
Apple Releases Statement on Celebrity Hacking: iCloud Was Not Breached

“A very targeted attack on user names, passwords and security questions”
Technology • Views: 30,124

Here’s the statement just released by Apple on the theft of celebrities’ photos from their iCloud accounts.

Apple Media Advisory

Update to Celebrity Photo Investigation

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at support.apple.com.

Is the XKeyScore Code Released in Germany Faked?

Expert analysis uncovers serious misrepresentations and possible fakery
Technology • Views: 25,639

Following up on our post about the wildly exaggerated claims made about the purported XKeyScore source code released in Germany this week by hacker Jacob Appelbaum, here’s a very interesting post by cybersecurity expert Robert Graham with evidence that the code may have been at least partly faked: Errata Security: Validating XKeyScore Code.

The burning questions about the XKeyScore “source code” are whether it’s real, and whether it came from Snowden. The Grugq (@thegrugq) has some smart insight into this, and I have my own expertise with deep-packet-inspection code. I thought I’d write up our expert analysis to the questions.

TL;DR: we believe the code is partly fake and that it came from the Snowden treasure trove.

A slightly longer summary is:

  1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.
  2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is "fake".
  3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.
  4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code - if fake, it's not completely so.

Here’s a point that jumped out at me immediately upon looking at the code: all over the Internet, people are claiming that the code identifies linuxjournal.com as an “extremist forum” — but that’s simply false. As I tweeted two days ago:

Graham’s post agrees with this evaluation:

Another misrepresentation in the story is that the source calls the Linux Journal an extremist forum. That’s not true.

A comment does say that TAILS is “a comsec mechanism advocated by extremists on extremist forums”. This is true, as the picture (from the Grugq) demonstrates on the right: it’s a picture from an ISIS/jihad forum advocating the use of TAILS. But nowhere does it claim that the Linux Journal is one of those extremists — that’s something willfully made up by the authors of the story.

That the story already misrepresents the meaning of this source code hints that it may already be misrepresenting the provenance.

Exactly. Something smells very fishy here. Read the whole thing. And for those interested in the highly technical details, here’s Graham’s post going through the code line by line.

This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness
Technology • Views: 15,675
Image via snoopsmaus

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet that are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”
Technology • Views: 11,922
Image via Shutterstock

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”
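The missing length check Seggelmann describes, modelled in Python as an added example (this is not OpenSSL’s code). A heartbeat record carries a one-byte type, a two-byte payload length, the payload and at least 16 bytes of padding; the responder must echo the payload back. One handler trusts the length field inside the message, the other validates it against the number of bytes actually received. The “process memory” buffer, the record layout and the trailing session token that follows the record are all constructed for the illustration, and `build_heartbeat`, `respond_unchecked`, `respond_checked` and `demo` are names chosen here.

```python
import struct

# Constructed model of a TLS heartbeat message (RFC 6520 layout).
HB_TYPE_REQUEST = 1
HB_TYPE_RESPONSE = 2
HEADER_LEN = 3        # 1 byte type + 2 byte payload_length
MIN_PADDING = 16      # the spec requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Build a heartbeat request; claimed_length lets a test lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_TYPE_REQUEST, length) + payload + bytes(MIN_PADDING)


def respond_unchecked(memory: bytes, record_length: int) -> bytes:
    """Defective pattern: the length variable from the message is used without validation.

    `memory` models process memory with the record at offset 0; the copy runs
    for payload_length bytes regardless of how long the record really was.
    """
    _hb_type, payload_length = struct.unpack_from("!BH", memory, 0)
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # may run past the record
    return struct.pack("!BH", HB_TYPE_RESPONSE, payload_length) + payload + bytes(MIN_PADDING)


def respond_checked(memory: bytes, record_length: int):
    """Fixed pattern: check the claimed length against the bytes actually received.

    Returns None when the message must be silently discarded.
    """
    if record_length < HEADER_LEN + MIN_PADDING:
        return None                                  # too short to hold any heartbeat
    hb_type, payload_length = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_TYPE_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None                                  # claimed length exceeds the record
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HB_TYPE_RESPONSE, payload_length) + payload + bytes(MIN_PADDING)


def demo():
    """Run both handlers over one constructed record that claims 40 bytes but carries 4."""
    record = build_heartbeat(b"ping", claimed_length=40)
    # Constructed process memory: the record followed by unrelated data the peer
    # must never see (standing in for the session tokens stolen in the VPN case).
    memory = record + b"session_token=deadbeef-constructed;"
    leaked = respond_unchecked(memory, len(record))
    safe = respond_checked(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unchecked handler echoed:", leaked[HEADER_LEN:HEADER_LEN + 40])
    print("checked handler result:", safe)
```

The one-line comparison in `respond_checked` is the whole fix: the length the peer claims is only trusted after it is bounded by the length the transport layer actually delivered. Logging the discarded messages is also the cheapest detection signal a server operator has for malformed heartbeats.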

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace that it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)

Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.

Susan Benesch on Troll Wrastling for Beginners: Data-Driven Methods to Decrease Hatred Online

Technology • Views: 16,684


Hateful and even violent speech is familiar online; what’s unusual are data-driven efforts to diminish them. Experiments so far have produced intriguing results including: some ‘trolls’ recant or apologize in response to counterspeech, and small changes in platform architecture can improve online discourse norms. In this talk Susan Benesch — founder of the Dangerous Speech Project and professor of American University’s School of International Service — discusses early research and experiments into managing and responding to hateful speech online, especially in climates where online speech may be tied to offline violence.

More info on this event here: cyber.law.harvard.edu

Felix Baumgartner’s 24-Mile High Space Jump, Captured by His GoPro Camera

Baumgartner was wearing a GoPro camera, and the footage is incredible
Technology • Views: 16,967


October 14, 2012, Felix Baumgartner ascended more than 24 miles above Earth’s surface to the edge of space in a stratospheric balloon. Millions across the globe watched as he opened the door of the capsule, stepped off the platform, and broke the speed of sound while free falling safely back to Earth. Felix set three world records that day—and inspired us all to reach beyond the limits of our own realities, and reimagine our potential to achieve the incredible.

GoPro was honored to be a part of this epic achievement, with seven HERO2 cameras documenting every moment. From the airless freeze of outer space, to the record-breaking free fall and momentous return to ground—see it all through Felix’s eyes as captured by GoPro, and experience this incredible mission like never before. No one gets you closer than this.

Shot 100% on the HD HERO2® camera from gopro.com.

Music
East of the River
“Wilderness is Their Home Now”
“Satellites”
eastoftheriveruk.bandcamp.com

Additional Music Courtesy of ExtremeMusic
extrememusic.com

Special Thanks
Red Bull
Ed Herlihy
The Internet Archive
archive.org

Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

While pretending to be about freedom these groups are really about getting personal info and credit cards
Technology • Views: 16,762

A Chicago computer hacker tied to the group known as Anonymous was sentenced Friday to 10 years in prison for cyberattacks on various government agencies and businesses, including a global intelligence company.

Jeremy Hammond, 28, was handed the maximum term for the December 2011 hacking of Strategic Forecasting, an attack his lawyers contend was driven by concern about the role of private firms in gathering intelligence domestically and abroad.

Prosecutors say the hack of Strategic Forecasting, or Stratfor, resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online. Hammond admitted being behind it in May.

He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, and releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.

More: Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

Remember Lavabit, the “Secure Email” Service That Shut Down? It Was Totally Insecure.

“The basic definition of snake oil”
Technology • Views: 19,469

Remember Lavabit, the “secure email” service that was closed down by its owner Ladar Levison, ostensibly to avoid complying with a government request to access their “secure emails?” Specifically, emails from one of their most famous clients, Edward Snowden?

Something that always bothered me about the story: Lavabit claimed on their home page (see screenshot above) that their system was designed so that even their administrators couldn’t read users’ emails. I assumed this meant they were using some kind of public/private key scheme to encrypt emails, so that they would be encrypted while on Lavabit’s servers in a form that could not be decrypted even by Lavabit.

So how then could the government read those emails without the private keys of each user? Well, it turns out that Lavabit’s claim they couldn’t read emails simply wasn’t true. Their basic design was not secure at all, as cryptographer Moxie Marlinspike explains: Op-Ed: Lavabit’s Primary Security Claim Wasn’t Actually True.

If, as Lavabit said, it wasn’t capable of reading its users’ e-mails, how could it have been in a position to provide those plaintext e-mails to the US government?

Unfortunately, Lavabit’s primary security claim wasn’t actually true. As Ladar himself explained in this blog post, the system consisted of four basic steps:

  1. At account creation time, the user selected a login passphrase and transmitted it to the server.
  2. The server generated a keypair for that user, encrypted the private key with the login passphrase the user had selected, and stored it on the server.
  3. For every incoming e-mail the user received, the server would encrypt it with the user’s public key, and store it on the server.
  4. When the user wanted to retrieve an e-mail, they would transmit their password to the server, which would avert its eyes from the plaintext encryption password it had just received, use it to decrypt the private key (averting its eyes), use the private key to decrypt the e-mail (again averting its eyes), and transmit the plaintext e-mail to the user (averting its eyes one last time).

Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out. The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.

The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all. Whether it was or not makes little difference.

So the claim on Lavabit’s home page that they couldn’t read stored emails was simply false. The promise of security they made to their users was a lie. They promised not to read the emails, but breaking that promise would have been trivially easy with the way their system was built — and that’s why the feds wanted access.

It’s not clear whether the Lavabit crew consciously understood the system’s shortcomings and chose to misrepresent them, or if it really believed it built something based on can’t rather than won’t. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.

Yep. And it raises the issue of whether Lavabit’s owner is telling the truth about the real reasons for shutting down his business, as well.
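The four-step design Marlinspike lays out, reduced to a runnable Python model as an added example (this is not Lavabit’s code). Textbook RSA on two small primes stands in for the real keypair and a PBKDF2-derived XOR stream stands in for the passphrase encryption of the private key; both are toys chosen to make the data flow visible, not to be secure. The class name `LavabitStyleServer`, the `observed` list and the helper `server_reads_without_user` are all constructed here. The point the model makes is the one in the op-ed: every secret passes through server code in plaintext, so “can’t read” reduces to “promises not to look.”

```python
import hashlib
import os


# --- toy primitives (constructed; far too weak for real use) -----------------
def toy_keypair():
    """Textbook RSA with tiny primes: returns ((e, n), (d, n))."""
    p, q = 61, 53
    n = p * q
    e = 17
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def rsa_apply(key, values):
    """Apply an RSA exponent to each integer (one byte per block, so n > 255 suffices)."""
    k, n = key
    return [pow(v, k, n) for v in values]


def passphrase_key(passphrase: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=length)


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


# --- the server, following the four steps in the op-ed ------------------------
class LavabitStyleServer:
    def __init__(self):
        self.accounts = {}     # user -> stored public key, wrapped private key, mail
        self.observed = []     # everything the server code "averts its eyes" from

    def create_account(self, user: str, passphrase: str):
        """Steps 1 and 2: the passphrase arrives in plaintext; the server makes the keypair."""
        pub, (d, n) = toy_keypair()
        salt = os.urandom(16)
        priv_bytes = d.to_bytes(4, "big")
        enc_priv = xor(priv_bytes, passphrase_key(passphrase, salt, len(priv_bytes)))
        self.accounts[user] = {"pub": pub, "n": n, "salt": salt,
                               "enc_priv": enc_priv, "mail": []}
        self.observed.append(("passphrase", user, passphrase))

    def deliver(self, user: str, plaintext: bytes):
        """Step 3: mail arrives in plaintext and is encrypted to the user's public key."""
        acct = self.accounts[user]
        acct["mail"].append(rsa_apply(acct["pub"], list(plaintext)))
        self.observed.append(("incoming plaintext", user, plaintext))

    def retrieve(self, user: str, passphrase: str):
        """Step 4: the passphrase arrives again, unwraps the private key, decrypts the mail."""
        acct = self.accounts[user]
        stream = passphrase_key(passphrase, acct["salt"], len(acct["enc_priv"]))
        d = int.from_bytes(xor(acct["enc_priv"], stream), "big")
        messages = [bytes(rsa_apply((d, acct["n"]), c)) for c in acct["mail"]]
        self.observed.append(("passphrase", user, passphrase))
        for m in messages:
            self.observed.append(("outgoing plaintext", user, m))
        return messages


def server_reads_without_user(server: LavabitStyleServer, user: str):
    """What nothing in the design prevents: reuse a passphrase the server has already seen."""
    passphrase = next(p for kind, u, p in reversed(server.observed)
                      if kind == "passphrase" and u == user)
    return server.retrieve(user, passphrase)


if __name__ == "__main__":
    srv = LavabitStyleServer()
    srv.create_account("alice", "correct horse")
    srv.deliver("alice", b"meet at noon")
    print(srv.retrieve("alice", "correct horse"))
    print(server_reads_without_user(srv, "alice"))
    print("server saw:", srv.observed)
```

In a ciphertext-in, ciphertext-out design the keypair would be generated on the client, only the public key would ever be uploaded, and `retrieve` would hand back ciphertext for the client to decrypt; the `observed` list would then contain nothing but ciphertext and a public key. Here the user passphrase must be supplied to the server on every retrieval, so a wrong passphrase simply yields garbage, and a correct one can be replayed by whoever controls the server.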

Ars Technica’s Crazy in-Depth Review of OS X 10.9 Mavericks

Excuse me while I tech out
Technology • Views: 14,865

Apple released the latest version of Mac OS today, code-named Mavericks, and after installing it I feel like I’m at a highly dangerous, potentially lethal surfing spot with insanely gigantic waves. (OK, not rly.) Good thing I read John Siracusa’s incredibly in-depth article on this new operating system before getting my shorts wet: OS X 10.9 Mavericks: The Ars Technica Review.

Mavericks is the first California-themed release of OS X, named after “places that inspire us here in California,” according to Craig Federighi, who says this naming scheme is intended to last for at least the next 10 years. The pressure is on for Mavericks to set a new direction for the Mac platform.

According to Apple, Mavericks has a dual focus. Its first and most important goal is to extend battery life and improve responsiveness. Secondarily, Mavericks aims to add functionality that will appeal to “power users” (Apple’s words), a group that may be feeling neglected after enduring two releases of OS X playing iOS dress-up.

Is that enough for Mavericks to live up to its major-release version number and to kick off the next phase of OS X’s life? Let’s find out.

Breaking Greenwald Bombshell: Spy Agencies Crack Encryption Methods!

Only since the dawn of human history
Technology • Views: 19,553

Greenwald and the Guardian’s latest bombshell breaking story on the NSA uses a fear-mongering tactic that’s been common throughout their bombshell breaking stories — a seemingly deliberate intention to confuse and conflate the ability to do something with the act of doing something.

The breathless headline: US and UK Spy Agencies Defeat Privacy and Security on the Internet.

The overheated lead paragraphs:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

And not a hint of acknowledgment that in order to decrypt any US citizen’s information for any purpose, the government still needs to get an individual warrant. (This time, a search for “warrant” in the article returned no results.)

The bombshell comes down to this: spy agencies crack encryption schemes.

“Since the beginning of human history,” the Guardian did not add.

UPDATE at 9/5/13 2:07:00 pm

Greenwald boasts that he ignored government requests not to publish the article:
