Archive for Cyber Security

Charting Hacker Hangouts From BBS To Slack

Where have all the grey hat hacker forums gone?

Grey hats were always a valuable part of the hacker community. They may sometimes cross ethical lines, but unlike black hats they’re in it to learn, not to make money. A black hat might intend to steal credit cards and resell them online. A grey hat is just interested in smart new ways to gain network access.

Back in the day, before you could buy Hacking for Dummies at your local Indigo store, even basic hacking knowledge was a valuable commodity. There were places online where grey hats would hang out and trade it. They were forums dedicated to the pursuit of knowledge, where the more advanced would mentor newcomers in the finer arts of system manipulation. They were places like The Works BBS.

The Works was a bulletin board system that started purely as an exchange board for text files, but which eventually allowed tech enthusiasts to talk to each other. It was here that Chris Wysopal, SecTor speaker and co-founder of l0pht, met his crew.

“I met the soon-to-be l0pht people there and cDC [Cult of the Dead Cow] folks there. It was a real community. It morphed into the 2600 meetup community where we would meet up once a month in Cambridge, then later Boston,” he says.

Early hacker BBSs had their faults. They only had so many connections, meaning that participants might find themselves dialing a telephone number several times as they competed for time on a host machine. Despite that, the BBS movement had its cultural advantages.

“The early hacking BBSs were more of a tight-knit community because they were area code-based,” says Wysopal. “It cost money to make long-distance calls, but most people had unlimited plans for local numbers. Phreakers could call long distance for free, but they still would hang out at a local BBS with their community. People used to call their neck of hackerdom by the area code. I was a 617er. NYC folks were 212s. A famous early band of hackers was the 414s.”

Brian Bourne, co-founder of SecTor, spent a lot of time on BBSs in the early days. They were often invitation-only, and were therefore a haven for grey hats eager to exchange ideas, he says. Then, there was Internet Relay Chat (IRC).

“Law enforcement had no idea what a BBS was, never mind IRC! So even though IRC channels were a bit harder to police membership and keep unknown folks out, we would share ideas with impunity,” he says.

Full article at source: https://sector.ca/charting-hacker-hangouts-from-bbs-to-slack/

‘The nail in the coffin’: Russia’s top cyber-firm may have made a ‘catastrophic’ mistake

Investigators believe that software from Russia’s top cybersecurity firm, Kaspersky Lab, was involved in a theft of top secret National Security Agency intelligence outlining how the US hacks its adversaries, The Wall Street Journal reported Thursday.

And depending on what was stolen, the breach could spell catastrophe for the company.

According to the Journal, an NSA contractor stole and downloaded onto his personal computer highly classified details about how the US penetrates foreign computer networks and defends itself against cyberattacks. (The Washington Post reported the person was not a contractor, but an employee working for the NSA’s elite hacking division known as Tailored Access Operations.)

Russian hackers then stole that intelligence by exploiting the Kaspersky antivirus software the contractor had been running on his computer.

The breach wasn’t discovered until spring 2016, according to the Journal and The Washington Post — nearly one year after the hackers are believed to have gained access to the intelligence.

Kaspersky has denied any involvement in the theft, and it is unclear whether the hackers stole code or documents from the contractor. The latter would prove far more damning for Kaspersky, experts say, especially as it stands accused by the US government of being a tool of the Kremlin.

“Ultimately, this will come down to what was stolen from the computer,” said David Kennedy, a former NSA intelligence analyst who founded the cybersecurity firm TrustedSec.

Source: http://www.msn.com/en-us/money/companies/the-nail-in-the-coffin-russias-top-cyber-firm-may-have-made-a-catastrophic-mistake/ar-AAsZZZY

New Evidence Links a 20-Year-Old Hack on the US Government to a Modern Attack Group

The artifacts they found on Hedges’ server provide an interesting look at the group’s early operations, showing how they improved their code and methods over time, if indeed they are the group now known as Turla.

“It’s almost like archaeology; you can see the evolution of tradecraft,” Rid told Motherboard. “There was a lot of handiwork involved. They didn’t really use automated command-and-control at the time; they actually had to log in and move data around [manually].”

The Moonlight Maze group stripped away components that didn’t work and combined tools that did to make them more potent. And unlike modern hacking operations that use a lot of automated scripts, the Moonlight Maze operators did everything in real time. They would log in to Hedges’ server in the morning and manually set up tasks to tell their malware what to do, which then got pushed out to all the infected machines on DoD and government networks that they controlled.

“This is hacking in the 90s, so it looks very different from what we’re used to in modern operations,” Guerrero-Saade said.

Source: New Evidence Links a 20-Year-Old Hack on the US Government to a Modern Attack Group – Motherboard

BitWhisper: Stealing data from non-networked computers using heat

No matter how secure you think a computer is, there’s always a vulnerability somewhere that a remote attacker can utilize if they’re determined enough. To reduce the chance of sensitive material being stolen, many government and industrial computer systems are not connected to outside networks. This practice is called air-gapping, but even that might not be enough. The Stuxnet worm from several years ago spread to isolated networks via USB flash drives, and now researchers at Ben Gurion University in Israel have shown that it’s possible to rig up two-way communication with an air-gapped computer via heat exchange.

Researchers call this technique of harvesting sensitive data “BitWhisper.” It was developed and tested in a standard office environment with two systems sitting side-by-side on a desk. One computer was connected to the Internet, while the other had no connectivity. This setup is common in office environments where employees are required to carry out sensitive tasks on the air-gapped computer while using the connected one for online activities.

BitWhisper does require some planning to properly execute. Both the connected and air-gapped machines need to be infected with specially designed malware. For the Internet box, that’s not really a problem, but even the air-gapped system can be infected via USB drives, supply chain attacks, and so on. Once both systems are infected, the secure machine without Internet access can be instructed to generate heating patterns by ramping up the CPU or GPU. The internet-connected computer sitting nearby can monitor temperature fluctuations using its internal sensors and interpret them as a data stream. Commands can also be sent from the Internet side to the air-gapped system via heat.
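The channel described above leaves a trace a defender can look for: a machine's temperature sensor swinging by several degrees on a fixed schedule that has nothing to do with its own workload. The following C program is an added example, not code from the Ben Gurion researchers or from the article; it builds a constructed one-sample-per-second temperature trace (normal idle noise followed by a square-wave heating pattern) and runs a simple periodicity heuristic over it. The thresholds, function names and the trace itself are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed trace: CPU temperature in degrees C, one sample per second.
 * Samples 0-59 are ordinary idle jitter; samples 60-119 contain a square
 * wave (10 s hot, 10 s cool) of the kind a thermal channel would impose. */
#define N_SAMPLES 120
double trace[N_SAMPLES];

void build_trace(void)
{
    for (int i = 0; i < N_SAMPLES; i++) {
        /* deterministic jitter in the range -0.3 .. +0.3 (constructed) */
        double noise = 0.15 * (double)((i * 7) % 5 - 2);
        double signal = 0.0;
        if (i >= 60 && (((i - 60) / 10) % 2) == 1)
            signal = 4.0;               /* neighbour is being driven hot */
        trace[i] = 40.0 + noise + signal;
    }
}

/* Heuristic (assumed thresholds): flag a window whose reading swings by at
 * least min_amp degrees AND crosses its own mean at nearly regular
 * intervals, which is the signature of deliberate on/off heating rather
 * than the irregular swings of normal load. max_cv bounds the coefficient
 * of variation of the crossing intervals (compared squared to avoid sqrt). */
int periodic_swing(const double *x, size_t n, double min_amp,
                   size_t min_crossings, double max_cv)
{
    double intervals[N_SAMPLES];
    if (n < 4 || n > N_SAMPLES) return 0;

    double lo = x[0], hi = x[0], sum = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (x[i] < lo) lo = x[i];
        if (x[i] > hi) hi = x[i];
        sum += x[i];
    }
    if (hi - lo < min_amp) return 0;   /* too small to be a signal */
    double mean = sum / (double)n;

    /* collect intervals between successive crossings of the window mean */
    size_t last = 0, count = 0;
    int have_last = 0;
    for (size_t i = 1; i < n; i++) {
        int prev_above = x[i - 1] > mean, cur_above = x[i] > mean;
        if (prev_above != cur_above) {
            if (have_last) intervals[count++] = (double)(i - last);
            last = i;
            have_last = 1;
        }
    }
    if (count == 0 || count + 1 < min_crossings) return 0;

    double m = 0.0, var = 0.0;
    for (size_t k = 0; k < count; k++) m += intervals[k];
    m /= (double)count;
    for (size_t k = 0; k < count; k++) var += (intervals[k] - m) * (intervals[k] - m);
    var /= (double)count;
    return var <= max_cv * max_cv * m * m;   /* cv = sqrt(var)/m <= max_cv */
}

/* Analyse one window of the constructed trace: 1 = suspicious, 0 = normal. */
int analyze(size_t start, size_t len)
{
    build_trace();
    if (start + len > N_SAMPLES) return 0;
    return periodic_swing(trace + start, len, 2.0, 4, 0.25);
}

int main(void)
{
    printf("idle window:    %s\n", analyze(0, 60) ? "suspicious" : "normal");
    printf("pattern window: %s\n", analyze(60, 60) ? "suspicious" : "normal");
    return 0;
}
```

The idle window is dismissed on amplitude alone (0.6 degrees of jitter), while the second window shows a 4-degree swing crossing its mean every 10 seconds with zero variation, so it is flagged. On a real host the same check would run over logged sensor readings and be correlated with the machine's own CPU load, since a heating pattern that the local scheduler cannot account for is the interesting case.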

via BitWhisper: Stealing data from non-networked computers using heat | ExtremeTech.

DARPA to hunt for space and time vulnerabilities of software algorithms

In the endless chess game of cybersecurity, the Defense Advanced Research Projects Agency wants to think a few moves ahead, with a new program that will search for revolutionary ways to deal with vulnerabilities inherent in software algorithms.

When defensive techniques close off one vulnerability, hackers inevitably move on to the next. They have exploited flawed implementations of algorithms for several years, the agency said, but as implementation defenses improve, hackers will move on to flaws in the algorithms themselves. So the agency’s Space/Time Analysis for Cybersecurity (STAC) program wants to identify vulnerabilities in software algorithms’ space and time resource usage, according to a presolicitation. These vulnerabilities, inherent to many types of software, can be used to carry out denial of service attacks or steal information.

For instance, hackers can deny service to users by inputting data that causes one part of a system to consume space and time to process that input—potentially disabling the entire system. Also, hackers indirectly observing the space and time characteristics of output could potentially deduce hidden information. Adversaries with adequate knowledge of these “side-channels” could then obtain secret information without direct observation.

The primary problem presented by these vulnerabilities is that they are inherent in algorithms themselves, DARPA said. Thus, they cannot be mitigated through traditional defensive techniques.

Instead, the STAC program is looking at new program analysis techniques that could allow analysts to find those vulnerabilities and predict where leaks and denial of service might be possible. These new techniques and tools would enable a methodical search for vulnerabilities in critical government, military and economic software.
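The side-channel half of what STAC is after can be seen in a single comparison routine. The following C program is an added example, not DARPA's or the article's code: it compares a constructed secret token against guesses with two routines, counting the bytes each examines as a deterministic stand-in for running time. The leaky routine's count tracks how much of the secret a guess got right, which is exactly the time characteristic the text describes; the constant-time routine's count depends only on the length. The token and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Leaky comparison: stops at the first byte that differs. The number of
 * bytes examined (our stand-in for running time) is the length of the
 * matching prefix plus one, so anyone who can time the check learns the
 * secret one byte at a time. */
int check_leaky(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: examines every byte whatever the data, folding
 * the differences together with OR. The work depends on n only, so the
 * same timing observation carries no information about the secret. */
int check_constant_time(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    return diff == 0;
}

/* Constructed secret token for the demonstration (assumption). */
#define SECRET_LEN 8
static const uint8_t SECRET[SECRET_LEN + 1] = "s3cr3t!!";

/* Bytes examined by the leaky check for a given 8-character guess. */
size_t leaky_steps(const char *guess)
{
    size_t steps;
    check_leaky(SECRET, (const uint8_t *)guess, SECRET_LEN, &steps);
    return steps;
}

/* Bytes examined by the constant-time check for the same guess. */
size_t constant_steps(const char *guess)
{
    size_t steps;
    check_constant_time(SECRET, (const uint8_t *)guess, SECRET_LEN, &steps);
    return steps;
}

/* Verdict of the constant-time check, which is what a service should use. */
int token_matches(const char *guess)
{
    size_t steps;
    return check_constant_time(SECRET, (const uint8_t *)guess, SECRET_LEN, &steps);
}

int main(void)
{
    const char *guesses[] = { "xxxxxxxx", "s3xxxxxx", "s3cr3t!x", "s3cr3t!!" };
    for (size_t g = 0; g < 4; g++)
        printf("guess %s  leaky steps=%zu  constant-time steps=%zu  match=%d\n",
               guesses[g], leaky_steps(guesses[g]), constant_steps(guesses[g]),
               token_matches(guesses[g]));
    return 0;
}
```

With real hardware the step count becomes a noisy wall-clock measurement, but repeated samples average the noise out, which is why the leaky form is treated as a vulnerability rather than a curiosity. Production code should call the platform's dedicated primitive (OpenSSL's CRYPTO_memcmp, for instance) rather than a hand-rolled loop, since an optimising compiler is free to reintroduce the early exit.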

via DARPA to hunt for space and time vulnerabilities of software algorithms — Defense Systems.

Heartbleed Bug SSL Vulnerability – Everything You Need To Know


So the Internet has been exploding this week due to the Heartbleed Bug in OpenSSL which affects a LOT of servers and websites and is being hailed by some as the worst vulnerability in the history of the Internet thus far.

The main info on the bug can be found at http://heartbleed.com/. In basic terms, it allows you to grab 64KB chunks of whatever is stored in RAM on the server as long as it’s using a vulnerable version of OpenSSL with Heartbeat enabled.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
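The memory disclosure comes from trusting a length field carried inside the heartbeat request. The following C model is an added example, not OpenSSL's code: it places a heartbeat-style record (a constructed layout of type byte, two-byte big-endian length and payload) at the front of a small memory arena with a constructed secret behind it, then shows the unchecked-length handler beside the bounds-checked form. The record layout, the secret string and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Modelled request layout (assumption): [type:1][payload_length:2 BE][payload] */
enum { HB_HDR_LEN = 3 };

/* Simulated process memory: the request sits at the front; whatever happens
 * to follow it in RAM (here a constructed secret) comes after. */
#define ARENA_LEN 128
static uint8_t arena[ARENA_LEN];

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Place a request whose real payload is the 5 bytes "hello" but whose length
 * field claims claimed_len, followed by secret data. Returns the number of
 * bytes that actually arrived on the wire. */
size_t build_request(uint16_t claimed_len)
{
    const char *payload = "hello";
    const char *secret = "SECRET-KEY-MATERIAL";   /* constructed */
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR_LEN, payload, 5);
    memcpy(arena + HB_HDR_LEN + 5, secret, strlen(secret));
    return HB_HDR_LEN + 5;
}

/* Vulnerable pattern: the echo length comes from the peer-controlled field
 * and is never compared with the number of bytes actually received, so the
 * copy walks past the request into adjacent memory. (Capped to the arena
 * here so the demonstration itself stays within defined behaviour.) */
size_t heartbeat_vulnerable(const uint8_t *req, size_t received, uint8_t *out, size_t out_cap)
{
    uint16_t len = read_be16(req + 1);
    (void)received;                               /* the bug: ignored */
    if (len > out_cap) len = (uint16_t)out_cap;
    if (HB_HDR_LEN + (size_t)len > ARENA_LEN) len = (uint16_t)(ARENA_LEN - HB_HDR_LEN);
    memcpy(out, req + HB_HDR_LEN, len);
    return len;
}

/* Fixed pattern: discard any request whose claimed length does not fit in
 * what was received, which is the shape of the upstream fix. */
size_t heartbeat_fixed(const uint8_t *req, size_t received, uint8_t *out, size_t out_cap)
{
    if (received < HB_HDR_LEN) return 0;
    uint16_t len = read_be16(req + 1);
    if (HB_HDR_LEN + (size_t)len > received) return 0;
    if (len > out_cap) return 0;
    memcpy(out, req + HB_HDR_LEN, len);
    return len;
}

/* Did the echoed bytes include part of the constructed secret? */
int leaks_secret(const uint8_t *out, size_t n)
{
    const char *marker = "SECRET";
    size_t m = strlen(marker);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, marker, m) == 0) return 1;
    return 0;
}

/* Run the vulnerable handler on one constructed request: 1 if it leaked. */
int vulnerable_leaks(uint16_t claimed_len)
{
    uint8_t out[256];
    size_t received = build_request(claimed_len);
    size_t n = heartbeat_vulnerable(arena, received, out, sizeof out);
    return leaks_secret(out, n);
}

/* Bytes the fixed handler echoes for the same request (0 = discarded). */
size_t fixed_echoes(uint16_t claimed_len)
{
    uint8_t out[256];
    size_t received = build_request(claimed_len);
    return heartbeat_fixed(arena, received, out, sizeof out);
}

int main(void)
{
    printf("claimed 40: vulnerable leaks=%d, fixed echoes=%zu bytes\n",
           vulnerable_leaks(40), fixed_echoes(40));
    printf("claimed 5:  vulnerable leaks=%d, fixed echoes=%zu bytes\n",
           vulnerable_leaks(5), fixed_echoes(5));
    return 0;
}
```

A claimed length of 40 against 8 received bytes makes the vulnerable handler echo the constructed secret, while the fixed handler discards the request; an honest length of 5 is served by both. In the real bug the two-byte field could claim up to 65535, which is where the 64KB figure comes from.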

Who needs the NSA when we have this eh?

via Heartbleed Bug SSL Vulnerability – Everything You Need To Know – Darknet – The Darkside.

For more visit Bruce Schneier’s blog: https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Surveillance by Algorithm


Increasingly, we are watched not by people but by algorithms. Amazon and Netflix track the books we buy and the movies we stream, and suggest other books and movies based on our habits. Google and Facebook watch what we do and what we say, and show us advertisements based on our behavior. Google even modifies our web search results based on our previous behavior. Smartphone navigation apps watch us as we drive, and update suggested route information based on traffic congestion. And the National Security Agency, of course, monitors our phone calls, emails and locations, then uses that information to try to identify terrorists.

Documents provided by Edward Snowden and revealed by the Guardian today show that the UK spy agency GCHQ, with help from the NSA, has been collecting millions of webcam images from innocent Yahoo users. And that speaks to a key distinction in the age of algorithmic surveillance: is it really okay for a computer to monitor you online, and for that data collection and analysis only to count as a potential privacy invasion when a person sees it? I say it’s not, and the latest Snowden leaks only make more clear how important this distinction is.

The robots-vs-spies divide is especially important as we decide what to do about NSA and GCHQ surveillance. The spy community and the Justice Department have reported back early on President Obama’s request for changing how the NSA “collects” your data, but the potential reforms — FBI monitoring, holding on to your phone records and more — still largely depend on what the meaning of “collects” is.

Indeed, ever since Snowden provided reporters with a trove of top secret documents, we’ve been subjected to all sorts of NSA word games. And the word “collect” has a very special definition, according to the Department of Defense (DoD). A 1982 procedures manual (pdf; page 15) says: “information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties.” And “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

Director of National Intelligence James Clapper likened the NSA’s accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. “So the task for us in the interest of preserving security and preserving civil liberties and privacy,” says Clapper, “is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.” Only when an individual book is read does it count as “collection,” in government parlance.

So, think of that friend of yours who has thousands of books in his house. According to the NSA, he’s not actually “collecting” books. He’s doing something else with them, and the only books he can claim to have “collected” are the ones he’s actually read.

This is why Clapper claims — to this day — that he didn’t lie in a Senate hearing when he replied “no” to this question: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”

via Schneier on Security: Surveillance by Algorithm.

State Department Announces New Stance on Encryption and Surveillance

Deputy Assistant Secretary Scott Busby acknowledged “support for encryption protocols,” which are “critical for an Internet that is truly open to all.” According to Busby, the U.S. government will gather and use data based on six principles: “rule of law, legitimate purpose, non-arbitrariness, competent authority, oversight, and transparency and democratic accountability.”

When questioned on its support, Busby explained that the principles were approved government-wide, including the Office of the Director of National Intelligence, which is headed by James Clapper. Clapper has been criticized for giving deceptive testimony before Congress about the National Security Agency’s (NSA) practices.

His statements were not without immediate criticism. A legislator from Hong Kong responded that the U.S. government actively “undermin[es] exactly the kind of things [Busby] talked about,” and that his government was “attacked and criticized” by the U.S. after NSA whistleblower Edward Snowden fled to Hong Kong.

Nevertheless, a representative from the human rights organization Access, which hosts RightsCon, explained at a press conference that the statement from the government is significant, because it is not only “a strong statement on support for cybersecurity and encryption,” but an affirmation of “human rights law which historically they’ve been loath to acknowledge,” and “the first time they recognize international norms and laws as they apply when conducting surveillance.”

As Jon Brodkin of ArsTechnica highlighted last year, the National Security Agency has previously worked to actively undermine encryption.

via State Department Announces New Stance on Encryption and Surveillance – Hit & Run : Reason.com.

Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU

Security researchers have successfully broken one of the most secure encryption algorithms, 4096-bit RSA, by listening – yes, with a microphone — to a computer as it decrypts some encrypted data. The attack is fairly simple and can be carried out with rudimentary hardware. The repercussions for the average computer user are minimal, but if you’re a secret agent, power user, or some other kind of encryption-using miscreant, you may want to reach for the Rammstein when decrypting your data.

This acoustic cryptanalysis, carried out by Daniel Genkin, Adi Shamir (who co-invented RSA), and Eran Tromer, uses what’s known as a side channel attack. A side channel is an attack vector that is non-direct and unconventional, and thus hasn’t been properly secured. For example, your pass code prevents me from directly attacking your phone — but if I could work out your pass code by looking at the greasy smudges on your screen, that would be a side channel attack. In this case, the security researchers listen to the high-pitched (10 to 150 kHz) sounds produced by your computer as it decrypts data.

This might sound crazy, but with the right hardware it’s actually not that hard. For a start, if you know exactly what frequency to listen out for, you can use low- and high-pass filters to ensure that you only have the sounds that emanate from your PC while the CPU decrypts data. (In case you were wondering, the acoustic signal is actually generated by the CPU’s voltage regulator, as it tries to maintain a constant voltage during wildly varied and bursty loads). Then, once you have the signal, it’s time for the hard bit: Actually making sense of it.

via Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU | ExtremeTech.

Teens Prep for Cyberwar

Computer-savvy teens are putting down their game controllers — at least temporarily — for code writing and virus-sweeping. Call it “Red Dawn: Part Deux: Teen Cyber-Commandos.”

At events like the CyberLympics, CyberPatriot contest or just-announced “Toaster Wars,” sponsored by the National Security Agency, high school geek squads are competing to see who does the best job at preventing unauthorized computer intrusions.

This growing interest in cyberdefense comes at a time when Pentagon officials are warning against damaging computer attacks from China and other nations, while stoking concerns that the United States education system hasn’t trained enough cyber-warriors to protect either military or civilian computer systems.

Utilities, power companies, tech firms, banks, Congress, universities and media organizations, all have faced suspected Chinese attacks in recent months.

“The threat has evolved so quickly,” said Diane Miller, Northrop Grumman’s director of information security and cyber initiatives. “It really has created a sense of urgency.”

The Pentagon and its defense contractors are behind these contests, which are designed to recruit kids to future careers in cyberdefense and IT security. The CyberPatriot contest, which is sponsored by the Air Force Association, has grown from eight high school squads in 2009 to more than 1,200 this year.

via Teens Prep for Cyberwar : Discovery News.

Inside the Effort to Crowdfund NSA-Proof Email and Chat Services

Back in 1999, Seattle-based activists formed the communication collective Riseup.net. The site’s email and chat services, among other tools, soon offered dissidents a means of encrypted communication essential to their work. Fourteen years later, Riseup is still going strong. In fact, they’ve been fighting the US state surveillance apparatus longer than most people have been aware of the NSA’s shenanigans. Now, the collective is hoping to expand, given the gross privacy transgressions of the NSA and US government as a whole.

“What surveillance really is, at its root, is a highly effective form of social control,” reads an August Riseup newsletter. “The knowledge of always being watched changes our behavior and stifles dissent. The inability to associate secretly means there is no longer any possibility for free association. The inability to whisper means there is no longer any speech that is truly free of coercion, real or implied. Most profoundly, pervasive surveillance threatens to eliminate the most vital element of both democracy and social movements: the mental space for people to form dissenting and unpopular views.”

The impetus behind the project is Riseup’s struggle to keep up with new user demand for an email service that doesn’t log IP addresses, sell data to third parties, or hand data over to the NSA. Riseup will also be able to expand its considerable anonymous emailing lists, which feature nearly 6 million subscribers spread across 14,000 lists. Their Virtual Private Network (VPN), which allows users to securely connect to the internet as a whole, will also be made more robust. What Riseup can’t do is offer its users an anonymous browsing experience, but that’s not their aim.

via Inside the Effort to Crowdfund NSA-Proof Email and Chat Services | Motherboard.

Meet Hacking Team, the company that helps the police hack you

In 2001, a pair of Italian programmers wrote a program called Ettercap, a “comprehensive suite for man-in-the-middle attacks” — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone’s computer. Ettercap was free, open source, and quickly became the weapon of choice for analysts testing the security of their networks as well as hackers who wanted to spy on people. One user called it “sort of the Swiss army knife” of this type of hacking.

Ettercap was so powerful that its authors, ALoR and NaGA, eventually got a call from the Milan police department. But the cops didn’t want to bust the programmers for enabling hacker attacks. They wanted to use Ettercap to spy on citizens. Specifically, they wanted ALoR and NaGA to write a Windows driver that would enable them to listen in to a target’s Skype calls.

That’s how a small tech security consultancy ended up transforming into one of the first sellers of commercial hacking software to the police. ALoR’s real name is Alberto Ornaghi and NaGA is Marco Valleri. Their Milan-based company, Hacking Team, now has 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.”

via Meet Hacking Team, the company that helps the police hack you | The Verge.

Ed Snowden’s Email Provider, Lavabit, Shuts Down To Fight US Gov’t Intrusion

Early on in the Snowden leaks, it was revealed that Snowden himself was using email services from an operation called Lavabit, which offered extremely secure email. However, today Lavabit’s owner, Ladar Levison, shut down the service, claiming it was necessary to do so to avoid becoming “complicit in crimes against the American people.” Not much more information is given, other than announced plans to fight against the government in court. Reading between the lines, it seems rather obvious that Lavabit has been ordered to either disclose private information or grant access to its secure email accounts, and the company is taking a stand and shutting down the service while continuing the legal fight. It’s also clear that the court has a gag order on Levison, limiting what can be said.

via Ed Snowden’s Email Provider, Lavabit, Shuts Down To Fight US Gov’t Intrusion | Techdirt.

Now, if that weren’t enough, the Feds Threaten To Arrest Lavabit Founder For Shutting Down His Service, rather than agree to some mysterious court order.