sysinfosec.net
Thursday, May 23 2013 @ 01:45 AM MDT

Boston Marathon Bombing Scams

General Site News

According to multiple sources, scams are popping up all over the Internet in attempts to steal the cash of individuals trying to send money to help the situation in Boston.  It seems that a person with a kind heart is always a target in times of tragedy.

Read on for more details.


Bruce Schneier's Crypto-Gram April 15, 2013

Crypto-Gram Newsletter

April 15, 2013

by Bruce Schneier
Chief Security Technology Officer, BT
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1304.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:



One in six Amazon S3 storage buckets are ripe for data-plundering

Information Security Topics I'm reading

According to a recent article published by InfoWorld, a large number of Amazon S3 "storage buckets" are not marked "private" and may be accessible by those who are not intended to access them.  According to the research presented in the article, these "storage buckets" are not marked private by default -- the user must mark their "storage buckets" private or they will default to public.


Notable highlights:

  • Thanks to the predictable, public-facing nature of S3 buckets, the researchers were able to discover a total of 12,328 unique buckets; 1,951 of them were public, and 10,377 were private.
    • By default, the URL to the bucket will be either http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/.
  • Amazon AWS security team has warned their users about the risk and is "currently putting measures in place to proactively identify misconfigured files and buckets moving forward."
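The public/private split the researchers report comes down to which grantees appear in a bucket's access control list. The following script is an added example written for this post; it is not code from the InfoWorld article, the researchers or AWS. It classifies ACLs in the shape returned by boto3's get_bucket_acl() by looking for grants to the two AWS-wide groups (AllUsers and AuthenticatedUsers), builds the two URL forms quoted above for a bucket name, and totals the split. The bucket names, owner ID and ACLs are constructed samples.

```python
# Added example (not from the InfoWorld article or AWS): classify S3 bucket
# ACLs as public or private by looking for grants to the two AWS-wide groups,
# and build the two bucket URL forms the article quotes.
from typing import Dict, List, Tuple

# URIs AWS assigns to the predefined groups "Everyone" and "Any authenticated
# AWS user". A grant to either makes the bucket public in the article's sense;
# AuthenticatedUsers counts because any AWS account holder, not just your own
# users, qualifies.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def bucket_urls(bucket: str) -> List[str]:
    """The two URL forms the article quotes for a given bucket name."""
    return [
        f"http://s3.amazonaws.com/{bucket}/",
        f"http://{bucket}.s3.amazonaws.com/",
    ]


def public_grants(acl: Dict) -> List[str]:
    """Return one 'PERMISSION for GROUP' string per public grant in an ACL.

    `acl` has the shape of boto3's get_bucket_acl() response:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}]}.
    READ on a bucket permits listing its keys, which is what lets an
    outsider enumerate and then fetch the files inside.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{grant['Permission']} for {group}")
    return findings


def classify(acl: Dict) -> str:
    """'public' if any grant goes to an AWS-wide group, else 'private'."""
    return "public" if public_grants(acl) else "private"


def audit(buckets: Dict[str, Dict]) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Classify every bucket in a {name: acl} mapping and count the split."""
    report = {name: classify(acl) for name, acl in buckets.items()}
    counts = {"public": 0, "private": 0}
    for verdict in report.values():
        counts[verdict] += 1
    return report, counts


# Constructed sample ACLs for two hypothetical buckets; the owner ID is a placeholder.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": {"ID": OWNER["ID"]},
              "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                         {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}
SAMPLE_BUCKETS = {"example-private-bucket": PRIVATE_ACL,
                  "example-public-bucket": PUBLIC_ACL}

if __name__ == "__main__":
    report, counts = audit(SAMPLE_BUCKETS)
    for name, verdict in report.items():
        print(f"{verdict:8} {bucket_urls(name)[1]}  {public_grants(SAMPLE_BUCKETS[name])}")
    print(counts)
```

To run this against your own account, replace SAMPLE_BUCKETS with the real ACLs, for example `{b["Name"]: s3.get_bucket_acl(Bucket=b["Name"]) for b in s3.list_buckets()["Buckets"]}` using a boto3 S3 client. Note that a bucket policy can grant public access independently of the ACL, so an ACL-only check like this one understates exposure; review bucket policies as well.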

Read the full story for details.

--Moderator


Bruce Schneier's Crypto-Gram March 15, 2013

Information Security Topics I'm reading

Crypto-Gram Newsletter

March 15, 2013

by Bruce Schneier
Chief Security Technology Officer, BT
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1303.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.


In this issue:



US-CERT TA13-071A -- Microsoft releases critical patches today

Information Security Topics I'm reading

Today, Microsoft released multi-platform (for Windows workstations and servers, as well as Apple OS X) patches, some with critical impact resulting in remote code execution.  Read the full story for all details.


National Cyber Awareness System
TA13-071A: Microsoft Updates for Multiple Vulnerabilities

Original release date: March 12, 2013

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office
* Microsoft Server Software
* Microsoft Silverlight

Overview

Select Microsoft software products contain multiple vulnerabilities.
Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for March 2013 describes
multiple vulnerabilities in Microsoft software. Microsoft has released
updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a
denial of service, or gain unauthorized access to your files or system.


Trustwave issues their 2013 Global Security Report

Information Security Topics I'm reading

On 20 Feb 2013, Trustwave distributed their 2013 Global Security Report.


According to the Executive Summary of the report, "During 2012, nearly every industry, country and type of data was involved in a breach of some kind.   Cybersecurity threats are increasing as quickly as businesses can implement measures against them. At the same time, businesses must embrace virtualization and cloud, user mobility and heterogeneous platforms and devices. They also have to find ways to handle and protect exploding volumes of sensitive data. The combination of business and IT transformation, compliance and governance demands and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge for organizations of all types—from multinational corporations to independent merchants to government entities."


US-CERT Alert TA13-051A - Oracle Java Multiple Vulnerabilities

Information Security Topics I'm reading

US-CERT has issued Alert TA13-051A describing multiple high-impact Java vulnerabilities.


Web browsers using the Java plug-in are at risk.  See the full report for the description.


Bruce Schneier's CRYPTO-GRAM February 15, 2013

Information Security Topics I'm reading

Crypto-Gram Newsletter

February 15, 2013

by Bruce Schneier
Chief Security Technology Officer, BT
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1302.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.


In this issue:



Millions of devices vulnerable to a single packet attack

Information Security Topics I'm reading

When I first read about this attack, it reminded me of the old "Ping of Death" ICMP vulnerability, but according to an article on The H, the security group Rapid7, the security firm that is responsible for the Metasploit attack framework, has discovered that millions of devices are vulnerable to a UPnP (Universal Plug and Play) based attack that may allow an attacker to take over devices on remote networks.


PCI Security Council publishes guidance on Cloud Computing

Information Security Topics I'm reading

Today, the PCI Security Council published guidance for entities that handle cardholder data and outsource computing facilities to cloud service providers.


Quoting the guidance document, "Cloud security is a shared responsibility between the cloud service provider (CSP) and its clients. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the CSP’s infrastructure and the client’s usage of that environment. The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements."
