Posts tagged ‘Privacy’

Schneier on Security: Voter Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There hasn’t been that much written about surveillance and big data being used to manipulate voters. In Data and Goliath, I wrote:

Unique harms can arise from the use of surveillance data in politics. Election politics is very much a type of marketing, and politicians are starting to use personalized marketing’s capability to discriminate as a way to track voting patterns and better “sell” a candidate or policy position. Candidates and advocacy groups can create ads and fund-raising appeals targeted to particular categories: people who earn more than $100,000 a year, gun owners, people who have read news articles on one side of a particular issue, unemployed veterans…anything you can think of. They can target outraged ads to one group of people, and thoughtful policy-based ads to another. They can also fine-tune their get-out-the-vote campaigns on Election Day, and more efficiently gerrymander districts between elections. Such use of data will likely have fundamental effects on democracy and voting.

A new research paper looks at the trends:

Abstract: This paper surveys the various voter surveillance practices recently observed in the United States, assesses the extent to which they have been adopted in other democratic countries, and discusses the broad implications for privacy and democracy. Four broad trends are discussed: the move from voter management databases to integrated voter management platforms; the shift from mass-messaging to micro-targeting employing personal data from commercial data brokerage firms; the analysis of social media and the social graph; and the decentralization of data to local campaigns through mobile applications. The de-alignment of the electorate in most Western societies has placed pressures on parties to target voters outside their traditional bases, and to find new, cheaper, and potentially more intrusive, ways to influence their political behavior. This paper builds on previous research to consider the theoretical tensions between concerns for excessive surveillance, and the broad democratic responsibility of parties to mobilize voters and increase political engagement. These issues have been insufficiently studied in the surveillance literature. They are not just confined to the privacy of the individual voter, but relate to broader dynamics in democratic politics.

Krebs on Security: ISIS Jihadi Helpdesk Customer Log, Nov. 20

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

From NBC News come revelations that ISIS has its very own web-savvy, 24-hour Jihadi Help Desk manned by a half-dozen senior operatives to assist foot soldiers in spreading their message far and wide. My first reaction to this story was disbelief, then envy (hey, where the heck is my 24/7 support?). But soon enough I forgot about all that, my mind racing with other possibilities.

Imagine the epic trolling opportunities available to a bored or disgruntled Jihadi Help Desk operator. For this persona, we need to reach way back into the annals of Internet history to the Bastard Operator from Hell (BOFH) — a megalomaniacal system administrator who constantly toyed with the very co-workers he was paid to support. What might a conversation between a jihadi and the Bastard Jihadi Operator from Hell (BJOFH) sound like?

[RECORDED MESSAGE]: Thank you for contacting the ISIS Jihadi Help Desk. We are currently experiencing higher than normal call volume. Please wait and your inquiry will be answered in the order that it was received. This call may be monitored for customer service and Jihadi training purposes.

JIHADI: [audible sigh].


BJOFH: ISIS Jihadi Helpdesk, Mohammed speaking, how may I help you?

JIHADI: Finally! I thought someone would never answer! I’ve been sitting here sweating bullets and listening to the same infidel hold music over and over.

BJOFH: My sincerest apologies, sir. Someone hit “reply-all” on an operational email, and that really lit up our switchboard this morning. Also, most of the encrypted email services we use are under attack by some other terrorist group and are offline at the moment.

JIHADI: Too bad for them. Seriously, you guys call this 24/7 support?? I’ve been parked on this couch for hours waiting for some son-of-a-dog to answer!

BJOFH: [Pause. Deep breath.]…Well, you’ve got me now, sir. What can I do to…er…for you?

JIHADI: Right. So I’ve got a hardware problem. This itchy vest I have keeps beeping, really loud. It’s getting super annoying, and I’ve got to have some quiet prayer…you know….me-time…pretty soon now, understand?

BJOFH: Yes, I see. Well, good news, brother! I think I can help you. Tell me…is there a mobile phone attached to the vest?

JIHADI: [inaudible…fumbling with receiver]….uh..yeah there is..Huh…feels like there’s one sewn into the left inside pocket.

BJOFH: So, I’m going to try something on my end. Sit tight, and I’ll  be right back.

JIHADI: [pause] Uh…okay. But don’t be gone so long this time!

BJOFH: [one minute later]…Thanks for holding. Yeah, looks like I’m going to have to go ahead and troubleshoot this issue a bit more. Can you do me a favor and call me from the vest phone?

JIHADI: Uh..wait, through the jacket, you mean?

BJOFH: Yes, sir. My desk line here is 1-866-GO-JIHAD.

JIHADI: Okay. But it’s kinda hard to reach the keypad. So many wires….

BJOFH: Totally fine, sir. Take your time. You should still be able to feel the phone’s keypad through the pocket fabric.

JIHADI: Okay yeah, I think I got it. So how do I send the call?

BJOFH: If your vest is the model I think it is, the “Send Message” button should be the big one in the middle above the keypad.

JIHADI: [Fumbling with the phone] Okay, is it ringing?

BJOFH: [Line rings in background] Yep, got it, thanks. Okay, now I’m going to call you back.


BJOFH: Great. Do me a favor and just wait until the phone rings at least once before answering, okay?

JIHADI: Fine, whatever. Just…today, maybe?

BJOFH: You bet. Go JIHAD!

JIHADI: Wait a second! how do I answer…[fumbling with the receiver]

[Vest phone rings. Line goes dead].

All satire aside, the jihadis take their security and privacy seriously, shouldn’t you? has helpfully published a translated 34-page Opsec Guide (PDF), a document originally printed in Arabic and intended to introduce newbies to basic operational security measures, techniques and technologies. It’s not the easiest tutorial to read, but it does reference a great many resources worth investigating further.

Update, 5:12 p.m. ET: An earlier version of this article incorrectly attributed the source of the Opsec article referenced in the last paragraph.

AWS Security Blog: AWS Announces Successful SOC Assessment with 3 New Services in Scope

This post was syndicated from: AWS Security Blog and was written by: Chad Woolf. Original post: at AWS Security Blog

Today, I’m happy to announce the completion of another successful Service Organization Controls (SOC) assessment.

The AWS SOC program is an intense, period-in-time audit performed every six months. We have been releasing SOC Reports (or their SAS 70 predecessors) regularly since 2009, and we have, over the years, gradually built in more controls and added more services. These third-party assessments from Ernst & Young are mature and extensive, and attest to our alignment with the American Institute of Certified Public Accountants (AICPA) Security Trust Principles. The SOC programs continue to be a key component of our efforts to provide transparency to our customers in information security, confidentiality, and privacy.

The following 3 AWS services have been added to the scope of our SOC Reports:

This increases the number of services covered in our SOC Reports to 26, and with 34 AWS Edge Locations also in scope, AWS customers can satisfy a variety of use cases.

Our updated AWS SOC 1 and SOC 2 Security & Availability Reports cover the report period of April 1, 2015, through September 30, 2015, and will continue to be reaffirmed in a six-month cadence going forward. To request the latest SOC 1 or SOC 2 Reports, contact AWS Sales and Business Development. Alternatively, depending on your regulatory requirements, the SOC 3 Report is publically available for download via our AWS Compliance website, or you can view it directly.

Have additional questions about SOC reports? See our FAQ on the topic.

To see all publicly available certifications, see AWS Published Certifications, and to keep up with the latest AWS Compliance news, see AWS Compliance – Latest News.

– Chad Woolf, Director of AWS Risk and Compliance

Detectify: Chrome Extensions – AKA Total Absence of Privacy

This post was syndicated from: and was written by: corbet. Original post: at

The “Detectify Labs” site has put up a lengthy analysis of the user tracking taking place in many Chrome browser extensions. “Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely ” At the end they note that the situation with Firefox is not a whole lot better.

Schneier on Security: Ads Surreptitiously Using Sound to Communicate Across Devices

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is creepy and disturbing:

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Related: a Chrome extension that broadcasts URLs over audio.

Schneier on Security: On CISA

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They’re now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.)

Now that it’s pretty solid, I find that I don’t have to write anything, because Danny Weitzner did such a good job, writing about how the bill encourages companies to share personal information with the government, allows them to take some offensive measures against attackers (or innocents, if they get it wrong), waives privacy protections, and gives companies immunity from prosecution.

Information sharing is essential to good cybersecurity, and we need more of it. But CISA is really a bad law.

This is good, too.

Schneier on Security: Refuse to Be Terrorized

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Paul Krugman has written a really good update of my 2006 essay.


So what can we say about how to respond to terrorism? Before the atrocities in Paris, the West’s general response involved a mix of policing, precaution, and military action. All involved difficult tradeoffs: surveillance versus privacy, protection versus freedom of movement, denying terrorists safe havens versus the costs and dangers of waging war abroad. And it was always obvious that sometimes a terrorist attack would slip through.

Paris may have changed that calculus a bit, especially when it comes to Europe’s handling of refugees, an agonizing issue that has now gotten even more fraught. And there will have to be a post-mortem on why such an elaborate plot wasn’t spotted. But do you remember all the pronouncements that 9/11 would change everything? Well, it didn’t — and neither will this atrocity.

Again, the goal of terrorists is to inspire terror, because that’s all they’re capable of. And the most important thing our societies can do in response is to refuse to give in to fear.


But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show’s viewership.

The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn’t make us any safer.

This crass and irreverent essay was written after January’s Paris terrorist attack, but is very relevant right now.

Linux How-Tos and Linux Tutorials: 11 Things To Do After Installing Ubuntu 15.10

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Figure 1: The Ubuntu 15.10 Software Updater.

You’ve installed the latest iteration of one of the most popular Linux desktop distributions on the planet and will most likely find a platform ready to do nearly everything you need it to do.


There are still some tasks you can tackle to make that environment even more efficient, more productive, and more enjoyable. Best of all, these to-do (which some might consider “must-do”) items are all very simple to undertake. Within a short span of time, you’ll have a masterful Ubuntu desktop, ready to do your bidding with ease and aplomb.

Before we dive into this, understand that not every idea laid out here will apply to every user. I will try to make this as universal as possible, but sometimes specificity might get in the way.

With that said, let’s get to work.

1. Update.

Even though you might have checked the box for downloading and installing updates during the installation, more than likely there will still be updates to be had right out of the gate. Don’t even bother to wait for the update manager to pop up and remind you there are updates. Open the dash (either click on the Ubuntu logo icon in the upper left corner or click the Super key on your keyboard), search for updates, and click the Software Updater launcher. When the updater runs (Figure 1, above), okay any updates that are available. Bug fixes tend to happen frequently soon after the release.  

2. Install AppGrid

Although the Ubuntu Software Center is a great tool in theory, in practice it falls a wee bit short. First and foremost, the thing is slow…far too slow for most. Second, its interface has never been remotely close to best in breed. Because of this, I highly recommend installing AppGrid (Figure 2). Not only does it make finding software a lot easier, it’s incredibly fast. Installing AppGrid on Ubuntu is simple, just follow these steps:

  1. Press [Ctrl]+[Alt]+[t] to open a terminal window

  2. Add the necessary repository with the command sudo add-apt-repository ppa:appgrid/stable


  3. When prompted, press Enter

  4. Update apt’s sources with the command sudo apt-get update

  5. Install AppGrid with the command sudo apt-get install appgrid 

That’s it. You should now have a much more efficient means of finding and installing software.

Figure 2: AppGrid is a much better package manager frontend for Ubuntu.

3. Install proper graphics drivers

If you plan on doing any Steam gaming, watching movies, editing video or any other graphics-intensive work, you will want to make use of the latest versions of graphics drivers better suited for the task. To do this, follow these steps:

  1. Open the Dash and type software

  2. Click to open the Software & Updates tool

  3. Click on the Additional Drivers tab

  4. Should any additional drivers be found, select the available driver that best suits your needs (Figure 3)

  5. Click Apply changes

  6. If prompted, reboot your machine so the changes will take effect 

It is important to make sure you install the proper driver for your card…so you will want to know which card you have on your machine. An easy way to find out what card you have is to open up System Settings and then click on Details. You will see make and model of your chipset listed there. 

4. Install additional media codecs

Remember what I said about having to install updates, even though you checked to have them installed during installation? There’s also a check box for installing additional media codecs. Guess what? That step won’t always download and install everything you want…and the last thing you want to do is struggle to get your media files to play. So, in order to get all the additional media codecs necessary, follow these steps:

  1. Open up AppGrid (or the Ubuntu Software Center if you so choose)

  2. Search for Ubuntu restricted extras 

  3. Click Install

  4. Allow the installation to complete 

5. Install tweak tools

I still cannot figure out why there are no tweak tools installed by default. Well, they’re not and you’ll want them. With Tweaks you can customize your desktop with far more flexibility than you can with the default options. There are two outstanding tweak tools you will want to add: unity-tweak-tool and gnome-tweak-tool. Both of these apps can be installed from the standard repositories like so:

  1. Open a terminal window

  2. Issue the command sudo apt-get install unity-tweak-tool gnome-tweak-tool

  3. Type your sudo password and hit Enter

  4. Allow the installation to complete

Oddly enough, you won’t find entries for either tool in the Dash, so you have to run them from the terminal. The apps are run with the following commands:

  •  unity-tweak-tool 

  •  gnome-tweak-tool 

With each tool you’ll gain significant control over the look and feel of your desktop (Figure 5). 

6. Adjust your menus

I’ve been a fan of Unity’s global menu system for a long time now. However, some users prefer a more standard menu system. With Ubuntu 15.10 you can switch between having the menus in the window’s title bar or in the main menu bar (the panel at the top of the window). Here’s how:

  1. Open System Settings

  2. Go to Appearance > Behavior

  3. Select the menu type you want from the Show the menus for a window section (Figure 6).

Figure 6: Switching where Unity displays app menus in Ubuntu 15.10. 

7. Install a better audio player

Ubuntu 15.10 defaults to Rhythmbox as its music player. For many, many users, this won’t be satisfactory. There are plenty of options available, but the one I always turn to is Clementine. Not only does Clementine offer superior playlists (Figure 7), but it has a built-in EQ and you can even connect it to streaming sources like Spotify.

Clementine can be found in the default repositories, so just open up either AppGrid or the Ubuntu Software Center, search for clementine, and click to install.

Figure 7: Clementine running on Ubuntu 15.10.

8. Set privacy to suit your needs

Ubuntu was under fire for a long time about privacy. Out of the box, Unity would allow online searches from the Dash…something many considered to be a security risk. I was always one to make good use of the online searching. If, however, you would prefer to not include online searching, you can easily turn it off. To do this, open up System Settings and go to Security & Privacy. Click on the Search tab and then disable online search results (Figure 8).

Figure 8: Enable or disable online search results for Unity’s Dash.

9. Get themes

Ubuntu has only shipped with two themes for a long time…neither of which are really all that appealing. You can always install new themes…there are plenty of them out there. The best way to do this is search for Ubuntu themes and only install those that offer an updated ppa that can be added. One of my favorite themes for Unity is the Arc theme. You will need to first have the Unity Tweak Tool installed (so you can actually switch to a third-party theme). Installing the Arc theme is simple:

  1. Open up a terminal window

  2. Add the necessary ppa with the command sudo sh -c "echo 'deb /' >> /etc/apt/sources.list.d/arc-theme.list"

  3. Download the repository key with the command wget

  4. Add the key with the command sudo apt-key add - < Release.key

  5. Update apt with the command sudo apt-get update 

  6. Install the theme with the command sudo apt-get install arc-theme

  7. Now open the Unity Tweak Tool, click on Theme, and then select Arc under the Theme tab (Figure 9).

Figure 9: Selecting the Arc theme in the Unity Tweak Tool.

10. Set up your cloud connections

Naturally you will want to connect your desktop to whatever cloud account you use. Many cloud accounts now have Linux clients and some (such as Dropbox) can be installed from within the package manager. For example, open up AppGrid and search for Dropbox. You will be greeted with a listing for Dropbox that is actually just the Nautilus integration component. However, after you install this app, you will be prompted to restart Nautilus and then start Dropbox. This process will then download and install the newest official Dropbox client (Figure 10).

11. Get to know the new network device naming scheme

For the first time in the Ubuntu lifespan, stateless, persistent network names are now used for network devices. This means the old naming scheme of eth0/eth1/wlan0/wlan1 is no more. In its place will be more descriptive names (such as wlp4s0). If you issue the command ifconfig you will see the persistent names for your devices…use these instead of the old standbys you’ve been using for years. This will take some time to get used to, so start getting familiar with this new naming scheme now. Anyone making use of older networking scripts will need to modify those scripts to reflect this new naming scheme.
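The last sentence above is the one that bites on an upgraded machine: a firewall or provisioning script that hard-codes eth0 silently matches nothing once the interface is called enp3s0. The following script is an added example, not part of the original tutorial. It lists the names the kernel actually reports (from /sys/class/net) and scans script text for the legacy eth/wlan names so they can be fixed before they fail. The sample script content and the directory-walk helper are constructed for illustration.

```python
"""Find the legacy eth0/wlan0 interface names that Ubuntu 15.10's
persistent naming scheme (enp3s0, wlp4s0, ...) no longer provides.
Added example; not part of the original tutorial."""
import os
import re

# A legacy name is eth or wlan followed by digits, as a whole token.
LEGACY_NAME = re.compile(r"(?<![A-Za-z0-9_])(eth|wlan)\d+(?![A-Za-z0-9_])")


def current_interfaces(sysfs="/sys/class/net"):
    """Interface names as the kernel reports them (e.g. lo, enp3s0, wlp4s0).
    Returns an empty list where sysfs is not available."""
    try:
        return sorted(os.listdir(sysfs))
    except OSError:
        return []


def is_legacy_name(name):
    """True for names in the old kernel scheme (eth0, wlan1), False otherwise."""
    return LEGACY_NAME.fullmatch(name) is not None


def find_legacy_references(lines):
    """Return (line_number, line) for every line mentioning a legacy name."""
    hits = []
    for number, line in enumerate(lines, 1):
        if LEGACY_NAME.search(line):
            hits.append((number, line.rstrip("\n")))
    return hits


def scan_file(path):
    """Apply find_legacy_references to one script on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_legacy_references(fh)


def scan_directory(root):
    """Walk a directory tree (e.g. a hypothetical /etc/network/if-up.d)
    and report every file that still refers to a legacy interface name."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                report[path] = hits
    return report


# Constructed sample script text, so the example runs without real files.
SAMPLE_SCRIPT = [
    "#!/bin/sh\n",
    "ifconfig eth0 up\n",
    "iptables -A INPUT -i wlan0 -j ACCEPT\n",
    "ethtool -k enp3s0\n",      # 'ethtool' is not an interface name; no hit
    "ip link set wlp4s0 up\n",  # already uses the persistent name
]

if __name__ == "__main__":
    print("interfaces present:", current_interfaces() or "(sysfs unavailable)")
    for number, line in find_legacy_references(SAMPLE_SCRIPT):
        print(f"sample script line {number}: {line}")
```

Running it prints the names on the current machine and flags lines 2 and 3 of the sample script; scan_directory(root) does the same across a tree of scripts and returns a path-to-hits dictionary.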

At this point, Ubuntu should be a gorgeous, efficient platform ready to do your bidding. Yes, there may well be other apps you need to install, but those are mostly just an AppGrid or Ubuntu Software Center away.

Enjoy Ubuntu 15.10!

Let's Encrypt: Public Beta: December 3, 2015

This post was syndicated from: Let's Encrypt and was written by: Let's Encrypt. Original post: at Let's Encrypt

Let’s Encrypt will enter Public Beta on December 3, 2015. Once we’ve entered Public Beta our systems will be open to anyone who would like to request a certificate. There will no longer be a requirement to sign up and wait for an invitation.

Our Limited Beta started on September 12, 2015. We’ve issued over 11,000 certificates since then, and this operational experience has given us confidence that our systems are ready for an open Public Beta.

It’s time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

We have more work to do before we’re comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We’ll be monitoring feedback from users closely, and making improvements as quickly as possible.

Let’s Encrypt depends on support from a wide variety of individuals and organizations. Please consider getting involved, and if your company or organization would like to sponsor Let’s Encrypt please email us at

Krebs on Security: The Lingering Mess from Default Insecurity

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks.  This story examines one contributor to the problem, and asks whether we should demand better security from ISPs, software and hardware makers.

These attacks are fueled in part by an explosion in the number of Internet-connected things that are either misconfigured or shipped in a default insecure state. In June I wrote about robot networks or “botnets” of hacked Internet routers that were all made and shipped by networking firm Ubiquiti. Attackers were able to compromise the routers because Ubiquiti shipped them with remote administration switched on by default and protected by a factory default password pair (ubnt/ubnt or no password at all).

That story followed on reports from security firm Imperva (see Lax Security Opens the Door for Mass-Scale Hijacking of SOHO Routers) which found a botnet of tens of thousands of hijacked Ubiquiti routers being used to launch massive ransom-based denial-of-service attacks. Imperva discovered that those tens of thousands of hacked devices were so easy to remotely control that each router was being exploited by several different extortion groups or individual criminal actors. The company also found those actors used the hacked routers to continuously scan the Internet for more vulnerable routers.

Last week, researchers in Vienna, Austria-based security firm SEC Consult released data suggesting that there are more than 600,000 vulnerable Ubiquiti routers in use by Internet service providers (ISPs) and their customers. All are sitting on the Internet wide open and permitting anyone to abuse them for these digital shakedowns.

These vulnerable devices tend to coalesce in distinct geographical pools with deeper pools in countries with more ISPs that shipped them direct to customers without modification. SEC Consult said it found heavy concentrations of the exposed Ubiquiti devices in Brazil (480,000), Thailand (170,000) and the United States (77,000).

SEC Consult cautions that the actual number of vulnerable Ubiquiti systems may be closer to 1.1 million. Turns out, the devices ship with a cryptographic certificate embedded in the router’s built-in software (or “firmware”) that further weakens security on the devices and makes them trivial to discover on the open Internet. Indeed, the Censys Project, a scan-driven Internet search engine that allows anyone to quickly find hosts that use that certificate, shows exactly where each exposed router resides online.

The Imperva research from May 2015 touched a nerve among some Ubiquiti customers who thought the company should be doing more to help customers secure these routers. In a May 2015 discussion thread on the company’s support site, Ubiquiti’s vice president of technology applications Matt Hardy said the router maker briefly disabled remote access on new devices, only to reverse that move after pushback from ISPs and other customers who wanted the feature turned back on.

In a statement sent to KrebsOnSecurity via email, Hardy said the company doesn’t market its products to home users, and that it sells its products to industry professionals and ISPs.

“Because of this we originally shipped with the products’ configurations as flexible as possible and relied on the ISPs to secure their equipment appropriately,” he said. “Some ISPs use self-built provisioning scripts and intentionally locking down devices out of the box would interfere with the provisioning workflows of many customers.”

Hardy said it’s common in the networking equipment industry to ship with a default password for initial use. While this may be true, it seems far less common that networking companies ship hardware that allows remote administration over the Internet by default. He added that beginning with firmware version 5.5.2 — originally released in August 2012 — Ubiquiti devices have included very persistent messaging in the user interface to remind customers to follow best practices and change their passwords.

“Any devices shipping since then would have this reminder and users would have to intentionally ignore it to install equipment with default credentials,” he wrote.  Hardy noted that the company also provides a management platform that ISPs can use to change all default device passwords in bulk.

Ubiquiti's nag screen asking users to change the default credentials. The company's devices still ship with remote administration turned on.

When companies ship products, software or services with built-in, by-design vulnerabilities, good citizens of the Internet suffer for it. Protonmail — an email service dedicated to privacy enthusiasts — has been offline for much of the past week thanks to one of these shakedowns.

[NB: While no one is claiming that compromised routers were involved in the Protonmail attacks, the situation with Ubiquiti is an example of the type of vulnerability that allows attackers to get in and abuse these devices for nefarious purposes without the legitimate users ever even knowing they are unwittingly facilitating criminal activity (and also making themselves a target of data theft)].

Protonmail received a ransom demand: Pay Bitcoins or be knocked offline. The sad part? The company paid the ransom and soon got hit by what appears to be a second extortion group that likely smelled blood in the water.

The criminal or group that extorted Protonmail, which self-identifies as the “Armada Collective,” also tried to extort VFEmail, another email service provider.  VFE’s Rick Romero blogged about the extortion demand, which turned into a full-blown outage for his ISP when he ignored it. The attack caused major disruption for other customers on his ISP’s network, and now Romero says he’s having to look for another provider. But he said he never paid the ransom.

“It took out my [hosting] provider and THEIR upstream providers,” he said in an email. “After the 3rd attack took down their datacenter, I got kicked out.”

For his part, Romero places a large portion of the blame for the attacks on the ISP community.

“Who can see this bandwidth? Who can stop this,” Romero asked in his online column. “I once had an argument with a nice German fellow – they have very strict privacy laws – about what the ISP can block.  You can’t block anything in the EU.  In the US we’re fighting for open access, and for good reason – but we still have to be responsible netizens. I think the ISP should have the flexibility to block potentially harmful traffic – whether it be email spam, fraud, or denial of service attacks.”

So, hardware makers definitely could be doing more, but ISPs probably have a much bigger role to play in fighting large scale attacks. Indeed, many security experts and recent victims of these Bitcoin shakedowns say the ISP community could be doing a lot more to make it difficult for attackers to exploit these exposed devices.

This is how the former cyber advisor to Presidents Clinton and Bush sees it. Richard Clarke, now chairman and CEO of Good Harbor Consulting, said at a conference last year that the ISPs could stop an awful lot of what’s going on with malware and denial-of-service attacks, but they don’t.

“They don’t, they ship it on, and in some cases they actually make money by shipping it on,” Clarke said at a May 2014 conference by the Information Systems Security Association (ISSA). “Denial-of-service attacks actually make money for the ISPs, huge volumes of data coming down the line. Why don’t we require ISPs to do everything that the technology allows to stop [denial-of-service] attacks and to identify and kill malware before it gets to its destination. They could do it.”

One basic step that many ISPs can take, but are not taking, to blunt these attacks involves a network security standard that was developed and released more than a dozen years ago. Known as BCP38, its use prevents abusable resources on an ISP’s network (e.g., hacked Ubiquiti routers) from being leveraged in especially destructive and powerful denial-of-service attacks.

Back in the day, attackers focused on having huge armies of bot-infected computers they controlled from afar. These days an attacker needs far fewer resources to launch even more destructive attacks that let the assailant both mask his true origin online and amplify the bandwidth of his attacks.

Using a technique called traffic amplification, the attacker reflects his traffic from one or more third-party machines toward the intended target. In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.

BCP-38 is designed to filter such spoofed traffic, so that it never even traverses the network of an ISP that’s adopted the anti-spoofing measures. This blog post from the Internet Society does a good job of explaining why many ISPs ultimately decide not to implement BCP38.
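To make the reflection argument above concrete, here is an added example (not from Krebs’s post) that models a customer-edge router applying the BCP38 source-address check and an open reflector that answers whatever source address a packet claims. The prefixes, addresses, packet sizes and amplification factor are constructed; the point it shows is that the filter only helps when it sits at the spoofer’s ingress, since the reflector and victim never see a spoofed packet that was dropped there.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is a minimal model of an IP datagram: only the fields the filter
// and the reflector care about.
type Packet struct {
	Src, Dst net.IP
	Size     int // bytes on the wire
}

// IngressFilter implements the BCP38 rule at an ISP's customer-facing edge:
// a packet entering from a customer port is forwarded only if its source
// address lies inside a prefix the ISP assigned to that customer.
type IngressFilter struct {
	allowed map[string][]*net.IPNet // customer port -> assigned prefixes
}

func NewIngressFilter() *IngressFilter {
	return &IngressFilter{allowed: map[string][]*net.IPNet{}}
}

// Assign records that the prefix cidr belongs to the customer on port.
func (f *IngressFilter) Assign(port, cidr string) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	f.allowed[port] = append(f.allowed[port], n)
	return nil
}

// Permit reports whether a packet arriving on port passes the BCP38 check.
func (f *IngressFilter) Permit(port string, p Packet) bool {
	for _, n := range f.allowed[port] {
		if n.Contains(p.Src) {
			return true
		}
	}
	return false
}

// Reflect models an open reflector (a DNS- or NTP-style service that answers
// whoever the packet claims to be from): the reply is amp times the size of
// the request and goes to the request's source address, spoofed or not.
func Reflect(req Packet, amp int) Packet {
	return Packet{Src: req.Dst, Dst: req.Src, Size: req.Size * amp}
}

// BytesAtVictim sends n copies of req from a customer port, through the
// ingress filter when filtering is on, then through the reflector, and
// returns how many reply bytes land on the victim.
func BytesAtVictim(f *IngressFilter, filtering bool, port string, req Packet, amp, n int, victim net.IP) int {
	total := 0
	for i := 0; i < n; i++ {
		if filtering && !f.Permit(port, req) {
			continue // dropped at the spoofer's own ISP: source not in the customer's prefix
		}
		reply := Reflect(req, amp)
		if reply.Dst.Equal(victim) {
			total += reply.Size
		}
	}
	return total
}

func main() {
	f := NewIngressFilter()
	_ = f.Assign("cust-7", "203.0.113.0/24") // constructed: the abused router's real prefix
	victim := net.ParseIP("198.51.100.10")    // constructed victim address
	reflector := net.ParseIP("192.0.2.53")    // constructed open reflector
	// The abused device sends 60-byte queries forged to look as if they came from the victim.
	spoofed := Packet{Src: victim, Dst: reflector, Size: 60}
	fmt.Println("bytes at victim without BCP38:", BytesAtVictim(f, false, "cust-7", spoofed, 50, 1000, victim))
	fmt.Println("bytes at victim with BCP38:   ", BytesAtVictim(f, true, "cust-7", spoofed, 50, 1000, victim))
}
```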

As the Internet of Things grows, we can scarcely afford a massive glut of things that are insecure-by-design.  One reason is that this stuff has far too long a half-life, and it will remain in our Internet’s land and streams for many years to come.

Okay, so maybe that’s putting it a bit too dramatically, but I don’t think by much. Mass-deployed, insecure-by-default devices are difficult and expensive to clean up and/or harden for security, and the costs of that vulnerability are felt across the Internet and around the globe.


Darknet - The Darkside: ProtonMail DDoS Attack – Sustained & Sophisticated

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So the ProtonMail DDoS Attack – if you’re not familiar, ProtonMail is a secure, free, encrypted e-mail service that promises absolutely no compromises. It’s been getting hit hard since November 3rd, with a large scale rather sophisticated set of DDoS attacks rendering it unable to receive or send e-mail. It seems to have…


TorrentFreak: MPAA: Online Privacy Hurts Anti-Piracy Enforcement

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Every year the United States Trade Representative (USTR) inventories what problems local industries face when doing business abroad.

The major Hollywood studios, represented by the MPAA, just submitted their latest overview listing trade barriers across the globe.

The MPAA points out that many countries don’t do enough to deter piracy. This is also a common theme in Europe, where privacy laws and regulations make it harder for copyright holders to go after online pirates.

“Privacy has always been a major issue in the European Union. EU Member States have implemented a number of privacy directives to protect individuals’ personal data,” MPAA writes.

According to the MPAA, European privacy rules are extremely complex and difficult. As a result they are often used against efforts that could help to prevent copyright infringement.

For example, IP-addresses are protected as private personal information in several countries including Italy, where they can only be used in criminal cases.

“All EU Member States have detailed data protection laws. These rules, often very strict, are subject to the interpretation of the national data protection authorities,” MPAA notes (pdf).

“Most of them consider IP addresses as personal data and believe that the privacy rules apply to their use,” they add.

The MPAA points out that privacy rights of citizens often trump the rights of copyright holders, which they believe is a “very problematic” development.

As a result, Internet providers often refuse to cooperate with copyright holders claiming that this violates the privacy of their users. This makes it hard for the content industries to cooperate with these companies in various anti-piracy efforts.

“Telecommunications operators and ISPs constantly invoke data protection rules to avoid any meaningful cooperation with the content sector,” MPAA writes.

“Such restrictive interpretations preclude meaningful cooperation with Internet intermediaries, such as telecommunications operators and ISPs, in particular cooperation to combat IP theft.”

In addition, the MPAA is not happy with the EU Court of Justice decision to no longer make data retention mandatory. As a result, many ISPs no longer keep extensive IP-address logs.

The movie studios believe that data retention is an important law enforcement tool, suggesting that it’s harder to track down online pirates without logs.

“Data retention remains a very valuable tool for law enforcement. Rights holders have always claimed the need for reasonable rules and legal certainty. This decision has created even more legal uncertainty in this field.

“Member States have started to respond to the consequences of this decision with legislation and some have invalidated their rules,” MPAA adds.

The data retention argument is not new, but it’s worth noting that the U.S. itself has no mandatory data retention laws. This makes it hard for the U.S. Government to demand that other countries adopt them.

It’s clear though, that the MPAA is not happy with the increased interest in online privacy. With or without help from the U.S. government, they will continue to try and minimize the impact it has on their enforcement efforts.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Darknet - The Darkside: SpiderFoot – Open Source Intelligence Automation Tool (OSINT)

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname or network subnet. SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target or defensively…


Krebs on Security: FCC Fines Cox $595K Over Lizard Squad Hack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In September 2014, I penned a column called “We Take Your Privacy and Security. Seriously.” It recounted my experience receiving notice from my former Internet service provider — Cox Communications — that a customer service employee had been tricked into giving away my personal information to hackers. This week, the Federal Communications Commission (FCC) fined Cox $595,000 for the incident that affected me and 60 other customers.

I suspected, but couldn’t prove at the time, that the band of teenage cybercriminals known as the Lizard Squad was behind the attack. According to a press release issued Thursday by the FCC, the intrusion began after LizardSquad member “Evil Jordie” phoned up Cox support pretending to be from the company’s IT department, and convinced both a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website.

“With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers of Cox’s cable customers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers,” the FCC said. “The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.”

My September 2014 column took Cox to task for not requiring two-step authentication for employees: Had the company done so, this phishing attack probably would have failed. As a condition of the settlement with the FCC, the commission said Cox has agreed to adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information, and the FCC will monitor Cox’s compliance with the consent decree for seven years.

It’s too bad that it takes incidents like this to get more ISPs to up their game on security. It’s also too bad that most ISPs hold so much personal and sensitive information on their customers. But there is no reason to entrust your ISP with even more personal info about yourself — such as your email. If you need a primer on why using your ISP’s email service as your default or backup might not be the best idea, see this story from earlier this week.

If cable, wireless and DSL companies took customer email account security seriously, they would offer some type of two-step authentication so that if customer account credentials get phished, lost or stolen, the attackers still need that second factor — a one-time token sent to the customer’s mobile phone, for example. Unfortunately, very few if any of the nation’s largest ISPs support this basic level of added security, according to, a site that tracks providers that offer it and shames those that do not.

Then again, perhaps the FCC fines will push ISPs toward doing the right thing by their customers: According to The Washington Post‘s Brian Fung, the FCC is offering in this action another sign that it is looking to police data breaches and sloppy security more closely.

According to, very few ISPs offer basic email security protection.


AWS Security Blog: How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext

This post was syndicated from: AWS Security Blog and was written by: Greg Rubin. Original post: at AWS Security Blog

One of the most important and critical concepts in AWS Key Management Service (KMS) for advanced and secure data usage is EncryptionContext. Using EncryptionContext properly can help significantly improve the security of your applications. In this blog post, I will show the importance of EncryptionContext and will provide a simple example showing how you can use it to protect the integrity and authenticity of your encrypted data.

At its core, EncryptionContext is a key-value map (both strings) that is provided to KMS with each encryption and decryption request. The maps at encryption and decryption must match, or the decryption request will fail.

EncryptionContext provides three benefits:

  1. Additional authenticated data (AAD)
  2. Audit trail
  3. Authorization context

I will focus on the first benefit, AAD, but all three of these benefits build on the existing cryptographic primitive of authenticated encryption with associated data (AEAD).

What is AEAD?

A security best practice is to require that secret data remain secret (confidentiality) and unmodified (integrity/authenticity). Unfortunately, many older forms of encryption (such as AES-CBC) don’t provide any integrity guarantees, and thus open their users to potential vulnerabilities such as being able to change the meaning of a message without decrypting or re-encrypting it. To avoid these situations, you can use AEAD encryption. AEAD encryption is really two related parts of a single concept: authenticated encryption (the “AE” part of “AEAD”) and associated data (the “AD” part of “AEAD”). I will look at these parts one at a time.

Authenticated encryption

At its core, using authenticated encryption prevents tampering with ciphertext itself. Authenticated encryption is built into KMS, so if you can successfully decrypt a message using KMS, an authorized user must have created that message. You can almost think of this as providing a “signature” over the ciphertext.

For example, take a look at the following code in which KMS throws an InvalidCiphertextException upon receiving ciphertext that has been tampered with.

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.kms.model.InvalidCiphertextException;

public class Example1 {
  public static void main(final String[] args) {
    final AWSKMS kms = new AWSKMSClient();

    final String plaintext = "My very secret message";
    final byte[] plaintextBytes = plaintext.getBytes(StandardCharsets.UTF_8);
    System.out.println("Plaintext: " + plaintext);

    // Encrypt the data under the demo key (the same alias the later examples use)
    final EncryptRequest encReq = new EncryptRequest();
    encReq.setKeyId("alias/EcDemo");
    encReq.setPlaintext(ByteBuffer.wrap(plaintextBytes));
    final ByteBuffer ciphertext = kms.encrypt(encReq).getCiphertextBlob();

    // Decrypt the data; the ciphertext blob identifies the key, so no key ID is needed
    final DecryptRequest decReq1 = new DecryptRequest();
    decReq1.setCiphertextBlob(ciphertext);
    final ByteBuffer decrypted = kms.decrypt(decReq1).getPlaintext();
    final String decryptedStr = new String(decrypted.array(), StandardCharsets.UTF_8);
    System.out.println("Decrypted: " + decryptedStr);

    // Attempt to tamper with the ciphertext
    final byte[] tamperedCt = ciphertext.array().clone();
    // Flip all the bits in a byte 24 bytes from the end
    tamperedCt[tamperedCt.length - 24] ^= 0xff;

    final DecryptRequest decReq2 = new DecryptRequest();
    decReq2.setCiphertextBlob(ByteBuffer.wrap(tamperedCt));

    try {
      kms.decrypt(decReq2);
      System.out.println("Tampering went undetected (this should never happen)");
    } catch (final InvalidCiphertextException ex) {
      // KMS authenticates the ciphertext and refuses to decrypt the modified blob
      System.out.println("Tampering detected: " + ex.getMessage());
    }
  }
}

Associated data

Though authenticated encryption prevents tampering with the ciphertext itself, the problem with the preceding code is that it doesn’t protect the context of the message. Encrypted data is seldom completely self-contained, but rather depends on unencrypted context. Somebody might be able to modify that context—for example, by copying the ciphertext from one location to another—and exploit the system in that way.

To fix this, most modern forms of authenticated encryption (including KMS) support AAD. AAD is not included in ciphertext directly, but AAD’s integrity is protected by using AEAD encryption. You can think of this as extending the signature over the ciphertext to cover additional data as well. In general, AAD should not contain any secret information, but should be contextual information used to understand the secret information.

What is EncryptionContext?

EncryptionContext is KMS’s implementation of AAD. I highly recommend that you use it to ensure that unencrypted data related to the ciphertext is protected against tampering. Data that is commonly used for AAD might include header information, unencrypted database fields in the same record, file names, or other metadata. It’s important to remember that EncryptionContext should contain only nonsensitive information because it is stored in plaintext JSON files in AWS CloudTrail and can be seen by anyone with access to the bucket containing the information.

The following scenario illustrates the use of EncryptionContext as AAD. For this example, imagine that I have a shared address book that users can use to save and retrieve their physical address. For privacy and security purposes, I will encrypt the addresses before storing them in an Amazon DynamoDB table. (The table will have the string hash key, EmailAddress, which means each physical mailing address is associated with a corresponding email address.) 

First, I’ll do this the wrong way and build an insecure implementation. (I have commented out the methods you shouldn’t use in order to prevent accidental use.) In this insecure implementation, if user Mallory can modify the DynamoDB table, she can replace Alice’s address with her own. Mallory can do this even without access to the encryption keys by simply swapping the encrypted addresses between the records, which doesn’t require her to encrypt or decrypt anything. Depending on the circumstances, this could completely defeat the purpose of encrypting the addresses. After swapping the records, Mallory can easily view Alice’s address as if it was her own, and anything that Alice orders for herself will be delivered to Mallory’s address instead.

The following code demonstrates this purposefully insecure implementation.

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;

import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;

public class Example2 {
  private static final String ADDRESS = "Address";
  private static final String EMAIL = "EmailAddress";
  private static final String TABLE = "EcDemoAddresses";
  // Placeholder addresses: the e-mail addresses were stripped from the page in extraction
  private static final String ALICE = "alice@example.com";
  private static final String MALLORY = "mallory@example.com";
  final static AWSKMS kms = new AWSKMSClient();
  final static AmazonDynamoDB ddb = new AmazonDynamoDBClient();

  public static void main(final String[] args) {
    // Alice stores her address
    saveAddress(ALICE, "Alice Lovelace, 123 Anystreet Rd., Anytown, USA");
    // Mallory stores her address
    saveAddress(MALLORY, "Mallory Evesdotir, 321 Evilstreed Ave., Despair, USA");

    // Output saved addresses
    System.out.println("Alice's Address: " + getAddress(ALICE));
    System.out.println("Mallory's Address: " + getAddress(MALLORY));

    // Mallory tampers with the database by swapping the encrypted addresses.
    // Note that this doesn't require modifying the ciphertext at all.
    // First, retrieve the records from DynamoDB
    final Map<String, AttributeValue> mallorysRecord = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS(MALLORY))).getItem();
    final Map<String, AttributeValue> alicesRecord = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS(ALICE))).getItem();

    // Second, extract the encrypted addresses
    final ByteBuffer mallorysEncryptedAddress = mallorysRecord.get(ADDRESS).getB();
    final ByteBuffer alicesEncryptedAddress = alicesRecord.get(ADDRESS).getB();

    // Third, swap the encrypted addresses
    mallorysRecord.put(ADDRESS, new AttributeValue().withB(alicesEncryptedAddress));
    alicesRecord.put(ADDRESS, new AttributeValue().withB(mallorysEncryptedAddress));

    // Finally, store them back in DynamoDB
    ddb.putItem(TABLE, mallorysRecord);
    ddb.putItem(TABLE, alicesRecord);

    // Now, when Alice tries to use her address (say to get something shipped to her)
    // it goes to Mallory instead.
    System.out.println("Alice's Address: " + getAddress(ALICE));
    // Likewise, if Mallory tries to look up her address, she can view Alice's instead
    System.out.println("Mallory's Address: " + getAddress(MALLORY));
  }

  // The two methods below are deliberately left commented out: they encrypt without
  // any EncryptionContext, so nothing ties a ciphertext to the record it belongs to.
// DO NOT USE:   private static void saveAddress(final String email, final String address) {
// DO NOT USE:     final EncryptRequest enc = new EncryptRequest();
// DO NOT USE:     enc.setKeyId("alias/EcDemo");
// DO NOT USE:     enc.setPlaintext(ByteBuffer.wrap(address.getBytes(StandardCharsets.UTF_8)));
// DO NOT USE:     final ByteBuffer ciphertext = kms.encrypt(enc).getCiphertextBlob();
// DO NOT USE:     final Map<String, AttributeValue> item = new HashMap<>();
// DO NOT USE:     item.put(EMAIL, new AttributeValue().withS(email));
// DO NOT USE:     item.put(ADDRESS, new AttributeValue().withB(ciphertext));
// DO NOT USE:     ddb.putItem(TABLE, item);
// DO NOT USE:   }
// DO NOT USE:   private static String getAddress(final String email) {
// DO NOT USE:     final Map<String, AttributeValue> item = ddb.getItem(TABLE,
// DO NOT USE:         Collections.singletonMap(EMAIL, new AttributeValue().withS(email))).getItem();
// DO NOT USE:     final DecryptRequest dec = new DecryptRequest();
// DO NOT USE:     dec.setCiphertextBlob(item.get(ADDRESS).getB());
// DO NOT USE:     final ByteBuffer plaintext = kms.decrypt(dec).getPlaintext();
// DO NOT USE:     return new String(plaintext.array(), StandardCharsets.UTF_8);
// DO NOT USE:   }
}

In this purposefully insecure implementation, Mallory can still attack the system even without the ability to modify the ciphertext. She can do this because she can change the context of the ciphertext so that it is interpreted differently. In this case she is “just” changing addresses, but it should be clear that this same attack could be used to expose sensitive information or even take over accounts.

We can fix this by including the unencrypted email address associated with the encrypted physical address as EncryptionContext. Now, when the system attempts to decrypt the record that has been tampered with, an InvalidCiphertextException is thrown and the threat is mitigated. This is because the EncryptionContext parameter that was provided at encryption (in this case, Alice’s email address) does not match the EncryptionContext provided at decryption (in this case, Mallory’s email address).

The following code improves the security of the implementation.

private static void saveAddress(final String email, final String address) {
  final EncryptRequest enc = new EncryptRequest();
  enc.setKeyId("alias/EcDemo");
  enc.setPlaintext(ByteBuffer.wrap(address.getBytes(StandardCharsets.UTF_8)));
  // Bind the ciphertext to its record: the e-mail address becomes the AAD
  enc.setEncryptionContext(Collections.singletonMap(EMAIL, email));
  final ByteBuffer ciphertext = kms.encrypt(enc).getCiphertextBlob();

  final Map<String, AttributeValue> item = new HashMap<>();
  item.put(EMAIL, new AttributeValue().withS(email));
  item.put(ADDRESS, new AttributeValue().withB(ciphertext));
  ddb.putItem(TABLE, item);
}

private static String getAddress(final String email) {
  final Map<String, AttributeValue> item = ddb.getItem(TABLE,
      Collections.singletonMap(EMAIL, new AttributeValue().withS(email))).getItem();
  final DecryptRequest dec = new DecryptRequest();
  dec.setCiphertextBlob(item.get(ADDRESS).getB());
  // The same context must be supplied, or KMS throws InvalidCiphertextException
  dec.setEncryptionContext(Collections.singletonMap(EMAIL, email));
  final ByteBuffer plaintext = kms.decrypt(dec).getPlaintext();
  return new String(plaintext.array(), StandardCharsets.UTF_8);
}

Of course, there might be other things an attacker could do, such as move the entire record from one DynamoDB table to another. This is why EncryptionContext should include all of the information associated with the ciphertext that you will later need to interpret it. A good rule is to always include at least enough information to uniquely identify the location of the ciphertext (for example, a URI, file path, or database table and primary keys).
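The record-swap attack from the address-book scenario and the EncryptionContext fix, as an added example that is not the post’s or AWS’s code and runs without any AWS account: AES-GCM under a local key stands in for KMS, an in-memory map for the DynamoDB table, and the AEAD’s associated data for EncryptionContext. It goes one step beyond the post by putting the table name into the AAD as well, as the paragraph above recommends; the table name, key and e-mail addresses are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record mirrors the DynamoDB item in the post: the e-mail address (the
// hash key, stored in the clear) and the encrypted physical address.
type Record struct {
	Email      string
	Ciphertext []byte // nonce || AES-GCM ciphertext and tag
}

// AddressBook is an in-memory stand-in for the DynamoDB table; AES-GCM under
// a local key stands in for KMS. useAAD selects the secure variant, which
// binds each ciphertext to its table and e-mail address through the AEAD's
// associated data, the same role KMS EncryptionContext plays.
type AddressBook struct {
	name   string // table name, also covered by the AAD in the secure variant
	aead   cipher.AEAD
	useAAD bool
	table  map[string]Record
}

func NewAddressBook(name string, key []byte, useAAD bool) (*AddressBook, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &AddressBook{name: name, aead: aead, useAAD: useAAD, table: map[string]Record{}}, nil
}

// aad returns the associated data for a record: table name plus e-mail
// address in the secure variant, nothing in the insecure one.
func (b *AddressBook) aad(email string) []byte {
	if !b.useAAD {
		return nil
	}
	return []byte(b.name + "/" + email)
}

// SaveAddress encrypts the address and stores it under the e-mail key.
func (b *AddressBook) SaveAddress(email, address string) error {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends to its first argument, so the stored blob is nonce || ciphertext.
	ct := b.aead.Seal(nonce, nonce, []byte(address), b.aad(email))
	b.table[email] = Record{Email: email, Ciphertext: ct}
	return nil
}

// GetAddress decrypts the stored address. An error means the blob does not
// belong to this record or was modified, the analogue of KMS throwing
// InvalidCiphertextException when the EncryptionContext does not match.
func (b *AddressBook) GetAddress(email string) (string, error) {
	rec, ok := b.table[email]
	if !ok {
		return "", errors.New("no such record")
	}
	ns := b.aead.NonceSize()
	if len(rec.Ciphertext) < ns {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := b.aead.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], b.aad(email))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SwapCiphertexts models Mallory's tampering from the post: the two encrypted
// blobs change places without a single ciphertext byte being altered.
func (b *AddressBook) SwapCiphertexts(a, c string) {
	ra, rc := b.table[a], b.table[c]
	ra.Ciphertext, rc.Ciphertext = rc.Ciphertext, ra.Ciphertext
	b.table[a], b.table[c] = ra, rc
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real system would keep it in KMS
	for _, useAAD := range []bool{false, true} {
		book, _ := NewAddressBook("EcDemoAddresses", key, useAAD)
		_ = book.SaveAddress("alice@example.com", "Alice Lovelace, 123 Anystreet Rd., Anytown, USA")
		_ = book.SaveAddress("mallory@example.com", "Mallory Evesdotir, 321 Evilstreed Ave., Despair, USA")
		book.SwapCiphertexts("alice@example.com", "mallory@example.com")
		addr, err := book.GetAddress("alice@example.com")
		fmt.Printf("useAAD=%v: Alice's address -> %q, err=%v\n", useAAD, addr, err)
	}
}
```

Without AAD the swap goes unnoticed and Alice’s lookup returns Mallory’s address; with AAD the tag check fails and the tampered record is rejected.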

Of course, the best code is the code you don’t need to write, allowing you to concentrate on the things that matter to you (which is rarely cryptography) and leave the cryptographic code to groups that specialize in it. In this case, we can use the aws-dynamodb-encryption-java library. It includes in EncryptionContext not only DynamoDBHashKey (and RangeKey, if available) but also the table name and cryptographic algorithms used.

This final code sample demonstrates an improved and more secure implementation of our example application that takes advantage of the aws-dynamodb-encryption-java library.

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SignatureException;
import java.util.*;

import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.DirectKmsMaterialProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClient;

public class Example4 {
  private static final String ADDRESS = "Address";
  private static final String EMAIL = "EmailAddress";
  private static final String TABLE = "EcDemoAddresses";
  // Placeholder addresses: the e-mail addresses were stripped from the page in extraction
  private static final String ALICE = "alice@example.com";
  private static final String MALLORY = "mallory@example.com";
  final static AWSKMS kms = new AWSKMSClient();
  final static AmazonDynamoDB ddb = new AmazonDynamoDBClient();

  // Set up the aws-dynamodb-encryption-java library
  final static DynamoDBEncryptor cryptor = DynamoDBEncryptor.getInstance(
      new DirectKmsMaterialProvider(kms, "alias/EcDemo"));
  // Despite the similar name, the DynamoDb EncryptionContext is used to guide
  // the DynamoDBEncryptor for key and algorithm selection (among other things)
  // and not just for the KMS EncryptionContext (though it is used for that as well).
  // The table name and hash key name given here end up in the KMS EncryptionContext.
  final static EncryptionContext ddbCtx = new EncryptionContext.Builder()
      .withTableName(TABLE)
      .withHashKeyName(EMAIL)
      .build();

  public static void main(final String[] args) throws GeneralSecurityException {
    // Alice stores her address
    saveAddress(ALICE, "Alice Lovelace, 123 Anystreet Rd., Anytown, USA");
    // Mallory stores her address
    saveAddress(MALLORY, "Mallory Evesdotir, 321 Evilstreed Ave., Despair, USA");

    // Output saved addresses
    System.out.println("Alice's Address: " + getAddress(ALICE));
    System.out.println("Mallory's Address: " + getAddress(MALLORY));

    // Mallory tampers with the database by swapping the encrypted addresses.
    // Note that this doesn't require modifying the ciphertext at all.
    // First, retrieve the records from DynamoDB
    final Map<String, AttributeValue> mallorysRecord = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS(MALLORY))).getItem();
    final Map<String, AttributeValue> alicesRecord = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS(ALICE))).getItem();

    // Second, extract the encrypted addresses
    final ByteBuffer mallorysEncryptedAddress = mallorysRecord.get(ADDRESS).getB();
    final ByteBuffer alicesEncryptedAddress = alicesRecord.get(ADDRESS).getB();

    // Third, swap the encrypted addresses
    mallorysRecord.put(ADDRESS, new AttributeValue().withB(alicesEncryptedAddress));
    alicesRecord.put(ADDRESS, new AttributeValue().withB(mallorysEncryptedAddress));

    // Finally, store the encrypted addresses back in DynamoDB
    ddb.putItem(TABLE, mallorysRecord);
    ddb.putItem(TABLE, alicesRecord);

    // Now, when Alice tries to use her address, we attempt to decrypt the tampered data
    // and get a SignatureException
    try {
      System.out.println("Alice's Address: " + getAddress(ALICE));
      // Likewise, Mallory's lookup of her own record fails the same check
      System.out.println("Mallory's Address: " + getAddress(MALLORY));
    } catch (final SignatureException ex) {
      // The library's signature over the item (which covers the table name and
      // hash key) no longer verifies, so the swapped record is rejected
      System.out.println("Tampering detected: " + ex.getMessage());
    }
  }

  private static void saveAddress(final String email, final String address)
      throws GeneralSecurityException {
    final Map<String, AttributeValue> item = new HashMap<>();
    item.put(EMAIL, new AttributeValue().withS(email));
    item.put(ADDRESS, new AttributeValue().withS(address));
    final Map<String, AttributeValue> encryptedItem = cryptor.encryptAllFieldsExcept(
        item, ddbCtx, EMAIL);
    ddb.putItem(TABLE, encryptedItem);
  }

  private static String getAddress(final String email) throws GeneralSecurityException {
    final Map<String, AttributeValue> encryptedItem = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS(email))).getItem();
    final Map<String, AttributeValue> item = cryptor.decryptAllFieldsExcept(
        encryptedItem, ddbCtx, EMAIL);
    return item.get(ADDRESS).getS();
  }
}

Authenticated encryption with associated data is one of the more important advances in cryptography from the past twenty years. You’ve seen here a few examples of just how critical AAD can be to the security of your systems. From my personal experience, the majority of data encrypted with KMS should have an associated EncryptionContext. I encourage you to review your systems and new development efforts to see how best to leverage this powerful tool.

If you have questions or comments about this post, either post them below or visit the KMS forum.

– Greg

yovko in a nutshell: Signal

This post was syndicated from: yovko in a nutshell and was written by: Йовко Ламбрев. Original post: at yovko in a nutshell

I decided to reduce my communication channels, above all the various messengers for direct messages.

I always prefer e-mail for primary communication, because I can sort (or ignore) by priority the messages that deserve attention and a possible reply, and I have end-to-end encryption available when needed. Here is my current PGP key. And if you don’t know any of my email addresses, you can always use this method.

I check my mail at least once or twice a day, except when I’m on holiday, without Internet, or working on some urgent problem or project. But I don’t get notifications for it on my smartphone – that is terribly distracting and counterproductive. My “favourite” is when someone calls me on the phone with the sentence: I just sent you a mail. Did you see it?

For direct messages, from now on I will mainly use Signal by Open Whisper Systems as a decent basis for an open and secure platform that deserves to be used, promoted and supported by its users. Temporarily, as a backup option, I’m also keeping WhatsApp because of a few close friends who prefer habit and don’t realise the need for secure communication, so it will take time to convince them.

Okay, if you have an iPhone or Mac you can also send me an iMessage as another backup option, bearing in mind that security there depends on Apple.

As a rule I don’t use Skype except by prior arrangement for a specific call. Nor Viber and Facebook Messenger (I never even managed to like them). I’m also stopping Hangouts and Telegram, as well as any others, because they are too much for me.

Try Signal – a simple and lightweight app – for encrypted text messages and calls. Besides being free and open source, it is also free of charge. It’s available for iPhone and Android, and soon for the web. Snowden even gave it his blessing ;)

SANS Internet Storm Center, InfoCON: green: Malicious spam with links to CryptoWall 3.0 – Subject: Domain [name] Suspension Notice, (Thu, Nov 5th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

2015-11-05 update: After posting this diary, we started seeing reports of CryptoWall 4.0. One of the people who analyzed this new CryptoWall variant provided me details, which you can read about at:


Since Monday 2015-10-26, we’ve noticed a particular campaign sending malicious spam (malspam) with links to download CryptoWall 3.0 ransomware. This campaign has been impersonating domain registrars. Conrad Longmore blogged about it last week [1], and has a good write-up on the campaign [2]. Several other sources have also discussed this wave of malspam [3, 4, 5, 6, 7, 8 to name a few].

For this diary, we’ll take a closer look at the emails and associated CryptoWall 3.0 malware.

The malspam

Based on what I’ve seen, this malspam was delivered to recipients who didn’t use privacy protection when they registered their domains. Their contact information is publicly listed in the whois records for their domains. Criminals behind the campaign are collecting this publicly available information, impersonating the registrars, and sending malspam to the email addresses listed as points of contact. Below are two examples of the emails I
Shown above: Screenshot from one of the emails that spoofed Tucows, Inc.

Enom and Tucows are just two of the many examples people have reported. When looking at the email headers, you’ll find these were not sent from the actual registrars.
Shown above: Header lines that show the second example was not sent by Tucows, Inc.

If you receive one of the emails, the link follows a specific pattern: http://[unrelated compromised website]/abuse_report.php?[your domain name]. The domain names are not important.
Shown above: I substituted a string of Xs for the domain name in a URL from one of the emails.

The emails have different senders, and they contain a variety of domains in the URLs to download the malware. I’ve compiled a list of the first 100 emails I found to provide an idea of the scope of this campaign.
Shown above: Some of the emails seen from this CryptoWall 3.0 malspam campaign.

The malware

I grabbed a sample of the CryptoWall 3.0 on Tuesday 2015-11-03.

File name: [domain name]_copy_of_complaints.pdf.scr
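As an added triage example (not code from the diary), the Python below checks a raw message against the indicators described here: a From: address claiming a registrar, a delivering relay outside that registrar's domain, a link of the abuse_report.php?[domain] form hosted on an unrelated site, and the .pdf.scr double extension of the downloaded file. Both sample messages, and the registrar.example and .invalid host names in them, are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, not messages from the diary. The first imitates the
# campaign: a registrar identity in From:, handed to our MX by an unrelated host,
# and a link of the form http://<unrelated site>/abuse_report.php?<domain>.
SAMPLE_MALSPAM = """\
Received: from mail.compromised-site.invalid (mail.compromised-site.invalid [192.0.2.10])
    by mx.victim-domain.invalid (Postfix) with ESMTP id 4F2A1C0
    for <hostmaster@victim-domain.invalid>; Tue, 03 Nov 2015 10:00:00 +0000 (UTC)
From: Registrar Abuse Desk <abuse@registrar.example>
To: hostmaster@victim-domain.invalid
Subject: Abuse complaint regarding victim-domain.invalid

A complaint was filed against your domain. A copy of the complaint is at:
http://compromised-site.invalid/abuse_report.php?victim-domain.invalid
"""
# The second is a genuine-looking registrar notice: relayed by the registrar's
# own mail host and linking only to the registrar's own site.
SAMPLE_LEGIT = """\
Received: from smtp.registrar.example (smtp.registrar.example [198.51.100.5])
    by mx.victim-domain.invalid (Postfix) with ESMTP id 7B9D2E1
    for <hostmaster@victim-domain.invalid>; Tue, 03 Nov 2015 11:00:00 +0000 (UTC)
From: Registrar Abuse Desk <abuse@registrar.example>
To: hostmaster@victim-domain.invalid
Subject: Renewal notice for victim-domain.invalid

Your domain renews next month. Manage it at https://www.registrar.example/account
"""

ABUSE_LINK_RE = re.compile(r"https?://([^/\s\"'<>]+)/abuse_report\.php\?([^\s\"'<>&]*)", re.I)
RECEIVED_FROM_RE = re.compile(r"^from\s+([\w.-]+)", re.I)
DROPPED_FILE_RE = re.compile(r"\.pdf\.scr$", re.I)  # [domain]_copy_of_complaints.pdf.scr

def within_domain(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))

def address_domain(header_value):
    """Domain part of the address in a From:/To: header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def last_hop_host(msg):
    """Host that handed the message to our MTA, from the topmost Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = RECEIVED_FROM_RE.match(" ".join(received[0].split()))  # unfold the header
    return m.group(1).lower() if m else ""

def is_dropped_file_name(name):
    """True for the double-extension name the diary reports for the downloaded file."""
    return DROPPED_FILE_RE.search(name) is not None

def assess(raw):
    """Check one raw single-part text message against the diary's indicators.
    Each heuristic is weak alone; the score counts how many fire together."""
    msg = message_from_string(raw)
    sender = address_domain(msg.get("From", ""))
    recipient = address_domain(msg.get("To", ""))
    links = ABUSE_LINK_RE.findall(msg.get_payload())
    findings = {
        "abuse_report_links": links,
        # campaign links sit on unrelated compromised sites, not the registrar's
        "link_host_unrelated_to_sender": any(not within_domain(h, sender) for h, _ in links),
        # the query string carries the recipient's own domain name
        "query_names_recipient_domain": any(q.lower() == recipient for _, q in links),
        # the relay that delivered it is not the registrar named in From:
        "relay_outside_sender_domain": not within_domain(last_hop_host(msg), sender),
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings
```

Running assess() on the constructed malspam returns a score of 3 with all three heuristics set, while the constructed legitimate notice scores 0; a real mail gateway would feed assess() the raw message and alert or quarantine above a chosen score.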

Darknet - The Darkside: TalkTalk Hack – Breach WAS Serious & Disclosed Bank Details

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So it turns out the TalkTalk hack is a lot more serious than they initially tried to make it out to be. TalkTalk claimed that its core system wasn’t compromised and only the website was breached. But now they’ve admitted the hackers got away with bank account numbers, partial credit card numbers and dates of […]

The post…

Read the full post at

Firefox 42 is available

This post was syndicated from: and was written by: ris. Original post: at

Firefox 42 has been released. This version features Private Browsing with Tracking Protection, site security and privacy controls in the Control Center, WebRTC improvements, and more. See the release for more information.

Darknet - The Darkside: Scumblr by Netflix – Automatically Scan For Leaks

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Scumblr is a search automation web application that helps you to automatically scan for leaks by performing periodic searches and storing / taking actions on the identified results. Scumblr uses the Workflowable gem to allow setting up flexible workflows for different types of results. How do I use Scumblr? Scumblr is a web application based…

Read the full post at

Schneier on Security: The Rise of Political Doxing

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last week, CIA director John O. Brennan became the latest victim of what’s become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive.

It’s called doxing — sometimes doxxing — from the word “documents.” It emerged in the 1990s as a hacker revenge tactic, and has since been used as a tool to harass and intimidate people on the Internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying “I know a lot about you — like where you live and work.” Victims of doxing talk about the fear that this tactic instills. It’s very effective, by which I mean that it’s horrible.

Brennan’s doxing was slightly different. Here, the attacker had a more political motive. He wasn’t out to intimidate Brennan; he simply wanted to embarrass him. His personal papers were dumped indiscriminately, fodder for an eager press. This doxing was a political act, and we’re seeing this kind of thing more and more.

Last year, the government of North Korea allegedly did this to Sony. Hackers the FBI believes were working for North Korea broke into the company’s networks, stole a huge amount of corporate data, and published it. This included unreleased movies, financial information, company plans, and personal e-mails. The reputational damage to the company was enormous; the company estimated the cost at $41 million.

In July, hackers stole and published sensitive documents from the cyberweapons arms manufacturer Hacking Team. That same month, different hackers did the same thing to the infidelity website Ashley Madison. In 2014, hackers broke into the iCloud accounts of over 100 celebrities and published personal photographs, most containing some nudity. In 2013, Edward Snowden doxed the NSA.

These aren’t the first instances of politically motivated doxing, but there’s a clear trend. As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we’re going to see a lot more of it.

On the Internet, attack is easier than defense. We’re living in a world where a sufficiently skilled and motivated attacker will circumvent network security. Even worse, most Internet security assumes it needs to defend against an opportunistic attacker who will attack the weakest network in order to get — for example — a pile of credit card numbers. The notion of a targeted attacker, who wants Sony or Ashley Madison or John Brennan because of what they stand for, is still new. And it’s even harder to defend against.

What this means is that we’re going to see more political doxing in the future, against both people and institutions. It’s going to be a factor in elections. It’s going to be a factor in anti-corporate activism. More people will find their personal information exposed to the world: politicians, corporate executives, celebrities, divisive and outspoken individuals.

Of course they won’t all be doxed, but some of them will. Some of them will be doxed directly, like Brennan. Some of them will be inadvertent victims of a doxing attack aimed at a company where their information is stored, like those celebrities with iPhone accounts and every customer of Ashley Madison. Regardless of the method, lots of people will have to face the publication of personal correspondence, documents, and information they would rather be private.

In the end, doxing is a tactic that the powerless can effectively use against the powerful. It can be used for whistleblowing. It can be used as a vehicle for social change. And it can be used to embarrass, harass, and intimidate. Its popularity will rise and fall on this effectiveness, especially in a world where prosecuting the doxers is so difficult.

There’s no good solution for this right now. We all have the right to privacy, and we should be free from doxing. But we’re not, and those of us who are in the public eye have no choice but to rethink our online data shadows.

This essay previously appeared on Vice Motherboard.

TorrentFreak: PIA Runs VPN Traffic Through VPN to Avoid BitTorrent Ban

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

It’s no secret that millions of people use VPN services to make sure that their BitTorrent download habits remain private.

This is a valid reason, but since many torrent users share copyrighted material, it also presents problems for VPN providers.

Increasingly, datacenters around the world are banning services with heavy BitTorrent traffic due to the vast amount of copyright infringement notices they trigger.

In response several VPN providers are now only allowing P2P traffic on specific servers. Private Internet Access (PIA) is also presented with this problem, but the solution they chose is different.

Instead of banning torrent traffic, PIA has decided to route it through BitTorrent-friendly regions instead.

“Certain regimes/regions and data centers have strict discriminatory policies towards the BitTorrent protocol. In order to provide a free and open internet to everyone, we were forced to create a technical fix,” the company informs TF.

The policy affects a few servers in Japan, Italy, Australia, Mexico, Singapore and Hong Kong. Subscribers who are connected to these servers may notice that their BitTorrent traffic is rerouted through another region.

PIA doesn’t mention any of the datacenters by name. However, a quick lookup shows that its Australian servers are hosted at SoftLayer Technologies, which strictly prohibits copyright infringement.

The “double VPN” solution doesn’t affect regular browsing but since it’s targeted at a range of ports, other applications including BitCoin, gaming and VoIP may also be affected at times.

PIA believes that routing the traffic is the best solution from a privacy point of view, as it doesn’t require DPI or other invasive techniques.

“Due to the fact that packets were routed in an unidentifiable manner and double hop is a known and accepted technology by privacy advocates, we believe this technical solution adheres to the strongest of privacy ideals.”

Not all users are happy with the change and the initial lack of communication on the issue. However, PIA notes that it has the best interests of its customers in mind.

Unless datacenters are forbidden from banning certain types of traffic, there are few options other than to bypass the block or shut down the servers altogether.

“We want to make clear that privacy is in fact our single policy. However, in order to help our users who are censored in certain regions, we needed to find a way to provide close servers while still being able to provide users with true and free/open internet access.

“This was our solution and we still think that using technology to create a solution is better than waiting for politicians to fix this problem,” PIA informs us.

PIA has published the full statement on its website. The company notes that it will try to help users who are experiencing additional latency in the affected regions.

Note: PIA is one of TorrentFreak’s sponsors but this article was written independently without any form of compensation.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Errata Security: Prez: Rick Perry selling his mailing list

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all of them). This allows me to track their behavior — or misbehavior.

Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.

Here’s Ted Cruz’s email, sent to my Perry account. It’s actually identical to one I received on my Cruz account. (I’ve hidden the To: address, except for the ‘rick’ part).

The email headers look like:

Received: from ( [])
by projectp (Postfix) with ESMTP id 1266C26041B
for ; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)

Rick Perry uses the company “TargetedVictory” for his mass emailings, where Ted Cruz uses another company. This shows that Perry didn’t give his address list to Cruz, but instead let Cruz use the address list.

I saved a copy of Perry’s privacy policy when I made the donation. It implies that he won’t give out my private information to somebody else, but nothing in the policy says he won’t use my private information in this manner. I don’t think it’s changed, so you can read Rick Perry’s privacy policy here and decide for yourself if this use of my private information is valid.

The other email was from Paul Ryan asking for donations to the NRCC. Apparently, the reason Paul Ryan took the job of Speaker was solely for the children.

What is the NRCC? I had to look it up on Wikipedia. It’s a SuperPAC set up in 1866 to support House Republicans. They get a couple hundred million dollars in donations every year. There’s a similar DCCC for the Democrats.

As a side note: Thunderbird claims this might be a “scam”. I love the irony.

So why these emails from Perry? One answer could be money, that they paid him to use his mailing list. Another could be politics, that in exchange for pimping his donors, he could receive political consideration for other things, like being named ambassador or something. Thirdly, he could just be a nice guy who wants to see Republicans and his fellow Texan win.

My bet is this, that we’ll see Perry officially endorse Ted Cruz in the next couple weeks, announced at some major event, timed to give Cruz a boost in the polls. If that’s the case, then this would be an interesting lesson in how projects like this can scoop what’s going on inside the campaigns.

Update: Comment thread over at Reddit:

Krebs on Security: Cybersecurity Information (Over)Sharing Act?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The U.S. Senate is preparing to vote on cybersecurity legislation that proponents say is sorely needed to better help companies and the government share information about the latest Internet threats. Critics of the bill and its many proposed amendments charge that it will do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions that are ripe for privacy abuses. What follows is a breakdown of the arguments on both sides, and a personal analysis that seeks to add some important context to the debate.

Up for consideration by the full Senate this week is the Cybersecurity Information Sharing Act (CISA), a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime. The Wall Street Journal and The Washington Post each recently published editorials in support of the bill.

“The idea behind the legislation is simple: Let private businesses share information with each other, and with the government, to better fight an escalating and constantly evolving cyber threat,” the WSJ said in an editorial published today (paywall). “This shared data might be the footprint of hackers that the government has seen but private companies haven’t. Or it might include more advanced technology that private companies have developed as a defense.”

“Since hackers can strike fast, real-time cooperation is essential,” the WSJ continued. “A crucial provision would shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another. Democrats had long resisted this legal safe harbor at the behest of plaintiffs lawyers who view corporate victims of cyber attack as another source of plunder.”

The Post’s editorial dismisses “alarmist claims [that] have been made by privacy advocates who describe it as a ‘surveillance’ bill”:

“The notion that there is a binary choice between privacy and security is false. We need both privacy protection and cybersecurity, and the Senate legislation is one step toward breaking the logjam on security,” the Post concluded. “Sponsors have added privacy protections that would scrub out personal information before it is shared. They have made the legislation voluntary, so if companies are really concerned, they can stay away. A broad coalition of business groups, including the U.S. Chamber of Commerce, has backed the legislation, saying that cybertheft and disruption are ‘advancing in scope and complexity.’”

But critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.

CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”

CDT warns that CISA risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity. Moreover, CDT says, CISA will likely introduce unintended consequences:

“It trumps all law in authorizing companies to share user Internet communications and data that qualify as ‘cyber threat indicators,’ [and] does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities.”


On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer. We read constantly about breaches at major corporations in which the attackers were found to have been inside of the victim’s network for months or years on end before the organization discovered that it was breached (or, more likely, they were notified by law enforcement officials or third-party security firms).

If only there were an easier way, we are told, for companies to share so-called “indicators of compromise” — Internet addresses or malicious software samples known to be favored by specific cybercriminal groups, for example — such breaches and the resulting leakage of consumer data and corporate secrets could be detected and stanched far more quickly.

In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data. From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today. While many business leaders fail to appreciate the value and criticality of all their IT assets, I guarantee you today’s cybercrooks know all too well how much these assets are worth. And this yawning gap in awareness and understanding is evident in the sheer number of breaches announced each week.

Far too many organizations have trouble seeing the value of investing in cybersecurity until it is too late. Even then, breached entities will often seek out shiny new technologies or products that they perceive will help detect and prevent the next breach, while overlooking the value of investing in talented cybersecurity professionals to help them make sense of what all this technology is already trying to tell them about the integrity and health of their network and computing devices.

One of the more stunning examples of this comes from a depressingly static finding in the annual data breach reports published by Verizon Enterprise, a company that helps victims of cybercrime respond to and clean up after major data breaches. Every year, Verizon produces an in-depth report that tries to pull lessons out of dozens of incidents it has responded to in the previous year. It also polls dozens of law enforcement agencies worldwide for their takeaways from investigating cybercrime incidents.

The depressingly static stat is that in a great many of these breaches, the information that could have tipped companies off to a breach much sooner was already collected by the breached organization’s various cybersecurity tools; the trouble was, the organization lacked the human resources needed to make sense of all this information.

We all want the enormous benefits that technology and the Internet can bring, but all too often we are unwilling to face just how dependent we have become on technology. We embrace and extoll these benefits, but we routinely fail to appreciate how these tools can be used against us. We want the benefits of it all, but we’re reluctant to put in the difficult and very often unsexy work required to make sure we can continue to make those benefits work for us.

The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches. Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.

Having read through the proposed CISA bill and its myriad amendments, I’m left with an impression perhaps best voiced in a letter sent earlier this week to the bill’s sponsors by nearly two dozen academics. The coalition of professors charged that CISA is an example of the classic “let’s do something law” from a Congress that is under intense pressure to respond to a seemingly never-ending parade of breaches across the public and private sectors.

Rather than encouraging companies to increase their own cybersecurity standards, the professors wrote, “CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network.”

“CISA creates new law in the wrong places,” the letter concluded. “For example, as the attached letter indicates, security threat information sharing is already quite robust. Instead, what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them, and CISA does nothing to move us in that direction.”

Further reading: Independent national security journalist Marcy Wheeler’s take at

Schneier on Security: The Need for Transparency in Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In Data and Goliath, I talk about the need for transparency, oversight, and accountability as the mechanism to allow surveillance when it is necessary, while preserving our security against excessive surveillance and surveillance abuse.

James Losey has a new paper that discusses the need for transparency in surveillance. His conclusion:

Available transparency reports from ICT companies demonstrate the rise in government requests to obtain user communications data. However, revelations on the surveillance capabilities of the United States, Sweden, the UK, and other countries demonstrate that the available data is insufficient and falls short of supporting rational debate. Companies can contribute by increasing granularity, particularly on the legal processes through which they are required to reveal user data. However, the greatest gaps remain in the information provided directly from governments. Current understanding of the scope of surveillance can be credited to whistleblowers risking prosecution in order to publicize illegitimate government activity. The lack of transparency on government access to communications data and the legal processes used undermines the legitimacy of the practices.

Transparency alone will not eliminate barriers to freedom of expression or harm to privacy resulting from overly broad surveillance. Transparency provides a window into the scope of current practices and additional measures are needed such as oversight and mechanisms for redress in cases of unlawful surveillance. Furthermore, international data collection results in the surveillance of individuals and communities beyond the scope of a national debate. Transparency offers a necessary first step, a foundation on which to examine current practices and contribute to a debate on human security and freedom. Transparency is not the sole responsibility of any one country, and governments, in addition to companies, are well positioned to provide accurate and timely data to support critical debate on policies and laws that result in censorship and surveillance. Supporting an informed debate should be the goal of all democratic nations.