Tag: Security

I am Surprised and Impressed

It appears that Wikileaks is exercising a bit more due diligence in its releases, as it is making the CIA hacks leaked to it available to the tech firms that were targeted before making them available to the general public:

Technology firms will get “exclusive access” to details of the CIA’s cyber-warfare programme, Wikileaks has said.

The anti-secrecy website has published thousands of the US spy agency’s secret documents, including what it says are the CIA’s hacking tools.

Founder Julian Assange said that, after some thought, he had decided to give the tech community further leaks first.

“Once the material is effectively disarmed, we will publish additional details,” Mr Assange said.

………

Mr Assange said that his organisation had “a lot more information on the cyber-weapons programme”.

He added that while Wikileaks maintained a neutral position on most of its leaks, in this case it did take a strong stance.

“We want to secure communications technology because, without it, journalists aren’t able to hold the state to account,” he said.

Mr Assange also claimed that the intelligence service had known for weeks that Wikileaks had access to the material and done nothing about it.

He also spoke more about the Umbrage programme, revealed in the first leaked documents.

He said that a whole section of the CIA is working on Umbrage, a system that attempts to trick people into thinking that they had been hacked by other groups or countries by collecting malware from other nation states, such as Russia.

“The technology is designed to be unaccountable,” he said.

He claimed that an anti-virus expert, who was not named, had come forward to say that he believed sophisticated malware that he had previously attributed to Iran, Russia and China, now looked like something that the CIA had developed.

This is why cyber security needs to be completely separate from any intelligence agency.

Otherwise, there is too much pressure to cover up the bugs so that the folks on the other side of the office can spy on the rest of us.

Any hole which the CIA, NSA, DIA, or other TLA* can exploit can also be exploited by criminals, the Chinese, the Russians, terrorists, or the New England Patriots.

*Three letter acronym.

Scary Tweet of the Day

DJI did a firmware update on a drone… while mid-flight 😬 pic.twitter.com/YDexjEViFc

— Internet of 💩 (@internetofshit) February 8, 2017

Of course, who cares about a lightweight relatively cheap drone.

Then again, what if this was a self driving car, or even the car that you are driving now? While you are driving it?

Tesla has already done over the air (OTA) updates on their cars, and while you may trust them (I don’t), would you trust the creators of the Chevy Vega?

H/t Naked Capitalism

I Didn’t Think That It Was Possible, but Donald Trump Just Disappointed Me


Maddow has some more on this sorry excuse for a human being

OK, not just disappointed. I am also horrified, but I kind of expect to be horrified by him.

I did not expect to be disappointed, because my expectations are so f%$#ing low, but the inverted traffic cone has outdone himself.

Specifically, Trump’s appointee as deputy national security adviser, Kathleen Troia “KT” McFarland, who is infamous for outing her brother as gay to her family while he was dying of AIDS:

In between Twitter claims that he lost the popular vote due to voter fraud instead of due to alienating over half the nation by being the dictionary definition of “The Worst,” President-elect Donald Trump somehow finds time to fill out his staff with people you wouldn’t trust to pick up dog sh%$.

As the Washington Blade reports, Trump’s pick for deputy national security adviser is basically a monster. Kathleen Troia “KT” McFarland, FOX News contributor and former Pentagon official during the Reagan administration, outed her gay brother, who was dying of AIDS, to their family.

The Blade is referring to a 2006 New York Magazine article, when McFarland was gearing up to challenge Hillary Clinton for her Senate seat, which unearthed a 1992 letter to her then-estranged parents:

“Have you ever wondered why I have never had anything to do with Mike and have never let my daughters see him although we live only fifteen minutes away from each other?” she wrote. “He has been a lifelong homosexual, most of his relationships brief, fleeting one-night stands.”

McFarland tried to downplay the letter at the time, claiming it was a form of therapy to deal with abuse she and her siblings had suffered at the hands of their parents—abuse both her parents and at least one of her siblings denied.

“It’s a complete fabrication,” Tom Troia told the New York Post back in 2006 regarding his sister’s allegations. “If I had one word to describe my sister, it would be ‘evil.’”

………

Former George W. Bush National Security Council member Peter D. Feaver told The Times McFarland’s job is supposed to be “the place where bad ideas die,” but as Donald Trump’s other appointees make glaringly clear, there is no longer such a place.

(%$ mine)

There is also the long history of resume padding, as Maddow discusses above, but that doesn’t disappoint me: I expect sh%$ like that from a Trump administration.

We Are Doomed

It now appears that the recent hack against Dyn was the work of script kiddies.

Heaven help us if the pros decide to do something like this:

Business risk intelligence firm FlashPoint has put out a preliminary analysis of last week’s massive denial of service attack against Dyn DNS, and its conclusion is it was likely the work of amateur hackers — rather than, as some had posited, state-sponsored actors perhaps funded by the Russian government.

The DDoS attack against Dyn’s domain name system impacted access to a range of sites in parts of the U.S. last Friday, including PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and RuneScape.

Aside from suspicion falling on Russia, various entities have also claimed or implied responsibility for the attack, including a hacking group called the New World Hackers and — bizarrely — WikiLeaks, which put out a (perhaps joke) tweet suggesting some of its supporters might be involved.

FlashPoint dubs these claims “dubious” and “likely to be false”, and instead comes down on the side of the script kiddies theory.

Its reasoning is based on a few factors, including a detail it unearthed during its investigation of the attack: namely that the infrastructure used in the attack also targeted a well-known video game company.

“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” writes FlashPoint’s Allison Nixon, John Costello and Zach Wikholm in their analysis.

This is going to get very ugly very fast.

I might suggest making sure that equipment manufacturers can be held liable for these sorts of bone-headed vulnerabilities.

Yes, Ask the Worst Administration on Privacy Ever to Help Us

The Mozilla Foundation is asking for the White House to coordinate efforts to prevent cyber attacks.

The Obama administration has been at the forefront of efforts to make computers less secure by requiring back doors in the software.

You don’t want Barack Obama’s Evil Minions anywhere near commercial cyber security policy.

Hen house, meet fox.

Krebs on Security is Back Online

The security blogger’s highly regarded site was taken down by a massive DDoS attack, which forced Akamai to drop him from their protection system:

………

However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach.

More than 20 years after Gilmore first coined that turn of phrase, his most notable quotable has effectively been inverted — “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development “The Democratization of Censorship.”

Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.

………

Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.

Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.

In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

………

What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week? Was it a space-based weapon of mass disruption built and tested by a rogue nation-state, or an arch villain like SPECTRE from the James Bond series of novels and films? If only the enemy here was that black-and-white.

No, as I reported in the last blog post before my site was unplugged, the enemy in this case was far less sexy. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.

Some readers on Twitter have asked why the attackers would have “burned” so many compromised systems with such an overwhelming force against my little site. After all, they reasoned, the attackers showed their hand in this assault, exposing the Internet addresses of a huge number of compromised devices that might otherwise be used for actual money-making cybercriminal activities, such as hosting malware or relaying spam. Surely, network providers would take that list of hacked devices and begin blocking them from launching attacks going forward, the thinking goes.

The sheer disproportionality of the attack led one of Krebs’ readers to note that this is odd: it’s like the Death Star being tested out on the Millennium Falcon rather than Alderaan. But Krebs notes that with connectivity providers ignoring a very basic 12-year-old protocol (BCP38), it’s more like there is an infinite supply of cloned warriors. (Mostly, I prefer not to use Star Wars analogies myself.)
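As an added illustration, not part of this post or of Krebs’ article, of what BCP38 ingress filtering actually does at a provider edge: a packet arriving on a customer port whose source address is outside that customer’s assigned prefixes is spoofed and gets dropped, which is what denies a flood its “infinite supply” of fake sources. The interface names, prefixes and sample traffic below are constructed.

```python
"""BCP38-style ingress filtering at a provider edge (added example).

Assumption (constructed): the edge router knows which customer prefixes
are assigned to each access interface. BCP38 says a packet arriving on a
customer interface whose source address is not in that customer's
assigned space is spoofed and must be dropped.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed: interface name -> prefixes legitimately assigned there.
ASSIGNED_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/26", "198.51.100.128/25"],
}

def build_filter(assignments: Dict[str, Iterable[str]]):
    """Precompute per-interface allow-lists of ip_network objects."""
    return {ifc: [ip_network(p) for p in prefixes]
            for ifc, prefixes in assignments.items()}

def permitted(filters, interface: str, src: str) -> bool:
    """True if src is a legitimate source for packets arriving on interface."""
    networks = filters.get(interface)
    if networks is None:
        return False  # unknown interface: fail closed
    addr = ip_address(src)
    return any(addr in net for net in networks)

def apply_ingress_filter(filters, packets: Iterable[Tuple[str, str, str]]):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for ifc, src, dst in packets:
        (forwarded if permitted(filters, ifc, src) else dropped).append((ifc, src, dst))
    return forwarded, dropped

# Constructed sample traffic: legitimate customer flows plus packets
# whose source claims to be someone else (the spoofed "clone" pattern).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),
    ("cust-a", "192.0.2.99", "192.0.2.10"),     # spoofed: not cust-a's space
    ("cust-b", "198.51.100.130", "192.0.2.10"),
    ("cust-b", "198.51.100.70", "192.0.2.10"),  # in the unassigned gap
    ("cust-c", "203.0.113.8", "192.0.2.10"),    # unknown interface
]

if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(build_filter(ASSIGNED_PREFIXES), SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```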

My thought is that this was a test. Krebs on Security was a well protected target, but taking it off line for a few days is not a huge deal in the scheme of things.

I think that it was a dress rehearsal, and so the question is what is going to be the main event.