected with a backdoor? What strength of password is appropriate for a toilet? And when will we get firmware updates for the Android code verification holes?

Watch this week's 60 Second Security and find out more!

Can't view the video on this page? Watch directly from YouTube. Can't hear the audio? Click on the Captions icon for closed captions.

(If you enjoyed this video, you'll find plenty more on the SophosLabs YouTube channel.)

http://twitter.com/duckblog

Tags: 60 Sec Security, 60 Second Security, 60 Seconds, 60SS, ad server, Android, Apple, Backdoor, bluetooth, ios, iPad, iPhone, lixil, Malware, master key, OpenX, PHP, toilet

Wednesday, December 25, 2013

Secure webmail service Lavabit suspends operation, citing legal issues

If you're interested in webmail security, you've probably heard of Lavabit.

It's a boutique webmail provider based in Texas, USA.

Lavabit differs from the big cloud email players, such as outlook.com and Gmail, by using encryption a bit differently.

It uses public key cryptography not only when you view your messages in your browser (that's the https:// part in the URL), but also when it stores your messages on its servers.

Public key cryptography, secretly invented by the British in the early 1970s under the mildly confusing moniker of NSE (non-secret encryption), uses two keys, not one, to secure your data. Anyone can lock a file for you to read later, using your public key. You may publish this key openly. But only you can unlock the file, using your private key. As the name implies, this is the one you keep to yourself.

What that means is that the contents of your messages aren't just encrypted on Lavabit's disks so that they are protected from abuse if someone steals the servers.

The theory is that they can't be decrypted "in the cloud" by Lavabit, or anyone else at all, unless you hand over your private key, or someone takes it from you, lawfully or unlawfully.

If this sounds like something you've heard a lot about lately, that's probably because larger-than-life Kiwi entrepreneur Kim Dotcom uses something similar in his MEGA file locker service, which opened with some fanfare early in 2013.

(Dotcom therefore not only keeps your content safe from surveillance or theft from his servers, he's also able to put his hand on his heart and say, "Your Worship, it was not possible for me to have known that those files were the complete works of Gene Roddenberry in remastered full HD video.")

Lavabit, as it happens, received a fair bit of publicity recently when it appeared that NSA whistleblower Edward Snowden, the man behind the PRISM revelations, was a user of its services.

Anyway, jumping back to the present: when I said that Lavabit "is a boutique webmail provider," that's not strictly true.

It used to be, but it isn't any more.

Founder Ladar Levison shuttered the service this week, or at least suspended it pending the outcome of some legal wrangles:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what's going on - the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What can one say to that? (That's a rhetorical question. You're welcome to answer it in the comments, but please try to be brief.)

Will existing users, seemingly including at least 350,000 people, ever get their data back?

Levison certainly seems to hope so, noting that:

We've already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

What do we make of this?

If you know your Latin, you'll be familiar with the phrase post hoc ergo propter hoc.

It means "afterwards, therefore on account of," a logical fallacy that reminds you that you can't assume X caused Y simply because Y followed X.

Otherwise you'd be able to reach ludicrous conclusions such as that last night's high tide was the reason I had a cup of coffee after getting up this morning.

So the connection between Snowden and the suspension of Lavabit is so far merely chronological, not necessarily causal.

Let's hope, then, that Levison is able to revive the service, not just so his users can get back into their data, but also so we can find out the true cause-and-effect in this story.

Of course, there's a technological lesson in here for all of us, too.

Lots of people seem to think that cloud services remove the need for you to keep your own backups, on the principle that "you don't buy a dog and bark yourself."

But even if your cloud provider has impeccable credentials in respect of integrity and confidentiality, the availability of your data may be threatened by circumstances outside the control of either of you.

Follow @duckblog

Image of Dark Staffordshire Terrier cross breed howling (it looks like a bark to me) courtesy of Shutterstock.

Tuesday, December 24, 2013

Android random number flaw implicated in Bitcoin thefts

Bitcoin is often in the news, not least because it is somewhat controversial.

It's a digital currency, backed by cryptography, not by any central issuing authority.

Its "coins" are strings of bits, and anyone can generate one, given enough time (and assuming no-one else generates the same coin first).

The calculations required to "mine" a Bitcoin are configured so that the complexity of finding them doubles every four years.

That means there's an exponential dropoff in the rate at which new Bitcoins appear, and that the supply is capped at 21 million Bitcoins.

The number remaining will quickly close in on zero, with 1/2 gone in 2012, 3/4 by 2016, 7/8 by 2020, and so on.

By about 2030, we'll be close to that asymptotic maximum of 21 million coins.

For what it's worth, and it is rather a lot, Bitcoin exchanges currently value each Bitcoin (BTC) around US$100.

Now, creating BTCs is one thing, but buying and selling with these digital strings - actually realising that $100/BTC - is quite another matter.

In fact, if you've read any BTC-related horror stories, like the time the value on Mt Gox imploded from $15 to 1c in minutes, or the time Bitfloor was floored by cyberintruders who ran off with $250,000, it almost certainly involved the trading infrastructure surrounding the Bitcoin algorithms, not the Bitcoin system itself.

Well, it's happened again.

You need somewhere to store your Bitcoins, and a digital wallet that uses public key cryptography is the obvious answer.

Simply put, you can trade in BTCs using an "address", which is actually a public key that others can use to transact with you.

The private key, as usual, you keep to yourself.

As long as you are the only person who knows it, only you can authorise transactions from that address; if you want to sell a Bitcoin sum, you can trade the private key for real money.

That means you need software that will create BTC addresses for you (public-private key pairs), and store your private key safely.

The public key algorithm used in the BTC infrastructure is called ECDSA, short for Elliptic Curve Digital Signature Algorithm.

To cut a long story short, generating a new ECDSA keypair requires you to use a random number between 1 and 2^ks - 1, where ks is the key size.

Once you're done, you can discard the random number - indeed, you don't want anyone else to find out what it is.

The mathematical basis of ECDSA means not only that you need the random number in order to go forwards to produce the public and private keys, but also that, with the public key and the random number, you can go backwards to work out the private key.

Of course, that also means your random number should be unique, not just secret, but since you don't keep it lying around after use, how can you ever be sure?

The answer is that the bare minimum officially sanctioned ECDSA key size is 160 bits, so that, at worst, there are 2^160 - 1 random values to choose from.

That's about 10 million million million million million million million million, so collisions shouldn't be a problem.

Unless you use a flawed pseudorandom number generator (PRNG), that is.

A PRNG produces an algorithmic sequence of "random" values, which has to start somewhere; if you start from the same place twice, you get the same sequence.

For some applications, where repeatability is needed, reseeding a PRNG from the same point is a feature, not a bug. Generally, however, you try to seed a PRNG using a bit string that is as close to hardware-random as you can get.

Bitcoin wallet software that re-uses random numbers was found last year by a researcher called Nils Schneider, who documented the computational steps that show why this is a bad thing.

Well, it's happened again.

It looks as though, at least on occasion, the Java-based PRNG on Android will repeat its pseudorandom sequences, thanks to a flaw in Android's so-called SecureRandom Java class.
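As an added illustration (not code from any of the affected wallets or from Schneider's write-up), the following Python models ECDSA signing on a toy curve with a PRNG that restarts from a fixed seed, a batch check that flags the tell-tale repeated r value, and a nonce derived from the private key and the message, in the spirit of RFC 6979, as the fix. The curve, the seed, the byte-sum stand-in for the hash and the messages are all constructed for the demonstration.

```python
"""Toy ECDSA on a tiny curve: a PRNG that restarts from a fixed seed makes
the per-signature nonce k repeat, the symptom is one r value shared by two
signatures, and the fix is a nonce derived from key and message (RFC 6979
style).  Constructed example on Paar & Pelzl's textbook curve, far too small
for real use; Bitcoin uses secp256k1, whose group order is 256 bits."""
import hashlib
import hmac

# Curve y^2 = x^3 + 2x + 2 over GF(17); generator G has prime order N = 19.
P, A = 17, 2
G = (5, 1)
N = 19

def ec_add(p1, p2):
    """Point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def toy_hash(msg):
    """Stand-in for SHA-256 reduced mod N; a byte sum keeps the demo traceable."""
    return sum(msg) % N

def sign(d, msg, nonce_source):
    """ECDSA signature (r, s) under private key d. nonce_source(msg, attempt)
    supplies the secret per-signature k, which must never repeat."""
    h = toy_hash(msg)
    for attempt in range(256):
        k = nonce_source(msg, attempt)
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (h + d * r) % N
        if r and s:
            return (r, s)
    raise ValueError("no valid nonce found")

def verify(q, msg, sig):
    """Standard ECDSA verification against public key q."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(toy_hash(msg) * w % N, G), ec_mul(r * w % N, q))
    return point is not None and point[0] % N == r

class BrokenPrng:
    """Models the Android flaw: every fresh instance starts from the same
    seed, so the first k it hands out is identical every time."""
    def __init__(self):
        self.state = 7  # constructed fixed seed; the bug is that it never varies
    def __call__(self, msg, attempt):
        self.state = (5 * self.state + 1) % 23
        return 1 + self.state % (N - 1)

def deterministic_nonce(d):
    """k = HMAC-SHA256(private key, message || attempt) mod N: no entropy is
    needed at signing time and distinct messages get distinct nonces."""
    key = d.to_bytes(4, "big")
    def nonce(msg, attempt):
        digest = hmac.new(key, msg + bytes([attempt]), hashlib.sha256).digest()
        return 1 + int.from_bytes(digest, "big") % (N - 1)
    return nonce

def repeated_r(signatures):
    """Defender's check over signatures made with one key: an r seen twice
    means the nonce was reused and that key must be retired."""
    seen, repeats = set(), set()
    for r, _ in signatures:
        (repeats if r in seen else seen).add(r)
    return repeats

if __name__ == "__main__":
    d, msgs = 5, [b"pay 1 BTC to alice", b"pay 5 BTC to mallory"]
    q = ec_mul(d, G)
    bad = [sign(d, m, BrokenPrng()) for m in msgs]  # fresh instance each time
    good = [sign(d, m, deterministic_nonce(d)) for m in msgs]
    print("broken PRNG:", bad, "repeated r:", repeated_r(bad))
    print("deterministic:", good, "repeated r:", repeated_r(good))
    print("all verify:", all(verify(q, m, s) for m, s in zip(msgs * 2, bad + good)))
```

Both signatures from the broken generator verify perfectly, which is the point: nothing in normal use reveals the problem, so the repeated-r scan over published signatures is the only symptom a wallet operator can check for.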

The Bitcoin Forum has already reported the theft of close to BTC56 (worth about US$6000) from a number of people.

A list of known-vulnerable Android Bitcoin wallets has been published by the Bitcoin Project, with instructions on what to do when the various wallet apps are fixed to use better-quality random numbers.

The Bitcoin Project doesn't go as far as suggesting that you stop using Android altogether to manage your BTC savings.

But perhaps you should consider it?

With two bad security holes recently exposed in Android's digital signature validation for apps, perhaps the platform isn't yet quite ready for the financial big time?

What do you think?

Are you ready to trust Android and Android apps with your hard-earned funds?

Follow @duckblog

Monday, December 23, 2013

Will insurance firms be the big winners in the struggle for cyber security?

A blog post by one of US President Obama's top cybersecurity advisers has sparked a debate on the importance of insurance in mitigating the threat posed by digital dangers to the world's businesses and government agencies.

The insurance world is a massive moneyspinner, with global premiums of over $4.6 trillion paid out last year.

Insurers are always on the lookout for new dangers to insure us against, and it seems like cybercrime, hacking and compromises of business networks are considered a booming sector, ripe for expansion and exploitation.

Michael Daniel, a special assistant to Obama and cybersecurity coordinator, posted to a Whitehouse.gov blog earlier this week discussing the Cybersecurity Framework being put together by the US government.

The aim of the Framework is to encourage and enable companies, especially those providing critical infrastructure services in the US, to ensure they keep their computers and networks safe from compromise and infiltration.

With input from various teams working on the framework, including Homeland Security and the Treasury and Commerce Departments, the article suggests a list of eight methods to help encourage firms to adopt the proposed framework.

Several of these measures revolve around simplified regulation, tax breaks, government grants, research support, and preferential contracts.

But top of the list is the suggestion that the insurance industry should be encouraged to get involved:

Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program.

The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.

The cybersecurity insurance market is relatively new and undeveloped, according to a study last year from consultants Cap Gemini. Although we started seeing insurance against infection thrown in with some AV products several years ago, this was little more than a gimmick and never really took off.

The involvement of the big insurance players, covering big companies against potentially massive losses, is steadily transforming it into a major business though. It's already raking in an estimated $1.3 billion per year in the US, with the rest of the world lagging some way behind.

Firms in Europe are slowly starting to expand into the field though, more than a year after the EU debated making cyber-insurance mandatory in some fields.

In Australia the market has been described as "promising to be a new boomlet", with insurance experts sharing tips with each other on how to promote their new products:

What is cyber crime really costing Australia and the rest of the world? Use these jaw-dropping stats if your clients need convincing of the need for cover against cyber crime.

So, assuming you're not an insurance salesman and haven't invested heavily in insurance company stocks, how will this benefit you?

First of all, there should be a major improvement in the stats. Analysis of the size of the cybercrime threat, the number of people it affects and the amounts of money involved tends to be rather hazy. It's a shadowy business of course, and pinning down its exact scope is complex and difficult.

Insurers love stats though. They need lots of data to calculate the odds on which to base their premiums.

If you want to insure yourself against getting your beard snagged in the wing mirror of a passing bus, you probably can, because they have detailed tables of historical data on how often that sort of thing happens, going back years (your premium will probably depend on the length and luxuriousness of the beard, and how often you hang out on bus routes).

For cybercrime though, the stats are thin on the ground, with little history and not much verification.

We routinely see studies and reports trying to put figures to various things, such as how many firms have been hit by cyber attacks, the amount lost to cybercrime each year (135,000 Euros per incident in Ireland, apparently, but $5.4 million in the US), or how those who should be measuring this stuff are simply giving the whole thing up as a lost cause.

Attempts to reckon up the cost of all cybercrime at national or global levels tend to be fairly vague, hyperbole-ridden and even contradictory of previous guesses, with methodologies often sloppy and open to criticism.

So, as money starts to flood into the insurance firms, hopefully some of it will trickle back out into funding more comprehensive and scientific research into measuring the scale and impact of the threat.

The more we know about the size of the danger, and the more detail we have about what's hitting who, where, and how hard, the easier it should be to target efforts to combat it.

There should also be more work done by businesses estimating their own risks from cybercrime, reckoned by some to be the biggest threat the world's businesses and governments face. The process of risk appraisal should give them some ideas of what needs to be done to cover the holes.

Secondly, there should be financial pressure on businesses to improve their defences. Just as house insurance is cheaper if you have an alarm system and high-quality locks, so your cyber insurance premiums will go down if you can prove you have top-notch security processes and technologies protecting your networks and data.

In the long term, that should benefit everyone, as companies will be encouraged to invest in security so they can save money on insurance. Breaches and data leaks will go down, our data will be kept out of the hands of the bad guys, and we'll be able to carry on our digital lives in blissful safety and privacy.

That's the theory at least. It could be, of course, that some firms will start slacking on the security front, feeling they don't need to bother too much as they'll be covered financially if there's a problem.

This would mean more hassle for us, as our data is left lying around on under-protected servers for anyone and everyone to harvest and exploit.

Whatever happens, it seems clear that as long as they can keep their premiums bigger than their payouts (a pretty safe bet), the one big winner will be the insurance firms.

Follow @VirusBtn

Sunday, December 22, 2013

Encrypted email service Silent Circle silences email in wake of Lavabit closure


Silent Circle - an encrypted e-mail service similar to Lavabit - says it "see[s] the writing on the wall" and has also shut down its email service.

Lavabit, a service used by whistleblower Edward Snowden, which used public-key cryptography to keep messages private even though they were stored in the cloud, abruptly shut down on Thursday.

Lavabit said that a gag order kept it from giving details about the legal wrangling that caused it to close.

Founder Ladar Levison said in a statement that it had come down to a decision: either "become complicit in crimes against the American people" or "walk away from nearly ten years of hard work by shutting down Lavabit."

Silent Circle, for its part, said it hasn't yet received subpoenas, warrants, security letters "or anything else by any government" - at least, not yet.

That's why it's acting now, the spy-proof communications provider said:

"We've been debating this for weeks, and had changes planned starting next Monday. We'd considered phasing the service out, continuing service for existing customers, and a variety of other things up until today.

It is always better to be safe than sorry, and with your safety we decided that in this case the worst decision is no decision."

"We apologize for any inconvenience, and hope you understand that if we dithered, it could be more inconvenient."

Silent Circle is not shutting down all its services, mind you - only Silent Mail.

The reason for the selective shutdown is that Silent Mail has "always been something of a quandary," the company said.

Email that uses the standard Internet protocols - SMTP, POP3 and IMAP - can't be secured end-to-end, the company says, because it has "far too many leaks of information and metadata" that are intrinsic to those protocols.

But the email shutdown goes deeper than these issues.

In a statement given to TechCrunch, Silent Circle CEO Michael Janke said that the company's high-profile, at-risk users are simply bound to be targeted by governments:

"There are some very high profile people on Silent Circle - and I mean very targeted people - as well as heads of state, human rights groups, reporters, special operations units from many countries.

We wanted to be proactive because we knew USG [US Government] would come after us due to the sheer amount of people who use us - let alone the 'highly targeted high profile people'.

"They are completely secure and clean on Silent Phone, Silent Text and Silent Eyes, but email is broken because govt can force us to turn over what we have. So to protect everyone and to drive them to use the other three peer to peer products - we made the decision to do this before men on [sic] suits show up.

Now - they are completely shut down - nothing they can get from us or try and force from us - we literally have nothing anywhere."

Silent Circle's pre-emptive closure, on top of Lavabit's self-suspension, has bolstered critics who say that the survival of the technology sector is being threatened by the US government's uncontrollable hunger for surveillance.

Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society, wrote this of Lavabit's voluntary shutdown:

"The fact that neither Americans nor foreigners trust the U.S. government and its NSA anymore puts the U.S. communications companies at a severe competitive disadvantage. American law provides almost no protection for foreigners, who comprise a growing majority of any global company's customers.

And even though Americans receive more nominal legal protection, we now know that these legal protections haven't stopped the NSA from wiretapping fiber optic cables inside the United States, warrantlessly gathering Americans' emails and chats from service providers like Google, Microsoft, Yahoo and Apple, collecting phone records on every American for the past seven years, or demanding that companies build, or at least maintain, surveillance backdoors in products advertised as secure from eavesdropping."

Silent Circle is not closing down completely.

The company says that in contrast to its email, its phone, text and teleconferencing offerings - Silent Phone, Silent Text and Silent Eyes - are secured end to end.

The company doesn't have encrypted data and doesn't collect metadata from the conversations that take place through these venues, Silent Circle says, so those offerings will continue as they have, while the company continues to work on improving secure communications.

As for Lavabit, Levison says that the company has already begun to prepare paperwork so as to "fight for the Constitution in the Fourth Circuit Court of Appeals."

He says that a favorable decision would allow him to "resurrect Lavabit as an American company."

Follow @LisaVaas

Saturday, December 21, 2013

Facebook users worldwide (minus some mobile phones) now getting secure web browsing by default


Facebook initially introduced full-time HTTPS (secure HTTP) as an option in January 2011.

Before that, the site protected your password during login using HTTPS, but left the rest of your session unencrypted.

The change came about because, back in October 2010, a Firefox plugin called Firesheep was released as a proof of concept that sniffing the session cookie from an unencrypted connection after login was all an attacker needed to hijack your account.

This made Facebook's new option welcome, but being opt-in meant it really didn't go far enough.

So, in an open letter in April 2011, Naked Security asked Facebook to improve privacy and safety by turning on HTTPS for everything.

In November 2012, Facebook finally did move to make secure browsing a default, at least for users in North America.

And on Wednesday, Facebook announced that it is now using HTTPS by default for all users, so the rest of the world has finally caught up. (Well, almost. Some mobile phones and carriers don't fully support HTTPS.)

Why did it take so long?

Because it involved a lot of moving parts, explains Facebook software engineer Scott Renfro.

Namely, it involved getting third-party application developers to upgrade, getting web-browser cookies to be compliant, controlling referrer headers, and migrating users to HTTPS without disrupting "in-flight" sessions, i.e. upgrading people while they're actually using the site.
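The cookie item in that list is the one Firesheep exploited: a session cookie set without the Secure attribute is sent on every plain http:// request for the site, which is all a sniffer on an open Wi-Fi network needs. The following is an added example, not Facebook's code or anything from Renfro's post; it parses Set-Cookie headers, applies the Domain, Path and Secure rules a browser uses to decide whether a cookie goes out with a request, and flags session cookies that would travel in the clear. All headers and cookie names are constructed for illustration.

```python
"""Added example, not Facebook's code or anything from Renfro's post: audit
Set-Cookie headers for the attributes that matter when a site moves from
opt-in HTTPS to HTTPS everywhere, and decide whether a browser would attach
each cookie to a plain http:// request (the exposure Firesheep exploited).
All headers and cookie names below are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed Set-Cookie headers as a server might emit them mid-migration.
SAMPLE_SET_COOKIE = [
    "session=8f2a9c1d; Path=/; Domain=.example.com; HttpOnly",           # no Secure flag
    "remember=5b7e0d33; Path=/; Domain=.example.com; Secure; HttpOnly",  # correct
    "locale=en_US; Path=/; Domain=.example.com",                         # not sensitive
]

# Cookies whose theft equals account takeover; the names are an assumption.
SESSION_COOKIES = {"session", "remember"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lowercase attribute map.
    Flag attributes without a value (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def would_be_sent(cookie, request_url):
    """Would a browser attach this cookie to a request for request_url?
    Implements the Domain, Path and Secure rules of RFC 6265 section 5.4
    (SameSite and expiry are ignored here)."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    attrs = cookie["attrs"]
    domain = attrs.get("domain")
    if isinstance(domain, str):
        domain = domain.lstrip(".").lower()
        if host != domain and not host.endswith("." + domain):
            return False
    path = attrs.get("path")
    if not isinstance(path, str):
        path = "/"
    if not (url.path or "/").startswith(path):
        return False
    if attrs.get("secure") and url.scheme != "https":
        return False
    return True


def audit(headers, session_cookie_names=SESSION_COOKIES):
    """Return (cookie name, problem) pairs for session cookies that a sniffer
    on an open Wi-Fi network, or a script injected via XSS, could read."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in session_cookie_names:
            continue
        if not cookie["attrs"].get("secure"):
            findings.append((cookie["name"],
                             "missing Secure: sent in clear on any http:// request"))
        if not cookie["attrs"].get("httponly"):
            findings.append((cookie["name"],
                             "missing HttpOnly: readable by page script"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_SET_COOKIE):
        print(f"{name}: {problem}")
    session = parse_set_cookie(SAMPLE_SET_COOKIE[0])
    print("session cookie leaks over http://:",
          would_be_sent(session, "http://www.example.com/home"))
```

Note the migration trap this makes visible: a cookie set before the switch stays exactly as it was, so a site that has turned on HTTPS by default is still leaking every old session cookie on any stray http:// request (an image link, a redirect, a typed URL) until the cookie is reissued with Secure. That is the "getting web-browser cookies to be compliant" work Renfro refers to.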

Performance has also been a huge challenge, Renfro says, given the extra hoops browsers have to jump through with HTTPS:

In addition to the network round trips necessary for your browser to talk to Facebook servers, https adds additional round trips for the handshake to set up the connection. A full handshake requires two additional round trips, while an abbreviated handshake requires just one additional round trip. An abbreviated handshake can only follow a successful full handshake.

Here's an example from Renfro of how that extra latency can make users with already-slow connections suffer yet more, and how Facebook has eased the pain:

If you're in Vancouver, where a round trip to Facebook's Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn't noticeable. However, if you're in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating. Thankfully, we've been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.

Facebook's work on secure browsing is most certainly not done, mind you: the company says it's still working with mobile phone vendors to make it happen there.

Renfro calls HTTPS by default a "dream come true" — a goal that the company's network, security, traffic, and security infrastructure teams have been working on for years.

When Facebook first rolled out HTTPS by default, Naked Security was stuck with a heap of "Dislike" t-shirts that didn't seem appropriate anymore, so the team gave them away to readers.

Sorry, I don't know of any plans to print up "Like" t-shirts over the news that HTTPS by default is finally, for the most part, a dream come true.

But, Facebook engineers, here are two big, virtual thumbs-up for the work you've done. Let's hope it works out well for the mobile outliers, as well.

Follow @LisaVaas

Thursday, December 19, 2013

Humans still the weakest link as phishing gets smarter and more focused


The latest figures from the Anti-Phishing Working Group (APWG) show a distinct decline in the numbers of phishing sites reported to it, and in the number of separate brands targeted.

A survey compiled by Verizon, on the other hand, implies that almost all incidents of cyber espionage reported in the last year included some phishing component.

An academic study into human susceptibility to phishing has found that 92% of people misclassify phishing emails, despite efforts to educate people about the dangers.

Put together, this seems to confirm a general feeling that phishing attacks are becoming less scatter-gun, focusing more on specific targets, with more care and attention put into making them more enticing, more believable and harder to spot.

The APWG quarterly report, covering the first three months of 2013 but only released earlier this week, found that phishing attacks dropped 20% between January and March, with February's figures the lowest since October 2011.

The number of brands targeted is also down on the previous quarter, although 2012 numbers were considered exceptionally high.

As the stats are based on phishing pages and incidents reported to the APWG by the public, it's not clear if the drop in numbers is down to a real drop in actual attacks, or simply due to them becoming harder for people to spot, leading to fewer reports.

Ihab Shraim, CISO at news behemoth Thomson Reuters, is quoted in the APWG report describing the trends in a way that supports both explanations:

These changes are likely due to a shift to more advanced and targeted techniques for credential theft including malware and stealthier spear phishing.

Phishing has been around for years now, with a fairly well-known set of targets, tricks and tell-tale signs, but we still see new techniques emerging, making the smarter scams harder for both machines and humans to detect.

Spear-phishing of highly focused targets has been the driving force behind a number of major compromises lately, from high-profile hacktivism like the recent Viber heist to more stealthy targeted penetrations.

Educating users to keep a wary eye out for phishing attempts has been a major focus for security admins and providers, but it seems like the bad guys are managing to keep ahead of the curve.

Academics at North Carolina State University have been looking into the characteristics of people who fall for phishes, combining personality studies with experiments using swathes of legitimate and phishing emails.

They found that confidence is high, with 89% thinking they can spot the dodgy messages, but 92% didn't get it right every time, with 52% getting it wrong more than half the time and 54% having at least one false positive incident, trashing a real email in the belief that it was a scam.

They also found that people who thought of themselves as “less trusting, introverts, or less open to new experiences” threw out more genuine mails, while women were less adept than men at spotting phishing messages.

The researchers, whose work is part-funded by the beleaguered NSA, suggest that as the human mind is the main issue, education remains the most important weapon in the battle against the phishers.

The team is working towards a system of teaching which will effectively prepare people to avoid being tricked.

While technical countermeasures such as improvements in secure browsing will play a part, as will making sure the bad guys are brought to book wherever possible, it's clear that the psychological battleground is vital.

Phishing has come a long way from the old days when simply keeping an eye out for dodgy grammar and sloppy spelling was enough. Education techniques clearly need to evolve to keep pace with the growing sophistication of phishing scams.

A major difficulty is the tendency to focus on specifics; any list of tell-tale signs is likely to date quickly, as techniques evolve and old mistakes are learnt from.

The main thing is to maintain a skeptical disposition. Social engineering relies on leveraging the most potent human emotions, its main weapons being sex, greed, fear and other basic urges. These can only be combated by logic, clear thinking and good sense.

So next time you see an unexpected message asking for your login info or other sensitive data, stop a moment. Take a few deep breaths, and have a good look around.

Ask yourself a few key questions: Am I sure I am where I think I am? How exactly did I get here? Do I really need to provide this info? What could possibly happen if this info got into the wrong hands? Am I being hurried into something I wouldn't normally do?
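The first two of those questions, "am I where I think I am?" and "how did I get here?", can be asked mechanically of every link in a message before a human ever sees it. The following is an added example, not from the APWG, the NCSU researchers or Naked Security: it pulls the links out of an HTML email and flags the classic tricks, a displayed URL that differs from the real destination, a lookalike host that is not under the brand's domain, a raw IP address, and the userinfo-before-@ trick. The message and the domain bank-example.com are constructed.

```python
"""Added example, not from the APWG, NCSU or Naked Security: mechanical checks
a mail filter (or a suspicious reader) can apply to the links in an HTML email,
built around the question "am I where I think I am?". The message is
constructed; bank-example.com stands in for the impersonated brand."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing email body with three links of varying honesty.
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended unless you verify it
within 24 hours.</p>
<p><a href="http://secure-bank-example.com.login-check.example.net/verify">
https://www.bank-example.com/verify</a></p>
<p><a href="http://bank-example.com@203.0.113.5/">Customer portal</a></p>
<p><a href="https://www.bank-example.com/help">Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_part(host, labels=2):
    """Last two labels of a hostname. A real filter would use the public
    suffix list; the two-label rule is a simplifying assumption."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, expected_domain):
    """Return the reasons this link looks like it leads somewhere other than
    where it claims; an empty list means nothing was found."""
    reasons = []
    url = urlsplit(href)
    host = url.hostname or ""
    if url.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
    if url.scheme == "http":
        reasons.append("plain http:// link")
    if registrable_part(host) != expected_domain:
        reasons.append(f"link host {host!r} is not under {expected_domain!r}")
    # Displayed URL that differs from the real destination: 'how did I get here?'
    if text.startswith(("http://", "https://")):
        shown = urlsplit(text).hostname or ""
        if registrable_part(shown) != registrable_part(host):
            reasons.append(f"displayed URL host {shown!r} differs from real host {host!r}")
    return reasons


def audit_email(html, expected_domain):
    """Map each href in the message to its list of reasons for suspicion."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, expected_domain) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_HTML, "bank-example.com").items():
        print(href, "->", reasons or "looks consistent")
```

These checks are deliberately about where a link goes rather than how the message is worded, for the reason the article gives: spelling and grammar heuristics date quickly, whereas a link whose displayed host differs from its real host is a structural lie that does not improve with better copywriting. The two-label domain rule is the weak spot; use a public-suffix list in anything real, or co.uk-style brands will be misjudged.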

You may find that simply stepping back and looking at things with a cool head will keep you from blundering into danger.

Follow @VirusBtn

NSA's XKeyscore is a global dragnet for vulnerable systems


XKeyscore doesn't just turn somebody's internet life inside out. It's also a bloodhound for sniffing out vulnerable systems.

A training slide on page 24 of the National Security Agency's 2008 presentation on the program, as revealed on Wednesday by The Guardian (via Edward Snowden), states it quite baldly:

Show me all the exploitable machines in country X
- Fingerprints from TAO [Ed. Note: Tailored Access Operations, the NSA organisation that hacks the networks of foreign governments and organizations] are loaded into XKEYSCORE's application/fingerprintID engine
- Data is tagged and databased
- No strong-selector
- Complex boolean tasking and regular expressions required

According to Ars Technica's Sean Gallagher, the vulnerability "fingerprints" are added to serve as filtering criteria for XKeyscore's application engines, which consist of "a worldwide distributed cluster of Linux servers attached to the NSA's Internet backbone tap points."

This turns XKeyscore into a passive port scanner, Gallagher writes, which can be used to search for network behavior on systems that match the NSA TAO's profiles for exploits or for systems already exploited by malware that the TAO can then take advantage of.

He explains how this could give the NSA a toehold of surveillance in countries such as Iran or China:

This could allow the NSA to search broadly for systems within countries such as China or Iran by watching for the network traffic that comes from them through national firewalls, at which point the NSA could exploit those machines to have a presence within those networks.
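The mechanism Gallagher is describing is passive fingerprinting: nobody probes the target, the tap simply watches the banners and headers hosts already send, tags each host by what matched, and then answers boolean queries over the tags. The following is an added example, a toy engine of that general kind; it is not XKeyscore's code, not derived from the slides, and every record, address and fingerprint in it is constructed. No version string in it is claimed to be vulnerable; the point is the tag-then-query shape, in which "exploitable" is just another tag an analyst can task on.

```python
"""Added example, not XKeyscore's code or anything from the leaked slides: a toy
passive fingerprinting engine of the general kind Gallagher describes. Regular
expression fingerprints are matched against banners seen on a tap, results are
indexed per host, and 'tasking' is a boolean query over that index. Nothing is
ever sent to the hosts. All records, addresses and fingerprints are constructed;
no version named here is claimed to be vulnerable."""
import re

# Constructed tap records: (client, server, server_port, first server bytes seen).
TRAFFIC = [
    ("198.51.100.10", "203.0.113.7", 22, "SSH-2.0-OpenSSH_4.3\r\n"),
    ("198.51.100.10", "203.0.113.9", 80,
     "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"),
    ("198.51.100.11", "203.0.113.15", 80,
     "HTTP/1.1 200 OK\r\nServer: nginx/1.4.2\r\n\r\n"),
    ("198.51.100.12", "203.0.113.21", 22, "SSH-2.0-OpenSSH_6.2\r\n"),
]

# Hypothetical fingerprints: name -> (port to match, or None for any; regex over the banner).
FINGERPRINTS = {
    "ssh_openssh_4x": (22, re.compile(r"^SSH-2\.0-OpenSSH_4\.")),
    "http_apache_2_2": (80, re.compile(r"^Server: Apache/2\.2\.", re.M)),
    "http_nginx": (80, re.compile(r"^Server: nginx/", re.M)),
}


def tag_record(record, fingerprints=FINGERPRINTS):
    """Apply every fingerprint to one record; return the names that matched."""
    _client, _server, port, banner = record
    return {name for name, (fp_port, rx) in fingerprints.items()
            if fp_port in (None, port) and rx.search(banner)}


def build_index(traffic, fingerprints=FINGERPRINTS):
    """The 'tagged and databased' step: server address -> set of fingerprint tags."""
    index = {}
    for record in traffic:
        tags = tag_record(record, fingerprints)
        if tags:
            index.setdefault(record[1], set()).update(tags)
    return index


def task(index, any_of=(), all_of=(), none_of=()):
    """Boolean tasking over the index: servers carrying any of any_of, all of
    all_of and none of none_of. Returns addresses sorted for stable output."""
    hits = []
    for server, tags in index.items():
        if any_of and not tags & set(any_of):
            continue
        if not set(all_of) <= tags:
            continue
        if tags & set(none_of):
            continue
        hits.append(server)
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(TRAFFIC)
    print("servers tagged OpenSSH 4.x or Apache 2.2:",
          task(idx, any_of=["ssh_openssh_4x", "http_apache_2_2"]))
```

The defensive reading is the useful one: anything your servers volunteer in a banner or a Server: header is collected for free by whoever sits on the path, and the only mitigation that helps against a passive observer is to stop announcing versions, since there is no scan to detect or block.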

The slides also explain how XKeyscore can track encrypted VPN (Virtual Private Network) sessions and their participants, and can capture metadata on who's using PGP encryption in email or who's encrypting Word documents, which can later be decrypted.

XKeyscore keeps all trapped Internet traffic for three days, but metadata is kept for up to 30 days.

That month gives the NSA time to trace the identity of those who created the documents its analysts intercept.

As the slides imply, this gives XKeyscore the unique ability to scour traffic that hasn't yet been targeted for monitoring.

"No other system performs this on raw unselected bulk traffic," they state.

XKeyscore's nature was disputed when it was first revealed.

What is XKeyscore, exactly?

Is it a tool that can scour all things internet for surveillance purposes, or is it merely a database search tool plunked on top of databases full of already-captured data from other surveillance sources, as maintained by US journalist Marc Ambinder?

It sure does sound like a surveillance tool, going by the NSA's own description.

According to the slides published by The Guardian, XKeyscore is:

DNI [ed.: Digital Network Intelligence] Exploitation System/Analytic Framework
- Performs strong (e.g. email) and soft (content) selection
- Provides real-time target activity (tipping)
- "Rolling Buffer" of ~3 days of ALL unfiltered data seen by XKEYSCORE:
  - Stores full-take data at the collection site, indexed by meta-data
  - Provides a series of viewers for common data types
- Federated Query system: one query scans all sites
- Performing full-take allows analysts to find targets that were previously unknown by mining the meta-data

Has The Guardian mischaracterized XKeyscore as a top-secret, extraordinarily powerful surveillance tool?

I'm trying to keep my mind open, but it's hard to dismiss The Guardian's reporting, and it's hard to deem Edward Snowden's depiction of the NSA's activities as "hyperbolic," as some have deemed them, given the descriptions in these slides.

I'm no programmer, but when somebody calls a program an "exploitation system" that can be used "to find targets that were previously unknown by mining the meta-data," that sure does sound like a surveillance tool to me.

A frighteningly powerful one, at that.

Follow @LisaVaas

Wednesday, December 18, 2013

Rabid trolls prompt Twitter to promise 'Report Abuse' button on all messages


UK journalist and feminist leader Caroline Criado-Perez spearheaded a campaign to replace Charles Darwin's image with Jane Austen's on a British banknote.

Good idea, said the Bank of England. Then, all hell broke loose.

For nearly 48 hours following last Thursday's announcement that Jane Austen's likeness would grace the £10 note starting in 2017, the death and rape threats poured in from Twitter.

According to Criado-Perez, during that period, she received a flood of internet trollery ejaculated at the rate of 50 pieces of scum per hour.

At least one of her supporters, MP Stella Creasy, also received murder and rape threats.

On Sunday night, police arrested a 21-year-old man in Manchester in connection with the hostile tweets.

Over the weekend, the vitriolic storm had serious repercussions for Twitter, which is now looking at a threatened boycott for its failure to stop this kind of abuse.

As of Wednesday morning, a Change.org petition calling for Twitter to add a "report abuse" button to its service had attracted 106,258+ supporters.

Twitter has responded, promising exactly that.

TechDay reports that Twitter will work on such a button, added to all messages, though it's already available on iPhone apps.

The company plans to expand the function to Android and beyond.

As it is, Twitter's existing rules call for suspension of accounts that get reported for abuse of its rules.

That, obviously, wasn't sufficient for many people.

In the fallout from the Criado-Perez incident, Mark S. Luckie, manager of Journalism and News on Twitter, was forced to lock down his account in response to public outcry, TechDay reports.

Beyond the new Report Abuse button, Twitter asked for all police reference numbers and specific tweets so that the company can ensure that both Criado-Perez and Creasy were "connected to the right people for conversations to continue on Monday", according to HuffPost.

HuffPost reports that Creasy had asked for a meeting with Twitter, along with fellow MP Steve Rotherham "on how we ensure that Twitter is able to comply with the Protection From Harassment Act in Britain."

Whether or not a Report Abuse button will help curb such attacks is now a matter of debate, as can be seen on Twitter itself.

One user, Simon Evans, suggested that such a button would be used "with all the restraint [with which] the Simpsons used their electric shock buttons on each other."

On the broader subject of just what, exactly, happens to reports of abuse, the BBC filed a Freedom of Information request.

The request has revealed that more than 1,700 cases involving abusive messages sent online or via text message reached English and Welsh courts in 2012, the BBC reported on Tuesday.

That represents a 10% increase on the figures for 2011, according to the Crown Prosecution Service (CPS).

Many users of Twitter, along with other platforms, make threats of murder or death, often meant as jokes.

Just yesterday three more female UK journalists - Guardian columnist Hadley Freeman, Independent columnist Grace Dent and Time magazine's Catherine Mayer - received the same bomb threat from anonymous users on Twitter, detailing how bombs had been placed outside their houses, ready to explode at exactly 10.47pm.

It's important to bear in mind that such threats are a criminal offense in many places, regardless of whether they spout from a pugilistic mouth or via email, blog, phone call, or newspaper ad.

Here's a blurb from the law in the US state of Alaska:

A person commits the crime of coercion if the person compels another to engage in conduct from which there is a legal right to abstain or abstain from conduct in which there is a legal right to engage, by means of instilling in the person who is compelled a fear that, if the demand is not complied with, the person who makes the demand or another may inflict physical injury on anyone...

Under California law, a death threat of any kind, whether it's meant as a joke or not, is a misdemeanor punishable by up to a year in prison and restitution payments for any personnel, emergency response, or property damage the threat causes, according to attorney Daniel Jensen.

A theoretical example, from Jensen's law office:

If you plant a fake bomb and issue a death threat, even as a joke, you can be fined for the full cost of containing and disposing of the fake bomb. Depending on what cleanup services are needed, if any, these fines could be substantial.

OK, sounds serious. Do such laws actually stop anybody? If so, you'd think that internet trolls would be lawsuited into oblivion, right?

There have been scads of court cases involving intimidation-via-social media, but what's the likelihood of anybody actually getting convicted and penalized?

Well, that's a good question, I told myself.

Here are a few cases of Twitter prosecutions:

- Two teenage girls from Steubenville, Ohio: arrested in March and charged with sending online threats to a 16-year-old rape victim via Twitter. A 16-year-old was charged with a misdemeanor count of aggravated menacing for threatening the victim's life; a younger girl was charged with a misdemeanor count of menacing for threatening bodily harm. They were both charged with intimidation of a witness, which is a felony.
- Paul Chambers: convicted in a UK court of sending a menacing message over a public electronic communications network, based on a tweet joking about blowing up Robin Hood Airport because they couldn't get the snow cleared. It was obviously a lame joke, and the conviction was quashed on appeal in 2012.

Short of prosecution, what do you think about Twitter's Report Abuse button?

Will it help to shut these trolls the &^%$$ up?

Would a boycott of Twitter help? Or is that misplaced blame, given that Twitter can't possibly police every single tweet that flows through it?

Your thoughts are welcome - particularly since somebody(ies) behind the magic curtain at Naked Security headquarters, praise be, keeps troll comments from getting published.

(Thanks, guys!)

Follow @LisaVaas

Tuesday, December 17, 2013

Apple to fix iPhones' vulnerability to boobytrapped chargers


Following a Black Hat demonstration on Wednesday in which researchers plugged an iPhone into a malicious charger programmed to attack iOS devices, an Apple spokesman told Reuters that the next software update will fix the bug that enables the hack.

Apple's iPhones and iPads will be vulnerable until they get the iOS 7 update, which is scheduled for release later this year.

A spokesman told Reuters that the issue has already been fixed in the latest beta of iOS 7, which has been released to software developers.

The attack employs a malicious USB charger dubbed "Mactans" that was first publicized in June.

Mactans is a simple device: a custom-built charger equipped with a tiny Linux computer that's programmed to compromise iOS devices.

It attacks devices within a minute of connecting, needing neither jailbreaking nor input from the phone's user to succeed.

Its creators say it cost about $45 to buy and took about a week to design.

The successful attack leads to a persistent infection of software that's invisible to a phone's user, relying as it does on the built-in concealment techniques that Apple itself has put in place to hide some of its own apps.

Mactans, which was created by researchers from the Georgia Institute of Technology, was demonstrated at Black Hat by research scientist Billy Lau, along with graduate students Yeongjin Jang and Chengyu Song.

During their presentation, the researchers succeeded in infecting an iPhone with malware designed to dial one of the researcher's phones - an assignment it carried out successfully.

The flaw that allows the hack could be exploited in the wild to enable attackers to remotely hijack a device and turn it into a spying tool, the researchers said.

With control of an iOS device, an attacker could, for example, get the phone to snap screenshots of banking logins and passwords and credit card numbers; could access email, texts and contact information; or could track a phone owner's geolocation, Lau said.

Lau said that Android devices don't suffer from the same vulnerability given that they warn users when they plug into a computer, even if it's a tiny computer pretending to be a charging station.

After Apple's iOS 7 update, a similar warning message will pop up to alert iOS users that they're connecting to a computer, as opposed to an ordinary charger, Lau said.

Until then, make sure you practice safe powering.

It's not that Mactans presents a grave risk of contracting malware, mind you.

As Peter Bright at Ars Technica describes it, this attack has some serious limitations (Mr. Bright, by the way, does a good job at describing the technical aspects of the USB idiosyncrasies that concern this attack, so do read his piece if that appeals).

A successful Mactans attack requires that the phone's screen be unlocked, for one thing.

It also requires the attacker to have a valid developer account, and each developer account is limited to generating the required provisioning profiles for 100 different phones.

That means that such an attack would have to be targeted, as opposed to being widespread and indiscriminate.

It could be done, but it sounds like it would be rather esoteric and James Bond-ish.

It's always been a good idea to avoid plugging gadgets into sketchy power-charging stations to avoid catching an electronic disease (there's even a name for it: juice jacking).

But, at least as far as an attack like Mactans goes, it's likely only going to happen in research situations or in Hollywood scripts at this point in time.

Follow @LisaVaas

Monday, December 16, 2013

Latvia blocking extradition of Gozi writer thanks to "disproportionate" US sentencing


One of three men indicted in the US earlier this year in connection with the Gozi banking trojan remains in his native Latvia, after courts there twice blocked US requests for extradition.

The Latvian foreign minister has added his weight to the battle to resist the extradition, arguing that the potential 67 year prison sentence cited in the indictment is "disproportionate" to the crime the man is accused of.

27-year-old Deniss Calovskis is named in the January 2013 indictment, along with Russian Nikita Kuzmin, already held in the US, and Romanian national Mihai Ionut Paunescu, also currently fighting extradition.

The trio are charged with running a crime syndicate using the Gozi malware in a campaign compared to a "modern-day bank robbery ring", which may have infected over 1 million PCs worldwide, with as many as 40,000 in the US hit by the malware.

Gozi used HTML injection to doctor banking web pages and harvest login data, which was then used to siphon off funds. The botnet of compromised systems could be hired out and attacks tuned to target specific banks or user groups. Calovskis is thought to have been the technical expert creating the HTML injection code.
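HTML injection of this kind happens inside the victim's browser, after TLS has been stripped, so the bank's server never sees the doctored page: the trojan matches the page URL against a rule, splices extra "security check" fields into the real login form, and collects whatever the victim types into them. The following is an added example, not Gozi code and not from the indictment or Naked Security; it shows a rule of that shape applied to a constructed login page, and the page-integrity comparison a bank can run to spot fields its real page never contained. The data_before / data_inject / data_after rule format is modelled on the configs several banking trojan families use and is an assumption, not Gozi's exact syntax; the page, rule and field names are all constructed.

```python
"""Added example, not Gozi code and not from the indictment or Naked Security:
how an HTML-injection ('web inject') rule rewrites a bank's login page inside
the victim's browser, and how a page-integrity check can spot the extra fields.
The page, the rule and the field names are constructed; the data_before /
data_inject / data_after rule format is modelled on the configs several banking
trojan families use, and is an assumption rather than Gozi's exact syntax."""
import re

# Constructed login page exactly as the bank serves it.
ORIGINAL_PAGE = """<form method="post" action="/login">
<input name="username" type="text">
<input name="password" type="password">
<input type="submit" value="Log in">
</form>"""

# Constructed inject rule: when the URL matches, splice data_inject into the
# page right after data_before. Extra fields are phrased as a 'security check'.
INJECT_RULE = {
    "set_url": "https://www.bank-example.com/login",
    "data_before": '<input name="password" type="password">',
    "data_inject": '\n<input name="atm_pin" type="password" placeholder="ATM PIN (security check)">'
                   '\n<input name="mothers_maiden" type="text" placeholder="Mother\'s maiden name">',
    "data_after": "",
}


def apply_inject(page, url, rule):
    """What the trojan does in the browser: the server's copy of the page is
    untouched, only the rendered copy changes. With data_after set, the text
    between the two markers is replaced; empty data_after means pure insertion."""
    if not url.startswith(rule["set_url"]):
        return page
    start = page.find(rule["data_before"])
    if start < 0:
        return page
    start += len(rule["data_before"])
    end = start
    if rule["data_after"]:
        end = page.find(rule["data_after"], start)
        if end < 0:
            return page
    return page[:start] + rule["data_inject"] + page[end:]


INPUT_NAME = re.compile(r'<input\b[^>]*?\sname="([^"]*)"', re.I)


def form_fields(page):
    """Names of the <input> elements in the page, in document order."""
    return INPUT_NAME.findall(page)


def injected_fields(rendered_page, expected_fields):
    """What a page-integrity script compares: inputs present in the rendered
    page that the bank's real page never contained, in document order."""
    expected = set(expected_fields)
    return [f for f in form_fields(rendered_page) if f not in expected]


if __name__ == "__main__":
    rendered = apply_inject(ORIGINAL_PAGE, "https://www.bank-example.com/login", INJECT_RULE)
    print("fields the victim sees:", form_fields(rendered))
    print("fields that should not be there:",
          injected_fields(rendered, form_fields(ORIGINAL_PAGE)))
```

Two caveats a practitioner should keep in mind. A trojan that controls the browser can also tamper with the integrity script the bank ships, so a clean comparison is evidence rather than proof; and the stolen values usually never reach the bank at all, because the inject harvests them client-side, so server-side logging of unexpected POST parameters only catches the sloppier rules that let the extra fields through.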

All three men are accused of a range of conspiracy charges in the US, with the potential sentences ranging from 60 years for suspected Romanian hosting organiser Paunescu, through Calovskis' 67 years to a massive 95 years for alleged chief arranger Kuzmin, should he be found guilty and receive the maximum sentence for all charges.

These numbers are, of course, the maximum possible sentences; actual jail terms are extremely unlikely to come anywhere close to these figures. However, the exorbitant numbers have been enough to delay, and possibly prevent, extradition.

Prison sentences in the US are extremely high, as are all figures connected to the US' sprawling corrections industry.

Over two million people are behind bars in the USA and close to 3% of the population is either locked up, on parole or on probation. The turnover of the prison system runs into many billions of dollars and the long-standing use of cheap prison labour has added billions to the output of several major US companies.

Chart showing the rise in the US Federal prison population in the last 100 years

The sharp increase in prison population over the last 30 years or so has been fed by ever-stricter sentencing, heavily influenced by the "war on drugs" and the "three strikes" rule, to the extent that sentencing structures are now well out of line with the rest of the civilized world.

Cybercrime is a global problem that requires worldwide co-operation and collaboration by diverse justice and law enforcement agencies.

With the bad guys operating in cross-national and even inter-continental teams, coordinated global scoops are needed to round up crooks detected by complex international, inter-agency investigations.

Once the perps are all safely in custody they need to be brought to book under somebody's jurisdiction. In most cases this involves an extradition process.

As most countries' extradition rules prevent the deportation of citizens to countries where they might face penalties local judges would find insane, the US risks upsetting the delicate balance required to ensure these worldwide prosecutions can be effectively completed.

I have no problem with tough sentences for cybercriminals, but they should remain within the bounds of sanity.

Threatening crazily hefty punishments may seem like a way to create a strong deterrent against new starters joining the malware underworld. They will fail to provide that deterrent, though, if they are seen to be no more than empty threats which cannot be enforced.

Follow @VirusBtn
Follow @NakedSecurity



Sunday, December 15, 2013

Malware alert while seeking child abuse images at work earns US man 5 years in jail


Hands on computer. Image courtesy of Shutterstock

A five-year jail term has been handed to a US man found downloading and watching child abuse imagery at work.

Investigators at the Seattle branch of the Social Security Administration where he worked were apparently alerted to his activities when his company computer was hit by a malware attack.

Thomas J. Barrett, 50, of Lynnwood, WA, seems to have been seriously addicted to grotesque photos and videos of underage girls being assaulted, with over 3,700 items found on his system.

In between browsing for fresh material for his collection, he also researched possible penalties for such activities, and alternated between porn and work time to keep his habits from his colleagues, indicating at least some awareness of just how wrong his behaviour was.

On one of his trawls through the seedier side of the web, a malware alert brought administrators' attention to what was going on, and subsequent investigations included setting up a spy camera monitoring his workstation.

The investigators were then exposed to the unedifying sight of Barrett "fondling himself" at his desk. He was arrested in January, but remains free on bail until his sentence comes into force.

Barrett's defense team claimed his time in the US Army sparked his addiction, with a visit to Europe opening an "evil door" in his delicate mind.

This is the second time in as many weeks that we've reported on malware playing a significant part in bringing paedophiles to book.

Before anyone gets the wrong idea, there's nothing noble about being a malware author or purveyor; it's still a nasty and criminal business, just perhaps not quite as nasty as these chaps.

Follow @VirusBtn

Follow @NakedSecurity

Image of man surfing web courtesy of Shutterstock.



Saturday, December 14, 2013

XKeyScore surveillance, Bradley Manning verdict, LinkedIn hole - 60 Sec Security [VIDEO]


What's XKeyScore all about? How did Bradley Manning fare? What about the authentication hole in LinkedIn?

Watch this week's 60 Second Security and find out more!


(If you enjoyed this video, you'll find plenty more on the SophosLabs YouTube channel.)

http://twitter.com/duckblog

Tags: #sophospuzzle, 60 Sec Security, 60 Second Security, 60 Seconds, 60SS, bh2013, Bradley Manning, Cablegate, data breach, Delaware, linkedin, Manning, NSA, oauth, PRISM, surveillance, Uni Delaware, vulnerability, Wikileaks, XKeyscore



Friday, December 13, 2013

White House mulls waving cash at businesses to get them to beef up cybersecurity


The White House. Image courtesy of Shutterstock

The White House is thinking about basically bribing businesses to get them to patch leaky cybersecurity.

According to Politico, the US government is pondering, specifically, tax breaks, insurance perks and other legal benefits for businesses that do some serious overhaul of their digital defenses.

Politico recently got its hands on a May 21 presentation from the Department of Homeland Security (DHS) that raised the notion of such incentives.

The incentives aren't yet finalized.

They would be designed to entice critical infrastructure players in particular, such as power plants and water systems, to adopt voluntary standards that are now being drafted by government and industry in response to an executive order from President Barack Obama.

The standards will be hammered out by DHS and the National Institute for Standards and Technology (NIST). The bodies will be working with businesses to create a security framework that businesses will, ideally, adopt on their own volition.

Politico pointed out that the financial lures also need to be run through federal agencies, including DHS and the Treasury Department, to determine how tasty the enticements can be, either with or without the help of a Congress that has proved, unfortunately, markedly unhelpful.

The 12-page document from DHS - which Politico refrained from publishing - reportedly mulls not only financial and market benefits, but also legal benefits, including limited lawsuit protection for participating companies.

It's wonderful to hear about incentives like this, particularly if they might spur organizations into getting insurance that could help to protect them from potentially devastating costs of data breaches or other cybersecurity dangers.

As it is, insurance professionals will tell you that many, if not most, businesses mistakenly think that general liability policies will cover them in times of cybersecurity mayhem.

Such policies won't, but there are policies that will, and it's wise to learn about them and know what questions to ask about such policies to make sure an organization is as well-covered as possible.

As Politico reports, experts believe that those organizations that adopt upcoming cybersecurity standards could be well-positioned to get breaks on such insurance, being able to point to the standards as evidence that they're following best practices.

Cash. Image from Shutterstock

This is the juicy stuff that could greatly help to improve security postures.

As it is, the Homeland Security page about cybersecurity incentives is as dry as a sun-baked bone.

DHS talks about secure software engineering, security breach forensics, better training and the instillation of personal data "ownership" - all worthy, mind you, but all very blah, blah, blah.

Tasty cash, on the other hand? Much more interesting, I'd wager.

Let's hope that the Feds can get something done, with or without the help of Congress.

Follow @LisaVaas

Follow @NakedSecurity

Image of White House and bag of cash courtesy of Shutterstock.



Wednesday, December 11, 2013

Should the "Reboot! Shut up and reboot!" theory be applied to programs?


Tech-savvy website Ars Technica recently invited comments on an interesting thought about programming.

"Should programs randomly fall on their swords?"

Actually, they didn't quite put it like that - indeed, they didn't make it clear whether programs ought to exit gracefully but needlessly after a random time, or whether they ought to be asynchronously killed off on a random basis by some monitor process.

Such a monitor would be the opposite of a traditional watchdog, a process that keeps its eye on other programs and warns you when they break. This would be a process that breaks other programs, then tells you it's done so.

But they did wonder about making programs exit even if they didn't need or want to, for the greater good of the operating system as a whole.

My first reaction was, "Why not?"

There's a school of thought that says a degree of unpredictability in software, especially long-running network software, can be very handy indeed.

Don't wait, say, two seconds after a failed connection attempt so that you coincide precisely but permanently with a similar every-two-second problem in some other process. Wait two seconds plus a random interval that's different every time.
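The "two seconds plus a random interval" advice is easy to state and easy to get wrong, so here is an added example (constructed for this page, not code from the article or from Ars Technica) that simulates two clients which fail at the same instant and then retry. With a fixed two-second wait their retries coincide on every attempt; with jitter they drift apart. The jitter range here also grows with the attempt number, which generalises the article's single-interval suggestion; the seeds, window size and function names are all assumptions of the example.

```python
"""Added example: why retry delays should carry random jitter.

Two clients that hit the same transient failure together and both retry after
exactly two seconds will keep colliding on every attempt.  Adding a random
interval to each wait breaks the lock-step.  The simulation is constructed for
illustration only.
"""
import random


def fixed_delay(attempt: int, base: float = 2.0) -> float:
    """The anti-pattern: always wait exactly `base` seconds, whatever the attempt."""
    return base


def jittered_delay(attempt: int, rng: random.Random,
                   base: float = 2.0, cap: float = 30.0) -> float:
    """Wait `base` seconds plus a random interval.

    Generalises the article's 'two seconds plus a random interval' by letting
    the jitter range double with each attempt (capped), so a crowd of clients
    spreads out over time as well as away from each other.
    """
    spread = min(cap, base * (2 ** attempt))
    return base + rng.uniform(0.0, spread)


def retry_schedule(delay_fn, attempts: int, start: float = 0.0) -> list:
    """Absolute timestamps at which one client makes each of its retries."""
    t = start
    times = []
    for attempt in range(attempts):
        t += delay_fn(attempt)
        times.append(t)
    return times


def count_collisions(sched_a: list, sched_b: list, window: float = 0.05) -> int:
    """How many of A's retries land within `window` seconds of any retry by B."""
    return sum(1 for ta in sched_a if any(abs(ta - tb) <= window for tb in sched_b))


def compare(attempts: int = 10, seed_a: int = 1, seed_b: int = 2) -> dict:
    """Run both strategies for two clients that fail together at t=0.

    Seeded generators make the result reproducible; in production you would
    use the default (OS-seeded) generator so the jitter is unpredictable.
    """
    fixed_a = retry_schedule(fixed_delay, attempts)
    fixed_b = retry_schedule(fixed_delay, attempts)
    rng_a, rng_b = random.Random(seed_a), random.Random(seed_b)
    jit_a = retry_schedule(lambda n: jittered_delay(n, rng_a), attempts)
    jit_b = retry_schedule(lambda n: jittered_delay(n, rng_b), attempts)
    return {
        "fixed": count_collisions(fixed_a, fixed_b),
        "jittered": count_collisions(jit_a, jit_b),
    }


if __name__ == "__main__":
    print(compare())
```

Running the module prints a dictionary in which `fixed` equals the number of attempts (every retry collides) and `jittered` is far smaller. The same structure applies to any periodic task that several processes might run in step: reconnects, cache refreshes, health checks.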

Don't arrange everything so predictably in memory that if there's an exploitable bug, hackers can reliably work out where to poke their knitting needles. Mix things up a bit so an attacker has to guess, and might very well get it wrong.

And, of course, in anything cryptographic, good quality randomness is vital, lest you turn a problem that should be computationally infeasible into one that is merely difficult or time-consuming.

Debian once removed code from its kernel because it looked unpredictable. It was supposed to be - it was part of the random number generator. After getting "fixed" it became so predictable that cryptographic keys that should have been unguessable could be brute-forced in seconds or minutes.

Forcing programs to have a short outage every now and then is a bit like companies that require senior executives to use at least some of their annual vacation time each year in unbroken chunks.

Not only does it force the individual to take a much-needed rest, it also mitigates against corruption in the company by getting an alternative hand on the tiller every now and then.

But my second opinion was, "No way!"

Naturally, you should subject your code to randomly-generated failures as a regular and important part of testing. (You do test your software against the sort of error you might never have experienced in real life, such as "disk full," don't you?)

This is especially true for online software, which is frequently developed on a fast, reliable, state-of-the-art local area network, but deployed over slow, laggy, flaky links.

But deliberately breaking code just to make it restart, hopefully with any ills of the past behind it, could ironically make things worse.

That's a little bit like pulling your car to the side of the road every few minutes to make sure the tyres don't overheat: a useful precaution in an emergency where you know there's a tyre fault, but a pointless waste of time if there isn't.

In fact, you can argue that getting into the habit of random "corrective process termination" could actually mask the symptoms of a fault, or lead to known problems being mitigated by accident, and thus never getting proper corrective attention.

Tech support staff don't usually say "shut up and reboot" (with apologies to Dogbert) because it's scientific. They say it because it isn't scientific, but it very often works, and improves their call closure rates in the long run.

So randomly self-breaking programs sound a little bit like those rules that say things like, "You must change your password every 45 days."

When an online service tells you that, are they implying that they actually get breached fairly frequently? That if they do get breached they probably won't realise?

Actually, you should change your password if you think you need to.

And if you think you need to, you should change it then and there, rather than saying to yourself, "My next 45-day mandatory password update is coming in a while, so I'll wait until then."

Follow @duckblog



LinkedIn closes OAuth hole that could have let people tinker with your CV


CV and mouse. Image courtesy of Shutterstock

LinkedIn has closed a bit of a hole that could have let anyone swipe users' OAuth private login tokens.

OAuth, an open authorization standard, is used by social networking services such as Klout or Foursquare.

OAuth enables users to log in to such services by first signing in to the big social networks, such as Facebook and Twitter.

A software developer identified by The Register as Richard Mitchell, based in the UK, earlier this week blogged about discovering that LinkedIn's help site handed out private OAuth tokens for logged-in users.

These supposedly secret OAuth tokens can be used to impersonate LinkedIn users and potentially get at their profile information via APIs.

Mitchell noted that during authentication, when first loading the page, a request went out to a JavaScript file that included the API key for the help system, which "immediately" returned an OAuth token for the user.

In fact, all that the help desk JavaScript code was doing before handing over the token was checking that the last page the visitor went to was served from LinkedIn.com.

Unfortunately (or fortunately, if you're talking about maintaining your privacy or testing code), "referer spoofing" is a trivial thing for coders.

Somebody with malicious intent could log into LinkedIn and then hop over to a malicious page that's designed to poke the LinkedIn help site for somebody's OAuth token, The Register's John Leyden suggests.

CV. Image courtesy of Shutterstock

Malware could also potentially access profile information using APIs, Leyden adds.

Mitchell writes:

I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user.

Thanks to Mitchell's responsible disclosure on 3 July, LinkedIn was able to fix the hole before any mischief came about. It did so by disabling requests without referrers.

A LinkedIn spokesman told The Register that Mitchell's account of the bug proved accurate:

"We can confirm that we were notified of the OAuth vulnerability and took immediate action to fix the issue, which was resolved by our team within 48 hours of being notified."

In return for his trouble, LinkedIn thanked Mitchell with a t-shirt - "All the way from California" - he says.

Hurray for bug bounties!

I guess this bug was pretty small and easy to squash.

Otherwise, Mitchell would likely have gotten a more substantial reward.

A duvet cover, perhaps?

Follow @LisaVaas

Follow @NakedSecurity

Image of mouse and CV and CV courtesy of Shutterstock.



Monday, December 9, 2013

$300 million 'superhackers' are not so super after all


Pin in map. Image courtesy of Shutterstock.

Two of the five men named in an indictment last week, widely labelled "the largest ever hacking and data breach scheme in the United States", were caught thanks to some pretty obvious carelessness - they posted their holiday snaps online and let their mobile phones broadcast their location to the cops on their trail.

29-year-old Dmitriy Smilianets, thought to have been in charge of monetizing the credit card data heisted by the rest of the gang, maintained a jaunty presence on social networks and ran a globe-trotting online gaming team, according to Reuters.

When one of his travelling companions was identified as Vladimir Drinkman, a suspected confederate of convicted ringleader Albert Gonzalez, cops put two and two together and closed in.

Drinkman's phone was transmitting location data, allowing the law to pin the group down to a hotel in the Netherlands, where local police picked the two up as they prepared to board a tour bus.

Smilianets has been extradited to the US, while Drinkman remains in the Netherlands battling extradition.

The team's lack of basic precautions seems to contradict recent speculation that an 'inverse CSI effect' may either deter potential cybercrooks, or force them to take ever more extreme care in covering their tracks.

Forensic scientist. Image courtesy of Shutterstock.

The standard 'CSI effect' derives from the long-running TV show, which encouraged juries to expect miracles from crime scene scientists - CCTV images enhanced to show car license plates reflected in raindrops from a hundred yards, accurate facial reconstructions extrapolated from a single nasal hair and so on - and to find real-world science disappointing and unconvincing as a result.

The "inverse" effect, described in a forthcoming scientific paper, suggests that any digital wrongdoers not put off perpetrating crimes by the threat of improbably advanced detection techniques may instead have to increase the value of their heists to cover the growing costs of adequate caution, or take increasingly stringent measures to hide from the law.

While the scale of this crew's eight-year run of crimes may fit the theory, the clumsy approach to anonymity and secrecy seems to fly in the face of its propositions.

The police may claim to have "got lucky", but their luck was very much helped along by incompetence, arrogance and hubris.

The remaining three men listed in last week's indictment remain at large in Russia, with the New Jersey US Attorney's unusual step of naming uncaptured suspects seen as an open criticism of the ineffective input of Russian law enforcement.

If their approach to keeping a low profile is anything like that of their alleged cohorts, it's only a matter of time before they're brought bang to rights.

Follow @NakedSecurity

Images of pin and scientist courtesy of Shutterstock.



Who likes porn sites better than Facebook or Twitter?


Adults only. Image courtesy of Shutterstock.

Read into this whatever cultural generalizations you will: recent numbers show that citizens of Germany, Spain, the UK, and the US have higher appetites for porn than anybody on the planet.

The Guardian recently got an exclusive peek at metrics from SimilarWeb, a web measurement company based in Tel Aviv that tracks clicks online (rather than total traffic volume).

The numbers show that in the UK, for one, traffic to legal porn sites outpaces even that for social media sites, such as Facebook. In fact, porn makes up 8.5% of all UK traffic.

Steamy sites also get more UK traffic than those for shopping, news, email, finance, gaming, travel, and business/industry.

The UK isn't the top porn-loving place, though. That honor goes to Germany, where a whopping 12.5% of traffic heads to the X-rated.

The top porn-surfing countries and how much of their traffic went to the internet's gazillion shades of grey during June 2013:

Germany 12.5%
Spain 9.6%
UK 8.5%
US 8.3%
Worldwide average 7.7%
Ireland 7.5%
France 7.3%
Australia 7.0%

The only destinations more popular than porn in the UK were arts and entertainment (boosted, as it is, by YouTube traffic) at 9.5% and search engines at 15.7%.

The figures don't include traffic from mobile phones which might have told a different story.

Nor do they account for illegal searches for child abuse, which, as The Guardian notes, are typically hidden away in identity-masking networks such as Tor or peer-to-peer.

Daniel Buchuk, head of brand and strategy at SimilarWeb, told The Guardian that the world's preference for porn over chatting with our friends on social media sites - as in, not just a preference for porn over one social media site, but a preference for porn over all social media sites combined - is a tad remarkable:

"Traffic on adult sites represents a huge portion of what people use the internet for, not just in the UK but around the world ... It is astonishing to see that adult sites are more popular in the UK than all social networks combined."

Mind you, people aren't just fumbling their way into porn sites by mistyping, for example, Facebook as F**kbook, he says:

"People don't just 'stumble' upon adult content. More than 8% of Google UK searches led to adult sites in the past three months."

Of course, one doesn't want to pick on the UK, particularly given that its surfing predilections aren't the most sexy, by far.

Germany, for example, is about half again as prone to porn surfing.

But thanks to David Cameron, the UK lately has itself been introspective on the topic.

Computer porn. Image courtesy of Shutterstock.

Last week, the Prime Minister gave a speech in which he announced new measures to protect children and challenged the internet's tech giants to shape up and do their part.

Upcoming changes to UK law include the criminalisation of possessing online pornography depicting rape and subjecting online videos to the same rules that pertain to those sold in licensed sex shops.

Beyond that, the more contentious changes include pervasive network-level filtering of adult content as a default position for internet access throughout the UK.

Is all this fuss warranted?

Well, kind of. Porn sites are, in fact, notoriously riskier than those serving vanilla content.

When the US Pentagon last August chewed out its missile defense workers for surfing porn on the job, a spokesman noted that the sites in question were known to have had virus and malware issues.

A government cybersecurity specialist also confirmed to Bloomberg at the time that many porn sites are infected.

Criminals and foreign intelligence services plant malware on such sites in order to gain access to and harvest data from government and corporate computer networks, the specialist explained.

So yes, porn sites carry a high risk of being boobytrapped (no pun intended).

But then again, so too do religious sites.

Nowadays, you’re reportedly more likely to get infected by visiting a church website than you are when you surf porn.

When it comes to minimizing malware infection, one could argue not only for the separation of church and state, as laid out by the founders of the US, but also for the further separation of church, state, business hours and booty.

Follow @LisaVaas

Follow @NakedSecurity

Images of computer porn and adults only courtesy of Shutterstock.

