News Bits
Items from security-related news (E118.Jan-2014)


Press Release: NSA Security Science award nominations due on March 31 for the best paper of 2013.

The 2013 winner, Joseph Bonneau, had mixed feelings about the honor, according to a statement he released last July.


NSA morale down after Edward Snowden revelations, former U.S. officials say
The Washington Post
By Ellen Nakashima
December 7, 2013

"The agency, from top to bottom, leadership to rank and file, feels that it has had no support from the White House even though it's been carrying out publicly approved intelligence missions," said Joel Brenner, NSA inspector general from 2002 to 2006.

Major tech companies unite to call for new limits on surveillance
By Craig Timberg
The Washington Post
December 8, 2013

Eight major US tech companies have sent a letter to U.S. leaders with a complaint against data collection. "We understand that governments have a duty to protect their citizens. But this summer's revelations highlighted the urgent need to reform government surveillance practices worldwide," the letter says.

In addition to Microsoft and Google, the signers are Apple, Facebook, LinkedIn, Yahoo, AOL and Twitter.  

NSA head says metadata program key tool against terrorism
By Thomas Burr
The Salt Lake Tribune
Dec 11 2013, Updated Dec 16 2013

NSA's Director, Gen. Keith Alexander, told the Senate Judiciary Committee that NSA metadata gathering is necessary to protect the US against terrorism.

The NSA has argued that collecting metadata - some of which is likely to be stored at the NSA's Utah Data Center - is a powerful instrument in being able to determine if terrorists are communicating with people inside the United States.  

Obama Panel Said to Urge N.S.A. Curbs
By David E. Sanger
The New York Times
December 12, 2013

The recommendations of a presidential advisory committee include more review of collection activities, including what data is sought and who the targets are. Administration officials say that the White House now supervises the programs. Resistance from agencies seems likely.  

By cracking cellphone code, NSA has ability to decode private conversations
by Craig Timberg and Ashkan Soltani
The Washington Post
Dec 13, 2013

Karsten Nohl, chief scientist at Security Research Labs in Berlin, says that worldwide, over 80 per cent of all cell phone calls use no encryption. Even those that do encrypt may be vulnerable to eavesdropping by the NSA, because the encryption has been "cracked" by the NSA scientists. Matthew Blaze, a University of Pennsylvania cryptology expert, said the weakness was in A5/1 encryption and is "a pretty sweeping, large vulnerability."  

Judge: NSA phone surveillance program unconstitutional
By Bill Mears and Evan Perez
December 16, 2013

A Federal judge, Richard Leon, ruled in favor of five plaintiffs who object to NSA phone surveillance, setting up a battle between privacy advocates and US intelligence agencies. "I cannot imagine a more 'indiscriminate' and 'arbitrary invasion' than this systematic and high-tech collection and retention of personal data on virtually every citizen for purposes of querying and analyzing it without prior judicial approval," said Leon.

Research shows how MacBook Webcams can spy on their users without warning
By Ashkan Soltani and Timothy B. Lee
The Washington Post
December 18, 2013

Some Apple computer users put a piece of tape over the camera lens of their laptops and tablets. Are they paranoid? Although the built-in cameras on Apple computers were designed to prevent surreptitious use, Stephen Checkoway, a computer science professor at Johns Hopkins, and his co-author Matthew Brocker were able to bypass the security feature that turns on an indicator light whenever the camera is in use.

Snowden still holding 'keys to the kingdom'
By Walter Pincus
The Washington Post
December 18, 2013

Journalist Glenn Greenwald, who has a copy of the Snowden documents, has commented on the extent of information as yet unpublished. These documents, Greenwald said, "would allow somebody who read them to know exactly how the NSA does what it does, which would in turn allow them to evade that surveillance or replicate it."  

RSA's secret contract with NSA
By Joseph Menn
December 20, 2013

The security company RSA adopted a random number generation method called Dual Elliptic Curve after being paid several million dollars by the NSA. Documents leaked by Snowden indicate that the secret contract enabled backdoor access by the NSA to encrypted data generated by RSA customers.

US spy court: NSA to keep collecting phone records
By Stephen Braun and Kimberly Dozier
Associated Press
Jan 3, 2013

The Foreign Intelligence Surveillance Court acted to renew an NSA phone metadata collection program. At the same time, the US government filed to lift a stay of the collection on 5 plaintiffs as ordered by a Federal Court.  

Millions of accounts compromised in Snapchat hack
By Doug Gross
January 2, 2014

A group of whitehat hackers, Gibson Security, published code that would let other hackers obtain names and partial phone numbers of Snapchat users. That code was apparently exploited shortly thereafter. Snapchat seemed to downplay the event, claiming that it would be virtually impossible to match partial numbers to users' real names.  

Malware attack hits thousands of Yahoo users
By Faith Karimi and Joe Sutton
January 6, 2014

Windows users who accessed their Yahoo accounts from Dec. 31 to Jan. 3 may have been infected with malware introduced through hacked advertisements.  

N.S.A. Devises Radio Pathway Into Computers
By David E. Sanger and Thom Shanker
New York Times
January 14, 2014

Ever wonder why the NSA needs to have a chip fabrication line? It may be for the purpose of manufacturing USB sticks that can communicate over short range radio transmissions without detection by unwitting users. These devices have been planted in as many as 100K computers around the world.  

Amazon is a hornet's nest of malware
By Brian Fung
The Washington Post
January 16, 2014

IT security firm Solutionary has gathered data indicating that Amazon's cloud services are the number one hosting site for malware affecting millions of LinkedIn subscribers.

Point-of-sale malware infecting Target found hiding in plain sight
by Dan Goodin
Ars Technica
Jan 15, 2014

On December 18, 2013, KrebsOnSecurity's Brian Krebs uncovered "memory-scraping" malware on a public site and reported on it. It is apparently the same software that was able to steal data from point-of-sale terminals at Target during the preceding weeks. The software scans the terminal's memory for sensitive data and copies it before the terminal's software encrypts it for transmission to servers.

Some Obama spy changes hampered by complications
By Stephen Braun
Associated Press
in The Salt Lake Tribune
Jan 20, 2014

Plans to add additional review of Foreign Intelligence Surveillance Courts might be opposed by the Judiciary as being an illegal form of interference between branches of the US government.