Archive for the ‘Security’ Category

Introducing Malboxes: …

Sunday, February 26th, 2017

Introducing Malboxes: a Tool to Build Malware Analysis Virtual Machines

From the post:

Malware analysis is like defusing bombs. The objective is to disassemble and understand a program that was built to do harm or spy on computer users (oops, this is where the bomb analogy fails, but one gets the point). That program is often obfuscated (ie: packed) to make the analysis more complex and sometimes dangerous. This blog post introduces a tool that we have built that creates Windows Virtual Machines (VMs) without any user interaction. Those VMs are preconfigured with malware analysis tools and security settings tailored for malware analysis. We will then explore how to use the tool, its architecture and where we want to take it.

TL;DR

We are announcing the first “official” release of malboxes, a tool meant to help build safe and featureful Windows machines for malware analysis. Accessible to anyone, it even uses trial versions of Windows if one doesn’t have his own license.

How very cool!

Just as your programming improves by studying great code… 😉

Enjoy!

RTM: Stealthy group targeting remote banking system

Saturday, February 25th, 2017

RTM: Stealthy group targeting remote banking system by Jean-Ian Boutin and Matthieu Faou.

From the post:

Today, we have released a white paper on RTM, a cybercrime group that has been relentlessly targeting businesses in Russia and neighboring countries using small, targeted campaigns. This group, active since at least 2015, is using malware, written in Delphi, to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system.

It has the ability to upload files from the compromised system to its command and control (C&C) server. It also has a fingerprinting module to find systems on which specialized accounting software is installed. In particular, they are looking for signs of popular accounting software called “1C: Enterprise 8”. This software is used by businesses, among other things, to make bulk transfers via Remote Banking Systems (RBSes).

The post and the white paper, Read The Manual: A Guide to the RTM Banking Trojan focus on the technical aspects of this series of attacks.

It’s an interesting read despite a very poor pie chart at page 5:

If hackers encountered accounts held by Trump family members, do you think that information will be leaked to the media?

That’s one motive to become skilled at hacking banks.

Others will occur to you over time. 😉

Advice For Serious Leakers

Thursday, February 23rd, 2017

[T]he grugq is commenting on the story: A note on our lawsuit against Otto and Uber.

If you are a serious leaker you should be able to use Internet search engines but just in case:

  1. How to create a bootable USB stick on Windows
  2. Create a Bootable Linux Flash Drive in Three Easy Steps
  3. How to Create a Bootable Linux USB Flash Drive, the Easy Way
  4. Making a Kali Bootable USB Drive
  5. Tails Installation Assistant

Everyone has a favorite Linux distribution but Tails (#5) should be your default for leaking and Kali (#4) if you have more serious goals in mind.

BTW, don’t expect any sympathy if these are your facts:


We found that six weeks before his resignation this former employee, Anthony Levandowski, downloaded over 14,000 highly confidential and proprietary design files for Waymo’s various hardware systems, including designs of Waymo’s LiDAR and circuit board. To gain access to Waymo’s design server, Mr. Levandowski searched for and installed specialized software onto his company-issued laptop. Once inside, he downloaded 9.7 GB of Waymo’s highly confidential files and trade secrets, including blueprints, design files and testing documentation. Then he connected an external drive to the laptop. Mr. Levandowski then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.

Wow! That’s incredibly lame.

You shouldn’t commit crimes at all but if you do, don’t embarrass everyone in IT.

Letterlocking [Activist Security]

Thursday, February 23rd, 2017

Letterlocking The technology of folding & securing an epistolary writing substrate to function as its own envelope.

From the about page:

Letterlocking – Unlocking History

Welcome to letterlocking! You can find essential information about letterlocking and the Unlocking History research team on this page. We will be updating the website regularly in the coming months, including major uploads to the Dictionary of Letterlocking (DoLL) – so please check in periodically, and follow us on social media for all the news.

Unlocking History

Unlocking History is the name for a group of conservation specialists, scholars, publishers, book-artists, imaging specialists, engineers, and scientists who are interested in the historical practice of letterlocking. We want to make sure letters are conserved properly so that they can be studied for the historical secrets they reveal. The material features of letters can speak to us about the past, but in order to hear them we have to learn their language. Unlocking History is dedicated to bringing together all the tools we need to do so – a dictionary, instructional videos, images, and hands-on workshops in libraries, museums, universities, and schools around the world.

Letterlocking and the Dictionary of Letterlocking (DoLL)

Letterlocking refers to the technology of folding and securing an epistolary writing substrate to function as its own envelope – a vital communications technology before the invention of the mass-produced envelope in the 19th century. A full definition of letterlocking can be found in the Dictionary of Letterlocking (DoLL).

Documenting the physical details of well-preserved letters has helped us discern and define different locking formats with multiple levels of built-in security and various authentication devices. DoLL will explain the key differences between these formats – and show you how to make them. With practice, you will be able to examine flattened historical letters in libraries and archives, and make models to show you which letterlocking format the writer or secretary was using. These formats may correlate to the sensitivity of the information contained inside, or contribute to the meaning of the text they carry.

Imaging and Conservation

The study of letterlocking is important for the preservation of documents because it informs conservators about the evidential value of folds, creases, and intentional damage.

View and share images of letterlocking preservation: #PreserveTheFolds.

Letterlocking interests curators and historians but has advantages for modern activists as well.

Those advantages include:

  1. Accessible to nearly anyone
  2. Flummoxes the average FBI agent
  3. Provides visual evidence of tampering
  4. Slower search than digital communications
  5. Supports physical encryption (measurable distances)

Not to mention the use of “antiquated” technology will draw attention to the letters, whether they contain valuable or useless information. Government agents, being risk adverse, will fear some later review will prove the letters had valuable intelligence.

A trap entirely of their own making and one you should exploit whenever possible.

