Boing Boing 

Meet the ninja who protects First Look from the crooked spies it reports on


First Look Media was founded to report on sensitive, adversarial stories about the world's spy agencies. Imagine being the sysadmin in charge of ensuring that the spies being busted in the site's articles didn't hack the site itself.

Read the rest

Anti-forensic mobile OS gets your phone to lie for you

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the Cyanogenmod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that "lies" for you so that adversaries who coerce you into letting them take a copy of its data can't find out where you've been, who you've been talking to, or what you've been talking about.

I'm interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc -- all the things that are useful to have in daily use -- but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn't work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don't need to seize your phone in the first place.

Read the rest

Mysterious announcement from Truecrypt declares the project insecure and dead

The abrupt announcement that the widely used, anonymously authored disk-encryption tool Truecrypt is insecure and will no longer be maintained shocked the crypto world–after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai’i. Cory Doctorow tries to make sense of it all.

Read the rest

Estonia's online voting system is horrifically insecure and can't be trusted

Jason Kitcat writes, "I'm currently in Tallinn, Estonia as part of a team of independent security and elections researchers sharing our findings that the Estonian online e-voting system has serious flaws. We monitored the e-voting system in live use as accredited observers during municipal elections in October 2013. Then, using the source code the Estonian National Election Committee publishes, a replica of the system was built at the University of Michigan."

Read the rest

Former NSA boss defends breaking computer security (in the name of national security)


For me, the most under-reported, under-appreciated element of the Snowden leaks is the BULLRUN/EDGEHILL program, through which the NSA and GCHQ spend $250,000,000/year sabotaging information security. In a great Wired story, Andy Greenberg analyzes former NSA chief Keith Alexander's defense of the stockpiling of vulnerabilities to attack "bad guys." There is no delusion more deadly than the idea that spies will make us more secure by weakening our computers' security to make it easier to spy on us.

Read the rest

Hacking the hospital: medical devices have terrible default security


Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago's Thotcon, "Just What The Doctor Ordered?" is a terrifying tour through the disastrous state of medical device security.

Wired's Kim Zetter summarizes Erven's research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in their codebase (as was the case with the disastrous Heartbleed vulnerability), but rather these are incredibly stupid, incredibly easy to discover mistakes, such as hardcoded easy default passwords. For example: surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.

The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks -- or to withhold them when needed. Doctors' instructions to administer therapies can be intercepted and replayed, adding them to other patients' records. You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee's laptop with a trojan, you can roam free. You can change CT scanner parameters and cause them to over-irradiate patients.

The one bright spot is that anaesthesia and ventilators are not generally networked and are more secure.

Read the rest

Google Maps' spam problem presents genuine security issues


Bryan Seely, a Microsoft Engineer demonstrated an attack against Google Maps through which he was able to set up fake Secret Service offices in the company's geo-database, complete with fake phone numbers that rang a switch under his control and then were forwarded to real Secret Service offices, allowing him to intercept and record phone-calls made to the Secret Service (including one call from a police officer reporting counterfeit money). Seely was able to attack Google Maps by adding two ATMs to the database through its Google Places crowdsourcing tool, verifying them through a phone verification service (since discontinued by Google), then changing them into Secret Service offices. According to Seely, the disabling of the phone-verification service would not prevent him from conducting this attack again.

As Dune Lawrence points out, this is a higher-stakes version of a common spam-attack on Google Maps practiced by locksmith, carpet cleaning, and home repair services. Spammers flood Google Maps with listing for fake "local" companies offering these services, and rake in high commissions when you call to get service, dispatching actual local tradespeople who often charge more than you were quoted (I fell victim to this once, when I had a key break off in the lock of my old office-door in London and called what appeared to be a "local" locksmith, only to reach a call-center who dispatched a locksmith who took two hours to arrive and charged a huge premium over what I later learned by local locksmiths would have charged).

A detailed post by Dan Austin describes this problem, points out that Google is more than four years late in delivering promised fixes to the problem, and offers solutions of his own. He suggests that the high Google Adwords revenue from spammy locksmiths and other services is responsible for the slow response to the problem.

Read the rest

Samsung Galaxy back-door allows for over-the-air filesystem access


Developers from the Replicant project (a free Android offshoot) have documented a serious software back-door in Samsung's Android phones, which "provides remote access to the data stored on the device." They believe it is "likely" that the backdoor could provide "over-the-air remote control" to "access the phone's file system."

