Matt (Active Members) - Posts: 1773, Days Won: 6

Everything posted by Matt

  1. Black Hat 2013 NSA head General Keith Alexander believes the NSA's data-slurping programs should "be something we put forward as an example to the rest of the world," due to the oversight afforded by the courts, Congress, and the administration. The spy chief made his remarks at the Black Hat security conference in Las Vegas on Wednesday, after a tough couple of months for the secretive organization during which mega-leaker Edward Snowden spilled the beans on telephony metadata collection programs in the US, content interception abroad via PRISM, and other schemes abroad. At Black Hat, Alexander vigorously defended both the metadata interception via the authority provided by the Patriot Act (Section 215), and the Foreign Intelligence Surveillance Act (FISA, Section 702). He argued that the oversight afforded to the government, court, and administration concerning the schemes more than compensates for any potentially uncomfortable feelings people may have about privacy invasion. Alexander's disclosures came about due to the unprecedented intelligence leaks from Edward Snowden, a former Booz & Allen contractor who had worked in the NSA. Last week Alexander said the Snowden leaks represented a "huge break in trust and confidence" between the NSA and its contractors. "The tools and things we use are very much the same as the tools you use in securing networks," Alexander said. "The difference in part is the oversight and compliance we have in these programs – that part is missing in much of the discussion." The general went on to discuss at length the immense oversight that NSA analysts are under, and stressed that very few within the organization have the ability to query the information slurped up by these programs. He attempted to reassure a skeptical audience by saying "our people have to take courses and pass exams to use this data." Data from the interception programs has "provided value" across some 53 "terror-related activities" detected by the NSA.

    "Remember," Alexander said. "Their intent is not to go after our communications, their intent is to find the terrorist that walks among us." Keith "break in trust and confidence" Alexander also tried to reassure people that the data being shared by Silicon Valley tech companies was not as great as that feared by the press. "Industry just doesn't dump stuff to us and say 'Hey, here are some interesting facts.' They are compelled by court order to comply where all three branches of our government have come together," he said. Only 35 analysts within the NSA are authorised to run queries on user metadata, Alexander said, and there are 22 people within the NSA that can approve this. "In 2012 there were less than 300 numbers approved for queries," he said. "These queries resulted in 12 reports to the FBI. Those reports contained less than 500 numbers – not millions, not hundreds of thousands, not tens of thousands: less than 500." As for the mass interception of foreign national data such as emails and other content via the 702 program, Alexander said that Congress had reviewed this program over a four-year period and "found no willful or knowledgeable violations of the law or intent of the law in this program." He also bridles at the way the FISA court has been portrayed as being a "rubber stamp" organization. "I'm on the other end of that table with federal judges, and anyone here who has been up against a federal judge knows these are people with tremendous legal experience that don't take any – I'm trying to think of a word here – from even a four star general," he said. "They are not a rubber stamp." The immense oversight under which NSA analysts labor when investigating telephony or email data jars rather heavily with the "XKeyscore" program that was revealed by The Guardian on Wednesday. XKeyscore apparently lets analysts trawl an individual's emails, social media activity, and internet queries, without the need for review by either a court or senior NSA personnel.

    The XKeyscore system can be queried by name, telephone number, IP address, keywords, and email address. "Allegations of widespread, unchecked analyst access to NSA collection data are simply not true," the NSA said in a statement to The Guardian. "Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks. ... In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring." Near the close of his speech Alexander said "We stand for freedom." A member of the black-clad, security-aware audience, however, took issue with that assertion. "Bullshit!" he shouted. ® Source: TheRegister.co.uk
  2. Black Hat 2013 Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed-denial-of-service attacks at the click of a button. In a presentation at the Black Hat conference in Las Vegas on Wednesday, researchers from WhiteHat Security showed off their technique, which uses iframes in web ads to call a JavaScript file that hammers a site with requests. The exploit "forces JavaScript to use cross-origin requests to force as many requests as possible out of a single browser or a lot of browsers to a single website," WhiteHat Security's threat research center chief Matt Johansen said. The company embedded JavaScript code in an advert that they ran on an unnamed ad network. This code pointed to an Amazon Web Services server on which they hosted the core JavaScript file, which they could then modify after the ad was deployed. WhiteHat confirmed that the ad network did evaluate the code, but seeing nothing overtly malicious, permitted it to go ahead. "We had kind of benign JavaScript here, but if you started using the evil ideas the code might start to look a bit suspicious," Johansen said. "We didn't dip our toe into the [ad] porn networks." The researchers' code asked the browser to throttle up to its maximum amount of connections (six in Firefox, for example) and access the website via HTTP. They also demonstrated a workaround that can go above the browsers' permitted number of concurrent connections by using an FTP request format, potentially allowing one browser to flood a site with concurrent connections. This approach let the researchers deploy an ad that could automatically execute when served on a page and force viewers' browsers to hammer a site of WhiteHat's choice with requests. "What's the benefit of hacking this way – why not do a traditional DDoS attack?" asked WhiteHat's threat research center manager Matt Johansen, who then answered his own question.

    "There is no trace of these. The JS gets served up, it goes away. It's very, very easy." The only real way to trace this back to WhiteHat would be to go to the ad network and get the credit card used to buy the malicious adverts, Johansen said. As Reg readers will know, it's not too difficult for hackers to illicitly and anonymously gain access to credit cards. In a live demonstration, the researchers showed 256 concurrent connections to a single Apache Web Server, with over a million connections tracked in an hour. The total cost of the ads was lower than the cost of the Amazon instance used to serve the illicit JavaScript, and both only cost tens of dollars. Next, WhiteHat plans to work with partners to deploy a version of the exploit that explicitly targets a site protected by a DDoS-protection service. They also plan to try to use the technique to run distributed MD5 hash cracking via a software tool such as Ravan. Previously, the same researchers have cracked open Google's Chrome OS. Much to the dismay of this ad-funded publication, the researchers plugged the use of ad blockers as one of the only easy ways to remediate this problem. ® Source: TheRegister.co.uk
  3. Black Hat 2013 Security researchers have warned against the industry's use of femtocells after successfully hacking into two popular models of femtocell, allowing them to intercept voice and SMS information from nearby mobile devices. The exploit was detailed by iSEC Partners at the Black Hat conference in Vegas after being revealed earlier in July, and affects two femtocells used by Verizon and one repackaged Verizon box put out by Sprint, which have already been remotely patched. Femtocells are used to extend the range of broadcast signals in hard-to-reach places, and work by creating a secure IPsec tunnel between themselves and their carrier's larger network. If the signal is lacking or poor, then phones will automatically hop onto a nearby femtocell. The researchers believe it is the first time an exploit has been disclosed against femtocells produced by US carriers. The exploit has been verified to work on a 2009 SCS-26UC4 and a 2010 SCS-2U01 femtocell from Verizon. The exploit saw the researchers gain access to the femtocells via interfacing with an HDMI port on the base of the device, then gaining root access to the stripped-down Linux system inside. Once inside the system, they were able to implement methods for intercepting and decoding both voice and SMS traffic – data proved too difficult. They also developed a technique for cloning the phone, allowing people to surreptitiously listen in to calls. Though these vulnerabilities have been subsequently patched, the researchers are not confident in the continuing integrity of the femtocell as an architecture. This is because the hardware can never be totally locked down by the vendor, and so there will always be some kind of exploit, they reckon. "There are over 30 carriers worldwide who have femtocells," Tom Ritter, a security consultant at iSEC Partners, explained. "Clearly there are issues here.

    You could of course harden the actual device [but] there's nothing you can do on the platform to prevent physical attackers getting in. There are lots of ways to break onto a physical device." Another route would be to have carriers mandate that femtocell users register expected numbers with the operator in advance, "but we don't think it is enough," they said. They instead recommend the use of secured VoIP on Wi-Fi when out of tower range, or the use of secure end-to-end encryption via apps, of which ones made by Whisper Systems and Silent Circle would be examples. "Really, you should be ditching them altogether. We're just pretty nervous about giving random people like yourselves cellphone towers and [you] breaking into them." ® Source: TheRegister.co.uk
  4. D-Link has issued patches for a pair of its network video recorders after a Qualys analysis identified remote authentication bypass vulnerabilities. The DNR-322L and DNR-326 recorders are midrange 4TB recorders which, among other things, can be used as recorders for the company's IP cameras. As reported by PC World, Qualys also identified information disclosure and denial-of-service vulnerabilities. An attacker could also perform a remote admin password reset on vulnerable systems, and push firmware into the machines without authentication. The patches were issued by D-Link mid-July after Qualys notified the company of the vulnerabilities. The DNR-322L firmware patch is here, and the DNR-326 patch is here. Qualys' Bharat Jogi presented the vulnerabilities to the BSides Las Vegas conference. He told PC World that the Shodan search engine can locate “16,000 D-Link NAS and NVR devices connected to the Internet.” The number of DNR-322L and DNR-326 devices (the units subject to the Qualys-discovered vuln) El Reg was able to find on Shodan is far more modest: fewer than 200. However, it comes as no surprise that other NVRs might also have vulnerabilities, or that there may be units exposed to the Internet but still carrying their out-of-the-box passwords. ® Source: TheRegister.co.uk
  5. Black Hat 2013 Researchers from Georgia Tech's Information Security Center (GTISC) claim to have found a way to sneak a malware-ridden app through Apple's inspection regime, and have also raised concerns about “malicious chargers” for iPhones. The GTISC team explains its research here and claims to have created an app “which rearranges its own code to create new functionality that is not exhibited during Apple’s approval process. This allows the malicious aspects of the app to remain undetected when reviewed and therefore obtain Apple’s approval.” The researchers claim to have published the app and that it “can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge.” The researchers also “decided to investigate the extent to which security threats were considered when performing everyday activities such as charging a device” and have created a “malicious charger” called "Mactans" to explore the issue. The term is problematic on two fronts, the first of which is that the “charger” is not a charger but a single-board computer concealed within the carapace of a charger and packing software that allows it to rummage about in iOS' innards and do nasty things to them. The team found users who connect to this device can have lots of nasty damage done to their phones, which is hardly surprising. That such an outcome is possible is not welcome: whatever iOS flaws make it possible for a single board machine to do naughty things clearly need to be addressed. Whether it is useful for world+dog to have the term “malicious charger” enter the lexicon is a different matter. Happily, the second problem with “malicious chargers” has already been addressed by Apple, which has been noted by those who saw the Georgia Tech team speech at Black Hat.

    Apple's pre-fix is a new iOS 7 feature that asks users if they trust the computer into which they have plugged their iThing. The Reg imagines that anyone plugging their high-fructose phone into a charger and finding that message would take a second, and far closer, look at their source of electrons before proceeding. ® Source: TheRegister.co.uk
  6. Microsoft's upcoming launch of Windows 8.1 is set to include a host of features designed to simplify authentication and data protection, the company said. Speaking with V3 at the 2013 Black Hat conference, Microsoft Windows security and identity group program manager Dustin Ingalls said that the company would be investing in both its in-house security tools as well as the options the company provides to third-party security vendors for managing and securing applications. Among the new features will be an update to Internet Explorer which will allow anti-malware applications to load prior to any ActiveX components in the browser's boot process. By having the ability to load early, the security tools will be able to spot and block potential threats from malicious ActiveX controls. Also featuring in the 8.1 release will be Selective Wipe, a remote management component which will allow administrators to revoke encryption keys on specific files and remotely revoke the keys to block access when a device is lost or a user leaves a company. Ingalls said that with consumerisation increasingly bringing personal tablets and PCs into the office, a conventional wipe tool that deletes all data on a device is no longer practical. “If you wipe a whole phone today the worst you lose is a couple text messages or some photos,” he said. “You can't go wiping somebody's personal PC, you could find yourself in the middle of a nasty lawsuit or all sorts of other things.” Perhaps the feature Microsoft is most proud of, however, is a leap forward in support for biometric authorisation. Once the domain of clumsy and unreliable swipe-scanners, Microsoft has improved biometrics support and is working with hardware vendors on a new generation of sensors which will be able to authorise a user with a simple press of a fingerprint to a sensor embedded in a keyboard, notebook casing or tablet bezel.

    Ingalls believes that with passwords no longer proving a practical measure and elaborate two-factor authentication schemes frustrating users, the time has come for a new generation of intelligent and precise biometric scanners. “This is going to be a big deal. When even Twitter has to release two-factor authentication, passwords are reaching the end of their road,” he said. “[Two-factor] might be more secure than just a password, but they are definitely not more usable, and that is why users won't use them.” Source: V3.co.uk
  7. Researchers are calling on mobile operators worldwide to drop support for femtocell units following a harrowing proof-of-concept demonstration. Security firm iSEC Partners drew a packed house at the conference when it demonstrated a simple system which compromised a Verizon femtocell unit and then used the system to gather nearby mobile traffic. The real-time demo included the capture of voice calls, a display of SMS messages sent by volunteers in the audience and even a video demonstrating an attack in which web data traffic could be pulled to harvest user credentials. The stakes were only raised further as the demonstration progressed, with researchers using the hacked femtocell to collect unique device identifiers for mobile handsets. The collected data was then used to 'clone' a test handset, potentially allowing an attacker to eavesdrop on conversations and place calls from the account of the cloned system. While US carrier Verizon has since patched the vulnerability in question and was said by the researchers to be very cooperative, iSEC researcher Doug DePerry warned that the exploit method used in the attack could be modified in the future or other modes of entry could be found to take over other femtocell units. Rather, iSEC believes that in order to prevent these sorts of attacks network operators need to drop support for femtocells altogether and implement their security protections at the network level rather than rely on the relatively weak security of embedded devices. “Your phone will associate to a femtocell without your knowledge,” explained DePerry. “This is not like Wi-Fi, you do not have a choice.” The researcher noted that certain Android devices provide users with an icon to notify them when their handset is connected to a femtocell network, though other popular models such as the iPhone do not.

    For users who are looking for protection against possible femtocell attacks, the company said it is developing a free application which will force a handset to go into airplane mode when a femtocell is detected. The researchers noted that the app is largely precautionary and not intended for novice users. Source: V3.co.uk
  8. A trio of university researchers have developed a method for infecting iOS devices through the Apple power port. Posing as a charger device, the Mactans proof-of-concept is able to pair with an iOS device, gain access to heightened privileges and install both hidden and visible applications onto the targeted device, all through a USB connection. Researchers Billy Lau, Yeongin Jang and Chengyu Song of the Georgia Tech Information Security Center said that their device, and the exploit it is based on, preys upon a set of basic security flaws in the way Apple handles peripheral connections, device pairing and developer access on the iOS platform. The attack is launched when the iOS device is plugged into the Mactans and unlocked. The Mactans, which was built using a BeagleBoard microcomputer, then uses the USB link to pair with the device, install a developer provisioning profile, and begin loading applications onto the iOS device without any user warning or notification. According to the researchers, the device is able to take advantage of a flaw in pre-iOS 7 versions which pair the device without ever notifying the user. The Mactans then lifts the device's UDID indicator and uses the information to authorise the installation of a “provisioning profile,” a component intended for developer use which allows for additional privileges usually walled off from iOS apps. With the heightened access, the Mactans is able to perform tasks such as remotely controlling the device or hiding applications. In one demonstration, the attacker was able to hide the iPhone Facebook application and install a malicious copy in its place. The malware executed its task, then launched the legitimate “hidden” copy of Facebook, leaving the user none the wiser.

    The trio said that possible scenarios for infection in the wild could include disguising the Mactans as a free charger in public spaces, or porting the software and attack techniques to PC or OS X malware infections and executing attacks when the device is synced. Apple customers will be given some reprieve as the company will address the USB pairing issue in iOS 7 by asking users to verify all attempted pairings. The three researchers, however, noted that additional holes remain, including flaws in the way provisioning profiles are issued and a lack of tools to detect suspicious or potentially abusive activity on developer profiles. Source: V3.co.uk
  9. Matt

    How old are you? 2013

    I could say that quite a lot have actually voted. Daily there are at most 250 users online, of which > 65 are registered users.
  10. A cyber-jihad has erupted between groups of rival Islamic hackers in Bangladesh and Indonesia, resulting in attacks on hundreds of sites. The rival hackers have abandoned their normal pursuit of Israeli targets and have instead turned on each other. It is unclear which side started the war, although the Bangladeshi group have accused Indonesia of supporting Israel, even though relations between the two countries are frosty at best. A group called Bangladesh Grey Hat Hackers claimed to have hacked around 900 Indonesian sites and threatened to expand their assault to include ecommerce and financial sites. The full list also includes pet food sites, foreign embassies, and government websites. At the time of writing, loading up many of the sites resulted in a 404 error. On the group's Facebook page, a hacker called Rotating Rotor wrote an open letter to Indonesia, which we've rewritten slightly for the sake of clarity. Earlier today, Rotor wrote: "Assalamu Alaikum. First of all take my greetings of Ramadan. As you all know we are in a cyber war with the hackers of your country. You guys only knew that we are defacing your countries sites. "Now you can ask if we don't deface Muslim's sites then why we are attacking Indonesian sites? Believe me. We are forced to do so with your hacking teams, who wanted war with us several times before." The group have some "simple demands" which they have not yet announced. If these are not met, the hacking will continue for another six months, the group threatened. It claimed that five groups of Indonesians had carried out small-scale cyber attacks in recent months, eventually provoking a full-scale retaliation, despite repeated calls for peace. Rotor added: "We are getting thousands of requests from many Indonesians to stop the attack. We feel hurt after seeing this. We decided to stop. But Indo Hackers defaced our sites again. Then we changed our mind and continue to attack. "Right now we are just only defacing.

    If your Hackers don't stop we are going to inject malware and viruses to all of your e-commerce sites and destroy your e-commerce system. "We already gain access to many of your servers, We just observing your Hackers activities. "Believe me, I swear. We have the capabilities to continue this war for minimum 6 months. We got access to your unlimited servers." On the page, there are also dozens of comments from people using the famous Anonymous Guy Fawkes mask as their profile picture. One wrote: "The Zionists are laughing at us. Muslim vs Muslim. Better we all unite, not fight each other." Indonesian hackers also released a list of the Bangladeshi sites they have attacked in turn, which include religious courts and government websites, including the Presidential page. We visited some of the sites on the list, which show a message that said: "Stop attack my country. Don't touch my country Bangladesh. Fuck BD Gay Hay UR lamer. A little dog Murkho Manob was using message slander. Bitch dog really. YOUR MOTHER FUCKER!" Murkho Manob is a Bangladeshi hacker who targets websites he claims support Israel. A quick Google search shows he has attacked the website of a British Thai boxing club and also a rather quaint-looking hotel, as well as Israeli websites. We have written to both sides for comment, but they have not yet replied. ® It's war M A D A F A C A R !!! ) Source: TheRegister.co.uk
  11. An internal report by the Massachusetts Institute of Technology has found that it committed no wrongdoing in the case of Internet activist Aaron Swartz, who committed suicide while facing charges he hacked into the university's computers and stole millions of online documents. The report "makes clear that MIT did not 'target' Aaron Swartz, we did not seek federal prosecution, punishment or jail time, and we did not oppose a plea bargain," wrote MIT President L. Rafael Reif in a letter Tuesday to the MIT community. Reif had requested an analysis of the university's involvement in the federal case against Swartz from the time MIT first perceived unusual activity on its Web network in 2010. But the report also questioned MIT's "neutral" policy on the issues raised by Swartz's prosecution and suggested the university could have showed more leadership. It also asked whether MIT should become involved in debates over reform of the Computer Fraud and Abuse Act -- one of the laws under which Swartz was charged. Swartz, 26, was discovered dead in his Brooklyn, New York, apartment in January. He was facing 13 felony counts stemming from his illegal downloading from MIT of more than 4 million articles from JSTOR, a repository of research journals, and was scheduled to go to trial in April. If convicted on the federal computer-fraud charges, he faced up to 35 years in prison. Swartz was an Internet savant who helped develop social-news site Reddit and RSS, the technology that allows websites to send updates to subscribers. He was an outspoken advocate for the free exchange of information over the Internet and co-founded Demand Progress, a political action group that campaigns against Internet censorship. As described in the report, Swartz's death "ignited a firestorm on the Internet."

    Admirers held memorial services, a petition on the White House's website demanded the firing of the federal prosecutor responsible for the case and members of Congress introduced a proposed revision of the law under which he was prosecuted. After his suicide, Swartz's family issued a statement criticizing prosecutors for seeking "an exceptionally harsh array of charges (for) an alleged crime that had no victims," and claiming that decisions made by prosecutors and MIT officials had "contributed to his death." The MIT report on Swartz was issued by a review panel led by Hal Abelson, an MIT professor of electrical engineering and computer science. In preparing its report, the panel reviewed about 10,000 pages of documents and interviewed about 50 people, including MIT faculty, students, alumni and staff; lawyers, police officers and prosecutors; and Swartz's friends and family. "The review panel's careful account provides something we have not had until now: an independent description of the actual events at MIT and of MIT's decisions in the context of what MIT knew as the events unfolded," Reif wrote in his accompanying letter. "From studying this review of MIT's role, I am confident that MIT's decisions were reasonable, appropriate and made in good faith." But others disagreed, including Swartz's family and romantic partner. "Having now read Abelson's report, it is clear that MIT in fact played a central role in Aaron's suicide," Robert Swartz, Aaron's father, said in an e-mailed statement through a family friend. "MIT made numerous mistakes that warrant further examination and significant changes. MIT was not neutral in the legal case against Aaron. And whether MIT was neutral or not is a red herring: the university had a moral obligation to advocate on Aaron's behalf." Robert Swartz had some conciliatory reaction as well.

    "We are encouraged by MIT President Rafael Reif's desire to ensure that some positive comes of the terrible, tragic situation in which Aaron found himself, and applaud MIT for its commitment to self-examination." Swartz's partner was upset at the report. "MIT's behavior throughout the case was reprehensible, and this report is quite frankly a whitewash," said Taren Stinebrickner-Kauffman. "We have an institution to contrast MIT with -- JSTOR, who came out immediately and publicly against the prosecution. Aaron would be alive today if MIT had acted as JSTOR did. MIT had a moral imperative to do so," she said. There was further reaction, too. "Today's report was intended to provide closure for the MIT community regarding the overprosecution and tragic loss of Aaron Swartz. Instead, the report simply whitewashes MIT's role in Aaron's prosecution and revises history to protect MIT's image," said Demand Progress campaigner Charlie Furman. "MIT does not seem to understand that a few simple, reasonable actions would have saved Aaron's life," Furman added. "If the university had said publicly, 'we don't want this prosecution to go forward,' there would have been no case, and Aaron would be alive today." Source: CNN.com
  12. An annual show-and-tell of some of the most alarming security breaches currently known is underway at two hacker conferences being held in Las Vegas this week. Cybersecurity researchers, hackers, government agencies and privacy advocates converge at Black Hat and Defcon to share the results of some shocking research. Black Hat has already made headlines with the recent death of presenter Barnaby Jack, a hacker who was most famous for making an ATM machine spit out money, and the highly anticipated keynote speech, which will be given by National Security Agency director Keith Alexander. Defcon's founder Jeff Moss made waves when he wrote a blog post asking the Feds to stay home this year, in light of the revelation that data was secretly gathered by the government from telecommunications and Internet companies. But shrouded beneath the headlines is a multitude of unnerving hacks that threaten everything from cars, to spying TVs, to medical devices. Here are five of the scariest security threats presented at this year's hacker conferences.

    Hacking humans

    Before his death, Barnaby Jack was scheduled to give a presentation on the vulnerabilities of implanted medical devices. Anything from pacemakers to surgery schedules are at risk, and cybersecurity experts believe the medical community needs a wake-up call. "His was going to be an amazing talk around, really, the state of the medical side of the field and all of the devices we're bringing in that are electronic, that are networked," David Kennedy, founder of information security firm TrustedSec and friend of Jack's, told CBSNews.com. "If you think about it, when we go to a hospital all of that stuff is connected together. If an attacker can get into that, manipulate and change it, they can actually cause deaths. They can cause other symptoms, things like that. They can replace medical records, they can have you have a different operation."

    Surveillance TVs

    A presentation by iSEC Partners will demonstrate how a malicious attacker can hijack the front-facing camera or microphone of a Samsung Smart TV and turn it into a surveillance device. Researchers Aaron Grattafiori and Josh Yavor will also reveal the fixes that Samsung has made, and talk about what other Smart TV makers should focus on.

    Cars gone wild

    At Defcon, iSEC's Charlie Miller and Chris Valasek will release details of how they were able to reverse engineer the software of the Ford Escape and Toyota Prius. Demonstrated recently to Forbes, the researchers were able to use their laptops to kill power steering, spoof the car's GPS system and adjust the speedometer.

    Power grids and water plants at risk

    Trend Micro threat researcher Kyle Wilhoit is presenting a trap called an industrial control systems (ICS) honeypot that is set up to spy on and profile nefarious cyberattackers. His findings reveal that our critical infrastructure is not only vulnerable to attacks, but has already been targeted. "The power grid is said to be inherently insecure, and there are confirmations of that. And also water plants are statistically insecure, primarily because there's not a lot of governing factors that come into place on municipal water supplies," Wilhoit told CBSNews.com. "Likewise on the power grid, they're using archaic technology that was deployed when power generation was the primary concern and not necessarily security."

    Hacked by an iPhone charger

    Georgia Tech Information Security Center researchers will reveal how they were able to hack into an iPhone using its charger at a Black Hat briefing on Wednesday. "We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices," Georgia Tech research scientist Tielei Wang said in a statement. "Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps -- all without the user's knowledge." The researchers say they notified Apple of their findings and the company has made strides to fix the issues. Black Hat is currently underway, with presentations starting Wednesday. Defcon starts on Thursday. Source: CBSnews.com
  13. Microsoft (NSDQ:MSFT) is set to judge live attempts to bypass the security defenses in its latest operating system -- Windows 8.1 Preview -- giving hackers an attempt to earn $100,000 as part of the company's new bug bounty reward program. Hackers will use their working exploits on a Lenovo ThinkPad X1 Carbon Touch, a business Ultrabook, at the Black Hat conference in Las Vegas. The software giant's security engineers will judge the attempts to crack into the laptop at its booth at about 12:30 Pacific Time on July 31 and Aug. 1. In addition to up to $100,000 for demonstrating a mitigation bypass, Microsoft will award each successful hacker with the ThinkPad X1. "If you're successful at the live demo portion of the event, you and the judges will be whisked away to de-brief in the private Judging Suite upstairs, where they'll examine your work more closely and ask any relevant questions while you enjoy a well-earned break from the chaos," said Katie Moussouris, a senior security strategist at Microsoft, in the company's Blue Hat Prize blog. To be eligible, hackers must submit an exploit that bypasses the mitigation, with the source code, and must exploit a real remote code execution vulnerability. A white paper also must be submitted explaining the exploitation method. "A novel exploitation method must be an integral and required component of enabling reliable remote code execution," Microsoft explained as part of its bypass bounty program rules. Submissions must be capable of exploiting a user mode application through bypassing either stack corruption defenses, heap corruption mitigations or code execution prevention technologies. The technique cannot be described in prior works, Microsoft said.
The first Microsoft bounty rewards were issued to researchers earlier this month, with Ivan Fratric, a Google (NSDQ:GOOG) engineer who qualified for finding a flaw in Internet Explorer 11, receiving the first award. Microsoft, Redmond, Wash., said in June that it would reverse course on a longstanding stance against bug bounty programs and unveiled three vulnerability reward programs. In addition to a mitigation bypass bounty program, the company has a Blue Hat Bonus for Defense program, which rewards researchers an additional $50,000 bonus for defensive ideas that accompany a qualifying mitigation bypass bounty submission. The IE11 preview bug bounty program closed July 26. It was open for the first 30 days following the release of the latest preview version of its Internet Explorer browser. It rewards researchers up to $11,000 for critical vulnerabilities. Moussouris said Microsoft will adjust its vulnerability rewards programs based on the threat landscape and the new applications and components it releases. Source: Crn.com
  14. Security firm PhishMe has unveiled new Phish Reporter technology designed to help employees more quickly alert IT departments about harmful messages. The company unveiled the new service at Black Hat in Las Vegas, promising it will help companies better defend themselves from phishing and drive-by attacks. Phish Reporter is an Outlook extension designed to add a new alert button to the email client's toolbar that, when clicked, marks a message as suspicious. The service automatically uses PhishMe network data and incoming company information to scan the email and check if it is suspicious before forwarding it on to the firm's security team, stopping employees from overloading administrators with requests. PhishMe claims the data collected by the tool can be used by companies to retrieve time-stamped entries of reported phishing emails, create in-depth incident reports showing which emails have been flagged as suspicious over an extended period of time, improve phishing message filtering policies and improve attack detection times. This will reportedly help companies reduce incident response costs across the board. PhishMe chief executive officer and co-founder Rohyt Belani said the tool will let companies make the most of cyber-savvy employees who are not directly tied to their security department. "With the new Phish Reporter button, organisations can effectively turn their employees into spear-phishing sensors," he said. "Many of our customers have successfully created an awareness culture in which employees can identify spear-phishing emails, but they lacked a fast, effective way to report these emails to the appropriate department within the organisation. Phish Reporter will help fill this void." PhishMe chief technology officer and fellow co-founder Aaron Higbee added that the tool will also provide feedback to the users who reported phishing incidents, letting them know if the messages were in fact dangerous.
He said the feedback will have an added educational value, improving companies' overall cyber security awareness. "PhishMe has established a unique methodology for scoring a user's ability to identify phishing attempts," he said. "With each employee being a potential sensor, they can now become proactive contributors to the threat-detection process and security teams can prioritise their analysis based on a user's scoring history." Phish Reporter's unveiling follows widespread rumblings within the security community that suggest the phishing threat facing businesses is growing. Most recently Kaspersky Lab reported that crooks are targeting an average of 3,000 Brits with phishing messages every day in its report The evolution of phishing attacks 2011-2013. Source: V3.co.uk
  15. The software powering the US National Security Agency's (NSA) powerful search techniques has been revealed. Called XKeyscore, the software is a basic web form which trawls through hundreds of billions of recorded internet traffic to list relevant results. Revealed by the Guardian today, screenshots reportedly show an NSA tutorial presentation detailing how to use the software. The article claims that analysts connected to the browser-based system could search through the NSA's records without any review process, meaning data searching was effectively a free-for-all for employees and contractors. The Guardian says that the purpose of the software was "to allow analysts to search the metadata as well as the content of emails and other internet activity". Screenshots show specific applications which could be used to monitor Facebook users' messaging history simply "by entering the Facebook user name and a date range into a simple search screen". The software also claims to be able to rifle through user search history simply by referring to HTTP activity, and makes examples of the BBC website as one potential source of information, as well as Wikipedia, Twitter and Yahoo. It is claimed that the software searched through 850 billion so-called "call events" such as emails and phone conversations as well as a further 150 billion internet records. The Guardian says one to two billion records were added every day, with all data only stored for around three to five days. The paper quotes a former NSA mathematician as saying that the NSA had assembled 20 trillion transactions between US citizens. Finally, it alleges that exchanges between foreign citizens are stored in the same database as those which involve US citizens, meaning records of non-US citizens are just as accessible without a warrant.
In a statement to the Guardian, the NSA said that the use of XKeyscore was legal and justified, and insisted that allegations of "widespread, unchecked analyst access to NSA collection data are simply not true". The former NSA contractor and whistleblower Edward Snowden, who initially released the documents relating to PRISM, is still seeking asylum and is currently believed to be in Russia. Source: V3.co.uk
  16. Las Vegas: The head of the US National Security Administration (NSA) took to an audience of thousands of security professionals to explain his agency's controversial surveillance programmes. Gen. Keith Alexander told attendees at the 2013 Black Hat conference that the agency's FISA and PRISM procedures are being carried out with far more discretion and oversight than commonly believed and are solely used for the purpose of gathering data on known or suspected terrorists. “Their intention is not to go after our communications, their intention is to find the terrorists that walk among us,” Alexander said of the NSA. “We comply with court orders and do this exactly right, and if we make a mistake we hold ourselves accountable and report it.” According to Alexander, the NSA operates under a strict set of limitations and is subject to regular audits which pore over all collected data, much of which is highly anonymised. According to screen shots provided by the NSA, phone data is limited to dates and times, origin and destination numbers, and means of collection. No audio, SMS or account information is harvested at any point in the process. The number of people actually in charge of the surveillance information is limited as well. Alexander said that just 22 individuals within the NSA are allowed to authorise the collection of data, and just 35 analysts are authorised to view phone data collected through the FISA programme. Alexander also talked up the strict judicial regulations that govern the programme and require the NSA to obtain authorisation from Federal Courts for all surveillance activities. Contrary to popular belief, says Alexander, the NSA often finds itself with a skeptical audience when it seeks judiciary approval. “They want to make sure that what we are doing comports with the constitution and federal law, and they are dead serious about it,” Alexander told attendees.
“These are tremendous judges, they are not a rubber stamp.” The NSA boss was not without his detractors, however. Sporadic heckling from the crowd roasted Alexander for issues ranging from the constitutionality of the programme to the US policies behind its Middle East activities. Ultimately, however, Alexander would reach out to the audience, inviting security professionals to submit their questions and comments to the administration and help it to revise and improve its policies. “We need to hear from you because the tools and the things we use are very much the same as the tools you use in securing your networks,” he said. “The difference is the oversight and compliance we have in these programmes, that part is missing in much of the discussion.” Source: V3.co.uk
  17. What the hell is this, man? Linkmania? Are you padding your post count by posting trailers now?
  18. AV-Test.org has published a new comprehensive test covering the 26 most widely used Security Suite programs on the market for home users. It was carried out in March – April 2013 on a Windows 7 system, and the results are quite interesting: all products received AV-TEST.org certification, with the exception of Microsoft Security Essentials and K7 Computing Total Security. Three main criteria were used to separate the products: protection, performance and impact on PC usability. Each had a possible maximum of 6 points. The “Protection” criterion combines static and dynamic virus detection, including testing against the latest attacks. For “Performance”, the impact of a security product on system resources during everyday activities was tested: browsing the internet, copying documents, downloading files, etc. “False alarms and usability” evaluated the false alarms generated when visiting websites, running programs, or when legitimate actions of various installed programs were blocked. To receive AV-Test.org certification, a product must score at least 11 points. The products were evaluated over 2 months against the latest viruses through a Real-World test (infected websites, viruses spread by email) – 132 samples – and the “classic” test on a larger malware set (19,741 viruses). All viruses were collected during the two months of testing. As far as PC protection is concerned, a key component, given that preventing infection is preferable to cleaning it up… five vendors received the maximum of 6 points, namely BitDefender, Comodo, F-Secure, G Data and Kaspersky. Another 6 products received 5.5 points each. At the opposite end, with insufficient protection, were: ZoneAlarm Free Antivirus + Firewall, AhnLab, K7 Computing and Microsoft. What is the impact on PC performance?
Here, a single product scored 6 points: Webroot SecureAnywhere Complete 8.0, while BitDefender and Comodo scored 5.5 points. On the other hand, the weakest in this category were MicroWorld eScan Internet Security Suite 14.0 and ESET Smart Security. For false alarms and usability, 9 programs scored 6 points each. At the opposite end were Comodo and Webroot with 3.5 and 4 points respectively. Finally, the ranking of products for home users (top 3) looks like this: 1. BitDefender – 17.5; 2. Kaspersky – 16.5; 3. F-Secure, G Data, Qihoo – 15.5; 4. Avast Free, Comodo, Symantec Norton – 15. The leading position is held by BitDefender, which continues its dominance, this time just 0.5 points short of perfection. Worth noting is the result of Comodo Internet Security 6, which scores 6 out of a possible 6 points for protection and is improving in performance. Overall it achieves a result identical to Symantec Norton Internet Security, i.e. 15 points, and between the two there is a big difference: the price! It is the only free product on the market that achieves a maximum score for the protection offered to the user. Unfortunately it misses out on a top-3 spot because of false alarms, an area they still have to work on in the future. In recent months Comodo's rise has been surprising: from 10 points, to 12.5 and now 15. How much do you think it will score in the next test? McAfee and Trend Micro also gained 2 points compared to the last comparative test and are rapidly approaching the top 3, regaining users' trust. However, they too still have work to do on product performance and impact on system resources. For full details on each product and the results broken down by category and subcategory, visit the following link: AV-TEST - The Independent IT-Security Institute: May/Jun 2013 Source: FaraVirusi.Com
  19. The Australian Department of Defence has issued an official statement denying it banned the use of Lenovo computers over concerns they contained backdoor vulnerabilities. A report from the Australian Financial Review last weekend claimed that the ban applied to top secret networks run by the intelligence and defence services of the “Five Eyes” allies – US, UK, Australia, New Zealand and Canada. The report claimed to have obtained confirmation of a written ban by “multiple intelligence and defence sources” in the UK and Oz, and further added that an Australian Department of Defence spokesman confirmed that Lenovo kit had “never been accredited” for such networks. However, the DoD released the following short statement on its site today: That statement calls into question whether the other Five Eyes members ever had similar bans in place. GCHQ, MI5, MI6, the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, and the NSA were all named as observing the now-discredited ban. The original report had claimed that serious backdoor vulnerabilities in Lenovo hardware and firmware had been discovered in testing in the mid-2000s – vulnerabilities which could allow attackers to remotely access a device without the owner’s knowledge. For its part, Lenovo on Monday said it was surprised by the news as it has good working relationships with public and private sector clients around the world. “We have not received word of any sort of a restriction of sales so we are not in a position to respond to this question,” it added. Source: TheRegister.co.uk
  20. Nasa's cloud computing strategy came under fire from US authorities, with concerns raised about major security failings and a lack of communication and organisation. The report from the US Office of Inspector General (OIG) stated that Nasa's cloud services "failed to meet key IT security requirements". It went on to say that of five Nasa contracts for acquiring cloud services, "none came close to meeting recommended best practices for ensuring data security." Nasa currently spends $1.5bn annually on IT services, only $10m of which is based in the cloud. However, the agency itself predicts that 75 percent of its future IT programmes will be in the cloud, making the findings of the Office of the Inspector General even more of a cause for concern. The report went on, listing numerous problems with the way in which the agency failed to meet federal IT security requirements. "We found that the cloud service used to deliver internet content for more than 100 NASA internal and public-facing websites had been operating for more than two years without written authorisation or system security or contingency plans," it said. The audit also found that required annual tests of security controls had not been performed, which it said "could result in a serious disruption to Nasa operations". Nasa chief executive Larry Sweet joined the agency in June and seemingly has a mountain to climb to reorder his department's operations, with many decisions seemingly made with his predecessor completely in the dark. "Several Nasa Centers moved Agency systems and data into public clouds without the knowledge or consent of the Agency's Office of the Chief Information Officer," the report said. The report noted that Sweet agreed with the findings and, with the availability of funds, will work "to improve Nasa's IT governance and risk-management practices". Nasa has long been a supporter of cloud computing projects, lending its backing to the OpenStack open-source cloud project in 2010.
Source
  21. Mozilla has teamed up with BlackBerry to develop a tool which will allow researchers to better spot security vulnerabilities in web browsers. The companies said that the tool would provide an open framework which security researchers could use to perform “fuzzing” techniques. Such practices are often used to seek out the memory errors which attackers could target to trigger attacks such as denial of service and remote code execution incidents. By combining their efforts, the open-source browser firm and the mobile specialist hope to create a new set of open source security research tools which can be implemented to root out and report possible flaws in web browsers. “BlackBerry has long relied on large-scale automated testing to identify security issues across its platform. The collaboration with Mozilla plugs directly into BlackBerry’s existing security processes and infrastructure,” wrote Michael Coates, Mozilla director of security assurance. “BlackBerry regularly uses third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research, in order to identify and address potential security concerns across its portfolio of products and services.” Coates said that Mozilla would also be releasing an additional security testing tool known as Minion. The tool will look to streamline and reduce the time needed to test applications by automating and reducing the reporting process and limiting the amount of data which is returned to researchers. The company hopes that the tool will make the security research process more efficient. “The Minion testing platform takes a different approach to automated web security testing by focusing on correct and actionable results that don’t require a security professional to validate,” explained Coates.
“Many security tools generate excessive amounts of data, including incorrectly identified issues that require many hours of specialized research by a security professional.” Source: V3.co.uk
  22. IBM will get €21m in state aid from Romania's government for a €51.2m project in the country that's expected to create around 900 jobs. Big Blue is planning an IT consultancy project in Bucharest and Brasov, the Ministry of Finance told financial daily Ziarul Financiar (translated by Google Translate). The aid package is one of two going to tech firms this year, with the other going to IT outsourcing company Endava. The government hands out bags of cash to firms making large investments, providing they create new jobs in the country. IBM announced in 2011 that it would be opening up its eleventh centre of excellence in research, specialising in medical R&D, in Târgu Mureș in Romania. The centre would also be eligible for state aid but it was unclear if that centre was included in the €21m package announced, ZF said. The tech giant had not returned a request for comment at the time of publication. Source: TheRegister.co.uk Story in Romanian: IBM primeste ajutoare de stat de 21 milioane euro pentru un proiect care va genera 900 de locuri de munca - IT - HotNews.ro
  23. Microsoft is bringing more companies into its threat sharing program and loading potentially dangerous items into its Azure cloud, despite past problems with security leaks. The changes to the Microsoft Active Protections Program were announced by Redmond on Monday, and will see the company share critical security information with a wider pool of firms than before, while also spinning up a cloud service for profiling threats as they appear. MAPP was created in 2008 as a way for Microsoft to share vulnerability information with security vendors in advance of patches. With Monday's announcement, the program has been split into three tranches: MAPP for Security Vendors, which is the traditional MAPP service; MAPP for Responders, which sees Microsoft foster communication between itself and incident response and intrusion prevention organizations; and MAPP Scanner, which sees Redmond use its Azure cloud to evaluate potentially harmful files. Though MAPP has helped Microsoft share threat information with the wider technology industry, the program has had problems. Microsoft kicked Chinese MAPP partner firewall company Hangzhou DPTech out of the program in March 2012 after it was found to have been behind the leaks of a critical bug in Microsoft's Remote Desktop Protocol. MAPP for Responders will see Microsoft share threat intelligence rather than specific vulnerability information with security organizations such as response companies, CSIRTs, ISACs, and security vendors. The program will use the Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) specifications to share threat information. Along with broadening information sharing, Microsoft is also putting the Azure cloud to work via the MAPP Scanner program, which uses Redmond's servers to scan Office documents, PDF files, Flash movies, and URLs for potentially malicious content. The tool is already used internally by Microsoft to identify new attacks and methods.
The scanner works by spinning up VMs for every supported version of Windows, and opens the content in all supported versions of the appropriate application, then looks for signs of a threat. "MAPP Scanner can help find a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with a known vulnerability for deeper analysis," Jerry Bryant, a Microsoft senior security strategist, writes in a blog post explaining the technology. Redmond already has another Azure-based security service, via its Cyber-Threat Intelligence Program (C-TIP), which ingests and transmits data on infected Windows computers. Though the two systems share various characteristics, a Microsoft spokesman confirmed that they are run separately and indicated information is not shared between them. Microsoft's group manager for Response Communications, Dustin Childs, writes that the broadened MAPP schemes have been created to help Microsoft "eliminate entire classes of attacks by working closely with partners to build up defenses, making it increasingly difficult to target Microsoft’s platform." No mention was made in the report about whether MAPP information will or will not be shared with government organizations, such as the NSA. At the time of writing, Microsoft had not responded to multiple queries for further information about the number of MAPP partners and how threat information is being stored and transmitted within Azure. Source: TheRegister.co.uk
  24. Students from the University of Texas successfully piloted an $80m superyacht sailing 30 miles offshore in the Mediterranean Sea by overriding the ship's GPS signals without any alarms being raised. The team, led by assistant professor Todd Humphreys from UT Austin's department of aerospace engineering and engineering mechanics, took a GPS spoofing device the size of a briefcase up to the upper deck of the White Rose of Drachs, a 65 meter luxury yacht owned by British property magnate Michael Evans, while it was in international waters en route from Monaco to Rhodes, Greece. Having previously identified the location of the ship's two GPS receivers, the team then oriented the briefcase towards them and began broadcasting false GPS data at low power. By gradually increasing the strength of their signals they were able to overpower the aerials and spoof the on-board navigation systems. To turn the ship they then input a new signal indicating the ship was going off its logged-in course, which set off an alarm from the navigation computer telling the crew to change course. As far as the crew was concerned things were back on track, but the vessel was now heading off its original course. "With 90 percent of the world's freight moving across the seas and a great deal of the world's human transportation going across the skies, we have to gain a better understanding of the broader implications of GPS spoofing," Humphreys said. "I didn't know, until we performed this experiment, just how possible it is to spoof a marine vessel and how difficult it is to detect this attack. This experiment is applicable to other semi-autonomous vehicles, such as aircraft, which are now operated, in part, by autopilot systems." The experiment, which took place with the ship-owner's permission, is part of continuing research by the team into GPS spoofing.
Last year Humphreys demonstrated how the same spoofing technique could be used from 1km away against a GPS-guided drone to an audience from the US Department of Homeland Security at White Sands, New Mexico. The demonstration got a lot of attention, coming after the Iranians showed off a seemingly intact US bat-wing RQ-170 Sentinel drone, which it claimed had been hacked and hijacked by an army electronic warfare unit. These claims have been dismissed by experts, but fears of military hardware getting redirected or stolen are on the agenda, as well as being much-loved by screenwriters. Before the panic starts, it should be pointed out that the Texans are spoofing civilian GPS systems. Cracking encrypted military signals has never been demonstrated, although jamming them is possible, and redirecting cruise missiles in flight will remain in the fictional realm for the time being. In the case of the White Rose of Drachs hijacking, there's also little need for concern. The ship carries a crew of 18 and no captain relies solely on GPS. Any significant course deviation would most likely be noticed by those on watch during regular position checks. Nevertheless, the research by Humphreys and the UT Austin team is interesting. Spoofing equipment is increasingly easy to get hold of and while Humphreys claims to "own the world's most powerful civil GPS spoofer," that should come with the caveat "that I know about." Source: TheRegister.co.uk
  25. As part of the NSA's ongoing mission to research the finer arts of computer security, it funds and promotes a lot of academic research. And on July 18 it announced the winner of its first Science of Security (SoS) competition after a distinguished academic panel had considered 44 entries covering the latest academic output on the topic. The winner was Google security engineer Dr. Joseph Bonneau for his paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords", which was hailed by Dr. Patricia Muoio, chief of the NSA research directorate's trusted systems research group, as "an example of research that demonstrates a sound scientific approach to cybersecurity." But in a personal blog post the next day, Bonneau said that while he was honored by the award, he had "conflicted feelings" about accepting it in light of the NSA's conduct in industrial-scale snooping into private data, adding that he was "ashamed we've let our politicians sneak the country down this path." "In accepting the award," he said, "I don't condone the NSA's surveillance. Simply put, I don't think a free society is compatible with an organisation like the NSA in its current form." Since then, Bonneau has been speaking out on the issue on Twitter, and on Sunday set up an account on Reddit to take questions from all and sundry. He said that he fears the current focus on the extent of NSA activities will be swept under the carpet as a normal "scandal", a few people will be fired, and nothing else will change. The biggest problem is that there can't be reasoned debate on the topic, he said, because no one knows what's being collected, how long it is being stored for, and for what purposes it is used. The uncertainty is also hurting companies – like his employer – who were looking to expand cloud services but have their servers under US jurisdiction.
"We'll kill the golden goose if other countries think US corporations can't be trusted with their data due to the local government, particularly when the law provides virtually no protection from eavesdropping for foreigners' data held by US companies," Bonneau said. "Can we honestly tell people in other countries that they should trust all of their data with US companies?" Companies such as Google, Microsoft, and Facebook collect large amounts of data, he said, but such commercial systems are opt-in, unlike government surveillance. Companies also operate under the laws of the countries in which they operate, and he said that EU privacy laws were a good – if flawed – example of privacy oversight. Not all of Europe got praise, however. Bonneau said he was "very dismayed" about the UK government's recently announced plans for a default anti-porn censorship shield from ISPs. (Although some have told the government where they can stick their shield.) What's needed are public hearings, he suggested, with a root-and-branch pruning of the top NSA administration and their overseers, changes to the Foreign Intelligence Surveillance Court, and a proper independent review. If his going public moved the conversation 0.0001 per cent further, that's fantastic, he said. In the meantime, end-to-end encryption will at least protect the content of messages, if not the metadata around them. PGP is a good idea, he said, especially coupled with Tor anonymity. He also recommended CryptoCat and mobile apps from TextSecure/RedPhone or SilentCircle. When it comes to browsers, Bonneau recommends using Firefox or Chrome with HTTPS Everywhere downloaded. Steer clear of Internet Explorer, he suggests, because it is lagging in HTTPS support. As for passwords – Bonneau's area of expertise – he recommends not bothering with them for little-used websites. Simply bash 30 or so random characters into the password field and use a password reset if you want access at a later date.
For day-to-day sites use a standard password, and for important websites use a string of at least 12 random characters, and preferably phone authentication. Bonneau said he respected the NSA staff he had met, saying they were smart people who stuck by the rules set for them by their political masters, but that the current system isn't compatible with a civilized society and informed debate is needed. "It's very hard to predict which direction society will change, though history shows we often underestimate the scale of changes that are possible," he said. "One of my favorite books is King Leopold's Ghost, which describes conditions in the Congo Free State barely over 100 years ago. The human rights violations are unfathomable today, yet changing them at the time was a crazy idea." Source: TheRegister.co.uk