As Graham points out, the FBI has been denied the fruits of its operation of a child porn site (alleged identities of consumers of child porn), but there is a deeper issue here beyond than defining malware.
The deeper issue lies in a portion of the FBI brief that Graham quotes in part:
…
“Malicious” in criminal proceedings and in the legal world has very direct implications, and a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious.
…
…
CARDINAL RICHELIEU. … Document three, the most important of all: A pardon — in case you get caught. It’s call a Carte Blanche. It has the force of law and is unbreakable, even by Royal fiat.
MILADY. (Reading it.) “It is by my order and for the benefit of the State that the bearer of this note has one what he has done.”
…
The FBI contends a court order, assuming it bothers to obtain one, operates as Carte Blanche and imposes no limits on FBI conduct.
Moreover, once a court order is obtained, reports by the FBI of guilt are sufficient for conviction. How the FBI obtained alleged evidence isn’t open to inspection.
Judges should disabuse the FBI of its delusions concerning the nature of court orders and remind it of its proper role in the criminal justice system. The courts, so far as I am aware, remain the arbiters of guilt and innocence, not the FBI.
Comments Off on FBI, Malware, Carte Blanche and Cardinal Richelieu
The instructions on preparing for a demonstration in Steal This Book read in part:
…
Ideally you should visit the proposed site of the demonstration before it actually takes place. This way you’ll have an idea of the terrain and the type of containment the police will be using. Someone in your group should mimeograph a map of the immediate vicinity which each person should carry. Alternative actions and a rendezvous point should be worked out. Everyone should have two numbers written on their arm, a coordination center number and the number of a local lawyer or legal defense committee. You should not take your personal phone books to demonstrations. If you get busted, pigs can get mighty Nosy when it comes to phone books. Any sharp objects can be construed as weapons. Women should not wear earrings or other jewelry and should tie their hair up to tuck it under a helmet. Wear a belt that you can use as a tourniquet. False teeth and contact lenses should be left at home if possible. You can choke on false teeth if you receive a sharp blow while running. Contact lenses can complicate eye damage if gas or Mace is used.
…
How would you update this paragraph for the age of smart phones?
You can do better than that, as Hoffman advises, leave your personal phone books (read smart phones) at home!
Your “whole life is on your phone.” Yes, I know. All the more reason to leave it out of the clutches of anyone interested in your “whole life.”
Buy clean burner phones in bulk.
Preset bookmarks for the protest area on Google maps, along with landmarks, rendezvous points, fall back positions, etc.
For texting during protests, create burner identities drawn from a list of characters in police shows, out of a hat. No changing, no choices. The same person should never re-use a burner identity. Patterns matter. (See the ACLU post for suggestions on secure messaging apps.)
Continue to write two phone numbers on your arm: coordination center and a local lawyer or legal defense committee.
Two reasons for these numbers on your arm: First, you may not have your cell phone when allowed to make a call from jail. Second, you should never have the number of another activist on your person.
Nothing takes the place of a site visit but technology has changed since Hoffman’s time.
High quality maps, photos, topographical (think elevation (high ground), drainage (as in running away from you)) features, not to mention reports of prior protests and police responses are available.
If my security suggestions sound extreme, recall that not all protests occur in the United States and even of those that do, not all are the “line up to be arrested” sort of events. Or are conducted in “free speech allotments,” like the upcoming Democratic and Republican political conventions this summer.
Comments Off on Securing Your Cellphone For A Protest
This past week, everyone’s been so focused on Hillary, Trump, police shootings and Dallas that few noticed that the Majority Staff of the House Homeland Security Committee finally released its encryption report — with some pretty big falsehoods in it. “Going Dark, Going Forward: A Primer on the Encryption Debate” is a guide for Congress and stakeholders that makes me wonder if we have a full-blown American hiring crisis for fact-checkers.
The report relied on more than “100 meetings with … experts from the technology industry, federal, state, and local law enforcement, privacy and civil liberties, computer science and cryptology, economics, law and academia, and the Intelligence Community.” And just a little bit of creative license.
The first line of the report is based on flat-out incorrect information.
…
Do us all a favor, read Violet Blue’s summary of the report and not the report itself.
Reading “Going Dark, Going Forward: A Primer on the Encryption Debate” will leave you mis-informed, annoyed/amazed at congressional committee ignorance, despairing over the future of civilization, and dumber.
I differ from Violet because I think the report is intended to mis-inform, mis-lead and set false terms into play for a debate over encryption.
That is not an issue of fact-checking but of malice.
Consider the “big lie” that Violet quotes from the report (its opening line):
“Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection — a phenomenon known as ‘going dark.'”
Every time that claim is made and repeated in popular media, a disclaimer should immediately appear:
The claim that encrypted communications were used to evade detection in the 2015 terrorist attacks in Paris and San Bernardino is a lie. A lie told with the intend to deceive and manipulate everyone who hears it.
I know, it’s too long to be an effective disclaimer. Do you think “Lying bastards!” in closed captioning would be clear enough?
These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order.
I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus convenience.
Don’t to use anything older than an iPhone 5S, it wouldn’t have the TPM.
Needless to say, use long unique passwords everywhere.
…
There are more than forty (40) tasks/sub-tasks to securing a travel iPhone so you best start well ahead of time.
No security is perfect but if you follow this guide, you will be more secure than the vast majority of travelers.
…A few years ago, Thomson Reuters purchased a company for $530 million. Part of this deal included a global database of “heightened-risk individuals” called World-Check that Thomson Reuters maintains to this day. According to Vice.com, World-Check is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current-day version of the database contains, among other categories, a blacklist of 93,000 individuals suspected of having ties to terrorism.
I have obtained a copy of the World-Check database from mid-2014.
No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.
This copy has over 2.2 million heightened-risk individuals and organizations in it. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.
I am posting this message in order to ask, “Should I release this database to the world?”. I want your opinion.
…
Yeah, right.
Chris’s question: “Should I release this database to the world?,” was moot from the outset.
This is pandering for attention at its very worst.
Chris could have put all of us on par with $1 million subscribers to the World-Check database but chose attention for himself instead.
There are only three sources of data:
Clients – Confidential until the client says release it, even in the face of government pressure (just good professional ethics).
Contract – Limited to by the terms you used for access. If you don’t want to agree to the terms, find another means of access. (falls under the “don’t lie” principle, governments do enough of that for all of us)
Other – Should be shared as widely and often as possible.
The World-Check database clearly falls under “other” and should have been shared as widely as possible.
Thomas Reuters and similar entities survive not because of merit or performance, but because people like Chris compensate for their organizational and technical failures. The public interest is not being served by preservation of a less than stellar status quo.
Not to mention leaking the list would create marketing opportunities. The criminal defense bar comes to mind.
The omission of SS7 vulnerability is particularly disturbing because in some ways, it has the easiest defense.
Think about it for a moment. What do I need as the premise for most (not all) successful SS7 hacks?
Your smartphone number.
Yes, information you give away with every email, contact information listing, website registration, etc. Not only given away, but archived and available to search engines.
If you don’t believe me, try running a web search on your smartphone number.
I understand that your smartphone number is as useful as it is widespread. I’m just pointing out how many times you have tied a noose around your own neck.
The best (partial) defense to SS7 attacks?
Limit the distribution of your smartphone number.
When someone omits a root problem of smartphone security, in a listing of smartphone security issues, how much trust can you put in the rest of their analysis?
Comments Off on PSA – Misleading Post On Smartphone Security
Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants. But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.
Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients. But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”
This conclusion was presented in a confidential report, reviewed by BuzzFeed News, that detailed the results of a hacking exercise run by Veris over three weeks in September and October last year. The report, submitted on October 19, has been closely guarded inside Palantir and is described publicly here for the first time. “Palantir Use Only” is plastered across each page.
It is not known whether Palantir’s systems have ever been breached by real-world intruders. But the results of the hacking exercise — known as a “red team” test — show how a company widely thought to have superlative ability to safeguard data has struggled with its own data security.
The red team intruders, finding that Palantir lacked crucial internal defenses, ultimately “had complete control of PAL’s domain,” the Veris report says, using an acronym for Palantir. The report recommended that Palantir “immediately” take specific steps to improve its data security.
“The findings from the October 2015 report are old and have long since been resolved,” Lisa Gordon, a Palantir spokesperson, said in an emailed statement. “Our systems and our customers’ information were never at risk. As part of our best practices, we conduct regular reviews and tests of our systems, like every other technology company does.”
…
Alden gives a lengthy summary of the report, but since Palantir claims the reported risks “…have long since been resolved” where is the Veris report?
Describing issues in glittering generalities isn’t going to improve anyone’s cybersecurity stance.
Hacking Facebook account is one of the major queries on the Internet today. It’s hard to find — how to hack Facebook account, but researchers have just proven by taking control of a Facebook account with only the target’s phone number and some hacking skills.
Yes, your Facebook account can be hacked, no matter how strong your password is or how much extra security measures you have taken. No joke!
Hackers with skills to exploit the SS7 network can hack your Facebook account. All they need is your phone number.
The weaknesses in the part of global telecom network SS7 not only let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale but also let them hijack social media accounts to which you have provided your phone number.
…
Swati’s post has the details and a video of the hack in action.
Of greater interest than hacking Facebook accounts, however, is the weakness in the SS7 network. Hacking Facebook accounts is good for intelligence gathering, annoying the defenseless, etc., but fundamental weaknesses in telecom network is something different.
Swaiti quotes a Facebook clone as saying:
“Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people,”
Here’s the video from Swati’s post (2:42 in length):
https://www.youtube.com/watch?v=wc72mmsR6bM
Having watched it, can you point out the “…significant technical and financial investment…” involved in that hack?
What investment would you make for a hack that opens up Gmail, Twitter, WhatsApp, Telegram, Facebook, any service that uses SMS, to attack?
Definitely a hack for your intelligence gathering toolkit.
Comments Off on Hacking Any Facebook Account – SS7 Weakness
For the second straight year, 75% of survey respondents have a significant cybersecurity risk exposure
Organizations that report more business-impacting security incidents are 65% more likely to have advanced cyber maturity capabilities
Half of those surveyed assess their incident response capabilities as either “ad hoc” or “nonexistent”
Less mature Organizations continue to mistakenly implement more perimeter technologies as a stop gap measure to prevent incidents from occurring
Government and Energy ranked lowest among industries in cyber preparedness
American entities continue to rank themselves behind both APJ and EMEA in overall cyber maturity
Relying on cybersecurity poverty making others more likely targets, is like increasing the size of a herd of sheep to reduce the odds of a wolf carrying off any particular one.
That works, but is of little consolation to the sheep that is carried off.
Are you depending on other sheep being carried off?
Comments Off on RSA Cybersecurity Poverty Index [Safety in Numbers?]
Security wasn’t Dimitar’s focus so the omission was understandable, but I can’t recall seeing any discussion of securing the results of intelligence gathering. Can you?
Are intelligence results by default subject to the same (lack of) security that most of us practice on our computers?
That’s ironic given that the goal of intelligence gathering is the penetration of other computers.
I agree that the suspect in that case has the far better argument (and case law), but on the other hand, you will note he has been in prison for seven months while the government argues it “knows” he is guilty.
The government’s claim of knowledge is puzzling because if they have proof of his guilt, why not proceed to trial? Ah, yes, that is an inconvenient question for the prosecution.
As I said, the case law appears to be on the side of the suspect but the prosecution has still cost him months of his life and depending on the decision of the Third Circuit, that could stretch into years.
An encrypted hard drive and refusal to unlock it may save you, at least for a while, from prosecution for hacking, but how much time do you want to spend in jail just for having an encrypted drive?
I’m not saying an encrypted drive is a bad idea, nice first line of defense but it isn’t a slam dunk when it comes to concealing information.
Within an encrypted drive, my concealment of captured hacking intelligence should meet the following requirements:
The captured hacking intelligence should be concealed in plain sight. That is a casual observer should not be able to distinguish the captured hacking intelligence file from any other file of a similar nature.
Even if the captured hacking intelligence file is identified, it should not be possible for a prosecutor to prove specified content was in fact recorded in that file.
As a counter to whatever fanciful claims by prosecutors, it should be possible to produce an innocent text from the captured intelligence file in a repeatable way. One that does not enable prosecutors to do the same thing with specified content.
Finally, it must be possible to effectively use and supplement the captured hacking intelligence content.
Notice that brevity is not a requirement. Storage space is virtually unlimited so unless you are creating an encyclopedia for one hacking job, I don’t see that as an issue.
Other requirements?
Suggestions for solutions that meet the requirements I outlined above?
Penetration testing simulates real cyber-attacks, either directly or indirectly, to circumvent security systems and gain access to a company’s information assets. The whole process, however, is more than just playing automated tools and then proceed to write down a report, submit it and collect the check.
The Penetration Testing Execution Standard (PTES) is a norm adopted by leading members of the security community as a way to establish a set of fundamental principles of conducting a penetration test. Seven phases lay the foundations of this standard: Pre-engagement Interactions, Information Gathering, Threat Modeling, Exploitation, Post Exploitation, Vulnerability Analysis, Reporting.
Intelligence gathering is the first stage in which direct actions against the target are taken. One of the most important ability a pen tester should possess is to know how to learn as much as possible about a targeted organization without the test has even begun – for instance, how this organization operates and its day-to-day business dealings – but most of all, he should make any reasonable endeavor to learn more about its security posture and, self-explanatory, how this organization can be attacked effectively. So, every piece of information that a pen tester can gather will provide invaluable insights into essential characteristics of the security systems in place.
…
Great introduction to intelligence gathering with links to some of the more obvious tools and coverage of common techniques.
As your tradecraft improves, so will your list of tools and techniques.
My only reservation is that Dimitar doesn’t mention how you capture the intelligence you have gathered.
Text document edited in Emacs?
Word document (shudder) under control of a SharePoint (shudder, shudder) server?
Spreadsheet?
Graph/Topic Map?
Intelligence gathering results in non-linear discovery arbitrary relationships and facts. Don’t limit yourself to a linear capture methodology, however necessary linear reports are for others.
My vote is with graphs/topic maps.
Since he didn’t mention recording your intelligence, Dimitar also doesn’t discuss how you secure your captured intelligence. But that’s a topic for another post.
Comments Off on Intelligence Gathering… [Capturing Intelligence]
In a nutshell, https://map.what3words.com/ has created a 3 by 3 meter grid on the Earth’s surface and assigned each block a three-word name. For the convenience of people accustomed to more conventional addresses, where available, you can submit an address and get the three-word name for that block back.
Excellent potential for a project name “Mis-Direction,” that needs an innocent name as a smartphone app.
You send someone a three-word block name and when displayed on their smartphone, it maps to the “canonical” location. Anyone using your phone will get that result.
However, if when the location is displayed, without a prompt or signal, if you enter a 5-digit code, the actual location intended by the sender is revealed.
Would require a mapping table between 3-word name as sent and 3-word name as intended, and the locations have to be plausible to any third party who might be tracking the communication or using your phone.
I would suggest allowing 5 tries to get the correct number because locations for demonstrations and other activities need to be operationally secure for only a matter of hours.
After that, anyone can follow the trail of emergency vehicles to a location that was a closely held secret only hours before.
It isn’t clear if the uptake on What3Words will be broad enough to have an impact at large political gatherings in the United States this year but the same re-mapping principle with password applies to more conventional mapping techniques as well.
Comments Off on Mis-Direction: Possible What3Words App
A man with intense eyes crouches over a laptop in a darkened room, his face and hands hidden by a black ski mask and gloves. The scene is lit only by the computer screen’s eerie glow.
But the reality is, as usual, less dramatic. While some of the largest cyberattacks have been the work of state-sponsored hackers—the OPM data breach that affected millions of Americans last year, for example, or the Sony hack that revealed Hollywood’s intimate secrets—the vast majority of the world’s quotidian digital malice comes from garden-variety hackers.
…
What a downer this would be at career day at the local high school.
Yes, you too can be a hacker but it’s as dull as anything you have seen in Dilbert.
Your location plays an important role in whether Russian hacking ring employment is in your future. Kaveh reports:
…
Even the boss’s affiliates, who get less than half of each ransom that they extract, make a decent wage. They earned an average of 600 dollars a month, or about 40 percent more than the average Russian worker.
…
$600/month is ok, if you are living in Russia, not so hot if you aspire to Venice Beach. (It’s too bad the beach cam doesn’t pan and zoom.)
The level of technical skills required for low-lying fruit hacking is falling, meaning more competitors for the low-end. Potential profits are going to fall even further.
The no liability for buggy software will fall sooner rather than later and skilled hackers (I mean security researchers) will find themselves in demand by both plaintiffs and defendants. You will earn more money if you can appear in court, some expert witnesses make $600/hour or more. (Compare the $600/month in Russia.)
Even if you can’t appear in court, for reasons that seem good to you, fleshing out the details of hacks is going to be on demand from all sides.
You may start at the shallow end of the pool but resolve to not stay there. Read deeply, practice everyday, start current on new developments and opportunities, contribute to online communities.
Comments Off on How to Run a Russian Hacking Ring [Just like Amway, Mary Kay … + Career Advice]
I recently had an exchange with the notorious hacker who hacked Hacking Team, a now infamous Italian company that sold spyware to oppressive regimes, which was used to target dissidents and journalists with spyware. Previously, the hacker breached Gamma Group, a similar corporation and dumped 40GB of files onto the Internet*. HB! was able to penetrate their customer support portal, where they obtained a list of targets in Bahrain . While 40GB seems like a large number, 30+ GB of it is a password protected zip file, presumably (according to HB) containing a full copy of the FinFisher server software, that no one has cracked.
(image omitted)
The Hacking Team breach was much larger, containing about 400GB of useful files. These hacks, besides being technically interesting, seems driven by political and human rights concerns. Further, by releasing their emails and source code, we found key details of how these corporations operate, an example being the CEO of Hacking Team ending all of his emails with a famous line attributed to Benito Mussolini.
By releasing the source code, some zero days that these corporations were using have been patched, they have lost numerous clients and their own engineers are leaving the field. The technical details of the hack are quite interesting themselves as the techniques are quite sophisticated. The hacker, who uses several alias including Hack Back!, Gamma Group PR and Phineas Phisher recently attacked a police “union” in Barcelona. In one of the most interesting hacks, Hack Back! exfiltrated a bunch of Bitcoin and sent it to Rojava in their struggle for autonomy against multiple international forces, including ISIS.
We spoke over a variety of topics including secure computation, anarchism, international solidarity, and prison abolition. Our transcript has been lightly edited, translated and some details left out for operation security purposes. I use the name HB to refer to his Hack Back! alias.
…
It’s an interesting and inspirational interview.
However, questions about political groups, books, music, etc., result in tells that even fairly inept government agents could follow.
At the very least, conduct interviews with hackers through intermediaries who can change language style and omit information that obviously leads to tells.
Better yet: Don’t ask. Don’t Tell.
What isn’t written down or spoken aloud is incapable of being discovered.
Yes?
Comments Off on Hack Back! — (Interview, OpSec Tips)
Car thieves generally have low social status. After all, for the most part they “hot-wire,” find cars with the keys left in them, or more recently, resort to car jacking. None of which requires any degree of intelligence and/or organization.
That may be about to change, at least for modern car thieves.
…
Drivers of the Mitsubishi Outlander Hybrid could be vulnerable to being hacked through the car’s Wi-Fi console. A flaw was recently discovered that could allow hackers to disable the alarm before the car was stolen.
Beyond disabling the alarm, cyberattackers could drain the car’s battery life, and even start the vehicle on some models.
Researchers discovered the vulnerability because of how the car’s Wi-Fi module works. Rather than using a GSM module, the Mitsubishi Outlander allows mobile devices to connect to the car by hosting its own Wi-Fi access point. This means your device must first disconnect from any other networks to connect.
It took researchers less than four days to hack into the system and explore the potential destruction hackers could create.
…
The first one took four days but with the hints in Kelli’s post, I suspect a trained researcher could perform the hack in less than four days.
Within a few months, Mitsubishi Outlander “apps” will appear that let you open and start any Outlander on a parking lot.
How impressive with that be for your date? Just pick one.
Not that you should take a vehicle other than your own joy-riding, but considerate joy-riders leave the vehicle clean, unlocked and in a well-lighted location.
Comments Off on Car Thieves Get A Bump In Social Status
Sign-up to receive an email when a new public bounty launches or when a bounty increases their high-end reward amount.
Bounty announcement for web, mobile, IoT, automotive, and network/host.
Looking a bit further, this is from bugcrowd, whose what-we-do page reports:
IT TAKES A CROWD TO BEAT A CROWD
Companies are in an unfair fight when it comes to cybersecurity. Regardless of how robust security efforts are, companies will always be outnumbered by the thousands of malicious hackers worldwide. We bring thousands of good hackers to the fight, helping companies even the odds and find bugs before the bad guys do.
…
As of today, fifty-four (54) current programs, 28 for rewards, 26 for points and 1 for charity.
It has attracted non-trivial venture capital, Series B, $15M, so take that as a positive sign.
Bugcrowd proposes that a density of “good hackers” is more useful than current software practices in detecting vulnerabilities.
What density of “good hackers” is required, for what types of software, what rewards are required to attract that density of “good hackers,” etc., remain open questions.
However, given the record of software vulnerabilities to this point, bugcrowd’s density of “good hackers” approach could hardly do worse than current practices.
Personally I think rewards need to increase to the point where “good hackers” can make a reasonable living.
Bettering software for the “common good” doesn’t pay utility bills or mortgage notes.
Liability for selling or using vulnerable software would help drive a rewards based “good hacker” economy.
Comments Off on Public Bounty Launch Newsletter (Are Hackers, Bugs or Both Dense?)
The year 2016 has beenhard on internet usersandwebsites alikesince more than1,076data breaches have occurred. The latest one is ShOping.su previously known asShOping.net, a Dark Net platform where hackers and cyber criminals sell hacked and stolen accounts. Recently, someone decided to take care of the stolen data stored on ShOping.su’s server by stealing thousands of accounts and putting it for sale online – But days after the hackers decided to leak the data to the public.
The hackers behind the leak claim to have leaked 16,000 ShOping.su’s registered accounts, 15,000 user accounts which were stolen from other sites and stored on the hacked servers and around 9000 credit card data. Hacked-DB, the data mining company who first discovered the data contacted HackRead with an in-depth analysis according to them the leaked data is legit and stolen from platforms across the web. The dumped data contains 16,566 user accounts with email addresses and their encrypted passwords, 9,000 accounts from platforms like Uber, cPanel, WebMail, GoDaddy, Twitter, PayPal, Amazon and more. (The 9,000 accounts were available on ShOping.su for sale.)
The analysis also revealed sensitive data dumped containing personal and credit card data of 5,000 users including ID card numbers, social security numbers, credit card numbers along with their CVV codes, type of card, zip code, users’ date of births, name or the state and city, phone numbers, usernames, email addresses, price and date of purchased.
“Hacked-DB has detected a data breach onShOping.suwebsite. The leaked data contains user account information and full credit card details, credit number, CVV, expiration date, holder name, credit type etc. the website was down for maintenance after the data breach but now it is back online,” said the company’s representatives.
…
Just for conversation, let’s assume you want to traffic in stolen credit card information. Not that you would but just for conversation.
Question: As you are about to engage in credit card fraud, would you record your true name, address, credit card information on a website that traffics in stolen credit card information?
Question: Have you read any stories lately about credit card information being stolen from websites?
Question: Do you have any uneasiness about sharing your credit card information on a site owned and operated by self-professed criminals?
Unless all the 16,000 ShOping.su’s registered accounts turn out to have 1060 West Addison (Wrigley Field, Chicago) addresses and equally bogus other information, whatever happens to ShOping.su’s clients is well deserved.
Law enforcement agencies are likely sharing that data by geographic areas even as I write this post.
If you ever decide to become a criminal (not recommended), try to follow Dogbert’s advice in this chain letter cartoon.
A “slug” is a mental object about the size and weight of a coin and can be placed in a vending machine, some of which will credit you as if money were deposited. Condom vending machines are frequent victims of “slugs.”
Das and Spicer report that the Fed rejected improperly formatted requests, only upon resubmission later that day, pay out $101 million, $20 which was reversed do to a misspelling.
After reading Das and Spicer, should the Superman’s fortress key or the condom vending machine image appear on the next cybersecurity report for the Federal Reserve Bank of New York?
Police properly applied a legal doctrine allowing it to refuse to acknowledge the existence of records, requested under state Freedom of Information Law, that related to surveillance programs, a Manhattan appeals court found.
The ruling by the Appellate Division, First Department, settles a dispute between two trial judges who disagreed in 2014 as to whether the New York City Police Department could use the “Glomar Doctrine.” The policy allows federal departments to cite security concerns to neither confirm nor deny the existence of records requested under the federal Freedom of Information Act.
The doctrine is named for an inquiry into a salvage operation of a Soviet nuclear submarine by a ship named the Hughes Glomar Explorer.
…
An NYPD spokesman commented:
“We are all safer because of this ruling, which confirms that the NYPD is not required to reveal the targets of counterterrorism surveillance,” department spokesman Nicholas Paolucci said.
I would agree with Paolucci had he said:
“Illegal, unauthorized and abusive ‘counterterrorism surveillance’ will be safer because of this ruling.”
National (think FBI) and local law enforcement authorities have long histories of illegal misconduct, a large amount of which is only discovered years or even decades later. There is no reason to believe that “counterterrorism surveillance” is any less prone to similar abuses.
Without public oversight and transparency, “counterterrorism surveillance” is a recipe for an ongoing abuse of the rights.
Having denied the access needed for meaningful public oversight, the courts and NYPD should not complain about uncontrolled releases of the same information.
When faced with an on-again/off-again democracy, what alternative does the public have?
FireEye threat researchers have found a complex malware instance that borrows tricks from Stuxnet and is specifically designed to work on Siemens industrial control systems.
Josh Homan, Sean McBride, and Rob Caldwell named the malware “Irongate” and say it is probably a proof-of-concept that is likely not used in wild.
Industrial control system malware are complex beasts in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.
The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.
…
See Darren’s post for references on the “replay” mechanism used by “Irongate.”
What caught my attention was: “…often weird, archaic, and proprietary systems.”
Does that sound like SWIFT and financial software in general?
If SWIFT and related software has the vulnerability characteristics of Flash, the financial community is in deep doo-doo.
Won’t know until someone spends some serious time with that weird, archaic, and proprietary system known as SWIFT.
You should get an account at TotalVirus. Reported as where “Irongate” first appeared.
Comments Off on Weekend Hacking Homework: “Irongate” (SWIFT)
My take away from Grant’s report is the Fed had cybersecurity incidents. Full stop. How does that compare to other financial institutions? Don’t know, no one says. What happened as a response to those attacks? Don’t know or at least no one says. (Security by obscurity.)
The high point of Grant’s article was this passage:
The banking system is often a “hard target,” but the potential rewards are high for attackers who have a sophisticated skill set, added Richard Ford, chief scientist at security vendor Forcepoint. “There’s a certain brand of attacker who loves going after banks,” he said. “That’s really where the money is.”
Something we can all agree on and quite possibly, that’s becoming common knowledge.
After the SWIFT attacks, you have to wonder if the ‘hard target’ reputation of banks and the finance sector is bluff and bravado or something more serious?
So long as security by obscurity is SOP (standard operating procedure), that question will go unanswered, until it is too late.
Comments Off on Experts Agree, Banks Are Where The Money Really Is
Dissent Doe summarizes the facts of this case saying:
…Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.
…
Take these recent events with Shafer as an incentive to read up on the Andrew “weev” Auernheimer proceedings (reversed on venue grounds on appeal).
The legal briefs in Auernheimer are linked at the bottom of this post.
The briefs run five hundred and thirty-nine (539) pages.
That’s five hundred and thirty-nine (539) pages researched, written, edited and polished, all while Auernheimer was in jail.
While reading Orin’s much shorter account and/or the briefs, keep this question in mind:
What pre-condition must exists for the Auernheimer case?
There is one and while obvious, it is often assumed.
I like reading briefs, chasing down references, etc., but unlike Auernheimer was, I’m not sitting in jail, hoping that the appeals court will rule in my favor.
That’s a big difference to keep in mind when debating “great issues.” Some in the debate have more “skin in the game” than others.
I fully agree the poorly written and even more poorly applied Computer Fraud and Abuse Act (CFAA) should be reformed. Dissent Doe mentions a number of supporters for such reform in her post.
However, lots of things that should be true:
Robert Mugabe should no longer hold political power anywhere. So long as we are wishing, Mugabe should live long enough to pay for his many crimes. (A very long time.)
War criminals named in the Iraq Inquiry report should be extradited from their home countries and face war crimes tribunals in the Hague. This report is due out 6 July 2016.
Military spending in every country should be reduced to equal that of Laos.
You may have a different list of “things that should be true,” but aren’t.
Accepting that, the question becomes how to avoid being snared by it?
Here’s a visual analogy for Shafer and Patterson/FBI:
Can you guess which of the things depicted in this image is Shafer and which is the Patterson/FBI?
The precondition for the Auernheimer case?
A nail that can be distinguished from all the other nails.
Knowing there are lots of nails doesn’t result in any search or arrest warrants. Having a nail you can point to does.
You may feel like (as I do) that’s unfair, the law should be different (sane), etc. Cf. my list and your lists of things that should be true.
I freely admit the cause of intellectual freedom can use martyrs and if you want to be one, test the limits of Computer Fraud and Abuse Act (CFAA), etc., be my guest.
On the other hand, being free to land body blows (legal ones of course) on corrupt and inept government agencies, their agents and masters, serves the cause of intellectual freedom as well.
Dissent Doe captures where I think Shafer went wrong:
…
Shafer discovered the exposed patient data at the beginning of February and contacted DataBreaches.net to request help with the notification and responsible disclosure. Both DataBreaches.net and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time. Over the next few days, we emailed or called Patterson; Timberlea Dental Clinic in Alberta, Canada; Dr. M Stemalschuk in Canada; Massachusetts General Hospital Dental Group; and Dr. Rob McCanon.
Only after Shafer determined that the patient data had been secured did he and DataBreaches.net disclose the incident publicly. As reported on DataBreaches.net, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others. It is not clear how long the publicly accessible FTP server was available, and Patterson Dental did not answer the questions DataBreaches.net asked of it on the matter. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years. In an email statement, he wrote (typos corrected):
“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”
…
Shafer was waving a red flag to mark his location with “hit me” hand painted on the flag.
The result, so far, you know.
Even if the case goes no further, some other PR hungry Assistant United States Attorney (AUSA) could snatch someone else up for equally specious reasons.
If they wave a red flag with “hit me” hand painted on it.
There are seven types of criminal activity enumerated in the CFAA: obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer. Attempts to commit these crimes are also criminally punishable.
If you are not identified with any acts arguably covered by Computer Fraud and Abuse Act (CFAA), your odds of being arrested for such acts is greatly diminished.
Take the present facts. Clearly insane to claim that access to public data is ever unauthorized.
Multiple Choice Question:
Who is in jail as a result of: an insane view of the law + complaining witness + ASUS = warrant for your arrest.
A. The ASUS?
B. The complaining witness?
C. You?
If by accessing a server (doesn’t matter whether public, private, arguable) and you discover medical records, without revealing your identity, notify plaintiff’s attorneys in the legal jurisdictions where patients live or where the potential defendants are located.
If that seems to lack the “bang” of public shaming, consider that setting plaintiffs lawyers on them makes terriers hunting rats look quite tame. (not for the faint of heart)
You accomplish your goal of darkening the day for some N number of wrong-doers, increasing (perhaps) the protection offered patients, at a greatly diminished risk. A diminished risk that enables you to continue to do good deeds.
There are no, repeat no legal systems that give a shit, if you and all of your friends on social media think it is “unfair.” I may well agree with you too but entanglement in any legal system, even if you “win,” you have lost. Time, money, stress, etc.
Non-identification, however you accomplish that, is one step towards avoiding such entanglements.
Think of non-identification as the red team side of topic maps. The blue team tries to identify subjects while the red team attempts to avoid identification. A number of practical and theoretical issues ensue.
I reproduced the list, sans their annotations and gave you some useful links on each possible attack.
Two-factor authentication is an improvement over current SWIFT security, when it is used, but that hardly qualifies for a welcome into ranks of modern cybersecurity. Or as Paul puts it:
…
Apparently, however, SWIFT was not so swift. Only now, after the Bangladeshi attack (and others on banks in the Phillipines and Vietnam) will the bank move to expand its use of two-factor authentication. I would have assumed that for an organization like SWIFT, where security was a critical component of the business model, two-factor authentication would have been implemented long ago. That it has not been until now is simply incredible and says something very bad about SWIFT — for the failure is not just a lapse of technical implementation. The gap suggests very large failures of risk management and organizational governance — and that is not a good thing in an institution that is at the core of the world’s financial system.
I take that to mean there are technical, management and organizational vulnerabilities awaiting discovery and exploitation in SWIFT.
Take heart hackers of the world! Perhaps reporting a vulnerability will get you a new toaster.
(Non-Americans, the “toaster with a new bank account” isn’t a myth. According to Eddy Elfenbein, banks gave away toasters to pass cost savings onto depositors. How’s that for banking trivia?)
Comments Off on …The Word “Foolish” Is Spelled “SWIFT” [Two-Factor Authentication As Improvement. Really?]
Militant death cult Daesh released an audio message from spokesperson Abu Muhammad al-Adnani on Saturday, a much-anticipated event among the group’s supporters.
So overcome with excitement where they that some photographed handwritten messages of support and published them to channels on Telegram, the encrypted messaging app where many pro-Daesh communities interact.
The only problem? Many included clues as to their location and have since been tracked down by Twitter users around the world. Eliot Higgins, founder of Bellingcat and a member of the First Draft Coalition, first saw “ISIS watchers” sharing the pictures on social media and corralled his followers into tracking down their location.
Four locations have so far been found, revealing not only the same scenery as in the pictures, but the likely position of the photographer. The locations include a private home, an apartment building and a hotel. Authorities have been alerted.
“There were more images, not that many,” Higgins said, “but the ISIS supporters were retweeting like crazy and trying to get this whole thing trending in Paris and claiming Amsterdam and London.
…
Ignore the political tone of this post and focus on the breaches of operational security that exposed the posters so quickly.
If I were writing a book on operational security, this would be chapter 2. Chapter 1 would be on not making time stamped chat logs while you are carrying out hacks, etc.
Don’t hold me to the chapter hierarchy, I suspect even dumber mistakes have been made.
Along with the photos themselves, this post would make a great training tool.
Possible homework assignment: Students take “propaganda” photos, exchange them with classmates, attempt to discover location, etc.
Better to discover your inability to maintain operational security in a classroom setting than elsewhere.
Comments Off on Bad Operational Security – Real Life Example – ISIS ‘fanboys’
We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.
…
The post goes onto note these avenues of infection:
Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).
…
If you think that sounds bad, consider one of the recommended means for avoiding Ransom:Win32/ZCryptor.A:
Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)
And the other reasons for using the Internet would be? 😉
The best technical commentary I have found on SWIFT attacks is TWO BYTES TO $951M by Sergei Shevchenko (25 April 2016). (Bangladesh Bank’s (BB) SWIFT payment system attack.)
Sergei reports on malware used in the February 2016 attack on Bangladesh Bank’s (BB) SWIFT payment system. Malware thought to be part of a larger attack toolkit is identified, analyzed along with how the fraud was concealed.
I have gone through approximately thirty (30) reports that cite one or more of the malware file names and I have found no information beyond Sergei’s report. Avoid the duplication and repetition, start and end with Sergei’s report. (At least for now, new technical reports may emerge.)
In an amusing twist, SWIFT found out about the breach from a Reuters query about the breach. Apparently banks are no better at sharing information among themselves than they are with the public.
Banco del Austro (BDA) filed suit in New York State Court and Wells Fargo removed that case to the Federal District Court for the Southern District of New York. The original complaint appears as Exhibit A of the removal notice. (full text) The docket number in Federal District Court is: 1:2016-cv-00628.
You may not be experienced in reading legal pleading but you should take a look at Exhibit A. Wells Fargo is said to have “boosted,” “assured,” etc. In addition to being a fun read, you will gain some insight into the operation of SWIFT.
While writing this up, I discovered other resources you may find useful:
One step towards evaluating the security of SWIFT, is to collect and collate all the public information about SWIFT. Not a freebie, anyone interested purchasing/sponsoring such a collection?
Comments Off on SWIFT Network – “that’s where the money is” (Slick Willie Sutton)
Lawmakers crafting a massive annual Pentagon policy want the Defense Department to be able to provide off-the-clock cybersecurity protection to DOD personnel deemed “to be of highest risk of vulnerability to cyberattacks on their personal devices, networks and persons,”
That provision is included in the Senate’s version of the National Defense Authorization Act, which is headed for a vote in the Senate this week. Along with personal “cyber protection support,” the Senate bill would overhaul the role of the Pentagon chief information officer.
…
The phrase “off-the-clock” struck me as odd, even with lengthy experience at reading poorly written laws.
If you bother to check the text you will find:
…
Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters
SEC. 1631. CYBER PROTECTION SUPPORT FOR DEPARTMENT OF DEFENSE PERSONNEL IN POSITIONS HIGHLY VULNERABLE TO CYBER ATTACK.
(a) Authority To Provide Support.—The Secretary of Defense may provide cyber protection support to personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons.
(b) Nature Of Support.—Subject to the availability of resources, in providing cyber protection support pursuant to subsection (a), the Secretary may provide personnel described in that subsection training, advisement, and assistance regarding cyber attacks described in that subsection.
(c) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the provision of cyber protection support pursuant to subsection (a). The report shall include a description of the methodology used by the Secretary to determine the positions in the Department that are of highest vulnerability to cyber attacks for purposes of subsection (a).
…
No mention of “off-the-clock,” “round-the-clock,” “24×7,” etc.
Granting that Jack goes onto say:
…
Under the Senate bill, the Defense secretary would be authorized to identify high-risk positions and provide “training, advisements and assistance regarding cyberattacks,” according to the bill.
Neither man is a DOD employee, but the incidents raised concerns about the cybersecurity vulnerabilities posed by top government officials’ private email accounts.
The proposed move also comes amid increasing concerns about targeted malicious emails — phishing and “social engineering” attacks — aimed at tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails.
…
I think the critical text reads:
…tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails….
Let’s amend the Senate version to make it more effective than the proposed cyber-nannies:
Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters
SEC. 1631. REDUCTION OF RISKS FROM PHISHING ATTACKS ON DOD PERSONNEL
(a) Preparation To Detect Phishing Susceptibility.—The Secretary of Defense shall designate personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons, and publish a list of those personnel with their email addresses to Facebook.
(b) Detection Of Phishing Susceptibility.—The Secretary of Defense shall publish on Facebook an invitation for any citizen of any country to create and cause to be delivered, a phishing email to any of the personnel designated in (a), exempt from any statutes of the United States or its several states, prohibiting such emails. Upon receipt of proof of designated personnel being deceived by a phishing email, the Secretary of Defense will cause to be transmitted to the sender of such email, the sum of $5,000.00.
(c) Consequences Of Phishing Susceptibility.—The Secretary of Defense, upon receipt of proof of deception by phishing email, shall immediately cause to be suspended, all electronic or physical access to any and all DoD services and/or locations. This suspension will remain in effect until the person in question has been separated from their service.
(d) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the ongoing progress towards reducing phishing susceptibility at the Department of Defense.
Want to improve cybersecurity at the Department of Defense?
Test and separate personnel based on their susceptibility to phishing attacks.
Far saner and more effective than “off-the-clock” cyber-nannies.
Comments Off on Defense Department “Off-The-Clock” Cyber-Nannies
…
Later this year we plan to change how Chromium hints to websites about the presence of Flash Player, by changing the default response of Navigator.plugins and Navigator.mimeTypes. If a site offers an HTML5 experience, this change will make that the primary experience. We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site (see the proposal for the mock-ups).
To reduce the initial user impact, and avoid over-prompting, Chrome will introduce this feature with a temporary whitelist of the current top Flash sites(1). This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.
Chrome will also be adding policy controls so that enterprises will be able to select the appropriate experience for their users, which will include the ability to completely disable the feature.
…
Any move away from Flash is good news but the unintended consequences of this news tempers my joy.
First, the Flash whitelist signals that delivery of Flash malware should concentrate on the top ten sites:
YouTube.com
Facebook.com
Yahoo.com
VK.com
Live.com
Yandex.ru
OK.ru
Twitch.tv
Amazon.com
Mail.ru
Second, offering users the option to run Flash, in spite of warnings, guarantees Flash will remain an expressway into your computer for years to come.
Third, as Flash usage drops, what is the likely curve of funding for fixing new bugs found in Flash? (That’s what I think as well.)
I don’t have a better alternative to offer, except to suggest that enterprises that care about security should offer cash bonuses to departments that abandon Flash altogether.
PS: Adobe should notify the community when the last copy of the source code for Flash is erased. To avoid some future computer archaeologist digging it up and becoming infected.
Comments Off on Unintended Consequences Of Slowly Strangling Flash To Death
In August of 2014, a hacker shook the cybersecurity world by exposing the secrets of the infamous government surveillance vendor Gamma Group, the makers of the spyware FinFisher.
The hacker jokingly called himself Phineas Fisher, publicizing the hack and taunting the company on Twitter. He also wrote a detailed guide on how he breached Gamma—not to brag, the hacker wrote, but to demystify hacking and “to hopefully inform and inspire you to go out and hack shit.”
Then, Phineas Fisher went dark. For almost a year, his public profiles remained silent. Given that he had just upset a company that sold tools to dozens of spy and police all over the world, it seemed like a wise move.
“For politically minded hackers, Phineas is a legend already.”
…
See Lorenzo’s post for a short history of Phineas Fisher.
I prefer my title because “notorious” and “hacker” imply that Phineas has transgressed in some way.
In the view of some legal systems, Phineas has transgressed but even within those systems, transgression is a matter of whim and caprice.
Phineas has acted, no more or less than the Koch brothers, to influence public opinion. Every citizen has the right to influence government action, theirs and others.
Phineas is using information instead of cash to influence government but that distinction matters only to cash hungry politicians and cash flush favor seekers who want to feed them.
“Western democracies” don’t engage in, for the most part, in qui pro quo style corruption. Donors routinely contribute money, year in and year out and not surprisingly, when government decisions are to be made, they have a place at the decision making table. And when the decision making is done, a larger share of government benefits than others.
Information activities, such as those by Phineas, have the potential to create a publicly traded information economy. Imagine if rather than slow leak of the Panama Papers, they appeared on an Information Exchange, where you could bid on some or all of the data for particular countries.
Ownership could be, but not necessarily be, exclusive. Your ownership of the data for China, for example, would in no way interfere with my ownership of the same information.
Make no mistake, Snow Crash, like the mistaken for reality tale Atlas Shrugged, is a work of fiction. Despite the potential for the dawning of a new future, the present power system will put you in jail today.
Phineas Fisher is an inspiration for a cyber-aware citizenry gathering and distributing information. Hopefully he will also inspire better operational security in those efforts as well.
Comments Off on Inspiring Next-Gen Citizens – Phineas Fisher
