Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group?.

A detailed summary of what is or isn’t known about The Shadow Brokers and the alleged hack of the Equation Group (NSA owned and operated).

The story is being updated at this location so check back for breaking details.

Enjoy!

Simple hack unlocks 100 million Volkswagen vehicles by Patrick Howell O’Neill.

From the post:

Some 100 million Volkswagens are vulnerable to hackers who discovered key vulnerabilities that allow them to unlock the doors of the most popular cars on earth, according to a new research paper first reported by Wired.

University of Birmingham computer scientist Flavio Garcia was already widely known for working with colleagues to find major security flaws in Volkswagens last year that enabled hackers to quickly takeover a keyless car.

The new attack could result in the theft of anything kept in a car.

When you put the two attacks together, you have a recipe for getting into and driving off with a stolen car in less than 60 seconds—Nic Cage-caliber grand theft auto.

Actually, you don’t need to be as good as Nic Cage at all. A thief can pull this off with cheap equipment like a TI Chronos smart watch.
…

In the interest of “responsible” disclosure, you will have to reconstruct some of the research for yourself.

There is a simple and absolute defense to this hack:

You can order one of these starting at $239.00.

Compared to the aggravation of having your Volkswagen stolen?

Thieves will pick an easier target.

(Be innovative in your security thinking.)

Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea by Chris Williams.

From the post:

Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder.

These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android.

What’s more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys.

And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone.

Microsoft’s misstep was uncovered by two researchers, MY123 and Slipstream, who documented their findings here in a demoscene-themed writeup published on Tuesday. Slip believes Microsoft will find it impossible to undo its leak.
…

To understand the full technical implications of this Microsoft leak, let Chris take you through Secure Boot policies.

For representatives of the public, the summary is: Backdoor Key = Everyone has access.

Follow up question for representatives of the public: Is that what you want?

Have Lady GaGa CDs (Manning) or USB sticks labeled on one side NSA and the other Snowden to give anyone protesting government offices are secure. (Just me but I would put malware on both.)

Chris reports that as of 10 August 2016 that Microsoft has not commented on this story.

I hope MS puts on a brave face and says the leak was deliberate and done to illustrate the danger of golden backdoor keys.

They will no worse off than they are now and spun properly it could be a telling blow against backdoor keys.

Delta Flights Grounded For Hours Due To Worldwide System Outage by Camila Domonoske.

From the post:

Delta flights around the world were delayed this morning due to a “computer outage,” the company says.

A power outage in Atlanta around 2:30 a.m. ET was responsible for the problem, the company said in a statement.

…

“We are aware that flight status systems, including airport screens, are incorrectly showing flights on time,” Delta says. Meanwhile, passengers attempting to check in online or through Delta’s app have reported seeing error messages.

The problem is “system-wide” and happening “everywhere,” the company has said.
….

No causes have been specified for the “power outage.”

But a good example of how imaginative hacking can bring down a worldwide transportation system, without ever breaching computer security.

Delta computer security is probably as good as airline security gets, but who needs root access when you can pull the power plug?

A real world denial of service (DoS) attack.

PS: How many degrees of separation does your computer security encompass?

While casting about for statistics on hacking I ran across two cyber security reports that need to be on your reading list:

Verizon’s 2016 Data Breach Investigations Report, in part because it shares its database of incident reports, a novelty in the area of cyber security.

2016 NTT Group, Global Threat Intelligence Report, which does not share the underlying data.

Both will repay a close reading several times over.

Enjoy!

PS: I extracted the statistics I needed for a post but I’m going to give both reports a slow read. My only regret is that the contents are trapped in dead PDF files, making it difficult to reuse or repurpose with other data.

I am reminded that Mark Logic has a xdmp:pdf-convert function.

$hell on Earth: From Browser to System Compromise by Matt Molinyawe, Abdul-Aziz Hariri, and Jasiel Spelman.

From the paper:

The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in. In most cases, these privileges were attained through the exploitation of the Microsoft Windows® or Apple OS X® kernel. Kernel exploitation, using the browser as an initial vector, was a rare sight in previous contests.

