## Archive for the ‘Security’ Category

Sunday, June 25th, 2017

From the post:

Today we are rolling out two new features on Facebook to improve the experience of sharing, discovering and clicking .onion links to Tor hidden services especially for people who are not on Tor.

First, Facebook can now show previews for .onion links. Hidden service owners can use Open Graph tags to customise these previews, much like regular websites do.

Second, people who are not using Tor and click on .onion links will now see a message informing them that the link they clicked may not work. The message enables people to find out more about Tor and – for hidden services which have opted in – helps visit the service’s equivalent regular website. For people who are already using Tor, we send them straight through to the hidden service without showing any message.

This is a very bad plan!

If you are:

not using Tor and click on .onion links will now see a message informing them that the link they clicked may not work.

Accessing .onion links on Facebook, without using Tor, in the words of Admiral Ackbar, “It’s a trap!”:

### Consumer Warning: Stale Passwords For Sale

Sunday, June 25th, 2017

The important take away: the passwords are from a 2012 LinkedIn breach.

Unless you like paying for and mining low grade ore, considering passing on this offer.

Claims of stolen government passwords don’t make someone trustworthy. 😉

### E-Cigarette Can Hack Your Computer (Is Nothing Sacred?)

Monday, June 19th, 2017

Kavita Iyer has the details on how an e-cigarette can be used to hack your computer at: Know How E-Cigarette Can Be Used By Hackers To Target Your Computer.

I’m guessing you aren’t so certain that expensive e-cigarette you “found” is harmless after all?

Malware in e-cigarettes seems like a stretch given the number of successful phishing emails every year.

But, a recent non-smoker maybe the security lapse you need.

### OpSec Reminder

Saturday, June 17th, 2017

Catalin Cimpanu covers a hack of the DoD’s Enhanced Mobile Satellite Services (EMSS) satellite phone network in 2014 in British Hacker Used Home Internet Connection to Hack the DoD in 2014.

The details are amusing but the most important part of Cimpanu’s post is a reminder about OpSec:

In a statement released yesterday, the NCA said it had a solid case against Caffrey because they traced back the attack to his house, and found the stolen data on his computer. Furthermore, officers found an online messaging account linked to the hack on Caffrey’s computer.

Caffrey’s OpSec stumbles:

1. Connection traced to his computer (No use of Tor or VPN)
2. Data found on his hard drive (No use of encryption and/or storage elsewhere)
3. Online account used in hack operated from his computer (Again, no use of Tor or VPN)

I’m sure the hack was a clever one but Caffrey’s OpSec was less so. Decidedly less so.

### Tails 3.0 is out (Don’t be a Bank or the NHS, Upgrade Today)

Tuesday, June 13th, 2017

Tails 3.0 is out

From the webpage:

We are especially proud to present you Tails 3.0, the first version of Tails based on Debian 9 (Stretch). It brings a completely new startup and shutdown experience, a lot of polishing to the desktop, security improvements in depth, and major upgrades to a lot of the included software.

Debian 9 (Stretch) will be released on June 17. It is the first time that we are releasing a new version of Tails almost at the same time as the version of Debian it is based upon. This was an important objective for us as it is beneficial to both our users and users of Debian in general and strengthens our relationship with upstream:

• Our users can benefit from the cool changes in Debian earlier.
• We can detect and fix issues in the new version of Debian while it is still in development so that our work also benefits Debian earlier.

This release also fixes many security issues and users should upgrade as soon as possible.

Upgrade today, not tomorrow, not next week. Today!

Don’t be like banks and NHS and run out-dated software.

• barring civil liability for
• decriminalizing
• prohibiting insurance coverage for damages due to

hacking of out-dated software.

Management will develop an interest in software upgrade policies.

### Power Outage Data – 15 Years Worth

Tuesday, June 13th, 2017

From the post:

This database details 15 years of power outages across the United States, compiled and standardized from annual data available at from the Department of Energy.

For an explanation of what it means, how it came about, and how we got here, listen to this conversation between Inside Energy Reporter Dan Boyce and Data Journalist Jordan Wirfs-Brock:

You can also view the data as a Google Spreadsheet (where you can download it as a CSV). This version of the database also includes information about the amount of time it took power to be restored, the demand loss in megawatts, the NERC region, (NERC refers to the North American Electricity Reliability Corporation, formed to ensure the reliability of the grid) and a list of standardized tags.

The data set isn’t useful for tactical information, the submissions are too general to replicate the events leading up to an outage.

On the other hand, identifiable outage events, dates, locations, etc., do make recovery of tactical data from grid literature a manageable search problem.

Enjoy!

### Electric Grid Threats – Squirrels 952 : CrashOverride 1 (maybe)

Tuesday, June 13th, 2017

If you are monitoring cyberthreats to the electric grid, compare the teaser document, Crash Override: Analysis of the Treat to Electric Grid Operators from Dragos, Inc. to the stats at CyberSquirrel1.com:

I say a “teaser” documents because the modules of greatest interest include: “This module was unavailable to Dragos at the time of publication” statements (4 out of 7) and:

If you are a Dragos, Inc. customer, you will have already received the more concise and technically in-depth intelligence report. It will be accompanied by follow-on reports, and the Dragos team will keep you up-to-date as things evolve.

If you have a copy of Dragos customer data on CrashOverride, be a dear and publish a diff against this public document.

Inquiring minds want to know. 😉

If you are planning to mount/defeat operations against an electric grid, a close study CyberSquirrel1.com cases will be instructive.

Creating and deploying grid damaging malware remains a challenging task.

Training an operative to mimic a squirrel, not so much.

### Personal Malware Analysis Lab – Summer Project

Wednesday, June 7th, 2017

Set up your own malware analysis lab with VirtualBox, INetSim and Burp by Christophe Tafani-Dereeper.

Whether you are setting this up for yourself and/or a restless child, what a great summer project!

You can play as well so long as you don’t mind losing to nimble minded tweens and teens. 😉

It’s never too early to teach cybersecurity and penetration skills or to practice your own.

With a little imagination as far as prizes, this could be a great family activity.

It’s a long way from playing Yahtzee with your girlfriend, her little brother and her mother, but we have all come a long way since then.

### Are Printer Dots The Only Risk?

Tuesday, June 6th, 2017

From the post:

Several journalists and experts have recently focused on the fact that a scanned document published by The Intercept contained tiny yellow dots produced by a Xerox DocuColor printer. Those dots allow the document’s origin and date of printing to be ascertained, which could have played a role in the arrest of Reality Leigh Winner, accused of leaking the document. EFF has previously researched this tracking technology at some length; our work on it has helped bring it to public attention, including in a somewhat hilarious video.

Schoen’s post and references are fine as far as they go, but there are other dangers associated with printers.

For example:

• The material in or omitted from a document can by used to identify the origin of a document.
• The order of material in a document, a list, paragraph or footnote can be used to identify the origin of a document.
• Micro-spacing of characters, invisible to the naked eye, may represent identification patterns.
• Micro-spacing of margins or other white space characteristics may represent identification patterns.
• Changes to the placement of headers, footers, page numbers, may represent identification patterns.

All of these techniques work with black and white printers as well as color printers.

The less security associated with a document and/or the wider its distribution, the less likely you are to encounter such techniques. Maybe.

Even if your source has an ironclad alibi, sharing a leaked document with a government agency is risky business. (full stop)

Just don’t do it!

### Google Capture the Flag 2017

Monday, June 5th, 2017

Google Capture the Flag 2017 by Josh Armour.

From the post:

On 00:00:01 UTC of June 17th and 18th, 2017 we’ll be hosting the online qualification round of our second annual Capture The Flag (CTF) competition. In a ‘Capture the Flag’ competition we create security challenges and puzzles in which contestants can earn points for solving them. We will be inviting the top 10 finalist teams to a secret undisclosed location (spoiler alert: it’s Google) to compete onsite for a prize pool of over USD$31,337 and we’ll help subsidize travel to the venue for the finals to four participants for each of the ten finalist teams. In addition to grand prizes given at the finals, we’ll be rewarding some of the best and creative write-ups that we receive during the qualifying round. We want to give you an opportunity to share with the world the clever way you solve challenges. Sounds cool! You playing? ### Unknown Buyers + Unknown Sellers ~= Closed Source Software Friday, June 2nd, 2017 TurkuSec Community reports another collaborative effort to buy into the Shadow Brokers malware-of-the-month club: “What Could Go Wrong?” is a valid question. On the other hand, you are already spending$billions on insecure software every year.

Most of which is closed-source, meaning it may contain CIA/NSA backdoors.

A few hires in the right places and unbeknownst to the vendor, they would be distributing CIA/NSA malware.

If you credit denials of such activities by the CIA/NSA or any other government spy agency, you should stop using computers. You are a security risk to your employer.

A Shadow Brokers subscription, where 2,500 people risk $100 each for each release, on the other hand, is far safer than commercial software. If the the first release prove bogus, don’t buy a second one. Contrast that with insecure closed source software for an OS or database that may contain CIA/NSA/etc. backdoors. You don’t get to avoid the second purchase. (You bought the maintenance package too. Am I right?) I can’t and won’t counsel anyone to risk more than$100, but shared risk is the fundamental principle of insurance. Losses can and will happen. That’s why we distribute the risk.

PS: Shadow Brokers: Even a list of the names with brief descriptions might help attract people who want to share the risk of subscribing. The “big” corporations are likely too arrogant to think they need the release.

### Another Patriarchy Triumph – Crowd Funding Shadow Brokers Fails

Thursday, June 1st, 2017

From the post:

To some, it was a terrible idea akin to paying bad people to do harm. To others, it was a chance to build more powerful defenses against the next WannaCry.

It’s now a moot point.

Forty-eight hours after they started a crowdsourcing effort on Patreon to raise $25,000 a month for a monthly Shadow Brokers subscription service, security researchers Matthew Hickey – perhaps better known as Hacker Fantastic – and x0rz, announced the fund’s cancellation. Thursday morning, the page was empty: Brenner covers alleged reasons for the cancellation and concludes with poor advice: Better to not go there. As I pointed out yesterday, if 2500 people each contributed %100, the goal of raising$25,000 would be met without significant risk to anyone. Cable bills, to say nothing of mobile phone charges, easily exceed $100 for a month. If a subscription were purchased for one month and either the Shadow Brokers don’t release new malware or what they release was cobbled up from standard malware sites, don’t buy a second one. At$100 each, isn’t that a risk you would take?

Assuming Shadow Brokers are serious about their malware-by-the-month club, a crowd funded subscription, premised on the immediate and public release of each installment, damages existing systems of patriarchy among/at:

• Blackhat hackers
• Governments (all levels)
• Software vendors
• Spy agencies (worldwide)

Whitehat-only distribution follows that old saw of patriarchy, “we know what is best for you to know, etc.”

Some innocent people will be hurt by future malware releases. That’s a fact. But it’s an odd complaint for governments, spy agencies and their whitehat and vendor allies to raise.

Governments, spy agencies, whitehats and vendors have jointly participated in the slaughter of millions of people and the oppression of millions more.

Now facing some sharing of their cyberpower, they are concerned about potential injuries?

Looking forward to a deeply concealed entity stepping forward to purchase or crowd fund a release on delivery copy of the first Shadow Brokers malware-by-the-month, month 1.

Take a chance on damaging those patriarchies? Sure, that’s worth $100. You? ### Malware Subscriptions and the Long Tail of Patching (What you get for$100)

Wednesday, May 31st, 2017

In part because whitehats will get the data at the same time.

Even if whitehats could instantly generate patches for all the vulnerabilities in each monthly release, if the vulnerabilities do have value, always an open question, they will retain that value for years, even more than a decade.

Why?

Roger Grimes recites the folk wisdom:

Folk wisdom says that patching habits can be divided into quarters: 25 percent of people patch within the first week; 25 percent patch within the first month; 25 percent patch after the first month, and 25 percent never apply the patch. The longer the wait, the greater the increased risk.

Or to put that another way:

50% of all vulnerable systems remain so 30+ days after the release.

25% of all vulnerable systems remain so forever.

Here’s a “whitehat” graphic that makes a similar point:

For $100 each by 2500 people, assuming there are vulnerabilities in the first Shadow Brokers monthly release, you get: Vulnerabilities for 25% of systems forever (assuming patches are possible), vulnerabilities for 50% of systems are vulnerable for more than a month (assuming patches are possible), for some industries offer years of vulnerability, especially government systems. For a$100 investment?

Modulo my preference for a group buy, then distribute model, that’s not a bad deal.

If there are no meaningful vulnerabilities in the first release, then don’t spend the second $100. A commodity marketplace for malware weakens the NSA and its kindred. That’s reason enough for me to invest. ### Disclosure = No action/change/consequences Wednesday, May 31st, 2017 What would you do if you discovered: A cache of more than 60,000 files were discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance. ? UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after received no immediate response, he went directly the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said. What an unfortunate outcome. Not faulting Chris Vickery, who was doing his job. But responsible disclosure to Booz Allen Hamilton and then NGA, will result in no change to Booz Allen Hamilton’s position as a government IT supplier. Public distribution of these files might not result in significant changes at government agencies and their IT contractors. On the other hand, no consequences for agencies and their IT contractors hasn’t improved security. Shouldn’t we give real world consequences a chance? ### Crowd-Funding Public Access to NSA Tools! Tuesday, May 30th, 2017 Awesome! (with a caveat below) The group calling itself the Shadow Brokers have released several caches of exploits to date. These caches and releases have had a detrimental outcome on the Internet at large, one leak especially resulted in the now in-famous WannaCry ransomware worm – others have been used by criminal crackers to illegally access infrastructure. Many have been analysing the data to determine its authenticity and impact on infrastructure, as a community it has been expressed that the harm caused by exploits could have been mitigated against had the Shadow Brokers been paid for their disclosures. The leaks of information seen so far have included weaponized reliable exploits for the following platforms: • Cisco • Juniper • Solaris • Microsoft Windows • Linux The Shadow Brokers have announced they are offering a “monthly dump” service which requires a subscription of 100 ZCASH coins. Currently this is around £17688.29 but could change due to the fleeting nature of cryptocurrency. By paying the Shadow Brokers the cash they asked for we hope to pool resources and avert any future WannaCry type incidents. This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data. The goal here is to raise sufficient funds from interested parties to purchase a subscription to the new data leak. We are attempting to perform the following task: • Raise funds to purchase 100 ZCASH coins • Purchase 100 ZCASH coins from a reputable exchange • Transfer 100 ZCASH coins to ShadowBrokers with email address • Access the data from the ShadowBrokers and distribute to backers • Perform analysis on data leak and ascertain risk / perform disclosures The Shadow Brokers have implied that the leak could be any of the following items of interest: • web browser, router, handset exploits and tools • newer material from NSA ops disk including Windows 10 exploits • misc compromised network data (SWIFT or Nuclear programmes) • … (emphasis in original) An almost excellent plan that with enough contributors, reduces the risk to any one person to a manageable level. Two-hundred and fifty contributors at$100 each, makes the $25,000 goal. That’s quite doable. My only caveat is the “…whitehat ethical hacker…” language for sharing the release. Buying a share in the release should be just that, buying a share. What participants do or don’t do with their share is not a concern. Kroger clerks don’t ask me if I am going to use flour to bake bread for the police and/or terrorists. Besides, the alleged NSA tools weren’t created by “…whitehat ethical hackers….” Yes? No government has a claim on others to save them from their own folly. Any competing crowd-funded subscriptions to the Shadow Brokers release? ### Innovations In Security: Put All Potential Bombs In Cargo Monday, May 29th, 2017 From the post: US Secretary of Homeland Security Gen. John Kelly revealed in an interview over the weekend that the US might expand its current laptop ban to all flights into the US in the near future. “I might,” said Gen. Kelly yesterday on Fox News Sunday. “There’s a real threat. There’s numerous threats against aviation. That’s really the thing they’re really obsessed with, the terrorists, the idea of knocking down an airplane in flight, particularly if it is a US carrier, particularly if it is full of mostly US folks.” Is there an FOIA exception to obtaining the last fitness report on US Secretary of Homeland Security Gen. John F. Kelly when he was serving with the Marines? Loading fire-prone laptops, which may potentially also contain bombs, into a planes cargo hold for “safety,” raises serious questions about Kelly’s mental competence. Banning laptops could be a ruse to get passengers to use cloud services for their data, making it more easily available to the NSA. As the general says, there are people obsessed with “the idea of knocking down an airplane in fight,” but those are mostly found in the Department of Homeland Security. You need not take my word for it, consider the Wikipedia timeline of airline bombings shows eight such bombings since December of 2001. I find it difficult to credit “obsession” when worldwide there is only one bomb attack on an airline every two years. Moreover, the GAO in Airport Perimeter and Access Control Security Would Benefit from Risk Assessment and Strategy Updates (2016) found the TSA has not evaluated the vulnerability at 81% of the 437 commercial airports. US airports are vulnerable and the TSA can’t say which ones or by how much. If terrorists truly were “obsessed,” in General Kelly’s words, the abundance of vulnerable US airports should see US aircraft dropping like flies. Except they’re not. PS: Anticipating a complete ban on laptops, now would be a good time to invest in airport laptop rental franchises. ### The “blue screen of death” lives! (Humorous HTML Links) Monday, May 29th, 2017 From the post: In a blast from the past, a Russian researcher has uncovered a simple bug in the NTFS file system that consistently crashed Windows Vista to 8.1 PCs. Like the infamous Windows 95/98 /con/con bug, by simply entering a file name with “$MFT” the file-system bug locks up Windows at best, or dumps it into a “blue screen of death” at worse.

The bug won’t deliver malware but since it works in URLs (except for Chrome), humorous HTML links in emails are the order of the day.

Enjoy!

### Hacking Fingerprints (Yours, Mine, Theirs)

Thursday, May 25th, 2017

From the post:

Fingerprints are supposed to be unique markers of a person’s identity. Detectives look for fingerprints in crime scenes. Your phone’s fingerprint sensor means only you can unlock the screen. The truth, however, is that fingerprints might not be as secure as you think – at least not in an age of machine learning.

A team of researchers has demonstrated that, with the help of neural networks, a “masterprint” can be used to fool verification systems. A masterprint, like a master key, is a fingerprint that can be open many different doors. In the case of fingerprint identification, it does this by tricking a computer into thinking the print could belong to a number of different people.

“Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting,” the researchers ­– Philip Bontrager, Julian Togelius and Nasir Memon – claim in a paper.

The tweet that brought this post to my attention didn’t seem to take this as good news.

But it is, very good news!

Think about it for a moment. Who is most likely to have “strict security settings?”

Your average cubicle dweller/home owner or …, large corporation or government entity?

What is more, if you, as a cubicle dweller are ever accosted for a breach of security, leaking fingerprint protected files, etc., what better defense than known spoofing of fingerprints?

Not that you would be guilty of such an offense but its always nice to have a credible defense in addition to being innocent!

For further details:

Abstract:

We present two related methods for creating MasterPrints, synthetic fingerprints that a fingerprint verification system identifies as many different people. Both methods start with training a Generative Adversarial Network (GAN) on a set of real fingerprint images. The generator network is then used to search for images that can be recognized as multiple individuals. The first method uses evolutionary optimization in the space of latent variables, and the second uses gradient-based search. Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting.

Defeating fingerprints as “conclusive proof” of presence is an important step towards freedom for us all.

### Banking Malware Tip: Don’t Kill The Goose

Thursday, May 25th, 2017

From the post: