Monthly Archives: July 2013

3 ways to fail in the cloud

You have to take the good with the bad, and a number of enterprises out there are finding the move to the cloud requires slightly more brain cells than they possess. This means epic fails, all of which could have been avoided.

Here are the top three ways to fail with cloud computing.

Reason 1: No security, governance, and compliance planning
Remember those guys who pushed back on cloud computing due to issues with security and compliance? Well, those are the same guys who forget to plan for security, governance, and compliance when moving to the cloud. The result is a cloud-based system that won’t provide the proper services to the user and, most important, won’t pass an audit.

There is good news. A recent survey in Security Week revealed that many small and midsize firms improved their security once they moved data and applications to the cloud. However, you have to do some planning — and make sure to use the right technology.

Reason 2: Selecting the wrong cloud technology or provider
Amazon Web Services is not always the right solution. Other clouds exist, as do other models, such as private, hybrid, and multicloud. It’s the job of the IT staff moving applications to the cloud to pick the right technology and platform for the job.

The ability to understand requirements before selecting applications, cloud technologies, or public cloud providers is a migration requirement unto itself. This process is no different than for other migration projects or for any system development projects. You’re just deploying on cloud-based platforms.

Reason 3: Selecting the wrong application or data
On the first try, the applications selected to migrate to the cloud are often the wrong applications (or databases). I look at applications and databases as tiers, with the first tier being the mission-critical systems, the second tier being those systems that can be down for a day without much disruption to the business, and the third tier being the systems that are only occasionally used.

Try to work at Tier 2 or 3 for your initial application or data migration project. That way, if you run into any issues — such as performance, security, or integration — you’ll be able to recover. If you move a mission-critical application to the cloud and fail to deliver on the service, it will be a long time before you’re allowed to use cloud-based platforms again — if you’re even given a second chance.

Via: infoworld

Check your tweets with Safe Twiit

There are lots of things you can do to keep your Twitter account safe: use a strong password, be skeptical of everything and keep your system and security software updated at all times.

But how can you tell if your Twitter links are cool to click on?

The new Safe Twiit app for Twitter will check your last 30 tweets in your timeline, profile and mentions and let you know if they’re safe.

If they’re not you can block the source of the bad tweets fast.

Check out this beta.

Via: f-secure

Equal-opportunity malware targets Macs and Windows
Janicab ushers in cross-platform era as OS X becomes more appealing target.

Researchers have uncovered a family of malware that targets both Windows and OS X. Janicab.A, as the trojan is known, is also unusual because it uses a YouTube page to direct infected machines to command-and-control (C&C) servers and uses a clever trick to conceal itself.

The threat first came to light last week, when researchers from F-Secure and Webroot documented a new trojan threatening Mac users. Like other recently discovered OS X malware, Janicab was digitally signed with a valid Apple Developer ID. It also used a special unicode character known as a right-to-left override to make the infection file appear as a PDF document rather than a potentially dangerous executable file.
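The right-to-left override trick is easy to check for mechanically. The following is an added example, not code from the article or from F-Secure or Avast: it reports the bidi control characters embedded in a file name, approximates how a bidi-aware file browser would display the name, and compares the extension the user sees with the one the operating system actually uses to pick a handler. The file names in it are constructed to illustrate the pattern and are not Janicab's real file names.

```python
import unicodedata

# Unicode bidirectional controls that change how a name is displayed without
# changing the bytes the OS uses to choose a handler. U+202E is the
# right-to-left override Janicab relied on; the others are its siblings.
BIDI_CONTROLS = frozenset("\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069")
RLO, PDF = "\u202E", "\u202C"


def bidi_controls_in(name: str) -> list:
    """Describe every bidi control character embedded in the file name."""
    return [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximate what a viewer that honours bidi controls shows.

    Text after the first U+202E is rendered reversed until a U+202C (pop
    directional formatting) or the end of the string; other controls are
    invisible and dropped. Real renderers run the full Unicode bidi
    algorithm, but the filename trick only ever uses a single override,
    so this approximation is enough to reproduce what the victim sees."""
    if RLO not in name:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    head, _, tail = name.partition(RLO)
    run, _, rest = tail.partition(PDF)
    return head + run[::-1] + rest


def _extension(text: str) -> str:
    return text.rsplit(".", 1)[-1].lower() if "." in text else ""


def real_extension(name: str) -> str:
    """Extension the OS actually uses: the stored string, controls stripped."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))


def apparent_extension(name: str) -> str:
    """Extension the user believes they are looking at."""
    return _extension(displayed_name(name))


def assess(name: str) -> dict:
    """Flag a name whose displayed extension differs from its real one."""
    controls = bidi_controls_in(name)
    return {
        "displayed_as": displayed_name(name),
        "apparent_extension": apparent_extension(name),
        "real_extension": real_extension(name),
        "bidi_controls": controls,
        "disguised": bool(controls) and apparent_extension(name) != real_extension(name),
    }


# Constructed sample names (not Janicab's actual file names).
SAMPLES = [
    "report.pdf",                           # benign
    "Quarterly_Report_" + RLO + "fdp.exe",  # Windows-style: shows as ...exe.pdf, is really .exe
    "RecentNews." + RLO + "fdp.app",        # Mac-style: shows as RecentNews.ppa.pdf, is really .app
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

The same check belongs in a mail gateway or download scanner: any file name containing a bidi control is worth quarantining outright, since there is no legitimate reason for one to appear in a name a user is expected to double-click.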

On Monday, researchers from Avast published a blog post reporting that Janicab can also infect computers running Windows. The strain exploits a vulnerability Microsoft patched in 2012 to install a malicious Visual Basic script that can remain active even after infected machines are restarted.

Like the Mac versions, Janicab randomly chooses a YouTube link from a hard-coded list to find the C&C server that issues updates and instructions. One such page contained the words “just something i made up for fun, check out my website at 111.90.152.210/cc bye bye.” Researchers presume the IP address may have been the location of one of the C&C servers.
Interestingly, the Windows variant observed by Avast simply awaits instructions from its operator. The Mac version, by contrast, sends captured screenshots and audio to the attackers. The reports don’t say how many machines have been infected by Janicab. Most likely, the malware is in some sort of beta phase as its developers try to gain experience in creating cross-platform threats. With the growing use of OS X, it’s not surprising to see malware that targets that platform. It’s a bit more unusual to see the malware that can also infect Windows. We’re probably at least a few years away from cross-platform malicious software that adds Linux to the list, but it’s certainly within the realm of possibility.

Via: arstechnica
Promoted Comments

  • madmilk wrote:

    No, OS X *always* warns on opening a file from the internet (as does Windows from what I remember).

    The difference is that Gatekeeper has three options:
    1. Allow from the Mac App Store only
    2. Allow from the MAS and “identified developers” (default)
    3. Allow from anywhere

    Personally, I think Apple should just change the default to #1. #2 is pretty broken by design – Apple does not vet people who try to get developer keys. The keys can be blacklisted, but since they’re so easy to obtain that’s not much help. There’s already a warning when running blocked apps with #1 or #2, so power users shouldn’t have much trouble figuring out what’s the problem and switching to a lower security level.


    Users should only be able to run software that conforms to the App Store’s terms and conditions by default? These are the terms and conditions that block apps that show comics that Apple deems objectionable, GPL-licensed software, demos, and many more things. Can you imagine the uproar if MS were to do that? Yes, I know there’s a way around the restriction, but many users aren’t savvy enough to figure that out, so developers would be heavily discouraged from developing apps that can’t target those users.

    Last edited by Solomonoff’s Secret on Tue Jul 23, 2013 12:12 pm
  • zpletan wrote:

    Solomonoff’s Secret wrote:

    MrMcLargeHuge wrote:

    What are you talking about? The only thing required to get a valid ID is to pay the $99 fee.


    Registering to do something means you ask permission and put yourself in the position to allow the registering authority to place conditions on your registration. The very idea that one must register with a 3rd party to publish software, or else the software won’t run as smoothly as it otherwise would, puts too much power in the hands of one company. Apple in particular has shown a tendency to abuse that power.

    More practically, if one were to write a controversial app, as the initial version of PGP was at the time, it’s almost certain that the US Gov’t would pressure any company it could to get that software removed or at least to inconvenience users as much as possible (say, removing it from the app store and revoking the certificate). Apple has put itself in the position of being a gatekeeper and has also shown that it will bend to that kind of pressure (see removal of police checkpoint apps from the app store).

    Developer registration and Gatekeeper make my computer more secure. As has been stated, Apple can easily revoke offending certificates, at which point my system (on its default settings) will let me know that software may not be legit. (Not that I’m dumb enough to install random crap, but other people sometimes are…)

    On the other hand, look at the beauty of Windows’ free—i.e. sans-developer-certificate—system (sarcasm). What’s the first line of defense there—an antivirus application, albeit finally first-party by default. OS X’s frontline defense is inherently more secure because it is a whitelist, not a blacklist.

    Also, we have not traded freedom for security on OS X. You can argue what may happen someday, but I’m focusing on the here and now; and here, there’s complete freedom on the developer’s part to not use Apple’s certificates at all. Installing non-signed software is a Google search away (or a phone call to your nephew if you’re one of those people). It’s also bunk that software doesn’t run as smoothly if unsigned. The only thing less smooth is starting it for the first time.

New breed of infected Android apps spotted in the wild by Researchers

Cyber criminals have successfully exploited a recently discovered vulnerability to infect legit apps without invalidating their digital signatures.

Cyber criminals are successfully using a recently found Master Key vulnerability to inject malicious code into legitimate Android apps without invalidating their digital signatures. The code enables the attacker to remotely take control of infected devices, steal sensitive data, send texts, and disable select security applications using root commands.

The news, which comes from Symantec, certainly won’t help Android’s reputation for being insecure: Earlier this year, McAfee reported that Android was the mobile platform target of choice among cyber criminals. More recently, Kindsight Security Labs reported an increasing number of Android devices are infected with malware capable of transforming them into spy tools.

In this latest spate of Android infections, bad guys are exploiting the Master Key vulnerability to hide code inside apps, letting them use existing permissions to manipulate infected devices. An attacker can “remotely control devices, steal sensitive data like IMEI (International Mobile Equipment Identity) and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands,” according to the company.

The perpetrator is using a recently discovered Master Key vulnerability in Android, which lets a would-be attacker inject malicious code into legitimate Android apps without invalidating their digital signatures. “Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file that contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions),” according to Symantec.

This approach represents an evolution in malicious-code injection: Previously, attackers had to change “both the application and publisher name and also sign any Trojanized app with their own digital signature. Someone who examined the app details could instantly realize the application was not created by the legitimate publisher,” Symantec reported earlier this month. “Now that attackers no longer need to change these digital signature details, they can freely hijack legitimate applications, and even an astute person could not tell the application had been repackaged with malicious code.”
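The Master Key weakness comes down to a zip archive carrying two entries with the same name, with the signature verifier and the code loader each picking a different one. A scanner that refuses any APK with a duplicate entry name catches the repackaging Symantec describes before the package is installed. Below is an added example, not Symantec's code and not anything from the Android project: it builds a constructed, unsigned zip laid out like an APK (with and without the injected second classes.dex and AndroidManifest.xml), lists duplicate names from the central directory, and returns every payload stored under a given name, since a plain read of classes.dex would silently hand back only one of them.

```python
import io
import warnings
import zipfile
from collections import Counter

SENSITIVE = {"classes.dex", "AndroidManifest.xml"}


def build_sample_apk(trojanized: bool) -> bytes:
    """Construct a minimal zip laid out like an APK.

    Constructed sample: the META-INF entries are placeholders, not real
    signatures. With trojanized=True a second classes.dex and a second
    AndroidManifest.xml are appended under the same names, the layout
    Symantec describes."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; here we want them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00 original code")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder")
            if trojanized:
                zf.writestr("classes.dex", b"dex\n035\x00 injected code")
                zf.writestr("AndroidManifest.xml", b"<manifest> extra permissions </manifest>")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map every file name that occurs more than once in the central
    directory to its count. A clean APK yields {}."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_versions(apk_bytes: bytes, name: str) -> list:
    """Every payload stored under `name`, in central-directory order.

    zf.read(name) would return just one of them without complaint. That
    ambiguity is the bug: the signature check and the code loader each
    resolved the name to a different copy."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def assess_apk(apk_bytes: bytes) -> dict:
    """Reject any archive with a duplicate name; report whether the
    duplicated names are the ones that carry code or permissions."""
    dups = duplicate_entries(apk_bytes)
    return {
        "duplicates": dups,
        "code_or_manifest_duplicated": sorted(set(dups) & SENSITIVE),
        "reject": bool(dups),
    }


if __name__ == "__main__":
    for label, trojanized in (("clean", False), ("trojanized", True)):
        apk = build_sample_apk(trojanized)
        print(label, assess_apk(apk))
        print("  classes.dex copies:", entry_versions(apk, "classes.dex"))
```

The conservative rule is deliberate: a legitimate build tool never writes the same path twice, so a duplicate of any name, not only of classes.dex, is enough to refuse the package rather than try to guess which copy the device will run.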

Notably, the six infected apps spotted by Symantec are all geared toward Chinese-language speakers: Two are legitimate applications for finding doctors and making appointments, available via Android marketplaces in China. The others include a news app, a couple of games, and a betting and lottery app, according to Symantec.

That doesn’t mean Android users who use apps in languages other than Chinese should rest easy, though: It’s entirely plausible that infected versions of apps in English and other languages are forthcoming if not already in the wild as well.

Via: infoworld
20 security and privacy apps for Androids and iPhones

Encrypted storage, malware scanners, missing-phone-finders and more: Here are 20 apps to help protect your smartphone, your privacy and your data.
HiddenEye

HiddenEye Plus uses your smartphone’s camera in self-defense: This app photographs any person who tries to unlock your phone.

Available for: Android

Cost: Free
Kryptos

Kryptos uses 256-bit AES to encrypt voice communications before transmission, with 2048-bit RSA for key exchange. Provides VoIP connectivity for secure calls over 3G, 4G and WiFi.

Available for: Android and iPhone

Cost: Free to download, monthly service fee of $10
Find my iPhone

If you misplace your iPhone, the Find My iPhone app will let you use another iOS device to find it and protect your data. Locates the missing device on a map, plays a sound, displays a message, remotely locks the device and/or erases all the data on it.

Available for: iPhone

Cost: Free


SeekDroid

SeekDroid (similar to Find My iPhone) allows the user to locate a lost or stolen Android device. Features device location on a map, remote audible alarm, remote wiping of the device, remote tracking and GPS.

Available for: Android

Cost: $2.99


Plan B

Plan B is a find-my-phone app that you download AFTER you lose your phone. Described as a “last resort” to find a missing phone, allows the user to locate their lost device using cell towers and GPS. On some phones, Plan B can switch GPS on automatically.

Available for: Android

Cost: Free
Secure Folder PRO

A private storage solution for photos, videos, contacts, notes, credit cards and passwords. Features secret website bookmarks and private navigation system without history tracking, a “decoy” storage area to trick nosy intruders, and encrypted storage for credit card and other data.

Available for: iPhone

Cost: $1.99
Gallery Lock

Gallery Lock provides privacy for picture and video files by hiding them in individual, password-protected folders.

Available for: Android

Cost: Free
Privacy Filter

Privacy Filter blocks the screen from prying eyes glancing at the device from the side.

Available for: Android

Cost: $1.99
Splash ID Safe

A sensitive-data vault that stores personal information (such as web logins, credit cards, PINs, and email settings) using 256-bit encryption.

Available for: Android

Cost: $9.99
Norton Snap

Norton Snap is a QR code scanner that warns the device user about dangerous QR codes, and blocks unsafe Web sites before they load on the device.

Available for: Android and iPhone

Cost: Free
Avast Free Mobile Security

Famous from the PC space, Avast also offers this antivirus and anti-theft Android security application. Includes on-demand scanning of installed apps and memory card content. Also features a privacy report, which scans and displays the access rights and intents of installed apps, as well as anti-theft components that let the user remotely lock, locate, sound a siren on, or wipe the device (including its memory card) via SMS or the web.

Available for: Android

Cost: Free
Lookout Mobile Security

The Android version of this app includes antivirus and blocks malware, spyware, and trojans and scans each app downloaded. Both the Android and iPhone versions feature a find-my-phone component, which locates a lost or stolen phone on a Google map and activates a loud alarm, even if the device is on silent.

Available for: Android, limited version for iPhone

Cost: Free
AVG Mobilation Antivirus

AVG’s version of antivirus for smartphones detects harmful apps and text messages. Features include scanning of apps, settings, files, and media in real time, location of lost or stolen phone via Google Maps, lock and wipe device to protect privacy.

Available for: Android

Cost: Free
Norton Mobile Security

Security, antivirus, antitheft protection. Includes automatic antivirus scan for downloaded apps and app updates, keystroke logging protection, remote lock and wipe, find-my-phone phone locator, and a “scream” locator that lets the user send a text to the missing phone, which sets off a scream alarm.

Available for: Android

Cost: Free
NQ Mobile

Security and antivirus protection against viruses, malware, spyware, trojans and phone hacking. Features include antivirus, anti-harassment, privacy protection, phone locator, data backup, safe browsing and traffic monitoring.

Available for: Android

Cost: Free
McAfee Mobile Security

McAfee’s protection suite for Android; features antivirus, anti-theft, safe mobile surfing, app protection, and call and SMS filtering. Other features include remote device lock, locate and track.

Available for: Android

Cost: Free trial
Accellion Mobile

Allows business users to work on enterprise content by providing secure mobile access to files. Features: Securely browse, view, edit, save back, upload, send, and share files and folders on-the-go. Participate in real-time collaboration by opening, editing, and saving back Microsoft Office file types through Quickoffice.

Available for: Android and iPhone

Cost: Free
Junos Pulse

Junos Pulse secures connectivity to corporate web-based applications via Juniper Networks SSL VPN gateways. Also delivers mobile security against malware, viruses, and spyware, as well as from device loss or theft, preventing device damage, and loss and exploitation of sensitive user or corporate data.

Available for: Android and iPhone

Cost: Free
WiFi Protector

Guards against WiFi sniffing attacks by detecting Address Resolution Protocol (ARP)-based attacks such as denial of service (DoS) and man-in-the-middle (MITM). Protects the phone from tools like FaceNiff, Cain & Abel, ANTI, ettercap, DroidSheep, NetCut and others that hijack sessions by ARP spoofing (ARP cache poisoning).

Available for: Android

Cost: $3.89
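Detecting ARP poisoning, the attack WiFi Protector targets, amounts to watching ARP replies for bindings that change and for one hardware address that answers both for the gateway and for other hosts. The following is an added example of that logic, not WiFi Protector's code: it runs over a constructed list of (IP, MAC) pairs standing in for captured ARP replies, with 192.168.1.1 assumed as the gateway.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the constructed sample

# Constructed ARP replies as (sender IP, sender MAC), in the order seen on the LAN.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),  # the real gateway announcing itself
    ("192.168.1.20", "00:11:22:33:44:20"),  # an ordinary laptop
    ("192.168.1.50", "aa:bb:cc:dd:ee:ff"),  # the attacker's own address
    ("192.168.1.1",  "AA:BB:CC:DD:EE:FF"),  # poisoned reply: gateway now "at" the attacker
]


def detect_arp_anomalies(replies, gateway_ip=GATEWAY_IP) -> list:
    """Return alert strings for ARP replies that look like poisoning.

    Two signals, both of the kind ARP-watch tools use:
      1. an IP whose MAC changes after it was first learned (most serious
         when the IP is the gateway, because that is what redirects every
         off-subnet packet through the attacker);
      2. one MAC claiming the gateway IP plus other IPs, the footprint of a
         MITM tool answering for several victims at once.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()  # normalise case so AA:BB and aa:bb compare equal
        mac_to_ips[mac].add(ip)
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac          # first sighting: learn the binding
        elif known != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{severity}: {ip} changed from {known} to {mac}")
        others = mac_to_ips[mac] - {gateway_ip}
        if gateway_ip in mac_to_ips[mac] and others and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"HIGH: {mac} answers for the gateway and for {sorted(others)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

On a real device the pairs come from captured ARP frames rather than a list. Expect some false positives: a gateway that fails over between two routers (VRRP or HSRP) legitimately changes MAC, and DHCP churn can hand an IP to a new host. The usual countermeasure these apps offer, a static ARP entry for the gateway, has the same blind spot and must be refreshed whenever the gateway hardware genuinely changes.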
Privacy Safe

Automatically moves confidential SMS and call logs from private contacts into private space and hides the normal track on your phone. Notifies of private space status secretly. Private space is password protected. Also blocks unwanted SMS using keywords specified by the owner.

Available for: Android

Cost: Free
Via: csoonline


Cybercrime Costs U.S. Economy $100 Billion and 500,000 Jobs

Attacks on businesses and consumers are a blight on the economy, with criminals foreign and domestic using the Internet to steal identities, intellectual property, trade secrets and just about anything else they can get their hands on.

A new economic model developed at a prominent D.C. think tank puts the cost to the U.S. economy as high as $100 billion annually, with a corresponding loss of as many as half a million jobs.

The report, released by the Center for Strategic and International Studies (CSIS) and written by James Lewis and Stewart Baker, two old hands in the Washington cybersecurity policy discussion, offers a quantitative approach based on data from the Commerce Department and analogous losses from activities such as car crashes, piracy and other losses and crimes.

Cybercrime: The Cost of Doing Business?

The authors explain: “One way to think about the costs of malicious cyber activity is that people bear the cost of car crashes as a tradeoff for the convenience of automobiles; similarly they may bear the cost of cybercrime and espionage as a tradeoff for the benefits to business of information technology.”

But what is the price of all that nefarious activity?

The report, sponsored by security software vendor McAfee, eschews survey data, which the authors say is flawed because respondents “self-select,” and businesses often either conceal or do not realize the full extent of the losses from a cyber attack.

“We believe the CSIS report is the first to use actual economic modeling to build out the figures for the losses attributable to malicious cyber activity,” Mike Fey, executive vice president and CTO at McAfee, said in a statement.

“As policymakers, business leaders and others struggle to get their arms around why cybersecurity matters, they need solid information on which to base their actions.”

Lawmakers Divided Over Government’s Role

And cybersecurity is the subject of a long-running policy debate in Congress, with lawmakers divided over what role the government should play in setting and enforcing security standards for critical infrastructure operators in the private sector.

The CSIS report evaluated malicious cyber activity in a variety of forms, including crime, intellectual property loss, reputational damage and the cost of bolstering network security and recovery after an attack. The authors also considered the opportunity costs associated with downtime and lost trust, as well as the loss of sensitive business information.

Through an analysis of Commerce Department data on exports and job losses, the authors estimated that cyber espionage could rob the economy of as many as 508,000 jobs. Though he described that figure as a “high-end estimate,” co-author Lewis suggested that the real impact could be more severe.

“As with other estimates in the report, however, the raw numbers might tell just part of the story,” he said. “If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging.”

The authors are planning to produce a second report that will focus on the less tangible impacts of malicious cyber activity, attempting to quantify the impact on the pace of innovation and the flow of trade.
Via: networkworld

US court renews permission to NSA to collect phone metadata

A disclosure that the government was collecting phone data from customers of Verizon has already generated controversy.
The Foreign Intelligence Surveillance Court has renewed permission to the U.S. government for a controversial program to collect telephone metadata in bulk.

The office of the Director of National Intelligence said the government filed an application with the FISC seeking renewal of the authority to collect telephony metadata in bulk, and the court renewed that authority, which expired on Friday.

The information was being disclosed “in light of the significant and continuing public interest in the telephony metadata collection program,” and an earlier decision by DNI James R. Clapper to declassify certain information relating to the program, it said.

The secret court was set up under the Foreign Intelligence Surveillance Act (FISA), which requires the government to obtain a judicial warrant for certain kinds of intelligence-gathering operations.

The Guardian newspaper published in June a copy of a secret April 25 order from FISC in Washington, D.C., which required Verizon to produce call records or telephony metadata on an ongoing daily basis until expiry of the authorization on July 19.

The requirement to turn in metadata applied to calls within the U.S., and calls between the U.S. and abroad, and did not cover communications wholly originating or terminating outside the U.S. Metadata was defined to include communications routing information such as session-identifying information, trunk identifier, telephone calling card numbers, and time and duration of calls.

The program does not allow the government to listen in on anyone’s phone calls, and the information acquired does not include the content of any communications or the identity of any subscriber, Clapper said in a statement in June, which also confirmed the authenticity of the order published by the British newspaper.

The authorization required the production of telephony metadata under the “business records” provision of FISA.

In response to the disclosure about the collection of phone data of Verizon customers, the American Civil Liberties Union (ACLU) filed a lawsuit in June in the U.S. District Court for the Southern District of New York, claiming that the “mass call tracking” by the U.S. National Security Agency violated the First Amendment of the U.S. Constitution, which protects free speech and association, and the Fourth Amendment, which protects against unreasonable searches and seizures. It asked the court to order an end to the tracking of phone records under the Verizon order or any successor order.

In a letter last week to Rep. Jim Sensenbrenner, the U.S. Department of Justice said intelligence tools that NSA uses to identify the existence of potential terrorist communications within the data “require collecting and storing large volumes of the metadata to enable later analysis.” If the data is not collected and held by the NSA, the metadata may not continue to be available for the period that it “has deemed necessary for national security purposes” as it need not be retained by telecommunications service providers.

Internet companies like Google, Microsoft and Yahoo have been demanding greater transparency in the orders of the FISC, after Edward Snowden, the former NSA contractor behind the leak of the Verizon order, also disclosed documents that suggested that the NSA has real-time access to content on their servers. The companies have denied the claims, and want FISC to remove restrictions that prevent them from disclosing requests for customer data under FISA. Yahoo appears to have persuaded FISC to release its secret order and the parties’ briefs in a 2008 case. The court recently ordered the government to declassify the documents, as it prepares to publish the court’s opinion in redacted form.
Via: networkworld

Passwords are a Weakness for Businesses, with Potentially Disastrous Consequences

Companies large and small are faced with a growing burden: how to manage shared access to an ever-increasing number of services and data, across a workforce that is more mobile and digitally connected than ever before. In the interest of efficiency and productivity, the security implications of shared and weak passwords are often overlooked, leaving the company open to significant risks.

Shared social media accounts are a prime example. A number of recent hacks highlight some of the serious consequences for the affected brands.

In the case of The Onion, the Syrian Electronic Army targeted its team members with phishing attacks, collected their Twitter credentials and then used them to log in to @TheOnion and post content of their own (the original post shows a screenshot of one such meme).

Or take the recent hack of the Associated Press’ Twitter account. The perpetrator’s tweet about a potential bomb at the White House negatively affected financial markets, with the Dow dropping sharply (the original post includes a chart of the drop).

Hacks of social media accounts are embarrassing, potentially damaging a company’s reputation, spreading malware to others, not to mention affecting the company’s financials or the greater financial markets. There’s also time lost in recovering from the situation and issuing apologies.

But social media teams are not the only ones with something to lose. Companies need to improve password practices and shared access to accounts all around, because the next compromised account may be something even more critical than the company’s Facebook page or Twitter handle.

It’s difficult to inspire employees to change the way they handle passwords. How we use and manage passwords in our personal life will affect how we use and manage them in our business life – which is to say, most of us are not doing the password thing right. The only logical solution is for companies to implement a password management system with tools and features that allow employees to painlessly manage their data and share access to accounts.

That’s where LastPass Enterprise comes in. Only with a system that effectively blends SSO and SAML with secure password vaulting can a company effectively manage access and reduce the risk that passwords pose. Enterprise offers the same core functionality as the standard LastPass product, but with extensive administrative capabilities and robust sharing features for easily assigning, reassigning, and monitoring company data across individuals, functional teams, and the entire organization. Not to mention, with LastPass Enterprise, administrators are able to enforce high security standards – without asking too much of their employees.

After incidents like the above Twitter hacks, there was much talk of Twitter implementing multifactor (or two-factor) authentication in an effort to help brands better protect their accounts. But in the end, businesses themselves have just as much, if not more, responsibility to be proactive in protecting their data and assets. Strong, unique passwords and standardized authentication practices raise the bar considerably, though a credential typed into a phishing page is compromised no matter how strong it is; that is the gap a second factor closes.
Via: lastpass

Samsung reveals high-speed 1TB SSDs

The company’s entry-level 840 Evo, with four times the storage of its predecessor, will go on sale next month.

Samsung Electronics will offer a range of faster SSD drives for consumers from next month, including a zippy new 1TB drive meant for everyday use.

The company’s “840 EVO lineup” will be two to three times faster than its existing 840 drives, depending on the capacity, it said Thursday. The 1TB version has a sequential write speed of 520MBps, over double its predecessor, while the 120GB model can reach up to 410MBps, about triple the older version.

As NAND flash prices fall and adoption of SSDs spreads in consumer computers and laptops, terabyte-sized SSDs have become the new battleground for manufacturers. Samsung announced its newest drives under the slogan “SSDs for everyone.”

Micron unveiled a 1TB drive, the Crucial M500, for consumers in January at the International CES show in Las Vegas, pricing it under US$600, or 60 cents per gigabyte, far below rivals at the time. The first 1TB SSD, from OCZ, launched in 2011, still sells for over US$2,500 online.

Samsung has yet to reveal the price for its 840 EVO, which it said will go on sale in August in major markets. The company’s sequential read/write speeds are slightly faster than Micron’s product, as are its 98,000 input/output operations per second (IOPS) and 90,000 IOPS random read and write speeds.

The new SATA-based, 2.5-inch drives will come in sizes ranging from 120GB to 1TB, and will use Samsung’s NAND flash built using process technology smaller than 20 nanometers. The company’s previous consumer drives maxed out at 250GB.

Samsung also announced a new lineup of SSDs for enterprise storage, including a 1.6TB drive that has a sequential read speed of 2,000MBps and a random read speed of 740,000 IOPS. The company said it is the first to build a 2.5-inch SSD based on NVMe (non-volatile memory express), an interface specification for solid-state drives that replaces the SATA interface now widely in use.

The 2.5-inch enterprise drives will also come in 400GB and 800GB sizes. Samsung said it plans to expand its enterprise offerings based on NVMe in the future.

Via: computerworld

Encryption no protection from government surveillance

Latest Snowden revelation shows Microsoft handing encryption keys to the NSA.

Microsoft, Skype and other online service providers regularly tell their customers that customer privacy is “our priority.” Perhaps they should add a disclaimer, that orders from the federal government seeking surveillance of those customers are a higher priority.

The latest revelations from the files of Edward Snowden, the self-described National Security Agency (NSA) whistleblower, show that Microsoft, “collaborated closely with U.S. intelligence services to allow users’ communications to be intercepted, including helping the NSA to circumvent the company’s own encryption,” according to The Guardian.

Snowden, a former Booz Allen Hamilton employee who worked as a contractor to the NSA, leaked a trove of classified documents to The Guardian and the Washington Post last month, and is now reportedly hiding out in the Moscow airport, seeking asylum in a number of countries in an effort to avoid arrest by the U.S. Justice Department.

The Guardian reported that those documents show that Microsoft helped the NSA circumvent encryption to intercept web chats on the Outlook.com portal, and to get easier access to its cloud storage service, SkyDrive, which has more than 250 million users worldwide. The agency already had access to Outlook.com and Hotmail.

They also show that, “In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism (a top-secret program to collect data from Internet service providers); Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a ‘team sport.’”

Microsoft’s response, in a statement, was that it provides customer data to the federal government only in response to “lawful demands … and we only ever comply with orders for requests about specific accounts or identifiers.”

But the simple online reality is that when the government makes “lawful demands” for information, those companies are “duty bound” to provide access to the government, said Steve Weis, CTO of encryption vendor PrivateCore.

U.S. government officials, from President Obama down through the heads of intelligence services, have emphasized that there are safeguards in place to limit data collection, and that the emails and phone calls of U.S. citizens are not being monitored in real time.

But, as has been reported many times in the last month, the Foreign Intelligence Surveillance Act (FISA) court routinely approves the collection of communications on citizens without a warrant if the NSA has a 51 percent belief that the target is not a U.S. citizen or is not in the U.S. at the time.

Privacy advocates like the Electronic Frontier Foundation (EFF) have argued for years that the government is abusing the laws that permit limited online surveillance in the hope of tracking suspected terrorists.

“The government has painted all this with a veneer of legality,” said Trevor Timm, a digital rights analyst at EFF, “but in our minds, there is a huge question about whether it is lawful and constitutional. Even the author of the Patriot Act (U.S. Rep. Jim Sensenbrenner, R-Wisc.), says the phone metadata collection violates the law that he wrote.”

Indeed, Sensenbrenner was quoted recently saying that the law was never intended to permit the kind of dragnet collection now ongoing, but to prevent it. He has said those defending it are, “spewing a bunch of bunk.”

Rebecca Herold, CEO of The Privacy Professor, agrees that, “it certainly seems they are stretching applicability of the laws beyond the limits of their intentions,” but added that part of the problem is that the laws, “were already written in a very vague and subjective manner.”

Timm said EFF has “huge problems with this law because it is targeted at groups instead of individuals. It’s using a lower threshold than probable cause. And these cases are decided by the FISA court in complete secrecy with no opposing counsel, so there is no pushback. Beyond that, the authority of the FISA court is through sweeping legal opinions on the Fourth Amendment that the public hasn’t seen. We just think that’s not democratic.”

Timm said privacy advocates are not at all surprised at the recent revelations, but said they carry more weight because they are not just the statements of whistleblowers, but actual government documents. He said that might allow cases challenging the law, and the interpretation of it, to go forward.

Herold said she is surprised that Microsoft agreed to decryption, which she said amounts to “tampering with files. That would be like not only stealing someone’s locked diary, but also then taking it to the manufacturer of the diary and having them break the lock open for you.”

Weis and Todd Thiemann, PrivateCore’s vice president of marketing, said the company takes no position on the legitimacy of the laws now being used to compel online providers to allow government surveillance. But, Weis said there is at least a way for end users to make the government come directly to them, rather than get their information from a service provider without their knowledge. His firm, through the use of virtualization and cryptography, “can take an untrusted server and create a secure environment on the CPU. The rest of the system can be compromised, but you’ll still be protected.”

That, he said, means the end user not only has the encryption keys, but that the government cannot get access to them by taking a snapshot of the server’s memory.

“The government can still demand the information,” he said, “but they have to come knocking on your door to do it, so at least you’ll know.”

Herold said it would be difficult to stop using Microsoft, “if your systems are all from Microsoft and all your applications you need to use run on Windows. However, this does point to the need to consider using security and privacy add-on products that come from other vendors instead of using the security and privacy tools embedded within Microsoft systems.”

Trevor Timm said there are ways for individuals to make it more difficult for the government, through the use of online anonymity services like Tor and PGP encryption. But he said they can be “cumbersome and very user unfriendly.”

“The answer is to require the NSA to allow people to have real privacy,” he said.

Via: csoonline