What you need to know for your personal cyber security life…
Seventh in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cybersecurity on SurvivalRing? Because EVERYTHING you do in your life everyday is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally.
# # #
Navy cyber warfare chief is Obama’s pick to lead NSA
By Ken Dilanian
The Los Angeles Times
January 27, 2014
WASHINGTON — Navy cryptologist Michael S. Rogers is President Obama’s top choice to take over the embattled National Security Agency — which conducts electronic surveillance operations worldwide — and the Pentagon’s cyber warfare command, officials say.
Rogers’ experience includes 30 years in the Navy, where he rose to vice admiral and managed the intelligence portfolio for the Joint Chiefs of Staff. Currently, he runs the Navy’s cyber warfare arm.
If confirmed by the Senate, Rogers, 54, will succeed Gen. Keith Alexander, who is retiring after leading the NSA through one of the toughest periods in its history — the hemorrhaging of secrets by former contractor Edward Snowden. That will put Rogers in the public eye for the foreseeable future.
In the latest leak, the New York Times, ProPublica and the Guardian reported Monday that the NSA and its British counterpart, the Government Communications Headquarters, or GCHQ, can secretly collect an individual’s location, age, sex and other personal data from smartphone applications, including such popular apps as the game Angry Birds.
# # #
Malware That Logs Touchscreen Swipes To Record Your PIN
By Tamlin Magee
Neal Hindocha, a senior security consultant for Trustwave, has built proof-of-concept ‘screenlogging’ malware that monitors finger swipes on smart devices in combination with taking screenshots, painting a picture of exactly how the user is interacting with their phone or tablet.
Hindocha’s concept malware logs the X and Y coordinates of any swipe or touch. Speaking with Forbes, Hindocha says it wasn’t much hassle to get the code running on jailbroken iOS and rooted Android devices, and that it’s possible to get it working on regular Android smartphones, provided they are plugged into a PC — for example, while charging by USB.
Trustwave was examining financial malware on the Windows platform and wanted to see if similar methods could be applied to mobile. Keylogging has been a typical component for financial Windows malware, and there are apps that already log keyboard inputs on smart devices. But Hindocha says the finance industry is moving away from using typical keyboard inputs, whether it is with a PIN code or another kind of password.
Recording touch screen coordinates “has a certain value in itself,” Hindocha says. “If you’re monitoring all touch events and the phone hasn’t been touched for at least one hour, then you get a minimum of four touch events, you can assume that is a PIN code being entered.”
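The article describes a proof of concept that records raw tap coordinates and singles out the bursts that look like PIN entry. As an added example, not code from the article or from Trustwave, the Python below models a phone-style PIN pad with a constructed geometry (3x4 grid of 100-point cells, digits in dial-pad order) and shows two things: against a fixed layout, a coordinate log alone is enough to read the PIN back; and with a per-session shuffle of which digit sits in which cell, a mitigation the article does not discuss, the same coordinate log decodes to an unrelated digit string. The layout, jitter and the `simulate` helper are assumptions for this example.

```python
import random

# Constructed keypad geometry (an assumption for this example): a 3x4 grid of
# 100x100 point cells in phone-dial order, with an empty cell on each side of "0".
CELL = 100
COLS, ROWS = 3, 4
STANDARD_LAYOUT = ["1", "2", "3", "4", "5", "6", "7", "8", "9", None, "0", None]


def cell_index(x, y):
    """Return the grid cell hit by a touch at (x, y), or None if outside the pad."""
    col, row = int(x // CELL), int(y // CELL)
    if 0 <= col < COLS and 0 <= row < ROWS:
        return row * COLS + col
    return None


def taps_to_digits(taps, layout):
    """Translate touch coordinates into digits under a given digit-to-cell layout."""
    digits = []
    for x, y in taps:
        idx = cell_index(x, y)
        if idx is not None and layout[idx] is not None:
            digits.append(layout[idx])
    return "".join(digits)


def shuffled_layout(rng):
    """Same geometry, but the ten digits are assigned to the digit cells in random order."""
    digits = [k for k in STANDARD_LAYOUT if k is not None]
    rng.shuffle(digits)
    it = iter(digits)
    return [next(it) if k is not None else None for k in STANDARD_LAYOUT]


def pin_to_taps(pin, layout, rng):
    """Simulate a user tapping each digit near the centre of its cell (constructed jitter)."""
    taps = []
    for d in pin:
        row, col = divmod(layout.index(d), COLS)
        taps.append((col * CELL + CELL / 2 + rng.uniform(-20, 20),
                     row * CELL + CELL / 2 + rng.uniform(-20, 20)))
    return taps


def simulate(pin, seed, randomize):
    """Return (what the device decodes, what a coordinate-only logger decodes).

    The device knows its own layout; a logger that only has coordinates must
    assume the standard dial-pad arrangement."""
    rng = random.Random(seed)
    layout = shuffled_layout(rng) if randomize else STANDARD_LAYOUT
    taps = pin_to_taps(pin, layout, rng)
    return taps_to_digits(taps, layout), taps_to_digits(taps, STANDARD_LAYOUT)


def logger_hit_rate(pin, trials, seed=0):
    """Fraction of randomized sessions in which the coordinate log alone yields the PIN."""
    hits = sum(simulate(pin, seed + i, True)[1] == pin for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("fixed layout   :", simulate("1234", 1, False))
    print("shuffled layout:", simulate("1234", 1, True))
    print("hit rate over 500 shuffled sessions:", logger_hit_rate("1234", 500))
```

With the fixed layout the logger's reading equals the PIN every time; with a shuffled layout it matches only when the shuffle happens to leave the four tapped digits in their standard cells. The caveat is in the article itself: Hindocha's proof of concept pairs coordinates with screenshots, so shuffling the pad forces an attacker to capture the screen at tap time rather than defeating the approach outright, and the idle-then-four-taps heuristic still reveals that a PIN was entered.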
# # #
Boost to U.S.-Japan cyberdefense
The Yomiuri Shimbun
January 27, 2014
Japan will send members of its Self-Defense Forces to receive specialized training in cyberdefense with U.S. forces, in a cooperative program to bolster Japan’s defense against cyber-attacks, sources said.
SDF members will learn from the technologies and experiences of the more advanced U.S. forces in countering cyber-attacks.
The project aims not only at improving the SDF’s cyberdefense capabilities but also at strengthening the Japan-U.S. alliance.
Japan-U.S. cooperation in the field of cyber-related affairs had previously been limited to exchanging information, but this project is expected to deepen working-level collaboration between the two sides.
# # #
Forget hackers: Squirrels are a bigger threat to America’s power grid
By Eugene K. Chow
January 28, 2014
While American lawmakers and security officials repeatedly warn of a catastrophic cyberattack that will cripple the nation’s power grids, in reality, squirrels and tree branches are proving more troublesome than hackers when it comes to actual power outages.
According to numerous reports and headlines: America’s power grid is “too vulnerable to cyberattack”; thousands will die if terrorists attack the grid; cyber attacks could keep America in the dark for nine to 18 months; and electric companies face “daily” cyber attacks, which over a month can build to 10,000.
With cyber security so abysmal, incentive so high, and attacks constant, why hasn’t there been a massive hacker-triggered power failure yet? Simply put, because it’s not that easy.
To be clear, attacks on the power grid would be disastrous and there are significant gaps that must be addressed — procedures improved, vulnerabilities patched, software updated — but even with these glaring weaknesses, an ordinary hacker wouldn’t be able to take down the electrical grid. Turning America’s lights off remotely is a complex operation that requires not only hacking expertise but an array of intelligence and analysis — something only the most sophisticated terrorist organizations or nation states can muster.
# # #
“Honey Encryption” Will Bamboozle Attackers with Fake Secrets
By Tom Simonite
MIT Technology Review
January 29, 2014
Ari Juels, an independent researcher who was previously chief scientist at computer security company RSA, thinks something important is missing from the cryptography protecting our sensitive data: trickery.
“Decoys and deception are really underexploited tools in fundamental computer security,” Juels says. Together with Thomas Ristenpart of the University of Wisconsin, he has developed a new encryption system with a devious streak. It gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data.
The new approach could be valuable given how frequently large encrypted stashes of sensitive data fall into the hands of criminals. Some 150 million usernames and passwords were taken from Adobe servers in October 2013, for example.
After capturing encrypted data, criminals often use software to repeatedly guess the password or cryptographic key used to protect it. The design of conventional cryptographic systems makes it easy to know when such a guess is correct or not: the wrong key produces a garbled mess, not a recognizable piece of raw data.
Juels and Ristenpart’s approach, known as Honey Encryption, makes it harder for an attacker to know if they have guessed a password or encryption key correctly or not. When the wrong key is used to decrypt something protected by their system, the Honey Encryption software generates a piece of fake data resembling the true data.
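As an added illustration of the idea described above, not the authors' implementation and a toy rather than the published scheme, the Python below builds the two pieces Honey Encryption rests on: a distribution-transforming encoder that gives every plausible secret a slice of a seed space sized by its prior probability, and a key-derived pad that masks the seed. Decrypting with a wrong key lands on a random seed, and the decoder turns any seed into some plausible secret, so a brute-forcer sees a fresh believable answer for every guess. The `PRIOR` table, HMAC-SHA256 as the PRF and the 32-bit seed space are assumptions for this example; an authenticated conventional scheme is shown beside it for contrast.

```python
import bisect
import hashlib
import hmac
import secrets

# Constructed toy plaintext distribution (an assumption for this example): the
# scheme needs a model of what real secrets look like and how likely each is.
PRIOR = {"hunter2": 0.40, "letmein": 0.30, "qwerty": 0.20, "correct horse": 0.10}
SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS


def build_dte(prior):
    """Distribution-transforming encoder: each message owns a slice of the seed
    space whose size is proportional to its prior probability."""
    messages = list(prior)
    bounds, acc = [], 0
    for m in messages:
        acc += int(prior[m] * SEED_SPACE)
        bounds.append(acc)
    bounds[-1] = SEED_SPACE  # absorb integer rounding into the last slice
    return messages, bounds


MESSAGES, BOUNDS = build_dte(PRIOR)


def dte_encode(message, randbelow=secrets.randbelow):
    """Map a message to a uniformly random seed inside its slice."""
    idx = MESSAGES.index(message)
    lo = BOUNDS[idx - 1] if idx else 0
    return lo + randbelow(BOUNDS[idx] - lo)


def dte_decode(seed):
    """Map any seed in [0, SEED_SPACE) back to a message. This never fails,
    which is exactly what makes wrong-key output look plausible."""
    return MESSAGES[bisect.bisect_right(BOUNDS, seed)]


def _pad(key, nonce):
    """Key- and nonce-derived 32-bit pad (HMAC-SHA256 used as the PRF)."""
    return int.from_bytes(hmac.new(key, nonce, hashlib.sha256).digest()[:4], "big")


def honey_encrypt(key, message, nonce=None):
    """Encode the message to a seed, then mask the seed with the pad."""
    nonce = nonce or secrets.token_bytes(16)
    return nonce, (dte_encode(message) + _pad(key, nonce)) % SEED_SPACE


def honey_decrypt(key, nonce, ciphertext):
    """Any key decrypts to some message from PRIOR; only the right key gives the real one."""
    return dte_decode((ciphertext - _pad(key, nonce)) % SEED_SPACE)


def conventional_encrypt(key, message, nonce=None):
    """Authenticated stream encryption for comparison: a wrong key fails the tag check."""
    nonce = nonce or secrets.token_bytes(16)
    stream = hashlib.sha256(key + nonce).digest()  # messages up to 32 bytes in this toy
    ct = bytes(a ^ b for a, b in zip(message.encode(), stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def conventional_decrypt(key, nonce, ct, tag):
    """Returns None on a wrong key, which tells a brute-forcer the guess failed."""
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def guess_outcomes(nonce, ciphertext, candidate_keys):
    """What a brute-forcer sees under Honey Encryption: one plausible message per guess."""
    return [honey_decrypt(k, nonce, ciphertext) for k in candidate_keys]


if __name__ == "__main__":
    nonce, c = honey_encrypt(b"right-key", "letmein")
    print("right key ->", honey_decrypt(b"right-key", nonce, c))
    print("wrong keys ->", guess_outcomes(nonce, c, [b"a", b"b", b"c", b"d", b"e"]))
    n2, ct, tag = conventional_encrypt(b"right-key", "letmein")
    print("conventional, wrong key ->", conventional_decrypt(b"wrong-key", n2, ct, tag))
```

The security of the construction lives entirely in the prior: the decoys are only as convincing as the model of the real message distribution, and if the attacker knows more about the true plaintext than the model encodes (a format detail, a name, a date), the honey messages stand out. Note also that the honey path deliberately has no authentication tag, since a tag would hand back the very yes/no signal the scheme is designed to remove, so it cannot detect tampering on its own.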