Tag: security

Sir Tim Berners-Lee warns about a dying web

Sir Tim Berners-Lee, who invented the World Wide Web, said he is alarmed at what has happened to it in the past year.

He said that the world needs to step in to reverse three new trends which could kill off the Internet as a useful tool for humanity.

Sir Tim cited compromised personal data, fake news and the lack of regulation in political advertising, which he says threatens democracy.

“Even in countries where we believe governments have citizens’ best interests at heart, watching everyone, all the time is simply going too far. It creates a chilling effect on free speech and stops the web from being used as a space to explore important topics, like sensitive health issues, sexuality or religion.”

When Berners-Lee submitted his original proposal for the Web, he imagined it as an open platform that would allow everyone, everywhere to share information, access opportunities and collaborate across geographic and cultural boundaries.

He said that his faith has been badly shaken by a series of high-profile hacks and the dissemination of fake news by data science and armies of bots. The scourge of fake news and cyberweapons poses a significantly greater threat.

Marissa Mayer gives her bonus to staff

Yahoo CEO Marissa Mayer announced today via her Tumblr page that she will be redistributing her annual bonus and equity stock grant to Yahoo employees to make up for two security hacks which thumped the company.

An independent committee Yahoo brought on to investigate the hacks found the company to be at fault for not sufficiently responding to the security incidents.

The committee said that while significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, or act on information provided internally by the company’s information security team. Because of the hacks, Yahoo’s top lawyer, Ron Bell, was fired.

Mayer has accumulated about $162 million during the five years she’s spent as the company’s CEO in both salary and stock awards. She’s also due about $55 million in severance if she decides to leave the company following its acquisition by Verizon.

While it is nice that Mayer is giving her cash to the employees, most of the victims of the security fiasco were customers and users, who are no doubt organising a class action as we write.

Russian cyber treason charges are ancient

Treason charges against two Russian state security officers and a cyber-security expert are based on allegations made by a Russian businessman seven years ago.

The arrests concern allegations that the suspects passed secrets to US firm Verisign and other unidentified American companies, which in turn shared them with the US spooks.

Ruslan Stoyanov, head of the computer incidents investigation team at Russian cyber-security firm Kaspersky Lab, was arrested and charged with treason in December along with two officers of Russia’s Federal Security Service (FSB), Sergei Mikhailov and Dmitry Dokuchayev.

The arrests were a result of accusations first made in 2010 by Pavel Vrublevsky, a Russian businessman and founder of ChronoPay, an online payments company. Vrublevsky has told the press that the arrests were a response to his claim that Stoyanov and Mikhailov had passed secrets on to American firms.

Verisign denies that it received any secret information. The firm’s iDefense unit compiled dossiers on cybercrime for clients including private firms and government agencies that include U.S. intelligence services, but it says its research did not contain classified information.

However, it did know Stoyanov, a former Russian cybercrime copper who later had a career as a consultant.

But Kimberly Zenz, a former analyst at Verisign’s iDefense unit who knows Stoyanov, said that nothing like the arrangement described by Pavel Vrublevsky ever took place.

Verisign Vice President Joshua Ray said his company acquired information in unclassified ways and does not believe its reports to government agencies and other customers included state secrets.

Kaspersky has pointed out that the charges against Stoyanov relate to a period before he joined the company in 2012.

What is weird about the story is that the Russian authorities took no action over the allegations made by Vrublevsky against Stoyanov and Mikhailov for so long.

The only coincidence is that the arrests came shortly after the United States accused Russia of trying to influence its presidential election through computer hacking.

It is thought that Moscow intends the arrests as a signal, in response to the US hacking accusations, that it would now take action against forms of cooperation that it previously tolerated.

After Vrublevsky first made his allegations against Stoyanov and Mikhailov, he was arrested and convicted on charges of organizing a cyber-attack on a rival Internet payments firm that competed with ChronoPay. He is now free on parole and has always denied guilt.

Silicon Valley lost to the carmakers

While the press is still full of stories about self-driving cars, it is starting to look like Silicon Valley has failed to get into the driving seat.

If you believed the tech press, Apple, Google, and Uber were going to totally change the way cars were made and effectively take over.

But all that started to grind to a halt as Silicon Valley realised it was out of its depth. Last year Apple laid off most of the engineers it hired to design its own car. Google stopped talking about making its own car. And Uber, despite its sky-high market valuation, is still a long, long way from making its own autonomous cars.

The issue is that people outside of the auto industry do not realise what a can of worms making cars is. Apple, for example, thought all it had to do was design a car and start making it.

But Tesla, which is the only successful automotive company to come out of Silicon Valley so far, made only 80,000 cars last year, and it has been in business for nearly 15 years.

Basically the tech industry, particularly Apple, thought it would monopolise the technology, then dictate terms to the traditional Original Equipment Manufacturers. But Ford, GM, Audi, Mercedes, Nissan and others launched in-house autonomous programmes. They also bought Silicon Valley companies to bolster their efforts, not the other way around.

Silicon Valley also runs on a different model. They expect a 40 per cent profit margin or they cannot be bothered getting out of bed. Car makers would only give them ten per cent if they were lucky.

According to AutoBlog, the field Silicon Valley is realigning itself towards is car-based data. Unlike automotive manufacturing, Big Data analytics driven by Artificial Intelligence does not require large capital investments in factories and equipment. That translates into 90 per cent profit margins.


Snowden knows that Trump was given a hand by Putin

While the FBI, CIA and President Barack Obama all agree that Russia hacked the DNC and asserted its will on the US presidential election, they seem to be having difficulty convincing the world.

If you post news about the hack anywhere online you will normally get otherwise sane people parroting the mantra that “there is no proof.”

So far most of the proof has come from private security companies whose findings would normally be accepted without question, but for some reason no one is believing them this time. Official comments from the spooks are short on anything that people would call proof.

Donald (Prince of Orange) Trump has done his best to claim that it was not his good chum President Putin. He claims that hacking is hard to prove.

Only it really isn’t. According to a new document leaked by Edward Snowden, the NSA has successfully traced a hack back to Russian intelligence at least once before.

A classified excerpt from a page on the NSA’s internal wiki shows that the NSA once verified that Russian journalist Anna Politkovskaya’s email account had been targeted by Russian Federal Intelligence Services a year before her 2006 murder.

The information is classified as “Top Secret Signals Intelligence” which means that the NSA knows Politkovskaya’s email was hacked by Russian operatives because they were able to trace the hack back to Russian intelligence.

The entry itself doesn’t specifically say how this trace was accomplished or provide the evidence — but the existence of the entry shows that the NSA is wholly capable of tracing such hacks back to their source.

While it does not prove that Russia gamed the US election, it shows that the US intelligence agencies can gather the proof. It also shows that when the proof is found it is classified. The US does not want to risk showing its hand to foreign operators.

This would lead to a strange situation where President Obama, all the spooks and the White House dog all know that Russia gamed the election and can take action against Russia, but the rest of the world will not know why.

When Trump takes office in a couple of weeks he will know too, but it is unlikely he will say anything. After all he owes Putin’s Oligarch mates rather a lot of money.

White House rushes to lock out Russian hackers

The White House is rushing to stop Russian hackers from gaming future US elections before Donald (Prince of Orange) Trump takes over and lets them get away with it.

President Obama wants to implement measures to penalise Russia for allegedly interfering in the US presidential elections. In 2015, the White House announced new economic sanctions, which authorised the Obama administration to punish and prevent foreign hackers who attack US national security and economy.

According to the National Security Council, the sanctions fall short of giving the current administration enough power to punish the biggest and most controversial cyberattack, the one that hit the Democratic National Committee, so it is now trying to work out how to tailor the sanctions to punish the Russian election hackers.

According to reports, one way of striking back at the Russian election hackers would be to declare electoral systems critical infrastructure and to establish that what the Russians did actually harmed it.

The White House is seeking to employ measures that not only provide authority to penalise hackers who harm national security, but also prevent such attacks in the future.

US authorities blame Russian state-sponsored hackers for targeting political parties in efforts to interfere in the elections and help Trump secure a victory. The White House’s allegations were bolstered by US intelligence and the FBI’s analysis of the attacks, which also hold Russia responsible for its interference in the elections.

The worry is that if the Russians think “that worked pretty well” they will try to do it every time the US has an election until they get the sort of government they want. The fear is that when Trump enters the White House he will abandon any moves to shore up the defences against Russia because he owes them rather a lot of money. If the rules are in place before he takes over, it might be more difficult for him to bin them.

Yahoo hacked again

Yahoo has said that it was hacked again and data from more than a billion user accounts was nicked.

Apparently the attack happened in August 2013, making it the largest breach in history, and we are only finding out about it now.

The number of affected accounts was double the number implicated in a 2014 breach that the internet company disclosed in September and blamed on hackers working on behalf of a government. News of that attack, which affected at least 500 million accounts, prompted Verizon Communication Inc to say in October that it might withdraw from an agreement to buy Yahoo’s core internet business for $4.83 billion.

Verizon said about the latest attack that it would be reviewing the impact of this new development before reaching any final conclusions.

A Yahoo spokesman said the company has been in communication with Verizon during its investigation into the breach and that it is confident the incident will not affect the pending acquisition.

The Yahoo spokesman added that the company believes the hackers responsible for the previous breach had also accessed its proprietary code to learn how to forge “cookies” that would allow them to access an account without a password.
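The forged-cookie detail is the security-relevant one: if reading the application’s own code was enough to learn how to mint a valid cookie, the scheme depended on the secrecy of the code rather than on a key held outside it. The following is an added illustration, not Yahoo’s code and not a description of its actual scheme, of the difference between an unsigned cookie, which anyone who knows the format can forge, and an HMAC-signed one, which cannot be forged or edited without the server key. The key, user names and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key. In a real deployment this lives in a secrets store,
# never in source control, so that reading the code does not reveal it; if it
# does leak, rotating it invalidates every cookie minted under it.
SERVER_KEY = b"constructed-example-key-not-a-real-secret"


def b64u(data: bytes) -> str:
    """URL-safe base64 without padding, as commonly used in cookie values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_weak_cookie(user: str) -> str:
    """Unsigned session cookie: the only 'secret' is the format itself."""
    return b64u(json.dumps({"user": user}).encode())


def read_weak_cookie(cookie: str) -> str:
    """Accepts any well-formed value, so knowing the format is enough to forge."""
    return json.loads(b64u_decode(cookie))["user"]


def make_signed_cookie(user: str, key: bytes, now=None, ttl: int = 3600) -> str:
    """Cookie is payload.tag where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64u(payload) + "." + b64u(tag)


def read_signed_cookie(cookie: str, key: bytes, now=None):
    """Returns the user name, or None if the cookie is malformed, forged,
    tampered with or expired. The tag is verified before the payload is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = b64u_decode(payload_b64)
        tag = b64u_decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data["exp"] <= now:
        return None
    return data["user"]


def demo(now: int = 1_700_000_000) -> dict:
    """Attacker model: full knowledge of the cookie format and code, no key."""
    genuine = make_signed_cookie("alice", SERVER_KEY, now=now)

    # Forgery attempt 1: mint an admin cookie with a key guessed from the code.
    forged = make_signed_cookie("admin", b"guessed-from-reading-the-code", now=now)

    # Forgery attempt 2: keep a genuine tag but swap in an edited payload.
    _, tag_b64 = genuine.split(".", 1)
    edited = json.dumps({"exp": now + 3600, "user": "admin"}, sort_keys=True).encode()
    tampered = b64u(edited) + "." + tag_b64

    return {
        "weak_forgery_accepted": read_weak_cookie(make_weak_cookie("admin")) == "admin",
        "genuine_accepted": read_signed_cookie(genuine, SERVER_KEY, now=now) == "alice",
        "signed_forgery_accepted": read_signed_cookie(forged, SERVER_KEY, now=now) is not None,
        "tampered_accepted": read_signed_cookie(tampered, SERVER_KEY, now=now) is not None,
        "expired_accepted": read_signed_cookie(genuine, SERVER_KEY, now=now + 7200) is not None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Signing only moves the problem to the key: if the attackers took the signing key along with the code, the signed scheme is exactly as forgeable as the weak one, and the only remedy is rotating the key, which logs every user out. That is why the key belongs in a secrets store with a rotation path and an expiry (`exp`) bounds how long a stolen cookie stays useful.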

However, some analysts have said that the company screwed up and was found not to have been taking security seriously enough.

Yahoo said it had not yet identified the intrusion that led to the massive data theft and noted that payment-card data and bank account information were not stored in the system the company believes was affected.

Yahoo said it discovered the breach while reviewing data provided to the company by law enforcement. FireEye Inc’s Mandiant unit and Aon Plc’s Stroz Friedberg are assisting in the investigation, the Yahoo spokesman told Reuters.

Oracle bug responsible for San Francisco hack

The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware gained access to the agency’s network by way of a known vulnerability in an Oracle WebLogic server.

That vulnerability is similar to the one used to hack a Maryland hospital network’s systems in April and infect multiple hospitals with crypto-ransomware. It appears that the attacker did not target SFMTA specifically; it was simply spotted by a vulnerability scan.

SFMTA spokesperson Paul Rose said that the agency became aware of a problem on 25 November. The ransomware encrypted some systems, mainly affecting computer workstations.

The SFMTA network was not breached from the outside, nor did hackers gain entry through its firewalls. Muni operations and safety were not affected. Customer payment systems were not hacked and no data was nicked.

Based on communications from the ransomware operator behind the Muni attack, published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a “deserialization” attack after it was identified by a vulnerability scan.

Krebs said that it was possible to access the mailbox used in the malware attack, hosted on the Russian e-mail and search provider Yandex, by guessing its owner’s security question, and he provided details from the mailbox and another linked mailbox on Yandex.

Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations’ networks.
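The “deserialization” attack mentioned above is a class of bug rather than a single one: a service rebuilds objects from bytes it received, and the serialisation format lets those bytes name which classes or functions get invoked during the rebuild, so whoever controls the bytes controls what runs. WebLogic’s case involves Java serialisation; the following is an added example, not code from SFMTA, Oracle or Krebs, showing the same failure and its standard mitigation in Python’s pickle, where a loader that resolves only an allow-list of types refuses the payload before anything runs. The Ticket type, the payload (which merely calls print) and the allow-list are constructed for the example.

```python
import builtins
import contextlib
import io
import pickle


class SideEffectOnLoad:
    """Constructed payload: unpickling this object calls print().

    The loader does not care what the callable is; it invokes whatever the
    serialised bytes name. That is the whole deserialisation problem.
    """

    def __reduce__(self):
        return (print, ("side effect: a callable named in the bytes was invoked",))


class Ticket:
    """Harmless application type the service genuinely needs to accept."""

    def __init__(self, ticket_id: int, route: str):
        self.ticket_id = ticket_id
        self.route = route


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list loader: a few plain builtins and the Ticket class only.

    Every class or function reference in the stream goes through find_class,
    so anything outside the allow-list is refused before it can be called.
    """

    SAFE_BUILTINS = {"set", "frozenset", "list", "dict", "tuple"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        if module == __name__ and name == "Ticket":
            return Ticket
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_and_capture(loader, data: bytes):
    """Runs a loader; returns (result, refused, text the load wrote to stdout)."""
    out = io.StringIO()
    with contextlib.redirect_stdout(out):
        try:
            result, refused = loader(data), False
        except pickle.UnpicklingError:
            result, refused = None, True
    return result, refused, out.getvalue()


def demo() -> dict:
    benign = pickle.dumps(Ticket(42, "N-Judah"))
    malicious = pickle.dumps(SideEffectOnLoad())

    # Unrestricted loader: the callable named in the bytes runs during load.
    _, unsafe_refused, unsafe_out = load_and_capture(pickle.loads, malicious)
    # Allow-list loader: the same bytes are refused and nothing runs.
    _, safe_refused, safe_out = load_and_capture(restricted_loads, malicious)
    # The allow-list still admits the objects the service actually expects.
    ticket, _, _ = load_and_capture(restricted_loads, benign)

    return {
        "unsafe_loader_ran_code": (not unsafe_refused) and "invoked" in unsafe_out,
        "restricted_loader_refused": safe_refused,
        "restricted_loader_ran_code": safe_out != "",
        "benign_object_still_loads": isinstance(ticket, Ticket) and ticket.ticket_id == 42,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Java’s equivalent of the allow-list loader is `ObjectInputFilter` (JEP 290), though the broader lesson from the Muni incident is that a native-serialisation endpoint should not be reachable from untrusted input at all. The detection angle is the same one the attacker used: the exposed server was found by a vulnerability scan, and defenders can run the same kind of scan against their own Web-facing hosts first.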

China brings in tough new cyber security law

The glorious People’s Republic of China has brought in tough new cybersecurity regulations on companies operating behind the bamboo curtain.

The proposed Cybersecurity Law features data localisation, surveillance, and real-name requirements. It will require instant messaging services and other internet companies to make users register with their real names and personal information, and to censor content that is “prohibited”. Real-name policies restrict anonymity and can encourage self-censorship in online communication.

There is also an element of data localisation, which would force “critical information infrastructure operators” to store data within China’s borders.

According to Human Rights Watch, an advocacy organisation that is opposing the legislation, the law does not include a clear definition of infrastructure operators, and many businesses could be lumped into the definition.

Sophie Richardson, Human Rights Watch’s China director said the new law will effectively put China’s Internet companies, and hundreds of millions of Internet users, under greater state control.

Many of the regulations are not new; most were informally carried out or specified in low-level law. However, implementing the measures on a broader level will lead to stricter enforcement.

Companies are required to report “network security incidents” to the government and inform consumers of breaches, but the law also states that companies must provide “technical support” to government agencies during investigations. “Technical support” is not clearly defined, but might mean providing encryption backdoors or other surveillance assistance to the government.

The Cybersecurity Law also criminalises several categories of content, including that which encourages “overthrowing the socialist system,” “fabricating or spreading false information to disturb economic order,” or “inciting separatism or damage national unity.”

Biggish Blue admits big blue down-under

IBM has confirmed it will compensate the Australian government for a “malicious” cyber-attack that shut down the national census, but has claimed that two ISPs were also responsible for the security lapse.

For five years IBM was the lead contractor for the five-yearly household survey by the Australian Bureau of Statistics (ABS). However, the census website went offline on census day after four distributed denial of service (DDoS) attacks.

The breach put a spanner in the works of government plans to trial online elections on the basis of its privacy street cred.

IBM was helping a police investigation but declined to say who was behind the attack.

IBM claims that the attacks were launched through a router in Singapore and blamed Australian ISP Vocus Communications, a subcontractor of Nextgen Networks, for failing to shut it down.

In a written submission to the inquiry, IBM said its preferred anti-DDoS measure, which it calls “Island Australia”, involves “geoblocking”, or getting the company’s ISPs to shut down offshore traffic coming into the country.

In a written submission to the inquiry, Nextgen said IBM told it about “Island Australia” six days before the census website went live in July, and that IBM declared a test of the strategy four days before the census a success.

Nextgen said it followed IBM’s instructions, but noted that IBM rejected its offer of additional anti-DDoS detection measures.

Vocus said in a submission that it told Nextgen the week before the census that it “did not provide geoblocking” and that “Vocus was in fact requested to disable its DDoS protection product covering the e-Census IP space”.