Jump to content

Summer (in)Security 2013


Recommended Posts

I return from Holiday and am catching up on security news. I'll update this thread as the day and season proceeds. Stay Frosty. :shank:

 

Microsoft hijacks domains in attempted botnet takedown. The problem here, is how disruptive this effort was and the security researchers it screwed in the process.

 

NSA is Balls Deep in 100% Verizon call monitoring and far beyond. Image attached is from EFF article. Shit is out of any sort of logic or reasonable action, by our Gov't Overlords. Thank you Mr Snowden, for peeling away the veneer of privacy bluffs.

 

In the UK, A Bank lost 74 laptops, over 6000 accounts and 20000 user records. Asset Manage, much? Guess not.

 

Personal experience: Apple sessions can be hijacked. Unless a friend's kid grabbed my phone and somehow guessed my iTunes password, I saw a 'Blackjack' program downloaded to my phone while on Holiday. I deleted it to see some mandarin text show for the program description. I was unable to report the program as a security exploit.

So all is not flawless in the land of Apple, as the same for Android devices. Like kernel flagging level exploits

 

In a sudo-humorous result of the NSA sniffing, Cloud Storage is just about as insecure (business especially) as we feared.

 

So I guess the EU wants to behead 'Hackers'? How else can you increase the penalties?

 

Back on the global auditing of the internet by the US, I'd advise joining Mozilla and friends in signing the petition against the NSA auditing.

nsa.jpg

Edited by Pic0o
Link to comment
  • 1 month later...

It's that magical time of the year, security conferences.

 

As I mentioned Femtocells recently, there is some handy info on means of exploit possible with these devices. I'm going to guess this device hating packet inspection on my firewall, is one of it's lighter 'security features'. Thanks for confirming my thoughts that this thing has no right being directly hooked to my modem.

 

Please keep ad-blocking. Now you have a good reason. JavaScript ad network DoS leveraging.

 

Let's talk BIOS is a good read about BIOS history and issues in the current day.

 

XKeyscore. "What is this I don’t even" about covers that. Also of note is information on RFID spoofing and data collection.

 

Speaking of groups with questionable objectives, Feds are thought to be 0-day on some Tor nodes It's getting bad when US policy starts to read like China's 'security' protocols.

 

As for the other factions of government, I'd still spend a few minutes to write http://news.cnet.com/8301-1009_3-57596890-83/even-with-effs-congressphone-activism-is-a-hard-sell/](or call) them[/url] about your distaste for awful legislation. I actually got some feedback a few months after submitting my dismay at SOPA or one of it's related acronyms. Hopefully my state official does more than use my feedback as a campaign slogan.

 

I've also learned I don't have a problem with politicians, per se. It's more about how almost all of them are devoid of acting on logic and not profit. I guess that's the problem with a centralized power structure, that totally isn't intended to be centralized in the first place.

Edited by Pic0o
Infos
Link to comment
  • 2 weeks later...

While I never used Lavabit, you will be missed. Secretly shut down because Snowden was there and they refused to give all access up. Best wishes coming back from the ashes of digital dictatorship. Silent Circle also joins the same shutdown club due to lack of being able to promise security.

 

From the chapters of 'Dumb shit almost too stupid to be true', we have 90% of sysAdmins getting dropped from NSA. That will surely keep all that illicitly gathered citizen information secure and drive a boost in hacker (AKA not thieves) recruiting for Federal Jobs.

WTF business right there bros and sisters.

Link to comment

Wired has a fantastic guide to some great sources for information relating to security and global surveillance. Much information to be found from those links.

 

Oh yes, indeed. http://www.aclu.org/blog/technology-and-liberty-national-security/my-life-circles-why-metadata-incredibly-intimate]Metadata aggregation is terrifying.[/url]

 

Found a new acronym today. Secret Collection Service.

Happy Reading :ninjawub:

Link to comment

Getting a little wider on the global spectrum of issues, http://www.campaignforliberty.org/national-blog/transcript-of-farewell-address/]Ron Paul has some words of wisdom[/url] that I highly advise you read. It's no wonder he never stood a chance of US Presidency, because those ideals are not profitable for such a power hungry power structure, called US Government.

Link to comment

Within the last week or so, Google has seen some downtime that showed how reliant the web (~40%) is on them as a backbone provider (and auditor). The recent flavor of this is also that Amazon downtime is far reaching too.

 

It's quite apparent that the consolidated cloud providers and their flaws, are showing up quite clearly. Let's not forget that as the IT shift continues to try and force all transactions and lookups to be done via 'the cloud'. Increased costs and bandwidth too, of course.

 

Problem? Yes, that would be http://www.theregister.co.uk/2013/08/20/ad_security_fix_reissued/]Active Directory patching[/url]. One should test heavily before prodding changes for the backend of Windows machines. Better luck on round 3. Try more testing.

Link to comment

So we have Bradley Manning sized up for 35 years in jail. In addition to the inhumane abuses he suffered, before this judgement was handed down. Acquittal is far in order for Mr. Manning.

 

To quote the ACLU:

When a soldier who shared information with the press and public is punished far more harshly than others who tortured prisoners and killed civilians, something is seriously wrong with our justice system. A legal system that doesn’t distinguish between leaks to the press in the public interest and treason against the nation will not only produce unjust results, but will deprive the public of critical information that is necessary for democratic accountability. This is a sad day for Bradley Manning, but it’s also a sad day for all Americans who depend on brave whistleblowers and a free press for a fully informed public debate.

 

 

 

Also of note, American domestic communications were certainly swept up. As I listen to international music stations and frequent forums well outside the US for technical support and chatting, I'm sure this guy is on someone's list. Speaking your mind and not standing for oppressive bullshit legislation, has also likely indexed me in some sketchy DB, somewhere in a US location. :lol:

 

It's a global world. Stop letting the US cock it up. The IT industry is going to take a huge hit for all this auditing shit. What rational nation would house it's business data in the United States, now.

 

- Thread rename for obvious reasons.

 

iCloud joins the downtime un-party. Turning off iMessage and iCloud has worked out pretty well for me. That unrealistic downtime has become real life. Danger! :o

 

Finally, http://www.theinquirer.net/inquirer/news/2290460/eff-says-nsa-surveillance-was-unconstitutional]a result of 2011 secret court proceedings[/url] filed by the EFF, essentially proves the case of domestic spying to be completely illegal.

"For over a year, [the] EFF has been fighting the government in federal court to force the public release of an 86-page opinion of the secret FISC," it said in a post on its website.

"Issued in October 2011, the secret court's opinion found that surveillance conducted by the NSA under the FISA Amendments Act was unconstitutional and violated 'the spirit of' federal law."

Small victories in the realm of rationality.

Edited by Pic0o
Link to comment

http://blogs.wsj.com/washwire/2013/08/23/nsa-officers-sometimes-spy-on-love-interests/]Audit the Auditors[/url] and you find them pursuing (stalking) love interests via the handy surveillance tools. Yet another "oh, that would never happen" that totally has.

 

With great power, comes great abuse. I'll stick to narration.

Link to comment

Cryptome as temporary taken down for hosting 'Japanese terror files'. Then it was proven to be a shit reason for takedown, thus restored. Additional take-down history can be found in this TheReg article.

 

Stay Frosty Friends. This IS real life.

 

Pro-tip. If you want to be a gigantic thief and get a minimum term, wear a suit and work for wall street.

 

If convicted of these fairly minor offenses, each of the three men could face a maximum of four years in prison, but experts say it is likely that they wouldn't have to serve any prison time at all.

 

 

I'm not saying this person is guilty or not. I am saying this sentencing is entirely out of scope for someone who extracted source code by email, versus remotely by gaining console on a server. Real Life has some sketchy justifications and criminal processing exceptions.

Link to comment

Schools are http://news.cnet.com/8301-1009_3-57600251-83/school-district-hires-company-to-follow-kids-facebook-twitter/]contracting out stalkers[/url] for your children. This is nightmare dimension, shit here. Such an awful extension of current issues, and likely a pedo workforce.

 

http://www.bbc.co.uk/news/technology-23862105]NewsCorps of the world agree[/url], DNS is really vulnerable to exploit. As for most of the infrastructure. Primarily based off '90s tier security mapping. That could be part of the point.

Link to comment
  • 2 weeks later...

Crypto is kind of fucked. since the failed 'Clipper chip' efforts, NSA and team decided to embed some flaws into encryption protocols. Obviously jumping to current day, we are seeing the effects of this poor decision in the real digital landscape.

 

Designing a backdoor intentionally is always a shitty idea for something intended to be secure. It's way easier to break something engineered to fail.

 

Aussies. The http://www.itnews.com.au/News/355885,coalition-to-filter-internet-smartphones.aspx]filtering squeaking out[/url] with the election, is super gross. Looking at the article this was redacted, but it has come up quite a few times and this surely isn't the last. Keep fighting derp. :wub:

Link to comment
  • 3 weeks later...

Automation and browser agent spoofing are nearly as old as the internet. Reading the details on 'How common sense like' calls to stop accessing the site because it's not how it was intended to be used, is the most moronic counter imaginable. I'm sorry, but this coming from a federal agency just makes it a Pot and Kettle type suggestion.

 

Criminals who were looking to profit from ID theft, surely would have not tried similar techniques to steal information. Andrew "Weev" Auernheimer's crime was telling someone it was broken and ripe for data theft. That should be an accommodation, not a prosecution case. Sometimes I feel like I don't even live in the real world anymore, because of all the stupid shit people are being threatened for doing. Especially when it's disclosing security issues to some huge corporation.

 

Recap: Automation is not a crime. Fucking sad, rofl. I automated banning bots from this site, so it's not littered with ad spam. Should I sue myself, or just wait to be arrested for saving myself time?

 

Jumping into new mobile phones, the fingerprint scanner on the later iPhone 5+ models was defeated by CCC. Reading the shoestring implementation of how the scanner works also summons up a laugh. One has to love buzzword technology with pretend security features. Thank the Gods for security conferences and tinkering people!

 

DUAL_EC_DRGB is in some trouble and the link has some history on it. This encryption has almost instantly been renounced upon finding it has some flaws that play to the tune of NSA exploit / backdoor by design. This has not been set to stone as rooted yet, but RSA renouncing it earlier this week was pretty telling. Perhaps it is just indirectly shitty at number generation. You can http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html]review a list of known vendors and applications[/url] using this algorithm.

 

Finally, let me end with me reading about NSA looking to hire a Civil Liberties officer. I wish them all the luck imaginable in not being there only to be a single point of scapegoating. Jumping back to my prior statement about questioning real life. :lol:

Edited by Pic0o
Dual_EC added
Link to comment
×
×
  • Create New...