Was Dropbox Really Hacked?

Dropbox suffered a major outage over the weekend.

In one of the more bizarre recent incidents, after the service went down on Friday evening a group of hackers claimed to have infiltrated the service and compromised its servers.

However, on the Dropbox blog, Dropbox VP of engineering Ardita Ardwarl told users that hackers were not to blame.

Ardwari said, “On Friday evening we began a routine server upgrade. Unfortunately, a bug installed this upgrade on several active servers, which brought down the entire service. Your files were always safe, and despite some reports, no hacking or DDOS attack was involved.”

The fault occurred when a bug in an upgrade script caused an operating system upgrade to be triggered on several live machines, rendering them inoperative. Although the fault was rectified in three hours, the knock-on effects led to problems that lasted through the weekend for some users.

Dropbox has assured users that there are no further problems and that all users should now be back online. It said that at no point were files in danger, adding that the affected machines didn’t host any user data. In other words, the “hackers” weren’t hackers at all, but attention seeking trolls.

Dropbox claims to have over 200 million users, many of which it has acquired through strategic partnerships with device manufacturers offering free storage with purchases.

Source

The company is looking forward to an initial public offering (IPO) on the stock market, so the timing of such a major outage could not be worse. Dropbox, which includes Bono and The Edge from U2 amongst its investors, has recently enhanced its business offering to appeal to enterprise clients, and such a loss of uptime could affect its ability to attract customers.

Yahoo Spreading Malware?

Some advertisements on Yahoo Inc’s European websites last week spread malicious software, Yahoo said on Sunday, potentially infecting the computers of thousands of users.

Last Friday, Fox-IT, a Delft, Netherlands-based computer security firm, wrote in a blog that attackers had inserted malicious ads served by ads.yahoo.com.

In a recently released statement, a Yahoo spokesman, said: “On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware.” Yahoo said it promptly removed the bad ads, and that users of Mac computers and mobile devices were not affected.

Malware is software used to disrupt a computer’s operations, gather sensitive information, or gain access to private computer systems.

Fox-IT estimated that on Friday, the malware was being delivered to approximately 300,000 users per hour, leading to about 27,000 infections per hour. The countries with the most affected users were Romania, Britain, and France.

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT wrote in the January 3 blog post.

Source

NSA Developing System To Crack Encryption

The U.S. National Security Agency is working to develop a computer that could ultimately break most encryption programs, whether they are used to protect other nations’ spying programs or consumers’ bank accounts, according to a report by the Washington Post.

The report, which the newspaper said was based on documents leaked by former NSA contractor Edward Snowden, comes amid continuing controversy over the spy agency’s program to collect the phone records Internet communications of private citizens.

In its report, The Washington Post said that the NSA is trying to develop a so-called “quantum computer” that could be used to break encryption codes used to cloak sensitive information.

Such a computer, which would be able to perform several calculations at once instead of in a single stream, could take years to develop, the newspaper said. In addition to being able to break through the cloaks meant to protect private data, such a computer would have implications for such fields as medicine, the newspaper reported.

The research is part of a $79.7 million research program called “Penetrating Hard Targets,” the newspaper said. Other, non-governmental researchers are also trying to develop quantum computers, and it is not clear whether the NSA program lags the private efforts or is ahead of them.

Snowden, living in Russia with temporary asylum, last year leaked documents he collected while working for the NSA. The United States has charged him with espionage, and more charges could follow.

His disclosures have sparked a debate over how much leeway to give the U.S. government in gathering information to protect Americans from terrorism, and have prompted numerous lawsuits.

Last week, a federal judge ruled that the NSA’s collection of phone call records is lawful, while another judge earlier in December questioned the program’s constitutionality. The issue is now more likely to move before the U.S. Supreme Court.

On Thursday, the editorial board of the New York Times said that the U.S. government should grant Snowden clemency or a plea bargain, given the public value of revelations over the National Security Agency’s vast spying programs.

Source

FTC Pushes For Security Standards

Despite growing resentment from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation’s enforcer of data security standards.

The FTC, over the past years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.

On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.

“I’d like to see FTC be the enforcer,” Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. “If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it’s something we’ve continued to push for.”

According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC’s enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.

“FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems,” Law360 quoted Broder as saying.

An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC’s position on enforcement authority.

The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.

Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data breach related charges.

Source

NSA Spies With Tracking Cookies

The browser cookies that online businesses use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.

The agency’s use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, theWashington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.

Google’s PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.

PREF cookies don’t store any user identifying information such as user name or email address. But they contain information on a user’s general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual’s browser.

The Google cookie, and those used by other online companies, can be used by the NSA to track a target user’s browsing habits and to enable remote exploitation of their computers, the Post said.

Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target’s computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.

It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).

Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.

However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed “Happyfoot,” allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.

An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.

An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency’s commitment to fulfill its mission of protecting the country against those seeking to do it harm.

“As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies,” the spokeswoman said.

The Post’s latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.

Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.

Source

Twitter Tightens Security

Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.

The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”

“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”

Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.

Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.

Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.

The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.

“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”

Source

Is Skype Involved In Spying?

Luxembourg’s data protection authority is investigating Microsoft-owned Skype for its alleged cooperation with the U.S. NSA’s Prism spying program, according to the agency.

Luxembourg’s data protection authority, CNPD, is investigating Skype’s links to NSA spying programs after receiving several complaints, said Tom Kayser, a spokesman for the authority. “I can’t really talk about the details of the investigation because it is still ongoing,” he said.

Skype, which has its European headquarters in Luxembourg, allegedly cooperates with the NSA through a program exploring the legal and technical issues involved in making customer calls available to intelligence and law enforcement agencies. The Guardian newspaper first reported the investigation.

The CNPD has powers to ensure that multinational companies based in Luxembourg respect national law, and often receives complaints from the data protection authorities of other European Union member states.

Privacy campaign group Europe-v-Facebook filed one of the complaints in June. That filing was part of a barrage of complaints filed in various countries against European subsidiaries of tech companies that are allegedly involved in the NSA’s spying program, including Facebook, Apple, Microsoft and Yahoo.

Under Luxembourg data protection law service providers and operators are required to ensure the confidentiality of communications and related traffic data.

“No person other than the user concerned may listen to, tap or store communications or the traffic data relating thereto, or engage in any other kinds of interception or surveillance thereof, without the consent of the user concerned,” reads the law’s unofficial English translation.

Violators can face up to a year in prison and/or a fine up to a!125,000 ($170,000). The court dealing with the matter can also order companies like Skype to stop any processing that conflicts with the law on pain of a periodic monetary penalty determined by the court.

“We regularly engage in a dialogue with data protection authorities around the world and are always happy to answer their questions,” a Microsoft spokeswoman said in an email. “It has been previously widely reported that the Luxembourg DPA was one of the DPA’s that received complaints from the ‘Europe v Facebook’ group so we’re happy to answer any questions they may have.”

Source

Google Snubs Privacy

Search giant Google has told the British government it is immune to prosecution on privacy issues and it can do what it like. The US Company is accused of illegally snooping on its British customers by bypassing privacy settings on Apple devices, such as iPads, to track their browsing history.

A group of British people took Google to court but the search engine is trying to get the case thrown out. Its argument is that it is not subject to British privacy law because it is based in California. This is the second time that Google has tried to avoid British law by pretending to operate in another country. It has come under fire for failing to pay tax in the UK

Nick Pickles, director of Big Brother Watch, said: ‘It is deeply worrying for a company with millions of British users to be brazenly saying they do not regard themselves bound by UK law. Solicitor Dan Tench, of law firm Olswang, said this was another instance of Google being here when it suits them and not being here when it doesn’t. Ironically when the US ordered Google to stop what it was doing, it forced the search engine to pay a $22.5million to regulators.

There are some indications that Google may not get its way. In July the Information Commissioner’s Office told Google its privacy rules breached UK law so it will be very hard for it to stand up in court and say it didn’t.

Source

Is The FBI Snooping TOR?

The Federal Bureau of Investigation (FBI) has been accused of gathering data from the anonymous network known as TOR.

The FBI might be behind a security assault on the TOR network that grabs users’ information.

Security researcher Vlad Tsyrklevich said that the attack is a strange one and is most likely the work of the authorities.

“[It] doesn’t download a backdoor or execute any other commands, this is definitely law enforcement,” he said in a tweet about the discovery.

He went a bit further in a blog post, explaining that the Firefox vulnerability is being used to send data in one direction.

“Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash,” he added.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA and not by blackhats.”

The bug is listed at Mozilla, and the firm has a blog post saying that it is looking into it.

Over the weekend a blog post appeared on the TOR website that sought to distant it from a number of closed down properties or hidden websites. It is thought that the shuttered websites, which were hosted by an outfit called Freedom Hosting, were home to the worst kind of abuses.

A report at the Irish Examiner said that a chap called Eric Eoin Marques is the subject of a US extradition request. He is accused of being in charge of Freedom Hosting.

“Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the TOR Network,” the TOR project said.

“There are a variety of [rumors] about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site,” it said.

“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The TOR Project, Inc., the organization coordinating the development of the TOR software and research.”

Source

Are CCTV Cameras Hackable?

When the nosy British bought CCTV cameras, worried citizens were told that they could not be hacked.

Now a US security expert says he has identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military. Craig Heffner, said he discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco, D-Link and TRENDnet.

They could use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems. Heffner said that it was a significant threat as somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.

He will show how to exploit these bugs at the Black Hat hacking conference, which starts on July 31 in Las Vegas. Heffner said he has discovered hundreds of thousands of surveillance cameras that can be accessed via the public internet.

Source

« Previous Page — Next Page »