Information Security News
by Cyrus Farivar
On Friday, Google told The Washington Post that it was accelerating implementation of end-to-end encryption between its data centers worldwide.
The search giant did not immediately respond to a request for comment from Ars.
“Google has data centers around the world and when you have an e-mail stored, it’s stored at [something like] six data centers around the world,” Chris Soghoian, a privacy expert at the American Civil Liberties Union, told Ars. “Every single bit of data is now going to be encrypted, so now if the government is listening to that fiber, they won’t get that data.”
The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency, a security researcher has speculated.
Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own "hostile" exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.
"Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys," Graham wrote in a blog post published Friday. "Assuming no 'breakthroughs,' the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips."
Given that we now know that the National Security Agency (NSA) has the ability to compromise some, if not all, VPN, SSL, and TLS forms of data-transmission hardening, it’s worth considering the various vectors of technical and legal data-gathering that high-level adversaries in America and Britain (and likely other countries, at least in the “Five Eyes” group of anglophone allies) are likely using in parallel to go after a given target. So far, the possibilities include:
Let’s take these one at a time.
As Ars has reported before, one of the major telecommunications companies in America—either Verizon or AT&T—went to the NSA in the days after September 11, 2001 because it “noticed odd patterns in domestic calling records surrounding the events of 11 September and offered call records and analysis."
I peruse my spam folder periodically looking for anything out of the ordinary. I also examine quite closely emails that are obviously spam yet make it through to my inbox. This one in fact reads a lot like a job application, or a business promotion attempt gone wrong. Unlike a job application it was not addressed to anyone in particular, and was in fact sent to the SANS Internet Storm Center Handlers distribution list. The fact that the handlers are on a spam list is, I suppose, not surprising. What I find odd is that this person who is looking for work bought a list for the purpose of spamming it! He did not attach a resume (unlike spammer Bernard Shifman); however, he did place a link to his LinkedIn profile so that the recipients of his spam can read all about his having achieved his MBA. Which made me wonder if they teach spamming at college or university these days. My thoughts on the subject are that spamming is not the way to go when marketing yourself or your business. Also, I am fairly certain SANS would not hire a spammer as a 'business analyst'. The handlers list has never been used to advertise any job openings, which really has me wondering where he got it. Also, where would he get the idea that spamming random people on the Internet would help his job search?
Here is the first part of the correspondence:
He is unapologetic and responds that he is being creative!
I wonder if they teach ethics in business at the place he acquired his MBA? What do you think? Creative or a spammer?
Would you hire or do business with a spammer? He appears to be in good company; has spamming become the new resume distribution method of choice?:
I find it depressing that the spammer appears to have in fact gotten a job roughly four weeks later. Well, according to his LinkedIn profile, so it must be true!
A recommended read on how to actually find a job without sending spam:
What is a 'Bernard Shifman':
Adrien de Beaupré
My SANS Teaching Schedule
Posted by InfoSec News on Sep 06: http://healthitsecurity.com/2013/09/04/ehr-and-mobile-device-auditing-security-requires-vigilance/
Posted by InfoSec News on Sep 06: http://www.wired.com/threatlevel/2013/09/nsa-backdoored-and-stole-keys/
Posted by InfoSec News on Sep 06: http://www.chicagotribune.com/news/local/breaking/chi-advocate-medical-group-didnt-adequately-secure-data-classaction-suit-says-20130905,0,7744379.story
Posted by InfoSec News on Sep 06: http://www.zdnet.com/darknets-wargames-and-raspberry-pi-at-first-ever-balkan-hacker-conference-7000020315/
Posted by InfoSec News on Sep 06: http://rt.com/usa/fbi-adds-sea-wanted-list-484/
InfoSec Skills Partners with Global Certification Institute (GCI) to ...
PR.com (press release)
InfoSec Skills has entered into a partnership agreement with Australia's leading certification and examination services provider to launch a new certification scheme in Information Assurance for the Asia Pacific marketplace. This incorporates ...
GCI to distribute BCS-accredited IA training to combat skills shortage