A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).
ANT's catalog runs to 50 pages, and lists electronic break-in tools, wiretaps, and other spook toys. For example, the catalog offers FEEDTROUGH, an exploit kit for Juniper Networks' firewalls; gimmicked monitor cables that leak video-signals; BIOS-based malware that compromises the computer even before the operating system is loaded; and compromised firmware for hard drives from Western Digital, Seagate, Maxtor and Samsung.
Many of the exploited products are made by American companies, and hundreds of millions of everyday people are at risk from the unpatched vulnerabilities that the NSA has discovered in their products.
A new Snowden leak disclosed in Der Spiegel details the operations of the NSA's Tailored Access Operations group (TAO), the "plumbers" of the spy agency who collect and deploy exploits to infiltrate computer systems. Reportedly, Edward Snowden turned down a chance to join the group.
TAO's repertoire of attacks included unpublished exploits and back-doors for products from major US IT companies like Microsoft and Cisco, as well as foreign companies like Huawei. Spiegel reports that TAO infiltrated networks in 89 countries, including "the protected networks of democratically elected leaders of countries." They took special interest in Mexico's anti-terror efforts, running an operation called WHITETAMALE that compromised the Mexican Secretariat of Public Security.
The tactics deployed by TAO relied on other NSA programs, like the infamous XKeyscore, which was used to passively intercept crash reports from computers running Windows in order to profile those systems and tailor attacks against them. TAO also compromised BlackBerry's BES email servers and was able to read mail sent and received by BlackBerry users.
One interesting wrinkle: TAO used interception of ecommerce shipping reports to discover when a target ordered new computer equipment. These shipments would be intercepted and loaded with malware before delivery. I know an ex-MI5 whistleblower who only buys computers by walking into a store at random and plucking them off the shelf, to prevent this sort of attack. When I learned about this practice, it sounded a little paranoid to me, but it seems that it's actually a very reasonable precaution.
The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which established that cryptographic source code is protected speech and helped end US export controls on strong cryptography -- in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices.
For this year's DEFCON conference, the Electronic Frontier Foundation released an encryption-puzzle t-shirt (with glow-in-the-dark clues!) designed by EFF Senior Designer Hugh D'Andrade and Staff Technologist Micah Lee. The puzzle was fiendishly clever and made for a beautiful tee, and now it has been cracked by some of DEFCON's intrepid attendees, the first ten of whom stand to win a beautiful, limited edition, signed print.
Alex Stamos's Defcon 21 presentation The White Hat's Dilemma is a compelling and fascinating look at the ethical issues associated with information security work in the era of mass surveillance, cyberwar, and high-tech extortion and crime.
In "The anti-virus age is over," Graham Sutherland argues that the targeted, hard-to-stop attacks used by government-level hackers and other "advanced persistent threats" are now so automatable that they have become the domain of everyday script-kiddie creeps. Normally, the advanced techniques are only used against specific, high-value targets -- they're so labor-intensive that it's not worth trying them on millions of people in order to get a few more machines for a spam-sending botnet, or to extract a few credit-card numbers and passwords with a key-logger.
But all attacks tend to migrate from the realm of hand-made, labor-intensive and high-skill techniques to automated techniques that can be deployed with little technical expertise against millions of random targets.
Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malintent at best.
We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits / payloads and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.
This was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook). It's a funny old world.
The anti-virus age is over.
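To make the polymorphism point concrete, here is an added toy example (not from Sutherland's post, and not real malware): a one-byte XOR "engine" that re-emits the same payload under a fresh key and random padding for every victim. A hash blocklist matches only the sample it was built from; a detector that decodes the stub's output the way the stub itself would catches every variant of this engine, and nothing from the next engine. PAYLOAD, the "connect c2." indicator and the key/junk layout are all constructed for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for the logic every variant must eventually run.
# It is plain text here; in real malware it would be a code body. (Toy data.)
PAYLOAD = b"connect c2.example; fetch stage2; run"


def polymorph(payload: bytes, key: int, rng: random.Random) -> bytes:
    """Emit one variant: header [key, junk_len], junk_len random bytes, then
    payload XOR key. Any change of key or junk changes every byte-level
    signature while leaving the decoded payload identical."""
    assert 1 <= key <= 255  # key 0 would be the identity transform
    junk_len = rng.randrange(0, 16)
    junk = bytes(rng.randrange(256) for _ in range(junk_len))
    return bytes([key, junk_len]) + junk + bytes(b ^ key for b in payload)


def unpack(variant: bytes) -> bytes:
    """What the variant's own stub does at run time (here, decode in place)."""
    key, junk_len = variant[0], variant[1]
    return bytes(b ^ key for b in variant[2 + junk_len:])


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def signature_detect(sample: bytes, blocklist: set) -> bool:
    """Static hash lookup: matches only the exact bytes seen before."""
    return sha1_hex(sample) in blocklist


def behavioural_detect(sample: bytes, indicator: bytes = b"connect c2.") -> bool:
    """Run-then-inspect: decode as the stub would and look for an indicator of
    the behaviour. This catches every variant of this engine, but it is still
    a pattern match on the decoded form, so a new engine or a rephrased
    payload evades it again."""
    if len(sample) < 2:
        return False
    return indicator in unpack(sample)


def run_experiment(n_variants: int = 10, seed: int = 1) -> dict:
    rng = random.Random(seed)           # seeded so the run is repeatable
    first_seen = polymorph(PAYLOAD, key=0x41, rng=rng)
    blocklist = {sha1_hex(first_seen)}  # the "signature" the vendor shipped
    # The author regenerates the stub with a fresh key for every victim.
    variants = [polymorph(PAYLOAD, key=k, rng=rng)
                for k in range(0x50, 0x50 + n_variants)]
    # A benign file packed with the same stub, to show the false-positive side.
    benign = polymorph(b"print hello; exit", key=0x60, rng=rng)
    return {
        "known_sample_flagged": signature_detect(first_seen, blocklist),
        "signature_hits": sum(signature_detect(v, blocklist) for v in variants),
        "behavioural_hits": sum(behavioural_detect(v) for v in variants),
        "benign_flagged": behavioural_detect(benign),
        "distinct_hashes": len({sha1_hex(v) for v in variants}),
    }


if __name__ == "__main__":
    print(run_experiment())
```

The run flags the original sample, misses all ten re-keyed variants by hash, and catches all ten once the sample is decoded first. The caveat Sutherland is making is visible in the last detector: it only works because it knows this engine's decoding step and this payload's indicator, which is a signature by another name.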
Emmanuel Goldstein from 2600 Magazine sez, "The 2600 hacker video archiving project continues with 67 hours of talks from HOPE Number Six being put online for public consumption. Highlights include keynotes Richard Stallman, Michael Hart, and Jello Biafra, along with all sorts of other presentations ranging from technical to social issues. Most fascinating are the legal and privacy panels that predict what surveillance tools will be in place in the future - from a 2006 perspective. The videos have been set up so that they play in the order they were presented in an attempt to recreate the original feel of the conference."
Control-Alt-Hack is a tremendously fun, hacker-themed strategy card game that uses the mechanic of the classic Steve Jackson Ninja Burger game. It comes out of the University of Washington Computer Security and Privacy Research Lab, and features extremely entertaining and funny computer-security-themed scenarios, buffs, attacks and characters.
The gameplay is very well-thought-through (here's a PDF of the rules). Three of us sat down to play it this weekend with only a cursory glance at the rules beforehand. By following the quickstart instructions, we were able to jump straight into play, and within a few turns, we really had the rhythm and were busily sabotaging one another and cursing at the dice when they rolled against our favor.
Based on my play session, I'm really impressed. Though one player led the game early on, there were several reversals, wherein the leading and trailing players traded places -- always the mark of a great game. There was a good mix of skill, strategy and luck, and things were just complicated enough that it absorbed our full attention, without lagging or flagging.
A full game takes about an hour, and between three and six people can play at once. We played it after Sunday brunch and it was a great digestive aid. All three of us loved the geeky, info-sec-y references, the funny scenarios (everything from devising a cryptographic protocol for implanted medical devices to pranking a labmate with a gag WiFi keystroke-inserter), and the grace-notes (like a scenario that is encoded as a cryptogram). There were moments of unlikely hail-mary-heroism, crushing defeat, and lots of laughs. We'll play this one again.
Control-Alt-Hack: White Hat Hacking for Fun and Profit
Control-Alt-Hack [Publisher's site]
Brian Krebs reports on the takedown of the command-and-control servers for Rustock, the largest and most successful spam botnet. The botnet's output has fallen from thousands of spams per second to one or two spams per second:
It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.
Rustock Botnet Flatlined, Spam Volumes Plummet
Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.
(Image: Spam wall, a Creative Commons Attribution Share-Alike (2.0) image from 63056612@N00's photostream)
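A sketch of the domain-generation mechanism Krebs describes, added here as an illustration (it is not Rustock's actual algorithm, which the article does not publish): bot and botmaster derive the same candidate list from a shared seed. With a date seed, a defender can precompute the list and register or sinkhole the domains first; with a seed taken from live content such as news headlines, the defender has to fetch the same content at the same moment, which is exactly the head start the botmaster wants to deny. The label length, TLD set and SHA-256 construction are assumptions made for the example.

```python
import datetime
import hashlib

TLDS = ("com", "net", "org")   # assumed TLD pool for the toy


def dga(seed: bytes, count: int = 5, length: int = 12) -> list:
    """Derive `count` candidate rendezvous domains from a seed. Bot and
    botmaster both run this; the botmaster registers one domain on the list
    and every bot that computes the same list finds it."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def date_seed(day_iso: str) -> bytes:
    """Seed from the calendar date: predictable, so a defender can run ahead."""
    return datetime.date.fromisoformat(day_iso).isoformat().encode()


def headline_seed(headlines: list) -> bytes:
    """Seed from content the bots fetch live (the article speculates Rustock
    might use news headlines). A defender can only reproduce this by fetching
    the same content at the same time, which removes the head start."""
    return hashlib.sha256("\n".join(headlines).encode()).digest()


def bot_candidates(day_iso: str, count: int = 5) -> list:
    """What an infected host would try on a given day."""
    return dga(date_seed(day_iso), count)


def sinkhole_plan(start_iso: str, days: int, count: int = 5) -> dict:
    """Defender side: precompute every domain the bots will try for the next
    `days` days, so they can be registered or sinkholed before the botmaster."""
    start = datetime.date.fromisoformat(start_iso)
    plan = {}
    for d in range(days):
        day = (start + datetime.timedelta(days=d)).isoformat()
        plan[day] = bot_candidates(day, count)
    return plan


if __name__ == "__main__":
    for day, domains in sinkhole_plan("2011-03-17", 3).items():
        print(day, domains)
    # Constructed headlines: a live seed the defender cannot compute in advance.
    print(dga(headline_seed(["constructed headline A", "constructed headline B"])))
```

The date-seeded plan is what made pre-emptive registration possible in earlier takedowns; the headline-seeded variant is why Stewart's speculation matters, since it turns the defender's job from precomputation into a race to observe the same inputs the bots see.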
I am delighted to welcome author and journalist Joseph Menn (web / Twitter / Facebook) to Boing Boing as guestblogger. His most recent book, Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, was published this January in the US and comes out today in an updated paperback form.
From his bio:
Menn has spoken at major security conferences including RSA, Black Hat DC and DefCon on his findings, which include hard evidence that the governments of Russia and China are protecting and directing the behavior of some of the world's worst cyber-criminals. He also has given invited talks at meetings convened by the US Secret Service and Federal Deposit Insurance Corp.
"Fatal System Error accurately reveals the secretive global cyber cartels and their hidden multibillion-dollar business, proving cybercrime does pay and pays well," said Richard A. Clarke, special advisor to President George W. Bush for cyber security. The New Yorker magazine said it was "riveted" by the tale, comparing it to the novels of Stieg Larsson, while Business Week called it "a fascinating high-tech whodunit." Fatal System Error has been placed on the official reading list of the US Strategic Command and is being translated into Chinese, Japanese and Korean.
Menn has reported on technology for more than a decade at the Financial Times and the Los Angeles Times, mostly from his current base in San Francisco. His coverage areas for the FT include technology security and privacy, digital media, and Apple and the PC industry.
Your office's high-end photocopier probably has a hard drive that stores copies of documents scanned from the glass. Harvesting scanned documents from discarded office copiers (often returned at the end of a lease) yields a treasure trove of fascinating corporate secrets.
Of the dozens of multi-purpose copiers Beitner has cleaned out in the past two years, he has seen hundreds of scanned documents that would be considered confidential. As a personal policy, he never reads them, but can easily tell where they are by the file names and sizes.
High-tech copy machines a gold mine for data thieves
"In almost all the machines I have seen, the files, phone numbers, fax numbers and email addresses are left there as if it was still in the office," said Beitner. "There are files from insurance companies, medical facilities, pharmaceutical and regular office-type documents," he said...
And, as a few Google searches will show you, you don't even need to leave the comfort of your home. The activity of photocopiers linked to an unsecured network can be seen and tracked online. With a few clicks of a mouse, and no knowledge of how to hack, we could see the latest activity of a photocopier in Korea, which included copies of invoices and employee expenses.
(Image: keypad photocopier, a Creative Commons Attribution image from Mr Thinktank's photostream)
"Understanding scam victims: seven principles for systems security" by Cambridge University's Frank Stajano and Paul Wilson is an excellent look at the principles involved in "short cons" (confidence games that only take a few minutes to "play") and how they can be applied to information security. The authors examine the mechanics of scams demonstrated in the BBC show "The Real Hustle" and then extract the principles that drive them and show how they are also used in online ripoffs:
Understanding scam victims: seven principles for systems security
This illustrates something important. Many people feel that they are wise to certain scams or take steps to protect their property; but, often, these steps don't go far enough. A con artist can easily answer people's concerns or provide all sorts of proof to put minds at ease. In order to protect oneself, it's essential to remove all possibility of compromise. There's no point parking your own car if you then give the valet your keys. Despite this, the mark felt more secure when, in actual fact, he had made the hustler's job easier....

...Much of systems security boils down to "allowing certain principals to perform certain actions on the system while disallowing anyone else from doing them"; as such, it relies implicitly on some form of authentication--recognizing which principals should be authorized and which ones shouldn't. The lesson for the security engineer is that the security of the whole system often relies on the users also performing some authentication, and that they may be deceived too, in ways that are qualitatively different from those in which computer systems can be deceived. In online banking, for example, the role of verifier is not just for the web site (which clearly must authenticate its customers): to some extent, the customers themselves should also authenticate the web site before entering their credentials, otherwise they might be phished. However it is not enough just to make it "technically possible": it must also be humanly doable by non-techies. How many banking customers check (or even understand the meaning of) the https padlock?
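An added toy illustration of the "customers should also authenticate the web site" point (example code, not from the paper): one-way login hands the password to whoever answers, while a mutual challenge-response makes the site prove knowledge of the customer's key before the client releases its own proof, so a look-alike site learns nothing usable. Bank, Phisher, the enrolment key and the message layout are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed toy enrolment: a per-customer key that both the genuine site and
# the customer's client hold. Deliberately not derived from a password here.
USER_KEYS = {"alice": hashlib.sha256(b"constructed-enrolment-secret-alice").digest()}


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), "sha256").digest()


class Bank:
    """The genuine site. It authenticates the customer, and in the mutual
    flow it also proves itself to the customer first."""

    def __init__(self, keys: dict, passwords: dict):
        self.keys, self.passwords = keys, passwords

    def accept_password(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password   # toy: real sites store hashes

    def respond(self, user: str, nonce_c: bytes):
        nonce_s = os.urandom(16)
        return nonce_s, _mac(self.keys[user], b"server", nonce_c, nonce_s)

    def verify_client(self, user, nonce_c, nonce_s, proof_c) -> bool:
        expected = _mac(self.keys[user], b"client", nonce_s, nonce_c)
        return hmac.compare_digest(expected, proof_c)


class Phisher:
    """A look-alike site. It can answer every message but holds no key."""

    def __init__(self):
        self.secrets = []

    def accept_password(self, user, password) -> bool:
        self.secrets.append(password)            # the whole point of the scam
        return True

    def respond(self, user, nonce_c):
        return os.urandom(16), os.urandom(32)    # can only guess the proof

    def verify_client(self, user, nonce_c, nonce_s, proof_c) -> bool:
        return True                              # pretends to log the victim in


def naive_login(site, user: str, password: str) -> bool:
    """One-way authentication: the client hands its credential to whoever
    is at the other end of the connection."""
    return site.accept_password(user, password)


def mutual_login(site, user: str, key: bytes) -> str:
    """The client authenticates the site before releasing anything it knows."""
    nonce_c = os.urandom(16)
    nonce_s, proof_s = site.respond(user, nonce_c)
    if not hmac.compare_digest(_mac(key, b"server", nonce_c, nonce_s), proof_s):
        return "aborted"         # the site could not prove it knows our key
    proof_c = _mac(key, b"client", nonce_s, nonce_c)
    return "ok" if site.verify_client(user, nonce_c, nonce_s, proof_c) else "rejected"


if __name__ == "__main__":
    bank, lookalike = Bank(USER_KEYS, {"alice": "hunter2"}), Phisher()
    print(naive_login(lookalike, "alice", "hunter2"), lookalike.secrets)
    print(mutual_login(lookalike, "alice", USER_KEYS["alice"]), lookalike.secrets)
    print(mutual_login(bank, "alice", USER_KEYS["alice"]))
```

The verification the customer will not do by eye is done by the client software, which is the paper's "humanly doable" requirement in practice (the https padlock is the deployed form of it). Two caveats a practitioner would add: a relay that forwards the nonces between the victim and the real bank passes this check unless the proofs are bound to the TLS channel, and if the key were derived from a weak password, a captured proof would permit offline guessing.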