Via Schneier on Security: Metadata = Surveillance:
What’s missing from much of the discussion about the NSA’s activities is what they’re doing with all of this surveillance data. The newspapers focus on what’s being collected, not on how it’s being analyzed — with the singular exception of the Washington Post story on cell phone location collection. By their nature, cell phones are tracking devices. For a network to connect calls, it needs to know which cell the phone is located in. In an urban area, this narrows a phone’s location to a few blocks. GPS data, transmitted across the network by far too many apps, locates a phone even more precisely. Collecting this data in bulk, which is what the NSA does, effectively puts everyone under physical surveillance.
This is new. Police could always tail a suspect, but now they can tail everyone – suspect or not. And once they’re able to do that, they can perform analyses that weren’t otherwise possible. The Washington Post reported two examples. One, you can look for pairs of phones that move toward each other, turn off for an hour or so, and then turn themselves back on while moving away from each other. In other words, you can look for secret meetings. Two, you can locate specific phones of interest and then look for other phones that move geographically in synch with those phones. In other words, you can look for someone physically tailing someone else. I’m sure there are dozens of other clever analyses you can perform with a database like this. We need more researchers thinking about the possibilities. I can assure you that the world’s intelligence agencies are conducting this research.
When the government patiently reassures you that the data they are collecting is completely worthless and uninteresting, we should become very interested in finding out why they want it and what they are doing with it.
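The two analyses the Post described are mechanical enough to sketch in code. The block below is an added example, not code from Schneier’s post or from the Post’s reporting: it runs both analyses over a constructed set of cell-location fixes (phone, minute, x, y on a flat grid of roughly one block per unit), where a switched-off phone simply stops producing fixes. The phone names, the grid, the thresholds and the “dark for more than an hour” rule are all assumptions.

```python
"""Two analyses over bulk cell-location data, added as an example (not from
Schneier's post or the Post's reporting). Each fix is (phone, minute, x, y)
on a flat grid where one unit is roughly a city block; a phone that is
switched off simply produces no fixes for that span. All data is constructed."""
import math
from collections import defaultdict
from itertools import combinations

# Constructed sample: A and B walk toward each other, both go dark for 90
# minutes, then reappear walking apart. T shadows A at a one-block offset and
# stays on the network throughout. C is unrelated and far away.
FIXES = [
    ("A", 0, 0, 0), ("A", 10, 2, 0), ("A", 20, 4, 0),
    ("A", 110, 3, 0), ("A", 120, 1, 0), ("A", 130, -1, 0),
    ("B", 0, 10, 0), ("B", 10, 8, 0), ("B", 20, 6, 0),
    ("B", 110, 7, 0), ("B", 120, 9, 0), ("B", 130, 11, 0),
    ("T", 0, -1, 1), ("T", 10, 1, 1), ("T", 20, 3, 1), ("T", 50, 3, 1),
    ("T", 80, 3, 1), ("T", 110, 2, 1), ("T", 120, 0, 1), ("T", 130, -2, 1),
    ("C", 0, 50, 50), ("C", 10, 50, 51), ("C", 20, 50, 52), ("C", 50, 51, 52),
    ("C", 80, 51, 53), ("C", 110, 52, 53), ("C", 120, 53, 53), ("C", 130, 53, 54),
]


def by_phone(fixes):
    """Group fixes per phone as time-sorted (minute, x, y) tuples."""
    tracks = defaultdict(list)
    for phone, t, x, y in fixes:
        tracks[phone].append((t, x, y))
    for track in tracks.values():
        track.sort()
    return dict(tracks)


def dist(a, b):
    return math.hypot(a[1] - b[1], a[2] - b[2])


def dark_spans(track, min_gap):
    """Indices i where the phone produced no fix for more than min_gap minutes
    between track[i] and track[i + 1] (switched off, or out of coverage)."""
    return [i for i in range(len(track) - 1)
            if track[i + 1][0] - track[i][0] > min_gap]


def find_secret_meetings(tracks, min_gap=60, meet_radius=3.0):
    """Pairs that converged, went dark together for at least min_gap minutes,
    then diverged. Returns (phone, phone, dark_from, dark_until) tuples."""
    hits = []
    for p, q in combinations(sorted(tracks), 2):
        tp, tq = tracks[p], tracks[q]
        for i in dark_spans(tp, min_gap):
            for j in dark_spans(tq, min_gap):
                off = max(tp[i][0], tq[j][0])
                on = min(tp[i + 1][0], tq[j + 1][0])
                if on - off < min_gap:
                    continue  # the two silences do not overlap long enough
                if i < 1 or j < 1 or i + 2 >= len(tp) or j + 2 >= len(tq):
                    continue  # need two fixes on each side to judge direction
                approaching = dist(tp[i], tq[j]) < dist(tp[i - 1], tq[j - 1])
                close = dist(tp[i], tq[j]) <= meet_radius
                departing = dist(tp[i + 2], tq[j + 2]) > dist(tp[i + 1], tq[j + 1])
                if approaching and close and departing:
                    hits.append((p, q, off, on))
    return hits


def find_tails(tracks, target, max_dist=3.0, min_shared=4, min_fraction=0.8):
    """Phones that were within max_dist of the target at nearly every shared
    timestamp while the target was actually moving."""
    target_track = tracks[target]
    if all(dist(f, target_track[0]) == 0 for f in target_track):
        return []  # a phone that never moved cannot be followed
    at = {t: (t, x, y) for t, x, y in target_track}
    tails = []
    for phone, track in tracks.items():
        if phone == target:
            continue
        shared = [f for f in track if f[0] in at]
        if len(shared) < min_shared:
            continue
        near = sum(1 for f in shared if dist(f, at[f[0]]) <= max_dist)
        if near / len(shared) >= min_fraction:
            tails.append(phone)
    return tails


if __name__ == "__main__":
    tracks = by_phone(FIXES)
    print("possible secret meetings:", find_secret_meetings(tracks))
    for phone in sorted(tracks):
        print(f"phones shadowing {phone}:", find_tails(tracks, phone))
```

Both rules are deliberately crude: the tail detector will also flag two phones in the same pocket, and the meeting detector needs two fixes on each side of the dark period, so it says nothing about a phone that goes dark at the edge of the data. The point is how little it takes to turn raw location records into a list of people to look at, which is exactly why bulk collection of this data is not “worthless”.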
One more benefit of doing business in the cloud: inexpensive upgrades.
When Google introduced Drive two years ago, it offered 5GB for free, 25GB for $2.49 per month, 100GB for $4.99 per month, and 1TB for $49.99 per month. Google boosted the free tier to 15GB last year, and now users can rent much more than a terabyte. 10TB costs $99.99 per month, 20TB costs $199.99 per month, and 30TB costs $299.99 per month.
via Google Drive slashes storage prices, costs way less than Dropbox | Ars Technica.
iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you’re wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. iPhoneDevSDK is, though, now working with Facebook’s security team in order to share information about what happened.
Also, this is a great reminder to log and monitor (or run a SIEM). An admin’s account was compromised, and then the website was modified to attack its visitors.
File-integrity monitoring such as Tripwire would have caught the changes to the site, and login auditing would have caught the attacker’s actions under the compromised admin account.
via Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped | Ars Technica.
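What a Tripwire-style check actually does is compare a known-good baseline of file hashes and permissions against the current tree. The block below is an added example, not code from the Ars article, iPhoneDevSDK or Tripwire: it baselines a small constructed web root in a temporary directory, then replays the kind of edits a booby-trapped site shows (a script dropped in, a page edited to load it, a file removed) and reports what changed. The file names and contents are assumptions.

```python
"""Tripwire-style file-integrity check, added as an example (not the Ars
article's, iPhoneDevSDK's or Tripwire's code). A baseline of content hashes and
mode bits is recorded while the site is known-good; later snapshots are diffed
against it. The web root below is constructed in a temporary directory."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """What the baseline remembers about one file: SHA-256, mode bits, size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "size": st.st_size}


def snapshot(root):
    """Relative path -> record for every regular file under root (symlinks skipped)."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def diff_snapshots(baseline, current):
    """Added, removed and changed paths; a mode change counts as a change too."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small web root, then replay the kind of
    edits a booby-trapped site shows and report what changed."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    _write(webroot, "index.php", "<?php include 'lib/page.php'; ?>\n")
    _write(webroot, "lib/page.php", "<?php echo 'hello'; ?>\n")
    _write(webroot, "README", "forum software\n")

    # Keep the baseline outside the tree it describes, and ideally off-host:
    # an attacker holding the admin account can rewrite any baseline they can reach.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim-"), "baseline.json")
    with open(baseline_path, "w") as f:
        json.dump(snapshot(webroot), f)

    # The "attack": a loader script appears, the front page is edited to pull
    # it in, and a file goes missing.
    _write(webroot, "index.php",
           "<?php include 'lib/page.php'; ?>\n<script src=\"/js/x.js\"></script>\n")
    _write(webroot, "js/x.js", "/* constructed placeholder for a drive-by loader */\n")
    os.remove(os.path.join(webroot, "README"))

    with open(baseline_path) as f:
        baseline = json.load(f)
    return diff_snapshots(baseline, snapshot(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `snapshot()` from cron against the real document root and page someone when `diff_snapshots()` returns anything non-empty. The baseline has to live somewhere the web server’s and the admin’s credentials cannot write (Tripwire signs its database for the same reason); a baseline sitting next to the site is just one more file for the attacker to update.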
This is why you employ defense-in-depth and full network monitoring, even if you don’t care what websites your employees visit at work.
But while the company was informed by AT&T of suspicious activity over its network connection on October 25—the day the Wen story was published—the attack had begun weeks earlier and appears to have been focused on getting into the e-mail accounts of Times Shanghai Bureau Chief David Barboza and South Asia Bureau Chief Jim Yardley. The attack used 45 different pieces of custom malware code, including remote access tools that gave Chinese hackers the run of the Times’ network.
The attackers used a botnet of computers compromised at US universities to obscure the source of the attack. They then infected computers at the Times with malware, most likely through e-mail “spear phishing” attacks, and used the malware to install remote access tools on at least three target systems that allowed them to gather more information from the network—finally finding the Windows network domain controller and grabbing its user directory and password tables. The hackers then used the cracked passwords to access other systems and created a custom program built to infiltrate the Times’ mail server to search all the e-mails and documents sent to Barboza’s and Yardley’s accounts—apparently searching for the names of people who may have spoken to Barboza as he reported on the Wen family.
via Chinese hackers attacked New York Times computers for four months | Ars Technica.
Bad news for RoR sites… it’ll probably be years before they’re all upgraded and patched.
Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.
The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including Github, Hulu, and Basecamp, underscoring the seriousness of the threat.
via Extremely critical Ruby on Rails bug threatens more than 200,000 sites | Ars Technica.
These are pretty dismal statistics…
Ponemon Institute and security firm ID Experts … surveyed 80 health care organizations and found that 94 percent had experienced a data-loss incident in the past two years. Another 45 percent sustained more than five breaches during that period.
via Nine out of 10 hospitals lost personal data in last two years – SC Magazine.
All the requirements in the world won’t make a difference if the organizations do not allocate the resources to ensure compliance, and if the employees continue to fail to comply.
It’s interesting to see how extensive our police-state surveillance is:
While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.
The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.
via Surveillance and Security Lessons From the Petraeus Scandal.
A low-tech variation on the “watch Facebook for announcements of when people will be away from home” scheme:
The scheme is simple enough: you open the newspaper or look online at the obituaries, and it’s a roadmap for criminals as to where you’ll be and when you’ll be there — a funeral home for the visitation, a cemetery for the burial.
via Burglary via obituary a growing problem in Utah | ksl.com.
Every company can afford – and must afford – some security monitoring.
Even three years ago, small businesses shied away from security monitoring as too complex and too difficult to deploy, with a 2009 article calling such systems “not for the faint of heart.”
Now, log-management services in the cloud, easier-to-use managed security services, and simpler security information and event management (SIEM) solutions have made security monitoring possible for all but the smallest firms. For such businesses, gathering intelligence on security events can be an offshoot of network monitoring or the other way around, but each can give companies better visibility into what is going on with their information systems, says Nicole Pauls, director of product management for SolarWinds, an information-technology provider.
via Security Monitoring On A Budget: Security Knowhow Needed – Dark Reading.
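Security monitoring on a budget can start with a few correlation rules over the logs you already have. The block below is an added example, not code from the Dark Reading article or SolarWinds, and it also stands in for the login auditing mentioned in the iPhoneDevSDK post above: it parses constructed sshd lines, counts failures per source within a window, flags a success that follows a burst of failures, and flags a user logging in from a source address never approved for them. The log lines, the year (syslog lines carry none), the threshold and the known-source list are assumptions.

```python
"""Three login-audit rules over syslog-style sshd lines, added as an example
(not from the Dark Reading article or SolarWinds). The log lines, the year,
the threshold and the list of approved source addresses are all constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2013  # assumed: syslog timestamps have no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Constructed sample: a password-guessing burst against "admin" that succeeds,
# a routine deploy login, an admin login from an unknown address, and one
# unrelated cron line to show the parser skipping what it does not understand.
LOG = """\
Feb 20 03:14:01 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 51111 ssh2
Feb 20 03:14:08 web1 sshd[2012]: Failed password for admin from 203.0.113.7 port 51113 ssh2
Feb 20 03:14:15 web1 sshd[2013]: Failed password for admin from 203.0.113.7 port 51115 ssh2
Feb 20 03:14:22 web1 sshd[2014]: Failed password for admin from 203.0.113.7 port 51117 ssh2
Feb 20 03:14:29 web1 sshd[2015]: Failed password for admin from 203.0.113.7 port 51119 ssh2
Feb 20 03:14:41 web1 sshd[2016]: Accepted password for admin from 203.0.113.7 port 51121 ssh2
Feb 20 09:00:12 web1 sshd[3001]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Feb 20 22:47:55 web1 sshd[4120]: Accepted password for admin from 198.51.100.4 port 60010 ssh2
Feb 20 22:48:03 web1 cron[4130]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed: addresses each account is expected to log in from (an allow-list a
# human maintains; the detector never learns new ones by itself).
KNOWN_SOURCES = {"admin": {"192.0.2.10"}, "deploy": {"192.0.2.10"}}


def parse(line):
    """One sshd auth line -> dict, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ev


def detect(lines, known_sources, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as tuples, in the order the triggering lines were seen."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, lines)):
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # slide the window forward
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once per burst, not per line
                alerts.append(("brute_force", ev["ip"], len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ev["user"], ev["ip"]))
            if ev["ip"] not in known_sources.get(ev["user"], set()):
                alerts.append(("new_source", ev["user"], ev["ip"]))
    return alerts


def run_demo():
    return detect(LOG.splitlines(), KNOWN_SOURCES)


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The second and third rules are the ones that matter for the iPhoneDevSDK case: a brute-force burst on its own is background noise on any Internet-facing host, but a success that follows one, or an admin login from an address nobody approved, is worth a phone call. The same rules port directly to a web application’s own login log once it records user, source address and outcome, which is the minimum any admin interface should be writing down.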