Archive for the ‘Cybersecurity’ Category

How Not To Lose A Community’s Trust

Tuesday, March 28th, 2017

Humbled Malware Author Leaks His Own Source Code to Regain Community’s Trust by Catalin Cimpanu.

From the post:

The author of the Nuclear Bot banking trojan has leaked the source code of his own malware in a desperate attempt to regain trust and credibility in underground cybercrime forums.

Nuclear Bot, also known as NukeBot and more recently as Micro Banking Trojan and TinyNuke, is a new banking trojan that appeared on the malware scene in December 2016, when its author, a malware coder known as Gosya, started advertising it on an underground malware forum.

According to Gosya's ad, this new banking trojan was available for rent and included several features, such as:

  • Formgrabber and Web-Injection modules (Firefox, Chrome, IE, and Opera)
  • A SOCKS proxy module
  • Remote EXE file launcher module
  • Hidden VNC module that worked on Windows versions between XP and 10
  • Rootkit for 32-bit and 64-bit architectures
  • UAC bypass
  • Windows Firewall bypass
  • IBM Trusteer firewall bypass
  • Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine

Subsequent analysis from both Arbor Networks and Sixgill confirmed the trojan's deadly features. In spite of these favorable reports, Gosya's Nuclear Bot saw little adoption among cybercrime gangs, as the malware's author miserably failed to gain their trust.

See Catalin’s post for the most impressive list of social fails I have seen in years. Seriously.

More importantly, for hacker and other forums, learn the local customs. Always.

Enjoy!

Hacking vs. Buying Passwords – Which One For You?

Monday, March 27th, 2017

You remember the Dilbert cartoon on corporate security where the pointy-haired boss asks what Dilbert would do if a stranger offered to buy company secrets. Dilbert responds by asking how much the stranger is offering. See the strip for the boss’ answer and Wally’s follow-up question.

Danny Palmer reports the price point at which employees would sell their access; it may be lower than you think.

From the post:

A cyberattack could cost an organisation millions, but an employee within your company might be willing to give an outsider access to sensitive information via their login credentials for under £200.

According to a report examining insider threats by Forcepoint, 14 percent of European employees claimed they would sell their work login credentials to an outsider for £200. And the researchers found that, of those who’d sell their credentials to an outsider, nearly half would do it for less.

That’s about $260.00 U.S. at today’s exchange rates.

Only you know your time and expense of hacking passwords and/or buying them on the dark web.

I suspect the price point is even lower in government agencies with unpopular leadership.

I haven’t seen any surveys of US employees, but I suspect employees of companies, suppliers, contractors, banks, etc., involved in oil pipeline construction are equally open to selling passwords. Given labor conditions in the US, perhaps even more so.

Not that anyone opposing a multi-generational environmental crime like an oil pipeline would commit a crime when there are so many lawful and completely ineffectual means to oppose it at hand.

PS: As recent CIA revelations demonstrate, the question isn’t if government will betray the public’s interest but when. The same is true for environmental, health and other concerns.

Looking For Installed Cisco Routers?

Saturday, March 25th, 2017

News that 300 models of Cisco Catalyst switches are vulnerable to a simple Telnet attack (see Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness by Michael Cooney, for example) has piqued interest in installed Cisco routers.

You already know that Nmap can uncover and identify routers.

What you may not know is government hemorrhaging of IT information may be a useful supplement to Nmap.

Consider GovernmentBids.com for example.

You can search by federal government bid types and/or one or more of the fifty states, going back up to 999 prior to the current date. Bid results include the winning vendor as well as the bids themselves.

If you are routinely searching for IT vulnerability information, I would not begrudge them the $131/month fee for full information on bids.

From a topic map perspective, pairing IT bid information with vulnerability reports would be creative and valuable intelligence.

How much IT information is your office/department hemorrhaging?

Attn: Zero-Day Hunters, ATMs Running Windows XP Have Cash

Friday, March 24th, 2017

Kimberly Crawley reprises her Do ATMs running Windows XP pose a security risk? You can bank on it! as a reminder that bank ATMs continue to run Windows XP.

Her post was three years old in February, 2017 and just as relevant as the first day of its publication.

Rather than passing even more unenforceable hacking legislation, states and congress should impose treble damages with mandatory attorney’s fees on commercial victims of hacking attacks.

Insecurity will become a cost center in their budgets, justifying realistic spending and demand for more secure software.

In the meantime, remember ATMs running Windows XP dispense cash.

The New Handbook For Cyberwar Is Being Written By Russia

Wednesday, March 22nd, 2017

The New Handbook For Cyberwar Is Being Written By Russia by Sheera Frenkel.

From the post:


One US intelligence officer currently involved in cyber ops said, “It’s not that the Russians are doing something others can’t do. It’s not as though, say, the US wouldn’t have the technical skill level to carry out those types of attacks. It’s that Russian hackers are willing to go there, to experiment and carry out attacks that other countries would back away from,” said the officer, who asked not to be quoted by name due to the sensitivity of the subject. “It’s audacious, and reckless. They are testing things out in the field and refining them, and a lot of it is very, very messy and some is very smart.”

Well, “…testing things out in the field and refining them…” is the difference between a potential weapon on a dry erase board and a working weapon in practice. Yes?

Personally I favor the working weapon in practice.

It’s an interesting read despite the repetition of the now-debunked claim of Wikileaks releasing 8,761 CIA documents (Fact Checking Wikileaks’ Vault 7: CIA Hacking Tools Revealed (Part 1)).

Frenkel of course covers the DNC hack:


The hack on the DNC, which US intelligence agencies have widely attributed to Russia, could be replicated by dozens of countries around the world, according to Robert Knake, a former director of cybersecurity policy in the Obama administration.

“Russia has laid out the playbook. What Russia did was relatively unsophisticated and something that probably about 60 countries around the world have the capability of doing — which is to target third parties, to steal documents and emails, and to selectively release them to create unfavorable conditions for that party,” Knake told the BBC’s Today. “It’s unsubtle interference. And it’s a violation of national sovereignty and customary law.”

Knake reflects the failure of major powers to understand the leveling potential of cyberwarfare. Sixty countries? You think? How about every kid who can run a phishing scam to steal John Podesta’s password? How many? 600,000 maybe? More than that?

None of whom care about “…national sovereignty and customary law.”

Are you going to write or be described in a chapter of the new book on cyberwar?

Your call.

When To Worry About CIA’s Zero-Day Exploits

Wednesday, March 22nd, 2017

Chris McNab’s post Alexsey’s TTPs (Tactics, Techniques, and Procedures) on Alexsey Belan provides a measure for when to worry about Zero-Day exploits held by the CIA.

McNab lists:

  • Belan’s 9 offensive characteristics
  • 5 defensive controls
  • WordPress hack – 12 steps
  • LinkedIn targeting – 11 steps
  • Third victim – 11 steps

McNab observes:


Consider the number of organizations that provide services to their users and employees over the public Internet, including:

  • Web portals for sales and marketing purposes
  • Mail access via Microsoft Outlook on the Web and Google Mail
  • Collaboration via Slack, HipChat, SharePoint, and Confluence
  • DevOps and support via GitHub, JIRA, and CI/CD utilities

Next, consider how many enforce 2FA across their entire attack surface. Large enterprises often expose domain-joined systems to the Internet that can be leveraged to provide privileged network access (via Microsoft IIS, SharePoint, and other services supporting NTLM authentication).

Are you confident safe 2FA is being enforced over your entire attack surface?

If not, don’t worry about potential CIA-held Zero-Day exploits.

You’re in danger from script kiddies, not the CIA (necessarily).
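The check McNab’s passage implies, written up here as an added defender-side example (not code from McNab’s post or from this blog): take the raw HTTP response heads returned by an unauthenticated request to each Internet-facing service and list the hosts that answer with an NTLM or Negotiate challenge, since those accept a domain password with no second factor unless something in front of them adds one. The hostnames and response heads below are constructed placeholders; in practice you would capture them from your own inventory.

```python
# Inventory Internet-facing services by the authentication challenge they return.
# The response heads are constructed samples for placeholder hostnames
# (*.example.test); replace them with captures from your own estate.
SAMPLE_RESPONSES = {
    "owa.example.test": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "Server: Microsoft-IIS/10.0\r\n"
        "WWW-Authenticate: Negotiate\r\n"
        "WWW-Authenticate: NTLM\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "sharepoint.example.test": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: NTLM, Basic realm=\"intranet, staff\"\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "api.example.test": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: Bearer realm=\"api\", error=\"invalid_token\"\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "portal.example.test": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://idp.example.test/login\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "wiki.example.test": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html>form login page</html>"
    ),
}

# Schemes where the HTTP layer itself checks nothing but a password (or NTLM hash).
PASSWORD_ONLY = {"ntlm", "negotiate", "basic", "digest"}


def parse_challenges(value):
    """Lower-cased scheme names found in one WWW-Authenticate value.
    RFC 7235 allows several comma-separated challenges in one header, and a
    parameter such as realm="a, b" may itself contain commas, so split only
    on commas outside quotes and skip pieces that are parameters (token=...)."""
    pieces, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
    pieces.append("".join(current))
    schemes = []
    for piece in pieces:
        words = piece.strip().split(None, 1)
        if words and "=" not in words[0]:   # a parameter continuation has '='
            schemes.append(words[0].lower())
    return schemes


def classify(raw_response):
    """Classify one raw HTTP response head: status, challenge schemes, finding."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes, location = [], None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "www-authenticate":
            for scheme in parse_challenges(value):
                if scheme not in schemes:
                    schemes.append(scheme)
        elif name == "location":
            location = value
    if "ntlm" in schemes or "negotiate" in schemes:
        finding = "Windows integrated auth (NTLM/Negotiate) exposed: domain password alone"
    elif any(s in PASSWORD_ONLY for s in schemes):
        finding = "password-only HTTP auth exposed"
    elif "bearer" in schemes:
        finding = "token-based auth: confirm the issuing IdP enforces 2FA"
    elif status in (301, 302, 303, 307, 308) and location:
        finding = "redirects to " + location + ": confirm 2FA at the login target"
    else:
        finding = "no HTTP auth challenge (form login or open): review by hand"
    needs_review = any(s in PASSWORD_ONLY for s in schemes)
    return {"status": status, "schemes": schemes,
            "finding": finding, "needs_review": needs_review}


def exposed_password_only(responses):
    """Hostnames whose HTTP layer accepts a password (or NTLM) with no 2FA."""
    return sorted(host for host, raw in responses.items()
                  if classify(raw)["needs_review"])


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        result = classify(raw)
        print(f"{host:26} {result['status']} {result['schemes']} -> {result['finding']}")
    print("needs 2FA review:", exposed_password_only(SAMPLE_RESPONSES))
```

A 302 to an identity provider or a plain form-login page tells you nothing about 2FA from the headers alone; those hosts are listed for manual review rather than cleared, which is the conservative reading of “your entire attack surface.”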

Alexsey Belan made the Most Wanted list at the FBI.

Crimes listed:

Conspiring to Commit Computer Fraud and Abuse; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging a Computer Through the Transmission of Code and Commands; Economic Espionage; Theft of Trade Secrets; Access Device Fraud; Aggravated Identity Theft; Wire Fraud

His FBI poster runs two pages but you could edit off the bottom of the first page to make it suitable for framing.

😉

Try hanging that up in your local university computer lab to test their support for free speech.

Pre-Installed Malware – Espionage Potential

Tuesday, March 14th, 2017

Malware found pre-installed on dozens of different Android devices by David Bisson.

From the post:

Malware in the form of info-stealers, rough ad networks, and even ransomware came pre-installed on more than three dozen different models of Android devices.

Researchers with Check Point spotted the malware on 38 Android devices owned by a telecommunications company and a multinational technology company.

See David’s post for the details but it raises the intriguing opportunity to supply government and corporate offices with equipment with malware pre-installed.

No more general or targeted phishing schemes, difficult attempts to breach physical security and/or to avoid anti-virus or security programs.

The “you leak, we print” model of the news media makes it unlikely news organizations will want to get their skirts dirty pre-installing malware on hardware.

News organizations consider themselves “ethical” in publishing stolen information but are unwilling to steal it themselves, because stealing is “unethical.”

There’s some nuance in there I am missing, perhaps that being proven to have stolen carries a prison sentence in most places. Odd how ethics correspond to self-interest isn’t it?

If you are interested in the number of opportunities for malware on computers in 2017, check out Computers Sold This Year. It reports as of today over 41 million computers sold this year alone.

News organizations don’t have the skills to create a malware network but if information were treated as having value, separate from the means of its acquisition, a viable market would not be far behind.

New Wiper Malware – A Path To Involuntary Transparency

Tuesday, March 14th, 2017

From Shamoon to StoneDrill – Advanced New Destructive Malware Discovered in the Wild by Kaspersky Lab

From the press release:

The Kaspersky Lab Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill. Just like another infamous wiper, Shamoon, it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.

Besides the wiping module, Kaspersky Lab researchers have also found a StoneDrill backdoor, which has apparently been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels which were used by attackers to run espionage operations with help of the StoneDrill backdoor against an unknown number of targets.

Perhaps the most interesting thing about StoneDrill is that it appears to have connections to several other wipers and espionage operations observed previously. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara-rules created to identify unknown samples of Shamoon, they realised they were looking at a unique piece of malicious code that seems to have been created separately from Shamoon. Even though the two families – Shamoon and StoneDrill – don’t share the exact same code base, the mind-set of the authors and their programming “style” appear to be similar. That’s why it was possible to identify StoneDrill with the Shamoon-developed Yara-rules.

Code similarities with older known malware were also observed, but this time not between Shamoon and StoneDrill. In fact StoneDrill uses some parts of the code previously spotted in the NewsBeef APT, also known as Charming Kitten – another malicious campaign which has been active in the last few years.

For details beyond the press release, see: From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond by Costin Raiu, Mohamad Amin Hasbini, Sergey Belov, Sergey Mineev or the full report, same title, version 1.05.

Wipers can impact corporate and governmental operations but they may be hiding crimes and misdeeds at the same time.

Of greater interest are the espionage operations enabled by StoneDrill.

If you are interested in planting false flags, pay particular attention to the use of language analysis in the full report.

Taking a clue from Lakoff on framing, would your opinion of StoneDrill change if, instead of “espionage,” it was described as a “corporate/government transparency” tool?

I don’t recall anyone saying that transparency is by definition voluntary.

Perhaps that’s the ticket. Malware can bring about involuntary transparency.

Yes?

Less Than Accurate Cybersecurity News Headline – From Phys.org No Less

Monday, March 13th, 2017

Skimming through my Twitter stream I encountered:

That sounds important and it’s from Phys.org.

Who describe themselves in 100 words:

Phys.org™ (formerly Physorg.com) is a leading web-based science, research and technology news service which covers a full range of topics. These include physics, earth science, medicine, nanotechnology, electronics, space, biology, chemistry, computer sciences, engineering, mathematics and other sciences and technologies. Launched in 2004, Phys.org’s readership has grown steadily to include 1.75 million scientists, researchers, and engineers every month. Phys.org publishes approximately 100 quality articles every day, offering some of the most comprehensive coverage of sci-tech developments world-wide. Quantcast 2009 includes Phys.org in its list of the Global Top 2,000 Websites. Phys.org community members enjoy access to many personalized features such as social networking, a personal home page set-up, RSS/XML feeds, article comments and ranking, the ability to save favorite articles, a daily newsletter, and other options.

So I bit and visited New technique completely protects internet pictures and videos from cyberattacks, which reads in part:

A Ben-Gurion University of the Negev (BGU) researcher has developed a new technique that could provide virtually 100 percent protection against cyberattacks launched through internet videos or images, which are a growing threat.

“Any downloaded or streamed video or picture is a potential vehicle for a cyberattack,” says Professor Ofer Hadar, chair of BGU’s Department of Communication Systems Engineering. “Hackers like videos and pictures because they bypass the regular data transfer systems of highly secure systems, and there is significant space in which to implant malicious code.”

“Preliminary experimental results show that a method based on a combination of Coucou Project techniques results in virtually 100 percent protection against cyberattacks,” says Prof. Hadar. “We envision that firewall and antivirus companies will be able to utilize Coucou protection applications and techniques in their products.”

The Coucou Project receives funding from the BGU Cyber Security Research Center and the BaseCamp Innovation Center at the Advanced Technologies Park adjacent to BGU, which is interested in developing the protective platform into a commercial enterprise.

Summary: Cyberattackers using internet videos or images are in little danger of being thwarted any time soon.

First, Professor Hadar’s technique would need to be verified by other researchers. (Possibly it has been, but no publications are cited.)

Second, the technique must not introduce additional cybersecurity weaknesses.

Third, vendors have to adopt and implement the techniques.

Fourth, users must upgrade to new software that incorporates the new techniques.

A more accurate headline reads:

New Technique In Theory Protects Pictures and Videos From Cyberattacks

Yes?

Smile! You May Be On A Candid Camera!

Thursday, March 9th, 2017

Hundreds of Thousands of Vulnerable IP Cameras Easy Target for Botnet, Researcher Says by Chris Brook.

From the post:

A researcher claims that hundreds of thousands of shoddily made IP cameras suffer from vulnerabilities that could make them an easy target for attackers looking to spy, brute force them, or steal their credentials.

Researcher Pierre Kim disclosed the vulnerabilities Wednesday and gave a comprehensive breakdown of the affected models in an advisory on his GitHub page.

A gifted security researcher who has discovered a number of backdoors in routers, estimates there are at least 18,000 vulnerable cameras in the United States alone. That figure may be as high as 200,000 worldwide.

For all of the pissing and moaning in Chris’ post, I don’t see the problem.

Governments, corporations, web hosts either have us under surveillance or their equipment is down for repairs.

Equipment that isn’t under their direct control, such as “shoddily made IP cameras,” provides an opportunity for citizens to return the surveillance favor.

That is, to perform surveillance on those who accept surveillance of the “masses” but find surveillance of their own activities oddly objectionable.

Think of it this way:

The US government has to keep track of approximately 324 million people, give or take. With all the sources of information on every person, that’s truly a big data problem.

Turn that problem around and consider that Congress has only 535 members.

That’s more of a laptop sized data problem, albeit that they are clever about covering their tracks. Or think they are at any rate.

No, the less security that exists in general the more danger there is for highly visible individuals.

Think about who is more vulnerable before you complain about a lack of security.

The security the government is trying to protect isn’t for you. I promise. (The hoarding of cyber exploits by the CIA is only one such example.)

That CIA exploit list in full: … [highlights]

Wednesday, March 8th, 2017

That CIA exploit list in full: The good, the bad, and the very ugly by Iain Thomson.

From the post:

We’re still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights.

First, though, a few general points: one, there’s very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.

Two, unlike the NSA, the CIA isn’t mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone’s house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You’ll probably be tricked into opening a dodgy attachment or download.

That’s actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you’re unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.

Thirdly, if you’ve been following US politics and WikiLeaks’ mischievous role in the rise of Donald Trump, you may have clocked that Tuesday’s dump was engineered to help the President pin the hacking of his political opponents’ email server on the CIA. The leaked documents suggest the agency can disguise its operations as the work of a foreign government. Thus, it wasn’t the Russians who broke into the Democrats’ computers and, by leaking the emails, helped swing Donald the election – it was the CIA all along, Trump can now claim. That’ll shut the intelligence community up. The President’s pet news outlet Breitbart is already running that line.

Iain does a good job of picking out some of the more interesting bits from the CIA (alleged) file dump. No, you will have to read Iain’s post for those.

I mention Iain’s post primarily as a way to entice you into reading all the files in hopes of discovering more juicy tidbits.

Read the files. Your security depends on the indifference of the CIA and similar agencies. Is that your model for privacy?

Headless Raspberry Pi Hacking Platform Running Kali Linux

Wednesday, March 8th, 2017

Set Up a Headless Raspberry Pi Hacking Platform Running Kali Linux by Sadmin.

From the post:

The Raspberry Pi is a credit card-sized computer that can crack Wi-Fi, clone key cards, break into laptops, and even clone an existing Wi-Fi network to trick users into connecting to the Pi instead. It can jam Wi-Fi for blocks, track cell phones, listen in on police scanners, broadcast an FM radio signal, and apparently even fly a goddamn missile into a helicopter.

The key to this power is a massive community of developers and builders who contribute thousands of builds for the Kali Linux and Raspberry Pi platforms. For less than a tank of gas, a Raspberry Pi 3 buys you a low-cost, flexible cyberweapon.

Of course, it’s important to compartmentalize your hacking and avoid using systems that uniquely identify you, like customized hardware. Not everyone has access to a supercomputer or gaming tower, but fortunately one is not needed to have a solid Kali Linux platform.

With over 10 million units sold, the Raspberry Pi can be purchased in cash by anyone with $35 to spare. This makes it more difficult to determine who is behind an attack launched from a Raspberry Pi, as it could just as likely be a state-sponsored attack flying under the radar or a hyperactive teenager in high school coding class.

Blogging while I wait for the Wikileaks Vault7 Part 1 files to load into an XML database. The rhyme or reason (or the lack thereof) behind Wikileaks releases continues to escape me.

Within a day or so I will drop what I think is a more useful organization of that information.

While you wait, this is a particularly good post on using a Raspberry Pi “for reconnaissance and attacking Wi-Fi networks” in the author’s words.

Although a Raspberry Pi is easy to conceal, both on your person and on location, the purpose of such a device isn’t hard to discern.

If you are carrying a Raspberry Pi, avoid being searched until after you can dispose of it. Make sure that your fingerprints or biological trace evidence is not on it.

I say “your fingerprints or biological trace evidence” because it would be amusing if fingerprints or biological trace evidence implicated some resident of the facility where it is found.

The results of being suspected of possessing a Kali Linux equipped Raspberry Pi versus being proven to have possessed such a device, may differ by years.

Go carefully.

Confirmation: Internet of Things As Hacking Avenue

Tuesday, March 7th, 2017

I mentioned the Internet of Things (IoT) in Reading the Unreadable SROM: Inside the PSOC4 [Hacking Leader In Internet of Things Suppliers] as a growing source of cyber insecurity, at a “Compound Annual Growth Rate (CAGR) of 33.3%.”

Today, Bill Brenner writes:

WikiLeaks’ release of 8,761 pages of internal CIA documents makes this much abundantly clear: the agency has built a monster hacking operation – possibly the biggest in the world – on the backs of the many internet-connected household gadgets we take for granted.

That’s the main takeaway among security experts Naked Security reached out to after the leak went public earlier Tuesday.

I appreciate the confirmation!

Yes, the IoT can be and is being used for government surveillance.

At the same time, the IoT is a tremendous opportunity to level the playing field against corporations and governments alike.

If the IoT isn’t being used against corporations and governments, whose fault is that?

That’s my guess too.

You can bulk download the first drop from: https://archive.org/details/wikileaks.vault7part1.tar.

Vault 7: CIA Hacking Tools In Bulk Download

Tuesday, March 7th, 2017

If you want to avoid mirroring Vault 7: CIA Hacking Tools Revealed for yourself, check out: https://archive.org/details/wikileaks.vault7part1.tar.

Why Wikileaks doesn’t offer bulk access to its data sets, you would have to ask Wikileaks.

Enjoy!

Wikileaks Armed – You’re Not

Tuesday, March 7th, 2017

Vault 7: CIA Hacking Tools Revealed (Wikileaks).

Very excited to read:

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7” by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead-up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

Very disappointed to read:


Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in “Vault 7” part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

For all of the fretting over the “…extreme proliferation risk in the development of cyber ‘weapons’…”, bottom line is Wikileaks and its agents are armed with CIA cyber weapons and you are not.

Assange/Wikileaks have cast their vote in favor of arming themselves and protecting the CIA and others.

Responsible leaking of cyber weapons means arming everyone equally.

Reading the Unreadable SROM: Inside the PSOC4 [Hacking Leader In Internet of Things Suppliers]

Monday, March 6th, 2017

Reading the Unreadable SROM: Inside the PSOC4 by Elliot Williams.

From the post:

Wow. [Dmitry Grinberg] just broke into the SROM on Cypress’ PSoC 4 chips. The supervisory read-only memory (SROM) in question is a region of proprietary code that runs when the chip starts up, and in privileged mode. It’s exactly the kind of black box that’s a little bit creepy and a horribly useful target for hackers if the black box can be broken open. What’s inside? In the manual it says “The user has no access to read or modify the SROM code.” Nobody outside of Cypress knows. Until now.

This matters because the PSoC 4000 chips are among the cheapest ARM Cortex-M0 parts out there. Consequently they’re inside countless consumer devices. Among [Dmitry]’s other tricks, he’s figured out how to write into the SROM, which opens the door for creating an undetectable rootkit on the chip that runs out of each reset. That’s the scary part.

The cool parts are scattered throughout [Dmitry]’s long and detailed writeup. He also found that the chips that have 8 K of flash actually have 16 K, and access to the rest of the memory is enabled by setting a single bit. This works because flash is written using routines that live in SROM, rather than the usual hardware-level write-to-register-and-wait procedure that we’re accustomed to with other micros. Of course, because it’s all done in software, you can brick the flash too by writing the wrong checksums. [Dmitry] did that twice. Good thing the chips are inexpensive.

We should all commend Dmitry Grinberg on his choice of the leading Internet of Things (IoT) supplier as his target.

Cyber-insecurity grows with every software security solution but

The Internet of Things market size is estimated to grow from USD 157.05 Billion in 2016 to USD 661.74 Billion by 2021, at a Compound Annual Growth Rate (CAGR) of 33.3% from 2016 to 2021. (Internet of Things (IoT) Market)

Insecurity growing at a “Compound Annual Growth Rate (CAGR) of 33.3%” is impressive to say the least. Not to mention all the legacy insecurities that have never been patched or where patches have not been installed.

Few will duplicate Dmitry’s investigation but no doubt tools will soon bring the fruits of his labor to a broader market.

Responsible Disclosure

The comments on Dmitry’s work have the obligatory complaints about public disclosure of these flaws.

Every public disclosure is a step towards transparency of both corporations and governments.

I see no cause for complaint.

You?

Enjoy the Projects gallery as well.

Covert FM Radio Stations For Activists – Thumb In Eye Of Stingray Devices

Thursday, March 2nd, 2017

Singing posters and talking shirts: UW engineers turn everyday objects into FM radio stations by Jennifer Langston.

From the post:


They overlaid the audio and data on top of ambient news signals from a local NPR radio station. “FM radio signals are everywhere. You can listen to music or news in your car and it’s a common way for us to get our information,” said co-author and UW computer science and engineering doctoral student Anran Wang. “So what we do is basically make each of these everyday objects into a mini FM radio station at almost zero power.”

Such ubiquitous low-power connectivity can also enable smart fabric applications such as clothing integrated with sensors to monitor a runner’s gait and vital signs that transmits the information directly to a user’s phone. In a second demonstration, the researchers from the UW Networks & Mobile Systems Lab used conductive thread to sew an antenna into a cotton T-shirt, which was able to use ambient radio signals to transmit data to a smartphone at rates up to 3.2 kilobits per second.

The system works by taking an everyday FM radio signal broadcast from an urban radio tower. The “smart” poster or T-shirt uses a low-power reflector to manipulate the signal in a way that encodes the desired audio or data on top of the FM broadcast to send a “message” to the smartphone receiver on an unoccupied frequency in the FM radio band.

For the details:


The UW team has — for the first time — demonstrated how to apply a technique called “backscattering” to outdoor FM radio signals. The new system transmits messages by reflecting and encoding audio and data in these signals that are ubiquitous in urban environments, without affecting the original radio transmissions. Results are published in a paper to be presented in Boston at the 14th USENIX Symposium on Networked Systems Design and Implementation in March.
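As an added illustration (my own toy simulation, not code from the UW team or from the paper), the Python below shows the frequency-shift idea underneath the quoted description: a tag that does nothing but switch its reflector on and off at some rate takes the ambient carrier and puts copies of it at the carrier frequency plus and minus that rate, where no station is broadcasting, and choosing between two toggle rates is enough to send a bit. Everything here is an assumption for the sake of the demonstration: frequencies are DFT bins in a 4096-sample window rather than FM-band megahertz, the “receiver” is a single-bin DFT, and the two-rate keying is my simplification. The modulation scheme the UW system actually uses is in the paper and is not reproduced.

```python
import math

N = 4096           # samples in the analysis window; DFT bin k is "k Hz" here
F_CARRIER = 1000   # stand-in for the ambient broadcast station
SHIFT_FOR_BIT = {0: 150, 1: 200}  # toy keying: toggle rate chosen by the bit to send


def carrier(n, f=F_CARRIER):
    """Sample n of the unmodified ambient carrier the tag reflects."""
    return math.cos(2 * math.pi * f * n / N)


def reflector(n, f_toggle):
    """Reflector state at sample n: 1 = antenna reflecting, 0 = absorbing.
    A square wave at f_toggle, i.e. the tag switching its antenna on and off."""
    return 1 if math.sin(2 * math.pi * f_toggle * n / N) >= 0 else 0


def backscatter(n, f_toggle=SHIFT_FOR_BIT[0]):
    """What a nearby receiver picks up from the tag: the carrier chopped by the reflector.
    Chopping by a square wave at f_toggle puts copies of the carrier at F_CARRIER +/- f_toggle
    (and weaker ones at the odd harmonics) while leaving the carrier itself in place."""
    return carrier(n) * reflector(n, f_toggle)


def tag_sending(bit):
    """Signal of a tag sending one bit by picking its toggle rate."""
    f_toggle = SHIFT_FOR_BIT[bit]
    return lambda n: backscatter(n, f_toggle)


def bin_magnitude(signal, k):
    """|X[k]| for one DFT bin of a sampled signal, scaled so a unit-amplitude
    cosine exactly on bin k gives 1.0. Computed directly; no numpy required."""
    re = im = 0.0
    for n in range(N):
        x = signal(n)
        angle = 2 * math.pi * k * n / N
        re += x * math.cos(angle)
        im -= x * math.sin(angle)
    return math.hypot(re, im) / (N / 2)


def spectrum_at(bins, signal=backscatter):
    """Magnitude of the given bins for a signal (default: tag toggling at 150)."""
    return {k: bin_magnitude(signal, k) for k in bins}


def decode_bit(signal):
    """Receiver tuned to the two candidate upper sidebands; the louder one is the bit."""
    power = {bit: bin_magnitude(signal, F_CARRIER + f) for bit, f in SHIFT_FOR_BIT.items()}
    return max(power, key=power.get)


if __name__ == "__main__":
    f0 = SHIFT_FOR_BIT[0]
    probe = [F_CARRIER - f0, F_CARRIER, F_CARRIER + f0, F_CARRIER + 40]
    for k, mag in spectrum_at(probe).items():
        print(f"bin {k:4d}: {mag:.3f}")
    print("decoded:", [decode_bit(tag_sending(b)) for b in (1, 0, 1, 1, 0)])
```

The carrier bin keeps half its amplitude (the square wave's DC term), the two sidebands each get 1/π of it, and a bin 40 away from the carrier stays empty, which is the “unoccupied frequency” the article describes. Swapping the toggle rate moves the sideband, so a receiver watching two bins recovers the bit without ever touching the original broadcast.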

So government agents can cover cellphone frequencies with Stingray (“cell site simulators”) devices.

Wonder if they can cover the entire FM band? 😉

I’m guessing not. You?

Imagine a phone or shirt that is tuned to the frequency of a covert FM transmitter at a particular location. The information is just hanging out there but unless the “right” receiver walks by, it’s never known to anyone.

Ideal for messages directing public gatherings with near zero risk of interception by, shall we say, unfriendly parties?

Or other types of messages: imagine a singing dead drop, as it were. You move away, the song goes away.

Enjoy!

Introducing Malboxes: …

Sunday, February 26th, 2017

Introducing Malboxes: a Tool to Build Malware Analysis Virtual Machines

From the post:

Malware analysis is like defusing bombs. The objective is to disassemble and understand a program that was built to do harm or spy on computer users (oops, this is where the bomb analogy fails, but one gets the point). That program is often obfuscated (ie: packed) to make the analysis more complex and sometimes dangerous. This blog post introduces a tool that we have built that creates Windows Virtual Machines (VMs) without any user interaction. Those VMs are preconfigured with malware analysis tools and security settings tailored for malware analysis. We will then explore how to use the tool, its architecture and where we want to take it.

TL;DR

We are announcing the first “official” release of malboxes, a tool meant to help build safe and featureful Windows machines for malware analysis. Accessible to anyone, it even uses trial versions of Windows if one doesn’t have his own license.

How very cool!

Just as your programming improves by studying great code… 😉

Enjoy!

RTM: Stealthy group targeting remote banking system

Saturday, February 25th, 2017

RTM: Stealthy group targeting remote banking system by Jean-Ian Boutin and Matthieu Faou.

From the post:

Today, we have released a white paper on RTM, a cybercrime group that has been relentlessly targeting businesses in Russia and neighboring countries using small, targeted campaigns. This group, active since at least 2015, is using malware, written in Delphi, to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system.

It has the ability to upload files from the compromised system to its command and control (C&C) server. It also has a fingerprinting module to find systems on which specialized accounting software is installed. In particular, they are looking for signs of popular accounting software called “1C: Enterprise 8”. This software is used by businesses, among other things, to make bulk transfers via Remote Banking Systems (RBSes).

The post and the white paper, Read The Manual: A Guide to the RTM Banking Trojan focus on the technical aspects of this series of attacks.

It’s an interesting read despite a very poor pie chart at page 5:

If hackers encountered accounts held by Trump family members, do you think that information will be leaked to the media?

That’s one motive to become skilled at hacking banks.

Others will occur to you over time. 😉

Fingerprinting Every Browser But Tor

Friday, February 24th, 2017

Browser Fingerprinting Tech Works Across Different Browsers for the First Time by Amy Nordrum.

Yinzhi Cao and colleagues have developed browser fingerprint code that identifies 99.24 percent of users across browsers.

Cao’s paper, (Cross-)Browser Fingerprinting via OS and Hardware Level Features.

Github: https://github.com/Song-Li/cross_browser.

Demo: http://www.uniquemachine.org

The lead for the story was buried at the end of the post:

The only browser that his method didn’t work on was Tor. (emphasis added)

Your call: you can take care of your own security or be provably insecure.

Advice For Serious Leakers

Thursday, February 23rd, 2017

[T]he grugq is commenting on the story: A note on our lawsuit against Otto and Uber.

If you are a serious leaker you should be able to use Internet search engines but just in case:

  1. How to create a bootable USB stick on Windows
  2. Create a Bootable Linux Flash Drive in Three Easy Steps
  3. How to Create a Bootable Linux USB Flash Drive, the Easy Way
  4. Making a Kali Bootable USB Drive
  5. Tails Installation Assistant

Everyone has a favorite Linux distribution but Tails (#5) should be your default for leaking and Kali (#4) if you have more serious goals in mind.

BTW, don’t expect any sympathy if these are your facts:


We found that six weeks before his resignation this former employee, Anthony Levandowski, downloaded over 14,000 highly confidential and proprietary design files for Waymo’s various hardware systems, including designs of Waymo’s LiDAR and circuit board. To gain access to Waymo’s design server, Mr. Levandowski searched for and installed specialized software onto his company-issued laptop. Once inside, he downloaded 9.7 GB of Waymo’s highly confidential files and trade secrets, including blueprints, design files and testing documentation. Then he connected an external drive to the laptop. Mr. Levandowski then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.

Wow! That’s incredibly lame.

You shouldn’t commit crimes at all but if you do, don’t embarrass everyone in IT.

AI Podcast: Winning the Cybersecurity Cat and Mouse Game with AI

Wednesday, February 22nd, 2017

AI Podcast: Winning the Cybersecurity Cat and Mouse Game with AI. Brian Caulfield interviews Eli David of Deep Instinct.

From the description:

Cybersecurity is a cat-and-mouse game. And the mouse always has the upper hand. That’s because it’s so easy for new malware to go undetected.

Eli David, an expert in computational intelligence, wants to use AI to change that. He’s CTO of Deep Instinct, a security firm with roots in Israel’s defense industry, that is bringing the GPU-powered deep learning techniques underpinning modern speech and image recognition to the vexing world of cybersecurity.

“It’s exactly like Tom and Jerry, the cat and the mouse, with the difference being that, in this case, Jerry the mouse always has the upper hand,” David said in a conversation on the AI Podcast with host Michael Copeland. He notes that more than 1 million new pieces of malware are created every day.

Interesting take on detection of closely similar malware using deep learning.

Directed in part at detecting smallish modifications that evade current malware detection techniques.

OK, but who is working on using deep learning to discover flaws in software code?
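As an added example (my code, not Deep Instinct’s and nothing from the podcast), here is the gap the post is pointing at, in Python: a known-bad hash list catches a sample only byte for byte, so a one-byte change to padding or a two-byte edit to an embedded command line slips past it, while a similarity measure over byte 4-grams still flags both. Plain Jaccard similarity stands in here for fuzzy hashes and for the learned similarity the podcast discusses; it is not deep learning. The “binaries” are constructed byte strings, not real malware.

```python
import hashlib

# Constructed stand-ins for binaries (not real malware): a PE-looking header,
# an embedded command line, and padding.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00"
    + b"cmd.exe /c powershell -enc SQBuAHYAbwBrAGUA http://203.0.113.7/update.bin"
    + b"\xcc" * 64
)
# One padding byte altered: the kind of "smallish modification" the post refers to.
VARIANT_PADDED = ORIGINAL[:-1] + b"\x90"
# Two bytes of the command line altered; everything else identical.
VARIANT_RECODED = ORIGINAL.replace(b"/c powershell", b"/q powershel1")
# A different constructed file that shares nothing with the original.
UNRELATED = b"\x7fELF" + bytes(range(256)) + b"/bin/sh\x00" * 8


def exact_signature(sample: bytes) -> str:
    """Classic signature: a hash of the whole file. Any changed bit changes it."""
    return hashlib.sha256(sample).hexdigest()


def ngrams(sample: bytes, n: int = 4) -> set:
    """Set of all length-n byte substrings; the unit of comparison below."""
    return {sample[i:i + n] for i in range(len(sample) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets: 1.0 identical, 0.0 nothing in common.
    A small edit only disturbs the n-grams that overlap the edited bytes."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


KNOWN_BAD_HASHES = {exact_signature(ORIGINAL)}
KNOWN_BAD_SAMPLES = [ORIGINAL]


def exact_match(sample: bytes) -> bool:
    """Detection by hash list: catches byte-for-byte copies only."""
    return exact_signature(sample) in KNOWN_BAD_HASHES


def similar_to_known_bad(sample: bytes, threshold: float = 0.7) -> bool:
    """Detection by similarity: flags anything close enough to a known sample.
    The threshold trades evasion resistance against false positives."""
    return any(similarity(sample, bad) >= threshold for bad in KNOWN_BAD_SAMPLES)


if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("padded", VARIANT_PADDED),
                         ("recoded", VARIANT_RECODED), ("unrelated", UNRELATED)]:
        print(f"{name:9s} hash-match={exact_match(sample)!s:5s} "
              f"similarity={similarity(ORIGINAL, sample):.3f} "
              f"similar-match={similar_to_known_bad(sample)}")
```

The padded variant shares all but one of the original’s 4-grams, the recoded one loses eight and gains eight, and the unrelated file shares none, so a threshold around 0.7 separates them cleanly here. The threshold is the whole game in practice: too low and benign files that reuse common library code get flagged, too high and the attacker only has to edit a little more.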

Transparent Government Has Arrived (sorta)

Tuesday, February 21st, 2017

I saw US Cities Exposed: Industries and ICS, source of this graphic, in Violet Blue‘s report Hacking and infosec news: February 21, 2017

Violet’s report has other useful security news but I just had to share the increasing government transparency graphic with you.

The growing insecurity of government computers makes the news organization stance that leakers must hand them documents all the more puzzling.

I don’t know if that is a result of being hand fed all these years, genuine concern over prosecution or both.

Think about it this way: short of a source outing themselves, how is anyone going to know that a journalist enlisted hackers versus having a genuine leaker?

Put that way, perhaps there are loose confederations of hackers breaching government networks right now. (Sorry, didn’t mean to panic any security types.)

😉

Read the rest of the report and Violet’s post as well.

Enjoy!

Reversing HERMES ransomware

Sunday, February 19th, 2017

From the description:

Recording of the first live stream reverse engineering a new ransomware family. Lots of lessons learned for the next time 🙂

I haven’t made it through the entire video (almost four hours) but it is very impressive!

Speaking of impressive, check out the Emsisoft blog for more of same.

Enjoy!

Software Is Politics [Proudhon’s Response]

Sunday, February 19th, 2017

Software Is Politics by Richard Pope.

From the post:

If you work in software or design in 2016, you also work in politics. The inability of Facebook’s user interface, until recently, to distinguish between real and fake news is the most blatant example. But there are subtler examples all around us, from connected devices that threaten our privacy to ads targeting men for high-paying jobs.

Digital services wield power. They can’t be designed simply for ease of use—the goal at most companies and organizations. Digital services must be understandable, accountable, and trusted. It is now a commercial as well as a moral imperative.

DESIGN IS POLITICAL

Power and politics are not easy topics for many designers to chew on, but they’re foundational to my career. I worked for the U.K.’s Government Digital Service for five years, part of the team that delivered Gov.uk. I set up the labs team at Consumer Focus, the U.K.’s statutory consumer rights organization, building tools to empower consumers. In 2007, I cofounded the Rewired State series of hackdays that aimed to get developers and designers interested in making government better. I’ve also worked at various commercial startups including moo.com and ScraperWiki.

The last piece of work I did in government was on a conceptual framework for the idea of government as a platform. “Government as a platform” is the idea of treating government like a software stack to make it possible to build well-designed services for people. The work involved sketching some ideas out in code, not to try and solve them upfront, but to try and identify where some of the hard design problems were going to be. Things like: What might be required to enable an end-to-end commercial service for buying a house? Or what would it take for local authorities to be able to quickly spin up a new service for providing parking permits?

With this kind of thinking, you rapidly get into questions of power: What should the structure of government be? Should there be a minister responsible for online payment? Secretary of state for open standards? What does it do to people’s understanding of their government?

Which cuts to the heart of the problem in software design today: How do we build stuff that people can understand and trust, and is accountable when things go wrong? How do we design for recourse?
… (emphasis in original)

The flaw in Pope’s desire for applications that are “…accountable, understandable, and trusted…” by all is that it conceals the choosing of sides.

Or as Craig Gurian in Equally free to sleep under the bridge illustrates by quoting Anatole France:

“In its majestic equality, the law forbids rich and poor alike to sleep under bridges, beg in the streets and steal loaves of bread.”

Applications that are “…accountable, understandable, and trusted…” will have silently chosen sides just as the law does now.

Better to admit to and make explicit the choices of who serves and who eats in the design of applications. At least then disparities are not smothered by the pretense of equality.

Or as Proudhon would say:

What is equality before the law without equality of fortunes? A balance with false weights.

Speak not of “…accountable, understandable, and trusted…” applications in the abstract but for and against who?

EFF Urges Trusting Cheaters

Sunday, February 19th, 2017

Congress Must Protect Americans’ Location Privacy by Kate Tummarello.

From the post:

Your smartphone, navigation system, fitness device, and more know where you are most of the time. Law enforcement should need a warrant to access the information these technologies track.

Lawmakers have a chance to create warrant requirements for the sensitive location information collected by your devices.

It’s already against the law to intercept and transcribe all phone calls but the weight of the evidence shows the US government is doing exactly that.

The periodic EFF calls for legislation by known cheaters leave me puzzled.

Laws, to government agencies, mark “don’t get caught zones” and little more.

Protecting sensitive location information, to be effective, must be demanded by consumers of manufacturers.

No backdoors, no warrants, no snooping, it’s just that simple.

Data Breach Digest 2017 (Verizon)

Saturday, February 18th, 2017

Data Breach Digest (Verizon)

From the report:

The Situation Room

Data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations or malicious software. As can be expected, data breach response activities—investigation, containment, eradication, notification, and recovery—are proportionately complex.

These response activities, and the lingering post-breach aftereffects, aren’t just an IT security problem; they’re an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications and other Incident Response (IR) stakeholders. Each of these stakeholders brings a slightly different perspective to the breach response effort.

Last year, thousands of IR and cybersecurity professionals delved into the inaugural “Data Breach Digest—Scenarios from the Field” (aka “the RISK Team Ride-Along Edition”) to get a first-hand look into the inner workings of data breaches from an investigative response point of view (PoV).

Continued research into our recent caseload still supports our initial inklings that just over a dozen or so prevalent scenarios occur at any given time. Carrying forward from last year, we have come to realize that these data breach scenarios aren’t so much about threat actors, or even about the vulnerabilities they exploited, but are more about the situations in which the victim organizations and their IR stakeholders find themselves. This gives each scenario a distinct personality … a unique persona, per se.

This year, for the “Data Breach Digest—Perspective is Reality” (aka “the IR Stakeholder Edition”), we took a slightly different approach in bringing these scenarios to life. Each scenario narrative—again, based on real-world data breach response activities—is told from a different stakeholder PoV. As such, the PoV covers their critical decision pivot points, split-second actions taken, and crucial lessons learned from cases investigated by us – the Verizon RISK Team.
… (emphasis in original)

The “scenario” table mapping caught my eye:

The Scenari-cature names signal an amusing and engaging report awaits!

A must read!

To make up for missing this last year, here’s a link to 2016 Data Breach Digest.

Activists! Another Windows Vulnerability

Saturday, February 18th, 2017

If software vulnerabilities were the new “if it bleeds, it leads,” news organizations would report on little else.

Still, you have to credit The Hacker News with a great graphic for Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again! by Swati Khandelwal.

Microsoft is once again facing embarrassment for not patching a vulnerability on time.

Yes, Google’s Project Zero team has once again publicly disclosed a vulnerability (with POC exploit) affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched.
… (emphasis in original)

The Google report is more immediately useful but far less amusing than this post by Swati Khandelwal.

Swati reports that without an emergency patch from Microsoft this month, attackers have almost 30 days to exploit this vulnerability.

No rush considering the Verizon 2016 Data Breach Investigations Report shows hacks known since before 1999 are still viable:

Taking that into account, plus the strategy at most potential targets of layering insecure software on top of insecure software:


According to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of the security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.
… (Cisco 2017 Annual Cybersecurity Report, page 5)

Small targets could be more secure by going bare and pointing potential attackers to bank, competitor and finance targets with a BetterTargetsREADME file. (Warning: That is an untested suggestion.)

Paying To Avoid A Scarlet A

Friday, February 17th, 2017

Two-thirds of US companies would pay to avoid public shaming scandals after a breach by Razvan Muresan

From the post:

Some 66% of companies would pay an average of $124k to avoid public shaming scandals following a security breach, according to a Bitdefender survey of 250 IT decision makers in the United States in companies with more than 1,000 PCs.

Some 14 percent would pay more than $500k, confirming that negative media headlines could have substantial financial consequences. In a recent case, officials from Verizon, which agreed to buy Yahoo’s core properties for $4.83 billion in July, told reporters that the company has “a reasonable basis” to suspect that the Yahoo security breach, one of the largest ever, could have a meaningful financial impact on the deal, according to multiple reports.

The ransomware report I was reading earlier said that discounts of 29% off the original ransom demand are common and that the trade tends to the low end, several hundred dollars.

Perhaps Barrons or the Wall Street Journal needs to find its way onto your reading list.

Ransomware for Activists?

Friday, February 17th, 2017

An F-Secure infographic on ransomware starts:

That sounds a bit harsh don’t you think?

What if the ransomware in question were being used to:

  • Cripple “business as usual” strategies of corporate entities
  • Force divestiture from morally questionable entities or projects
  • Interfere with unlawful surveillance
  • Sanction illegal law enforcement conduct (Think Standing Rock)

Would you still agree with “Abandon All Ethical And Moral Principles[?]”

What if ransomware were used to stop:

  • coal mining companies that dump “excess spoil” in rivers and streams
  • oil transport companies that maintain leaky pipelines
  • usurers such as title pawn companies
  • police and prosecutors who abuse minorities
  • (add your target(s) to the list)

Is that ethical and/or moral?

General state of ransomware, see Evaluating the Customer Journey of Crypto-Ransomware And the Paradox Behind It by F-Secure.

Make your own decisions but relinquishing a weapon because your enemy thinks poorly of its use makes no sense to me.