
Apple Releases Statement on Celebrity Hacking: iCloud Was Not Breached

“A very targeted attack on user names, passwords and security questions”
Technology • Views: 30,413

Here’s the statement just released by Apple on the theft of celebrities’ photos from their iCloud accounts.

Apple Media Advisory

Update to Celebrity Photo Investigation

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at support.apple.com.

Is the XKeyScore Code Released in Germany Faked?

Expert analysis uncovers serious misrepresentations and possible fakery
Technology • Views: 25,833

Following up on our post about the wildly exaggerated claims made about the purported XKeyScore source code released in Germany this week by hacker Jacob Applebaum, here’s a very interesting post by cybersecurity expert Robert Graham with evidence that the code may have been at least partly faked: Errata Security: Validating XKeyScore Code.

The burning questions about the XKeyScore “source code” are whether it’s real, and whether it comes from Snowden. The Grugq (@thegrugq) has some smart insight into this, and I have my own expertise with deep-packet-inspection code. I thought I’d write up our expert analysis to the questions.

TL;DR: we believe the code is partly fake and that it came from the Snowden treasure trove.

A slightly longer summary is:

  1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.
  2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is "fake".
  3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.
  4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code - if fake, it's not completely so.

Here’s a point that jumped out at me immediately upon looking at the code: all over the Internet, people are claiming that the code identifies linuxjournal.com as an “extremist forum” — but that’s simply false. As I tweeted two days ago:

Graham’s post agrees with this evaluation:

Another misrepresentation in the story is that the source calls the Linux Journal an extremist forum. That’s not true.

A comment does say that TAILS is “a comsec mechanism advocated by extremists on extremist forums”. This is true, as the picture (from the Grugq) demonstrates on the right: it’s a picture from an ISIS/jihad forum advocating the use of TAILS. But nowhere does it claim that the Linux Journal is one of those extremists — that’s something willfully made up by the authors of the story.

That the story already misrepresents the meaning of this source code hints that it may already be misrepresenting the provenance.

Exactly. Something smells very fishy here. Read the whole thing. And for those interested in the highly technical details, here’s Graham’s post going through the code line by line.

This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness
Technology • Views: 15,872

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet that are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”
Technology • Views: 12,093

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”
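The missing length validation Seggelmann describes, shown as an added example that is not OpenSSL’s code or anything from the article: a deliberately simplified heartbeat handler in C, where the check marked in the comment is the one whose absence became Heartbleed. The record layout, the constants, and the two sample records are constructed assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat record layout for this example
 * (not OpenSSL's real structures):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : payload length, big-endian, chosen by the sender
 *   bytes 3..  : payload, followed by at least 16 bytes of padding
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Build a response that echoes the request payload.
 * Returns the number of bytes written to out, or -1 if the record is rejected.
 * The defect described in the article was the absence of the bounds check
 * marked below: the handler trusted the sender's 16-bit length field and
 * copied that many bytes out of the request buffer, however few had arrived. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Bounds check: header + declared payload + padding must fit within the
     * bytes actually received. A record failing this test is never
     * legitimate, which also makes it a useful event to log. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Padding content does not matter here; a real implementation randomizes it. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Constructed request: type 1, length 5, payload "hello", 16 bytes of padding.
 * Returns the response length (24) when the echo is correct. */
int check_well_formed(void)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
        { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    int n = heartbeat_respond(rec, sizeof rec, out, sizeof out);
    if (n != (int)sizeof rec)
        return -1;
    if (out[0] != HB_RESPONSE || memcmp(out + HB_HEADER_LEN, "hello", 5) != 0)
        return -2;
    return n;
}

/* Constructed request that declares a 65535-byte payload but is only 19 bytes
 * long: the shape of a malformed heartbeat. Returns -1 (rejected). */
int check_oversized_claim(void)
{
    uint8_t rec[HB_HEADER_LEN + HB_MIN_PADDING] = { HB_REQUEST, 0xff, 0xff };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("well-formed request -> %d\n", check_well_formed());
    printf("oversized claim     -> %d\n", check_oversized_claim());
    return 0;
}
```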

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace that it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)

Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.

Susan Benesch on Troll Wrastling for Beginners: Data-Driven Methods to Decrease Hatred Online

Technology • Views: 16,755


Hateful and even violent speech is familiar online; what’s unusual are data-driven efforts to diminish them. Experiments so far have produced intriguing results including: some ‘trolls’ recant or apologize in response to counterspeech, and small changes in platform architecture can improve online discourse norms. In this talk Susan Benesch — founder of the Dangerous Speech Project and professor of American University’s School of International Service — discusses early research and experiments into managing and responding to hateful speech online, especially in climates where online speech may be tied to offline violence.

More info on this event here: cyber.law.harvard.edu

Felix Baumgartner’s 24-Mile High Space Jump, Captured by His GoPro Camera

Baumgartner was wearing a GoPro camera, and the footage is incredible
Technology • Views: 17,062


October 14, 2012, Felix Baumgartner ascended more than 24 miles above Earth’s surface to the edge of space in a stratospheric balloon. Millions across the globe watched as he opened the door of the capsule, stepped off the platform, and broke the speed of sound while free falling safely back to Earth. Felix set three world records that day—and inspired us all to reach beyond the limits of our own realities, and reimagine our potential to achieve the incredible.

GoPro was honored to be a part of this epic achievement, with seven HERO2 cameras documenting every moment. From the airless freeze of outer space, to the record-breaking free fall and momentous return to ground—see it all through Felix’s eyes as captured by GoPro, and experience this incredible mission like never before. No one gets you closer than this.

Shot 100% on the HD HERO2® camera from gopro.com.

Music
East of the River
“Wilderness is Their Home Now”
“Satellites”
eastoftheriveruk.bandcamp.com

Additional Music Courtesy of ExtremeMusic
extrememusic.com

Special Thanks
Red Bull
Ed Herlihy
The Internet Archive
archive.org

Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

While pretending to be about freedom these groups are really about getting personal info and credit cards
Technology • Views: 16,795

A Chicago computer hacker tied to the group known as Anonymous was sentenced Friday to 10 years in prison for cyberattacks on various government agencies and businesses, including a global intelligence company.

Jeremy Hammond, 28, was handed the maximum term for the December 2011 hacking of Strategic Forecasting, an attack his lawyers contend was driven by concern about the role of private firms in gathering intelligence domestically and abroad.

Prosecutors say the hack of Strategic Forecasting, or Stratfor, resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online. Hammond admitted being behind it in May.

He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, and releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.

More: Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

Remember Lavabit, the “Secure Email” Service That Shut Down? It Was Totally Insecure.

“The basic definition of snake oil”
Technology • Views: 19,625

Remember Lavabit, the “secure email” service that was closed down by its owner Ladar Levison, ostensibly to avoid complying with a government request to access their “secure emails?” Specifically, emails from one of their most famous clients, Edward Snowden?

Something that always bothered me about the story: Lavabit claimed on their home page (see screenshot above) that their system was designed so that even their administrators couldn’t read users’ emails. I assumed this meant they were using some kind of public/private key scheme to encrypt emails, so that they would be encrypted while on Lavabit’s servers in a form that could not be decrypted even by Lavabit.

So how then could the government read those emails without the private keys of each user? Well, it turns out that Lavabit’s claim they couldn’t read emails simply wasn’t true. Their basic design was not secure at all, as cryptographer Moxie Marlinspike explains: Op-Ed: Lavabit’s Primary Security Claim Wasn’t Actually True.

If, as Lavabit said, it wasn’t capable of reading its users’ e-mails, how could it have been in a position to provide those plaintext e-mails to the US government?

Unfortunately, Lavabit’s primary security claim wasn’t actually true. As Ladar himself explained in this blog post, the system consisted of four basic steps:

  1. At account creation time, the user selected a login passphrase and transmitted it to the server.
  2. The server generated a keypair for that user, encrypted the private key with the login passphrase the user had selected, and stored it on the server.
  3. For every incoming e-mail the user received, the server would encrypt it with the user’s public key, and store it on the server.
  4. When the user wanted to retrieve an e-mail, they would transmit their password to the server, which would avert its eyes from the plaintext encryption password it had just received, use it to decrypt the private key (averting its eyes), use the private key to decrypt the e-mail (again averting its eyes), and transmit the plaintext e-mail to the user (averting its eyes one last time).

Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out. The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.

The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all. Whether it was or not makes little difference.

So the claim on Lavabit’s home page that they couldn’t read stored emails was simply false. The promise of security they made to their users was a lie. They promised not to read the emails, but breaking that promise would have been trivially easy with the way their system was built — and that’s why the feds wanted access.

It’s not clear whether the Lavabit crew consciously understood the system’s shortcomings and chose to misrepresent them, or if it really believed it built something based on can’t rather than won’t. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.

Yep. And it raises the issue of whether Lavabit’s owner is telling the truth about the real reasons for shutting down his business, as well.

Ars Technica’s Crazy in-Depth Review of OS X 10.9 Mavericks

Excuse me while I tech out
Technology • Views: 14,935

Apple released the latest version of Mac OS today, code-named Mavericks, and after installing it I feel like I’m at a highly dangerous, potentially lethal surfing spot with insanely gigantic waves. (OK, not rly.) Good thing I read John Siracusa’s incredibly in-depth article on this new operating system before getting my shorts wet: OS X 10.9 Mavericks: The Ars Technica Review.

Mavericks is the first California-themed release of OS X, named after “places that inspire us here in California,” according to Craig Federighi, who says this naming scheme is intended to last for at least the next 10 years. The pressure is on for Mavericks to set a new direction for the Mac platform.

According to Apple, Mavericks has a dual focus. Its first and most important goal is to extend battery life and improve responsiveness. Secondarily, Mavericks aims to add functionality that will appeal to “power users” (Apple’s words), a group that may be feeling neglected after enduring two releases of OS X playing iOS dress-up.

Is that enough for Mavericks to live up to its major-release version number and to kick off the next phase of OS X’s life? Let’s find out.

Breaking Greenwald Bombshell: Spy Agencies Crack Encryption Methods!

Only since the dawn of human history
Technology • Views: 19,653

Greenwald and the Guardian’s latest bombshell breaking story on the NSA uses a fear-mongering tactic that’s been common throughout their bombshell breaking stories — a seemingly deliberate intention to confuse and conflate the ability to do something with the act of doing something.

The breathless headline: US and UK Spy Agencies Defeat Privacy and Security on the Internet.

The overheated lead paragraphs:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

And not a hint of acknowledgment that in order to decrypt any US citizen’s information for any purpose, the government still needs to get an individual warrant. (This time, a search for “warrant” in the article returned no results.)

The bombshell comes down to this: spy agencies crack encryption schemes.

“Since the beginning of human history,” the Guardian did not add.

UPDATE at 9/5/13 2:07:00 pm

Greenwald boasts that he ignored government requests not to publish the article:
