Skype's IP-leaking security bug creates denial-of-service cottage industry

It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

Brian Krebs talks to hacker who may have SWATted him and attacked Wired's Mat Honan

Last week, Brian Krebs (a respected security researcher and journalist who often publishes details about high-tech crime) was SWATted -- that is, someone defrauded his local police department into sending a SWAT team to his house, resulting in his getting confronted by gun-wielding, hair-trigger cops who had him lie on the ground and cuffed him before it was all sorted out.

Krebs, being a talented investigator, is hot on the trail of the people or person responsible for this. And a variety of sources point to a 20-year-old hacker who goes by "Phobia," and whose real name, according to Krebs, is Ryan Stevenson. Phobia was implicated in the attack on Wired reporter Mat Honan, wherein his laptop drive and online backup were deleted, including irreplaceable photos of his child's first year, and eight years' worth of email.

Krebs phoned "Phobia" up and ended up speaking to Phobia and his father. Phobia denied attacking Krebs and insisted that he had nothing to do with the gamer/fraudster clan behind it (though Krebs pointed out that Phobia can be heard speaking in the group's YouTube videos, which document their attacks), but admitted that he had been the culprit in hacking Honan (his father then came onto the line to deny this). The transcript is the most interesting part of the piece:

BK: Uh huh. And is Honan referring to you in this article?

RS: Yeah.

BK: Yes?

RS: Uh huh.

BK: Did anything bad ever happen to you because of this?

RS: No.


Casino cheats used house CCTVs to score $32M

A rich, high-stakes gambler was dragged out of his opulent comp suite at the Crown Towers casino in Melbourne, accused of participating in a $32M scam that made use of the casino's own CCTV cameras to cheat.

The Herald Sun understands remote access to the venue's security system was given to an unauthorised person.

Images relayed from cameras were then used to spy on a top-level gaming area where the high roller was playing.

Signals were given to him on how he should bet based on the advice of someone viewing the camera feeds. Sources said the total stolen was $32 million.

They are capable of transmitting the most intricate detail of goings-on inside the building.

Casinos were the world leaders in CCTV use, and really represent ground zero for the panopticon theory of security. What is rarely mentioned is that "security" measures can be turned against defenders if attackers can hijack them. This is as true when a mugger uses his victim's gun against him as it is when a casino's own CCTVs are used to defeat its own anti-cheating measures. This is the high-stakes gambling version of all those IP-based CCTVs that leak sensitive footage of the inside of people's houses onto the public Internet.

Crown casino hi-tech scam nets $32 million [Mark Buttler/Herald Sun]

(via /.)

Control-Alt-Hack: delightful strategy card game about white-hat hacking

Control-Alt-Hack is a tremendously fun, hacker-themed strategy card game that uses the mechanic of the classic Steve Jackson Ninja Burger game. It comes out of the University of Washington Computer Security and Privacy Research Lab, and features extremely entertaining and funny computer-security-themed scenarios, buffs, attacks and characters.

The gameplay is very well-thought-through (here's a PDF of the rules). Three of us sat down to play it this weekend with only a cursory glance at the rules beforehand. By following the quickstart instructions, we were able to jump straight into play, and within a few turns, we really had the rhythm and were busily sabotaging one another and cursing at the dice when they rolled against our favor.

Based on my play session, I'm really impressed. Though one player led the game early on, there were several reversals, wherein the leading and trailing players traded places -- always the mark of a great game. There was a good mix of skill, strategy and luck, and things were just complicated enough that it absorbed our full attention, without lagging or flagging.

A full game takes about an hour, and between three and six people can play at once. We played it after Sunday brunch and it was a great digestive aid. All three of us loved the geeky, info-sec-y references, the funny scenarios (everything from devising a cryptographic protocol for implanted medical devices to pranking a labmate with a gag WiFi keystroke-inserter), and the grace-notes (like a scenario that is encoded as a cryptogram).

MD used "silicone fingers" to trick biometric time clock on colleagues' behalf

Brazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at the hospital near Sao Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." (BBC News)

Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"

Nate Anderson's long Ars Technica piece on RATters -- men who use "Remote Administration Tools" to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords -- is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this "game." Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by ratters (they call their victims "slaves"); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!"

One poster said he had already archived 200GB of webcam material from his slaves. "Mostly I pick up the best bits (funny parts, the 'good' [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake," he wrote.


RU Sirius on the history of cypherpunk

Over at The Verge, our pal RU Sirius writes about the history of "cypherpunk," a term coined in 1992 by legendary hacker St. Jude Milhon (RIP), and now used by Wikileaks founder Julian Assange in the title of his new book, Cypherpunks: Freedom and the Future of the Internet. From RU's piece at The Verge:

(EFF co-founder) John Gilmore summed up the accomplishments of the cypherpunks in a recent email: "We did reshape the world," he wrote. "We broke encryption loose from government control in the commercial and free software world, in a big way. We built solid encryption and both circumvented and changed the corrupt US legal regime so that strong encryption could be developed by anyone worldwide and deployed by anyone worldwide," including WikiLeaks.

As the 1990s rolled forward, many cypherpunks went to work for the man, bringing strong crypto to financial services and banks (on the whole, probably better than the alternative). Still, crypto-activism continued and the cypherpunk mailing list blossomed as an exchange for both practical encryption data and spirited, sometimes-gleeful argumentation, before finally peaking in 1997. This was when cypherpunk’s mindshare seemed to recede, possibly in proportion to the utopian effervescence of the early cyberculture. But the cypherpunk meme may now be finding a sort of rebirth in one of the biggest and most important stories in the fledgling 21st century.

"Cypherpunk rising: WikiLeaks, encryption, and the coming surveillance dystopia"

Access files on locked, encrypted Android phones by putting them in a freezer for an hour

This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the memory will retain enough charge to stay decrypted, and can boot up into a custom OS that can recover the keys and boot the phone up with all the files available in the clear. The attack is called FROST: "Forensic Recovery Of Scrambled Telephones," and it requires a phone with an unlocked bootloader to work.

At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut, any chance other than brute force to recover data is lost.

We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking.


TSA will allow small knives, golf clubs onto airplanes

In a rare, welcome moment of sanity, the TSA has announced that it will allow small knives, golf clubs, hockey sticks, wiffle bats, and similar items on planes. Given that you are allowed to bring on canes -- that is, clubs -- and 40-oz duty-free liquor bottles -- that is, long glass knives, this represents no new risk to flight crews. However, aviation employees are beefing and saying that this represents the TSA's convenience, not theirs. Gee, thanks.

On the other hand, they still ban box-cutters -- small knives of a specific, but not particularly lethal form -- because "there’s just too much emotion associated with them, particularly the box cutters." That's from John Pistole, head of the TSA, and apparent believer in sympathetic magic.

The agency will permit knives with retractable blades shorter than 6 centimeters (2.36 inches) and narrower than 1/2 inch, TSA Administrator John Pistole said today at an aviation security conference in Brooklyn. The change, to conform with international rules, takes effect April 25.

Passengers will also be allowed to board flights with some other items that are currently prohibited, including sticks used to play lacrosse, billiards and hockey, ski poles and as many as two golf clubs, Pistole said.

TSA Will Permit Knives, Golf Clubs on U.S. Planes [Jeff Plungis/Bloomberg]

(Thanks, Brian!)

Handmade lockpicks from old bandsaw blades

The wonderful folks at the Port City Makerspace had me over to their enormous, beautiful spot this evening, and gifted me with "the keys to the city," in the form of a set of handmade lockpicks from their own Tinker Woodworks. The picks are gorgeous. Seriously.

This is a handmade set of lockpicks with a leather case. The picks are shaped out of old bandsaw blades. I chose the pick shapes based on which picks have been most useful to me in my lock picking exploits. The case is made by soaking the leather and stitching it around a form to fit the picks. The case is about five inches long and fits nicely into a jacket pocket. I can do some simple embroidery on the case similar to the key embroidery in the pictures on one of the cases, or a person's initials, etc. Contact me if you want embroidery on the case. Otherwise the case will be the plain ones depicted. The kit comes with the three picks and two different size tension wrenches.

Lockpick tool set with leather case

Using Silk Road: game theory, economics, dope and anonymity

Gwern's "Using Silk Road" is a riveting, fantastically detailed account of the theory and practice of Silk Road, a Tor-anonymized drugs-and-other-stuff marketplace where transactions are generally conducted with Bitcoins. Gwern explains in clear language how the service solves many of the collective action problems inherent to running illicit marketplaces without exposing the buyers and sellers to legal repercussions, while simultaneously minimizing ripoffs from either side. It's a tale of remix-servers, escrows, economics, and rational risk calculus -- and dope.

But as any kidnapper knows, you can communicate your demands easily enough, but how do you drop off the victim and grab the suitcase of cash without being nabbed? This has been a severe security problem forever. And bitcoins go a long way towards resolving it. So the additional security from use of Bitcoin is nontrivial. As it happened, I already had some bitcoins. (Typically, one buys bitcoins on an exchange like Mt.Gox; the era of easy profitable "mining" passed long ago.) Tor was a little more tricky, but on my Debian system, it required simply following the official install guide: apt-get install the Tor and Polipo programs, stick in the proper config file, and then install the Torbutton. Alternately, one could use the Tor browser bundle which packages up the Tor daemon, proxy, and a web browser all configured to work together; I’ve never used it but I have heard it is convenient. (I also usually set my Tor installation to be a Tor server as well - this gives me both more anonymity, speeds up my connections since the first hop/connection is unnecessary, and helps the Tor network & community by donating bandwidth.)

Using Silk Road (via O'Reilly Radar)

Understanding the Computer Fraud and Abuse Act: can you go to jail for violating a clickthrough agreement?

The Computer Fraud and Abuse Act (CFAA) is a creaking, 1986-vintage US anti-hacking law. It makes it a felony to "exceed authorized access" on a computer you don't own, and some federal prosecutors (including Carmen Ortiz, who prosecuted Aaron Swartz) claim that this means that any time you violate the terms of service on a website, you commit a felony and can be imprisoned.

The Electronic Frontier Foundation has published detailed, user-friendly documentation for the CFAA, including the relevant case-law. It's a must-read for anyone who cares about justice in the 21st century. We click through dozens of impossible terms-of-service every day, and if violating them is a felony, we'll all be vulnerable to threats of a long sentence.

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication, shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer.” 18 U.S.C. § 1030. While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to be brought under the statute, as well.

Computer Fraud and Abuse Act (CFAA) (Thanks, Julian!)

Jacob Appelbaum's 29C3 keynote on the out-of-control surveillance state

Jacob Appelbaum's keynote from 29C3 -- last December's Chaos Communications Congress in Berlin -- is a riveting hour on surveillance, freedom, and the wild, criminal lawlessness of the NSA.

The flags really make this sign

USA USA USA

Canadian businesses lobby for the right to infect peoples' computers with viruses and rootkits

Michael Geist sez,

A coalition of Canadian industry groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, the Canadian Wireless Telecommunications Association and the Entertainment Software Association of Canada, are demanding legalized spyware for private enforcement purposes. The demand comes as part of a review of anti-spam and spyware legislation in Canada.

The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation).

Sony Rootkit Redux: Canadian Business Groups Lobby For Right To Install Spyware on Your Computer

How the Internet changes power relationships

Bruce Schneier's essay "Power and the Internet" is a thoughtful look at the way that the Internet causes shifts in power relationships. Here's the crux of the thing, in my opinion:

It's not all one-sided. The masses can occasionally organize around a specific issue -- SOPA/PIPA, the Arab Spring, and so on -- and can block some actions by the powerful. But it doesn't last. The unorganized go back to being unorganized, and powerful interests take back the reins.

Debates over the future of the Internet are morally and politically complex. How do we balance personal privacy against what law enforcement needs to prevent copyright violations? Or child pornography? Is it acceptable to be judged by invisible computer algorithms when being served search results? When being served news articles? When being selected for additional scrutiny by airport security? Do we have a right to correct data about us? To delete it? Do we want computer systems that forget things after some number of years? These are complicated issues that require meaningful debate, international cooperation, and iterative solutions. Does anyone believe we're up to the task?

We're not, and that's the worry. Because if we're not trying to understand how to shape the Internet so that its good effects outweigh the bad, powerful interests will do all the shaping. The Internet's design isn't fixed by natural laws. Its history is a fortuitous accident: an initial lack of commercial interests, governmental benign neglect, military requirements for survivability and resilience, and the natural inclination of computer engineers to build open systems that work simply and easily.


Seven steps to learning to love US torture and detention policies, via "Zero Dark Thirty"

A waterboarding scene from the film "Zero Dark Thirty."

Karen J. Greenberg, executive director of the New York University Center on Law and Security and author of The Least Worst Place: Guantanamo's First One Hundred Days, explains seven simple steps to making US torture and detention policies once again acceptable to the American public, as illustrated in "Zero Dark Thirty."
