May 24, 2013
 

Chinese hackers said to have accessed law enforcement targets

Cyber marauders sought more than just information on activists — they wanted access to FBI, DOJ investigations on spies in the U.S.

Computer World
by John P. Mello Jr
May 21, 2013

CSO -

In January 2010, Google shocked the security world by disclosing that it had been the target of a months-long advanced persistent threat mounted by hackers connected to China’s People’s Liberation Army.

“[We] have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” Google Senior Vice President and Chief Legal Officer David Drummond wrote in a blog post at the time.

Now, more than three years after that posting on what came to be known as Operation Aurora, it appears that the cyber marauders were after more than just information on activists. They were also after information on investigations of Chinese spies in the United States being conducted by the FBI and the U.S. Department of Justice.

The Aurora hackers gained access, on Google’s servers, to a database that contained information on U.S. surveillance targets, the Washington Post reported on Monday, citing current and former government officials as sources for the story.

Such information would be invaluable to China because it would allow its intelligence operatives to destroy evidence before counterintelligence agents got their hands on it, and allow the spies to evade capture and prosecution.

The database included years of surveillance information, including thousands of court orders issued to law enforcement officials around the nation seeking to monitor suspects’ email, as well as classified orders targeting foreign subjects and issued under the Foreign Intelligence Surveillance Act.

The incident set off a tiff between Google, the DOJ and the FBI, the Post reported, because the federal agencies wanted access to the company’s technical logs and other information about the breach in order to assess the potential damage done to their counterespionage efforts.


Google representative Jay Nancarrow said in an email that the company is not commenting on the matter at this time.

Google wasn’t the only target of Operation Aurora. More than 20 companies were attacked, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical.

Last month, a Microsoft executive said that the Aurora attackers had also breached his company’s servers, looking for accounts that were subject to lawful wiretap orders. The executive has since recanted those remarks.

“I was referring to statements in the media from the January 2010 timeframe,” Dave Aucsmith, senior director for Microsoft’s Institute for Advanced Technology, said in a statement.

“My comments were not meant to cite any specific Microsoft analysis or findings about motive or attacks, but I recognize that my language was imprecise,” he added.

Matt Thomlinson, Microsoft’s general manager for trustworthy computing and security added in an email, “The so-called ‘Aurora’ attacks did not breach the MS network.”

The Chinese government has denied being behind Aurora. It has noted that cyber attacks and espionage are against Chinese law and says it does all it can to combat such online activities.

An attack on the database is plausible, but given the breadth of Aurora it is unlikely that the database was a specific target, reasoned Jeffrey Carr, CEO of Taia Global and author of “Inside Cyber Warfare: Mapping the Cyber Underworld.”

“Google was only one of 20-plus companies attacked at the same time by the same group,” he said in an interview. “So I would be surprised if the database was the objective of the attack. It was likely a crime of opportunity.”

It’s also an object lesson for organizations dealing with cloud storage that’s operated by a third party, added Alan Brill, senior managing director for Kroll Advisory Solutions.

“There’s more trust being given to cloud services than some of them deserve,” he said in an interview. “It has become so easy [to store data somewhere else] that you might store something somewhere without thinking whether or not you really ought to do that.”

Direct Link:  http://www.computerworld.com/s/article/9239440/Chinese_hackers_said_to_have_accessed_law_enforcement_targets?taxonomyId=82

Apr 29, 2013
 

Microsoft moves to optional two-factor authentication

In the days to come, users of Outlook.com, Skype and SkyDrive will be given the option of adding a second form of authentication

Computer World
by Joab Jackson
April 17, 2013

IDG News Service –

Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products.

“With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account,” wrote Eric Doerr, Microsoft Account group program manager, in a blog entry announcing the secondary authentication. “It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.”

With two-factor authentication, a user logging in to a service or device supplies a second piece of information in addition to a password, so that an attacker who has obtained the password alone (through phishing, a leaked database or a keylogger) still cannot get into the account without the second factor. Microsoft is using additional verification methods such as a short code sent to the user’s mobile phone, which is entered in addition to the password, or a code sent to additional contact information the user has registered, such as an alternative email address.

Microsoft Account, formerly called Windows Live ID, is a single sign-on Web service to authenticate users of Outlook.com, SkyDrive, Skype, and other Microsoft services. It can also be used as an authentication mechanism for Windows PCs, the Xbox and Microsoft Office. Overall, Microsoft has over 700 million users registered to Microsoft Account.

Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent, each time the user logs on, to a mobile phone number that Microsoft keeps on file.

As an alternative to security codes, Microsoft is providing a number of other forms of authentication as well. For smartphones, users can deploy an authenticator app. Microsoft has released an authenticator app for Windows Phones, and third-party authenticator apps can be used for other platforms. For those devices that do not directly support two-factor authentication, such as the Xbox, users can get a secondary password, one unique to each device.

Microsoft can also keep a list of trusted devices designated by the user. With such devices, users enter a security code once and have that device remembered in future visits, eliminating the need to enter the security code for each log in. Microsoft currently offers this capability, but only with Internet Explorer and the use of additional software. Users can manage their list of trusted devices through their account settings page.

Doerr cautioned that, though more secure, two-factor authentication can be more difficult to manage. Losing the security code results in a 30-day wait for a new one. Microsoft therefore asks for at least two pieces of security information on file, in case one of them is lost or forgotten. If the user loses both the password and all of the security information, he or she will not be able to access the account again.
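The mechanics behind the authenticator-app option described above, as an added example that is not from the article or from Microsoft: a minimal implementation of time-based one-time passwords (TOTP, RFC 6238, built on the HOTP construction of RFC 4226), the open standard that third-party authenticator apps implement. Whether Microsoft’s own app used exactly this algorithm in 2013 is an assumption here, as are the secret, timestamps and account name, which are constructed for the example (the secret is the RFC 6238 test-vector key). The server side remembers the last accepted time step so that a code observed once cannot be replayed inside the clock-drift window, and it compares codes in constant time.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226): what an authenticator app and the
verifying server compute. Added illustration, not Microsoft's code; the
secret below is the RFC 6238 test-vector key, chosen so the outputs are
checkable against the published vectors."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # time-step length used by common authenticator apps
DIGITS = 6
DRIFT_STEPS = 1     # accept one step of clock skew in either direction


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from an enrolment QR code.
    Account and issuer values here are constructed for the example."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server side. Accepts a code for the current step or one step either
    way, but never for a step at or before the last accepted one, so a code
    that was shoulder-surfed or phished cannot be reused within the window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 drift: int = DRIFT_STEPS) -> None:
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_accepted_counter = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        current = int(at_time) // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_counter:
                continue  # replay, or a window older than one already used
            expected = hotp(self.secret, candidate)
            # constant-time comparison: do not leak which digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector key (constructed)
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))
    now = int(time.time())
    code = totp(secret, now)
    verifier = TotpVerifier(secret)
    print("code:", code, "accepted:", verifier.verify(code, now),
          "replay accepted:", verifier.verify(code, now))
```

The replay check is the part most home-grown verifiers omit: without `last_accepted_counter`, a code captured by a phishing page remains valid for up to 90 seconds with a one-step drift window, which is plenty of time for an attacker to relay it.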

Direct Link:  http://www.computerworld.com/s/article/9238465/Microsoft_moves_to_optional_two_factor_authentication?taxonomyId=82

 

 

Mar 06, 2013
 

FBI ‘secretly spying’ on Google users, company reveals

FOX News
March 6, 2013

Electronic Communications Privacy Act

[Image: Google National Security Letters] Mar. 5, 2013: Google has revealed some information about the FBI’s use of National Security Letters to seek information — an unprecedented win for privacy, experts said. (Google)

The FBI used National Security Letters — a form of surveillance that privacy watchdogs call “frightening and invasive” — to surreptitiously seek information on Google users, the web giant has just revealed.

Google’s disclosure is “an unprecedented win for transparency,” privacy experts said Wednesday. But it’s just one small step forward.

“Serious concerns and questions remain about the use of NSLs,” the Electronic Frontier Foundation’s Dan Auerbach and Eva Galperin wrote. For one thing, the agency issued 16,511 National Security Letters in 2011, the last year for which data was available. But Google was gagged from saying just how many letters it received — leaving key questions unanswered.

“The terrorists apparently would win if Google told you the exact number of times the Federal Bureau of Investigation invoked a secret process to extract data about the media giant’s customers,” Wired’s David Kravets wrote. He described the FBI’s use of NSLs as a way of “secretly spying” on Google’s customers.

National Security Letters are a means for the FBI to obtain information on people from telecommunications companies, authorized by the Electronic Communications Privacy Act (ECPA) and expanded under the Patriot Act. It lets the agency seek information on a subscriber to a wire or electronic communications service, although not things like the content of their emails or search queries, Google said.

And thanks to secrecy constraints built into NSLs, companies that receive them usually aren’t even allowed to acknowledge the request for information. Citing such extreme secrecy, privacy experts have decried the use of these letters in the past.

“Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power … is one of the most frightening and invasive,” the EFF wrote. “These letters … allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any meaningful oversight or prior judicial review.”

Thanks to negotiations with the government, Google finally opened the smallest chink in the armor, allowing the search giant to reveal the fact that it had received these requests for data, as well as some general information about them.

“Visit our page on user data requests in the U.S. and you’ll see, in broad strokes, how many NSLs for user data Google receives, as well as the number of accounts in question,” Richard Salgado, Google’s legal director of law enforcement and information security, wrote in a Tuesday blog post.

A new table posted to Google’s Transparency Report site outlines the details; it tabulates how many requests for information the company has received over each of the past four years: some undisclosed number between 0 and 999. With those NSLs, the FBI sought information on somewhere between 1,000 and 1,999 users/accounts.

“People don’t always use our services for good, and it’s important that law enforcement be able to investigate illegal activity,” Salgado wrote.

No other technology company presently discloses even this basic information about government requests, experts noted.

Nov 28, 2012
 

The New York Times Is Wrong: Strong Passwords Can’t Save Us

WIRED
by Mat Honan
November 15, 2012

On Nov. 7, The New York Times ran a story called “How to Devise Passwords That Drive Hackers Away.” Written by Silicon Valley correspondent Nicole Perlroth, the piece reigned over the paper’s Most Emailed List for a full week, and for a good reason: It’s properly freaked out about just how vulnerable we all are to hackers.

But by focusing on the password, it tries to prop up the unsustainable heart of our moldering security system — and it implicitly blames the victim for problems that big corporations let fester for selfish reasons. As I argue in my new cover story for Wired, the only solution is to kill the password entirely.

Much of the advice the Times offers up is quite good. No, you should not re-use passwords or use dictionary words as passwords. And, yes, your passwords should be long and complicated. Pass phrases are great! And security questions? You should never answer them honestly. (Just ask David Pogue.)

But the Times goes much further, advocating methods that no consumer should reasonably be expected to follow. To wit:

For sensitive accounts, [security expert] Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

And:

Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you’re toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password.

And: under the section headed “A Password Manager? Maybe” (The triumph of Carly Rae Jepsen!) we learn about the dangers of using password-management software like 1Password or LastPass:

Mr. Grossman said he did not trust the software because he didn’t write it.

Truly, words of wisdom for us all: We really should all be writing our own password-management programs.

* * *

Yes, you are quite vulnerable to being hacked, and no matter what The New York Times tells you, passwords aren’t the solution; they are the very problem. The idea that you can devise passwords to keep hackers away is quaint and preposterous. It is an outdated, old-fashioned notion akin to protecting a city with a wall.

But in the age of Google, and Facebook, and Spokeo, social engineering has never been easier. There is a treasure trove of data about all of us, scattered across the internet, that can be easily used to obtain password resets. Which means all of those precautions can be easily undone with the right phone call, or an errant click on a mobile browser, where the URL is often hidden to save screen real estate, or in any manner of other ways, from service to service. Hey, look, yesterday it was Skype. Tomorrow, maybe it will be your bank.

The real problem with passwords isn’t reuse or cracking. These are mere symptoms of a larger disease. Think of our password problem as being like polio.

Prior to 1900, polio was never a devastating pandemic. Though it has been with us since the dawn of civilization (like passwords!), its transmission wasn’t enough of a problem to cause large-scale epidemics. But as we entered the 20th century, a confluence of factors (larger populations living in cities with sewage treatment, and therefore with less childhood exposure to the disease, which lowered overall immunity) created a new threat, and polio went from occasional outbreak, to epidemic, to pandemic. True, there were precautions individuals could take, but they were ineffective at stopping or slowing outbreaks. You couldn’t even protect yourself without taking extreme measures, like total isolation. It took the work of society and institutions to eradicate it in the developed world — not only to create vaccines but to get those vaccines into widespread circulation.

Like polio, the password problem is also an old problem and a new problem at the same time. Passwords have been cracked since they were invented, but until recently it wasn’t an issue that had widespread implications for most people. Today, however — for a variety of reasons I detail in my story for Wired’s December issue — the problem has reached epidemic, if not pandemic, proportions. Yet instead of a systemic, universal vaccination, The New York Times is basically advocating that you go live in a cabin deep in the woods.

More importantly, the advice in this story makes the same mistake journalists make again and again, which is to put account security onus on the individual. But as individuals we are, for the most part, pretty powerless. This is Microsoft and Apple and Google and AT&T and Verizon and Bank of America and PayPal and Amazon’s job. And there’s a sure way to get their attention.

Here is a better idea than keeping an encrypted USB disk of passwords taped securely to the underside of your genitals: If a service does not offer you adequate protection, don’t use it. Want to know how to protect your password from hackers? Quit using insecure products.

For vital services — like your primary e-mail, or online banking account — you should demand at a minimum a second factor of authentication. That’s typically something you have like a code sent to your phone, or an app, or a token. If you can’t get that protection from the service you entrust with your vital data, don’t use it. I’ll say it again, because it is so important: If you are using e-mail or banking services from a provider that does not offer that second layer of protection in addition to the password, stop now. Today. Archive and delete all your messages. Transfer your money. Close your account. Seriously. Not kidding. Do it right now.

Good security is going to require tradeoffs. We’re going to have to get used to the notion that we either need to give up some of our privacy, or ease of access in order to achieve it. There’s just no other way.

The criminals — be they 15-year-old sociopaths or organized criminals — are coming for you. And your passwords won’t protect you. Even if you keep them on an encrypted USB stick.

 

Direct Link:  http://www.wired.com/gadgetlab/2012/11/why-no-password-is-safe-from-hackers/