Archive for the ‘セキュリティ’ Category


レノボ製パソコンにバンドルされて問題になった Superfish などの脆弱性を簡単にチェックできるサイト

Superfish, Komodia, PrivDog vulnerability test | Filippo Valsorda

Turns out Lenovo preloaded their laptops with adware that will intercept all your secure connections, and allow criminals to do it, too.

After investigating the Lenovo incident we found out that many other softwares – like some Parental Controls or security packages – do things even worse for your security. This test attempts to detect them all.

レノボPCの人は今すぐチェックを!一部製品にSuperfishの大穴 | ギズモード・ジャパン


     *     *     *

追記:Michael Arrington が Superfish の背後にいるベンチャー企業に噛みついた

The Venture Capitalists Behind Superfish | Uncrunched

Other startups that use the same SSL intercept module from Komodia include Lavasoft (a free antivirus provider) (now you know why the antivirus is free).


Read Full Post »


How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last | Ars Technica

“Equation Group” ran the most advanced hacking operation ever uncovered.

U.S. Embedded Spyware Overseas, Report Claims | NYTimes.com

The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.

In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.

Equation Group: The Crown Creator of Cyber-Espionage | Kaspersky Lab

Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks | WIRED

世界で最も高度かつプロのサイバー攻撃集団The Equation Group–その正体は | ZDNet Japan

Read Full Post »


U.S. Tech Companies Press Case Against Restrictive Chinese Rules | WSJ

The proposed restrictions are the latest sign of the continuing repercussions from information about U.S. government intelligence-gathering tactics leaked by Edward Snowden, a former contractor for the National Security Agency. Among other things, Mr. Snowden alleged U.S. authorities hacked millions of Chinese phone messages.

China has issued restrictions that so far affect the country’s banking sector, but officials there have said they are under review and may be extended to telecommunication and other sectors, according to the letter.

米ハイテク企業、中国のソースコード開示要求に対抗 | WSJ

中国ネット監視新規定「米中自由貿易協定違反」と米政財界で批判強まる | 大紀元


China’s New Rules Ask Tech Firms to Hand Over Source Code | IEEE Spectrum

New Rules in China Upset Western Tech Companies | NYTimes.com

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.

Some of America’s largest tech companies could be hurt by the rules, including Apple, which is making a big push into the country. Apple has used new encryption methods in the iPhone 6 that are based on a complicated mathematical algorithm tied to a code unique to each phone. Apple says it has no access to the codes, but under the proposed antiterrorism law, it would be required to provide a key so that the Chinese government could decrypt data stored on iPhones.

Read Full Post »


[Wikileaks が明らかにした FinFisher:The Verge


A Spy in the Machine | The Verge

One day in 2011, Moosa opened the Facebook Messenger app on his iPhone. What he saw was chilling: someone else typing under his name to an activist friend of his in Bahrain…

Facebook was only the beginning. Unbeknownst to him, Moosa’s phone and computer had been infected with a highly sophisticated piece of spyware, built and sold in secret.

It was a sign of a more sophisticated author at work. The implant used a technique called process-hollowing — injecting its own code into a program that’s still running in order to use the legitimate program as cover. […] “I thought, Finspy, that rings some bells,” Marquis-Boire recalls. “Holy shit, I think this is FinFisher!”

FinFisher had become a kind of bogeyman in the security community since brochures advertising the software’s capabilities popped up in a Wikileaks drop in December of 2011. FinFisher could purportedly empower its owner with the kinds of advanced intrusion techniques usually reserved for the NSA. “There was a certain amount of interest just because no one had seen it,” Marquis-Boire says. “All we had were these leaked documents.”

FinFisher was created and sold by Gamma International, an international surveillance company with offices in London and Frankfurt. The Gamma brochures promised remote monitoring and keylogging — they even said they could listen in on a target’s Skype calls in real time.

But now Marquis-Boire had caught a FinFisher sample in the wild, and thanks to the leaked brochures, he had a roadmap of everything the implant could do.

Marquis-Boire enlisted the aid of Claudio Guarnieri, a researcher at security firm Rapid7, to further explore the software. The two uncovered a mobile version of the implant, which came in different versions for iOS, Android, and even Symbian, like a hot startup trying to cover as much of the market as possible. […] Once the implant was installed, your phone effectively became an enemy agent. “I’d be working at my computer and start squinting at my phone, thinking, maybe I should turn that off,” Marquis-Boire says. “It produced this weird dissonance between me and this device that I carry around all the time.”

Instead of a few outposts, they found an army. FinFisher’s agents were everywhere: Japan, Germany, India, Serbia, Mongolia — there were even servers in the US. It was an atlas of personal invasions. All told, 25 countries hosted a server of some kind, each hired out to a different regime and pointing the x-ray at a different enemy of the state.

