InformationWeek Stories by Mathew Schwartz (http://www.informationweek.com). Copyright 2012, UBM LLC.

2013-06-18T12:40:00Z
FBI Driver's License Photo Searches Raise Privacy Questions
Facial-recognition software advances allow law enforcement and government agencies to match images of unknown suspects with government-issued ID photos.
http://www.informationweek.com/security/privacy/fbi-drivers-license-photo-searches-raise/240156871?cid=SBX_iwk_related_video_Privacy_security

When conducting investigations, the FBI can now compare images of unknown suspects with state-issued driver's license photographs, using facial-recognition software to find potential hits.

That revelation was made Monday by the privacy rights group Electronic Privacy Information Center (EPIC). "Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs," according to a statement released by the organization. "The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs."

According to EPIC, one use of this data would allow the FBI to create a "massive virtual line-up" of suspects in an investigation.

The FBI isn't alone in running biometric searches on driver's license data.
According to <a href="http://www.washingtonpost.com/business/technology/state-photo-id-databases-become-troves-for-police/2013/06/16/6f014bd4-ced5-11e2-8845-d970ccb04497_story.html"><em>The Washington Post</em></a>, 26 states -- including Texas, Massachusetts, Illinois and Florida -- have facial-recognition systems, and allow police to search that data or request searches against a combined 107 million photos. Meanwhile, 11 states have facial-recognition systems but generally don't allow law enforcement agencies to search their combined 38 million images. Finally, 13 states have amassed a combined 65 million photos, but don't have facial-recognition systems for searching driver's license photos.

While the FBI has agreements with some states that allow the bureau to search their driver's license and non-driver ID photos, the bureau has also amassed about 15 million photographs of arrestees and people convicted of crimes. The State Department, meanwhile, has about 230 million photos relating to visas and passports, but has relatively tight controls on how that information can be accessed by law enforcement agencies. Finally, the Defense Department has a database of about 6 million photos, largely composed of people in Afghanistan and Iraq, compiled by soldiers battling insurgents. In fact, the facial-recognition software used by most government agencies, developed by Boston-based private contractor MorphoTrust USA, which is owned by France-based Safran, was created to help soldiers in the field positively identify insurgents.
Running facial recognition searches has long been the stuff of cop shows: A grainy still image captured from a CCTV camera is compared, using software, with a database of driver's license or other official government ID photos, until a sudden high-probability "hit" is made, helping investigators chase down a suspect and crack their case.

While facial-recognition-search payoffs are common on <em>NCIS</em>, in real life the software carries caveats, with the <em>Post</em> noting that one image of a middle-aged white man might return a match with a 20-something African-American woman who has similarly shaped eyes or lips.

Still, advances in software are making large-scale facial recognition searches more feasible. But that raises privacy questions: Who should be allowed to run these facial recognition searches, and what privacy controls or oversight should be in place?

One fear is that authorities might amass a facial recognition database on par with national registers of fingerprint data and, increasingly, DNA data. Accordingly, EPIC said that it's currently "suing the FBI to learn more about its development of a vast biometric identification database," referring to the bureau's <a href="https://www.fbi.gov/about-us/cjis/fingerprints_biometrics/ngi">Next Generation Identification program</a>, which EPIC said will aggregate information about "fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs and other identifying information."

The privacy rights group has warned that large-scale biometric databases could, for example, be used by law enforcement agencies to automatically catalog the identity of everyone participating in a peaceful -- and legal -- political demonstration.

"The potential for abuse of this technology is such that we have to make sure we put in place the right safeguards to prevent misuse," said Sen. Al Franken (D-Minn.), in a statement.
"We also need to make sure the government is as transparent as possible in order to give the American people confidence it's using this technology appropriately."

In the case of the FBI, facial recognition is provided by -- and full access to the underlying data restricted to -- the bureau's Facial Analysis Comparison and Evaluation (FACE) services unit, which is part of the bureau's criminal justice information services division, and which is staffed by highly trained biometric image specialists. The FACE unit, which has been operating since 2011, "accepts unclassified photographs of subjects of FBI investigations (probe photos) and uses facial recognition technology to compare those photos against FBI databases, other federal photo databases to which the FBI legally has access, and photo repositories from states that have entered into agreements with the FBI to share data," according to a related FBI privacy threshold analysis report, which was obtained by EPIC.

"After comparison and evaluation, the FACE services unit returns to the FBI case agent or analyst candidate photos that are likely matches to the probe photo, with the caveat that the candidate photos may serve only as investigative leads and do not constitute positive identification," according to the privacy threshold analysis.

Beyond the FBI, many state and local law enforcement agencies have long been allowed to access driver's license information for suspects who have been identified during the course of an investigation. For states that allow police to access facial-recognition search software for driver's license photos, some limit searches to only certain types of trained investigators, while others allow searches to be conducted only from headquarters.

But using facial-recognition software now provides police with the potential to take a photograph of an unknown suspect or "person of interest" and work backwards until they can positively identify the subject.
In a case cited by the <em>Post</em>, for example, during the course of a homicide investigation a tipster pointed Las Vegas police to a photograph of an unidentified woman and said she had lived in Nebraska. Taking the image and using facial-recognition software to compare it with Nebraska driver's license photographs produced a hit, which led to investigators cracking the case.

"That picture hung on our wall for a long time," Betty Johnson, Nebraska's vehicle services administrator, told the <em>Post</em>. "We are pretty darn proud of that one."

2013-06-18T09:06:00Z
CrowdStrike Falcon Traces Attacks Back To Hackers
Startup that encourages playing offense on security launches cloud-based service to help businesses identify adversaries, mitigate attacks and pursue responses.
http://www.informationweek.com/security/attacks/crowdstrike-falcon-traces-attacks-back-t/240156832?cid=SBX_iwk_related_video_Privacy_security

Who's launching online attacks against your network? How can you better detect those attacks and -- if an attack turns out to be successful -- identify what was stolen?

Enabling businesses to answer those questions is the premise of a cloud-based service announced Tuesday by security startup CrowdStrike.
Dubbed Falcon, the big-data "active defense platform" is designed to identify intrusions in real time, attribute attacks -- correlating them with a known group of attackers -- and help businesses block attacks or even engage in counterintelligence or deception by feeding attackers fake information.

"This is the real-time damage assessment that no one is doing today," said <a href="http://www.informationweek.com/security/attacks/shady-rat-attack-hit-72-organizations/231300162">Dmitri Alperovitch</a>, the co-founder and CTO of CrowdStrike, speaking by phone. "It shows you who the adversary is, what did they do [on your network], what did they take, which commands did they execute?"

The service works in part by running a small (400 KB) "sensor" on Windows 7 and Mac OS X systems, bolstered by DNS, email and API sensors on servers, to track the types of attacks that are being launched. CrowdStrike then correlates attack information with intelligence that the company gathers on attack groups.

As highlighted by <a href="http://www.informationweek.com/security/attacks/spear-phishing-attacks-on-the-rise/230500025">successful spear-phishing attacks</a> against everyone from security giant RSA to the White House, stopping every last information security attack might be impossible. So-called <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">advanced persistent threat (APT) groups</a> often use fake emails and attachments to infect targeted PCs and steal data, oftentimes without end users or security teams being aware.
Once attackers infect a single PC, unless they're detected, they can lurk in corporate networks indefinitely: telecommunications giant <a href="http://www.informationweek.com/security/attacks/8-lessons-from-nortels-10-year-security/232601092">Nortel</a> was compromised for 10 years, <a href="http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064">defense contractor QinetiQ</a> for three years.

Such attacks are cheap to build and inexpensive to launch. Even if only one attack out of every 100 or 1,000 attempts succeeds, that might equal success for attackers. Given that reality, CrowdStrike's play is to help businesses identify not just when they've been attacked, but also who stole the information, what they stole and why they targeted the business in the first place -- what's their bigger goal?

"The problem you've had for the past six to seven years is the emergence of targeted attackers, and for them, it doesn't matter how many layers of defense you put in place; what they want is you," said Alperovitch. "They want money, national secrets, intellectual property, and they're going to worm their way in, because the return on that investment is gigantic."

Could defenders gain an edge by better understanding their attackers? "From an adversary perspective, we really focus on the targeted attackers," said Alperovitch. "We're tracking lots of nation-state-sponsored groups that are working to penetrate companies," he said, and "understanding their campaigns, and tradecraft, as well as who they're targeting."

CrowdStrike has grouped attackers into "adversary groups" -- to date, about 48 in total -- named for country characteristics: "pandas" for groups operating from China; "cats" as in Persian cats for Iran; "bears" for Russia; "saints" for Georgia; and "tigers" for India. "Some in the community refer to the adversary by the malware detection name from a specific antivirus vendor, e.g. Hydraq," said Adam Meyers, director of intelligence at CrowdStrike, in a <a href="http://www.crowdstrike.com/blog/whois-anchor-panda/index.html">blog post</a>, referring to the name of the malware used in the so-called <a href="http://www.informationweek.com/security/attacks/google-aurora-hack-was-chinese-counteres/240155268">Aurora attacks</a> against Google. "This is sometimes useful, but when the adversary is using a malware that is detected as Generic.Downloader.234, you have a much harder time communicating," Meyers said.

CrowdStrike recommends that businesses use its intelligence on online adversaries to identify and focus on the attackers they're most likely to face. "For example, if you're in the financial service industry, you'll care about Big Panda, which is going after financial services firms, but not Karma Panda that's going after dissident groups," said Alperovitch. "If you're trying to go after everyone and defend against everything, you're really defending against nothing."

For instance, one group that CrowdStrike has been tracking -- dubbed Anchor Panda -- has launched 124 attacks over the past six months, many of which appear to be aimed in part at <a href="http://www.informationweek.com/security/attacks/chinese-hackers-stole-us-military-secret/240155624">building out deep-sea capabilities</a>. Meyers recently told <em>The New Yorker</em> that the information being targeted by the group bears more than a passing resemblance to <a href="http://www.newyorker.com/reporting/2013/05/20/130520fa_fact_seabrook">China's five-year plan for modernizing its infrastructure</a>.

Once businesses have identified the group behind an attack, or used new intelligence to identify previously unidentified attacks that were successful as well as what was stolen, what happens next?
According to Alperovitch, "if you want to work with the government, we can help with that as well, on our services side," which is headed by <a href="http://www.informationweek.com/security/attacks/china-hack-attacks-play-offense-or-defen/240150482">Shawn Henry</a>, whose prior job was serving as the executive assistant director of the FBI's criminal, cyber, response and services branch. "Or you take the attribution and take legal action against that individual or the company," he said. "A lot of companies are multinationals, so you can actually sue them in the United States -- or in a jurisdiction of your choosing overseas, and get criminal damages or injunctive relief for stolen information."

Alperovitch said that when it comes to responding to hack attacks, there can be strength in numbers: "If you're one company going up against China, you're going to be afraid of retaliation, of your business being shut out of China. But if you're in a band of 20 or 30 Fortune 100 companies, China can't really retaliate; it needs them all."

"Ultimately we'll only solve this problem together, not individually trying to build castles to protect ourselves," said Alperovitch.
"That model hasn't worked in the physical world in over 400 years, and certainly not in cyber space."

2013-06-17T11:42:00Z
Apple, Facebook, Microsoft Detail Surveillance Requests
Newly published information details the total number of government surveillance requests received; Google abstains, citing "a step back for users."
http://www.informationweek.com/security/privacy/apple-facebook-microsoft-detail-surveill/240156783?cid=SBX_iwk_related_video_Privacy_security

Apple, Facebook and Microsoft, under fire from customers domestic and foreign, have received permission from the Department of Justice and FBI to detail the number of requests they've received for customer data from the U.S. government.

The Internet businesses had written to U.S. Attorney General Eric Holder <a href="http://www.informationweek.com/security/privacy/nsa-prism-google-facebook-want-more-tran/240156491">demanding greater transparency</a> about how they must comply with U.S. government surveillance data demands, in the wake of the <a href="http://www.informationweek.com/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419">recent leak</a> by former NSA contractor Edward Snowden about the <a href="http://www.informationweek.com/security/government/nsa-prism-patriot-act-author-questions-s/240156451">Prism program</a>, which the NSA refers to as the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), and which targets foreign audio, email and video data.

Google, however, declined to release similar statistics, saying the government's restrictions "would be a step back for users." That's because the published information details only the total number of requests received, without distinguishing ordinary criminal-investigation requests from national security demands, whether from intelligence agencies such as the NSA or from the secret U.S. court that issues foreign surveillance orders under FISA.

In a <a href="http://www.apple.com/apples-commitment-to-customer-privacy/">statement</a> released Monday, Apple said that between Dec. 1, 2012, and May 31, 2013, it fielded between 4,000 and 5,000 data requests from the U.S. government. "Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters," said Apple. "The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide."
Reiterating previous statements, Apple said that "we do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order." Even with a court order, however, not all types of user data are available to the government via these requests, including iMessage and FaceTime conversations -- which are encrypted end-to-end and not readable by Apple -- as well as data related to customers' location, Siri requests and map searches, which Apple said it declines to store "in any identifiable form."

Facebook, which counts 1.1 billion users, said Friday that in the second half of 2012 it received between 9,000 and 10,000 requests for information from law enforcement agencies, pertaining to 18,000 to 19,000 accounts, or about 0.0017% of all Facebook users. "<a href="https://newsroom.fb.com/News/636/Facebook-Releases-Data-Including-All-National-Security-Requests">These requests run the gamut</a> -- from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat," said Ted Ullyot, Facebook's general counsel, in a blog post.

Microsoft, meanwhile, reported Friday that for the second half of 2012 it received between 6,000 and 7,000 requests, pertaining to between 31,000 and 32,000 consumer accounts. "We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide <a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/06/14/microsoft-s-u-s-law-enforcement-and-national-security-requests-for-last-half-of-2012.aspx">business records about U.S. customers</a>," said John Frank, VP and deputy general counsel for Microsoft, in a blog post.
According to Frank, the Justice Department and FBI allowed Microsoft "to publish data on national security orders received," but only for the second half of 2012, with totals presented in bands of 1,000 and with all of Microsoft's consumer services grouped together in a single count. "We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes."

Google, however, has declined to release similar figures. Via a <a href="http://blogs.wsj.com/digits/2013/06/14/facebook-got-fewer-than-10000-gov-data-requests-in-2nd-half-of-2012/">statement</a> provided to <em>The Wall Street Journal</em>, a spokesman said that Google has "always believed that it's important to differentiate between different types of government requests," referring to national security requests for data versus data provided for criminal investigations.

"Lumping the two categories together would be a step back for users," said the Google spokesman. "Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

Google already <a href="http://googleblog.blogspot.co.uk/2013/06/what.html">publishes partial information</a> about data demands in its semi-annual transparency report. But aside from a <a href="http://www.informationweek.com/government/policy/google-reports-censorship-surge/240153687">count of National Security Letters received</a>, it legally isn't allowed to detail the number of FISA requests it receives for national security purposes, or the number of Google accounts those requests cover.

U.S. intelligence officials appear to be mindful of the fallout now facing Internet companies that must comply with court orders pertaining to customers' data. "The [U.S. government] requires (in legal terms, 'compels') U.S. technology companies to provide certain communications records," according to a <a href="http://www.washingtonpost.com/world/national-security/call-records-of-fewer-than-300-people-were-searched-in-2012-us-says/2013/06/15/5e611cee-d61b-11e2-a73e-826d299ff459_story.html">statement provided Saturday to Congress</a> by U.S. intelligence officials. "While required to comply, U.S. companies have put energy, focus and commitment to consistently protect the privacy of their customers, as well as the safety and security of these same customers, around the world."

The technology companies, meanwhile, have said they're still not satisfied with the level of detail they've been allowed to provide to customers, and continue to push the Department of Justice to give them more leeway. "We understand they have to weigh carefully the impacts on national security of allowing more disclosures. With more time, we hope they will take further steps," said Microsoft's Frank. "Transparency alone may not be enough to restore public confidence, but it's a great place to start."

2013-06-14T12:28:00Z
Thumb Drive Security: Snowden 1, NSA 0
Thumb drives helped NSA whistle-blower Edward Snowden transport top-secret data from the agency. If the NSA can't keep a lid on thumb drives, can you?
http://www.informationweek.com/security/storage/thumb-drive-security-snowden-1-nsa-0/240156720?cid=SBX_iwk_related_video_Privacy_security

Pity the poor USB thumb drive.

The humble storage device is again under fire after reports surfaced that National Security Agency (NSA) <a href="http://www.informationweek.com/security/privacy/snowden-says-us-hacking-chinese-civilian/240156625">whistle-blower Edward Snowden</a>, 29, used a removable USB storage device to exfiltrate top-secret information from the agency, <a href="http://www.latimes.com/news/politics/la-pn-snowden-nsa-secrets-thumb-drive-20130613,0,791040.story">reported the <em>Los Angeles Times</em></a>.
NSA investigators now "know how many documents he downloaded and what server he took them from," a government official -- speaking on condition of anonymity -- told the paper.

In general, the use of removable USB storage devices is prohibited inside the agency. "Of course, there are always exceptions" to that rule, said the official. "There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny."

One job role that would require using removable storage, however, would be that of <a href="http://www.informationweek.com/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419">IT or systems administrator</a>, which was Snowden's job at the NSA, although he was a contractor employed by Booz Allen Hamilton.

The Defense Department's restrictions on using removable storage devices aren't unique. "At Huawei, my understanding is, plugging in a drive [equals] get fired," <a href="https://twitter.com/thegrugq/status/345422479809982464">tweeted</a> the Bangkok-based vulnerability buyer and seller known as the Grugq.

But as Snowden's leak shows, at a certain level even the most advanced security measures or defensive systems <a href="http://www.informationweek.com/security/attacks/10-best-ways-to-stop-insider-attacks/232602440">rely on trust</a> -- whether or not thumb drives, iPods, smartphones with cameras, photocopiers, or telephones with outside access are available to employees inside the corporate perimeter.
"As we've seen with WikiLeaks and Snowden, if one person sets their mind to it, they will grab information and find a way to disseminate it," James C. Foster, founder and CEO of Riskive, and a past Booz Allen employee, <a href="http://www.darkreading.com/attacks-breaches/nsa-leak-ushers-in-new-era-of-the-inside/240156599">told <em>Dark Reading</em></a>.

Historically speaking, people haven't only used thumb drives to remove secret data stored in digital format from secure environments. In 2009, Britain's MI6 intelligence agency caught Daniel Houghton, one of its computer programmers, trying to sell advanced email interception technology -- as well as lists of MI6 and domestic intelligence agency MI5 staff members, including full contact details -- to another country, after having downloaded the information onto a Secure Digital (SD) memory card. (Memo to European spooks: <a href="http://www.informationweek.com/security/attacks/swiss-spooks-warn-of-counter-terrorism-i/240143979">Don't attempt to tempt the Dutch</a>.)

Removable media has long posed an information security risk to government networks. In 2008, the Department of Defense <a href="http://www.informationweek.com/security/attacks/pentagon-confirms-flash-drive-breached-m/227001122">banned all flash drives and other removable media</a>, although that ban was subsequently relaxed. But it wasn't until 2010 that William J. Lynn, then the U.S. deputy secretary of defense, said that a malware-infected USB drive had breached government systems and led to the ban.

"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command," Lynn wrote in <em>Foreign Affairs</em>. "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

In Feb. 2010, however, the Defense Department "decided to make this [thumb drive] technology available again on a strictly controlled basis," then-Vice Admiral Carl Mauney, deputy commander of the U.S. Strategic Command, <a href="http://gcn.com/articles/2010/02/23/dod-flash-drives.aspx">told GCN</a>. "Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met." But those requirements were likely designed to prevent a repeat of the devices being used to distribute malware, rather than to combat insider attacks.

Calls for removable media to be more tightly monitored or restricted in U.S. government facilities soon resurged in the wake of <a href="http://www.informationweek.com/government/security/wikileaks-missives-contain-many-tech-sec/228400240">WikiLeaks publishing</a> -- largely between April and November 2010 -- <a href="http://www.informationweek.com/security/vulnerabilities/hackers-turn-on-each-other/231600789">redacted and then full versions</a> of 251,000 State Department cables.

Pfc. Bradley Manning, who was arrested in June 2010, is currently standing trial at Fort Meade, Md., on charges of leaking the cables, <a href="http://www.informationweek.com/security/cybercrime/lulzsec-leader-sabu-details-exploits/231900535">U.S. helicopter gunship footage</a> and other sensitive material. He <a href="http://www.informationweek.com/government/security/government-eyeing-security-technology-to/229301353">allegedly copied information</a> from the Department of Defense's classified SIPRNet network onto rewritable CDs that he hid <a href="http://www.informationweek.com/security/vulnerabilities/black-hat-pwnies-nominate-lulzsec-anonym/231002753">inside a Lady Gaga CD case</a>.
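The exception-based removable-media policies described above (the NSA's "special permission" for a few roles, the Defense Department's "strictly controlled basis") are in practice backed by an allowlist of approved device serial numbers plus an alert on everything else. The following is an added example, not code from the article or from any agency it names: a small Python monitor that folds Linux kernel (dmesg-style) USB messages into one record per device and flags any mass-storage device whose serial number is not on the list. The log lines and the approved serial are constructed for the example; the kernel message format itself is the one the usb and usb-storage drivers print.

```python
"""Removable-media allowlist monitor over Linux kernel log lines.

Added example, not code from the article or from any agency named in it.
The log lines are constructed in the format the Linux usb and usb-storage
drivers print; the allowlisted serial number is hypothetical.
"""
import re

# Hypothetical allowlist: serials of drives issued under a documented
# exception. Every other mass-storage device raises an alert.
APPROVED_SERIALS = {"4C530001234567890123"}

# Constructed dmesg-style sample: an approved drive, an unapproved drive,
# and a mouse (not mass storage, so it must not alert).
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 3 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Ultra Fit
usb 1-1: Manufacturer: SanDisk
usb 1-1: SerialNumber: 4C530001234567890123
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 2-3: new high-speed USB device number 4 using xhci_hcd
usb 2-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-3: Product: DataTraveler 3.0
usb 2-3: Manufacturer: Kingston
usb 2-3: SerialNumber: 0019E06B2F5ABE91E78C3C8D
usb-storage 2-3:1.0: USB Mass Storage device detected
usb 2-4: new low-speed USB device number 5 using xhci_hcd
usb 2-4: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
usb 2-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-4: Product: USB Optical Mouse
usb 2-4: Manufacturer: Logitech
"""

_FOUND = re.compile(
    r"^usb ([\d.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
_STRING = re.compile(r"^usb ([\d.-]+): (Product|Manufacturer|SerialNumber): (.+)$")
_STORAGE = re.compile(r"^usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected$")


def parse_usb_events(log_text):
    """Fold the per-line kernel messages into one record per USB device path."""
    devices = {}
    for line in log_text.splitlines():
        found = _FOUND.match(line)
        if found:
            path, vid, pid = found.groups()
            devices[path] = {"path": path, "vid": vid, "pid": pid, "mass_storage": False}
            continue
        string = _STRING.match(line)
        if string and string.group(1) in devices:
            devices[string.group(1)][string.group(2).lower()] = string.group(3).strip()
            continue
        storage = _STORAGE.match(line)
        if storage and storage.group(1) in devices:
            devices[storage.group(1)]["mass_storage"] = True
    return list(devices.values())


def check_removable_media(log_text, approved=APPROVED_SERIALS):
    """Return one alert string per mass-storage device not on the allowlist."""
    alerts = []
    for dev in parse_usb_events(log_text):
        if not dev["mass_storage"]:
            continue  # keyboards, mice and the like are not a storage path
        serial = dev.get("serialnumber", "")
        # A drive that reports no serial can never be on the allowlist, so it alerts too.
        if serial and serial in approved:
            continue
        alerts.append(
            f"ALERT unapproved removable storage on {dev['path']}: "
            f"{dev.get('manufacturer', '?')} {dev.get('product', '?')} "
            f"{dev['vid']}:{dev['pid']} serial={serial or 'none'}")
    return alerts


if __name__ == "__main__":
    for alert in check_removable_media(SAMPLE_LOG):
        print(alert)
```

In deployment the input would be the live kernel log (`dmesg -w` or `journalctl -k -f`) rather than a string. Two caveats a practitioner would raise: this is a detective control, not a preventive one (blocking requires a udev rule or a tool such as USBGuard), and serial-number allowlisting is weak on its own, because cheap drives ship with duplicate or cloned serials, which is exactly why serial-less devices are treated as unapproved here.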
Since then, the Defense Department has been <a href="http://www.informationweek.com/security/government/army-eyes-monitoring-tools-to-stop-wikil/240000047">evaluating monitoring tools</a> to help military and defense agencies more quickly spot insider attacks. Obviously, that technology either wasn't in place inside the Hawaii NSA satellite facility where Snowden worked, or the technology failed to spot his suspicious behavior before he <a href="http://www.informationweek.com/security/privacy/9-facts-about-nsa-prism-whistleblower/240156431">flew to Hong Kong</a>.

2013-06-14T09:42:00Z
Bug Data Buys Businesses Intel From U.S. Government
Thousands of businesses are reportedly exchanging information on online threats in return for classified intelligence.
http://www.informationweek.com/security/vulnerabilities/bug-data-buys-businesses-intel-from-us-g/240156695?cid=SBX_iwk_related_video_Privacy_security

Thousands of American businesses -- technology manufacturers, information security vendors, banks, satellite telecommunications providers and many others -- share threat intelligence with U.S. intelligence agencies, including details of secret zero-day vulnerabilities.
In exchange, they receive access to classified intelligence, including early warnings of detected attacks that may target their networks or intellectual property, as well as information on where those attacks originated. <P> These information-sharing arrangements between businesses -- known in government parlance as "trusted partners" -- and the National Security Agency (NSA), CIA, FBI, U.S. military and other government agencies were first <a href="http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html">reported Thursday by Bloomberg</a>. The revelations suggest that U.S. intelligence agencies' Internet monitoring programs extend far beyond the handful of secret projects detailed by recently leaked NSA documents. <P> Information published last week, based on <a href="http://www.washingtonpost.com/blogs/compost/wp/2013/06/07/the-nsa-powerpoint-the-worst-program/">secret documents</a> leaked by former NSA contractor Edward Snowden, detailed the existence of a program to <a href="http://www.informationweek.co.uk/security/privacy/7-tips-to-avoid-nsa-digital-dragnet/240156535">intercept metadata</a> -- phone numbers, call duration, approximate geographical location -- on millions of U.S. cell phone subscribers. The leaked information also <a href="http://www.informationweek.com/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">detailed Prism</a>, an arrangement between the NSA's Special Source Operations unit and nine U.S. Internet companies -- including Facebook, Google, Microsoft and Yahoo -- that targets foreign voice, email and video communications. <P> <strong>[ More information keeps coming out on government-industry security arrangements. Read <a href="http://www.informationweek.com/security/privacy/obama-defends-nsa-prism-google-denies-ba/240156275?itc=edit_in_body_cross">Obama Defends NSA Prism, Google Denies Back Door</a>. ]</strong> <P> Another secret NSA project made public by Snowden's leaked information was <a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-collection-facebook-google">Blarney</a>, which according to the <em>Washington Post</em> is "an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks" by targeting network backbones. Blarney collects metadata for computers being used to send emails or browse the Internet. The collected metadata includes the device's operating system and the browser being used, as well as the <a href="http://www.informationweek.co.uk/security/application-security/oracle-promises-enterprise-java-security/240155912">Java software version</a>. That information would give an intelligence agency a shortcut to infiltrating any of those systems, for example by targeting known vulnerabilities in the browser or Java client. <P> Some of the shared information reportedly includes zero-day vulnerability details. Microsoft, for example, reportedly participates in the trusted-partner program, and shares information about vulnerabilities in its products with the government before releasing those details -- or related fixes -- to business partners or the public. Such information could be used not only to proactively secure government computers against attack, but also to infiltrate foreign systems. <P> But two government officials, speaking anonymously to Bloomberg, said that while Microsoft is aware that the information it divulges can be used to target its foreign customers, legally speaking it's not allowed to ask -- and can't be told -- how the government might use this information. A Microsoft spokesman didn't immediately respond to an emailed request for comment about the full extent of its vulnerability-information-sharing arrangements with the U.S. government.
<P> The <a href="http://www.informationweek.com/security/management/microsoft-drops-chinese-vendor-after-win/232901457">Microsoft Active Protections Program</a> (MAPP) counts a number of businesses and government organizations as participants, and gives them early information on vulnerabilities, in part to allow security firms to offer virtual patches against the bugs before they are detailed publicly. But the alleged information sharing between Microsoft and intelligence agencies would occur before bug information is distributed via MAPP. <P> The information-sharing news casts new light on how the U.S. government might have <a href="http://www.informationweek.com/security/attacks/weaponized-bugs-time-for-digital-arms-co/240008564">obtained the four zero-day vulnerabilities</a> that were <a href="http://www.informationweek.com/security/attacks/was-us-governments-stuxnet-brag-a-mistak/240001596">targeted by Stuxnet</a>, which anonymous U.S. government officials said was a <a href="http://www.informationweek.co.uk/security/management/stuxnet-launched-by-united-states-and-is/240001297">joint U.S.-Israeli project</a>. Security researchers have said that the Stuxnet code base is quite similar to <a href="http://www.informationweek.com/security/attacks/flame-malwares-ties-to-stuxnet-duqu-deta/240001271">Flame</a> and <a href="http://www.informationweek.co.uk/security/cybercrime/3-lessons-learned-from-duqu-malware/231901299">Duqu malware</a>, suggesting that they were also the product of a U.S.-commissioned cyber weapons factory. <P> One critical legal point is that, unlike some U.S. government interception programs -- such as Prism -- trusted partners aren't necessarily at the receiving end of a court order or <a href="http://www.informationweek.com/security/privacy/government-google-data-requests-scope-un/240150050">National Security Letter</a>, which can legally compel not only their participation but also their silence.
Instead, the trusted partner program appears to be voluntary, and includes manufacturers providing detailed information about their hardware and software to the U.S. government, although they appear to be sharing no customer information. <P> Likewise, many telecommunications companies reportedly give U.S. intelligence agencies direct access to their offshore data centers and other facilities, which is legal and which exempts any resulting intercepts from oversight under the <a href="http://www.informationweek.com/security/government/nsa-prism-patriot-act-author-questions-s/240156451">Foreign Intelligence Surveillance Act</a>. <P> The former director of the NSA and CIA, Michael Hayden, told Bloomberg that this <a href="http://www.informationweek.com/security/government/should-nsa-be-scanning-business-networks/232601943">information sharing</a> would be invaluable. "If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful," he said. <P> To create these types of relationships, intelligence agencies reportedly first approach one key executive, who then handpicks a few <a href="http://www.informationweek.co.uk/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419">trusted IT administrators</a> to help. "You would keep it closely held within the company and there would be very few cleared individuals," Hayden said. Businesses sometimes also request immunity from any civil suits that might result from their information sharing.
<P> Government officials told Bloomberg that Google co-founder Sergey Brin received a temporary clearance so that he could be briefed on what came to be known as the <a href="http://www.informationweek.co.uk/security/attacks/google-aurora-attackers-still-on-loose-s/240006930">Operation Aurora</a> advanced persistent threat (APT) attacks against Google. The attacks were reportedly <a href="http://www.informationweek.com/security/attacks/google-aurora-hack-was-chinese-counteres/240155268">traced to a Chinese People's Liberation Army cyber-attack unit</a> that specialized in launching APT attacks. Based on the documents leaked by Snowden, Google would at that point have been part of the Prism program for more than a year. <P> Google CEO Larry Page last week said in a statement that he'd never heard of Prism, denied giving the U.S. government direct access to any Google servers and said the company shared data with governments "only in accordance with the law." <P> A Google spokesman didn't immediately respond to a request for comment about Google's information-sharing arrangements with the U.S. government. <P> But in the face of a potential backlash from domestic and overseas customers, Google, Facebook, Microsoft and Twitter have recently <a href="http://www.informationweek.co.uk/security/privacy/nsa-prism-google-facebook-want-more-tran/240156491">petitioned the Department of Justice</a> and FBI, requesting that they be allowed to publicly detail the ways in which they share information with the U.S.
government.

2013-06-13T13:22:00Z
LulzSec Hacker Ryan Cleary To Be Released
Release comes despite his being convicted of child porn and serving only a portion of his sentence, leading hackers to suggest he's working with authorities.
http://www.informationweek.com/security/attacks/lulzsec-hacker-ryan-cleary-to-be-release/240156590?cid=SBX_iwk_related_video_Privacy_security

Convicted LulzSec hacker Ryan Cleary, 21, is set to be released "imminently" after appearing Wednesday in a London courtroom for sentencing relating to charges that he made and possessed 172 indecent images of children on his PC. <P> "Some of these images showed children aged as young as six months old in circumstances where they were completely vulnerable," Judge Deborah Taylor told Cleary, <a href="http://www.independent.co.uk/news/uk/crime/lulzsec-hacker-ryan-cleary-will-be-freed-imminently-despite-170-child-porn-images-8655209.html">reported <em>The Independent</em> in Britain</a>. "These images were such as would make any right-minded person concerned at you viewing such images." <P> Cleary, <a href="http://www.informationweek.com/security/attacks/lulzsec-takes-hit-keeps-on-hacking/231000223">aka Viral</a>, previously pleaded guilty to two charges of making indecent images of children and one charge of possessing indecent images of children. Taylor said Wednesday that although U.K.
sentencing guidelines required incarceration for the offenses to which Cleary had pleaded guilty, "time has been served in any event." <P> <strong>[ For the latest on NSA whistle-blower Edward Snowden, see <a href="http://www.informationweek.com/security/privacy/snowden-says-us-hacking-chinese-civilian/240156625?itc=edit_in_body_cross">Snowden Says U.S. Hacking Chinese Civilians Since 2009</a>. ]</strong> <P> Based on time served, his pleading guilty to all charges filed against him and agreeing to wear an electronic device that will monitor his location, Cleary received a three-year community service order, which requires that he work in the community without pay. He also received a 36-month supervision order, which is akin to probation and requires that Cleary meet weekly with his probation officer. Finally, Cleary was ordered to sign the U.K.'s <a href="http://en.wikipedia.org/wiki/Violent_and_Sex_Offender_Register">Violent and Sex Offender Register</a>, which is a database used by police and prison officials to track people convicted of related offenses. <P> Cleary <a href="http://www.informationweek.com/security/attacks/lulzsec-hackers-sentenced-in-london/240155060">previously appeared in court</a> last month, when he was sentenced to 32 months in prison, followed by a five-year serious crime prevention order that can be used to restrict where he's allowed to travel and which jobs he'll be allowed to work. <P> Also sentenced in May were fellow LulzSec participants Jake Davis (Topiary), Mustafa al-Bassam (Tflow) and Ryan Ackroyd (Kayla). Together with Cleary, they pleaded guilty to charges of hacking a number of sites, including the CIA, Britain's Serious Organized Crime Agency (SOCA) and National Health Service (NHS), and <a href="http://www.informationweek.com/security/attacks/fbi-busts-suspected-lulzsec-hacker-in-so/231602040">Sony Pictures Entertainment</a>, as well as leaking the credit card data and personal information of hundreds of thousands of people.
Cleary also pleaded guilty to <a href="http://www.informationweek.com/news/security/vulnerabilities/232600411">launching numerous distributed denial of service (DDoS) attacks</a> under the banners of Anonymous, Internet Feds and LulzSec. <P> British police said the attacks in which Cleary participated caused an estimated $31 million in damages. <P> British police said that when they arrested Cleary at his home on June 20, 2011, they found him in the middle of launching a DDoS attack against the website of SOCA, which was conducting a joint investigation with the FBI into the activities of LulzSec, Anonymous and AntiSec. <P> Cleary was first arrested in 2011 and released on bail, subject to his refraining from using the Internet. He was <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">re-arrested on bail violation charges</a> on March 5, 2012, for going online in December 2011 to contact LulzSec leader Sabu. The day after Cleary's arrest, federal officials revealed that in June 2011, Sabu -- real name <a href="http://www.informationweek.com/security/attacks/lulzsec-leader-sabu-unmasked-aids-fbi-ha/232602103">Hector Xavier Monsegur</a> -- had been arrested and had turned <a href="http://www.informationweek.com/security/vulnerabilities/hacker-sabu-worked-nonstop-as-government/232602334">confidential government informant</a>, and was helping the FBI investigate hackers and information security attacks. <P> The news of Cleary's imminent release after serving less than his full jail sentence has led some members of Anonymous to accuse him of having <a href="https://www.cyberguerrilla.org/blog/?p=13810">cut a deal with authorities</a>, although no evidence has been produced to back up that assertion. "Anyone who gets away with child porn charges is obviously collaborating with the feds," according to a post by "ro0ted" to the pro-Anonymous CyberGuerrilla blog.
<P> Cleary's legal troubles might not be over, as he was indicted last year by a Los Angeles federal grand jury on hacking charges. But his attorney, Karen Todner, said last year that U.S. prosecutors had indicated that they wouldn't be seeking his extradition. Furthermore, if that changed, she said her client would <a href="http://www.informationweek.com/security/management/accused-lulzsec-hacker-fights-extraditio/240002206">fight any such request</a>. "Cleary suffers from Asperger's syndrome and is on the autistic spectrum and extradition to the United States is totally undesirable," she said.

2013-06-13T11:24:00Z
Snowden Says U.S. Hacking Chinese Civilians Since 2009
NSA whistle-blower says U.S. spies on people using computers at Hong Kong's Chinese University, as well as government officials and businesses.
http://www.informationweek.com/security/privacy/snowden-says-us-hacking-chinese-civilian/240156625?cid=SBX_iwk_related_video_Privacy_security

The United States has hacked hundreds of Chinese civilians since 2009. But its favored hacking technique isn't to target individual PCs via advanced persistent threat (APT) attacks, in the manner of the Chinese military. Instead, it prefers to compromise foreign network backbones, thus potentially gaining access to hundreds of thousands of systems at once.
<P> That revelation was delivered by <a href="http://www.informationweek.co.uk/security/privacy/nsa-prism-whistleblower-snowden-deserves/240156522">whistle-blower Edward Snowden</a>, until recently a contractor for the National Security Agency. He emerged from hiding Wednesday to grant an interview to Hong Kong's <em>South China Morning Post</em>. <P> "We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one," he <a href="http://www.scmp.com/news/hong-kong/article/1259508/edward-snowden-us-government-has-been-hacking-hong-kong-and-china">told the <em>Post</em></a>. <P> According to NSA documents reviewed by the <em>Post</em>, which haven't been verified, targets of the <a href="http://www.informationweek.co.uk/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">NSA's Prism program</a> have included computers in both mainland China and Hong Kong. Targets included systems at Hong Kong's Chinese University, as well as government officials, businesses and students in the region. But the <em>Post</em> reported that the program didn't appear to target Chinese military systems. <P> <strong>[ Security standoff at recent U.S.-China summit: Read <a href="http://www.informationweek.com/security/government/us-chinese-summit-4-security-takeaways/240156396?itc=edit_in_body_cross">U.S.-Chinese Summit: 4 Information Security Takeaways</a>. ]</strong> <P> According to Snowden, he learned of at least 61,000 such NSA hacking operations globally. The <em>Post</em> didn't specify whether those operations all allegedly occurred since 2009. <P> Why go public with the NSA's alleged hacking campaign? Snowden said he wanted to highlight "the hypocrisy of the U.S. government when it claims that it does not target civilian infrastructure, unlike its adversaries."
<P> "Not only does it do so, but it is so afraid of this being known that it is willing to use any means, such as diplomatic intimidation, to prevent this information from becoming public," he said. <P> Snowden first arrived in Hong Kong on May 20, and said that the choice of venue wasn't accidental. "People who think I made a mistake in picking Hong Kong as a location misunderstand my intentions. I am not here to hide from justice, I am here to reveal criminality," he said, noting that he planned to stay until "asked to leave." Noting that the U.S. government had already been "bullying" Hong Kong authorities into extraditing him, Snowden said that he would legally fight any such attempt. <P> How will Hong Kong handle Snowden's case? "We can't comment on individual cases," Hong Kong's chief executive, Leung Chun-ying, <a href="http://www.businessweek.com/news/2013-06-12/alleged-nsa-leaker-says-he-will-fight-extradition-from-hong-kong">told Bloomberg</a> Wednesday. "We'll handle the case according to our law." <P> Hong Kong is a special administrative region of China, and Beijing could influence the government's legal thinking. But when asked in a Thursday press conference whether the Chinese government had received any requests from Washington related to Snowden's case, Hua Chunying, a spokeswoman for China's foreign ministry, said only: "We have no information to offer," <a href="http://www.thehindu.com/news/international/china-silent-on-snowden-case-but-hits-out-at-double-standards/article4810031.ece">reported <em>The Hindu</em> in India</a>. <P> Snowden previously said he would prefer to <a href="http://www.informationweek.co.uk/security/privacy/9-facts-about-nsa-prism-whistleblower/240156431">"seek asylum in a country with shared values,"</a> and named Iceland.
Asked to respond to a recent statement by a spokesman for <a href="http://www.guardian.co.uk/world/2013/jun/11/edward-snowden-russia-asylum-request">Russian president Vladimir Putin</a> that, were Snowden to apply for asylum in Russia, authorities would consider his request, Snowden replied: "My only comment is that I am glad there are governments that refuse to be intimidated by great power." <P> Snowden said he hadn't contacted his family since leaving the country, but feared for both their safety and his own. He also appeared disinclined to glorify what he'd done. "I'm neither traitor nor hero. I'm an American," he said. "I believe in freedom of expression. I acted in good faith but it is only right that the public form its own opinion." <P> How has China reacted to Snowden's revelations that the NSA is spying on the Chinese? Chinese foreign ministry spokeswoman Hua said in a regular press conference Thursday that the government has been following the revelations of NSA monitoring detailed by Snowden, and she repeated calls from the Chinese government -- agreed to in principle at last week's U.S.-China summit in California -- to launch a cybersecurity working group to increase "dialogue, coordination and cooperation" between the two countries.
<P> "We also think adoption of double standards," she said, "will bring no benefit to settlement of the relevant issue."

2013-06-12T13:23:00Z
7 Tips To Avoid NSA Digital Dragnet
These apps will keep your cell phone calls under wraps -- if the NSA hasn't already found a way to break them.
http://www.informationweek.com/security/privacy/7-tips-to-avoid-nsa-digital-dragnet/240156535?cid=SBX_iwk_related_video_Privacy_security

Is it possible to avoid the National Security Agency's digital dragnet? <P> Thanks to NSA contractor Edward Snowden, leaked documents published last week revealed that the agency has <a href="http://www.informationweek.com/security/government/nsa-prism-patriot-act-author-questions-s/240156451">captured the metadata</a> -- numbers called, call duration, approximate geographical location -- for millions of U.S. phone subscribers. Under U.S. law, the agency is only allowed to spy on foreigners. But the system that's been revealed appears to capture data on everyone, then <a href="http://www.informationweek.com/big-data/news/big-data-analytics/defending-nsa-prisms-big-data-tools/240156388">rely on search algorithms</a> to prevent information being retrieved on anyone who seems to be a U.S. citizen.
<P> But what if you object to the <a href="http://www.informationweek.com/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">blanket capture</a> of U.S. cell subscribers' metadata information, or simply don't trust the NSA? Is it possible to avoid having information captured as part of the phone-tapping program, or via the <a href="http://www.informationweek.com/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419">surveillance program known as Prism</a> that captures audio, email and video communications made by using such well-known services as Gmail, Facebook, Hotmail, Skype and Yahoo? <P> Earlier this week, <em>The Washington Post</em> <a href="http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/10/five-ways-to-stop-the-nsa-from-spying-on-you/">detailed five strategies</a> for preventing communications from being intercepted, including browsing using Tor and using Silent Circle to make phone calls. To what extent will these approaches easily secure your communications, and what other possibilities are available? <P> <strong>[ Cell phone calls are just one way U.S. citizens are monitored. Read <a href="http://www.informationweek.com/government/information-management/whats-next-in-video-surveillance/240155161?itc=edit_in_body_cross">What's Next In Video Surveillance</a>. ]</strong> <P> In fact, many of the approaches trade increased information security for decreased usability. Then again, for some people, the tradeoff might be worth it. Here's what's available: <P> <strong>1. Tor, For Anonymous Browsing.</strong> <P> Using the Tor anonymous network helps prevent your traffic from being intercepted, thus foiling anyone who's attempting to identify which websites you're visiting, or people with whom you're communicating. In fact, Snowden, a former CIA employee and NSA contractor, was photographed with a Tor sticker. <P> Tor, which is free to use, uses an encrypted network to route your browsing. 
Using it for anonymous browsing is as easy as downloading the <a href="https://www.torproject.org/projects/torbrowser.html.en">Tor Browser Bundle</a>, which is a version of Firefox for Windows, Mac OS X and Linux. But that encrypted, anonymous network comes at a price: <a href="http://www.howtogeek.com/114004/how-to-browse-anonymously-with-tor/">slower browsing</a>. <P> Furthermore, Tor isn't foolproof. The 2011 attacks against Dutch certificate authority DigiNotar, for example, resulted in the <a href="http://www.informationweek.com/security/attacks/stolen-digital-certificates-compromised/231600810">creation of fraudulent digital certificates</a> for Facebook, Google, Skype, as well as Tor, apparently for the purpose of spying on Iranian Internet users. Likewise, researchers occasionally <a href="http://arstechnica.com/tech-policy/2011/04/not-anonymous-attack-reveals-bittorrent-users-on-tor-network/">identify vulnerabilities</a> in the service that can be exploited to identify users. <P> <strong>2. An OTR App, For Encrypted Chat.</strong> <P> Snowden communicated with Glenn Greenwald, the <em>Guardian</em> journalist who published some of the documents he leaked, using an unnamed OTR -- for <a href="http://en.wikipedia.org/wiki/Off-the-Record_Messaging">"off the record" -- chat messaging</a> program or plug-in. <P> For many people who want anonymous communications, the ease of using OTR applications, which enable chat sessions to be encrypted between two people using compatible clients or plug-ins for their chat service, makes it a natural choice. Furthermore, numerous free clients exist, including <a href="https://crypto.cat">Cryptocat</a>, <a href="http://adium.im/">Adium</a> for Mac OS X and <a href="https://plus.im/">IM+</a> for Android and iPhone. <P> <strong>3. Silent Circle, For Encrypted Voice, Email And More.</strong> <P> Silent Circle is a relatively new and well-reviewed service for providing encrypted voice communications domestically.
In the wake of the Prism scandal and "massive demand," the company announced that it's dropped the price of its annual subscription package for four services: encrypted mobile calls, encrypted text messaging, encrypted VoIP audio and video calls, and encrypted email. The company says it's been independently audited to ensure there are no backdoors for eavesdropping on service users. <P> One caveat with the service, however, is that for communications to remain fully encrypted in transit, they must be made between two Silent Circle subscribers. Still, that might appeal to businesses or activists worried about their communications being intercepted, or the identity of people they're speaking with tracked. <P> <strong>4. Redphone, For Secure Android Calls, Texts.</strong> <P> Android users, meanwhile, can get secure voice calls and texts via open source software from <a href="https://whispersystems.org/">WhisperSystems</a>. Redphone enables encrypted calling between two devices that use the software. TextSecure encrypts texts. Both applications have been audited to ensure they don't contain backdoors. As with Silent Circle, one caveat is that people on both sides of the conversation must be using the software. <P> <strong>5. PGP, For Data Encryption.</strong> <P> What else is possible? PGP -- or its open source equivalent GPG -- can be used to encrypt data and emails, but many people find it <a href="https://twitter.com/csoghoian/status/344422892789977089">difficult to use</a>. Notably, Snowden had to send a homemade video to Greenwald, showing him how to set it up. <P> <strong>6. Power Down Your Phone.</strong> <P> Mobile phone users can pull a Jason Bourne and remove the battery from their cell phone when they're not using it, thus preventing the device from pinging cell towers and revealing their approximate location. 
But as soon as you put the battery back in, you'll be trackable again, because the network has to reach your phone to provide voice and data services. <P> As Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, told the <em>Post</em>, "The laws of physics will not let you hide your location from the phone company." <P> <strong>7. Expect Metadata To Be Captured.</strong> <P> For any unencrypted call made using your cellphone, the metadata can be -- and probably is being -- intercepted. From an intelligence standpoint, metadata is a goldmine: one <em>Nature</em> study suggests that by cross-referencing "human mobility" metadata, <a href="http://www.informationweek.com/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">only four location points</a> -- involving location and time -- are required to uniquely identify someone 95% of the time. <P> In other words, there's no way to use a mobile phone and avoid metadata capture. <P> The services detailed above, however, will at least encrypt your communications, avoiding capture via programs such as Prism. That said, they carry usability caveats, as well as integrity worries: what if the NSA's cryptographic capabilities already allow it to successfully defeat those services, or it's found an exploitable vulnerability that accomplishes the same result? <P> Then again, if you think about these things too much, you might want to join the tinfoil hat crowd. At a certain point, anyone who opts for encrypted communications will have to trust in the available, audited tools.

2013-06-12T12:34:00Z
NSA Prism Whistleblower Snowden Deserves A Medal
Without Snowden's leaks, we wouldn't be pursuing rational, democratic debates on the government's post-Sept. 11 balance between security and civil liberties.
http://www.informationweek.com/security/privacy/nsa-prism-whistleblower-snowden-deserves/240156522?cid=SBX_iwk_related_video_Privacy_security

Is Edward Joseph Snowden an altruistic whistle-blower? A reckless criminal? An outright traitor? Or somewhere in between? <P> Those are <a href="http://www.nytimes.com/roomfordebate/2013/06/11/in-nsa-leak-case-a-whistle-blower-or-a-criminal">frequently debated questions</a> in the wake of Snowden's recent leaks of at least three National Security Agency (NSA) <a href="http://www.informationweek.com/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">surveillance programs</a>: Prism, which aims to intercept foreigners' audio, email and video from major Web services including Facebook, Gmail, Hotmail and Skype; <a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">Boundless Informant</a>, a data mining tool that tracks where intelligence originates; and another program that analyzes millions of U.S. phone records, capturing metadata related to phone numbers called, call durations and the approximate geographical location of the caller. <P> Snowden, a <a href="http://www.informationweek.com/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419">contractor for Booz Allen</a> working at an NSA satellite office in Hawaii -- and now believed to be in a <a href="http://www.guardian.co.uk/world/2013/jun/11/edward-snowden-nsa-whistleblower-profile">safe house in Hong Kong</a> -- gave up a well-paid job and <a href="http://arstechnica.com/tech-policy/2013/06/nsa-leakers-girlfriend-blogged-about-feeling-alone-when-he-left/">stable life</a> to bring to light a surveillance program that he has characterized as a threat to democracy.
"Perhaps I am naive," Snowden told <em>The Washington Post</em>, "but I believe that at this point in history, the greatest danger to our freedom and way of life comes from the reasonable fear of omniscient state powers kept in check by nothing more than policy documents." <P> <strong>[ What lessons can CIOs learn from Prism? See <a href="http://www.informationweek.com/global-cio/interviews/nsa-dragnet-debacle-what-it-means-to-it/240156243?itc=edit_in_body_cross">NSA Dragnet Debacle: What It Means To IT</a>. ]</strong> <P> Charges against Snowden have already been filed by the U.S. Department of Justice, and both the FBI and NSA have launched investigations. "If Edward Snowden did in fact leak the NSA data as he claims, the United States government must prosecute him to the fullest extent of the law and begin extradition proceedings at the earliest date," read a statement from Rep. Peter King (R-N.Y.), who chairs the Homeland Security Subcommittee on Counterintelligence and Terrorism. <P> "He's a traitor," House speaker John A. Boehner (R-Ohio) <a href="http://abcnews.go.com/Politics/transcript-exclusive-interview-house-speaker-john-boehner-nsa/story?id=19370792">told ABC News</a> Tuesday. "The disclosure of this information puts Americans at risk. It shows our adversaries what our capabilities are. And it's a giant violation of the law." <P> But others take a contrary view, as Snowden's leak has highlighted programs that appear to be operating outside the law. From a civil liberties standpoint, the phone record collection is "rampant abuse and it needs sunlight," said <em>Guardian</em> journalist Glenn Greenwald, who broke the leak story. "That's why this person came forward and that's why we published our stories." 
<P> The <a href="http://www.informationweek.com/security/privacy/obama-defends-nsa-prism-google-denies-ba/240156275">Obama administration's defense</a> of the formerly secret -- and no doubt still operational -- surveillance programs is that they were <a href="http://www.informationweek.com/security/government/nsa-prism-creates-stir-but-appears-legal/240156233">authorized by Congress</a> and overseen both by legislators and the judiciary, in the form of the Foreign Intelligence Surveillance Court. <P> "Everything that has been done and reported on in the last several days involves programs that have congressional oversight -- and regularized congressional oversight -- from the relevant committees," said White House spokesman Ben Rhodes in a Saturday press conference. "So the elected representatives of the American people do have eyes on these programs." <P> Or do they? James Clapper, the director of national intelligence, lied to a Senate committee in March, in response to a question from Sen. Ron Wyden (D-Ore.). "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Wyden had asked. To which Clapper replied: "No, sir." <P> Called out on that denial in the wake of the phone-monitoring revelations, Clapper <a href="http://news.yahoo.com/blogs/ticket/intel-chief-clapper-gave-least-untruthful-answer-u-164742798.html">told NBC News</a>: "I responded in what I thought was the most truthful, or least untruthful, manner by saying 'no.'" Clapper said he didn't view the captured and stored metadata records as a "collection" if they weren't looked at. <P> What oversight or accountability was served by Clapper's evasion? "Secrecy is necessary for national security programs, but so too is democratic accountability," <a href="http://www.volokh.com/2013/06/11/whistle-blower-criminal-or-both/">said Jonathan Adler</a>, a law professor at Case Western Reserve University, in a blog post. 
<P> President Obama has said that the programs are being run in a way that <a href="http://www.informationweek.com/big-data/news/big-data-analytics/defending-nsa-prisms-big-data-tools/240156388">balances civil liberties concerns with security requirements</a>. "If we did everything necessary for our security, we would sacrifice too much privacy and civil liberties, but if we did everything necessary to have 100% privacy and civil liberties protections, we wouldn't be taking common-sense steps to protect the American people," White House spokesman Rhodes said. <P> But that balance is now <a href="http://www.informationweek.com/security/government/nsa-prism-patriot-act-author-questions-s/240156451">open for discussion</a>. "We'll have that debate," Rhodes said. "We welcome congressional interest in these issues. We welcome the interest of the American people and of course the media in these issues." <P> Without Snowden's leaks, however, we wouldn't be having this debate. Furthermore, by bringing the surveillance programs to public attention, Snowden has put himself at personal risk, and not just of incarceration. "In Dulles UAL lounge listening to 4 US intel officials saying loudly leaker & reporter on #NSA stuff should be disappeared," <a href="https://twitter.com/SCClemons/statuses/343392529913356289">tweeted <em>Atlantic</em> foreign reporter Steve Clemons</a>. <P> To decide where Snowden falls in the spectrum between altruistic whistleblower and dangerous criminal, it helps to put the leaks into perspective. "In my estimation, there has not been in American history a more important leak than Edward Snowden's release of NSA material -- and that definitely includes the Pentagon Papers 40 years ago," <a href="http://www.guardian.co.uk/commentisfree/2013/jun/10/edward-snowden-united-stasi-america">Daniel Ellsberg wrote</a> Monday.
Ellsberg is a former military analyst and RAND employee who in 1971 leaked to <em>The New York Times</em> the secret history of the Vietnam War known as the Pentagon Papers, which showed how four successive presidential administrations lied to the public about Vietnam policies. <P> Whistleblowers are vital to the health of a democracy. "Whistleblowing is the moral response to immoral activity by those in power," <a href="http://www.schneier.com/blog/archives/2013/06/government_secr.html">said information security guru Bruce Schneier</a>, chief security technology officer of BT, in a blog post, in which he lauded Snowden as "an American hero." <P> Schneier argued that we need more people like Edward Snowden who, when they see evidence of wrongdoing, release information on "government programs and methods, not data about individuals," which alludes to Snowden saying he <a href="http://www.informationweek.com/security/privacy/9-facts-about-nsa-prism-whistleblower/240156431">carefully selected leaked data</a> so it wouldn't put intelligence agents or overseas operations at risk. <P> "I understand I am asking for people to engage in illegal and dangerous behavior," Schneier said. "Do it carefully and do it safely, but -- and I am talking directly to you, person working on one of these secret and probably illegal programs -- do it." <P> For the rest of us, should whistleblowers who bring to light "illegal and dangerous behavior" get a <a href="https://petitions.whitehouse.gov/petition/pardon-edward-snowden/Dp03vGYD">"stay out of jail free" card</a>? When leaks are done in a manner that doesn't put lives at risk, that does seem to be the appropriate, democratic response. <P> 2013-06-11T14:35:00Z <P> <strong>NSA Prism: Patriot Act Author Questions Scope</strong> <P> White House says NSA's surveillance programs implement FISA and Patriot Act -- but Patriot Act author is not sure.
Meanwhile, privacy groups turn up the heat. <P> http://www.informationweek.com/security/government/nsa-prism-patriot-act-author-questions-s/240156451?cid=SBX_iwk_related_video_Privacy_security <P> Is the NSA's Prism program <a href="http://www.informationweek.co.uk/security/government/nsa-prism-creates-stir-but-appears-legal/240156233">legal</a>? <P> To be clear, what's being called Prism really refers to the name of an internal government computer system that's used as part of a program known as the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), or the Section 702 programs for short, according to a <a href="http://www.dni.gov/files/documents/Facts%20on%20the%20Collection%20of%20Intelligence%20Pursuant%20to%20Section%20702.pdf">DNI briefing document</a> released Saturday. <P> Whistleblower <a href="http://www.informationweek.co.uk/security/privacy/9-facts-about-nsa-prism-whistleblower/240156431">Edward Snowden</a>, 29, has claimed credit for releasing classified documents relating to two NSA monitoring programs. One, run under Section 702, is aimed at intercepting foreign online communications, including email, chat and VoIP communications; the other, which rests on a separate authority (Section 215 of the Patriot Act, discussed below) rather than on Section 702, is tasked with gathering metadata relating to millions of phone calls, which could reveal the locations of callers as well as those of the people with whom they'd communicated, although not the content of calls. <P> <strong>[ How do system administrators fit into your company's security chain? Read <a href="http://www.informationweek.com/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419?itc=edit_in_body_cross">NSA Prism Relies Heavily On IT Contractors</a>. ]</strong> <P> President Obama Friday <a href="http://www.informationweek.co.uk/security/privacy/obama-defends-nsa-prism-google-denies-ba/240156275">defended the programs</a>, as well as the NSA's capture of telephone metadata.
He noted that both programs have been "authorized by broad bipartisan majorities repeatedly since 2006." <P> "We've got congressional oversight and judicial oversight. And if people can't trust not only the executive branch but also don't trust Congress and don't trust federal judges to make sure that we're abiding by the Constitution, due process and rule of law, then we're going to have some problems here," he said. <P> In a press conference Saturday, White House spokesman Ben Rhodes said the Section 702 program "was reauthorized by Congress in December 2012, and it has a reporting requirement to Congress," meaning that the Director of National Intelligence and Attorney General must provide semiannual reports to legislators to review "the targeting procedures as well as the minimization procedures associated with targeting." <P> The phone metadata capture appears to be authorized by <a href="http://www.aclu.org/free-speech-national-security-technology-and-liberty/reform-patriot-act-section-215">Section 215 of the Patriot Act</a>. <P> Rhodes said briefings about the programs had been regularly delivered to the intelligence and judiciary committees in both the House and Senate. He also said that additional FISA briefings had been provided for about 13 legislators who requested information about how the program captures telephone metadata. <P> Sen. Dianne Feinstein (D-Calif.), who chairs the Intelligence Committee and has backed the programs, said the committee will hold a closed briefing Thursday for all senators, in which officials from the NSA, FBI and Justice Department will detail the surveillance programs in greater detail. The House Intelligence Committee plans to hold a similar hearing next Tuesday. <P> House speaker John A. 
Boehner (R-Ohio) <a href="http://abcnews.go.com/Politics/transcript-exclusive-interview-house-speaker-john-boehner-nsa/story?id=19370792">told ABC News</a> Tuesday that he's been fully briefed on the two programs that Snowden publicly revealed, and dismissed any threat to civil liberties. "When you look at these programs, there are clear safeguards," he said. "There's no American who's gonna be snooped on in any way -- unless they're in contact with some terrorists somewhere around the world." <P> But in a <a href="http://sensenbrenner.house.gov/uploadedfiles/sensenbrenner_letter_to_attorney_general_eric_holder.pdf">letter</a> sent last week to Attorney General Eric Holder, Rep. James Sensenbrenner (R-Wis.), the author of the Patriot Act, said, "I am extremely disturbed by what appears to be an overbroad interpretation of the Act." <P> Similarly, Rep. Hank Johnson (D-Ga.) issued a statement calling for "a thorough and public debate on how our government can balance the need for national security while protecting the basic liberties of its citizens," saying that "Americans have a right to know the power that they are granting their government." <P> Privacy rights group EPIC <a href="http://epic.org/EPIC_FOIA_Request_NSA_Verizon_DOJ.PDF">filed a freedom of information request</a> with the Department of Justice Friday, seeking the release of its legal justification for the Prism program. But the White House has been resisting such measures.
<P> Friday the Justice Department filed a motion opposing public release of a 2011 Foreign Intelligence Surveillance Court decision that declared some aspect of National Security Agency surveillance under the FISA Amendments Act to be unconstitutional or otherwise illegal, law professor Jonathan Adler of Case Western Reserve University <a href="http://www.volokh.com/2013/06/08/doj-seeks-to-keep-fisa-court-decision-invalidating-nsa-surveillance-under-wraps/">said in a blog post</a>. The motion was a response to a <a href="https://www.eff.org/foia/fisc-orders-illegal-government-sureveillance">similar request from EPIC</a> pertaining to the capture of telephone metadata. <P> President Obama, defending the NSA's monitoring programs, said access to captured data was only authorized using warrants under FISA, the 1978 law that created the Foreign Intelligence Surveillance Court (FISC) to field requests from the Department of Justice for surveillance warrants against suspected foreign agents engaged in espionage or terrorism. <P> FISC is meant to be a safeguard. Yet the court appears to rubber-stamp nearly all such requests; only 0.03% have been rejected. That's based on annual Justice Department reports to Congress, which show that from 1979 through 2012, out of more than 33,900 surveillance requests lodged by the Department of Justice, the court rejected only 11. <P> "The FISA system is broken," Marc Rotenberg, executive director of Electronic Privacy Information Center -- a privacy rights group -- told the <em>Journal</em>. "At the point that a FISA judge can compel the disclosure of millions of phone records of U.S. citizens engaged in only domestic communications, unrelated to the collection of foreign intelligence ... there is no longer meaningful judicial review." <P> But Timothy Edgar, a former top American Civil Liberties Union lawyer who joined the Director of National Intelligence in 2006 as a senior civil liberties official, said the process is "definitely not a rubber stamp."
He told the <em>Journal</em> that the low level of rejections was down to the extent to which Justice lawyers vet all such requests before submitting them to the FISC. <P> Separately, the American Civil Liberties Union (ACLU) and Yale Law School's Media Freedom and Information Clinic Monday <a href="http://www.aclu.org/files/assets/fisc_unsealing_motion.pdf">filed a motion</a> with FISC, requesting that the court publish its legal opinions "evaluating the meaning, scope, and constitutionality of Section 215." <P> Do the surveillance programs overreach and violate Americans' privacy? Public opinion appears to favor, slightly, the current course of action. According to a Pew Research Center and <em>Washington Post</em> survey conducted from June 6 to 9, in response to the statement that "NSA has been investigating people suspected of terrorist involvement by secretly listening in on phone calls and reading emails without court approval," 51% of respondents said they found it acceptable, while 47% didn't. Meanwhile, 62% said that having the government investigate terrorist threats was more important than safeguarding people's privacy, while 34% disagreed. <P> Several information security experts have suggested that if the surveillance programs are too broad, however, it's not the fault of the intelligence community. "The highest priority at the NSA is avoiding infringing on citizens' rights. I know none of you will believe me, but it's true," said Robert David Graham, CEO of Errata Security, in a <a href="http://erratasec.blogspot.com/2013/06/nsa-is-wrong-not-evil.html">blog post</a>. "I'm regularly astonished by the degree to which they bend over backwards to protect [Americans'] privacy." <P> So if you want to blame someone, says Graham, look to Congress. "The rank and file of the NSA is not your enemy. They carry out the mission that politicians give them, and do not cross the line with an almost religious fervor," he said. "It's the politicians who have moved that line.
It's every politician who voted to extend the Patriot Act and empower the FISA court that you have to fight." <P> 2013-06-11T11:49:00Z <P> <strong>9 Facts About NSA Prism Whistleblower</strong> <P> Here's what we know about Edward J. Snowden, the NSA contractor last seen in Hong Kong -- and why the Bradley Manning case could affect Snowden's fate. <P> http://www.informationweek.com/security/privacy/9-facts-about-nsa-prism-whistleblower/240156431?cid=SBX_iwk_related_video_Privacy_security <P> Who is Edward Joseph Snowden? <P> Snowden, 29, has come forward to say that he's responsible for leaking information about the NSA's online communications surveillance program, <a href="http://www.informationweek.co.uk/security/government/nsa-prism-creates-stir-but-appears-legal/240156233">known as Prism</a>, to the <em>Guardian</em>, as well as leaking details of the NSA's access to U.S. phone call metadata to <em>The Washington Post</em>. <P> By some estimations, they are the <a href="http://www.guardian.co.uk/commentisfree/2013/jun/10/edward-snowden-united-stasi-america">most important leaks in U.S.
history</a>, surpassing even Daniel Ellsberg's release of the secret history of the Vietnam War known as the Pentagon Papers, as well as the leak of classified State Department cables and information relating to the wars in Afghanistan and Iraq to WikiLeaks, for which <a href="http://www.informationweek.co.uk/government/information-management/military-arrests-alleged-wikileaks-sourc/225402144">Pfc. Bradley Manning has been charged</a> and is only now standing trial. Furthermore, according to <em>The Guardian</em>, Snowden has leaked "thousands" of documents, of which "dozens" are newsworthy and not all have yet been published. <P> <strong>[ What happens when leak controversies spill over into other areas of business? Read <a href="http://www.informationweek.com/government/policy/datacell-wins-wikileaks-donation-case/240153575?itc=edit_in_body_cross">DataCell Wins WikiLeaks Donation Case</a>. ]</strong> <P> In the midst of these leaks, here's what we know about Snowden, as well as what might be in store for him: <P> <strong>1. From Army Veteran To CIA Employee.</strong> <P> Snowden is a 29-year-old former technical assistant for the Central Intelligence Agency who's been working at the National Security Agency for the past four years as a contractor employed by various firms, including Dell and most recently Booz Allen. He told <em>The Guardian</em> that he earned about $200,000 a year, which commentators said would be a commensurate salary for a contract NSA IT administrator who holds a valuable top-secret clearance. <P> Sunday, <a href="http://www.boozallen.com/media-center/press-releases/48399320/statement-reports-leaked-information-060913">Booz Allen issued a statement</a> confirming that Snowden "has been an employee of our firm for less than three months, assigned to a team in Hawaii." <P> How did Snowden come to work in IT? 
Long interested in computers, he enlisted in the Army Reserve in 2003 in a Special Forces training program, but was discharged four months later after breaking both of his legs in a training accident. According to news reports, he then began a job as a security guard at a covert CIA facility in Maryland, then moved to an information security job with the CIA. <P> <strong>2. Snowden Requests No Anonymity.</strong> <P> Snowden purposefully requested that after <a href="http://www.informationweek.co.uk/security/privacy/obama-defends-nsa-prism-google-denies-ba/240156275">publishing the leaked data</a>, both <em>The Guardian</em> and <em>Post</em> identify him by name. "I have no intention of hiding who I am because I know I have done nothing wrong," Snowden told <em>The Guardian</em>, emphasizing that he's not seeking media attention. <P> "I don't want public attention because I don't want the story to be about me. I want it to be about what the U.S. government is doing," he said. "The government has granted itself power it is not entitled to. There is no public oversight. The result is people like myself have the latitude to go further than they are allowed to." <P> <strong>3. Reason For Leak: Dismantle "Architecture Of Oppression."</strong> <P> In a <a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance">video interview</a>, Snowden said the rationale for the leak was to highlight the extent to which the U.S. government was <a href="http://www.informationweek.co.uk/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">spying on its own citizens</a>, and that he was no longer able to countenance working a job that involved building an "architecture of oppression." <P> "The NSA has built an infrastructure that allows it to intercept almost everything. 
With this capability, the vast majority of human communications are automatically ingested without targeting," he <a href="http://www.guardian.co.uk/world/2013/jun/09/nsa-whistleblower-edward-snowden-why">told <em>The Guardian</em></a>. "If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards." <P> "I do not want to live in a world where everything I do and say is recorded," he said. "That is not something I am willing to support or live under." <P> <strong>4. Snowden Carefully Selected Secrets.</strong> <P> Snowden told reporters that the information he leaked was designed to trigger a debate on the "scope of surveillance in America," but also to avoid the types of mistakes allegedly made by Pfc. Bradley Manning, who's accused of leaking documents that put the lives of confidential U.S. sources abroad at risk. <P> "I understand that I will be made to suffer for my actions," said Snowden. "I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant." <P> <strong>5. Into Hiding In Hong Kong.</strong> <P> But Snowden didn't sit around waiting to be arrested. About three weeks ago, according to <em>The Guardian</em>, Snowden finished copying the last of the documents he planned to leak, then told his NSA supervisor that he required a two-week medical leave related to epilepsy, for which he was diagnosed last year. Then he flew to Hong Kong, registered at a nice hotel just down the street from the CIA station based in the local consulate, and rarely left, saying it was possible he would be rendered by U.S. agents, detained by Chinese officials, or extradited.
<P> Snowden said he chose Hong Kong, a Chinese territory that <a href="https://www.cia.gov/library/publications/the-world-factbook/geos/hk.html">enjoys its own economic and political system</a>, for its "spirited commitment to free speech and the right of political dissent." In the short term, he hoped the government wouldn't deport him. Longer term, "my predisposition is to seek asylum in a country with shared values," he said. "The nation that most encompasses this is Iceland. They stood up for people over Internet freedom. I have no idea what my future is going to be." <P> <strong>6. Charges Filed Against Snowden.</strong> <P> Charges have now been filed against Snowden by the Department of Justice, <a href="http://www.nytimes.com/2013/06/11/us/snowden-facing-charges-leaves-hong-kong-hotel.html"><em>The New York Times</em> reported</a> Tuesday. The charges pave the way for his extradition, since foreign courts typically require criminal charges to be filed before they'll hear an extradition request. <P> Multiple investigations are also underway into the leaks. The FBI's Washington field office will lead one investigation. The NSA, meanwhile, launched its own investigation following revelations first published Wednesday by <em>The Guardian</em>, and is trying to ascertain the full extent of the information that was taken and released by Snowden. <P> <strong>7. Hong Kong Extraditions Subject To Delays.</strong> <P> Could Snowden successfully avoid being extradited from Hong Kong? Regina Ip, a former secretary of security who serves in the Hong Kong legislature, said that the territory has a history of working with U.S. law enforcement officials. "He won't find Hong Kong a safe harbor," Ip told the <em>Times</em>. 
<P> But Hong Kong university professor Simon Young told <em>The Guardian</em> that <a href="http://www.guardian.co.uk/world/video/2013/jun/10/edward-snowden-extradition-nsa-whistleblower-video">China would likely leave it to the Hong Kong courts</a> to decide whether Snowden would be extradited. <P> In fact, according to <em>GlobalPost</em>, Snowden's choice of Hong Kong looks astute, because the territory's high court has ordered the government to <a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/china/130610/why-edward-snowden-hong-kong-extradition-asylum">put a new extradition system in place</a>, which could take some time. Until it does so, Hong Kong's extradition process is <a href="https://twitter.com/Bequelin/status/343983480310468608">stuck in legal limbo</a>, and no cases will likely be decided, according to Nicholas Bequelin, a senior researcher for Human Rights Watch. <P> <strong>8. U.S. Government Treatment Of Manning Might Safeguard Snowden.</strong> <P> Furthermore, in December a Hong Kong court ruled that no one can be extradited to a country where they might face cruel or unusual punishment, Patricia Ho, a lawyer at Daly & Associates, told <em>GlobalPost</em>. "The reason I think this is relevant," Ho said, "is because if you look at the case of Bradley Manning, during his detention period, he was found to have <a href="http://image.guardian.co.uk/sys-files/Guardian/documents/2012/03/12/A_HRC_19_61_Add.4_EFSonly-2.pdf">suffered cruel and degrading treatment</a>. It was found by the UN special rapporteur on torture." <P> "I would imagine given the similarity in the cases that Snowden could easily say, 'Well, I fear that the same would happen to me,' and use that as a basis to claim protection in Hong Kong," she said. "If he does that I would say his chances of protection would be fair." <P> <strong>9.
Snowden Missing As Of Monday.</strong> <P> As of Monday, however, Snowden reportedly checked out of the Hong Kong hotel where he was staying -- perhaps after being located by multiple news outlets -- and his <a href="http://online.wsj.com/article/SB10001424127887324904004578537062414488652.html">whereabouts were unknown</a>. It's not clear if he'd been interviewed by American officials, as they were seeking to do, or if he might have been detained by Hong Kong authorities. <P> 2013-06-11T10:50:00Z <P> <strong>NSA Prism Relies Heavily On IT Contractors</strong> <P> NSA whistleblower Snowden likely enjoyed access to Prism program details as a contracted NSA IT administrator. <P> http://www.informationweek.com/security/vulnerabilities/nsa-prism-relies-heavily-on-it-contracto/240156419?cid=SBX_iwk_related_video_Privacy_security <P> How did a Booz Allen contractor get his hands on top secret details about National Security Agency (NSA) intelligence operations? <P> Edward J. Snowden, 29, <a href="http://www.informationweek.com/security/government/nsa-prism-creates-stir-but-appears-legal/240156233">leaked confidential information</a> to Britain's <em>Guardian</em> about the so-called NSA Prism program that conducts surveillance of online communications to and from foreigners, and leaked data to <em>The Washington Post</em> about the NSA's access to U.S. phone call metadata. According to Glenn Greenwald, a Brazil-based American who reports on civil liberties issues for the <em>Guardian</em>, Snowden has provided him with "thousands" of documents, of which "dozens" are newsworthy. <P> The leaks have highlighted how the NSA relies on an army of contractors to help it sift through the <a href="http://www.informationweek.com/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341">massive quantities of data</a> it collects.
According to information released this year by the Office of the Director of National Intelligence, 1.2 million Americans hold top-secret clearances, and 38% of those clearances are held by private contractors. <P> As that suggests, a substantial amount of U.S. intelligence work is now handled by private contractors. Naval War College professor John Schindler, a former NSA counterintelligence officer, said that the post-Sept. 11 launch of massive data-gathering operations -- for counterterrorism purposes -- required a commensurate increase in the number of people tasked with keeping those classified-data systems running. <P> <strong>[ Learn what Prism shows about cloud security. Read <a href="http://www.informationweek.com/global-cio/interviews/nsa-dragnet-debacle-what-it-means-to-it/240156243?itc=edit_in_body_cross">NSA Dragnet Debacle: What It Means To IT</a>. ]</strong> <P> "It's hard to think of a single thing the intelligence community can do on its own anymore without a contractor being involved in some way, from the most mundane of data crunching to the pointy end of the black ops side," Peter Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, told <em>The Wall Street Journal</em>. <P> But how did Snowden access the confidential information, which includes a top secret Foreign Intelligence Surveillance Court order, in the first place? A former senior NSA official told the <em>Post</em> that only 30 or 40 people in the world would have had access to that data. <P> Government investigators are "working with the NSA and others around the intelligence community to understand exactly what information this individual had access to, and how that individual was able to take that information outside the community," a senior U.S. intelligence official told the <em>Post</em>.
<P> The NSA would have determined which specific systems Snowden would have been able to access, according to contractors interviewed by the <em>Journal</em>. <P> Given Snowden's biography and job description -- serving as an "infrastructure analyst" employed by Booz Allen, but working at an NSA satellite office in Hawaii -- many security experts believe that he didn't just have top secret clearance, but served as an information security or IT administrator tasked with keeping confidential systems running. <P> That might explain Snowden's <a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance">remarks to the <em>Guardian</em></a> that he had "full access to the rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth." <P> A former senior official at the NSA told the <em>Post</em>, however, that Snowden's access claims are overblown. "When he said he had access to every CIA station around the world, he's lying," he said. <P> Then again, someone had to be maintaining the computer networks and related systems for those stations; what if it was Snowden? <P> The data leak situation further suggests that NSA officials might not have known the extent to which either private contractors or IT administrators were privy to highly confidential information. <P> Of course, no system is 100% secure against a <a href="http://www.informationweek.com/security/attacks/10-best-ways-to-stop-insider-attacks/232602440">rogue or malicious insider</a> who already holds legitimate access to stored data and decides to leak it. To put that another way, the security of any IT system -- no matter how clandestine -- hinges on <a href="http://www.schneier.com/blog/archives/2013/06/trusting_in_it.html">trusting one's system administrator</a>. The standard controls (least privilege, two-person rules for the most sensitive data, encryption under keys the administrators themselves cannot read, and logging of privileged activity that someone actually reviews) can narrow that trust and catch its abuse sooner, but they cannot remove it: whoever keeps a system running can usually reach what it stores.
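One of those controls, reviewing what privileged accounts actually do, is worth seeing in practice. The script below is an added example, not code from the article or from any agency's tooling: it reads a constructed audit log (the line format, user names and paths are all made up for the demonstration) and flags any account whose count of distinct documents read or copied on one day is far above that account's own baseline. The analyst who reads 25 reports every day is left alone; the administrator who normally touches three files and one day copies sixty is not.

```python
"""Spot a privileged account pulling far more documents than it normally does.

Added example; not code from the article or from any agency's tooling. The
audit-log format, user names and object paths are made up for this demo.
An administrator reads a handful of files a day to keep systems running, so
a day on which the same account copies dozens of distinct documents stands
out against that account's own history.
"""
import re
from collections import defaultdict
from statistics import median

# Hypothetical line format, e.g.
#   2013-05-20T22:05:00Z user=sysadmin7 role=admin action=COPY object=/ops/docs/d5.pdf
LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+"
    r"user=(?P<user>\S+)\s+role=(?P<role>\S+)\s+action=(?P<action>\S+)\s+"
    r"object=(?P<obj>\S+)$"
)


def parse(lines):
    """Yield (day, user, role, action, object); lines that do not match are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m["day"], m["user"], m["role"], m["action"], m["obj"]


def distinct_objects_per_day(events, actions=("READ", "COPY")):
    """(user, day) -> set of distinct objects the user read or copied that day."""
    per_day = defaultdict(set)
    for day, user, _role, action, obj in events:
        if action in actions:
            per_day[(user, day)].add(obj)
    return per_day


def flag_bulk_reads(per_day, min_objects=20, ratio=5.0):
    """Return {(user, day): count} for days on which the distinct-object count
    is at least min_objects AND at least `ratio` times the user's median over
    their other logged days. The ratio test spares a steady high-volume user;
    the absolute floor spares a jump from one file to six."""
    counts = defaultdict(dict)
    for (user, day), objs in per_day.items():
        counts[user][day] = len(objs)
    flagged = {}
    for user, days in counts.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if n >= min_objects and n >= ratio * max(baseline, 1):
                flagged[(user, day)] = n
    return flagged


def sample_log():
    """Constructed audit lines: a steady analyst, a sysadmin whose last day is a
    bulk pull, and one malformed line to show that parse() tolerates it."""
    lines = []
    days = ["2013-05-%02d" % d for d in range(15, 21)]
    for i, day in enumerate(days):
        for k in range(25):  # analyst3: 25 distinct reports every day
            lines.append(f"{day}T09:{k:02d}:00Z user=analyst3 role=analyst "
                         f"action=READ object=/reports/{day}/r{k}.pdf")
        n = 60 if i == len(days) - 1 else 3  # sysadmin7: 3 a day, then 60
        for k in range(n):
            lines.append(f"{day}T22:{k:02d}:00Z user=sysadmin7 role=admin "
                         f"action=COPY object=/ops/docs/d{k}.pdf")
    lines.append("2013-05-20 host=example-host this line is not in the expected format")
    return lines


if __name__ == "__main__":
    hits = flag_bulk_reads(distinct_objects_per_day(parse(sample_log())))
    for (user, day), n in sorted(hits.items()):
        print(f"{day} {user}: {n} distinct objects, far above that account's baseline")
```

The baseline is per account rather than global on purpose: a global threshold would either fire on every analyst or miss every administrator. Real deployments would also key on classification and on whether the access was bundled with a change ticket, but the shape of the check is the same.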
<P> "They can be a critical security gap because they see everything," Naval War College professor Schindler <a href="https://www.nytimes.com/2013/06/11/us/how-edward-j-snowden-orchestrated-a-blockbuster-story.html">told the <em>Times</em></a>. "They're like code clerks were in the 20th century. If a smart systems administrator went rogue, you'd be in trouble."

2013-06-11T09:06:00Z
U.S.-Chinese Summit: 4 Information Security Takeaways
What did the summit accomplish with regard to cyber spying and cyber attacks -- and what's left undone?
http://www.informationweek.com/security/government/us-chinese-summit-4-information-security/240156396?cid=SBX_iwk_related_video_Privacy_security

Don't expect advanced persistent threat (APT) attacks emanating from China to stop anytime soon. <P> During a historic, two-day summit last week, President Barack Obama and Chinese president Xi Jinping spent eight hours discussing numerous issues of mutual concern. Results included new agreements on greenhouse gas emissions and North Korea; plans to run a joint naval exercise next summer; and, for Xi, the gift of a bench made of redwood. <P> But absent from the summit was any resolution regarding U.S. 
government allegations that <a href="http://www.informationweek.com/security/attacks/china-denies-us-hacking-accusations-6-fa/240149058">APT groups</a> operating from China have been waging a <a href="http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064">sustained and successful online industrial espionage campaign</a> against U.S. government agencies and businesses, including defense contractors. <P> <strong>[ China accuses the U.S. of the same cyber intrusions. Read <a href="http://www.informationweek.com/security/attacks/china-to-america-you-hack-us-too/240156178?itc=edit_in_body_cross">China To America: You Hack Us, Too</a>. ]</strong> <P> The White House did, however, address information security concerns during the summit. Here are the takeaways: <P> <strong>1. Chinese Now More Aware, Says White House</strong> <P> Simply put, the White House had little to show on the information security front after the two-day talks in California, which began Friday. "The President made clear the threat posed to our economic and national security by cyber-enabled economic espionage," said the President's national security adviser, Tom Donilon, in a press briefing Saturday. "The President underscored that resolving this issue is really key to the future of U.S.-China economic relations." <P> <strong>2. White House Continues To Pursue Diplomacy</strong> <P> Still, some progress has been made. Donilon said that a three-part diplomatic strategy, hammered out in March 2013, had to begin by first getting China to even discuss cybersecurity, which it previously hadn't done. "I think this concern is acknowledged at this point," he said. <P> Second, the White House has asked China to investigate industrial espionage operations being run from inside its borders, "and the Chinese have agreed to look at this," Donilon said. 
Finally, he said that China agreed "to engage in a dialogue with the United States on norms and rules -- that is what is acceptable and what's not acceptable in the realm of cyber." The presidents also agreed to the creation of a cybersecurity working group that will begin meeting in July, and meet regularly thereafter. <P> <strong>3. China Talks Cybercrime Generalities</strong> <P> China has previously responded to allegations leveled by the U.S. government -- that the Chinese government supports a number of APT attack groups -- by saying that <a href="http://www.informationweek.com/security/attacks/china-targets-us-in-hacking-blame-game/240149649">China gets hacked too</a>, and President Xi reportedly emphasized that again during the summit. <P> But Donilon said the White House has been attempting to push beyond bland generalities about global cybercrime. "The discussion that we're having with China with respect to this topic is really not focused on cyber hacking and cybercrime," he said. "These are problems that we've faced and we've faced jointly." <P> "The specific issue that President Obama talked to President Xi about today is the issue of cyber-enabled economic theft -- theft of intellectual property and other kinds of property in the public and private realm in the United States by entities based in China," he said Saturday. <P> <strong>4. Chinese Media Downplays Cyber Angle</strong> <P> Diplomatically speaking, China is now striking a more conciliatory cybersecurity note, with government officials at least mentioning the word publicly. "At this summit, Xi told Obama that cybersecurity should be a new highlight of bilateral cooperation instead of a source of suspicion and friction," said China's official Xinhua News Agency. "They agreed to strengthen dialogue, coordination and cooperation through the already-established cyber working group." <P> But in recent days, multiple official Chinese press outlets have suggested that the U.S. 
media has been obsessing over information security. For example, political science professor Zhu Zhiqun at Bucknell University in Lewisburg, Pa., told the state-owned <em>China Daily</em> that many Western media outlets had focused on cybersecurity "without a proper understanding of the complex relationship between the two great powers." <P> "Cybersecurity is hardly a major issue between the two countries," claimed Zhu.

2013-06-10T12:41:00Z
NSA Prism: Inside The Modern Surveillance State
The government's approach seems to be: "Collect first, ask questions later."
http://www.informationweek.com/security/privacy/nsa-prism-inside-the-modern-surveillance/240156341?cid=SBX_iwk_related_video_Privacy_security

Dystopia used to seem sexier. In George Orwell's <em>1984</em>, Big Brother used non-stop wars and ever-present surveillance to keep the population in check. A stray glance or thoughtcrime might send you to the slammer. Who wouldn't rebel against that? <P> In today's increasingly wired -- and wireless -- world, however, the surveillance situation is much more banal: Under the <a href="http://www.informationweek.com/security/government/nsa-prism-creates-stir-but-appears-legal/240156233">NSA's Prism program</a>, APIs installed on servers running at Google, Facebook, Microsoft and other technology giants give government spooks access to meta-data relating to communications and phone calls. It is signals intelligence meets big data and analytics, with a self-writing sales pitch that seems tailor-made for the Big Three: "Mass surveillance to monitor for suspected terrorists across the entire United States, for only $20 million." Data storage, no doubt, costs extra. <P> To top it all off, the design of the top secret Prism PowerPoint documents -- leaked by Edward Snowden, 29, an employee of Booz Allen Hamilton who's done contract work for U.S. 
intelligence agencies -- is, in the words of <a href="https://twitter.com/EdwardTufte/status/342816028419575808">renowned design guru Edward Tufte</a>, "dreadful." <P> <strong>[ Do you know what this means for your job? Read <a href="http://www.informationweek.com/global-cio/interviews/nsa-dragnet-debacle-what-it-means-to-it/240156243?itc=edit_in_body_cross">NSA Dragnet Debacle: What It Means To IT</a>.]</strong> <P> But the biggest problem with the NSA's program is that it has all the hallmarks of an "engineering first" mindset, along these lines: With all of that metadata floating in the ether, why not build it and see what secrets it might reveal? The same philosophy appeared to be behind Google's Street View program, in which a "rogue engineer" <a href="http://www.informationweek.com/security/privacy/google-wardriving-how-engineering-trumpe/232901230">pursued wardriving by design</a>, capturing Wi-Fi data for later analysis. Numerous governments fined Google for privacy violations. <P> Similar privacy fears were raised after a security researcher discovered that Carrier IQ diagnostic software installed on 141 million handsets could be used to <a href="http://www.informationweek.com/security/privacy/carrier-iq-vs-wiretap-laws/232200565">capture every keystroke</a> entered on the phone. While the company at first refused to discuss its software or what controls might be in place to counter abuse, it belatedly <a href="http://www.informationweek.com/security/mobile/carrier-iq-gets-scrooged-for-the-holiday/232200654">surrendered details</a> in response to a Senator's inquiry. <P> Both episodes highlight that, where U.S. citizens' rights are concerned -- including Fourth Amendment protections against unreasonable searches -- technical feasibility doesn't settle the moral question: Is it right? 
<P> Or <a href="https://twitter.com/mckeay/status/343923832165380096">in the words of Akamai's security evangelist, Martin McKeay</a>: "'Democratic Surveillance' -- collect minimum needed to be effective. 'Totalitarian Surveillance' -- collect everything, sort it out later." <P> Is Prism even legal? George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has suggested that <a href="http://www.volokh.com/2013/06/07/is-the-prism-surveillance-program-legal/">Prism simply implements the Protect America Act of 2007 and FISA Amendments Act of 2008</a>. But as Glenn Greenwald, the Brazil-based U.S. citizen who broke the Prism story for the <em>Guardian</em> <a href="https://twitter.com/ggreenwald/status/344040989175996417">tweeted</a> Monday: "If everyone is so sure this spying is legal, why does Obama DOJ keep preventing federal courts from ruling on its constitutionality?" <P> Now it's up to the Obama administration to prove not only that the program is legal, but that privacy and usage safeguards are in place -- and subject to external reviews -- to ensure that information is only used to spy on foreigners, without infringing U.S. citizens' privacy. In other words, the White House must prove the system is just. <P> Where moral questions are concerned, Snowden said he doesn't think the NSA operators were evil -- far from it. "Analysts (and government in general) aren't bad guys, and they don't want to think of themselves as such," he <a href="http://www.washingtonpost.com/world/national-security/code-name-verax-snowden-in-exchanges-with-post-reporter-made-clear-he-knew-risks/2013/06/09/c9a25b54-d14c-11e2-9f1a-1a7cdee20287_story_1.html">told <em>The Washington Post</em></a>. But the NSA's approach, he said, rests on a false premise: "If a surveillance program produces information of value, it legitimizes it," he said. <P> That "collect first, ask questions later" justification is chilling. 
Indeed, one big problem with big data analytics when practiced by intelligence or law enforcement agencies is that it's <a href="http://www.informationweek.com/global-cio/interviews/nsa-dragnet-debacle-what-it-means-to-it/240156243">not a zero-sum game</a>. The NSA's data dragnet operation snares information from everyone. According to accounts of how the system seems to work, it's then left to intelligence analysts to tweak their algorithms until they're only investigating hits on people for whom they have a "51% confidence" of being foreign. <P> In the wrong hands, or without proper oversight, the data set collected by the NSA would be a privacy nightmare. In March 2013, for example, a <a href="http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html">study published in <em>Nature</em></a> found that "human mobility traces are highly unique," and that just four data points -- each a location and a time -- were enough to "uniquely identify 95% of the individuals" studied. Picking two random points, meanwhile, allowed researchers to correctly identify half of the people in the mobility data set, which was collected from 1.5 million people over a 15-month period. <P> Given the risks introduced by Prism, the big question in coming days will be: Who's guarding our secrets? Are the petabytes of information potentially being collected in safe hands? <P> One harbinger that the answers may not be to our liking comes via the actions of Snowden, a contract NSA network administrator who, after seeing the program in operation, gave up his $200,000 annual salary, job in Hawaii and hopes of ever seeing his girlfriend or family again. Snowden said the Prism program led him to conclude that the modern surveillance state is "such a direct threat to democratic governance that I have risked my life and family for it." 
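<P> The <em>Nature</em> result cited above (a handful of location-and-time points singling out almost everyone in a pseudonymised dataset) is easy to reproduce in miniature, and doing so shows why stripping names from a metadata dragnet buys little. The Python below is an added example, not code from the article or from the study. The traces are constructed pseudonymised data, and the metric follows the study's notion of uniqueness: a set of points is unique when exactly one trace in the dataset contains all of them. It also exposes one blind spot the paragraph doesn't mention: a person whose trace is a subset of someone else's can never be singled out, however many of their points you take.

```python
"""Uniqueness of pseudonymised mobility traces (added example, not code from the
article or the Nature study).  A point is (cell_id, hour); a set of points is
"unique" when exactly one trace in the dataset contains all of them."""
import random
from fractions import Fraction
from itertools import combinations

# Constructed sample: pseudonym -> set of (cell_id, hour) observations.
# Note u1's trace is a strict subset of u3's, so no choice of u1's points
# can ever single u1 out: containment is a blind spot of this attack.
TRACES = {
    "u1": {("A", 8), ("B", 12), ("C", 18)},
    "u2": {("A", 8), ("B", 12), ("D", 18)},
    "u3": {("A", 8), ("B", 12), ("C", 18), ("E", 22)},
    "u4": {("F", 8), ("G", 12)},
}


def matching_users(traces, points):
    """Pseudonyms whose trace contains every one of `points`."""
    pts = set(points)
    return {uid for uid, trace in traces.items() if pts <= trace}


def is_unique(traces, points):
    """True when the points narrow the dataset down to a single trace."""
    return len(matching_users(traces, points)) == 1


def user_uniqueness(traces, uid, k):
    """Exact share of k-point subsets of uid's trace that single uid out.
    None when the trace has fewer than k points (such users are left out
    of the k-point statistic rather than counted as non-unique)."""
    trace = sorted(traces[uid])
    if len(trace) < k:
        return None
    subsets = list(combinations(trace, k))
    hits = sum(is_unique(traces, s) for s in subsets)
    return Fraction(hits, len(subsets))


def dataset_uniqueness(traces, k):
    """Mean of user_uniqueness over users with at least k points (exhaustive;
    fine for small data, too slow for millions of users)."""
    vals = [v for v in (user_uniqueness(traces, u, k) for u in traces) if v is not None]
    return sum(vals, Fraction(0)) / len(vals) if vals else Fraction(0)


def estimate_uniqueness(traces, k, trials=200, seed=0):
    """Monte-Carlo version for large datasets, mirroring the study's method:
    draw k random points from each user's trace `trials` times."""
    rng = random.Random(seed)
    hits = total = 0
    for uid, trace in traces.items():
        trace = sorted(trace)
        if len(trace) < k:
            continue
        for _ in range(trials):
            hits += is_unique(traces, rng.sample(trace, k))
            total += 1
    return hits / total if total else 0.0


if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        print(k, dataset_uniqueness(TRACES, k), round(estimate_uniqueness(TRACES, k), 3))
```

<P> On the toy data, uniqueness climbs from 19/48 at one point to 13/24 at two and 7/12 at three, with u1 stuck at zero throughout because u3's trace contains it. The pseudonyms never enter the computation, which is the point: once an outside observer knows a few of your (cell, hour) pairs from any other source, the "anonymised" dataset hands them the rest of your trace.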
<P> "Perhaps I am naive," Snowden told <em>The Washington Post</em>, "but I believe that at this point in history, the greatest danger to our freedom and way of life comes from the reasonable fear of omniscient State powers kept in check by nothing more than policy documents." <P> Now it's up to the Obama administration to refute that criticism and assuage Americans' concerns. In the <a href="http://www.guardian.co.uk/world/2013/jun/09/technology-giants-nsa-prism-surveillance">words of Senator Mark Udall</a> (D-Colo.), a member of the Senate intelligence committee who commented Sunday about ongoing Prism questions: "Let's have the debate, let's be transparent. Let's open this up."

2013-06-07T13:31:00Z
Android Trojan Looks, Acts Like Windows Malware
Android Trojan "Obad.a" rivals Windows malware in the harm it can do to mobile device users, say experts.
http://www.informationweek.com/security/mobile/android-trojan-looks-acts-like-windows-m/240156254?cid=SBX_iwk_related_video_Privacy_security

Android malware is becoming more like Windows or Mac malware; in other words, more dangerous to users. One of the latest, a Trojan application called Obad.a, offers capabilities that rival many types of malware currently targeting Windows or Mac OS X systems, say experts. 
<P> For starters, the new malware creates an attacker-accessible backdoor on infected Android devices, can download and install additional malware, infect nearby devices -- via Wi-Fi or Bluetooth -- and receive further instructions from the attacker. For good measure, the malware also can <a href="http://www.informationweek.co.uk/mobility/security/malware-writers-prefer-android/240150256">send SMS messages to premium phone numbers</a>, thus generating revenue for attackers or their business associates. <P> "At a glance, <a href="http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan">we knew this one was special</a>," said Roman Unuchek, a security researcher at Kaspersky Lab, in a blog post, citing the fact that whoever developed the malware not only built in numerous capabilities, but also carefully hid the code to make it difficult to detect or study. <P> "Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a's in mobile malware," Unuchek said. That concealment extends to the Android user experience: the malware runs in the background and has no user interface. <P> <strong>[ How low can hackers go? Read <a href="http://www.informationweek.com/security/attacks/malware-attackers-exploit-boston-maratho/240153142?itc=edit_in_body_cross">Malware Attackers Exploit Boston Marathon Bombing</a>. ]</strong> <P> Although the malware is somewhat rare, it's reportedly being distributed in a typical way: most likely disguised as a legitimate app via "alternative app stores and fishy websites," <a href="http://www.androidpolice.com/2013/06/07/kaspersky-researchers-discover-most-advanced-android-malware-yet/">reported Android Police</a>. 
<P> Whoever built the malware took advantage of three different flaws in the Android operating system, or related software, to make the malware more difficult to detect or eradicate. For example, the attackers used a vulnerability in the dex2jar software -- often used by malware analysts to convert Android application package (APK) files into Java Archive (JAR) format for easier analysis -- that prevents the APK file from being successfully converted. <P> Attackers also discovered a vulnerability in the <a href="http://developer.android.com/guide/topics/manifest/manifest-intro.html">AndroidManifest.xml file specification</a>, which provides essential information about every application to the Android operating system. Using this vulnerability, attackers were able to give the malware a file description that can't be automatically parsed by analysis tools, but which is still processed correctly by the Android operating system. <P> Finally, the malware's developers "also used yet another previously unknown error in the Android operating system," said Unuchek, which results in the malware being granted "extended Device Administrator privileges without appearing on the list of applications which have such privileges." From a user-interface standpoint, it also means that once the malware infects the device, a user can't revoke those privileges or even delete the application through the operating system. <P> Using these privileges, the malware can disable access to the device's screen for up to 10 seconds, which is likely used to conceal bad behavior, because it "typically happens after the device is connected to a free Wi-Fi network or Bluetooth is activated," said Unuchek. "With a connection established, the Trojan can copy itself and other malicious applications to other devices located nearby." 
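<P> One practical check that follows from the paragraphs above: before an Android sample reaches a sandbox, score its manifest for the capability mix described here (a device-administrator receiver, SMS sending, Bluetooth control, no launcher activity) and treat a manifest your tooling cannot parse as a finding rather than a dead end, since a manifest that Android accepts but analysis tools reject was exactly the trick described. The Python below is an added example, not Kaspersky's or the article's code. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool); the permission and intent names are Android's real ones, while the weights and the sample manifests are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml (added example, not Kaspersky's
or the article's code).  Scores the capability mix described for Obad.a and
escalates manifests the parser rejects.  Assumes the manifest has already been
decoded from binary AXML to text, e.g. with apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Real Android permission names; weights and descriptions are this example's
# assumptions, chosen to mirror the behaviour the article describes.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": (3, "can send SMS, e.g. to premium numbers"),
    "android.permission.RECEIVE_SMS": (2, "can intercept incoming SMS such as mTANs"),
    "android.permission.BLUETOOTH_ADMIN": (2, "can discover and pair with nearby devices"),
    "android.permission.CHANGE_WIFI_STATE": (1, "can toggle Wi-Fi connections"),
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_WEIGHT, NO_LAUNCHER_WEIGHT, PARSE_FAILURE_SCORE = 4, 2, 10  # assumptions


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(activity):
    """True when one intent filter carries both MAIN and LAUNCHER."""
    for f in activity.findall("intent-filter"):
        actions = {attr(a, "name") for a in f.findall("action")}
        categories = {attr(c, "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def is_device_admin(receiver):
    """Device-admin receivers are guarded by BIND_DEVICE_ADMIN and/or listen
    for DEVICE_ADMIN_ENABLED; either marker is enough to flag."""
    if attr(receiver, "permission") == DEVICE_ADMIN_PERMISSION:
        return True
    return any(attr(a, "name") == DEVICE_ADMIN_ACTION
               for f in receiver.findall("intent-filter")
               for a in f.findall("action"))


def triage(manifest_xml):
    """Return {'parseable': bool, 'score': int, 'findings': [str]}."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        # Obad.a's manifest was accepted by Android but defeated analysis
        # tools, so a parse failure is a finding, not a reason to skip.
        return {"parseable": False, "score": PARSE_FAILURE_SCORE, "findings": [
            "manifest rejected by parser (%s): escalate for manual review" % exc]}
    score, findings = 0, []
    for perm in root.findall("uses-permission"):
        name = attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            weight, why = RISKY_PERMISSIONS[name]
            score += weight
            findings.append("%s: %s" % (name, why))
    app = root.find("application")  # compare with None: empty Elements are falsy
    activities = [] if app is None else app.findall("activity")
    receivers = [] if app is None else app.findall("receiver")
    for rcv in receivers:
        if is_device_admin(rcv):
            score += DEVICE_ADMIN_WEIGHT
            findings.append("device-administrator receiver %s: can block uninstall "
                            "and lock the screen" % attr(rcv, "name"))
    if not any(is_launcher(a) for a in activities):
        score += NO_LAUNCHER_WEIGHT
        findings.append("no launcher activity: runs with no user-visible interface")
    return {"parseable": True, "score": score, "findings": findings}


# Constructed sample manifests; neither is a real app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
 <uses-permission android:name="android.permission.CAMERA"/>
 <application android:label="Flashlight">
  <activity android:name=".MainActivity"><intent-filter>
   <action android:name="android.intent.action.MAIN"/>
   <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
 </application></manifest>"""
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysupdate">
 <uses-permission android:name="android.permission.SEND_SMS"/>
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
 <uses-permission android:name="android.permission.INTERNET"/>
 <application android:label="System Update">
  <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
   <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
  <service android:name=".Background"/>
 </application></manifest>"""
# Unbalanced tags stand in for a manifest that analysis tooling rejects.
MALFORMED_MANIFEST = "<manifest><application><receiver></application></manifest>"

if __name__ == "__main__":
    print(triage(BENIGN_MANIFEST), triage(SUSPICIOUS_MANIFEST), triage(MALFORMED_MANIFEST), sep="\n")
```

<P> Two caveats a practitioner would want. First, a device-administrator receiver is also how legitimate MDM and anti-theft apps work, so a hit here is where triage starts, not proof; the article's point is that Obad.a held those privileges without showing up in the device's admin list, which a manifest check cannot see. Second, this runs on decoded text; the dex2jar and manifest tricks described above bite at the decoding step, which is why the parse-failure branch escalates instead of returning an empty result.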
<P> "Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek said. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers." <P> Looking beyond Obad.a, the volume of malware that targets Android devices continues to increase. "Our count of mobile malware samples, just about exclusively for the Android OS, continues to skyrocket," said a <a href="http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q1-2013.pdf">threat report</a> released last month by security firm McAfee, which analyzes the first three months of 2013. "Almost 30% of all mobile malware [ever recorded] appeared this quarter," it said. "Malicious spyware and targeted attacks highlighted the latest assaults on mobile phones." <P> Until last year, the majority of mobile malware attacks targeted users in Russia and China. But that's changing, according to McAfee's study. In recent months, for example, banking customers in Australia, Italy and Thailand were targeted with malware known as FKsite that purported to be secure online banking software. "Instead it forwards mobile transaction authorization numbers (mTANs) to attackers," said the report, referring to the one-time codes that some banks send via SMS to a subscriber's phone, and which must be used to authorize unusual or high-value transactions. Of course, such malware isn't new; the <a href="http://www.informationweek.co.uk/security/attacks/zeus-bank-malware-surges-on-facebook/240156156">Zeus variant known as Zitmo</a>, which debuted in 2011, targets mTANs. <P> Other recently discovered malware includes Smsilence.A, which is disguised as a coupon app for a popular South Korean coffee chain, but which can relay the device's phone number and forward or delete SMS messages. 
It only infects devices with a phone number beginning with South Korea's country code (+82). <P> Some mobile malware is even simpler, and recalls the <a href="http://www.informationweek.com/security/vulnerabilities/ransomware-pays-fbi-updates-reveton-malw/240143047">Reveton ransomware</a> scam, which tricks users into paying a fine for alleged illegal activity, supposedly to the FBI. One Android equivalent is Fakejoboffer, which targets users in India, telling them they've won a prize but must pay a small fee to collect it. Of course, after paying the fee, they receive no prize. <P> Meanwhile, malware known as Ssucl.a -- a Trojan disguised as a system cleanup utility -- serves as a node in a botnet, and can launch phishing attacks to retrieve Google and Dropbox log-in credentials. Closing the gap between malware that's designed for desktop operating systems versus mobile devices, Ssucl.a also can launch <a href="http://www.informationweek.com/security/vulnerabilities/8-reasons-conficker-malware-wont-die/232901154">auto-run infections</a> against any Windows system it's connected to.

2013-06-07T11:35:00Z
NSA PRISM Creates Stir, But Appears Legal
Massive information-sharing program involves Google, Facebook and other tech heavyweights, top secret doc details. But NSA looks to have acted inside the law.
http://www.informationweek.com/security/government/nsa-prism-creates-stir-but-appears-legal/240156233?cid=SBX_iwk_related_video_Privacy_security

Has the National Security Agency been illegally spying on Americans? <P> The <em>Guardian</em> newspaper in Britain Thursday <a href="http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data">published a top-secret document</a>, dated April 2013, outlining an information-sharing program -- code-named PRISM -- that counts seven of the country's biggest technology giants as participants, including Apple, Facebook and Google. 
<P> Run by the NSA, the program reportedly provides the agency with access to real-time information as well as stored data from the businesses' systems. According to a chart included in the NSA document, the agency has direct access to servers, and is able to access email, voice and video chat, videos, photos, stored data, VoIP, file transfers, video conference, login activity, social network details as well as "special requests." The current providers of such data are listed as Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Apple. But the document said that the program is continuing to expand, naming Dropbox as an upcoming provider of data. <P> Those revelations came in the wake of a report released earlier this week that detailed a <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">secret U.S. court order that compelled Verizon</a> to share all of its customers' call records, as well as details relating to subscribers' emails, Web searches and credit card activity. Similar programs count AT&T and Sprint as information providers, <a href="http://online.wsj.com/article/SB10001424127887324299104578529112289298922.html"><em>The Wall Street Journal</em> reported</a> Friday. <P> <strong>[ Where is the balance between security and civil liberties? See <a href="http://www.informationweek.com/security/government/boston-bombers-cant-elude-citys-tech-inf/240153256?itc=edit_in_body_cross">Boston Bombers Can't Elude City's Tech Infrastructure</a>. ]</strong> <P> Responding to the outing of the PRISM program, James R. Clapper, the U.S. 
director of National Intelligence, <a href="http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information">issued a statement "on recent unauthorized disclosures of classified information"</a> Thursday, saying that "the article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties." <P> Clapper continued, "I believe it is important for the American people to understand the limits of this targeted counterterrorism program and the principles that govern its use." To that end, he said that he'd directed that some information relating to the "business records" accessed by the program "be declassified and immediately released to the public." <P> Friday, the <a href="http://www.guardian.co.uk/technology/2013/jun/07/uk-gathering-secret-intelligence-nsa-prism"><em>Guardian</em> reported</a> that the NSA's British equivalent, known as the Government Communications Headquarters (GCHQ), has enjoyed access to PRISM since 2010, and last year generated 197 intelligence reports using the program. <P> PRISM began in 2007. The first participant was Microsoft, followed by Yahoo (2008); Google, Facebook and PalTalk (2009); YouTube (2010); Skype and AOL (2011); and Apple (2012), reported the <em>Guardian</em>. <P> In response to questions about their PRISM participation, all of the technology companies named in the PRISM document <a href="http://mashable.com/2013/06/06/facebook-google-apple-prism">issued curiously similar statements</a> that largely included legal and technical hedges, saying they complied with court orders, but never gave the government "direct access" or a "back door" into their systems. <P> A statement issued by Google reads, "Google cares deeply about the security of our users' data. 
We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data." <P> While some businesses, including Apple, <a href="http://online.wsj.com/article/SB10001424127887324798904578529912280347482.html">said they'd never heard of PRISM</a>, none of the businesses denied being part of such a program. Then again, they may be <a href="http://venturebeat.com/2013/06/06/facebook-google-prism-denial/">subject to a gag order</a>. <P> "My read on PRISM: named [companies] provide an API to specific content and 'target activity' under FISA. Think of it as push notification for NSA," <a href="https://twitter.com/ashk4n/status/342890918434721792">tweeted</a> security researcher Ashkan Soltani. "This isn't 'direct access' nor is it a 'backdoor' which is why the talking points are all similar. It's a targeted API." <P> But is PRISM legal? The short answer appears to be -- no matter how unpalatable a massive domestic Internet surveillance program might sound -- yes. <P> "From what I've seen so far, it sounds like the program is the way the government is implementing the FISA Amendments Act of 2008 and the Protect America Act of 2007, which were enacted in response to the 2005 disclosure of the Bush Administration's <a href="http://www.informationweek.com/security/government/should-nsa-be-scanning-business-networks/232601943">warrantless wiretapping program</a>," said George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, in a <a href="http://www.volokh.com/2013/06/07/is-the-prism-surveillance-program-legal/">blog post</a>. <P> Even so, the scale of the domestic surveillance programs, launched by President George W. 
Bush and reauthorized by President Barack Obama, has drawn criticism from a number of civil rights and privacy groups. "Many lawmakers, like Senators Wyden and Udall, warned that the Executive Branch's interpretations of the Patriot Act and the FISA Amendments Act were dangerously broad," said Center for Democracy and Technology (CDT) senior counsel Greg Nojeim, in a statement. "Now we know just how right they were, and just how badly Congress needs to reform those laws." <P> Based on the leaked PRISM materials, however, the takeaway from the program doesn't appear to differ significantly from previously used law enforcement data-gathering techniques. "There's less difference between this 'collection-first' program and the usual law enforcement data search than first meets the eye," said <a href="http://www.steptoe.com/professionals-762.html">attorney Stewart A. Baker</a>, who served as NSA general counsel from 1992 to 1994. "In the standard law enforcement search, the government establishes the relevance of its inquiry and is then allowed to collect the data. In the new collection-first model, the government collects the data and then must establish the relevance of each inquiry before it's allowed to conduct a search." <P> "If you trust the government to follow the rules, both models end up in much the same place," Baker said.

2013-06-06T13:47:00Z
China To America: You Hack Us, Too
Difference is China doesn't point fingers, says head of China's computer emergency response team, even though it has "mountains" of evidence that U.S. snoops.
http://www.informationweek.com/security/attacks/china-to-america-you-hack-us-too/240156178?cid=SBX_iwk_related_video_Privacy_security

Numerous online attacks against China have been traced back to U.S. servers. But unlike authorities in the United States, the Chinese government chooses not to point the finger, according to the head of the country's computer emergency response team. <P> <a href="http://www.chinadaily.com.cn/business/2013-06/05/content_16569726.htm">"We have mountains of data, if we wanted to accuse the U.S.</a>, but it's not helpful in solving the problem," Huang Chengqing, the director of the National Computer Network Emergency Response Technical Team Coordination Center of China (CNCERT), told government-run media outlet <em>China Daily</em> Wednesday. <P> According to data published by <a href="http://www.cert.org.cn/publish/english/index.html">CNCERT</a>, in the first three months of 2013, 5.6 million systems in China were infected by malware tied to 13,400 command-and-control servers located overseas. Of those, more than half of infected systems -- 2.9 million PCs -- were controlled by about 4,000 command-and-control servers based in the United States. Meanwhile, 3,500 U.S. systems had been used to take over about 7,700 different websites located in China. <P> <strong>[ China has been blamed for a variety of intrusions. 
Read <a href="http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064?itc=edit_in_body_cross">China Tied To 3-Year Hack Of Defense Contractor</a>. ]</strong> <P> In the same timeframe, CNCERT reported that 54 U.S.-based IP addresses had "hijacked Chinese official websites to steal data," which according to <em>China Daily</em> included sites related to "government departments, key information systems and research institutions." <P> Despite the origin of the attacks, "it's hard to judge whether the U.S. government supported or got involved in the hacking," Huang said. "Besides, hackers can easily hide their real location and identities." As a result, he added, "technically it is irresponsible and unfounded for some people to talk about alleged hacking supported by the Chinese authorities." Huang's comments were published in advance of a two-day Chinese-American summit between President Obama and China's newly minted leader, President Xi Jinping, which is scheduled to occur this Friday and Saturday in California. His comments continue the People's Republic of China (PRC) <a href="http://www.informationweek.com/security/attacks/china-targets-us-in-hacking-blame-game/240149649">party line</a>, which is that the government isn't sponsoring espionage attacks against the United States. <P> The <a href="http://www.informationweek.com/security/attacks/china-hack-attacks-play-offense-or-defen/240150482">blame game against Chinese hackers</a> has intensified in recent months. In February, a report from security firm Mandiant <a href="http://www.informationweek.com/security/attacks/china-denies-us-hacking-accusations-6-fa/240149058">accused a Chinese army unit</a> of having launched advanced persistent threat (APT) attacks against U.S. businesses. 
In March, Chinese Premier Li Keqiang <a href="http://www.chinadaily.com.cn/video/2013npc/2013-03/17/content_16314662.htm">rejected those accusations</a>, saying that they amounted to a "presumption of guilt," and that "China does not support but indeed oppose such attacks." <P> But a confidential Department of Defense report from January 2013, portions of which were first published last month by <em>The Washington Post</em>, said that hack attacks attributed to state-sponsored Chinese attackers had been <a href="http://www.informationweek.com/security/attacks/chinese-hackers-stole-us-military-secret/240155624">much more widespread</a> than previously acknowledged, and had resulted in the compromise of data relating to cutting-edge military weapons systems and technologies that are critical to national security.Still, arguably every country with the capability to <a href="http://www.informationweek.com/security/management/flame-malware-tapped-world-class-crypto/240001763">conduct online espionage operations</a> against rival governments does so. What makes China's alleged hacking any different from operations that might be sanctioned by the U.S. government? <P> "<a href="http://globalpublicsquare.blogs.cnn.com/2013/05/23/cyber-security-expert-answers-readers-questions/">China has been called out</a> because it appears groups within China have been particularly aggressive about such acts, and also are indulging at intrusions and theft in a grand scale (perhaps a function of their large population)," information security expert Eugene Spafford, a professor of computer sciences at Purdue University and former member of the President's Information Technology Advisory Committee, recently told CNN. <P> "I've heard some officials refer to it as 'large scale hoovering of information.' I imagine that some U.S. 
officials hoped that the public condemnation might cause second-thoughts by the perpetrators and a lessening of the brazen intrusions, but that doesn't appear to have happened -- at least, news reports indicate that not much has changed," he said. <P> Apparently responding to that escalation in U.S. rhetoric, Huang said U.S. authorities have publicly aired accusations about the theft of secrets by Chinese hackers, rather than first attempting to work with his agency to launch an investigation. "Some cases can be addressed if they had talked to us, why not let us know? It is not a constructive train of thought to solve problems," he said. <P> Obviously, Huang's comments could be disingenuous, or reflect that he's not party to the Chinese government's alleged industrial espionage operations. <P> "The government of the PRC has firmly denied any such activity by their government," said Spafford. "However, I also don't know of any modern country that has admitted to large-scale espionage when accused of such. You may draw your own conclusions." <P> Either way, don't expect the back-and-forth accusations to stop anytime soon. "A year ago these things were being said behind closed doors and now the <a href="http://www.welivesecurity.com/2013/06/05/china-has-mountains-of-data-on-u-s-cyber-attacks/">arguments are out in the open</a>, which hopefully marks a step forward in achieving some level of detente with respect to cyber espionage," said ESET security researcher Stephen Cobb in a blog post. 
"Although that is probably a long way off."

2013-06-06T13:11:00Z
Police Bust $200 Million Data Theft Ring
U.S., British and Vietnamese authorities accuse men of selling 1.1 million stolen credit cards via Gmail and Facebook accounts.
http://www.informationweek.com/security/attacks/police-bust-200-million-data-theft-ring/240156195?cid=SBX_iwk_related_video_Privacy_security

One of the world's largest underground "carder" forums for reselling stolen credit card data has been shut down.

That announcement was made Wednesday by the FBI, together with police in Britain and Vietnam, who have been conducting a joint investigation into the "Mattfeuter" website. Authorities have accused the site of selling harvested personal information, including 1.1 million stolen credit cards, which were used to make at least $200 million in fraudulent credit card charges.

In the past week, Vietnamese police have <a href="http://english.vietnamnet.vn/fms/society/75997/the--boss--in--200mil-credit-card-fraud-ring-arrested.html">arrested eight men</a> as part of the investigation, which is ongoing. Five were charged with being part of the gang that ran Mattfeuter, while three were charged with using information they'd obtained on the forum for ongoing gambling. A local news report named one of the arrested men, Van Tien Tu, as the boss of the operation.

<strong>[ It's getting harder for cybercriminals to launder money without leaving a trail. Read <a href="http://www.informationweek.com/security/cybercrime/liberty-reserve-fallout-how-will-cybercr/240156012?itc=edit_in_body_cross">Liberty Reserve Fallout: How Will Cybercrime Move Money?</a> ]</strong>

"Although we haven't yet heard of many cases with Vietnamese cyber crime yet, the improvements in Vietnamese law passed in 2009 made it a criminal offense to fraudulently obtain card data from overseas targets, as well as from victims in Vietnam," said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, in a <a href="http://garwarner.blogspot.co.uk/2013/06/vietnamese-carders-arrested-in.html">blog post</a>.

In the United States, a related investigation has focused on Vietnam resident Duy Hai Truong, 23, who was arrested last week by Vietnamese police on related charges filed by British authorities. The Department of Justice, in a <a href="http://www.cis.uab.edu/forensics/blog/Duy.Hai.Truong.Sworn.Complaint.pdf">criminal complaint</a> filed Wednesday in federal court, charged Truong with being one of the leaders of the massive conspiracy to commit bank fraud, which began in 2007 and specialized in stealing data from online retailers. If convicted, Truong faces up to 30 years in jail and a fine of $1 million, or two times the gain derived from the crimes or the loss suffered by victims, whichever is greater.

Britain's Serious Organized Crime Agency (SOCA) announced Wednesday that it had arrested three men in London whom it accused of being "significant forum users." Related arrests reportedly also took place in Germany and Italy.

"One of the world's major facilitation networks for online card fraud has been dismantled by this operation," said SOCA's Andy Archibald, who's the interim deputy director of Britain's national cyber crime unit, in a statement. "Those engaged in this type of crime should know that they are neither anonymous nor beyond the reach of law enforcement agencies."

SOCA said it is continuing to target more "Mattfeuter.ru" forum members and to share related intelligence with international law enforcement agencies, and that further arrests of forum members are likely.

How did the forum operate? According to the U.S. criminal complaint, which was sworn by FBI Special Agent Russell Ficara, the forum sold data relating to an individual's personal identifying information (PII), which was known as a "dump." Each dump would fetch between $1 and $300, depending on the victim's country and the completeness of the data, which might include name, address, credit card details and social security number. Payments for dumps were made via wire-transfer services such as Western Union, as well as via <a href="http://www.informationweek.com/security/cybercrime/liberty-reserve-fallout-how-will-cybercr/240156012">Liberty Reserve</a>. Buyers either used dumps to make fraudulent credit card charges, or else resold the dumps to other carders.

Forum users could email their requests to the hackers who ran "Mattfeuter" and would need to use a wire-transfer service to send payment, then provide the related money transfer control number (MTCN) as proof of purchase before receiving the requested data.

But approximately 16,000 users instead registered with the "www.mattfeuter.biz" or "www.mattfeuter.com" websites -- which required creating a username and password -- and could then browse available credit card numbers and search by region and credit card issuer. The site offered discounts for bulk purchases. After selecting their desired dumps, users headed to a checkout screen, where they entered their Liberty Reserve number to finalize the transaction, according to the criminal complaint.
Ficara said that he reviewed more than 1,100 bank accounts during the course of the investigation, and that Truong controlled email accounts that received many of the MTCNs used to pay for dumps. He said that the vast majority of these MTCNs were cashed in at a single Western Union location in Ho Chi Minh City, Vietnam, and that they exceeded $1.9 million.

According to the complaint, in a related case, an unnamed individual pleaded guilty to credit card fraud and began working with an unnamed law enforcement agency. As part of that cooperation, the person met with others who claimed to have access to stolen credit card numbers offered for sale via Mattfeuter, and communicated with the site using a Gmail account that was controlled by Truong. According to Ficara, Truong also used a Facebook account -- in his own name, and with a photograph of himself -- to post messages to dump purchasers.

2013-06-06T10:46:00Z
Microsoft, FBI Trumpet Citadel Botnet Takedowns
Joint operation is first in which law enforcement and private sector use civil seizure warrant to disrupt massive malware attack.
http://www.informationweek.com/security/attacks/microsoft-fbi-trumpet-citadel-botnet-tak/240156171?cid=SBX_iwk_related_video_Privacy_security

Microsoft and the FBI announced Wednesday that in a joint operation, they took down over 1,000 Citadel botnets that were being used to control millions of malware-infected PCs.

Over the past 18 months, authorities believe the botnets stole over $500 million from consumer and business bank accounts, infecting more than 5 million PCs located in 90 countries, including the United States, Australia, Hong Kong, India and large parts of Western Europe.

The takedown began last week, when Microsoft filed a civil lawsuit against the botnet "herders" running 1,463 <a href="http://www.informationweek.com/security/attacks/malware-tools-get-smarter-to-nab-financi/240062579">Citadel botnets</a>. Using a court-ordered seizure request and working with U.S. Marshals, Microsoft employees seized servers from two hosting facilities in New Jersey and Philadelphia and provided information about the botnets to overseas Computer Emergency Response Teams (CERTs), requesting that they target related command-and-control infrastructure. The FBI simultaneously provided related information to its overseas law enforcement counterparts.

<strong>[ Zeus is back with a vengeance. Here's how to protect yourself and your business. <a href="http://www.informationweek.com/smb/security/zeus-malware-returns-targets-smbs/240156113?itc=edit_in_body_cross">Zeus Malware Returns, Targets SMBs</a>. ]</strong>

A related complaint, unsealed Wednesday, charged a "John Doe" who uses the alias "Aquabox" with being the mastermind behind the botnet gang and managing a group of over 80 "botnet herders" around the world who controlled groups of Citadel-infected PCs.

While Microsoft has previously participated in seven botnet takedowns, this operation marks the first time that law enforcement and the private sector have worked together in this way to execute a civil seizure warrant as part of a botnet disruption operation, according to a <a href="http://blogs.technet.com/b/microsoft_blog/archive/2013/06/05/microsoft-works-with-financial-services-industry-leaders-law-enforcement-and-others-to-disrupt-massive-financial-cybercrime-ring.aspx">blog post</a> by Richard Domingues Boscovich, assistant general counsel for Microsoft's digital crimes unit.

Like many types of malware, Citadel not only infected PCs but also resisted attempts to remove it. "During our investigation we found that Citadel blocked victims' access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer," said Boscovich. "However, with the disruptive action, victims should now be able to access these previously blocked sites."

According to Microsoft, the gang behind the Citadel botnets infected PCs in part by <a href="http://www.informationweek.com/software/enterprise-applications/microsoft-adobe-top-uk-software-piracy-l/240155634">selling pirated versions</a> of the Windows XP operating system that they'd pre-infected with the malware.

The Citadel takedown was a joint effort involving not just Microsoft and the FBI, but also the U.S. Marshals Service. In addition, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA) and the American Bankers Association (ABA) supported Microsoft's civil lawsuit by detailing how the botnets had been used to steal online banking credentials and execute fraudulent transactions. Likewise, security firm Agari detailed how the botnets had been built -- in part -- via <a href="http://reports.informationweek.com/abstract/21/9043/security/6-most-evil-phishing-scams-of-2012.html">phishing emails</a> disguised to look like communications from legitimate financial services firms.

The FBI said this Citadel botnet takedown was part of a larger effort, <a href="http://www.informationweek.com/security/government/fbi-defends-cyber-investigation-capabili/229402636">coordinated by the National Cyber Investigative Joint Task Force</a> (NCIJTF), which is targeting botnet creators and distributors.

Will this takedown have a permanent impact on the number of Citadel botnets in operation? "Due to Citadel's size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware," said Microsoft's Boscovich. "However, we do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business."

Still, the takedown may serve as only a temporary setback for Aquabox's gang. "While it's good to see botnets like Citadel being shut down, without arrests I feel we are simply treating symptoms rather than the disease," <a href="https://twitter.com/BrianHonan/status/342555966807629825">tweeted</a> Brian Honan, CEO of the Irish Reporting and Information Security Service, which is Ireland's CERT.

But FBI assistant executive director Richard McFeely said the bureau is working with its overseas counterparts to identify the people responsible as part of an already "fairly advanced" criminal probe. "We are upping the game in our level of commitment in going after botnet creators and distributors," McFeely <a href="http://www.reuters.com/article/2013/06/05/net-us-citadel-botnet-idUSBRE9541KO20130605">told Reuters</a>.
"This is a more concerted effort to engage our foreign partners to assist us in identifying, locating and -- if we can -- get U.S. criminal process on these botnet creators and distributors."

2013-06-05T15:47:00Z
Zeus Bank Malware Surges On Facebook
Old threat makes a comeback, targeting Facebook users' bank credentials and more.
http://www.informationweek.com/security/attacks/zeus-bank-malware-surges-on-facebook/240156156?cid=SBX_iwk_related_video_Privacy_security

Zeus malware, long popular with the cybercrime underground, has seen a resurgence in the first half of 2013, becoming a weapon of choice for attacks distributed via spam emails as well as social networks such as Facebook.

That finding comes from security firm Trend Micro, which has reported seeing a spike in attempted <a href="http://www.informationweek.com/smb/security/zbot-bugat-bank-trojan-joins-hackstappin/229203372">Zeus Trojan application</a> infections beginning in February 2013 and peaking in May. Zeus malware targets personal and financial data stored on Windows PCs and is controlled via a "Zbot" botnet.

"Old threats like Zbot can always make a comeback because <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-malware-shapes-up-in-2013/">cybercriminals profit from these</a>," said Jay Yaneza, senior technical manager at Trend Micro, in a blog post. "Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent."

<strong>[ Want some good Facebook security news? Read <a href="http://www.informationweek.com/government/security/google-facebook-told-uk-we-wont-be-snoop/240155888?itc=edit_in_body_cross">Google, Facebook Told U.K.: We Won't Be Snoops</a>. ]</strong>

Zeus also can press infected PCs into service as nodes in a botnet composed of similar "zombie" PCs. Such botnets might comprise hundreds or thousands of systems and be tapped by attackers -- or <a href="http://www.informationweek.com/security/vulnerabilities/cheap-botnets-a-boon-to-hackers/225200501">rented out</a> -- to serve as spam email relays or malware attack launch pads, or to generate <a href="http://www.informationweek.com/security/attacks/ddos-attack-bandwidth-jumps-718/240153084">distributed denial-of-service (DDoS) attacks</a>.

Not all Zeus infections stem from spam emails. Criminal gangs also regularly post links to malicious websites that launch drive-by attacks that result in Zeus installations. Recent attack campaigns have involved links on supposed NFL fan pages on Facebook, as well as e-commerce sites selling fake Nike shoes, according to Eric Feinberg, founder of the advocacy group <a href="https://www.facebook.com/FAKE.US.ORG">Fans Against Kounterfeit Enterprise</a> (FAKE).

"If you really want to hack someone, <a href="http://bits.blogs.nytimes.com/2013/06/03/malware-that-drains-your-bank-account-thriving-on-facebook/">the easiest place to start is a fake Facebook profile</a> -- it's so simple, it's stupid," Feinberg told <em>The New York Times</em>.

According to Trend Micro, the recent spike in Zeus activity has largely involved two variants of the malware: Citadel, which first appeared in 2011 and is apparently the <a href="http://www.darkreading.com/advanced-threats/citadel-malware-brings-service-to-cyberc/232600861">brainchild of Russian and Ukrainian programmers</a> who worked with source code published by Zeus' developer; and Gameover, which is designed to steal bank and credit card details and has been distributed via <a href="http://www.darkreading.com/attacks-breaches/gameover-zeus-gang-launches-new-attacks/240143802">massive spam campaigns</a>.

Zeus first shot to cybercrime fame in 2006, gaining notoriety as king of <a href="http://www.informationweek.com/smb/security/malware-toolkits-generate-majority-of-on/229000835">automated attack toolkits</a>. Subsequent versions of the malware have continued to add features and functionality. The Zitmo variant, for example, was adapted in 2011 to <a href="http://www.informationweek.com/security/mobile/zeus-banking-trojan-hits-android-phones/231001685">target Android mobile devices</a> and steal the one-time passwords -- known as mobile transaction authentication numbers (mTANs) -- used by many banks.

As of 2010, a basic version of Zeus was <a href="http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/">fetching $3,000</a>, although add-ons could boost the purchase price to above $10,000. As those prices suggest, Zeus attacks can be lucrative. For example, the <a href="http://www.informationweek.com/security/attacks/zeus-botnet-eurograbber-steals-47-millio/240143837">Eurograbber campaign</a>, discovered last year, used Zeus malware to steal an estimated $47 million from more than 30,000 corporate and private banking customers across Europe.

Many different, unconnected Zeus botnets are typically running at any given time.
The <a href="https://zeustracker.abuse.ch/">Zeus Tracker</a> project, for example, which counts Zeus command-and-control (C&C) servers, currently reports that it's tracking 800 such servers. But related malware variants used by the attackers are detected by antivirus software only about 38% of the time. That low detection rate is typically due to the <a href="http://www.informationweek.com/security/cybercrime/3-lessons-learned-from-duqu-malware/231901299">malware being polymorphic</a>, meaning that the attack code is regularly repackaged so that it remains functionally equivalent but no longer matches known-file signatures.

2013-06-05T13:46:00Z
Mistakes Approach Malice As Data Breach Cause
Malicious attacks are the leading cause of data breaches, but employee and contractor errors are a growing reason, study finds.
http://www.informationweek.com/security/attacks/mistakes-approach-malice-as-data-breach/240156112?cid=SBX_iwk_related_video_Privacy_security

U.S. businesses that experience a data breach spend about $188 per exposed record in cleanup costs.

That finding comes from the eighth annual <a href="https://www-secure.symantec.com/about/news/release/article.jsp?prid=20130605_01">Cost of Data Breach report</a> released Wednesday by Ponemon Institute. The report, which was sponsored by Symantec, is based on surveys of 277 businesses across nine countries, and defines an exposed record as "information that identifies the natural person (individual) whose information has been compromised in a data breach."

The study found that each data breach cost U.S. businesses, on average, $5.4 million in 2012, down slightly from $5.5 million in 2011. But Germany, second after the U.S. with a total cleanup cost of $4.8 million, actually had the highest per-record cost, at $199. Cleanup costs vary widely by country, due to factors such as regulations. The lowest per-record breach costs were reported by businesses in Brazil ($58) and India ($42), with total costs of $1.3 million and $1.1 million, respectively.

<strong>[ Yahoo is the latest major company to suffer data theft embarrassment. Read <a href="http://www.informationweek.com/security/attacks/yahoo-japan-data-breach-22m-accounts-exp/240155216?itc=edit_in_body_cross">Yahoo Japan Data Breach: 22M Accounts Exposed</a>. ]</strong>

Overall, the study found that 37% of breaches stem from malicious attacks, followed by human error or negligence on the part of an employee or contractor (35%), and system glitches (29%). Malicious attacks -- most often malware infections, <a href="http://www.informationweek.com/security/attacks/10-best-ways-to-stop-insider-attacks/232602440">malicious insiders</a>, phishing attacks, social engineering attacks and SQL injection exploits -- imposed the highest cleanup costs, which include expenses related to detecting and responding to breaches and notifying affected consumers, as well as further cleanup.

While malicious attacks continue to make headlines, employee negligence is a growing concern. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey," said Larry Ponemon, chairman of the Ponemon Institute, in a statement.

In fact, causes other than malicious attacks were most often to blame in some countries. Although intentional attacks were the leading data breach culprit in Germany, human error was most often to blame in Brazil, while the leading reported cause of breaches at Indian businesses was traced to system glitches or business process failures.

The industries with the highest breach costs were healthcare ($233 per exposed record), financial services ($215), and pharmaceuticals ($207). Both the healthcare and financial services industries reported that the greatest cost associated with a data breach was lost business -- defined as lost customers, the cost of acquiring new customers and loss of brand reputation.

How can businesses keep data breach cleanup costs under control? According to the study, the top three proactive ways to minimize cleanup costs are to create and maintain a <a href="http://www.informationweek.com/news/security/attacks/232500394">data breach response plan</a>, which reduced cleanup costs by an average of $42 per record for U.S. businesses, followed by having a strong security posture ($34) as well as a <a href="http://www.informationweek.co.uk/security/management/linkedin-breach-leading-cisos-share-9-pr/240002913">chief information security officer</a> ($23).

Issuing <a href="http://www.informationweek.com/news/security/attacks/240003658">data breach notifications</a> to affected customers or consumers remains costly, accounting for 10% of total cleanup costs for U.S. businesses and 7% for German businesses. But the study found that notifying consumers too quickly -- meaning, less than 30 days after a breach -- added an average of $37 to a U.S. business's per-record cleanup costs.
That's because by rushing to disclose breaches before wrapping up related investigations and forensic analysis, businesses often <a href="http://www.informationweek.co.uk/security/attacks/data-breach-costs-drop/232602891">over-estimate the extent of a breach</a>.

Other factors that lead to costlier breaches include third parties being responsible for the breach, as well as the breach stemming from <a href="http://www.informationweek.com/security/attacks/stolen-nasa-laptop-had-unencrypted-emplo/240142160">lost or stolen devices</a>.

2013-06-04T11:53:00Z
Anonymous Targets Turkish Government Websites
Hacktivists launch #OpTurkey DDoS campaign to support protests against government of Turkish prime minister Tayyip Erdogan.
http://www.informationweek.com/security/attacks/anonymous-targets-turkish-government-web/240156036?cid=SBX_iwk_related_video_Privacy_security

The hacktivist collective Anonymous, as part of Operation Turkey (#OpTurkey), claimed Monday to have taken down more than a dozen websites belonging to Turkish government agencies.

"Turkey is supposed to be a so called 'modern' democracy, but the Turkish government behaves like the petty dictators in China or Iran. Anonymous is outraged by this behavior, and we will unite across the globe and bring the Turkish government to it's (sic) knees," according to an <a href="http://www.youtube.com/watch?v=kdQYDR1GxJ8">Anonymous statement</a> released Saturday, which first announced <a href="http://www.operationturkey.tk/">#OpTurkey</a>.

"We will attack every internet and communications asset of the Turkish government," the Anonymous statement promised.

To that end, the collective has published an extensive <a href="http://anonpublico.blogspot.co.uk/2013/06/a-list-of-turkey-government-sites.html">list of suggested government websites to be targeted</a> via distributed denial-of-service (DDoS) attacks. It also listed four police sites to target, as well as dozens of "vulnerable SQL sites" run by, or affiliated with, the Turkish government.

<strong>[ Now that cybercriminals' bank of choice is out of business, where will they turn? See <a href="http://www.informationweek.com/security/cybercrime/liberty-reserve-fallout-how-will-cybercr/240156012?itc=edit_in_body_cross">Liberty Reserve Fallout: How Will Cybercrime Move Money?</a> ]</strong>

As of Monday, Anonymous reported that 15 government sites had been taken "tango down," in part by "WikiCrew." They include the websites for the country's ruling Justice and Development (AK) party, as well as Istanbul's governor and the Directorate of Security.

The Anonymous campaign is designed to support ongoing protests in Turkey. The protests grew out of a peaceful rally, held last week in Gezi Park by environmentalists challenging the government's decision to turn a central Istanbul green space -- increasingly, a rarity -- near Taksim Square into a shopping mall. Police, early Friday, launched a raid against the protestors, who were staging a sit-in, and attempted to disperse them using tear gas and water cannons. At least 12 people were reportedly injured.

Instead of dispersing the protestors, however, the police action -- and widespread reports of excessive police force -- triggered more protests against the government of prime minister Tayyip Erdogan. As noted by a <a href="http://www.slate.com/blogs/the_slatest/2013/06/03/turkey_faq_what_s_happening_in_istanbul_will_recep_tayyip_erdogan_be_ousted.html"><em>Slate</em> FAQ on the Turkish protests</a>, Erdogan has ruled the democratic country for the past 10 years, and was twice elected by a near-majority of voters.

What's the problem? According to the <a href="http://hosted.ap.org/dynamic/stories/E/EU_TURKEY_PROTEST_QA?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2013-06-03-13-20-30">Associated Press</a>, the protestors "appear to be urban, secular Turks" who are "frustrated by what they see as Erdogan's close ties to development interests and his alleged attempts to force his religious outlook on them."

"We do not have a government, we have Tayyip Erdogan," protest attendee and political scientist Koray Caliskan <a href="http://www.abc.net.au/news/2013-06-01/turkish-police-fire-tear-gas-in-worst-protests-for-years/4727164">told Reuters</a>. "This is the beginning of a summer of discontent."

Erdogan, however, has dismissed the protests as being the work of secularists opposed to his AK party, which grew in part out of banned Islamist political parties but now espouses "conservative democracy" and a pro-American agenda. "This is a protest organized by extremist elements," Erdogan said earlier this week, <a href="http://www.reuters.com/article/2013/06/03/us-turkey-protests-idUSBRE94U0J920130603">reported Reuters</a>. "We will not give away anything to those who live arm-in-arm with terrorism."

In recent days, tens of thousands of people have reportedly taken to the streets to demonstrate.
The protests have since spread to other Turkish cities, and at least two protestors have been killed.

2013-06-04T11:30:00Z
Liberty Reserve Fallout: How Will Cybercrime Move Money?
Criminals can move dirty money using digital currency, MoneyPak vouchers, even gold. But it's getting tougher to disguise money trails.
http://www.informationweek.com/security/cybercrime/liberty-reserve-fallout-how-will-cybercr/240156012?cid=SBX_iwk_related_video_Privacy_security

How can online criminals move money without leaving a trail?
<P> That's a timely question in the cybercrime underground following the Department of Justice's announcement last week that it had shut down -- after an 18-month investigation -- online payment service provider Liberty Reserve in Costa Rica. Prosecutors have <a href="http://www.informationweek.com/security/government/liberty-reserve-laundered-6-billion-say/240155642">accused the service of laundering $6 billion</a> for 1 million users worldwide, and serving as the bank of choice for the black market, including hackers.
<P> The case "provides something of an update to an old law enforcement adage -- follow the virtual money," U.S. Attorney Preet Bharara said at a press conference last week. "And in this case, we followed it all over the world." Prosecutors said one-fifth of the service's users -- 200,000 people -- are based in the U.S.
<P> Will seized Liberty Reserve systems give prosecutors clues to users' actual identities or any illegal services they may have bought or sold? According to court documents, Liberty Reserve used preapproved vendors -- "third party exchangers" -- that received funds from users via wire transfer. After taking a commission, the vendors would issue "LR" credits to users. Exchangers "operated without significant oversight or regulation in countries such as Malaysia, Russia, Nigeria and Vietnam," Bharara said. Perhaps the money trail stops there; perhaps not.
<P> <strong>[ Do you have a cyberwar recovery plan? See <a href="http://www.informationweek.com/security/cybercrime/should-cios-hire-cyber-pinkertons/240155186?itc=edit_in_body_cross">Should CIOs Hire Cyber Pinkertons?</a> ]</strong>
<P> Thanks to the Liberty Reserve rollup, one self-professed online criminal reportedly lost $300,000. So what alternative will online criminals now adopt? "Even in the underground forums, that isn't clear," Jonathan Leopando, a technical communications specialist with Trend Micro, said Monday in a <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-take-loss-of-liberty-reserve-poorly">blog post</a>.
<P> "Gold and Bitcoins have both been mentioned as possible substitutes. Other digital currency services like Perfect Money have been mentioned as well," he said. "Coincidentally, some of these services have explicitly banned users from the U.S., perhaps in an attempt to shield themselves from U.S. law."
<P> Thought exercise: How would you buy and sell cybercrime services online? And when weighing cybercrime risk versus reward, to what extent would you trust services that billed themselves as offering anonymity or untraceability?
<P> For starters, avoid PayPal, as illustrated by last month's <a href="http://www.informationweek.com/security/attacks/fbi-arrests-nypd-detective-on-hacking-ch/240155332">arrest of New York Police Department detective Edwin Vargas</a>, 42. Vargas is charged with hiring a service to provide him with login credentials for 43 email accounts, 21 of which related to current or former NYPD employees, at a cost of between $50 and $250 per account. Vargas was reportedly spying on an ex-girlfriend -- and fellow NYPD employee -- with whom he'd had a child.
<P> <a href="http://www.nytimes.com/2013/05/22/nyregion/bronx-officer-accused-of-hiring-e-mail-hackers.html">Investigators told <em>The New York Times</em></a> that while investigating a hacking-for-hire service in Los Angeles, they discovered evidence that some email accounts for NYPD personnel had been hacked over a two-year period. (Reached by phone, a spokeswoman for the Manhattan U.S. Attorney's Office declined to comment about whether the Vargas case is tied in any way to the Liberty Reserve investigation.) By October 2012, investigators said they'd followed a money trail back to Vargas.
<P> Then again, Vargas would have served himself up on a platter to investigators, since one "proof of payment" he allegedly sent to hackers for services rendered was a PayPal receipt that listed his name, billing address and Yahoo email address. According to court documents, the Yahoo account was created via an IP address that was also used to access the illegally obtained email credentials.
<P> Is the Vargas case an outlier? Arguably, today's most successful cybercriminals -- the ones who never get caught -- practice more advanced techniques for masking money trails. But what might they be?
<P> One option is to use <a href="http://www.informationweek.com/security/cybercrime/iran-denies-hacking-american-banks-censo/240007838">wire transfers</a>, but incoming money would need to be collected in person, thus leaving the attacker exposed to a police sting. Furthermore, buyers might balk at using a payment technique that leaves them no recourse for reimbursement if the advertised service isn't delivered.
<P> Another option, practiced by <a href="http://www.informationweek.com/security/vulnerabilities/ransomware-pays-fbi-updates-reveton-malw/240143047">ransomware scammers</a>, is to require victims to "unlock" their PCs by purchasing a MoneyPak voucher and forwarding the redemption code to the attacker. But as security reporter Brian Krebs has noted, <a href="http://krebsonsecurity.com/2013/06/cashout-service-for-ransomware-scammers/">converting these vouchers to cash, at scale, is tricky</a>, especially without using credit card or PayPal accounts, all of which can be traced. Instead, one recent cash-out service appeared to be attempting to launder the funds via a legitimate U.S. betting website and may have moved $7 million to date, earning a 60% commission along the way, Krebs found. But people wielding ransomware -- and its fake warnings of FBI fines for downloading child pornography -- are making themselves targets for U.S. investigators.
<P> A decentralized digital currency such as <a href="http://www.informationweek.com/security/government/lulzsec-hackers-using-digital-currency-d/230500206">Bitcoins</a> is another option, but it's likewise a high-profile target. Anyone want to bet that the National Security Agency is working overtime to find ways of tracking digital currency money trails, since they could be used to launder funds for terrorism?
<P> On balance, times appear to be tough for cashing in on cybercrime.

2013-06-04T10:01:00Z
LinkedIn, Evernote Add Two-Factor Authentication
Will LinkedIn and Evernote improve upon Apple and Twitter two-factor security systems, which have been widely criticized?
http://www.informationweek.com/security/application-security/linkedin-evernote-add-two-factor-authent/240156025?cid=SBX_iwk_related_video_Privacy_security

Both LinkedIn and Evernote last week announced that effective immediately, they would begin offering two-factor authentication (2FA) for users. If enabled, the optional feature requires users to log in with their username, password and a one-time code either sent in a text message to their registered mobile phone number or generated using an app such as Google Authenticator.
<P> The two businesses' approaches differ slightly. Evernote, for example, said it offers two-factor authentication via a six-digit code sent to the mobile phone number registered to the account. "This code is delivered to your mobile phone via text message or, if you prefer, generated by an app that runs on your smartphone, such as Google Authenticator," said Seth Hitchings, VP of platform strategy at Evernote, in an <a href="http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/">Evernote blog post</a>. "We'll also give you a set of one-time backup codes for when you're traveling."
<P> The security feature is currently available only for paid users. "Two-step verification is initially available to Evernote Premium and Evernote Business users only," said Hitchings, who recommended that users update all of their Evernote applications to the latest version before activating it. "Once we've optimized our processes and feel comfortable with our ability to support a wide audience, we will make it available to all users," he said.
<P> Evernote has also implemented -- for all users -- an "access history" feature, which will list the IP address and geographic location of all account access for the past 30 days. "If you ever suspect that your account was accessed without your knowledge, you can check the history," said Hitchings.
<P> <strong>[ Want to become a LinkedIn power user? Read <a href="http://www.informationweek.com/social-business/news/galleries/social_networking_consumer/linkedin-tips-10-ways-to-do-more/240154479?itc=edit_in_body_cross">LinkedIn Tips: 10 Ways To Do More</a>. ]</strong>
<P> <a href="http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification/">LinkedIn announced Friday</a> that it too would offer two-factor authentication, though so far only via a six-digit code sent via SMS. "Turn on two-step verification for your account now by going to Settings, selecting the Account tab and clicking Manage security settings option," Vicente Silveira, a director at LinkedIn, wrote in a blog post. He also suggested that additional behind-the-scenes access controls are already in place, noting that "all LinkedIn accounts are already protected by a series of automatic checks that are designed to thwart unauthorized sign-in attempts."
<P> The moves by Evernote and LinkedIn to offer some form of two-factor authentication came the same month that Twitter <a href="http://www.informationweek.com/security/management/twitter-two-factor-security-combats-take/240155457">began offering two-step verification</a>, although <a href="http://www.informationweek.com/security/management/twitters-two-factor-authentication-5-rea/240155539">early feedback</a> on its system has been mixed. Other businesses, including Google and Facebook, have offered the security feature for some time.
<P> In the case of Evernote and LinkedIn, the move to two-factor authentication was driven by both businesses suffering data breaches that put passwords at risk. A <a href="http://www.informationweek.com/security/attacks/linkedin-confirms-password-breach-phishi/240001674">breach of at least 6.5 million LinkedIn passwords</a> was discovered in June 2012, after an attacker uploaded some of the password hashes to a hacking forum, seeking advice on how to crack them.
<P> Evernote, meanwhile, announced in March 2013 that it had <a href="http://www.informationweek.com/security/application-security/password-police-cite-evernote-mistakes/240150250">suffered a database breach</a> in which attackers obtained usernames, as well as hashed and salted versions of users' passwords. The company immediately forced all 50 million users to reset their passwords and <a href="http://www.informationweek.com/security/management/evernote-were-adding-two-factor-authenti/240150023">promised to accelerate</a> two-factor authentication implementation plans.
<P> And if password hashes are exposed in the future? For any Evernote or LinkedIn user who'd activated two-factor authentication, attackers wouldn't be able to automatically access their account and steal data. But that's not the case with every two-factor -- aka two-step -- verification system.
<P> Take Apple iCloud.
"In its current implementation, Apple's two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device," <a href="http://blog.crackpassword.com/2013/05/apple-two-factor-authentication-and-the-icloud/">said Vladimir Katalov</a>, CEO of Moscow-based <a href="http://www.informationweek.com/security/encryption/security-fail-apple-ios-password-manager/232602738">Elcomsoft</a>, in a recent blog post. "In addition, and this is much more of an issue, Apple's [two-factor] implementation does not apply to iCloud backups."
<P> As a result, any attacker who knows a target's Apple ID and password could restore any iOS device backup onto a fresh device, then access that information without ever having to provide a one-time code. "Of course you're in trouble if your ID (any one, not just Apple's) and password is leaked," Katalov said. "But that's where 2FA should help, and that's why because most of the services are implementing it nowadays."
<P> Attacks on information stored in iCloud are no trivial matter. According to court records, for example, <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">accused LulzSec collaborator Donncha O'Cearrbhail</a> intercepted the dial-in credentials for a transatlantic conference call between the FBI and its overseas cyber-crime counterparts, boasting to the hacktivist Sabu that he'd hacked "into the iCloud for the head of a national police cybercrime unit." O'Cearrbhail allegedly added: "I have all his contacts and can track his location 24/7."
<P> To be fair, Apple hasn't ever suggested that its two-factor security system works for iCloud. As noted in the <a href="http://support.apple.com/kb/HT5570">Apple ID two-step verification FAQ</a>: "Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account."
<P> Until Apple extends two-factor authentication to iCloud, Katalov said iOS users who use Apple's service for backup or data storage are more vulnerable to data breaches than they should be. Then again, the same holds true for other services that are still refining their two-factor authentication systems, or not yet offering it to all users.

2013-06-03T10:42:00Z
Oracle Promises Enterprise Java Security Tweaks
Critics say Oracle hasn't done enough to address ongoing security and code quality problems in the Java browser plug-in.
http://www.informationweek.com/security/application-security/oracle-promises-enterprise-java-security/240155912?cid=SBX_iwk_related_video_Privacy_security

Java security memo to enterprise IT managers: Better distributed client control capabilities, locked down Java servers and certificate-based controls are coming.
<P> Those three upcoming Java security changes were outlined in <a href="https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of">"Maintaining the security-worthiness of Java is Oracle's priority,"</a> a Thursday blog post from Nandini Ramani, who heads Oracle's Java software development team and is responsible for Java security.
<P> Already, Ramani said, Oracle's Java developers have been following better <a href="http://www.informationweek.com/security/application-security/schwartz-on-security-secure-coding-or-bu/229401098">secure development practices</a>, including using more automated security testing tools and better source code analysis tools, as well as hammering code with homegrown analysis tools designed to eliminate vulnerabilities that might otherwise be uncovered using <a href="http://www.informationweek.com/byte/personal-tech/wireless/nfc-phone-hacking-and-other-mobile-attac/240004386">code-fuzzing techniques</a>. She also noted that Oracle has refocused resources to help release Java security updates more quickly.
<P> <a href="http://www.informationweek.com/security/application-security/java-security-work-remains-bug-hunter-sa/240147150">Veteran Java bug hunter Adam Gowdiak</a>, CEO and founder of Poland-based Security Explorations, confirmed via email that Oracle has been responding to bug reports in just days -- instead of the weeks it used to take. Gowdiak also rated Oracle's Java patching speed as "slightly improved," saying that after Oracle receives a vulnerability report, it's been issuing a fix about two months later.
<P> <strong>[ Is Twitter's new security scheme a case where the treatment is as bad as the disease? <a href="http://www.informationweek.com/security/management/twitters-two-factor-authentication-5-rea/240155539?itc=edit_in_body_cross">Twitter's Two-Factor Authentication: 5 Reasons To Avoid</a>. ]</strong>
<P> Going forward, Oracle's Ramani promised further Java security improvements, starting with better controls for managing Java clients in the enterprise. "Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," she said.
For example, IT administrators will be able to restrict Java clients to only execute Java applications located on designated servers, which would make it more difficult for attackers to make PCs execute malicious Java applications located on remote servers.
<P> Server-based Java will also get more locked down. Already, Oracle in April 2013 released an all-new Server Java Runtime Environment (Server JRE), which was a Java distribution designed "to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors," according to Ramani. Going forward, expect Oracle to refine Server JRE, "including the removal of certain libraries typically unnecessary for server operation," she said.
<P> But Ramani said that tweaking Java 7 in this manner "would violate current Java specifications," meaning related changes won't happen until <a href="http://www.informationweek.com/security/application-security/oracle-delays-java-8-to-improve-java-7-s/240153185">Oracle releases Java 8</a>, which was originally set for September 2013 but has been delayed because Oracle is now taking more time to fix Java 7 flaws.
<P> The final previewed change concerns Java applications (aka JAR files) signed with digital certificates, something Oracle had been urging developers to do. Then, as of Java 7 update 21, released in April 2013, the Java client began prohibiting any unsigned application from automatically executing, and warned users against allowing such applications to run. To date, however, that system has relied on a static list of known-bad certificates and applications -- a restriction that Ramani said resulted from performance concerns. Soon, however, Oracle will introduce "a dynamic blacklisting mechanism including daily updates for both blacklisted JAR files and certificates," she said.
<P> But Ramani didn't address <a href="http://www.informationweek.com/security/application-security/java-7-malicious-app-warning-system-draw/240153174">criticism of the Java 7 warning system</a> on information security and usability grounds. On the security front, notably, "obtaining a code-signing certificate has not been a barrier for malware in the past and there is little chance it will become one in the future," Metasploit creator <a href="http://threatpost.com/mixed-reviews-on-oracles-java-security-update/">HD Moore told Threatpost</a>.
<P> On the usability front, meanwhile, the warning system's success is predicated on end users taking the time to read, understand -- and care -- about the new Java warning messages. As Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in April: "These dialogs end up asking the very questions that you might reasonably expect Java to answer."
<P> Furthermore, Gowdiak at Security Explorations said that, with the exception of the new Local Security Policy features, Ramani's preview of upcoming improvements failed to address ongoing Java browser plug-in security shortcomings. "Seeing yet another Oracle VP speaking out about Java security only confirms our fears that the company prefers to hide a more systemic problem behind various security prompts and policies than to address it at the core," said Gowdiak via email.
<P> "The core issue is about [the] poor quality and security of Oracle's code," he said. "We will get impressed if, and only if, Oracle makes it harder to break [the] Java security model. From our point of view the company hasn't made much [of a move] in that direction."