Monthly Archives: December 2013

UK firms to be “encouraged” to adopt upcoming security standard

The UK government minister responsible for cyber security issues, the Rt Hon Francis Maude, has released a statement and a pair of reports looking back over the first two years of the government’s Cyber Security Strategy and detailing further plans going forward.


One of the key developments expected in the near future is the unveiling of a security standard for businesses, which early reports on Maude’s statement predicted would be a requirement for firms hoping to pick up government contracts.

Variously described as a “baseline”, a “kitemark” and a “badge”, the new standard is being developed in collaboration with the British Standards Institute, the Information Security Forum and other players, and is expected to be released publicly in March of 2014.

Those expecting the “Organisational Standard” to be mandatory for firms doing business with the government may be a little disappointed though, as the statement’s wording leaves plenty of wriggle-room to allow firms to avoid conforming.

While firms in general will be encouraged to adopt the standard, in government procurement compliance will be mandated only “where proportionate and relevant” – so, if anyone wants out and has enough clout, it’s likely they’ll be able to persuade the government to continue doing business with them.

A group of firms currently supplying the Ministry of Defence (MoD), including BAE Systems, Rolls Royce and HP, have shown willingness to adopt the standard when it is released, but again there seems to be no definite requirement of the sort imposed by the US Defense Department a few weeks ago.

Hopefully once the standard is finalised and released the rules regarding its use will be made stricter and less flexible.

There’s a lot more covered by the two reports, with the retrospective overview of progress highlighting the creation of the new National Crime Agency (NCA) and its cyber sub-division the National Cyber Crime Unit (NCCU), set up a few months ago, and its successes so far.

These include a number of high-profile international operations, as well as sending out an email warning people about Cryptolocker.

A number of other initiatives are mentioned, including information-sharing partnerships, the Centre for the Protection of National Infrastructure (CPNI) and its Cyber Risk Advisory Service for businesses, and the budding CERT-UK, as well as the recent banking simulation project known as “Operation Waking Shark 2”.

Looking forward, we can expect expansions and improvements in all these areas, plus new initiatives such as “kite-marking” of cyber security professionals and products. Police expertise will be increased, with half of the NCA’s 4000 staff expected to receive training in cyber investigation.

Education in general is a major theme, with new plans ranging from primary schools to universities and on into professional training and certifications.

A “major public awareness campaign” is planned for January 2014, with Sophos namechecked alongside Facebook and BT as partners in the project.

Just how successful some of these endeavors will be will of course depend on the details, with much of the information in these reports still fairly vague and non-committal.

Nevertheless, it’s good to see government making the right noises and putting some fairly considerable effort into cyber security in all sorts of areas.

Via: nakedsecurity

Microsoft Could Bring Back The Start Menu In The Next Version Of Windows

Microsoft watchers Mary Jo Foley and Paul Thurrott recently detailed a number of changes that could be coming in the next major version of Windows, something that Foley is hearing called “Threshold.” It could be heading towards our waters in 2015.

Unsurprisingly, Threshold continues the trend of unification inside the Windows aegis. The platform becomes more tightly locked, with a common core sporting several faces, or SKUs. One, described by Foley as “Modern,” is akin to Windows RT and would focus on Windows Store apps.

Also potentially coming with Threshold is a “more traditional consumer SKU,” which would include “some semblance of productivity and familiarity with Windows.” That makes sense. And, finally, an enterprise-facing SKU that would suit organizations of scale and their needs. This should all make sense, as the builds that Foley is describing closely mirror Windows 8.1 RT, Windows 8.1, and Windows 7.

Microsoft declined to comment.

The real force behind what Foley is discussing is the idea of having one core Windows regardless of SKU or device, that would allow developers to build once and deploy broadly. You can see the outlines of this in WinRT, and so forth. So, not surprising, but also encouraging. Now, to something that does surprise: The Start menu could be coming back.

