Windows 10’s Privacy Policy: the New Normal?

from the no-i-do-not-want-to-send-a-crash-report dept.

An anonymous reader writes:

The launch of Windows 10 brought a lot of users kicking and screaming to the “connected desktop.” Its benefits come with tradeoffs: “the online service providers can track which devices are making which requests, which devices are near which Wi-Fi networks, and feasibly might be able to track how devices move around. The service providers will all claim that the data is anonymized, and that no persistent tracking is performed… but it almost certainly could be.” There are non-trivial privacy concerns, particularly for default settings. 
According to Peter Bright, for better or worse this is the new normal for mainstream operating systems. We’re going to have to either get used to it, or get used to fighting with settings to turn it all off. “The days of mainstream operating systems that don’t integrate cloud services, that don’t exploit machine learning and big data, that don’t let developers know which features are used and what problems occur, are behind us, and they’re not coming back. This may cost us some amount of privacy, but we’ll tend to get something in return: software that can do more things and that works better.”

Posted by Soulskill 2 days ago

 

Advertisements

Trend Micro: Hackers Using Android App For Sextortion   

 

Researchers found that the extortionists first lure their victims through a number of online chatting tools   
Saturday, March 28, 2015:  Security software company Trend Micro has come up with a new finding in which they detected that criminals have developed advanced mobile applications and tools that siphon their victims’ online passwords and contacts to increase the chance that they will pay up.

In a latest report ‘sextortion in the far east’, Trend Micro’s researchers detailed a new Android app that criminals are using to pressure their victims into blackmail.

Sextortion is the act of coercing cybercrime victims to perform sexual favors or to pay large amounts of money in exchange for the non-exposure of their explicit images, videos, or conversations.

Cybercriminals lure, record, and threaten their victims online, which includes a mobile malware component. During their chat or Skype session, cybercriminals convince victims to install a data stealer or disguised Android malware that steals victim data off their device. Cybercriminals can then threaten their victims with the possibility of sending the explicit content to their victim’s contact list. The malware these cybercriminals used are persistent and exhibit various intrusive behaviors.

Researchers found that the extortionists first lure their victims through a number of online chatting tools. Once the trap is set, they feign audio or messaging problems to persuade their target to download one of four malicious Android apps. Using their email, social media and bank accounts, Trend Micro traced several of the Android app developers and their money go-betweens to China.

The company found evidence that the criminals opened different bank accounts for each extortion campaign, which typically, lasted for a few weeks. 

Sushma rani, EFYTIMES News Network 

New Evidence Strengthens NSA Ties To Equation Group Malware

from the tax-funded-hacks dept.
An anonymous reader writes:When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA’s Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. “Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike.”ORIGINAL ARTICLE 

Beware! Your Smart TV May Be Watching & Listening To Everything You Do & Say!

IMG_2595

YOUR SAMSUNG SMARTTV IS SPYING ON YOU

eWeek – Enterprise IT Technology News, Opnion and Reviews

Be careful, you may be watched!

With the advances in technologies, your own purchases may be used against you. Privacy advocates are up in arms!!

A Hybrid Approach: Rewriting the Rules for DDoS Defense

IMG_2574

The dilemma for organizations when implementing an effective DDoS defense is whether to deploy on-premises DDoS protection or subscribe to a cloud-based provider. These decisions are not taken lightly, as the threat landscape is wide ranging and increasingly sophisticated.

Organizations outlining their DDoS defense strategy typically begin by looking to out-of-band defenses and anti-DDoS scrubbing-lane approaches for re-routing traffic once an attack has been identified. This approach is a good first step for DDoS prevention; however, it’s only the tip of the iceberg. The recommendation from industry analysts is to execute a two-pronged approach, to include in-line, real time detection and attack mitigation as the primary means for DDoS defense, and cloud anti-DDoS for full pipe saturation attacks.

Here’s why: partial saturation attacks are becoming more commonplace. These DDoS attacks are large (relatively speaking), but only last for a short period of time, and they do not fully saturate the internet link. While these attacks can be devastating to unprotected downstream border defenses, hosted customers or internet-facing services, the motive is most often financial gain or stealing sensitive data. Additionally, these partial saturation events are not long enough in duration for attacks to be detected and re-routed quickly enough for cloud-based DDoS mitigation solutions to provide much, if any benefit.

When assessing DDoS defense strategies, the solutions aren’t like-for-like comparisons. However, there is a suggested approach to protect against the entire spectrum: hybrid on-premise and cloud DDoS mitigation. Let’s look at each of the components.

Cloud Anti-DDoS Solution

DDoS protection, provisioned as a service, is most often an on-demand option for large-scale attacks. Massive volumetric attacks occur when more traffic than the total bandwidth of a network link is sent, which no amount of hardware resources will effectively combat.

Human intervention is critical to an on-demand defense approach – once detected an analyst must then decide to enable the transition to the cloud. In a recent study nearly 50% cited customer complaints as their initial means of DDoS notification. The time from detection to mitigation could range to upwards of one hour with this approach. However, the majority of volumetric attacks last 30 minutes or less. By the time your on-demand defenses are engaged the damage is done.

With out-of-band cloud anti-DDoS, visibility and analysis begin only after the traffic has been re-routed to the scrubbing service, allowing for little if any insight into the attack, eliminating all analysis capabilities.

Some businesses that frequently experience these attacks subscribe to an always-on anti-DDoS cloud solution service. The costs associated with this are substantial. If frequent, massive volumetric DDoS attacks are the Achilles’ heel of your organization, it’s hard to put a price on uninterrupted service availability.

“If frequent, massive volumetric DDoS attacks are the Achilles’ heel of your organization”

On-Premises Real-Time Defense

Purpose-built DDoS defense solutions are deployed between the internet and the enterprise network. A first-line-of-defense approach prevents outages by inspecting traffic at line-rate and blocking attacks in real time while allowing approved traffic to flow. On-premises, real-time defence enables complete and sophisticated visibility into DDoS security events when deployed at the network edge. Additionally, archived security event data will enable forensic analysis of past threats and compliance reporting of security activity, acting as a strong advantage against attackers when DDoS is utilized as a distraction.

Given its nature, precise enforcement of mitigation policies against attack traffic must be accomplished without incurring false positives, with line-rate performance and maximum security efficacy. On-premises technology is designed to handle volumetric network-based attacks, reflective and amplified spoof attacks as well as application layer attacks.

A Possible Silver Bullet – The Hybrid Approach

In 2014 the SANS Institute reported: “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”

The concept of on-demand cloud defense for a pipe saturation attack coupled with always on, on-premises defense provides protection against the whole spectrum. Businesses that engage with their on-demand DDoS mitigation provider can quickly initiate that service based on visibility in the event of a massive volumetric attack. The main benefit of a hybrid approach is that the on-premises device heavily reduces the number of times an organization switches over to the cloud – lowering cost and providing comprehensive and consistent defense.

During the switchover, an on-premises solution would continue to provide the necessary protection for any threats not mitigated by the cloud. Continuous monitoring can show when your organization can return to normal operation and collaborative communication and sharing of information between you and your provider enables comprehensive visibility, enhancing the overall security performance of your network.

The implementation of an always-on solution combined with on-demand cloud defense provides businesses with a means of safeguarding against the vast scope of DDoS attacks posed to their networks. With DDoS attacks now being delivered in various sizes and with differing intentions, ensuring that the appropriate prevention best practices are utilized correctly could well be what saves your organization from falling victim to a major breach of information.

ORIGINAL ARTICLE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
About the Author

Dave Larson is CTO at Corero Network Security. He is responsible for directing the Corero technology strategy, bringing over 20 years’ experience in the network security, data communication and data center infrastructure industries. Most recently, he served as CTO for HP Networking and vice president of the HP Networking Advanced Technology Group. Prior to HP, Larson was vice president of Integrated Product Strategy for TippingPoint and has held senior roles with Tizor Systems, Sandburst Corporation and Xedia Corporation.

Justice Department: Default Encryption Has Created a ‘Zone of Lawlessness’

ORIGINAL ARTICLE

from the what-would-you-call-this-zone-that’s-allegedly-associated-with-danger? dept.
Jason Koebler writes:
Leslie Caldwell, an assistant attorney general at the Justice Department, said Tuesday that the department is “very concerned” by the Google’s and Apple’s decision to automatically encrypt all data on Android and iOS devices.

“We understand the value of encryption and the importance of security,” she said. “But we’re very concerned they not lead to the creation of what I would call a ‘zone of lawlessness,’ where there’s evidence that we could have lawful access through a court order that we’re prohibited from getting because of a company’s technological choices.

Posted by Soulskill 2 days ago

FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN

Law would allow law enforcement to search electronic data if target computer location has been hidden through Tor or VPN

2015/01/img_2530.jpg
Original Article

by NICOLE KARDELL | FEE | JANUARY 20, 2015

The FBI wants to search through your electronic life. You may think it’s a given that the government is in the business of collecting everyone’s personal data — Big Brother run amok in defiance of the Constitution. But under the limits of the Fourth Amendment, nothing it finds can be used to prosecute its targets. Now the FBI is taking steps to carry out broad searches and data collection under the color of authority, making all of us more vulnerable to “fishing expeditions.”

The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant.

It’s called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court’s jurisdiction.

The change may sound like a technical tweak, but it is a big leap from current procedure. As it stands, Rule 41(b) only allows (with few exceptions) a court to issue a warrant for people or property within that court’s district. The federal rules impose this location limitation — along with requirements that the agent specifically identify the person and place to be searched, find probable cause, and meet other limiting factors — to reduce the impact an investigation could have on people’s right to privacy. Now the FBI is asking for the authority to hack into and search devices without identifying any of the essential whos, whats, wheres, or whys — giving the FBI the authority to search your computer, tablet, or smartphone even if you are in no way suspected of a crime.

All you have to do is cross the FBI’s virtual path. For instance, the proposed amendment would mean that agents could use tactics like creating online “watering holes” to attract their targets. Anyone who clicked on law enforcement’s false-front website would download the government malware and expose their electronic device to an agent’s search (and also expose the device to follow-on hackers). One obvious target for this strategy is any forum that attracts government skeptics and dissenters — FEE.org, for example. Such tactics could inadvertently impact thousands of people who aren’t investigation targets.

This sort of sweeping authority is in obvious conflict with the Constitution. The Fourth Amendment makes it clear that the government cannot legally search your house or your personal effects, including your electronic devices, without (1) probable cause of a suspected crime (2) defined in a legal document (generally, a search warrant issued by a judge) (3) that specifically identifies what is to be searched and what is to be seized.

The FBI is not the first government agency to find itself challenged by the plain language of the Fourth Amendment. Past overreach has required judges and Congress to clarify what constitutes a legal search and seizure in particular contexts. In the 1960s, when electronic eavesdropping (via wiretaps and bugs) came about, Congress established the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Act). The law addressed concerns about these new surreptitious and invasive investigative tactics and provided several strictures on legal searches via wiretap or bug. Since covert investigative tools can be hard to detect, it was important to institute more rigorous standards to keep agents in line.

The same concerns that Congress addressed in the 1960s are present today, but they take on far greater significance. With our growing reliance on electronic devices to communicate with others, to transact business, to shop, travel, date, and store the details of our private lives, these devices are becoming our most important personal effects. The ability of government actors to enter our digital space and search our electronic data is a major privacy concern that must be checked by Fourth Amendment standards. As the Supreme Court recently pronounced in Riley v. California, the search of a modern electronic device such as a smartphone or computer is more intrusive to privacy than even “the most exhaustive search of a house.”

What seems most troubling, though, is that the FBI is attempting to override the Fourth Amendment, along with the body of law developed over the years to reign in surveillance powers, through a relatively obscure forum. Instead of seeking congressional authority or judicial clarification, it has sought a major power grab through a procedural rule tweak — a tweak that would do away with jurisdictional limitations and specificity requirements, among other important checks on law enforcement. The request seems objectively — and constitutionally — offensive.