Convergence isn’t a new concept in information security. For a while now, we have been talking about “security convergence”: two principles or functions that are distinct at the outset are mixed to tend toward or achieve union or a common conclusion or result (as defined by Wikipedia). A good example is the combination of physical and logical security controls: to improve the authentication and authorization processes, we can use two different factors, something we “know” (a PIN, a password) and something we “have” (a token or smartcard). Security convergence is also used to detect incidents or suspicious activities. You could correlate data generated by a badge reader (physical security) with an Active Directory event (logical security). A user who swiped his badge to enter building “A” but opens a session on a desktop located in building “B” can be considered suspicious.
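As an added illustration of the badge-versus-logon correlation described above (example code, not the author's), the script below pairs each Active Directory logon with the user's most recent badge swipe and raises an alert when the buildings disagree or when no swipe exists at all. The event formats, the “WS-&lt;building&gt;-&lt;n&gt;” workstation naming convention and all sample events are constructed assumptions.

```python
"""Correlate physical badge swipes with Active Directory logon events.

Added illustration for the post above; not the author's code. The event
formats, the building-to-workstation mapping and all sample events are
constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample data: badge reader events (physical security).
BADGE_EVENTS = [
    # (timestamp, user, building)
    ("2013-06-15 08:02:10", "alice", "A"),
    ("2013-06-15 08:05:44", "bob", "B"),
    ("2013-06-15 12:30:00", "alice", "B"),   # alice walks over to building B at noon
]

# Constructed sample data: AD interactive logon events (logical security).
LOGON_EVENTS = [
    # (timestamp, user, workstation)
    ("2013-06-15 08:10:01", "alice", "WS-A-017"),   # consistent with badge-in at A
    ("2013-06-15 08:11:30", "bob", "WS-A-003"),     # bob badged into B, logs on in A
    ("2013-06-15 09:00:00", "carol", "WS-B-021"),   # no badge swipe at all
    ("2013-06-15 12:45:00", "alice", "WS-B-004"),   # consistent with noon badge-in at B
]


def building_of(workstation):
    """Assumption: workstation names encode the building as WS-<building>-<n>."""
    return workstation.split("-")[1]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def last_badge_before(badge_events, user, when, max_age=timedelta(hours=10)):
    """Most recent badge swipe for `user` at or before `when`, no older than max_age.

    Returns (swipe_time, building) or None. The age limit avoids pairing a
    logon with yesterday's swipe, which would hide a missing entry.
    """
    candidates = [
        (parse(ts), bld)
        for ts, u, bld in badge_events
        if u == user and parse(ts) <= when and when - parse(ts) <= max_age
    ]
    return max(candidates, default=None)


def correlate(badge_events, logon_events):
    """Return a list of (timestamp, user, workstation, reason) alerts."""
    alerts = []
    for ts, user, ws in logon_events:
        when = parse(ts)
        swipe = last_badge_before(badge_events, user, when)
        if swipe is None:
            # Logical access with no matching physical entry: tailgating,
            # a shared account, or a session opened from elsewhere.
            alerts.append((ts, user, ws, "logon without any badge entry"))
            continue
        _, badged_building = swipe
        if badged_building != building_of(ws):
            alerts.append((ts, user, ws,
                           f"badged into building {badged_building}, "
                           f"logged on in building {building_of(ws)}"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGON_EVENTS):
        print(*alert)
```

Run as-is it reports two alerts: bob (badged into B, session opened in A) and carol (session with no badge record). Alice's noon logon in building B is not flagged because her most recent swipe is the 12:30 entry into B, which is why the correlation must use the latest swipe before the logon rather than the first swipe of the day.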
Today, I read an interesting news item reported on Twitter. It was published by the Dutch portal transport-online.nl, which compiles news about freight. Nothing related to information security at first sight, but quite interesting anyway. The portal reported that drug criminals hacked the websites of two container terminals. Those companies operate in the port of Antwerp. Why? Today, computers control more and more infrastructure, and containers are no exception. Every container can be tracked throughout its journey: when it was (un)loaded on boats, trains or trucks, where it was stored (position), etc. Such information can be very valuable for criminals, especially if the containers hold drugs. The hackers used the infiltrated systems to locate their precious goods.
This is a very good example of “crime convergence”: to achieve their goals, criminals do not hesitate to mix regular criminal activities with cyber-crime. I’m pretty sure that the two hacked companies would never have imagined being a target for cyber criminals (“Hey, who would be interested in the position of our containers?”). Don’t forget that data handled by your organization might be very valuable to some people with bad intentions.
Here is a link to the article: Drugshandelaren hacken rederijen en ontvreemden containers met cocaïne (in Dutch – translation in English here).
BlackBerry has issued a security advisory to customers who have purchased the company's Z10 smartphone—the flagship device of BlackBerry's relaunch in February. A bug in the system designed to help users find their lost cell phone could be used to gain access to the phone, either physically or over Wi-Fi.
The bug isn't in the BlackBerry 10 OS itself, but in the BlackBerry Protect application. A malicious application could take advantage of weak permission controls in BlackBerry Protect to reset the password on the Z10 or prevent the phone's owner from remote-wiping it when the phone is lost. If an attacker has the phone in hand, the bug in Protect could be used to gain access to the phone's functionality and the owner's personal data; the bug and a malicious application could be used to expose the phone over Wi-Fi and allow a user to pilfer files from the device.
BlackBerry (the company formerly known as Research In Motion) went out of its way to get its Z10 smartphone and the BlackBerry 10 operating system certified as secure well before launch, getting the US government seal of approval with FIPS 104-2 certification last November. The company is downplaying the immediate risks of this vulnerability, as there is no known exploit using the bug in the outside world and the worst risks require a combination of a user installing a malicious application and then an attacker gaining access to the phone. The Wi-Fi attacks are only possible if the device's owner has turned on Wi-Fi access.
This finally explains what John Ellis was talking about in "The Possibility of Non-Secret Encryption" when he dropped a tantalizing hint about wartime work at Bell Labs.
There's one piece of blowback that isn't being discussed -- aside from the fact that Snowden killed the chances of a liberal arts major getting a job at the DoD for a decade -- and that's how the massive NSA surveillance of the Internet affects the US's role in Internet governance.
Ron Deibert makes this point:
But there are unintended consequences of the NSA scandal that will undermine U.S. foreign policy interests -- in particular, the "Internet Freedom" agenda espoused by the U.S. State Department and its allies. The revelations that have emerged will undoubtedly trigger a reaction abroad as policymakers and ordinary users realize the huge disadvantages of their dependence on U.S.-controlled networks in social media, cloud computing, and telecommunications, and of the formidable resources that are deployed by U.S. national security agencies to mine and monitor those networks.
Writing about the new Internet nationalism, I talked about the ITU meeting in Dubai last fall, and the attempt of some countries to wrest control of the Internet from the US. That movement just got a huge PR boost. Now, when countries like Russia and Iran say the US is simply too untrustworthy to manage the Internet, no one will be able to argue.
We can't fight for Internet freedom around the world, then turn around and destroy it back home. Even if we don't see the contradiction, the rest of the world does.
Software developer Anthony Goubard may be one of the most ambitious DIYers on the planet. How else can you explain it? One man looks across the landscape of productivity suites—from Microsoft Office to LibreOffice to Google Docs—and says: "I'll just make my own."
Contrary to popular belief, the Electronic Entertainment Expo, known as E3, was alive and well this year. But the rise of Ouya, Steam Box, and GamePop later this year could mark the end of an era. With relatively small revenue generated by a typical open-source game, indie developers simply won't be able to afford to go.
At the same time, there's going to be more and more of them, playing a huge part in the gaming ecosystem.
The U.S. government searched for detailed information on calls involving fewer than 300 phone numbers last year, according to an unclassified document circulated Saturday.
The paper said such searches -- part of two controversial U.S. intelligence gathering programs -- led to two men allegedly plotting to attack New York City's subway system, Reuters reported. The data, which the Associated Press reported is destroyed every five years, thwarted terrorist plots in the U.S. and more than 20 other countries.
Facebook and Microsoft each fielded thousands of requests for user data as part of law enforcement investigations from U.S. authorities in the second half of last year, they said late Friday.
Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy.
According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.
The consumer electronics market is being flooded with devices that have incredibly high-resolution screens.
All the new iPhones and high-end Android phones have them. The 10-in. iPad has one, as do the Archos 97 Titanium HD, Onda V972, Freelander PD80, Ainol NOVO9 Spark, Cube U9GT5 and others.
Australian intelligence agencies have reportedly received "huge volumes" of "immensely valuable" intelligence data from the US, including from its PRISM program.
The PRISM programme came to light after a US Booz Allen staffer leaked a PowerPoint presentation to the Washington Post and the Guardian which detailed how the US was spying on the communications of foreigners without the use of a warrant.