is on its way
(May 5, 2011 - By Ed Bott - ZDNet)
Here’s a timely excerpt from Ryan Singel’s article, “Why can’t we stop the botnets?” on p. 55 of the Feb., 2011, issue of Wired magazine.
‘The thieves’ main tool was a botnet --
a remotely controlled network of infected computers that spreads via web pages and email.
The best efforts to destroy these zombie armies have failed;
botnets continue to thrive, sending daily bursts of stolen info
(yes, possibly yours) to servers around the world.’
…. ‘According to security firm Websense,
the number of malicious web pages jumped 111 percent from 2009 to 2010.
Nearly 80% of those were legitimate sites hacked into to serve up malware.’ ….
“It takes just one click on a bad bit.ly link and criminals have access to all of your data,”...
‘Antivirus software helps, but it can’t keep up with the speed of malware mutation.’
‘…criminals are infecting pages tied to top Google searches and Twitter topics.’
‘For now, experts recommend running patch-checking tools like Secunia PSI as a compliment to your antivirus software.”
According to a November 2010 “PC World” magazine sidebar article,
“TIPS FROM THE PROS - Top 5 Ways to Stay Safe Online”:
“PC security is one area where it pays to be paranoid.” You should “STAY UP-TO-DATE, STAY paranoid, stay protected.”
“Be sure to run Windows Update, as well as the software update features in the other programs that you use EVERY DAY.”
“…use a password manager.” and “…antivirus and security [firewall; anti-spyware/malware programs] software…”
“Assume that no site is safe, and don’t trust a link or file download, even if a friend sends it to you.”
Under the heading: “Malicious PDFs that try to fool you into installing malware”, the article notes that:
“In 2009, attacks using malicious PDFs made up 49 percent of Web-based attacks…”
Security and Privacy Issues in the PDF Document Format - (ScienceDaily - Feb. 22, 2011) - UPM Facultad de Informática researchers compile information on security and privacy for authors or readers of PDF documents, the most popular format for publication of digital documents. - http://www.sciencedaily.com/releases/2011/02/110222083159.htm
For more extensive computer security advice,
be sure to read (online) PC World magazine’s
“The 17 Most Dangerous Places on the Web”
at this URL:
“The scary thing about a clickjacking attack is there isn't any foolproof way of detecting when it is happening to you.
Through clever hackery, some dastardly villain somewhere will show you a website that looks harmless,
but they can use it to steal your clicks, making you do something drastically different than what you think you're doing.
Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website
is overlaid by an invisible layer that sits on top of the site underneath it.
For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button.
You don't think twice about it -- you've done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie.
It just so happens that a button allowing access to your camera and microphone has been placed over the movie's play button.
Now, when you think you're playing the movie, you're actually permitting the hacker to access your video camera and microphone.
That invisible layer sitting on top of the page has intercepted and highjacked your mouse click.
There are a few steps you can take to ensure clickjacking is stopped at the source."
[Be sure to read the rest of the article for the specific how-to steps to follow via this URL.]:
Secure Your Life in 12 Steps - (By Nick Mediati - June 2011 issue - PCWorld Magazine) - Lock down your computer, your home network, your identity--even your phone.
Good security advice can be hard to find. Lots of security experts offer help, but not all of their tips are accurate or up-to-date, and many address PC security only. So even if you follow their advice, you may be more vulnerable than you think. That's where we come in. We've assembled a dozen simple but essential tips -- a 12-step security program -- to keep your PC, smartphone, gadgets, and identity safe. The steps are practical and fairly easy to perform, so you can strengthen your security without losing your mind in the process. - https://www.pcworld.com/article/225806/secure_your_life_in_12_steps.html
[From the front-page A1 (continued on page A4) Mon., Feb., 7, 2011, St. Louis Post-Dispatch article,
“Facebook accounts of legislators hacked”.]: - http://mcaf.ee/9f6b4 -
‘Cybersecurity threats have increased sharply in recent months.
They include a program called Firesheep that targets Wi-Fi users' private account information.
Firesheep, which can be downloaded for free from the Web,
allows users with little computer knowledge to access the private Internet accounts
belonging to people on a shared wireless network,
and even assume control of those accounts as if they were each account's owner.’
‘Firesheep...is "like someone sitting outside your home with an antenna pointed at your house,
and you wouldn't necessarily know it."
"Firesheep is one of those things that scared the hell out of us
with getting into people's Facebook and grabbing passwords." ’
[If you want to find out more about the “Firesheep” Wi-Fi security threat,
be sure to check out Steve Gibson’s “Security Now!” online podcast archive,
where you’ll find both the Oct. 28, 2010, “Firesheep” audio podcast/s
(among many others) and written transcripts free for online-access and/or download.
Here’s the URL to take you to Gibson’s Security
Now! podcast archive.]:
[NOTE: It would be wise
(FREE) Online TWiT TV Podcast
Steve Gibson is the person who coined the term “spyware.”
Steve created the first anti-spyware program.
(Be sure to check out his free online ShieldsUP
Steve’s weekly podcast discusses
the hot topics in security today
with Leo Laporte, host of TWiT TV.
can either watch the free video podcast live ( http://twit.tv
Or download the free archived video/s
(.mp4) file versions:
[In the Feb. 2011 issue of PC World magazine, on page 75 under the subtitle, “New Threats for a New Year” (from the “Battle of the Security Superpowers” article) ]:
‘Malware has migrated to social networks…. …techniques that cyber-criminals use in attempts to poison SEO (search engine optimization), loading up on popular search keywords to make malware-compromised sites appear higher in search results. ….
Another threat is the resurgence of banking-related
. …the relatively new "man-in-the-browser" attacks, in which the malware doesn't activate until you have successfully logged into your bank account.’ - http://www.pcworld.com/article/214618/battle_of_the_security_superpowers.html
Hackers could track the person behind your usernames - (Feb. 7, 2011 - NewScientist) - A new wave of online crime is on the way – and all that's required is your username. Hackers may soon be able to identify which screen names belong to one person just by analysing the characters that make up the name. - http://www.newscientist.com/article/dn20094-hackers-could-track-the-person-behind-your-usernames.html
[As noted at the following URL]:
Geolocation is a rather secret feature
of some browsers and toolbars.
It allows the creator of that program
to get a fix on the location of your computer
to within a few meters of where you actually live.
For the potential dangers
read the article from BBC News entitled
attack knows where you live' here.
The question is therefore
how to effectively disable this feature.
At this moment this site offers solutions for
Apple Safari, Firefox, Flock,
Google Chrome, Google Toolbar,
Opera and Twitter:
How To Create
A Full Administrator
Having all the Admin capabilities in one window is great.
I ran across this searching for ways to automate Administration in Windows 7
It is called God Mode by some.
Create a new folder and rename the folder to the following exactly as shown below:
Be sure to rename the folder as shown above from the G to the }
[NOTE: To create the folder,
just right-click on an empty space on your desktop,
choose “New”, then choose “Folder”;
then just copy-and-paste the entire (above)
“GodMode” code line, as instructed, to rename the folder.]
You can also find additional free add-on extenstions for Thunderbird at this URL:
Firefox Plug-ins Have To Be
Regularly Updated Manually
IF you are using the Firefox web browser,
it is very important to note that
Firefox DOES automatically check
for security updates for installed third-party
it does NOT (as of this writing)
do so for any third-party Plug-ins
that are already pre-installed in
YOU have to MANUALLY check
(at a minimum of at least one/week)
for needed updates for those Plug-ins.
Here’s how you can easily do
In Firefox, click Tools.
Then, in the drop-down list, click on Add-ons.
When that opens up, click on the LEGO-type
(not the puzzle-piece icon, which is for the Add-ons.)
Then click on the “Check to see if your plugins are up to date” underlined option.You will then see a complete list and the current status of your plug-ins.
"New research further confirms that difficulties security vendors are having in keeping up with malware.
Security software can take an average of two days to block an attack Website, says a report from NSS Labs. The firm developed a test that mimics how people browse the Web, and recorded how and when security suites blocked the threats – if they did so at all. The latest test ran for 24 hours a day for nine days."
"Some security vendors employ reputation systems, which usually involves checking a database of blacklisted sites. But such systems are not widely used and are immature, according to NSS Labs. Overall, vendors took an average of 45.8 hours to block a site, if they blocked it at all, the report states.
If a suite did not block a bad site the first time, NSS Labs continued to test every 8 hours to see how long the vendor took to add protection; times ranged from 4.62 hours to 92.48 hours. The researchers also had a “zero hour” criterion, in which the test checked whether the software stopped newly found malware sites, and the results weren’t great: The best vendor blocked new sites only 60.6 percent of the time."
In the meantime, keep this in mind...
According to an article,
“ ‘Spam Clock’ Tallies Web Junk”
by John P. Mello Jr.,
published on p. 34 of the March 2011 issue of PC World magazine
( www.pcworld.com ):
‘…search engine newcomer Blekko has a clock at www.spamclock.com
that counts how many spam pages are created on the Internet every second.
…. Today the economic incentives for Web spammers are even more lucrative than e-mail spam,
and almost guarantee a continuing blizzard of trash on the Web.’
‘Spammers are hiring low-wage workers
to churn out pages at anywhere from 5 cents to a dollar a pop.
“Web spammers simply have to create pages on the Web
and sit back and let search engines send them the money,”
[Rich] Skrenta [Blekko founder] writes.
“The problem and challenges of spam to the entire world
are going to get worse,” he predicts.’
[The article highlights: ‘Every hour 1 million new spam pages are created’]
On page 66 in the same March 2011 issue of PC World, in answer to…
‘Q. How Can I Determine Whether An Unknown Website Is Safe To Visit?
A. You’ve probably read stories about “drive-by-downloads,”
viruses and spyware that sneak onto your PC when you visit a rigged Website.
And that’s a hard truth:
The seemingly innocent act of clicking a link
-- even one that’s at the top of a Google search-results page --
can lead to malware infestations.
How do you figure out whether a link is safe before you click it?
The Secret History
The secret History of Hacking
is a public domain documentary
about the pioneers of
the hacking craze.
(50 min. - YouTube audio/video)
[Personally, I do not recommend
so-called “social networking”
I have never used them…
and, never will.