According to Thurrott, the Start menu – not just the Start button, which has already returned – could come back to Windows. It would probably “appear only on those product versions that support the desktop,” which makes sense given that sans desktop, you wouldn’t need the damn thing.

All this kicks together to imply that in the Windows RT/Windows Phone OS we are not going to have the desktop at all. Office will go Metro, ending the need for the desktop on those devices. Naturally, there needs to be more user interface integration and so forth, but I think the writing is on the wall.

So the story of Windows unification could contain new wrinkles that bring back old functionality in some SKUs. Thurrott likes this:

When you combine this information with Mary Jo’s SKU info, you can see that Microsoft is, if not moving forward per se, at least continuing to do the right thing and responding to complaints. And given the changes in the groups responsible for Windows, this wasn’t a given at all. It’s a good sign.

I agree with that, mostly, though any focus on the desktop comes at the expense of Metro, which means the Windows Store. Still, Microsoft has to assuage enterprise customers and consumers alike, which requires sacrifice.

Via: techcrunch

Agency spies snooped on online gaming worlds, including World of Warcraft, Second Life and Xbox Live

Online games are, or at the very least have been in the past, thick with spies, the latest disclosure from whistleblower Edward Snowden shows.

The US and British spying agencies – the National Security Agency (NSA) and GCHQ – have deployed undercover agents working behind avatars in online games such as those on Xbox Live, World of Warcraft, and Second Life, according to the newly released files.

In fact, there have been so many FBI, CIA, and Pentagon spooks kicking around as elves, Orcs and supermodels that a “deconfliction” group is needed to stop them all colliding with each other, according to the newly released, top-secret documents.

The Guardian obtained the latest files to come out in NSA-gate. Written in 2008, they’re titled “Exploiting Terrorist Use of Games & Virtual Environments.”

The Guardian published the documents on Monday in partnership with the New York Times and ProPublica.

In the files, the NSA said that terrorists were already operating with the help of internet-enabled communications such as email, Voice over IP (VoIP), chat, proxies, and web forums, so it was “highly likely” they’d use the same type of communication channels in games and virtual environments (GVEs).

The NSA analyst or analysts who authored the files noted that GVEs at the time were offering private chat, group chat, chat to an alias, and broadcast chat, via both text and voice.

Xbox Live also allowed a bunch of those technologies to converge, allowing gaming over the Xbox 360 console and/or messaging over a PC with normal MSN chat.

Second Life, meanwhile, offered anonymous SMS texting and anonymous phone calling, the NSA noted, while some games allowed third-party interfaces that permitted limited functions within a browser – a good way to get by without high bandwidth, as is the case in internet cafés, for example.

All those places to connect, interact or share would be prime operating ground for terrorist web forums, the NSA pointed out.

What’s more, the games offer realistic training in weapon use, military operations and tactics, photorealistic land navigation and terrain familiarization, and leadership skills: a perfect place to learn how to carry out terrorist violence without risking any operatives.

From the files:

Some of the 9-11 pilots had never flown a real plane, they had only trained using Microsoft’s Flight Simulator. When the mission is expensive, risky, or dangerous, it is often a wiser idea to exercise virtually, rather than really blow an operative up assembling a bomb or exposing a sleeper agent to law enforcement scrutiny.

The intelligence agencies have prepared to track targets training in these online gaming forums for terrorist actions by building mass-collection capabilities against the Xbox Live console network, which has more than 48 million players.

The spying organizations have also deployed agents in the virtual realms, whether they be hidden amongst hordes of Orcs in World of Warcraft or posing as human avatars in Second Life.

They targeted Al Qaida terrorists, Chinese hackers, an Iranian nuclear scientist, Hizballah, and Hamas members, the documents show.

According to the New York Times, by the end of 2008 GCHQ had set up its “first operational deployment into Second Life” and had helped the police in London to crack down on a crime ring that had moved into virtual worlds to sell stolen credit card information.

The operation, code-named Operation Galician, was aided by an informer using a digital avatar “who helpfully volunteered information on the target group’s latest activities”, the newspaper quoted the files as saying.

