Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

November 7, 2017

Built-in Keylogger – Penetration Strategy?

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:35 pm

Built-in Keylogger Found in MantisTek GK2 Keyboards—Sends Data to China by Swati Khandelwal.

From the post:


The popular 104-key Mantistek GK2 Mechanical Gaming Keyboard that costs around €49.66 has allegedly been caught silently recording everything you type on your keyboard and sending them to a server maintained by the Alibaba Group.

Serious keylogging requires more stealth than Khandelwal reports but the idea is a good one.

When renting computers or a furnished office with computers, who is going to check all the systems for keyloggers?

Or if you sponsor a “contest” where the winner gets a new keyboard?

Or upgrades at a Fortune 100 or one of the top law firms includes new keyboards?

Or computers and keyboards are donated for use in public libraries?

Phishing is easier and cheaper than a built-in keylogger for a keyboard but don’t overlook hardware approaches for particularly tough cases.

Intel MINIX – Universal Vulnerability?

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 7:03 pm

MINIX — The most popular OS in the world, thanks to Intel by Bryan Lunduke

Unless most claims of being “widespread,” the claims about MINIX, a secret OS on Intel chips, appear to be true.

From the post:


MINIX is running on “Ring -3” (that’s “negative 3”) on its own CPU. A CPU that you, the user/owner of the machine, have no access to. The lowest “Ring” you have any real access to is “Ring 0,” which is where the kernel of your OS (the one that you actually chose to use, such as Linux) resides. Most user applications take place in “Ring 3” (without the negative).

The second thing to make my head explode: You have zero access to “Ring -3” / MINIX. But MINIX has total and complete access to the entirety of your computer. All of it. It knows all and sees all, which presents a huge security risk — especially if MINIX, on that super-secret Ring -3 CPU, is running many services and isn’t updated regularly with security patches.

For details, see Replace your exploit-ridden firmware with a Linux kernel, by Ron Minnich, et. al. (Seventy-one (71) slides. File name: Replace UEFI with Linux.pdf. I grabbed a copy just in case this one goes away.)

Intel material on UEFI.

Unified Extensible Firmware Interface Forum, consortium website. For the latest versions of specifications see: http://www.uefi.org/specifications but as of today, see:

ACPI Specification Version 6.2 (Errata A)

ACPI can first be understood as an architecture-independent power management and configuration framework that forms a subsystem within the host OS. This framework establishes a hardware register set to define power states (sleep, hibernate, wake, etc). The hardware register set can accommodate operations on dedicated hardware and general purpose hardware. [page 1.] 1177

UEFI Specification Version 2.7 (Errata A)

T
his Unified Extensible Firmware Interface (hereafter known as UEFI) Specification describes an interface between the operating system (OS) and the platform firmware. UEFI was preceded by the Extensible Firmware Interface Specification 1.10 (EFI). As a result, some code and certain protocol names retain the EFI designation. Unless otherwise noted, EFI designations in this specification may be assumed to be part of UEFI.

The interface is in the form of data tables that contain platform-related information, and boot and runtime service calls that are available to the OS loader and the OS. Together, these provide a standard environment for booting an OS. This specification is designed as a pure interface specification. As such, the specification defines the set of interfaces and structures that platform firmware must implement. Similarly, the specification defines the set of interfaces and structures that the OS may use in booting. How either the firmware developer chooses to implement the required elements or the OS developer chooses to make use of those interfaces and structures is an implementation decision left for the developer.

Using this formal definition, a shrink-wrap OS intended to run on platforms compatible with supported processor specifications will be able to boot on a variety of system designs without further platform or OS customization. The definition will also allow for platform innovation to introduce new features and functionality that enhance platform capability without requiring new code to be written in the OS boot sequence. [page 1.] 2575

UEFI Shell Specification Version 2.2

The UEFI Shell environment provides an API, a command prompt and a rich set of commands that extend and enhance the UEFI Shell’s capability. [page 1] 258

UEFI Platform Initialization Specification Version 1.6

This specification defines the core code and services that are required for an implementation of the Pre-EFI Initialization (PEI) phase of the Platform Initialization (PI) specifications (hereafter referred to as the “PI Architecture”). This PEI core interface specification (CIS) does the following:
[vol. 1, page 1] 1627

UEFI Platform Initialization Distribution Packaging Specification Version 1.1

This specification defines the overall architecture and external interfaces that are required for distribution of UEFI/PI source and binary files. [page 1] 359

TCG EFI Platform Specification

PC Client Work Group EFI Platform Specification, Version 1.22, Revision 15

This document is about the processes that boot an Extensible Firmware Interface (EFI) platform and load an OS on that platform. Specifically, this specification contains the requirements for measuring EFI unique events into TPM PCRs and adding boot event entries into the Event Log. [page 5] 43

TCG EFI Protocol Specification

PC Client Work Group EFI Protocol Specification, Family “2.0”, Level 00, Revision 00.13

The purpose of this document is to define a standard interface to the TPM on an EFI platform. This standard interface is useful on any instantiations of an EFI platform that conforms to the EFI Specification. This EFI Protocol Specification is a pure interface specification that provides no information on “how” to construct the underlying firmware implementation. [page 9] 46

By my count, 5,585 pages from the Unified Extensible Firmware Interface Forum, consortium website alone.

Of course, then you need to integrate it with other documentation, your test results and the results of others, not to mention blogs and other sources.

Breaking this content into useful subjects would be non-trivia, but how much are universal vulnerabilities worth?

November 1, 2017

Oracle Identity Manager Sets One Black Space Password – Functional “Lazy” Hacking?

Filed under: Cybersecurity,Oracle,Security — Patrick Durusau @ 4:02 pm

Oracle Identity Manager – Default User Accounts

From the webpage:


OIMINTERNAL

This account is set to a ‘run as’ user for Message Driven Beans (MDBs) executing JMS messages. This account is created during installation and is used internally by Oracle Identity Manager.

The password of this account is set to a single space character in Oracle Identity Manager database to prevent user login through Oracle Identity Manager Design console or Oracle Identity Manager System Administration Console.

Do not change the user name or password of this account.

That’s right! Hit the space bar once and you’ve got it!

What’s more, it’s a default account!

Is this “functional hacking?” Being lazy and waiting for Oracle to hack itself?

October 28, 2017

The Little Black Box That Took Over Piracy (tl;dr – Read or Watch GoT?)

Filed under: Cybersecurity,Entertainment,Security — Patrick Durusau @ 7:56 pm

The Little Black Box That Took Over Piracy by Brian Barrett.

At > 2400 words, Barrett’s report on Kodi is a real time sink.

Three links instead:

  1. TV Addons
  2. AliExpress.com
  3. HOW-TO:Install Kodi for Linux

Enjoy!


At “Enjoy” 33 words versus > 2400. Comments?

Useless List of Dark Web Bargains – NRA Math/Social Science Problems

Filed under: Cybersecurity,Dark Web,Malware,Security — Patrick Durusau @ 3:00 pm

A hacker’s toolkit, shocking what you can buy on Dark Web for a few bucks by Mark Jones.

From the post:

Ransomware

  • Sophisticated license for widespread attacks $200
  • Unsophisticated license for targeted attacks $50

Spam

  • 500 SMS (Flooding) $20
  • 500 malicious email spam $400
  • 500 phone calls (Flooding) $20
  • 1 million email spam (legal) $200

What makes this listing useless? Hmmm, did you notice the lack of URLs?

With URLs, a teacher could create realistic math problems like:

How much money would Los Vegas shooting survivors and families of the deceased victims have to raise to “flood” known NRA phone numbers during normal business hours (US Eastern time zone) for thirty consecutive days? (give the total number of phone lines and their numbers as part of your answer)

or research problems (social science/technology),

Using the current NRA 504c4 report, choose a minimum of three (3) directors of the NRA and specify what tools, Internet or Dark Web, you would use to find additional information about each director, along with the information you discovered with each tool for each director.

or advanced research problems (social science/technology),

Using any tool or method, identify a minimum of five (5) contributors to the NRA that are not identified on the NRA website or in any NRA publication. The purpose of this exercise is to discover NRA members who have not been publicly listed by the NRA itself. For each contributor, describe your process, including links and results.

Including links in posts, even lists, helps readers reuse and even re-purpose content.

It’s called the World Wide Web for a reason, hyperlinks.

October 27, 2017

0-Days vs. Human Stupidity

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:15 am

Kaspersky Lab released The Human Factor in IT Security last July (2017), which was summarized by Nikolay Pankov in The human factor: Can employees learn to not make mistakes?, saying in part:

  • 46% of incidents in the past year involved employees who compromised their company’s cybersecurity unintentionally or unwittingly;
  • Of the companies affected by malicious software, 53% said that infection could not have happened without the help of inattentive employees, and 36% blame social engineering, which means that someone intentionally tricked the employees;
  • Targeted attacks involving phishing and social engineering were successful in 28% of cases;
  • In 40% of cases, employees tried to conceal the incident after it happened, amplifying the damage and further compromising the security of the affected company;
  • Almost half of the respondents worry that their employees inadvertently disclose corporate information through the mobile devices they bring to the workplace.

If anything, human stupidity is a constant with little hope of improvement.

For example, the “Big Three” automobile manufacturers were founded in the 1920’s and now almost a century later, the National Highway Traffic Safety Administration reports in 2015 there were 6.3 million police reported automobile accidents (an increase of 3.8% over the previous year).

Or, another type of “accident” covered by the Guttmacher Institute shows for 2011:

Not to rag on users exclusively, vulnerabilities due to mis-configuration, failure to patch and vulnerabilities in security programs and programs more generally, are due to human stupidity as well.

0-Days will always capture the headlines and are a necessity against some opponents. At the same time, testing for human stupidity is certainly cheaper and often just as effective as advanced techniques.

Transparency is coming … to the USA! (Apologies to Leonard Cohen)

October 26, 2017

Democratizing CyberCrime – Messaging Apps As New Dark Web

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:36 pm

Cyber criminals use messaging apps to locate new hideouts after dark web market crackdown

Mobile messaging apps said to be the “in” place for cyber criminals, leading to these observations:


“Today’s black market is accessible more than ever, with the tap of a finger over a portable pocket-held device,” the study said. “This could prove to cause a proliferation of low-level cybercrime, that is conducted by less qualified perpetrators”.

Traditional dark web markets required would-be users to know which sites to visit and how, using a special browser, all of which required no small amount of technical sophistication.

IntSights said hackers are turning to smaller, closed networks on social media and mobile messaging apps instead of traditionally open, moderated dark web forums because such groups can be easily set up, shut down and relocated via apps.

I’m all in favor of democratization of technology but like you, I nearly choked on:

…Traditional dark web markets required would-be users to know which sites to visit and how, using a special browser, all of which required no small amount of technical sophistication….

Wow, just wow! Being able to download/install Tor and finding .onion sites is “technical sophistication?”

Messaging apps mentioned:

Discord – #1 with a bullet.

Skype – Microsoft.

Telegram

WhatsApp – Facebook.

By sacrificing an email address, you can get a copy of the dark web/mobile app report.

Test Your Qualifications To Run A Web Hidden Service

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 10:30 am

Securing a Web Hidden Service

From the post:

While browsing the darknet (Onion websites), it’s quite stunning to see the number of badly configured Hidden Services that will leak directly or indirectly the underlying clearnet IP address. Thus canceling the server anonymity protection that can offer Tor Hidden Services.

