Against a sophisticated attacker, nothing connected to the internet is secure. Not your GMail account, not your Facebook account, not your website, not your home computer (especially if you are using WiFi), not industrial facilities, not governments.
While this may not absolutely always hold, I am increasingly convinced that the right way to treat the internet is to act as if this is so. If there is some information you absolutely want to keep private, keep it in a form that is not linked to the internet. Dig out an old computer for non-networked use or, better yet, use paper. Accept that anything you put online, even in a private email, could end up on display to the entire world.
People can certainly do a lot to protect themselves from what are essentially untargeted attacks. The people who run botnets just need control of random computers, and their attack methods are good enough to breach security on your average system. If security in yours is significantly better than average, you are probably at little risk from such annoyances. Everything changes, however, when the attacker has resources and expertise at their disposal, and they have you for a specific target. Organizations like governments, corporations, and organized crime groups have these resources, and attack techniques are always spreading to less sophisticated operators. As they say at the NSA, “Attacks always get better; they never get worse.”
Similarly, it is safest to assume that there is no mechanism that you can use to secure a non-networked computer from a sophisticated attacker. You can use encryption, but chances are they will be able to pull the passphrase from somewhere or find some workaround. If that passphrase is short, it can be defeated using brute force dictionary attacks. If it is stored anywhere on your computer, phone, or the internet, it can be found.
If you want secure encryption, use something like random.org to generate a random alphanumeric string with as many bits of data as the encryption you are using (there is little point in using 256-bit AES with a weak key like ‘AnteLope2841’. You need a key like:
xxDTAJjghYCb7YFm8zcV6YYhmgmvmNxE.
Once you have a strong key, write it down on paper, keep it locked up, and never use it for anything other than decrypting that one file.
If you are going to use random.org to generate keys, at least use the HTTPS version, preferably on some random computer that is unlikely to be monitored.
Also, part of the gap between the entropy of commonly used keys and the requirements of strong encryption is filled by key strengthening.
Treating the internet as something that cannot be secured could carry big personal costs. For instance, email has a lot less value if it can only be used for information you would be OK with seeing released publicly.
That’s true.
For many people, it may be sensible to continue behaving as usual, despite being aware of the risks. Convenience and the ability to share information easily both have considerable value – sometimes, more than the value of privacy.
Another thing that would be very hard to give up about GMail is the search and archiving capabilities. With GMail, it is simple to find a specific message from years ago.
Keeping your email on your own machine might make it more secure, but you pay a price in lost capabilities.
Data protectionism
Serfing the web
A small spat highlights a big issue: who owns your online identity?
Nov 11th 2010 | SAN FRANCISCO | from PRINT EDITION
SUCH is Facebook’s attraction these days that even Britain’s monarch has finally joined the 500m-plus users of the online social network. On November 8th Queen Elizabeth II launched a Facebook page to publicise the royal family’s doings. Within a day, it had attracted almost 200,000 “likes” from around the world plus messages such as “Hello Liz xxx”. But it had also turned into a forum for an acrimonious slanging match between supporters of the monarchy and its critics.
Buckingham Palace says that the Queen’s e-mail address, if she has one, is secret. But it will not end in gmail.com. That will spare her from another wrangle—a kind of digital trade war. On November 5th Google introduced a technical change that blocks its e-mail users from automatically transferring their electronic address book in one lump when they set up a Facebook account. It is part of Google’s efforts to defend its dominance of the internet from Facebook’s growing challenge (as is Google’s announcement this week giving all its 23,000 employees a 10% pay rise and a $1,000 bonus, which is an attempt to halt defections to Facebook).
Both Google and Facebook are run like absolute monarchies in which hundreds of millions of users (digital serfs, some might say) have created identities. Rather like mercantilist countries in the offline realm, both companies operate policies to protect this asset.
The Economist has interviewed, anonymously, executives past and present at 11 Western companies that have been bought by or have sold stakes to Chinese firms, or have been in negotiations to do so. Ten of the deals discussed were worth more than $1 billion. What these people say provides an insight into both China’s capacity to expand its companies abroad and the opaque workings of its state-backed firms. The impression they give is a mixture of awe at China’s ambition and technical skill and a far more qualified assessment of Chinese companies’ ability to run international businesses.
The meat of the negotiation often has two parts: marathon sessions at an investment bank’s offices, often in London, and visits by target firms’ executives to mainland China or Hong Kong. There they may be expected to make epic PowerPoint presentations to giant audiences, and to attend banquets and intimate discussions, often in hotels owned by the bidder.
Most visitors are impressed by Chinese firms’ technical nous. Both sides try to make friends: “Emotion and trust matter,” says a Briton, because authority within Chinese firms is opaque and arbitrary. Chinese negotiators often use booze to break down barriers—and to try to get the upper hand. This is a well-known tactic, says a European of hazy days he spent in a hotel dealing with the fine print. “They would bring in people to try to get you drunk…At one point I was sure they’d brought in a lady from the switchboard.”
Most targets of Chinese takeovers need an interpreter. It pays to be wary. The head of a mining firm grew fond of his, but jokes, “She was clearly an internal spy.” Most executives say they trusted their hosts. But not all. A European says, “They knew everything about me,” and adds, “I had 52 hits from China on my home computer.” Another boss negotiating a controversial natural-resources deal found the atmosphere sinister. “You had to take your battery out of your mobile phone. You were told the rooms were bugged.”
Who spies on your browsing history?
Cory Doctorow at 11:53 PM Wednesday, Dec 1, 2010
We’ve written before about the security vulnerability that allows websites to sniff your browsing history. A paper from UC San Diego computer science department researchers, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications,” surveys which websites use this invasive technique against their users. YouPorn tops the list, but PerezHilton, Technorati, TheSun.co.uk, and Wired are also spying on their users’ browsing habits by exploiting this vulnerability.
http://www.reddit.com/r/AskReddit/comments/ej8zi/give_me_your_deepest_most_profound_quote_you_know/
Facebook news feeds beset with malware
One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers.
Security firm BitDefender said it had detected infections contained in the news feeds of around 20% of Facebook users.
By clicking on infected links in a news feed, users risk having viruses installed on their computer.
Facebook said it already had steps in place to identify and remove malware-containing links.
BitDefender arrived at its figures by analysing data from 14,000 Facebook users that had installed a security app, called safego, it makes for the social network site.
In the month since safego launched, it has analysed 17 million Facebook posts, said BitDefender.
The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware, BitDefender said.
I hereby speculate that harddisks can use the spare remapping area to secretly make copies of your data. Rising totalitarianism makes this almost a certitude. It is quite straightforward to implement some simple filtering schemes that would copy potentially interesting data. Better, a harddisk can probably detect that a given file is being wiped, and silently make a copy of it, while wiping the original as instructed.