Online gaming was so thick with spies at the time the files were written that agents were all “very interested in forming a deconfliction and tipping group” to avoid bumping into each other, the documents say.

GVEs are, in fact, “an opportunity!” the NSA enthused, presenting the capability of computer network exploitation, social network analysis, tracking of identity via photos and other IDs, geo-location of targets, and sweeping up communications.

From the files:

It has been well documented that terrorist [sic] are OPSEC and tech saavy [sic] and are only getting more so over time. These applications and their servers however, are trusted by their users and makes an [sic] connection to another computer on the Internet, which can then be exploited. Through target buddylists and interaction found in the gaming and on gaming web sites, social networks can be diagramed [sic] and previously unknown SIGINT leads and connections and terrorists cells discovered.

But while online gaming sounds perfect for use by terrorist networks, and while it might very well present a ripe opportunity for intelligence agents to track them or trip them up, actually finding terrorists is, apparently, another matter entirely.

At any rate, beyond the London crime ring, if the NSA or GCHQ have ever stopped a terrorist attack or found terrorists operating in online gaming, the documents don’t describe it.

The New York Times reports that according to one document, while GCHQ was testing its ability to spy on Second Life in real time, its officers collected three days’ worth of Second Life chat, instant message and financial transaction data, totaling 176,677 lines of data, including the content of the communications.

The documents don’t describe, however, the broader scope of communications collected. Neither did the NSA bring up issues about gamers’ privacy in the documents, describe how the agencies access the data, nor make clear how it was avoiding the illegal monitoring of innocent US persons whose identity and nationality may have been hidden behind an avatar.

A spokesman for Blizzard Entertainment, the company behind World of Warcraft, told the Guardian that whatever surveillance might have taken place would have happened behind the company’s back:

We are unaware of any surveillance taking place. If it was, it would have been done without our knowledge or permission.

Microsoft declined to comment, as did Philip Rosedale, the founder of Second Life and former CEO of Linden Lab, the game’s operator, while company executives didn’t respond to the news outlets’ requests for comment.

As far as whether gaming surveillance is ongoing, the US government, at least, isn’t saying.

There have been discussion threads in gaming forums that show that since the Snowden revelations began, gamers have worried whether they were being monitored.

Now, we know.

Via: sophos

Viber Officially Launches Viber Out, Letting Users Call Mobile And Landline Numbers

Viber is launching a new feature called Viber Out to its entire user base.

See, Viber Out lets Viber users make calls to people who don’t have the Viber app, effectively mimicking a Skype Out feature by charging a low per-minute rate to mobile or landline numbers.

According to Viber, the prices are generally lower than Skype.

About a month ago, Viber prematurely launched Viber Out to help Typhoon Haiyan victims in the Philippines connect with their loved ones.

To use Viber Out, just visit the “More” tab, and choose Viber Out. From there, you’ll be able to purchase Viber Out credit. No update is necessary to access the new feature.

Viber Out is available across iOS, Android and Desktop, with a Windows Phone version coming soon.

Additionally, Viber is adding even more stickers to the revenue-generating Sticker Market, launched about a month ago.

As it stands now, Viber stickers and Viber Out represent the entirety of Viber’s business model, but CEO Talmon Marco promises more sources of revenue in the future.

“Profitability is certainly something on our roadmap, but we currently plan to invest more in the business,” said Marco.

Via: techcrunch

NSA Claims Collecting Cellphone Location Data Is Legal Under Executive Order — From 1981

The National Security Agency (NSA) discussed its program that collects billions of cellphone location records each day. The NSA targets foreign phones but also absorbs data on the phones of American citizens.

“The NSA does not target Americans’ location data by design, but the agency acquires a substantial amount of information on the whereabouts of domestic cellphones ‘incidentally,'” according to the Washington Post, which broke the story concerning the program based on documents provided by Edward Snowden.

