VUPEN is an anti-security company that roots out vulnerabilities in common operating systems and programs and sells these vulnerabilities to governments, police forces and others who want to use them to build malicious software to let them spy on people (we've written about them before). Now they claim to have found vulnerabilities in Windows 8 and Internet Explorer 10, and have put these up for sale to customers who want to use them to hijack other people's computers.
"Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8" — VUPEN Security (@VUPEN), October 30, 2012
Want to know if you're in for a date with Doctor Jellyfinger the next time you go to the airport? Just print out your boarding-card and scan in the barcode: it encodes whether you're getting the "full security screening" or just the normal humiliation. Information about this vulnerability spread after a John Butler blog-post documented it. Not only can you discover if you're headed for the full monty, but you can also change your screening status by re-encoding the barcode with a different search-depth attached to your reservation.
I have X'd out any information that you could use to change my reservation. But it's all there: PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.
What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID.
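The weakness described above is that the barcode payload is plaintext with nothing binding its fields together, so a scanner has no way to tell an edited pass from a genuine one. The following added example (not from the original post or from any airline system) shows the defensive fix: an airline-side HMAC over the payload. The record layout, the field names, the sample passenger data and the key are all constructed for illustration; the real boarding-pass barcode layout is not reproduced here. An unsigned record accepts an edit to the screening digit silently, while the signed record is rejected by the verifier the moment any field changes.

```python
import hashlib
import hmac

# Constructed, simplified boarding-pass record used only for this demonstration.
# It mirrors the fields the post lists (name, PNR, flight, seat) plus the trailing
# screening digit, where "1" means standard screening and "3" means Pre-Check.
FIELD_ORDER = ("name", "pnr", "flight", "seat", "screening")

# Hypothetical airline-side secret shared with the checkpoint scanner only.
AIRLINE_KEY = b"constructed-demo-key-not-a-real-secret"


def encode_record(fields):
    """Serialize a record into the plaintext payload a barcode would carry."""
    return "|".join(fields[k] for k in FIELD_ORDER)


def decode_record(payload):
    """Parse a payload back into fields; no secret is needed, exactly as the post notes."""
    parts = payload.split("|")
    if len(parts) != len(FIELD_ORDER):
        raise ValueError("malformed payload")
    return dict(zip(FIELD_ORDER, parts))


def sign_payload(payload, key=AIRLINE_KEY):
    """Append an HMAC-SHA256 tag computed over the whole payload."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}#{tag}"


def verify_payload(signed, key=AIRLINE_KEY):
    """Return the parsed fields if the tag matches; return None to reject the pass."""
    payload, sep, tag = signed.rpartition("#")
    if not sep:
        return None  # no tag at all: treat as unsigned and reject
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # any edited field changes the tag, so the edit is detected
    return decode_record(payload)


def rewrite_screening(payload, new_value):
    """Rewrite only the screening digit, the one-character edit the post describes."""
    fields = decode_record(payload)
    fields["screening"] = new_value
    return encode_record(fields)


def demo():
    """Compare the unsigned and signed designs on a constructed sample pass.

    Returns (unsigned_result, signed_result): the screening value a scanner would
    accept from an edited unsigned pass, and the verifier's answer for an edited
    signed pass (None means rejected).
    """
    sample = {"name": "DOE/JANE", "pnr": "ABC123", "flight": "XX0001",
              "seat": "12A", "screening": "1"}
    payload = encode_record(sample)

    # Unsigned design: the scanner just trusts whatever digit is present.
    unsigned_result = decode_record(rewrite_screening(payload, "3"))["screening"]

    # Signed design: the same edit is applied to the payload, the old tag is kept.
    signed = sign_payload(payload)
    body, _, tag = signed.rpartition("#")
    edited_signed = rewrite_screening(body, "3") + "#" + tag
    signed_result = verify_payload(edited_signed)

    return unsigned_result, signed_result


if __name__ == "__main__":
    print(demo())  # ('3', None): unsigned edit accepted, signed edit rejected
```

The design point is that the tag has to be keyed, not a plain hash: a bare checksum could simply be recomputed after the edit, whereas an HMAC cannot be regenerated without the airline's key. Replay of an unmodified pass is a separate problem that this check alone does not address.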
In a presentation at the BreakPoint security conference in Melbourne, IOActive researcher Barnaby Jack described an attack on pacemakers that could, he says, deliver lethal shocks to their owners. Jack claims that an unspecified pacemaker vendor's devices have a secret wireless back-door that can be activated by knowledgeable attackers from up to 30 feet away, and that this facility can be used to kill the victim right away, or to reprogram pacemakers to broadcast malicious firmware updates as their owners move around, which cause them to also spread the firmware, until they fail at a later time. Darren Pauli from Secure Business Intelligence quotes Jack as saying,
“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range,” Jack said.
He was developing a graphical administration platform dubbed "Electric Feel" which could scan for medical devices in range and with no more than a right-click, could enable shocking of the device, and reading and writing firmware and patient data.
"With a max voltage of 830 volts, it's not hard to see why this is a fairly deadly feature. Not only could you induce cardiac arrest, but you could continually recharge the device and deliver shocks on loop," he said.
Manufacturers of implanted devices have been resistant to calls to publish their source code and to allow device owners to inspect and modify that code, citing security concerns should latent vulnerabilities be exposed and put implantees at risk.
Ot from Bits of Freedom sez, "On 15 October, the Dutch ministry of Justice and Security proposed powers for the police to break into computers, install spyware, search computers and destroy data. These powers would extend to computers located outside the Netherlands. Dutch digital rights movement Bits of Freedom warns of the unacceptable risks to cybersecurity and calls on other countries to strongly oppose the proposal."
Three new powers: spy, search and destroy
The proposal (Dutch, PDF) would grant powers to the Dutch police to break into computers, including mobile phones, via the internet in order to:
* install spyware, allowing the police to overtake the computer;
* search data on the computer, including data on computers located in other countries; and
* destroy data on the computer, including data on computers located in other countries.
If the location of the computer cannot be determined, for example in the case of Tor hidden services, the police are not required to submit a request for legal assistance to another country before breaking in. Under the current text, it is uncertain whether a legal assistance request is required, or merely warranted, if the location of the computer is known. The exercise of these powers requires a warrant from a Dutch court.
Following up on yesterday's announcement by the UK Home Secretary that Pentagon hacker Gary McKinnon will not be extradited to the USA (where he faces up to 60 years in prison), the Guardian's Lizzy Davies reports on McKinnon's reaction:
Speaking in the aftermath of the decision, about which his mother informed him late on Tuesday morning shortly before May's statement, Glasgow-born McKinnon said he felt hopeful for the first time in a decade. "I have spent the past 10 years living with a dark and hollow feeling," he told the Daily Mail. "I have always thought that if things went against me, I would just have to end it all and take my own life. Now I just feel that I have been set free."
Referring to his long-term girlfriend, Lucy Clarke, who campaigned against his extradition alongside Janis Sharp, McKinnon's mother, he added: "I had no hopes for a future, no way of making plans, no thoughts of asking Lucy to share my life, no thoughts of whether I could ever have children or get work. It still does not feel real – but only now am I starting to feel as if a shutter has flipped up and lifted in my head."
Brian Krebs revisits his must-see chart on the ways that hacked PCs can be valuable to criminals, which is meant to help explain the importance of security to people who think that their old PCs aren't worth enough for crooks to bother with. As Krebs points out, even low-powered antiques can be used to get up to all sorts of mischief that can compromise your privacy, finance and data, as well as the integrity of the Internet itself.
One of the ideas I tried to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.
2600's Emmanuel Goldstein sez, "Another 78 videos of historical hacker talks have been restored and posted online. The Fifth HOPE conference in 2004 brought together Steve Wozniak, Kevin Mitnick, Bruce Schneier, Jello Biafra and many more in an eclectic and enlightening mix of technical information, security challenges, social issues, and a spirit of fun and rebellion that now can be shared globally for the first time."
Robin Gross from IP Justice sez, "Public interest groups involved in ICANN will gather for the event, 'ICANN & Internet Governance: Security & Freedom in a Connected World' on Friday 12 October at the Fairmont Royal York Hotel in Toronto, Canada. Sponsored by the Noncommercial Users Constituency (NCUC), the voice of civil society in ICANN, the policy conference will focus on key ICANN policy issues like the need to promote both cyber-security and human rights in the development of global Internet policies. The event kicks off with a morning address from cyber-security expert Ron Deibert, Director of the Canada Centre for Global Security Studies and The Citizen Lab, an inter-disciplinary research and development hothouse at the University of Toronto. Deibert will address the need to establish a cyber-security strategy for global civil society."
NCUC's policy conference will discuss the promotion of cyber-security and human rights on the Internet, multi-stakeholderism and the role of governments, and key policy issues surrounding new top-level domains such as freedom of expression and intellectual property rights. The conference subtitle "Security & Freedom in a Connected World" recognizes society's shared twin goals of security and freedom, and questions to what extent society must sacrifice one for the other.
Cyber-security expert Ron Deibert from The Citizen Lab at the University of Toronto will address the conference in the morning and ICANN's new CEO Fadi Chehade will deliver welcoming remarks to the group right after lunch. Other confirmed speakers include governmental representatives, members of ICANN's board of directors and senior staff, civil society and Internet business leaders.
My latest Guardian column, "Automated calls, fraud and the banks: a mismatch made in hell," reacts to the news that UK banks are using robo-call machines to check in with customers on possibly fraudulent transactions, and going about it in the worst way possible:
The banks, bless them, are only trying to prevent fraud, but this is a pretty silly way of going about it. For starters, there's the business of calling up people and asking them to give you all the information necessary to prove that they are indeed a bank customer – all the information that a fraudster needs to impersonate that person at the bank, in other words. The banks have spent decades systematically conditioning us to give our personal information to fraudsters, which is a strange way to prevent fraud.
But at least this silliness had one saving grace: a fraudster can only make so many calls per day, and so the scope of losses from such a programme of bad security education is limited by the human frailties of con-artists.
Enter the robo-caller. The banks are now outsourcing their fraud prevention to computers that can make dozens of calls all at once, around the clock, fishing (or phishing) for someone who just happened to have made an unusual purchase and is thus willing to spill all his details down the phone to get it approved. Note that most of the categories of purchase that trigger false positives from fraud detection systems are also the sort of thing that customers are anxious to see go off without a hitch.
The FTC has settled with seven rent-to-own companies and a software company called DesignerWare of North East Pennsylvania for their role in secretly installing spyware on rental laptops, which was used to take "pictures of children, individuals not fully clothed, and couples engaged in sexual activities."
Under the terms of the settlement, the companies are free to go on engaging in this behavior, but now they'll have to notify customers. They won't pay a fine. The FTC won't say if it's referred any of the companies for criminal prosecution. The rental companies used the spyware to harvest renters' bank passwords, private emails to doctors, medical records, and Social Security numbers, and they used it to pop up deceptive windows on customers' computers to trick them into entering personal information.
Wired's David Kravets has more:
The software, known as Detective Mode, didn’t just secretly turn on webcams. It “can log the keystrokes of the computer user, take screen shots of the computer user’s activities on the computer, and photograph anyone within view of the computer’s webcam. Detective Mode secretly gathers this information and transmits it to DesignerWare, who then transmits it to the rent-to-own store from which the computer was rented, unbeknownst to the individual using the computer,” according to the complaint.
Under the settlement, the companies can still use tracking software on their rental computers, so long as they advise renters, the FTC said. The companies include Aspen Way Enterprises Inc.; Watershed Development Corp.; Showplace Inc., doing business as Showplace Rent-to-Own; J.A.G.
Moxie Marlinspike and David Hulton's Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate presentation from Defcon is now a reality. If you want to crack a MS-CHAPv2 PPTP authentication handshake (like the one I use when I connect to IPREDator, the secure proxy I favor), they'll exhaust all of the DES keyspace for you for a mere $20, usually in less than a day.
Basically, MS-CHAPv2-based VPNs should now be considered insecure and not fit for purpose. Plus Moxie and David can brute force all of DES for $20. Yowza.
A Week Of Discounted Cracking
For this week (9/23/2012), we will be offering deeply discounted MS-CHAPv2 cracking jobs by reducing the price from $200 to $20. This means that any PPTP VPN connection or intercepted MS-CHAPv2 WPA Enterprise wireless credentials can be cracked and decrypted with a 100% success rate for only $20.
The one major caveat is that an influx of additional jobs might increase the pending queue depth and cause MS-CHAPv2 jobs to take slightly longer than usual, but we'll see how it goes.
"The Terrorism Delusion," a paper by John Mueller and Mark G. Stewart in this summer's issue of International Security, argues that terrorists basically suck at their jobs. They report that the best US intelligence puts the whole al Qaeda weapons of mass destruction R&D budget at US$4,000; that Americans who are "radicalized" and brought to terrorism training camps return disgusted and disillusioned and determined to put future recruits off (and then get arrested anyway); that Iraqis were so alienated from loony al Qaeda fighters that bin Laden proposed renaming the group; and that terrorists who are busted are basically dolts, fools, bumblers and delusional loonies.
But, as Mueller and Stewart write, the counter-terror forces continue to present terrorism as a grave risk brought about by super-criminal masterminds who threaten the safety of all of us, every day.
Terrorists have proven to be relentless, patient, opportunistic, and flexible, learning from experience and modifying tactics and targets to exploit perceived vulnerabilities and avoid observed strengths.”8
This description may apply to some terrorists somewhere, including at least a few of those involved in the September 11 attacks. Yet, it scarcely describes the vast majority of those individuals picked up on terrorism charges in the United States since those attacks. The inability of the DHS to consider this fact even parenthetically in its fleeting discussion is not only amazing but perhaps delusional in its single-minded preoccupation with the extreme.
In sharp contrast, the authors of the case studies, with remarkably few exceptions, describe their subjects with such words as incompetent, ineffective, unintelligent, idiotic, ignorant, inadequate, unorganized, misguided, muddled, amateurish, dopey, unrealistic, moronic, irrational, and foolish.9 And in nearly all of the cases where an operative from the police or from the Federal Bureau of Investigation was at work (almost half of the total), the most appropriate descriptor would be “gullible.”
In all, as Shikha Dalmia has put it, would-be terrorists need to be "radicalized enough to die for their cause; Westernized enough to move around without raising red flags; ingenious enough to exploit loopholes in the security apparatus; meticulous enough to attend to the myriad logistical details that could torpedo the operation; self-sufficient enough to make all the preparations without enlisting outsiders who might give them away; disciplined enough to maintain complete secrecy; and—above all—psychologically tough enough to keep functioning at a high level without cracking in the face of their own impending death."