Boing Boing 

Cyber-crooks turn to Bitcoin extortion


Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.

Read the rest

Charlie Stross on the stop/go nature of technological change

Charlie Stross's keynote speech to the Yet Another Perl Conference is an inspired riff on the weird, gradual-then-sudden nature of technological change. As Charlie points out, almost everything today -- including the people -- was around 20 years ago, and most of what's around now will be around in 20 years. But there will be some changes that would shock your boots off. Improbably, he manages to tie this all into perl programming, which, apparently, is the future of smart sidewalks. Charlie's thoughtfully provided a transcript of his talk, and there's a video for those who prefer to hear his rather good comic delivery.

Read the rest

Cops bust cybercrook who sent heroin to Brian Krebs

Sergei "Fly" Vovnenko, a Russo-Ukrainian cybercrook who stalked and harassed security journalist Brian Krebs -- at one point conspiring to get him arrested by sending him heroin via the Silk Road -- has been arrested. According to Krebs, Vovnenko was a prolific credit-card crook, specializing in dumps of stolen Italian credit-card numbers, and faces charges in Italy and the USA. Krebs documents how Vovnenko's identity came to light because he installed a keylogger on his own wife's computer, which subsequently leaked her real name, which led to him.

Read the rest

Researchers publish secret details of cops' phone-surveillance malware


Kaspersky Labs (Russia) and Citizen Lab (University of Toronto) have independently published details of phone-hacking tools sold to police departments worldwide by the Italian firm Hacking Team (here's Kaspersky's report and Citizen Lab's). The tools can be used to attack Android, Ios, Windows Mobile and Blackberry devices, with the most sophisticated attacks reserved for Android and Ios.

The spyware can covertly record sound, images and keystrokes, capture screenshots, and access the phones' storage and GPS. The tools are designed to detect attempts to search for them and to delete themselves without a trace if they sense that they are under attack.

Hacking Team insists that its tools are only sold to "democratic" police forces, but Citizen Lab's report suggests that the tool was used by the Saudi government to target dissidents.

The means of infection is device-specific. If police have physical access, it's simple. Android devices can be attacked by infecting a PC with a virus that installs the police malware when the device is connected to it. This attack also works on jailbroken Iphones.

Read the rest

Anti-forensic mobile OS gets your phone to lie for you

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the Cyanogenmod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that "lies" for you so that adversaries who coerce you into letting them take a copy of its data can't find out where you've been, who you've been talking to, or what you've been talking about.

I'm interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc -- all the things that are useful to have in daily use -- but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn't work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don't need to seize your phone in the first place.

Read the rest

US appeals court rules a warrant is required for cell phone location tracking

logo25

Big news in the fight for security and privacy in the US: the 11th Circuit Court of Appeals this week ruled that a warrant is required for cell phone location tracking.

Read the rest

Criminal website selling thousands of credit cards hijacked from PF Chang's diners


In an echo of the massive breach of credit-card numbers from Target, credit-card numbers from thousands of PF Chang's customers who used their cards at the restaurant between March and May 2014 are being sold on the criminal underground. Rescator, the criminal selling the PF Chang's customers' card, has branded his product "Ronald Reagan", and offers cards at different prices based on whether they're regular, gold or platinum cards.

Read the rest

Encrypt like a boss with the Email Self-Defense Guide


Libby writes, "Today the Free Software Foundation is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder. We're releasing it as part of Reset the Net, a global day of action to push back against the surveillance-industrial complex. The guide will get you encrypting your emails in under 30 minutes, and takes you all the way through sending and receiving your first encrypted email."

Email Self-Defense - a guide to fighting surveillance with GnuPG (Thanks, Libby!)

Hackers in Iran set up fake news websites in cyberattack on US

"An elaborate, three-year cyberespionage campaign against United States military contractors, members of Congress, diplomats, lobbyists and Washington-based journalists has been linked to hackers in Iran." The NYT's Nicole Perlroth has more from a report released this week by the Dallas computer security firm iSight Partners.