Given that fact, the legal defense that the NSA outlined today for the program could be viewed as underweight. The agency cites Executive Order 12333, issued by then-President Ronald Reagan in 1981. The NSA stated that “the Agency’s EO 12333 collection is outward-facing. We are not intentionally acquiring domestic information through this capability.” The agency also has in place “minimization procedures,” according to its spokesperson.

However, as the agency does collect the location data of many Americans, its defense rests on the fact that it does so accidentally. Therefore, the “collection does not violate FISA [the Foreign Intelligence Surveillance Act].”

Citing an executive order from 1981 to legally undergird a program of immense technological complexity 32 years later may feel weak, but courts could uphold the justification.

Do They Or Do They Not

Here’s the Los Angeles Times, citing the federal government in late June when news of the phone metadata program was fresh:

The U.S. Justice Department has told a court in Florida that the government does not secretly track the location of Americans’ cellphones as part of its massive phone surveillance dragnet, but asking experts to believe that assertion has proved to be another matter.

It appears that assertion was false, as was the assertion that the NSA doesn’t collect data on millions of Americans. The defense against the above statement, regarding the Post’s recent piece, is that the NSA only meant that it doesn’t wittingly track the location of Americans’ cellphones.

However, as my colleague Greg Ferenstein pointed out yesterday:

The NSA also claims that only foreigners are targeted, but it does incidentally pick up data on potentially millions of Americans. Millions of people are connected to a target through two degrees of separation.

What will be interesting to see is if the legal foundation that the NSA cited today will be challenged, and if so, how sturdy it will prove. So far, efforts to force reform at the NSA through such means have been flat.

Via: techcrunch

Hackers Compromise 2 Million Facebook, Twitter and Gmail Accounts

More than 2 million accounts have been compromised from popular sites such as Google, Yahoo, Twitter, Facebook and LinkedIn after malware captured login credentials from users worldwide, according to a new report.

According to web security firm Trustwave, hackers have stolen login usernames and passwords across various sites in the past month with the help of Pony malware, a bit different than a typical breach.

“Although these are accounts for online services such as Facebook, LinkedIn, Twitter and Google, this is not the result of any weakness in those companies networks,” said Abby Ross, a spokesperson for Trustwave. “Individual users had the malware installed on their machines and had their passwords stolen.

Pony steals passwords that are stored on the infected users’ computers as well as by capturing them when they are used to log into web services.”

Although the culprit behind the hack remains unknown, Trustwave wrote on its blog that two targets were Russian-speaking social networking sites (vk.com and odnoklassniki.ru), which could hint at the virus’ origin.

“The malware was configured so that the majority of the credential information was sent to a server in the Netherlands,” Ross said. “The server does not show from which countries the information came from so we cannot break down exactly how many users from each country were affected. However, we can confirm the attackers targeted users worldwide including in the U.S., Germany, Singapore, Thailand and others.”

It’s also important to note that the stolen credentials were never publicly posted online. Trustwave researchers were able to access a command and control server used by the Pony botnet and recovered the passwords from there.

“We have reached out to the major service providers affected and they are taking steps to inform their users or remediate the compromised accounts.”

Facebook accounted for about 57% of the compromised accounts, followed by Yahoo (10%), Google (9%) and Twitter (3%).

A Facebook spokesperson said that the company has already reached out to those with compromised accounts.

“While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their web browsers,” a Facebook spokesperson stated. “As a precaution, we’ve initiated a password reset for people whose passwords were exposed.”

Yahoo also said it implemented password resets on accounts to protect users.

“It’s likely that user systems had out-of-date browsers or operating systems,” a Yahoo spokesperson said. “We urge our users to keep their systems and applications updated, regularly run anti-virus software and not install programs from untrusted sources. We also encourage our users to set up second sign-in verification so they’re notified when someone attempts to log into their account from another device.”


Trustwave also discovered most of the compromised passwords were considered “weak.”

“In our analysis, passwords that use all four character types and are longer than 8 characters are considered ‘excellent,’ whereas passwords with four or less characters of only one type are considered ‘terrible,'” Trustwave wrote on its blog. “Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the medium category.”

Because the stolen log-in information wasn’t posted online, LastPass, which typically offers a tool to check whether accounts have been compromised, is unable to do so for this breach. Instead, it advises everyone to use unique, strong passwords for all online accounts.

“If you use the same password on Facebook as you do for your online banking, that is a massive risk and you should update your accounts immediately,” LastPass spokesperson Amber Gott said. “A password manager like LastPass can also thwart keyloggers since it autofills data for you on your sites, preventing you from having to type everything in. We also highly recommend using multifactor (two-factor) authentication, like Google Authenticator with LastPass and other online accounts that support it.”

Via: mashable

Pentagon Disconnects iPhone, Android Security Service, Forcing a Return to BlackBerry for Some

Some military members who were working off Apple and Android-based smartphones and tablets now must return to using older model BlackBerrys because of a security service switchover, according to an email obtained by Nextgov and confirmed by Pentagon officials.

The Defense Department is building a new mobile device management system to monitor government-issued consumer smartphones on military networks, but it’s not yet ready for prime time.

Employees within at least one Army organization were forced to disconnect iPhones, iPads and Android devices from their existing security service, Good Mobile Messaging, because the Pentagon is deploying a new departmentwide system by Fixmo, states an email that appeared on an Army listserv.

Army personnel “have been told that between now and whenever this ‘fixmo’ is online, their Droids and iThings are simply to become useless,” the email said. The Defense Information Systems Agency is in the midst of transitioning smartphone users in each military component to the full $16 million system.

“The victim, er organization under migration offered their [Good] licenses and servers and expertise to DISA, but were told no, don’t want it,” the email continues. “Expectation is that Droid and iThing users will be deviceless until March 2014 at earliest, and they can either do without or go back to a BB 9930,” an older model BlackBerry smartphone, “So…..once again, we are going to save money through consolidation no matter how much it costs.”

After a proposed buyout of BlackBerry collapsed last month, Pentagon officials emphasized efforts to wean service members off reliance on the company’s devices. But officials on Monday night acknowledged BlackBerry will retain its position in the department’s mobile computing arsenal for now.

“DISA will support BlackBerry devices with the existing [Blackberry Enterprise Server]. During the transition period, DISA is not provisioning new iOS/Android users on the existing server,” Pentagon spokesman Damien Pickart said in an email. “We are delaying provisioning of those devices until the [mobile device management] environment is ready in Jan 2014. We will provision new devices as rapidly as possible starting in January 2014.”

The aim is to hook up 100,000 military personnel and their government-furnished Apple, Samsung, BlackBerry and other consumer devices to the security service by September 2014.

Some defense contract analysts say the more popular commercial devices may not meet battlefield security standards.

Ray Bjorklund, a longtime procurement specialist who now serves as president of BirchGrove Consulting, speculated that “there may be a more fundamental issue of device suitability among the major manufacturers and OS versions.”

According to DISA approval documents, only BlackBerry phones and Playbook tablets have an “authority to operate,” or ATO, on Defense networks — not Android, Apple or any other device lines.

Bjorklund returned to the question raised by the listserv email, about the short-term sacrifices Defense is making to potentially control long-term costs.

“At what cost consolidation? I am quite certain the DoD has completed some semblance of a business case for this program. However, I know it’s often difficult to rationalize business cases in the military based on some future horizon,” he said. The rationale of “spend money now to save money later” is a “stretch rationale in daily government operations. I hope the disruption is worth it.”

Via: nextgov

Microsoft Rolls Out Student Advantage, Giving Students Free Access To Its Office Suite

Microsoft has flipped the switch on Student Advantage, a program, announced in October, that extends the availability of Office to students of educational institutions that pay for Office 365 for their staff and faculty.

According to Microsoft, 35,000 educational institutions are eligible for Student Advantage, which provides access to the ProPlus SKU of Office 365, again provided that its paid staff are current users of Office 365 ProPlus or Office Professional Plus.

Office 365 ProPlus includes Access and Lync, making it a robust set of tools. Microsoft took a dig at Google in its announcement, stating that “[e]ven Google’s own job postings require competency with Microsoft Office tools.”

What this means in practice is that Microsoft is lowering the marginal cost of Office for students to zero, while guaranteeing itself revenue through contracts with universities and the like. Microsoft cannot afford to cede mind and market share to Google, which provides a free Office competitor, and it must preserve its revenue from the product, which is a key profit source.

Office 365 ProPlus generally costs around $12 per month, per user, so the amount of ‘free’ software that Microsoft will provide is non-trivial. To protect Office from low, or zero-cost competitors, it’s probably sensible for it to sacrifice some revenue opportunity to keep up its primacy in the productivity market.

Via: techcrunch

Amazon Is Joining, Not Starting, The Drone-Delivery Revolution

Jeff Bezos shocked Middle America during a CBS “60 Minutes” segment with Charlie Rose: 30-minute Amazon deliveries by drones. Whether it’s a real product or genius PR stunt on the eve of the biggest online shopping day of the year, it doesn’t matter. The idea of a sky full of drones just hit the mainstream.

Amazon isn’t the first company to experiment with delivery by drones. In fact, over the last year, several companies beat Amazon to the punch with very similar services, testing the carrying of tacos, pizzas and packages by multi-rotor craft.

Skycatch demonstrated its aptly-named Tacocopter at Disrupt SF 2013. It flew past attendees, delivering a warm taco feet from the panel of robotics experts.

But what about a pizza? A UK franchise of the U.S.-based Domino’s demonstrated over the summer a drone carrying two pizzas, forcing career pizza delivery men and women to question the longevity of their profession.

China-based SF Express started limited live trials of package deliveries earlier this year. And SF Express’ reveal wasn’t helped along by a prominent news outlet, as in Amazon’s case. Drones carrying packages were simply spotted in Dongguang, in southern China.

As reported by Quartz at the time, local companies are not bound by rigid government regulations and restrictions in China. Forget the black hole that is the FCC, apparently Chinese businesses that want to use drones must be granted approval from the local civil aviation authorities first. There’s a certain appeal to delivery drones in China. Heavily populated areas are fighting a losing battle against smog and traffic congestion. Drones could be part of the answer.

Amazon’s program would offer 30 minute deliveries of small items – that would cover 86% of Amazon’s orders, Bezos indicated during the 60 Minutes interview. In theory, this would completely eliminate the lack of instant gratification in shopping online. In its place would be the fact that your order would be delivered by a drone. A drone! I would order a pack of pencils just to have them dropped on my front door by a robot. But this revolution will not happen anytime soon. At least not in the States.

Bezos is a marketing genius. Amazon Prime Air is unquestionably more marketing gimmick than service in the pipeline. Even Bezos cautioned on 60 Minutes that drone deliveries are still years out. The air regulations are not in place, and the drone technology still needs to mature.


Amazon is currently under fire for working and hiring practices. They are fighting a losing battle against making customers pay taxes in certain states. The Guardian discovered the retail behemoth skirted paying the UK’s corporation tax despite £7 billion in local sales. And there’s always talk about Amazon’s lack of substantial revenues. But now the company has drones!

If any company in the U.S. could pull this off, it would be Amazon. The retailer has demonstrated its knack for modernization time and time again. Of course there is a list of potential issues including regulations, scaling, and people with Airsoft guns. Innovation will overcome obstacles. However, the slope here is rather slippery. If Amazon can do this, why can’t Walmart? Will this solution to decongest roads simply result in congestion 30 meters above the ground?

Library books on demand. Inter-industrial complex deliveries. Even the delivery of a drone by a drone. The sky is the limit (sorry) for drone deliveries.

Via: techcrunch