Recently in Exploits and Security Category

Note: While I hope this woman gets her due process and justice, I find it appalling that we're constantly facing abuses to our Constitutional rights.

Snagged via: http://www.foxnews.com/scitech/2012/01/24/judge-reportedly-orders-colorado-woman-to-decrypt-laptop/?test=latestnews

A judge has reportedly ordered a Colorado woman to decrypt her laptop computer so prosecutors may use the files against her in a criminal case involving alleged bank fraud.

The defendant, Ramona Fricosu, had unsuccessfully argued that being forced to do so would violate the Fifth Amendment protection against compelled self-incrimination, Wired reports.

"I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Colorado U.S. District Judge Robert Blackburn ruled Monday.

The case is being closely watched by civil rights groups, Wired reports, as the issue has never been fully considered by the Supreme Court. Authorities seized the laptop from Fricosu in 2010 with a court warrant while investigating financial fraud.

Blackburn ordered Fricosu to surrender an unencrypted hard drive by Feb. 21. The judge added that the government is precluded "from using Ms. Fricosu's act of production of the unencrypted hard drive against her in any prosecution," Wired reports.

Cyberwar

Nothing has ever changed the world as quickly as the Internet.

Less than a decade ago, "60 Minutes" went to the Pentagon to do a story on something called information warfare, or cyberwar as some people called it. It involved using computers and the Internet as weapons.

Much of it was still theory, but we were told that before too long it might be possible for a hacker with a computer to disable critical infrastructure in a major city and disrupt essential services, steal millions of dollars from banks all over the world, infiltrate defense systems, extort millions from public companies, and even sabotage our weapons systems.

Today it's not only possible, all of that has actually happened. And there's a lot more we don't even know about.

It's why President Obama has made cyberwar defense a top national priority and why some people are already saying that the next big war is less likely to begin with a bang than with a blackout.

"Can you imagine your life without electric power?" Ret. Adm. Mike McConnell asked "60 Minutes" correspondent Steve Kroft...

Microsoft confirms the existence of a bug in Windows Server 2008, Windows Vista and release candidates of Windows 7 that could be used to hijack PCs. While users await a patch, there are a few steps they can take to protect themselves.

Hours after its latest Patch Tuesday release, Microsoft confirmed the presence of a serious zero-day bug in Windows Vista, Windows Server 2008 and release candidates of Windows 7. 

The vulnerability, which lies in Windows' SMB (Server Message Block) 2, is due to the SMB implementation improperly parsing SMB negotiation requests. As of yesterday, Microsoft reported the flaw had not been the subject of attacks, but that could change as exploit code has been publicly available since Monday.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory said. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

While Microsoft officials said the company is working on a patch, they offered no timeline as to when it would be available. While users wait, the company recommends they disable SMB 2 via the Windows Registry Editor or block TCP ports 139 and 445 at the firewall. Both those workarounds, however, come with drawbacks. A mistake in the Registry Editor could force a user to reinstall Windows, while blocking ports 139 and 445 could stop applications from working.

The issue first came to light Monday when a researcher claimed he used it to trigger the infamous "Blue Screen of Death" on Windows Vista and Windows 7. Other researchers subsequently used the bug to crash other versions of Windows. After a day of investigation, Microsoft announced late Tuesday that the flaw was real, and reported it could not only cause a denial-of-service condition but could also be used to take over a system.

According to Microsoft, the Windows 7 RTM (release to manufacturing), Windows 2000, XP and Windows Server 2008 R2 are not affected by this vulnerability.

In addition to the latest zero-day, Microsoft has promised to fix a flaw in the file transfer protocol (FTP) service utilized by Internet Information Services (IIS). The flaw has come under attack by hackers, and Windows users are advised to leverage the information on workarounds and mitigations provided by Microsoft.

Note: While I agree that we must protect ourselves from Cyber-espionage and Cyber-warfare, having full access to the US Internet "plug" is not warranted. How about we just take our military systems offline? Do they really need to be connected to the world-wide-web?
---

Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

"I think the redraft, while improved, remains troubling due to its vagueness," said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."

Representatives of other large Internet and telecommunications companies expressed concerns about the bill in a teleconference with Rockefeller's aides this week, but were not immediately available for interviews on Thursday.

