Adobe hack shows subscription software vendors lucrative targets News Analysis October 7, 2013 06:44 AM ET Computerworld - Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today. "Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments -- monthly or annually -- which for most customers, means providing a credit card. Adobe disagreed.
How China is Blocking Tor This study investigated how the Great Firewall of China (GFC) is blocking the Tor anonymity network. Tor is an overlay network which provides its users with anonymity on the Internet. A more detailed explanation is available on the project website or in the design paper. A large number of so-called entry guards and bridge relays serve as the entry points to the network. According to recent reports, China's firewall is now able to dynamically recognise Tor usage and block the respective relays and bridges. Effective countermeasures build on a sound understanding of the filtering in place. We reveal how Chinese users are hindered from accessing the Tor network. This website contains the published papers, the developed software and the gathered data. Papers: We first published a technical report about our findings, which was then followed by a peer-reviewed workshop paper. Software: All of the code listed below is licensed under the GPLv3.
NSA Hacked Email Account of Mexican President The National Security Agency (NSA) has a division for particularly difficult missions. Called "Tailored Access Operations" (TAO), this department devises special methods for special targets. That category includes surveillance of neighboring Mexico, and in May 2010, the division reported its mission accomplished. A report classified as "top secret" said: "TAO successfully exploited a key mail server in the Mexican Presidencia domain within the Mexican Presidential network to gain first-ever access to President Felipe Calderon's public email account." According to the NSA, this email domain was also used by cabinet members, and contained "diplomatic, economic and leadership communications which continue to provide insight into Mexico's political system and internal stability." This operation, dubbed "Flatliquid," is described in a document leaked by whistleblower Edward Snowden, which SPIEGEL has now had the opportunity to analyze. Brazil Also Targeted Economic Motives? Spying on Peña Nieto
Onion Routing USBCondoms Have you ever plugged your phone into a strange USB port because you really needed a charge and thought, "Gee, who could be stealing my data?" We all have needs, and sometimes you just need to charge your phone. "Any port in a storm," as the saying goes. (If you'd like some more detailed explanations, these news articles and videos do a thorough job.) Use USB-Condoms to: * Charge your phone on your work computer without worrying... * Use charging stations in public without worrying... * Place it as an "always on" adapter on your existing USB/Sync cable and remove it only when you want to sync * Turn a normal USB cable into a "charge only" cable. A charge-only adapter passes power (VBUS and ground) but not the D+/D- data lines; since devices also use those lines to negotiate higher charging currents, expect charging to be slower than on a direct connection. If you're going to run around plugging your phone into strange USB ports, at least be safe about it. ;-)
CAPTCHA Busted? AI Company Claims Break of Internet's Favorite Protection System - Wired Science What's this I hear about a breakthrough in artificial intelligence? A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHAs with greater than 90% accuracy. What is CAPTCHA and why should I care? You've already encountered CAPTCHAs if you've ever created an email account with Google, set up a PayPal account, or commented on some WordPress blogs. You should care for at least two reasons. But more exciting, this might be a major breakthrough in computer science. So is it a breakthrough or not? That depends on how they broke CAPTCHA. Do they offer any proof? Ah, there's the rub. To be fair, you wouldn't want Vicarious to share the code. And CAPTCHA creator Luis von Ahn, a computer scientist at Carnegie Mellon University in Pittsburgh, Pennsylvania, is not convinced: "This is the 50th time somebody claims this." What does all this have to do with the human brain? So does it really work?
Old MacDonald Had a CAPTCHA Farm: Inside the World of Human CAPTCHA Solvers | Are You a Human, the Fun, Free CAPTCHA Alternative At Are You a Human, when we talk about CAPTCHA cracking, we mostly focus on bots, those nefarious computer programs that create bogus accounts, send out spam, and snap up concert tickets for scalpers, among other things. But there's another method for bypassing CAPTCHAs that's been gaining in popularity over the past several years: CAPTCHA farms, where workers in developing countries are paid pennies to solve CAPTCHAs en masse. (At BeatCaptchas.com, 1,000 CAPTCHAs can be passed for just eight dollars.) CAPTCHA farms like BeatCaptchas and BypassCaptcha fill banks of computer terminals with workers in countries like India and Bangladesh, then build APIs that pass CAPTCHA images to the terminals, where they are quickly decoded by a real person and then passed back. But while most CAPTCHAs can be quickly cheated by CAPTCHA farms, PlayThru is not so easily defeated. Interested in learning more about CAPTCHA farms? ZDNet: Inside India's CAPTCHA solving economy
CryptoLocker attacks that hold your computer to ransom | Money The email from the bank looked innocent enough. It was from paymentsadmin@lloydsplc.co.uk, and Sarah Flanders, a 35-year-old charity worker from north London, didn't think twice about opening it. But the email contained software that immediately began encrypting every file on her computer, from precious family photos to private correspondence and work documents. In just a short time all her files were blocked, and then a frightening message flashed up on her screen: "Your personal files have been encrypted and you have 95 hours to pay us $300." Flanders is refusing to pay, but fears her personal files are now lost forever. She is one of the latest victims of a particularly malicious piece of "ransomware" called CryptoLocker, which is estimated to have targeted nearly 1m computers over the past month alone. What's more, while you will no longer be able to open, read or view your files, anyone with the decryption key could easily do so. Flanders says she feels violated.
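The behaviour described above, many files rewritten as ciphertext within minutes, is also what makes this family detectable from file-system telemetry. The following is an added illustration, not code from the article or from any product it mentions: it flags a burst of high-entropy overwrites across several distinct files inside a short window, while ignoring the single high-entropy write that saving a photo or a zip produces. The event list, file paths, thresholds and the SHA-256 chain standing in for encrypted content are all constructed for the example.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. English text sits around 4-5 bits; ciphertext, like what
    CryptoLocker leaves behind, sits close to the 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(label: str, length: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file
    (a SHA-256 chain, so the example runs offline and reproducibly).
    This is a constructed stand-in, not real ransomware output."""
    out, block = b"", label.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def detect_mass_encryption(events, window=timedelta(seconds=60),
                           entropy_threshold=7.0, min_files=5):
    """events: iterable of (timestamp, path, bytes_written).
    Returns the first window in which at least `min_files` distinct files were
    overwritten with high-entropy data, or None. One high-entropy write is
    normal (JPEGs and archives look random); many in quick succession is not."""
    suspicious = sorted((t, p) for t, p, data in events
                        if shannon_entropy(data) >= entropy_threshold)
    for i, (t0, _) in enumerate(suspicious):
        paths = {p for t, p in suspicious[i:] if t - t0 <= window}
        if len(paths) >= min_files:
            return {"start": t0, "files": sorted(paths)}
    return None


T0 = datetime(2013, 10, 29, 9, 0, 0)
PROSE = b"Dear trustees, please find attached the quarterly report for review. " * 16

# Constructed sample telemetry (not from the article): ordinary document edits,
# one photo saved, then a burst of overwrites that looks like CryptoLocker at work.
BENIGN_EVENTS = [
    (T0, r"C:\Users\sarah\Documents\letter.docx", PROSE),
    (T0 + timedelta(minutes=5), r"C:\Users\sarah\Pictures\holiday.jpg", pseudo_ciphertext("jpeg")),
    (T0 + timedelta(minutes=9), r"C:\Users\sarah\Documents\report.docx", PROSE),
]

ATTACK_EVENTS = BENIGN_EVENTS + [
    (T0 + timedelta(minutes=12, seconds=2 * i),
     rf"C:\Users\sarah\Documents\file{i}.docx",
     pseudo_ciphertext(f"victim{i}"))
    for i in range(8)
]

if __name__ == "__main__":
    print("benign:", detect_mass_encryption(BENIGN_EVENTS))
    print("attack:", detect_mass_encryption(ATTACK_EVENTS))
```

The threshold of five files per minute is a starting point, not a tuned value; a real deployment would also watch for the extension changes and the ransom note that accompany the overwrites, and would act (suspend the process, cut the share) rather than only alert.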
GCHQ Targets Engineers with Fake LinkedIn Pages The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn't take any longer than usual to load. The victims didn't notice that what they were looking at wasn't the original site but a fake profile with one invisible added feature: a small piece of malware that turned their computers into tools for Britain's GCHQ intelligence service. The British intelligence workers had already thoroughly researched the engineers. According to a "top secret" GCHQ presentation disclosed by NSA whistleblower Edward Snowden, they began by identifying employees who worked in network maintenance and security for the partly government-owned Belgian telecommunications company Belgacom. Then they determined which of the potential targets used LinkedIn or Slashdot.org, a popular news website in the IT community. 'Quantum Insert' A Visit from Charles and Camilla
The NSA might know everything but it is not all powerful Given how similar they sound and how easy it is to imagine one leading to the other, confusing omniscience (having total knowledge) with omnipotence (having total power) is easy enough. It’s a reasonable supposition that, before the Snowden revelations hit, America’s spymasters had made just that mistake. If the drip-drip-drip of Snowden’s mother of all leaks — which began in May and clearly won’t stop for months to come — has taught us anything, however, it should be this: omniscience is not omnipotence. At least on the global political scene today, they may bear remarkably little relation to each other. In fact, at the moment Washington seems to be operating in a world in which the more you know about the secret lives of others, the less powerful you turn out to be. Let’s begin by positing this: There’s never been anything quite like it. It’s visibly changed attitudes around the world toward the U.S. — strikingly for the worse, even if this hasn’t fully sunk in here yet. Omniscience
More NSA Spying Fallout: Groklaw Shutting Down A few months ago, after the NSA spying stories first broke, we wrote about a bit from This American Life where the host, Ira Glass, was interviewing lawyers for prisoners detained at Guantanamo, about the impact of knowing that the government was listening in on every single phone call you made. The responses were chilling. The people talked about how it stopped them from being emotional with their children or other close friends and relatives. How they had trouble functioning in ways that many people take for granted, just because the mental stress of knowing that you have absolutely no privacy is incredibly burdensome. PJ, the dynamo behind Groklaw, has written a powerful piece explaining the similar feeling she's getting from all the revelations about government surveillance, in particular the shutting down of Lavabit by Ladar Levison, and his suggestion that if people knew what he knew about email, they wouldn't use it. Because of this, she's shutting down Groklaw.
Google Removes Vital Privacy Feature From Android, Claiming Its Release Was Accidental Yesterday, we published a blog post lauding an extremely important app privacy feature that was added in Android 4.3. That feature, App Ops, allows users to install apps while preventing the app from collecting sensitive data like the user's location or address book. After we published the post, several people contacted us to say that the feature had actually been removed in Android 4.4.2, which was released earlier this week. When asked for comment, Google told us that the feature had only ever been released by accident, that it was experimental, and that it could break some of the apps policed by it. The disappearance of App Ops is alarming news for Android users. A moment ago, it looked as though Google cared about this massive privacy problem. In the meantime, we're not sure what to say to Android users. Google, the right thing to do here is obvious.