Entries Tagged "hacking"

Page 51 of 78

QUANTUM Technology Sold by Cyberweapons Arms Manufacturers

Last October, I broke the story about the NSA’s top secret program to inject packets into the Internet backbone: QUANTUM. Specifically, I wrote about how QUANTUMINSERT injects packets into existing Internet connections to redirect a user to an NSA web server codenamed FOXACID to infect the user’s computer. Since then, we’ve learned a lot more about how QUANTUM works, and general details of many other QUANTUM programs.

These techniques make use of the NSA’s privileged position on the Internet backbone. It has TURMOIL computers directly monitoring the Internet infrastructure at providers in the US and around the world, and a system called TURBINE that allows it to perform real-time packet injection into the backbone. Still, there’s nothing about QUANTUM that anyone else with similar access can’t do. There’s a hacker tool called AirPwn that basically performs a QUANTUMINSERT attack on computers on a wireless network.

A new report from Citizen Lab shows that cyberweapons arms manufacturers are selling this type of technology to governments around the world: the US DoD contractor CloudShield Technologies, Italy’s Hacking Team, and Germany’s and the UK’s Gamma International. These programs intercept web connections to sites like Microsoft and Google—YouTube is specially mentioned—and inject malware into users’ computers.

Turkmenistan paid a Swiss company, Dreamlab Technologies—somehow related to the cyberweapons arms manufacturer Gamma International—just under $1M for this capability. Dreamlab also installed the software in Oman. We don’t know what other countries have this capability, but the companies here routinely sell hacking software to totalitarian countries around the world.

There’s some more information in this Washington Post article, and this essay on the Intercept.

In talking about the NSA’s capabilities, I have repeatedly said that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools. This is exactly what we’re seeing here. By developing these technologies instead of helping defend against them, the NSA—and GCHQ and CSEC—are contributing to the ongoing insecurity of the Internet.

Related: here is an open letter from Citizen Lab’s Ron Deibert to Hacking Team about the nature of Citizen Lab’s research and the misleading defense of Hacking Team’s products.

Posted on August 18, 2014 at 11:14 AMView Comments

Over a Billion Passwords Stolen?

I’ve been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords.

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

Yesterday, Forbes wrote that Hold Security is charging people $120 to tell them if they’re in the stolen-password database:

“In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach,” says the site’s description of the service using its pet name for the most recent breach. “The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away.”

Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a “coming soon” message.

Holden says by email that the service will actually be $10/month and $120/year. “We are charging this symbolical fee to recover our expense to verify the domain or website ownership,” he says by email. “While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”

This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.

I don’t know how much of this story is true, but what I was saying to reporters over the past two days is that it’s evidence of how secure the Internet actually is. We’re not seeing massive fraud or theft. We’re not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords—they’ve probably had most of them for a year or more—and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it it’s all okay. This is a weird paradox that we’re used to by now.

Oh, and if you want to change your passwords, here’s my advice.

EDITED TO ADD (8/7): Brian Krebs vouches for Hold Security. On the other hand, it had no web presence until this story hit. Despite Krebs, I’m skeptical.

EDITED TO ADD (8/7): Here’s an article about Hold Security from February with suspiciously similar numbers.

EDITED TO ADD (8/9): Another skeptical take.

Posted on August 7, 2014 at 7:45 AMView Comments

The Fundamental Insecurity of USB

This is pretty impressive:

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.

These are exactly the sorts of attacks the NSA favors.

EDITED TO ADD (8/14): Good writeup. Slides from BlackHat talk.

Posted on July 31, 2014 at 2:31 PMView Comments

Debit Card Override Hack

Clever:

Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank—except, he wasn’t really calling his bank.

So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.

Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I’ll be that fixing the infrastructure will be expensive.

Posted on July 31, 2014 at 6:55 AMView Comments

Hackers Steal Personal Information of US Security-Clearance Holders

The article says they were Chinese but offers no evidence:

The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.

This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.

Posted on July 17, 2014 at 6:09 AMView Comments

How Traffic Shaping Can Help the NSA Evade Legal Oversight

New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called “traffic shaping,” and has legitimate uses in network management.

From a news article:

The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws—notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.

But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch—along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of American’s data from surveillance conducted on foreign soil—can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.

The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.

An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.

The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.

We saw a clumsy example of this in 2013, when a bunch of Internet traffic was mysteriously routed through Iceland. That one was the result of hacking the Border Gateway Protocol (BGP). I assure you that the NSA’s techniques are more effective and less obvious.

EDITED TO ADD (7/13): Author responds to NSA comments.

Posted on July 1, 2014 at 3:23 PMView Comments

More on Hacking Team's Government Spying Software

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

[…]

Once on a system, the iPhone module uses advance techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can’t be certain the Saudi government is a customer, but there’s good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it’s a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA—as well as the governments of China, Russia, and a handful of other countries—have their own systems that are at least as powerful.

Posted on June 26, 2014 at 6:37 AMView Comments

1 49 50 51 52 53 78

Sidebar photo of Bruce Schneier by Joe MacInnis.