Sunday, December 21, 2014

Boeing and BlackBerry Partnership for Self-Destructing Phone

It sounds like a Mission: Impossible scenario, but aerospace company Boeing is teaming with Canadian phone maker BlackBerry to produce an ultra-secure mobile phone that "self-destructs." The phone encrypts calls and is intended to serve the high-security needs of government and industry. As BlackBerry CEO John Chen said, "We're pleased to announce that Boeing is collaborating with BlackBerry to provide a secure mobile solution for Android devices utilizing our BES 12 platform."



Staples: Breach May Have Affected 1.16 Million Customers' Cards

Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said. 

Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components: a Listening Implant, a Lightweight Backdoor, a Proxy Tool, a Destructive Hard Drive Tool, and a Destructive Target Cleaning Tool. US-CERT also provided a list of Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host-based indicators, potential YARA signatures to detect the malware binaries on host machines, and recommended security practices and tactical mitigations.

North Korea Denies Responsibility for SPE Hack

A North Korean official said that the secretive regime wants to mount a joint investigation with the United States to identify who was behind the cyber attack against Sony Pictures. An unnamed spokesman of the North Korean foreign ministry was quoted by the country's state news agency, KCNA, describing U.S. claims they were behind the hack as "slander." "As the United States is spreading groundless allegations and slandering us, we propose a joint investigation with it into this incident," the official said, according to Agence France-Presse. Both the FBI and President Barack Obama have said evidence was uncovered linking the hack to North Korea, but some experts have questioned the evidence tying the attack to Pyongyang. Meanwhile, reader hessian notes that 2600: The Hacker Quarterly has offered to let the hacker community distribute The Interview for Sony. It's an offer Sony may actually find useful, since the company is now considering releasing the movie on a "different platform." Reader Nicola Hahn warns that we shouldn't be too quick to accept North Korea as the bad guy in this situation: Most of the media has accepted North Korea's culpability with little visible skepticism. There is one exception: Kim Zetter at Wired has decried the evidence as flimsy and vocally warns about the danger of jumping to conclusions. Surely we all remember high-ranking, ostensibly credible, officials warning about the smoking gun that comes in the form of a mushroom cloud? This underscores the ability of the agenda-setting elements of the press to frame issues and control the acceptable limits of debate. Some would even say that what's happening reveals tools of modern social control (PDF). Whether or not they're responsible for the attack, North Korea has now warned of "serious consequences" if the U.S. takes action against them for it.

Who Is Behind the SPE Hack Exposed By FBI

As a result of the investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Thursday, December 18, 2014

Unfolding The Hidden Tor Users

Kevin Poulsen has a good article up on Wired about how the FBI used a Metasploit variant to identify Tor users.

Words About Sony Hack

I don't have a lot to say about the Sony hack, which seems to still be ongoing. I want to highlight a few points, though.
  1. At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either.) That we live in the world where we aren't sure if any given cyberattack is the work of a foreign government or a couple of guys should be scary to us all.
  2. Sony is a company that hackers have loved to hate for years now. (Remember their rootkit from 2005?) We've learned previously that putting yourself in this position can be disastrous. (Remember HBGary.) We're learning that again.
  3. I don't see how Sony launching a DDoS attack against the attackers is going to help at all.
  4. The most sensitive information that's being leaked as a result of this attack isn't the unreleased movies, the executive emails, or the celebrity gossip. It's the minutiae from random employees:
    The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It's an email about trying to get pregnant. It's shit-talking coworkers behind their backs, and people's credit card log-ins. It's literally thousands of Social Security numbers laid bare. It's even the harmless, mundane, trivial stuff that makes up any day's email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.
    These people didn't have anything to hide. They aren't public figures. Their details aren't going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.
    These are people who did nothing wrong. They didn't click on phishing links, or use dumb passwords (or even if they did, they didn't cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn't have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we've become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.
    Gizmodo got this 100% correct. And this is why privacy is so important for everyone.
I'm sure there'll be more information as this continues to unfold.

Limited Number Of CISO & Hard to Find

This article is reporting that the demand for Chief Information Security Officers far exceeds supply:
Sony and every other company that realizes the need for a strong, senior-level security officer are scrambling to find talent, said Kris Lovejoy, general manager of IBM's security service and former IBM chief security officer.
CISOs are "almost impossible to find these days," she said. "It's a bit like musical chairs; there's a finite number of CISOs and they tend to go from job to job in similar industries."
I'm not surprised, really. This is a tough job: never enough budget, and you're the one blamed when the inevitable attacks occur. And it's a tough skill set: enough technical ability to understand cybersecurity, and sufficient management skill to navigate senior management. I would never want a job like that in a million years.
Here's a tip: if you want to make your CISO happy, here's her holiday wish list.
"My first wish is for companies to thoroughly test software releases before release to customers...."
Can we get that gift wrapped?

Wednesday, December 10, 2014

The Poodlebleed (POODLE) Bug in SSL 3.0

Poodlebleed, better known as POODLE, is a vulnerability in the design of SSL version 3.0. POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption. The flaw lets a network attacker decrypt, one byte at a time, parts of an SSL 3.0 connection that they can get the client to resend, such as an HTTP session cookie. It was discovered by Google Security Team researcher Bodo Möller in collaboration with Thai Duong and Krzysztof Kotowicz.

The bug is in the Secure Sockets Layer (SSL) 3.0 protocol itself (specifically in how SSLv3 pads and checks CBC-mode records), so every implementation that still speaks SSLv3 can be exploited to read data that is supposed to be encrypted between clients and servers.

Although SSL 3.0 is nearly 18 years old (it dates from 1996), many servers and web browsers still support it today. When a browser fails to connect using a newer protocol version (TLS 1.0, 1.1 or 1.2), it may retry with an SSL 3.0 connection. This is where the trouble begins.
Because a network attacker can cause connection failures, including failures of TLS 1.0/1.1/1.2 handshakes, they can force a client down to SSL 3.0 and then exploit the POODLE bug to decrypt secrets, such as session cookies, that the browser sends on every request between it and the server. For the nitty-gritty details of how the padding oracle works, see Google's PDF announcement.
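To make the padding-oracle mechanism concrete, here is an added simulation written for this page; it is not code from Google's paper or from any SSL implementation. It models an SSLv3 CBC record (plaintext || MAC || padding || padding_length, where only the final length byte is ever checked), a victim whose browser repeats a request carrying a secret cookie while attacker-controlled script chooses the request's path and body lengths, and the attacker who copies the ciphertext block holding a target byte over the all-padding final block and learns one plaintext byte each time the server happens to accept the forgery (about 1 try in 256). Assumptions: a toy Feistel block cipher stands in for AES so that only the standard library is needed; every record gets a fresh random IV (real SSLv3 chains the IV from the previous record, which changes nothing for an attacker who sees both); and the request template PREFIX/MIDDLE/TRAILER, the Victim class and the secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size of the (toy) block cipher
MAC_LEN = 20  # SSLv3's MAC is SHA-1 based, 20 bytes

# Toy 16-byte block cipher: 4-round Feistel keyed with HMAC-SHA256. It stands in for
# AES so that only the standard library is needed; POODLE does not care which block
# cipher is used, only that the mode is CBC with SSLv3 padding.
def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, r, i)))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, l, i))), l
    return l + r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

# SSLv3-style record: plaintext || MAC || padding || padding_length.
def record_mac(mac_key, plaintext):
    return hmac.new(mac_key, plaintext, hashlib.sha1).digest()

def padding_valid(body, strict):
    """SSLv3 (strict=False) checks only that the last byte is a plausible padding length.
    TLS 1.0+ (strict=True) also requires every padding byte to equal that length."""
    pad_len = body[-1]
    if pad_len >= BLOCK or len(body) < pad_len + 1 + MAC_LEN:
        return False
    return all(b == pad_len for b in body[-1 - pad_len:-1]) if strict else True

def seal_record(enc_key, mac_key, plaintext):
    body = plaintext + record_mac(mac_key, plaintext)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK  # padding bytes, length byte excluded
    body += os.urandom(pad_len) + bytes([pad_len])       # SSLv3 never inspects these bytes
    iv = os.urandom(BLOCK)  # simplification: real SSLv3 chains the IV from the previous record
    return iv + cbc_encrypt(enc_key, iv, body)

def open_record(enc_key, mac_key, record, strict=False):
    """The oracle: True if the server accepts the record, False if it would send an alert."""
    body = cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:])
    if not padding_valid(body, strict):
        return False
    body = body[:len(body) - body[-1] - 1]
    return hmac.compare_digest(body[-MAC_LEN:], record_mac(mac_key, body[:-MAC_LEN]))

# Victim model (constructed): attacker script picks the request path and body lengths,
# the browser adds the secret cookie, the server answers accept or reject.
PREFIX, MIDDLE, TRAILER = b"GET /", b" HTTP/1.1\r\nCookie: sid=", b"\r\n\r\n"

class Victim:
    def __init__(self, secret):
        self.enc_key, self.mac_key, self.secret = os.urandom(32), os.urandom(32), secret

    def request(self, path_len, body_len):
        pt = PREFIX + b"A" * path_len + MIDDLE + self.secret + TRAILER + b"B" * body_len
        return seal_record(self.enc_key, self.mac_key, pt)

    def server_accepts(self, record):
        return open_record(self.enc_key, self.mac_key, record)

def poodle_attack(victim, secret_len, max_tries=20000):
    recovered = bytearray()
    for k in range(secret_len):
        # 1. Path length so that secret byte k is the last byte of some plaintext block.
        path_len = (BLOCK - 1 - (len(PREFIX) + len(MIDDLE) + k)) % BLOCK
        target = len(PREFIX) + path_len + len(MIDDLE) + k
        # 2. Body length so that plaintext+MAC fills whole blocks: the padding then occupies
        #    an entire block whose only checked byte is the final length byte, 0x0f.
        body_len = -(target + (secret_len - k) + len(TRAILER) + MAC_LEN) % BLOCK
        t = target // BLOCK
        for _ in range(max_tries):
            rec = victim.request(path_len, body_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            # 3. Replace the all-padding final ciphertext block with the block holding the target.
            forged = b"".join(blocks[:-1]) + blocks[t + 1]
            # 4. Accepted only when D(C_t) xor C_{n-1} ends in 0x0f (about 1 try in 256); then
            #    P_t[15] = 0x0f xor C_{t-1}[15] xor C_{n-1}[15].
            if victim.server_accepts(forged):
                recovered.append((BLOCK - 1) ^ blocks[t][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; the peer is probably not SSLv3")
    return bytes(recovered)

if __name__ == "__main__":
    print(poodle_attack(Victim(b"S3cret"), 6))  # b'S3cret', about 256 requests per byte
```

The strict flag in padding_valid is the TLS 1.0 rule: every padding byte must equal the length byte, so a forged block passes with probability around 2^-128 rather than 2^-8, which is why the protocol flaw is confined to SSL 3.0. Implementations that skip that check under TLS are exposed in exactly the same way, which is what the later "POODLE TLS" reports about some TLS stacks were about.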

Clients and Browsers

For the best client-side security, disable SSL 3.0 completely. Disabling SSL 3.0, or disabling CBC-mode ciphers under SSL 3.0, mitigates this issue; note, though, that the only non-CBC SSL 3.0 cipher that leaves you is RC4, which has well-known weaknesses of its own, so dropping CBC is a stopgap rather than a fix. Because disabling SSL 3.0 outright breaks connections to servers that speak nothing newer, the recommended protocol-level response is TLS_FALLBACK_SCSV, a signalling cipher-suite value with which a client tells the server that a connection is a downgrade retry, so the server can refuse it; it only helps when both ends implement it. Most major browsers will support TLS_FALLBACK_SCSV in the coming months. Until then, you can protect yourself by disabling SSL 3.0 support in your browser.
In Firefox, open about:config and set security.tls.version.min to 1 (0 permits SSL 3.0; 1 makes TLS 1.0 the minimum).

This browser test by Qualys, Inc. shows which TLS and SSL versions your browser will negotiate. If your browser still supports SSL 3.0 (or SSL 2.0) and does not send TLS_FALLBACK_SCSV, you are exposed to POODLE and should either upgrade to Google Chrome or disable SSL 2/3 support. At the time of writing only Google Chrome 33.0.1750 (the February 2014 build) and newer sends TLS_FALLBACK_SCSV; users of every other browser are safest disabling SSL 3.0.

Servers

First test whether your server still accepts SSL 3.0 connections (the original post embedded a checking form here; an SSL scanner, or openssl s_client -ssl3 -connect host:443 from an OpenSSL build that still includes SSLv3, gives the same answer). Disabling SSL 3.0 may cause failed connections for the small portion of users on very old browsers, but it stops the large majority on modern browsers from being eavesdropped on while using your service. Guides for disabling SSL 3.0 in Apache and nginx are widely available; the Apache directives are shown below.
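As an added example (not from the original post, and not Qualys's or anyone else's scanner), the script below performs the server check described above without depending on a local OpenSSL that still speaks SSLv3: it hand-builds an SSL 3.0 ClientHello, sends it, and classifies the reply. Sending the hello a second time with the TLS_FALLBACK_SCSV pseudo-cipher appended shows whether the server implements the fallback signal, since such a server answers with an inappropriate_fallback alert (description 86). The cipher-suite list is an assumed, representative selection; the host and port are whatever you pass on the command line.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
TLS_FALLBACK_SCSV = 0x5600
# Representative SSLv3-era cipher suites to offer (assumed selection; adjust as needed).
SSLV3_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0005, 0x0004]

def build_sslv3_client_hello(include_fallback_scsv=False, client_random=None):
    """Raw SSLv3 ClientHello record: no extensions (SSL 3.0 has none), null compression only."""
    suites = SSLV3_SUITES + ([TLS_FALLBACK_SCSV] if include_fallback_scsv else [])
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3                                      # client_version 3.0
        + (client_random or os.urandom(32))        # 32-byte random
        + b"\x00"                                  # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                              # compression_methods: [null]
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # client_hello(1)
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # handshake(22)

def classify_response(data):
    """Turn the first record the server sends back into a verdict string."""
    if len(data) < 7:
        return "no-response"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:      # handshake / server_hello
        if data[9:11] == SSLV3:
            return "sslv3-accepted"
        return "unexpected-version-%02x%02x" % (data[9], data[10])
    if data[0] == 0x15:                                                # alert: level, description
        desc = data[6]
        if desc == 86:
            return "inappropriate-fallback"   # server implements TLS_FALLBACK_SCSV
        if desc in (40, 70):
            return "sslv3-refused"            # handshake_failure(40) / protocol_version(70)
        return "alert-%d" % desc
    return "unexpected-record-%02x" % data[0]

def probe(host, port=443, timeout=5.0):
    """Returns (verdict for plain SSLv3 hello, verdict for SSLv3 hello carrying the SCSV)."""
    results = []
    for scsv in (False, True):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv3_client_hello(include_fallback_scsv=scsv))
            try:
                data = s.recv(4096)
            except (socket.timeout, ConnectionResetError):
                data = b""
        results.append(classify_response(data))
    return tuple(results)

if __name__ == "__main__":
    import sys
    plain, with_scsv = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("SSLv3 offered alone:          ", plain)
    print("SSLv3 with TLS_FALLBACK_SCSV: ", with_scsv)
```

Reading the result: sslv3-accepted on the plain hello means the server will still negotiate SSL 3.0 and any client that falls back to it can be attacked; sslv3-refused on both means SSL 3.0 is off; sslv3-accepted followed by inappropriate-fallback means SSL 3.0 is still enabled but the server honours TLS_FALLBACK_SCSV, so SCSV-aware clients cannot be downgraded while older clients remain exposed.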

It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design but in the old SSLv3 protocol.  SSL Certificates are not affected and customers with certificates on servers supporting SSL 3.0 do not need to replace them.
It is believed to be less serious than the Heartbleed bug in OpenSSL, because the attacker needs a privileged position on the network, and must be able to make the victim's browser send many requests, to exploit the latter. Public Wi-Fi hotspots make that position easy to obtain, which is what makes the attack a real problem. It falls into the man-in-the-middle category.
Background
While SSL 3.0 was introduced in 1996, it is currently supported by nearly 95% of web browsers according to Netcraft's latest report. Many Transport Layer Security (TLS) clients downgrade to SSL 3.0 when working with legacy servers. According to Google, an attacker who controls the network between the computer and the server can interfere with the handshake used to discover which protocol versions the server accepts, running a "protocol downgrade dance" that forces both sides onto the older SSL 3.0 protocol. The attacker can then carry out a man-in-the-middle (MITM) attack on the SSL 3.0 session to decrypt secure HTTP cookies, letting them steal information or take control of the victim's online accounts. Although, at the time of writing, webmasters have been disabling SSL 3.0 and moving to TLSv1 and above at a rapid pace, there is still a lot of work to be done. If Heartbleed taught us anything, it's that the largest companies act fast while many small companies drag their heels in patching critical vulnerabilities.
What Businesses Need to Do
In order to mitigate the bug there are a few courses of action:
  1. Check whether your web servers are vulnerable (the original post pointed readers to its author's free SSL Toolbox; any SSL scanner will do).
  2. Use software that supports TLS_FALLBACK_SCSV, the mechanism that prevents attackers from forcing web browsers down to SSL 3.0.
  3. Disable SSL 3.0 altogether, or at least disable the SSL 3.0 CBC-mode ciphers.
  4. A cloud-based Web Application Firewall that terminates TLS in front of your servers can help protect against this kind of vulnerability.
  5. Be leery of any spam messages from scammers trying to capitalize on uncertainty and a lack of technical knowledge.
 Christoffer Olausson gives a few tips on how to fix this on Apache (the SSLProtocol line belongs in the SSL configuration, e.g. the ssl module config or the HTTPS VirtualHost):
> SSLProtocol All -SSLv2 -SSLv3                   <- Removes SSLv2 and SSLv3
> apachectl configtest                                   <- Test your configuration
> sudo service apache2 restart                     <- Restart server (the service is named httpd on RHEL/CentOS)
Google added that it will remove SSL 3.0 support from all of its products in the next few months. Mozilla also said it would disable SSL 3.0 in Firefox 34, due at the end of November.


Monday, December 8, 2014

Eavesdrop on Any Conversation?

Interesting essay on the future of speech recognition, microphone miniaturization, and the future ubiquity of auditory surveillance.

Why HTTPS Encryption Fails

Interesting paper: "Security Collapse of the HTTPS Market." From the conclusion:
Recent breaches at CAs have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model: the security of the entire ecosystem suffers if any of the hundreds of CAs is compromised (weakest link); browsers are unable to revoke trust in major CAs ("too big to fail"); CAs manage to conceal security incidents (information asymmetry); and ultimately customers and end users bear the liability and damages of security incidents (negative externalities).
Understanding the market and value chain for HTTPS is essential to address these systemic vulnerabilities. The market is highly concentrated, with very large price differences among suppliers and limited price competition. Paradoxically, the current vulnerabilities benefit rather than hurt the dominant CAs, because among others, they are too big to fail.

Uber Tracks Users: Our Data, Our Rights

In the Internet age, we have no choice but to entrust our data with private companies: e-mail providers, service providers, retailers, and so on.
We realize that this data is at risk from hackers. But there's another risk as well: the employees of the companies who are holding our data for us.
In the early years of Facebook, employees had a master password that enabled them to view anything they wanted in any account. NSA employees occasionally snoop on their friends and partners. The agency even has a name for it: LOVEINT. And well before the Internet, people with access to police or medical records occasionally used that power to look up either famous people or people they knew.
The latest company accused of allowing this sort of thing is Uber, the Internet car-ride service. The company is under investigation for spying on riders without their permission. Using a tool called the "god view," some Uber employees are able to see who is using the service and where they're going -- and used it at least once, in 2011, as a party trick to show off the service. A senior executive also suggested the company should hire people to dig up dirt on their critics, making their database of people's rides even more "useful."
None of us wants to be stalked -- whether it's from looking at our location data, our medical data, our emails and texts, or anything else -- by friends or strangers who have access due to their jobs. Unfortunately, there are few rules protecting us.
Government employees are prohibited from looking at our data, although none of the NSA LOVEINT creeps were ever prosecuted. The HIPAA law protects the privacy of our medical records, but we have nothing to protect most of our other information.
Your Facebook and Uber data are only protected by company culture. There's nothing in their license agreements that you clicked "agree" to but didn't read that prevents those companies from violating your privacy.
This needs to change. Corporate databases containing our data should be secured from everyone who doesn't need access for their work. Voyeurs who peek at our data without a legitimate reason should be punished.
There are audit technologies that can detect this sort of thing, and they should be required. As long as we have to give our data to companies and government agencies, we need assurances that our privacy will be protected.

Thoughtful Cartoon

Funny.

Misuse Of Our Data

Last week, we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It's more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there's substantial evidence that it was built and operated by the United States.
This isn't the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted.
I dislike the "cyberwar" metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and NGOs. Sometimes these attacks are accidental, but often they are deliberate.
For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat.
This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.
So why did these companies all keep Regin a secret for so long? And why did they leave us vulnerable for all this time?
To get an answer, we have to disentangle two things. Near as we can tell, all the companies had added signatures for Regin to their detection database long before last month. The VirusTotal website has a signature for Regin as of 2011. Both Microsoft security and F-Secure started detecting and removing it that year as well. Symantec has protected its users against Regin since 2013, although it certainly added the VirusTotal signature in 2011.
Entirely separately and seemingly independently, all of these companies decided not to publicly discuss Regin's existence until after Symantec and the Intercept did so. Reasons given vary. Mikko Hyppönen of F-Secure said that specific customers asked him not to discuss the malware that had been found on their networks. Fox IT, which was hired to remove Regin from the Belgian phone company Belgacom's network, didn't say anything about what it discovered because it "didn't want to interfere with NSA/GCHQ operations."
My guess is that none of the companies wanted to go public with an incomplete picture. Unlike criminal malware, government-grade malware can be hard to figure out. It's much more elusive and complicated. It is constantly updated. Regin is made up of multiple modules -- Fox IT called it "a full framework of a lot of species of malware" -- making it even harder to figure out what's going on. Regin has also been used sparingly, against only a select few targets, making it hard to get samples. When you make a press splash by identifying a piece of malware, you want to have the whole story. Apparently, no one felt they had that with Regin.
That is not a good enough excuse, though. As nation-state malware becomes more common, we will often lack the whole story. And as long as countries are battling it out in cyberspace, some of us will be targets and the rest of us might be unlucky enough to be sitting in the blast radius. Military-grade malware will continue to be elusive.
Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn't. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.

Saturday, December 6, 2014

Sony Kept Thousands of Passwords in a Folder Named "Password"

 

It's been a rough week for Sony execs (million-dollar salaries notwithstanding). And things are only going to get worse. Which would almost be enough to make you feel bad for the poor schmucks in IT—that is, until you realize that they hid their most sensitive password data under the label "Passwords." Go ahead and slam your head against something hard. We'll wait.
The second trove of data snuck out sometime yesterday, and it didn't take long for Buzzfeed to stumble upon the Facebook, MySpace (an ancient form of Facebook), YouTube, and Twitter "usernames and passwords for major motion picture social accounts." Likely due to the fact that they were saved in a huge file called "Password." Which contained even more passwords called things like "Facebook login password." So they would know that that was the password. Because who needs encryption or security or common sense or even the vaguest attempt at grade-school level online safety.
Yep, "Password" should do just fine. Maybe stick a "1" on the end. That'll throw 'em off.
Of course and unfortunately, it shouldn't really be a surprise that humans are lazy and unimaginative and just generally the worst when it comes to protecting our precious online data. And yet—goddammit, Sony IT. You had one job. [Fusion, Buzzfeed]

Wednesday, November 26, 2014

Great Firewall of China Blocks Edgecast CDN, Thousands of Websites Affected

Starting about a week ago, the Great Firewall of China began blocking the Edgecast CDN. This was spurred by GreatFire's Collateral Freedom project, which used CDNs to get around censorship of individual domains. It left China with a choice: let go of censorship, or break significant chunks of the Internet for its population. China chose the latter, and now many websites no longer work for Chinese users. I am just helping to diagnose this problem with one company's site, so it's likely many people are only starting to discover what's happened, and the economic impact is yet to be fully realized. Hopefully pressure on China will reverse the decision.

Revealing Gorilla Glass 4, Promises No More Broken iPhones

Corning introduced its next-generation Gorilla Glass, which it says is ten times tougher than any competing cover glass now on the market. The company says that Gorilla Glass 4 is meant to address the number one problem among smartphone users: screen breakage from everyday drops.

Nuclear Weapons Create Their Own Security Codes With Radiation

Nuclear weapons are a paradox. No one in their right mind wants to use one, but if they're to act as a deterrent, they need to be accessible. The trick is to make sure that access is only available to those with the proper authority. To prevent a real-life General Jack D. Ripper from starting World War III, Lawrence Livermore National Laboratory's (LLNL) Defense Technologies Division is developing a system that uses a nuclear weapon's own radiation to protect it from tampering.

Interesting Assumptions In Cryptography

Nice article on some of the security assumptions we rely on in cryptographic algorithms.

Yet Another Malware

Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.

Sunday, November 23, 2014

WhatsApp Is Now End-to-End Encrypted

WhatsApp is now offering end-to-end message encryption:
WhatsApp will integrate the open-source software TextSecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device.
I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives me some confidence that it's a robust implementation.

Encrypt Your Website For Free

Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.
This is an absolutely fantastic idea.
The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It's tricky to install correctly. It's a pain to update.
Let's Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
[...]
The key principles behind Let's Encrypt are:
  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server's native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let's Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

Wednesday, November 19, 2014

Work and life, balance

What does work/life balance mean to you? Most likely, it means something different from what it means to me.
There are many ways to define work and life, and the balance between the two, but I’m going to focus on two, that I’ll label, ungenerously to one of them, the “old way” and the “new way”.

The old way

In the old way, work and life are clearly distinct, as night and day. Work is a curse (sometimes biblical), the time you spend toiling and sweating and bleeding to earn a living, and life is a blessing, the thing you work for, which must be distinct from work and much better than work, to justify all the toiling and sweating and bleeding.
You work (an activity that by definition you do not enjoy most of the time) to earn money, that you then spend on things that you do enjoy, during your “life” time. The work is an unfortunate necessity, something that you would avoid if you could. The ideal life is the infinite holiday. If you had millions of dollars instead of thousands, in this mental framework, you would probably go on an extended holiday, until you’re either ruined by unfortunate circumstances or you die.
This is still the dominant paradigm, and one that drives most of our discussions of work/life balance. In fact, the very term “work/life balance” implies belief in this old way of defining work and life. Whenever you say “work/life balance”, you imply to your subconscious that you believe in these two concepts of work and life and their contrast and the need to balance them.
How to balance them? Well, with the definition of work as something unpleasant and life as something pleasant, obviously work should be minimised and life maximised. So we have fixed working hours, 40 hours a week, then 35, then 30. We scrupulously “leave our work behind” when we go home. We take holidays where we make sure to disconnect. We look at people who work longer hours, take their work home and work on holiday as workaholics – a clearly, obviously pejorative term. Something to be avoided.

The new way

The new way of talking about work and life is from the point of view of passionate people doing work they care about deeply. The traditional view here is that only artists and vocational people like charity workers, priests or doctors can do that, but today’s reality is that many people engaged in a wide range of jobs can and do feel passionate about their work, and find personal accomplishment and fulfilment in them.
One obvious case of the passionate worker is the entrepreneur, but they are rare so let’s leave them aside. Another is people who work in open cultures, or at least in jobs that somehow have some mysterious characteristics like a sense of purpose and challenge and autonomy.
People in these kinds of jobs can frequently feel they are in an awkward place, because they feel that they enjoy working hard, but then the “old way” of thinking tells them that they’re working too hard. Adopting the language of the old way, they might end up “realising” that they’re workaholics and try to cut back, or go on holiday and deliberately disconnect from everything to try and recover some “work/life balance”.
The sad thing about this is that it is wrong and actually makes the passionate person’s life worse, not better. Being passionate about your work is not a curse, it’s a blessing. We can argue all year long about what the meaning of life is, and each person can and needs to come up with their own answer, but there is no argument that achieving a state of flow is a desirable thing. Being passionate about your work leads to being in a state of flow more often.
How tragic, then, when definitions imagined by people who worked in a state of pain rise up out of your subconscious to say, effectively, “hey, you shouldn’t spend that much time in a state of flow, you’re a workaholic with no work/life balance!” An exaggerated view of that is akin to interrupting Leonardo in the middle of painting the Mona Lisa to tell him he’s done his eight hours and needs to go home now.
This conflict between working according to the new way but letting your thinking err along the old way is not helpful, and in my opinion should be avoided. I propose a new way of thinking about work/life balance, in terms of stages of work, with a clear, opinionated scale from worse to better. Each stage has different ways of thinking about work/life balance.

The new ladder of work

Level 1: Slavery

On the bottom of the ladder, I would like to put slavery – by which I do not mean wage slavery, but actual, real slavery. There is still an awful lot of this in the world. Some countries still have institutionalised slavery, some high-profile international organisations do not bat an eyelid at using slavery to serve their goals, and most of humanity through most of history has operated at this level, sadly. As slaves with no control over our lives, a few of us might miraculously lift ourselves up to a higher level (like Joseph in the Biblical story), but most, by far, will not. The concept of work/life balance is irrelevant here: as slaves we have no life of our own; our lives belong to our masters.

Level 2: Survival

One level above, I would put the type of work that one does to ensure survival (of oneself or of one’s family). Throughout the industrial revolution, and still in many countries in Asia in industries such as textiles or manufacturing, much of the work is at this level. This is barely above slavery, the only difference being that we have a notional choice of working under equally bad conditions somewhere else. Work/life balance as a concept becomes theoretically important but is mostly out of our reach. We work (serve the curse) as much as we humanly can, and the rest of the time is a temporary interval between stretches of work. Much of the social progress of the industrial revolution was aimed at allowing people working at this level to live humane lives, and lifted much of the western world’s population to at least level 3.

Level 3: Balance

This is the level where the concept of work/life balance really has full meaning, and where most people are operating. In this perspective, work is undesirable but not oppressive. We have choice, so long as the economy is doing alright and our skills are in demand. We can choose to work reasonable working hours. We have control over the line between work and life. This is the old way done right. In this context, the concept of work/life balance is a good thing and it is important to balance the two, to stay in control of where that line shifts.

Level 4: Acceleration

Some fortunate people operating at level 3 may find that some aspects of their jobs are more engaging than others, and get caught up in those aspects from time to time. Another way to put it is that we may have work that is largely undesirable, that would not be worth doing if we weren’t paid for it, but there are some aspects of that work that put us in a state of flow, where we lose track of time and find ourselves working till silly hours or thinking about work on holiday, and so on. This is where the level 3 way of thinking holds us back, by suggesting that this is a symptom of an out-of-control work/life balance. At this stage, the concept of work/life balance still makes sense overall, but it starts to lose its usefulness, and I think this is the stage where we must be careful not to let it hold us back from progressing to level 5.
Because at level 4, we start to get a glimpse of what life could be at level 5, since we begin to find out which activities are both productive (i.e. things society rewards with money) and put us in a state of flow (i.e. things we deeply enjoy doing for their own sake).

Level 5: Flow

Once we discover which activities we can do, which put us in a state of flow but are rewarded by society (i.e. are paid well enough), we have the option to start rebuilding our work (or finding another job or career) where we can spend most of our time doing the things we love and are passionate about. Of course, there are always going to be some unpleasant bits to any job, but because we see the bigger picture of what we’re doing (flow is impossible without a sense of purpose), we handle them without much effort, to get back to the bits we enjoy.
At this level, work/life balance makes no sense whatsoever. You wouldn’t put a time limit on flow any more than you’d put a time limit on any other enjoyable activity. Keep doing it as long as it’s fun! When it’s no longer fun, switch to another fun and productive thing. And so on, endlessly.
I don’t think it is possible to reach this level without letting go of the concept of work opposed to life, prevalent in level 3 thinking. A career/life where you spend most of your time in a state of flow is highly desirable, but it is not one we can reach while we meter out our efforts and keep thinking of work as something to be avoided.
A symptom of this state, in my opinion, is that we are constantly working: at home, during hobbies, on holiday, even while asleep! But much of that work is subconscious, thinking about how to do things even better or which things to do, rather than sitting down in front of a computer and “working”. The work is then just the natural outlet of the thinking, much like an artist’s work.
Whilst the shift from level 3 to 4 can happen accidentally without intention, the shift to level 5 only occurs if we really seek out this new way of working, which is why it’s important to embrace it rather than fight it.

Some final notes

There are a million objections to the ideas above. Some obvious ones are “what about if I have children?” or “what if my job sucks? no one could possibly enjoy my job!”. I believe that a careful reading of the article combined with some thinking will present answers to those objections though. Have a think before you disagree.

In conclusion

Life and work need not and should not be in opposition. When they are in harmony, both get better. But if you let the oppositional thinking of work vs life drive your thinking, it will impair your ability to progress from level 3 to level 5.
Don’t let old assumptions determine how you live your life today. Think for yourself about what makes sense for you.

  1. Obviously, this is an artificial dichotomy and there is a whole continuum of definitions between the two, and there are of course other dimensions to the definition that I’m not exploring here! But for the sake of argument…
  2. Another historical distortion is the concept that to matter in this way, work must be of great cultural or societal import. Actually, to put you in that same state of flow, work must simply matter greatly to you personally.

Tuesday, November 18, 2014

World's Youngest Microsoft Certificated Professional Is Five Years Old

Gurvinder Gill writes at BBC that Ayan Qureshi is the world's youngest Microsoft Certified Professional after passing the tech giant's exam when he was just five years old. Qureshi's father introduced his son to computers when he was three years old. He let him play with his old computers, so he could understand hard drives and motherboards. "I found whatever I was telling him, the next day he'd remember everything I said, so I started to feed him more information," Qureshi explained. "Too much computing at this age can cause a negative effect, but in Ayan's case he has cached this opportunity." Ayan has his own computer lab at his home in Coventry, containing a computer network which he built and spends around two hours a day learning about the operating system, how to install programs, and has his own web site.

Microsoft Certified Professional (MCP) is a certification that validates IT professional and developer technical expertise through rigorous, industry-proven, and industry-recognized exams. MCP exams cover a wide range of Microsoft products, technologies, and solutions. When the boy arrived to take the Microsoft exam, the invigilators were concerned that he was too young to be a candidate. His father reassured them that Ayan would be all right on his own. "There were multiple choice questions, drag and drop questions, hotspot questions and scenario-based questions," Ayan's father told the BBC Asian Network. "The hardest challenge was explaining the language of the test to a five-year-old. But he seemed to pick it up and has a very good memory."

Facebook Planning a Professional Version To Rival LinkedIn, Google

Facebook may be coming out with an office version to take on LinkedIn. Facebook at Work would “allow users to chat with colleagues, connect with professional contacts and collaborate over documents.”
Facebook is reportedly gearing up to take on LinkedIn, Google's Drive and services, Microsoft's Outlook and Yammer with a workplace-friendly version of the social networking site, but such a dream is unlikely to appeal to the enterprise. As reported last week by the Financial Times, "Facebook at Work" is a new product designed to allow professional users to message colleagues, connect with professional contacts and collaborate over documents. The website will have the same look as standard Facebook — including a news feed and groups — but according to people familiar with the matter, the idea is to keep work and personal accounts separate. It makes sense for the social networking giant. Launching a professional version can boost ad revenue, keep engagement up and give the company a valuable new market to tap. But in application, cracking the corporate world won't be easy.

Group Tries To Open Source Seeds

The Open Source Seed Initiative is a passionate group that wants to ensure their seeds are never patented, but making sure seeds are free for use and distribution by anyone isn't as easy as you might think. Part of the equation are plant characteristics, like an extended head on lettuce — is that an invention? Or, would you argue that it is the product of the collective sharing of material that improves the whole crop over time? In this report, one farmer says, "If you're not exchanging germplasm, you're cutting your own throat."

Monday, November 17, 2014

Open Source Self-Healing Software For Virtual Machines

Computer scientists have developed Linux-based software, called A3, that not only detects and eradicates never-before-seen viruses and other malware, but also automatically repairs damage caused by them. If a virus or attack stops the service, A3 could repair it in minutes without having to take the servers down. The software then prevents the invader from ever infecting the computer again. "It's pretty cool when you can pick the Bug of the Week and it works."

Thursday, November 13, 2014

How To End Online Harassment

Gendered bigotry against women is widely considered to be "in bounds" by Internet commenters (whether they openly acknowledge it or not), and subsequently a demographic that comprises half of the total human population has to worry about receiving rape threats, death threats, and the harassment of angry mobs simply for expressing their opinions. This needs to stop, and while it's impossible to prevent all forms of harassment from occurring online, we can start by creating a culture that shames individuals who cross the bounds of decency.

We can start by stating the obvious: It is never appropriate to use slurs, metaphors, graphic negative imagery, or any other kind of language that plays on someone's gender, race/ethnicity, sexual orientation, or religion. Not only is such language inappropriate regardless of one's passion on a given subject, but any valid arguments that existed independently of such rhetoric should have been initially presented without it. Once a poster crosses this line, they should lose all credibility.

Similarly, it is never acceptable to dox, harass, post nude pictures, or in any other way violate someone's privacy due to disagreement with their opinions. While most people would probably agree with this in theory, far too many are willing to access and distribute this humiliating (and often illegal) content. Instead of simply viewing stories of doxing, slut-shaming, and other forms of online intimidation as an unfortunate by-product of the digital age, we should boycott all sites that publish these materials.

Microsoft takes .NET open source

Good article; here is the GitHub page.

Wednesday, November 12, 2014

NSA Oversight and Transparency

Orin Kerr has a new article that argues for narrowly constructing national security law:
This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a "rule of lenity," ambiguity in the powers granted to the executive branch in the sections of the United States Code on national security surveillance should trigger a narrow judicial interpretation in favor of the individual and against the State. A rule of lenity would push Congress to be the primary decision maker to balance privacy and security when technology changes, limiting the rulemaking power of the secret Foreign Intelligence Surveillance Court. A rule of lenity would help restore the power over national security surveillance law to where it belongs: The People.
This is certainly not a panacea. As Jack Goldsmith rightly points out, more Congressional oversight over NSA surveillance during the last decade would have gained us more NSA surveillance. But it's certainly better than having secret courts make the rules after only hearing one side of the argument.

Google reveals inner workings of manual hijacking

In Google's study, the firm gets up close and personal with hijackers that target not businesses or governments, but you personally.

Our digital identity is more important than ever. The data that can be traced back to us can include social media contacts, messages, our work details, bank accounts and purchase patterns.
So, it's no surprise when a recent poll in the US found that citizens were more concerned about online accounts being hijacked than their houses being robbed -- if you have insurance, goods can be replaced. If you lose an online account, you're at risk not only of losing the account forever -- but the heartbreak of identity theft.
One of the most common methods to take control of an account is mass hijacking. In this case, an automated process uses compromised systems to send out countless spam messages, malware, and phishing campaigns to add more hijacked accounts to the roster. In other cases, state-sponsored attacks target political institutions, universities, governments and corporations to access accounts and steal sensitive data or act as a gateway to spy on networks.
However, there is another category -- dubbed by Google "manual hijacking." What makes them different? These attacks are personal, time-consuming, and a cybercriminal is dedicated to infiltrating an individual's accounts -- often with the aim of plundering a person's bank account.
The tech giant says these account hijacks are rare -- with only nine incidents per million users per day -- but they can be devastating to the victim.
In a new study, Google decided to explore this tactic further, looking at the sources of phishing emails, websites, and how these cybercriminals operate.
In these cases, we're not talking about remote, impersonal servers, brute-force attacks or phishing campaigns sent to thousands. Instead, imagine individuals working business hours, rifling through your accounts and tempting you to hand over your credentials for seemingly legitimate purposes.
A phishing email, crafted for you, can be far more believable than a supposedly long-lost uncle in Africa or a congratulatory note telling you you've won the Spanish lottery. Password guesses and malware installation were also popular methods used to access an account, according to the firm's researchers.
In addition, tactics change frequently. As an example, Google said that once the company started asking people which city they most frequently logged in most from, hijackers "almost immediately started phishing for the answers."
Once a hacker has obtained a single credential, around 20 percent of accounts are accessed within 30 minutes. This single point of entry into your life is then barricaded against your entry by changing the details, before a search of other links begins -- such as banking and social media accounts.
The next step? The cyberattacker uses your account and credentials to send out phishing emails to those in your address book. Since many in your network are liable to trust you -- and this happened last week to me through a PR contact whose account was taken over -- they may be more susceptible to seemingly innocent links and downloads, which monetizes the effort required in manual hijacking.
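The takeover sequence just described (a login from somewhere new, then the recovery details changed within about 30 minutes to lock the owner out) is something an account-security team can watch for. The following is an added example, not Google's detection logic; the event format, the "known countries" baseline and the 30-minute window are assumptions:

```python
"""Flag the manual-hijacking pattern: login from an unfamiliar country,
followed within a short window by changes that lock the owner out.

Added example, not Google's code. Event format, baseline rule and
window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log, one event per line:
# <ISO timestamp> <account> <event> <country>
SAMPLE_EVENTS = """\
2014-11-10T08:05:00 alice login US
2014-11-10T13:20:00 alice login US
2014-11-11T02:14:00 alice login NG
2014-11-11T02:21:00 alice password_change NG
2014-11-11T02:33:00 alice recovery_email_change NG
2014-11-11T02:40:00 alice bulk_mail NG
2014-11-10T09:00:00 bob login FR
2014-11-10T09:10:00 bob recovery_phone_change FR
"""

# Events that "barricade" the account against its real owner.
LOCKOUT_EVENTS = {"password_change", "recovery_email_change",
                  "recovery_phone_change"}


def parse_events(text):
    """Parse the constructed log into (time, account, kind, country),
    sorted by time so the window logic below is order-independent."""
    events = []
    for line in text.splitlines():
        ts, account, kind, country = line.split()
        events.append((datetime.fromisoformat(ts), account, kind, country))
    events.sort()
    return events


def find_takeovers(events, window_minutes=30):
    """Return (account, login_time, country, [lockout events]) for every
    account where a login from a country never seen before for that
    account is followed, within the window, by lockout changes.

    An account's very first login establishes its baseline, and a
    new-country login with no lockout changes (e.g. the owner travelling)
    produces no alert.
    """
    window = timedelta(minutes=window_minutes)
    known = defaultdict(set)   # countries each account has logged in from
    suspects = {}              # account -> (login time, country, changes)
    for ts, account, kind, country in events:
        if kind == "login":
            if known[account] and country not in known[account]:
                suspects[account] = (ts, country, [])
            known[account].add(country)
        elif kind in LOCKOUT_EVENTS and account in suspects:
            login_ts, _, changes = suspects[account]
            if ts - login_ts <= window:
                changes.append(kind)
    return [(acct, ts, country, changes)
            for acct, (ts, country, changes) in suspects.items() if changes]


if __name__ == "__main__":
    for acct, ts, country, changes in find_takeovers(parse_events(SAMPLE_EVENTS)):
        print(f"{acct}: login from {country} at {ts.isoformat()}, "
              f"then {', '.join(changes)}")
```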
According to the paper (.PDF), many of these hijackers appear to be working out of China, the Ivory Coast, Malaysia, Nigeria and South Africa. To keep these attacks as legitimate-looking as possible, campaigns are organized by language, so French-speakers work on the French community, for example.
While we often consider ourselves too smart to fall for such lures, Google found that some malicious websites were effective 45 percent of the time, with people submitting their details 14 percent of the time -- and even the most 'obviously' fake websites still managed to fool 3 percent of us.
When cyberattacks can send out millions of messages, this figure is rather concerning.
Rare manual hijacking cases may be, but severe they certainly are -- and how are we to protect against them?
Google says the study's findings have been used to implement changes in the firm's account security settings and systems, but in the end, it is up to us to maintain our own levels of security. First of all, change your password frequently, and don't give in to easily-remembered passwords or patterns like QWERTY1, Jesus or ninja. Humans are more similar to each other than we'd like to believe, and if it's easy for us to remember, it is easy for someone to crack.
Secondary levels of verification are also useful. This does mean you have to hand over your phone number or another email address to companies like Google and PayPal, but in the end, this does give account access a second step which makes brute-force password cracking on its own less successful. In addition, if you do lose your account, you do have a way to verify your identity and potentially wrestle control back.

Verizon 'supercookies' could be a boon to advertisers, hackers

Supercookies could take a bigger bite out of your privacy than you think, say researchers. Here's what they're worried about.

It's bad enough that Verizon and AT&T have unleashed a new breed of "supercookie" that can track your every online move, even as you switch between your smartphone, tablet and TV. Far worse is the possibility of abuse by advertisers, governments and hackers, privacy experts warn.
"Any website you're going to end up on is going to get this supercookie," said Marc Maiffret, chief technology officer of cybersecurity company BeyondTrust. That opens the potential for these supercookies to be exploited by many more people than Verizon anticipated with its tracking program, he said.
Verizon, the largest mobile carrier in the US, uses information gleaned from its supercookies to understand your interests and concerns by tracking the websites you visit and links you click on. It then supplies that information to its advertisers so they can craft finely targeted advertising campaigns.
About 106 million of Verizon's consumer customers have been tracked this way for over two years by the company's Precision Market Insights program, according to a report by the Electronic Frontier Foundation published last week. AT&T tracks fewer customers, but only because the company says its program is still being tested.
Verizon and AT&T are the largest wireless carriers in the US.
"You're making it very difficult for people who want privacy to find it on the Internet," Paul Ohm, a senior policy adviser to the Federal Trade Commission and associate professor at the Colorado Law School, told The Washington Post, which reported the tracking programs last week.
Supercookies aren't called "super" for nothing. It's hard if not outright impossible to delete them. Verizon does allow customers to opt out of the tracking program: To opt out, consumers must unsubscribe from Precision Market Insights via Verizon's Wireless Web portal, its mobile app or over the phone.
"Customer privacy is a top priority. We never, ever share customer information with third-parties," said Verizon Wireless representative Adria Tomaszewski.
Verizon also changes its supercookie once a week, at the least. That's frequently enough to prevent third parties from exploiting Verizon's supercookie to their advantage, Tomaszewski said.
AT&T's supercookie is similar, although the company changes its supercookie every 24 hours and doesn't attach it after a customer deactivates it, the company told CNET News.
Cryptography researcher Kenneth White said his research indicates those supercookies never really go away.
And that's the problem, added Jacob Hoffman-Andrews, a senior technologist at the Electronic Frontier Foundation. "Your identity can be [rebuilt] from the cookies," he said.
T-Mobile said it has no plans to use supercookies. Sprint didn't return a request for comment.

Adobe Patches 18 Vulnerabilities in Flash


Adobe pushed out security updates for Flash Player this afternoon, addressing 18 different vulnerabilities, all critical, that could allow an attacker to take control of an affected system running the multimedia platform according to a security bulletin posted today.

The Patch Tuesday updates, available for Windows, Macintosh, and Linux machines, remedy vulnerabilities in several builds of Flash Player and AIR, Adobe’s run-time system.
The lion’s share of the vulnerabilities – 15 of the 18 – are use-after-free, double free, memory corruption, type confusion and buffer overflow vulnerabilities that could lead to code execution if left unpatched. Other vulnerabilities patched include issues that could cause session tokens to be disclosed, and cause privilege escalation.
Researchers with Google Project Zero, the Chromium Rewards Project, Microsoft, and several other firms dug up the vulnerabilities.
Adobe is urging users running older versions of Flash Player (15.0.0.189 and earlier, 13.0.0.250 and earlier 13.x versions, 11.2.202.411 and earlier for Linux) and older versions of AIR (15.0.0.293 and earlier, SDK 15.0.0.302 and earlier, SDK & Compiler 15.0.0.302 and earlier, 15.0.0.293 and earlier for Android) to update as soon as possible.
In October, one week after Adobe pushed its last handful of patches for Flash, attackers began bundling one of the fixed vulnerabilities (CVE-2014-0569) into the Fiesta exploit kit. Independent malware researcher Kafeine wrote at the time that it was a “really fast integration” into an exploit kit and that whoever coded it must have reversed the patch in two days. It remains to be seen whether any of the 18 vulnerabilities that were fixed today are either currently being exploited in the wild or if they’ll eventually be incorporated into a future exploit kit.
Source: http://threatpost.com/adobe-patches-18-vulnerabilities-in-flash/109300

Hijacking The Secret Sauce: Intellectual Property

I’m always amazed when an employee steals intellectual property (IP) from their company, only to take it with them as they head out the door for a new job. I wonder what thought process they go through. I’m sure you may know a story or two about people who helped themselves. At one company that I was working for years back, I had set up SNMP (simple network management protocol) monitoring of the printers in the company. In turn, that data was fed back into the centralized logging solution. One Friday afternoon I noticed a series of print jobs from a person who I knew had given their notice two weeks previous. I read the names on the print jobs and I could not stop laughing. He was printing out internal documentation that was not meant to be distributed, let alone taken to his next job.
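The monitoring the author describes (printer SNMP data fed into central logging) can be turned into a standing check rather than a lucky Friday-afternoon glance. This is an added example, not the author's tooling: it assumes a constructed per-job log format, a list of employees who have given notice with the date they did so, a page-count threshold and a list of words that mark internal documents, all of which are assumptions.

```python
"""Flag printing by employees who have given notice.

Added example, not the original author's tooling. Assumes the printer
poller writes one record per job in the constructed format below; the
field names, watchlist, threshold and keyword list are all assumptions.
"""
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed log lines in an assumed format:
# <ISO timestamp> printer=<name> user=<login> pages=<n> job="<title>"
SAMPLE_LOG = """\
2014-11-14T09:02:11 printer=hr-mfp-2 user=alice pages=3 job="expense report"
2014-11-14T15:41:02 printer=eng-mfp-1 user=frank pages=212 job="Internal Architecture Guide"
2014-11-14T15:49:37 printer=eng-mfp-1 user=frank pages=180 job="Customer Integration Runbook"
2014-11-14T16:03:54 printer=eng-mfp-1 user=frank pages=240 job="Release Procedures - CONFIDENTIAL"
2014-11-14T16:10:20 printer=eng-mfp-1 user=bob pages=2 job="meeting agenda"
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) printer=(?P<printer>\S+) user=(?P<user>\S+) '
    r'pages=(?P<pages>\d+) job="(?P<job>[^"]*)"$'
)

# Employees who have given notice, keyed by login, with the date notice
# was given (constructed). Jobs from that date on are in scope.
NOTICE_GIVEN = {"frank": date(2014, 10, 31)}

# A single day's page count above this is unusual for one person.
DAILY_PAGE_THRESHOLD = 100
# Title words that mark documents not meant to leave the building.
SENSITIVE_WORDS = ("confidential", "internal", "runbook")


def parse_log(text):
    """Parse the poller's log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["pages"] = int(rec["pages"])
        records.append(rec)
    return records


def find_alerts(records, notice_given=NOTICE_GIVEN,
                threshold=DAILY_PAGE_THRESHOLD):
    """Return alerts for departing employees' printing.

    Two signals: (1) a job whose title contains a sensitive word, and
    (2) a day's total page count above the threshold. Alerts are
    (kind, user, detail) tuples, sorted for deterministic output.
    """
    alerts = []
    pages_per_day = defaultdict(int)
    for rec in records:
        user = rec["user"]
        if user not in notice_given:
            continue
        day = rec["ts"].date()
        if day < notice_given[user]:
            continue  # printed before notice was given: out of scope
        pages_per_day[(user, day)] += rec["pages"]
        title = rec["job"].lower()
        if any(w in title for w in SENSITIVE_WORDS):
            alerts.append(("sensitive_title", user, rec["job"]))
    for (user, day), pages in pages_per_day.items():
        if pages > threshold:
            alerts.append(("volume", user, f"{pages} pages on {day.isoformat()}"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, user, detail in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{kind:16} {user:8} {detail}")
```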
I picked up my coffee and stifled a smile. I decided to stroll by his desk. I walked by his, let’s call him Frank, desk. I took a sip and said, “Hey Frank. Just packing up?” He looked at me visibly unnerved. “Yup, last day you know.” I took another sip and answered back, “Oh right. Well, best of luck at the new gig.” I winked and walked away.
I positioned myself in a meeting room down the hall and around the corner. I was in a spot where I could see people leaving the building, but I was not readily visible unless someone looked back as they exited. I set up access to the CCTV on my screen and I waited. Thankfully, I didn’t have to wait long at all. Here he came along the hallway with three massive binders full of printouts. I just shook my head. Did “Frank” really think he was pulling one over on people? I was absolutely confused as to his logic.
I picked up the phone and called “Frank’s” boss. After I let him know what was transpiring, he quickly slipped down the stairs and was sitting at the front door before the elevator made it to the lobby. They’re slow as molasses in January, but sometimes you really have to love hydraulic elevators.
Needless to say “Frank” was met in the lobby and he surrendered his binders claiming he wasn’t doing anything wrong. He also returned the other large binders that were in the trunk of his car.
This is a type of behaviour that seems to happen a lot. An example that I can point to from another former job is from this article on Ars Technica.
AMD filed a complaint yesterday alleging that four of its former employees—one former vice-president and three former managers—transferred sensitive AMD documents before joining competing graphics chip maker Nvidia and then violated a “no-solicitation of employees” promise. The company alleges that Robert Feldstein, Manoo Desai, and Nicolas Kociuk collectively downloaded over 100,000 files onto external hard drives in the six months before leaving the company. All three and another manager, Richard Hagen, were accused of recruiting AMD employees after leaving for Nvidia.
Since this is already in the public domain I will merely nod my head. I wish I could comment at length on this one, but I can merely say that operations security, or OPSEC, was not high on their list of priorities.
Another example is the recent case of Dr. Franklin R. Cockerill III who was the president/CEO of Mayo Medical Labs. He was alleged to have been siphoning trade secrets for months prior to moving to a competitor.

Data Breach in U.S. Postal Service

The Federal Bureau of Investigation is leading an investigation into a data breach at the U.S. Postal Service, which affected employees and customers.
In a Nov. 10 statement, which provides few details, USPS says it recently learned of a "cybersecurity intrusion" into some of its information systems. All operations are now functioning normally, according to the statement.
More than 800,000 employees were impacted in the breach, says David Partenheimer, spokesperson for the USPS. Employee information potentially compromised includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information.
Customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1 and Aug. 16 were also potentially affected, although USPS is still investigating the exact number of individuals impacted, Partenheimer says. Potentially compromised customer details include names, addresses, telephone numbers and e-mail addresses.

CNN, citing a U.S. official familiar with the breach, says 2.9 million postal service customers were affected by the breach.
Transactional systems in post offices, as well as on usps.com, where customers pay for services with credit and debit cards, have not been affected by the breach, USPS says. There is also no evidence that any customer credit card information from retail or online purchases, such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised, officials say.


China Involved?

Some news reports are indicating China may be behind the attacks, but Partenheimer says he cannot confirm that because "the source of the intrusion is under investigation."
But security consultant Richard Stiennon, author of Surviving Cyberwar, doesn't suspect China is behind the USPS breach. "They are still in the espionage and reconnaissance phase of their cyber-evolution," he says. "On the other hand ... one has to question the timing of the notification considering that President [Obama] arrived in China today."
Karl Rauscher, ambassador-at-large and chief architect for cyberspace policy at the Institute of Electrical and Electronics Engineers, says that cyber-attacks, like the one that targeted USPS, are becoming more sophisticated, "and even those best capable of reacting to them are overwhelmed. Cybersecurity today is typically practiced in a reactive posture to an ever growing number of threats."

No Evidence of Fraud

The USPS says it's not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in malicious activity.
But Dan Waddell, director of government affairs at (ISC)2, a global information security training and certification organization, warns that the incident, which involved the theft of e-mail addresses, could lead to targeted spear-phishing attacks. "USPS employees should be on the lookout for any suspicious e-mail that would serve as a mechanism to extract additional information, such as intellectual property, credit card information and other types of sensitive data," he says.
Impacted individuals are being offered one year of free identity theft protection services, Partenheimer says.
In addition to the FBI, the USPS is working on the investigation with the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. Private-sector specialists have also been brought in to assist in the investigation and remediation.
"We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be offline," Partenheimer says. "We know this caused inconvenience to some of our customers and partners, and we apologize for any disruption."

Technical Hack of Ballots via Wireless Routers

Good paper, and a layman's explanation.
It gives hackers the potential to seriously disrupt our democratic processes. It is really scary, and it could mean that democracy no longer exists.

Darkhotel: Attacks Using Luxury Hotel Networks

Kaspersky Lab is reporting, in a detailed report and a separate technical analysis, on a sophisticated hacker group that is targeting specific individuals around the world. "Darkhotel" is the name the group and its techniques have been given.
This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.
Good article. This seems pretty obviously a nation-state attack. It's anyone's guess which country is behind it, though.
Targets in the spear-phishing attacks include high-profile executives -- among them a media executive from Asia -- as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. "All nuclear nations in Asia," Raiu notes. "Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments." Recently there has been a spike in the attacks against the U.S. defense industry.
We usually infer the attackers from the target list. This one isn't that helpful. Pakistan? China? South Korea?

Incident Management: Is It 10X?

Security is a combination of protection, detection, and response. It's taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of detection products and services.
This decade is one of response. Over the past few years, we've started seeing incident response (IR) products and services. Security teams are incorporating them into their arsenal because of three trends in computing. One, we've lost control of our computing environment. More of our data is held in the cloud by other companies, and more of our actual networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures.
Two, attacks are getting more sophisticated. The rise of APT (advanced persistent threat)--attacks that specifically target for reasons other than simple financial theft--brings with it a new sort of attacker, which requires a new threat model. Also, as hacking becomes a more integral part of geopolitics, unrelated networks are increasingly collateral damage in nation-state fights.
And three, companies continue to under-invest in protection and detection, both of which are imperfect even under the best of circumstances, obliging response to pick up the slack.
Way back in the 1990s, they used to say that "security is a process, not a product." That was a strategic statement about the fallacy of thinking you could ever be done with security; you need to continually reassess your security posture in the face of an ever-changing threat landscape.
At a tactical level, security is both a product and a process. Really, it's a combination of people, process, and technology. What changes are the ratios. Protection systems are almost all technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.
Lorrie Faith Cranor once wrote, "Whenever possible, secure system designers should find ways of keeping humans out of the loop." That's sage advice, but you can't automate IR. Everyone's network is different. All attacks are different. Everyone's security environments are different. The regulatory environments are different. All organizations are different, and political and economic considerations are often more important than technical considerations. IR needs people, because successful IR requires thinking.
This is new for the security industry, and it means that response products and services will look different. For most of its life, the security industry has been plagued with the problems of a lemons market. That's a term from economics that refers to a market where buyers can't tell the difference between good products and bad. In these markets, mediocre products drive good ones out of the market; price is the driver, because there's no good way to test for quality. It's been true in anti-virus, it's been true in firewalls, it's been true in IDSs, and it's been true elsewhere. But because IR is people-focused in ways protection and detection are not, it won't be true here. Better products will do better because buyers will quickly be able to determine that they're better.
The key to successful IR is found in Cranor's next sentence: "However, there are some tasks for which feasible, or cost effective, alternatives to humans are not available. In these cases, system designers should engineer their systems to support the humans in the loop, and maximize their chances of performing their security-critical functions successfully." What we need is technology that aids people, not technology that supplants them.
The best way I've found to think about this is OODA loops. OODA stands for "observe, orient, decide, act," and it's a way of thinking about real-time adversarial situations developed by US Air Force military strategist John Boyd. He was thinking about fighter jets, but the general idea has been applied to everything from contract negotiations to boxing--and computer and network IR.
Speed is essential. People in these situations are constantly going through OODA loops in their head. And if you can do yours faster than the other guy--if you can "get inside his OODA loop"--then you have an enormous advantage.
We need tools to facilitate all of these steps:


  • Observe, which means knowing what's happening on our networks in real time. This includes real-time threat detection information from IDSs, log monitoring and analysis data, network and system performance data, standard network management data, and even physical security information--and then knowing which tools to use to synthesize and present it in useful formats. Incidents aren't standardized; they're all different. The more an IR team can observe what's happening on the network, the more they can understand the attack. This means that an IR team needs to be able to operate across the entire organization.

  • Orient, which means understanding what it means in context, both in the context of the organization and the context of the greater Internet community. It's not enough to know about the attack; IR teams need to know what it means. Is there a new malware being used by cybercriminals? Is the organization rolling out a new software package or planning layoffs? Has the organization seen attacks from this particular IP address before? Has the network been opened to a new strategic partner? Answering these questions means tying data from the network to information from the news, network intelligence feeds, and other information from the organization. What's going on in an organization often matters more in IR than the attack's technical details.

  • Decide, which means figuring out what to do at that moment. This is actually difficult because it involves knowing who has the authority to decide and giving them the information to decide quickly. IR decisions often involve executive input, so it's important to be able to get those people the information they need quickly and efficiently. All decisions need to be defensible after the fact and documented. Both the regulatory and litigation environments have gotten very complex, and decisions need to be made with defensibility in mind.

  • Act, which means being able to make changes quickly and effectively on our networks. IR teams need access to the organization's network--all of the organization's network. Again, incidents differ, and it's impossible to know in advance what sort of access an IR team will need. But ultimately, they need broad access; security will come from audit rather than access control. And they need to train repeatedly, because nothing improves someone's ability to act more than practice.
Pulling all of these tools together under a unified framework will make IR work. And making IR work is the ultimate key to making security work. The goal here is to bring people, process, and technology together in a way we haven't seen before in network security. It's something we need to do to continue to defend against the threats.
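The four steps above, as an added example that is not code from the essay or from any IR product: a small Python triage pass that observes constructed IDS and sshd log lines, orients them against constructed organizational context (an IP tied to a prior incident, a newly onboarded partner network, a crown-jewel host), decides with a recorded rationale and a named approver, and acts by writing every action to an audit trail. All IP addresses, signature names, host names, user names and context values are constructed for illustration.

```python
"""OODA-style incident triage over constructed IDS and sshd log lines. Added example, not
code from the essay or any IR product; every log line, IP, signature, host and context value is constructed."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed inputs: a Snort-style alert feed and an sshd auth log.
IDS_ALERTS = [
    "2014-11-10T09:01:12Z snort [sig:c2-beacon] Possible C2 beacon src=203.0.113.7 dst=10.0.5.14",
    "2014-11-10T09:05:02Z snort [sig:mssql-scan] Inbound MSSQL probe src=198.51.100.9 dst=10.0.5.14",
]
AUTH_LOG = [
    "2014-11-10T09:02:05Z sshd[4410]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "2014-11-10T09:02:09Z sshd[4410]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "2014-11-10T09:02:31Z sshd[4412]: Accepted password for svc_backup from 203.0.113.7 port 51030 ssh2",
    "2014-11-10T09:04:11Z sshd[4420]: Accepted publickey for deploy from 192.0.2.44 port 40011 ssh2",
]
# Constructed organisational context: what the packets alone cannot tell you.
CONTEXT = {
    "prior_incident_ips": {"203.0.113.7"},             # tied to an earlier incident
    "partner_networks": [ip_network("192.0.2.0/24")],  # strategic partner onboarded last week
    "crown_jewels": {"10.0.5.14"},                     # finance database host
}
IDS_RE = re.compile(r"^\S+ snort \[(?P<sig>[^\]]+)\] .*? src=(?P<src>\S+) dst=(?P<dst>\S+)$")
AUTH_RE = re.compile(r"^\S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)")

@dataclass
class Observation:
    src: str
    ids_hits: list = field(default_factory=list)   # (signature, destination host)
    failed_logins: int = 0
    accepted_users: list = field(default_factory=list)

Decision = namedtuple("Decision", "src severity approver reasons actions")

def observe(ids_lines, auth_lines):
    """Observe: fold heterogeneous sources into one view per source IP."""
    obs = {}
    for m in filter(None, map(IDS_RE.match, ids_lines)):
        obs.setdefault(m["src"], Observation(m["src"])).ids_hits.append((m["sig"], m["dst"]))
    for m in filter(None, map(AUTH_RE.match, auth_lines)):
        o = obs.setdefault(m["src"], Observation(m["src"]))
        if m["result"] == "Failed":
            o.failed_logins += 1
        else:
            o.accepted_users.append(m["user"])
    return obs

def orient(o, ctx):
    """Orient: attach what the organisation knows to the raw observation."""
    ip = ip_address(o.src)
    return {
        "seen_before": o.src in ctx["prior_incident_ips"],
        "is_partner": any(ip in net for net in ctx["partner_networks"]),
        "crown_hosts": sorted({dst for _, dst in o.ids_hits if dst in ctx["crown_jewels"]}),
        "success_after_failures": o.failed_logins > 0 and bool(o.accepted_users),
    }

def decide(o, facts):
    """Decide: score, set severity and approver, and keep the rationale so the call is defensible later."""
    rules = [
        (facts["success_after_failures"], 3, "login succeeded after failed attempts from the same source"),
        (bool(o.ids_hits), 2, f"{len(o.ids_hits)} IDS alert(s)"),
        (facts["seen_before"], 2, "source IP tied to a prior incident"),
        (bool(facts["crown_hosts"]), 2, "reached crown-jewel host(s): " + ", ".join(facts["crown_hosts"])),
        (facts["is_partner"], -3, "source is in a partner network; confirm with the partner before blocking"),
    ]
    score = sum(points for hit, points, _ in rules if hit)
    reasons = [why for hit, _, why in rules if hit]
    severity = "high" if score >= 5 else "medium" if score >= 2 else "low"
    actions, approver = [], "SOC lead"
    if severity == "high":
        actions.append(f"block {o.src} at the perimeter")
        actions += [f"revoke sessions and reset credentials for {u}" for u in o.accepted_users]
        actions += [f"isolate {h}" for h in facts["crown_hosts"]]
        if facts["crown_hosts"]:
            approver = "CISO"            # taking a crown-jewel host offline needs executive sign-off
        if facts["is_partner"]:
            approver = "business owner"  # blocking a partner is a business call, not a SOC one
    elif severity == "medium":
        actions.append(f"add {o.src} to the 24h watchlist and open a ticket")
    return Decision(o.src, severity, approver, reasons, actions)

def triage(ids_lines, auth_lines, ctx):
    """One OODA pass: decisions keyed by source IP, plus an audit trail of every action taken."""
    decisions, audit = {}, []
    for src, o in observe(ids_lines, auth_lines).items():
        d = decisions[src] = decide(o, orient(o, ctx))
        # Act: carry out (here, record) each action; every step lands in the audit trail.
        audit += [f"{src} {d.severity} approver={d.approver} action={a}" for a in d.actions]
    return decisions, audit

if __name__ == "__main__":
    for d in triage(IDS_ALERTS, AUTH_LOG, CONTEXT)[0].values():
        print(d.src, d.severity, d.approver, "|", "; ".join(d.reasons), "|", "; ".join(d.actions))
```

Two design points follow the essay rather than the data: the orient step is what turns a noisy scan against the finance host into "medium" and a partner-network login into "low", and the decide step records who must approve and why, so the record survives the regulatory or litigation review the essay warns about. The audit list is the "security from audit rather than access control" idea in miniature: the team keeps broad reach, and every action it takes is written down.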