12 November 2013

NSA Hacked Search Engines’ Datacenters

The press has recently run a chilling story about the NSA hacking into the Google and Yahoo data centers. According to NSA documents seen by the reporters, the National Security Agency carried out “full take”, “bulk access” and “high volume” operations on both Yahoo and Google networks.

Such large-scale harvesting of online data would be illegal in the US, but it looks like the operations took place overseas, where the spooks were allowed to presume that anyone using a foreign data link is a foreigner.

An ex-NSA chief analyst admitted that the agency has platoons of lawyers, whose task is to figure out how to stay within the law while maximizing data collection by exploiting every loophole.

The search giants maintain fortress-like data centers across 4 continents, connected with thousands of miles of fiber-optic cable. For instance, Yahoo’s internal network transmits entire e-mail archives from one data center to another, and that is when the agency could pounce.

Security experts point out that tapping the Google and Yahoo clouds would allow the National Security Agency to intercept communications and view the content at its leisure. NSA agents would have had to circumvent gold-standard security to get at the information inside the data centers themselves; the weak point, however, might have been some of the premium data links between them that Google and Yahoo have been buying or leasing.

According to insiders, the companies had reason to believe that their private, internal networks were safe from prying eyes, but apparently they were not.

31 October 2013

Microsoft Paid $100,000 for Finding Bug in Windows 8.1

The software giant has paid $100,000 to the UK researcher James Forshaw, who found a critical security flaw in Microsoft’s upcoming Windows 8.1 OS.

Forshaw, a researcher for the security company, found a “mitigation bypass”: a technique that circumvents the operating system’s built-in exploit protections, which could have allowed intruders access to the system.

Microsoft said it couldn’t provide any details of the mitigation bypass technique until it found a way to address it. However, the software giant promised to strengthen platform-wide mitigations and make it harder to exploit vulnerabilities in all software that runs on the Windows platform, not only its own apps.

The researcher admitted it had taken him 25 days to find the bug, responding to “a very specific brief” from the software giant. Forshaw originally came up with the winning idea sitting at home and pondering what he could do. A $100,000 bounty is a lot of money, but James Forshaw said that he wasn’t talking retirement money there. Indeed, when it comes to security flaw bounties like Microsoft’s, most of it goes to the researcher’s company. Even if it didn’t, after taxes it is not a life-changing amount.

The researcher admitted that using outside experts was just part of the process, given the scale of the task involved. The software giant has a huge security department which actively looks for software bugs in its products, but it may simply be a problem of being too close to the product – you cannot see the wood for the trees. Forshaw recommends stepping back and looking at the entire product and its interactions in order to find the higher-level flaws.

It seems that outsourcing is also important from a monetary point of view. The company couldn’t dedicate enough in-house resources to find everything, and it is cheaper to pay external researchers bounties like this one. Apparently, there is only a finite pool of talented people who are able to find vulnerabilities in software products.

One can argue that the bugs and vulnerabilities should not exist in the first place, but everyone knows that humans are fallible and nobody can write perfect code.

Silk Road Founder Will Face Charges in New York

A federal judge ordered a California man accused of operating an Internet drug marketplace dubbed Silk Road to go to New York to face charges. The order came during a brief court hearing in San Francisco. Federal authorities in New York have charged Ross Ulbricht, the site operator, with three felonies related to the operation of the service. Ulbricht's attorney has denied all charges.

Silk Road became known a couple of years ago as a black market bazaar where users could trade drugs for BitCoins, a form of online cash. The “hidden” site used the Tor network to mask the location of its servers. Thus far, the site operator has agreed to remain in custody. The police have said he ran the service under various aliases, including “Dread Pirate Roberts”. However, his attorney denied this.

Silk Road became so popular because, while other services were selling drugs more or less openly, Silk Road was technically sophisticated, had a user-friendly system and promised near-total anonymity. The authorities closed down the website when they arrested Ulbricht at a small library in San Francisco while he chatted online with a “co-operating witness”.

In addition, Ulbricht is also charged in Baltimore federal court with soliciting the murder of a former employee, who had been arrested on drug charges. It is suggested that Ulbricht feared the victim would turn on him. The police claimed that Ulbricht unwittingly hired an undercover agent for the murder, which the authorities staged and which never took place.

Meanwhile, prosecutors in New York have charged the site operator with trying unsuccessfully to solicit the murder of a Canadian citizen who allegedly hacked into Silk Road, obtained dealers’ names and started blackmailing Ulbricht.

It turned out that FBI agents had penetrated the behind-the-scenes operations of the website and obtained a list of its users and sellers. In the following days, police in Britain, Sweden and the US arrested 8 people charged with using the service for selling drugs. For example, in Washington state, a couple was arrested on charges of selling cocaine, heroin and methamphetamine via Silk Road. The UK authorities indicated more arrests were on the way. The FBI claimed that it had a copy of the contents of the website’s server, which could provide international authorities with detailed data about the website’s dealers.

Apparently, months’ worth of sales history is currently in law enforcement hands. As a result, the traceable nature of BitCoin transfers can allow the FBI to easily follow the money.

British Mobile Services Providers Face Fee Hike

According to media reports, British mobile network operators may face a 4-fold increase in the license fees they pay to rent radio spectrum. The plans were revealed by Ofcom.

The watchdog confirmed that the new fees were in line with what other states charged. Moreover, the regulator believed that the UK operators had been getting off lightly for a long time. The United Kingdom raised a less-than-expected £2.34 billion in its 4G spectrum auction for airwaves to carry high-speed mobile broadband traffic, so it seems that Ofcom is looking to make up the shortfall.

The largest providers, Vodafone, Telefonica’s O2, EE and H3G, pay around £64.5 million altogether for using the 900 megahertz and 1800 megahertz spectrum bands. It was estimated that the changes would result in a £309 million increase.

According to Ofcom, spectrum is a valuable and finite national resource, and that is why charging for it should incentivize the optimal use of frequencies. In the meantime, the telcos can blame the UK government for the rent hike. Apparently, the government asked the watchdog to recalculate the fees to reflect “full market value”, and the watchdog said the new rules were expected to take effect in 2014 after a consultation period ending in December.

The mobile companies are still reviewing the proposal, but Vodafone has already expressed its discontent after Ofcom proposed a 430% increase in its fees. It believes the regulator should instead be encouraging private sector investment in infrastructure and new services – for example, 4G.

29 October 2013

2 Million Chinese Officers Police the Internet

Chinese state media claimed that the authorities employ 2 million people to operate and monitor the country’s infamous “Great Firewall”. The reports reveal that most of the employees perform keyword searches and check the millions of messages posted every day.

This huge number of employees shows just how low-tech and labor-intensive the operation is. However, even with a workforce that large, the employees are still unable to prevent comments the government considers undesirable from being published and reposted.

The “Internet Police” are hired by the propaganda arm of the Chinese government and by a number of commercial websites. The country accounts for over 500 million Internet users, which makes China the largest online population in the world.

If a western country wanted to carry out a similar operation, it would have its work cut out to justify it. For example, UK industry observers estimated that if David Cameron wanted to set up a “Great Firewall of Britain” he would have to hire almost 210,000 people to run it. Given that British labor is much more expensive than Chinese labor, it might make sense to consider outsourcing such an operation to China.

Samsung Is a Top Advertiser with Ukrainian Pirates

The Korean tech giant has been outed as one of the major advertisers on Ukraine’s largest file-sharing websites. The entertainment industry has launched an initiative dubbed “Clear Sky” in Ukraine, focused on naming and shaming the advertising antics of such giants as Samsung, Nokia, Canon, Carlsberg and even Coca Cola.

The initiative sees the funding of peer-to-peer websites by major international brands as a core problem. After Ukraine was labeled by the United States as one of the top piracy havens worldwide, the anti-piracy groups decided to “counter this image” and established Clear Sky.

Apparently, the task of the coalition is to find ways to fight Internet piracy. First of all, it is going to name and shame global companies who advertise with pirates. The two largest local portals, Ex.ua and FS.ua, account for millions of visitors weekly and generate a healthy revenue stream via adverts, which are partly paid for by multinational corporations.

Indeed, it turned out that almost 10% of all advertisements on those file-sharing services are financed by famous international brands, and almost half of those adverts belong to Samsung. The report revealed that a big chunk of the company’s advertising budget in Ukraine goes to those file-sharing services. At the same time, industry observers found that both services carry rather few adverts.

Russia to Mount Spy Fest for Winter Olympics

It seems it is not enough for the Russian government to make its Winter Olympics a forbidden zone for gay people – in addition, the local authorities are ready to mount a spy fest. Media reports emerged that the Black Sea resort of Sochi has been wired to allow the Russian equivalent of the FBI (the Federal Security Service, or FSB) to log all visitor communications.

Apparently, any sportsmen and spectators attending the Winter Olympics 2014 in Sochi next February will have to deal with invasive and systematic surveillance. The report, prepared by a team of Russian journalists investigating the preparations for the Games, revealed tenders from local communication firms describing a phone and online spying capability not seen before.

This move could enable the FSB to intercept any telephone or data traffic and even track the use of key words or phrases mentioned in emails, chats and on social media. The reporters claimed that major amendments have been made to phone and Wi-Fi networks in the Black Sea resort in order to ensure monitoring and filtering of all traffic.

The spies are using Sorm, a Russian technology for intercepting telephone and Internet communications, which is being modernized throughout the country, but the most attention has been paid to Sochi given the enormous number of foreign visitors expected in 2014.

The system will allow deep packet inspection to filter people by keywords. The Russian government has already threatened gay sportsmen and spectators with arrest if they attend the games and protest, so apparently this is how they are going to find out.

The researchers insist that the FSB has been working for three years to upgrade the Sorm system to ensure it can digest the extra traffic during the Olympics. The law requires all telephone and Internet service providers to install Sorm boxes in their networks. Once the equipment is in place, the FSB is able to access information without the provider ever knowing.

In the meantime, the Russian authorities claimed that the London Olympics featured far more intrusive measures – for example, the UK installed CCTV cameras in the toilets, something Russia wouldn’t do.

27 October 2013

Facebook Will Build Its Kingdom

The social network is considering building its own town so its employees never have to leave work. The campus in Menlo Park will include a $120 million, 394-unit housing community within walking distance of its offices. Dubbed Anton Menlo, the 630,000 square-foot rental property is supposed to include a sports bar and a day care for pet dogs.

Media reports admit that the move towards a 24-hour work lifestyle is new, even for Silicon Valley. The social network insists that employee retention is not a major factor in the plan; instead, it says, the point is simply to offer more housing options closer to campus. Facebook believes that people will want to live there because they believe in the company’s mission.

The sources revealed that there will be many amenities on the site, including cafes, a store, a sports pub, a bike repair shop with onsite storage, a pool, spas and gyms. The move may fix some of the company’s accommodation problems for workers. Indeed, a housing shortage is reported in Menlo Park, and some employees couldn’t find places to stay near the corporate campus.

In the meantime, industry experts point out that in many ways the move is turning the clock back. America had its “company towns” at the turn of the 20th century: US factory workers lived in communities owned by their employer, which provided housing, health care, law enforcement, a church and just about every other service necessary. The drawback is that your life becomes the company, and this is why the 20th century company towns died out.

This move means that employees will always be working. Only 10% of Facebook’s employees will be housed on-site. Apparently, there will not be too many families. The housing will go for market rates, with some being set aside for low-income staff.

Web Freedom Doomed

A recent report by the advocacy group Freedom House has taken a look at Internet trends in 60 countries. It found that despite pushback from activists, which successfully blocked some repressive laws, web freedom still plummeted in 2012.

In 35 of those 60 countries, governments had expanded their legal and technical powers to spy through the web. The global decline in web freedom in 2012 was driven by broad surveillance, new legislation controlling Internet content and growing numbers of arrests of social media users. Iceland has the most web freedom, while China, Cuba and Iran have the least.

In the meantime, declines in Internet freedom were led by 3 democracies: Brazil, India and the US. Apparently, the revelations by Edward Snowden demonstrated that online freedom in the United States was eroding extremely fast. Even so, the United States still made it to 4th in Freedom House’s list.

A number of the governments have acted against the worldwide web because social media was exploited to arrange national protests. Since 2012, two dozen countries have adopted some kind of legislation restricting web freedom. For instance, Bangladesh imposed a 14-year prison sentence on a group of bloggers who wrote posts critical of Islam. Bahrain has also arrested ten people for “insulting the king on Twitter”, while Morocco jailed a teenager for 18 months for “attacking the nation’s sacred values” via a Facebook post which also ridiculed the king. Finally, a woman in India was arrested for just “liking” a friend’s Facebook status.

According to Sanja Kelly, project director for Freedom on the Net at Freedom House, blocking and filtering are still the favorite methods of censorship in many countries, though governments are increasingly looking at who is saying what on the Internet and finding ways to punish them. According to the report, laws restricting Internet freedom are still sometimes blocked by a combination of pressure from advocates, lawyers, businesses, politicians and the international community. However, this is the 3rd consecutive year in which web freedom has declined.

Security Agencies Target Tor Network

The NSA has repeatedly tried to attack people using Tor, a popular tool for protecting Internet anonymity. This is despite the fact that the software is primarily funded and promoted by the government of the United States itself.

According to secret NSA files, disclosed by Edward Snowden, the agency successfully identified Tor users and then attacked vulnerable software on their machines. One NSA technique targeted the Firefox Internet browser used with Tor and gave the agency full control over targets’ computers, including access to files, all keystrokes and all Internet activity. However, the files suggest that the fundamental security of the anonymity service remains intact.

Tor (The Onion Router) is an open-source public project which redirects its users’ traffic via other computers, called “relays” or “nodes”, in order to keep it anonymous and avoid filtering tools. Journalists, activists and campaigners in America, Europe, China, Iran and Syria rely on the Tor network to maintain the privacy of their communications and avoid reprisals from the authorities. The network currently receives around 60% of its funding from the American government, primarily the State Department and the Department of Defense.
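To make concrete what “redirecting traffic via relays” does and does not protect, here is a toy onion-routing walkthrough. It is an added example written for this page, not Tor’s own code or protocol: the relay names, the HMAC-based toy stream cipher, and the “NEXT|”/“EXIT|” header layout are constructed assumptions for illustration (real Tor negotiates AES keys with each relay through a handshake and uses fixed-size cells). The client wraps its request in one encryption layer per relay; each relay peels only its own layer and learns just the previous and next hop, and only the exit sees the payload.

```python
"""Toy onion-routing walkthrough (constructed example, not Tor's protocol)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Toy stream cipher keystream: HMAC-SHA256 in counter mode.

    Constructed for illustration only. Tor derives per-hop AES keys from a
    Diffie-Hellman handshake with each relay; this toy cipher is not that.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key, plaintext):
    """Fresh random nonce per layer, XOR with the keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def toy_decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(route, keys, payload):
    """Client side: wrap the payload in one layer per relay, innermost for the exit.

    Each layer carries only the name of the next hop, so a relay that peels its
    own layer learns where to forward the rest and nothing else.
    """
    layer = toy_encrypt(keys[route[-1]], b"EXIT|" + payload)
    for i in range(len(route) - 2, -1, -1):
        header = b"NEXT|" + route[i + 1].encode() + b"|"
        layer = toy_encrypt(keys[route[i]], header + layer)
    return layer


def relay_peel(key, blob):
    """Relay side: strip one layer.

    Returns (next_hop, bytes_to_forward); next_hop is None at the exit, where
    the remaining bytes are the plaintext payload. A wrong key yields garbage
    that fails the header check.
    """
    inner = toy_decrypt(key, blob)
    kind, rest = inner.split(b"|", 1)
    if kind == b"EXIT":
        return None, rest
    if kind == b"NEXT":
        next_hop, forwarded = rest.split(b"|", 1)
        return next_hop.decode(), forwarded
    raise ValueError("malformed layer (wrong key or corrupted cell)")


def run_circuit(route, keys, payload):
    """Simulate the circuit hop by hop and record what each relay could observe."""
    blob = build_onion(route, keys, payload)
    observed = {}
    for i, name in enumerate(route):
        next_hop, forwarded = relay_peel(keys[name], blob)
        observed[name] = {
            "previous_hop": route[i - 1] if i > 0 else "client",
            "next_hop": next_hop,
            "sees_payload": payload in forwarded,
        }
        blob = forwarded
    return blob, observed


def demo():
    """Constructed sample circuit: three relays with independent random keys."""
    route = ["guard", "middle", "exit"]
    keys = {name: secrets.token_bytes(32) for name in route}
    payload = b"GET / HTTP/1.0"
    return run_circuit(route, keys, payload)


if __name__ == "__main__":
    delivered, observed = demo()
    print("delivered to destination:", delivered)
    for name, view in observed.items():
        print(f"{name}: {view}")
```

Running `demo()` shows the guard learning only “client” and “middle”, the middle relay learning only “guard” and “exit”, and the exit alone seeing the request. The same walkthrough explains why the attacks described in the leaked files went after the browser rather than the network: the client endpoint holds every layer key and the plaintext, so compromising the software there yields everything without touching the relays.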

Despite the importance of the network to dissidents and human rights groups, the National Security Agency and its British counterpart GCHQ have devoted their efforts to attacking Tor. They claim that the service is also used by people engaged in terrorism, trade of child abuse images, and virtual drug dealing.

While it seems that the agency hasn’t compromised the core security of the Tor software or network, the leaked files detail proof-of-concept attacks, including some relying on the large-scale Internet surveillance systems used by the NSA and GCHQ via Internet cable taps.

Foremost among the concerns is whether the agency has acted against users in the United States when attacking the network. The issue is that one of the functions of the anonymity service is to hide the country of all of its users, which means that any attack could be hitting members of Tor’s American user base.

A less complex attack against the network was also disclosed in July 2013, with its details leading to speculation that it had been built by the FBI or another American agency. While at the time the FBI refused to admit it was behind the attack, it subsequently claimed in a hearing in an Irish court that the agency did operate malware to target an alleged host of child abuse pictures, with the attack also hitting the Tor network.