If that captures your interest, continue onto: A Postal Treasure Trove:

In 1926, a seventeenth-century trunk of letters was bequeathed to the Museum voor Communicatie in The Hague, then as now the centre of government, politics, and trade in The Netherlands. The trunk belonged to one of the most active postmaster and post mistress of the day, Simon and Marie de Brienne, a couple at the heart of European communication networks. The chest contains an extraordinary archive: 2600 “locked” letters sent from all over Europe to this axis of communication, none of which were ever delivered. In the seventeenth century, the recipient also paid postal and delivery charges. But if the addressee was deceased, absent, or uninterested, no fees could be collected. Postmasters usually destroyed such “dead letters”, but the Briennes preserved them, hoping that someone would retrieve the letters – and pay the postage. Hence the nickname for the trunk: “the piggy bank” (spaarpotje). The trunk freezes a moment in history, allowing us to glimpse the early modern world as it went about its daily business. The letters are uncensored, unedited, and 600 of them even remain unopened. The archive itself has remained virtually untouched by historians until it was recently rediscovered. Our international and interdisciplinary team of researchers has now begun a process of preservation, digitization, transcription, editing, and identification of letterlocking formats that will reveal its secrets for the first time – even, we hope, those of the unopened letters.

How cool is that? Letters preserved because the post office was hoping to nick the recipient for the postage!

Does that explain pay-in-advance postal systems of today. 😉

Both Letterlocking and A Postal Treasure Trove provide links to other resources on letterlocking.

A YouTube search on letterlocking returns approximately 525 videos.

On Twitter, follow @letterlocking, among others.

Any CS/Math types in the crowd who want to express letterlocking more formally? Thinking of Paper Folding Geometry and the exploration of folding algorithms more generally, such as with protein folding (except in 2 dimensions).

Transparent Government Has Arrived (sorta)

Tuesday, February 21st, 2017

I saw US Cities Exposed: Industries and ICS, source of this graphic, in Violet Blue‘s report Hacking and infosec news: February 21, 2017

Violet’s report has other useful security news but I just had to share the increasing government transparency graphic with you.

The growing insecurity of government computers makes the news organization stance that leakers must hand them documents all the more puzzling.

I don’t know if that is a result of being hand fed all these years, genuine concern over prosecution or both.

Think about it this way, short of a source outing themselves, how is anyone going to know that a journalist enlisted hackers versus having a genuine leaker?

Put that way, perhaps there are loose confederations of hackers breaching government networks right now. (Sorry, didn’t mean to panic any security types.)

😉

Read the rest of the report and Violet’s post as well.

Enjoy!

Reversing HERMES ransomware

Sunday, February 19th, 2017

From the description:

Recording of the first live stream reverse engineering a new ransomware family. Lots of lessons learned for the next time 🙂

I haven’t made it through the entire video (almost four hours) but it is very impressive!

Speaking of impressive, check out the Emisoft blog for more of same.

Enjoy!

Data Breach Digest 2017 (Verizon)

Saturday, February 18th, 2017

Data Breach Digest (Verizon)

From the report:

The Situation Room

Data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations or malicious software. As can be expected, data breach response activities—investigation, containment, eradication, notification, and recovery—are proportionately complex.

These response activities, and the lingering post-breach aftereffects, aren’t just an IT security problem; they’re an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications and other Incident Response (IR) stakeholders. Each of these stakeholders brings a slightly different perspective to the breach response effort.

Last year, thousands of IR and cybersecurity professionals delved into the inaugural “Data Breach Digest—Scenarios from the Field” (aka “the RISK Team
Ride-Along Edition”) to get a first-hand look into the inner workings of data breaches from an investigative response point of view (PoV).

Continued research into our recent caseload still supports our initial inklings that just over a dozen or so prevalent scenarios occur at any given time. Carrying forward from last year, we have come to realize that these data breach scenarios aren’t so much about threat actors, or even about the vulnerabilities they exploited, but are more about the situations in which the victim organizations and their IR stakeholders find themselves. This gives each scenario a distinct personality … a unique persona, per se.

This year, for the “Data Breach Digest—Perspective is Reality” (aka “the IR Stakeholder Edition”), we took a slightly different approach in bringing these scenarios to life. Each scenario narrative—again, based on real-world data breach response activities—is told from a different stakeholder PoV. As such, the PoV covers their critical decision pivot points, split-second actions taken, and crucial lessons learned from cases investigated by us – the Verizon RISK Team.
… (emphasis in original)

The “scenario” table mapping caught my eye:

The Scenari-cature names signal an amusing and engaging report awaits!

A must read!

To make up for missing this last year, here’s a link to 2016 Data Breach Digest.

Activists! Another Windows Vulnerability

Saturday, February 18th, 2017

If software vulnerabilities were the new it bleeds it leads, news organizations would report on little else.

Still, you have to credit The Hacker News with a great graphic for Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again! by Swati Khandelwal.

Microsoft is once again facing embarrassment for not patching a vulnerability on time.

Yes, Google’s Project Zero team has once again publicly disclosed a vulnerability (with POC exploit) affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched.
… (emphasis in original)

The Google report is more immediately useful but far less amusing that this post by Swati Khandelwal.

Swati reports that without an emergency patch from Microsoft this month, attackers have almost 30 days to exploit this vulnerability.

No rush considering the Verizon 2016 Data Breach Investigations Report shows hacks known since before 1999 are still viable:

Taking that into account, plus the layering of insecure software on top of insecure software strategy of most potential targets:


According to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of the security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.
… (Cisco 2017 Annual Cybersecurity Report, page 5)

Small targets could be more secure by going bare and pointing potential attackers to bank, competitor and finance targets with a BetterTargetsREADME file. (Warning: That is an untested suggestion.)

Paying To Avoid A Scarlet A

Friday, February 17th, 2017

Two-thirds of US companies would pay to avoid public shaming scandals after a breach by Razvan Muresan

From the post:

Some 66% of companies would pay an average of $124k to avoid public shaming scandals following a security breach, according to a Bitdefender survey of 250 IT decision makers in the United States in companies with more than 1,000 PCs.

Some 14 percent would pay more than $500k, confirming that negative media headlines could have substantial financial consequences. In a recent case, officials from Verizon, which agreed to buy Yahoo’s core properties for $4.83 billion in July, told reporters that the company has “a reasonable basis” to suspect that the Yahoo security breach, one of the largest ever, could have a meaningful financial impact on the deal, according to multiple reports.

The ransomware report I was reading earlier said that 29% discounts off of original ransom demands are common and the trade tends to the low end, several hundred dollars.

Perhaps Barrons or the Wall Street Journal needs to find its way onto your reading list.

Ransomware for Activists?

Friday, February 17th, 2017

An F-Secure infographic on ransomware starts:

That sounds a bit harsh don’t you think?

