Google Trouble?

Why are you doing this? 

Google has repeatedly shown a “disappointing disregard” for safeguarding private information about its users

Company pays ‘lip service to privacy,’ Canada says

Privacy police take aim at social media giants

Pipes and Bytes

There is another security threat that has being brewing for a long time now. This time is about the computers that control Industrial Processes and Utilities.

In the last few years the trend was to move all these dedicated systems to Windows based system. Windows have a lot of advantages, mainly related to the fact that applications are easier and cheaper to develop than any of the alternative. The availability of inexpensive hardware and thousands of developers, make the platform very competitive. The infrastructure afforded by the Internet bring the additional bonus that all these processes can be managed remotely with very little additional investment, a big incentive for companies to move their connectivity to a Wide Area Network situation.

The problem with this state of affairs (Windows system connected to the internet controlling vital equipment) is security. Although Microsoft have made progress improving the security of their OS’s, you don’t have to search very hard to find a staggering number of security holes still open. Moreover, keeping a Windows system secure requires a lot of vigilance and a proactive approach, not always a concern that has high priority for the operating companies. In many instances, management may not even be aware of the magnitude of the problem.

Because of the criticality of some pieces of equipment, the issue is one of national security. Sabotage by terrorist groups or enemy states would acquire a whole new meaning when somebody has the power to shut-down a significant portion of a country’s electric grid or water supply.

As it is usually the case with widely interconnected systems, the weakest link can be exploited by hackers to gain access to the system, thus, no matter how strong the protection of the important nodes is, failure to protect every possible node could bring the whole system down.

The problem certainly caught the attention of security experts and practitioners since at least a decade ago. Here some references to the problems from the SANS Institute reading room.

The ideas being floated around the concept of bug ridden smart-meters for the distribution grid will add another spin to this issue.

 

 

Open letter to Mr. Phisher

I received a very amusing e-mail today:

Hello,
It is with profound sense of sadness i wrote this email to you. I don’t know how you will find this but you just have to forgive me for not telling you before leaving. I traveled down to United Kingdom Yesterday for a short vacation but unfortunately,i was mugged at a gun point on my way to the hotel i lodged all my money and all other vital documents including my credit card and my cell phone have been stolen by muggers.
I’ve been to the embassy and the Police here but they’re not helping issues at all,Things are difficult here and i don’t know what to do at the moment that why i email to ask if you can lend me £1,500.00 so i can settle the hotel bill and get a returning ticket back home. Please do me this great help and i promise to refund the money as soon as i get back home.
I look forward to your positive response.
Thanks

This coming supposedly coming from the Gmail of a fellow engineer that happens to live in my town and is at 2 degrees of separation from me in the LinkedIn network.

Sorry, Mr. Phisher, I don’t know the guy enough to send the funds, my bad for not being more proactive in extending my network, he was just a step away! (if he really is the one who set the account with his name). It will help your cause if you read the newspapers, for the last few days there have been no flights to or from London, you know, the volcano thing.

I heard stories of people getting similar e-mails from people they know, some of the stories may be more verisimilar even. The would be phishers make good use of the information that can be gathered from social networks to craft these targeted e-mails.

 

Google problems may have bigger problems than people creating accounts to send phishing e-mails.

 

Round-up of bad news on Social networks. (Updated)

HOW THE HACK WORKED

-The attackers used social media networks, blogs and email accounts to send out links to Web domains that they controlled.

-When users clicked on the links, the attackers were able to gain control of their computers and retrieve documents from them.

-The use of intermediaries such as Twitter allowed the hackers to cover their tracks so network administrators would not realize the computers had been compromised.

Read more here.

The cyberspies used popular online services, including Twitter, Google’s Google Groups and Yahoo mail, to access infected computers, ultimately directing them to communicate with command and control servers in China, according to the report, “Shadows in the Cloud”.

Read more here.

German anti-Facebook backlash gathers speed.

Possible legal trouble for Facebook

GSM encryption really broken

GSM (Global System for Mobile communications) is an open, digital cellular technology used for voice and data services.

GSM supports voice calls and data transfer as well as the transmission of SMS. It operates in the 900MHz and 1.8GHz bands in Europe and the 1.9GHz and 850MHz bands in the US.

Australia, Canada and many South American countries use the 850MHz band for GSM and 3G. There are an estimated 4 billion users in more than 218 countries and its encryption scheme is irreversible broken by now.

At the 26th Chaos Communication Congress Nohl and Paget presented their plan to work out a code book for the A5/1 cipher used by GSM. Karsten Hohl, has recently announce that the full GSM codebook had been produced and the result is a 2TB file that can be used to decrypt and hear the audio in a matter of hours. This represents a turning point, because the big expense and time spent on the creation of the tables does not need to be repeated. The tables are available to hackers that need only to sniff the GSM traffic and spend only a few hours of searching through the tables to be able to hear the conversation.

The GSM spec includes a stronger cipher, A5/3, but both, the phone and the base station have to be able to handle it, otherwise the exchange will reverse back to the weaker cipher.  Carriers are very slow to make the necessary changes and A5/3 does not seem to have a very long life anyways.

 

Related links:

 

Cracking GSM phone crypto via distributed computing

The A5/1 code table site

 

Ontario privacy commissioner orders ‘strong encryption’ of health records

My prediction is that we are going to see more and more of these privacy commissioner orders as the guys in charge get more serious about not being sued.

The Random Matchmaker : Phone Company’s new by product.

A network glitch(?) that logs AT&T users into other people facebook accounts at random was reported today.

Who knows, in the future many kids could attribute their existence to a programming error. If so should we call it the Destiny_2.0 bug?

The ‘Enigma’ of the broken GSM phones Encryption

Although it has been known for a few years, the weakness of encryption schemes for GSM phones is in the spotlight again. This time thanks to a group of hackers that made the whole business of listening in, easy and cheap.

GSM has been known to be hackable for years, but the problem is not being fixed as proactively as it should.

Could be drawn with the situation of the Enigma machines being sold around the world after WWII?

 

 

SSL 3.0 / TLS subjected to Man in the Middle Attack

An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.

Here is a list of links to websites where the issue is being followed:

http://www.phonefactor.com/sslgap/

IETF resources

Red Hat

SANS.org

Facebook and privacy

It looks like Canadian laws are finally forcing Facebook to play nice with their users’ personal information.
read the whole article http://www.financialpost.com/news-sectors/technology/story.html?id=1902992