Here are a few rules you should consider following before setting up a Onion-only website. This guide covers both Apache and Nginx.
… (emphasis in original)

Presented as rules to preserve .onion anonymity, these five rules also test of your qualifications to run a web hidden service.

If you don’t understand or won’t any of these five rules, don’t run a web hidden service.

You are likely to expose yourself and others.

Just don’t.

October 25, 2017

Proton Sets A High Bar For Malware

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 9:14 pm

Malware hidden in vid app is so nasty, victims should wipe their Macs by Iain Thomson

Proton was distributed by legitimate servers and is so severe that only a clean install will rid your system of the malware.

From the post:


Proton is a remote-control trojan designed specifically for Mac systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. It can gain access to a victim’s iCloud account, even if two-factor authentication is used, and went on sale in March with a $50,000 price tag.

Impressive!

Imagine a Windows trojan that requires a clean system install to disinfect your system.

Well, “disinfecting” a Windows system is a relative term.

If you are running Windows 10, you have already granted root access to Microsoft plus whoever they trust to your system.

Perhaps “disinfect within the terms and limitations of your EULA with Microsoft” is the better way to put it.

A bit verbose don’t you think?

October 24, 2017

Targeting Government Websites

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:05 pm

With only 379 days until congressional mid-terms, you should not waste time hardening or attacking seldom used or obscure government webpages.

If that sounds like a difficult question, then you don’t know about analytics.usa.gov!

This data provides a window into how people are interacting with the government online. The data comes from a unified Google Analytics account for U.S. federal government agencies known as the Digital Analytics Program. This program helps government agencies understand how people find, access, and use government services online. The program does not track individuals, and anonymizes the IP addresses of visitors.

Not every government website is represented in this data. Currently, the Digital Analytics Program collects web traffic from around 400 executive branch government domains, across about 4500 total websites, including every cabinet department. We continue to pursue and add more sites frequently; to add your site, email the Digital Analytics Program.

This open source project is in the public domain, which means that this website and its data are free for you to use without restriction. You can find the code for this website and the code behind the data collection on GitHub.

We plan to expand the data made available here. If you have any suggestions, or spot any issues or bugs, please open an issue on GitHub or contact the Digital Analytics Program.

Download the data

You can download the data here. Available in JSON and CSV format.

Whether you imagine yourself carrying out or defending against a Putin/FSB/KGB five-year cyberattack plan, analytics.usa.gov can bring some grounding to your defense/attack plans.

Sorry, but government web data won’t help with your delusions about Putin. For assistance in maintaining those, check with the Democratic National Committee and/or the New York Times.

October 22, 2017

Router Games While Waiting in Congressional Rep’s Parking Lot

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:00 pm

With the US congressional mid-term election only 381 days away (2018-11-06), I can only imagine the boredom from sitting in your representative’s branch office parking lot.

Watching for your representative and his/her visitors is a thankless task. The public always being interested in such details.

One amusing and potentially skill building exercise is described in Man-in-the-middle Router.

From the post:

Turn any linux computer into a public Wi-Fi network that silently mitms all http traffic. Runs inside a Docker container using hostapd, dnsmasq, and mitmproxy to create a open honeypot wireless network named “Public”. For added fun, change the network name to “xfinitywifi” to autoconnect anyone who has ever connected to those networks… they are everywhere.

The suggestion of using popular network names, which you can discover by cruising about with your Linux laptop, seems especially interesting.

Brush up on your cyberskills!

2018 is brimming with promise!

October 20, 2017

Not Zero-Day But Effective Hacking

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:43 pm

Catalin Cimpanu reminds us in Student Expelled for Using Hardware Keylogger to Hack School, Change Grades not every effective hacking attack uses a zero-day vulnerability.

Zero-days get most of the press, ‘Zero Days’ Documentary Exposes A Looming Threat Of The Digital Age, but capturing the keystrokes on a computer keyboard, can be just as effective for stealing logins/passwords and other data.

Cimpanu suggests that hardware keyloggers can be had on Amazon or eBay for a little as $20.

I’m not sure when he looked but a search today shows the cheapest price on Amazon is $52.59 and on eBay $29.79. Check for current pricing.

I haven’t used it but the Keyllama 4MB USB Value Keylogger has an attractive form factor (1.6″) at $55.50.

USB keyloggers (there are software keyloggers) require physical access for installation and retrieval.

You can attempt to play your favorite spy character or you can identify the cleaning service used by your target. Turnover in the cleaning business runs from 75 percent to 400 percent so finding or inserting a confederate is only a matter of time.

USB keyloggers aren’t necessary at the NSA as logins/passwords are available for the asking. (Snowden)

October 17, 2017

Tor Keeps You Off #KRACK

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 12:44 pm

You have seen the scrambling to address KRACK (Key Reinstallation Attack), a weakness in the WPA2 protocol. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more by Dan Goodin, Falling through the KRACKs by John Green, are two highly informative and amusing posts out of literally dozens on KRACK.

I won’t repeat their analysis here but wanted to point out Tor users are immune from KRACK, unpatched, etc.

A teaching moment to educate users about Tor!

October 12, 2017

Fact-Free Reporting on Kaspersky Lab – Stealing NSA Software Tip

Filed under: Cybersecurity,Journalism,News,Reporting,Security — Patrick Durusau @ 4:36 pm

I tweeted:

@thegrugq Israelis they hacked Kerspersky, saw Russians there, tell NSA, lots of he, they, we say, few facts.

[T]the grugq‏ @thegrugq responded with the best question on the Kaspersky story:

What would count as a fact here? Kaspersky publicised the hack when it happened. Does that count as a fact?