This white paper will detail the eight winning browser-to-super-user exploitation chains demonstrated at this year’s contest. Topics such as modern browser exploitation, the complexity of kernel use-after-free vulnerability exploitation, the simplicity of exploiting logic errors, and directory traversals in the kernel are also covered. This paper analyzes all attack vectors, root causes, exploitation techniques, and remediation for vulnerabilities.

Reducing attack surfaces with application sandboxing is a step in the right direction. However, the attack surface remains expansive and sandboxes only serve as minor obstacles on the way to complete compromise. Kernel exploitation is clearly a problem, which has not disappeared and is possibly on the rise. If you’re like us, you can’t get enough of it—it’s shell on earth.

Unless you are still reading Harry Potter and the cursed child, the $hell on Earth whitepaper will be your best read for the weekend.

Enjoy!

How to Build Your Own Penetration Testing Drop Box by Beau Bullock.

With politics bleeding into even highly filtered feeds, thought it might be amusing to look at a hardware construction project.

I compared three single-board computers (SBC) against each other with a specific goal of finding which one would serve best as a “penetration testing drop box”, and maintain an overall price of around $110. Spoiler Alert: At the time I tested these Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space. If you want to skip the SBC comparison and jump right to building your own pentest drop box you can find the instructions below and also here.

Overview

A few weeks ago I was scheduled for an upcoming Red Team exercise for a retail organization. In preparation for that assessment I started gathering all the gear I might need to properly infiltrate the organization, and gain access to their network. Social engineering attacks were explicitly removed from the scope for this engagement. This meant I wasn’t going to be able ask any employees to plug in USB devices, let me in certain rooms, or allow me to “check my email” on their terminals (yes this works).

Essentially, what were left at that point were physical attacks. Could I get access to a terminal left unlocked and perform a HID-based (think Rubber Ducky) attack? If the system wasn’t unlocked, perhaps a USB-Ethernet adapter (like the LAN Turtle) could be placed in line with the system to give me a remote shell to work from. Even if I could get physical access, without any prior knowledge of the network’s egress filtering setup, was I going to be able to get a shell out of the network? So this led me down the path of building a pentest drop box that I could place on a network, could command over a wireless adapter, automatically SSH out of a network, and just be an all-around pentesting box.

Some Device Requirements

Looking into the available options already out there it is very clear that I could either spend over $1,000 to buy something that did what I needed it to do, or try to build one comparable for significantly cheaper. So I set some very specific goals of what I wanted this device to do. Here they are:

• Device has to be relatively unnoticeable in size (could be plugged in under a desk unnoticed)
• Has to be able to be controlled over a wireless interface (bonus points if multiple wireless interfaces can be used so wireless management and wireless attacks can happen concurrently)
• Persistent reverse SSH tunnel to a command and control server
• Fully functional pentesting OS (not just a shell to route attacks through)
• Decent storage space (32-64GB)
• Actually be a usable pentesting box that is not sluggish due to hardware restrictions
• Cost around $110 total to build

…

I like that, requirements!

Assuming you have a briefcase or bulky coat, not a bad piece of hardware to have on you. Unless you anticipate physical searches. Can’t ever tell when you will be curious about something.

How foreign governments spy using PowerPoint and Twitter by Ron Deibert.

From the post:

News of the alleged Russian hack of the Democratic National Committee’s computers has riveted the world. But for many, this kind of behavior is a daily reality.

Take, for example, Syrian Nour Al-Ameer. A former vice president of the Syrian National Council, Al-Ameer was arrested and sent to infamous Adra prison in Damascus, where she was brutally tortured. Upon release, she became a refugee, fleeing to relative safety in Turkey.

Or so she thought.

Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail “Assad Crimes,” she could easily have opened it. Instead, she shared it with us at the Citizen Lab.

As we detail in a new report, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called “Droidjack,” that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.

Our organization has been documenting these type of targeted digital attacks against civil society for years. We’ve found that these organizations are assaulted by state-based cyberespionage the same way that governments and industry are. But they’re far less equipped to deal, and receive significantly less attention from policymakers.
…

A great post that quickly becomes disappointing because Ron cites only the usual suspects, China, Ethiopia, Latin America, Russia, Sudan, and the United Arab Emirates as governments that spy on civil society.

The United States has confessed to spying on its citizens. Illegally.

You can argue the United States hasn’t murdered its citizens on the basis of illegal surveillance (that we know of), but it has overthrown governments and inflicted hundreds of thousands of casualties upon civilian populations based on its spying efforts.

