InfoSec Daily Podcast Episode 839 for February 5, 2013. Tonight's podcast is hosted by Rick Hayes with Dave Kennedy, Boris Sverdlik, Beau Woods, Adrian Crenshaw, Bill Gardner, Karthik Rangarajan, Geordy Rostad, Justin Brown, Keith Pachulski, Varun Sharma, Adrian Sanabria, and Themson Mester.
We have reached the end of the road. The time has come for us to say goodbye. We'd like to thank all of our listeners and wish each of you nothing but the very best.
It’s being called Grand Theft Auto for the surveillance generation, only instead of being played out in the digital world, it’s played out in the real world. And the object of the game isn’t to steal cars or pull off other underworld pranks but to take out Big Brother’s eyes by destroying CCTV surveillance cameras spread across the city.
That’s the new game being played in Berlin and other German cities under the rules ofCamover [note: the website keeps changing addresses so link may not work], an activist sport for those who hate surveillance cameras,according to The Guardian.
Teams of players are charged with taking out as many cameras as possible — by ripping them out of mounts, cutting cables or covering the lenses with black paint using Super Soaker squirt guns — and videotaping the vandalism in the process.
Points are awarded for the number of cameras destroyed — with bonus points granted for the most inventive methods.
“We thought it would motivate inactive people out there if we made a video-invitation to this reality-game,” the creator of Camover told the Guardian. “Although we call it a game, we are quite serious about it: our aim is to destroy as many cameras as possible and to have an influence on video surveillance in our cities.”
The competition was launched as a protest against the European Police Congress being held in Berlin on February 19. There’s no real prize for the game. The winner gets front place in a protest that will take place three days before the congress begins.
The organizers of Camover explained their motivations on their web site:
“The gaze of the cameras does not fall equally on all users of the street but on those who are stereotypical predefined as potentially deviant, or through appearance and demeanour, are singled out by operators as unrespectable,” they write. “In this way youth, particularly those already socially and economically marginal, may be subject to even greater levels of authoritative intervention and official stigmatisation, and rather than contributing to social justice through the reduction of victimisation, CCTV will merely become a tool of injustice through the amplification of differential and discriminatory policing.”
The USFederal Trade Commission (FTC) has made another contribution to the growing debate over the privacy of personal data on smartphones and tablet PCs. With apackage of recommendations, the US authority isurging mobile operating system and application developers to introduce more transparency in their products.
Users have a right to know what data is collected and what it is used for, said the FTC. Apps shouldn't be able to access GPS data or other personal information such as photos or contacts without the user's permission, it added. A year ago the Path social network created a stir byharvesting users' address book data without their permission; the FTC recentlyordered Path to pay an $800,000 fine.
The commission also demands that platform developers implement "Do Not Track" (DNT) features that allow users to avoid being tracked for marketing purposes by advertising networks or other third parties for other reasons. The FTC has been demanding a similar feature for desktop browsers for some time and is now threatening toimplement legal requirements. The authority said that although Apple's iOS and the mobile version of the Firefox browser already offer an appropriate switch, "Do Not Track" is far from being a standard feature in mobile devices. DNT also requires the communication partner on the other end of the connection to co-operate; users only state a preference by enabling the feature. Server operators are free to respect or dismiss this preference, and critics have therefore expressed their doubts about the usefulness of the switch.
With the guidelines it has now released, the FTC wants to emphasise that it is committed to ensuring the privacy of mobile device data. While the recommendations aren't binding for app developers and device manufacturers, any very obvious violations could result in being scrutinised by the trade commission. This could potentially lead to substantial fines such as those in the Path case.
Cisco released findings from two global studies that provide a vivid picture of the rising security challenges that businesses, IT departments and individuals face, particularly as employees become more mobile in blending work and personal lifestyles throughout their waking hours.
Despite popular assumptions that security risks increase as a person's online activity becomes shadier, the highest concentration of online security threats do not target pornography, pharmaceutical or gambling sites as much as they do legitimate destinations visited by mass audiences, such as major search engines, retail sites and social media outlets.
In fact, Cisco found that online shopping sites are 21 times as likely, and search engines are 27 times as likely, to deliver malicious content than a counterfeit software site. Viewing online advertisements? Advertisements are 182 as times likely to deliver malicious content than pornography.
Security risks rise in businesses because many employees adopt "my way" work lifestyles in which their devices, work and online behavior mix with their personal lives virtually anywhere – in the office, at home and everywhere in between. The business security implications of this "consumerization" trend are magnified by a second set of findings from the Cisco Connected World Technology Report (CCWTR), which provides insight into the attitudes of the world's next generation of workers, Generation Y.
Twitter plans to introduce a "two-factor authentication" option that would make it impossible for hackers or vandals to break into accounts – even if they acquired the passwords.
The "2FA" system, which is also offered as an option by Google for its Gmail email system, blocks access from new devices or internet addresses, even when using the correct password, unless accompanied by a short numerical code that is sent separately to the account owner's mobile phone. The news comes just days after the company reset the passwords on at least 250,000 accounts, after hackers broke into its systems and were suspected of accessing users' data, including email addresses and encrypted passwords. Twitter said it reset the passwords as a safety measure, and that it was not certain whether the hackers had accessed them.
Since the suicide of activist Aaron Swartz in early January, hackers operating under the Anonymous banner have come out in full force, organizing a blockade against Westboro Baptist Church picketing and hijacking MIT's website with a memorial message. Now, they've released what appear to be documents on 4,000 members of the banking industry. The file was originally posted on the hacked site of the Alabama Criminal Justice Information Center — though the page is now gone, it's still possible to find a cache.
An application developer reports that the latest Java 7 update "silently" deletes Java 6, breaking applications in the process.
Java 7 update 11 was released two weeks ago to deal with an unpatched vulnerability which had gone mainstream with its incorporation into cybercrook toolkits such as the Blackhole Exploit Kit in the days beforehand. Attacks were restricted to systems running Java browser add-ons.
But Oracle's response appears to have caused some collateral damage.
JNBridge, which provides Java and .NET interoperability tools, reports that customers of software providers who use its technology came a cropper in cases where users had applied the latest Java update (Java 7u11). The software developer blogged about the issue here.
Symantec has taken the unusual step of commenting on a story about a customer, issuing a robust statement denying its anti-virus products were to blame for sophisticated targeted attack on the New York Times.
The Gray Lady revealed yesterday that it had been persistently attacked for four months by China-based cyber insurgents. They used classic APT-style techniques to breach defences before lifting New York Times staff passwords in an attempt to find out more information on an expose run by the paper into outgoing Premier Wen Jiabao.
The Wall Street Journal said today that it's been the target of Chinese hackers stemming from its coverage of China, echoing reports from other news organizations.
Hackers infiltrated the newspaper's computer system through its Beijing bureau in order to monitor the paper's coverage of China, according to the report. Paula Keve, chief spokeswoman for the Journal's parent company, Dow Jones, issued a statement that said the hacks "are not an attempt to gain commercial advantage or to misappropriate customer information." The company completed a "network overhaul" on Thursday to increase security.
Twitter disclosed on Friday evening that its systems had been attacked in the past week by an unidentified group of hackers. As a result of the the attack, the hackers may have had access to the usernames, email addresses and other sensitive information of nearly a quarter of a million twitter users.
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later,” the company said in a blog post. “However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
On Friday evening, Twitter sent out emails to those users whose accounts may have been compromised, notifying them that the company had automatically reset their user passwords, and that they would need to create a new password in order to access the service again.
Even though the prevalence of threats for the Mac remains relatively minimal, malware on OS X has raised its ugly head a bit in the past few years. Some in the Mac community have been affected by threats such as the Flashback malware, DNSChanger, and the MacDefender Trojan, among others. As a result, while the most effective way of keeping a Mac secure is to follow safe browsing and computing practices, you may also be considering using anti-malware utilities. But which ones perform best?
Recently, Mac security analyst Thomas Reed attempted to tackle this question in part by putting a number of popular antivirus utilities to the test. To do so, Reed took a collection of 128 malware samples that included both recent active malware threats and extinct threats, and ran a number of popular antivirus utilities to see how they managed this collection. Arguably, the sample size of 128 might not be enough to give a complete assessment of these programs' capabilities, but it should be adequate enough for comparative purposes.
For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.
After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.
The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times’s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.
Oracle has broken its silence to admit there are security issues with Java in web browsers – but it insists the tech is solid on servers and within mobile and desktop apps.
In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated with Oracle's relative silence on the issue".
Oracle released a new version of Java 7 (Java 7u11) on 13 January designed to plug a zero-day vulnerability that has been exploited in the wild. The update was important because the exploit for the bug had been "weaponised" and bundled in widely available black-market hacking toolkits in the week prior to Oracle's emergency out-of-band update.
In an advisory, Oracle explained that the update switched default Java security settings to "High" so that users will be prompted to allow cryptographically self-signed, or completely unsigned, Java applets to run.
The security flap generated plenty of publicity, especially after the US Department of Homeland Security warned that despite the updates, Java remained a weak target in browsers. Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimise exposure to future attacks.