Monday, August 21, 2017

Building a panopticon: The evolution of the NSA’s XKeyscore

How the NSA went from off-the-shelf to a homegrown "Google for packets."    

Pricey Linux banking trojan appears

Open sourcers can be quite vocal about the general lack of malware for Linux-based systems, but a new banking trojan has popped up, surprising the community. Most of the world still runs on Windows, so by comparison Linux doesn't get much in the way of malware. However, RSA's Limor Kessem wrote in her blog about a new Linux banking trojan called "Hand of Thief", which suggests malicious code writers have worked out there is some value in malware for open source platforms after all.

Security researcher Graham Cluley said that "Hand of Thief" is a lot of work for Linux malware. It comprises form grabbers for HTTP and HTTPS sessions in a variety of browsers, blocks infected computers' access to anti-virus websites and security patches, and detects when it is running inside a virtual machine, the last of which makes it harder for anti-virus researchers to reverse engineer its code. In addition, "Hand of Thief" incorporates an admin panel, allowing a criminal to control the remote computers that have been successfully hijacked around the world.

Kessem said that the trojan has been tested on 15 different flavours of Linux, including Ubuntu, Fedora and Debian, and is being offered for sale with free updates on underground web forums for as much as $2,000. The writers expect to push the cost to $3,000, with a $550 fee for major version updates, as features are introduced in the near future. Cluley said that is quite a high cost for a piece of malware, but small compared to the potential money that could be made by successfully compromising and infecting unprotected Linux computers.

Privacy International challenges GCHQ collaborators including BT and Vodafone

Privacy International has sent a solicitor's letter to undersea cable operators accusing them of unlawful conduct. The CEOs of BT, Verizon, Vodafone, Level 3, Global Crossing (now owned by Level 3), Viatel and Interoute have been implicated in GCHQ's Tempora programme, which intercepts internet traffic by tapping into 200 undersea cables.

In a pre-action letter issued to the companies, Privacy International demanded that the companies provide details of their relationship with GCHQ. It has asked the network operators to outline company policies for assessing the lawfulness of government requests and to describe any requests they have received from the authorities to intercept information. Privacy International has also asked the operators to specify the steps taken to oppose or resist such orders, and the amount they have been paid for their cooperation with governments. The letter states: "It is likely [Privacy International] has been the victim of unlawful conduct by your company."

Privacy International is seeking an Investigatory Powers Tribunal (IPT) challenge to investigate the legality of GCHQ's Tempora programme to tap undersea fibre optic cables. "It appears that [your company] has fundamentally failed its customers by cooperating with and facilitating a mass data collection and interception programme without, as far as we are aware, taking reasonable steps to challenge requests for data," Privacy International's solicitor noted in the letter sent to the operators. "Such indiscriminate blanket revelation and collection of all customer data is entirely incompatible with customer privacy and is unlawful."


Twitter's two-factor system is more secure, but not necessarily better

Twitter came out earlier this week with a new version of its two-factor authentication system. Usually when I hear about such systems, I wonder whether they're going to use the time-based one-time password algorithm (TOTP). TOTP is implemented by a number of companies, among them Amazon, Dropbox, Linode, Evernote and Microsoft.

The beauty of using the algorithm is that all of your tokens can be placed in the one application. But Twitter has decided not to take this approach, and, in fact, has said that its own implementation is more secure. And it is. In a nutshell, Twitter uses public/private key crypto, getting your device to create a keypair and telling Twitter's servers what your public key is during setup.

The secret private key is never revealed, and can be used to sign any request sent from the device, with the signature verified by the public key. The great thing about such a system is that even if Twitter were compromised, all that an attacker would end up with would be a bunch of public keys and nothing that could be used to impersonate a user. But the bespoke nature of this approach means that anyone who is using two-factor authentication now has to install Twitter's app.

Given that Twitter wants people to use its own apps, and is limiting API calls as a disincentive to smaller developers to write their own platforms, this is no skin off its back. It actually creates another differentiation point for its client over others. Developers, however, miss out because as far as I can see, there is no way, as yet, for third-party clients to handle this new method of authentication.

The users themselves are also left with having to install a client they'll never use, or leaving two-factor authentication off the table in the first place. Or, perhaps, in Twitter's ideal world, ditching their third-party client for Twitter's. And even if Twitter were breached, it would likely reset key pairs out of an abundance of caution, just like when we hear about hashed and salted passwords being stolen, which are mostly useless. Never mind the fact that we're talking about a second factor of security here. The debate really seems to come down to keeping everything consistent, and while Twitter's system of just pressing a button is pretty convenient, what everyone is used to are token systems, and not having to change their user experience with a different client.

After all, if you're someone who's security-conscious enough to have two-factor authentication turned on, you're going to be familiar with seeing TOTP-based systems. Security is all about managing your risk, which is why we don't all store our mobile devices in radio-proof bunkers when we go to sleep at night. Is Twitter's two-factor system more secure? Sure. Is it necessary to mitigate the risk for the average user? No.

We're again having other companies make our own security decisions for us, as if they know better — as if they know how we use our devices, the information we store on them, and how much we value it — and, sometimes, we don't, which is why we use really dumb passwords at times. It all leaves a rather sour taste in my mouth — a more closed-off, proprietary system that subtly backhands developers, while being sold as more secure. Just because it's true doesn't justify kicking developers some more. Many people would have been satisfied to have a TOTP-based system in Twitter, even though it's comparatively less secure.

There simply isn't much of a case for replacing it. Unlike passwords, which are fundamentally broken and need an alternative, the currently pushed argument for two-factor authentication is to actually have it in place. In an ideal world, maybe we'd have both options so we could choose to reduce our security for the sake of convenience.

But businesses aren't yet ready for user-tailored security.

After Lavabit shutdown, another encrypted e-mail service closes

Silent Circle hasn't been pressured by US gov't, but saw "writing on the wall."    


Threat Intelligence Needed Quickly or Not at All, Ponemon Study Finds

Companies can prevent 40 percent of their losses if they use information on current threats, but the value of the intelligence fades quickly. Fresh information on the latest online threats can enable companies to respond more quickly to attacks and prevent compromises, but the intelligence grows stale quickly and becomes less useful within 4 to 12 minutes, according to a recent survey of security professionals.

The survey, conducted by the Ponemon Institute and funded by threat-intelligence provider Norse, found that 57 percent of the polled security professionals believe that the information on threats provided to their companies is too old to be useful, leading to $10 million in annual costs to mitigate exploits of their networks. However, if data on threats is received within 60 seconds of a compromise, companies can save, on average, $4 million, the Ponemon study found. "Whether intelligence is actionable is inextricably linked to time," Larry Ponemon, chairman of the Ponemon Institute, told eWEEK. "The make-or-break point—when you start to lose value—is measured in minutes, not in days or weeks."

The security industry has increasingly focused on gathering intelligence on the threats targeting companies, to give businesses as much information as possible to prevent attacks. One major focus is synthesizing the variety of data produced during the daily operation of a large enterprise's network.

This "big data" collection promises to give companies better insight into the operation of the network and to catch any attacker who starts affecting that operation. Another focus, however, is delivering information on the changing global threat landscape, so that companies can be warned if legitimate-looking traffic is communicating with a known bad part of the Internet. Almost all malware communicates with actors outside the victim's network, giving vigilant businesses a chance to detect the attack. In addition, global threat intelligence can warn a company if its own Internet addresses start producing malicious traffic, said Sam Glines, CEO of Norse. "By uploading your company's public-facing IP address, we instantly provide back the data on whether any of your IPs are behaving badly," he said.

Companies are notoriously in the dark about whether their own systems are compromised. In its annual report on trends in network breaches, Verizon found that the median time between a compromise and the exfiltration of data is hours, but that the median time to discovery is days.

The group surveyed in the latest Ponemon report had a similar outlook, with half of the respondents estimating that it would take weeks to months to recognize a compromise and only a quarter estimating that it would take a day or less. Technology is not seen as the answer to the problem. On a 10-point scale, three-quarters of respondents rated traditional technologies—such as firewalls, security information and event management (SIEM) and intrusion detection systems—a 6 or less. The survey polled more than 700 people from 378 companies on their current use of threat information. More than three-quarters of respondents criticized current threat intelligence solutions for their high false-positive rates.
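The two checks Glines describes, matching outbound connections against a feed and asking whether our own addresses appear in it, with the article's point about freshness built in, as an added example (this is not Norse's code or format; the "timestamp src dst" record layout, the 10-minute MaxAge, and the sample feed and flows using RFC 5737 documentation ranges are all constructed here):

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Indicator is one feed entry: a bad address or prefix, why it was listed, and when the
// feed last confirmed it. LastSeen is what lets an entry age out.
type Indicator struct {
	Prefix   netip.Prefix
	Reason   string
	LastSeen time.Time
}

// Feed is a set of indicators plus a freshness window: an entry older than MaxAge is
// treated as if it were not there, since stale intelligence mostly buys false positives.
type Feed struct {
	Indicators []Indicator
	MaxAge     time.Duration
}

// Match returns the freshest still-valid indicator covering ip, if any.
func (f Feed) Match(ip netip.Addr, now time.Time) (Indicator, bool) {
	var best Indicator
	found := false
	for _, ind := range f.Indicators {
		if !ind.Prefix.Contains(ip) || now.Sub(ind.LastSeen) > f.MaxAge {
			continue
		}
		if !found || ind.LastSeen.After(best.LastSeen) {
			best, found = ind, true
		}
	}
	return best, found
}

// OwnAddressesFlagged answers the second question: do any of our public ranges
// currently appear in the feed as a source of bad traffic?
func (f Feed) OwnAddressesFlagged(ours []netip.Prefix, now time.Time) []Indicator {
	var out []Indicator
	for _, ind := range f.Indicators {
		if now.Sub(ind.LastSeen) > f.MaxAge {
			continue
		}
		for _, p := range ours {
			if p.Overlaps(ind.Prefix) {
				out = append(out, ind)
				break
			}
		}
	}
	return out
}

// Hit is one connection record whose destination matched a fresh indicator.
type Hit struct {
	Line   string
	Src    netip.Addr
	Dst    netip.Addr
	Reason string
}

// ScanFlows reads "timestamp src dst" records (a constructed stand-in for NetFlow or
// firewall logs) and flags internal hosts talking to fresh indicators.
func ScanFlows(logs string, feed Feed, now time.Time) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := sc.Text()
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		src, err1 := netip.ParseAddr(fields[1])
		dst, err2 := netip.ParseAddr(fields[2])
		if err1 != nil || err2 != nil {
			continue
		}
		if ind, ok := feed.Match(dst, now); ok {
			hits = append(hits, Hit{Line: line, Src: src, Dst: dst, Reason: ind.Reason})
		}
	}
	return hits
}

// Constructed sample data; the addresses are documentation ranges, not real indicators.
const SampleLogs = `2013-08-09T10:00:00Z 10.0.0.5 203.0.113.9
2013-08-09T10:00:01Z 10.0.0.8 198.51.100.7
2013-08-09T10:00:02Z 10.0.0.9 198.51.100.200`

func OurRanges() []netip.Prefix { return []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")} }

func SampleFeed(now time.Time) Feed {
	return Feed{
		MaxAge: 10 * time.Minute,
		Indicators: []Indicator{
			{netip.MustParsePrefix("203.0.113.0/24"), "C2 sinkhole", now.Add(-2 * time.Minute)},
			{netip.MustParsePrefix("198.51.100.7/32"), "scanner", now.Add(-2 * time.Hour)}, // stale
			{netip.MustParsePrefix("192.0.2.44/32"), "spam source", now.Add(-1 * time.Minute)},
		},
	}
}

func main() {
	now := time.Date(2013, 8, 9, 10, 0, 5, 0, time.UTC)
	feed := SampleFeed(now)
	for _, h := range ScanFlows(SampleLogs, feed, now) {
		fmt.Printf("ALERT %s -> %s (%s)\n", h.Src, h.Dst, h.Reason)
	}
	for _, ind := range feed.OwnAddressesFlagged(OurRanges(), now) {
		fmt.Printf("OUR ADDRESS LISTED %s (%s)\n", ind.Prefix, ind.Reason)
	}
}
```

With the 10-minute window only the C2 connection and our own listed address are reported; the two-hour-old scanner entry is ignored, which is the trade the article describes. Widening MaxAge brings it back, along with the false positives that come with acting on old data.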

Brooklyn connection in worldwide credit card ring gets 22 years in...

95,000 credit card holders had personal information stolen.    

Mozilla bridges Gmail to Persona log-in

Missing from its first months in beta, Mozilla's Persona Web site log-in system now adds Gmail to its list of sign-in credentials you can use. August 8, 2013 3:21 PM PDT You can now use your Google account credentials with Mozilla Persona to lo...

Next round of copyright criminals: YouTube cover bands

Music publishers sue "multichannel networks," seeking royalties for songwriters.    

Ed Snowden’s e-mail service shuts down, leaving cryptic message

Lavabit offered Snowden—and other customers—512-bit security on stored e-mails.    

Microsoft Set to Update IE (Again) for August Patch Tuesday

Microsoft has issued its advanced notification for the upcoming Patch Tuesday update cycle, set to be released on Aug. 13. I personally have never been a big fan of the advanced notification because, quite frankly, the information is somewhat vague and I prefer to just wait for the real deal and all the related important vulnerability information. While the advanced notification is short on real details, it does provide a trending indication of what we should expect in general terms.

This month, Microsoft is set to issue eight new security bulletins, three of which are rated as being Critical (the highest rating of severity for a Microsoft bulletin). Paul Henry, security and forensics analyst at Lumension, noted that at this time last year there were 35 total critical bulletins issued for the year-to-date. In contrast for the year-to-date in 2013, the number of critical bulletins has declined to 25. Of those three bulletins rated critical in the upcoming August 2013 Patch Tuesday update, one in particular has my interest. Once again, Microsoft is patching its often attacked Internet Explorer Web browser. I got a great email comment from Lamar Bailey, director of security research and development at Tripwire, about the recent spate of IE updates on Patch Tuesday.

He wrote: "Are you ready to patch IE again next week? Maybe we should rename patch Tuesday to the IE security update since we see them every month now." Bailey is, of course, quite correct. In the July Patch Tuesday update, Microsoft addressed a zero-day flaw alongside 17 additional vulnerabilities in IE. That's on top of 19 flaws in IE that Microsoft patched in June. In May another 12 IE security issues were patched in that month's Patch Tuesday. So just doing the simple math, over the last 90 days Microsoft has already issued fixes for at least 48 flaws in IE.

On the positive side of this (always look on the bright side!), to the best of my knowledge there have not been 48 zero-day flaws in IE that have been publicly exploited over the last 90 days. Most of the flaws are responsibly disclosed, and Microsoft is responsibly handling fixing flaws too. Patch Tuesday sometimes brings a surprise or two, with things showing up that were not on the advance notification. We'll have to wait until Tuesday, Aug. 13, to see if that will be the case this time around.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.