Every citizen, of all countries, deserves robust defenses against spying governments.

All governments, no exceptions.

The Transparency Toolkit has created the Surveillance Industry Index, which as of today (August 2, 2016), has 2350 entries.

Remembering the security incidents that have plagued some security firms, I wonder if this is a list of vendors, targets or perhaps both?

Yet another example of what is called “reader response” theory in action.

Enjoy!

Update: Data for the Surveillance Industry Index.

Will make your scanning of the vendors marginally easier.

After all, how much can you trust them, their products or services if they can’t keep you out?

QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System by Swati Khandelwal.

I put today’s date in the title so several years from now when a “security expert” breathlessly reports on “terrorists” using QRLJcking, you can easily find that it has been in use for years.

For some reason, “security experts” fail to mention that governments, banks, privacy advocates and numerous others in all walks of life and business use cybersecure services. Maybe that’s not a selling point for them. You think?

In any event, Swati gives a great introduction to QRLJacking, starting with:

Do you know that you can access your WeChat, Line and WhatsApp chats on your desktop as well using an entirely different, but fastest authentication system?

It’s SQRL, or Secure Quick Response Login, a QR-code-based authentication system that allows users to quickly sign into a website without having to memorize or type in any username or password.

QR codes are two-dimensional barcodes that contain a significant amount of information such as a shared key or session cookie.

A website that implements QR-code-based authentication system would display a QR code on a computer screen and anyone who wants to log-in would scan that code with a mobile phone app.

Once scanned, the site would log the user in without typing in any username or password.

Since passwords can be stolen using a keylogger, a man-in-the-middle (MitM) attack, or even brute force attack, QR codes have been considered secure as it randomly generates a secret code, which is never revealed to anybody else.

But, no technology is immune to being hacked when hackers are motivated.
…

Following this post and the resources therein, you will be well prepared for when your usual targets decide to “upgrade” to SQRL, or Secure Quick Response Login.

Enjoy!

PS: There is a well-known pattern in this attack, one that is true for other online security systems. Do you see it?

Why You Can’t Keep Secrets by William M. Arkin.

From the post:

I started thinking about this talk by polling friends in Washington to see if there were any good new jokes about secrecy. In other parts of the world, political jokes are often the purest expression of zeitgeist, so I thought a current favorite — you know, some knee slapper about the new Executive Order on classification, or one about the latest string of Bill Gertz’ leaks — would provide astute insight.

No dice though; people inside the beltway have never been renown for their humor.

In May, however, I was in Beirut, and the number of jokes about the Syrians were impressive.

Here’s my favorite.

Hafez Assad is with Bill Clinton and Jacques Chirac on the Mississippi River to negotiate Syria’s withdrawal from Lebanon. Assad drops his watch into the river and when he bend over the deck railing to look for it, snapping alligators thrust up from the deep. Clinton tells one of the Marine guards to retrieve President Assad’s watch. The Marine goes to the edge, looks over at the alligators and says to the President Mr. President, you know we live in the greatest country on earth, and therefore I can decline an unlawful order. If I jump in to retrieve Mr. Assad’s watch I would die, and besides I have a family…

So Chirac, thinking he can tweak the American nose says to a French soldier, jump in the water and retrieve Assad’s watch. The legionnaire snaps to attention and runs to dive in, but he then looks over and sees the snapping alligators, and turns to Chirac and says Monsieur President, you know our democracy is even older than America, and besides, I have a family…

So Assad whispers something in the ear of a Syrian soldier, who runs to the railing and without hesitation, jumps in the water, swims through the alligators, retrieves the watch, and returns safely to the boat. The Marine and the Legionnaire, both amazed, crowd around the Syrian to ask what Assad said.

Well, the soldier explains, I too have a family…

**

So what does this have to do with secrecy?

To me, it is a real world reminder that to level any kind of indictment about the evils of U.S. government secrecy is to be trivial. One only has to visit places like the Middle East to appreciate how free our system is.

…

Given the current events in Syria, a timely posting of a speech that Arkin made:

…twenty years ago to military and industry officers and officials at the annual U.S. Air Force National Security Leadership Course, Maxwell AFB, Alabama, delivered on 14 August 1996.

The central difficulty of secrecy and cybersecurity are both captured by the line:

Anyone knows that in order to preserve real secrets, they need to be identified.

As opposed to the blanket classification of nearly every document, memo, draft, email, etc., which is nearly the current practice in the Obama administration, you have to pick which secrets are truly worth protecting. And then protect them.

As Arkin points out, to do otherwise generates a climate where leaks are a routine part of government and generates suspicion even when the government, perhaps by accident, is telling the truth.

The same principle is true for cybersecurity. Have you identified the components of your network and the level of security appropriate to each one? Or do VPs still have write access to the accounting software?

For meaningful secrecy or cybersecurity, you must have explicit identification of what is to be secret/secure and what steps are taken to bring that about. Anything less and you won’t be able to keep secrets and/or have cybersecurity. (Ask the Office of Personnel Management (OPM) for example.)

The Troubling State of Security Cameras; Thousands of Devices Vulnerable by Ali Raza.

From the post:

The recent Lizard Squad hack which resulted in a lot of CCTV cameras targeted and hijacked by a DDOS attack has highlighted the need for better security cameras. A study conducted by Protection1 shows how many security agencies do not take things seriously, Protection1 report.

The Lizard Squad hack is not the first instance of security cameras being overridden and used to spy on people. The widespread hack has brought to light once again just how many security cameras are under operation without any sort of protection, making them sitting ducks for any hacker with moderate skills. The CCTV cameras in the US that were attacked by the Lizard Squad hack were used in a wide range of areas from home security and traffic cams to cameras in banks and restaurants.

The ease of carrying out this attack prompted security company Protection1 to investigate the matter. The rising levels of sophistication of hacking tools and the incompetence of security personnel to keep in touch with hackers have made hunting much simpler for hackers. In a bid to understand just how serious the situation is, Protection1 analyzed 6,000 unsecured or open cameras all over the United States of America to find out which companies do not take your security seriously. They pulled data from the cameras using insecam.org and mapped and analyzed the locations to generate results.
…

Ali re-uses all the graphics from the Protection1 report, which is itself written in a very summary fashion. No in depth coverage of the cameras and/or techniques to access them.

Be aware that Protection1 is a home/business security monitoring type company and not likely to interest cybersecurity fans.

As far as the “troubling state of security cameras,” that depends upon who you ask.

If you are selling security solutions, it is click-bait for customers who want to be more secure.

If you are selling surveillance, access and data collection services, such cameras are additional data sources.

After posting Safe Sex and Safe Chat, I asked a close friend if they used Signal from Open Whisper Systems, thinsing it would be good to practice before security is an absolute requirement.

In response I was sent a link to: Internet privacy, funded by spooks: A brief history of the BBG by Yasha Levine.

I take that to mean they aren’t using Whisper. 😉

Levine’s factual points about U.S. government funding of Tor, Whisper, etc., accord with my general impression of that history, but I do disagree with his concluding paragraph:

…
You’d think that anti-surveillance activists like Chris Soghoian, Jacob Appelbaum, Cory Doctorow and Jillian York would be staunchly against outfits like BBG and Radio Free Asia, and the role they have played — and continue to play — in working with defense and corporate interests to project and impose U.S. power abroad. Instead, these radical activists have knowingly joined the club, and in doing so, have become willing pitchmen for a wing of the very same U.S. National Security State they so adamantly oppose.

So long as privacy projects release open source code, I don’t see any source of funding as problematic. Drug cartels would have to launder their money first but even rumored drug money spends just like other. Terrorists should step up just to bother and confound the FBI, which sees informational darkness around every corner.

So long as the funding is toward the same goal, security in communication and all the work product is open source, then I see no natural limits on who can be allies of these projects.

I say allies because I mean just that, allies. Who may have their own reasons, some fair and some foul, for their participation and funding. So long as we are advancing towards a common goal, that in other arenas we have conflicts, is irrelevant.

One of the primary reasons why so many groups in the 1960’s failed is because everyone had to agree to be soul-mates on every issue. If you want a potpourri of splinter groups who spend more time fighting among themselves than with others, take that tack.

If, on the other hand, you want funded, effective research that may make a real difference to you and your allies, be more focused on the task at hand and less on the intrinsic goodness (or lack thereof) of your allies.