Check this out...
and the other
--Bike Bob] :
For those that may use ‘Facebook',
here is a May 11, 2011, “Vancouver Sun” alert:
A Skinner box
that trains you
(12-1/2 min. - YouTube audio/video)
(82 min. - video documentary)http://video.google.com/videoplay?docid=7926958774822130737#
High fiber - (13 min. - video) - May 13, 2011 - Need To Know/NPR) - The United States is where the internet was born. But we’re falling behind in the race to the online future. Most of us go online these days using a service that’s called broadband – faster than old-fashioned dial-up, and always on. But broadband service in the U.S. lags behind a dozen or more industrialized countries – and we’re doing worse every year. Need to Know correspondent Rick Karr traveled to the U.K. and the Netherlands – with support from the Ford Foundation and in collaboration with the website Engadget – to find out how these two countries have jumped ahead of us online. This is a story about capitalism, competition, dynamism and innovation in what is arguably the most important industry of the 21st century. Old fashioned American values, right? Then why are we being left so far behind? - http://www.pbs.org/wnet/need-to-know/video/video-high-fiber/9263/
Eric Pariser: "The Filter Bubble" - (51-1/4 min. - audio - May 17, 2011 - The Diane Rehm Show/NPR) - A quiet revolution is taking place on the Internet. The top 50 websites collect an average of 64 bits of information each time we visit. The personal data they track -- from our politics to the shoes we just browsed on Zappos – help advertisers tailor offers just for us. But one online pioneer believes we pay a big price for that customized experience – living in our own information universe. In our so-called “filter bubble,” we receive mainly familiar news that confirms our beliefs. And we don’t know what’s being hidden from us. Diane and her guest, Eli Pariser, talk about understanding the costs of online personalization.What is the internet hiding from you? As internet giants like Google, Facebook, Netflix and Apple fine tune their ability to personalize content, we will increasingly each live in our own information universe, our own "filter bubble." Former director of MoveOn.org, Eli Pariser, explores the development and future of the most recent digital revolution. - http://thedianerehmshow.org/shows/2011-05-17/eli-pariser-filter-bubble
Virus Hoaxes & Realities
Cracking the code: Defending against the superweapons of the 21st century cyberwar - (13 min. video - May 20, 2011 - by Erin Chapman and Win Rosenfeld - Need To Know/PBS) - http://mcaf.ee/64lb9 - The threat of attack has been a growing concern to national security experts for some time. Imagine what would happen if a malicious hacker could take out a power grid or cause the meltdown of a nuclear plant. Critics of the administration’s cyber-security plan question whether it goes far enough to protect us from the next generation of cyber-superweapons — including one devastating computer virus, Stuxnet, that’s already been unleashed in a foreign country.
There’s a Secret Patriot Act, Senator Says - (May 25, 2011 - by Spencer Ackerman - Wired) - You may think you understand how the Patriot Act allows the government to spy on its citizens. Sen. Ron Wyden (D-Oregon) says it’s worse than you’ve heard.
Congress is set to reauthorize three controversial provisions of the surveillance law as early as Thursday. But Wyden says that what Congress will renew is a mere fig leaf for a far broader legal interpretation of the Patriot Act that the government keeps to itself — entirely in secret. Worse, there are hints that the government uses this secret interpretation to gather what one Patriot-watcher calls a “dragnet” for massive amounts of information on private citizens; the government portrays its data-collection efforts much differently.
“We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,” Wyden tells Danger Room in an interview in his Senate office. “When you’ve got that kind of a gap, you’re going to have a problem on your hands.”What exactly does Wyden mean by that? As a member of the intelligence committee, he laments that he can’t precisely explain without disclosing classified information. But one component of the Patriot Act in particular gives him immense pause: the so-called “business-records provision,” which empowers the FBI to get businesses, medical offices, banks and other organizations to turn over any “tangible things” it deems relevant to a security investigation. - http://www.wired.com/dangerroom/2011/05/secret-patriot-act/
[NOTE: This is NOT “good” news. Scientific studies have shown that the (inter)act(ive) of reading stimulates the brain and enhances both memory and I.Q. (BTW…scientific studies show similar results for interactive computer games, too. :-) However, the “images, not words” of the “augmented reality” described in this BBC News article, would be more in line with watching an “entertainment” program on TV, which -- unless you’re watching an informative documentary -- tends to “dumb down” (literally) its audiences…and, can actually lower I.Q.! --Bike Bob]:
Aurasma: Augmented reality future or forgettable fun? - (May 26, 2011 - by Rory Cellan-Jones - BBC News) - Rory Cellan-Jones tests augmented reality software that plays video over live images filmed through a phone
You're standing at a bus-stop, the adverts come to life, you're looking at menu, you can see the food, instruction manuals can show you how to put the Ikea table together.
Already, newspapers are talking about turning display adverts into video ads - which can earn them more. And movie studios are planning sightseeing tours where you see parts of a film played out in the real world.
Its a vision of a future where images, not words, become the building blocks by which we search the world and understand our surroundings. - http://www.bbc.co.uk/news/technology-13558137
Password Haystacks: Padding Passwords
On Wed., June 1, 2011, Steve Gibson’s “Security Now!” (podcast #303)
-- which is online-archived
(for FREE...both in audio and written transcript form)
-- Steve talked about his new revelation/s
in regards to vital password security.
Specifically, he began talking about it in detail
at about 75 minutes into the 98 minute show...
and continued that discussion for about 10 more minutes
almost to the end of the show.
One of the things he recommended
was for listeners to check out his
Password Haystacks (Padding) page...
(see below.) -- Bike Bob]:
Every password you use can be thought of as a needle hiding in a haystack.
After all searches of common passwords and dictionaries have failed,
an attacker must resort to a “brute force” search
– ultimately trying every possible combination
of letters, numbers and then symbols
until the combination you chose, is discovered.
If every possible password is tried,
sooner or later yours will be found.
The question is:
Will that be too soon . . . or enough later?
This interactive brute force search space calculator
allows you to experiment with password length and composition
to develop an accurate and quantified sense
for the safety of using passwords
that can only be found through exhaustive search.
Please see the discussion
[at the following URL]
for additional information:
(Alert): WebGL - A New Dimension for Browser Exploitation
[NOTE: The NoScript (Firefox web browser) Add-on/extension
allows you to block WebGL via:
Options | Embeddings | "Forbid WebGL"
You can check out NoScript via
my recommended list of
Firefox add-ons at this link. -- Bike Bob]:
May 2011 Summary
( http://www.contextis.com/resources/blog/webgl/ )
WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape, especially when it could have a significant impact on our clients. We found that:
1. A number of serious security issues have been identified with the specification and implementations of WebGL.
2. These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
3. Additionally, there are other dangers with WebGL that put users' data, privacy and security at risk.
4. These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
5. Browsers that enable WebGL by default put their users at risk to these issues.
Targeted cyber attacks an 'epidemic'
By Maggie Shiels Technology reporter, BBC News, Silicon Valley
June 2, 2011
Security experts said spear phishing attacks were easy to perpetrate because of the amount of information people put on the internet about themselves on social networking sites such as Facebook and Twitter.
The mountain of data lets canny hackers piece together enough information to make e-mails they concoct appear convincing and genuine.
In this attack, some Gmail users received a message that looked like it came from a work colleague or was linked to a work project.
On Ms Parkour's site, she shows some of the spoof e-mails indicating how easy it was for people to be hoodwinked.
"It makes sense these bad guys would go that way given the amount of time, effort and investment they have to make in orchestrating an attack," said Dr Hugh Thompson, chief security strategist at People Security who also teaches at Columbia University.
People tend to trust messages that look like they come from people bearing details of where they last met or what they did, he said.
"I can then point you to a site that looks very much like Gmail and you are not going to question that because I already have your trust," he said.
Steve Durbin, head of the Information Security Forum, said phishing attacks were a well-established attack method and e-mail had long been a favourite among criminals keen to winkle out saleable data.
"Whether you are a government official with access to sensitive or secret information, or the average e-mail user, everyone must be on their guard and become more security savvy," he said. - http://www.bbc.co.uk/news/technology-13626104
from Popular Web Sites
New Study Finds
ScienceDaily (June 2, 2011)
A study of more than 100 popular web sites
used by tens of millions of people
has found that three quarters directly leak
either private information or users' unique identifiers
to third-party tracking sites.
The study, co-authored by Craig Wills,
professor of computer science
at Worcester Polytechnic Institute (WPI),
also demonstrated how the leakage
of private information by many sites,
including email addresses, physical addresses,
and even the configuration of a user's web browser
-- so-called browser fingerprints --
could permit tracking sites to link
many disparate pieces of information,
including browsing histories
contained in tracking cookies
and the contents of searches
on health and travel sites,
to create detailed profiles of individuals.
U.N. Report Declares Internet Access a Human Right - (June 3, 2011 - by David Kravets - Wired) - A United Nations report said Friday that disconnecting people from the internet is a human rights violation and against international law.
The report railed against France and the United Kingdom, which have passed laws to remove accused copyright scofflaws from the internet. It also protested blocking internet access to quell political unrest (.pdf). [The report states]:
While blocking and filtering measures deny users access to specific content on the Internet, states have also taken measures to cut off access to the Internet entirely. The Special Rapporteur considers cutting off users from internet access, regardless of the justification provided, including on the grounds of violating intellectual property rights law, to be disproportionate and thus a violation of article 19, paragraph 3, of the International Covenant on Civil and Political Rights.
The report continues:
The Special Rapporteur calls upon all states to ensure that Internet access is maintained at all times, including during times of political unrest. In particular, the Special Rapporteur urges States to repeal or amend existing intellectual copyright laws which permit users to be disconnected from Internet access, and to refrain from adopting such laws. - http://www.wired.com/threatlevel/2011/06/internet-a-human-right/
Are there lots of hacking groups?
(June 6, 2011 - BBC News/Technology)
They range from disinterested academics and professionals
through teenage trouble-makers to out-and-out criminals.
At one end of the scale are "white hat" hackers
who find vulnerabilities and inform website owners so they can fix them.
"Black hat" hackers represent the other extreme -
they are typically criminals or hackers working for criminals
looking to access information for profit.In the middle are "grey hat" hackers
who are generally intent on mischief making.
At the moment, LulzSec seems to fall into this category.
Is Your Mobile Phone Transmitting Your Private Information to Corporations? - (June 3, 2011 - Sarah Jaffe - AlterNet) - Our mobile phones and computers are storing and sharing more and more personal information--but do we have control over who sees it? - http://mcaf.ee/0qtjs
Careless Behaviour of Cloud Users Leads to Crucial Security Threats, Experts Find - ScienceDaily (June 20, 2011) — Scientists from the Darmstadt Research Center for Advanced Security (CASED) have discovered major security vulnerabilities in numerous virtual machines published by customers of Amazon's cloud. Among 1100 public Amazon Machine Images (AMIs), which are used to provide cloud services, about 30 percent are vulnerable, allowing attackers to manipulate or compromise web services or virtual infrastructures, the researchers say.
The main reason lies in the careless and error-prone manner in which Amazon's customers handle and deploy AMIs. CASED scientists have developed a vulnerability scanner for virtual machines that customers create to run on Amazon's infrastructure. It can be freely downloaded at http://trust.cased.de/AMID.
Cloud computing is becoming increasingly popular. More and more companies and private users are offering services in the cloud. While security experts have been mainly focusing on security aspects of the underlying cloud infrastructure and provider, it seems that in practice the threats caused by the cloud customers when constructing services are still underestimated or ignored. How severe the consequences resulting from wrong user behaviour can be, has now been shown by recent analysis carried out by the research group led by Prof. Ahmad-Reza Sadeghi at CASED.
…the scientists found that at least one third of the machines under consideration have flawed configurations. The research team could extract security critical data such as passwords, cryptographic keys and certificates from the analyzed virtual machines. Attackers can use such information to operate criminal virtual infrastructures, manipulate web services or circumvent security mechanisms such as Secure Shell (SSH).
"The problem clearly lies in the customers' unawareness and not in Amazon Web Services. We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations," emphasizes Prof. Sadeghi. …. - http://www.sciencedaily.com/releases/2011/06/110620095240.htm
Barcode? Passé. Here comes the QR. - (June 17, 2011 - by Shan Li - Los Angeles Times/MCT) - Barcode for the digital age: Quick Response codes are designed for smart phones. And they convey far more data than a barcode.
For privacy advocates, however, QRs are one more source of concern. That's because the codes don't just impart information, they can also collect data on where and when a QR was scanned. They can, in some cases, even latch on to the phone user's name, age and other personal information.
LOS ANGELES – Suddenly, they're popping up everywhere — those square, futuristic-looking matrixes that appear to be a cross between abstract art and Rorschach tests.
You'll find them in the corner of newspaper and magazine ads, in department store aisles, on product displays, price tags and For Sale signs in front of homes. Giant-size versions have shown up on billboards.
Called quick response codes, or simply QRs, they're the barcode for the digital age — but ones that convey far more information, and which can be scanned by consumers with smartphones and tablet computers to open a Web page, play a video or even place a call."Theoretically, over time companies can build up their database and amass a collection of information that leads to a profile of who I am and what I buy," said Julie Ask, a mobile marketing analyst at Forrester. - http://mcaf.ee/jrip5
How to Prevent a Gawker-Style Hack From Endangering You
How to Know if Hackers Have Stolen Your Password - June 23, 2011 - - Scientific American) - The reports on a easy-to-use web tool that a security professional has created that will check your email address against 13 different databases containing 800,000 email address/password combinations. Called, appropriately, "Should I Change My Password?", the site runs a simple search for your email in the known files.If you find daunting the idea of creating separate passwords for all of the dozens of online accounts you need to maintain, take the advice of Christopher Mims over at the blog: Set up four or five passwords, using one for all the low-security sites, another for any site that also has your credit card number, another for social networking, another for email, and the most secure for your banking sites. - http://www.scientificamerican.com/blog/post.cfm?id=how-to-know-if-hackers-have-stolen-2011-06-23
Net neutrality enshrined in Dutch law - (June 23, 2011 - AP - The Guardian/UK) - Netherlands becomes first European country to ensure web providers cannot charge more to access certain services - http://mcaf.ee/59emx
How Hacker Activists Are Risking Jail for Everyone's Right to Internet Freedom - (June 24, 2011 - By Julianne Escobedo Shepherd - AlterNet) - Since WikiLeaks, authorities have been more aggressive about arresting citizen cyber activists. Yet new actions by the biggest "hacktivists" show they're willing to risk it.As First Base Technologies' Peter Wood put it to the BBC on June 22, "I can't condone anyone breaking the law... but I do understand where they are coming from." Another way to look at it: "hacktivism" is the future of peaceful protest; these brave, super-smart cyber activists are defending all of our right to expression, defending our freedom on the battleground of now and the future. As more and more governments want to clamp down on the way we can use the internet, the best of the hacktivists are working on keeping it free. - http://tinyurl.com/629rcy8
Security researchers discover 'indestructible' botnet
Know Your Rights!
[Hopefully, the Firefox “compartmentalization”
is good news if it truly does result in
...(as noted below). -- Bike Bob]:
Says Joe Drew, who's working on Azure:
Firefox 4's graphics performance is great ...We're not content with "great", though, and our investigations into how to make drawing even faster have revealed that some of our choices in Gecko's graphics engine aren't optimal for performance.
Can We Trust
That Profit Off
You're The Product
(July 7, 2011 - by Carne Ross - Comment Is Free)
The fight to control
a political battle.
Hacked Hardware Has Been Sold in the U.S. - (July 11, 2011 - by Michael Moyer - Scientific American) - Last week, an official at the Department of Homeland Security (DHS) told a congressional panel that hardware sold in the U.S. has been compromised by foreign agents. According to a report at Fast Company:
When asked by Rep. [Jason] Chaffetz [R-UT] whether [acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg] Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that “I am aware of instances where that has happened,” after some hesitation.In other words, hardware manufactured abroad has been embedded with malicious code, a problem described last year in Scientific American by John Villasenor, a professor of electrical engineering at the University of California, Los Angeles. The design of modern integrated circuits has become so complex, says Villasenor, that malicious agents could insert unwanted instructions into the circuits at some point in the process. “Given the sheer number of people and complexity involved in a large integrated-circuit design, there is always a risk that an unauthorized outsider might gain access and corrupt the design without detection,” Villasenor writes. - http://mcaf.ee/yxjd9
Pentagon Makes Love, Not Cyber War, in New Strategy - (July 14, 2011 - by Noah Shachtman - Danger Room/Wired) - …the Pentagon strategy uses tones of cooperation, not confrontation, in the strategy it released today. “By sharing timely indicators about cyber events, threat signatures of malicious code, and information about emerging actors and threats, allies and international partners can increase collective cyber defense,” the document notes. “Cyberspace is a network of networks that includes thousands of ISPs [Internet Service Providers] across the globe; no single state or organization can maintain effective cyber defenses on its own.”
Yes, there are all kinds of bad guys out there on the internet, the strategy adds. But many of them are out for money, not for blood. “The tools and techniques developed by cyber criminals are increasing in sophistication at an incredible rate, and many of these capabilities can be purchased cheaply on the internet.” And the best way to stop these crooks is through strong passwords, up-to-date software, and keeping unclassified disks and drives off of secret systems. “Most vulnerabilities of and malicious acts against DoD systems can be addressed through good cyber hygiene,” document adds.
If there was a nod to the McConnell crowd — who’d like to “reengineer the internet” to make everyone trackable online — it was in the declaration that “DoD will pursue revolutionary technologies that rethink the technological foundations of cyberspace.” But the nod was a subtle one.
Behind closed doors, some Pentagon officials take a much harder line. There have been calls to massively shift Defense Department spending from defensive measures to online offense. Other countries — especially the Chinese, they believe — had infiltrated every corner of the military-industrial complex, and need to be shoved back. Every fresh online break-in brings a fevered call to declare the intrusion an “act of war.” - http://www.wired.com/dangerroom/2011/07/make-love-not-cyber-war/
24,000 Pentagon files stolen in major cyber breach, official says - (July 14, 2011 - By Jason Ukman and Ellen Nakashima - Washington Post) - The Defense Department lost 24,000 files to “foreign intruders” in the spring in what appears to be one of the most damaging cyberattacks to date on the U.S. military, a top Pentagon official acknowledged Thursday.
Deputy Defense Secretary William J. Lynn III, who disclosed the March breach during a speech to roll out the Pentagon’s new cyber strategy, said the files were taken from a defense contractor. He did not say who was believed to be behind the attack or describe the nature of the files that were stolen.
But Lynn said that, over the past few years, all manner of data has been stolen, some of it mundane, some of it concerning “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.”
“It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies,” Lynn said.
Last August, the Pentagon acknowledged for the first time that the U.S. military had suffered a major cyberattack in 2008 after malicious code was placed on a flash drive inserted into a U.S. military laptop. The code spread undetected on both classified and unclassified systems, “establishing what amounted to a digital beachhead,” Lynn wrote last year in an article for Foreign Affairs.
The Pentagon’s vast networks are believed to be the subject of malicious probing every day, but it is often difficult if not impossible to determine the identity of an attacker.
In a statement Thursday, Defense Secretary Leon Panetta said more than 60,000 “new malicious software programs or variations are identified every day threatening our security, our economy and our citizens.” - http://mcaf.ee/vsquz
“What Are We Capable Of ?”
A Message From
The “Anonymous” Hacktivists Group
(14 min. - YouTube audio/video)
Google-NSA Secrets Can Stay That Way, Judge Rules - Spy agency won't confirm or deny its dealings with Google - (July 15, 2011 - by Truman Lewis - Consumer Affairs) -
It might sound like tilting at windmills, but a privacy organization says it will appeal a federal judge's ruling that the super-secret National Security Agency (NSA) doesn't have to disclose its relationship with Google, or for that matter whether it has or ever has had such a relationship.
The Electronic Privacy Information Center (EPIC) began its quest for information following press reports that the NSA and Google had formed a partersnhip of some kind after hackers in China launched a cyber attack on the U.S. government in January 2010.
EPIC first filed a Freedom of Information Act (FOIA) request seeking any documents that would reveal whether NSA and Google were developing technical standards that would enable greater surveillance of Internet users.
Not surprisingly, NSA denied the request, saying it could neither confirm nor deny that any such documents existed.
EPIC said it plans to appeal the decision by U.S. District Court Judge Richard J. Leon, noting NSA's argument that revealing a relationship with Google could dissuade other companies from working with the agency in the future.
"This is a serious concern which … warrants finding for the NSA," Leon wrote.
EPIC says it is also seeking information from the NSA about Internet vulnerability assessments and its private findings on how its practices impact Internet privacy. EPIC also wants details about the NSA's "Perfect Citizen" program. - http://mcaf.ee/107tq
Little-known firms tracking data used in credit scores - (2011 - by Ylan Q. Mui - Washington Post) - [NOTE: ChoicePoint -- one of the "fourth bureau" companies highlighted in this Washington Post article -- was one of the private "proprietary" information/data aggregator companies to whom the Bush/Cheney admin "farmed out" services to get around Congressional proscriptions denying the authorization of the "Total Information Awareness" (TIA) program; which was spear-headed by Adm. John Poindexter (of “Watergate” noteriety). Bush/Cheney did their end-run around Congress by breaking the TIA (and the law!) into various "compartmentalized" components, such as the TALON program. --BikeBob]: - http://mcaf.ee/zcg1u
Spoofing services make mobile voicemail hacking easy
Welcome to the age of the splinternet
Apple Laptop Security Flaw Found In Computer Batteries - (July 27, 2011 - by Gerry Smith - TheHuffingtonPost) - A security researcher claims to have found a new security flaw in Apple laptops that could allow hackers to ruin laptop batteries, infect them with malware or potentially cause them to overheat and catch fire.
Charlie Miller, principal research consultant at Accuvant Labs, said he has found a way to manipulate chips embedded inside Apple laptop batteries.
The chip monitors the battery's temperature and level of charge, among other things. Those chips can be remotely controlled by hackers using a default password that Miller found on a website of the chip's creator, Texas Instruments. Apple never changed the default password, Miller said.
Miller's discovery, first reported by Forbes.com, is the latest potential security flaw found in Apple's product line. Earlier this month, security experts disclosed a bug in Apple's iOS operating system that could allow criminal hackers to gain remote access to iPhones, iPads and iPod Touch devices, Reuters reported. Apple said it is fixing that issue in an upcoming software update.
At the very least, Miller found he could ruin laptop batteries by altering the chip's code. Not wanting to set his home on fire, Miller stopped there. But he imagines darker possibilities for hackers if Apple does not fix the security flaw.
"I have full access to the battery and I can make any changes I want," Miller told The Huffington Post.
For example, hackers could install malware on the battery that would not be detected by anti-virus software because it would not appear on the hard drive, he said. The malware could attack the laptop's operating system again and again, even after the user installed a new hard drive.
"The battery would keep attacking it," he said. - http://mcaf.ee/132mu
Cyber Weapons: The New Arms Race
The Cybercrime Economy
Stegobot steals passwords from your Facebook photos - (July 29, 2011 - by Jacob Aron - NewScientist) - THINK twice before uploading your holiday pictures to Facebook - you could be helping someone to steal information from your computer. A botnet called Stegobot was created to show how easy it would be for a crook to hijack Facebook photos to create a secret communication channel that is very difficult to detect.
Like most botnets, Stegobot gains control of computers by tricking users into opening infected email attachments or visiting suspect websites. But rather than contacting the botmasters directly, it piggybacks on the infected user's normal social network activity. "If one of your friends is a friend of a friend of the botmaster, the information transfers hop by hop within the social network, finally reaching the botmasters," says Amir Houmansadr, a computer scientist at the University of Illinois at Urbana-Champaign who worked on the botnet.
Stegobot takes advantage of a technique called steganography to hide information in picture files without changing their appearance. It is possible to store around 50 kilobytes of data in a 720 by 720 pixel image - enough to transmit any passwords or credit card numbers that Stegobot might find on your hard drive.
The botnet inserts this information into any photo you upload to Facebook, and then waits for one of your friends to look at your profile. They don't even have to click on the photo, as Facebook helpfully downloads files in the background. If your friend is also infected with the botnet - quite likely, since any email you send them will pass it on - any photo they upload will also pass on the stolen data. - http://tinyurl.com/grlm746
NSA & Microsoft - The San Antonio Connection
The NSA’s new data-mining facility is one component of a growing local surveillance industry
[This article excerpt is from Dec. 3, 2008 issue of “San Antonio Texas Current.” Early that year, James Bamford -- author of non-fiction books on the NSA, such as, "The Puzzle Palace" and "The Shadow Factory" -- talked about this (see below) twice on NPR…on both "Fresh Air" and "The Diane Rehm Show." He emphasized that he considered the physical proximity of the NSA and Microsoft facilities as an ominous development. He also said that both the Microsoft and NSA facilities in San Antonio are HUGE...each covering at least a city block...purportedly to contain vast electronic storage-capacity facilities. --- Interestingly, this may have also been connected with Microsoft’s development of its “Bing” search-engine and its promotion of “cloud computing.”]:
Bamford writes about how NSA and Microsoft had both been eyeing San Antonio for years because it has the cheapest electricity in Texas, and the state has its own power grid, making it less vulnerable to power outages on the national grid. He notes that it seemed the NSA wanted assurance Microsoft would be here, too, before making a final commitment, due to the advantages of “having their miners virtually next door to the mother lode of data centers.” The new NSA facility is just a few miles from Microsoft's data center of the same size. Bamford says that under current law, NSA could gain access to Microsoft's stored data without even a warrant, but merely a fiber-optic cable.
“What the Microsoft people will have will be just storage of a lot of the email that is being sent. They keep this email — I don't know why — and there should be some legislation saying how long it should be kept,” said Bamford in a phone interview last week. “The post office doesn't keep copies of our letters when we mail letters; why should the telecom companies or the internet providers keep copies of our email? It doesn't make sense to me. But there's no legislation. So they need a place to store it, and that's where they're storing all this stuff.” - http://www2.sacurrent.com/news/story.asp?id=69607
Newspaper Uncovers Systemic Monitoring Plans of Public Online Sources - (August 4, 2011 - by Katitza Rodriguez - Electronic Freedom Foundation) - http://www.commondreams.org/view/2011/08/04-6
Researcher follows RSA hacking trail to China - Botnet expert spent months tracking malware's command-and-control servers in Beijing, Shanghai - (August 4, 2011 - by Gregg Keizer - Computerworld) - http://www.computerworld.com/s/article/9218857/Researcher_follows_RSA_hacking_trail_to_China?taxonomyId=82
Can Darpa Fix the Cybersecurity ‘Problem From Hell?’ - (August 5, 2011 - by Adam Rawnsley - Wired) - There are computer security threats — and then there are computer security nightmares. Put sabotaged circuits firmly in the second category. Last week, retired Gen. Michael Hayden, the former CIA and NSA chief, called the hazard of hacked hardware “the problem from hell.”
“Frankly, it’s not a problem that can be solved,” he added. “This is a condition that you have to manage.”
The Pentagon’s top research division is trying, however. Over the past two months, Darpa, has awarded nine contracts totaling $49 million for its Integrity and Reliability of Integrated Circuits (IRIS) program to check for compromised chips. Seven companies and two universities received the awards.
The Defense Department has been worried about foreign adversaries tampering with its hardware for a while now. The Pentagon now buys 1 percent of all the world’s integrated circuit production; America’s defense community simply uses too many to monitor them all. In 2005, a Defense Science Board report warned that foreign adversaries could slip back doors into chips(.pdf) destined for installation in important military gear.
The hacked circuits, the report said, could be tweaked to malfunction early or provide a de facto kill switch to a weapon system. - http://www.wired.com/dangerroom/2011/08/problem-from-hell/
CNN: Is Facebook
Bad For You?
(4-1/2 min. - YouTube audio/video)
The Terrible Truth
About Facebook -
Think you have any privacy
when it comes to a
social networking site?
Just take a look at who
has invested in the site
and open your eyes.
(4 min. - YouTube audio/video)
Smartphones are newest target of hackers - (August 8, 2011 - St. Louis Post-Dispatch/ Associated Press) - Last week, security researchers uncovered yet another strain of malicious software aimed at smartphones that run Google's popular Android operating system. The application not only logs details about incoming and outgoing phone calls, it also records those calls.
That came a month after researchers discovered a security hole in Apple Inc.'s iPhones, which prompted the German government to warn Apple about the urgency of the threat.
Security experts say attacks on smartphones are growing fast — and attackers are becoming smarter about developing new techniques.
Wrongdoers have infected PCs with malicious software, or malware, for decades. Now, they are fast moving to smartphones as the devices become a vital part of everyday life.
All at once, smartphones have become wallets, email lockboxes, photo albums and Rolodexes. And because owners are directly billed for services bought with smartphones, they open up new angles for financial attacks.The worst programs cause a phone to rack up service charges, record calls, intercept text messages and even dump emails, photos and other private content directly onto criminals' servers. - http://mcaf.ee/arhnx
Survey Finds Smartphone Apps Store Too Much Personal Data - (August 8, 2011 - by Mike Isaac - Wired) - An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners’ smartphones, according to a new survey of 100 consumer smartphone apps.
Some 76 percent of the apps tested stored cleartext usernames on the devices, and 10 percent of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.
Conducted by digital security firm ViaForensics, the testing occurred over a period of over eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market’s leading mobile platforms.
“If I get my hands on someone’s lost phone, it could take me ten minutes to find an account username and password,” said Ted Eull, techology services vice president at ViaForensics, in an interview.
ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies. - http://mcaf.ee/n1sj4
New Anti-Censorship Scheme Could Make It Impossible to Block Individual Sites - ScienceDaily (Aug. 10, 2011) — A radical new approach to thwarting Internet censorship would essentially turn the whole web into a proxy server, making it virtually impossible for a censoring government to block individual sites.
The system is called Telex, and it is the brainchild of computer science researchers at the University of Michigan and the University of Waterloo in Canada. They will present it Aug. 12 at the USENIX Security Symposium in San Francisco.
"This has the potential to shift the arms race regarding censorship to be in favor of free and open communication," said J. Alex Halderman, assistant professor of computer science and engineering at U-M and one of Telex's developers.
"The Internet has the ability to catalyze change by empowering people through information and communication services. Repressive governments have responded by aggressively filtering it. If we can find ways to keep those channels open, we can give more people the ability to take part in free speech and access to information." - http://www.sciencedaily.com/releases/2011/08/110810133023.htm
Lawmakers Call for Probe of Medical Devices After Researcher Hacks Insulin Pump - (August 19, 2011 - by Kim Zetter - Wired) - Two federal lawmakers have asked the General Accountability Office to look into the security of medical devices after a researcher showed how he was able to hack his insulin pump and alter settings due to security flaws in the system.
Earlier this month, Jay Radcliffe, a computer security professional who is also diabetic, showed how an attacker could remotely control insulin pumps to deliver too much or too little insulin to the individual wearing the device.
Radcliffe, who conducted the research on his own pump and delivered his findings at the Black Hat security conference in Las Vegas, said that because his insulin pump doesn’t encrypt communication or require authentication from the systems that communicate with it, an attacker can sniff the traffic to study how the devices communicate, then devise commands to inject into the communication traffic to alter the insulin dosage. He also found that he could control what information is fed to a diabetic’s blood sugar monitoring device so the individual would think he’s receiving the right amount of insulin when he’s not.
“My initial reaction was that this was really cool from a technical perspective,” Radcliffe told the Associated Press. “The second reaction was one of maybe sheer terror, to know that there’s no security around the devices which are a very active part of keeping me alive.”
He noted that many other medical devices that use wireless communication and allow for remote-control access could have the same vulnerabilities. - http://www.wired.com/threatlevel/2011/08/medical-device-security/
Revealed: Fake Facebook Identity Used By Military Contractors Plotting To Hack Progressive Organizations
When algorithms control the world - (Aug. 22, 2011 - If you were expecting some kind warning when computers finally get smarter than us, then think again. …our electronic overlords are already taking control…- http://www.bbc.co.uk/news/technology-14306146
Hackers steal SSL certificates for CIA, MI6, Mossad - Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue 'death sentence' - (September 4, 2011 - by Gregg Keizer - Computerworld)
Computerworld - The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.
The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to blocks all sites signed with the purloined certificates.
Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service. - http://www.computerworld.com/s/article/9219727/Hackers_steal_SSL_certificates_for_CIA_MI6_Mossad
Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500 - (September 8, 2011 - by Kim Zetter - Wired) - Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.
The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.
“Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”
Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name – as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden.
Kim and colleague Garrett Gee, who released a paper this week (.pdf) discussing their research, found that 30 percent, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, internet communication, media, aerospace, defense, and computer security.
The researchers also discovered that a number of doppelganger domains had already been registered for some of the largest companies in the U.S. by entities that appeared to be based in China, suggesting that snoops may already be using such accounts to intercept valuable corporate communications. - http://www.wired.com/threatlevel/2011/09/doppelganger-domains/
Now You Can Get Hacked by Your Mouse - (September 12, 2011 - by Roy Wood - Wired) - So, you’ve installed a reputable anti-virus package on the family computer, cranked up the security on your wifi router, adopted a smart strategy to keep track of your passwords, and educated the whole family on how to recognize phishing and harpoon scams.Your network and computer systems are now secure, and you can sit back and rest easy, right? RIGHT?
Sadly, computer security is an ongoing cat and mouse game between the hackers and the hackees, and you have to be ever vigilant. All it takes is one momentary lapse of judgment and your system can be infiltrated. ….
As the security guys like to say, security is an ongoing journey, not a destination. You have to keep up to date with the evolving risks, and continue to evolve your defenses accordingly. It’s not exactly fun, but there’s enough at stake that you can’t afford to get lazy or sloppy–ever. - http://www.wired.com/geekdad/2011/09/now-you-can-get-hacked-by-your-mouse/
How to Protect Your Smartphone From Malware
QR Tags Can Be Rigged to Attack Smartphones - A blogger has demonstrated how these innocuous tags can be made into cybercrime weapons - (Sept. 13, 2011 - by Matt Liebowitz and SecurityNewsDaily)
You've probably seen QR tags thousands of times, from advertisements in the subway to coupon flyer in the mail to products in the supermarket. They look like stamp-size bar codes, a grid of small black-and-white rectangles and squares, usually with bigger black squares in the corners.
A marketer's dream-come-true, these tiny images are capable of storing and transmitting loads of data directly to the smartphones of interested customers. When a person scans a QR tag with a smartphone, the tag can do any number of things, including taking the user right to the product's website.
But like any technology, they can also be manipulated to bite the hands — or phones — that feed them. On the mobile security blog Kaotico Neutral, researcher Augusto Pereyra demonstrated how these innocuous QR tags can be made into cybercrime weapons.
In his proof-of-concept hack, Pereyra took a QR tag he created from a free online tag creator and embedded in it the URL for an attack server called evilsite.dyndns.org. When the target smartphone scanned the tag, the browser was directed to the spoofed site and fed malware.
QR tags are touted for their convenience, but it's that same convenience — coupled with their increasing prevalence — that Pereyra believes could allow them to become dangerous attack vectors. Popular QR tag-scanning software, such as ScanLife, automatically takes mobile browsers to the site embedded within the tag, and while it makes the process quick, it does nothing for its safety."This is a serious problem since this is the equivalent of clicking a link with your eyes closed," Pereyra wrote. - http://www.scientificamerican.com/article.cfm?id=qr-tags-can-be-rigged-to
CIA's Next Mission is to Keep Prying Eyes Off Your Screen - (Sept. 14, 2011 - by John P. Mello Jr., PCWorld) - The CIA takes such a dim view of people peeking at computer displays while someone is working that the agency is investing in Oculis Labs, a company that makes software to prevent prying eyes from gleaning any information from computer screens.
The spy agency is investing in Oculis through a nonprofit investment company called In-Q-Tel that was chartered in 1999 by a group of private citizens at the request of the director of the CIA and with the support of Congress. It was launched in response to the agency's desire to increase its access to private sector innovation.
In a statement announcing its partnership in Oculis, In-Q-Tel said it was making a "strategic investment" in the software maker. The amount of that investment wasn't revealed.
"Oculis Labs is an important addition to our investment portfolio and we are excited about this technology's ability to address a critical need in information security, protecting the last two feet of the network," T.J. Rylander, a partner on In-Q-Tel's investments team, said in a statement. "Oculis Labs' technologies offer a vital new capability in securing computer systems against a wide range of insider and outsider threats."
Oculis makes both a consumer and military version of software products. The consumer offering, called PrivateEye ($1.99), uses a webcam and facial recognition software to blur your computer screen when you walk away from it or turn your head to talk to someone behind you. It will also detect someone approaching you from behind as far as 10 feet away and obscure your display as they get closer. - http://mcaf.ee/3c9px
Law Enforcement Appliance Subverts SSL - (March 24, 2010 - by Ryan Singel - Wired) - Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said. - http://mcaf.ee/teabs
Fear of Repression Spurs Scholars and Activists to Build Alternate Internets - (Sept. 18, 2011 - by Jeffrey R. Young - The Chronicle of Higher Education/Wash. D.C.) - Protecting Privacy…Mr. Moglen, the [Columbia U.] law professor. He's leading the development of a device called the Freedom Box, and though it doesn't look like much—a gadget the size of a paperback book—he believes that it would be able to help Internet users preserve their privacy.
The concept: It's a personal server, which automatically scrambles digital data to make them harder for unauthorized people to intercept. The idea is to create a personal "cloud," or online storage space, for data before the information is sent to standard e-mail or Web services.
Mr. Moglen and a team of programmers are developing the software under the auspices of the FreedomBox Foundation, a nonprofit organization, and plan to release it under an open license that lets anyone use and modify it. The initial Freedom Box code is expected to hit the Web in the next week or two, although it is more of a framework for developers at this point and lacks most of the planned features.
For Mr. Moglen the work is part of a longtime mission. The Chronicle profiled him several years ago, soon after he founded the Software Freedom Law Center and published what he called The dotCommunist Manifesto.
In the manifesto, he argues that all software should be developed by groups under free licenses rather than by companies out to make profit. Critics have called his approach extreme and unworkable, but in some areas open-source software has gained ground in recent years."The Net we have is increasingly monitored, measured, and surveilled everywhere by everybody all the time, or at least by somebody who's doing it for somebody else and would answer a subpoena if they got one," he argued at a conference this year. "Our Net has been turned against us." - http://mcaf.ee/rnf07
Diebold voting machines can be hacked by remote control - Exclusive: A laboratory shows how an e-voting machine used by a third of all voters can be easily manipulated - (Sept. 27, 2011 - By Brad Friedman - Salon.com) - It could be one of the most disturbing e-voting machine hacks to date.
Voting machines used by as many as a quarter of American voters heading to the polls in 2012 can be hacked with just $10.50 in parts and an 8th grade science education, according to computer science and security experts at the Vulnerability Assessment Team at Argonne National Laboratory in Illinois. The experts say the newly developed hack could change voting results while leaving absolutely no trace of the manipulation behind.
"We believe these man-in-the-middle attacks are potentially possible on a wide variety of electronic voting machines," said Roger Johnston, leader of the assessment team "We think we can do similar things on pretty much every electronic voting machine." - http://www.salon.com/news/politics/elections/2011/09/27/votinghack/index.html
[This obviously is the reason why -- a few years ago -- there was a push on by cell phone service providers (in "the service" of the government?) to get folks to upgrade their analog mobile phones to newer digital models. The newer cell phones were required -- by government edict -- to be manufactured with GPS-tracking chips preinstalled. The official explanation for that requirement was to enable "911" call-tracking. Also, the newer cell phones are "always on" -- even when they are supposedly "turned off." That, too, was supposed to facilitate "emergency" GPS-location tracking. Unless you physically remove the battery from your cell phone, the 24/7 whereabouts of your cell phone is always known. --Bike Bob]:
'Stingray' Phone Tracker Fuels Constitutional Clash - (Sept. 22, 2011 - by Jennifer Valentino-Devries - Wall Street Journal) - Stingrays are designed to locate a mobile phone even when it's not being used to make a call. The Federal Bureau of Investigation considers the devices to be so critical that it has a policy of deleting the data gathered in their use, mainly to keep suspects in the dark about their capabilities, an FBI official told The Wall Street Journal in response to inquiries.
A stingray works by mimicking a cellphone tower, getting a phone to connect to it and measuring signals from the phone. It lets the stingray operator "ping," or send a signal to, a phone and locate it as long as it is powered on, according to documents reviewed by the Journal. The device has various uses, including helping police locate suspects and aiding search-and-rescue teams in finding people lost in remote areas or buried in rubble after an accident. - http://mcaf.ee/qpjkb
Watch out for fake virus alerts - (Microsoft Safety & Security Center - PC Security)
Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.
How does rogue security software get on my computer?
Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web.
The "updates" or "alerts" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer.
Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer.
What does rogue security software do?
Rogue security software might report a virus, even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Inversely, sometimes, when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect.
Some rogue security software might also: - http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx
How to Avoid Scareware - (Dec. 8, 2010 - by Neil J. Rubenking - PC Magazine) - If you're fooled by a rogue security program, you pay good money for nothing, miss out on actual security, and give your credit card info to shady characters. Here's how to avoid being duped. - http://www.pcmag.com/article2/0,2817,2373975,00.asp
The 'Worm' That Could Bring Down The Internet - (43 min. - audio) - (Sept. 27, 2011 - Fresh Air - WHYY/NPR) - For the past three years, a highly encrypted computer worm called Conficker has been spreading rapidly around the world. As many as 12 million computers have been infected with the self-updating worm, a type of malware that can get inside computers and operate without their permission.
"What Conficker does is penetrate the core of the [operating system] of the computer and essentially turn over control of your computer to a remote controller," writer Mark Bowden tells Fresh Air's Terry Gross. "[That person] could then utilize all of these computers, including yours, that are connected. ... And you have effectively the largest, most powerful computer in the world."
The gigantic networked system created by the Conficker worm is what's known as a "botnet." The Conficker botnet is powerful enough to take over computer networks that control banking, telephones, security systems, air traffic control and even the Internet itself, says Bowden. His new book, Worm: The First Digital World War, details how Conficker was discovered, how it works, and the ongoing programming battle to bring down the Conficker worm, which he says could have widespread consequences if used nefariously.
"If you were to launch with a botnet that has 10 million computers in it — launch a denial of service attack — you could launch a large enough attack that it would not just overwhelm the target of the attack, but the root servers of the Internet itself, and could crash the entire Internet," he says. "What frightens security folks, and increasingly government and Pentagon officials, is that a botnet of that size could also be used as a weapon." -
Facebook Keeps A History Of Everyone Who Has Ever Poked You, Along With A Lot Of Other Data - (Sept. 27, 2011 - Kashmir Hill, Forbes Staff - Forbes) - http://mcaf.ee/p9hd4
Cloud-Powered Facial Recognition Is Terrifying - (Sept. 29, 2011 - by Jared Keller - The Atlantic Monthly) - By harnessing the vast wealth of publicly available cloud-based data, researchers are taking facial recognition technology to unprecedented levels
…a new application developed by Carnegie Mellon University's Heinz College that's designed to take a photograph of a total stranger and, using the facial recognition software PittPatt, track down their real identity in a matter of minutes. Facial recognition isn't that new -- the rudimentary technology has been around since the late 1960s -- but this system is faster, more efficient, and more thorough than any other system ever used. Why? Because it's powered by the cloud.
The logic of the new application is based on a series of studies designed to test the integration between facial recognition technology and the wealth of data accessible in the cloud (by which we basically mean the Internet). ….
Naturally, the development of such software inspires understandably Orwellian concerns. Jason Mick at DailyTech notes that PittPatt started as a Carnegie Mellon University research project, which spun off into a company post 9/11. "At the time, U.S. intelligence was obsessed with using advanced facial recognition to identify terrorists," writes Mick. "So the Defense Advanced Research Projects Agency (DARPA) poured millions into PittPatt." While Google purchased the company in July, the potential for such intrusive technology to be used against law-abiding citizens is cause for concern.