A spokesman for Rockefeller also declined to comment on the record Thursday, saying that many people were unavailable because of the summer recess. A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said.

The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government's role in cybersecurity. In May, President Obama acknowledged that the government is "not as prepared" as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.

Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.

The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.

Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)

"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."

Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.

The Internet Security Alliance's Clinton adds that his group is "supportive of increased federal involvement to enhance cyber security, but we believe that the wrong approach, as embodied in this bill as introduced, will be counterproductive both from an national economic and national secuity perspective."

Update at 3:14 p.m. PDT: I just talked to Jena Longo, deputy communications director for the Senate Commerce committee, on the phone. She sent me e-mail with this statement:

The president of the United States has always had the constitutional authority, and duty, to protect the American people and direct the national response to any emergency that threatens the security and safety of the United States. The Rockefeller-Snowe Cybersecurity bill makes it clear that the president's authority includes securing our national cyber infrastructure from attack. The section of the bill that addresses this issue, applies specifically to the national response to a severe attack or natural disaster. This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks. To be very clear, the Rockefeller-Snowe bill will not empower a "government shutdown or takeover of the Internet" and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the president directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government's response.

Unfortunately, I'm still waiting for an on-the-record answer to these four questions that I asked her colleague on Wednesday. I'll let you know if and when I get a response.

How serious are you about your company's information security?  You will get very serious quickly when your company is audited by a third party.  These aren't third party vendors either, we're talking about the pending alliance will be profitable for your organization, get us through this audit...type of third party audit.

Playing these situations to your fullest abilities will not only increase the profitability of your business, it will also result in a tightened down security posture for your company.  I know, audits tend to cause headaches, neck pain as well as stress and the related "burn out" syndrome. But, I say expand your horizons, take a look at the big picture.  How close are you to the ISO standards?  What are those little pet projects that are curtailed by cultural issues which require C-level buy-in?  This may be the straw that increases security in your environment.  You may even get your pet project going again after frustrating funding delays.

I seem to be going through my fair share of these lately and have a few pieces of advice for those facing this same reality.

1. Stay calm and be prepared to the best of your ability.
2. Provide the auditor with a hard and soft copy of your IT Security policy, hopefully one based on Internationally agreed standards.
3. Use post-it flags to mark answers in the policy to any questions provided in advance. Saving the auditor time is a good thing.
4. Make sure your policies include the approval date and revision histories for each section of policy.
5. Set up a clean "routine" image workstation for the auditor to verify at their leisure.
6. Have copies of your Security Awareness Training materials ready.
7. Give heads up to the collateral departments which will need to provide requested documentation.  Like HR for background checks and Physical Security for access logs. 
8. Practice accessing your logs from any SEIM or logging device.  Double check logging enabled settings on all critical servers.
9. Allow the examiner to work in a secured environment away from prying eyes and curious onlookers.
10. Re-evaluate and study your questionnaire answers from the previous phases of the audit.
11. Showing your professionalism and your dedication to security will undoubtedly assist in obtaining the vital business alliances required in our global economy.

 Let me know some of your audit survival skills and secrets and I'll update this page with your ideas.

SEOUL, South Korea -- A wave of cyberattacks aimed at 27 American and South Korean government agencies and commercial Web sites temporarily jammed more than a third of them over the past five days, and several sites in South Korea came under renewed attack on Thursday.

The latest bout of attacks, which affected service on one government and six commercial Web sites in South Korea, was relatively minor, and all but one of the sites was fully functional within two hours, an official from the state-run Korea Communications Commission told The Associated Press.

Officials and computer experts in the United States said Wednesday that the attacks, which began over the July 4th weekend, were unsophisticated and on a relatively small scale, and that their origins had not been determined. They said 50,000 to 65,000 computers had been commandeered by hackers and ordered to flood specific Web sites with access requests, causing them to slow or stall. Such robotic networks, or botnets, can involve more than a million computers.

The Web sites of the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department were all affected at some point over the weekend and into this week, The Associated Press reported Tuesday, citing American officials.

A White House spokesman, Nick Shapiro, said in a statement on Wednesday that "all federal Web sites were back up and running" by Tuesday night and that the White House site had also been attacked.

He said, "The preventative measures in place to deal with frequent attempts to disrupt whitehouse.gov's service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected."

The Web site of the New York Stock Exchange also came under attack, as well as the sites of Nasdaq, Yahoo's finance section and The Washington Post.

Researchers who are following the attacks said that they began July 4 and focused on the small group of United States government Web sites, but that the list later expanded to include commercial sites in the United States and then commercial and government sites in South Korea. Files stored on computers that are part of the attacking system show that 27 Web sites are now targets.

In South Korea, at least 11 major sites have slowed or crashed since Tuesday, including those of the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, the mass-circulation newspaper Chosun Ilbo and the top Internet portal Naver.com, according to the government's Korea Information Security Agency.

On Wednesday, some of the South Korean sites regained service, but others remained unstable or inaccessible.

"This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level," the South Korean spy agency, the National Intelligence Service, said in a statement, adding that it was cooperating with the American authorities to investigate the attacks.

The spy agency said the attacks appeared to have been carried out by a hostile group or government, and the news agency Yonhap reported that the agency had implicated North Korea or pro-North Korean groups.

A spokesman at the intelligence agency said it could not confirm the Yonhap report about North Korea's possible role. The opposition Democratic Party accused the spy agency of spreading rumors to whip up support for an antiterrorism bill that would give it more power.

Although most of the North Korean military's hardware is decrepit, the South Korean authorities have recently expressed concern over possible cyberattacks from the North. In May, South Korean media reported that North Korea was running a cyberwarfare unit that operated through the Chinese Internet network and tried to hack into American and South Korean military networks. United States computer security researchers who have examined the attacking software and watched network traffic played down the sophistication and extent of the attacks.

"I would call this a garden-variety attack," said Jose Nazario, manager of security research at Arbor Networks, a network security firm that is based in Chelmsford, Mass. He said that the attackers were generating about 23 megabits of data a second, not enough to cause major disruptions of the Internet at most of the sites that were being attacked.

"The code is really pretty elementary in many respects," he added. "I'm doubting that the author is a computer science graduate student."

As for possible origins, there were only hints. One researcher, Joe Stewart, of Secureworks' Counter Threat Unit in Atlanta, said the attacking software contained the text string "get/China/DNS," with DNS referring to China's Internet routing system. He said that it appeared that the data generated by the attacking program was based on a Korean-language browser.

Amy Kudwa, a Department of Homeland Security spokeswoman, said that the agency was aware of the attacks and that it had issued a notice to federal departments and agencies, as well as to other partner organizations, advising them of steps to take to help mitigate attacks.

Note: Should I really submit this information? BAHHAHAH!

I received this as an email at work today.
------------
FEDERAL BUREAU OF INVESTIGATION
ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
J. EDGAR HOOVER BUILDING935
PENNSYLVANIA AVENUE,
NW WASHINGTON, D.C. 20535-0001

NOTIFICATION! NOTIFICATION!! NOTIFICATION!!!

This is an official advice from the FEDERAL BUREAU OF INVESTIGATION (FBI). It has come to our notice that some certain individuals have used your name as the beneficiary of funds worth Millions of United States Dollars from abroad. These individuals with their collaborating banks knowing fully well that they do not have enough facilities to effect this payment from any part of the world to your account, used what we know as a Secret Diplomatic Transit Payment (S.T.D.P) as well as the ATM card system to pay this fund which has not been completed till this day.

Direct transfers are difficult and Secret Diplomatic Transit Payment (S.T.D.P) are not made unless the funds are related to terrorist activities and we ask why must your payment be made in secret transfer if your transaction is legitimate.We do not want you to get into trouble as soon as these funds reflect in your account, so it is our duty as an International Commission to correct these little problems before this fund is credited into your personal account.

However, due to the increased difficulty and security by the American authorities when funds come from outside of America and Europe. The F.B.I Bank Commission for Europe has stopped your transfer. We govern and oversee funds transfer for the World Bank and the rest of the world. We advice you to contact us immediately, as the funds have been stopped and are being held in our custody, until you are able to provide us with a Diplomatic Immunity Seal of Transfer (DIST) document within 3 days from the Country that authorized the transfer from where the funds was transferred from to certify that the funds that you are about to receive are terrorist/drug free or we shall have cause to impound the payment and subsequent prosecution. We shall release the funds immediately we receive this legal document and make sure that you get your payment without any further delay.