Recovering such data is probably easily done with secret IDE/SCSI commands. My guess is that there are agreements between harddisk manufacturers and government agencies. Well-funded mafia hackers should then be able to find those secret commands too.
Don’t trust your harddisk. Encrypt all your data.
Of course this shifts the trust to the computing system, the CPU, and so on. I guess there are also “traps” in the CPU and, in fact, in every sufficiently advanced mass-marketed chip. Wealthy nations can find those. Therefore these are mainly used for criminal investigation and “control of public dissent”.
People should better think of their computing devices as facilities lended by the DHS.
What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised e-mail accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.
The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst – that any network is vulnerable.
Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in “target development” for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees’ job descriptions, networks of associates, and even the way they sign their e-mails – such as U.S. military personnel’s use of “V/R,” which stands for “Very Respectfully” or “Virtual Regards.”
The spear-phish are “the dominant attack vector. They work. They’re getting better. It’s just hard to stop,” says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.
And future people do not give a damn about your shopping,
your Visa number SSL’d to Cherry-Popping
Hot Grampa Action websites that you visit,
nor password-protected partitions, no matter how illicit.
And this, it would seem, is your saving grace:
the amazing haste of people to forget your name, your face,
your litanous* list of indefensible indiscretions.
In fact, the only way that you could pray to make impression
on the era ahead is if, instead of being notable,
you make the data describing you undecodable
for script kiddies sifting in that relic called the internet
(seeking latches on treasure chests that they could wreck in seconds but didn’t yet
get a chance to cue up for disassembly)
to discover and crack the cover like a crème brûlée.
They’ll glance you over, I guess, and then for a bare moment
you’ll persist to exist; almost seems like you’re there, don’t it?
But you’re not. You’re here. Your name will fade as Front’s will,
‘less in the future they don’t know our cryptovariables still.
Cloud computing’s growing pains
Break-ins and breakdowns
The lessons from Sony’s big security lapse and Amazon’s cloud-computing outage
IT COULD turn out to be the biggest breach of data privacy since the advent of the internet. Sony admitted this week that hackers had stolen personal information, possibly including credit-card details, of many of the 77m-plus users of its online-gaming and entertainment networks. The Japanese company did not admit the full extent of the potential risks to its customers until nearly a week after it had taken its PlayStation Network off air, though it insisted that it had done so as soon as it realised how serious the intrusion into its systems had been.
Amazon, an American online retailer and provider of “cloud computing” services, has also suffered a lengthy breakdown at one of the giant server farms whose storage and processing facilities it rents to other companies. The two lapses, though unconnected and different in nature, have raised the question of whether customers can really trust the basic idea behind the cloud—that you can buy computing services from the internet, just like gas or water from a utility (see article).
Apple admits Mac scareware infections, promises cleaning tool
After taking heat for not helping users, Apple takes major step by owning up to security problems in Mac OS, says expert
Computerworld – Apple on Tuesday promised an update for Mac OS X that will find and delete the MacDefender fake security software, and warn still-unaffected users when they download the bogus program.
The announcement — part of a new support document that the company posted late Tuesday — was the company’s first public recognition of the threat posed by what security experts call “scareware” or “rogueware.”
“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple said in the document. “The update will also help protect users by providing an explicit warning if they download this malware.”
Apple also outlined steps that users with infected Macs can take to remove the scareware.
A lot of this is marketing — a combination of “we are invincible” and “be afraid, be very afraid.” But a lot of it is intended also to keep us locked-in to certain technologies. To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered. Why should such architectural secrecy even be required if those 1024- or 2048-bit codes really would take a thousand years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough?
Good question.
Alas, the answer is “no.” There are several reasons for this but the largest by far is that the U.S. government does not want us to have really secure networks. The government is more interested in snooping in on the rest of the world’s insecure networks. The U.S. consumer can take the occasional security hit, our spy chiefs rationalize, if it means our government can snoop global traffic.
This is National Security, remember, which means ethical and common sense rules are suspended without question.
RSA, Cisco, Microsoft and many other companies have allowed the U.S. government to breach their designs. Don’t blame the companies, though: if they didn’t play along in the U.S. they would go to jail. Build a really good 4096-bit AES key service and watch the Justice Department introduce themselves to you, too.
http://www.cringely.com/2011/06/when-engineers-lie/
Why it’s So Difficult to Trace Cyber-Attacks
I’ve been asked this question by countless reporters in the past couple of weeks. Here’s a good explanation. Shorter answer: it’s easy to spoof source destination, and it’s easy to hijack unsuspecting middlemen and use them as proxies.
No, mandating attribution won’t solve the problem. Any Internet design will necessarily include anonymity.
Hiding malware in smart batteries
Posted on July 22, 2011 by Cory Doctorow
Charlie Miller, a respected security researcher, has discovered vulnerabilities in the smart batteries for Apple laptops and mobile devices; he can manipulate their firmware to render them unusable or to cause them to misreport their remaining charge to the OS. The new firmware can survive an OS replacement, leading Miller to speculate that it could be used to store persistent malware that restored itself after the disk was erased and the OS was rewritten.
Researchers from Ruhr University Bochum demonstrated the insecurity of XML encryption standard at ACM Conference on Computer and Communications Security in Chicago this week. ‘Everything is insecure,’ is the uncomfortable message from Bochum. As pointed out by the Ars Technica article, XML Encryption is used widely as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. But it is apparently too weak, as demonstrated by Juraj Somorovsky and Tibor Jager. They were able to decrypt data by sending modified ciphertexts to the server by gathering information from the received error messages. The attack was tested against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure — in all cases the result was the same: the attack worked. Fixing the vulnerability will require a revision of the W3C XML encryption standard, Somorovsky said. The researchers informed all possibly affected companies through the mailing list of W3C, following a clear responsible disclosure process.
This rule _definitely_ applies to cell phones.
The Hacker is Watching
Every online scam begins more or less the same—a random e-mail, a sketchy attachment. But every so often, a new type of hacker comes along. Someone who rewrites the rules, not just the code. He secretly burrows his way into your hard drive, then into your life. Is he following your every move?
By David Kushner
Photographs by Jason Madara
Milan,
As someone who covers IT security-related news, I thought you might be interested in today’s news from Passware, Inc., a provider of password recovery, decryption, and electronic evidence discovery software for computer forensics, law enforcement organizations, government agencies, and private investigators.
Passware warns consumer Mac users to vulnerabilities of Mac encryption solutions and notes that computer forensics experts can now easily decrypting Mac hard disks encrypted with FileVault.
With the release of this feature, Passware also announces that the new Passware Kit Forensic 11.3:
· recovers hashed passwords with Rainbow Tables
· extracts passwords from encrypted Mac keychain files
· builds a password list for its Dictionary attack based on the words detected in a computer memory
“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.”
To learn more, please see the release below. I am happy to arrange a briefing with Passware’s president if you would like even more detailed information.
Lauren Curley, for Passware
781 383 6406
lpcurley@comcast.net
Contact:
Nataly Koukoushkina
Passware Inc.
+1 (650) 472-3716 ext. 101
media@lostpassword.com
Passware Contributes to Mac Forensics by Decrypting FileVault; Warns Consumer Mac Users to Vulnerabilities of Mac Encryption Solutions
Full access to an encrypted Mac disk within minutes – new live memory analysis solution released by one of the leading eDiscovery software companies
Mountain View, Calif. (February 1, 2012) – Passware, Inc., a provider of password recovery, decryption, and electronic evidence discovery software for computer forensics, law enforcement organizations, government agencies and private investigators, announces Passware Kit Forensic v11.3, which builds upon the product’s capabilities to recover Mac OS user login passwords from computer memory (see July 26, 2011 press release) by decrypting Mac hard disks encrypted with FileVault.
Passware emphasizes the importance of Mac forensics (according to the recent statistics on Mac platforms sales) and ability to handling full disk encryption as an essential part of eDiscovery with the latest release of Passware for instant FileVault decryption. The solution includes live target memory acquisition over FireWire and subsequent recovery of a FileVault encryption key. Computer forensics can now easily gain a FileVault encryption key from the target computer memory, which provides full access to the encrypted Mac hard disk. The full process takes no more than 40 minutes – regardless of the length or complexity of the password.
“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.”
Latest Features and Vulnerability Alert to Casual Mac Users
With the release of this feature, Passware also announces that the new Passware Kit Forensic 11.3:
· recovers hashed passwords with Rainbow Tables
· extracts passwords from encrypted Mac keychain files
· builds a password list for its Dictionary attack based on the words detected in a computer memory
Supporting the solution’s ability to decrypt Mac hard disks encrypted with FileVault, other memory analysis options available with Passware Kit Forensic include decryption of TrueCrypt, BitLocker, and recovery of Mac user login passwords.
Having designed the latest features of Passware Kit Forensic for computer forensics, Passware alerts home users of the vulnerabilities of Mac encryption solutions and advises users to shut down their computers especially when working with confidential data. Sumin notes, “Live memory analysis opens up great possibilities to password recovery and decryption. Every user should be aware that even full disk encryption is insecure while the data rests in computer memory.”
Pricing and Availability
Passware Kit Forensic is available directly from Passware and a network of resellers worldwide. The price is $995 with one year of free updates. Additional product information and screen shots are available at http://www.lostpassword.com/kit-forensic.htm.
About Passware Inc.
Founded in 1998, Passware Inc. is the worldwide leading maker of password recovery, decryption, and electronic evidence discovery software. Law enforcement and government agencies, institutions, corporations and private investigators, help desk personnel, and thousands of private consumers rely on Passware software products to ensure data availability in the event of lost passwords. Passware customers include many Fortune 100 companies and various US federal and state agencies, such as IRS, US Army, US Department of Defense (DOD), US Department of Justice, US Department of Homeland Security, US Department of Transportation, US Postal Service, US Secret Service, US Senate, and US Supreme Court.
More information about Passware, Inc. is available at http://www.lostpassword.com/. Passware is a privately held corporation with headquarters in Mountain View, Calif. and a software development and engineering office in Moscow, Russia.
“It is becoming increasingly difficult for anyone, anyone at all, to keep a secret.
In the age of the leak and the blog, of evidence extraction and link discovery, truths will either out or be outed, later if not sooner. This is something I would bring to the attention of every diplomat, politician, and corporate leader: The future, eventually, will find you out. The future, wielding unimaginable tools of transparency, will have its way with you. In the end, you will be seen to have done that which you did.
I say ‘truths,’ however, and not ‘truth,’ as the other side of information’s new ubiquity can look not so much transparent as outright crazy. Regardless of the number and power of the tools used to extract patterns from information, any sense of meaning depends on context, with interpretation coming along in support of one agenda or another. A world of informational transparency will necessarily be one of deliriously multiple viewpoints, shot through with misinformation, disinformation, conspiracy theories and a quotidian degree of madness. We may be able to see what’s going on more quickly, but that doesn’t mean we’ll agree about it any more readily.”
Gibson, William. Distrust That Particular Flavor. p.170 (hardcover)
Chrome Hacked In 5 Minutes At Pwn2Own
“After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google’s browser. They will win at least 60k USD out of Google’s prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome’s much lauded sandboxing is not a silver bullet for browser security.”
“A group of U.S. federal cybersecurity experts recently said the Defense Department’s network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks.”
“Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen’s hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word. Those individual fees often cost much more than that six-figure subscription, and Vupen sells them non-exclusively to play its customers off each other in an espionage arms race. The company’s CEO, Chaouki Bekrar, says Vupen only sells to NATO governments and ‘NATO partners’ but he admits ‘if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.'”
“Saturday’s electronic leadership vote for Canada’s New Democratic Party was plagued by delays caused by a botnet DDoS attack, coming from over 10,000 machines. Details are still scarce, but Scytl, who provided electronic voting services, will have to build more robust systems in the future in anticipation of such attacks. Party and company officials say an audit proved the systems and integrity of the vote were not compromised.”
Richard Clarke: All Major U.S. Firms Hacked By China
“Former White House cybersecurity advisor Richard Clarke says state-sanctioned Chinese hackers are stealing R&D from U.S. companies, threatening the long-term competitiveness of the nation. He said, ‘The U.S. government is involved in espionage against other governments. There’s a big difference, however, between the kind of cyberespionage the United States government does and China. The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing [many believe that Chinese hackers gave Boeing secrets to Airbus]. We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco. [He believes Microsoft, too, was a victim of a Chinese cyber con game.] We don’t do that. … We hack our way into foreign governments and collect the information off their networks. The same kind of information a CIA agent in the old days would try to buy from a spy. … Diplomatic, military stuff but not commercial competitor stuff.'”
Hacker group LulzSec says it has attacked MilitarySingles.com
LulzSec appears to be back after many months of lying low. It says it has obtained email addresses and other data about nearly 171,000 users of MilitarySingles.com, a commercial dating site.
A nice piece of frightening securityspeak to conjure with: forever-day bugs, which are known bugs that the vendor has no intention of patching. These are often found in control systems, and are the sort of thing that Stuxnet exploited to attack the Iranian nuclear program. These controllers are also found on other kinds of industrial lines and, of course, in aircraft. “Forever day is a play on ‘zero day,’ a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or ‘infinite days’ by some researchers…” [Ars Technica]
Occupy Wall Street (@OccupyWallStNYC
)
19/04/2012 19:39
FBI seizes riseup.net server. #Anonymous #OWS #FBI help.riseup.net/en/seizure-201…
FBI: We Need Wiretap-Ready Web Sites — Now
TheGift73 writes with news that the FBI is pushing a proposal to update old wiretap legislation so that modern web firms would be forced to build in backdoors to facilitate government surveillance. Quoting CNET: “In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned. The FBI general counsel’s office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly. … The FBI’s proposal would amend a 1994 law, called the Communications Assistance for Law Enforcement Act, or CALEA, that currently applies only to telecommunications providers, not Web companies. The Federal Communications Commission extended CALEA in 2004 to apply to broadband networks.”
