
It should come as no surprise to see yet another web site with terrible security get hacked and a massive amount of user account data leaked online:

Adult dating service company Friend Finder Network has reportedly been hacked, with over 412 million accounts, e-mail addresses and passwords from their websites made available on criminal marketplaces. Notably, the database does not include more detailed personal information, but could still be used to confirm whether a person was a user of the service.

Breach notification site LeakedSource first reported the attack, indicating that over 300 million AdultFriendFinder accounts were affected, as well as over 60 million accounts from Cams.com. Other company holdings, such as Penthouse, Stripshow, and iCams were also breached, for a total of 412,214,295 affected users.

The hack also revealed that the company had kept information on 15 million accounts that users had deleted, as well as information on users for assets it no longer owned, such as Penthouse. By comparison, the Ashley Madison hack that took place in July 2015 revealed 32 million accounts, although that attack was also accompanied by a more aggressive extortion campaign.

Staggering number of exposed accounts. Web properties like Adult Friend Finder need to take security seriously before these embarrassing breaches.

How will a Trump administration tackle the encryption and surveillance policy issues started by Bush and continued with Obama?

“I imagine (Trump) is going to be a guy who is probably going to mandate back doors,” said Hank Thomas, chief operating officer at Strategic Cyber Ventures and a veteran of the National Security Agency. “I don’t think he’s ultimately going to be a friend to privacy, and the fearful side of me says he will get intelligence agencies more involved in domestic law enforcement.”

How Trump acts, and the bombastic remarks he makes with nary a pause, lead me to the same conclusion as Thomas. I sense a reckoning is coming, and there will be a tough battle between the Trump administration and Silicon Valley.

If you, like many American citizens, are worried that a Donald Trump presidency is going to lead towards increased domestic surveillance, you really need to consider how to encrypt your internet communications to evade eavesdropping:

The result of this election is starting to feel like a hodgepodge of science-fiction films and dystopian young-adult novels. You have the prospect of a walled country dominated by the wealthy—as in Elysium or the Divergent trilogy—and you have groups of political supporters threatening to attack others for their beliefs. Perhaps everyone could just be pitted against each other, Hunger Games-style. As BoingBoing’s Cory Doctorow put it today: “A madman has been given the keys to the surveillance state.”

If you’re worried about living in a country where surveillance and governance are overseen by a man who can barely control his anger when people say his hands are small, then you might want to know how to encrypt and protect your digital communication over the next four, eight, or infinite years. Here are some simple steps to follow if you’re looking to launch the resistance—like The Brotherhood, the Rebel Alliance, or whatever Katniss Everdeen’s group was called—or just want a safe space to talk to friends and family

Most of these recommendations are common sense. However, if you are unfamiliar with the idea of encrypting your communications, and using security best practices, this is a good primer.

Regardless of whoever is in office – Trump, Clinton, Sanders, Cruz – American citizens should take their privacy much more seriously. The more apathetic the country becomes, the more those constitutional protections will be eroded away by a government far too willing to acquiesce to the fantastical threats the intelligence community dreams up to keep their self-licking ice cream cone frozen.

All fifty US states are concerned hackers will disrupt tomorrow’s election day:

Since Russian hackers breached the computers of the Democratic National Committee last summer, federal officials have been practically pleading with states and localities to take the free help the U.S. government offers, including scans of state and local computer networks to check for security weaknesses or signs that hackers may have already gotten in.

This election cycle has drawn more attention than any other to the threat of hackers changing votes and sowing chaos and confusion, and claims of rigged elections—by computerized or other means. Nearly two dozen states have seen their voter registration files probed. And following a major cyber attack last month that disrupted core components of the internet, experts are concerned that such denial of service attacks on Election Day could make it difficult for people to find their polling location or for precincts to transmit voting results.

This year has seen more cyber activity than any Presidential election cycle in the past. Expect to see this increase in the future, especially as we come to rely more on the internet to help us locate polling stations, find out how to vote, and even submit actual votes themselves. If you think things are scary today, just wait until the 2020 election.

DARPA believes it can protect critical infrastructure from cyber attacks using a brand new tool it has developed:

Hackers have been breaking through a lot of government agencies’ defenses these past years, and DARPA thinks it’s high time to do something about it. Pentagon’s mad science division has launched a new program called Rapid Attack Detection, Isolation and Characterization (RADICS), which aims to develop innovative technologies that can quickly detect and respond to cyber attacks. Not just any cyber attacks, though: RADICS was specifically created to deflect security threats on critical infrastructures in the US, especially those that are vital to the Department of Defense’s missions. The agency likely wants to make sure the government can quickly detect and fight off terrorists and/or hackers trying to switch off the country’s electricity or transportation systems.

Terrorism is not a problem that technology alone can solve, but one requiring strong police work:

The account emerging from French officials, witnesses and those who interacted with the suspected terrorists shows how the operation hinged on Mr. Abaaoud’s ability to use the tools of everyday modern life to lay the groundwork for the massacre. The ease with which he and his teams moved—all while avoiding detection by France’s security apparatus—suggests the challenges in identifying would-be terrorists and preventing further attacks in the fluid, digital and transnational world of today, especially when they are European citizens.

The array of car rentals, cellphones and online lodging reservations allowed Mr. Abaaoud to organize his militants as separate cells to ensure the plot wouldn’t unravel if one of the teams was compromised. Likewise, Mr. Abaaoud exploited Europe’s porous border system, sneaking stadium bombers into the continent amid the crush of Syrian refugees washing over Greece and tapping European nationals who could wield their own passports to move freely about the region.

This is my hometown and I am stunned Los Angeles leadership believes this to be a viable option for preventing human trafficking (emphasis added):

Councilwoman Martinez feels that prostitution is not a “victimless” crime, and that by discouraging johns, the incidence of the crime can be reduced. Martinez told CBS Los Angeles, “If you aren’t soliciting, you have no reason to worry about finding one of these letters in your mailbox. But if you are, these letters will discourage you from returning. Soliciting for sex in our neighborhoods is not OK.”

The Los Angeles City Council voted Wednesday to ask the office of the City Attorney for their help implementing the plan.

Have Ms. Martinez and the Los Angeles City Council taken leave of their senses? This scheme makes, literally, a state issue out of legal travel to arbitrary places deemed by some — but not by a court, and without due process — to be “related” to crime in general, not to any specific crime.

There isn’t “potential” for abuse here, this is a legislated abuse of technology that is already controversial when it’s used by police for the purpose of seeking stolen vehicles, tracking down fugitives and solving specific crimes.

Potent essay in favor of strong encryption even though the US intelligence apparatus would like Americans to believe terrorists use it to hide their communications from law enforcement (demonstrably false in certain circumstances, such as Paris):

People who protect liberty have to take care not to imply, much less acknowledge, that the draconian anti-liberty measures advocated by the surveillance state crowd are justified, tactically or morally, no matter what the circumstances. Someday a terrorist will be known to have used strong encryption, and the right response will be: “Yes, they did, and we still have to protect strong encryption, because weakening it will make things worse.”

Why? Because encryption is actually a straightforward matter, no matter how much fear-mongering law enforcement officials and craven, willfully ignorant politicians spout about the need for a backdoor into protected communications. The choice is genuinely binary, according to an assortment of experts in the field. You can’t tamper this way with strong encryption without making us all less secure, because the bad guys will exploit the vulnerabilities you introduce in the process. This isn’t about security versus privacy; as experts have explained again and again, it’s about security versus security.

Moreover, as current and former law enforcement officials lead a PR parade for the surveillance-industrial complex, pushing again for pervasive surveillance, they ignore not just the practical problems with a “collect it all” regime — it drowns the spies in too much information to vet properly — but also the fundamental violation of liberty that it represents. These powers are always abused, and a society under surveillance all the time is a deadened one, as history amply shows.

Of course we need some surveillance, but in targeted ways. We want government to spy on enemies and criminal suspects, but with the checks and balances of specific judicial approval, not rubber stamps for collect-it-all by courts and Congress. The government already has lots of intrusive tools at its disposal when it wants to know what specific people are doing. But our Constitution has never given the government carte blanche to know everything or force people to testify against themselves, among other limits it establishes on power.

GCAT is a fully-functional malware backdoor leveraging Gmail as its command-and-control server:

There are many tools that allow one to generate backdoors, and they are used during a penetration testing program or security awareness where the presenter demonstrates how easy it is to have full control of a remote vulnerable system.

The main purpose of backdoors is to create a connection to the victim machine and run some commands remotely, send files to the victim computer, reboot the system or even modify the system passwords. If you are looking for a similar tool you can check GCAT.

GCAT is a fully featured backdoor that uses Gmail as a C&C server. All you have to do is to create a Gmail account that will be used to send instructions to the remote system. This helps to cover tracks. Also, it will make your server up and reachable anytime without non-standard ports that can be blocked by the firewall.

This is quite humorous:

Isis[sic] sites have been moving onto the dark web in an attempt not to be discovered. But a hacking group called Ghost Sec, which is related to Anonymous, took the site down and replaced it with a message telling readers that there was “Too Much ISIS”.

“Enhance your calm,” the full message read. “Too many people are into this ISIS-stuff. Please gaze upon this lovely ad so we can upgrade our infrastructure to give you ISIS content you all so desperately crave.”

The ad — which linked to an online pharmacy where payments can be made in bitcoin, and which appears to be hosted by the hacking group — would allow people to click through to buy online prescription drugs, including Prozac and Viagra.

Not that I condone this type of behavior, nor that I believe this will have any lasting effects on ISIS, but it is funny nonetheless.

In the aftermath of the Paris terror attacks it is important to recognize a few important points as the media bombards the world with comments from scared politicians, especially in the United States more than anywhere. Like with any form of security, the primary operating foundation is risk management. This is in stark contrast to what the average citizen believes – the ability to prevent every terrorist attack.

Like in the ephemeral world of cyber security, it is impossible to stop every single attack, every day, from now through eternity. In cyber, attacks happen constantly – not a minute passes without some cyber weaponry being fired. Malicious actors continuously launch operations designed to disrupt or compromise their targets.

The differentiators in cyber are the low threshold to arm oneself, and the ability to attack without causing any form of physical harm. This makes it easy to constantly pull a so-called cyber trigger without ever needing to stop. People almost never face actual bodily harm.

The type of terrorism experienced in Paris causes actual physical harm, as we can all witness on the 24-hour news cycle. However, although one form of terrorism is kinetic and the other is not, they both are identical in one aspect: the ability to prevent every form of both malicious acts is unattainable. While the goal is lofty, it is impractical to believe security professionals are capable of thwarting every act of terrorism, no matter the form it takes.

We need to recognize the goal of terrorism is to scare people. However, by giving in to the terror by enacting laws and policies designed to drastically modify the American way of life, we allow the terrorists to win. This is what they want to happen – they want us to change. If we become more personally vigilant through education, rather than expecting our government to save us from future cowardly acts of murder, we win.

Do not let the media sway us from the truth: terrorism will continue no matter how loose or strict the laws we pass. Whether America – or other countries throughout the world – takes additional steps towards the inevitable police state or not, there will be future acts of terrorism. They will happen in the United States or somewhere else in the world. It is inevitable. Why?

We cannot stop every act of terrorism. Nobody can. It is an impossible task, and something we should not expect of law enforcement and our intelligence agencies. Hindsight is absolutely 20/20, so it is easy to look back on an incident and theorize how it could have been prevented. In some cases that may be true, but mostly it is a false assumption.

The best thing we can do now is to continue living our lives as we always have – be the consummate American, but grow and learn from these terrorists. As in cyber security, our goal in fighting terrorism is to assume compromise but minimize the damage the malicious actors can inflict. There is a delicate balance between security and liberty; we should err on the side of liberty, otherwise we lose and allow the terrorists to dictate the message.

That can never happen. We can, and will, overcome these trying times thanks to our resilience, so long as we keep our eye on what is important.

Raytheon wins $1 billion cyber security contract to battle attacks on US agencies:

The contract, one of the largest civilian cybersecurity orders in years, would help more than 100 federal civilian agencies protect their networks against malicious hackers, and it comes after the Office of Personnel Management suffered one of the most damaging breaches in history.

The OPM recently said that hackers stole the fingerprints of 5.6 million people, far more than previously thought. The attacks are believed to have affected more than 21 million former and current government employees, whose personal information, including Social Security numbers and information used in security clearances, may have been compromised.

The Obama administration has said it has made cybersecurity a top priority, and Congress has pushed to expand the nation’s defenses and make them more robust. The Pentagon is also taking steps to develop ways to fend off hackers, who often only have to find one crack in a network, while defenders have to guard the entire wall.

At a hearing on cybersecurity Tuesday, Sen. John McCain (R-Ariz.) said that in the past year, Iran, North Korea, China and Russia have all launched cyberattacks on the United States. And he said the rate of the attacks has increased, “crippling or severely disrupting networks across the government and private sector and compromising sensitive national security information.”

He added: “Far more needs to be done to develop the necessary capabilities to deter attacks, fight and win in cyberspace.”

