Thursday, October 19, 2017

“Hand of Thief” banking trojan doesn’t do Windows—but it does Linux

Priced at $2,000, bank fraud malware has its own sales and support agents.    

In face of scrutiny, researchers back off NSA “Torsploit” claim

They admit it was either a misread of data or data somehow changed after assessment.    

Federal judge: Bitcoin, “a currency,” can be regulated under American law

Bitcoin Savings and Trust's founder has been accused of running a Ponzi scheme.    

Tenable Broadens Availability of PVS Network Scanning Tool

Company officials said the move was done to help more organizations deal with security concerns connected to BYOD and virtualization. Tenable Network Security is releasing a stand-alone version of its real-time network monitoring technology to help organizations deal with the security concerns arising from such trends as bring-your-own-device and virtualization. Tenable at the end of the month will make its Passive Vulnerability Scanner (PVS), which until now had been available only to customers using Tenable's SecurityCenter and SecurityCenter Continuous View offerings, available to any business. Company officials made the announcement July 30 at the Black Hat 2013 security conference. The move comes at a time when corporate networks are seeing more applications crossing the infrastructure and more devices, from notebooks to smartphones to tablets, connecting to the network.

The bring-your-own-device (BYOD) trend, with employees tapping into the network with their own computing devices, promises greater productivity and lower operating and capital costs for businesses, but also creates more management and security headaches for IT staff. Such trends are forcing businesses to increase the amount of scanning they do of their networks, according to Tenable CEO Ron Gula. "As innovations such as BYOD and virtualization gain traction within the organization, more and more transient devices are being brought into the organization and onto corporate networks," Gula said in a statement. "If a company is only scanning for these devices monthly, they do not have an accurate picture of their network weakness." BYOD has been on the rise since the first Apple iPhone was introduced in 2007, and gained steam when the iPad tablet hit the market in 2010. Employees are balking at the idea of using company-issued technology, preferring to use their own devices for work.

Organizations are looking to institute BYOD policies that enable workers to use whatever device they want while protecting corporate data and networks from unauthorized intrusions. The situation has created tension.

According to a survey of 700 IT decision makers by managed cloud services provider NaviSite released in July, 80 percent of respondents said that BYOD has become the norm in business, but only 45 percent said they have a formal BYOD policy in their workplace. About 68 percent said they were concerned about securing enterprise data on employees' mobile devices. Tenable's PVS is designed to complement the company's Nessus active scanning products.

The technology continuously monitors network traffic at the packet layer, detecting applications, services, protocols and hosts that may not be found, or even present, at the time of an active scan, according to the company. It's designed to pick up on security vulnerabilities, suspicious network relationships and compliance violations. In BYOD environments, it monitors IPv4 and IPv6 network traffic to find devices connecting to the network and assess their vulnerabilities. It also evaluates data crossing the network that might be sensitive, such as social security numbers and credit card numbers. "A hacker only needs one pathway into your network," Gula said. "Not knowing what an unmanaged device is doing on your network is a security blind spot." The stand-alone PVS offering will be available at the end of August through the company's partners and its e-commerce store.
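What a passive scanner does at the packet layer, as an added example rather than Tenable's code (the page does not describe PVS's internals): it consumes packet summaries a sniffer has already decoded, records every IPv4 and IPv6 host it sees, learns listening services from SYN-ACK replies and the server banners that follow, and flags payloads carrying Luhn-valid card numbers or SSN-shaped strings. The packet records, addresses and banners are constructed for the example.

```python
"""Passive asset and sensitive-data inventory from observed traffic.

Added example, not Tenable's code: it sketches what a passive vulnerability
scanner does at the packet layer. Input is a list of already-decoded packet
summaries (constructed below); nothing is sent on the wire.
"""
import ipaddress
import re

# Constructed packet summaries (hypothetical hosts from documentation ranges).
# "flags" holds TCP flags as letters (S=SYN, A=ACK, P=PSH); payload is text.
SAMPLE_PACKETS = [
    {"src": "10.0.0.23", "sport": 51514, "dst": "10.0.0.5", "dport": 22,
     "proto": "tcp", "flags": "S", "payload": ""},
    {"src": "10.0.0.5", "sport": 22, "dst": "10.0.0.23", "dport": 51514,
     "proto": "tcp", "flags": "SA", "payload": ""},
    {"src": "10.0.0.5", "sport": 22, "dst": "10.0.0.23", "dport": 51514,
     "proto": "tcp", "flags": "PA", "payload": "SSH-2.0-OpenSSH_6.2\r\n"},
    {"src": "2001:db8::10", "sport": 40000, "dst": "2001:db8::1", "dport": 80,
     "proto": "tcp", "flags": "S", "payload": ""},
    {"src": "2001:db8::1", "sport": 80, "dst": "2001:db8::10", "dport": 40000,
     "proto": "tcp", "flags": "SA", "payload": ""},
    {"src": "2001:db8::1", "sport": 80, "dst": "2001:db8::10", "dport": 40000,
     "proto": "tcp", "flags": "PA",
     "payload": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n\r\n"},
    # An unmanaged device posting a form over plain HTTP, card number included.
    {"src": "10.0.0.77", "sport": 33333, "dst": "2001:db8::1", "dport": 80,
     "proto": "tcp", "flags": "PA",
     "payload": "POST /pay HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&ssn=123-45-6789"},
    # mDNS chatter: multicast destination, not an asset.
    {"src": "10.0.0.77", "sport": 5353, "dst": "224.0.0.251", "dport": 5353,
     "proto": "udp", "flags": "", "payload": ""},
]

# Server banners we can classify from the first bytes a service sends back.
BANNERS = [
    (re.compile(r"^SSH-\d\.\d-(\S+)"), "ssh"),
    (re.compile(r"^HTTP/\d\.\d \d{3}.*?\r\nServer: ([^\r\n]+)", re.S), "http"),
]
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(payload):
    """Masked hits for card numbers (Luhn-valid only) and SSN-shaped strings."""
    hits = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append("pan:%s%s%s" % (digits[:4], "*" * (len(digits) - 8), digits[-4:]))
    for m in SSN_RE.finditer(payload):
        hits.append("ssn:***-**-" + m.group(0)[-4:])
    return hits


def passive_inventory(packets):
    """Hosts, listening services and sensitive-data sightings, from traffic only."""
    hosts, services, findings = {}, {}, []
    for p in packets:
        for ip in (p["src"], p["dst"]):
            addr = ipaddress.ip_address(ip)
            if not addr.is_multicast:          # multicast is not a host
                hosts[ip] = "ipv%d" % addr.version
        key = (p["src"], p["sport"])
        if p["proto"] == "tcp" and "SA" in p["flags"]:
            # A SYN-ACK proves something is listening on src:sport.
            services.setdefault(key, {"app": "tcp", "banner": None})
        elif key in services and p["payload"]:
            for rx, app in BANNERS:
                m = rx.match(p["payload"])
                if m:
                    services[key] = {"app": app, "banner": m.group(1)}
        for hit in find_sensitive(p["payload"]):
            findings.append({"src": p["src"], "dst": p["dst"], "dport": p["dport"], "what": hit})
    return {"hosts": hosts, "services": services, "findings": findings}


if __name__ == "__main__":
    report = passive_inventory(SAMPLE_PACKETS)
    for ip, fam in sorted(report["hosts"].items()):
        print("host", ip, fam)
    for (ip, port), svc in sorted(report["services"].items()):
        print("service", ip, port, svc["app"], svc["banner"])
    for f in report["findings"]:
        print("finding", f["src"], "->", f["dst"], f["dport"], f["what"])
```

Two design points matter in practice: a service is only recorded when a SYN-ACK proves something answered, so a SYN to a closed port does not pollute the inventory; and card candidates are Luhn-checked and masked before they are reported, which drops most false positives on arbitrary digit runs and keeps the inventory itself from becoming a store of cardholder data.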

Chrome password security issue stirs debate

Security researchers say the plain text used to display Web site passwords leaves Chrome vulnerable, but Google defends its strategy. August 7, 2013 7:11 AM PDT Another person with access to your computer can see your Google Chrome saved passwo...

Ambry hits back at Myriad’s “bad faith enforcement” of breast cancer...

Patents were knocked out by the Supreme Court—but Myriad is still suing competitors.    

If Bruce Schneier ran the NSA, he’d ask a basic question:...

Ars asks a tech and legal all-star team how to fix America's security state.    

Former NSA boss compares privacy activists to al Qaida terrorists

Former NSA chief Michael Hayden, who ran the shady US spying bureaucracy from 1999 to 2005, responded to a question about Edward Snowden by painting privacy activists as terrorists and comparing them to al Qaida. "If and when our government grabs Edward Snowden, and brings him back here to the United States for trial, what does this group do?" Hayden asked, referring to "nihilists, anarchists, activists, Lulzsec, Anonymous, twentysomethings who haven't talked to the opposite sex in five or six years". He continued: "They may want to come after the US government, but frankly, you know, the dot-mil stuff is about the hardest target in the United States". 'Dot mil' is American jargon for its military networks. "So if they can't create great harm to dot-mil, who are they going after?" Hayden said, according to the Guardian. "Who for them are the World Trade Centers? The World Trade Centers, as they were for al-Qaida". Hayden was in charge of the NSA when it began its unprecedented surveillance operation.

He also ran the CIA.

He concluded that the situation he outlined was speculation and "imaginative", but also that Snowden "has created quite a stir among these folks who are very committed to transparency and global transparency". Big Brother Watch, the British privacy rights group, responded. Speaking with TechEye, its director, Nick Pickles, said: “Given the testimony given under oath about what the NSA was doing, it is understandable that Hayden may be showing signs of nerves, as Edward Snowden’s disclosures blow apart assurances that there was no surveillance of American citizens. “Perhaps if Mr Hayden had spent more time trying to recruit the people he now so gleefully traduces and compares to terrorists it wouldn’t have been possible to walk out of a high-security facility with so much classified information on a USB stick," Pickles continued. "More Americans now think that security measures have gone too far than think we need more surveillance," he said. "If we are to have a sensible debate about what is necessary and proportionate to keep us safe in the modern communications age, we need to start by stopping the utterly ridiculous pastime of some securocrats to brand anyone who disagrees with them a terrorist.”

Apple patents tech to let cops switch off iPhone video, camera...

Police forces around the world have had the problem that when their officers get a bit carried away and start pepper spraying tied captives there is someone on hand filming the event on their mobile phones. While six police lay into prone grannies on the floor with long batons, the pictures can be on the net in seconds, meaning supervisors have to answer embarrassing questions. But they may not need to fear scrutiny much longer: Apple has patented a piece of technology which would allow government and police to block transmission of information, including video and photographs, whenever they like. All the coppers have to do is decide that a public gathering or venue is deemed "sensitive" and needs to be "protected from externalities", and Apple will switch off all its gear. The police can then get on with the very difficult task of kettling protesters without having to worry about a few beating anyone to death. Apple insists that the affected sites are mostly cinemas, theatres, concert grounds and similar locations, but it does admit that it could be used in "covert police or government operations which may require complete 'blackout' conditions". According to RT it could also be used to prevent whistleblowers like Edward Snowden from taking pictures and broadcasting them on the internet. Apple said that the wireless transmission of sensitive information to a remote source is one example of a threat to security. But it said that this sensitive information could be anything from classified government information to questions or answers to an examination administered in an academic setting. Apple patented the means to transmit an encoded signal to all wireless devices, commanding them to disable recording functions. The policies would be activated by GPS, and wi-fi or mobile base-stations, which would ring-fence ("geofence") a building or a "sensitive area" to prevent phone cameras from taking pictures or recording video.
Odd that the company made famous by its 1984 Big Brother video can't really see what it is doing. Perhaps its own secretive culture and an overzealous security treatment of its staff have fostered sympathy for Big Brother after all.

TOR advises abandoning Windows

Tor has warned its users to stay away from Windows after it was revealed that US spooks were spreading malware on the anonymising network using a Firefox zero-day vulnerability. The zero-day vulnerability allowed the FBI and other spooks to use JavaScript code to collect identifying information on computers visiting some websites over The Onion Router (Tor) network. According to a security advisory posted by the Tor Project, the workaround is switching away from Windows. This is because the malicious JavaScript that exploited the zero-day vulnerability was written to target Windows computers running Firefox 17 ESR (Extended Support Release), the version of the browser on which the Tor Browser Bundle is based. Those using Linux and OS X were unaffected. While there is nothing to stop the spooks writing a version of the code which targets Linux and OS X, it is less likely to happen. The malicious JavaScript was likely planted on websites where the attacker was interested to see who visited.

The script collected the hostname and MAC address of the visitor's computer and sent them to a remote computer. The exploit was targeted specifically at unmasking Tor Browser Bundle users, without installing any backdoor on their host. The Tor Project also advised users to turn off JavaScript by clicking the blue "S" by the green onion within the Tor Browser. "Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect," Tor wrote. "A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings." Mozilla has patched the hole in later versions of Firefox, but some people may still be using the older versions of the Tor Browser Bundle, which is why updating the bundle, not just changing operating system, is the durable fix.

Is the smart meter roll-out doomed?

A new select committee report has given the UK's smart meter roll-out a thumbs up. But is the project doomed to failure? Computer Weekly has spoken to experts who have raised concerns over the economic impact and benefits, the technical infrastructure and the IT project management behind the UK's smart meter programme. When engineering consultant Mott MacDonald calculated the cost of the smart meter programme, the firm stated the net present value of the programme would be £4.0bn in the red, according to Alex Henney, an economist and advisor for the electricity industry, who gave evidence to the Smart Meter Select Committee.  Yet the civil service has put the net present value at £4.9bn.  “The civil service went to town to tweak the numbers," said Henney. "It's a political freak to go from -£4bn to +£4.9bn in four years.

If that does not ring a bell, then you can believe pigs can fly.”

More expensive than Continental counterparts

He said the UK programme is twice as expensive as the Spanish and Italian smart meter programmes. “There are two obvious differences. Firstly, the Italians and Spanish rely on a powerline network [for data communications], which is simpler and cheaper than wireless technology.” Italy and Spain also use a central distribution network operator (DNO) to roll out the smart meters, which, he claims, is simpler than relying on electricity suppliers. “We have devised the most complex roll-out in the world,” Henney said.

The UK approach, which relies on suppliers rolling out meters, will need an extra large database to collate information on who owns the meter, incurring costs and introducing errors and complexity.

Image caption: The UK's smart meter project will enable consumers to see how much energy they use.

Henney said the programme will require an energy usage display in each household that costs £25 each. That may not seem like much, but over the course of 43 million households, it represents over £1.1bn. Henney believes many people will throw these displays away and they are unlikely to have any impact on people's usage patterns. "The average residential consumption is 4,000 kWh compared with 16,000 kWh in Norway where home heating exclusively uses electricity," he said. "The average UK electricity consumption has not increased very much.

In the case of gas, consumption has gone down." The EU wants member states to provide 80% of all households in member states with smart meters.

A new Ernst & Young study for the German Federal Ministry of Information and Technology has not recommended smart meters in Germany.

No major environmental boost

From Henney's analysis, smart meters will not give the UK a major environmental boost, as many homes now use efficient condensing boilers for heating and energy-efficient lighting.

He believes the government's premise that people will manage their energy consumption is flawed. In other parts of the world the largest gains in energy reduction have not come from smart meter roll-outs, but from targeted measures that reduce peak consumption. "In California, the main demand side response is not coming from real-time smart meters, but from electricity suppliers directly controlling air conditioners," he added. Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, warns that the energy industry has no reason to lower energy usage. "There is no prospect it will meet its energy saving goals as the meters will be controlled by the retailers whose interest is to maximise sales volumes," Anderson said. "The project was sold on the basis of a thoroughly dishonest impact assessment and it's pressing ahead, despite lack of agreement on many aspects of the specification. "It's a classic IT disaster in the making."

IT complexity

Beyond the choice of wireless over powerline for smart meter connectivity and the doubt over whether people will actually manage their consumption, the software development and project management of the programme may not be robust enough. The costs associated with the IT behind the programme are likely to escalate and timescales will overrun, according to software engineer Martyn Thomas, a member of the IET Information Technology Policy Panel. "It is a very large IT project, and the government's track record is not good," said Thomas. "The government usually overlooks the amount of business change." Risk is another factor he believes will contribute to the project's demise. "There isn’t a properly constructed risk register with provisions to sort out problems if they should arise," he said. Thomas, who previously worked on tax office IT, said: "One of the ways we managed projects in taxes was by identifying possible outcomes for the project and assigning risk to each."
Thomas is a strong proponent of formal methods, which he said will decrease project cost. "Most of the costs in an IT project are the efforts in finding errors. We’ve known for 40 years that testing only shows the presence of errors, not their absence," he said. According to Thomas, a formal methodology would reduce the number of errors getting into the smart meter programme, because problem areas are identified early. "You save an awful lot of time." Fewer errors also means less risk of cyber attacks affecting smart meters and people's electricity and gas supplies. The chance of failure is high. In his evidence to the Select Committee, Andrew Ward, operations director at Scottish Power, highlighted a project oversight which occurred at the company's US division. "As part of the deployment [the US operations] rolled out 200,000 meters and had to replace 5,000 because they could not update communications over the wire," said Ward. In other words, the team had failed to identify the possibility of meters not being remotely updatable and had to replace 2.5% of them at considerable cost.

If this were to occur in the UK's roll-out, almost a million households would be affected.

German justice minister proposes ban for US firms that don’t abide...

Meanwhile, German spy agency (BND) is passing metadata on to the NSA.