What counts as a fact is central to my claim that thus far, all we have seen is fact-free reporting on the alleged use of Kaspersky Lab software to obtain NSA tools.

Opinions are reported but not facts you could give to an expert like Bruce Schneier ask for an opinion.

What would I think of as “facts” in this case?

What did Israeli intelligence allegedly see when it hacked into Kaspersky Lab?

Not some of the data, not part of the data, but a record of all the data seen upon which they then concluded the Russians were using it to search for NSA software.

To the automatic objection this was a “secret intelligence operation,” let me point out that without that evidence, the NSA and anyone else further down the chain of distribution of the Israeli opinion, were being manipulated by that opinion in the absence of facts.

Just as the NSA wants to foist its opinion on the public, through unnamed sources, without any evidence for the public to form its own opinion based on facts.

The prevention of contrary opinions or avoiding questioning of an opinion, can only be achieved by blocking access to the alleged evidence that “supports” the opinion.

Without any “facts” to speak of, the Department of Homeland Security, is attempting to govern all federal agencies and their use of Kaspersky security software.

Stating the converse, how do you dispute claims made by unnamed sources that say the Israelis saw the Russians using Kaspersky Lab software to look for NSA software?

The obvious answer is that you can’t. There are no facts to check, no data to examine, and that, in my opinion, is intentional.

PS: If you want to steal NSA software, history says the easiest route is to become an NSA contractor. Much simpler than hacking anti-virus software, then using it to identify likely computers, then hacking identified computers. Plus, you paid vacation every year until you are caught. Who can argue with that?

XML Prague 2018 – Apology to Procrastinators

Filed under: Conferences,Cybersecurity,Security,XML,XPath,XQuery,XSLT — Patrick Durusau @ 10:49 am

Apology to all procrastinators, I just saw the Call for Proposals for XML Prague 2018

You only have 50 days (until November 30, 2017) to submit your proposals for XML Prague 2018.

Efficient people don’t realize that 50 days is hardly enough time to put off thinking about a proposal topic, much less fail to write down anything for a proposal. Completely unreasonable demand but, do try to procrastinate quickly and get a proposal done for XML Prague 2018.

The suggestion of doing a “…short video…” seems rife with potential for humor and/or NSFW images. Perhaps XML Prague will post the best “…short videos…” to YouTube?

From the webpage:

XML Prague 2018 now welcomes submissions for presentations on the following topics:

  • Markup and the Extensible Web – HTML5, XHTML, Web Components, JSON and XML sharing the common space
  • Semantic visions and the reality – micro-formats, semantic data in business, linked data
  • Publishing for the 21th century – publishing toolchains, eBooks, EPUB, DITA, DocBook, CSS for print, …
  • XML databases and Big Data – XML storage, indexing, query languages, …
  • State of the XML Union – updates on specs, the XML community news, …
  • XML success stories – real-world use cases of successful XML deployments

There are several different types of slots available during the conference and you can indicate your preferred slot during submission:

30 minutes
15 minutes
These slots are suitable for normal conference talks.
90 minutes (unconference)
Ideal for holding users meeting or workshop during the unconference day (Thursday).

All proposals will be submitted for review by a peer review panel made up of the XML Prague Program Committee. Submissions will be chosen based on interest, applicability, technical merit, and technical correctness.

Authors should strive to contain original material and belong in the topics previously listed. Submissions which can be construed as product or service descriptions (adverts) will likely be deemed inappropriate. Other approaches such as use case studies are welcome but must be clearly related to conference topics.

Proposals can have several forms:

full paper
In our opinion still ideal and classical way of proposing presentation. Full paper gives reviewers enough information to properly asses your proposal.
extended abstract
Concise 1-4 page long description of your topic. If you do not have time to write full paper proposal this is one possible way to go. Try to make your extended abstract concrete and specific. Too short or vague abstract will not convince reviewers that it is worth including into the conference schedule.
short video (max. 5 minutes)
If you are not writing person but you still have something interesting to present. Simply capture short video (no longer then 5 minutes) containing part of your presentation. Video can capture you or it can be screen cast.

I mentioned XSLT security attacks recently, perhaps you could do something similar on XQuery? Other ways to use XML and related technologies to breach cybersecurity?

Do submit proposals and enjoy XML Prague 2018!

October 10, 2017

Wall Street Journal Misses Malvertising Story – Congressional Phishing Tip

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 2:32 pm

Warning: Millions of POrnhub Users Hit With Maltertising Attack by Mohit Kumar.

From the post:

Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.

Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing Kovter ad fraud malware that was used in 2015 malicious ad campaigns, and most recently earlier in 2017.

The KovCoreG hacking group initially took advantage of POrnHub—one of the world’s most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.

According to the Proofpoint researchers, the infections in this campaign first appeared on POrnHub web pages via a legitimate advertising network called Traffic Junky, which tricked users into installing the Kovtar malware onto their systems.

When you spend your time spreading government directed character assassination rumors about Kerpersky Lab, you miss opportunities to warn your readers about malvertising infections from PornHub.

Just today, the Wall Street Journal WSJ left its readers in the dark about Kovter ad fraud malware from PornHub.

You can verify that claim by using site:wsj.com plus KovCoreG, Kovter, and PornHub to search wsj.com. As of 15:00 on October 9, 2017, I got zero “hits.”

The WSJ isn’t a computer security publication but an infection from one of the most popular websites in the world, especially one of interest to likely WSJ subscribers, Harvey Weinstein, Donald Trump, for example, should be front page, above the fold.

Yes?

PS: Congressional Phishing Tip: For phishing congressional staffers, members of congress, their allies and followers, take a hint from the line: “…POrnHub—one of the world’s most visited adult websites….” Does that suggest subject matter for phishing that has proven to be effective?

October 8, 2017

Shaming Hackers – New (Failing) FBI Strategy

Filed under: Cybersecurity,FBI,Security — Patrick Durusau @ 2:10 pm

There are times, not often, when government agencies are so clueless that I feel pity for them.

Case in point, the FBI strategy reported in FBI’s Cyber Strategy: Shame the Hackers.

From the post:

The Federal Bureau of Investigation wants to publicly shame cyber criminals after they’ve been caught as part of an effort to make sure malicious actors don’t count on anonymity.

“You will be identified pursued, and held to account no matter where you are in the world,” Paul Abbate, the FBI’s executive assistant director of the Criminal, Cyber, Response and Services Branch, said at a U.S. Chamber of Commerce event in Washington Wednesday.

The FBI’s cyber response team is focused on tracking down “high-level network and computer intrusion,” carried out by “state-sponsored hackers and global organized criminal syndicates,” Abbate said. Often, these malicious actors are operating from overseas, using “foreign technical infrastructure” that makes the threats especially difficult to detect.

Once those actors are identified, the FBI tries to “impose costs on them,” which might include ”economic sanctions, prison terms, or battlefield death.” It also aims to “publicly name them, shame them, and let everyone know who they are…[so they] don’t feel immune or anonymous.”

Hmmmm, but if being anonymous is the goal of hackers, why do so many claim credit for hacks?

A smallish sampling of such claims: “Anonymous” claims credit for hacking into Federal Reserve (“Anonymous”), Guccifer 2.0 takes credit for hacking another Democratic committee (Guccifer 2.0), Hacker claims credit for WikiLeaks takedown (Jester), Hacker Group Claims Credit For Taking Xbox Live Offline (Lizard Squad), Hacking Group From Russia, China Claims Credit For Massive Cyberattack (New World Hackers), OurMine claims credit for attack on Pokemon Go servers (OurMine), Grandpa, patriot who goes by ‘The Raptor,’ claims credit for taking down Al Qaeda websites (The Raptor), Iranian Group Claims Credit for Hack Attack on New York Dam (SOBH Cyber Jihad), etc., etc.

Oh, the FBI equates being “anonymous” with:

You didn’t use your home/work email address, leaving your home/work phone numbers and addresses on an “I hacked your computer” note on the victim’s computer.

Hackers avoid leaving their true identity information just like skilled bank robbers don’t write robbery notes on their own deposit slips, it’s a way of avoiding interaction with the police. That’s not shame, that’s just good sense.

As far as “shaming” hackers, the FBI learned nothing from the case of Aaron Swartz, Aaron Swartz stood up for freedom and fairness – and was hounded to his death. Swartz was known among geeks but no where nearly as widely known until prosecutors hounded him to death. How’d shaming work for the FBI in that case?

Public “shaming” of hackers, most of who attack the least sympathetic targets in society, is going to build the public (as opposed to hacker) reputations of “shamed” hackers.

Go ahead FBI, grant hackers the benefit of your PR machinery. “Shame” away.

October 6, 2017

Lauren Duca Declares War!

Filed under: Cybersecurity,Government,Politics,Security — Patrick Durusau @ 3:49 pm

The latest assault on women’s health, which impacts women, men and children, is covered by Jessie Hellmann in: Trump officials roll back birth-control mandate.

Lauren is right, this is war. It is a war on behalf of women, men and children. Women are more physically impacted by reproduction issues but there are direct impacts on men and children as well. When the reproductive health of women suffers, the women, men in their lives and children suffer as well. The reproductive health of women is everyone’s concern.

For OpSec reasons, don’t post your answer, but have you picked a specific target for this war?

I ask because diffuse targets, Congress for example, leads to diffuse results.

Specific targets, now former representative Tim Murphy for example, can have specific results.

PS: Follow and support Lauren Duca, @laurenduca!

XSLT Server Side Injection Attacks

Filed under: Cybersecurity,Security,XML,XSLT — Patrick Durusau @ 12:02 pm

XSLT Server Side Injection Attacks by David Turco.

From the post:

Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. Examples of XSLT remote code execution vulnerabilities with public exploits are CVE-2012-5357 affecting the .Net Ektron CMS; CVE-2012-1592 affecting Apache Struts 2.0; and CVE-2005-3757 which affected the Google Search Appliance.

From the examples above it is clear that XSLT vulnerabilities have been around for a long time and, although they are less common than other similar vulnerabilities such as XML Injection, we regularly find them in our security assessments. Nonetheless the vulnerability and the exploitation techniques are not widely known.

In this blog post we present a selection of attacks against XSLT to show the risks of using this technology in an insecure way.

We demonstrate how it is possible to execute arbitrary code remotely; exfiltrate data from remote systems; perform network scans; and access resources on the victim’s internal network.

We also make available a simple .NET application vulnerable to the described attacks and provide recommendations on how to mitigate them.

A great post for introducing XML and XSLT to potential hackers!

Equally great potential for a workshop at a markup conference.

Enjoy!

October 5, 2017

Software McCarthyism – Wall Street Journal and Kaspersky Lab

Filed under: Cybersecurity,Malware,NSA,Security — Patrick Durusau @ 8:42 pm

The Verge reports this instance of software McCarthyism by the Wall Street Journal against Kaspersky Lab saying:


According to the report, the hackers seem to have identified the files — which contained “details of how the U.S. penetrates foreign computer networks and defends against cyberattacks” — after an antivirus scan by Kaspersky antivirus software, which somehow alerted hackers to the sensitive files.
… (emphasis added)

Doesn’t “…somehow alerted hackers to the sensitive files…” sound a bit weak? Even allowing for restating the content of the original WSJ report?

The Wall Street Journal reports in Russian Hackers Stole NSA Data on U.S. Cyber Defense:

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The facts reported by the Wall Street Journal support guilt by association style McCarthyism but in a software context.

Here are the only facts I can glean from the WSJ report and common knowledge of virus software:

  1. NSA contractor removed files from NSA and put them on his home computer
  2. Home computer was either a PC or Mac (only desktops supported by Kaspersky)
  3. Kaspersky anti-virus software was on the PC or Mac
  4. Kaspersky anti-virus software is either active or runs at specified times
  5. Kaspersky anti-virus software scanned the home computer one or more times
  6. Hackers stole NSA files from the home computer

That’s it, those are all the facts reported in the Wall Street Journal “story,” better labeled a slander against Kaspersky Lab.

The following claims are made with no evidence whatsoever:

  1. “after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab”
  2. “believe the contractor’s use of the software alerted Russian hackers to the presence of files”
  3. “whether Kaspersky technicians programed the software to look for specific parameters”
  4. “unclear is whether Kaspersky employees alerted the Russian government to the finding”
  5. “armed with the knowledge that Kaspersky’s software provided”

The only evidence in the possession of investigators is the co-locations of the NSA files and Kaspersky anti-virus software on the same computer.

All the other beliefs, suppositions, assumptions, etc., of investigators are attempts to further the government’s current witch hunt against Kaspersky Labs.

The contractor’s computer likely also had MS Office, the home of more than a few security weaknesses. To say nothing of phishing emails, web browsers, and the many other avenues for penetration.

As far as “discovering” the contractor to get the files in question, it could have been by chance and/or the contractor bragging to a waitress about his work. We’re not talking about the sharpest knife in the drawer on security matters.

Judging hacking claims based on co-location of software is guilt by association pure and simple. The Wall Street Journal should not dignify such government rumors by reporting them.

Printer Exploitation Toolkit: PRET [398 Days to Congressional MidTerm Elections]

Filed under: Cybersecurity,Malware,Politics,Security — Patrick Durusau @ 1:08 pm

Printer Exploitation Toolkit: PRET

From the post:

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. PRET connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers today. This allows PRET to do cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and a printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Billed in the post as:

The tool that made dumpster diving obsolete (emphasis in original)

I would not go that far, after all, there are primitives without networked printers, or so I have heard. For those cases, dumpster diving remains a needed skill.

Reading Exploiting Network Printers – A Survey of Security Flaws in Laser Printers and Multi-Function Devices (the master’s thesis) isn’t required, but it may help extend this work.

Abstract:

Over the last decades printers have evolved from mechanic devices with microchips to full blown computer systems. From a security point of view these machines remained unstudied for a long time. This work is a survey of weaknesses in the standards and various proprietary extensions of two popular printing languages: PostScript and PJL. Based on tests with twenty laser printer models from various vendors practical attacks were systematically performed and evaluated including denial of service, resetting the device to factory defaults, bypassing accounting systems, obtaining and manipulating print jobs, accessing the printers’ file system and memory as well as code execution through malicious firmware updates and software packages. A generic way to capture PostScript print jobs was discovered. Even weak attacker models like a web attacker are capable of performing the attacks using advanced cross-site printing techniques.

As of July of 2016, Appendix A.1 offers a complete list of printer CVEs. (CVE = Common Vulnerabilities and Exposures.)

The author encountered a mapping issue when attempting to use vFeed to map between CVEs to CWE (CWE = Common Weakness Enumeration).


Too many CWE identifier however match a single CVE identifier. To keep things clear, we instead grouped vulnerabilities into nine categories of attack vectors as shown in Table 3.2. It is remarkable that half of the identified security flaws are web-related while only one twelfth are caused by actual printing languages like PostScript or PJL.
… (page 11 of master’s thesis)

I haven’t examined the mapping problem but welcome suggestions from those of you who do. Printer exploitation is a real growth area in cybersecurity.

I mentioned the 398 Days to Congressional MidTerm Elections in anticipation that some bright lasses and lads will arrange for printers to print not only at a local location but remote one as well.

Think of printers as truthful but not loyal campaign staffers.

Enjoy!

October 3, 2017

Searching for Butt Plugs in Congressional Offices

Filed under: Cybersecurity,Humor,Security — Patrick Durusau @ 4:08 pm

It’s a click-bait title but I’m entirely serious. There are security flaws in IoT adult toys, flaws that enable you to discover and manipulate those toys. I use Congress as an example but the same principles apply to banks, Wall Street offices, government agencies, law firms, etc.

Discovering such a device could result in a lower mortgage interest rate, a favorable administrative decision, changes to pending legislation, dismissal of charges, any number of things normally associated with class-based privilege.

I encountered John Leyden‘s report Dildon’ts of Bluetooth: Pen test boffins sniff out Berlin’s smart butt plugs – You’ve heard of wardriving – say hello to screwdriving (warning NSFW image) first:

Security researchers have figured out how to locate and exploit smart adult toys.

Various shenanigans are possible because of the easy discoverability and exploitability of internet-connected butt plugs and the like running Bluetooth’s baby brother, Bluetooth Low Energy (BLE), a wireless personal area network technology. The tech has support for security but it’s rarely implemented in practice, as El Reg has noted before.

The shortcoming allowed boffins at Pen Test Partners to hunt for Bluetooth adult toys, a practice it dubbed screwdriving, in research that builds on its earlier investigation into Wi-Fi camera dildo hacking earlier this year.

BLE devices also advertise themselves for discovery. The Lovense Hush, an IoT-enabled butt plug, calls itself LVS-Z001. Other Hush devices use the same identifier.

The Hush, like every other sex toy tested by PTP (the Kiiroo Fleshlight, Lelo, Lovense Nora and Max), all lacked adequate PIN or password protection. If the devices did have a PIN it was generic (0000 / 1234 etc). This omission is for understandable reasons. PTP explains: “The challenge is the lack of a UI to enter a classic Bluetooth pairing PIN. Where do you put a UI on a butt plug, after all?
… (bold emphasis added)

Indeed, a UI for a butt plug is difficult to imagine. 😉

For the technical details, with more NSFW images, Alex Lomas describes the insecurity of adult toys in great detail in Screwdriving. Locating and exploiting smart adult toys.

From the post:

Alex is using LightBlue Explorer® — Bluetooth Low Energy (Google Play), (AppStore), although other Bluetooth discovery apps would work just as well.

Searching Congressional Offices For Newbies

If you are comfortable with Bluetooth and hex commands, you have all you need to surf for butt plugs in congressional offices.

Others, especially those who only use smart phone apps, may need some additional instructions.

At the risk of more NSFW images, the Hush butt plug homepage advises:

(Google Play), (AppStore),

You install the Hush app, fire it up (sorry), walk about waiting for a connection to appear. How hard is that? (Scanning tip, 360 degrees, standing, up to 30 feet; sitting, 5 to 10 feet.)

Cautions?

Unauthorized interception of even advertised signals may be a crime in some jurisdictions. Not to mention unauthorized interaction with a remote device is likely to constitute battery (a crime).

That said, the insecurity of Bluetooth devices and other cyberinsecurities are opportunities to challenge existing privilege systems. Whether you take up that challenge or choose to support the status quo, is entirely up to you.

Who Does Cyber Security Benefit?

Filed under: Cybersecurity,Ethics,Malware,Security — Patrick Durusau @ 2:04 pm

Indoctrinating children to benefit the wealthy starts at a young age: ‘Hackathon’ challenges teens to improve cyber security.

Improving cyber security is taught as an ethical imperative, but without asking who that “imperative” benefits.

OxFam wrote earlier this year:

Eight men own the same wealth as the 3.6 billion people who make up the poorest half of humanity, according to a new report published by Oxfam today to mark the annual meeting of political and business leaders in Davos.

Oxfam’s report, ‘An economy for the 99 percent’, shows that the gap between rich and poor is far greater than had been feared. It details how big business and the super-rich are fuelling the inequality crisis by dodging taxes, driving down wages and using their power to influence politics. It calls for a fundamental change in the way we manage our economies so that they work for all people, and not just a fortunate few.

New and better data on the distribution of global wealth – particularly in India and China – indicates that the poorest half of the world has less wealth than had been previously thought. Had this new data been available last year, it would have shown that nine billionaires owned the same wealth as the poorest half of the planet, and not 62, as Oxfam calculated at the time.
… From: Just 8 men own same wealth as half the world

It’s easy to see the cyber security of SWIFT, “secure financial messaging system,” benefits:

the “[the e]ight men own the same wealth as the 3.6 billion people who make up the poorest half of humanity”

more than “…the 3.6 billion people who make up the poorest half of humanity.”

Do you have any doubt about that claim in principle? The exact numbers of inequality don’t interest me as much as the understanding that information systems and their cyber security benefit some people more than others.

Once we establish the principle of differential in benefits from cyber security, then we can ask: Who does cyber security X benefit?

To continue with the SWIFT example, I would not volunteer to walk across the street to improve its cyber security. It is an accessory to a predatory financial system that exploits billions. You could be paid to improve its cyber security but tech people at large have no moral obligation to help SWIFT.

If anyone says you have an obligation to improve cyber security, ask who benefits?

Yes?

September 28, 2017

Tails 3.2 Out! [Questions for Journalists]

Filed under: Cybersecurity,Journalism,Security,Tails,Tor — Patrick Durusau @ 8:48 pm

Tails 3.2 is out

From the about page:

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

It is a complete operating system designed to be used from a USB stick or a DVD independently of the computer’s original operating system. It is Free Software and based on Debian GNU/Linux.

Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.

Does your editor keep all reporters supplied with a current version of Tails?

Are reporters trained on a regular basis in the use of Tails?

If your answer to either question is no, you should be looking for another employer.

September 27, 2017

#1 of the “Big Four” Falls – Odds On Your Mid-Term Candidate?

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:37 am

Deloitte, one of the “Big Four” accounting firms has suffered an email leak. Ben Miller reports varying accounts of the breach in Deloitte Admits Email Hack, Says No Government Clients Impacted.

Deloitte minimizes the breach while others report the entire system was breached, months ago. Too early to know the details but I’m betting on complete breach.

Which is made all the more amusing by this description of the “Big Four:”

The majority of the world’s auditing services are performed by only four accounting firms.

Known as the ‘Big 4’, these firms completely dominate the industry, auditing more than 80 percent of all US public companies.

In addition, these mammoth organizations advise on tax and offer a wide range of management and assurance services.

Although usually identified as single companies, each one of the Big 4 Accounting Firms is actually a network of independent corporations who have entered into agreements with one another to set quality standards and share a common name.

….

Deloitte LLP is the number one firm in the United States (and in the world). The company began as the separate companies of William Deloitte, Charles Haskins, Elijah Sells, and George Touche. The three companies eventually merged to become Deloitte & Touche. Today the company is known primarily as Deloitte LLP, and has four subsidiaries: Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP and Deloitte Tax LLP.

The Big 4 Accounting Firms

With serious people failing at cybersecurity, what are the odds for your candidate for the 2018 congressional mid-terms? Or the odds for candidates you oppose in the same election?

All the more reason to mourn the passing of Leonard Cohen.

He could have written: Transparency is coming to the USA.

Are you on the side of transparency or opaqueness and privilege?

PS: A scoreboard for cybersecurity breaches of the “Big Four:”

Updates to: patrick@durusau.net

September 25, 2017

Evidence of Government Surveillance in Mexico Continues to Mount [Is This News?]

Filed under: Cybersecurity,Government,Journalism,News,Privacy,Reporting,Security — Patrick Durusau @ 4:19 pm

Evidence of Government Surveillance in Mexico Continues to Mount by Giovanna Salazar, translated by Omar Ocampo.

From the post:

In early September, further attempts to spy on activists in Mexico were confirmed. The president of Mexicans Against Corruption and Impunity (MCCI), an organization dedicated to investigative journalism, received several SMS messages that were intended to infect his mobile device with malicious software.

According to The New York Times, Claudio X. González Guajardo was threatened with Pegasus, a sophisticated espionage tool or “spyware” sold exclusively to governments that was acquired by the Mexican government in 2014 and 2015, with the alleged intention of combating organized crime. Once installed, Pegasus spyware allows the sender or attacker to access files on the targeted device, such as text messages, emails, passwords, contacts list, calendars, videos and photographs. It even allows the microphone and camera to activate at any time, inadvertently, on the infected device.

Salazar’s careful analysis of the evidence leaves little doubt:

these intrusive technologies are being used to intimidate and silence dissent.

But is this news?

I ask because my starting assumption is that governments buy surveillance technologies to invade the privacy of their citizens. The other reason would be?

You may think some targets merit surveillance, such as drug dealers, corrupt officials, but once you put surveillance tools in the hands of government, all citizens are living in the same goldfish bowl. Whether we are guilty of any crime or not.

The use of surveillance “to intimidate and silence dissent” is as natural to government as corruption.

The saddest part of Salazar’s report is that Pegasus is sold exclusively to governments.

Citizens need a free, open source edition of Pegasus Next Generation with which to spy on governments, businesses, banks, etc.

A way to invite them into the goldfish bowl in which ordinary citizens already live.

The ordinary citizen has no privacy left to lose.

The question is when current spy masters will lose theirs as well?

Awesome Windows Exploitation Resources (curated)

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 3:27 pm

Awesome Windows Exploitation Resources

Not all of these resources are recent but with vulnerability lifetimes of a decade or more, there is much to learn here. I count two hundred and fifty (250) resources as of today.

Including election day, November 6, 2018, there are only 408 days left until the 2018 mid-term Congressional elections. You have a lot of reading to do.

You can contribute materials for listing.

September 22, 2017

540,000 Car Tracking Devices – Leak Discovery Etiquette – #ActiveLeak

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:44 pm

Passwords For 540,000 Car Tracking Devices Leaked Online by Swati Khandelwal.

From the post:

Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.

Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server.

Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen.

The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices.

Since the leaked passwords were stored using SHA-1, a 20-years-old weak cryptographic hash function that was designed by the US National Security Agency (NSA), which can be cracked with ease.

Interestingly, the exposed database also contained information where exactly in the car the physical tracking unit was hidden.

It’s not known if anyone else uncovered this data but as usual, there’s no penalty for misconfiguring your Amazon Web Server (AWS) S3 cloud storage bucket.

You will suffer a few minutes, perhaps hours of shame before other data leaks takes your place on the wall of shame, but it won’t be long.

But only after some enterprising security firm has discovered your error and the leak has been fixed. Translate: No adverse consequences for poor security practices. None.

When (not if) you find a mis-configured Amazon Web Server (AWS) S3 cloud storage bucket, post it with #ActiveLeak to Twitter. Makes it a race between the owner and hackers for the data.

You will still get credit for discovering the leak and the owner will learn a valuable lesson. The owner’s lesson being reinforced by whatever other consequences flow from the data leak.

MS Finds Some Bug In Chrome – What Bug? Don’t Know

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 4:32 pm

[$7500][765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14

From Stable Channel Update for Desktop Thursday, September 21, 2017

As of 22 September 2017, 17:14 ESDT, the URL 765433 displays only a lack of access notice, for me.

Unlike hackers, who have a tradition of sharing information, Microsoft and Google believe what they know is unknown to others. That works, sort of, if your’re an ostrich, not so well in cybersecurity.

I mention this posting mostly to list some of the tools Google uses for bug testing:

AddressSanitizer

AFL

Control Flow Integrity

libFuzzer

MemorySanitizer

UndefinedBehaviorSanitizer

Enjoy!

Torrent Sites: Preserving “terrorist propaganda” and “evil material”

Filed under: Censorship,Cybersecurity,Free Speech,Government,Security — Patrick Durusau @ 1:37 pm

I mentioned torrent sites in Responding to Theresa May on Free Speech as a way to help preserve and spread “terrorist propaganda” and “evil material.”

My bad, I forgot to post a list of torrent sites for you to use!

Top 15 Most Popular Torrent Sites 2017 reads in part:

The list of the worlds most popular torrent sites has seen a lot of changes in recent months. While several torrent sites have shut down, some newcomers joined the list. With the shutdown of Torrentz.eu and Kickass Torrents, two of the largest sites in the torrenting scene disappeared. Since then, Torrentz2 became a popular successor of Torrentz.eu and Katcr.co is the community driven version of the former Kickass Torrents.

Finding torrents can be stressful as most of the top torrent sites are blocked in various countries. A torrent proxy let you unblock your favorite site in a few seconds.

While browsing the movies, music or tv torrents sites list you can find some good alternatives to The Pirate Bay, Extratorrent, RARBG and other commonly known sites. This list features the most popular torrent download sites:

The list changes over time so check back at Torrents.me.

As a distributed hash storage system, torrent preserves content across all the computers that downloaded the content.

Working towards the mention of torrent sites making Theresa May‘s sphincter eat her underpants. (HT, Dilbert)

« Newer PostsOlder Posts »

Powered by WordPress