While private organizations may vie for a piece of PittPatt's proprietary technology for marketing or advertising purposes, the idea that such technology could be utilized by a tech savvy member of the public towards criminal, fraudulent, or extralegal ends is as alarming as the potential for governmental abuse. - http://mcaf.ee/en5l4
proprietary public front.
(Do you know
the wind blows?
They apparently do!)
[ link ]
Exclusive: Computer Virus Hits U.S. Drone Fleet - (Oct. 7, 2011 - by Noah Shachtman - Wired) - http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
Cyber Threats Forecast for 2012 Released - ScienceDaily (Oct. 11, 2011) — The year ahead will feature new and increasingly sophisticated means to capture and exploit user data, as well as escalating battles over the control of online information that threatens to compromise content and erode public trust and privacy. Those were the findings announced by the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) in today's release of the Georgia Tech Emerging Cyber Threats Report for 2012. The report was released at the annual Georgia Tech Cyber Security Summit, a gathering of industry and academic leaders who have distinguished themselves in the field of cyber security.
According to GTISC, GTRI and the experts cited in the report, specific threats to follow over the coming year include, among others:Search Poisoning -- Attackers will increasingly use SEO [Search Engine Optimization] techniques to optimize malicious links among search results, so that users are more likely to click on a URL because it ranks highly on Google or other search engines.
Mobile Web-based Attacks -- Expect increased attacks aimed specifically against mobile Web browsers as the tension between usability and security, along with device constraints (including small screen size), make it difficult to solve mobile Web browser security flaws.
Stolen Cyber Data Use for Marketing -- The market for stolen cyber data will continue to evolve as botnets capture private user information shared by social media platforms and sell it directly to legitimate business channels such as lead-generation and marketing. - http://www.sciencedaily.com/releases/2011/10/111011132050.htm
Meet In-Q-Tel, the CIA’s Venture Capital Firm - (Oct. 9, 2011 - by James Corbett - The Corbett Report) - [Transcript:] - Gainspan Corporation manufactures low power Wi-Fi semiconductors that form the heart of modern remote sensing, monitoring and control technologies.
Recorded Future Inc. is a Massachusetts web startup that monitors the web in real time and claims its media analytics search engine can be used to predict the future.
The common denominator? All of these companies, and hundreds more cutting edge technology and software startups, have received seed money and investment funding from In-Q-Tel, the CIA’s own venture capital firm.
Welcome, this is James Corbett of The Corbett Report with your Eyeopener Report for BoilingFrogsPost.com
Publicly, In-Q-Tel markets itself as an innovative way to leverage the power of the private sector by identifying key emerging technologies and providing companies with the funding to bring those technologies to market.
In reality, however, what In-Q-Tel represents is a dangerous blurring of the lines between the public and private sectors in a way that makes it difficult to tell where the American intelligence community ends and the IT sector begins.In-Q-Tel has generated a number of stories since its inception based on what can only be described as the “creepiness” factor of its investments in overtly Orwellian technologies. - http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/
Internet Security: Researchers Break W3C Standard - ScienceDaily (Oct. 19, 2011) — Standards are supposed to guarantee security, especially in the WWW. The World Wide Web Consortium (W3C) is the main force behind standards like HTML, XML, and XML Encryption. But implementing a W3C standard does not mean that a system is secure. Researchers from the chair of network and data security have found a serious attack against XML Encryption. "Everything is insecure," is the uncomfortable message from Bochum. - http://www.sciencedaily.com/releases/2011/10/111019104907.htm
that were effected
by the malware infection
of RSA’s “SecureID”!
Social networking surveillance: trust no one - (August 12, 2011 - by Dan Gillmor - The Guadian) - Governments will always try to monitor citizens' 'secure' communications – and corporations will always help them - http://www.guardian.co.uk/commentisfree/cifamerica/2011/aug/12/social-networking-surveillance
Your phone company is selling your personal data - (November 1, 2011 - Your phone company knows where you live, what websites you visit, what apps you download, what videos you like to watch, and even where you are. Now, some have begun selling that valuable information to the highest bidder. - http://money.cnn.com/2011/11/01/technology/verizon_att_sprint_tmobile_privacy/index.htm
Screen-spy program can read texts and emails - (November 2, 2011 - by Melissae Fellet - NewScientist) - NEXT time you're tapping off a private text message or sensitive email in a public place, consider this: someone could be reading every letter you type from up to 60 metres away.
"We can be in the second floor of a building and read a phone on the ground," says computer vision researcher Jan-Michael Frahm, of the University of North Carolina at Chapel Hill.Frahm and Fabian Monrose, also of UNC-Chapel Hill, have built a program, dubbed iSpy, that can identify text typed on a touchscreen from video footage of the screen or even its reflection in windows or sunglasses. Video from an ordinary mobile phone camera can be used to spy on a person from 3 metres away. And a snoop with a digital SLR camera that shoots HD video could read a screen up to 60 metres away. - http://tinyurl.com/zx562qe
Block scripts in Firefox
The NoScript add-on
will give you
some extra control
and protection against
(2-1/2 min. - YouTube audio/video)
DARPA Begs Hackers: Secure Our Networks, End ‘Season of Darkness’ - (November 7, 2011 - by Spencer Ackerman - Wired) - The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: Could you help them out?Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks. The Pentagon can’t defend those networks on its own, the agency admitted. - http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity/
Online Security: Rising Danger - (December, 2011 - by Eric Geier - PCWorld) - From mobile malware to social networking attacks, threats to your security and privacy will only grow…Computer security involves more than installing an antivirus utility on your PC. Malicious hackers are on a mission to steal money and wreak havoc, and they’ll do it by any means possible. The growing number of mobile devices, such as phones and tablets, and the popularity of social networks give them new avenues in which to expand their cybercrime. - http://mcaf.ee/6dknp
This 28-Year-Old Is Making Sure Credit Cards Won't Exist In The Next Few Years - (November 10, 2011 - by Alyson Shontell - San Francisco Chronicle) - There's a tiny 12-person startup churning out of Des Moines, Iowa that most people have never heard of.Dwolla was founded by 28-year-old Ben Milne, and it's an innovative new way of thinking about online payments that sidesteps credit cards completely. - http://mcaf.ee/54way
Mobile ‘Rootkit’ Maker Tries to Silence Critical Android Developer - (November 22, 2011 - by David Kravets - Wired) - A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.
Though the software is installed on millions of Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent.
Eckhart called the software a “rootkit,” a security term that refers to software installed at a low-level on a device, without a user’s consent or knowledge in order to secretly intercept the device’s workings. Malware such as keyloggers and trojans are two examples. - http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/
Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything - (November 29, 2011 - by David Kravets - Wired) - The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.
Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience — ostensibly so carriers and phone manufacturers can do quality control.
But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.
Eckhart labeled the software a “rootkit,” and the Mountain View, California-based software maker threatened him with legal action and huge money damages. The Electronic Frontier Foundation came to his side last week, and the company backed off on its threats. The company told Wired.com last week that Carrier IQ’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”
The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.
In a Thanksgiving post, we mentioned this software as one of nine reasons to wear a tinfoil hat.
The video shows the software logging Eckhart’s online search of “hello world.” That’s despite Eckhart using the HTTPS version of Google which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google.
Cringe as the video shows the software logging each number as Eckhart fingers the dialer.
“Every button you press in the dialer before you call,” he says on the video, “it already gets sent off to the IQ application.”
From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.
By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ. - http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
Printers Can Be Hacked to Catch on Fire - (November 29, 2011 - by Paul Wagenseil and SecurityNewsDaily - Scientific American) - These devices are completely open and available to be exploited, a researcher says
Two researchers at Columbia University in New York say they've found a flaw in ordinary office printers that lets hackers hijack the devices to spy on users, spread malware and even force them to overheat to the point of catching fire.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," Salvatore Stolfo, the Columbia professor overlooking the research, said to MSNBC's Bob Sullivan, who first reported the story.
Stolfo and his fellow researcher Ang Cui sent a Hewlett-Packard LaserJet printer various bogus firmware updates. One made the fuser overheat, causing the paper in the printer to yellow and smoke until the machine shut down.
When a tax return was sent to the printer as a print job, another bogus update secretly forwarded the document, complete with Social Security numbers, to a second computer.
"The research on this is crystal clear," Stolfo said. "The impact of this is very large. These devices are completely open and available to be exploited." - http://www.scientificamerican.com/article.cfm?id=printers-can-be-hacked-to-catch-fire
The Department Of Homeland Security Wants All The Information It Has On You Accessible From One Place - (11/29/2011 - by Kashmir Hill - Forbes Staff ) - http://mcaf.ee/7cf4z
BFP Report: Meet the Department of Homeland Security’s ‘Distinguished’ Privacy Advisory Committee Members
Wikileaks Julian Assange tells iPhone, Blackberry and Gmail users: "You're all screwed." - (December 12, 2011 - By Mirror.co.uk) - The whistle-blowing website has released details of companies it says are selling information obtained by monitoring people's mobile phones and computers.
According to Mr Assange, more than 150 organisations around the world have the ability to use phones as tracking devices as well as intercept messages and listen to calls.
Those companies then sell the wholesale information, often the telecommunications data of "entire populations".
He told a press conference at City University in London that the publication of the "Spy Files" is a "mass attack on this mass surveillance industry".
The 40-year-old asked the audience of students and press: "Who here has an iPhone? Who here has a BlackBerry? Who here uses Gmail?
"Well, you're all screwed.
"The reality is, intelligence contractors are selling right now to countries across the world mass surveillance systems for all those products."
Mr Assange said this interception, although lawful, is leading towards a "totalitarian surveillance state".
WikiLeaks is releasing 287 documents today, in conjunction with website spyfiles.org.
Mr Assange said the US, UK, Australia, South Africa and Canada are all developing the "spying systems", and the information is being sold to "dictators and democracies alike".
He said: "Today we release over 287 files documenting the reality of the international mass surveillance industry - an industry which now sells equipment to dictators and democracies alike in order to intercept entire populations."
The Australian national said the surveillance industry has grown over the last 10 years from "a covert, very secretive, small industry" to one involving 160 companies and 25 countries.
"There is an international corporatised mass surveillance industry," he said. - http://mcaf.ee/qo0j6
Is Carrier IQ’s Data-Logging Phone Software Helpful or a Hacker’s Goldmine? - (December 3, 2011 - Controversy over what else the company could do with the information it gathers arose a few weeks ago, when software developer Trevor Eckhart pointed out on his Android Security Blog that Carrier IQ can tap into a variety of information stored on a handset, including “manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device.” Eckhart, who claims to have obtained this information from a Carrier IQ patent filing, then tested the software for himself.
Eckhart’s subsequent claims that Carrier IQ is a “rootkit” that logs mobile phone users’ activity and location prompted the company to obtain a cease-and-desist order, which was later rescinded when Eckhart retained the Electronic Frontier Foundation. Rootkit is a loaded cyber-security term referring to keylogging, trojan or other software installed without a user’s consent or knowledge for the purpose of tracking activity on that device. More recently, software developer Grant Paul (a.k.a. chpwn) claimed that Carrier IQ is installed on iPhones as well the Android, Blackberry and Nokia phones originally identified by Eckhart. Apple has since distanced itself from Carrier IQ, as Macworld.com noted on Thursday.
More disconcerting than the evidence that Carrier IQ is collecting sensitive data is the lack of evidence that the company knows how to protect that data, says Chris Soghoian, a privacy and security researcher at the School of Informatics and Computing at Indiana University Bloomington. “You have this application running on your phone with basically full privileges—able to access users’ e-mails, phone calls, location information, text messages and photographs—and it’s just sitting there,” he adds. “Even if you believe that Carrier IQ is well-intentioned or believe that the carriers are not receiving this information, you still have a security crisis just waiting to happen when a hacker figures out how to exploit this information. This is an absolute gold mine for hackers or intelligence agencies or law enforcement.”
The notion that spy agencies or law enforcement could take advantage of Carrier IQ to access private information is particularly relevant given the California Supreme Court case earlier this year that awarded police the authority to search mobile phones without a warrant.
Carrier IQ’s software is like “a gremlin living inside your phone that has the capability to report back to someone else if asked to do so,” says Soghoian, who is also a graduate fellow at the Indiana University’s Center for Applied Cybersecurity Research. Despite Carrier IQ’s claims that it is working to improve network performance for callers, Soghoian adds, the company is hired by the carrier and the performance improvements are only a marginal aspect of what the collected user data could be used to do. - http://mcaf.ee/njb5k
Assange on mass surveillance:
'You are all screwed!'
(1 min. - YouTube audio/video)
(3-3/4 min. - YouTube audio/video)
Security Alert: Practical advice for protecting your PC and your privacy
Scareware has gone mobile: Users of Android devices are starting to see sleazy ads warning that they need to upgrade their device's battery. The supposed battery-saver apps that those ads prod you to download, however, could endanger your privacy or siphon money from your wallet--and generally they'll do nothing to improve your gadget's battery life, security experts say.
In some cases you don't even need to agree to download the apps. For example, PCWorld spotted one ad on an Android phone for a battery utility called Battery Upgrade. Tapping the ad--even by accident--launches the phone's Web browser, which automatically initiates the download of the app's installer file on the Android device.
"These ads cross a line," says Andrew Brandt, director of threat research for Solera Networks. It's one thing to market a worthless battery app, he says, but another to scare or trick people into installing a program they don't need.
The ads are similar to scareware marketing tactics that have appeared on PCs: Such ads pop up on desktops or laptops, warning that your computer is infected and advising you to download a program to fix the problem. In many cases those rogue system utilities and antivirus products are merely disguises for software that spies on users. - http://www.pcworld.com/article/241967
Carrier IQ Explains Secret Monitoring Software to FTC, FCC - (December 14, 2011 - by David Kravets - Wired) - The software maker said the data it vacuums to its servers from handsets is vast -- as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, the company said, the software is logging every keystroke. - http://mcaf.ee/3hfm6
American Companies Providing Technology Helping Repressive Regimes (& the U.S. Gov’t.) Spy On Protestors - (31 min. audio) - (Dec. 14, 2011 - Fresh Air/NPR) - journalist Ben Elgin talks about a Bloomberg News series, "Wired for Repression," which details how Western companies are selling surveillance technology to regimes including Iran, Syria, Bahrain and Tunisia.
Those regimes have then used the information obtained from those technologies to torture protesters and dissidents, Elgin tells Fresh Air contributor Dave Davies.
The surveillance industry is booming, Elgin says, with some analysts estimating that the sector brings in between $3 billion and $5 billion a year. A recent surveillance trade show — which is not open to the public — was attended by 1,300 people, with representatives from 35 U.S. federal agencies."Some of the sessions at these shows are just remarkable," Elgin says. "They do publish the agenda online so you can see the types of things that they talk about. In an upcoming show in Dubai in February, there's a session on government IT hacking, on how governments can essentially penetrate the computers or cellphones of would-be targets — their citizens. ..." - http://www.npr.org/2011/12/14/143639670/
Some Facts About Carrier IQ - (Dec. 13, 2011 - by Peter Eckersley - Electronic Frontier Foundation) - https://www.eff.org/deeplinks/2011/12/carrier-iq-architecture
Cell phones are 'Stalin's dream,' says free software movement founder - (March 14, 2011 - by Jon Brodkin - Network World) - Richard Stallman: iPhones and Androids are 'Big Brother' tracking devices
Nearly three decades into his quest to rid the world of proprietary software, Richard Stallman sees a new threat to user freedom: smartphones.
"I don't have a cell phone. I won't carry a cell phone," says Stallman, founder of the free software movement and creator of the GNU operating system. "It's Stalin's dream. Cell phones are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop."
Stallman firmly believes that only free software can save us from our technology, whether it be in cell phones, PCs, tablets or any other device. And when he talks about "free," he's not talking about the price of the software -- he's talking about the ability to use, modify and distribute software however you wish. - http://www.networkworld.com/news/2011/031411-richard-stallman.html
Screen-spy program can read texts and emails - (November 2, 2011 - by Melissae Fellet - New Scientist) - NEXT time you're tapping off a private text message or sensitive email in a public place, consider this: someone could be reading every letter you type from up to 60 metres away. - http://mcaf.ee/ki4yl
Disable AND Remove
If you're using Mozilla's Thunderbird e-mail client, take note:
It includes -- enabled by default -- a type of spyware called "Test Pilot."
Test Pilot supposedly "reports" back what/how users do in/with Thunderbird.
Presumably, Test Pilot is likely not as bad as Carrier IQ
(which logs users each and every keystroke, etc.)
Test Pilot effectively is spyware, though.
Test Pilot first appeared in version #9 of Thunderbird.
You can check your current version of Thunderbird
by clicking "Help" in the toolbar
and then choosing "About Thunderbird."
Here's what you can do to avoid
Test Pilot's phone-home “performance” reporting:
In Thunderbird, click "Tools," and then choose "Add-Ons."
Make sure the “Extensions” category is open, and then scroll down to "Test Pilot."
You then need to perform TWO operations on Test Pilot:
First, click on "Disable," then "Restart now."
Second, after Thunderbird re-starts,
go through the same above process,
but this time finally choose "Remove" (Test Pilot);
and then, close and restart Thunderbird one more time.
Just in case, in the future,
with each successive Thunderbird version upgrade,
I'd be on the alert and double check Add-Ons (again, via "Tools")
to see if Test Pilot sneaks back in again.
BTW...once you have removed Test Pilot,
it's still "made available" as a stand-alone add-on
that you could choose to reinstall.(Yeah, right...like I'm going to voluntarily choose to be spied upon! -- Bike Bob)
Tweeting the word 'drill' could mean your Twitter account is read by U.S. government spies - (December 28, 2011 - by Rob Waugh - Daily Mail/UK) - The Department of Homeland Security makes fake Twitter and Facebook profiles for the specific purpose of scanning the networks for 'sensitive' words - and tracking people who use them.
Simply using a word or phrase from the DHS's 'watch' list could mean that spies from the government read your posts, investigate your account, and attempt to identify you from it, acccording to an online privacy group.
The words which attract attention range from ones seemingly related to diseases or bioweapons such as 'human to animal' and 'outbreak' to other, more obscure words such as 'drill' and 'strain'.
The DHS also watches for words such as 'illegal immigrant'.
The DHS outlined plans to scans blogs, Twitter and Facebook for words such as 'illegal immigrant', 'outbreak', 'drill', 'strain', 'virus', 'recovery', 'deaths', 'collapse', 'human to animal' and 'trojan', according to an 'impact asssessment' document filed by the agency.When its search tools net an account using the phrases, they record personal information. - http://mcaf.ee/5cy9z
New PC virus doesn't just steal your money - it creates fake online bank statements so you even don't know it's gone - (January 6, 2012 - by Rob Waugh - Daily Mail/UK) - Crimeware steals passwords from your browser. Cyber criminals use your debit card details to drain your account. When you visit your bank, it adjusts figures so the criminal transactions don't appear. Attack has been used in U.S. and UK. - http://mcaf.ee/7cjwz
How SOPA [Stop Online Piracy Act] would affect you: FAQ - (December 21, 2011 - by Declan McCullagh - CNET) - http://news.cnet.com/8301-31921_3-57329001-281/how-sopa-would-affect-you-faq/
(4-1/2 min. - video)
Long-time Computer Security Guru Steve Gibson Speaks Out On The Major Threat To Internet Security By Ongoing Government Attempts At Online Censorship!
[Here is the pertinent excerpt (bold emphasis added) from the recent (Wed., Jan. 18, 2011) weekly episode (#336) of Steve Gibon’s “Security Now!” podcast. --- (NOTE: Steve Gibson is THE computer security expert who first discovered -- and coined the terms for -- “spyware”; he then wrote the first computer security defense programs to combat same.) --- The URLs for the podcast (free downloadable .mp3 file) and free transcript follow the excerpt. --Bike Bob]:
STEVE [GIBSON]: …let's talk about DNSSEC [Domain Name System Security]...
LEO [LaPorte]: …the SOPA [Stop Online Piracy Act] protests. These bills, SOPA in the House and IP Protect Act, or PIPA, Protect IP Act, in the Senate, and other bills like it around the world, one of the features of them is that they modify DNS. They allow the government to say "Take this website off DNS," the presumption being these are pirate sites, and we're going to take them down.
STEVE: Well, essentially, what they're trying to do is to legislate spoofing of DNS. They're wanting ISPs to redirect people to a different website than their actual target. And how many times in this podcast have we talked about the security problems associated with spoofing DNS? That's a big problem. [Example: Rouge websites that “spoof” well-known banking websites. --Bike Bob] And what DNSSEC, that is to say, DNS Security, does is it signs DNS records so that spoofing can be prevented. So it adds a layer, I mean a valuable layer, of true security.
…So essentially what happened was, in response to this call for breaking DNS by legislatively requiring that DNS be spoofed, the real engineer techies of the Internet said, wait a minute, we've been working now for quite a while to prevent exactly what you're suggesting you're going to require by law, and it breaks the Internet security. And it absolutely does. ….
…the entire DNS system is in the clear [meaning: unencrypted] right now with no protection. So what we're moving towards is providing for the first time the ability to cryptographically sign and verify that the DNS record that arrives at our computer is the one that the owning DNS server sent, and that the technology will absolutely prevent that from being tampered with. Yet what this legislation would do would be to break what we're heading towards and just arbitrarily say, oh, you asked for this URL. We're going to give you a different IP to redirect you to a page that says we're sorry, service has been suspended because that site is believed to be a pirate site. And that breaks DNS.
LEO: Well, there you have it, if you needed another reason to not like this. ….
Security Now!: http://www.grc.com/securitynow.htm
“Security Now!” Episode #336 (Free .mp3 file): http://media.GRC.com/sn/SN-336.mp3
“Security Now!” Episode #336 (Free transcript): http://www.grc.com/sn/sn-336.txt
Could the Internet Ever Be Destroyed?January 20, 2012 - The coming threats to the global Internet could take many formsThe redundancy of so much online content and of connectivity routes makes the Internet resilient to physical attacks, but a much more serious threat to its status quo existence is government regulation or censorship. - http://www.scientificamerican.com/article.cfm?id=could-internet-ever-be-destroyed
Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software - (January 19, 2012 - by Kim Zetter - Wired) - http://www.wired.com/threatlevel/2012/01/scada-exploits
Anonymous Tricks Bystanders Into Attacking Justice Department - (January 20, 2012 - by Quinn Norton - Wired) - http://www.wired.com/threatlevel/2012/01/anons-rickroll-botnet/
The Threat of Deep Packet Inspection - (Excerpt from the “PRIVACY WATCH” column by Alex Wawro on page 38 in the February, 2012, issue of “PC World Magazine”)
Bills in Congress like SOPA [Stop Online Piracy Act] and the Protect IP Act may require your ISP to start monitoring your online activity.
…. But if your Internet service provider becomes legally obligated to prevent you from accessing restricted websites, it might use deep packet inspection tools to keep tabs on you.
Absent legal restrictions, however, your ISP can root through all the information you exchange online, perhaps selling your age, location, shopping records, and other personal data in anonymized batches to advertising companies. And, law enforcement can monitor and curtail your Net access without your knowledge.
Better Business Bureau issues warning about e-reader scams - (Jan. 23, 2012 - by Grant Bissell - KSDK-TV/St. Louis, MO) - …the Better Business Bureau is warning scammers are using e-readers to rip you off.
E-readers work a little differently than a regular computer, but they're not immune from scams designed to steal your credit card information.
Chris Thetford of the St. Louis BBB says it all starts with what you download.
"Consumers need to be very careful with what they bring into their e-book reader to make sure that what they're getting is actually the book rather than some sort of malware or some sort of virus which can get in and get their financial information like their credit card number stored on the e-book reader," said Thetford.
Those problem programs are all over the internet. A quick search for "free e-books" turned up more than 265,000 results. The lure of getting a best-seller for free could be hard to resist, but Thetford says offers for free e-books, especially from unknown sites, should be a red flag.
"You want to do your homework to make sure you are dealing with someone you can trust, because it's a financial transaction just like any other financial transaction that you might do electronically," he said.
The bottom line: only download from trustworthy places. If you have doubts, check out blogs and web pages for recommendations from other consumers.
If you do download a nasty program onto your e-reader, computer experts say you could be in trouble.
Often, the only way to get rid of it is to do a factory reset on your machine. That could wipe out everything you've got saved. - http://www.ksdk.com/news/article/299003/71/New-scams-target-e-readers
I Spy Your Company’s Boardroom - (January 23, 2012 - by Kim Zetter - Wired) - [The following URL is in regards to apparently widespread, insecure video-conferencing. --- Interestingly, on a related "Security Now!" (http://www.grc.com/securitynow.htm) podcast last year, computer security guru Steve Gibson talked about another similar issue: Insecure Bluetooth devices that literal drive-by ("war driving") hackers -- or, nearby parked "listening in" industrial espionage spies -- could easily access. This was especially true for those now seemingly ubiquitous phone headsets with talk-into microphones. -- Bike Bob]: - http://mcaf.ee/uqjh9
US Launched Cyber Attacks On Other Nations
Cautions ATM users
To be aware of
Lurking thermal cameras!
[Excerpt from the August 25, 2011, episode (#315) of
Computer-Security Guru, Steve Gibson’s
“Security Now!” podcast
STEVE [Gibson]: ...Bruce [Schneier] also blogged about
stealing ATM PINs with a thermal camera:
"Researchers from UCSD pointed thermal cameras towardsplastic ATM PIN pads and metal ATM PIN pads..."
"...to test how effective they were at stealing PIN numbers.
The thermal cams did not work at all against metal pads."
STEVE: "But on plastic pads
the success rate of detecting all the digits
was 80 percent after 10 seconds
and 60 percent after 45 seconds."
LEO [Laporte]: That's amazing because
you really don't touch, when you're using an ATM,you touch those keys very rapidly.
STEVE: .... He said, "If you think about your average ATM trip,
that's a pretty wide window and an embarrassingly
high success rate for thieves to take advantage."
So the idea being someone does their transaction.
If they're sufficiently quick, they walk away,
you run over and take a picture of it with a thermal camera
and see if there's still some heat signature left on the PIN pad.
LEO: So you should take your time at the ATM.
Or somebody's saying I never touch them anyway, I use a pen.[Free transcript: http://www.grc.com/sn/sn-315.txt]
[Free audio .mp3: http://media.GRC.com/sn/SN-315.mp3]
Anonymous Goes After World Governments in Wake of Anti-SOPA Protests - (January 25, 2012 - by Quinn Norton - Wired) - http://www.wired.com/threatlevel/2012/01/anonymous-internationalist/
Google announces privacy changes across products; users can’t opt out - (Jan. 25, 2012 - by Cecilia Kang - The Washington Post) - Google will soon know far more about who you are and what you do on the Web.
The Web giant announced Tuesday that it plans to follow the activities of users across nearly all of its ubiquitous sites, including YouTube, Gmail and its leading search engine.
Google has already been collecting some of this information. But for the first time, it is combining data across its Web sites to stitch together a fuller portrait of users.
Consumers who are logged into Google services won’t be able to opt out of the changes, which take effect March 1. And experts say the policy shift will invite greater scrutiny from federal regulators of the company’s privacy and competitive practices. - http://mcaf.ee/1vea6
Symantec: We Didn’t Know in 2006 Source Code Was Stolen - (January 26, 2012 - by Kim Zetter - Wired) - Anti-virus giant Symantec says it did not know back in 2006 that source code for its software was stolen when it experienced a breach at that time.
The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.
Symantec said in its announcement that users should disable pcAnywhere until the company had time to update the software to ensure that hackers are unable to exploit holes they might find in the code.
The pcAnywhere software is a popular remote access program that lets administrators get into computers to troubleshoot and also allows mobile users on the road to access content on their office desktop. It’s also installed on point-of-sale terminals in stores and restaurants to allow administrators to update software that’s used to process the information on credit and debit cards as they’re scanned at a register check-out.
What was unclear from Symantec’s disclosure, however, was just how long Symantec had known its source code had been breached. The statement left open the question of whether Symantec knew in 2006 that its source code was taken and only disclosed it this month after hackers claimed to have it.But Symantec spokesman Cris Paden told Threat Level that the company did not know before this month that the pcAnywhere source code had been stolen. - http://www.wired.com/threatlevel/2012/01/symantec-source-code-hack/
Threat from new virus-infected emails which take over your PC even if you DON'T open their attachments - (February 2, 2012 - by Rob Cole - Daily Mail/UK) - A new class of cyber attack is threatening PCs - emails which infect PCs without the user having to open an attachment.
The user will not even be warned this is happening - the only message that appears is 'loading'.
The email automatically downloads malicious software into your computer from elsewhere the moment a user clicks to open it.
The mails themselves are not infected - and thus will not 'set off' many web-security defence packages.
Security experts say that the development is 'particularly dangerous'.
'This sort of spam also affects cautious users which would never open an unknown attachment or link,' say security experts Eleven Research Team.
Previous generations of email-borne viruses and trojans required users to click on an attachment - often an office document such as a PDF.
The new emails - dubbed 'drive-by emails' - have been detected 'in the wild' by computer researchers Eleven Research Team.
'This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client,' says Eleven Research Team.
'Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected.'
The current wave of emails arrive with the title 'Banking Security Update.'
To stay safe, the security company advises switching all security settings in email software to maximum, and updating your browser to the latest version so it's protected against malicious software. - http://mcaf.ee/0jzhe
VeriSign Hacked: What We Don't Know Might Hurt Us - (Feb. 3, 2012 - by Tony Bradley, PCWorld) - VeriSign – the company behind the root DNS servers that provide the foundation for the Web, and formerly the largest encryption certificate authority – has revealed that it was repeatedly hacked in 2010. Details are sparse thus far, but the revelation calls into question the security of the Internet itself. - http://mcaf.ee/bfq3k
How Latest Malware
To Avoid Detection
(2 min. - video)
Symantec code theft: Hackers 'attempted extortion' - (February 7, 2012 - BBC News/UK) - It comes as hackers made public emails from law enforcement agents posing as a Symantec employee.
Officials pretended to be the security firm in order to "offer" the hackers $50,000 (£32,000).
However, more source code has allegedly been released after negotiations apparently broke down.
Last month, users of PC Anywhere software were told by the company to disable its use where possible.
The company confirmed that "old" source code stolen by the hackers had exposed vulnerabilities in the program which allows remote access to computers.
Other programs affected include Norton Antivirus Corporate Edition, Norton Internet Security and Norton Systemworks (Norton Utilities and Norton Go Back).
However, only PC Anywhere is said to be at risk. Symantec has been releasing patches and further information via its website. - http://www.bbc.co.uk/news/technology-16927660
Hackers Release Symantec Source Code After Failed $50K Extortion Attempt - (February 7, 2012 - by Kim Zetter - Wired) - The release of source code would allow hackers to study the program to find security vulnerabilities that would allow them to potentially breach companies using the programs. But Symantec told customers in January to disable their pcAnywhere programs until the company could patch the systems, which it has subsequently done. - http://mcaf.ee/7ovik
The Perpetual, Invisible Window Into Your Gmail Inbox
The Onion Router (TOR) Is Neither “Anonymous” Nor Secure!
[The following excerpt was taken from the transcript of the Episode #138 podcast (April 3, 2008) of “Security Now!” with Steve Gibson…which can be found at http://www.grc.com/sn/sn-138.htm ]:
Steve: …. Now, subsequent to our talking about The Onion Router network, there was some news about malicious TOR nodes, meaning that bad people were - or people of varying badness, maybe even state-run agencies, were creating TOR nodes and monitoring the traffic. Which is really not what you expect or want from a TOR node. You would like it to be run by a white hat, by somebody who is pro-anonymity who's offering a TOR node because they believe in the concept of supporting the anonymous use of the Internet.
[Now what that means is that anyone can set themselves up as a “voluntary” TOR node, and then have direct access to the incoming and outgoing addresses of everyone who (by chance) is using that random TOR node! -- Bike Bob]
New Concerns Over Online Privacy - (51-1/2 min. - audio) - (February 20, 2012 - Diane Rehm Show/NPR) - Technology companies collect vast amounts of information about you and your habits. In return, you get free content, play games and connect with friends. But recent findings are raising concerns over security and privacy. A Stanford researcher discovered Google and other companies bypassing the privacy settings on Apple's Safari web browser. An app company called Path was collecting and storing personal address book information without permission. And an FTC report on children’s app privacy showed parents are not getting information on what data is being collected, how it is being shared, or who will have access. Diane and her guests discuss privacy and transparency in our rapidly changing computer world.Guests interviewed include: Marc Rotenberg, Exec. Dir. of the Electronic Privacy Information Center and teaches Information Privacy Law at Georgetown University Law Center; Edward Markey