
Edward Snowden trying to flee from the U.S. government


June 23, 2013

Edward Snowden, the NSA whistleblower against the U.S. government, left Hong Kong for Moscow this morning, challenging several attempts by the United States to extradite him back to the U.S. under espionage charges.

According to a few unconfirmed reports, Snowden had already left Hong Kong yesterday, went to Russia, stayed there for a few hours and is now on his way to Cuba. There's no question that he's on the run, but there are still conflicting reports that he might still be in Russia as of this morning.

In a statement issued this morning, the Hong Kong government confirmed that Snowden had left the country on "his own volition for a third country through a lawful and normal channel".

According to the statement, Hong Kong had no legal basis to stop him from leaving the country, as "documents provided by the U.S. government didn't fully comply with Hong Kong's laws".

And to complicate matters even more, Hong Kong has formally requested clarification on "earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies."

"The Hong Kong government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong," the message read.

On Friday June 21st, the U.S. Department of Justice (DoJ) formally charged Snowden with spying against the United States government.

Snowden, a former security contractor, leaked the existence of The PRISM Project to The Guardian Newspaper and The Washington Post, which published several details of this NSA secret surveillance program two weeks ago.

The U.S. government had also asked Hong Kong to issue a provisional arrest warrant for Snowden, the Hong Kong Special Administrative Region said in a statement. But HKSAR officials said there were issues with the request.

Hong Kong's lack of intervention came after Snowden told the South China Morning Post that U.S. intelligence agents have been hacking computer networks in Hong Kong and mainland China for years.

Hong Kong said it wanted to have some words with the United States about that. "The HKSAR government has formally written to the U.S. government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies," Hong Kong officials said in the same statement.

U.S. federal prosecutors have charged Snowden with theft of government property, unauthorized communication of national defense information, and willful communication of classified communications intelligence to an unauthorized person or group of people.

The latter two allegations amount to espionage under the federal Espionage Act. News of Snowden's departure followed a day of intense speculation over whether Hong Kong would extradite him back to the United States.

Hong Kong Executive Council member Regina Ip said authorities could arrest Snowden if his actions qualify as criminal under Hong Kong law, China's state-run Xinhua news agency reported earlier Sunday. The executive council decides on policy matters for Hong Kong, a special administrative region of China.

But if the charges against him were deemed to be political in nature, the 30-year-old would not be extradited, Ip told the Xinhua News Agency.

Snowden has admitted in several interviews that he was the source behind the leaking of classified U.S. government documents about the NSA's surveillance programs. Those leaks were the basis of reports in Britain's Guardian newspaper and The Washington Post two weeks ago. The Guardian revealed Snowden's identity at his request.

The documents revealed the existence of programs that collect records of domestic telephone calls in the United States and monitor the Internet activity of overseas residents.

The revelation of the leaks rocked the White House and U.S. intelligence community, raising questions about secret operations of the NSA and whether the agency was infringing on American civil liberties or not.

President Obama, top legislators and U.S. national security officials defend the surveillance programs as necessary to combat global terrorism and argue that some privacy must be sacrificed in a balanced approach.

Last week, Snowden threw a curve at GCHQ, the U.K.'s counterpart to the NSA, when he exposed massive data leaks by the security agency.

In other internet security news

A nasty IT oversight released hundreds of photos of suspected criminals on the web. But it got a lot worse when the details of the British citizens who reported them over the internet got published as well.

The Facewatch website, which allows police and businesses in Britain to upload and share evidence of alleged petty crimes, was left wide open thanks to a nasty web server misconfiguration.

The error allowed anyone to easily access a huge trove of CCTV footage, including images and information about companies that sign up to the service.

We were able to look through about 4,250 records containing photos and videos of suspects dating back to March 2011.

We saw shoplifters stealing various merchandise from department stores, a man waving a long stick inside a check cashing service outlet, and people looking rather suspicious in some packed pubs presumably just before a crime took place.

Some of the images even had names on them, which would be legally problematic for the site's owner(s) if those pictured turned out to be innocent.

We also saw long lists of stores around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any potential criminal wishing to intimidate a witness or cause some kind of revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of various betting offices.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court. Publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or it could simply ruin their reputation for a very long time.

Blighty's privacy watchdog - the Office of the Information Commissioner - told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website. We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

The website boasts it was declared "secured by design" by a police-run body that recognises products or businesses that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

But now with a gaping security hole in its website, this could make businesses think again about how stringent this standard actually is.

Worse, you didn't have to be a small time thief or an expert hacker to get into the sensitive files. All that was required was changing "http" to "https" in the website's address and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was incorrectly configured to list the contents of file directories on the web server rather than serving the intended web pages. Visiting redirects to but this didn't happen on the HTTPS site, which instead revealed the index of the server root directory, which could be explored to find a lot of website code, databases of users and various folders packed with hundreds of images.
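One way to catch this class of misconfiguration before it ships is to audit the Nginx configuration for `autoindex on` and report which virtual host and port it applies to. The following is an added example, not code from the article or from Facewatch; the sample configuration, hostnames and function names are constructed for illustration, and the small tokenizer assumes no quoted strings containing braces, semicolons or `#`.

```python
import re

# Constructed sample (placeholder hostnames): the port-80 vhost redirects,
# the port-443 vhost serves the document root with listings switched on.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        server_name example.test;
        return 301 http://www.example.test$request_uri;
    }
    server {
        listen 443 ssl;
        server_name example.test;
        root /var/www;
        autoindex on;    # the weak setting: directory contents are listed
        location /static/ { autoindex off; }
    }
}
"""

def tokenize(conf):
    """Split a config into words, '{', '}' and ';' (comments dropped).
    Assumes no quoted strings containing those characters."""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))

def audit_autoindex(conf):
    """Return (server_name, listen, context) for every 'autoindex on'."""
    hits, stack, words = [], [], []
    for tok in tokenize(conf):
        if tok == "{":
            stack.append({"head": words, "listen": [], "name": "?"})
        elif tok == ";" and words and stack:
            srv = next((b for b in reversed(stack) if b["head"][:1] == ["server"]), None)
            if words[0] == "listen" and srv:
                srv["listen"].append(" ".join(words[1:]))
            elif words[0] == "server_name" and srv and len(words) > 1:
                srv["name"] = words[1]
            elif words[:2] == ["autoindex", "on"]:
                hits.append((srv, " ".join(stack[-1]["head"])))
        elif tok == "}" and stack:
            stack.pop()
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    # Resolve names last so directive order inside a block does not matter.
    return [(s["name"] if s else "*", ",".join(s["listen"]) if s else "*", ctx)
            for s, ctx in hits]

if __name__ == "__main__":
    for name, listen, ctx in audit_autoindex(SAMPLE_CONF):
        print(f"directory listing enabled: {name} listen={listen} context={ctx}")
```

The corrected configuration sets `autoindex off;` (the Nginx default) in the HTTPS server block and gives that block the same redirect or index handling as the port-80 one, so both schemes serve the same content.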

We were told about the security flaw by a source who was trying to report a crime. While trying to find the address of an HTTPS-encrypted server to send the images to, we found and it gave us full read-only access to Facewatch's file tree.

We reported the security flaw to Facewatch, which closed the hole immediately. The organization's chairman told us the "accessible code was related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crimes to contact those who reported a crime on their behalf."

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety".

He continued: "We have undertaken some strong penetration testing to ensure that the data stored in the Facewatch systems is very secure and we can confirm that all personal data is secure and that our systems are safe. The URL to which you referred us has been closed as this is no longer in use."

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

The chairman added that some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times. In addition to allowing officers and authorized people to upload files, Facewatch authorizes British citizens to use their mobile phones to view CCTV still shots and other images of people wanted for questioning by the police.

Facewatch's Gordon claimed that some of the images we found on the server were part of that public mug-shot gallery.

"Some residual photos of individuals that the police would like to contact in relation to certain reported crimes were in fact available. Those images had been made available to see if members of the public would be able to help with their identification," Gordon added.

In other internet security news

According to a new study from the University of Erlangen in Germany, Apple's iPhone devices being used as Wi-Fi hotspots are open to hackers' attacks because of weak security protocols in the automatic password generation system Apple has in place.

Called "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots," the paper reveals that the seemingly random password iOS generates for hotspots is very simple to hack into.

It consists of only four to six characters followed by a four-digit number string. As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password system every time, although the team points out it isn't suggesting Apple used the same dictionary.

Using an AMD Radeon HD 6990 GPU, the average time to crack was just 59 minutes. So the team then reverse-engineered the iOS word list used for password generation, using "static and dynamic analysis," tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks.

They discovered that Apple uses English-language words of between four and six letters from a dictionary made by Lernout & Hauspie Speech Products.

"Only 1,842 different entries of that dictionary are taken into consideration," the paper states. "Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96 percent and thus increased the overall cracking speed significantly."

Additionally, the selection of words picked for passwords was skewed. For example, the word "suave" was used 0.08 percent of the time, while "subbed" cropped up 0.76 percent of the time and "head" 0.53 percent, ten times the frequency they should have had under a random selection.

By frontloading these selections into any attack code, the chances of cracking the system quickly are greatly increased.

The team also decided to upgrade their hardware to bring down search times and built a box with four AMD Radeon HD 7970 units that could burn through 390,000 guesses per second. This cut the time to crack automatically generated passwords down to 24 seconds, or 52 seconds using a single AMD Radeon HD 6990 GPU. Users should specify their own passwords, the team recommends.
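The figures quoted above can be checked with a short keyspace calculation, which also shows why a user-chosen password is the fix and how a skewed word choice lowers the average further. This is an added example, not code from the paper: the 12-character alphanumeric replacement and the skewed weights are assumptions constructed for illustration, and the suffix is assumed to be uniformly random.

```python
import math

RATE = 390_000                    # guesses/second for the four-GPU box, as quoted above
WORDS, SUFFIXES = 1842, 10 ** 4   # word list size and four-digit suffix, as quoted

def exhaust_seconds(keyspace, rate=RATE):
    """Seconds needed to try every candidate in the keyspace once."""
    return keyspace / rate

def entropy_bits(keyspace):
    """Entropy in bits if every candidate were equally likely."""
    return math.log2(keyspace)

def expected_guesses(word_weights, suffixes=SUFFIXES):
    """Expected number of guesses when words are tried from most to least
    likely and every suffix is tried for each word (suffix assumed uniform)."""
    total = sum(word_weights)
    ranked = sorted(word_weights, reverse=True)
    mean_rank = sum(r * w / total for r, w in enumerate(ranked, 1))
    return (mean_rank - 1) * suffixes + (suffixes + 1) / 2

SCHEMES = {
    "iOS default (word + 4 digits)": WORDS * SUFFIXES,
    "Windows Phone 8 (8 digits)": 10 ** 8,
    "user-chosen, 12 random alphanumerics": 62 ** 12,   # assumed replacement
}

uniform = [1.0] * WORDS
# Constructed skew, not the measured distribution: 20 words ten times as likely.
skewed = [10.0] * 20 + [1.0] * (WORDS - 20)

if __name__ == "__main__":
    for name, size in SCHEMES.items():
        print(f"{name}: {entropy_bits(size):.1f} bits, "
              f"{exhaust_seconds(size):.3g} s to exhaust")
    for label, weights in (("uniform", uniform), ("skewed", skewed)):
        print(f"{label}: {expected_guesses(weights) / RATE:.1f} s on average")
```

With a uniform word choice the average comes out at about 24 seconds, matching the figure in the article; the default scheme carries roughly 24 bits of entropy against more than 70 for the assumed user-chosen replacement.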

As a test case, the security team built an iOS application dubbed "Hotspot Cracker" which could be used to try out an attack of the target phone. This was limited by the processing power of the smartphone, but can be used in conjunction with a cloud password cracking service.

Once the password has been compromised, the operator can piggyback on the hotspot's bandwidth, stage a man-in-the-middle attack for eavesdropping, and then get access to files stored on the device.

Jailbroken iPhones are extra risky since they could even allow access to the basic iPhone system services code. While the researchers concentrated on Apple, they noted that other mobile operating systems could also be affected.

To be sure, Microsoft's Windows Phone 8 uses a similar password system that doesn't even use words, relying instead on eight-digit number strings alone.

Android is somewhat better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the University says.

"The results of our analysis have demonstrated that the mobile hotspot feature of smart devices increases the attack footprint in several ways," the team concludes.

"As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future," the report added.

In other internet security news

A hacker says he's published what he claims to be three telephone numbers belonging to Philippine president Benigno Aquino, including his private mobile number, in a bid to urge voters to confront their leader directly.

Going by the pseudonym “#pRis0n3r”, the hacker posted the numbers to his 10,000+ followers on Facebook on Friday night, alongside the president’s home address and the address of Aquino’s office in the House of Representatives Batasan building.

Beneath the numbers is the message “This is now the chance for your voice to be heard”, alongside an Anonymous logo.

There was no confirmation as to the veracity of the phone numbers but an Aquino spokesman, Ricky Carandang, didn’t sound too happy about that.

"It's cyber vandalism plain and simple," he told AFP. "We're dealing with it. That's all I can say for now."

When the news wire tried to contact the numbers on Saturday morning they had apparently stopped working. There was no further information on the Facebook page of #pRis0n3r as to exactly how he obtained the numbers, but in a message sent to a local paper, the hacktivist claimed he was “100 percent” sure they were Aquino’s.

He also complained that the president was "very silent when it comes to national issues", adding, "We want to hear him."

The group Anonymous has had several run-ins in the past with the Aquino administration, most notably in January when it defaced several government web sites in response to the Cybercrime Prevention Act of 2012.

Local hacktivists claiming to be affiliated with the group have also been involved in a bitter online battle between Filipino and Malaysian hackers which erupted after bloody clashes in the northern Borneo region of Sabah, and in tit-for-tat exchanges with patriotic Chinese over the disputed group of rocks known as Scarborough Shoal.

In other internet security news

Yesterday's Patch Tuesday update for Microsoft Windows OSs all over the globe went pretty well, and was rolled out with five bulletins, including a single critical security update that deals with flaws in all supported versions of Internet Explorer.

Available at 1.10 PM EST, the IE update (MS13-047) deals with no less than nineteen security vulnerabilities and covers all versions of Internet Explorer from IE6 to IE10 and on all supported versions of Windows, from XP to RT.

It's just the sort of thing that might be latched on by hackers as part of drive-by-download attacks, based on malicious scripts on compromised websites, and therefore needs to be patched sooner rather than later.

The other four security bulletins this week all cover lesser flaws, rated "important" by Microsoft. The most noteworthy of these is MS13-051, which covers Microsoft Office 2003 on Windows and 2011 for Mac OS X and tackles a parsing vulnerability for the PNG graphic format that has already cropped up in a limited number of active attacks.

"The attack arrives in an Office document and is triggered when the user opens the document," writes Wolfgang Kandek, CTO at cloud security firm Qualys.


Source: The Washington Post.