----------------------------------------------------------------------------------------------------------------
We decided to contact you directly to acquire the proper verifications and proof from you to show that you are the rightful person to receive this fund, because of the amount involved. Be informed that the funds are now with a top bank in the United State in your name and under the monitoring/custody of the FBI.
At the moment, we have asked the bank not to release the fund to anybody that comes to them, unless we instruct them to do so, this is to enable us carry out a comprehensive investigations first before releasing the fund to you. Hence, you are to forward the document to us immediately if you have it in your possession, if you do not have it, let us know so that we will direct you where to obtain the document and send to us. Thereafter, we will ask the bank holding the funds, to go ahead and credit your account immediately. FBI Identification Record and Diplomatic Immunity Seal of Transfer (DIST) often referred to as a Criminal History Record or Rap Sheet is a listing of certain information taken from fingerprint submissions retained by the FBI in connection with arrests, and in some instances, federal employment, naturalization, or military service.
This Condition Is Valid until after 30 days upon receipt of this notice, thereafter we shall take actions on canceling the payment and then charge you for illegally moving funds out of the country under the
jurisdiction of the United Nations.
GUARANTEE: Funds will be released on confirmation of the
document.

-------------------------------------------------------------------------
Final Instruction;
1. Credit payment instruction: Irrevocable credit guarantee.
2. Beneficiary has full power when validation is cleared.
3. Beneficiaries bank in U.S.A. can only release funds.
4. Upon confirmation from the World Bank / United nations.
5. Bearers must clear bank protocol and validation request.
-------------------------------------------------------------------------

NOTE: We have asked for the Diplomatic Immunity Seal of Transfer (DIST) document to ensure the most complete and up-to date records possible for the enhancement of public safety, welfare and security of society while recognizing the importance of individual privacy rights. If you fail to provide the Documents to us, we will charge you and take appropriate action against you for not proving the legality of the funds. The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review.
The FBI Criminal Justice Information Services (CJIS) division processes these requests to check illegal activities in USA and beyond. An individual may request a copy of his or her own FBI Identification Record for personal review or to challenge information on the Record. Other reasons an individual may request a copy of his or her own Identification Record may include international adoption or to satisfy a requirement to live or work in a foreign country or receive funds from another country, i.e. Diplomatic Immunity Seal of Transfer, letter of good conduct, criminal history Background, etc.) We look forward to hearing from you. Be rest assured that your individual rights will be protected, while we ensure that you receive your funds. We are sorry for what you have gone through and we want to provide justice.

Yours Sincerely
FBI Director
Robert S. Mueller, III

Note: Duh! Advertise to the entire Internet that you're going on vacation.
--

Here's either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.

Israel Hyman posted to approximately 2,000 followers on Twitter that he and his wife were "preparing to head out of town," that they had "another 10 hours of driving ahead" and later, that they "made it to Kansas City."

When he came home, he found that someone had broken into his house and stolen thousands of dollars worth of video equipment he used for his video business, IzzyVideo.com, which he uses for his Twitter account.

"My wife thinks it could be a random thing, but I just have my suspicions," he told the Associated Press. "They didn't take any of our normal consumer electronics."

Personally, I don't think it's a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don't think it's necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.

The real-time aspect to mobile uploads makes this situation even more risky and location-aware technology seems like it would be a great tool for spies of all kinds. In this excellent article in Wired, Mathew Honan records his experience being a social geoapps guinea pig.

"Did I really want to tell the world that I was out of town?" he writes. "Because the card in my camera automatically added location data to my photos, anyone who cared to look at my Flickr page could see my computers, my spendy bicycle, and my large flatscreen TV all pinpointed on an online photo map. Hell, with a few clicks you could get driving directions right to my place--and with a few more you could get black gloves and a lock pick delivered to your home."

As a test, he innocently stalked a woman taking a photo in Golden Gate Park with her iPhone 3G. He searched the Flickr map and found one of the shots the woman took and verified it was her by viewing her photo stream. He then looked at her photos on the Flickr map and saw a cluster of images in one spot. The shots were of an interior of what was likely her apartment.

"Now I know where she lives," he writes.