Everyone Has Been Hacked. Now What?
The attackers chose their moment well.
On Apr. 7, 2011, five days before Microsoft patched a critical zero-day vulnerability in Internet Explorer that had been publicly disclosed three months earlier on a security mailing list, unknown attackers launched a spear-phishing attack against workers at the Oak Ridge National Laboratory in Tennessee.
The lab, which is funded by the U.S. Department of Energy, conducts classified and unclassified energy and national security work for the federal government.
The e-mail, purporting to come from the lab’s human resources department, went to about 530 workers, or 11 percent of the lab’s workforce.
The cleverly crafted missive included a link to a malicious webpage, where workers could get information about employee benefits. But instead of getting facts about a health plan or retirement fund, workers who visited the site using Internet Explorer got bit with malicious code that downloaded silently to their machines.
Although the lab detected the spear-phishing attack soon after it began, administrators weren’t quick enough to stop 57 workers from clicking on the malicious link. Luckily, only two employee machines were infected with the code. But that was enough for the intruders to get onto the lab’s network and begin siphoning data. Four days after the e-mails arrived, administrators spotted suspicious traffic leaving a server.
Only a few megabytes of stolen data got out, but other servers soon lit up with malicious activity. So administrators took the drastic step of severing all the lab’s computers from the internet while they investigated.
As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how.” And an anonymous reader adds a note that Flame’s infrastructure is massive: “over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries.
http://it.slashdot.org/story/12/06/05/1638228/flame-malware-hijacks-windows-update
Crypto breakthrough shows Flame was designed by world-class scientists
The spy malware achieved an attack unlike any cryptographers have seen before.
The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.
“We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack,” Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. “The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications.”
“Collision” attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn’t until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Wegwer, of the Technische Universiteit Eindhoven were two of the driving forces behind the research that made it possible.
Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.
Web Exploit Found That Customizes Attack For Windows, Mac, and Linux
“The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The flaw was disclosed the vulnerability in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. ‘Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,’ the US-CERT advisory says. ‘The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.'”
http://it.slashdot.org/story/12/06/16/0356209/us-cert-discloses-security-flaw-in-64-bit-intel-chips
—
The popular Blackhole exploit kit, assumed to be created and maintained by an individual going by the online moniker of ‘Paunch,’ who continuously updates the browser exploit software, looks like it has just received another upgrade. The exploit works by infecting a user when they visit a Blackhole-infected site, and their browser runs the JavaScript code, usually via a hidden iframe. If the location or URL for the malicious iframe changes or is taken down, all of the compromised sites will have to be updated to point to this new location, making it hard for the attackers. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain. Moreover, the kit’s recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft’s XML Core Services, which remains unpatched. Unfortunately, the changes prove once again that the criminal economy online is alive and well.
http://it.slashdot.org/story/12/07/03/1315230/blackhole-exploit-kit-gets-an-upgrade
—
“Security researchers have come across a worm that is meant specifically to steal blueprints, design documents and other files created with the AutoCAD software. The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China. However, experts say that the worm’s infection rates are dropping at this point and it doesn’t seem to be part of a targeted attack campaign. … [They] discovered that not only was the worm highly customized and well-constructed, it seemed to be targeting mostly machines in Peru for some reason. … They found that ACAD/Medre.A was written in AutoLISP, a specialized version of the LISP scripting language that’s used in AutoCAD.”
http://it.slashdot.org/story/12/06/25/2323259/autocad-worm-medrea-stealing-designs-blueprints
—
Serious Web Vulnerabilities Dropped In 2011
“It’s refreshing to see a security report from a security vendor that isn’t all doom-and-gloom and loaded with FUD. Web Application Security firm WhiteHat Security released a report this week (PDF) showing that the number of major vulnerabilities has fallen dramatically. Based on the raw data gathered from scans of over 7,000 sites, there were only 79 substantial vulnerabilities discovered on average in 2011. To compare, there were 230 vulnerabilities on average discovered in 2010, 480 in 2009, 795 in 2008, and 1,111 in 2007. As for the types of flaws discovered, Cross-Site Scripting (XSS) remained the number one problem, followed by Information Leakage, Content Spoofing, Insufficient Authorization, and Cross-Site Request Forgery (CSRF) flaws. SQL Injection, an oft-mentioned attack vector online – was eighth on the top ten.”
http://it.slashdot.org/story/12/06/30/1940218/serious-web-vulnerabilities-dropped-in-2011
—
Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. ‘What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.’ Why weren’t Flame, Stuxnet, and Duqu detected earlier? The answer isn’t encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. ‘The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets,’ writes Hypponen, adding that it’s highly likely there are other similar attacks already underway that we haven’t detected yet because simply put, attacks like these work. ‘Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.
Our applications host a variety of web content on behalf of our users, and over the years we learned that even something as simple as serving a profile image can be surprisingly fraught with pitfalls. Today, we wanted to share some of our findings about content hosting, along with the approaches we developed to mitigate the risks.
Historically, all browsers and browser plugins were designed simply to excel at displaying several common types of web content, and to be tolerant of any mistakes made by website owners. In the days of static HTML and simple web applications, giving the owner of the domain authoritative control over how the content is displayed wasn’t of any importance.
It wasn’t until the mid-2000s that we started to notice a problem: a clever attacker could manipulate the browser into interpreting seemingly harmless images or text documents as HTML, Java, or Flash—thus gaining the ability to execute malicious scripts in the security context of the application displaying these documents (essentially, a cross-site scripting flaw). For all the increasingly sensitive web applications, this was very bad news.
During the past few years, modern browsers began to improve. For example, the browser vendors limited the amount of second-guessing performed on text documents, certain types of images, and unknown MIME types. However, there are many standards-enshrined design decisions—such as ignoring MIME information on any content loaded through , , or —that are much more difficult to fix; these practices may lead to vulnerabilities similar to the GIFAR bug.
Google’s security team played an active role in investigating and remediating many content sniffing vulnerabilities during this period. In fact, many of the enforcement proposals were first prototyped in Chrome. Even still, the overall progress is slow; for every resolved problem, researchers discover a previously unknown flaw in another browser mechanism. Two recent examples are the Byte Order Mark (BOM) vulnerability reported to us by Masato Kinugawa, or the MHTML attacks that we have seen happening in the wild.
When Networks Network
Once studied solo, systems display surprising behavior when they interact
How crooks turn even crappy hacked PCs into money
“A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites.”
DON’T MESS UP It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake — forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once — to ruin you.
“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”
In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.
Some people think that if something is difficult to do, “it has security benefits, but that’s all fake — everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”
This could be useful, and could do a little bit to help reverse the tide of malicious activity on the web:
Hosting provider Antagonist automatically fixes vulnerabilities in customers’ websites
It’s very challenging for ordinary website operators to make their sites secure, and to deal with the consequences of security breaches.
Hacker’s ad for a Yahoo email-stealing exploit, up for sale at $700
Your Cisco phone is listening to you: 29C3 talk on breaking Cisco phones
Here’s a video of Ang Cui and Michael Costello’s Hacking Cisco Phones talk at the 29th Chaos Communications Congress in Hamburg. Cui gave a show-stealing talk last year on hacking HP printers, showing that he could turn your printer into a inside-the-firewall spy that systematically breaks vulnerable machines on your network, just by getting you to print out a document.
Cui’s HP talk showed how HP had relied upon the idea that no one would ever want to hack a printer as its primary security. With Cisco, he’s looking at a device that was designed with security in mind. The means by which he broke the phone’s security is much more clever, and makes a fascinating case-study into the cat-and-mouse of system security.
The threat of browser-based data breaches is growing. The number of vulnerabilities in browser plugins is on the rise. Now is the time to be proactive about the security of your web browser.
Qualys BrowserCheck is a cloud service that scans your browsers and plugins to see if they’re all up-to-date. It’s an “online checkup” that relieves you from having to manually chase the constantly-shifting landscape of patches and updates to determine what you should be using. BrowserCheck identifies which browsers and plugins are used on your computer and whether newer versions have been released by vendors. On PCs running Microsoft Windows XP or later, BrowserCheck can also verify that important OS settings are enabled and Windows security updates are being received.
Fuzz testing
From Wikipedia, the free encyclopedia
Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
“The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks,” reports Brian Krebs. The paper’s statement on the matter is a model of how not to handle security clusterfucks.
Passware Inc. is a forensics security company that develops investigation software kits to reveal passwords on seized computers. Last year it released a version of its kit that allows an investigator to reveal the passwords of Apple’s FileVault encryption technology, along with those for similar technologies such as TrueCrypt, PGP Disk, and BitLocker. Recently the kit has gained more features and now has the ability to snoop through a system’s hibernation file for Google and Facebook account passwords.
The Passware snooping technology works by accessing a system’s memory either through a port that has direct memory access (DMA), or by accessing a system’s sleepimage (hibernation) files. It scans the contents of these resources for patterns to reveal relevant passwords.
In many ways, the attacks resembled those criminal groups and spammers deploy against individuals and businesses. A “spearphishing” e-mail is sent, which attempts to get members of an organisation to open an attachment that appears to originate from a colleague or business partner, and contains some typical business data. Rather than a file, though, the attachment is a piece of malware. When opened, it exploits system flaws to install backdoor access to the computer. This allows remote command-and-control servers anywhere on the internet to install additional software, capture keystrokes and images on the screen, and ferret around the local network.
Mandiant says the hackers sometimes used malicious remote-access toolkits readily available on the “dark side” of the internet (if not through your average Google search). But mostly they either developed or acquired at least 42 “families” of proprietary remote-access tools. Some have dates imprinted in them which indicate they were initially programmed as early as 2004, with updates added over the subsequent six years. The attacks, in other words, were carefully planned and premeditated.
To fool firewalls and other software, some remote-control malware mimicked traffic patterns of legitimate internet services, like the Jabber/XMPP chat system used by Google and Facebook, among others. This allowed them to send information to and from the infected machines without raising suspicions. A lot of the insidious traffic was encrypted, but this too is commonplace for many websites and services, including Twitter and standard e-mail.
APT1 tried hard to retrieve password-related information, often using common cracking tools. Before being stored a password is usually fed into an algorithm called a hash function. This converts it into an obscure string of symbols, or a “hash”, that offers no clue as to the original input. The function is irreversible, so you cannot work back from a hash to the password. You can, however, run different words through a hash function and compare the resulting hash with the one stored. Many such “brute-force” attacks use large dictionaries of common and less common passwords. As a number of companies discovered last year, poor passwords make for easy pickings. Some clever tools actually let an attacker log into a system using the encrypted form of a password, dispensing with the need to crack it.
Nate Anderson’s long Ars Technica piece on RATters — men who use “Remote Administration Tools” to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords — is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this “game.” Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by Ratters (they call their victims “slaves”); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.
Today, a cottage industry exists to build sophisticated RAT tools with names like DarkComet and BlackShades and to install and administer them on dozens or even hundreds of remote computers. When anti-malware vendors began to detect and clean these programs from infected computers, the RAT community built “crypters” to disguise the target code further. Today, serious ratters seek software that is currently “FUD”—fully undetectable.
Building an army of slaves isn’t particularly complicated; ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files and naming them after popular songs or movies, or through even more creative methods. “I seem to get a lot of female slaves by spreading Sims 3 with a [RAT] server on torrent sites,” wrote one poster. Another turned to social media, where “I’ve been able to message random hot girls on facebook (0 mutual friends) and infect (usually become friends with them too); with the right words anything is possible.”
HER hopes of joining a Romney administration now vanished, Nikki Haley, the Republican governor of South Carolina, is expected to announce next summer that she will seek a second term in 2014. But her chances may be crippled by the fact that, in October the news broke that an international computer hacker had stolen from the South Carolina Department of Revenue’s data base the tax records of every South Carolinian who has filed a state tax return online since 1998—3.8m individuals and almost 700,000 businesses. It is believed to be the largest cyber-attack against a state tax agency in America’s history, and it went on for ten days after detection before the intruder’s access could be blocked.
Monitor
An internet of airborne things
Networking: Enthusiasts dream of building a drone-powered internet to carry objects rather than data. Are they mad?
Microsoft sees all your HTTPS links in Skype, and you didn’t know
Revealed: how Microsoft handed the NSA access to encrypted messages
http://m.guardiannews.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
SIR – In a few years nothing in electronic format will be secure. Has the time for a step back arrived? Paper, typewriters, attaché cases handcuffed to couriers and underground vaults for storage might be the only way to make secret information truly inaccessible to adversaries. Perhaps China is already doing that.
Jose Latour
Toronto
http://www.economist.com/news/letters/21580127-iran-coastal-homes-mexico-city-prism-london-publishing-bosses-newcastle
Webcam spying goes mainstream as Miss Teen USA describes hack
“The light didn’t even go on, so I had no idea.”
