'The Washington elites fear liberty. They fear you'

Plus: 'I do not want my name to be on Apple's blacklist'


QuotW This was the week when the NSA PRISM scandal rumbled on with politician attempts to curb the spook agency's remit in the US House of Representatives. The Defense Appropriations Bill had an amendment stuck on to the end of it asking Congress to stop the phone and internet data sniffers from accessing the data of those not actually under investigation.

President Obama wasn't too pleased with that and issued a statement urging the government to vote against the amendment:

This blunt approach is not the product of an informed, open, or deliberative process. We urge the House to reject the Amash Amendment, and instead move forward with an approach that appropriately takes into account the need for a reasoned review of what tools can best secure the nation.

But Justin Amash (MI-R), who proposed the amendment, retorted:

#NSA's unconstitutional spying on ALL Americans was "not the product of an informed, open, or deliberative process." It must be stopped now.

When's the last time a president put out an emergency statement against an amendment? The Washington elites fear liberty. They fear you.

However, his pleas fell on deaf ears as the House voted against the measure, though only just.

The NSA was also in trouble on another front this week when it admitted that it had accidentally leaked information through Microsoft's SharePoint software. The data was taken by a sysadmin who had been given SharePoint privileges, and NSA chief General Keith Alexander said it was a "huge break in trust and confidence":

This leaker was a sysadmin who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed.

In other leaky ship news, the Ubuntu Linux distribution's online community, Ubuntuforums.org, was shut down after a security breach in which hackers made off with every user's local username, password and email address. Luckily, the passwords were salted and hashed rather than stored in plain text, but that didn't stop penguins from pouring bile down atop the head of the alleged culprit, whom they fingered as Twitter user @Sputn1k_ (the Twitter handle has since been deleted).

One tweeter said:

@Sputn1k_ You must feel proud defacing a site by volunteers. They dedicate time and effort to make a free distro. Worst kind of "hacker".

While another said:

@Sputn1k_ This jerk took down the Ubuntu Forums, one of the most important resources on the web. Let's hope he gets what's coming to him.

Meanwhile, London-based security researcher Ibrahim Balic claimed responsibility for shutting down Apple's Developer Centre website.

He said he found 13 vulnerabilities in the system and used them to pull up the details of 73 fruity workers, and also accessed over 100,000 developers' private data. But he insists he did this to demonstrate the flaws in the machine and said he had sent in a bug report:

I'm not feeling very happy with what I read and I'm a bit irritated, as I did not do this research [to cause] harm or damage.

I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first.

I do not want my name to be on a blacklist. I'm keeping all the evidence, emails and images. Also I have the records of the bugs that I made through Apple's bug-report [system].

Good luck avoiding that Apple blacklist there, Balic. El Reg has been on it for years and there's no signs we'll be leaving it any time soon...

Another security researcher, this time German Karsten Nohl, founder of Berlin's Security Research Labs, has said that a quarter of mobiles whose SIM cards use DES encryption rather than the newer triple-DES are vulnerable to an attack via SMS that results in a complete takeover of the phone. He said:

We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.

He's holding back the details of the hack until this weekend's Black Hat Convention, but Reg Central's Bill Ray has some ideas here.

And finally, the act of giving birth was widely celebrated this week by the long-heralded arrival of the Royal Baby. Of course, spammers were likely to celebrate the rosy-cheeked future king George Alexander Louis with a deluge of spam, security bod Graham Cluley said before the actual birth:

Malware authors worldwide have been waiting ages for this... I don't want to scaremonger, but it's easy to imagine.

"Exclusive first pictures", "Secret video from inside delivery room" and "Sex revealed" were all prospective spam titles, he said, pointing out that the goings-on of Wills and Kate had been exploited by spammers for years. ®


