Follow by Email

Thursday, April 24, 2014

Is Google Too Big to Trust?

Interesting essay about how Google's lack of transparency is hurting their trust:
The reality is that Google's business is and has always been about mining as much data as possible to be able to present information to users. After all, it can't display what it doesn't know. Google Search has always been an ad-supported service, so it needs a way to sell those users to advertisers -- that's how the industry works. Its Google Now voice-based service is simply a form of Google Search, so it too serves advertisers' needs.

In the digital world, advertisers want to know more than the 100,000 people who might be interested in buying a new car. They now want to know who those people are, so they can reach out to them with custom messages that are more likely to be effective. They may not know you personally, but they know your digital persona -- basically, you. Google needs to know about you to satisfy its advertisers' demands.

Once you understand that, you understand why Google does what it does. That's simply its business. Nothing is free, so if you won't pay cash, you'll have to pay with personal information. That business model has been around for decades; Google didn't invent that business model, but Google did figure out how to make it work globally, pervasively, appealingly, and nearly instantaneously.

I don't blame Google for doing that, but I blame it for being nontransparent. Putting unmarked sponsored ads in the "regular" search results section is misleading, because people have been trained by Google to see that section of the search results as neutral. They are in fact not. Once you know that, you never quite trust Google search results again. (Yes, Bing's results are similarly tainted. But Microsoft never promised to do no evil, and most people use Google.)

Conversnitch post snippets of your conversations automated

Surveillance is getting cheaper and easier:
Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in an era when anything can be broadcast by ubiquitous, Internet-connected listening devices.
This is meant as an art project to raise awareness, but the technology is getting cheaper all the time.
The surveillance gadget they unveiled Wednesday is constructed from little more than a Raspberry Pi miniature computer, a microphone, an LED and a plastic flower pot. It screws into and draws power from any standard bulb socket. Then it uploads captured audio via the nearest open Wi-Fi network to Amazon's Mechanical Turk crowdsourcing platform, which McDonald and House pay small fees to transcribe the audio and post lines of conversation to Conversnitch's Twitter account.
Consumer spy devices are now affordable by the masses. For $54, you can buy a camera hidden in a smoke detector. For $80, you can buy one hidden in an alarm clock. There are many more options.

The security of various programming languages

Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language.
The report.

Wednesday, April 23, 2014

NIST Removes Dual_EC_DRBG From Random Number Generator Recommendations

"National Institute of Standards and Technology (NIST) has removed the much-criticized Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from its draft guidance on random number generators following a period of public comment and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible."

Tuesday, April 22, 2014

Research Report Confirms Snowden’s Positive Effect on Industry 

More than half of information security professionals believe the Snowden revelations have had a positive effect on the industry, according to a report released today. The research report, titled ‘Information security: From business barrier to business enabler’, surveyed 1,149 information security professionals across the globe about the industry landscape and the challenges they face.

The research report, commissioned by Infosecurity Europe, highlights the increasing importance of information security to business strategy – from the effect of Edward Snowden’s NSA leaks and the impact of big data, to the demand for boardroom education and the need to develop a long-term strategy to combat evolving threats.
According to the report, information security is gradually being recognized as a business enabler.The results reveal that more effective collaboration between government and the information security industry is crucial to protecting organizations from future cyber threats, with 68% of the information security professionals surveyed believing that intelligence is not currently shared effectively between government and industry.

With only 5% of those surveyed selecting the government as their most trusted source for intelligence, it is apparent that more work needs to be done to strengthen government’s position as a source of information on potential threats.

“This is something that needs to be addressed urgently,” said Brian Honan, Founder & CEO, BH Consulting, a keynote speaker at Infosecurity Europe 2014. “Without better collaboration between industry and governments we are at a disadvantage against our adversaries. As threats and the capabilities of those looking to breach our systems evolve we need to jointly respond better in how we proactively deal with the threat.”

According to the Infosecurity Europe research report, data security is being pushed up the corporate agenda, likely catalyzed by the Snowden revelations. The NSA exposé has triggered action, with 58% believing the Snowden affair has been positive in making their business understand potential threats.

When asked whether the Snowden affair has increased the pressure applied by business to information security professionals to protect critical information, almost half (46%) of all respondents said that it has.

Data, Data & More Data

Thirty percent of information security professionals feel their organization isn’t able to make effective strategic decisions based on deluge of data they receive, and only 59% say they trust the data they receive. Considering the majority have witnessed this volume of data increase over the past 12 months, adopting a future-proof approach to information security is going to become increasingly important. A worrying 44% believe the industry has a short-termist approach to security strategy.
“The way information security is perceived is changing, and events such as the Edward Snowden affair have taught both government and industry several valuable lessons”, said David Cass, Senior Vice President & Chief Information Security Officer at Elsevier, and speaker at Infosecurity Europe 2014. “Threats to security and privacy occur from outside and inside organizations. The complexity of today's threat landscape is beyond the capability of any one company or country to successfully counter on their own. Experience shows there’s clearly more work to be done until businesses understand the importance of information security to long-term strategy. This challenge, combined with the groundswell of data, supports the need for immediate change. Part of this change requires better sharing of information between government and industry."


More than Half of IT Workers Make Undocumented System Changes

Frequent IT system changes without documentation or audit processes can cause system downtime and security breaches from internal and external threats, while decreasing overall operational efficiency. Yet, a new survey has revealed that a majority of IT professionals have made undocumented changes to their IT systems that no one else knows about.

The survey from Netwrix shows that while a full 57% have undertaken those untracked changes, it’s especially worrying because of the frequency with which they occur. About half (52%) of respondents said that they make changes that impact system downtime daily or weekly. And 40% make changes that impact security daily or weekly. Interestingly, more highly regulated industries are making changes that impact security more often, including healthcare (44%) and financial (46%).
“This data reveals that IT organizations are regularly making undocumented changes that impact system availability and security,” said Michael Fimin, CEO at Netwrix, in a statement. “This is a risky practice that may jeopardize the security and performance of their business. IT managers and CIOs need to evaluate the addition of change auditing to their change management processes. This will enable them to ensure that all changes – both documented and undocumented – are tracked so that answers can be quickly found in the event of a security breach or service outage.”
But even so, as many as 40% of organizations don’t have formal IT change management controls in place at all. And 62% said that they have little or no real ability to audit the changes they make, revealing serious gaps in meeting security best practice and compliance objectives.
Just 23% have an auditing process or change auditing solution in place to validate changes are being entered into a change management solution.
Given the prevalence of changes, this lack of change management is creating a dangerous environment for enterprises. The survey found that 65% have made changes that caused services to stop, and 39% have made a change that was the root cause of a security breach.
“With roughly 90% of outages being caused by failed changes, visibility into IT infrastructure changes is critical to maintaining a stable environment,” said David Monahan, research director for security and risk management at Enterprise Management Associates, in a statement. “Change auditing is also foundational to security and compliance requirements. Auditing changes in enterprise class environments requires the ability to get a high-level strategic view without sacrificing the tactical system level detail and insight extended throughout the whole system stack.”


Android malware repurposed to Thwart Two-factor Authentication

A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it’s being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range financial institutions.

Dubbed iBanking, the bot offers a slew of phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls and capturing audio using the device’s microphone. But as reported by independent researcher Kafeine, it’s now also being used to thwart the mobile transaction authorization number (mTAN), or mToken, authentication scheme used by several banks throughout the world, along with Gmail, Facebook and Twitter.

Recently, RSA noted that iBanking’s source code was leaked on underground forums.
“In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target,” said Jean-Ian Boutin, a researcher at ESET, in an analysis. “At this point, we knew it was only a matter of time before we started seeing some ‘creative’ uses of the iBanking application.”
To wit, it’s being used for a type of webinject that was “totally new” for ESET: it uses JavaScript, meant to be injected into Facebook web pages, which tries to lure the user into installing an Android application.
Once the user logs into his or her Facebook account, the malware tries to inject a fake Facebook verification page into the website, asking for the user’s mobile number. Once entered, the victim is then shown a page for SMS verification if it’s an Android phone being used.
The hackers are very helpful: “If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code,” explained Boutin. “There is also an installation guide available that explains how to install the application.”
Since the webinject is available through a well-known webinject coder, this Facebook iBanking app might be distributed by other banking trojans in the future, ESET warned. “In fact, it is quite possible that we will begin to see mobile components targeting other popular services on the web that also enforce two-factor authentication through the user’s mobile,” Boutin said.
Also, because Google has stepped up its game in filtering malicious apps from the Google Play store, some speculate that Android malware authors have had to resort to novel and convoluted methods for getting their malware installed on users’ devices.
“The iBanking/Webinject scheme uses what is becoming a standard technique: first it infects the user’s PC, then it uses this position to inject code into the user’s PC web browser on a trusted site, telling the user that the trusted site wants them to ‘sideload’ an Android app, ostensibly for security reasons,” said Jeff Davis, vice president of engineering at Quarri Technologies, in an emailed comment. “The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t.”

Clearly, the PC is still the weak link in internet security, both for individuals and for enterprises, he added.
In any event, users should avoid installing apps on a mobile device using the PC. “Sideloading is a major vector for malware getting installed on Android devices,” he said. “Although Android provides a warning about sideloading making your device more vulnerable when you enable it, it seems that warning isn’t strong enough. Maybe they need bold, blinking red text saying, ‘Legitimate apps are rarely installed this way! You’re probably installing malware on your device!’”