CrowdStrike is a vocal advocate of “active defence” technologies that are generating much buzz in the cyber-security world. Their proponents argue that those who think firewalls, antivirus programmes and other security software are enough to keep their networks safe are kidding themselves. Instead, companies should work on the assumption that their systems have been breached, and take the fight to the hackers. The methods they prescribe include planting false information on their systems to mislead data thieves, and creating “honeypot” servers, decoys that gather information about intruders.
http://www.economist.com/news/business/21583251-new-breed-internet-security-firms-are-encouraging-companies-fight-back-against-computer
NSA surveillance: A guide to staying secure
The NSA has huge capabilities – and if it wants in to your computer, it’s in. With that in mind, here are five ways to stay safe
Bruce Schneier
theguardian.com, Friday 6 September 2013 14.09 BST
…
The primary way the NSA eavesdrops on internet communications is in the network. That’s where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.
Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other “partners” around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.
…
The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
…
The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs.
…
As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.
…
Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake.
…
If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all.
1. When you set up your computer, connect it to the Internet as little as possible. It’s impossible to completely avoid connecting the computer to the Internet, but try to configure it all at once and as anonymously as possible. I purchased my computer off-the-shelf in a big box store, then went to a friend’s network and downloaded everything I needed in a single session. (The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.)
2. Install the minimum software set you need to do your job, and disable all operating system services that you won’t need. The less software you install, the less an attacker has available to exploit. I downloaded and installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That’s all. (No, I don’t have any inside knowledge about TrueCrypt, and there’s a lot about it that makes me suspicious. But for Windows full-disk encryption it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk — and I am more worried about large US corporations being pressured by the NSA than I am about TrueCrypt.)
3. Once you have your computer configured, never directly connect it to the Internet again. Consider physically disabling the wireless capability, so it doesn’t get turned on by accident.
4. If you need to install new software, download it anonymously from a random network, put it on some removable media, and then manually transfer it to the air-gapped computer. This is by no means perfect, but it’s an attempt to make it harder for the attacker to target your computer.
5. Turn off all autorun features. This should be standard practice for all the computers you own, but it’s especially important for an air-gapped computer. Agent.btz used autorun to infect US military computers.
6. Minimize the amount of executable code you move onto the air-gapped computer. Text files are best. Microsoft Office files and PDFs are more dangerous, since they might have embedded macros. Turn off all macro capabilities you can on the air-gapped computer. Don’t worry too much about patching your system; in general, the risk of the executable code is worse than the risk of not having your patches up to date. You’re not on the Internet, after all.
7. Only use trusted media to move files on and off air-gapped computers. A USB stick you purchase from a store is safer than one given to you by someone you don’t know — or one you find in a parking lot.
8. For file transfer, a writable optical disk (CD or DVD) is safer than a USB stick. Malware can silently write data to a USB stick, but it can’t spin the CD-R up to 1000 rpm without your noticing. This means that the malware can only write to the disk when you write to the disk. You can also verify how much data has been written to the CD by physically checking the back of it. If you’ve only written one file, but it looks like three-quarters of the CD was burned, you have a problem. Note: the first company to market a USB stick with a light that indicates a write operation — not read or write; I’ve got one of those — wins a prize.
9. When moving files on and off your air-gapped computer, use the absolute smallest storage device you can. And fill up the entire device with random files. If an air-gapped computer is compromised, the malware is going to try to sneak data off it using that media. While malware can easily hide stolen files from you, it can’t break the laws of physics. So if you use a tiny transfer device, it can only steal a very small amount of data at a time. If you use a large device, it can take that much more. Business-card-sized mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for sale.
10. Consider encrypting everything you move on and off the air-gapped computer. Sometimes you’ll be moving public files and it won’t matter, but sometimes you won’t be, and it will. And if you’re using optical media, those disks will be impossible to erase. Strong encryption solves these problems. And don’t forget to encrypt the computer as well; whole-disk encryption is the best.
https://www.schneier.com/blog/archives/2013/10/air_gaps.html
International Space Station attacked by ‘virus epidemics’
Malware spread from infected devices in orbit, proving not even computers in space are safe from viruses
Most laptops with built-in cameras have an important privacy feature — a light that is supposed to turn on any time the camera is in use. But Wolf says she never saw the light on her laptop go on. As a result, she had no idea she was under surveillance.
That wasn’t supposed to be possible. While controlling a camera remotely has long been a source of concern to privacy advocates, conventional wisdom said there was at least no way to deactivate the warning light. New evidence indicates otherwise.
Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, said in a recent story in The Washington Post that the FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years.
Now research from Johns Hopkins University provides the first public confirmation that it’s possible to do just that, and demonstrates how. While the research focused on MacBook and iMac models released before 2008, the authors say similar techniques could work on more recent computers from a wide variety of vendors. In other words, if a laptop has a built-in camera, it’s possible someone — whether the federal government or a malicious 19 year old — could access it to spy on the user at any time.
iSeeYou: Disabling the MacBook Webcam Indicator LED
The ubiquitous webcam indicator LED is an important privacy feature which provides a visual cue that the camera is turned on. We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops. This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non- root) application. The same technique that allows us to disable the LED, namely reprogramming the firmware that runs on the iSight, enables a virtual machine escape whereby malware running inside a virtual machine reprograms the camera to act as a USB Human Interface Device (HID) keyboard which executes code in the host operating system. We build two proofs-of-concept: (1) an OS X application, iSeeYou, which demonstrates capturing video with the LED disabled; and (2) a virtual machine escape that launches Terminal.app and runs shell commands. To defend against these and related threats, we build an OS X kernel extension, iSightDefender, which prohibits the modification of the iSight’s firmware from user space.
Bad Ads on Yahoo Infected Thousands of Users With Malware
Thousands of users who visited Yahoo’s Web site over the past week were infected with malware, researchers have found. The malware was delivered via malicious advertisements that appeared on the site.
The Blackhole Exploit Kit has been out of commission since October when its alleged creator, a hacker named Paunch, was arrested in Russia. The kit was a favorite among cybercriminals who took advantage of its frequent updates and business model to distribute financial malware to great profit. Since the arrest of Paunch, however, a viable successor has yet to emerge–and experts believe one will not in the short term. This is partially the reason for the increase in outbreaks of ransomware such as CryptoLocker as hackers aggressively attempt to recover lost profits.
—
Viable Blackhole Successor Could Take Years to Emerge
Malware threats making anti-virus software ‘totally useless’
Nearly 100 per cent of computer attacks are criminal in nature, say experts
Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate’s Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users’ computers via ‘drive by downloads,’ which occur when a user innocently visits a web site, with no interaction or clicking required.
Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.
Incidentally, the bad guys call this state “fully un-detectable,” or “FUD” for short, an acronym that I’ve always found ironic and amusing given the rampant FUD (more commonly known in the security industry as “fear, uncertainty and doubt”) churned out by so many security firms about the sophistication of the threats today.
In some of the most sophisticated operations, this crypting process happens an entirely automated fashion (the Styx-Crypt exploit kit is a great example of this): The bad guy has a malware distribution server or servers, and he signs up with a crypting service. The crypting service has an automated bot that at some interval determined by the customer grabs the code from the customer’s malware distribution server and then does its thing on it. After the malware is declared FUD by the crypting service, the bot deposits the fully crypted malware back on the bad guy’s distribution server, and then sends an instant message to the customer stating that the malware is ready for prime time.
True Goodbye: ‘Using TrueCrypt Is Not Secure’ http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the middle attack.
http://it.slashdot.org/story/14/10/24/186223/researcher-finds-tor-exit-node-adding-malware-to-downloads
Hacking Team Manuals: Sobering Reminder That Privacy is Elusive
The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team’s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.
Samy Kamkar has a proof-of-concept attack through which he plugs a small USB stick into an unlocked Mac OS X machine and then quickly and thoroughly compromises the machine, giving him total, stealthy control over the system in seconds, even reprogramming the built-in firewall to blind it to its actions.
Unlike most hacks, this one is visually pretty spectacular, since the attack emulates a keyboard and mouse, making windows appear and disappear at speed, while phantom words appear in the terminal and a phantom hand clicks the mouse on interface items deep in the OS.
“Specifically, when you normally plug in a mouse or keyboard into a machine, no authorization is required to begin using them. The devices can simply begin typing and clicking. We exploit this fact by sending arbitrary keystrokes meant to launch specific applications (via Spotlight/Alfred/Quicksilver), permanently evade a local firewall (Little Snitch), install a reverse shell in crontab, and even modify DNS settings without any additional permissions.”
http://boingboing.net/2014/12/19/usbdriveby-horrifying-proof-o.html
Cyberattack On German Steel Factory Causes ‘Massive Damage’
In a rare case of an online security breach causing real-world destruction, a German steel factory has been severely damaged after its networks were compromised. “The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory’s office networks, from which access to production networks was gained. … After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in ‘massive damage to plant,’ the BSI said, describing the technical skills of the attacker as ‘very advanced.'” The full report (PDF) is available in German.
A flaw in the design
The Internet’s founders saw its promise but didn’t foresee users attacking one another
Hackers who breached Ashley Madison’s site are threatening to release nude photos and sexual fantasies of more than 37 million cheating spouses
Hackers claim to have personal details of more than 37 million cheating spouses on dating website Ashley Madison and have threatened to release nude photos and sexual fantasies of the site’s clients unless it is shut down, blog KrebsOnSecurity reported.
Ashley Madison’s Canadian parent, Avid Life Media, confirmed the breach on its systems and said it had since secured its site and was working with law enforcement agencies to try to trace those behind the attack.
Xzibit’s Iron Law of Computer Architecture: Hard work is offloaded to hardware, which is really just another computer — with its own firmware and storage. The biggest lie about your computer is that it’s just one computer.
How browser extensions steal logins & browsing habits; conduct corporate espionage
Windows 10 covertly sends your disk-encryption keys to Microsoft
There’s no way to turn off the “recovery” feature that sends your disk encryption keys to Microsoft by default, without notice — though you can (and should) ask Microsoft to forget the keys later.
The new disk encryption protocol in Windows 10 is in stark contrast with Microsoft’s Bitlocker product, a hardcore, Fed-infuriating full-disk encryption system that allows you to decide whether or not to escrow your keys with Microsoft.
Windows 10 has many unprecedented anti-user features: a remote killswitch that lets it disable your hardware; keylogging and browser-history logging that, by default, sends it all to Microsoft, and a deceptive “privacy mode” that continues to exfiltrate your data, even when you turn it on.
A Skeleton Key of Unknown Strength
TL;DR: The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe. Who can exploit this vulnerability? We know unambiguously that an attacker directly on our networks can take over many systems running Linux. What we are unsure of is whether an attacker anywhere on the Internet is similarly empowered, given only the trivial capacity to cause our systems to look up addresses inside their malicious domains.
Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated]
Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.
The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when “Angler,” a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.
According to a separate blog post from Trustwave’s SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
“If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,” SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. “Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble.”
Be Careful. Mistyping a Website URL Could Expose You to Malware.
Ransomware gets a lot faster by encrypting the master file table instead of the filesystem
In just a few short years, ransomware — malware that encrypts all the files on the computer and then charges you for a key to restore them — has gone from a clever literary device for technothrillers to a cottage industry to an epidemic to a public menace.
But ransomware has a serious Achilles heel that’s kept it in check: encrypting a lot of files is computationally expensive, especially when there isn’t much free space on the victim’s hard-drive. That means that ransomware either has to run very slowly (increasing the chances that it’ll be detected and stopped before it can gobble up too many files) or very obviously (slowing down the victim’s PC so badly that they may figure out something’s up before it gets very far and pull the plug).
A new ransomware, Petya, deploys a rarely seen technique that massively speeds up the encryption. Petya attacks the drive’s Master Boot Record and Master File Table, the metadata files that allow a drive to start up a computer and know which files are in which sectors. Without these two files, disks are unreadable by normal measures — but these two files are relatively tiny and can be encrypted in seconds, rather than days.
I mentioned that lots of people, including Snowden, are now working on the problem of how to make the internet more secure, yet he seemed to do the opposite at the NSA by trying to find ways to track and identify people who use Tor and other anonymizers. Would he consider working on the other side of things? He wouldn’t rule it out, he said, but dismally suggested the game was over as far as having a liberating and safe internet, because our laptops and smartphones will betray us no matter what we do with them.
“There’s the old adage that the only secure computer is one that is turned off, buried in a box ten feet underground, and never turned on,” he said. “From a user perspective, someone trying to find holes by day and then just live on the internet by night, there’s the expectation [that] if somebody wants to have access to your computer bad enough, they’re going to get it. Whether that’s an intelligence agency or a cybercrimes syndicate, whoever that is, it’s probably going to happen.”
https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/
A team led by Ang Cui (previously) — the guy who showed how he could take over your LAN by sending a print-job to your printer — have presented research at Defcon, showing that malware on your computer can poison your monitor’s firmware, creating nearly undetectable malware implants that can trick users by displaying fake information, and spy on the information being sent to the screen.
It’s a scarier, networked, pluripotent version of Van Eck phreaking that uses an incredibly sly backchannel to communicate with the in-device malware: attackers can blink a single pixel in a website to activate and send instructions to the screen’s malware.
What’s more, there’s no existing countermeasure for it, and most monitors appear to be vulnerable.
https://boingboing.net/2016/08/06/computer-monitors-vulnerable-t.html
How surveillance capitalism tracks you without cookies
Princeton computer science researchers Steven Englehardt and Arvind Narayanan (previously) have just published a new paper, Online tracking: A 1-million-site measurement and analysis, which documents the state of online tracking beyond mere cookies — sneaky and often illegal techniques used to “fingerprint” your browsers and devices as you move from site to site, tracking you even when you explicitly demand not to be track and take countermeasures to prevent this.
Insecure internet-connected “honeypot” toaster hacked within an hour
First, citizens can up their security game a little. For example, they can turn on “two factor authentication” which is available through all major email providers. That means that logins to an account from unfamiliar machines will require something more than an easily-compromised password. For example, a text message might have to be sent to a preregistered mobile phone, showing that the user not only knows the right password but also is physically holding his or her phone. And password managers can be used to generate unique passwords for each site—a common weak spot, as a password compromised in one place is frequently used elsewhere.
These sorts of steps will mitigate the risk of casual hacks, but they can’t readily stop someone with the determination and resources to break in. For example, someone can go to a mobile phone store and pretend to be the victim, switching phone service to a new unit—and then have the means for two-factor authentication or outright password recovery. Or the victim can be enticed to visit a site that looks like Gmail—complete with a prompt for a mobile phone’s confirmation text after a password is entered—while the site is, in real time, serving as a “man-in-the-middle” relaying the user’s answers to the real email site just in time to then take over the user’s session and view and download all the email.
Safety last
How to manage the computer-security threat
The incentives for software firms to take security seriously are too weak
Why everything is hackable
Computer security is broken from top to bottom
As the consequences pile up, things are starting to improve
This is a weird story: researchers have discovered that an audio driver installed in some HP laptops includes a keylogger, which records all keystrokes to a local file. There seems to be nothing malicious about this, but it’s a vivid illustration of how hard it is to secure a modern computer. The operating system, drivers, processes, application software, and everything else is so complicated that it’s pretty much impossible to lock down every aspect of it. So many things are eavesdropping on different aspects of the computer’s operation, collecting personal data as they do so. If an attacker can get to the computer when the drive is unencrypted, he gets access to all sorts of information streams — and there’s often nothing the computer’s owner can do.
Purism Now Offers Laptops with Intel’s ‘Management Engine’ Disabled
“San Francisco company Purism announced that they are now offering their Librem laptops with the Intel Management Engine disabled,” writes Slashdot reader boudie2. Purism describes Management Engine as “a separate CPU that can run and control a computer even when powered off.”
HardOCP reports that Management Engine “is widely despised by security professionals and privacy advocates because it relies on signed and secret Intel code, isn’t easily alterable, isn’t fully documented, and has been found to be vulnerable to exploitation… In short, it’s a tiny potentially hackable computer in your computer that you cannot totally control, nor opt-out of, but it can totally control your system.”
Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks
No More Ransom is a joint effort by Europol, the Dutch police, Kaspersky and McAfee to help people who’ve been compromised by ransomware get their data back without paying off criminals.
It’s “a repository of keys and applications that can decrypt data locked by different types of ransomware.” There’s still ransomware out there it can’t unlock, but it can get your data back from dozens of ransomware strains.
Western Digital ‘My Cloud’ Devices Have a Hardcoded Backdoor
Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them — your files are at risk. It isn’t even hard to take advantage of it — the username is “mydlinkBRionyg” and the password is “abc12345cba” (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, “The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ and ‘wdmycloudmirror’ etc.”
Huge aluminium plants hit by ‘severe’ ransomware attack – BBC News
Apple Pushes a Silent Mac Update To Remove Hidden Zoom Web Server
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.
WordPress Team Working on Daring Plan To Forcibly Update Old Websites – Slashdot
https://it.slashdot.org/story/19/08/08/1523212/wordpress-team-working-on-daring-plan-to-forcibly-update-old-websites
Huge Survey of Firmware Finds No Security Gains In 15 Years – Slashdot
Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains
The danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, even if a Bloomberg story on the matter is highly disputed.
By Micah Lee, Henrik Moltke
Interior Department Grounds Chinese-Made Drones, Months After It Approved Them
The Interior Department has grounded its fleet of more than 800 drones, citing potential cybersecurity risks and the need to support U.S. drone production – suggesting the move is aimed at least in part at China, a leading drone producer.
The operation, codenamed Thesaurus and then renamed Rubicon in 1980s, demonstrated the overwhelming intelligence value of being able to insert flaws into widely sold communications equipment. The CIA’s success over many years is likely to reinforce current US suspicions of equipment made by the Chinese company Huawei.
https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-cia-bnd-germany-intelligence-report
Ransomware-hit US gas pipeline shut for two days
A ransomware attack on a US natural gas facility meant a pipeline had to be shut down for two days, the US Department of Homeland Security (DHS) has said.
Stopping the Press
New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator
By Bill Marczak, Siena Anstis, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert
Journalist’s Phone Hacked: All He Had To Do Was Visit a Website. Any Website.
Their government could read every email, text and website visited; listen to every phone call and watch every video conference; download calendar entries, monitor GPS coordinates, and even turn on the camera and microphone to see and hear where the phone was at any moment.
Yet Radi was trained in encryption and cyber security. He hadn’t clicked on any suspicious links and didn’t have any missed calls on WhatsApp — both well-documented ways a cell phone can be hacked. Instead, a report published Monday by Amnesty International shows Radi was targeted by a new and frighteningly stealthy technique. All he had to do was visit one website. Any website.
Forensic evidence gathered by Amnesty International on Radi’s phone shows that it was infected by “network injection,” a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.
Hackers Could Use IoT Botnets To Manipulate Energy Markets – Slashdot
https://hardware.slashdot.org/story/20/08/04/2213253/hackers-could-use-iot-botnets-to-manipulate-energy-markets
Florida water treatment facility hack used a dormant remote access software, sheriff says – CNN
https://www.cnn.com/2021/02/10/us/florida-water-poison-cyber/index.html
Colonial pipeline: Cyberattack forces major US fuel pipeline to shut down – CNNPolitics
https://www.cnn.com/2021/05/08/politics/colonial-pipeline-cybersecurity-attack/index.html
A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is rapidly emerging as a major threat to organizations around the world.
“The internet’s on fire right now,” said Adam Meyers, senior vice-president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch”, he said, “and all kinds of people scrambling to exploit it.” He said on Friday morning that in the 12 hours since the bug’s existence was disclosed, it had been “fully weaponized”, meaning malefactors had developed and distributed tools to exploit it.
The flaw, dubbed “Log4Shell”, may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across the industry and the government. Unless it is fixed, it grants criminals, spies and programming novices alike, easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell
GO Transit, CRA websites taken down to protect them from global internet flaw
https://www.thestar.com/news/gta/2021/12/11/go-transit-cra-websites-taken-down-to-protect-them-from-global-internet-flaw.html