TrueCrypt doesn’t contain NSA backdoors

A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group for Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised.

via TrueCrypt doesn’t contain NSA backdoors.

Blackphone 2 caters to the enterprise, the security-minded and the paranoid

Silent Circle is all about security, but security is about more than just a phone that features encryption. There is an entire ecosystem in place starting with the secure PrivatOS 1.1. The latest upgrade to the operating system introduces a feature called Spaces which allows for OS-level virtualization and the ability to keep work and personal apps and data completely separate from each other. These features are also due to roll out to first generation Blackphones through an upcoming update.

via Blackphone 2 caters to the enterprise, the security-minded and the paranoid.

The importance of deleting old stuff—another lesson from the Sony attack

Saving data, especially e-mail and informal chats, is a liability.

It’s also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.

via The importance of deleting old stuff—another lesson from the Sony attack | Ars Technica.

Why aren’t we using SSH for everything?

A few weeks ago, I wrote ssh-chat.

The idea is simple: You open your terminal and type,

$ ssh chat.shazow.net

Unlike many others, you might stop yourself before typing “ls” and notice — that’s no shell, it’s a chat room!

via Why aren’t we using SSH for everything? — Medium.

I was just thinking about how useful and simple ssh is for doing end-to-end encryption for various services before being notified of this post. On a Linux box you can ssh -X remotehost and bring up any X-windowed app from a terminal command. Very simple. Very useful. Very secure. For copying files there’s the scp command. And one final shout out to the sshfs command for mounting remote filesystems.

Inside the NSA’s War on Internet Security

The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.

via Inside the NSA’s War on Internet Security – SPIEGEL ONLINE.

The Evidence That North Korea Hacked Sony Is Flimsy

Attribution Is Difficult If Not Impossible

First off, we have to say that attribution in breaches is difficult. Assertions about who is behind any attack should be treated with a hefty dose of skepticism. Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.

Nation-state attacks often can be distinguished by their level of sophistication and modus operandi, but attribution is no less difficult. It’s easy for attackers to plant false flags that point to North Korea or another nation as the culprit.

via The Evidence That North Korea Hacked Sony Is Flimsy | WIRED.

A list of previous Sony Hacks here.

Sony Hackers ‘Completely Owned This Company’

“It’s really a phenomenally awesome hack—they completely owned this company,” Schneier, who is regularly consulted by the federal government on security issues, said. “But, I think this is just a regular hack. All the talk, it’s hyperbole and a joke. They’re [threatening violence] because it’s fun for them—why the hell not? They’re doing it because they actually hit Sony, because they’re acting like they’re 12, they’re doing it for the lulz, no one knows why.”

via Bruce Schneier: Sony Hackers ‘Completely Owned This Company’ | Motherboard.

Unless you know how infiltrators got into Sony’s system there is no way of figuring out who is behind the hack. So far details of this have been lacking and, as far as potential culprits targeting Sony go, North Korea is probably least capable from an education standpoint and logistics. Social engineering, getting people inside Sony to cooperate, is usually behind successful infiltrations. Sony’s Playstation network was taken down a while ago. I suspect whoever did that is probably behind this, despite what movie is about to be released soon.

Notes on the Celebrity Data Theft

After this story broke I spent some time immersed in the crazy, obsessive subculture of celebrity nudes and revenge porn trying to work out what they were doing, how they were doing it and what could be learned from it.

1. What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).

via New Web Order > Nik Cubrilovic – – » Notes on the Celebrity Data Theft.

Why would Chinese hackers want hospital patient data?

people without health insurance can potentially get treatment by using medical data of one of the hacking victims. Halamka, who also runs the “Life as a healthcare CIO” blog, said a medical record can be worth between US$50 and $250 to the right customer — many times more than the amount typically paid for a credit card number, or the cents paid for a user name and password.

via Why would Chinese hackers want hospital patient data? | ITworld.

Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

via Schneier on Security: Over a Billion Passwords Stolen?.

From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts

These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

Overall, Krebs trusts some researcher who claims to have seen this data firsthand. According to Krebs:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years.

and

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.