Marquis-Boire published the work in a series of three landmark papers from July 2012 to March of 2013, each titled with a cheeky Bond pun like 
”The Smartphone Who Loved Me” or “You Only Click Twice.” The papers laid out everything he knew about FinFisher’s network, revealing a global surveillance network that was being hired out to some of the world’s most repressive governments. Targeted exploits weren’t just for the NSA anymore. They were available to anyone who could pay for them.

Once the papers were published, FinFisher went back underground. The coders behind the program began to change its routines and filenames enough to let it slip by unnoticed.

Their primary concern stems not from what effect FinFisher could have on their activism, but from the specter of having their personal lives invaded — the same fundamental privacy concern behind much of the NSA surveillance controversies in the US.

“They actually have a system that the government buys, and they get the whole package,” Marczak says. “It’s not just the code itself, it’s the administration, the analysis, the support — the whole framework is provided.”

That turns the same surveillance conducted by the NSA or GCHQ into a market product, available to the highest bidder with no questions asked. “The value proposition is essentially: ‘Activists in your country are giving you trouble? Well here’s a product that will allow you to turn their cellphone or computer into basically a wiretap, a surveillance tool, and you can spy on everything they do,’” Marczak says. “And I think governments are very attracted to that.”

Wikileaks releases FinFisher files to highlight government malware abuse | The Guardian

FinSpy Surveillance Tool Takes Over Computers Video – Bloomberg | YouTube

国民監視用マルウェア詰め合わせキット「FinFisher/FinSpy」の内部文書やソースコード40GB分がリークされて誰でもダウンロード可能に | GIGAZINE

伊東 寛 × 櫻井よしこ「国益を守るため情報を取るのは世界の常識だ。日本はかなり劣っている」:世界の情報監視プログラムから考える日本の情報・諜報活動 | 言論テレビ

Read Full Post »


Disable Remote Content to Fight Spam and Guard Your Privacy | TekRevue

If you even open a spammer’s email that contains images, the spammer instantly knows that your email address is valid and that you saw the spam email. Even worse, the spammer will also be able to learn important information about you, such as your IP address, which for most users reveals their general geographic location.

Launch Mail in OS X and go to Mail > Preferences > Viewing. Find the box labeled Load remote content in messages and uncheck it. This stops Mail from automatically loading images and other remote content when you first open an email message.

Read Full Post »


Erasable Internet の必要性について

The Lesson of the Sony Hack: We Should All Jump to the ‘Erasable Internet’ | NYTimes.com

“Everyone is so excited about the cloud, but the cloud is really a drunken Xerox machine making copies of pretty much everything that everyone has said anywhere and spewing it all over the place,” said Howard Lerman, the co-creator of Confide, a messaging app that works like the corporate version of Snapchat.

Read Full Post »


Your Mac’s Firewall is Off By Default: Do You Need to Enable It? | How-To Geek

A standard Mac OS X system doesn’t have such potentially vulnerable services listening by default, so it doesn’t need a tacked-on firewall to help protect such vulnerable services from being attacked.

This is actually the same reason why Ubuntu Linux doesn’t ship with its firewall on by default — another thing that was controversial at the time. Ubuntu took the approach of simply not having potentially vulnerable services listening by default, so an Ubuntu system is secure without a firewall. Mac OS X works in the same way.

Read Full Post »


Industrial Control Systems on the Internet | presented at 4SICS.se

What is an Industrial Control System?

In a nutshell, Industrial control systems (ICS) are computers that control the world around you. They’re responsible for managing the air conditioning in your office, the turbines at a power plant, the lighting at the theatre or the robots at a factory.

各社の持つデータだけでなく電力など産業インフラの制御システム(ICS)もインターネットからのアクセスに晒されている。Firewall はどこまで有効か・・・

[via ‏@mikko

Read Full Post »



WireLurker, Masque Attack malware only a threat for users who disable Apple’s iOS, OS X security | AppleInsider

WireLurker and Masque Attack aren’t viral and can’t infect users unless they intentionally disable their security and manually install apps bypassing Apple’s builtin trust verification systems for iOS and Macs.

Apple Blocks Chinese iPhone Hacks | WSJ

Apple downplays Masque threat, ‘not aware’ of any users affected | San Jose Mercury News

Read Full Post »

Update:続報 — Android は安全だ》


[Android とマルウェア:image

Sundar Pichai の非常に率直な発言が話題になっている。

スペインのバルセロナで開催されている Mobile World Congress で、グーグルの Android チームを率いる Sundar Pichai が Android の安全性について答えたものだ。(Pichai は Andy Rubin の後を継いで Android の責任者となった。)

Pichai の発言の内容はつぎのとおり。

9to5Mac: “Google’s Sundar Pichai: Android not designed to be safe, would target Android too if he were making malware” by Ben Lovejoy: 27 February 2014
FrAndroid: “Pour Sundar Pichai, ‘le Galaxy S6 sera sous Android’” by Ulrich Rozier: 27 February 2014

     *     *     *

Android の安全性は保証できない

Android の安全性が確実であるように設計されているとは保証できない。むしろ Android は自由度を与えるべく設計されているからだ。Android を対象とするマルウェアの9割を話題にするとき、これは世界で最もポピュラーな OS への攻撃であることに思いをいたすべきだ。もし自分がマルウェア製作に専念する会社を持っているとしたら、当然自分は Android を攻撃目標にするだろう[と彼は笑いながら答えた。]

[9to5Mac の英訳]
We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom. When people talk about 90% of malware for Android, they must of course take into account the fact that it is the most popular operating system in the world. If I had a company dedicated to malware, I would also be addressing my attacks on Android.

[FrAndroid の原文]
« Nous ne pouvons garantir que Android est conçu pour être sûr, son format a été conçu pour donner plus de liberté. Quand ils parlent de 90 % des logiciels malveillants destinés à Android, ils doivent bien entendu tenir compte du fait que c’est le système d’exploitation le plus utilisé dans le monde. Si j’avais une entreprise dédiée aux logiciels malveillants, j’adresserais également mes attaques à Android« , a t-il déclaré avec un grand sourire.

     *     *     *


また、FrAndroid のフランス語を 9to5Mac が(グーグル翻訳で)直訳しているように見えることから、発言の際のニュアンスも不明だ。

しかし OS の安全性が問題になっている折から、あからさまともいえるその「率直さ」が注目を引いた。


     *     *     *

マルウェアこそが自由だって:John Gruber

Daring Fireball: “Malware Is Freedom” by John Gruber: 27 February 2014

古い Windows 時代の言い草だ。Android がポピュラーだから当然マルウェアもたくさんあるのだと。しかしある意味サードパーティの開発者のサポートという点で、唯一 Android が iOS に差をつけている点だ。

The old Windows line of defense: Android is so popular of course it has all the malware. For some reason, though, that’s the only sort of software where Android leads iOS in third-party developer support.

     *     *     *

グーグルの本音だ:Jim Dalrymple

The Loop: “Google: We can’t guarantee Android is designed to be safe” by Jim Dalrymple: 27 February 2014


Those are the first true words to come out of Google in a long time.

     *     *     *

ちょうどアップルが「iOS 安全性白書」(iOS Security White Paper)を出したばかり。

iOS Security White Paper | Apple

アップルの「iOS 安全性白書」


「アップルは安全性を中核にして iOS プラットフォームを設計している。」

Apple designed the iOS platform with security at its core.

     *     *     *


★ →[原文を見る:9to5Mac
★ →[原文を見る:FrAndroid

     ❖     ❖     ❖
     ❖     ❖     ❖

《Update》続報 — Android は安全だ(3月1日)


[Sundar Pichai:photo

FrAndroid の記事で第一報を伝えた Mashable が、グーグルの提供したトランスクリプトを基に、Sundar Pichai の発言内容を訂正している。

Android は安全ではないとはひとこともいっていない、と・・・

Mashable: “Google’s Sundar Pichai: Android Built to Be Secure [UPDATED]” by Karissa Bell: 27 February 2014

     *     *     *


Android は非常に、大変安全に作られている。あなたがそう見るのは、Android がオープンなプラットフォームなので、多くの人が異なったやり方で Android を出荷でき、したがって一部のパートナーがデバイスを出荷するとき Android の古いバージョンを搭載するからだ。その場合は確かに安全上の脆弱性が生じる。だからといって Android が安全でないことを意味するものではない。

Android was built to be very, very secure. The thing that you’re seeing is because Android is an open platform, many people can ship Android in many different ways and so there are some partners when they ship devices, they have an older version of Android. And sure you can have a security vulnerability there, but that doesn’t mean Android isn’t secure.

     *     *     *


マルウェアの 90% が Android を攻撃目標としているなどという数字を挙げられると、残念ながらかかるマルウェア会社を経営している頭のいい企業人ならそうすべきかもといわざるを得ない。しかしこういう見方は間違っている。多くのマルウェアが Android を攻撃するのはそれが他のいかなるスマートフォンプラットフォームより多く使われているからという考え方があることは明らかだ。

When you say numbers like 90% of malware is targeting Android, you know, I hate to point out that if you’re a smart business person running this malware company, that’s what you should do. It’s the wrong way to look at the lens. Obviously, you will always see more malware targeting Android because Android is used more than any smartphone platform by a pretty substantial difference.

     *     *     *

Sundar Pichai の発言内容がなかなか微妙な言い回しであることが分かる。グーグルがトランスクリプトを提供したのもそのためだろう。


「Lost in Translation」の典型のようにも思える。



★ →[原文を見る:Original Text

Read Full Post »

Older Posts »