With crypto in UK crosshairs, secret US report says it’s vital

As UK Prime Minister David Cameron forges ahead with a campaign pledge to ban encrypted messaging apps unless his government is given backdoors, that country's Guardian newspaper has aired a secret US report warning that government and private computers were at risk because cryptographic protections aren't being implemented fast enough.

The 2009 document, from the US National Intelligence Council, said encryption was the "best defense" for protecting private data, according to an article published Thursday by the newspaper. Airing of the five-year forecast came the same day Cameron embarked on a US trip to convince President Obama to place pressure on Apple, Google, and Facebook to curtail their rollout of stronger encryption technologies in e-mail and messaging communications. According to Thursday's report:

Part of the cache given to the Guardian by Snowden, the paper was published in 2009 and gives a five-year forecast on the “global cyber threat to the US information infrastructure”. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency’s staff through its intranet.

One of the biggest issues in protecting businesses and citizens from espionage, sabotage and crime – hacking attacks are estimated to cost the global economy up to $400bn a year – was a clear imbalance between the development of offensive versus defensive capabilities, “due to the slower than expected adoption … of encryption and other technologies”, it said.

An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA.

The report warned: “Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems.”

Cameron's campaign against encryption comes as the rest of the world has stepped up cryptographic protections. Both Apple and Google have added disk encryption by default to their iPhone and Android smartphone platforms, and a growing number of companies are ensuring that links connecting data centers use strong encryption so that traffic can't be read by the National Security Agency or its UK counterpart, the Government Communications Headquarters. Even before the Guardian report, it was hard to envision how restrictions as draconian as the ones the UK prime minister is proposing could plausibly be implemented. Now, there's evidence that the UK's staunchest ally may have cold feet, too, signalling that Cameron may face an even steeper uphill battle.


Affordable Care Act Phishing Campaign

Original release date: January 15, 2015

US-CERT is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code.

US-CERT encourages users to take the following measures to protect themselves:

  • Do not follow links or download attachments in unsolicited email messages.
  • Maintain up-to-date antivirus software.
  • Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip for additional information on social engineering attacks.

If affected by the campaign, users should report the incident to appropriate parties within their organization and notify US-CERT.


New Year, New Cyberthreats: What’s in Store for 2015? January #SecChat

Unfortunately, the good guys aren’t the only ones with resolutions for the New Year. From cyber espionage to increasingly unforgiving ransomware, non-Windows malware to attacks on the Internet of Things—new and evolving cyberthreats are expected to surface rapidly in 2015.

Join us for a discussion of the current and upcoming cyberthreat landscape, and the ways in which we can prepare for the latest threats before they strike.

During our January #SecChat, we’ll discuss key findings and predictions from the McAfee Labs Threats Report, November 2014. Through this discussion, we hope to spark an insightful conversation around threats in the New Year and how organizations can take action to prepare against those threats. Joining us for this #SecChat will be some of the most senior threat researchers in McAfee Labs; they will provide valuable insights on their 2015 threat predictions. We look forward to your predictions as well.

Intel Security #SecChats are held in an open forum. We seek to foster conversation with participants on pressing issues facing the information security community. During the discussion, participants will have an opportunity to ask questions and contribute their own insights on the 2015 threat predictions highlighted in the McAfee Labs Threats Report. Ready to join in? Here’s what to do on January 29 at 11am PST:

  • Sign into your Twitter account at www.twitter.com.
  • Search for the #SecChat hashtag to watch the real-time stream.
  • Be sure to follow @IntelSec_Biz on Twitter, as we will tweet our questions to kick off the discussion.
  • Feel free to tweet your reactions, questions, and responses to chat topics by tagging all your tweets with the #SecChat hashtag.
  • If you have any questions prior to the chat, please tweet them to @IntelSec_Biz.

Don’t forget to mark your calendars for 11am PT on January 29th and RSVP here. We look forward to the upcoming discussion!


Blackhat brings some hacking realism to Hollywood, but to what effect?

During one scene in the upcoming hacker action movie Blackhat, a team is sent into the control room of a burned-out nuclear power plant to gather clues about the evil computer saboteur who sparked its catastrophic meltdown. The investigators, led by a convicted carder sprung from prison to track down the enigmatic perp, take an axe to a server cabinet so they can retrieve a badly corrupted hard drive that ultimately reveals the suspect's true location.

As a way to advance the plot, the 60-second scene is mostly unremarkable. But had computer and security expert Christopher McKinlay not been retained as one of the movie's two hacking consultants, it would have been the kind of Hollywood fare that makes technically savvy viewers groan. Originally, McKinlay said, the screenplay called for the investigators to pull the data off of a perfectly functioning computer. When the 36-year-old—best known for hacking the OKCupid dating site to make him the most popular male user located in Los Angeles—told director Michael Mann electronics don't function in highly irradiated environments, the scene was rewritten to make it more technically accurate. The movie opens Friday.

Method acting

The scene isn't the only example of the pains Mann took to ensure his film portrayed computers and hacking in a realistic light. McKinlay provided virtually all of the Unix command lines furiously typed throughout the movie by convicted hacker turned whitehat Nicholas Hathaway as he closes in on his quarry. The protagonist, played by actor Chris Hemsworth, was modeled after Max Butler, aka Max Vision, the security consultant turned credit-card-stealing hacker profiled in Kingpin, a book written by fellow Blackhat hacking consultant Kevin Poulsen. (Poulsen himself served time in prison on a hacking conviction before becoming a journalist.) Early on in the planning, the director toyed with the idea of Hemsworth becoming a coder himself.