Massive theft of medical data in LA sparks new security moves

la-me-ln-county-data-encryption-20140527-001In Los Angeles, the theft of computers from a county contractor's office that contained personal data for over 342,000 patients has led to a call for tighter security.

Read the rest

US gov may block Chinese nationals from Defcon hacker event

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. Picture taken January 2, 2014. REUTERS/Edgar Su

The US government may use visa restrictions to ban hackers from China from participating in the 2014 Defcon hacker conference in Las Vegas. The move is part of a larger effort by the US to combat Chinese internet espionage.

Read the rest

Schneier: NSA's offense leaves Americans undefended

Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if they feel the need.

Read the rest

100 creeps busted in massive voyeurware sweep


More than 100 people around the world have been arrested in a coordinated sweep of RATers (people who deploy "remote access trojans" that let them spy on people through their computers cameras and mics, as well as capturing their keystrokes and files). The accused are said to have used the Blackshades trojan, which sold for $40 from bshades.eu, mostly for sexual exploitation of victims (though some were also accused of committing financial fraud).

A US District Court in Manhattan handed down indictments for Alex Yücel and Brendan Johnston, who are said to have operated bshades.eu. Yücel, a Swedish national, was arrested in Moldova and is awaiting extradition to the USA. Johnstone is alleged to have been employed by Yücel to market and support Blackshades.

Read the rest

Photo of NSA technicians sabotaging Cisco router prior to export


One of the Snowden documents published by Glenn Greenwald with the release of his new book is a photo showing an actual NSA Tailored Access Operations team sabotaging a Cisco router before it is exported, a practice reported earlier this week in a story Greenwald wrote for the Guardian.

The great irony is that this kind of sabotage is exactly the sort of thing that the USA has repeatedly accuse Chinese authorities of doing to Huawei routers, something for which we have no evidence. Unlike the photographic evidence we have here of the NSA doing this to a Cisco router.

Read the rest

Movie plot threat semifinalists announced

Bruce Schneier has announced the semifinalists in his seventh annual Movie-Plot Threat Contest, wherein contestants dream up implausible reasons to justify extreme surveillance and other lawless policing techniques like torture and indefinite detention. My favorite: Homeopathic Factoring, "The NSA, through the White House's Office of Faith Based and Community Initiatives formed a partnership with Zicam Digital to explore and exploit homeopathic techniques for advanced cryptanalysis."

Read the rest

Estonia's online voting system is horrifically insecure and can't be trusted

Jason Kitcat writes, "I'm currently in Tallinn, Estonia as part of a team of independent security and elections researchers sharing our findings that the Estonian online e-voting system has serious flaws. We monitored the e-voting system in live use as accredited observers during municipal elections in October 2013. Then, using the source code the Estonian National Election Committee publishes, a replica of the system was built at the University of Michigan."

Read the rest

16 year old Canadian arrested for over 30 "swattings"


A 16-year-old Canadian male has been arrested for calling in over 30 "swattings," bomb threats and other hoax calls to emergency services in North America. The young man is alleged to be the operator of @ProbablyOnion on Twitter, which had previously advertised swattings (sending SWAT teams to your enemies' homes by reporting phony hostage-takings there, advising police that someone matching your victim's description is on the scene, armed and out of control) as a service, and had bragged of swatting computer crime journalism Brian Krebs twice. Krebs had previously caught a kid who swatted him, and outed him to his father -- this may have made him a target for other swatters.

Read the rest

Forged certificates common in HTTPS sessions

In Analyzing Forged SSL Certificates in the Wild [PDF] a paper authored by researchers at CMU and Facebook, we learn that "a small but significant percentage" of HTTPS connections are made using forged certificates generated by adware and malware. Disturbingly, some of this malware may be working by attacking anti-virus software and stealing its keys, and the authors also speculate that anti-virus authors may be giving their keys out to governments in order to allow police to carry out man-in-the-middle attacks.

The researchers used a technique to detect forged-cert connections that has post-Heartbleed applications, since it would allow sites to discover whether their visitors are being man-in-the-middled through keys stolen before Heartbleed was widely known. This all points to a larger problem with HTTPS, which has been under increased scrutiny since Heartbleed, but whose defects were well understood within the security community for a long time. I co-wrote this editorial for Nature with Ben Laurie in 2012 describing a system called "Certificate Transparency" that makes it easier to audit and remediate problems with SSL certificates, which Google is now adding to Chrome.

Read the rest

Former NSA boss defends breaking computer security (in the name of national security)


For me, the most under-reported, under-appreciated element of the Snowden leaks is the BULLRUN/EDGEHILL program, through which the NSA and GCHQ spend $250,000,000/year sabotaging information security. In a great Wired story, Andy Greenberg analyzes former NSA chief Keith Alexander's defense of the stockpiling of vulnerabilities to attack "bad guys." There is no delusion more deadly than the idea that spies will make us more secure by weakening our computers' security to make it easier to spy on us.

Read the rest

Tor: network security for domestic abuse survivors


Michael from Beta Boston writes, "The privacy protections offered by tools like Tor aren't just for journalists and spies; they're important for everyone. Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that, and we took a long look at the work cut out for them."

This is an important point: when you make it so that no one can keep secrets from the state and its enforcement arm, you also make it so that no one can keep secrets from crooks, thugs, stalkers, and every other kind of bad guy.

Read the rest

Kids are mostly sexually solicited online by classmates, peers, teens

The respected Crimes Against Children Research Center reports that one in seven children is sexually exploited online. This figure is both credible and alarming. But the context is vital: as danah boyd writes, the average predator isn't a twisted older man trawling for kids; rather, "most children are sexually solicited by their classmates, peers, or young adults just a few years older than they are."

Now, it's absolutely possible for a child to sexually exploit another child, so this isn't to minimize the potential harm to kids. But for so long as we model the threat to kids as being weird, strange grownups, rather than the young people they know and see every day, we will fail to prepare them to comport themselves wisely and safely.

Read the rest

Obama administration proves why we need someone to leak CIA Torture Report

image: Reuters


image: Reuters

It’s now been over a month since the Senate Intelligence Committee voted to force the Obama administration to declassify parts of the Committee’s landmark report on CIA torture, and the public still has not seen a word of the 6,000 page investigation.

Read the rest

Hacking the hospital: medical devices have terrible default security


Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago's Thotcon, "Just What The Doctor Ordered?" is a terrifying tour through the disastrous state of medical device security.

Wired's Kim Zetter summarizes Erven's research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in their codebase (as was the case with the disastrous Heartbleed vulnerability), but rather these are incredibly stupid, incredibly easy to discover mistakes, such as hardcoded easy default passwords. For example: surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.

The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks -- or to withhold them when needed. Doctors' instructions to administer therapies can be intercepted and replayed, adding them to other patients' records. You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee's laptop with a trojan, you can roam free. You can change CT scanner parameters and cause them to over-irradiate patients.

The one bright spot is that anaesthesia and ventilators are not generally networked and are more secure.

Read the rest

Marshall Islands sues 9 nuclear powers, including US and Russia, over failure to disarm nuclear stockpiles

The Castle Bravo nuclear test on Bikini Atoll, Marshall Islands. A 15-megaton device equivalent to 1,000 Hiroshima blasts was detonated in 1954. Photograph: US Air Force - digital version


The Castle Bravo nuclear test on Bikini Atoll, Marshall Islands. A 15-megaton device equivalent to 1,000 Hiroshima blasts was detonated in 1954. Photograph: US Air Force - digital version

The Marshall Islands is suing the nine known nations with nuclear weapons at the international court of justice at The Hague, over charges they have violated their legal obligation to disarm under the 1968 nuclear non-proliferation treaty (NPT). From the Guardian:

In the unprecedented legal action, comprising nine separate cases brought before the ICJ on Thursday, the Republic of the Marshall Islands accuses the nuclear weapons states of a "flagrant denial of human justice". It argues it is justified in taking the action because of the harm it suffered as a result of the nuclear arms race. The Pacific chain of islands, including Bikini Atoll and Enewetak, was the site of 67 nuclear tests from 1946 to 1958, including the "Bravo shot", a 15-megaton device equivalent to a thousand Hiroshima blasts, detonated in 1954. The Marshallese islanders say they have been suffering serious health and environmental effects ever since.
Named in the lawsuit are the United States, Russia, China, France, the United Kingdom, India, Pakistan, North Korea, and Israel, an undeclared nuclear weapons state.

Phone phreakers' anthem

Brad sez, "A few decades ago, phone phreaks spent all of their free time learning about the Bell telephone system and making free phone calls to each other. This song by Bonecage attempts to capture that era, and the footage for the video was contributed by phone phreaks (and ex-phone phreaks) around the world."

Eternal vigilance app for social networks: treating privacy vulnerabilities like other security risks

Social networking sites are Skinner boxes designed to train you to undervalue your privacy. Since all the compromising facts of your life add less than a dollar to the market-cap of the average social network, they all push to add more "sharing" by default, with the result that unless you devote your life to it, you're going to find your personal info shared ever-more-widely by G+, Facebook, Linkedin, and other "social" services.

Arvind Narayanan has proposed a solution to this problem: a two-part system through which privacy researchers publish a steady stream of updates about new privacy vulnerabilities introduced by the social networking companies (part one), and your computer sifts through these and presents you with a small subset of the alerts that pertain to you and your own network use.

Read the rest

US intel chief's insane new secrecy directive forbids intel employees from "unauthorized" contact with reporters


U.S. Director of National Intelligence James Clapper. (Kevin Lamarque/Reuters)

The US Director of National Intelligence has issued a Directive [PDF] that forbids most intelligence community employees from talking to journalists about “intelligence-related information” unless they have explicit authorization to do so.

Intelligence community employees “must obtain authorization for contacts with the media” on any intel-related matters, and “must also report… unplanned or unintentional contact with the media on covered matters,” according to the Directive signed by James Clapper.

Read the rest

HOPE X conference: Dissent in NYC


Emmanuel from 2600 writes, "It should come as no surprise that dissent is playing a prominent role at the HOPE X conference this July in New York. So many technological developments of late involve standing up to authority and questioning the status quo. Whether it's using social media to organize people into doing something worthwhile, exposing security holes in the face of threats and lawsuits, becoming a whistleblower by using the information and technology we have access to, or just getting the word out about the latest laws, restrictions, and threats to our freedom and privacy, a lot of what we talk about constitutes one form or another of dissent. And it feels pretty good and healthy to speak out and share knowledge."

Read the rest

Edward Snowden: "Vladimir Putin must be called to account on surveillance just like Obama"


Vladimir Putin during the nationwide phone-in in Moscow. Photograph: RIA Novosti/Reuters

Today's question-and-answer session on Russian TV between NSA whistleblower Edward Snowden and Russian President Vladimir Putin did not go as Snowden had hoped. "I questioned the Russian president live on TV to get his answer on the record, not to whitewash him," Snowden says in an op-blog in the Guardian:

Read the rest

Appeals court overturns conviction of Andrew “weev” Auernheimer in iPad hacking case


Andrew “Weev” Auernheimer, in 2012. Photo: pinguino.

Notorious hacker and troll weev was released from prison this evening. A federal appeals court today overturned his conviction in a case of significance for all security researchers.

Weev exposed a security flaw in AT&T's website and obtained the personal data of more than 100,000 iPad users. He was charged with violating the Computer Fraud and Abuse Act (CFAA), and sentenced to three and a half years in prison. Today's ruling says prosecutors did not have the right to charge him in a state where none of the alleged crimes occurred.

Read the rest