Monthly Archives: March 2014

NSA SPYING: New report claims VPNs infiltrated too

Posted on by

The latest report on the National Security Agency's spying capabilities revealed even more sobering details about the government's ability to pry into private communications, including VPNs.

First it was the phone records, and then it was Internet usage. Later, it came to light that the NSA has even used Angry Birds apps to track locations. These days, it seems like keeping track of the things the NSA isn't monitoring might make for a shorter list -- especially since new reports are adding even more items.

"They're sending out e-mails. They're looking for you to click on links. They're posing as Facebook," Matthew Willis, of computer forensic services, told Fox 9 News.

There is no shortage of hackers online, but many people may be surprised to learn that one of the most sophisticated threats siphoning data from computers across the globe is the NSA.

"They want to monitor everything they possibly can, and if there's something that's not on that list, they'll eventually get to it," Willis said.

According to newly-released documents from NSA whistleblower Edward Snowden, the NSA has been using a program code-named "Turbine" to infect computers using the same type of code cyber-crooks do.

"They're taking all that data and they're moving it off to their own servers," Willis said.

Fox 9 News will not show the leaked documents because they are classified as top secret, but Willis -- who worked for the NSA -- claims that "weaponized" malware has been used by the government as far back as the Gulf War.

As a cyber security expert, Willis admits he is even more surprised by the evidence that the NSA has been hacking into virtual private networks, which are the backbone of corporate Internet security.

"Clearly, VPN monitoring, I think, is the most interesting new revelation," Willis said.

Excerpt from:
NSA SPYING: New report claims VPNs infiltrated too

Xtra users thought encryption calls a scam

Posted on by

Telecom's Xtra customers may face another week of chaos.

Tens of thousands of Xtra users who use email clients such like Microsoft Outlook and Android will find it impossible to send or receive emails from Monday, until they change security settings on their accounts.

Telecom has been contacting Xtra customers by phone and email over the past month, asking them to implement SSL (secure socket layer) encryption on their devices.

However, it appears some Xtra users believed the calls from Telecom were a scam.

About a third of Xtra users access emails using programmes such as Outlook, rather than webmail.

Telecom retail boss Chris Quin said there was "still a way to go" to persuade them all to make the settings change.

Telecom had decided to block customers' access to Xtra from late Monday if they hadn't made the change. Its customers didn't want the company to "muck around" with their online security, Quin said.

Spokeswoman Lucy Fullarton said all Xtra users would still be able to send and receive email through webmail. Email clients would be unblocked as soon as customers implemented SSL encryption.

Telecom outsourced Xtra to Yahoo in 2007 and more than 100,000 accounts have been compromised and hijacked in a series of cyber attacks over the past two years.

Yahoo has so far failed to explain the cause.

Read the original post:
Xtra users thought encryption calls a scam

Why Client-Side Encryption Is Critical For Cloud Privacy

Posted on by

Why Client-Side Encryption Is Critical For Cloud Privacy Posted by Rick Harvey March 12, 2014

The old tale "The Emperors New Clothes" can be applied to the current state of cloud security. Like the gullible emperor, people rely on cloud services to live their online lives and are too trusting in what companies try to sell. Big cloud companies often market fancy-sounding security and encryption features -- like the invisible fabric the emperor could not see but was made to believe was there.

These cloud providers tout the most secure or NSA-proof services, but leave out the most vital detail: encryption is only one thread in the security and privacy fabric. The only way to close the loop on data privacy is to take a look at where keys are stored.

One cloud storage provider touts its server-side encryption as freeing customers from the hassle and risk of managing their own encryption and decryption keys. In reality, this leaves the users information vulnerable to snoops. When you arent managing your own keys, you dont have control over your data.

Essentially, letting a company manage your encryption keys is handing over your protection, or clothes, like the emperor wearing the invisible wardrobe. Your data is left vulnerable to outside attacks and elements because the server or company dictates what happens to your data.

Today, many cloud service providers deliberately provide server-side security to maintain control. But server-side security requires trying to defend everywhere user data is stored: every disk, every server, every link, every router, and every database. Security is only as good as the weakest link, so it only takes one tiny mistake, vulnerability or mishandling for there to be a data breach; the Snapchat hack earlier this year is an example of what can happen.

This focus on infrastructure security is fundamentally weak. Pieces of security dont add up to overall security. Individual bits might be strong (e.g., SSL for links, disk encryption for storage), but the space between the bits might be vulnerable (i.e., data coming off links or off disks is unencrypted). Hackers dont attack individual components; instead, they attack tiny vulnerabilities between components, processes, or human control.

For cloud users to control everything client-side, they must make a paradigm shift from infrastructure protection to data-centric protection (where the encryption keys are held client-side rather than server-side). Client-side encryption is just like putting data in a tamper-proof box: The contents will remain protected regardless of who handles it, how the box is transported or where it is stored. The data is protected anywhere, everywhere and remains individually encrypted until the user with the key unlocks it.

[Read about an industry effort to develop a framework that provides secure connectivity from any device to cloud applications in "Cloud Security Alliance Launches Secure Network Effort."]

Client-side cryptography allows users to protect their own data with individual, per-file encryption and protect access to that data with user-controlled keys. Note that the encryption, decryption and key management are all done on the end users computer or device, meaning the data in the cloud only exists in its encrypted state. This level of encryptions makes the data safe from all the usual cloud risks, including hacking, rogue administrators, accidents, complicit service providers, and snooping governments.

See original here:
Why Client-Side Encryption Is Critical For Cloud Privacy

Julian Assange Labels NSA As A ‘Rogue Agency’ During SXSW Speech

Posted on by

March 10, 2014

redOrbit Staff & Wire Reports Your Universe Online

Speaking via Skype to the attendees of the SXSW conference in Austin, Texas on Saturday, Wikileaks founder Julian Assange said that the US National Security Agency (NSA) had become a rogue agency and hinted that his document-sharing website could soon be publishing additional unidentified documents.

Assange, who has been confined to the Ecuadorian embassy in London since June 2012, said that a grassroots effort would be the catalyst in rolling back the powers of the NSA and similar governmental surveillance agencies.

We have to do something about it. All of us have to do something about it, he said during an hour-long interview at the conferences, reports Stuart Dredge of The Guardian. How can individuals do something about it? Well, weve got no choice.

Assange also ripped President Barack Obama for his administrations lack of response to the revelations of NSA whistleblower Edward Snowden, who is scheduled to participate in a remote teleconference on Monday.

We know what happens when the government is serious, he said, according to a report by the Associated Press (AP). Someone is fired, someone is forced to resign, someone is prosecuted, an investigation (is launched), a budget is cut. None of that has happened in the last eight months since the Edward Snowden revelations.

CNNs Doug Gross also noted that Assange said the NSA would be able to fire back politically against the American president if he ever came after them. Assange said that the agency would come up with all of this dirt (on Obama) and that a criminal act would come to light if the president ever attempted to disband the agency.

As for Snowden and other reporters and activists who have traveled internationally in order to continue their whistleblowing and national security reporting efforts, Assange referred to them as a new kind of refugee, according to Russell Brandom of The Verge. He went on to single out the work of Glenn Greenwald (who has reported extensively on Snowdens allegations), Laura Poitras, Wikileaks own Sarah Harrison, and Tor researcher Jacob Appelbaum.

Assange, who was granted asylum by Ecuador and remains in their embassy in order to avoid extradition to Sweden on charges of rape and molestation, called the continued ability of those individuals to continue their work a positive phenomenon that is part of an expanding political awareness spurred on by the Internet. Just a few years ago, he said, the online community was a politically apathetic space, but that culture has rapidly changed.

Read the rest here:
Julian Assange Labels NSA As A 'Rogue Agency' During SXSW Speech