HOPE X call for participation now open

Emmanuel Goldstein from 2600 Magazine writes, "The call for participation at HOPE X in New York City is now open. There is room for over 100 talks and panels, dozens of workshops, and all kinds of creative artwork with hacker overtones. This is expected to be one of the largest conferences dealing with hacking, whistleblowing, social change, surveillance, and new technology ever presented in the United States. There will be no government agency recruiters, no commercial exploitation, and no shortage of controversy. The doors are now open for imaginative ideas at this very crucial point in hacker (and human) history. HOPE X takes place July 18-20, 2014 at the Hotel Pennsylvania in New York City."

Teach your rooted Android phone to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they're trying to do something that treats you as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer.

Your refrigerator probably hasn't joined a botnet


A mediagenic press-release from Proofpoint, a security firm, announced that its researchers had discovered a 100,000-device-strong botnet made up of hacked "Internet of Things" appliances, such as refrigerators. The story's very interesting, but also wildly implausible, as Ars Technica's Dan Goodin explains.

The report is light on technical details, and the details that the company supplied to Goodin later just don't add up. Nevertheless, the idea of embedded systems being recruited to botnets isn't inherently implausible, and some of the attacks that Ang Cui has demonstrated scare the heck out of me.

For more speculation, see my story The Brave Little Toaster, from MIT's TRSF.


Details about the malware used to attack Target's point-of-sale machines


The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.

Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.


HEADWATER: NSA program for sabotaging Huawei routers over the Internet


Bruce Schneier leads a discussion of HEADWATER, the NSA's tool for compromising Huawei routers over the Internet and turning them into snoops. It's one of the entries from the notorious TAO catalog.


Victorian Transport Department calls cops on 16 year old for reporting bug that exposed customers' personal data

Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."

He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, who called the Transport Department for comment. Whereupon the Transport Department called the police, who arrested the teenager.

It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.

But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.

The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all.


Senior execs are the biggest risk to IT security

Stroz Friedberg, a risk-management consultancy, commissioned a survey [PDF] of information handling practices in businesses that concluded that senior managers are the greatest risk to information security within companies.


Hackers vs the NSA in 1986

Emmanuel Goldstein from 2600 Magazine sez, "It shouldn't be that surprising, but Volume Three of The Hacker Digest contains all kinds of news items and articles concerning the National Security Agency, its attempts to control encryption, and the threat of surveillance. This was the hacker world of 1986."


NSA has a 50-page catalog of exploits for software, hardware, and firmware

A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).

ANT's catalog runs to 50 pages, and lists electronic break-in tools, wiretaps, and other spook toys. For example, the catalog offers FEEDTROUGH, an exploit kit for Juniper Networks' firewalls; gimmicked monitor cables that leak video-signals; BIOS-based malware that compromises the computer even before the operating system is loaded; and compromised firmware for hard drives from Western Digital, Seagate, Maxtor and Samsung.

Many of the exploited products are made by American companies, and hundreds of millions of everyday people are at risk from the unpatched vulnerabilities that the NSA has discovered in their products.


TAO: the NSA's hacker plumber-wunderkinds

A new Snowden leak disclosed in Der Spiegel details the operations of the NSA's Tailored Access Operations group (TAO), the "plumbers" of the spy agency who collect and deploy exploits to infiltrate computer systems. Reportedly, Edward Snowden turned down a chance to join the group.

TAO's repertoire of attacks included unpublished exploits and back-doors for products from major US IT companies like Microsoft and Cisco, as well as foreign companies like Huawei. Spiegel reports that TAO infiltrated networks in 89 countries, including "the protected networks of democratically elected leaders of countries." They took special interest in Mexico's anti-terror efforts, running an operation called WHITETAMALE that compromised the Mexican Secretariat of Public Security.

The tactics deployed by TAO relied upon other NSA programs, like the infamous XKeyscore, which was used to passively intercept crash reports from computers running Windows in order to profile these systems and tailor attacks aimed at them. TAO also compromised the Blackberry's BES email servers, and were able to read mail sent and received by Blackberry users.

One interesting wrinkle: TAO used interception of ecommerce shipping reports to discover when a target ordered new computer equipment. These shipments would be intercepted and loaded with malware before delivery. I know an ex-MI5 whistleblower who only buys computers by walking into a store at random and plucking them off the shelf, to prevent this sort of attack. When I learned about this practice, it sounded a little paranoid to me, but it seems that it's actually a very reasonable precaution.


EFF: the NSA has endangered us all by sabotaging security

The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which legalized civilian access to strong cryptography -- in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices.


Decrypting EFF's DEFCON crypto-challenge tee


For this year's DEFCON conference, the Electronic Frontier Foundation released an encryption-puzzle t-shirt (with glow-in-the-dark clues!) designed by EFF Senior Designer Hugh D'Andrade and Staff Technologist Micah Lee. The puzzle was fiendishly clever and made for a beautiful tee, and now it has been cracked by some of DEFCON's intrepid attendees, the first ten of whom stand to win a beautiful, limited edition, signed print.


Ethical questions for security experts


Alex Stamos's Defcon 21 presentation The White Hat’s Dilemma is a compelling and fascinating look at the ethical issues associated with information security work in the era of mass surveillance, cyberwar, and high-tech extortion and crime.


When advanced black-hat hacking goes automatic, script kiddies turn into ninjas

In "The anti-virus age is over," Graham Sutherland argues that the targeted, hard-to-stop attacks used by government-level hackers and other "advanced persistent threats" are now so automatable that they have become the domain of everyday script-kiddie creeps. Normally, the advanced techniques are only used against specific, high-value targets -- they're so labor-intensive that it's not worth trying them on millions of people in order to get a few more machines for a spam-sending botnet, or to extract a few credit-card numbers and passwords with a key-logger.

But all attacks tend to migrate from the realm of hand-made, labor-intensive and high-skill techniques to automated techniques that can be deployed with little technical expertise against millions of random targets.

Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malintent at best.

We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits / payloads and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.

This was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook). It's a funny old world.

The anti-virus age is over.

Hacker talks from HOPE 6 online

Emmanuel Goldstein from 2600 Magazine sez, "The 2600 hacker video archiving project continues with 67 hours of talks from HOPE Number Six being put online for public consumption. Highlights include keynotes Richard Stallman, Michael Hart, and Jello Biafra, along with all sorts of other presentations ranging from technical to social issues. Most fascinating are the legal and privacy panels that predict what surveillance tools will be in place in the future - from a 2006 perspective. The videos have been set up so that they play in the order they were presented in an attempt to recreate the original feel of the conference."