Category: Security

Tor developer helps spooks hack Tor

A former Tor Project developer is making a living creating malware for the Federal Bureau of Investigation that allows agents to unmask users of the anonymity software.

Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the non-profit that builds Tor software and maintains the network, almost a decade ago.

Apparently he has developed some killer malware which is being used by the Untouchables to unmask Tor users. It’s been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases.

The Tor Project has announced that it came to its attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defence contractor working for the FBI to develop anti-Tor malware.

Edman was only with Tor for a year. In 2008 he joined and worked on Vidalia, a piece of software meant to make Tor easier for normal users by implementing a simple user interface. He was a graduate student then, pursuing a Ph.D. in computer science that he would obtain in 2011 from Rensselaer Polytechnic Institute.

Of course there were a few fears that, had Edman been considering his future, he could have been installing backdoors into Tor. However, Vidalia was the only Tor software to which Edman was able to commit changes, and that software was dropped in 2013.

By 2012, Edman was working at Mitre as a senior cybersecurity engineer assigned to the FBI’s Remote Operations Unit, the bureau’s little-known internal team tapped to build or buy custom hacks and malware for spying on potential criminals. Edman became an FBI contractor tasked with hacking Tor as part of Operation Torpedo, a sting against three Dark Net child pornography sites that used Tor to cloak their owners and patrons.

At Mitre, Edman worked closely with FBI Special Agent Steven A. Smith to customize, configure, test, and deploy malware he called “Cornhusker” to collect identifying information on Tor users. More widely, it’s been known as Torsploit.

Cornhusker used a Flash application to deliver a user’s real Internet Protocol (IP) address to an FBI server outside the Tor network. The malware targeted the Flash plugin inside the Tor Browser. The Tor Project has long warned that Flash is unsafe, but enough people made that security mistake that Operation Torpedo netted 19 convictions.

According to court documents, Cornhusker is no longer in use. Since then, newer FBI-funded malware has targeted a far wider scope of Tor users in the course of investigations.

NSA snooping scares Wikipedia readers

Internet traffic to Wikipedia pages summarising knowledge about terror groups and their tools plunged nearly 30 percent after revelations of widespread Web monitoring by the US spooks.

A paper in the Berkeley Technology Law Journal analyses the fall in traffic, saying that it provides the most direct evidence to date of a so-called “chilling effect”, or negative impact on legal conduct, from the intelligence practices disclosed by fugitive former NSA contractor Edward Snowden.

Author Jonathon Penney, a fellow at the University of Toronto’s interdisciplinary Citizen Lab, looked at the monthly views of Wikipedia articles on 48 topics identified by the US Department of Homeland Security as subjects that they track on social media, including Al Qaeda, dirty bombs and jihad.

In the 16 months prior to the first major Snowden stories in June 2013, the articles drew a variable but increasing audience, with a low point of about 2.2 million views per month rising to 3.0 million just before disclosures of the NSA’s Internet spying programs.

Views of the sensitive pages rapidly fell back to 2.2 million a month in the next two months and later dipped under 2.0 million before stabilising below 2.5 million 14 months later, Penney found.

Penney’s results confirm other research which noted a five per cent drop in Google searches for sensitive terms immediately after June 2013. Other surveys have found sharply increased use of privacy-protecting Web browsers and communications tools.


German nuclear power plant infected with viruses

A nuclear power plant in Germany is packed with computer viruses, but since they don’t pose a threat to the facility’s operations they are all ignored.

The Gundremmingen plant, located about 120 km northwest of Munich, is run by the German utility RWE, which is not too worried because the plant is not connected to the internet.

The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.

Malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant’s operating systems. RWE said it has increased cyber security measures.

W32.Ramnit is designed to steal files from infected computers and targets Windows. It is nearly six years old, is distributed through data sticks among other methods, and is intended to give an attacker remote control over a system when it is connected to the Internet.

Conficker has been around since 2008. It is able to spread through networks and by copying itself onto removable data drives, Symantec said.

RWE said it has informed Germany’s Federal Office for Information Security (BSI), which is working with IT specialists at the group to look into the incident.

Tuesday was the 30th anniversary of the Chernobyl nuclear disaster – just saying.

Encryption going like the clappers, Clapper moans

The US’s top spook James Clapper has moaned that Edward Snowden’s leaks have sped up the advance of user-friendly, widely available strong encryption.

Clapper said that the onset of commercial encryption has been accelerated by seven years.

Speaking at a breakfast for journalists hosted by the Christian Science Monitor, he said this shortened timeline has had “a profound effect on the NSA’s ability to collect, particularly against terrorists.”

The number was based on the projected growth, maturation and installation of commercially available encryption. What had been forecast, three years ago, to be seven years away was accelerated to now because of the leaks.

He did not think this was a good thing because it meant better protection for American consumers from the arms race of hackers constantly trying to penetrate software worldwide.

Clapper acknowledged that there is no such thing as unbreakable encryption from his perspective. “In the history of mankind, since we’ve been doing signals intelligence, there’s really no such thing, given proper time, and proper application of technology.”

Unfortunately for him, Snowden’s revelations that the NSA was spying on everyone made ordinary people just as paranoid as terrorists.

Bank Robbers use SWIFT exploit

Bankers drew a deep breath this morning after it was revealed that the hackers who nicked $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system.

Insecurity experts at BAE Systems had a look at the malware, which the thieves used to cover their tracks and delay discovery of the heist. The cyber criminals tried to make fraudulent transfers totaling $951 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York in February.

Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.

SWIFT, a cooperative owned by 3,000 financial institutions, has admitted that it is aware of malware targeting its client software. SWIFT swiftly said it would release a software update to thwart the malware, along with a special warning for financial institutions to scrutinise their security procedures with some extra scrut.

BAE believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.

Investigators probing the heist had previously said the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. But the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers.

SWIFT claims the malware had no impact on SWIFT’s network or core messaging services.

The SWIFT messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software, Deteran said.

SWIFT may release additional updates as it learns more about the attack in Bangladesh and other potential threats, Deteran said.

Adrian Nish, BAE’s head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.

“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in,” he said. “I guess it was the realization that the potential payoff made that effort worthwhile.”

A senior official with the Bangladesh Police’s Criminal Investigation Department said that investigators had not found the specific malware described by BAE, but that forensics experts had not finished their probe.

Bangladesh police investigators said last week that the bank’s computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.

Still, police investigators told Reuters in an interview that both the bank and SWIFT should take the blame for the problems.

“It was their responsibility to point it out but we haven’t found any evidence that they advised before the heist,” said Mohammad Shah Alamo, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department, referring to SWIFT.



Dutch arrest encrypted network provider

Inspector Knacker of the Rotterdam Yard has fingered the collar of the owner of Ennetcom, a provider of encrypted communications.

Inspector Knacker seems to think that the business is being used for organised crime and has shut it down.

Rotterdam judges ordered that Danny Manupassa should be held for 14 days during an ongoing investigation. Prosecutors said he is suspected of money laundering and illegal weapons possession.

“Police and prosecutors believe that they have captured the largest encrypted network used by organized crime in the Netherlands,” prosecutors said in a statement.

Ennetcom said in a statement on its website that the company had been forced to “suspend all operations and services for the time being.”

“Ennetcom regrets this course of events and insinuations towards Ennetcom. It should be clear that Ennetcom stands for freedom of privacy,” the company said.

While Ennetcom and most of its users are in the Netherlands, the bulk of the company’s servers were in Canada. Prosecutors said information on the servers in Canada has been copied in cooperation with Toronto police.

It is not clear if police can decrypt information kept on the servers.

“The company sold modified telephones for about 1,500 euros each and used its own servers for the encrypted data traffic. The phones had been modified so that they could not be used to make calls or use the Internet.”

The phones had turned up repeatedly in investigations into drug cases, criminal motorcycle gangs, and gangland killings, prosecutors said.



More than 700,000 websites hijacked

Beancounters working for Google have worked out that more than 700,000 websites were breached between June 2014 and July 2015.

The research showed that vulnerable webservers were routinely hijacked for “cheap hosting and traffic acquisition”. Google recorded 760,935 “hijacking incidents” within the period but said that its direct communication with webmasters had curbed the amount of breaches.

Google’s Safe Browsing Alerts send notifications to network administrators when harmful URLs are detected on their networks. It said that these had increased the likelihood of a “cleanup” by over 50 percent and reduced “infection lengths” by at least 62 percent.

WordPress experienced the most breaches. The platform accounted for almost half of all attacks.

Attacks were primarily conducted on websites run in English, with attacks on Chinese, German, Japanese and Russian language websites following closely behind.

Google currently monitors approximately 40 percent of all active networks on the web.

Android is pretty secure according to Google

Google has been adding up some numbers and reached the conclusion that its Android software is pretty secure.

According to the Android Security Annual Report, in the last year Android significantly improved its machine learning and event correlation to detect potentially harmful behaviour.

“We protected users from malware and other Potentially Harmful Apps (PHAs), checking over six billion installed applications per day. We protected users from network-based and on-device threats by scanning 400 million devices per day. And we protected hundreds of millions of Chrome users on Android from unsafe websites with Safe Browsing,” a spokesgoogle said, trying to get some repetition on the phrase “we protected” just like Mr Goebbels suggested.

Google said that it had made it more difficult to get dodgy software into Google Play and last year’s enhancements reduced the probability of installing a PHA from Google Play by over 40 percent compared to 2014. Within Google Play, install attempts of most categories of malware declined including:

  • Data Collection: decreased over 40% to 0.08% of installs
  • Spyware: decreased 60% to 0.02% of installs
  • Hostile Downloader: decreased 50% to 0.01% of installs
  • Overall, dodgy software was installed on fewer than 0.15% of devices that only get apps from Google Play. About 0.5% of devices that install apps from both Play and other sources had malware installed during 2015, similar to the data in last year’s report.

However, 2015 saw an increase in the number of PHA install attempts outside of Google Play, something which Google thinks is a good thing because it disrupted several coordinated efforts to install malware onto user devices from outside of Google Play.

Android 6.0 Marshmallow introduced a variety of new security protections and controls. Full disk encryption is now a requirement for all new Marshmallow devices with adequate hardware capabilities, and it has also been extended to allow encryption of data on SD cards.

Brainwaves are the new fingerprints

A team of boffins has worked out a way of telling who you are by reading your mind.

Researchers at Binghamton University in the US say their ‘brain prints’ are 100 percent accurate and might have a new life in ultra-secure systems.

They looked at the brain activity of 50 people wearing an electroencephalogram (EEG) headset who were asked to look at a series of 500 images designed specifically to elicit unique responses from person to person – for example a slice of pizza, a boat, or the word “conundrum”.

They found that participants’ brains reacted differently to each image, enough that a computer system was able to identify each volunteer’s ‘brainprint’ with 100 percent accuracy.

Assistant Professor Sarah Laszlo said that when you take hundreds of these images, where every person is going to feel differently about each individual one, then you can be really accurate in identifying which person it was who looked at them just by their brain activity.

According to Laszlo, brain biometrics are appealing because they are cancellable and cannot be stolen by malicious means the way a finger or retina can.

“In the unlikely event that attackers were actually able to steal a brainprint from an authorised user, the authorised user could then ‘reset’ their brainprint,” Laszlo said.

Zhanpeng Jin, assistant professor at Binghamton University, does not see this as the kind of system that would be mass-produced for low security applications, but it could have important security applications.

“We tend to see the applications of this system as being more along the lines of high-security physical locations, like the Pentagon or Air Force Labs, where there aren’t that many users that are authorised to enter, and those users don’t need to constantly be authorising the way that a consumer might need to authorise into their phone or computer,” Jin said.

Apple Macs stuffed-up by old Git

Another bombshell has dropped about the Fruity Cargo Cult Apple’s poor security in its expensive Macs.

Jobs’ Mob’s software genii have apparently not bothered to upgrade the version of Git which comes bundled with OS X versions.

Git allows developers to manage source code repositories, keeping track of code changes from version to version. But the version in El Capitan is so old it exposes users to two possible attacks.

Security expert Rachel Kroll discovered that El Capitan comes bundled with Git 2.6.4, and the vulnerabilities affect all Git versions before 2.7.3.

The two vulnerabilities are heap-based buffer overflows that allow attackers to execute malicious code on the machine. An attacker can use malicious code hidden in a repo to launch an attack on the Mac, compromise the system and take control of the user’s device, at which point all the Mac user’s Coldplay collection and pictures of their mum and cats will be vulnerable.

There is no way to fix it either. The bundled Git version can’t be updated without breaking Git support.
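A practitioner’s check, added here as an example and not code from the original post or from Kroll: it reads the version a git binary reports and compares it numerically against the first fixed release named above (2.7.3), so that a 2.10.x is not mistaken for something older than 2.7.3. The binary paths and the sample version strings are assumptions.

```shell
#!/bin/sh
# Added example: flag a git binary older than the first fixed release (2.7.3).
MIN_GIT="2.7.3"

# Return 0 if version $1 is older than version $2. Components are compared as
# numbers, so 2.10.0 correctly sorts after 2.7.3 (a plain string compare would not).
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}             # missing component (e.g. "2.7") counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1                             # equal
}

# Extract "2.6.4" from "git version 2.6.4 (vendor suffix)" style output;
# anything after the third component, including a stray trailing dot, is dropped.
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Report on one git binary: prints a verdict and returns 1 (vulnerable), 0 (ok),
# or 2 (could not check).
check_git_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "$bin: not found"; return 2; }
    ver=$(parse_git_version "$("$bin" --version 2>/dev/null)")
    [ -n "$ver" ] || { echo "$bin: could not parse version"; return 2; }
    if version_lt "$ver" "$MIN_GIT"; then
        echo "$bin: git $ver is older than $MIN_GIT - VULNERABLE"; return 1
    fi
    echo "$bin: git $ver is $MIN_GIT or newer - OK"; return 0
}

# Assumed locations: Apple's bundled git and whatever git is first on PATH.
# A separately installed git earlier on PATH does not make the bundled one safe.
for g in /usr/bin/git "$(command -v git 2>/dev/null)"; do
    [ -n "$g" ] && check_git_binary "$g" || true
done
```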

Writing in her blog, Kroll wrote: “If you rely on machines like this, I am truly sorry. I feel for you. I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them.”