At issue is Samsung's proprietary IPC protocol, used in its modems. This protocol implements a set of commands called "RFS commands." The Replicant team says that it can't find "any particular legitimacy nor relevant use-case" for adding these commands, but adds that "it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

The Replicant site includes proof-of-concept sourcecode for a program that will access the file-system over the modem. Replicant has created a replacement for the relevant Samsung software that does not allow for back-door access.

Read the rest

How the NSA plans to automatically infect "millions" of computers with spyware




A new Snowden leak, detailed in a long, fascinating piece in The Intercept, explains the NSA's TURBINE initiative, intended to automate malicious software infections. These infections -- called "implants" in spy jargon -- have historically been carried out on a narrow, surgical scale, targeted at people of demonstrated value to spies, due to the expense and difficulty of arranging the attacks.

But TURBINE, which was carried out with other "Five Eyes" spy agencies as part of the NSA's $67.6M "Owning the Net" plan, is intended to automate the infection process, allowing for "millions" of infections at once.

The article mentions an internal NSA message-board posting called "I hunt sys admins," sheds some light on the surveillance practices at the NSA. In the post, an NSA operative explains that he targets systems administrators at companies, especially telecoms companies, as a "means to an end" -- that is, infiltrating the companies' networks. As Glenn Greenwald and Ryan Gallagher point out, this admission shows that malware attacks are not targeted solely or even particularly at people suspected of terrorism or other crimes -- rather, they are aimed at the people who maintain the infrastructure of critical networks and systems to allow the NSA to control those systems.

The malware that TURBINE implants can compromise systems in a variety of ways, including hijacking computer cameras and microphones, harvesting Web-browsing history and email traffic, logging passwords and other keystrokes, etc.

Read the rest

Security as a public health discipline, not an engineering one

In my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, I argue that computer security isn't really an engineering issue, it's a public health issue. As with public health, it's more important to be sure that our pathogens are disclosed, understood and disclosed than it is to keep them secret so we can use them against our enemies.

Read the rest

Break up the NSA and save American spooks from themselves

On CNN, Bruce Schneier lays out the current organizational structure of the NSA, dividing its activities in to three categories: spying on specific people; spying on everyone; and breaking the Internet to make spying easier. He then proposes a new structure for the American intelligence apparat: move spying on specific people to a totally separate US Cyber Command under the DoD ("attacking enemy networks is an offensive military operation, and should be part of an offensive military unit"); move spying on Americans to the FBI and create safeguards to be sure this is done in accord with the law and the Constitution; and terminate the NSA's program of undermining security.

Instead, put the NSA in charge of improving the security of Internet users -- including American residents, businesses and government agencies -- so that the nation is resilient. As Schneier writes: "We need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts -- from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly -- no secrecy required."

Read the rest

Bletchley Park's new management chucks out long-term volunteers

Here's more bad news from historic computing site Bletchley Park, where a new, slick museum is being put together with enormous corporate and state funding. Last month, it was the fact that McAfee had apparently banned any mention of Edward Snowden in a cybersecurity exhibit.

Now there's this heartrending BBC report on how volunteers who've given decades of service to Bletchley have been summarily dismissed because they don't fit in with the new plan. The museum of Churchill memoribilia that shared the Bletchley site has been evicted.

For people like me who've donated over the years, fundraised for it, and joined the Friends of Bletchley, this is really distressing news. I've always dreamt of Bletchley getting enough funding to do the site and its collection justice, but if it comes at the expense of decency and integrity, they may as well have left it as Churchill did -- abandoned and forgotten.

Update: Bletchley Trust has clarified to me that while this volunteer was dismissed from guiding tours because he refused to conduct the tour to the new spec, he still volunteers with the Trust in its educational department.

BBC News Bletchley Park s bitter dispute over its future (via /.)

How to configure Chrome to stop websites from bugging you with your computer's microphone and camera


Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of Github to use your mic, and thereafter, every Github page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.

Google has created a fix for this, but have not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.

Read the rest

HOPE X call for participation now open

Emmanuel Goldstein from 2600 Magazine writes, "The call for participation at HOPE X in New York City is now open. There is room for over 100 talks and panels, dozens of workshops, and all kinds of creative artwork with hacker overtones. This is expected to be one of the largest conferences dealing with hacking, whistleblowing, social change, surveillance, and new technology ever presented in the United States. There will be no government agency recruiters, no commercial exploitation, and no shortage of controversy. The doors are now open for imaginative ideas at this very crucial point in hacker (and human) history. HOPE X takes place July 18-20, 2014 at the Hotel Pennsylvania in New York City."

Teach your rooted Android phones to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they're trying to do something that treats you as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer.

Your refrigerator probably hasn't joined a botnet


A mediagenic press-release from Proofpoint, a security firm, announced that its researchers had discovered a 100,000-device-strong botnet made up of hacked "Internet of Things" appliances, such as refrigerators. The story's very interesting, but also wildly implausible as Ars Technica's Dan Goodin explains.

The report is light on technical details, and the details that the company supplied to Goodin later just don't add up. Nevertheless, the idea of embedded systems being recruited to botnets isn't inherently implausible, and some of the attacks that Ang Cui has demonstrated scare the heck out of me.

For more speculation, see my story The Brave Little Toaster, from MIT's TRSF.

Read the rest

Details about the malware used to attack Target's point-of-sale machines


The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.

Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.

Read the rest

HEADWATER: NSA program for sabotaging Huawei routers over the Internet


Bruce Schneier leads a discussion of HEADWATER, the NSA's tool for compromising Huawei routers over the Internet and turning them into snoops. It's one of the entries from the notorious TAO catalog:

Read the rest

Victorian Transport Department calls cops on 16 year old for reporting bug that exposed customers' personal data

Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."

He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, who called the Transport Department for comment. Whereupon the Transport Department called the police, who arrested the teenager.

It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.

But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.

The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all.

Read the rest

Senior execs are the biggest risk to IT security

Stroz Friedberg, a risk-management consultancy, commissioned a survey [PDF] of information handling practices in businesses that concluded that senior managers are the greatest risk to information security within companies.

Read the rest

Hackers vs the NSA in 1986

Emmanuel Goldstein from 2600 Magazine sez, "It shouldn't be that surprising, but Volume Three of The Hacker Digest contains all kinds of news items and articles concerning the National Security Agency, its attempts to control encryption, and the threat of surveillance. This was the hacker world of 1986."

Read the rest

NSA has a 50-page catalog of exploits for software, hardware, and firmware

A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).

ANT's catalog runs to 50 pages, and lists electronic break-in tools, wiretaps, and other spook toys. For example, the catalog offers FEEDTROUGH, an exploit kit for Juniper Networks' firewalls; gimmicked monitor cables that leak video-signals; BIOS-based malware that compromises the computer even before the operating system is loaded; and compromised firmware for hard drives from Western Digital, Seagate, Maxtor and Samsung.

Many of the exploited products are made by American companies, and hundreds of millions of everyday people are at risk from the unpatched vulnerabilities that the NSA has discovered in their products.

Read the rest

TAO: the NSA's hacker plumber-wunderkinds

A new Snowden leak disclosed in Der Spiegel details the operations of the NSA's Tailored Access Operations group (TAO), the "plumbers" of the spy agency who collect and deploy exploits to infiltrate computer systems. Reportedly, Edward Snowden turned down a chance join the group.

TAO's repertoire of attacks included unpublished exploits and back-doors for products from major US IT companies like Microsoft and Cisco, as well as foreign companies like Huawei. Spiegel reports that TAO infiltrated networks in 89 countries, including "the protected networks of democratically elected leaders of countries." They took special interest in Mexico's anti-terror efforts, running an operation called WHITETAMALE that compromised the Mexican Secretariat of Public Security.

The tactics deployed by TAO relied upon other NSA programs, like the infamous XKeyscore, which was used to passively intercept crash reports from computers running Windows in order to profile these systems and tailor attacks aimed at them. TAO also compromised the Blackberry's BES email servers, and were able to read mail sent and received by Blackberry users.

One interesting wrinkle: TAO used interception of ecommerce shipping reports to discover when a target ordered new computer equipment. These shipments would be intercepted and loaded with malware before delivery. I know an ex-MI5 whistleblower who only buys computers by walking into a store at random and plucking them off the shelf, to prevent this sort of attack. When I learned about this practice, it sounded a little paranoid to me, but it seems that it's actually a very reasonable precaution.

Read the rest

EFF: the NSA has endangered us all by sabotaging security

The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which legalized civilian access to strong cryptography -- in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices.

Read the rest

Decrypting EFF's DEFCON crypto-challenge tee


For this year's DEFCON conference, the Electronic Frontier Foundation released an encryption-puzzle t-shirt (with glow-in-the-dark clues!) designed by EFF Senior Designer Hugh D'Andrade and Staff Technologist Micah Lee. The puzzle was fiendishly clever and made for a beautiful tee, and now it has been cracked by some of DEFCON's intrepid attendees, the first ten of whom stand to win a beautiful, limited edition, signed print.

Read the rest

Ethical questions for security experts


Alex Stamos's Defcon 21 presentation The White Hat’s Dilemma is a compelling and fascinating look at the ethical issues associated with information security work in the era of mass surveillance, cyberwar, and high-tech extortion and crime.

Read the rest

When advanced black-hat hacking goes automatic, script kiddies turn into ninjas

In "The anti-virus age is over," Graham Sutherland argues that the targeted, hard-to-stop attacks used by government-level hackers and other "advanced persistent threats" are now so automatable that they have become the domain of everyday script-kiddie creeps. Normally, the advanced techniques are only used against specific, high-value targets -- they're so labor-intensive that it's not worth trying them on millions of people in order to get a few more machines for a spam-sending botnet, or to extract a few credit-card numbers and passwords with a key-logger.

But all attacks tend to migrate from the realm of hand-made, labor-intensive and high-skill techniques to automated techniques that can be deployed with little technical expertise against millions of random targets.

Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malintent at best.

We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits / payloads and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.

This was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook). It's a funny old world.

The anti-virus age is over.

Hacker talks from HOPE 6 online

Emmaneul Goldstein from 2600 Magazine sez, "The 2600 hacker video archiving project continues with 67 hours of talks from HOPE Number Six being put online for public consumption. Highlights include keynotes Richard Stallman, Michael Hart, and Jello Biafra, along with all sorts of other presentations ranging from technical to social issues. Most fascinating are the legal and privacy panels that predict what surveillance tools will be in place in the future - from a 2006 perspective. The videos have been set up so that they play in the order they were presented in an attempt to recreate the original feel of the conference."

Control-Alt-Hack: delightful strategy card game about white-hat hacking


Control-Alt-Hack is a tremendously fun, hacker-themed strategy card game that uses the mechanic of the classic Steve Jackson Ninja Burger game. It comes out of the University of Washington Computer Security and Privacy Research Lab, and features extremely entertaining and funny computer-security-themed scenarios, buffs, attacks and characters.

The gameplay is very well-thought-through (here's a PDF of the rules). Three of us sat down to play it this weekend with only a cursory glance at the rules beforehand. By following the quickstart instructions, we were able to jump straight into play, and within a few turns, we really had the rhythm and were busily sabotaging one another and cursing at the dice when they rolled against our favor.

Based on my play session, I'm really impressed. Though one player led the game early on, there were several reversals, wherein the leading and trailing players traded places -- always the mark of a great game. There was a good mix of skill, strategy and luck, and things were just complicated enough that it absorbed our full attention, without lagging or flagging.

A full game takes about an hour, and between three and six people can play at once. We played it after Sunday brunch and it was a great digestive aid. All three of us loved the geeky, info-sec-y references, the funny scenarios (everything from devising a cryptographic protocol for implanted medical devices to pranking a labmate with a gag WiFi keystroke-inserter), and the grace-notes (like a scenario that is encoded as a cryptogram). There were moments of unlikely hail-mary-heroism, crushing defeat, and lots of laughs. We'll play this one again.

Control-Alt-Hack: White Hat Hacking for Fun and Profit

Control-Alt-Hack [Publisher's site]

World's largest spam botnet goes down (for now?)

Brian Krebs reports on the takedown of the command-and-control servers for Rustock, the largest and most successful spam botnet. The botnet's output has fallen from thousands of spams per second to one or two spams per second:
It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.

Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.

Rustock Botnet Flatlined, Spam Volumes Plummet

(Image: Spam wall, a Creative Commons Attribution Share-Alike (2.0) image from 63056612@N00's photostream)