A second Russian has pleaded guilty to the largest ever US cyber crime:

Prosecutors said that as far back as 2003, the men worked to install “sniffers” designed to comb through and steal data from computer networks of financial companies, payment processors and retailers.

Prosecutors said the defendants then used an array of computers to store and ultimately sell data they collected.

They said Smilianets was in charge of sales, selling data to trusted identity theft wholesalers, selling credit card numbers for $10 to $50 a piece depending on country of origin.

The scheme ultimately caused banks and credit card companies to suffer hundreds of millions in losses, including more than $300 million reported by three companies alone, prosecutors said.

Sixteen companies’ networks were infiltrated, including those of Nasdaq OMX Group Inc, 7-Eleven, France’s Carrefour SA, JC Penney Co, JetBlue Airways Corp, a Visa Inc licensee, and Heartland Payment Systems Inc, prosecutors said.

Smilianets faces up to 30 years in prison when he is sentenced by U.S. District Judge Jerome Simandle on Jan. 13. His lawyer did not immediately respond to a request for comment.

The US government seemingly has a penchant for being unable to keep its own data safe, so why should the American people trust it with a backdoor into yours? (emphasis added)

The U.S. intelligence apparatus still wants a key to your private data. Specifically, it wants “backdoor,” or “exceptional,” access to encrypted data when a court order is obtained for it. Last week, the nation’s intelligence heads—FBI Director James Comey, CIA Director John Brennan, Director of National Intelligence James Clapper, National Security Agency Director Michael Rogers, and Defense Intelligence Agency Director Vincent Stewart—went before the House Intelligence Committee to lay out the threats and make their asks. After raising the specter of crippling large-scale cyberattacks, Clapper said the more pressing concern was persistent, ongoing small attacks, or as Foreign Policy put it, “Get Ready for Everything to Be Hacked All the Time.” To fight these attacks, Clapper wants streamlined access to the private accounts of Americans—an idea that is unnecessary at best and counterproductive at worst. And the intelligence leaders’ bad ideas didn’t end there

While the increasing regularity of both computing and security breaches makes Clapper’s concerns very real, the approach the intelligence agencies want to take is sorely inadequate. While they spent a long time discussing deterrence and surveillance, Clapper et al. practically ignored the most crucial and central aspect of fighting cyberattacks: security. In light of the recent, catastrophic Office of Personnel Management data breach, which compromised the sensitive personal data of more than 20 million people, Clapper’s sense of priorities, as evidenced by his refusal to call the OPM breach an “attack,” is clearly warped. (“There was no destruction of data or manipulation of data,” he said. “It was simply stolen.”) If sensitive information is a house, then the government wants surveillance cameras everywhere and stiff sentences for thieves, yet can’t be bothered to lock the door.

Instead, Clapper and Comey stressed the need for greater deterrence of cyberattacks: not securing systems, but creating incentives against hacking. Regarding the OPM breach, Clapper said, “Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue.” There are two things wrong with this statement. First, it’s not easy to attribute these attacks to their perpetrators. Even if the U.S. government is convinced that the OPM attacks originated from China, it likely hasn’t figured out whether they were state-sponsored. The government’s attribution of last year’s Sony Pictures hack to North Korea remains dubious and inconclusive, as I pointed out shortly before everyone forgot about it. In the absence of reliable attribution, deterrence is impossible, because the actor will always have plausible deniability.

According to John McAfee, cyberwar[sic] is here, and China is the enemy:

We have to get a clue. We are in the early stages of a cyberwar. As a candidate for President of the very nation under attack, I would be remiss in my duties if I did not shed light on our reality.

I am going to make the following prediction:

On September 25, when Xi Jinping meets President Obama, we will not have a single concrete response to the war that has been declared on us by the Chinese. By “concrete” I mean economic sanctions that take place on the 25th, or other immediate, visible actions. Our president is smart enough to know that the Chinese will merely laugh at any threat of “future” actions, such as “next week we are going to…”

The Chinese have been involved in diplomatic relations for 5,000 years. The U.S. has only existed for less than 250 years. Guess which nation has the advantage here. Any announcement that does not include “starting today, no Chinese cargo ship will be allowed in any U.S. port,” or something of similar magnitude, will be seen by the Chinese as confirmation of our idiocy.

If this sounds extreme, then wake up. We are at war.

Well, there you have it. Since Mr. John McAfee, Presidential candidate, thinks so, I guess the US government needs to get right on it!