What if the ransomware in question were being used to:

  • Cripple “business as usual” strategies of corporate entities
  • Force divestiture from morally questionable entities or projects
  • Interfere with unlawful surveillance
  • Sanction illegal law enforcement conduct (Think Standing Rock)

Would you still agree with: Abandon All Ethical And Moral Principles[?]”

What if ransomware were used to stop:

  • coal mining companies that dump “excess spoil” in rivers and streams
  • oil transport companies that maintain leaky pipelines
  • usurers such as title pawn companies
  • police and prosecutors who abuse minorities
  • (add your target(s) to the list)

Is that ethical and/or moral?

General state of ransomware, see Evalutating the Customer Journey of Cryto-Ransomware And the Paradox Behind It by F-Secure

Make your own decisions but relinquishing a weapon because your enemy thinks poorly of its use makes no sense to me.

Bypassing ALLR Protection on 22 CPU Architectures (Why This Is Good News!)

Thursday, February 16th, 2017

A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures by Swati Khandelwal.

From the post:

Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or application running on them, and the worse — the flaw can not be entirely fixed with any mere software update.

The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.

ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.

In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device’s memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.

In short, for attackers, it’s like an attempt to burglarize a house blindfolded.

But now a group of researchers, known as VUSec, from the Vrije University in the Netherlands have developed an attack that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others.

The attack, dubbed ASLR Cache or AnC, is particularly serious because it uses simple JavaScript code to identify the base addresses in memory where system and application components are executed.

So, merely visiting a malicious site can trigger the attack, which allows attackers to conduct more attacks targeting the same area of the memory to steal sensitive information stored in the PC’s memory.

See Swati’s post for two videos demonstrating this unpatchable security flaw in action.

For a more formal explanation of the flaw,

ASLR on the Line: Practical Cache Attacks on the MMU by Ben Gras, et al.

Abstract:

Address space layout randomization (ASLR) is an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing.

In this paper, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cachebased architectures, making ASLR and caching conflicting requirements (ASLR⊕Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU’s page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim’s code and data by locating the cache lines that store the page-table entries used for address translation.

Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript implementation can break code and heap ASLR in two major browsers running on the latest Linux operating system with 28 bits of entropy in 150
seconds. We further verify that the AnC attack is applicable to every modern architecture that we tried, including Intel, ARM and AMD. Mitigating this attack without naively disabling caches is hard, since it targets the low-level operations of the MMU. We conclude that ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block.

and,

Reverse Engineering Hardware Page Table Caches Using Side-Channel Attacks on the MMU by Stephan van Schaik, et al.

Abstract:

Recent hardware-based attacks that compromise systems with Rowhammer or bypass address-space layout randomization rely on how the processor’s memory management unit (MMU) interacts with page tables. These attacks often need to reload page tables repeatedly in order to observe changes in the target system’s behavior. To speed up the MMU’s page table lookups, modern processors make use of multiple levels of caches such as translation lookaside buffers (TLBs), special-purpose page table caches and even general data caches. A successful attack needs to flush these caches reliably before accessing page tables. To flush these caches from an unprivileged process, the attacker needs to create specialized memory access patterns based on the internal architecture and size of these caches, as well as on how the caches interact with each other. While information about TLBs and data caches are often reported in processor manuals released by the vendors, there is typically little or no information about the properties of page table caches on
different processors. In this paper, we retrofit a recently proposed EVICT+TIME attack on the MMU to reverse engineer the internal architecture, size and the interaction of these page table caches with other caches in 20 different microarchitectures from Intel, ARM and AMD. We release our findings in the form of a library that provides a convenient interface for flushing these caches as well as automatically reverse engineering page table caches on new architectures.

So, Why Is This Good News?

Everything exists in a context and security flaws are no exception to that rule.

For example, H.J.Res.41 – Providing for congressional disapproval under chapter 8 of title 5, United States Code, of a rule submitted by the Securities and Exchange Commission relating to “Disclosure of Payments by Resource Extraction Issuers” reads in part:


Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Securities and Exchange Commission relating to “Disclosure of Payments by Resource Extraction Issuers” (published at 81 Fed. Reg. 49359 (July 27, 2016)), and such rule shall have no force or effect.
… (emphasis in original)

That may not sound like much until you read Disclosure of Payments by Resource Extraction Issuers, issued by the Security and Exchange Commission (SEC), which reads in part:


SUMMARY:

We are adopting Rule 13q-1 and an amendment to Form SD to implement Section 1504 of the Dodd-Frank Wall Street Reform and Consumer Protection Act relating to the disclosure of payments by resource extraction issuers. Rule 13q-1 was initially adopted by the Commission on August 22, 2012, but it was subsequently vacated by the U.S. District Court for the District of Columbia. Section 1504 of the Dodd-Frank Act added Section 13(q) to the Securities Exchange Act of 1934, which directs the Commission to issue rules requiring resource extraction issuers to include in an annual report information relating to any payment made by the issuer, a subsidiary of the issuer, or an entity under the control of the issuer, to a foreign government or the Federal Government for the purpose of the commercial development of oil, natural gas, or minerals. Section 13(q) requires a resource extraction issuer to provide information about the type and total amount of such payments made for each project related to the commercial development of oil, natural gas, or minerals, and the type and total amount of payments made to each government. In addition, Section 13(q) requires a resource extraction issuer to provide information about those payments in an interactive data format.
… (emphasis in original)

Or as By Alex Guillén says in Trump signs bill killing SEC rule on foreign payments:

President Donald Trump Tuesday signed the first in a series of congressional regulatory rollback bills, revoking an Obama-era regulation that required oil and mining companies to disclose their payments to foreign governments.

The danger posed to global corruption by this SEC rule has passed.

What hasn’t passed is the staffs of foreign governments and resource extraction issuers remain promiscuous web surfers.

Web surfers who will easily fall prey to a JavaScript exploit that bypasses ASLR protection!

Rather than protecting global corruption, H.J.Res 41 increases the incentives for breaching the networks of foreign governments and resource extraction issuers. You may find payment information and other embarrassing and/or incriminating information.

ASLR Cache or AnC gives you another tool for mining the world of the elites.

Rejoice at every new systemic security flaw. The elites have more to hide than youthful indiscretions and records of poor marital fidelity.

Investigating A Cyberwar

Thursday, February 16th, 2017

Investigating A Cyberwar by Juliana Ruhfus.

