NSA Spying on Europe-Asia Undersea Telecom Cables: Report
Posted on December 29, 2013 by Kara Dunlap in Security
BERLIN – The US National Security Agency has collected sensitive data on key telecommunications cables between Europe, north Africa and Asia, German news magazine Der Spiegel reported Sunday citing classified documents.
Spiegel quoted NSA papers dating from February and labelled “top secret” and “not for foreigners” describing the agency’s success in spying on the so-called Sea-Me-We 4 undersea cable system.
The massive bundle of fibre optic cables originates near the southern French city of Marseille and links Europe with north Africa and the Gulf states, continuing through Pakistan and India to Malaysia and Thailand.
“Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle,” Spiegel said.
It said NSA specialists had hacked an internal website belonging to the operator consortium to mine documents about technical infrastructure including circuit mapping and network management information.
“More operations are planned in the future to collect more information about this and other cable systems,” Spiegel quoted the NSA documents as saying.
Der Spiegel has over the last several months reported on mass NSA spying on targets in the United States and abroad using documents provided by fugitive intelligence contractor Edward Snowden.
A White House-picked panel this month recommended curbing the secretive powers of the NSA, warning that its spying sweeps in the “war on terror” had gone too far.
US President Barack Obama plans to address the report in January.
Samsung KNOX Security Software Embedded in Galaxy S4 Vulnerable, Researchers Say
Posted on December 26, 2013 by Kara Dunlap in Security
Researchers have reportedly found a vulnerability in a security system embedded in Samsung’s Galaxy S4 smartphone that could allow an attacker to steal data.
Security researchers at Ben-Gurion University of the Negev in Israel uncovered vulnerabilities in Samsung’s KNOX security solution. The findings were first reported by the Wall Street Journal, which noted that KNOX is currently being reviewed by the U.S. Department of Defense and other government agencies for potential use. Aimed at Google Android devices, KNOX includes the ability to enforce the separation of information through containerization as well as a secure boot and kernel monitoring capabilities.
According to researchers at BGU’s Cyber Security Labs, the issue makes interception of data communications between the secure container and the external world – including file transfers and emails – relatively easy.
“To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big ‘hole’ exists and was left untouched,” Ph.D. student Mordechai Guri said in a statement. “The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands. We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately.”
Guri, who is part of a team of BGU researchers that focus on mobile security and other cyber-issues, uncovered the vulnerability while performing an unrelated research task. According to BGU, KNOX’s secure container is supposed to ensure that all data and communications that take place within the secure container are protected. Even if a malicious application should attack an area outside the secure container, all the protected data should be inaccessible under all circumstances.
However, researchers found that that is not the case.
“To solve this weakness, Samsung may need to recall their devices or at least publish an over the air software fix immediately,” said Dudu Mimran, chief technology officer of the BGU labs, in the statement. “The weakness found may require Samsung to re-think a few aspects of their secure architecture in future models.”
Samsung did not respond to a request for comment from SecurityWeek. However, the company told the Wall Street Journal that it was investigating the matter, and that preliminary investigation has found that the researchers’ work seems to be based on a device that was not equipped with features that a corporate client would use alongside Knox.
“Rest assured, the core Knox architecture cannot be compromised or infiltrated by such malware,” the Samsung spokesperson told the Wall Street Journal.
Alleged NSA Payment to RSA Raises New Fears of Gov’t Undermining Crypto Security
Posted on December 23, 2013 by Kara Dunlap in Security
During the past several months, leaks about the NSA’s electronic surveillance operations have pooled into a river that has spilled into calls for reform.
The most recent drop in that river is a report from Reuters that the NSA paid RSA $10 million to ensure a vulnerable encryption algorithm was used by default in RSA’s BSAFE toolkit. RSA, now a division of EMC, denied ever entering into a contract or being involved in any project with the intention of weakening its products. Still, the report, which was based on sources familiar with the contract, has sparked additional questions about collusion between the tech industry and intelligence agencies.
“The bad part is – if the story is true – the very, very large downside is that it’s compromising a security product,” said John Pescatore, director of emerging security trends at SANS Institute. “It’s one thing if somebody buys a switch or a typewriter or whatever you are not expecting it to sort of protect you…crypto, you are. You’re buying security products with the assumption that the company selling them to you is selling the most secure products. So if NSA has been successful at getting companies like RSA or Microsoft or any of them to compromise the security of their products, that’s sort of taking it to a different level than we have seen in the past.”
In September, leaks by former NSA contractor Edward Snowden led to media reports that the NSA had engaged in an effort to insert vulnerabilities into commercial encryption systems so that it could more easily decrypt communications. Last week, Reuters reported the agency created a backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) that could be exploited and then pushed for RSA to adopt it. Problems with the algorithm have been known for several years, though RSA continued to use it in BSAFE until NIST [National Institute of Standards and Technology] withdrew its support for the standard in September in the wake of growing concerns.
Last week, the Obama administration’s Review Group on Intelligence and Communications Technologies released a report in which it recommended that the NSA abandon efforts to undermine cryptographic standards.
“The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage,” according to the report.
“Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries,” RSA said in a statement. “We categorically deny this allegation. We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”
RSA also said it made the decision to use Dual EC DRBG back in 2004, two years before the Reuters report alleged the NSA approached it with a deal.
“We no longer know whom to trust,” blogged noted cryptographer Bruce Schneier today. “This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix.”
Pescatore, who has worked for the NSA and U.S. Secret Service in the past, said it is a mistake for the NSA to be charged with both the offensive and defensive aspects of the cyber-war, and that the conflicting priorities of those roles can create a mindset where injecting security flaws into encryption standards makes sense. Currently, both the NSA and the US Cyber Command are under the direction of NSA Director Gen. Keith Alexander.
The idea of strong encryption getting into the wrong hands, however, should not be enough of a reason for the intelligence community to undermine encryption, Pescatore said. After all, if the NSA can find the backdoor, others can as well, he argued.
“I do not think that there needs to be sort of reduced strength [in] security products in case the bad guys get a hold of them any more than I think people’s houses should use easy to pick locks just in case the police need to get in,” he said.
AT&T to Join Rivals with ‘Transparency Report’
Posted on December 21, 2013 by Kara Dunlap in Security
WASHINGTON – AT&T said Friday it would join rivals in the tech and telecom sector in publishing a “transparency report” about demands for information from law enforcement agencies.
The announcement came a day after a similar announcement from sector rival Verizon, which follows releases from big technology firms including Google, Apple and Microsoft, and intense scrutiny of these firms in light of revelations of wide-ranging US government surveillance programs.
AT&T said in a statement it would release a semiannual report starting in early 2014 with information “to the extent permitted by laws and regulations.”
The report will include the total number of law enforcement agency requests in criminal cases, subpoenas, court orders and warrants.
AT&T said it believes that “any disclosures regarding classified information should come from the government, which is in the best position to determine what can be lawfully disclosed and would or would not harm national security.”
The telecom giant said that “protecting our customers’ information and privacy is paramount,” and that it complies with legal requests in the countries where it operates.
“We work hard to make sure that the requests or orders are valid and that our response to them is lawful,” the AT&T statement said.
“We’ve challenged court orders, subpoenas and other requests from local, state and federal governmental entities — and will continue to do so, if we believe they are unlawful. We do not allow any government agency to connect directly to our network to gather, review or retrieve our customers’ information.”
The announcements from AT&T and Verizon come after a period when the telecom firms were notably absent from a debate on disclosures about the scope of US surveillance programs from fugitive former intelligence contractor Edward Snowden.
But the telecom and tech firms are still barred from releasing data on national security requests from the FBI and US intelligence services.
A push by the tech sector to get authorization to release the sensitive data requests got a boost this week from an independent review board appointed by President Barack Obama, which recommended that this data be published.
Tech firms have said their sales overseas are being hurt by a perception that the US government can easily gain access to their networks.
Obama to Release Review Panel Report Into NSA Spy Sweeps
Posted on December 18, 2013 by Kara Dunlap in Security
WASHINGTON – The White House will release a review Wednesday calling for reforms in National Security Agency spying sweeps, exposed by Edward Snowden, which have angered US allies and raised legal and privacy concerns.
President Barack Obama’s spokesman Jay Carney said the report by a review panel was being released earlier than a planned date in January due to incomplete and inaccurate media reporting about its contents.
Obama met members of the review panel earlier on Wednesday to work through the 46 recommendations in the report.
“While we had intended to release the review group’s full report in January … given the inaccurate and incomplete reports in the press about the report’s content, we felt it was important to allow people to see the full report to draw their own conclusions,” Carney said.
“For that reason, we will be doing that this afternoon — releasing the full report.”
Obama commissioned the review panel report earlier this year in the wake of explosive revelations by fugitive intelligence contractor Snowden on the stunning scope of the NSA’s operations.
He has said he wants to strike a balance between keeping Americans safe from terrorist threats and safeguarding privacy rights guaranteed by the US Constitution.
The review board comprises former White House counter-terrorism advisor Richard Clarke; Michael Morell, the ex-deputy director of the CIA; Peter Swire, an official specializing in privacy and technology issues; constitutional law professor Geoffrey Stone; and Cass Sunstein, a former regulatory official in the Obama administration.
The president has said he would try to get the shady spy agency to restrain its Internet and phone data collection operations but is expected to allow them to continue in some form.
Obama is due to consider which of the recommendations he will accept and will then make a speech to the American people in January.
The release of the report comes with intense pressure building on the administration over the programs, from political opponents, the Internet industry and even the courts.
A federal judge in Washington this week ruled that NSA programs, which have scooped up millions of details on telephone calls and Internet traffic on Americans and foreigners, were probably unconstitutional.
The ruling opened a long legal battle which is likely to end up in the Supreme Court.
EU Bank Watchdog Warns Over Bitcoin
Posted on December 15, 2013 by Kara Dunlap in Security
LONDON – The European Union’s banking watchdog on Friday issued a warning over virtual currency trading amid huge swings in the value of Bitcoin, a lack of regulation and money laundering risks.
“The European Banking Authority (EBA) is issuing this warning to highlight the possible risks you may face when buying, holding or trading virtual currencies such as Bitcoin,” a statement said.
The EBA added: “We recommend that, if you buy virtual currencies, you should be fully aware and understand their specific characteristics.”
Bitcoin has become a global phenomenon, with the price rising so much that a Norwegian man was able to buy an apartment with some of the 5,000 Bitcoins he bought for just $24 in 2009.
The explosive growth has raised alarm bells, with analysts warning of a potential crash due to a lack of fundamental underpinning.
The EBA urged users to “exercise the same caution with your digital wallet as you would do with your conventional wallet or purse.”
The watchdog said people should not keep large amounts of money in their digital wallet for an extended period.
The warning comes as Chinese speculators have seen Bitcoin values plunge, soar and plunge again within days.
China is the world’s biggest market for trading Bitcoins, but around $5.0 billion was wiped off the value of the currency’s global stock within an hour of an announcement from Beijing’s central bank in early December, banning financial institutions from dealing in it.
Bitcoin was invented in the wake of the global financial crisis by a computer scientist using the pseudonym Satoshi Nakamoto.
It is based on cryptography and only 21 million units can ever be created, which can be stored either virtually or on a user’s hard drive.
It offers a largely anonymous payment system with no centralized structure and transactions are publicly logged in what is known as the “block chain”.
Malware Dons Disguise as Microsoft IIS Module
Posted on December 13, 2013 by Kara Dunlap in Security
Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.
According to Trustwave, the malware is manually installed by attackers after they have compromised a web server. Known as ISN, the malware is used by attackers to target sensitive information in POST requests, and has data exfiltration capabilities in its arsenal, blogged Trustwave’s Josh Grunzweig.
“Encryption is circumvented as the malware extracts this data from IIS itself,” he blogged. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”
The installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS 7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.
“Once the module is successfully installed, it will monitor the URIs specified in the configuration file and dump any POST requests encountered to the ‘[filename].log’ file,” according to Grunzweig. “The module will also monitor the QUERY_STRING parameter, and can accept a number of commands. I’ve set up a simple IIS instance to demonstrate how this process takes place.”
“Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances,” Grunzweig noted. “However, the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.”
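A defender's check for the technique described above, as an added example that is not from Trustwave's write-up or from this article: it lists the native modules registered in an IIS 7+ applicationHost.config and flags any whose DLL sits outside the default inetsrv directory or whose name is missing from a known-good baseline. The sample configuration, module names, DLL paths, baseline and the assumption that Windows lives in C:\Windows are all constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section (not taken from a real host).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="HypotheticalLogHelper" image="C:\Windows\Temp\isn_example.dll" />
      <add name="HypotheticalInetsrvDrop" image="%windir%\System32\inetsrv\newmod.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Directory where stock IIS native modules are installed (normalised form).
TRUSTED_DIR = r"%windir%\system32\inetsrv"

# Hypothetical baseline: module names recorded when the server was known good.
BASELINE = {"UriCacheModule", "StaticCompressionModule"}


def normalise(path):
    """Lower-case the path, unify the Windows root spelling, collapse '..'."""
    p = path.strip().lower().replace("/", "\\")
    # Assumption: the system root is C:\Windows.
    for var in ("%systemroot%", "c:\\windows"):
        if p == var or p.startswith(var + "\\"):
            p = "%windir%" + p[len(var):]
    return ntpath.normpath(p)


def audit_global_modules(config_xml, baseline):
    """Return (name, image, reasons) for every module that needs review."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if ntpath.dirname(normalise(image)) != TRUSTED_DIR:
                reasons.append("image outside inetsrv")
            if name not in baseline:
                reasons.append("name not in baseline")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(f"REVIEW {name}: {image} ({'; '.join(reasons)})")
```

A flagged entry is a candidate for review, not a verdict: legitimate add-on modules can install outside inetsrv, so the next step is checking the DLL's signature and install date against change records.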
FireEye Extends Threat Prevention Platform to SMBs
Posted on December 10, 2013 by Kara Dunlap in Security
FireEye, the recently-gone-public provider of threat protection solutions, has made its flagship threat prevention platform available for small and midsize businesses (SMBs).
The platform, dubbed “Oculus” by FireEye, is a real time, continuous threat protection platform that helps organizations protect intellectual property and data. Oculus for SMB combines technology, services, and threat expertise in a solution specially tailored to small and midsized businesses, the company said.
According to Verizon’s 2013 Data Breach Investigations Report, of the 621 confirmed data breaches examined, nearly half occurred at companies with fewer than 1,000 employees, including 193 incidents at organizations with fewer than 100 workers. These stats clearly show that attackers are targeting smaller businesses that often lack advanced IT security protections that larger enterprises tend to have in place.
According to the U.S. Small Business Administration, SMBs represent 99 percent of U.S. businesses, and according to research firm IDC, SMB spending on security technology is predicted to top $5.6 billion in 2015.
Oculus for SMB leverages FireEye’s advanced threat prevention platforms for Web, email, and mobile, and includes:
• Web threat protection: With the FireEye NX series platform, SMBs can stop Web-based attacks often missed by next-generation firewalls (NGFW), IPS, AV, and Web gateways. The NX series protects against zero-day Web exploits and multi-protocol callbacks to keep sensitive data and systems safe.
• Email threat protection: SMBs can leverage cloud-based or the on-premise EX series platform to protect against today’s advanced email attacks.
• Mobile threat protection: SMBs can leverage a cloud-based platform to address threats targeting mobile devices and help ensure that mobile apps are safe to use.
Oculus for SMB also provides Continuous Monitoring to help ensure that constrained security resources do not hinder an organization’s ability to counter targeted threats. Capabilities include:
• Continuous Monitoring: FireEye threat intelligence augments customer IT teams to proactively recognize advanced persistent threat (APT) attacks.
• Cybercon Reports: Vertical-specific threat information provides a view of the landscape so SMBs are better prepared to manage risk in their specific threat environment.
• Health Check: Alerts notify customers when their deployments fail remote health checks to ensure uninterrupted protection against advanced threats.
“FireEye is putting virtual machine technology into the hands of SMBs,” said Manish Gupta, FireEye senior vice president of products. “With the FireEye solution, SMBs obtain a simple and scalable security solution for advanced threats to safeguard corporate assets and drive down business risks. SMBs will enjoy unmatched advanced threat protection solution with continuous monitoring to augment their limited resources.”
Earlier this year, the security firm claimed that in over 95% of its prospective customer evaluations, it found incidents of advanced threats that were conducting malicious activities and that successfully evaded the prospective customers’ existing security infrastructure.
The company was founded in 2005 by Ashar Aziz who served as Chief Executive Officer until November 2012, and was followed by David DeWalt who previously served as president and CEO at McAfee from April 2007 until February 2011, after Intel’s surprise $7.68 billion acquisition of McAfee.
Even Disconnected Computers May Face Cyberthreats
Posted on December 9, 2013 by Kara Dunlap in Blog
“The proof-of-concept software — or malicious trojans that adopt the same high-frequency communication methods — could prove especially adept in penetrating highly sensitive environments that routinely place an ‘air gap’ between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.”
US, Britain Spying on Global Online Gaming World: Report
Posted on December 9, 2013 by Kara Dunlap in Security
US, Britain ‘Spying on Virtual World’: Report
WASHINGTON – US and British intelligence have been spying on the global online gaming world because they fear terrorists could use the hugely popular platform to plot attacks, a report said Monday.
Spies have created characters in the fantasy worlds of Second Life and World of Warcraft to carry out surveillance, recruit informers and collect data, The New York Times said, citing newly disclosed classified documents from fugitive US intelligence leaker Edward Snowden.
The report came as eight leading US-based technology companies called on Washington to overhaul its surveillance laws following months of revelations of online eavesdropping from the former National Security Agency (NSA) contractor.
“Fearing that terrorist or criminal networks could use the games to communicate secretly, move money or plot attacks, the documents show, intelligence operatives have entered terrain populated by digital avatars that include elves, gnomes and supermodels,” the Times said.
“The spies have created make-believe characters to snoop and to try to recruit informers, while also collecting data and contents of communications between players,” the report said.
It added: “Because militants often rely on features common to video games — fake identities, voice and text chats, a way to conduct financial transactions — American and British intelligence agencies worried that they might be operating there, according to the papers.”
The report cited a 2008 NSA paper that warned that the virtual games — played by millions of people the world over — allowed intelligence suspects “a way to hide in plain sight.”
The documents do not give any examples of success from the initiative, the report said, adding that experts and former intelligence officials said “that they knew of little evidence that terrorist groups viewed the games as havens to communicate and plot operations.”
The surveillance, which also included Microsoft’s Xbox Live, could raise privacy concerns, noted the newspaper.
Apple, Facebook, Google, Microsoft, Twitter, Yahoo, AOL and LinkedIn meanwhile wrote an open letter to President Barack Obama and the US Congress calling on Washington to lead the way in a worldwide reform of state-sponsored spying.
“We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide,” the letter said.