2012 was another year of heavy hacking and data dumping, giving headaches to security professionals and intelligence agencies alike. Yet just as important were the spy-and-pry privacy and civil liberties concerns that those leaks revealed to We the People. Here are a half dozen of the most popular posts on Security Is Sexy, highlighting those security and privacy topics.
NSA expert James Bamford said, "In secret listening rooms nationwide, NSA software examines every email, phone call, and tweet as they zip by. Everybody's a target; everybody with communication is a target." Then former NSA senior official William Binney "held his thumb and forefinger close together: 'We are that far from a turnkey totalitarian state'." These revelations freaked out some Congressmen who asked NSA Chief General Keith Alexander if this were true. Alexander denied it; in fact, he answered 'no' 14 times during the Congressional probe.
Yet Bamford insisted, "The NSA has turned its surveillance apparatus on the U.S. and its citizens. ... The agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it's all being done in secret."
A few months later, Binney said the NSA has dossiers on nearly every U.S. citizen. So during the keynote at Def Con, Dark Tangent, aka Jeff Moss, asked Alexander if this domestic spying and dossiers on every American were true. Alexander denied that too; both Binney and Bamford said the NSA Chief is playing word games as the super-secret agency may have missed a few Americans.
When director Michael Gallagher chose to make 4chan / Anonymous the villain in the micro-budget slasher flick Smiley, he was on the receiving end of “life-imitates-art.” Gallagher supposedly went to the FBI for help after being bombarded with about 40 harassing calls per minute as well as voicemail, email and text death threats. The moral of this story may point back to an old adage: Never tick off a hacker . . . much less be unwise enough to infuriate hordes of hackers.
The feds posed as Symantec employees as a part of a sting operation regarding the stolen and ransomed PCAnywhere source code. If you followed the allegations that Symantec’s PCAnywhere code had been compromised, then you might have suffered whiplash from the drastically changing ‘official’ story put out by Symantec.
At first, the dreaded ‘third party’ was blamed for the "segment of its source code" in the hands of YamaTough and AntiSec hackers who tried to extort $50,000 not to leak it. But then, Symantec backtracked and admitted its network was hacked and its source code was jacked. People using Norton security, antivirus or PCAnywhere products were at "a slightly increased security risk." A week later, the company advised disabling the product until patched. The ping-pong pileup of company advice morphed yet again and gave the thumbs-up, all-clear sign that the patched PCAnywhere was safe to use.
Poor design head-butted with poor implementation when a ‘security strength’ turned out to be a huge weakness, leaving millions of business and home wireless routers vulnerable to brute force attacks. The irony is that Wi-Fi Protected Setup (WPS) is enabled by default on most major brands of wireless routers to help the technically clueless set up encryption on their wireless networks. Security researcher Stefan Viehbock reported that Belkin, Buffalo, D-Link, Cisco's Linksys, Netgear and other wireless routers were vulnerable to brute force attacks which could crack the Wi-Fi router's security in two to ten hours.
After the exploit went public, US-CERT issued this advisory, "We are currently unaware of a practical solution to this problem." The recommended workaround was to disable WPS. "Within the wireless router's configuration menu, disable the external registrar feature of Wi-Fi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or Wi-Fi Protected Setup."
Several zero-day exploits targeting Java were spotted in the wild during 2012, causing severe headaches and hassles for IT and home users alike. It was so dangerous that security experts advised people to disable Java. Although Oracle eventually patched the critical hole, immediately afterwards Security Explorations researcher Adam Gowdiak disclosed another Java bug that was worse than the first. It put “one billion users” of Oracle Java SE software, Java 5, 6 and 7, at risk. It could be exploited using Chrome, Firefox, Internet Explorer, Opera and Safari web browsers. If users visited maliciously crafted webpages, "attackers could then install programs, view, change, or delete data with the privileges of a logged-on user."
In a story related to YamaTough and the Lords of Dharmaraja AntiSec hackers who ransomed the Symantec source code, the group claimed to have hacked an Indian military intelligence network. They then leaked a memo which revealed that RIM, Nokia, and Apple mobile device manufacturers "agreed to provide backdoor access on their devices" for the government. Security and privacy researcher Christopher Soghoian added that Microsoft is just as evil when it comes to providing “intercept backdoors” for law enforcement and government agencies. Yet Soghoian also suggested, "Instead of worrying about hackers getting access to 5+ year old Norton code we should worry about what NSA/US Military does with recent code."
At the time, cybersecurity guru Bruce Schneier said 'bad press' was more of a worry for Symantec than exposed source code. However, Schneier added, "The source code might have huge smoking guns." Some of those smoking guns allegedly pointed to former CIA, U.S. law enforcement and other intelligence agencies.
You may hear the media claim that We the People don’t care about electronic privacy, but don’t believe it. Instead, think back to defeating SOPA/PIPA and what we can accomplish when we unite under a common civil liberties banner. If law enforcement, intelligence agencies and even businesses don’t tighten their hatches after all the 2012 hacks and leaks, then the forecast for 2013 might be another cluster year which NATO calls ‘Charlie Foxtrot’ and the military calls a ‘SNAFU’ or ‘FUBAR.’