<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?xml-stylesheet href="/css/rss20.xsl" type="text/xsl"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:s="http://www.zdnet.com/search" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
	<channel>
		<link>http://www.zdnet.com/</link>
		<title>ZDNet | Zero Day Blog RSS</title>
		<description>Latest blogs in Zero Day</description>
		<language>en</language>
		<copyright>ZDNet</copyright>
		<managingEditor>http://www.zdnet.com/meet-the-team/</managingEditor>
		<webMaster>http://www.zdnet.com/meet-the-team/</webMaster>
		<pubDate>Wed, 07 Aug 2013 10:56:42 -0700</pubDate>
		<lastBuildDate>Wed, 07 Aug 2013 10:56:42 -0700</lastBuildDate>
		<docs>http://blogs.law.harvard.edu/tech/rss</docs>
		<ttl>2</ttl>
		<image>
			<url>http://i.zdnet.com/images/spry/zdnet_300x300.jpg</url>
			<link>http://www.zdnet.com/</link>
			<title>ZDNet | Zero Day Blog RSS</title>
			<width>143</width>
			<height>39</height>
		</image>
		<s:counts>
			<start>0</start>
			<return>20</return>
			<found>3096</found>
		</s:counts>
		<item>
			<guid isPermaLink="false">7000019105</guid>
			<link><![CDATA[http://www.zdnet.com/doj-probing-claims-u-s-drug-agency-collaborated-with-nsa-on-intelligence-7000019105/]]></link>
			<title><![CDATA[DOJ probing claims U.S. drug agency 'collaborated' with NSA on intelligence]]></title>
			<description><![CDATA[The U.S. Justice Dept. said it was "looking into the issues" raised by a Reuters story that one of its law enforcement agencies collaborated with the NSA to crack down on alleged drug criminals.]]></description>
			<pubDate><![CDATA[Wed, 07 Aug 2013 19:19:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
			<media:text type="html"><![CDATA[<figure><img title="DELIVERANCE_01" alt="DELIVERANCE_01" src="http://cdn-static.zdnet.com/i/r/story/70/00/019105/deliverance01-620x370.jpg?hash=L2IvMzD5MQ&upscale=1" height="370" width="620"><figcaption>If the Drug Enforcement Administration is found to have broken the rules by acquiring intelligence from the National Security Agency, the Justice Dept. may have to clean out its own house. (Image: Justice Dept.)</figcaption></figure>
<p>A day after Reuters reported that the U.S. Drug Enforcement Administration (DEA) was using tip-offs and intelligence collected by the National Security Agency (NSA) to crack down on suspected drug-related criminals, the U.S. government said it will investigate.</p>
<p>In <a href="http://www.theguardian.com/world/2013/aug/06/justice-department-surveillance-dea">response to The Guardian</a> on Tuesday, the&nbsp;Justice Department said it was "looking into the issues raised by this story," but declined to comment further.</p>
<p>This ties in <a href="http://www.usatoday.com/story/news/nation/2013/08/05/justice-dea-special-operations-shield/2620439/">with comments made</a> by White House Press Secretary Jay Carney in the afternoon briefing.</p>
<p>Though the data was used to crack down on suspected criminals, DEA agents are trained to "recreate" the origin of the intelligence, <a href="http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805">the Reuters news agency reported on Monday</a>. The report said this is done to mask the true source from the courts, where it would become a matter of public record and could have blown the lid off the whole intelligence collaboration.</p>
<p>Lawyers speaking to Reuters for the piece said these actions could violate a defendant's constitutional rights to a fair trial.</p>
<p>The tips the agency received originally came from the NSA, according to the reports, specifically from its Special Operations Division (SOD). The division was first named in June when revelations about the NSA's surveillance program <a href="http://www.zdnet.com/prism-heres-how-the-nsa-wiretapped-the-internet-7000016565/">first came to light</a>. The SOD's remit is understood to collect intelligence on non-U.S. persons relating to national security, not drug crimes.</p>
<p>The Electronic Frontier Foundation&nbsp;<a href="https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intelligence-laundering">said on Wednesday</a>&nbsp;that this practice of "parallel construction" amounts to "intelligence laundering," and called the tactics deceptive and dishonest.</p>
<p>ZDNet put in calls to the DEA (at the Justice Dept.) but, outside U.S. business hours, had not heard back at the time of writing.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000019099</guid>
			<link><![CDATA[http://www.zdnet.com/ios-7-records-displays-user-location-data-reactions-from-the-trenches-7000019099/]]></link>
			<title><![CDATA[iOS 7 records, displays user location data: Reactions from the trenches]]></title>
			<description><![CDATA[We all presume our phones log where we go and when. But when you see it in front of you on your iPhone, that's when it gets a little creepy. ]]></description>
			<pubDate><![CDATA[Wed, 07 Aug 2013 18:41:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-ios/">iOS</category>
			<category domain="http://www.zdnet.com/topic-security/">Security</category>
			<media:text type="html"><![CDATA[<p>Here's one for you.</p>
<p>Apple's latest mobile operating system, iOS 7, running on an iPhone 4S, logs and records where you've been, when you were there, and makes it available to view on your device, albeit buried deep in the settings.&nbsp;</p>
<figure><img title="Screen Shot 2013-08-07 at 11.59.02" alt="Screen Shot 2013-08-07 at 11.59.02" src="http://cdn-static.zdnet.com/i/r/story/70/00/019099/screen-shot-2013-08-07-at-11-59-02-620x456.png?hash=ZQL0LGOxBG&upscale=1" height="456" width="620"><figcaption>(Image: ZDNet)</figcaption></figure>
<p>First discovered <a href="https://news.ycombinator.com/item?id=6171514">on Y Combinator's Hacker News</a>, the "feature" was debated at length by iOS 7 developers and Apple users alike, with mixed reactions.</p>
<p>Some are naturally concerned in the wake of the U.S. National Security Agency's PRISM program and other state surveillance systems, while some privacy-minded folk agree that, accusations of "copying" rival phone software makers such as Google Now aside, a level of transparency is the best policy.&nbsp;</p>
<p>User <a href="https://news.ycombinator.com/item?id=6171698">julianpye</a>:</p>
<blockquote>
<p>If you want to build transparent context-aware services, your system will need to create this information.</p>
</blockquote>
<p>In agreement, <a href="https://news.ycombinator.com/item?id=6171807">jbrooksuk</a>:</p>
<blockquote>
<p>What's wrong with this? Apple are openly providing this information for you to view —&nbsp;rather than others who don't even warn the user. Plus, it's improving their services which you more than likely need.&nbsp;Why complain? You can opt out.</p>
</blockquote>
<p>New user <a href="https://news.ycombinator.com/item?id=6171754">northwest</a> chimed in:</p>
<blockquote>
<p>Society has accepted to be tracked all the time/everywhere with the introduction of mobile phones.&nbsp;If we don't like this, we should start to talk more proactively to people about the dangers our technology brings.</p>
</blockquote>
<p>User&nbsp;<a href="https://news.ycombinator.com/item?id=6171690">donquichotte</a> started a line of thinking about the nature of opt-in versus opt-out:</p>
<blockquote>
<p>But how much of the collected data do they show you? [In my opinion] services like this should be opt-in, rather than opt-out.</p>
</blockquote>
<p>In Germany, where much of the privacy scandal has been focused because of the country's strong data protection laws, a few lines of inquiry quickly become political. "Germans love their privacy-by-default and opt-in," said <a href="https://news.ycombinator.com/item?id=6171818">one user</a>.</p>
<p>User <a href="https://news.ycombinator.com/item?id=6171957">eduard</a> added:</p>
<blockquote>
<p>Given current affairs, it's bad that this system doesn't inform the user about a new feature being activated on default. It is hidden in the background.</p>
</blockquote>
<p>The reason to bring up "what the community says" is that it is interesting to see how developers in particular, who understand the underlying software better than most, feel in the wake of&nbsp;the NSA surveillance scandal breaking.</p>
<p>There are some takeaway lessons here.</p>
<p>For Apple, it's worth being up front about it. As the comments noted, Google also tracks its users in a similar way, both on mobile devices and <a href="https://maps.google.com/locationhistory/b/0/">on the desktop</a>. We as users opt into it, often without knowing. Terms of service are long, boring, and only very few actually read them. But when the word gets out, it's better to be proactively transparent and open rather than allow the freak-out machine to do its thing until fears are calmed.</p>
<p>Some are reminded of "Locationgate," which was not so long ago. Apple, along with Google and Microsoft, was <a href="http://news.cnet.com/8301-27080_3-57378450-245/lawmakers-ask-apple-to-explain-iphone-app-privacy-policies/">implicated in a privacy row</a> in which mobile devices and smartphones quietly collected location data and stored it in an unencrypted file on the device.&nbsp;</p>
<p>The scandal <a href="http://news.cnet.com/8301-27080_3-57378450-245/lawmakers-ask-apple-to-explain-iphone-app-privacy-policies/">led to lawmakers</a> getting involved,&nbsp;<a href="http://news.cnet.com/8301-27076_3-57378551-248/apple-apps-using-address-data-are-in-violation-fix-to-come/">patches being issued</a>, and a general shake-up of the third-party app industry&nbsp;in a bid to prevent this tracking from happening.</p>
<p>On the flip side, we assume many things in this world, and those assumptions come from somewhere. As the user, it's worth keeping in mind that from a personal security perspective, we can't avoid cell companies and governments accessing our tracking data. But if our phones are stolen, the last thing we might want is a map of "home" and "work" being readily available to the thief.&nbsp;</p>
<p>(<em><a href="https://news.ycombinator.com/item?id=6171514">via Hacker News</a></em>)</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000019097</guid>
			<link><![CDATA[http://www.zdnet.com/single-android-flaw-can-be-used-to-target-entire-enterprise-7000019097/]]></link>
			<title><![CDATA[Single Android flaw can be used to target entire enterprise]]></title>
			<description><![CDATA[Google's Android "weblogin" feature may be simple and quick to use, but researchers say it can be used to take down an entire system of applications. ]]></description>
			<pubDate><![CDATA[Wed, 07 Aug 2013 17:52:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-android/">Android</category>
			<category domain="http://www.zdnet.com/topic-security/">Security</category>
			<media:text type="html"><![CDATA[<figure class="alignRight"><img title="1credit cnet" alt="1credit cnet" src="http://cdn-static.zdnet.com/i/r/story/70/00/019097/1credit-cnet-v1-200x140.jpg?hash=ZQZ4ATIxZG&upscale=1" height="140" width="200"><figcaption>Credit: CNET</figcaption></figure>
<p>A security researcher exploring the weak links in Google's Android ecosystem says that a single feature can be used to compromise an organisation's entire Google Apps domain -- and bypass two-step verification entirely.</p>
<p>Speaking at the Def Con 21 hacking conference, Craig Young, senior security researcher at Tripwire, said he is able to "fully compromise Google Apps" using only one feature. The weak link? The "weblogin" token that lets Android users sign in once for all Google-based services, as <a href="http://www.darkreading.com/attacks-breaches/one-hacked-android-user-can-lead-to-an-e/240159556">reported by Dark Reading</a>.</p>
<p>Does Android trade security for convenience? Young believes so. Rather than prompting for a password, the feature lets an app on the device obtain a token that is exchanged for a signed-in browser session, and that session is accepted by the Google Apps domain control panel too. An attacker who obtains such a token from an administrator's device therefore gets the control panel without ever seeing a password or a second factor. Once in, a hacker could reset passwords, download files from Drive, disable two-step verification, modify user roles and create mailing lists -- potentially full of spam or malicious content.</p>
<p>An attacker can obtain the token physically, from a device that is already signed in, or through root exploits, chip-off forensics or, most commonly, malware. If a systems administrator with access to the domain control panel has a compromised mobile device and is unwittingly running malicious applications, it may be only a matter of time before the log-in system is used to steal data, download files or reset account passwords.</p>
<p>The researcher's findings should make businesses sit up and take note, especially considering <a href="http://www.zdnet.com/android-app-malware-rates-jump-40-percent-7000019093/">recent Trend Micro data</a> which says the rate of malicious applications being uploaded into the Google Play store has jumped by 40 percent in the past several months. Dodgy applications found in the Android ecosystem rose to 718,000 at the end of the second quarter, in comparison to 509,000 in the first quarter of this year.</p>
<p>In an interview with the publication, Young said:</p>
<blockquote>
<p>"The reason I [went] with this token research is I bought an Android tablet about a year ago and realized Chrome auto-signed me into Google's websites, which made me very unhappy. At that time, I hadn't realized Google Apps control panel was exposed this way, too: it was a real revelation. I had used Google Apps domain for a while now, and had always logged in using that admin account."</p>
</blockquote>
<p>Young says the best ways to protect yourself and your business against such threats are to treat on-device prompts that ask to grant an app a login token with suspicion, run antivirus software to seek out root exploits, and only buy or download applications from trusted sources.</p>
<p>"Companies using Google for the cloud need to make sure that their IT admins who need to have admin access to the Google Apps control panel do so but not necessarily from their phones. If they do, then they need to enter a password," Young says.</p>
<p>For more information, view Young's <a href="http://secur3.us/DC21Slides.pdf">presentation slides</a> (.pdf).</p>
<p><strong>Via: <a href="http://www.darkreading.com/attacks-breaches/one-hacked-android-user-can-lead-to-an-e/240159556">Dark Reading</a></strong></p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000019093</guid>
			<link><![CDATA[http://www.zdnet.com/android-app-malware-rates-jump-40-percent-7000019093/]]></link>
			<title><![CDATA[Android app malware rates jump 40 percent]]></title>
			<description><![CDATA[A new report released by Trend Micro says that mobile malware rates are skyrocketing.]]></description>
			<pubDate><![CDATA[Wed, 07 Aug 2013 17:00:06 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-android/">Android</category>
			<category domain="http://www.zdnet.com/topic-malware/">Malware</category>
			<category domain="http://www.zdnet.com/topic-mobility/">Mobility</category>
			<media:text type="html"><![CDATA[<figure class="alignRight"><img title="credit cnet" alt="credit cnet" src="http://cdn-static.zdnet.com/i/r/story/70/00/019093/credit-cnet-v1-200x113.jpg?hash=ZJEuZGxlMQ&upscale=1" height="113" width="200"></figure>
<p>Mobile malware in the Android ecosystem has grown by over 40 percent in the past few months, researchers say.</p>
<p>A new report <a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-2q-2013-trendlabs-security-roundup.pdf">issued by Trend Micro</a> (.pdf) says that the number of high-risk and malicious apps found in the Android ecosystem rose to 718,000 at the end of the second quarter, compared with 509,000 in the first quarter of this year.</p>
<p>That is a surge of more than 200,000 malicious Android apps in a single quarter; by comparison, the first 350,000 took around three years to accumulate once Google's Android operating system became established.</p>
<figure><img title="android malware ecosystem rise mobile threat security risk applications" alt="android malware ecosystem rise mobile threat security risk applications" src="http://cdn-static.zdnet.com/i/r/story/70/00/019093/screen-shot-2013-08-07-at-10-20-54-620x294.png?hash=MJLkZwqvBG&upscale=1" height="294" width="620"></figure>
<p>The majority of malware discovered was packaged as fake, spoof or trojan-laden versions of popular applications. Almost half -- 44 percent -- were designed to subscribe unwitting downloaders to expensive services, and 24 percent were created to steal data. Adware-laden applications came in third at 17 percent.</p>
<figure><img title="android malware ecosystem rise mobile threat security risk applications" alt="android malware ecosystem rise mobile threat security risk applications" src="http://cdn-static.zdnet.com/i/r/story/70/00/019093/screen-shot-2013-08-07-at-10-21-25-620x395.png?hash=BQuxMQOwZw&upscale=1" height="395" width="620"></figure>
<p>However, the researchers note that the discovery of the <a href="http://www.zdnet.com/security-firm-claims-99-percent-of-android-apps-open-to-takeover-7000017672/">"master key" vulnerability</a> in Android's security model was the most significant revelation this year. Last month, a team from Bluebox Security found a vulnerability that could allow attackers to turn 99 percent of apps into trojans -- which could then be used to steal data or connect to botnets without the user knowing.</p>
<p>Following the discovery, Duo Security and Northeastern University's System Security Lab (NEU SecLab) <a href="http://www.zdnet.com/third-party-app-released-to-fix-bluebox-security-android-hole-7000018208/">released an app</a>, ReKey, which they say fixes the security flaw for you.</p>
<figure><img title="Screen Shot 2013-08-07 at 10.21.38" alt="Screen Shot 2013-08-07 at 10.21.38" src="http://cdn-static.zdnet.com/i/r/story/70/00/019093/screen-shot-2013-08-07-at-10-21-38-v1-620x405.png?hash=Lmt0Z2LkLm&upscale=1" height="405" width="620"></figure>
<p>The United Arab Emirates was reported as the country with the highest rate of malicious app download volume at 13.79 percent. Myanmar and Vietnam came second and third. The United States and United Kingdom did not make the top ten list.</p>
<p>"The UAE recorded the highest malicious android app download volume, overtaking Myanmar, which placed first in the previous quarter," the report says. "Six new countries figured in this month's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations."</p>
<p>When analyzing the countries most vulnerable to privacy or data exposure, the report noted that "similar to last quarter, mobile users in Saudi Arabia downloaded the most number of high-risk apps. Vietnam placed second in light of the increasing mobile device use in the country."</p>
<p>According to Linda Barrabee, research director for Connected Intelligence at The NPD Group, only around 30 percent of all Android smartphones and tablets in the U.S. have any type of security app installed today. Coupled with the high rate at which apps are added to the ecosystem every day worldwide, a large number of Android devices are likely to be exposed to risks -- and this trend is likely to continue.</p>
<p>JD Sherry, vice president of technology and solutions at Trend Micro said:</p>
<blockquote>
<p>"Due to the fractured nature of the Android network, it is very difficult for patches to reach all users in an effective timeframe. In some cases, users will never get patches as vendors leave their customers at risk of attack. Until we have the same urgency to protect mobile devices as we have for protecting PCs, this very real threat will continue to grow rapidly.</p>
<p>At the rate this malware is accelerating -- almost exponentially -- we appear to be reaching a critical mass. To fight this, Android users need to take great care when using their devices and take the simple, but effective, step of adding security software to all mobile devices."</p>
</blockquote>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000019071</guid>
			<link><![CDATA[http://www.zdnet.com/cybersecurity-omb-obama-incentive-proposals-white-house-7000019071/]]></link>
			<title><![CDATA[Cybersecurity incentive proposals from White House underwhelm]]></title>
			<description><![CDATA[The security of critical infrastructure is clearly important, but don't expect much from the Federal Government's efforts to promote it. ]]></description>
			<pubDate><![CDATA[Wed, 07 Aug 2013 06:02:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Larry Seltzer]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
			<media:text type="html"><![CDATA[<p>The Federal Government's long-term plan to 'do something' about the security of critical national infrastructure reached another milestone today with <a href="http://www.zdnet.com/white-house-outlines-possible-incentives-for-cybersecurity-framework-7000019066/">the floating of some trial balloon proposals for voluntary industry incentives</a>.</p>
<p>Just in case my tone didn't come through there, while I think the issues involved here are important, I think and expect very little from the Federal Government's involvement. My principal reason for this is that I can't believe that the government can tell private companies how to secure their networks better than they can themselves. Market and liability incentives really ought to be enough, and if they aren't it's because management isn't being held sufficiently accountable.</p>
<figure class="alignRight"><img title="Seal_Of_The_Executive_Office_Of_The_President" alt="Seal_Of_The_Executive_Office_Of_The_President" src="http://cdn-static.zdnet.com/i/r/story/70/00/019071/sealoftheexecutiveofficeofthepresident-200x200.jpg?hash=BQOvAmNlL2&upscale=1" height="200" width="200"></figure>
<p>(An aside: I despise the term 'cybersecurity.' It's more a political than a technical term and doesn't really have a clear definition. But I think we're stuck with it.)</p>
<p>Some of the ideas in <a href="http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework">the proposals released today</a> by <a href="http://www.whitehouse.gov/blog/author/Michael%20Daniel">Michael Daniel, the Special Assistant to the President and Cybersecurity Coordinator</a>, are not bad, but others seem to me like they're just muddying the waters. Even the good ideas don't necessarily merit involvement of our Cybersecurity Czar.&nbsp;</p>
<p>The idea of cybersecurity insurance is obviously one which is being worked out already between insurance companies and their customers, and common sense for both sides should lead them to the conclusion that more secure companies should pay lower premiums. Why do we need the Federal Government to 'engage' with the insurance industry to do that which is plainly in their own interest? It's like when government pays farmers to do soil conservation.</p>
<p>Grants, process preference, public recognition: all of these are likely to be of marginal value to a company that qualifies as 'critical infrastructure.' Liability limitation could be a great incentive for industry, tied closely in with the insurance incentives, but I don't seriously expect it from this administration.</p>
<p>This effort to develop voluntary incentives came from Congress's failure to pass legislation in this area last year. The administration decided to move on with proposals they could exercise through executive action. And yet, some of the proposals sound like they would have to have legislative approval, limitation of liability being one of them. I wonder whether the same is true of the proposal for rate recovery for price-regulated industries, a proposal which would also involve state and local decisions. As for the proposal to streamline regulations, not only is it the most tired of policy bromides, but the administration has had a Regulatory Czar ("Administrator of the <a href="http://www.whitehouse.gov/omb/inforeg_default">Office of Information and Regulatory Affairs</a>") since 2009. Just a few months ago <a href="http://www.reuters.com/article/2013/04/26/us-usa-obama-regulations-idUSBRE93P02T20130426">Howard Shelanski was named to this position to replace Cass Sunstein</a>. Do we need a whole new bureaucracy to administer the streamlining of regulations?</p>
<p>Finally, it's worth asking whether private industry should take computer security advice from Michael Daniel. Like me, Daniel has a degree in public policy, but he has spent his career in the government, largely in the executive administration of intelligence services. He has been involved in federal cybersecurity efforts for several years, but that doesn't impress me.</p>
<p>The Bush administration was every bit as phony on these matters as the Obama administration, so the charade that the Federal Government is engaged in these problems is an old and established one by now. So far, the mission of the Cybersecurity Czar seems to be to issue a report every couple years calling for further study of the matter. At least they're only wasting our money like this rather than actively making things worse.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000019037</guid>
			<link><![CDATA[http://www.zdnet.com/windows-phones-open-to-hackers-when-connecting-to-rogue-wi-fi-7000019037/]]></link>
			<title><![CDATA[Windows Phones open to hackers when connecting to rogue Wi-Fi]]></title>
			<description><![CDATA[Microsoft has warned that a vulnerability in Windows Phone operating systems could allow hackers to access your passwords when connected to rogue Wi-Fi hotspots. ]]></description>
			<pubDate><![CDATA[Tue, 06 Aug 2013 17:22:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-malware/">Malware</category>
			<category domain="http://www.zdnet.com/topic-microsoft/">Microsoft</category>
			<category domain="http://www.zdnet.com/topic-mobility/">Mobility</category>
			<media:text type="html"><![CDATA[<figure><img title="nokia-610-620x464" alt="nokia-610-620x464" src="http://cdn-static.zdnet.com/i/r/story/70/00/019037/nokia-610-620x464-v1-620x464.jpg?hash=AmZmZJVkBQ&upscale=1" height="464" width="620"><figcaption>Credit: Nokia</figcaption></figure>
<p>A new Microsoft security advisory warns that smartphones running the Windows Phone operating system could have their users' domain credentials stolen when they connect to a rogue Wi-Fi hotspot.</p>
<p>A rogue access point, also known as a rogue AP, is a Wi-Fi access point operating without authorization and outside the control of a systems administrator. In this case it is an attacker-controlled access point that advertises the same network name as one the phone already trusts, so the phone tries to join it automatically.</p>
<p>The bulletin, <a href="http://technet.microsoft.com/en-us/security/advisory/2876146">advisory 2876146</a>, says that hackers could exploit a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2). The protocol is used in Windows Phones for WPA2 wireless authentication, that is, on WPA2-Enterprise (802.1X) networks, where the MS-CHAPv2 handshake runs inside a TLS tunnel that PEAP sets up to the authentication server.</p>
<p>The tech giant says that an attacker can exploit the weakness when the mobile device attempts to automatically authenticate with a hotspot posing as a known Wi-Fi network. Because the attempt is made automatically, without user interaction, a hacker can capture the victim's MS-CHAPv2 challenge-response exchange and recover the domain credentials from it offline.</p>
<p>"To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point," the advisory warns. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."</p>
<p>Microsoft has not received any reports of this vulnerability being used to steal corporate data, passwords or breach a network to date. There is no security patch for this; instead, Microsoft suggests configuring the phone to verify the authentication server's certificate before the PEAP-MS-CHAPv2 exchange begins, so that the inner MS-CHAPv2 handshake only ever runs inside a TLS tunnel to the genuine server rather than to an impostor.</p>
<p>The bulletin <a href="http://technet.microsoft.com/en-us/security/advisory/2876146">contains instructions</a> for configuring Windows Phone 7.8 and 8 to require that check. Microsoft lists no other versions as affected.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018974</guid>
			<link><![CDATA[http://www.zdnet.com/u-s-cloud-industry-stands-to-lose-35-billion-amid-prism-fallout-7000018974/]]></link>
			<title><![CDATA[U.S. cloud industry stands to lose $35 billion amid PRISM fallout]]></title>
			<description><![CDATA[Revelations of the U.S. government's spying programs could have a massive impact on the U.S. cloud industry, which stands to lose vast sums over the next three years as a result — compounded by other countries bankrolling efforts to combat U.S. market leadership.]]></description>
			<pubDate><![CDATA[Tue, 06 Aug 2013 16:16:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-cloud/">Cloud</category>
			<media:text type="html"><![CDATA[<figure><img title="close_up_server_room_data_center" alt="close_up_server_room_data_center" src="http://cdn-static.zdnet.com/i/r/story/70/00/018974/closeupserverroomdatacenter-620x323.jpg?hash=BGV2LmDjMG&upscale=1" height="323" width="620"><figcaption>The U.S. cloud computing could take a hammering in confidence over the next few years as a result of the NSA's surveillance programs, while fostering strong international growth. (Image via CNET)</figcaption></figure>
<p>The U.S.' dominance in the cloud space may soon be challenged by rival countries, particularly those in the European Union, as the global surveillance scandal threatens to wipe up to $35 billion off the U.S. cloud slate.</p>
<p>A <a href="http://www.itif.org/publications/how-much-will-prism-cost-us-cloud-computing-industry">new report</a> by non-profit group the&nbsp;Information Technology and Innovation Foundation claims that Europeans are attempting to nudge away from their American counterparts in a bid to&nbsp;distance themselves from U.S. electronic surveillance and eavesdropping.&nbsp;</p>
<p>The risk posed by the Patriot Act was known three years ago, and confidence was already&nbsp;<a href="http://www.zdnet.com/blog/btl/european-companies-need-confidence-over-patriot-act-concerns/56878">shaky in some sectors of the IT industry</a>; now that news of the U.S. National Security Agency's PRISM program, among others, has come to light, cloud providers outside the U.S. are stoking the fires once more. By 2016 the global public cloud market is expected to be worth $207 billion, with spending doubling over the four years from 2012.</p>
<p>It comes just weeks after EU Digital Agenda Commissioner Neelie Kroes warned that European customers could turn away from U.S. companies embroiled in the PRISM scandal, which automated the process of sharing user data with intelligence agencies.</p>
<p>"The United States has both the most to gain and the most to lose,"&nbsp;writes report author Daniel Castro, citing job growth and revenue dependent on the U.S. exporting cloud computing services.</p>
<p>The "low end" scenario assumes the U.S. loses about 10 percent of its foreign market to European or Asian competitors, or $21.5 billion over the next three years.&nbsp;</p>
<p>However, the "high end" of $35 billion assumes a 20 percent loss to foreign markets by 2016.</p>
<p>The report notes that at this early stage it is impossible to gauge exactly how much the U.S. cloud computing market has suffered as a result of the NSA's surveillance programs. But in surveys conducted by the Cloud Security Alliance during June and July, the two months in which most of the news about the scandal broke, 56 percent of non-U.S. organizations said they would not use a U.S. provider in future. (ZDNet's Liam Tung has more on these figures.)&nbsp;</p>
<p>In concluding remarks, Castro said the U.S. government should "proactively set the record straight," and declassify information where possible and necessary.</p>
<p>"The economic consequences of national security&nbsp;decisions should be part of the debate, and this cannot happen until more details about&nbsp;PRISM have been revealed," the report says.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000019015</guid>
			<link><![CDATA[http://www.zdnet.com/bgp-spoofing-routing-router-phishing-why-nothing-on-the-internet-is-actually-secure-7000019015/]]></link>
			<title><![CDATA[BGP spoofing - why nothing on the internet is actually secure]]></title>
			<description><![CDATA[A skilled attacker with access to the right router can co-opt routes to a destination IP address. When this happens, nothing on the internet is trustworthy. And there's no way to stop it. ]]></description>
			<pubDate><![CDATA[Tue, 06 Aug 2013 11:00:00 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Larry Seltzer]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-cisco/">Cisco</category>
			<category domain="http://www.zdnet.com/topic-networking/">Networking</category>
			<media:text type="html"><![CDATA[<p>The scariest hack of them all on the internet has been around for a long time, but it doesn't get a lot of attention in the broader tech press. It's BGP spoofing and it compromises the most basic functions of the internet: the routing of data from one system to another.</p>
<p>Effective use of BGP spoofing is not within the reach of script kiddies, but there's a lot of it going on. How much? Nobody knows and nobody can know. It's possible to detect that an attack is going on, but it's impossible to prevent it and it may be difficult to stop an attack in progress.</p>
<p>I spoke with Dave Rand, Technical Fellow at <a title="Trend Micro" href="http://www.trendmicro.com/">Trend Micro</a>. Back in the mid-90s Rand worked at an ISP and first encountered BGP spoofing used to facilitate spamming. The routing in the mail headers of the spam looked particularly genuine because all the addresses were correct. At the bottom of it was a compromised router at an ISP. I've spoken to Dave many times over the years about BGP spoofing. He's always considered it a very serious problem that is fundamentally insolvable and I'd like to thank him for all the information below.</p>
<figure class="alignRight"><img title="networking" alt="networking" src="http://cdn-static.zdnet.com/i/r/story/70/00/019015/networking-200x150.jpg?hash=AGqwAwIyAm&upscale=1" height="150" width="200"><figcaption>In the hands of a talented attacker, BGP spoofing can perform startling attacks and can't be stopped</figcaption></figure>
<p>How is all this possible? It starts with the very basics of how the internet works.</p>
<p>The internet is a network of networks. Routers move data between networks according to prefixes (blocks of IP addresses) stored in their routing tables, and they use BGP to advertise to each other which prefixes they can reach.</p>
<p>But, and this is very important, there is no authority a router can consult to confirm that a particular prefix belongs to a particular network. Organizations such as <a href="http://www.ripe.net/">RIPE</a> in Europe and <a href="http://www.arin.net/">ARIN</a> for the US and Canada allocate address space (their free pools of IPv4 addresses are exhausted or nearly so, leaving mostly IPv6 to hand out), but there is nowhere a router can check an allocation authoritatively at the moment it receives an advertisement. Because of this, the updating of routing tables is done entirely on trust.</p>
<p>Consider this simplistic example: ISP1 has the address space 1.0.0.0/8 and ISP2 has 2.0.0.0/8. They each advertise their space to the other. Now ISP3 advertises 3.0.0.0/8 to ISP1 and asks ISP1 to advertise its addresses, which it does. ISP1 becomes a transit provider for ISP3, a service for which ISP3 pays ISP1. But ISP1 has no real way to confirm that ISP3's advertisements are accurate.</p>
<p>Here's another important point: routers forward on the most specific matching prefix. If ISP3 were to advertise a small subset of ISP2's addresses, say a /24 carved out of 2.0.0.0/8, ISP1 would send traffic for those addresses to ISP3, because a longest-prefix match on the /24 beats the /8 no matter how long the /24's AS path is. Path length only decides between competing routes for the same prefix, where the shorter AS path is preferred.</p>
<p>It's important to note that in order to execute this attack you need control of an ISP router. You might think that this would be hard to do, and it's harder than it used to be, but it's not impossible. It's still possible to find routers with default admin passwords or passwords on a common dictionary list.&nbsp; And once you do and take control, there's nothing to stop you from advertising Bank of America addresses on your network.</p>
<p>I suspect that the large majority of erroneous advertisements are, well, erroneous. They're not malicious, they're just screwups. There was a recent incident where <a href="https://isc.sans.edu/forums/diary/BGP+multiple+banking+addresses+hijacked/16249">some bad routes in NedZone Internet BV's network included Amazon.com and a bunch of big banks</a>. It looks way too brazen to be an attack.</p>
<p>If you really wanted to be effective and surreptitious with such an attack you'd keep a lower profile. You'd attack the router of a small or mid-size ISP and advertise the hijacked prefix only for a short time, but during that window you'd run other attacks, such as cross-site scripting and targeted spam, against that ISP's users. When they try to reach their bank or retailer they go to your servers instead; you can impersonate those servers and harvest the cookies, and how elaborate you get is up to you, but all you really need is for users to log in. Owning the addresses does not by itself give you a valid certificate for the bank's hostname, so a careful user would see a warning; an attacker who also obtains a certificate for that name (a CA's domain-validation check travels over the same hijacked route), or who simply relies on users clicking through the warning, still gets the little lock icon. Once you have validated logins for those accounts you can sell them for a lot.</p>
<p>Not every hijack is for profit; some are censorship or plain network vandalism. In February 2008, during a dispute between YouTube and the government of Pakistan about certain content, Pakistan Telecom announced a more specific /24 inside YouTube's address block, intended to black-hole the site within Pakistan. The route leaked to its upstream provider and from there across much of the internet, stealing YouTube's traffic and at the same time flooding Pakistan Telecom with it. RIPE, the regional internet registry for Europe, has <a href="http://www.youtube.com/watch?v=IzLPKuAOe50">a fascinating YouTube video of how it happened</a>.</p>
<p>After an attack like this there may be no footprints left. Individual ISPs rarely log the advertisements they accept, so the victim's own evidence is thin. There are projects that do record and analyze the global routing table, such as the fascinating <a href="http://www.cidr-report.org/as2.0/">CIDR Report</a> and the route collectors run by RouteViews and RIPE RIS, and they look for routes that don't make sense. But these only catch changes that propagate out to the global routing table. A transient advertisement which only goes to an ISP's peer and not to a transit provider won't reach the global table. And even if it does, by the time anyone can see what's going on it will be too late.</p>
<p>It's impossible to block BGP spoofing attacks in a consistent, automated fashion, but it is possible to apply some common sense and experience, what you might call heuristics, to determine that a route isn't kosher. If a small ISP in Brazil starts advertising routes to PayPal then an experienced network engineer might think twice about propagating it. But these things don't usually get vetted by a human being; there's too much going on. All ISPs advertise their routes to the other networks to which they connect, and these companies (there are 30 or 40 thousand of them now) have relationships and contracts, so they trust each other. And if they wanted to check the addresses they couldn't; there's no authoritative place to check that a router can consult at scale. (RPKI, the registry-signed route origin attestation standardized in RFC 6480 in 2012, is meant to become that place, but it covers only a small fraction of routes so far and few networks drop a route on its say-so.)</p>
<p>You might complain that best administration practices, such as good route filtering, would prevent these attacks, and there's something to that. You can certainly prevent a lot of them with best practices, above all by only accepting from a customer the prefixes that customer is known to hold. There are other practices that make a successful hijack harder to exploit, such as end-to-end encryption and authentication of the traffic itself, so that a connection delivered to the wrong network fails rather than quietly succeeding, but there's no technique that will block these attacks in all cases.</p>
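<p>To make the prefix-length point concrete, here is a toy model in Python. It is an added example written for this page, not code from the article or from Trend Micro, and it replays the article's own ISP1/ISP2/ISP3 example: ISP1 learns 2.0.0.0/8 from its peer ISP2 and 3.0.0.0/8 from its customer ISP3, then a compromised router at ISP3 announces 2.0.1.0/24, a /24 carved out of ISP2's block (the YouTube incident above was the same pattern, a /24 inside YouTube's /22). The prefixes and AS numbers are the article's illustrative ones, not real allocations, and the hijack's AS path is padded on purpose to show that a longer path does not save you. The second run applies the route-filtering best practice from the paragraph above: an inbound prefix-list on the customer session that accepts only the customer's own 3.0.0.0/8.</p>

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    as_path: Tuple[int, ...]  # as received; the last element is the origin AS


class BgpRouter:
    """Toy BGP speaker: one best route per prefix, forwarding by longest-prefix match.

    Real best-path selection has many steps; here it is collapsed to "shorter AS path
    wins", which is enough to show that path length never overrides prefix length.
    """

    def __init__(self, asn: int, inbound_filters: Optional[Dict[int, List[IPv4Net]]] = None):
        self.asn = asn
        self.rib: Dict[IPv4Net, Route] = {}
        # Per-neighbour prefix-list: the only prefixes that neighbour may announce to us.
        # A neighbour with no entry is unfiltered, the trust-everything default the article describes.
        self.inbound_filters = inbound_filters or {}

    def receive(self, neighbour_asn: int, route: Route) -> bool:
        """Process an announcement from a neighbour. Returns False if the prefix-list dropped it."""
        allowed = self.inbound_filters.get(neighbour_asn)
        if allowed is not None and not any(route.prefix.subnet_of(p) for p in allowed):
            return False
        current = self.rib.get(route.prefix)
        if current is None or len(route.as_path) < len(current.as_path):
            self.rib[route.prefix] = route
        return True

    def lookup(self, address: str) -> Optional[Route]:
        """Forwarding decision for one destination: the most specific covering prefix wins."""
        addr = ipaddress.IPv4Address(address)
        covering = [r for r in self.rib.values() if addr in r.prefix]
        if not covering:
            return None
        return max(covering, key=lambda r: r.prefix.prefixlen)


def hijack_scenario(filter_customer: bool) -> Tuple[bool, int, int]:
    """Replay the article's example from ISP1's point of view.

    Returns (hijack accepted?, origin AS used for 2.0.1.5, origin AS used for 2.0.0.5).
    All prefixes and AS numbers are the article's illustrative values, not real allocations.
    """
    ISP1, ISP2, ISP3 = 1, 2, 3
    # Best practice: a transit provider accepts from a customer only the prefixes
    # that customer is known to hold (here, ISP3's 3.0.0.0/8).
    filters = {ISP3: [ipaddress.ip_network("3.0.0.0/8")]} if filter_customer else {}
    isp1 = BgpRouter(ISP1, filters)

    # Legitimate announcements: ISP2 is a peer, ISP3 is a transit customer.
    isp1.receive(ISP2, Route(ipaddress.ip_network("2.0.0.0/8"), (ISP2,)))
    isp1.receive(ISP3, Route(ipaddress.ip_network("3.0.0.0/8"), (ISP3,)))

    # Hijack: a compromised router at ISP3 announces a /24 carved out of ISP2's block.
    # The AS path is prepended three times so it is the *longest* path in the table;
    # it still wins for 2.0.1.0/24 because prefix length is matched before path length.
    hijack = Route(ipaddress.ip_network("2.0.1.0/24"), (ISP3, ISP3, ISP3))
    accepted = isp1.receive(ISP3, hijack)

    inside = isp1.lookup("2.0.1.5")   # address inside the hijacked /24
    outside = isp1.lookup("2.0.0.5")  # address in the rest of ISP2's /8
    return accepted, inside.as_path[-1], outside.as_path[-1]


if __name__ == "__main__":
    for filtered in (False, True):
        accepted, inside, outside = hijack_scenario(filtered)
        print(f"prefix-list on customer session: {filtered!s:5}  "
              f"hijack accepted: {accepted!s:5}  2.0.1.5 -> AS{inside}  2.0.0.5 -> AS{outside}")
```

<p>Running it prints one line per scenario. Without the filter, 2.0.1.5 is forwarded toward AS3 while 2.0.0.5 still goes to AS2, which is exactly the partial, hard-to-notice hijack the article describes; with the prefix-list, the /24 never enters ISP1's table. The model collapses BGP best-path selection to AS-path length and ignores local preference, MED and route reflection, none of which change the longest-prefix-match outcome.</p>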
<p>If you find out that an ISP has bogus routes to your network what can you do? All you can do is call them and ask them (nicely or otherwise) to withdraw the route, but you can't make them. If they don't respond adequately you can complain to their upstream providers and ask them to block the route, but once again there is no official mechanism for doing this because there is no authority in charge of it, and you probably don't even have a relationship with the ISP to which you're complaining.</p>
<p>Of all the attacks happening under the radar on the internet, the most dangerous ones are likely based on BGP spoofing. It's the best reason to assume that a lot more network compromising, by criminal and government actors, is happening than is officially acknowledged, and even the officials don't really know how much is happening.&nbsp; What can be done? If Dave Rand doesn't know then I sure don't.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018946</guid>
			<link><![CDATA[http://www.zdnet.com/nsa-spying-trust-the-pki-or-its-anarchy-on-the-internet-7000018946/]]></link>
			<title><![CDATA[Trust the PKI or it's anarchy on the Internet]]></title>
			<description><![CDATA[When Microsoft automatically updates your Windows trusted root certificates, are they inserting secret backdoors for the NSA to spy on you? No, but even if they were, you'd still have to trust them.]]></description>
			<pubDate><![CDATA[Mon, 05 Aug 2013 21:04:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Larry Seltzer]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-browser/">Browser</category>
			<media:text type="html"><![CDATA[<p>The PKI (Public Key Infrastructure) is an imperfect system, requiring trust in organizations that not everyone trusts. Even so, nearly everyone on the Internet is dependent for their security, to some degree, on the system of digital certificates and the software which employs them.&nbsp;</p>
<p>The system fails now and then and, when it does, it rightly attracts a lot of attention. It works 99.(<em>some very large number</em>) percent of the time, but the only way it works is if we submit to it. We have to put our trust in the certificates issued by Symantec and Comodo and their ilk. And it's not just them, it's also Apple and Microsoft and many large telecom companies and, in many countries, the government. (Of course, we now know that, even in the US, if you trust Microsoft and Apple you implicitly trust the US government.)&nbsp;</p>
<p>There's really no choice. Even for those who know what's going on with their SSL and certificates, it's impractical to try to trust the system just a little or to pick and choose. The vast bulk of the Internet population wouldn't even know what to do.&nbsp;</p>
<p>So it's unhelpful to complain, as German magazine C'T does, that <a href="http://www.heise.de/ct/artikel/Microsofts-Hintertuer-1921730.html">Microsoft's automatic updating of root certificates lacks transparency</a>. (That article is in German; I can't find an official English translation and I'm mostly relying on the account of Johannes Ullrich, who <a href="https://isc.sans.edu/podcastdetail.html?id=3451">discussed the article in his daily ISC StormCast on July 31</a>.)</p>
<figure class="alignRight"><img title="Win7-certificates-dialog" alt="Win7-certificates-dialog" src="http://cdn-static.zdnet.com/i/r/story/70/00/018946/win7-certificates-dialog-200x184.png?hash=MTMyL2L4AG&upscale=1" height="184" width="200"><figcaption>Windows includes many trusted root certificates, possibly some from the US government.</figcaption></figure>
<p>Trusted root certificates are certificates the system trusts inherently. A site's certificate cannot be trusted on its own, so it refers up a chain of issuers which the client verifies until it reaches a root it already holds. The issuers of those roots, generally Certificate Authorities, are the ones you have to trust. The screen grab at right shows the Windows 7 trusted root certificate list.&nbsp;</p>
<p>C'T's complaint is that Microsoft automatically issues updates to their root certificate list without user interaction or any clear indication that it has made any changes.&nbsp;</p>
<p>The implication, and based on Google Translate I think C'T says this out loud, is that Microsoft could issue a root certificate at the behest of the NSA or some other shadowy agency to assist them in compromising your computer and accounts.</p>
<p>Yes, of course they could do this. We're talking about Microsoft, the people who write the operating system. They could put code to compromise your computer right into the operating system. But the government doesn't need to use Microsoft to issue malicious root certificates; as the screen grab above shows, the US government has its own certificates in the list. (Of course, if you don't trust Microsoft, why should you trust that the list itself is accurate?)&nbsp;</p>
<p>Automatic updating of root certificates is essential to the proper functioning of the PKI. At times the list changes: root certificates are issued and revoked, or they may even expire. In the case of a root certificate revocation it's essential that the update go out quickly in order to protect users. In that same Certificates manager in the screen grab you can find the "Untrusted Publishers" tab; several of those certificates are root certificates.</p>
<p>Too many users ignore updates to let this go unaddressed. Incidentally, it's not just Internet Explorer; Google Chrome, Apple Safari and a lot of other software - basically any software which uses the Windows CryptoAPI - relies on the Windows Certificate Store, which is the database displayed in the Certificates list in the image above.</p>
<p>Mozilla software, including Firefox, is the exception. They have their own crypto code and their own certificate store, and they update it too, although they do so through documented updates <a href="http://www.mozilla.org/security/announce/2011/mfsa2011-11.html">such as this one</a>. Microsoft doesn't announce their root certificate updates (that I've found), but <a href="http://search.microsoft.com/en-us/DownloadResults.aspx?q=root%20certificate%20update">they do provide the updates separately in the Download Center</a> so you could look them up there. And there's nothing new about this practice by Microsoft. C'T links to <a href="http://technet.microsoft.com/en-us/library/cc787832(v=WS.10).aspx">a Technet article on how Windows Server 2003 performs this function</a>.</p>
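<p>One practical answer to the transparency complaint is to keep your own baseline of the store and diff it on a schedule. The Python script below is an added example for this page, not a Microsoft or C'T tool: it fingerprints every certificate in the Windows ROOT store through the standard library's ssl.enum_certificates (available on Windows only), saves the set to a JSON file whose name, root-baseline.json, is an assumption, and on later runs reports roots that appeared or disappeared. The diff logic is separated from the store access so it can be exercised with constructed data on any platform.</p>

```python
import hashlib
import json
import os
import ssl
from typing import Dict, Iterable, List, Tuple

STORE_NAME = "ROOT"                   # the "Trusted Root Certification Authorities" store
BASELINE_PATH = "root-baseline.json"  # assumed location of the saved snapshot


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def snapshot_from_ders(ders: Iterable[bytes]) -> Dict[str, int]:
    """Build {fingerprint: DER length} from certificate blobs; the length is only a sanity value."""
    return {fingerprint(d): len(d) for d in ders}


def windows_root_store() -> Dict[str, int]:
    """Enumerate the Windows ROOT store (Windows only; raises elsewhere)."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    # enum_certificates yields (cert_bytes, encoding_type, trust); keep plain X.509 entries.
    ders = [der for der, encoding, _trust in ssl.enum_certificates(STORE_NAME)
            if encoding == "x509_asn"]
    return snapshot_from_ders(ders)


def diff_roots(baseline: Dict[str, int], current: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) fingerprints between two snapshots, sorted for stable output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return added, removed


def audit(path: str = BASELINE_PATH) -> Tuple[List[str], List[str]]:
    """Compare the live store with the saved baseline, then overwrite the baseline."""
    current = windows_root_store()
    if not os.path.exists(path):
        with open(path, "w") as f:
            json.dump(current, f, indent=1)
        return [], []  # first run only records the baseline
    with open(path) as f:
        baseline = json.load(f)
    added, removed = diff_roots(baseline, current)
    with open(path, "w") as f:
        json.dump(current, f, indent=1)
    return added, removed


if __name__ == "__main__":
    added, removed = audit()
    for fp in added:
        print(f"ADDED   root {fp}")
    for fp in removed:
        print(f"REMOVED root {fp}")
    if not added and not removed:
        print("root store unchanged since last run")
```

<p>It tells you that the store changed, not who changed it: an automatic root update, a Group Policy push and a malicious install all look the same here, so treat every ADDED line as something to look up against the Download Center packages mentioned above. STORE_NAME can be pointed at other Windows stores if you want to watch them; "Disallowed" holds the explicitly distrusted certificates shown in the Untrusted tab.</p>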
<p>Microsoft provides ways for you to <a href="http://technet.microsoft.com/en-us/library/cc734054(WS.10).aspx">turn off the updates using registry hacks or group policy</a>, but it would be a bad idea to do so. If you do, you can expect errors in the browser (IE, Safari, Chrome) and elsewhere indicating certificates being signed by untrusted authorities.</p>
<p>Ullrich says that automatic updating is "kind of a good thing," but I wouldn't qualify it the way he does. It's an obviously good thing, and the counterarguments are petty. Ullrich points out that the only real alternative, unless you reject the PKI entirely, is to create your own list of trusted root certificates and install it manually. Almost nobody does this; it's completely impractical.</p>
<p>What are the checks and balances on the software companies and CAs? One is the market; if a CA gets a bad rep they may lose customers to their numerous competitors. The CAs know that their business depends on their reputation. In theory the market also applies to the software companies in this way, but it's hard to see certificate management being a major factor in customers shifting between operating systems or even browsers. The companies, like Microsoft and Mozilla, that manage certificate stores, also have policies for inclusion of root certificates that could result in a certificate being removed for insecure practices of the organization.</p>
<p>But the main check is the research community. These are the hackers, like <a title="Thoughtcrime.org" href="http://thoughtcrime.org/">Moxie Marlinspike</a>, who focus on the weaknesses in the CA system and put pressure on them to work as best they can, even if, as Moxie would argue, the system itself is fundamentally flawed. Like I said, CAs need to have a good reputation, and hacker exposés are bad for business.</p>
<p>There are experiments going on for how to replace the CAs as part of the PKI, but they are clearly not ready for prime time, and it's not at all clear that they will scale to Internet levels of demand. The best-known is <a href="http://tack.io/">TACK (Trust Assertions for Certificate Keys)</a> by Marlinspike and others, but the standards draft they wrote has a lot of dust on it and I see no evidence the IETF is interested.</p>
<p>No, your choices are to trust all those big, bad corporations or anarchy. I don't think that's hyperbole; an Internet without a CA system today would be anarchy. Nobody could perform any sensitive operations like banking and you'd be nuts even to do email on it. So just accept that you have to trust Microsoft and Symantec and, for what it's worth, the NSA.&nbsp;</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018912</guid>
			<link><![CDATA[http://www.zdnet.com/carriers-rush-to-fix-sim-card-vulnerability-by-hacking-into-them-7000018912/]]></link>
			<title><![CDATA[Carriers rush to fix SIM card vulnerability — by hacking into them]]></title>
			<description><![CDATA[How do you fix a major security flaw that could lead to attackers hacking into hundreds of millions of SIM cards? By getting the carriers to hack into them first.]]></description>
			<pubDate><![CDATA[Fri, 02 Aug 2013 20:13:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<media:text type="html"><![CDATA[<figure><img title="starhub_eztravel_sim_500" alt="starhub_eztravel_sim_500" src="http://cdn-static.zdnet.com/i/r/story/70/00/018912/starhubeztravelsim500-v1-620x371.jpg?hash=Z2SxLJSvAz&upscale=1" height="371" width="620"><figcaption>(Image: CNET Asia)</figcaption></figure>
<p>A bug that could have allowed hackers to exploit a vulnerability in millions of SIM cards, commonly used in mobile phones and other cellular equipment, has been fixed, according to the security researcher who first discovered the flaw.</p>
<p>Germany-based Karsten Nohl of&nbsp;Security Research Labs discovered the flaw after three years of investigative research into SIM card technologies, which are most often used to authenticate and connect GSM phones to cellular networks.</p>
<p>He discovered that the cards' over-the-air (OTA) update mechanism, which accepts management commands sent as <a href="http://www.zdnet.com/des-encryption-leaves-sim-cards-vulnerable-to-exploitation-7000018352/">cryptographically signed text messages</a>, could be subverted on cards still protected with single DES, allowing an attacker to push a malicious Java applet onto the card. SIM cards can contain phone numbers, contact information, and other personally identifiable information about the phone's owner.</p>
<p>SIM cards are considered one of the safest technologies around, with almost no publicly known exploits.</p>
<p>Given the scale of the problem, carriers faced either replacing hundreds of millions of SIM cards, at a cost in the high tens of millions of dollars if not more, or somehow fixing the flaw on cards already in customers' phones.&nbsp;</p>
<p>He was scheduled to present his findings at the Black Hat security conference on Tuesday (ZDNet's Violet Blue is on the scene and <a href="http://www.zdnet.com/black-hat-usa-2013-day-one-in-pictures-7000018761/">has more on the event</a>), but instead he disclosed that&nbsp;carriers and cellular networks had in fact promptly fixed&nbsp;the bug.</p>
<p><a href="http://edition.cnn.com/2013/08/01/tech/mobile/sim-card-hack/">According to CNN</a>, Nohl confirmed that the carriers hacked into their own SIM cards using the same vulnerability to fix the flaw inside-out.&nbsp;</p>
<p>"They're adopting hacking methods to make it more secure," he told attendees at the conference, the news site reported.</p>
<p>Attackers could have run up charges, redirected calls and charges to premium-rate numbers, tracked devices, and potentially accessed credit card information if it was stored on the device.</p>
<p>Though it's not the first time a white-hat solution has been employed, it's becoming increasingly common to employ "good" hackers, with prior authorization, to access secure systems in order to find weaknesses and help patch security flaws. Fixing deployed cards through the same OTA channel the attack abuses is certainly a novel solution to a vast and complicated problem.</p>
<p>Exactly how the "hack" was carried out remains unclear. Nohl reportedly declined to name the carriers.&nbsp;</p>
<p><em>(<a href="http://edition.cnn.com/2013/08/01/tech/mobile/sim-card-hack/">via CNN</a>)</em></p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018907</guid>
			<link><![CDATA[http://www.zdnet.com/researchers-reveal-details-of-active-comfoo-cyberespionage-campaign-7000018907/]]></link>
			<title><![CDATA[Researchers reveal details of active 'Comfoo' cyberespionage campaign]]></title>
			<description><![CDATA[The trojan used in the RSA breach of 2010 is still active and targeting corporate and  government targets worldwide; over 200 variants of 'Comfoo' recently discovered by researchers. ]]></description>
			<pubDate><![CDATA[Fri, 02 Aug 2013 18:25:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-malware/">Malware</category>
			<media:text type="html"><![CDATA[<p>A cyberespionage campaign which targeted the RSA in 2010 is still active and targeting networks worldwide.</p>
<p>Dell SecureWorks researchers Joe Stewart and Don Jackson have released a new <a href="http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/">threat intelligence report</a> documenting the "Comfoo" remote access trojan (RAT) -- malware used to infiltrate corporate and governmental networks across the globe.</p>
<p>The so-called Advanced Persistent Threat (APT) attack is simply one of many that organizations are scrambling to defend against as cyberthreats become more sophisticated, and in some cases, state-sponsored.</p>
<p>Corporations and governments rely heavily upon digital networks to store valuable data. Bank accounts, national security data, trade secrets and confidential governmental programs are only some targets which can be lucrative for a hacker to acquire -- whether for personal gain or on a competitor's orders. As a result, the cybercrime market is booming -- and we often see reports of household name businesses and agencies gaining cybercriminal attention.</p>
<p>APT attacks stand apart from garden variety script-kiddies or low-profile fraudulent schemes. Those behind APT attacks are often well-trained and have access to resources and funding. As data from corporations and governments can be so valuable, with the time and money to spend, hackers are able to "exercise virtually unlimited patience in penetrating and persisting inside their specific target's network until they accomplish their goals," according to the researchers.</p>
<p>A trademark of APT attacks is the use of malware. Once backdoor access has been granted through the use of malicious code, hackers can patiently and persistently lurk in a network until the targeted information can be stolen.</p>
<p>The Comfoo trojan campaign is a prime example of an advanced persistent threat. Comfoo has been in operation since at least 2006, and first came to light as part of <a href="http://www.zdnet.com/rsa-breach-report-lacks-depth-kaminsky-1339311583/">the RSA data breach</a> in 2010. According to the report, the trojan has been used in at least 64 targeted attacks worldwide, and there are hundreds of variants of the RAT.</p>
<p>To lurk within a corporate system, the Comfoo RAT often replaces the DLL path of an "existing unused service rather than installing a new service," -- which is less likely to be noticed by system administrators. A rootkit is also sometimes used to hide Comfoo disk files. Network traffic generated by the RAT is encrypted in order to securely send data back to the malware's command and control centers.</p>
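<p>The service-DLL swap described in the previous paragraph leaves a checkable trace: the ServiceDll value under a service's Parameters key no longer matches what it used to be, and frequently points outside %SystemRoot%\System32. The Python below is an added detection example for this page, not from the SecureWorks report, and it uses no real Comfoo indicator; the service names in the sample are real Windows services, but the paths and the UpdSvcHelper entry are constructed for the example. On Windows it can read the live values from the registry; elsewhere it runs against the constructed snapshot.</p>

```python
import ntpath
import re
import sys
from typing import Dict, List, Tuple

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample data (not real captures): a known-good snapshot and a later one
# in which WebClient's DLL was repointed and an extra service appeared.
BASELINE: Dict[str, str] = {
    "LanmanWorkstation": r"%SystemRoot%\System32\wkssvc.dll",
    "WebClient": r"%SystemRoot%\System32\webclnt.dll",
    "BITS": r"%SystemRoot%\System32\qmgr.dll",
}
CURRENT: Dict[str, str] = {
    "LanmanWorkstation": r"%SystemRoot%\System32\wkssvc.dll",
    "WebClient": r"C:\ProgramData\svcupd\webclnt.dll",      # constructed: repointed DLL
    "BITS": r"C:\Windows\System32\qmgr.dll",                 # same file, expanded path
    "UpdSvcHelper": r"C:\Windows\Temp\updhelper.dll",        # constructed: new service
}


def normalise(path: str) -> str:
    """Expand %SystemRoot% and normalise a Windows path for comparison (works on any host OS)."""
    path = re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(path))


def hijacked_services(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare ServiceDll values against a known-good snapshot.

    Returns (service, reason, dll) for every service whose DLL path changed since the
    baseline, or that is new or unchanged but lives outside the Windows system directories.
    """
    findings = []
    for name, dll in sorted(current.items()):
        cur = normalise(dll)
        if name in baseline and normalise(baseline[name]) != cur:
            findings.append((name, "ServiceDll changed since baseline", dll))
        elif not any(cur.startswith(d + "\\") for d in SYSTEM_DIRS):
            findings.append((name, "ServiceDll outside system directories", dll))
    return findings


def collect_service_dlls() -> Dict[str, str]:
    """Read ServiceDll for every service from the registry (Windows only)."""
    import winreg  # only importable on Windows
    result: Dict[str, str] = {}
    services_key = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, services_key) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    result[name], _ = winreg.QueryValueEx(params, "ServiceDll")
            except OSError:
                continue  # service has no Parameters\ServiceDll (not svchost-hosted)
    return result


if __name__ == "__main__":
    live = collect_service_dlls() if sys.platform == "win32" else CURRENT
    for service, reason, dll in hijacked_services(BASELINE, live):
        print(f"{service}: {reason}: {dll}")
```

<p>A baseline taken from a known-clean image of the same Windows build is the important input; without it the script only catches DLLs outside the system directories, and a RAT that drops its DLL into System32 under a plausible name slips past the second check. Pair the registry diff with a check of the file's signature and timestamp, which this example does not do.</p>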
<p>The researchers could not see the data that was lifted, but they were able to map out the network and observe Comfoo logging keystrokes, accessing and downloading files, executing commands and opening command shells. Infected hosts are driven through relay servers that front the C&amp;C infrastructure; because the protocol relies on a static encryption key hard-coded into the Comfoo binary, the researchers were able to decode and monitor that traffic.</p>
<figure><img title="Screen Shot 2013-08-02 at 10.58.03" alt="Screen Shot 2013-08-02 at 10.58.03" src="http://cdn-static.zdnet.com/i/r/story/70/00/018907/screen-shot-2013-08-02-at-10-58-03-518x238.png?hash=ZQAxAmZ5AG&upscale=1" height="238" width="518"></figure>
<p>While monitoring the RAT, researchers found that government entities and private firms based in the U.S., Europe, and Asia Pacific were often infected. Many Japanese and Indian governmental bodies were targeted, as well as educational institutions, media, telecommunications companies and energy firms.</p>
<figure><img title="Screen Shot 2013-08-02 at 10.58.27" alt="Screen Shot 2013-08-02 at 10.58.27" src="http://cdn-static.zdnet.com/i/r/story/70/00/018907/screen-shot-2013-08-02-at-10-58-27-532x273.png?hash=AzZ4LzEvZG&upscale=1" height="273" width="532"></figure>
<p>Interestingly, audio and videoconferencing firms are also a frequent target. The researchers speculate that this may be due to hackers seeking intellectual property, or the trojan may have been used to quietly listen-in on commercial and government organizations.</p>
<p>Dell's researchers have not revealed the identities of the targeted organizations, but have informed them of the breaches. They also caution that there are likely to be "hundreds more unidentified victims," given the number of variants found and the time the cyberespionage campaign has been in operation.&nbsp;</p>
<p><a href="http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/">Read the full report</a>.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018763</guid>
			<link><![CDATA[http://www.zdnet.com/best-of-show-black-hat-usa-2013-vendors-and-sponsors-7000018763/]]></link>
			<title><![CDATA[Best of Show, Black Hat USA 2013 Vendors and Sponsors]]></title>
			<description><![CDATA[Black Hat USA 2013 vendor area included companies such as Veracode, Booz Allen Hamilton and Microsoft, with creative schwag such as Botnets for Breakfast (cereal) and 'hacker' playing cards.]]></description>
			<pubDate><![CDATA[Fri, 02 Aug 2013 08:05:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
			<s:doctype><![CDATA[Gallery]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-big-data/">Big Data</category>
			<category domain="http://www.zdnet.com/topic-cisco/">Cisco</category>
			<category domain="http://www.zdnet.com/topic-data-management/">Data Management</category>
			<category domain="http://www.zdnet.com/topic-dell/">Dell</category>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
			<category domain="http://www.zdnet.com/topic-ibm/">IBM</category>
<media:text type="html"><![CDATA[<p>Leading security conference <a href="http://www.blackhat.com/us-13/">Black Hat</a> showcased its 2013 USA vendors and sponsors in the gigantic Octavius Ballroom in Caesars Palace, Las Vegas, Nevada. For two days, security companies displayed wares and products for all manner of security solutions, with many debuting new gadgets and services.</p><p>The always-smiling <a href="https://www.eff.org/">Electronic Frontier Foundation</a> had a table in one of the main halls, with a classic NSA shirt on display for the occasion.</p><p>Ravens adorned the <a href="http://www.cisco.com/">Cisco</a> booth, and beyond, making it a magnet for attendees who sometimes openly gawked at the creative spectacle.</p><p><a href="http://www.cisco.com/">Cisco's</a> spooky booth was the most eye-catching of all.</p><p>The fabulous, funny, smart and friendly <a href="http://www.veracode.com/">Veracode</a> staff posing for an action shot!</p><p><a href="http://www.splunk.com/">Splunk's</a>&nbsp;fun t-shirts, with slogans such as "I like big data and I cannot lie."</p><p>A close-up of <a href="http://www.splunk.com/">Splunk's</a> great - and coveted - t-shirts, which they gave away free on both show days.</p><p><a href="http://www.qualys.com/">Qualys</a> had some of the friendliest booth staff ever, and a huge piece of real estate.</p><p><a href="http://www.ibm.com/us/en/">IBM</a>&nbsp;- far from its <a href="http://www-03.ibm.com/ibm/history/exhibits/music/music_intro.html">songbook</a> days -&nbsp;had a sprawling booth.</p>
<p>Watch me interview <a href="http://cnettv.cnet.com/commodore-64-turns-25/9742-1_53-31867.html">IBM's Bill Lowe at the Computer History Museum</a> for the C-64 anniversary.</p><p><a href="http://www.dell.com/">Dell</a> made the most of iconic villain imagery.</p><p><a href="http://www.ssh.com/">SSH</a>&nbsp;at Black Hat USA 2013 - these boyshorts were so popular with attendees that they only had the demo left on the second day.</p><p>The <a href="http://www.alienvault.com/">AlienVault</a> booth created an outdoorsy corner on the enormous vendor floor with fake grasses - and an alien spaceship.</p><p>Botnets for Breakfast cereal, made for promotion by <a href="https://www.paloaltonetworks.com/">Palo Alto Networks</a>.</p><p><a href="http://www.arbornetworks.com/">Arbor Networks</a> had an artist on site painting custom skateboard decks that were raffled at the end of the conference.</p><p>We went back to <a href="https://filetrek.com/">FileTrek</a>'s&nbsp;Edward Snowden "Hero or villain?" vote at the side of the Black Hat Sponsor Hall to see how the vote was going. Their friendly representative said that at the end of the first day, they were astonished to count the tally and find an even split - a 91-91 dead heat (attendees voted by putting chips in either the "hero" or the "villain" canister on FileTrek's table).</p>
<p>FileTrek told us that they would publish the total results after Black Hat ends today, and that voters came in three distinct flavors: one who would put a chip right in the "villain" canister calling him a traitor, another who'd unhesitatingly vote for "hero" and a third who asked if FileTrek would put a can in the middle.</p>
<p>Its booth and cardboard cutout of Edward Snowden was situated directly across the aisle from Snowden's former government contractor employer, Booz Allen Hamilton.&nbsp;</p>
<p>See also:</p>
<ul>
<li><a href="http://www.zdnet.com/black-hat-2013-talks-and-panels-hot-list-7000018657/">Black Hat 2013: talks and panels 'hot list'</a></li>
<li><a href="http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/">Researchers reveal how to hack an iPhone in 60 seconds&nbsp;at Black Hat 2013</a></li>
<li><a href="http://www.zdnet.com/nsa-director-accused-of-lying-to-congress-at-black-hat-usa-2013-keynote-7000018810/">NSA Director accused of lying to Congress at Black Hat USA 2013 keynote</a></li>
<li><a href="http://www.zdnet.com/nsa-director-alexander-black-hat-usa-2013-keynote-gallery-7000018815/">NSA Director Alexander Black Hat USA 2013 Keynote: Gallery</a></li>
</ul>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018873</guid>
			<link><![CDATA[http://www.zdnet.com/cfaa-violations-key-to-2012-obama-victory-7000018873/]]></link>
			<title><![CDATA[CFAA violations key to 2012 Obama victory?]]></title>
			<description><![CDATA[An important tactic of the Obama reelection campaign was likely a violation of Facebook's terms of service, and therefore a violation of federal law. This is yet more evidence that Justice Department interpretations of the Computer Fraud and Abuse Act are unreasonable and need to be curtailed.]]></description>
			<pubDate><![CDATA[Fri, 02 Aug 2013 03:13:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Larry Seltzer]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
			<media:text type="html"><![CDATA[<p><strong>Correction:</strong> <em>The blog post which inspired this story has issued a correction which affects this story as well. Apps, such as the Obama campaign app, are subject to a separate set of terms which are different from those cited in this story. The actions taken by the app and the campaign conform to those terms, and therefore they do not violate the CFAA under anyone’s reading of the act.</em></p>
<p>It's generally accepted in post-mortems on the 2012 presidential election that high turnout among Obama voters was key to his victory. How did the campaign generate such high turnout?&nbsp;<a >the CFAA (Computer Fraud and Abuse Act)</a>.</p>
<p>The tactic was revealed in Dan Balz’s forthcoming book about the 2012 presidential campaign, “Collision 2012: Obama vs. Romney and the Future of Elections in America,”&nbsp;which&nbsp;<a >is being excerpted in the Washington Post</a>. The campaign wanted to expand the reach of their already large database of supporters and found a way to use Facebook for it.</p>
<p>Here's how it worked:</p>
<figure class="alignRight"><img title="computer-fraud-abuse" alt="computer-fraud-abuse" src="http://cdn-static.zdnet.com/i/r/story/70/00/018873/computer-fraud-abuse-v1-200x133.jpg?hash=AQH4MQDkAG&upscale=1" height="133" width="200"><figcaption>If the campaign violated the Facebook terms then, by extension, they violated the CFAA</figcaption></figure>
<p>Balz quotes campaign manager Jim Messina: "…what if we could build a piece of software that … allowed you to match your friends on Facebook with our lists, and we said to you, ‘Okay, so-and-so is a friend of yours, we think he’s unregistered, why don’t you go get him to register?’ Or ‘So-and-so is a friend of yours, we think he’s undecided. Why don’t you get him to be decided?’ And we only gave you a discrete number of friends. That turned out to be millions of dollars and a year of our lives. It was incredibly complex to do.”</p>
<p>The campaign could then, with permission from the user, gain access to their friends. Using other data the campaign had, they determined who was likely to be registered to vote and followed up with them. Balz says that this technique was a big factor for the campaign. But does it violate the CFAA?</p>
<p>The Justice Department has claimed in other cases that a violation of a website's terms of service or an employer's workplace policies can be a violation of the CFAA because it amounts to unauthorized access of a computer or data.</p>
<p>Vatis cites several lines from&nbsp;<a >the Facebook Statement of Rights and Responsibilities</a>&nbsp;which he claims are violated by the campaign's practices. One obvious one is: “You will not … let anyone else access your account.” Another interesting one: “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”</p>
<p>If the campaign violated the Facebook terms then, by extension, they violated the CFAA.</p>
<blockquote class="alignLeft">
<p>The Obama campaign's tactics clearly run afoul of the DoJ's interpretations of the law, but are they actually fraudulent, unauthorized access?&nbsp;</p>
</blockquote>
<p>Vatis is not calling for prosecution here, but rather using the incident to criticize the Justice Department's broad interpretation of the CFAA, an interpretation which was controversial back in 2008 when&nbsp;<a >it was first used against Lori Drew, whose fraudulent use of MySpace led 13-year-old Megan Meier to kill herself</a>.</p>
<p>It reached a new low last year when it was used to prosecute Internet developer and activist Aaron Swartz,&nbsp;<a >leading to his suicide this January</a>. After that, the movement in legal and Internet circles to amend the CFAA picked up steam.</p>
<p>There is such a thing as computer fraud and abuse, and it needs to be illegal. The Obama campaign's tactics clearly run afoul of the DoJ's interpretations of the law, but are they actually fraudulent, unauthorized access? That doesn't make sense to me.</p>
<p>All this does present a problem for Facebook. If they do nothing about this huge, public violation of their terms of service, can they then go after anyone else who violates them? What happens in the next election when other candidates use the same methods?</p>
<p>The unhelpful bottom line of it all is that these things are complicated. It's really hard to come up with a set of rules which are comprehensible, fair and which cover all the circumstances the service needs to cover. Same with the law. Until they figure out how to word these things right, companies and even more so the Department of Justice, need to be restrained in their use of the rules.</p>
]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018761</guid>
			<link><![CDATA[http://www.zdnet.com/black-hat-usa-2013-day-one-in-pictures-7000018761/]]></link>
			<title><![CDATA[Black Hat USA 2013: Day One, In Pictures]]></title>
			<description><![CDATA[Leading security conference Black Hat 2013 boasts over 100 talks that include hacking nuclear facilities, rooting SIM cards, OPSEC failures of spies, a keynote from the NSA and more. ]]></description>
			<pubDate><![CDATA[Thu, 01 Aug 2013 12:30:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
			<s:doctype><![CDATA[Gallery]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-apple/">Apple</category>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
<media:text type="html"><![CDATA[<p>With temperatures hovering around 103 degrees Fahrenheit (39 Celsius) outside in Las Vegas, <a href="https://www.blackhat.com/us-13/">Black Hat USA 2013</a> kept over 7,000 security professionals cool inside&nbsp;Caesars Palace while they attended explosive talks, compelling vendor booths, <a href="http://www.blackhat.com/us-13/arsenal.html">Black Hat Arsenal</a> demonstrations, and the <a href="http://pwnies.com/">2013 Pwnie Awards</a>.</p><p>Posing ominously in front of Black Hat USA 2013 signage at Caesars Palace are Simon Carless (EVP, Black Hat) and Marco Pardi (President, Business Technology Events, UBM Tech).</p>
<p><em>Photo used with permission, <a href="http://www.flickr.com/photos/blackhatevents/9404943516/in/photostream/">courtesy of Black Hat Events</a>.</em></p><p>This is not a standard Black Hat badge; this "Hacker" badge belongs to <a href="http://nmap.org/">Nmap</a> author&nbsp;Gordon "Fyodor" Lyon.</p><p>The Black Hat bookstore featured books such as x, x and x.</p>
<p>All areas of the Caesars Palace conference center were dressed top to toe with Black Hat projections, banners and more.</p><p>Black Hat attendees are cautioned not to use ATMs around the conference area, for security reasons.</p><p>An estimated 7,000 high-level security experts are attending Black Hat this year.</p>
<p>For the opening keynote by NSA Director Keith Alexander, 3,200 Black Hat attendees packed the room and around 1,500 were sent to an overflow video room.</p>
<p>Read more in&nbsp;<a href="http://www.zdnet.com/nsa-director-accused-of-lying-to-congress-at-black-hat-usa-2013-keynote-7000018810/">NSA Director accused of lying to Congress at Black Hat USA 2013 keynote</a>.</p>
<p>Just before the NSA Director's keynote, eggs were seen being passed around the audience. The eggs were confiscated by security before the keynote began.</p>
<p>During his packed Black Hat USA keynote, NSA Director Keith Alexander assured the crowd that the NSA's surveillance programs are lawful interception; attendees did not hesitate to shout "Bullshit."</p>
<p>Black Hat organizer Trey Ford onstage at the NSA keynote. After the General's keynote, Ford facilitated a question-and-answer session with the audience in which the questions were pre-screened, and Ford cautioned the audience that the General had the option of declining to answer any question.</p>
<p>Researcher Christine Dudley presenting her Wednesday talk <a href="https://www.blackhat.com/us-13/briefings.html#Dudley">Beyond the application: Cellular privacy regulation space</a>.</p>
<p>Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger."</p>
<p>At a Wednesday, July 31 Black Hat&nbsp;press conference, the researchers revealed for the first time exactly how the USB charger they built can compromise iOS devices in less than a minute.</p>
<p>Read more in&nbsp;<a href="http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/">Researchers reveal how to hack an iPhone in 60 seconds</a>.</p><p>Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary looking charger into a malicious vector for transmitting malware using an open source&nbsp;<a href="http://beagleboard.org/Products/BeagleBoard">BeagleBoard</a>, available for $125 (similar to a Raspberry Pi).</p>
<p>For the demo, the Facebook app was used as an example.</p>
<p>Within seconds of plugging in the charger, the Facebook app was invisibly removed from the device and seamlessly replaced with a Facebook app imitation with a malicious payload.</p>
<p>Apple responded by Wednesday evening saying it will issue a patch in its Fall iOS 7 update.</p>
<p>Lavish booths, costumes and plenty of giveaways made the Sponsor Hall an attraction.</p>
<p>At the&nbsp;<a href="http://www.blackhat.com/us-13/arsenal.html">Black Hat Arsenal</a>, researchers demoed web application security audits, and much more.</p>
<p>In the Black Hat Arsenal area, popular company <a href="http://pwnieexpress.com/">Pwnie Express</a> was a huge draw. The company launched its newest product at Black Hat this week, <a href="http://pwnieexpress.com/blogs/pwnie/8402911-announcing-the-pwn-plug-r2">the Pwn Plug R2</a>.</p>
<p>At the side of the Black Hat Sponsor Hall, cheeky data tracking and security company <a href="https://filetrek.com/">FileTrek</a> ran a "Hero or villain?" vote (we'll be back tomorrow to see how conference attendees voted).</p>
<p>Its booth and cardboard cutout of Edward Snowden was situated directly across the aisle from Snowden's former government contractor employer, Booz Allen Hamilton.&nbsp;</p>
<p>See also:</p>
<ul>
<li><a >Black Hat 2013: talks and panels 'hot list'</a></li>
<li><a >Researchers reveal how to hack an iPhone in 60 seconds&nbsp;at Black Hat 2013</a></li>
<li><a >NSA Director accused of lying to Congress at Black Hat USA 2013 keynote</a></li>
<li><a >NSA Director Alexander Black Hat USA 2013 Keynote: Gallery</a></li>
</ul>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018822</guid>
			<link><![CDATA[http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/]]></link>
			<title><![CDATA[Researchers reveal how to hack an iPhone in 60 seconds]]></title>
			<description><![CDATA[Three Georgia Tech hackers have disclosed how to hack iPhones and iPads with malware in under sixty seconds using a "malicious charger." UPDATED.]]></description>
			<pubDate><![CDATA[Thu, 01 Aug 2013 05:05:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-apple/">Apple</category>
			<category domain="http://www.zdnet.com/topic-ios/">iOS</category>
			<category domain="http://www.zdnet.com/topic-iphone/">iPhone</category>
			<category domain="http://www.zdnet.com/topic-ipad/">iPad</category>
			<media:text type="html"><![CDATA[<p>Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger."</p>
<p>Today at a <a href="http://www.blackhat.com/us-13/">Black Hat USA 2013</a> press conference, the researchers revealed for the first time exactly how the USB charger they built can compromise iOS devices in less than a minute.</p>
<figure class="alignRight"><img title="Mactans" alt="Mactans" src="http://cdn-static.zdnet.com/i/r/story/70/00/018822/dsc02934-200x133.jpg?hash=BTDmZTAuAz&upscale=1" height="133" width="200"></figure>
<p>Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary looking charger into a malicious vector for transmitting malware using an open source <a href="http://beagleboard.org/Products/BeagleBoard">BeagleBoard</a>, available for $125 (similar to a Raspberry Pi).</p>
<p>For the demonstration, the researchers used an iPhone. They plugged in the phone, and when the passcode was entered, the sign-code attack began.</p>
<p>For the demo, the Facebook app was used as an example.</p>
<p>Within seconds of plugging in the charger, the Facebook app was invisibly removed from the device and seamlessly replaced with a Facebook app imitation with a malicious payload.</p>
<p>The app's icon was in the exact same spot as it was before the attack - there is no visible way of telling that the application is now malware.</p>
<p>The researchers said that all the user needs to do to start the attack is enter their passcode - they pointed out that this is a pattern of ordinary use, such as to check a message while the phone is charging.</p>
<p>Once the app was launched, the malware was launched and the phone was compromised - and could do things such as take screenshots when other passwords are entered, send a spoofed screen, and more.</p>
<p>In this manner, depending on what payload the attacker has put on the fake app, sensitive data could be accessed and compromised in a variety of ways.</p>
<p>The researchers found malicious ways to call and use private APIs; the attack exploits physical weaknesses, and works on all stock versions of iOS (up to the developer beta of iOS 7, which is the only version that Apple has patched).</p>
<p>The operating system used for the attack is Linux, and the researchers acknowledged that someone could easily use a Raspberry Pi instead of a BeagleBoard.</p>
<p>The attack does not require root permissions.</p>
<p>The targeted iOS device does not need to be jailbroken in order for the attack to be successful. It only needs to be plugged in to the innocuous seeming, but poisoned, iOS charger.</p>
<p>The Mactans charger is no longer a charger, but its own little computer - running custom software that immediately cracks and infects any attached Apple gadget; Mactans can install software unknown to the user.</p>
<p>Details of the vulnerability, which the researchers held back from disclosing until now, will be described in more detail in the researchers' Black Hat talk today, "<a href="http://www.blackhat.com/us-13/briefings.html#Lau">Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers</a>."</p>
<p>The researchers disclosed the attack and vulnerability to Apple, but it appears that Apple hasn’t addressed or fixed the issue for versions prior to 7 (beta, developer release) - the hackers had previously stated they refused to reveal details until their Black Hat presentation.</p>
<p>The venomous iOS charger is called "Mactans" - Latin name for the virulent and pernicious Black Widow spider.</p>
<p>The researchers explained,</p>
<blockquote>
<p>Mactans was built with [a] limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish.</p>
</blockquote>
<p>The researchers contacted Apple - and Apple has patched iOS 7 to prevent the attack. Currently, all other versions are vulnerable.</p>
<p>Needless to say, iPhone, iPad and other iOS device users will want to be sure not to leave their chargers lying around - or use any "community" chargers from here on out.</p>
<figure><img title="Mactans" alt="Mactans" src="http://cdn-static.zdnet.com/i/r/story/70/00/018822/dsc02945-620x414.jpg?hash=AJRjAwZ1Zw&upscale=1" height="414" width="620"></figure>
<p><a href="http://www.blackhat.com/us-13/briefings.html#Lau">Mactans: Injecting Malware into iOS Devices via Malicious Chargers</a> will be presented today, July 30, in room Augustus 3/4 at 5:00 pm.</p>
<p><strong>UPDATE Wednesday July 1, 8:50 pm:</strong> In a late evening announcement Apple stated it will be <a href="http://www.reuters.com/article/2013/08/01/us-apple-hacking-idUSBRE97002120130801">fixing the vulnerability in the Fall release of its iOS 7 update</a>. Apple has not specified a date for the fix. This means devices are vulnerable to the attack until the release, as are all previous versions of the OS. The issue has only been fixed in the beta version of 7, released to developers.</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018815</guid>
			<link><![CDATA[http://www.zdnet.com/nsa-director-alexander-black-hat-usa-2013-keynote-gallery-7000018815/]]></link>
			<title><![CDATA[NSA Director Alexander Black Hat USA 2013 Keynote: Gallery]]></title>
			<description><![CDATA[During his packed Black Hat USA keynote NSA Director Keith Alexander assured the crowd that the NSA's surveillance programs are lawful interception; attendees did not hesitate to shout "Bullshit."]]></description>
			<pubDate><![CDATA[Thu, 01 Aug 2013 01:37:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
			<s:doctype><![CDATA[Gallery]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
<media:text type="html"><![CDATA[<p>At leading security conference Black Hat USA 2013, Gen. Keith Alexander, Commander, U.S. Cyber Command (USCYBERCOM) and Director of the NSA, told attendees&nbsp;<a href="https://www.blackhat.com/us-13/briefings.html#Alexander">in the event's opening keynote</a>&nbsp;that "the same people who uphold the Constitution are the same people that run these programs."</p>
<p>Read the full report in: <a href="http://www.zdnet.com/nsa-director-accused-of-lying-to-congress-at-black-hat-usa-2013-keynote-7000018810/">NSA Director accused of lying to Congress in Black Hat USA 2013 Keynote</a>.</p><p>Alexander explained that he wanted to, "give attendees an insider&rsquo;s look into the U.S. Cyber Command and the interworking of offensive cyber strategy" and he did, showing slides with prepared information about some of the surveillance programs used by the NSA.</p>
<p>The main thrust of the NSA Director's speech was that the NSA's surveillance programs were to protect Americans and combat foreign threats.</p>
<p>He told Black Hat in regard to the NSA's data collection requests, "these are not rubber stamped."</p>
<p>When NSA Director General Keith Alexander told the attendees of&nbsp;<a href="http://www.blackhat.com/">Black Hat USA 2013</a>&nbsp;that, speaking as the NSA, "we stand for freedom" - a member of the audience immediately shouted, "Bullshit!"</p>
<p>The vociferous crowd did not hesitate to talk back. One attendee shouted, "what I'm saying is that we don't trust you." Another accused the General of lying to Congress and shouted, "How do we know you're not lying to us right now?"</p>
<p>Near the talk's end, an attendee shouted that General Alexander should read the Constitution.</p>
<p>He responded saying, "I have. You should, too."</p>
<p>The General's speech stressed that the NSA's focus was on terrorism suspects, and minimized the scope of the surveillance programs.</p>
<p>Today's keynote comes during the NSA's most turbulent time in history - under Alexander's watch - when it has been rocked by Wikileaks, the Manning trial, former contractor turned whistleblower Edward Snowden and the Prism leaks, and widespread outrage at the revealed extent of the NSA's domestic and global surveillance programs.</p>
<p>The NSA Director told attendees of North America's leading security conference that he was at Black Hat to ask the security professionals in attendance for their help, most especially if they felt the programs were wrong.</p>
<p>Americans, US politicians and the over 7,000 attendees of Black Hat USA 2013 are currently struggling with revelations, and earlier allegations, that the NSA has been surveilling them and spying on their digital communications far more than was previously believed, known or even understood.</p>
<p>Last year, the Director controversially delivered a keynote at DEF CON, the hacker conference after Black Hat. He was not invited back this year.</p>
<p>Only two weeks ago, <a href="http://www.zdnet.com/feds-not-welcome-at-def-con-hacker-conference-7000017926/">Federal agents were openly disinvited to DEF CON by the organizer</a>, in a blog post saying that the conference needed "time off" in its bizarre relationship with "Feds."</p>
]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018810</guid>
			<link><![CDATA[http://www.zdnet.com/nsa-director-accused-of-lying-to-congress-at-black-hat-usa-2013-keynote-7000018810/]]></link>
			<title><![CDATA[NSA Director accused of lying to Congress at Black Hat USA 2013 keynote]]></title>
			<description><![CDATA[During his packed Black Hat USA keynote NSA Director Keith Alexander assured the crowd that the NSA's surveillance programs are lawful interception; attendees did not hesitate to shout "Bullshit."]]></description>
			<pubDate><![CDATA[Thu, 01 Aug 2013 00:27:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
<media:text type="html"><![CDATA[
<p>When NSA Director General Keith Alexander told the attendees of <a href="http://www.blackhat.com/">Black Hat USA 2013</a> that, speaking as the NSA, "we stand for freedom" - a member of the audience immediately shouted, "Bullshit!"</p>
<p>The rogue comment was received by the crowd with applause. The General acknowledged the comment and response, and moved on to continue telling the hackers and security professionals that the NSA's surveillance programs had prevented multiple terrorist attacks around the world.</p>
<ul>
<li>See the full gallery of the General's keynote and slides in&nbsp;<a href="http://www.zdnet.com/nsa-director-alexander-black-hat-usa-2013-keynote-gallery-7000018815/">NSA Director Alexander Black Hat USA 2013 Keynote: Gallery</a>.</li>
</ul>
<figure class="alignLeft"><img title="black-hat-2013-logo" alt="black-hat-2013-logo" src="http://cdn-static.zdnet.com/i/r/story/70/00/018810/black-hat-2013-logo-200x99.png?hash=AmOzLzD1AQ&upscale=1" height="99" width="200"></figure>
<p>At leading security conference Black Hat USA 2013, Gen. Keith Alexander, Commander of U.S. Cyber Command (USCYBERCOM) and Director of the NSA, told attendees <a href="https://www.blackhat.com/us-13/briefings.html#Alexander">in the event's opening keynote</a> that "the same people who uphold the Constitution are the same people that run these programs."</p>
<p>He later went on to tell the room that the people at risk were heroes, and that was "no bullshit."</p>
<p>An equal amount of applause was scattered throughout the room.</p>
<p>Alexander explained that he wanted to, "give attendees an insider’s look into the U.S. Cyber Command and the interworking of offensive cyber strategy" and he did, showing slides with prepared information about some of the surveillance programs used by the NSA.</p>
<p>The main thrust of the NSA Director's speech was that the NSA's surveillance programs were to protect Americans and combat foreign threats.</p>
<p>He told Black Hat in regard to the NSA's data collection requests, "these are not rubber stamped."</p>
<p>The Director emphasized that, "we do not see the content of your calls."</p>
<p>He continued, loosely describing the methods used to trace an individual number. He said,</p>
<blockquote>
<p>To get a number approved, there are only 22 people at the NSA that can approve that number. Only numbers on the lists compiled [of terrorism suspects] can be queried.</p>
<p>Only 35 people at the NSA are allowed to do queries into that database.</p>
</blockquote>
<p>He stressed the training that those individuals are required to complete. The General's speech stressed that the NSA's focus was on terrorism suspects, and minimized the scope of the surveillance programs.</p>
<figure><a href="http://www.zdnet.com/nsa-director-alexander-black-hat-usa-2013-keynote-gallery-7000018815/" target="_blank"><img title="NSA Black Hat keynote" alt="NSA Black Hat keynote" src="http://cdn-static.zdnet.com/i/r/story/70/00/018810/nsa-black-hat-keynote-620x417.jpg?hash=ZGOuATAyMG&upscale=1" height="417" width="620"></a></figure>
<p>He then told the audience,</p>
<blockquote>
<p>In 2012 there were less than 300 numbers approved for queries. Those queries resulted in 12 reports to the FBI (...) they contained less than 500 minutes. The intent of this program is to find a terrorist actor and identify them to the FBI.</p>
</blockquote>
<p>General Alexander went on to state that the NSA's programs, the very ones under fire in the press - such as Prism - were directly responsible for finding known terrorists. "This is our lawful intercept program."</p>
<p>"We have the courts, Congress and lawmakers looking at what we do." Referring to a slide projected for the audience he continued, "This shows you we have 100% auditability on every query we make. (...) We worked with committees in Congress for a directorate of compliance."</p>
<p>The vociferous crowd did not hesitate to talk back. One attendee shouted, "what I'm saying is that we don't trust you." Another accused the General of lying to Congress and shouted, "How do we know you're not lying to us right now?"</p>
<p>The NSA Director told attendees of North America's leading security conference that he was at Black Hat to ask security professionals in attendance for their help, most especially if they felt the programs were wrong.</p>
<p>Near the talk's end, an attendee shouted that General Alexander should read the Constitution.</p>
<figure class="alignRight"><a href="http://www.zdnet.com/nsa-director-alexander-black-hat-usa-2013-keynote-gallery-7000018815/" target="_blank"><img title="NSA Director Keith Alexander at Black Hat 2013" alt="NSA Director Keith Alexander at Black Hat 2013" src="http://cdn-static.zdnet.com/i/r/story/70/00/018810/dsc02904-200x129.jpg?hash=MQWuAQHkZT&upscale=1" height="129" width="200"></a></figure>
<p>He responded saying, "I have. You should, too."</p>
<p>The General's retort was met with applause.</p>
<p>Gen. Alexander's talk was presented in the atmosphere of today's new allegations in the Guardian UK that the NSA tool <a href="http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data">"XKeyscore" collects nearly everything a user does on the internet</a> - allegations which also claim that NSA analysts require no prior authorization for searches.</p>
<p>Americans, US politicians and the over 7,000 attendees of Black Hat USA 2013 are currently struggling with these revelations, and with earlier allegations, that the NSA has been surveilling them and spying on their digital communications far more than was previously believed, known or even understood.</p>
<p>At last year's DEF CON keynote - the hacker conference following Black Hat every year - Director Alexander had denied NSA surveillance and spying to the audience when directly asked.</p>
<p>Alexander responded saying that this was "absolute nonsense." He continued, saying that managing hundreds of millions of individual citizen files would be impossible for the department to do.</p>
<p>Today's keynote comes during the NSA's most turbulent time in history - under Alexander's watch - when it has been rocked by Wikileaks, the Manning trial, former contractor turned whistleblower Edward Snowden and the Prism leaks, and widespread outrage at the revealed extent of the NSA's domestic and global surveillance programs.</p>
<p>Last year, the Director controversially delivered a keynote at DEF CON, the hacker conference after Black Hat. He was not invited back this year.</p>
<p>Only two weeks ago, Federal agents were openly disinvited to DEF CON by the organizer, in a blog post saying that the conference needed "time off" in its bizarre relationship with "Feds."</p>
<p><strong>Conflict between NSA DEF CON keynote and Snowden leaks</strong></p>
<p>Alexander's DEF CON keynote, presented in a black t-shirt and jeans, had the NSA Director calling DEF CON the "world's best cybersecurity community" and asking hackers for their help.</p>
<p>The NSA Director was asked during DEF CON's Q and A if the NSA keeps files on all US citizens.</p>
<p>CNET reported that <a href="http://news.cnet.com/8301-1009_3-57481689-83/nsa-director-finally-greets-defcon-hackers/">General Alexander had stated</a>,</p>
<blockquote>
<p>"No we don't. Absolutely not," he said. "Our job is foreign intelligence. We get oversight by Congress...everything we do is auditable by them, by the FISA (Foreign Intelligence Surveillance Act)...and by the (Obama) Administration."</p>
<p>He acknowledged that occasionally there are slip ups. "We may, incidentally in targeting a bad guy, hit on a good guy," he said. "We have requirements from (the FISA) court and the attorney general to minimize that."</p>
</blockquote>
<p>At DEF CON last year he told hackers,</p>
<blockquote>
<p>In this room right here is the talent we need to secure cyberspace. You know we can protect the networks and have civil liberties and privacy and you can help us get there.</p>
</blockquote>
<p>He had also told the audience of hackers and digital privacy activists that the United States needed "better sharing between private companies and the government," and Alexander ominously added that this was something the then-proposed cybersecurity legislation could help fix.</p>
<p>Alexander was referring to the doomed Cybersecurity Act of 2012, which was effectively Son of CISPA with a few privacy provisions. Many considered CSA 2012 as the Guardian described it, "<a href="http://www.theguardian.com/commentisfree/2012/aug/02/cybersecurity-act-surveillance-bill-disguise">a surveillance bill in disguise</a>" - effectively outsourcing the NSA's data surveillance to private companies, who are not held under the 4th amendment, and would have received immunity for handing over the data.</p>
<p><strong>UPDATE Wednesday July 31, 8:45 pm</strong>: Just before the General's keynote, it was seen that eggs were being passed around the audience. The eggs were confiscated by security before the keynote began.</p>
<blockquote class="twitter-tweet">
<p>Mikko Hypponen's mysteriously vanished tweet at Blackhat 2013 just as N S A director was about to speak. Eggs? <a href="http://t.co/YHjH3li6CL">http://t.co/YHjH3li6CL</a></p>
— Paul Blackburn (@mpb) <a href="https://twitter.com/mpb/statuses/362704379926687744">July 31, 2013</a></blockquote>
<blockquote class="twitter-tweet">
<p>Security friend admitted to handing out 60 eggs to people before general Alexander <a href="https://twitter.com/search?q=%23blackhat&amp;src=hash">#blackhat</a> talk. Disappointed by lack of use.</p>
— Al Billings (@makehacklearn) <a href="https://twitter.com/makehacklearn/statuses/362636655364022272">July 31, 2013</a></blockquote>
<blockquote class="twitter-tweet">
<p><a href="https://twitter.com/search?q=%23BlackHat&amp;src=hash">#BlackHat</a> Security confiscates a dozen eggs before GEN Alexander Keynote</p>
— James Bray (@Jhbray) <a href="https://twitter.com/Jhbray/statuses/362620864438603778">July 31, 2013</a></blockquote>
]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018718</guid>
			<link><![CDATA[http://www.zdnet.com/cybercrime-bigger-threat-than-nuclear-war-uk-lawmakers-say-7000018718/]]></link>
			<title><![CDATA[Cybercrime 'bigger threat than nuclear war', UK lawmakers say]]></title>
			<description><![CDATA[Following the lead of the U.S., U.K. lawmakers say that preventing cybercrime is now a top priority.]]></description>
			<pubDate><![CDATA[Tue, 30 Jul 2013 14:38:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-united-kingdom/">United Kingdom</category>
			<media:text type="html"><![CDATA[<figure class="alignRight"><img title="it-security" alt="it-security" src="http://cdn-static.zdnet.com/i/r/story/70/00/018718/it-security-v1-200x150.jpg?hash=MQtjL2D4Mz&upscale=1" height="150" width="200"></figure>
<p>Is the threat of cybercrime more of concern than a nuclear bomb? The U.K. government believes so.</p>
<p>The U.K. Home Affairs Committee, a panel dedicated to scrutinizing governmental policy, has released a report which claims the country is failing in efforts to protect businesses and consumers against cybercrime. After a ten-month inquiry, the committee released its <a href="http://www.parliament.uk/business/committees/committees-a-z/commons-select/home-affairs-committee/news/130729-e-crime-rpt-published/">report on E-crime</a>, saying that 25 countries have chosen the United Kingdom as a primary target due to the valuable information stored on servers, including bank and financial data.</p>
<p>The report says there is a "black hole" where cybercriminals have free rein to attack targets, and are able to do so due to a lack of active police enforcement. Cybercrimes are often left unreported, and instead of rooting out the problem, banks will often just reimburse customers who may have had their identity or banking details stolen.</p>
<p>As a result, cybercriminals are able to reap large profits with few repercussions, especially if they systematically attack through low-level fraud rather than aim for high-profile targets.</p>
<p>Committee Chair and MP Keith Vaz said:</p>
<blockquote>
<p>"We are not winning the war on online criminal activity. We are being too complacent about these E-wars because the victims are hidden in cyberspace. The threat of a cyber attack to the U.K. is so serious it is marked as a higher threat than a nuclear attack."</p>
</blockquote>
<p>This opinion reflects U.S. intelligence chiefs who said in March that <a href="http://www.zdnet.com/is-cybercrime-more-of-a-threat-than-terrorism-7000012526/">cybercrime has replaced terrorism</a> as the "top threat" facing the United States.</p>
<p>The panel says that sentencing guidelines should be reviewed in order to properly punish cybercriminals, and hackers should "receive the same sentences as if they had stolen the same amount of money or data offline."</p>
<p>Vaz commented:</p>
<blockquote>
<p>"If we don’t have a 21st century response to this 21st century crime, we will be letting those involved in these gangs off the hook. We need to establish a state of the art espionage response centre. At the moment the law enforcement response to e-criminals is fractured and half of it is not even being put into the new National Crime Agency."</p>
</blockquote>
<p>The committee also approves U.K. Prime Minister David Cameron's <a href="http://www.zdnet.com/the-key-to-cleaning-up-the-internet-is-tackling-the-darknets-not-letting-censorship-in-by-the-back-door-7000018339/">recent proposal</a> to place "porn filters" on search engines and block websites that have content deemed "inappropriate," including pornography and terrorism incitement. While many believe the filters are the first step towards online censorship and the U.K.'s very own version of the Great Firewall of China, the report argues:</p>
<blockquote>
<p>It is still too easy for people to access inappropriate online content, particularly indecent images of children, terrorism incitement and sites informing people how to commit online crime. There is no excuse for complacency.</p>
<p>The committee urges those responsible to take stronger action to remove such content. The government should draw up a mandatory code of conduct with them to remove material which breaches acceptable standards.</p>
</blockquote>
<p>As a result, the MPs are "alarmed" that the Child Exploitation &amp; Online Protection Centre (CEOP) is due to suffer budget cuts of 10 percent over the next four years. If porn-related filters go ahead, cutting away the CEOP's resources may result in inappropriate websites slipping through the net and therefore more children placed at risk.</p>
<p>To try and reinforce these claims, the report uses the murder cases of April Jones and Tia Sharp to suggest there are "terrible consequences" to being able to access child pornography online, and says that the next generation of citizens are being "radicalized" as they can access the preaching of clerics including Anwar al-Awlaki on YouTube.</p>
<p>Whether having access to such content prompts action is arguable, but Vaz believes that ISPs, search engines and social media networks are "far too laid back" and failing to censor or take down "inappropriate content." The MP says that if service providers fail to act, the "government should legislate."</p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018657</guid>
			<link><![CDATA[http://www.zdnet.com/black-hat-2013-talks-and-panels-hot-list-7000018657/]]></link>
			<title><![CDATA[Black Hat 2013: talks and panels 'hot list']]></title>
			<description><![CDATA[Leading security conference Black Hat boasts over 100 talks that include hacking nuclear facilities, rooting SIM cards, OPSEC failures of spies, a keynote from the NSA and more. Here's a 'hot list' of 2013's riveting talks and demos.]]></description>
			<pubDate><![CDATA[Mon, 29 Jul 2013 15:38:05 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<category domain="http://www.zdnet.com/topic-apps/">Apps</category>
			<category domain="http://www.zdnet.com/topic-data-centers/">Data Centers</category>
			<category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
			<category domain="http://www.zdnet.com/topic-legal/">Legal</category>
			<category domain="http://www.zdnet.com/topic-networking/">Networking</category>
			<media:text type="html"><![CDATA[<p>In its sixteenth year, <a href="http://www.blackhat.com/us-13/">Black Hat USA 2013</a>&nbsp;will introduce nearly a hundred new security tools and 35 0-days in a record 110 unique Briefings (talks) and workshops, with 131 companies showcasing their security solutions on-site.</p>
<p>An estimated 7,000 high-level security experts are set to attend Black Hat this year. It takes place this week, July 27 – August 1, 2013, at Caesars Palace in Las Vegas.</p>
<figure class="alignRight"><img title="Black-Hat-2013" alt="Black-Hat-2013" src="http://cdn-static.zdnet.com/i/r/story/70/00/018657/black-hat-2013-200x100.jpg?hash=MzZ2BQIvMw&upscale=1" height="100" width="200"></figure>
<p>A security conference leader, Black Hat blends hackers, corporations, researchers of all kinds, law enforcement and Feds, in hats ranging from snow-white to so black they actually absorb light.</p>
<p>These attendees will be wearing their nicest professional, casual-Friday armor to meet on neutral territory - all comprising an event that may be the world's biggest confluence of virtual arms dealers.</p>
<p>Black Hat has cautioned press, "You are about to enter one of the most hostile environments in the world."</p>
<p>The list of precautions is long, and includes not using any ATM machines around the conference, keeping our hotel keys deep in our belongings, not using the wi-fi unless we are security experts, never leaving any devices out of sight (EVER!), and changing all of our passwords immediately after leaving Las Vegas.</p>
<p>Still, the list of cautions will probably not be enough.</p>
<p>There is so much to see and absorb at Black Hat 2013, it will likely be a Vegas gamble worth taking. The packed schedule proves that Black Hat wanted to raise the excitement meter to eleven this year.</p>
<p>To make the overwhelming schedule manageable, we've compiled an insider's 'hot list'.</p>
<p>Outside of the usual press releases, we asked organizers what they think will be hot, as well as compiling our own list. Combining the results, we've got a hell of a starting point for attendees listed here:</p>
<ul>
<li><a >Mactans: Injecting Malware into iOS Devices via Malicious Chargers - Billy Lau</a>. They'll demonstrate how an Apple iOS device can be compromised within one minute of being plugged into a malicious charger, and disclose the details of the vulnerability on-site – something they've held back on so far.</li>
<li><a >Rooting SIM Cards - Karsten Nohl</a>. Karsten will disclose his vulnerability onsite; the UN's ITU issued a global warning about it.</li>
<li><a >Compromising Industrial Facilities from 40 Miles Away - Lucas Apa</a>. Compromises around nuclear/energy, gas and oil facilities, among others - including shutting them down remotely - even from 40 miles away.</li>
<li><a >Energy Fraud and Orchestrated Blackouts: Issues With Wireless Metering Protocols (WM-Bus) - Cyrill Brunschwiler</a>. Energy fraud + widespread orchestrated blackouts are far easier than anyone thinks; Brunschwiler will disclose new flaws in wireless smart meters, resulting in not only a good cheat on your energy bill... but also widespread blackouts as the energy grid is directly impacted. Californians take note.</li>
<li><a >Lets Get Physical: Breaking Home Security Systems and Bypassing Buildings' Controls - Drew Porter, Stephen Smith</a>. Hardware-based vulnerabilities impacting a very broad audience – specifically impacting smart homes.</li>
<li><a >Home Invasion v2.0: Attacking Network Controlled Hardware - Jennifer Savage, Daniel Crowley, David Bryan</a>. This team has hacked home-based network-connected devices and reveals how havoc or danger could be unleashed at home - specifically, through devices that have been 'impossible' to hack until now - from space heaters to door locks, surveillance systems and much more.</li>
<li><a >What Security Researchers Need to Know About Anti-Hacking Law - Marcia Hofmann</a>. Reduce risk by learning ways to avoid potential legal trouble around issues researchers commonly wonder about; Hofmann surveys issues relevant to researchers now, including cases on port scanning, violating website terms of use, and designing tools capable of bypassing technical access controls.</li>
<li><a >Above my Pay Grade: Cyber Response at the National Level - Jason Healey</a>. Examining the decisions and actions at all levels of response escalation when a cyber attack is also a national security event, using an example attack on the finance sector, from banks to the military and presidential level.</li>
<li><a >Exploiting Network Surveillance Cameras Like a Hollywood Hacker - Craig Heffner</a>. A live demonstration of leveraging vulnerabilities described in this talk to freeze and modify legitimate video streams from cameras such as those found in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.</li>
<li><a >Aaron Swartz, Weev, the CFAA and The Future - Kurt Opsahl, EFF</a> [panel]. With the dangers of the CFAA and overzealous, uneducated prosecutors now known, the infosec community has been thrust into the role of educating and persuading lawmakers to reform this dangerous law. The EFF's Opsahl leads a panel and on-the-spot outreach to the community to discuss and propose tactics on all levels.</li>
<li>Being served with a search warrant for a criminal investigation can be scary enough, but if you're the target of a national security investigation, you won't be allowed to tell anyone about it. This panel discusses the technical risks of surveillance architectures, the legal and technical defenses against over-broad or invasive searches, and actual experiences fighting against secret surveillance orders.</li>
</ul>
<p><strong>Mobile hot list highlights:</strong></p>
<p>Threats to mobile devices such as injecting malware into <a href="http://www.blackhat.com/us-13/briefings.html#Lau">Apple’s iOS devices with malicious chargers</a>, intercepting traffic and SMS messages through <a href="http://www.blackhat.com/us-13/briefings.html#Ritter">compromised femtocells</a>, <a href="http://www.blackhat.com/us-13/briefings.html#Weinmann">cracking BlackBerry’s new OS 10</a>, <a href="http://www.blackhat.com/us-13/briefings.html#Nohl">rooting SIM cards</a> and building a <a href="http://www.blackhat.com/us-13/briefings.html#McNamee">spyphone</a> that can record conversations and send messages without you ever knowing.</p>
<p><strong>Infrastructure hot list highlights:</strong></p>
<p>Preventing attacks on critical infrastructure and national security with talks around <a href="http://www.blackhat.com/us-13/briefings.html#Reidy">insider threats at the FBI</a>, <a href="http://www.blackhat.com/us-13/briefings.html#Brunschwiler">energy fraud and orchestrated blackouts</a>, <a href="http://www.blackhat.com/us-13/briefings.html#Apa">compromising industrial facilities</a>, <a href="http://www.blackhat.com/us-13/briefings.html#Forner">threats to major oil and gas pipelines</a> and <a href="http://www.blackhat.com/us-13/briefings.html#Heffner">exploiting network surveillance cameras</a>.</p>
<p><strong>Home attacks hot list:</strong></p>
<p>Exposing vulnerabilities within our homes from <a href="http://www.blackhat.com/us-13/briefings.html#Fouladi">automation systems</a> such as HVAC and lighting, to other network-controlled devices such as <a href="http://www.blackhat.com/us-13/briefings.html#Crowley">door locks and garage sensors</a>, to hacking <a href="http://www.blackhat.com/us-13/briefings.html#Porter">some of the most well known home security systems</a> and even <a href="http://www.blackhat.com/us-13/briefings.html#Lee">the newest smart TVs</a>.</p>
<p><strong>At the <a href="http://www.blackhat.com/us-13/arsenal.html">Black Hat Arsenal</a>:</strong></p>
<p>Researcher demo highlights: <a href="https://www.blackhat.com/us-13/arsenal.html#Illera">bypassing a car’s security for less than 25 dollars</a>, to <a href="http://www.blackhat.com/us-13/arsenal.html#Weidman1">analyzing smartphone penetration testing</a> and performing <a href="http://www.blackhat.com/us-13/arsenal.html#Schmidt">web application security audits</a>.</p>
<p>Can't make it, or just want to keep pace with Black Hat?&nbsp;</p>
<p>Follow Black Hat Briefings on <a href="https://twitter.com/BlackHatEvents">Twitter @BlackHatEvents</a>, check <a href="http://www.facebook.com/blackhat">Black Hat on Facebook</a>, and connect with <a href="http://www.linkedin.com/groups?home=&amp;gid=37658&amp;trk=anet_ug_hm">Black Hat on its LinkedIn Group</a> - social updates can be found at hashtag <a href="https://twitter.com/search?q=%23BlackHat">#BlackHat</a>.&nbsp;Watch for photos on the <a >Black Hat Events Flickr account</a>.</p>
<p><em>An item I had selected for this list was <a href="http://www.blackhat.com/us-13/briefings.html#Jack">Implantable Medical Devices: Hacking Humans by Barnaby Jack</a> - it had been recommended to me by all experts and organizers I queried. There are many heavy hearts at the passing of Mr. Jack, and the sadness is palpable. He will be so very deeply missed. Black Hat has held his room time and talk slot open: Black Hat will not be replacing Barnaby’s talk on Thursday, Aug. 1. The hour will be left vacant for friends and family to gather: Black Hat has set aside the time to commemorate his life and work and stated to this year's attendees, "we encourage you to join us as we celebrate the legacy that he leaves behind."</em></p>]]></media:text>
		</item>
		<item>
			<guid isPermaLink="false">7000018591</guid>
			<link><![CDATA[http://www.zdnet.com/nasdaq-hackers-charged-following-largest-known-data-theft-in-history-7000018591/]]></link>
			<title><![CDATA[Nasdaq hackers charged following 'largest known data theft in history']]></title>
			<description><![CDATA[The U.S. Department of Justice has charged five men who allegedly targeted the Nasdaq and stole over 160 million credit card numbers. ]]></description>
			<pubDate><![CDATA[Fri, 26 Jul 2013 17:49:04 +0000]]></pubDate>
			<media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
			<s:doctype><![CDATA[Text]]></s:doctype>
			<media:text type="html"><![CDATA[<p>Five men have been charged in conspiring to steal data from corporate networks worldwide.</p>
<figure class="alignRight"><img title="gavel-v1" alt="gavel-v1" src="http://cdn-static.zdnet.com/i/r/story/70/00/018591/gavel-v1-v1-200x151.jpg?hash=MwH3MJV5AQ&upscale=1" height="151" width="200"></figure>
<p>According to <a href="http://www.justice.gov/opa/pr/2013/July/13-crm-842.html">the Department of Justice</a>, U.S. Attorney Paul J. Fishman of the District of New Jersey revealed the indictment today, which charges five men with conspiracy, wiretapping and fraud.</p>
<p>The five accused Eastern European men operated a global hacking scheme which managed to infiltrate a number of the world's largest financial institutions and corporate networks -- allowing the alleged theft of 160 million credit card numbers in addition to hundreds of millions of dollars in losses.</p>
<p>The defendants are being charged with attacking the Nasdaq, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. By targeting financial institutions, the hackers were able to steal valuable financial data for profit.</p>
<p>The case <a href="http://www.justice.gov/iso/opa/resources/5182013725111217608630.pdf">brought against the men</a> (.pdf) is the largest hacking scheme ever prosecuted in the United States, according to DoJ officials.</p>
<p>Vladimir Drinkman, 32, of Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialized in penetrating network security. Both were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez in connection with five corporate data breaches. Roman Kotov, 32, of Moscow, allegedly focused on data mining the exposed networks. Court documents allege that the defendants hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. After data was lifted, Moscow-based Dmitriy Smilianets, 29, allegedly sold the stolen information and handled the books.</p>
<p>By using SQL injections, the hackers were able to lift login credentials from corporate networks, and then install malware to grant the group backdoor access. Sometimes, malware was left on company servers for over a year. Sniffers and a global control center were then developed and installed to store and sell the data.</p>
<p>After acquiring card numbers and additional data, the information dumps were then allegedly sold through online forums or directly to individuals and businesses. According to court documents, $10 was charged for each stolen American credit card number, approximately $50 for each European credit card number, and $15 for each Canadian credit card number. These numbers could then be encoded into blank plastic cards to withdraw funds at ATMs or make purchases.</p>
<p>"This type of crime is the cutting edge," said U.S. Attorney Fishman. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows, there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful."</p>
<p>If convicted, the defendants could end up behind bars for decades.</p>]]></media:text>
		</item>
	</channel>
</rss>