From the post:

Editor’s Note: As the Syrian civil war has played out on the battlefields with gunshots and mortars, a parallel conflict has been fought online. The Syrian Electronic Army (SEA), a pro-Assad government group of hackers, has wielded bytes and malware to obtain crucial information from opponents of the Assad regime. The extracted information has led to arrests and torture of dissidents. In this interview, GIJN’s Eunice Au talks to Al Jazeera’s Juliana Ruhfus about the methodology and challenges of her investigation into the SEA and the process of transforming the story into an online game.

How did the idea for a documentary on the SEA come about? Who was part of your investigative team and how long did it take?

I had the idea for the film when I came across a report called “Behind Syria’s Digital Frontline,” published by a company called FireEye, cybersecurity analysts who had come across a cache of 30,000 Skype conversations that pro-Assad hackers had stolen from anti-Assad fighters. The hack provided a unique insight into the strategic intelligence that had been obtained from the Skype conversations, including Google images plans that outlined the battle at Khirbet Ghazaleh and images of missiles which the rebels were trying to purchase.

The fascinating thing was, it also shed light on how the hack was carried out. Pro-Assad hackers had created female avatars who befriended fighters on the front line by telling them how much they admired them and eventually asked to exchange photos. These images were infected with malware which proved devastating once downloaded. Computers in the field are shared by many fighters, allowing the hackers to spy on a large number of targets at once.

When I read the report I had the Eureka moment that I wait for when I am looking for a new idea: I could visualize the “invisible” cyberwar story and, for the first time ever, I really understood the crucial role that social engineering plays in hacking, that is the hacker’s psychological skill to get someone to click on an infected link.

I then shot the film together with director Darius Bazargan. Ozgur Kizilatis and Alexander Niakaris both did camera work and Simon Thorne was the editor. We filmed in London, Turkey, and France, and all together the production took just under three months.
… (emphasis in original)

C-suite level material but quite good, if a bit heavy-handed in its support for rebel forces in Syria. I favor the foxes over the hounds as well but prefer a more balanced approach to the potential of cyberwarfare.

Cyberweapons have the potential to be great equalizers with conventional forces. Punishing the use or supplying of cyberweapons, as Juliana reports here, is more than a little short-sighted. True, the Assad regime may have the cyber advantage today, but what about tomorrow? Or other governments?

EFF Dice-Generated Passphrases

Wednesday, February 15th, 2017

EFF Dice-Generated Passphrases

From the post:

Create strong passphrases with EFF’s new random number generators! This page includes information about passwords, different wordlists, and EFF’s suggested method for passphrase generation. Use the directions below with EFF’s random number generator member gift or your own set of dice.

Ah, EFF random number generator member gift. 😉

Or you can order five Bicycle dice from Amazon. (Search for dice while you are there. I had no idea there were so many distinct dice sets.)

It’s mentioned but not emphasized that many sites don’t allow passphrases. Which forces you to fall back onto passwords. A password manager enables you to use different, strong passwords for every account.

Password managers should always be protected by strong passphrases. Keys to the kingdom as it were.

big-list-of-naughty-strings

Wednesday, February 15th, 2017

big-list-of-naughty-strings by Max Woolf.

From the webpage:

The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

You won’t see any of these strings on the Tonight Show with Jimmy Fallon. 😉

They are “naughty” when used as user-input data.

For those searching for a starting point for legal liability, failure to test and/or document testing against this data set would be a good place to start.

Have you tested against the big-list-of-naughty-strings?

Designing a Business Card in LaTeX (For Your New Alt-Identities)

Monday, February 13th, 2017

Designing a Business Card in LaTeX by Olivier Pieters

From the post:

In 2017, I will graduate from Ghent University. This means starting a professional career, either in academia or in industry. One of the first things that came to mind was that I needed a good curriculum vitæ, and a business card. I already have the former, but I still needed a business card. Consequently, I looked a bit online and was not all that impressed by the tools people used to design them. I did not want to change some template everybody’s using, but do my own thing. And suddenly, I realised: what better tool than LaTeX to make it!

I know, I already hear some saying “why not use the online tools?” or “Photoshop?”. I picked LaTeX because I want to have a platform independent implementation and because why not? I really like making LaTeX documents, so this seemed like something other than creating long documents.

So, how are we going to create it? First, we’ll make a template for the front and back sides. Then, we will modify this to our needs and have a perfectly formatted and aligned business card.

One of the few fun tasks in the creation of an alternative identity should be the creation of a new business card.

Olivier’s post gets you started on the LaTeX side, although an eye-catching design is on you.

It’s too late for some of us to establish convincing alternative identities.

On the other hand, alternative identities should be established for children before they are twelve or so. Complete interlocking financial, social, digital, etc. for each one.

It doesn’t make you a bad parent if you haven’t done so but a verifiable and alternative identity could be priceless in an uncertain world.

Opening Secure Channels for Confidential Tips [Allocating Risk for Leaks]

Thursday, February 9th, 2017

Opening Secure Channels for Confidential Tips by Martin Shelton.

From the post:

In Shields Up, security user researcher Martin Shelton writes about security threats and defenses for journalists. Below, his first installment. —eds

To make it easier for tipsters to share sensitive information, a growing number of news organizations are launching resources for confidential tips. While there is some overlap between the communication channels that each news organization supports, it’s not always clear which channels are the most practical for routine use. This short guide will describe some basics around how to think about security on behalf of your sources before thinking about tools and practices. I’ll also describe common communication channels for accepting sensitive tips and tradeoffs when using each channel. When thinking about tradeoffs, consider which channels are right for you.
… (emphasis in original)

Martin does a great job of surveying your current security options but doesn’t address the allocation of risk between leakers and news organizations that I covered in U.S. Leaking Law: You Go To Jail – I Win A Pulitzer and/or the option of leaking access rather than the risk of leaking data/documents, How-To: Leaking In Two Steps.

Here’s the comment I’m posting to his post and I will report back on his response, probably in a separate post:

Martin, great job on covering the security options for tips and their tradeoffs!

I do have a question though about the current model of leaking, which puts all of the risk on the leaker. A leaker undertakes the burden of liberating data and/or documents, takes the risk of copying/removing them and then the risk of getting them securely to a news organization.

All of which requires technical skills that aren’t common.

As an alternative, why shouldn’t leakers leak access to such networks/servers and enable news organizations, who have greater technical resources, to undertake the risks of retrieval of such documents?

I mentioned this to another news person and they quickly pointed out the dangers of the Computer Fraud and Abuse Act (CFAA) for a news organization but the same holds true for the leaker. Who very likely has fewer technical skills than any news organization.

Thinking that news organizations can decide to serve the interests of government (follow the CFAA) or they can decided to serve the public interest. In my view, those are not synonymous.

I am still refining ways that leakers could securely leak access but at present, using standard subscription forms with access information instead of identifying properties, offers both a trustworthy target (the news organization) and a multiplicity of places to leak, which prevents effective monitoring of them. I have written more than once about this topic but two of particular interest: U.S. Leaking Law: You Go To Jail – I Win A Pulitzer, and, How-To: Leaking In Two Steps.

Before anyone protests the “ethics” of breaking laws such as the CFAA, recall governments broke faith with their citizens first. Laws like the CFAA are monuments to that breach of faith. Nothing more.

Fileless attacks against enterprise networks

Thursday, February 9th, 2017

Kaspersky Lab reports in Fileless attacks against enterprise networks the discovery of malware that hides in memory to avoid detection.

It’s summary:

During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“.

Kaspersky reports 140 enterprises in 40 countries have been affected by the malware:

hidden-malware-460

The reported focus has been on banking/financial targets, which implies to me that political targets are not preparing for this type of attack.

If you are going to “play in the street,” an American expression meaning to go in harm’s way, be sure to read the attribution section carefully and repeatedly. Your skills aren’t useful to anyone if you are in prison.

Republican Regime Creates New Cyber Market – Burner Twitter/Facebook Accounts

Thursday, February 9th, 2017

The current Republican regime has embarked upon creating a new cyber market, less than a month after taking office.

Samatha Dean (Tech Times) reports:

Planning a visit to the U.S.? Your passport is not the only thing you may have to turn in at the immigration counter, be prepared to relinquish your social media account passwords as well to the border security agents.

That’s right! According to a new protocol from the Homeland Security that is under consideration, visitors to the U.S. may have to give their Twitter and Facebook passwords to the border security agents.

The news comes close on the heels of the Trump administration issuing the immigration ban, which resulted in a massive state of confusion at airports, where several people were debarred from entering the country.

John F. Kelly, the Homeland Security Secretary, shared with the Congress on Feb. 7 that the Trump administration was considering this option. The measure was being weighed as a means to sieve visa applications and sift through refugees from the Muslim majority countries that are under the 90-day immigration ban.

I say burner Twitter/Facebook accounts, if you plan on making a second trip to the US, you will need to have the burner accounts maintained over the years.

The need for burner Twitter/Facebook accounts, ones you can freely disclose to border security agents, presents a wide range of data science issues.

In no particular order:

  • Defeating Twitter/Facebook security on a large scale. Not trivial but not the hard part either
  • Creating accounts with the most common names
  • Automated posting to accounts in their native language
  • Posts must be indistinguishable from human user postings, i.e., no auto-retweets of Sean Spicer
  • Profile of tweets/posts shows consistent usage

I haven’t thought about burner bank account details before but that certainly should be doable. Especially if you have a set of banks on the Net that don’t have much overhead but exist to keep records one to the other.

Burner bank accounts could be useful to more than just travelers to the United States.

Kudos to the new Republican regime and their market creation efforts!

Latest Data on Cellphone Spy Tool Flood

Wednesday, February 8th, 2017

Cellphone Spy Tools Have Flooded Local Police Departments by George Joseph.

From the post:


In December 2015, The Intercept released a catalogue of military surveillance tools, leaked by an intelligence community source concerned by this perceived militarization of domestic law enforcement. The catalogue included tools that could track thousands of people’s cellphones at once, extract deleted text messages from captured phones, and monitor ongoing calls and text messages. Following this news, last April, CityLab began sending public records requests to the top fifty largest police across the country asking for purchasing orders and invoices over 2012 to 2016 related to any of the devices listed in the catalogue. (Note: The fifty largest list is based on data released in 2010 from the Police Pay Journal, and thus does not include some departments now among the top fifty largest).

Of the fifty departments sent public records requests, only eight claimed not to have acquired any spy tools leaked by The Intercept’s intelligence source. At least twelve have admitted to having cellphone interception devices, and nineteen have admitted to having cellphone extraction devices. The responses, security-based rejections, and outstanding requests still being processed for CityLab suggest that, at a minimum, thirty-nine of the fifty departments have acquired at least some of these military-grade surveillance tools over the last four years. (Click here to see the original cache of documents, or scroll down to the bottom of this article)
… (emphasis in original)

George details the results of their investigation by class of software/hardware and provides the original documents supporting his analysis.

Later in the post:


As these military-grade spy tools pour down into local police departments across the country, legal experts are concerned that their use isn’t in keeping with individuals’ due process rights. Law enforcement practices vary dramatically across the country. In 2014, the U.S. Supreme Court unanimously ruled that police could not extract data from an arrested individual’s cellphone without ob­tain­ing a war­rant. But the ruling itself did not give clear guidance on how broad police warrant requests could be designed, and such decisions are still left up to law enforcement discretion in many cases.

I puzzle over the “lack of rules for digital surveillance” discussions.

The police/government has:

  • Lied and/or concealed its use of digital surveillance software/hardware
  • Has evaded/resisted any meaningful oversight of its surveillance activities
  • Collects data indiscriminately
  • etc.,

Yet, fashioning rules for the use of digital surveillance is all the rage.

Why will government agencies fear to break digital surveillance rules when they have systematically broken the law in the past?

Personal privacy depends on defeating military grade surveillance tools.

Not military grade but an item for testing your surveillance defeating work:

Build Your Own GSM Base Station For Fun And Profit.

I don’t keep up on the hardware side of things so please comment with more recent hardware/software for surveillance or defeating the same.

Burner Phone Guide – Caution on Burner App

Friday, February 3rd, 2017

Now’s Probably The Time To Consider One Of These Burner Phones by Paul Sarconi.

From the post:

WE’RE LIVING IN a new era of political unpredictability. Who knows what race, religious group, or professional sector will be scrutinized tomorrow? If you’re concerned that your devices will be targeted for confiscation and search, heed caution now. Start carrying a burner phone—a handset you can wipe clean and destroy without much thought. We’ve rounded up some good options.

One note: The point of using a burner is to avoid leaving a trace of your phone activity. Our list of recommended phones (and one app!) comes with links to online retailers so you can read more about the devices, but if you’re trying to stay private, you should buy both the phone and a pre-paid data allotment with cash. Most of these handsets (and the prepaid cards) are available at big-box stores here and abroad.
… (emphasis in original)

If your privacy matters, burner phones are in your present and future.

Quite recently I was creating an account at a hacker site that required, required mind you, a cellphone number for authentication.

That’s crazy. Why would I want to label myself with my cellphone number in a hacker forum? Not today, not tomorrow, not any day.

So, Paul’s list comes at an opportune time.

A word of caution about the Burner App.

It’s true you can delete the Burner App temporary phone number from your phone but Burner App maintains a copy of that number with your account. In case you want to “reactivate” the number.

Trusting a third party is a poor opening move in learning to protect your privacy.

Buy a debit card for cash and use a fake identity with Burner App.

How-To: Leaking In Two Steps

Friday, February 3rd, 2017

In Lowering the Bar for Leakers I proposed this method for leaking login credentials:

  1. Write login credentials (not your own), login URL, on paper
  2. Mail to (news address) – no return address
  3. News Media: Destroys all leaked credentials upon receipt

Easier than the convolutions you will find at: How easy is it to securely leak information to some of America’s top news organizations? This easy or Attention Federal Employees: If You See Something, Leak Something, but we can do better.

A Universal (nearly) and Secure Leaking Point

Can you think of one characteristic shared by almost all websites? Aside from being on the Web?

The ability to create an account for news and updates!

Like this page from the New York Times:

nytimes-account-460

Warning: Leak login credentials to sites using the https protocol only.

Leaking access to a publicly accessible server

Leaking your sysadmin’s, boss’s, co-worker’s credentials, you enter:

nytimes-account-460-leak-1

Leaking access to a server on a restricted network

For servers or resources requiring more than one set of credentials, say on a secure network, again using your sysadmin’s, boss’s, co-worker’s credentials, you enter:

nytimes-account-460-leak-2

Leaking In Two Steps

The leaking of login credentials (not your own) is two steps:

  1. Create account from non-work computer
  2. Enter login credentials as account details

You are protected by:

  1. SSL encryption
  2. Safety in numbers – Study finds that 97% of large companies have had credentials leaked online
  3. Credential duplication is a well-known fact – 17% of passwords are “123456”
  4. Not facing the risks of a sneakernet thief to steal, transport and deliver data in hard copy or digital format

This technique will work with agencies, banks, corporations, courts, governments, legislatures, PACs, anywhere that requires digital login credentials.

I used email and password fields here but that is just an artifact of the New York Times form. Other parts of a form and other separators are certainly possible.

PS: Don’t leak credentials to me because my site doesn’t have SSL (right now) and I’m not in full control of the server.

Personally, if I were to accept leaked credentials, I would store that data on a RAM disk.

Twitter Activist Security

Tuesday, January 31st, 2017

Twitter Activist Security by the grugq.

From the post:

Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.

I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.

The basic principles of operational security are actually very simple, they’re what we call the three Cs:

  • Cover
  • Concealment
  • Compartmentation

There is more to serious counterintelligence, of course, but keep these three concepts in mind. The two most important concerns will be compartmentation and concealment. In practice this means that you need to separate your resistance Twitter account from your personal life completely.

I won’t quote the details because any omission could be the one that trips you up.

It’s not a short read but if you want to be safe, read Twitter Activist Security at least once a month and see how you stack up against the advice.

The precautions are good ones but I would be asking what “political activism” requires a Twitter account?

Unless you are using the account to stream coded messages, the purpose of such an account is unclear to me.

Not to mention that every account associated with another identity is an opportunity to make a mistake and break cover.

Lowering the Bar for Leakers

Wednesday, January 25th, 2017

Leaking and leakers were in the news in the waning days of the Obama administration. Chelsa Manning, source of the Afghan War Diary, had her 35 year sentence commuted to seven years by President Obama. Edward Snowden, who leaked a wide variety of materials, was discussed as a candidate for a pardon, but none was forthcoming.

The House Intelligence Committee letter urged President Obama to not pardon Snowden. The only truthful statement in the letter, apart from the signatures, appears to be:

America’s intelligence professionals take Mr. Snowden’s disclosures personally.

Why “America’s intelligence professionals” pouting over disclosures of their illegal and ineffectual activities is relevant to pardoning Snowden isn’t clear. In any event, Snowden continues to reside in Russia.

What is clear is that leakers bear the risk of obtaining and leaking material of great public interest. Some of that risk is an artifact of current practices for leaking.

Present Day Leaking Practices

The Intercept has a fair description of current art of leaking:

  • Begin by bringing your personal computer to a Wi-Fi network that isn’t associated with you or your employer, like one at a coffee shop. Download the Tor Browser. (Tor allows you to go online while concealing your IP address from the websites you visit.)
  • You can access our SecureDrop server by going to http://y6xjgkgwj47us5ca.onion/ in the Tor Browser. This is a special kind of URL that only works in Tor. Do NOT type this URL into a non-Tor Browser. It won’t work — and it will leave a record.
  • If that is too complicated, or you don’t wish to engage in back-and-forth communication with us, a perfectly good alternative is to simply send mail to P.O. Box 65679, Washington, D.C., 20035, or to The Intercept, 114 Fifth Avenue, 18th Floor, New York, New York, 10011. Drop it in a mailbox (do not send it from home, work or a post office) with no return address.

Attention Federal Employees: If You See Something, Leak Something

The Intercept never discusses the form, hard copy or digital, of a leak but WikiLeaks:Submissions, reads like a description of a sneakernet.

“Sneakernet” were a primitive and inefficient way to transfer information from one computer to another. With a user carrying a floppy disk from one computer to another, hence “sneakernet.”

Primitive and inefficient qualify as descriptors for leakers obtaining documents in hard copy and/or electronically and transferring them to the news media.

Potential leakers must endanger themselves by copying and smuggling the documents to be leaked, plus do a technical dance to leak them. In a modern networked environment.

In a networked environment is the key.

Leaking in a Networked Environment

No leaking advice is universal and what I am about to describe won’t work, at least not well, for air gapped systems. Leaking by sneakernet remains relevant for some situations.

In a networked environment, consider a potential leaker leaking login credentials? Not necessarily theirs, perhaps the sysadmin credentials written next to the console. Or their office manager’s.

That sort of leaking only requires:

  1. Blank paper with envelope
  2. Addressed to a news media address – no return address
  3. Credentials written on the paper with remote login URL
  4. News media destroys notes after they arrive

The usual cautions, not from your place of business, etc. apply.

Prospective leakers enjoy these advantages from leaking login credentials:

  1. Easy to leak
  2. No copying, physical or digital to attract attention
  3. No smuggling of documents or media past security
  4. No traceability in sea of breaches large and small

The reduction of the technical requirements for leaking, not to mention reducing the risk to the leakers themselves, lowers the bar for leakers and should attract more leaking.

The news media obtains advantages from credential leaking as well:

  1. Enables creation of a library of sources
  2. Enables exploration for other documents
  3. Reduces arbitrary or incomplete nature of leaks
  4. Reduces the opacity reflex, media likely knows the truth already

Credential leaking does alter the risk of leaking from being leaker centric to putting a greater burden on the news media.

Allocation of Risk

The sharing of login credentials maybe a crime under 18 USC 1030 (Computer Fraud & Abuse Act (CFAA)). I say “maybe” a crime because panels of Ninth Circuit Federal Court of Appeals “appear” to have different ideas on password sharing. Ninth Circuit Panel Backs Away From Dangerous Password Sharing Decision—But Creates Even More Confusion About the CFAA

Whether faulty reasoning spreads from the Ninth Circuit or not, it remains clear that avoiding copying, smuggling, etc., as with credential leaking, poses a reduced risk to leakers.

On the other hand, under the provisions of 18 USC 1030 (Computer Fraud & Abuse Act (CFAA)), the risk to any reporter or news media organization that makes use of leaked credentials, the risk is elevated.

Elevated to federal felony level risk.

That may seem like a poor trade for the news media, but consider that the New York Times has stables of internal counsel, not to mention external counsel and financial resources that aren’t available to the average leaker.

Moreover, the New York Times has access to highly competent computer experts who can “leak” data to its reporters via secure means, enabling reporters to truthfully testify as to the origin of leaked materials used in their stories.

Unlike current leaking practices, where the leaker takes all the risks, considerable risks, credential leaking allocates the leak and risk to those best able to accomplish it with a margin of safety.

Along with that reallocation of risk, comes the potential to greatly democratize the practice of leaking.

Democratizing Leaking

How effective are postings like Attention Federal Employees: If You See Something, Leak Something?

The Bureau of Labor Statistics estimates the number of potential leakers by employment category as of December 2016 (my characterization, not theirs):

  • Accounting 1,015,800
  • Financial Activities 8,359,000
  • Government 22,565,000
  • Legal Services 1,131,900
  • Oil and Gas 173,300
  • Real Estate 2,147,400

(Table B-1. Employees on nonfarm payrolls by industry sector and selected industry detail)

Not a complete listing of the categories. I selected those where scandals and/or scandalous materials are most often found.

By my count, 35,392,400 potential leakers.

Compare The Intercept‘s long treatment with on the masthead of Times-with-a-Spine (fictitous newspaper):

Leakers (see A-2)

On page A-2:

If you are going to leak:

  1. Write login credentials (not your own), login URL, on paper
  2. Mail to (news address) – no return address
  3. We destroy all leaked credentials upon receipt

Push an ad with the same content into daily shoppers, free/community newspapers, websites, etc. Perhaps even Amazon ads keyed to people with .gov and .mil email addresses.

How news organizations will use leaked credentials I cannot say. In order to protect leakers, however, any credential leaks should be destroyed upon determination they are credential leaks. (Complete burning with paper of similar origins into a fine ash, sifting and secure burial for starters.)

Happy leaking!

Quantum Computer Resistant Encryption

Wednesday, January 18th, 2017

Irish Teen Introduces New Encryption System Resistant to Quantum Computers by Joseph Young.

From the post:


… a 16-year-old student was named as Ireland’s top young scientist and technologist of 2017, after demonstrating the application of qCrypt, which offers higher levels of protection, privacy and encryption in comparison to other innovative and widely-used cryptographic systems.

BT Young Scientist Judge John Dunnion, the associate professor at University of College Dublin, praised Curran’s project that foresaw the impact quantum computing will have on current cryptographic and encryption methods.

“qCrypt is a novel distributed data storage system that provides greater protection for user data than is currently available. It addresses a number of shortfalls of current data encryption systems; in particular, the algorithm used in the system has been demonstrated to be resistant to attacks by quantum computers in the future,” said Dunnion.

While it may be too early to predict whether technologies like qCrypt can protect existing encryption methods and data protection systems from quantum computers, Curran and the judges of the competition saw promising potential in the technology.

Word is spreading rapidly.

qCrypt has a place-holder website, Post-Quantum Cryptography for the Masses.

A Youtube video:

Shane’s Github repository (no qCrypt, yet)

Not to mention Shane’s website.

qCrypt has the potential to provide safety from government surveillance for everyone, everywhere.

Looking forward to this!

Security Design: Stop Trying to Fix the User (Or Catch Offenders)

Friday, January 13th, 2017

Security Design: Stop Trying to Fix the User by Bruce Schneier.

From the post:

Every few years, a researcher replicates a security study by littering USB sticks around an organization’s grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as “teachable moments” for others. “If only everyone was more security aware and had more security training,” they say, “the Internet would be a much safer place.”

Enough of that. The problem isn’t the users: it’s that we’ve designed our computer systems’ security so badly that we demand the user do all of these counterintuitive things. Why can’t users choose easy-to-remember passwords? Why can’t they click on links in emails with wild abandon? Why can’t they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we’ve thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This “either/or” thinking results in systems that are neither usable nor secure.

Non-reliance on users is a good first step.

An even better second step would create financial incentives for Bruce’s first step.

Financial incentives similar to those in products liability cases, where a “reasonable care” standard evolves over time. No product has to be perfect, but there are expectations of how not bad a product must be.

Liability not only for the producer of the software but also enterprises using that software, when third-parties are hurt by data breaches.

Claims about the complexity of software are true, but can you honestly say that software is more complex than drug interactions across an unknown population? Yet, we have products liability standards for those cases.

Without financial incentives, substantial financial incentives, such as with products liability, cybersecurity experts (Bruce excepted) will still be trying to “fix the user” a decade from now.

The romantic quest to capture and punish those guilty of cybercrime, hasn’t worked so well. One collection of cybercrime statistics pointed out that detected cybercrime incidents increased by 38% in the last year.

Tell me, do you know of any statistics showing a 38% increase in the arrest and prosecution of cybercriminals in the last year? No? That’s what I thought.

With estimated cybercrime prevention spending at $80 billion this year and an estimated cybercrime cost of $2 trillion by 2019, you don’t seem to be getting very much return on your investment.

We know that fixing users doesn’t work and capturing cybercriminals is a dicey proposition.

Both of those issues can be addressed by establishing incentives for more secure software. (Legal liability takes legislative misjudgment out of the loop, enabling the organic growth of software liability principles.)

Ultrasound Tracking Defeats Tor (Provides Pathway Into Government Offices)

Friday, January 13th, 2017

Tor users at risk of being unmasked by ultrasound tracking by Danny Bradbury.

How close is your phone to your computer right now?

That close?

You may want to rethink your phone’s location.

From the post:

A new type of attack should make Tor users – and countless dogs around the world – prick up their ears. The attack, revealed at BlackHat Europe in November and at the 33rd Chaos Computer Congress the following month, uses ultrasounds to track users, even if they are communicating over anonymous networks.

The attack uses a technique called ultrasound cross-device tracking (uXDT), which made its way into advertising circles as early as 2012. Marketing companies running uXDT campaigns will play an ultrasonic sound, inaudible to the human ear, in a TV or radio ad, or even in an ad delivered via a computer browser.

Although the user won’t hear it, other devices such as smartphones using uXDT-enabled apps will be listening. When the app hears the signal, it will ping the advertising network with details about itself. What details? Anything it asks for the phone for, such as its IP address, geolocation Coleman’s, telephone number and IMEI (SIM card) code.

That’s creepy enough in marketing. Now, advertisers can tell what TV or radio ads you’ve been listening to, matching them with the universe of other information they have about you from your web searches, social media activity and emails.

In essence the technique uses an ultrasound “beacon” to trigger your phone to “call home.”

Hmmm, betrayed by your own phone.

Danny outlines a number of scenarios of governments using this technique against users.

Ultrasound tracking poses a significant risk for Tor users, but they are security conscious enough to be using Tor.

Consider the flip side of using ultrasound tracking as a pathway into government offices. A phone that can “call home” can certainly listen for keystrokes.

Where do you think most sysadmins keep their phones? 😉

Cellebrite Hacked (Crowd-Funding for Tools?)

Friday, January 13th, 2017

Phone-Hacking Firm Cellebrite Got Hacked; 900GB of Data Stolen by Swati Khandelwal.

From the post:

Israeli firm Cellebrite, the popular company that provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had 900 GB of its data stolen by an unknown hacker.

But the hacker has not yet publicly released anything from the stolen data archive, which includes its customer information, user databases, and a massive amount of technical data regarding its hacking tools and products.

Instead, attackers are looking for possible opportunities to sell the access to Cellebrite system and data on a few selected IRC chat rooms, the hacker told Joseph Cox, contributor at Motherboard, who was contacted by the hacker and received a copy of the stolen data.

I can understand the hacker’s desire to make money and if unlike TheShadowBrokers, who are still pricing themselves out of a sale (approximately $8,230,000), the price is a reasonable one, crowd-funding might be a useful approach to purchasing the tools for public release.

I can’t afford to bid on the tools as an individual, but would contribute to a crowd-funded effort to secure a public release of the tools.

Why? The more hacking tools that are available, the less secure governments become.

People become less secure as well but governments are a far greater threat to people than cyber-criminals will ever be.

Cyber-criminals want your money, governments want your freedom.

Sharpening Your Hacking Skills!

Tuesday, January 3rd, 2017

40+ Intentionally Vulnerable Websites To Practice Your Hacking Skills.

From the post:

Attack is definitely the best form of defense and this also applies to Cyber Security.

Companies are now hacking their own websites and even hiring ethical hackers in an attempt to find vulnerabilities before the bad guys do. As such ethical hacking is now a much sought after skill but hacking websites without permission can get you on the wrong side of the law, even if you’re just practising.

So how do practice your hacking skills whilst staying on the right side of the law? Well there are a number of deliberately vulnerable websites out there designed to allow you to practise and hone your hacking skills, without fear of prosecution. So we’ve decided to compile a list of over forty of them, each with short description.

Once you feel comfortable finding vulnerabilities, the next step could be a job as a penetration tester or participation in one of the bug bounty programmes where companies reward you based on the severity of the bugs that you find, which could be very lucrative. Facebook is one such company offering a bug bounty programme and has paid out more than a million dollars to date.

So without further ado, here’s the list. If you know of a good hacking website that’s not on this list, let me know and I’ll add it. Oh, and don’t forget to bookmark this page! 🙂

Yes! Not only bookmark this page but visit the sites it lists!

My only disappointment was that the Office of Personnel Management wasn’t listed. I guess the OPM site is requiring permission for hacking now. 😉

PostgreSQL/NoSQL Targets for 2017

Thursday, December 22nd, 2016

matherly-22dec2016-460

To be fair, Kevin Beaumont notes in his retweet:

Where to begin… (There’s a similar number of No SQL databases with no passwords).

There are “weird machines” and cutting edge hacks but what separates you from a successful hacker is making the effort.

Are you going to be a successful hacker in 2017?

Thieves Have Privacy Rights? (Attack Vector for Government Networks)

Wednesday, December 21st, 2016

Smile! You’re on a stolen iPhone’s candid camera! by Lisa Vaas.

Lisa tells the story of Anthony van der Meer and his creation of a honeypot phone in order to create a film about who would steal a cellphone?

The phone was rigged to allow Van der Meer to spy on the thief and quite to my surprise, Lisa raises the question of whether it is “ethical” to spy on the thief?

How very curious. Thieves have privacy rights?

Van der Meer’s case it possible the original thief simply sold the phone but even if you credit that tale, would you buy a phone at below market value on the street? And not suspect there was something odd about the transaction?

In any event, I do appreciate Lisa’s story because it points to a great technique for piercing government security. After all, what government staffer would not appreciate finding a quite new and unlocked iPhone 7?

Of course they want to use their phones to access their government email, networks, etc.

😉

Better penetration efforts everywhere are already using this technique but just in case it has not occurred to you, enjoy!

Don’t get your hopes up too high. Places that are somewhat serious about security, DOE (read nuclear sites), CIA, etc., prohibit cellphones altogether on premises.

That leaves hundreds of thousands of other government sites and facilities open, not to mention the users themselves.