Archive for Cyber Security

Meet Hacking Team, the company that helps the police hack you

In 2001, a pair of Italian programmers wrote a program called Ettercap, a “comprehensive suite for man-in-the-middle attacks” — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone’s computer. Ettercap was free, open source, and quickly became the weapon of choice for analysts testing the security of their networks as well as hackers who wanted to spy on people. One user called it “sort of the Swiss army knife” of this type of hacking.

Ettercap was so powerful that its authors, ALoR and NaGA, eventually got a call from the Milan police department. But the cops didn’t want to bust the programmers for enabling hacker attacks. They wanted to use Ettercap to spy on citizens. Specifically, they wanted ALoR and NaGA to write a Windows driver that would enable them to listen in to a target’s Skype calls.

That’s how a small tech security consultancy ended up transforming into one of the first sellers of commercial hacking software to the police. ALoR’s real name is Alberto Ornaghi and NaGA is Marco Valleri. Their Milan-based company, Hacking Team, now has 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.”

via Meet Hacking Team, the company that helps the police hack you | The Verge.

Ed Snowden’s Email Provider, Lavabit, Shuts Down To Fight US Gov’t Intrusion

Early on in the Snowden leaks, it was revealed that Snowden himself was using email services from an operation called Lavabit, which offered extremely secure email. However, today Lavabit’s owner, Ladar Levison, shut down the service, claiming it was necessary to do so to avoid becoming “complicit in crimes against the American people.” Not much more information is given, other than announced plans to fight against the government in court. Reading between the lines, it seems rather obvious that Lavabit has been ordered to either disclose private information or grant access to its secure email accounts, and the company is taking a stand and shutting down the service while continuing the legal fight. It’s also clear that the court has a gag order on Levison, limiting what can be said.

via Ed Snowden’s Email Provider, Lavabit, Shuts Down To Fight US Gov’t Intrusion | Techdirt.

Now, if that weren’t enough, the Feds Threaten To Arrest Lavabit Founder For Shutting Down His Service, rather than agree to some mysterious court order.

Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.

Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government’s surveillance tool so that he could be located.

Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location.

Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.

The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location.

In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then “broadcast a very strong signal” to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden’s location.

To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list.

Rigmaiden makes the assertions in a 369-page document he filed in support of a motion to suppress evidence gathered through the stingray. Rigmaiden collected information about how the stingray worked from documents obtained from the government, as well as from records obtained through FOIA requests filed by civil liberties groups and from open-source literature.

via Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight | Threat Level | Wired.com.

Slaying the Java Beast

As you’ve probably heard by now, Java’s insecurity has been a vector for hackers to exploit and gain access to your computer through specially crafted malware that can hijack control over your machine. Even the Department of Homeland Security’s CERT team strongly recommends that consumers disable Java on their computers.

Removing Java from your computer entirely is one way to go, but many people need Java to run certain applications locally (which is fairly safe). The real problem lies in the browser plug-in itself, which leaves the door open for “bad guys” to enter your system.

So how does one go about ‘slamming the door’ on these Java beasts? Here’s what I suggest:

Step 1: Which version of Java are you running? The easiest way to find out is through the Java Control Panel. Start by bringing up the Windows Control Panel (in Windows XP and Windows 7, choose Start, Control Panel; in Windows 8, right-click in the lower-left corner of the screen and choose Control Panel). If you see a Java icon, click on it. If you don’t see a Java icon (or link), type Java in the search box in the upper-right corner. If you then see a Java icon, click on it.

Unfortunately, there’s a bug in at least one of the recent Java installers that keeps the Java icon from being displayed inside Windows Control Panel. If you can’t find the Java icon, go to C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin and double-click on the file called javacpl.exe. One way or another, you should now see the Java Control Panel.

Step 2: Update to the latest version of Java, version 7 update 11. In the Java Control Panel, under About, click the About button. The About Java dialog shows you the version number; if you’ve patched Java in the past few months, it’s likely Version 7 Update 9, 10, or 11. (Don’t be surprised if Java says that it’s set to update automatically, but doesn’t. I’ve seen that on several of my machines.) If you don’t have Java 7 Update 11, go to Java’s download site, and install the latest update. You have to restart your browser for the new Java version to kick in. Personally, I also reboot Windows.

Warning: Oracle, bless its pointed little pointy thingies, frequently tries to install additional garbage on your machine when you use its update site. Watch what you click.

Step 3: Disable the Java Runtime in all browsers. From the Java Control Panel, click or tap on the Security tab, then deselect the box marked Enable Java Content in the Browser. Click or tap OK, and restart your browsers (or better yet, reboot). From that point on, the Java Runtime should be disabled in all of your browsers, all of the time. To bring Java back, repeat the steps and select the box marked Enable Java Content in the Browser (the setting should, in fact, say “Enable Java Content in All of Your Browsers”).

Step 4: Turning off Java within each browser. In Internet Explorer 9 or 10, click on the gear icon in the upper-right corner and choose Manage Add-Ons. Scroll down to the bottom, under Oracle America, Inc., select each of the entries in turn; they’ll probably say “Java(tm) Plug-In SSV Helper” or some such. In the lower-right corner click the button marked Disable. Restart IE. At the bottom of the screen, you’ll see a notice that says, “The ‘Java(tm) Plug-In SSV Helper’ add-on from ‘Oracle America, Inc.’ is ready to use.” Click Don’t Enable. If you get a second notice about a Java add-on, click Don’t Enable on it, too. That should permanently disable Java Runtime in IE.

In any recent version of Firefox, click the Firefox tab in the upper-left corner and choose Add-Ons. You should see an add-on for Java(TM) Platform SE 7 U11. Click once on the entry, and click Disable. Restart Firefox.

In Chrome, type chrome://plugins in the address bar and press Enter. You should see an entry that says something like “Java (2 files) – Version: 10.7.2.11”. Click on that entry and click the link that says Disable. Restart Chrome.

Step 5: Testing. Make sure each browser is (or isn’t) running Java by pointing each of them at the Java test site. If you go to that site using Google Chrome, there better be a big yellow band at the top of your screen asking permission to run Java just this once.

Disabling Java in your browsers may seem like a real pain in the rump, but it is something that absolutely everyone must take seriously. Do it now!


Silent Circle: Mike Janke’s iPhone app makes encryption easy, governments nervous.

Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project—a surveillance-resistant communications platform that makes complex encryption so simple your grandma can use it.

This week, after more than two years of preparation, the finished product has hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications—text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.

The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user—a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.

Silent Circle began as an idea Janke had after spending 12 years working for the U.S. military and later as a security contractor. When traveling overseas, he realized that there was no easy-to-use, trustworthy encrypted communications provider available to keep in touch with family back home. Cellphone calls, text messages, and emails sent over the likes of Hotmail and Gmail can just be “pulled right out of the air,” according to Janke, and he didn’t think the few commercial services offering encryption—like Skype and Hushmail—were secure enough. He was also made uneasy by reports about increased government snooping on communications. “It offended what I thought were my God-given rights—to be able to have a free conversation,” Janke says. “And so I began on this quest to find something to solve it.”

via Silent Circle: Mike Janke’s iPhone app makes encryption easy, governments nervous. – Slate Magazine.

With Plan X, Pentagon seeks to spread U.S. military might to cyberspace

The Pentagon is turning to the private sector, universities and even computer-game companies as part of an ambitious effort to develop technologies to improve its cyberwarfare capabilities, launch effective attacks and withstand the likely retaliation.

The previously unreported effort, which its authors have dubbed Plan X, marks a new phase in the nation’s fledgling military operations in cyberspace, which have focused more on protecting the Defense Department’s computer systems than on disrupting or destroying those of enemies.

Plan X is a project of the Defense Advanced Research Projects Agency, a Pentagon division that focuses on experimental efforts and has a key role in harnessing computing power to help the military wage war more effectively.

“If they can do it, it’s a really big deal,” said Herbert S. Lin, a cybersecurity expert with the National Research Council of the National Academies. “If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”

Cyberwarfare conjures images of smoking servers, downed electrical systems and exploding industrial plants, but military officials say cyberweapons are unlikely to be used on their own. Instead, they would support conventional attacks, by blinding an enemy to an impending airstrike, for example, or disabling a foe’s communications system during battle.

The five-year, $110 million research program will begin seeking proposals this summer. Among the goals will be the creation of an advanced map that details the entirety of cyberspace — a global domain that includes tens of billions of computers and other devices — and updates itself continuously. Such a map would help commanders identify targets and disable them using computer code delivered through the Internet or other means.

Another goal is the creation of a robust operating system capable of launching attacks and surviving counterattacks. Officials say this would be the cyberspace equivalent of an armored tank; they compare existing computer operating systems to sport-utility vehicles — well suited to peaceful highways but too vulnerable to work on battlefields.

The architects of Plan X also hope to develop systems that could give commanders the ability to carry out speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code — a process considered much too slow.

via With Plan X, Pentagon seeks to spread U.S. military might to cyberspace – The Washington Post.

Boots on the ground: Obama’s cybersecurity directive could allow military deployment within the US

Lawyers with the Electronic Privacy Information Center (EPIC) have filed a Freedom of Information Act (FOIA) request with the office of US President Barack Obama in hopes of hearing more about an elusive order signed in secrecy in mid-October but only made public in an article published this week in the Washington Post.

According to persons close to the White House who have seen the order and spoke with the Post, Presidential Policy Directive 20 (PP20) aims to “finalize new rules of engagement that would guide commanders when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.” Attorneys with EPIC are now demanding to see this secret order to find out what exactly that could mean, citing the possibility of putting boots on the ground in the United States if the government argues it’s imperative for cybersecurity.

In the FOIA request, EPIC attorneys Amie Stepanovich and Ginger McCall ask to see information about PP20 because they fear it may enable “military deployment within the United States” by way of a “secret law” that lets the National Security Agency and Pentagon put armed forces in charge of protecting America’s cyberinfrastructure and crucial routes of communications.

“We don’t know what’s in this policy directive and we feel the American public has the right to know,” McCall tells Raw Story this week.

On her part, Stepanovich adds that getting to the truth of the matter could be a nightmare given the NSA’s tendency to keep these sorts of things secret.

“The NSA’s cyber security operations have been kept very, very secret, and because of that it has been impossible for the public to react to them,” Stepanovich adds. “That makes it very difficult, we believe, for Congress to legislate in this area. It’s in the public’s best interest, from a knowledge perspective and from a legislative perspective, to be made aware of what authority the NSA is being given.”

The potential of martial law became a topic actually discussed by Congress last year when lawmakers first considered provisions for this year’s National Defense Authorization Act, or NDAA. Before the House and Senate agreed on including a section to the law letting the White House arrest and detain any US citizen indefinitely without trial or charge, another provision was almost put on the books that would have essentially allowed for military rule during some situations.

The NDAA’s S. 1867 would “basically say in law for the first time that the homeland is part of the battlefield,” Sen. Lindsey Graham (R-S.C.), a supporter of the bill, said last year.

via Boots on the ground: Obama’s cybersecurity directive could allow military deployment within the US — RT.

Data Mining Firms Admit to Legislators That Personal Info is Collected from Social Networks Then Sold

The data mining industry is booming with no signs of slowing down thanks to increasing integration with other systems like facial recognition and an increasing reluctance to comply with any and all requests from users to maintain privacy.

Now a group of the largest data mining companies admitted to a bipartisan body of legislators in the House that they indeed mine social networks like Facebook for personal information which they then sell to third parties for advertising and “other purposes,” according to Hillicon Valley.

The admission came after Reps. Edward Markey and Joe Barton along with others “sent letters to nine major data brokerage companies asking how they collect, assemble and sell consumer information to third parties.”

Harte-Hanks, one of the firms that responded to the letters, claimed that it only collects information “in accordance with [the social networking sites’] terms of service, and as authorized by the users.”

Similarly, Intelius stated that they only gather publicly available information like “screen names, website addresses, professional history, and interests.”

Other companies responding to the legislators’ letters said that they indeed collect and sell personal information but they don’t actually mine the data from social networking sites.

via Data Mining Firms Admit to Legislators That Personal Info is Collected from Social Networks Then Sold | Wake Up World.

Inside the Mind of a Hacker

Poteet, chief security officer at AppDefense, is the type of hacker commonly referred to as a white-hat hacker or security researcher—someone who digs for system holes to point out where trouble could occur. Black-hat hackers are just the opposite—people who try to gain access to systems and the data on them for nefarious purposes. In the past, most hackers were in it for fun or for bragging rights.

Now, black hats are selling exploits for tens of thousands of dollars as the malware industry capitalizes on flaws to capture passwords, credentials for banking sites and personal information for identity theft and financial fraud.

Learning how black-hat hackers think, what they’re looking for and how they get it should be a fundamental part of any company’s security strategy.

eWeek: Inside the Mind of a Hacker

Cyber Attack Hits Pentagon

(WASHINGTON)—The Defense Department took as many as 1,500 computers offline because of a cyber attack, Pentagon officials said Thursday.

Few details were released about the attack, which happened Wednesday, but Defense Secretary Robert Gates said the computer systems would be working again soon.

Gates said the Pentagon sees hundreds of attacks a day, and this one had no adverse impact on department operations. Employees whose computers were affected could still use their handheld BlackBerrys.

During a press briefing Gates said: “We obviously have redundant systems in place. … There will be some administrative disruptions and personal inconveniences.”

Cyber Attack Hits Pentagon | TIME

Intelsat Satellite over Indian Ocean hacked

The Tamil Tigers in Sri Lanka have been hacking the Intelsat satellite that hangs over the Indian Ocean to transmit propaganda. Intelsat is trying very hard to figure out how they did it, and then to keep them from doing it again.

Adding to the idea that no system is safe, Intelsat is on the hook today to protect its in-orbit systems from being hacked to transmit propaganda. In the world of cyber warfare, the ability of the Tamil Tigers to hack Intelsat is something that people who plan for or otherwise work in long-range global telecommunications need to be thinking about. Intelsat issued a tersely worded statement today about the ongoing problem:

“Intelsat does not tolerate terrorists operating illegally on its satellites. Since we first learned of the LTTE’s signal piracy, we have been actively pursuing a number of technical alternatives to halt the transmissions. We are clear in our resolve to ending this terrorist organisation’s unauthorised use of our satellite,” Intelsat, the world’s largest provider of fixed satellite services, said in a statement. Source: Daily News

This is not the first time that this kind of thing has happened, either: in 2002 Falun Gong hacked AsiaSat to broadcast its propaganda as well, taking over the TV airwaves from the Chinese government so that it could spread its message using the system’s TV signal.

IToolbox Blogs / Dan Morril : Hack a Satellite while it is in orbit

AJAX Apps Ripe Targets for JavaScript Hijacking

from eWeek : AJAX Apps Ripe Targets for JavaScript Hijacking

Fortify Software has documented what the security firm is calling a “pervasive and critical” vulnerability in Web 2.0 applications—specifically, in the ability of an attacker to use a JavaScript vulnerability to steal critical data by emulating unsuspecting users.

The vulnerability—which allows an exploit called JavaScript Hijacking—can be found in the biggest AJAX frameworks out there, including three server-integrated toolkits: Microsoft ASP.Net AJAX (aka Atlas), Google Web Toolkit and xajax—the last of which is an open-source PHP-class library implementation of AJAX.

Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.

Of the AJAX frameworks and client-side libraries Fortify inspected, only DWR 2.0 (Direct Web Remoting 2.0) has mechanisms to prevent JavaScript Hijacking.
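The pattern Fortify describes, and the kind of protection DWR applies, as an added example that is not from the eWeek article or from any of the frameworks it names: a bare JSON array served to any GET request is itself a JavaScript expression, so a hostile page can load it with a `<script>` tag while the browser attaches the victim's cookies. The handler and function names, the `X-Requested-With` header convention and the `throw 1;` prefix are assumptions; DWR and later frameworks use their own variants of the same two checks.

```javascript
// Added example (not from the article or any framework it names): a bare
// JSON array served to plain GET requests is a JavaScript expression, so a
// hostile page can load it with <script src=...> and the browser attaches
// the victim's cookies. Request/response objects are modelled inline so this
// runs offline without a web server.

// Constructed sample data standing in for per-user private records.
const CONTACTS = [{ name: 'Alice', email: 'alice@example.com' }];

// Vulnerable handler: any request carrying a session cookie gets the array.
function vulnerableHandler(req) {
  if (!req.cookies.session) return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(CONTACTS) };
}

// Mitigation 1: prefix the body so that executing it as a script throws
// before any data is produced; the same-origin client strips it first.
// The prefix string is an assumption; DWR-style frameworks use their own.
const PREFIX = 'throw 1;\n';
function prefixOnlyHandler(req) {
  if (!req.cookies.session) return { status: 401, body: '' };
  return { status: 200, body: PREFIX + JSON.stringify(CONTACTS) };
}

// Mitigation 2 (defence in depth): require a header that a cross-site
// <script> tag cannot send. Only same-origin XMLHttpRequest code can add it.
function hardenedHandler(req) {
  if (!req.cookies.session) return { status: 401, body: '' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return prefixOnlyHandler(req);
}

// Legitimate same-origin client: XHR may set headers and reads the raw text,
// so it removes the prefix (if present) and parses the remainder as JSON.
function legitimateClient(handler) {
  const res = handler({
    cookies: { session: 'victim' },
    headers: { 'x-requested-with': 'XMLHttpRequest' },
  });
  if (res.status !== 200) return null;
  const text = res.body.startsWith(PREFIX) ? res.body.slice(PREFIX.length) : res.body;
  return JSON.parse(text);
}

// Cross-site <script src=...> load: the browser sends the cookie, cannot add
// custom headers, and executes whatever comes back as JavaScript. Indirect
// eval stands in for that execution; its completion value is what the
// hosting page could observe (via overridden Array/Object hooks in the
// browsers of the time), so a non-null result means the data leaked.
function scriptTagLoad(handler) {
  const res = handler({ cookies: { session: 'victim' }, headers: {} });
  if (res.status !== 200) {
    return { leaked: null, reason: 'rejected with status ' + res.status };
  }
  try {
    return { leaked: (0, eval)(res.body), reason: 'body ran as a script' };
  } catch (e) {
    return { leaked: null, reason: 'script threw before yielding data' };
  }
}

// Walk-through: only the vulnerable handler leaks to the cross-site load,
// while the same-origin client works against all three.
for (const h of [vulnerableHandler, prefixOnlyHandler, hardenedHandler]) {
  console.log(h.name, 'client:', JSON.stringify(legitimateClient(h)),
              'script tag:', scriptTagLoad(h).reason);
}
```

The same check applies to any endpoint whose response is a valid JavaScript program; a top-level JSON object (`{...}`) parses as a block and fails on its own, which is why bare arrays were the hijackable case.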

ANI Zero Day Takes New Turns to the Uber-Nasty

Security Watch – Exploits and Attacks – ANI Zero Day Takes New Turns to the Uber-Nasty

If you’re reading this with Internet Explorer on a Windows machine, don’t. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination.

Proof-of-concept code for the attack was released after business hours on Friday, according to SANS.

Blocking .ani files won’t help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs.

Microsoft today posted security advisory 935423 about the exploit. Here’s the full list of vulnerable systems:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista
