Archive for the ‘Technical’ Category

Stuxnet – a history

Thursday, January 13th, 2022

I haven’t kept this blog up much these last few years. But many of the topics I’ve covered in the past still deeply interest me. Cyber attacks are one such subject. Back in 2010, the Stuxnet Virus waged war on Iran’s nuclear centrifuges. I recall the stories that came out back then quite well. Indeed, I’d been following stories in that vein for sometime.

Today, a friend acquainted me with a Podcast that went over how researchers discovered and decoded the Stuxnet Virus and I found listening to it intensely interesting. If this sort of thing interests you, I think you will like this. It is here.

Listening to the Podcast made me recall a post I’d made here on on this blog. The post reported, in May of 2009, the U.S. was convinced that Iran was within three years of obtaining a nuclear weapon. That, in retrospect, may connect some of the dots. Dots that are always a bit vague at the time.

The 2009 post is here.

Maybe Better If You Don’t Read This Story on Public WiFi

Thursday, January 7th, 2016

– I knew things were bad – but I didn’t know they were this bad.

– Unless you want to be in complete denial about your computer security issues, you will want to read this.

– dennis

– – – – – – – – – – – – – – – –

We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.

In his backpack, Wouter Slotboom, 34, carries around a small black device, slightly larger than a pack of cigarettes, with an antenna on it. I meet Wouter by chance at a random cafe in the center of Amsterdam. It is a sunny day and almost all the tables are occupied. Some people talk, others are working on their laptops or playing with their smartphones.

Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines. It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of cafe visitors.

On his screen, phrases like “iPhone Joris” and “Simone’s MacBook” start to appear. The device’s antenna is intercepting the signals that are being sent from the laptops, smartphones, and tablets around us.

More text starts to appear on the screen. We are able to see which WiFi networks the devices were previously connected to. Sometimes the names of the networks are composed of mostly numbers and random letters, making it hard to trace them to a definite location, but more often than not, these WiFi networks give away the place they belong to.

We learn that Joris had previously visited McDonald’s, probably spent his vacation in Spain (lots of Spanish-language network names), and had been kart-racing (he had connected to a network belonging to a well-known local kart-racing center). Martin, another café visitor, had been logged on to the network of Heathrow airport and the American airline Southwest. In Amsterdam, he’s probably staying at the White Tulip Hostel. He had also paid a visit to a coffee shop called The Bulldog.

Session 1:

Let everyone connect to our fake network

The waitress serves us our coffee and hands us the WiFi password. After Slotboom is connected, he is able to provide all the visitors with an internet connection and to redirect all internet traffic through his little device.

Most smartphones, laptops, and tablets automatically search and connect to WiFi networks. They usually prefer a network with a previously established connection. If you have ever logged on to the T-Mobile network on the train, for example, your device will search for a T-Mobile network in the area.

Slotboom’s device is capable of registering these searches and appearing as that trusted WiFi network. I suddenly see the name of my home network appear on my iPhone’s list of available networks, as well as my workplace, and a list of cafes, hotel lobbies, trains, and other public places I’ve visited. My phone automatically connects itself to one of these networks, which all belong to the black device.

Slotboom can also broadcast a fictitious network name, making users believe they are actually connecting to the network of the place they’re visiting. For example, if a place has a WiFi network consisting of random letters and numbers (Fritzbox xyz123), Slotboom is able to provide the network name (Starbucks). People, he says, are much more willing to connect to these.

We see more and more visitors log on to our fictitious network. The siren song of the little black device appears to be irresistible. Already 20 smartphones and laptops are ours. If he wanted to, Slotboom could now completely ruin the lives of the people connected: He can retrieve their passwords, steal their identity, and plunder their bank accounts. Later today, he will show me how. I have given him permission to hack me in order to demonstrate what he is capable of, though it could be done to anyone with a smartphone in search of a network, or a laptop connecting to a WiFi network.

Everything, with very few exceptions, can be cracked.

The idea that public WiFi networks are not secure is not exactly news. It is, however, news that can’t be repeated often enough. There are currently more than 1.43 billion smartphone users worldwide and more than 150 million smartphone owners in the U.S. More than 92 million American adults own a tablet and more than 155 million own a laptop. Each year the worldwide demand for more laptops and tablets increases. In 2013, an estimated 206 million tablets and 180 million laptops were sold worldwide. Probably everyone with a portable device has once been connected to a public WiFi network: while having a coffee, on the train, or at a hotel.

The good news is that some networks are better protected than others; some email and social media services use encryption methods that are more secure than their competitors. But spend a day walking in the city with Wouter Slotboom, and you’ll find that almost everything and everyone connected to a WiFi network can be hacked. A study from threat intelligence consultancy Risk Based Security estimates that more than 822 million records were exposed worldwide in 2013, including credit card numbers, birth dates, medical information, phone numbers, social security numbers, addresses, user names, emails, names, and passwords. Sixty-five percent of those records came from the U.S. According to IT security firm Kaspersky Lab, in 2013 an estimated 37.3 million users worldwide and 4.5 million Americans were the victim of phishing—or pharming—attempts, meaning payment details were stolen from hacked computers, smartphones, or website users.

Report after report shows that digital identity fraud is an increasingly common problem. Hackers and cybercriminals currently have many different tricks at their disposal. But the prevalence of open, unprotected WiFi networks does make it extremely easy for them. The Netherlands National Cyber ??Security Center, a division of the Ministry of Security and Justice, did not issue the following advice in vain: “It is not advisable to use open WiFi networks in public places. If these networks are used, work or financial related activities should better be avoided.”

Slotboom calls himself an “ethical hacker,” or one of the good guys; a technology buff who wants to reveal the potential dangers of the internet and technology. He advises individuals and companies on how to better protect themselves and their information. He does this, as he did today, usually by demonstrating how easy it is to inflict damage. Because really, it’s child’s play: The device is cheap, and the software for intercepting traffic is very easy to use and is readily available for download. “All you need is 70 Euros, an average IQ, and a little patience,” he says. I will refrain from elaborating on some of the more technical aspects, such as equipment, software, and apps needed to go about hacking people.

Session 2:

Scanning for name, passwords, and sexual orientation

Armed with Slotboom’s backpack, we move to a coffeehouse that is known for the beautiful flowers drawn in the foam of the lattes, and as a popular spot for freelancers working on laptops. This place is now packed with people concentrating on their screens.

Slotboom switches on his equipment. He takes us through the same steps, and within a couple of minutes, 20 or so devices are connected to ours. Again we see their Mac-addresses and login history, and in some cases their owners’ names. At my request, we now go a step further.

Slotboom launches another program (also readily available for download), which allows him to extract even more information from the connected smartphones and laptops. We are able to see the specifications of the mobile phone models (Samsung Galaxy S4), the language settings for the different devices, and the version of the operating system used (iOS 7.0.5). If a device has an outdated operating system, for example, there are always known “bugs,” or holes in the security system that can be easily exploited. With this kind of information, you have what you need to break into the operating system and take over the device. A sampling of the coffeehouse customers reveals that none of the connected devices have the latest version of the operating system installed. For all these legacy systems, a known bug is listed online.

We can now see some of the actual internet traffic of those around us. We see that someone with a MacBook is browsing the site Nu.nl. We can see that many devices are sending documents using WeTransfer, some are connecting to Dropbox, and some show activity on Tumblr. We see that someone has just logged on to FourSquare. The name of this person is also shown, and, after googling his name, we recognize him as the person sitting just a few feet away from us.

Information comes flooding in, even from visitors who are not actively working or surfing. Many email programs and apps constantly make contact with their servers—a necessary step for a device to retrieve new emails. For some devices and programs, we are able to see what information is being sent, and to which server.

And now it’s getting really personal. We see that one visitor has the gay dating app Grindr installed on his smartphone. We also see the name and type of the smartphone he’s using (iPhone 5s). We stop here, but it would be a breeze to find out to who the phone belongs to. We also see that someone’s phone is attempting to connect to a server in Russia, sending the password along with it, which we are able to intercept.

Session 3:

Obtaining information on occupation, hobbies, and relational problems

Many apps, programs, websites, and types of software make use of encryption technologies. These are there to ensure that the information sent and received from a device is not accessible to unauthorized eyes. But once the user is connected to Slotboom’s WiFi network, these security measures can be circumvented relatively easily, with the help of decryption software.

To our shared surprise, we see an app sending personal information to a company that sells online advertising. Among other things, we see the location data, technical information of the phone, and information of the WiFi network. We can also see the name (first and last) of a woman using the social bookmarking website Delicious. Delicious allows users to share websites—bookmarks—they are interested in. In principle, the pages that users of Delicious share are available publicly, yet we can’t help feeling like voyeurs when we realize just how much we are able to learn about this woman on the basis of this information.

First we google her name, which immediately allows us to determine what she looks like and where in the coffeehouse she is sitting. We learn that she was born in a different European country and only recently moved to the Netherlands. Through Delicious we discover that she’s been visiting the website of a Dutch language course and she has bookmarked a website with information on the Dutch integration course.

In less than 20 minutes, here’s what we’ve learned about the woman sitting 10 feet from us: where she was born, where she studied, that she has an interest in yoga, that she’s bookmarked an online offer for a anti-snore mantras, recently visited Thailand and Laos, and shows a remarkable interest in sites that offer tips on how to save a relationship.

Slotboom shows me some more hacker tricks. Using an app on his phone, he is able to change specific words on any website. For example, whenever the word “Opstelten” (the name of a Dutch politician) is mentioned, people see the word “Dutroux” (the name of a convicted serial killer) rendered on the page instead. We tested it and it works. We try another trick: Anyone loading a website that includes pictures gets to see a picture selected by Slotboom. This all sounds funny if you’re looking for some mischief, but it also makes it possible to load images of child pornography on someone’s smartphone, the possession of which is a criminal offense.

Password intercepted

We visit yet another cafe. My last request to Slotboom is to show me what he would do if he wanted to really harm me. He asks me to go to Live.com (the Microsoft email site) and enter a random username and password. A few seconds later, the information I just typed appears on his screen. “Now I have the login details of your email account,” Slotboom says. “The first thing I would do is change the password of your account and indicate to other services you use that I have forgotten my password. Most people use the same email account for all services. And those new passwords will then be sent to your mailbox, which means I will have them at my disposal as well.” We do the same for Facebook: Slotboom is able to intercept the login name and password I entered with relative ease.

Another trick that Slotboom uses is to divert my internet traffic. For example, whenever I try to access the webpage of my bank, he has instructed his program to re-direct me to a page he owns: a cloned site that appears to be identical to the trusted site, but is in fact completely controlled by Slotboom. Hackers call this DNS spoofing. The information I entered on the site is stored on the server owned by Slotboom. Within 20 minutes he’s obtained the login details, including passwords for my Live.com, SNS Bank, Facebook, and DigiD accounts.

I will never again be connecting to an insecure public WiFi network without taking security measures.

– Follow this link to the original of this story…

Mysterious world of the ‘dark web’

Monday, August 17th, 2015

The “dark web” is a part of the world wide web that requires special software to access. Once inside, web sites and other services can be accessed through a browser in much the same way as the normal web.

However, some sites are effectively “hidden”, in that they have not been indexed by a search engine and can only be accessed if you know the address of the site. Special markets also operate within the dark web called, “darknet markets”, which mainly sell illegal products like drugs and firearms, paid for in the cryptocurrency Bitcoin.

There is even a crowdfunded “Assassination Market”, where users can pay towards having someone assassinated.

Because of the the dark web’s almost total anonymity, it has been the place of choice for groups wanting to stay hidden online from governments and law enforcement agencies. On the one hand, there have been whistleblowers using the dark web to communicate with journalists, but more frequently it has been used by paedophile groups, terrorists and criminals to keep their dealings secret.

Going dark

There are a number of ways to access the dark web, including the use of Tor, Freenet and I2P. Of these, the most popular is Tor (originally called The Onion Router), partly because it is one of the easiest software packages to use. Tor downloads as a bundle of software that includes a version of Firefox configured specifically to use Tor.

Tor provides secrecy and anonymity by passing messages through a network of connected Tor relays, which are specially configured computers. As the message hops from one node to another, it is encrypted in a way that each relay only knows about the machine that sent the message and the machine it is being sent to.

Rather than conventional web addresses, Tor uses “onion” addresses, which further obsure the content. There are even special versions of search engines like Bing and Duck Duck Go that will return onion addresses for Tor services.

It is a mistake to think that Tor is entirely anonymous. If a web site is accessed, it can still potentially find out information about whoever is accessing the site because of information that is shared, such as usernames and email addresses. Those wanting to stay completely anonymous have to use special anonymity services to hide their identity in these cases.

Services on the dark web would not have been as popular without a means of paying for them. This is something that Bitcoin has made possible. A recent study by Carnegie Mellon researchers Kyle Soska and Nicolas Christin has calculated that drug sales on the dark net total US$100 million a year. Most, if not all, was paid for in Bitcoin.

Bitcoin is made even more difficult to track on the dark web through the use of “mixing services” like Bitcoin Laundry, which enables Bitcoin transactions to be effectively hidden completely.

How ‘dark’ is the dark web?

The developers of Tor and organisations like the Electronic Frontier Foundation (EFF argue that the principal users of Tor are activists and people simply concerned with maintaining their privacy. Certainly, Tor has been used in the past for journalists to talk to whistleblowers and activists, including Edward Snowden).

However, even a cursory glance at the Hidden Wiki – the main index of dark websites – reveals that the majority of sites listed are concerned with illegal activities. Some of these sites are scams, and so it is not clear how easy it is to buy guns, fake passports and hire hackers from the services listed. But there are likely sites on the dark web where these things are entirely possible.

Although the dark web makes law enforcement agencies’ jobs much more difficult, they have had a great deal of success in bringing down sites and arresting their users and the people behind them. The most famous of these was the arrest of Ross Ulbricht, the person behind the most well known of the drug markets, Silk Road.

More recently, the FBI’s arrest of two users of a child abuse site on the dark web highlighted that they are now able to use a range of techniques to unmask Tor users’ real internet addresses.

– To the Original:  

 

Spyware demo shows how spooks hack mobile phones

Wednesday, August 12th, 2015

Intelligence agencies’ secretive techniques for spying on mobile phones are seldom made public.

But a UK security firm has shown the BBC how one tool, sold around the world to spooks, actually works.

It allows spies to take secret pictures with a phone’s camera and record conversations with the microphone, without the phone owner knowing.

Hacking Team’s software was recently stolen from the company by hackers and published on the web.

Almost any data on a phone, tablet or PC can be accessed by the tool and it is fascinating how much it can do.

When Joe Greenwood, of cybersecurity firm 4Armed, saw that source code for the program had been dumped online by hackers, he couldn’t resist experimenting with it.

Although he had to fiddle with the code to make it work, it only took a day before he had it up and running.

The software consists of the surveillance console, which displays data retrieved from a hacked device, and malware planted on the target device itself.

4Armed was careful to note that using it to spy on someone without their consent would be against the law.

Listening in

After testing the software on his own PC, Mr Greenwood soon realised the scope of its capabilities.

“You can download files, record microphones, webcam images, websites visited, see what programs are running, intercept Skype calls,” he told the BBC.

The software even has some in-built features to track Bitcoin payments, which can be difficult to associate with individuals without additional data about when and how transactions were performed.

In a live demonstration of the system, Mr Greenwood showed how an infected phone could be made to record audio from the microphone, even when the device was locked, and use the phone’s camera without its owner knowing.

“We can actually take photos without them realising.

“So the camera in the background is running, taking photos every number of seconds,” explained Mr Greenwood.

It was also possible to listen in on phone calls, access the list of contacts stored on the device and track what websites the phone user was visiting.

 

Both Mr Greenwood and 4Armed’s technical director, Marc Wickenden, said they were surprised by the sleekness of the interface.

Both point out, though, that customers could be paying upwards of £1m for the software and would expect it to be user-friendly, especially if it was intended for use by law enforcers on the beat.

For the tracked user, though, there are very few ways of finding out that they are being watched.

One red flag, according to Mr Greenwood, is a sudden spike in network data usage, indicating that information is being sent somewhere in the background. Experienced spies, however, would be careful to minimise this in order to remain incognito.

At present, spy software like this is only likely to be secretly deployed on the phones and computers of people who are key targets for an intelligence agency.

Spy catcher

The version of the spyware distributed online is now likely to be more easily detected by anti-virus programs because companies analysing the source code are in the process of updating their systems to recognise it.

Security expert Graham Cluley said it should be as easy to detect as malware.

“The danger will be that malicious hackers could take that code and augment it or change it so it no longer looks like Hacking Team’s versions, which might avoid detection,” he added.

The best course of action, said Mr Cluley, is to keep operating systems and software as up to date as possible.

In a statement, a spokesman for Hacking Team said it advised its customers not to use the software once the breach was discovered.

“As soon as the event was discovered, Hacking Team immediately advised all clients to discontinue the use of that version of the software, and the company provided a patch to assure that client surveillance data and other information stored on client systems was secure.

“From the beginning Hacking Team has assumed that the code that has been released is compromised,” he said.

The spokesman added that the software would be operated by clients of Hacking Team, not Hacking Team itself, and therefore no sensitive data relating to ongoing investigations had been compromised in the breach.

“Of course, there are many who would use for their own purposes the information released by the criminals who attacked Hacking Team.

“This was apparently not a concern of the attackers who recklessly published the material for all online.

“Compiling the software would take considerable technical skill, so not just anyone could do that, but that is not to say it is impossible,” he said.

– To the original:  

 

Websites can track us by the way we type

Friday, July 31st, 2015

– Here’s an article explaining how websites can identify who is typing by watching patterns in how we touch the keys.  I.e., how long you hold particular keys down and how much time elapses between different keystrokes.

– And the article describes a Google Chrome add-on that will mask this for you so you can become anonymous again.

– It is getting harder and harder to move about in the world anonymously.  There are some who would say, “If you are not doing anything wrong, why would you care?”  I don’t subscribe to that.  We are, by common social agreement and oftentimes by the rule of law, innocent until proved guilty.

– The people that hold and use these tools may be benign towards us today but there’s no guarantee that they will remain so in the future.  So, it seems obvious to me that if someone wants to exert greater control over us in the future, they will already have all the tools they need to win the battle to control us before a shot is fired.

– dennis

= = = = = = = = = = = = =

Meet KeyboardPrivacy: a proof-of-concept Google Chrome extension that masks how long your fingers linger on each key you depress as you type and how much of a time lag there is between each of your key presses.

And just why would you need to disguise these typing traits – also known as periodicity – which are as unique to individuals as fingerprints?

Because there’s technology out there that can measure our typing characteristics, on the scale of millisecond-long delays and key presses, and use the data to profile us with such a high degree of accuracy that – Tor or no Tor – you won’t stay anonymous when browsing online.

Examples include profiling technology from a Swedish company called BehavioSec that can identify site visitors, based on their typing habits, with a session score of 99% and a confidence rate of 80%.

That type of success comes after the technology has been trained on a mere 44 input characters.

The extension, designed to obfuscate our typing patterns, comes from security researchers Per Thorsheim and Paul Moore.

On Tuesday, Moore said on his blog that UK banks are rumored to be actively trialing such technology to try to detect and minimize the risk of fraud.

That rumor is backed up by news reports mentioning that, as of March 2013, BehavioSec counted Sweden’s top ten national banks – along with Samsung – among its clients.

Why would the researchers want to fight off banks’ efforts to detect fraudulent activity on our accounts?

And why would bank customers want to reduce security by throwing a monkey wrench – or, really, in this case, it’s more like introducing the technical equivalent of a highly accurate cat walking across our keyboards – into banks’ efforts?

Because as it is, we’re trading privacy for security, Moore said.

…More:

 

Hacking BIOS Chips isn’t just the NSA’s domain anymore

Monday, March 23rd, 2015

– I’m coming to believe that the only secrets left are the things in your head that you’ve never told another soul.  And I’m increasingly fearful that those who want to dominate our societies in the name of ‘security’ are developing the tools to disarm any who might try to organize against them.

– In the coming years, when the various dominator powers war against each other for global domination, those of us who understand little of these cyber wars will be like rats beneath the wheels of the passing chariots.

– As I see it, the only saving grace is that the type of intelligence it takes to participate in these wars is in no way exclusive to those with the urge to dominate.  But the Dominators do have the enviable advantage of money and organizational power.

– And note well, my friends, that nothing I’ve just said acknowledges in any way the other preeminent fact of our times – that our presence within, expansion into and carelessness with the natural environment around us is virtually certain to bring it down around our ears, unless we change our ways.

– Those going forward from here will increasingly live in ‘interesting times’.  We are truly at a pivot-point in human history and most of us are deeply asleep with regard to how fragile the world around us is becoming.

– dennis

= = = = = = = = = = = = = = = = = = = = = =

THE ABILITY TO hack the BIOS chip at the heart of every computer is no longer reserved for the NSA and other three-letter agencies.  Millions of machines contain basic BIOS vulnerabilities that let anyone with moderately sophisticated hacking skills compromise and control a system surreptitiously, according to two researchers.

The revelation comes two years after a catalogue of NSA spy tools leaked to journalists in Germany surprised everyone with its talk about the NSA’s efforts to infect BIOS firmware with malicious implants.

The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed.

BIOS-hacking until now has been largely the domain of advanced hackers like those of the NSA. But researchers Xeno Kovah and Corey Kallenberg presented a proof-of-concept attack today at the CanSecWest conference in Vancouver, showing how they could remotely infect the BIOS of multiple systems using a host of new vulnerabilities that took them just hours to uncover. They also found a way to gain high-level system privileges for their BIOS malware to undermine the security of specialized operating systems like Tails—used by journalists and activists for stealth communications and handling sensitive data.

Although most BIOS have protections to prevent unauthorized modifications, the researchers were able to bypass these to reflash the BIOS and implant their malicious code.

Kovah and Kallenberg recently left MITRE, a government contractor that conducts research for the Defense Department and other federal agencies, to launch LegbaCore, a firmware security consultancy. They note that the recent discovery of a firmware-hacking tool by Kaspersky Lab researchers makes it clear that firmware hacking like their BIOS demo is something the security community should be focusing on.

Because many BIOS share some of the same code, they were able to uncover vulnerabilities in 80 percent of the PCs they examined, including ones from Dell, Lenovo and HP. The vulnerabilities, which they’re calling incursion vulnerabilities, were so easy to find that they wrote a script to automate the process and eventually stopped counting the vulns it uncovered because there were too many.

“There’s one type of vulnerability, which there’s literally dozens of instances of it in every given BIOS,” says Kovah. They disclosed the vulnerabilities to the vendors and patches are in the works but have not yet been released. Kovah says, however, that even when vendors have produced BIOS patches in the past, few people have applied them.

“Because people haven’t been patching their BIOSes, all of the vulnerabilities that have been disclosed over the last couple of years are all open and available to an attacker,” he notes. “We spent the last couple of years at MITRE running around to companies trying to get them to do patches. They think BIOS is out of sight out of mind [because] they don’t hear a lot about it being attacked in the wild.”

An attacker could compromise the BIOS in two ways—through remote exploitation by delivering the attack code via a phishing email or some other method, or through physical interdiction of a system. In that case, the researchers found that if they had physical access to a system they could infect the BIOS on some machines in just two minutes. This highlights just how quickly and easy it would be, for example, for a government agent or law enforcement officer with a moment’s access to a system to compromise it.

Their malware, dubbed LightEater, uses the incursion vulnerabilities to break into and hijack the system management mode to gain escalated privileges on the system. System management mode, or SMM, is an operations mode in Intel processors that firmware uses to do certain functions with high-level system privileges that exceed even administrative and root-level privileges, Kovah notes. Using this mode, they can rewrite the contents of the BIOS chip to install an implant that gives them a persistent and stealth foothold. From there, they can install root kits and steal passwords and other data from the system.

But more significantly, SMM gives their malware the ability to read all data and code that appears in a machine’s memory. This would allow their malware, Kovah points out, to subvert any computer using the Tails operating system—the security and privacy-oriented operating system Edward Snowden and journalist Glenn Greenwald used to handle NSA documents Snowden leaked. By reading data in memory, they could steal the encryption key of a Tails user to unlock encrypted data or swipe files and other content as it appears in memory. Tails is meant to be run from a secure USB flash drive or other removable media—so that conceivably it won’t be affected by viruses or other malware that may have infected the computer. It operates in the computer’s memory and once the operating system is shut down, Tails scrubs the RAM to erase any traces of its activity. But because the LightEater malware uses the system management mode to read the contents of memory, it can grab the data while in memory before it gets scrubbed and store it in a safe place from which it can later be exfiltrated. And it can do this while all the while remaining stealth.

“Our SMM attacker lives in a place nobody checks today to see if there’s an attacker,” Kovah says. “System management mode can read everyone’s RAM, but nobody can read System Management Mode’s RAM.”

Such an attack shows, he says, that the operating system Snowden chose to protect himself can’t actually protect him from the NSA or anyone else who can design an attack like LightEater.

– To the original article:  

– research thanks to: K. M.

 

 

NSA hiding Equation spy program on hard drives

Wednesday, February 18th, 2015

– In 1999, Motorola, at my request, sent me to Silicon Valley for a week-long course in advanced Windows Win32 programming.  

– During this course, I remember talking with another participant; a young computer whiz who was from the NSA.  

– He talked about how they (the NSA computer guys) conducted red-team green-team battles to see who could infiltrate the other’s team’s computer systems.

– But the thing he talked about, that caught my interest the most, was when he said the hot new frontier was getting into firmware as a way of exerting control over computers remotely.  It was a new idea that immediately fascinated me but once he saw my interest, I think he realized that he might be talking too much and clammed up.  He avoided me for the rest of the week.

– The story, below, says that the technique of firmware infiltration may have been around since 2001.  I’m sure I heard the sound of the other shoe dropping when I read that.

– The article says:

It is not clear how the NSA may have obtained the hard drives’ source code. Western Digital spokesman Steve Shattuck said the company “has not provided its source code to government agencies.” The other hard drive makers would not say if they had shared their source code with the NSA.

– I don’t find it all that mysterous.  How hard would it be for the NSA to field computer-savvy agents directed to seek employment in these companies?  Or, as the article says, to require the companies to provide their source code to the NSA for security reviews before the U.S. Government will allow it to be used in U.S. facilities?

– Once the NSA has the firmware’s source code, they can modify it and then intercept the firm’s drives in shipment and refresh the firmware on the intercepted drives with the NSA’s new stuff …  that does everything the old firmware does … and a bit more.  

– The interception-during-shipment technique was outed over a year ago as being one of their favorite techniques though in that case it had to do with routers.

– dennis

= = = = = = = = = = = = = = = = = = = = = = = = =

The US National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.

The disclosure could further hurt the NSA’s surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden’s revelations have hurt the United States’ relations with some allies and slowed the sales of US technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

TECHNOLOGICAL BREAKTHROUGH

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

“The hardware will be able to infect the computer over and over,” lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky’s reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital, Seagate, Toshiba, IBM, Micron Technology and Samsung.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

GETTING THE SOURCE CODE

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

“There is zero chance that someone could rewrite the [hard drive] operating system using public information,” Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other US companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big US tech and defense companies.

It is not clear how the NSA may have obtained the hard drives’ source code. Western Digital spokesman Steve Shattuck said the company “has not provided its source code to government agencies.” The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has “secure measures to prevent tampering or reverse engineering of its firmware and other technologies.” Micron spokesman Daniel Francisco said the company took the security of its products seriously and “we are not aware of any instances of foreign code.”

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive US agency, the government can request a security audit to make sure the source code is safe.

“They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,'” said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.”

Kaspersky called the authors of the spying program “the Equation group,” named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kasperky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as “zero days,” which strongly suggested collaboration by the authors, Raiu said. He added that it was “quite possible” that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

– To the Original:  

Crypto phones and dubious cell phone towers

Thursday, September 4th, 2014

HackedPhoneMysterious Phony Cell Towers Could Be Intercepting Your Calls

Every smart phone has a secondary OS, which can be hijacked by high-tech hackers

Like many of the ultra-secure phones that have come to market in the wake of Edward Snowden’s leaks, the CryptoPhone 500, which is marketed in the U.S. by ESD America and built on top of an unassuming Samsung Galaxy SIII body, features high-powered encryption. Les Goldsmith, the CEO of ESD America, says the phone also runs a customized or “hardened” version of Android that removes 468 vulnerabilities that his engineering team team found in the stock installation of the OS.

His mobile security team also found that the version of the Android OS that comes standard on the Samsung Galaxy SIII leaks data to parts unknown 80-90 times every hour.  That doesn’t necessarily mean that the phone has been hacked, Goldmsith says, but the user can’t know whether the data is beaming out from a particular app, the OS, or an illicit piece of spyware.  His clients want real security and control over their device, and have the money to pay for it.

To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone. Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”

– More…

– 16Sep14 – More on this story…

Why the Security of USB Is Fundamentally Broken

Monday, August 11th, 2014

– If you liked what I posted yesterday, you’l love today.

– dennis

= = = = = = = = = = = = = = = = = = =

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’

Nohl and Lell, researchers for the security consultancy SR Labs, are hardly the first to point out that USB devices can store and spread malware. But the two hackers didn’t merely copy their own custom-coded infections into USB devices’ memory. They spent months reverse engineering the firmware that runs the basic communication functions of USB devices—the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. “It goes both ways,” Nohl says. “Nobody can trust anybody.”

– More…

 

Leaked docs show spyware used to snoop on US computers

Sunday, August 10th, 2014

– Truly, I think we have less and less of a chance to keep our computers secure and our communications private.  If we haven’t been hacked, it is only because there are so many of us and so few hackers/criminals to go around.   Or it’s because we have not sufficiently irritated someone in the officialdom enclosing us.

– Personally, I am considering setting up from scratch (wipe the disk and install a virgin copy of the operating system) one specific computer for my essential banking and financial activities.   This machine would be only used for these activities and nothing else.  I’ll keep its anti-vius and malware defenses fully updated and, when I am not using it, it will be turned off and disconnected.   And, when I do use it, I will shut off and disconnect the other systems on my LAN in case they are infected.

– I’m also considering changing all my passwords as well.

– Paranoid or playing the odds?  I think it is hard to tell but the saying ‘better safe than sorry’ does come to mind.

– And should I not worry so much and simply assume that my government will look out for me?  

– I Don’t think so.  They are too busy doing the bidding the corporate world.  And I am irrelevant to the corporate world useless they can use me  somehow to increase their profits.

– Nope, other than me, nobody else has my back on this.  And those who think it isn’t so will eventually find out the truth the hard way.

– dennis

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

imagesSoftware created by the controversial UK-based Gamma Group International was used to spy on computers that appear to be located in the United States, the UK, Germany, Russia, Iran, and Bahrain, according to a leaked trove of documents analyzed by ProPublica.

It’s not clear whether the surveillance was conducted by governments or private entities. Customer e-mail addresses in the collection appeared to belong to a German surveillance company, an independent consultant in Dubai, the Bosnian and Hungarian Intelligence services, a Dutch law enforcement officer, and the Qatari government.

The leaked files—which were posted online by hackers—are the latest in a series of revelations about how state actors including repressive regimes have used Gamma’s software to spy on dissidents, journalists, and activist groups.

The documents, leaked last Saturday, could not be readily verified, but experts told ProPublica they believed them to be genuine. “I think it’s highly unlikely that it’s a fake,” said Morgan Marquis-Bore, a security researcher who while at The Citizen Lab at the University of Toronto had analyzed Gamma Group’s software and who authored an article about the leak on Thursday.

The documents confirm many details that have already been reported about Gamma, such as that its tools were used to spy on Bahraini activists. Some documents in the trove contain metadata tied to e-mail addresses of several Gamma employees. Bill Marczak, another Gamma Group expert at the Citizen Lab, said that several dates in the documents correspond to publicly known events—such as the day that a particular Bahraini activist was hacked.

Gamma has not commented publicly on the authenticity of the documents. A phone number listed on a Gamma Group website was disconnected. Gamma Group did not respond to e-mail requests for comment.

The leaked files contain more than 40 gigabytes of confidential technical material, including software code, internal memos, strategy reports, and user guides on how touse Gamma Group software suite called FinFisher. FinFisher enables customers to monitor secure Web traffic, Skype calls, webcams, and personal files. It is installed as malware on targets’ computers and cell phones.

price list included in the trove lists a license of the software at almost $4 million.

The documents reveal that Gamma uses technology from a French company called Vupen Security that sells so-called computer “exploits.”

Exploits include techniques called “zero days” for “popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader, and many more.” Zero days are exploits that have not yet been detected by the software maker and therefore are not blocked.

Vupen has said publicly that it only sells its exploits to governments, but Gamma may have no such scruples. “Gamma is an independent company that is not bound to any country, governmental organisation, etc.,” says one file in the Gamma Group’s material. At least one Gamma customer listed in the materials is a private security company.

Vupen didn’t respond to a request for comment.

Many of Gamma’s product brochures have previously been published by the Wall Street Journal andWikileaks, but the latest trove shows how the products are getting more sophisticated.

In one document, engineers at Gamma tested a product called FinSpy, which inserts malware onto a user’s machine, and found that it could not be blocked by most antivirus software.

Documents also reveal that Gamma had been working to bypass encryption tools including a mobile phone encryption app, Silent Circle, and were able to bypass the protection given by hard-drive encryption products TrueCrypt and Microsoft’s Bitlocker.

Mike Janke, the CEO of Silent Circle, said in an e-mail that “we have serious doubts about if they were going to be successful” in circumventing the phone software and that Silent Circle is working on bulletproofing its app.

Microsoft did not respond to a request for comment.

The documents also describe a “country-wide” surveillance product called FinFly ISP which promises customers the ability to intercept Internet traffic and masquerade as ordinary websites in order to install malware on a target’s computer.

The most recent date-stamp found in the documents is August 2, coincidung with the first tweet by a parody Twitter account, @GammaGroupPR, which first announced the hack and may be run by the hacker or hackers responsible for the leak.

On Reddit, a user called PhineasFisher claimed responsibility for the leak. “Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents,” the user wrote. The name on the @GammaGroupPR Twitter account is also “Phineas Fisher.”

GammaGroup, the surveillance company whose documents were released, is no stranger to the spotlight. The security firm F-Secure first reported the purchase of FinFisher software by the Egyptian State Security agency in 2011. In 2012, Bloomberg News and The Citizen Lab showed how the company’s malware was used to target activists in Bahrain.

In 2013, the software company Mozilla sent a cease-and-desist letter to the company after a report by The Citizen Lab showed that a spyware-infected version of the Firefox browser manufactured by Gamma was being used to spy on Malaysian activists.

– To the original: