Friday Squid Blogging: Squid Worm Discovered

This squid-like worm -- Teuthidodrilus samae -- is new to science.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 29, 2013 at 4:15 PM • 53 Comments

Comments

Nick P • November 29, 2013 6:00 PM

[reposted for people who only look at new squid thread]

To all working on secure comms

Just found something cool I missed a while back. I've often said that govt makes two standards: a subverted one for us and a good version for them. The NSA's Type 1 systems are probably pretty good. They go by names such as FIREFLY, HAIPE, SCIP, custom ciphers, etc. SCIP, for instance, is their protocol for secure voice over a variety of mediums. They keep the details of most of this secret minus some leaks I've posted here on occasion. So...

NSA SCIP Specification Documents
https://www.iad.gov/SecurePhone/documents.cfm?j6lj7MLH01PpRDBuMa66UU7GyePn0P6PlX0BM7n0j5A=

Released in 2011, it gives you plenty of details on SCIP. They also have an analysis of applying it over IP. I wonder if this is accurate, usable information or tainted. So, I'm posting the link here for others' review, particularly those with crypto or wireless experience.

AC2 • November 29, 2013 8:42 PM

Sting op exposes social media manipulation by Indian politicians.

http://m.timesofindia.com/tech/social-media/Cyber-supari-Pay-an-online-fixer-demolish-a-reputation/articleshow/26544921.cms

Although doubts are being raised by the Opposition on the motivation of those who conducted it

http://m.timesofindia.com/india/Congs-dirty-tricks-department-behind-Cobrapost-sting-BJP/articleshow/26609746.cms

the ruling govt says it has confirmed fears re this.

http://m.timesofindia.com/india/Shinde-endorses-Cobrapost-expose-on-IT-companies/articleshow/26589491.cms

Footnote: It is election season in India...

Chromatix • November 30, 2013 6:01 AM

OpSec fail in an interesting (and karmic) way:

"Judge Murphy [...] points out additional evidence that despite their protestations to the contrary, Paul Hansmeier, John Steele, and Paul Duffy "are closely associated and acted in concert" to file the lawsuit in question. Not only do they originate from the same law firm, but they used the same login information on the court's electronic filing system."

Via Ars Technica: http://arstechnica.com/tech-policy/2013/11/unhappy-thanksgiving-for-prenda-law-ordered-to-pay-261k-to-defendants/

kashmarek • November 30, 2013 8:39 AM

On the surface, this has to be the worst idea that I can think of...ephemeral apps...

http://tech.slashdot.org/story/13/11/30/0240254/google-is-building-a-way-to-launch-chrome-apps-without-installation

For years, the industry has been railing against the former default ability of applications to be run from email messages & such, to stop marauding malware from executing on our computers. But, things like JavaScript and Java enabled apps have moved up to take the place of files with hidden links and code (though script enabled Microsoft Office files are still worrisome). Now, Google is bringing back a new level of potential computer malware infestation with this feature...??? This should prompt a whole new level of social engineering to get users to click the objects of dubious value (or ways to enable the features behind the scenes and embed access to such apps under the covers).

kashmarek • November 30, 2013 9:52 AM

Someone in the Slashdot post comments already tagged this: Chrome Apps as crapps, or craps as in the dice game, or as that other stuff (crap) as in crapping.

Jesse James • November 30, 2013 1:01 PM

Dutch intelligence agency AIVD hacks internet forums
http://www.nrc.nl/nieuws/2013/11/30/dutch-intelligence-agency-aivd-hacks-internet-fora/

A part of the article:
The Dutch intelligence service - AIVD - hacks internet web forums to collect the data of all users. The majority of these people are unknown to the intelligence services and are not specified as targets when the hacking and data-collection process starts. A secret document of former NSA-contractor Edward Snowden shows that the AIVD use a technology called Computer Network Exploitation – CNE – to hack the web forums and collect the data.

Last week NRC reported that the NSA has infected 50,000 computer networks worldwide with malicious software. According to Dutch law, the intelligence service is permitted to hack computers of people or organisations under suspicion. But the law is not prescriptive regarding sophisticated forms of computer espionage. These techniques allow the intelligence services to harvest, analyse and utilise computer data of a large group of people using web forums.


Jesse James • November 30, 2013 1:09 PM

BTW a propos the Computer Network Exploitation "technology" (technique?) utilized by the article about Dutch intelligence service (see my previous posting above).

The article discusses one of the Snowden documents linked to the article as follows:
The document summarizes a meeting held on February 14, 2013 between officials of the NSA and the Dutch intelligence services - AIVD and MIVD. During this meeting Dutch officials briefed their American counterparts on the way they target web forums with the CNE technique. “They acquire MySQL databases via CNE access”, the document reads.

Based on above it looks like MySQL DBs have some weakness that allow them to be exploited. The mechanism used for accessing the weakness is in the article referred to as both a "technology" and a "technique". I would suspect most likely it is a technique in any case.

Bottom line is, most MySQL DBs probably have this same weakness. Which means that many online shops are likely also vulnerable.

h4xx • November 30, 2013 2:43 PM

Snowden docs reveal US fed authorities already interested in political blackmail http://www.bbc.co.uk/news/technology-25118156

They are considering releasing the online sexual habits of "radicals" but we all know that means political blackmail of Washington elite who vote against their funding. You either support the growing surveillance state or find your entire private sexuality broadcast to the world. Looks like it's time for adult sites to up the game to TLS 1.2 and hire some crypto engineers as well.

NobodySpecial • November 30, 2013 4:17 PM

As possibly the only messages from an EMEA source to Americans that don't get you put on an MMB watchlist - these messages could be the perfect cover for secret messages

NobodySpecial • November 30, 2013 5:01 PM

The previous comment made (slightly) more sense before the preceding Nigerian Prince scam posting was removed !

NobodySpecial • November 30, 2013 5:07 PM

Although the point remains. A single email from an address in a targeted country to a handful of addresses in America is going to start wheels turning in the great intelligence hive mind. Especially if it is encrypted or contains phrases like "the eagle strikes at the heart of the great satan tonight"

But a spam email to a million Americans doesn't raise any suspicions and can hardly be used to create any links between the recipients.
In the worst case you have a few 1000 gullible idiots replying with offers to send you money!

Buck • November 30, 2013 9:14 PM

@Jesse James

See (for example) CVE-2012-2122:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Seems to me like a short lived/high returning plant if I ever smelled one...

Simultaneously mix in a CVE-2012-1823, add a dash of creativity (or an -s to view salts in source code), and let those hashes simmer! ;-)
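The return-value bug in the CVE text Buck quotes ("an improperly-checked return value" when an int comparison result is passed back through a one-byte boolean) is easy to model. The following is an added example, not code from this page, from MySQL or from MariaDB: `memcmp_wide` is a constructed stand-in for a comparison routine whose result is an arbitrary int rather than -1/0/1, `signed_char` models C's narrowing to an 8-bit type, and the three `check_token_*` functions show the vulnerable shape beside the two fixes a reviewer would ask for (normalise to 0/1 before narrowing; better, compare secrets in constant time). All names and the sample token are assumptions.

```python
import hmac


def signed_char(value: int) -> int:
    """Model C's narrowing of an int to a signed 8-bit char, which is what happens
    when an int comparison result is returned through a one-byte boolean type."""
    value &= 0xFF
    return value - 256 if value > 127 else value


def memcmp_wide(a: bytes, b: bytes) -> int:
    """Stand-in for a memcmp implementation whose result is any int, not just -1/0/1.
    Constructed for this example: a mismatch at byte index i is reported shifted into
    the i-th byte of the result, so a first mismatch at index 1 yields a multiple of
    256. Real optimized memcmp results are platform-specific."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return (x - y) << (8 * (i % 4))
    return len(a) - len(b)


def check_token_truncated(expected: bytes, received: bytes) -> bool:
    """Vulnerable pattern: the raw comparison result is returned through a one-byte
    boolean where 0 means 'match'. A result of 256 narrows to 0 and is accepted."""
    return signed_char(memcmp_wide(expected, received)) == 0


def check_token_fixed(expected: bytes, received: bytes) -> bool:
    """Fix 1: collapse the result to 0/1 before it is narrowed, so only a genuine
    zero result can ever read as 'match'."""
    equal = 1 if memcmp_wide(expected, received) == 0 else 0
    return signed_char(equal) == 1


def check_token_constant_time(expected: bytes, received: bytes) -> bool:
    """Fix 2 (what you want for authentication tokens): a constant-time comparison
    with a boolean result, so there is no data-dependent timing and no wide integer
    result to mishandle."""
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    # Constructed 20-byte token (SHA-1 sized, like the scramble in the CVE text) and
    # a wrong one that differs only at byte index 1.
    expected = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
    wrong = bytearray(expected)
    wrong[1] ^= 0x01
    wrong = bytes(wrong)
    return {
        "truncated_accepts_wrong": check_token_truncated(expected, wrong),
        "fixed_accepts_wrong": check_token_fixed(expected, wrong),
        "constant_time_accepts_wrong": check_token_constant_time(expected, wrong),
        "fixed_accepts_right": check_token_fixed(expected, expected),
    }


if __name__ == "__main__":
    print(demo())
```

The general lesson is that a comparison routine's integer result is a value to test, never a value to return as a boolean; the constant-time variant additionally removes the early-exit timing difference that a byte-by-byte compare introduces.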

Clive Robinson • December 1, 2013 4:53 AM

@ Nobodyspecial,

Yes that thought crossed my mind years ago, and I actually suggested to Bruce that such posts could be covert channels.

It led me on to think about ways to attack what are "air-gapped" electronic voting systems and further turn Google into a control channel for zombie nets and also how to decouple the return channel for malware data theft in a near untraceable way.

But have you read the BBC item @ h4xx posted?

You may remember that various "p0rn" pictures have (supposedly) been used as covert channels by various radical/terrorist organisations in the past, Osama Bin Laden being one reputed user to communicate this way to AQ seniors etc.

I guess they will need to switch to pictures/videos of "cute kitties/pets" or Uck boots or Simmey Choose footwear fakes on E-Bay now like ~90% of bored office workers ;-)

65535 • December 1, 2013 5:54 AM

@ Nick P
Your link indicates an un-trusted site by FF (self-signed cert or the like). Do you have another link?

@ h4xx
I wonder how many politicians got blackmailed. They would be very sensitive to that.

@ Jackson
The encryption systems in the USA are under CALEA law. It appears all public encryption systems must be able to be silently decrypted by the government. That law is dubious and outdated.

@ Buck and Jesse James
Ouch. More holes in MySQL. There is intrusion detection. But, is there an inexpensive MySQL/php/apache AV program that is effective?

Winter • December 1, 2013 6:02 AM

@65535
PostgreSQL is a better MySQL. However, I have no clue about its security profile.

Mike the goat • December 1, 2013 6:11 AM

65535: We were required in the early 90s to enable legal interception of the ISP I was NOC manager for *at our expense*. I think it is accurate to assume that any commercial service must allow the government access. I know we were given a deadline to comply. They insisted we use Cisco's proprietary LI protocol.

andyfletcher • December 1, 2013 11:04 AM

65535:

.. and would you trust the certificate if it was signed by a browser supported certification authority? In this case it appears to be for a different site but still self signed so there is a configuration problem anyway.

There is nothing wrong with having self signed certificates - the problem is the way browsers report this to the user.

Browsers should simply state the certificate is not signed by a browser root authority and the user should consider if this is an issue for this website. Instead they pump out all sorts of end-of-the-world type messages and scare the user.

The issue comes down to trust, I don't trust all the root issuers to control their keys properly and the way SSL works any root certification authority can sign any website.

Nick P • December 1, 2013 11:19 AM

@ 65535

Like I told figureitout, that's because the DOD's CAs aren't in most browsers and govt often changes domains/sites without updating them. And HTTPS only tells you about the origin: you're still vulnerable to attacks from web sites either way. Anyway, it's the real site far as I can tell. Open it sandboxed or in a VM if you like, then put the PDFs in persistent storage. (Foxit w/out scripts to open them.)

@ Winter

MySQL was made in 1994. Postgres was created in the mid 80's by Stonebraker, who also worked on Ingres. Postgres was doing useful DB work before SQL was invented, much less MySQL. ;) That time for maturity is one of the reasons it works so well.

Figureitout • December 1, 2013 11:51 AM

AC2
--Was on those forums last night! Interesting.

Just found the ticalc.org site, pretty neat community; sweet site. Kind of smacking myself for not realizing sooner I have a Z80 chip I've been using off and on since middle school. They also have some rand num gen programs (1 was made in 36 lines in asm).

Here's a link. Here's another. Here's the paper trying to be sold by ACM, on L'Ecuyer's algorithm. They give a strong warning and you should know it's not suitable for real security, I quote:

Most of the security of this method lies in the obscurity of the random number generator. Someone that has read this page (or someone from Texas Instruments) could break the code in a matter of seconds on a computer; and if they knew anything at all about the message, they could probably break the code with just a calculator.

Nonetheless, pretty neat to toy around with. Maybe write your own. Still a lot of holes in my knowledge of a PC, but these help.

NobodySpecial • December 1, 2013 4:47 PM

@Clive - Scene from "a very British coup" when the MI5 agent is reporting on surveillance of the new 'socialist' cabinet:
"4 crooks, 3 perverts, 2 poofs and a KGB agent - sounds like every cabinet since the war"

Dirk Praet • December 1, 2013 6:03 PM

@ Jesse James

Based on above it looks like MySQL DBs have some weakness that allow them to be exploited.

I kinda doubt that Anonymous were the first or only folks to indulge in SQL injection attacks and the like. There's plenty of tools and manuals out there. Try stuff like SQLNinja, SQLMap and FG Injector to name just a few.

name.withheld.for.obvious.reasons • December 1, 2013 7:06 PM

An earlier blog post, where I mentioned the use of collection data in new laws, this issue of using illegally acquired data seems to be permeating and infecting the minds of those in government. The Federation of American Scientists (FAS), Steven Aftergood, had posted a blog comment on their Secrecy Project site detailing (with continued evidence of the government using newspeak) that the ICs are not only looking at periodic re-evaluation of background checks but are also interested in "continuous monitoring". The blog also mentioned that this is part of "Insider Threat" program. When are they establishing the "The United States of America Government--is the Threat" program???
The article/blog is to be found here.

Shunra • December 1, 2013 7:26 PM

The story of the theft of this Seattle/VictoriaBC ferry is playing a four-part harmony on my outrage strings.

I mean: ok, unknown man shows up on a dock, walks into a boat, starts it on his own, and is only noticed by chance? In U.S. 2013, where boarding the ferry includes being sniffed by a dog (who deserves much better treatment than playing a role in two-bit(coin?) security theater) and working for the gov't involves going through the motions of pretend-clearance?
And a vehicle that is generally used for international travel?

And the low-key media response: does it imply that we have ruled out One Specific ReligionTM for the suspect?

Trying to make this story make sense is giving me a headache, because I keep running into walls of "but if they actually cared about security" and bouncing off into "security? what security? a person could steal the dock from under their feet!"

Buck • December 1, 2013 9:31 PM

@h4xx

Well that would be an incredible feat of parallel construction! How would one go about convincing the peers of a so called "radical" that dragnet internet surveillance (brought to you by the U/N.S.A) is a reliable source of information...

Am I the only one with the impression that the top-secret classified definition of "terrorists" is in fact "political enemies"..?

inquisitiveraven • December 2, 2013 12:16 AM

Oh my, a comment that's actually about the OP. Did you not notice that the squid worm story was dated November 2010? In fact, PZ Myers had a post about it at the time.

Now, on a security related front, have you ever written anything about security theater at train stations? It's on my mind after traveling between Philadelphia 30th St. and Boston Back Bay stations over the Thanksgiving holiday, and 30th Street Station engages in quite visible security theater, while Back Bay apparently can't be bothered.

Figureitout • December 2, 2013 12:40 AM

Anura
--Yeah, was going to post that. Binary 0...that's what we'd be, nullified. I got shudders asking some people how close we came to nuclear annihilation. How we've made it this long w/o blowing up the planet is some kind of miracle to me.

inquisitiveraven
--Looks like 3-4 times.

Bryan • December 2, 2013 2:12 PM

Proof of concept audio networking. 65 feet for air-gapped ultrasonic communications. They only managed 20 bits per second, but that's enough for most keyboard input.

http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/

"In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network," one of the authors, Michael Hanspach, wrote in an e-mail. "Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other. We also propose some countermeasures against participation in a covert network."

Looks like it is time for hardware switches on speakers and microphones. Adding in a low pass filter with a 15kHz chop off would also be good.

Clive Robinson • December 2, 2013 8:50 PM

@ Bruce,

I see you've put your next book "Carry On" up on the side bar today.

Having read the blurb one word stands out "Anthology"...

Is the book just a collection of your other published writings and Blog entries or is it "further expanded" to provide other commentary, viewpoints and hindsight etc ?

Clive Robinson • December 2, 2013 9:30 PM

@ Bryan,

With regards the ARS article, I followed the links to the original paper and it's a bit suspicious in places.

The main thing of note is the lack of range (~20m) if you read the paper it gives a diagram of the physical setup and then mentions it went from fully working to fully failed when they extended the range out just another metre...

Such a sudden change over a 4% increase in range suggests it's not a range limit but something else such as say multipath issues, or reflections from the end wall in the corridor getting back to the mic before the full data packet had been received, or the error correction failing hard for some reason.

Also I don't think the DS-FH system used is actually a sensible choice for a couple of reasons.

Firstly DS systems are usually used where in-band interference is likely to be significant (such as CDMA based systems). From experiments I did years ago the 15-25KHz audio band tended to be fairly quiet inside buildings (though that might have changed with SM-PSU and low energy lighting tech etc), the most prominent noise being from the LOPT in VDUs singing away at the video line frequency (15.625KHz or higher for UK).

Secondly, the significant amount of FFT computation required per recovered bit of communications is extraordinary and would be fairly obvious in the "user response" area (often one of the first indicators of malware infection).

However that said it does prove what @ Robert T and myself were saying about the expected high frequency ability of the speakers and mics put in laptops. Which would also be true of Smart Phones where IT Sec is virtually non-existent...

Clive Robinson • December 2, 2013 9:50 PM

OFF Topic :

Something I missed the other day...

http://arstechnica.com/security/2013/11/new-linux-worm-targets-routers-cameras-internet-of-things-devices/

Whilst the worm should not be an issue for most Linux desktops/servers because the exploit used is over 18 months old, the same is not true for "Internet of Things" (IoT) devices or for that matter a number of smart phones. However, luckily so far the worm is only targeting Intel x86 architectures, even though it appears there is code for ARM and other architectures.

As the author of the article mentions, IoT devices are, like many embedded systems, often not designed to be easily upgraded (if at all), thus unpatchable and as a consequence open to vulnerabilities long since fixed.

Figureitout • December 2, 2013 11:41 PM

Bruce
--I won't buy another book until you put out another "Applied Cryptography". That's probably not happening (nor what you want to hear) so I'll just "Carry On" and enjoy my copy. You should really not be writing books and lead the charge on a more trustworthy internet b/c it's so nerve-wracking yet I'm totally isolated if I avoid it. Just a suggestion, live your life how you want of course.

Clive Robinson
like many embedded systems often not designed to be easily upgraded (if at all) thus unpatchable and as a consequence open to vulnerabilities long since fixed.
--Well, that's good in a sense b/c I've physically witnessed physical access to a machine and "updating" it w/ some malware. So long as the machine is tiny enough to not be worth it and shielded and physically protected that makes me very happy. So it's another security problem and I'll take the well engineered "non-upgradeable" computer over the pushed-out-the-door crap that has an update for a critical error every week. The upgrading takes place in the fab lab and all prior viruses are burned in the smelters.

Mike the goat • December 3, 2013 6:27 AM

Got an interesting bit of spam the other day that put a smile on my face - subject is "Are you dead or alive?" content continues:

"We are writhing to know if it's true that you are DEAD? Because we received a notification from one MR. GERSHON SHAPIRO of USA stating that you are DEAD and that you have giving him the right to claim your funds.

He stated you died on a CAR accident. He has been calling us regarding this issue and he presented an account today to receive the funds on your behalf, but we cannot proceed with him until we confirm this by hearing from you on or before 7days. The account which he forward to us as follow.

Bank of America"

This has to be one of the most ridiculous I have seen in a while.

Clive Robinson • December 3, 2013 5:11 PM

OFF Topic :

It would appear that last year's outbreak of the deadly but silent bird flu H7N9 has started up again.

H7N9 is "silent" because it causes few if any signs in the avian (usually domestic fowl) hosts and is transmissible to humans by direct contact with an infected avian host. It is also avian to avian transmissible and thus it's possible it might move from domesticated fowl to wild birds and thus travel fairly quickly.

http://www.newscientist.com/article/dn24690-hong-kong-gets-its-first-case-of-deadly-h7n9-bird-flu.html

Nick P • December 3, 2013 9:45 PM

@ Clive Robinson

"drop any thoughts you have on "stochastic forensics" over on the current Squid."

Darn, it looks like I need to do a paper update and get all of those from recent BlackHat/DEFCON. My PDF reader is glitching for some reason (e.g. it's Linux) so I read a shorter paper instead of Black Hat. If I'm understanding it correctly, it boils down to these points:

1. Forensics is based on looking at "artifacts" to determine what happened.

2. File copying under windows doesn't update the access field, hence leaving no artifact to show exfiltration.

3. Clever contribution in paper notices copying has side effect of doing observable things to filesystem.

4. Analysis of such things can be used to show a data copy occurred.

Well, first I'll say it was a very clever, neat trick. They now have something to go on if someone is using a basic copy operation.

My gripe, though, is that the whole thing about artifacts is misleading. If the copying left detectable changes, then those *are* artifacts. They just require analysis to produce something useful from. This isn't much different than looking at artifacts at a crime scene to piece together, often indirectly, a story about what happened. I'm not an auditor but I figured the field already used indirect methods to identify computer crime. So, that anything other than the specific technique is a new idea to them surprises me.

So, now the technique is well known. What about an antiforensics to it? Copying each specific file individually should defeat the forensic that involves recursive directory access detection. If the files are local, one can use a forensic type LiveCD that can copy them without making any changes to the disc. If they're remote, they might be cached locally where the same thing could be done. If there's security software that removes them when done, one could load the files for viewing, kill the power on PC (simulating crash), copy with LiveCD, and then restart PC. If it's remote, it might take a bit of hacking.

(All this assumes the timestamps can't be changed. I used to be able to edit timestamps to cover tracks back in the day. I'm guessing that's not possible on current Windows boxes?)

Alternative detection. My really old method that solved many problems was using an append-only filesystem and trusted OS style tracking of user activity on system objects. This really old school solution can tell you as much or as little about user activity as you like, along with some automation by tools. Every copy's source and destination could be recorded when it happened. The system might even be configured to kill the transfer if it couldn't send an authenticated audit record to a management system.

The Poly2 architecture would make this even easier as it has separate data, admin and security networks. Security-relevant events (eg copy) would be sent through the security network to appropriate monitoring systems. The OS programmed to kill file operations if security network stops working. Regardless of architecture, the file system's integrity should be cryptographically protected to defeat LiveCD type attacks.

Thing about most data exfiltration is that one can prevent much of it by eliminating low hanging fruit and append-only logging of reads/copies can catch most of the rest.
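Nick P's detection side above (append-only logging of copies, with each audit record authenticated to a management system so a record that cannot be sent halts the transfer) can be sketched in a few lines. The following is an added example and not code from the page, from Poly2 or from any trusted-OS product: it keeps a log of copy events in which every record carries an HMAC over itself and the previous record's tag, so a verifier holding the key can tell if a record was removed, reordered or edited after the fact. The class and function names, the key and the three sample events are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

CHAIN_ANCHOR = b"\x00" * 32  # tag "before" the first record (assumed convention)


class CopyAuditLog:
    """Append-only log of file-copy events, HMAC-chained so that each record
    commits to everything logged before it (assumed design, not a product's)."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []            # list of (event_dict, tag_hex)
        self._prev = CHAIN_ANCHOR

    @staticmethod
    def canonical(event: dict) -> bytes:
        # Deterministic serialisation: key order and separators fixed, so the
        # verifier reproduces the exact bytes that were authenticated.
        return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

    def append(self, user: str, src: str, dst: str, ts: str) -> str:
        event = {"seq": len(self.records), "user": user, "src": src, "dst": dst, "ts": ts}
        tag = hmac.new(self._key, self._prev + self.canonical(event), hashlib.sha256).digest()
        self.records.append((event, tag.hex()))
        self._prev = tag
        return tag.hex()


def verify_chain(records, key: bytes):
    """Return None if the chain is intact, else the index of the first bad record.
    A missing record shows up as a sequence gap; an edited record, or one whose
    predecessor was removed, fails its tag because the chained input changed."""
    prev = CHAIN_ANCHOR
    for i, (event, tag_hex) in enumerate(records):
        if event.get("seq") != i:
            return i
        expect = hmac.new(key, prev + CopyAuditLog.canonical(event), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(tag_hex)):
            return i
        prev = expect
    return None


def demo() -> dict:
    key = b"constructed-demo-key-not-for-production"
    log = CopyAuditLog(key)
    # Constructed sample events: two copies to removable media and one local copy.
    log.append("alice", "/srv/projects/q4/plan.docx", "E:\\plan.docx", "2013-12-03T21:45:00Z")
    log.append("alice", "/srv/projects/q4/budget.xlsx", "E:\\budget.xlsx", "2013-12-03T21:45:07Z")
    log.append("bob", "/srv/hr/policy.pdf", "/home/bob/policy.pdf", "2013-12-03T22:01:13Z")

    intact = verify_chain(log.records, key)
    # Record 1 removed after the fact: record 2 now sits at index 1 with seq 2.
    with_gap = [r for i, r in enumerate(log.records) if i != 1]
    # Source path of record 0 rewritten: its tag no longer verifies.
    edited = copy.deepcopy(log.records)
    edited[0][0]["src"] = "/srv/public/readme.txt"
    return {
        "intact": intact,
        "record_removed": verify_chain(with_gap, key),
        "record_edited": verify_chain(edited, key),
    }


if __name__ == "__main__":
    print(demo())
```

The one thing a hash chain alone cannot show is truncation at the tail, which is why the management system in Nick P's description has to remember the last tag it received (and the host has to refuse the copy if the record was never acknowledged); with that, a log that stops short of the recorded tag is itself the artifact.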

Winter • December 4, 2013 12:58 AM

This was hot just a little time ago. Now there is a proof of concept: Infected computers communicating covertly using the on-board audio

On Covert Acoustical Mesh Networks in Air
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600

Abstract—Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via nearfield audio communications. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.
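Both Bryan's comment on the Ars story (hardware switches and a low-pass filter) and the countermeasures named at the end of this abstract (low-pass filtering, and a host-based intrusion detection system that analyses audio input and output for irregularities) come down to one measurable quantity: how much of a frame's energy sits in the near-ultrasonic band that speech and music never use. The following is an added example, not code from the page or from the paper's authors: it uses the Goertzel algorithm to measure the energy in an assumed 17-21 kHz band without a full FFT, compares it with the frame's total energy, and flags the frame when the ratio exceeds a threshold. The sample rate, band edges, threshold and the two constructed test frames (a speech-like mix of low tones, and the same mix with a quiet 18.5 kHz carrier added) are assumptions.

```python
import math

SAMPLE_RATE = 48_000        # Hz; typical laptop audio device (assumed)
BAND = (17_000, 21_000)     # near-ultrasonic band to watch, in Hz (assumed)
ALERT_RATIO = 1e-3          # fraction of frame energy inside BAND that raises an alert (assumed)


def goertzel_power(samples, k: int) -> float:
    """Squared magnitude |X[k]|^2 of a single DFT bin, computed in one pass."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_energy_ratio(samples, sample_rate=SAMPLE_RATE, band=BAND) -> float:
    """Fraction of the frame's energy inside `band`. By Parseval, summing |X[k]|^2
    over the band's bins (doubled for the mirror bins of a real signal) and dividing
    by N gives the band's share of sum(x^2)."""
    n = len(samples)
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0
    k_lo = math.ceil(band[0] * n / sample_rate)
    k_hi = math.floor(band[1] * n / sample_rate)
    in_band = sum(goertzel_power(samples, k) for k in range(k_lo, k_hi + 1))
    return (2.0 * in_band / n) / total


def is_suspicious(samples) -> bool:
    """Host-IDS style check: a frame whose near-ultrasonic share exceeds the threshold
    is reported. Speech, music and fan noise put almost nothing up there."""
    return band_energy_ratio(samples) > ALERT_RATIO


def synth(tones, n=2400, sample_rate=SAMPLE_RATE):
    """Constructed test frame: a sum of (frequency_hz, amplitude) sinusoids, 50 ms at 48 kHz."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


SPEECH_LIKE = [(300, 0.5), (1000, 0.3), (3000, 0.2)]
COVERT = SPEECH_LIKE + [(18_500, 0.05)]   # quiet carrier riding on top of the audible content


def demo() -> dict:
    return {
        "speech_flagged": is_suspicious(synth(SPEECH_LIKE)),
        "covert_flagged": is_suspicious(synth(COVERT)),
        "covert_ratio": round(band_energy_ratio(synth(COVERT)), 4),
    }


if __name__ == "__main__":
    print(demo())
```

A carrier at 1/10th the amplitude of the audible content still carries roughly 0.65% of the frame's energy here, well above the threshold, while the speech-like frame measures essentially zero in the band. In a real monitor the same ratio would be computed on both the capture and playback streams, over successive frames, and the threshold tuned against the machine's own idle noise; a hardware low-pass filter of the kind Bryan suggests attacks the same band from the other side by never letting it reach the transducer.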

Clive Robinson • December 4, 2013 3:23 AM

@ Winter,

With regards the audio mesh network, if you look up the page you will see @ Bryan beat you too it with the ARS Technica link, and I commented on the paper a little further down.

As I noted above I feel their use of Frequency hopping spread spectrum is probably not an optimal solution (though I've just noticed I use DS-FH when I should have used SS-FH or FHSS hmm more sleep needed ;-)

If they are going to the lengths of implementing quite complex and CPU cycle greedy FFT digital signal processing algorithm they would be better using an orthogonal multitone (coherent MFSK) system such as the old UK Diplomatic Wireless Service (now part of MI6 at Hanslope Park) "Piccolo" system, which I mentioned back on the blog page Bruce commented on BadBIOS.

Clive Robinson • December 4, 2013 3:43 AM

@ Nick P,

Many years ago I looked into "file system analysis" as a forensic method, the fact that "access times" are so unreliable led me to look at block and sector usage and free lists etc and the algorithms the OS file system drivers used. And even back then my first thoughts were based on "how to game the system" or what we now call anti-forensics.

The reason I shied away from using "access times" was "touch" and its non-*nix equivalents. At the time it was common knowledge as to how to "invisibly" change access times either to "cover up" or "frame others". This is because it was --back then-- common to change access times when doing "backups" or if developing software to fool "make" into doing things out of the normal work flow.

But my thinking went deeper than that and questioned what the access times were actually attesting to (which is often not what many people think they do).

My first thoughts on "gaming the system" or as we now call it "anti-forensics" was what causes the create / modify / access times to change, what do they really tell us and how do you not change them to "cover up" or falsify them to "frame" somebody. Further if you can't get at them how do you make the changes look innocent...

So you have to ask such questions as "When is copying not copying?" to which the answer is "When archiving/backing up". And "When is reading a file not copying a file?" to which the answer is "never".

You then think well if I'm not a SysAdmin would making "backups be within company policy for me" and even if so "would it be suspicious to do so", most people don't think about this which means that unless they do it from day 1 they need to have had a believable reason to start doing it with a suitable paper trail to cover it [1]. If it's going to look suspicious are there other more acceptable work related ways such as search tools you could use [2] (like say a hand written shell script using cat / grep in a recursive way needing the creation of temporary files via tee etc).

The secret to anti-forensics is knowing how both the work system and the likely forensics work as steps 1 and 2, but perhaps more importantly because people do get caught is how not to make yourself an "obvious suspect" as step 0... which generally means good OpSec which we know most people are spectacularly bad at one way or another (often in the case of criminal endeavour by "flashing the cash" or "flapping the gums" in order to "big themselves up")

As you note the idea of stochastic forensics is not quite what it's portrayed to be and guess what the bod is apparently trying to patent the idea... Which should probably kill it stone dead as a field of further endeavour in the US [3].

[1] Oddly perhaps I once got into trouble for actually saving a company considerable sums of money and embarrassment because I kept personal backups of all my Emails, whereas the Admin purged the files on the server at the six month mark. Thus I could show from my personal archive that a customer was being at best "economical with the truth" about contract discussions whereas the company archives could not. My reward was a "verbal warning" on my employment record... suffice it to say when I left abruptly (for a better job I'd found) very shortly there after I announced it by getting a legal friend to send the head of their legal dept and the company secretary notice of action for "constructive dismissal" and seeking of compensation.

[2] You may remember that there was an "insider trading" action which the person doing it was found because they did not cover their trades properly. However they were nearly not prosecuted because although the legal firm they worked for had good auditing on "file access" they did not have auditing on listing up project and file names through a search tool. The file names, dates and file owner info along with knowledge of what various employees and groups did enabled the person to work out what was going on without having to access the files.

[3] Obvious examples of this are Differential Power Analysis and just about any crypto algorithm that's ever been patented.

Obi Wan KenobiDecember 5, 2013 10:34 AM

So how do these criminals get the users' passwords? By breaking into, e.g., Google servers? You would think Google hashes and salts any passwords on their servers.

If they have been obtained, on the other hand, by breaking the security on the users' computers then the users have bigger problems. In this case though perhaps these are the result of phishing attempts or the users using the same passwords on some compromised (low security) sites...

Cyber experts uncover 2 million stolen passwords to Web accounts
http://finance.yahoo.com/news/cyber-experts-uncover-2-million-001023886.html

BOSTON (Reuters) - Security experts have uncovered a trove of some 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from Internet users across the globe.

Researchers with Trustwave's SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that cyber criminals use to control a massive network of compromised computers known as the "Pony botnet."

The company told Reuters on Wednesday that it has reported its findings to the largest of more than 90,000 websites and Internet service providers whose customers' credentials it had found on the server.

The data includes more than 326,000 Facebook Inc accounts, some 60,000 Google Inc accounts, more than 59,000 Yahoo Inc accounts and nearly 22,000 Twitter Inc accounts, according to SpiderLabs. Victims were from the United States, Germany, Singapore and Thailand, among other countries.

Representatives for Facebook and Twitter said the companies have reset the passwords of affected users. A Google spokeswoman declined comment. Yahoo representatives could not be reached.

ThomasDecember 6, 2013 4:36 AM

@Clive Robinson

A lot of people are wondering why dragosr was the only one to run across this malware. In fact, he wasn't. The people who were before him were mocked and most threads closed and either deleted or shuffled to areas of message boards where Joe Q public couldn't see it and question this for themselves. [some] Major Anti-Virus companies included.

Users didn't want to know, companies didn't want to know. Unless you were "known" in the field, like dragosr, and even then, you are handled like you may be retarded or just need a vacation.

Here is one of dozens of reports:

LCD Monitor Broadcasts Noise To Radio! Why? (FRS)
http://forums.radioreference.com/computer/255488-lcd-monitor-broadcasts-noise-radio-why.html

Final post in that thread:

"BOTTOM LINE: No matter WHAT you do, all devices that use electricity will emit some sort of interference in the air and there's nothing you can do about it without unplugging/turning it off. "

including:

"Have you noticed any nondescript white vans or black helicopters in your neighborhood?

What do you do or have you done to make "them" take such an interest in you that "they" have to bug you?

You need a bigger tinfoil hat, perhaps a full body suit."

Another thread:

Gpu based paravirtualization rootkit, all os vulne

http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html

This:

U.N. report reveals secret law enforcement techniques

"Point 201: Mentions a new covert communications technique using software defined high frequency radio receivers routed through the computer creating no logs, using no central server and extremely difficult for law enforcement to intercept."

http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf

http://www.hacker10.com/other-computing/u-n-report-reveals-secret-law-enforcement-techniques/

I think this is something which has been brewing for years, but "forces" beyond our sight have managed to stifle any serious investigation into the technology. Some have announced they are retreating to ancient technology of the 70's and 80's, others are looking towards open source hardware and software combinations.

Is it time Wireshark included audio monitoring as well? Off to play with a recording device and Audacity.

Nick PDecember 6, 2013 9:37 AM

@ Thomas

""BOTTOM LINE: No matter WHAT you do, all devices that use electricity will emit some sort of interference in the air and there's nothing you can do about it without unplugging/turning it off. ""

Mostly true.

"Have you noticed any nondescript white vans or black helicopters in your neighborhood?"

Then, the post 180s into nonsense with the white van line. The LCD monitor issue, as most in that thread pointed out, was just electrical interference from one device to another. The security aspects of this are covered under EMSEC and TEMPEST. One piece of equipment interfering with another is NOT evidence of an attack in and of itself.

Link 2 was a claim about GPU infection by a guy with questionable expertise or ability to diagnose that. Reading his posts I could see why they'd doubt him. The UN link is a vague claim about terrorists communicating with software defined radios. That Clive and I have already discussed exotic covert comms like that here, plus enduring popularity of ham radios, means that something like that is conceivable.

Yet, it seems to me like you grabbed a few links off the net, threw them together, and then claim that they collectively imply something about the validity of badBIOS claims. They don't. I'll add Dragos' own behavior with regard to disclosure of evidence is part of the reason for the community's doubt. Although the technical aspects of it are possible, the jury is still out on that specific case.

Now, what I did expect to see was people start building what he described just because they thought it was a cool idea. Then came the academic paper. Prediction working so far. Next part of the prediction was real malware, esp by high end hackers, using it in the field. Or modifying the concept with new vectors. Things will only get more interesting from here. ;)
