Category: Security

Tsar Putin’s hackers take down US newspapers

Hackers believed to be working for Tsar Putin have carried out a series of cyber breaches targeting reporters at The New York Times and other US news organisations.

The FBI has been looking at a number of similar intrusions and believes that Russian intelligence is likely behind the attacks. They appear to be part of a broader series of hacks that has also focused on Democratic Party organisations.

US intelligence officials believe the picture emerging from the series of recent intrusions is that Russian spy agencies are using a wave of cyber-attacks, including against think-tanks in Washington, to gather intelligence from a broad array of non-governmental organizations.

News organisations are considered top targets because they can yield valuable intelligence on reporter contacts in the government, as well as communications and unpublished works with sensitive information.

There is concern that Tsar Putin is trying to game the US elections in favour of his chum Donald Trump. A lot of Trump’s business finance comes from Putin’s oligarch mates and the thinking is that Putin can see a few advantages in having a US president who owes him money.

 

NSA hacking tools are pants claims researcher

While the headlines inspire fear that the NSA’s hacker tools are on sale on the dark web, a security expert who has had a look under the bonnet thinks they are pretty rubbish.

Stephen Checkoway [no really. ed], an Assistant Professor in the Department of Computer Science at the University of Illinois at Chicago, has analysed some of the exploit code included in the recent Equation Group leak and is completely underwhelmed.

Checkoway looked at the source code of the BANANAGLEE exploit, which targets Juniper firewalls, a platform he knows a bit about.

The security boffin looked at the key generation system and the process of redirecting IP packets and thought the whole thing was “ridiculous.”

“There’s no reason to read 32 bytes from /dev/urandom. There’s no benefit to calling rand(3) so many times. It’s a little ridiculous to be seeding with srandom(3) and calling rand(3), but in this particular implementation, rand(3) does nothing but call random(3).”

That is all you need to know, apparently. But the NSA’s finest made matters worse. Rather than having 2^128 possible 128-bit keys, this procedure can only produce 2^64 distinct keys. Checkoway thought this was worthy of an exclamation mark.

This means the key generation routine was drawing from a far smaller pool of possible keys than the key length suggests, and all of it was the result of bad coding.

“It’s a 1/18446744073709551616 fraction of the total 340282366920938463463374607431768211456 possible 128-bit keys,” he added via email. So while there might be some good parts to the code, the cryptography is pants.
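The following is an added example, not the leaked BANANAGLEE code and not Checkoway’s analysis script. It models the pattern he criticises in general form: real randomness is read from the OS, but the key bytes are then pulled from a PRNG whose seed is only a few bits wide, so the number of keys that can ever be produced is bounded by the seed space rather than by the 128-bit key length. The seed widths, the use of Python’s `random.Random` as a stand-in for `srandom(3)`/`random(3)`, and the sample sizes are all assumptions chosen so the whole key space can be enumerated; the `key_space` helper just checks the 2^64 out of 2^128 ratio quoted above as exact integers.

```python
"""Added example: a PRNG seeded with a small seed caps the number of keys.

Constructed illustration of the pattern Checkoway criticises, not the
leaked BANANAGLEE code: real randomness is read, but the key bytes are
then produced by a seeded PRNG, so the number of distinct keys is
bounded by the seed space rather than by the key length. The seed
widths here are tiny so the whole space can be enumerated.
"""
import os
import random
from typing import Optional, Tuple

KEY_BYTES = 16  # a 128-bit key


def weak_keygen(seed_bits: int, seed: Optional[int] = None) -> bytes:
    """Build a 128-bit key from a PRNG seeded with only `seed_bits` bits.

    Reading 32 bytes from os.urandom and then keeping only `seed_bits` of
    them mirrors the "no reason to read 32 bytes" complaint: the extra
    bytes add nothing once the PRNG seed is the only thing that varies.
    The `seed` argument exists so callers can enumerate every seed.
    """
    if seed is None:
        seed = int.from_bytes(os.urandom(32), "big")
    seed &= (1 << seed_bits) - 1            # only seed_bits bits survive
    rng = random.Random(seed)               # stand-in for srandom(3)/random(3)
    # Calling the generator many times adds no entropy: every output byte
    # is a deterministic function of the seed.
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_keygen() -> bytes:
    """The fix: take the key bytes straight from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def count_distinct_keys(seed_bits: int) -> int:
    """Enumerate every seed and count how many distinct keys can ever appear."""
    return len({weak_keygen(seed_bits, s) for s in range(1 << seed_bits)})


def key_space(effective_bits: int, key_bits: int = KEY_BYTES * 8) -> Tuple[int, int]:
    """Return (reachable keys, nominal keys) as exact integers, so the
    ratio Checkoway quotes can be checked rather than eyeballed."""
    return 1 << effective_bits, 1 << key_bits


if __name__ == "__main__":
    for bits in (8, 12):
        print(f"{bits}-bit seed -> {count_distinct_keys(bits)} distinct 128-bit keys")
    reachable, nominal = key_space(64)
    print(f"64 bits of entropy: {reachable} of {nominal} keys, i.e. 1/{nominal // reachable}")
```

The point the enumeration makes is that the key length is irrelevant once the seed is the only varying input: a 12-bit seed yields at most 4,096 "128-bit" keys, and no amount of extra `rand()` calls changes that. The only repair is the one `strong_keygen` shows, taking the key bytes directly from the CSPRNG.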

The professor adds that the code has some “boring memory leaks,” but the part that really ticked him off was the mechanism that encrypts the IP packets sent through this redirection process.

Checkoway found that the 128-bit keys are actually generated with 64 bits of entropy instead of the intended 128, that the “supposed” NSA coders reused cipher IVs, that there was no authentication of the encrypted communications channel, and that the code was “sloppy and buggy.”
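An added example, not the leaked packet-redirection code, showing what the two remaining complaints cost in practice. The cipher here is a counter-mode keystream built from SHA-256 so that it runs with the standard library alone; AES-CTR or any other stream mode fails in exactly the same two ways. The packet contents, key and fixed IV are constructed sample data, and `seal`/`open_sealed` are the assumed repaired form (fresh IV per packet plus an HMAC tag), not anything from the leak.

```python
"""Added example: what repeated IVs and a missing authentication tag cost.

Constructed illustration, not the leaked packet-redirection code. The
cipher is a counter-mode keystream built from SHA-256 so the example runs
with the standard library alone; AES-CTR or any other stream mode fails
in exactly the same two ways under the mistakes Checkoway lists.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || iv || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated stream encryption; decryption is the same operation."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt


def recover_from_iv_reuse(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Two packets sent under the same (key, iv) share a keystream, so
    ct1 XOR ct2 == pt1 XOR pt2 and a known pt1 yields pt2 without the key."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor(xor(ct1[:n], ct2[:n]), known_pt1[:n])


def tamper(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Flip ciphertext bits so the receiver decrypts `new` where `old` was.
    Needs no key: without a tag, a stream cipher is freely malleable."""
    end = offset + len(old)
    patch = xor(xor(ct[offset:end], old), new)
    return ct[:offset] + patch + ct[end:]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one master key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    """Repaired version: fresh random IV per packet plus an HMAC over iv || ct."""
    enc_key, mac_key = _subkeys(key)
    iv = os.urandom(16)
    ct = encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def open_sealed(key: bytes, iv: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    # Constructed sample traffic: two redirected packets sent under one fixed IV.
    key, iv = b"k" * 16, b"\x00" * 8
    pt1 = b"dst=10.0.0.5:80 payload=hello"
    pt2 = b"dst=10.0.0.9:22 payload=secret"
    ct1, ct2 = encrypt(key, iv, pt1), encrypt(key, iv, pt2)
    print(recover_from_iv_reuse(ct1, ct2, pt1))                 # pt2 leaks, no key needed
    print(decrypt(key, iv, tamper(ct1, 12, b":80", b":22")))    # port silently rewritten
    iv2, ct, tag = seal(key, pt1)
    print(open_sealed(key, iv2, tamper(ct, 12, b":80", b":22"), tag))  # None: rejected
```

Reusing an IV turns confidentiality into a known-plaintext puzzle, and leaving out the tag lets anyone on the path rewrite fields such as the redirect destination without knowing the key. Both faults are independent of how good the key itself is, which is why they matter even after the 64-bit entropy problem is fixed.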

 

Trump claims he was hacked too

Republican candidate Donald Trump has hired security outfit CrowdStrike after claiming his campaign has been hacked, just like the Democrats.

But while the Democrats were almost certainly hacked by Trump’s allies in the Kremlin, it is less clear how significant the Republican hack really was. The US press claims that the “tools and techniques” used to hack Republican targets resemble those employed in attacks on Democratic Party organisations, including the DNC and Clinton’s campaign organisation. The implication is that the Russians were also spying on Trump.

Apparently one Trump staff member’s email account was infected with malware in 2015 and sent malicious emails to colleagues. It was unclear whether the hackers actually gained access to campaign computers. So basically any hacker who uses email to get into a system is working for the Kremlin, which does not sound very logical.

The Trump campaign has hired security firm CrowdStrike, which also is assisting the Democratic National Committee. The company declined to comment.

Two US security officials said the FBI and the Department of Homeland Security have offered assistance to both political parties in identifying possible intrusions and upgrading their defenses against what one of the officials called “constantly evolving threats.”

People ignore security warnings nine out of ten times

A new study from BYU and Google has found that the current practice of showing warning messages while people are typing, watching a video or uploading files is pretty dumb, because people ignore them.

Researchers found that warnings shown at these moments are less effective because of “dual task interference,” a neural limitation: even simple tasks cannot be performed simultaneously without a significant loss of performance.

Study co-author and BYU information systems professor Anthony Vance said that the average punter’s brain cannot handle multitasking very well, and that software developers categorically present warning messages without any regard to what the user is doing.

“They interrupt us constantly and our research shows there’s a high penalty that comes by presenting these messages at random times.”

More than 74 percent of people in the study ignored security messages that popped up while they were on the way to close a web page window. Another 79 percent ignored the messages if they were watching a video. And a whopping 87 percent disregarded the messages while they were transferring information, in this case, a confirmation code.

Jeff Jenkins, the study’s lead author, said the problem can be fixed simply by changing the timing of the warnings.

“Waiting to display a warning to when people are not busy doing something else increases their security actions substantially.”

People pay the most attention to security messages when they pop up at times of low dual-task load, such as after watching a video, while waiting for a page to load, and after interacting with a website.

While this seems to be at the “no shit Sherlock” level of research, it is the complete opposite of the way software is designed. Security warnings are timed to appear exactly when a person is less likely to respond.

Hackers offer to sell NSA virus tools

A hacking group calling itself the Shadow Brokers claims to have hacked the National Security Agency’s Equation Group and is auctioning off what it says is a small but dangerous set of the Equation Group’s cyberweapons to the highest bidder.

Bidding for the potential cyberweapons has officially begun, at considerably less than the asking price. The Shadow Brokers’ Bitcoin address shows an opening bid of 0.0355 BTC, equivalent to less than $20.

The Shadow Brokers’ website claims: “We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

It looks a bit silly, but cybersecurity experts think it could be real and that the auctioned data might have been stolen straight from the NSA.

Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies said that while he had not tested the exploits they appear real.

Apparently Washington is all abuzz with the thought that those responsible for the hack might be Tsar Putin’s hacker team, who also took down the Democrats’ servers to help Donald Trump win the election. We would have thought, though, that the NSA’s hacker tools would be more useful to the Russians if only they had kept quiet about them.

 

Queensland coppers hack US sites

Aussie coppers think it is “fair dinkum” to hack US Tor sites to uncover crime rings.

The hack was part of a child pornography investigation, and the Aussie antics have surfaced in US court documents. In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect’s IP address.

What is interesting is that the coppers have no jurisdiction in the US and little in the way of legal rights there.

“The Love Zone” was a prolific dark web child abuse site, where users were instructed to upload material at least once a month to maintain access to the forum. By July 2014, the site had over 29,000 members, according to US court documents, constituting what the US Department of Justice described as a “technologically sophisticated conspiracy”.

In 2014, Queensland Police Service’s Task Force Argos, a small, specialised unit focused on combating child exploitation crimes, identified the site’s Australian administrator and quietly took over his account. For months it ran the site in an undercover capacity, posing as its owner.

Because The Love Zone was hosted on the dark web and its users typically connected via the Tor network, Argos could see what the users were viewing and which pages they were visiting, but not where they were really connecting from. So the unit hacked some of the users to get their real IP addresses, unmasking many of those who used the site.

They then handed over evidence against more than 30 users to the FBI, which arrested the local users. Apparently this involved phishing-style messages purporting to come from the site, using child abuse material as bait. The code embedded in the video file would send the user’s IP address to the authorities.

But all this appears to have been done without a warrant, and the Australian Federal Police (AFP) has said it was not aware of, or involved with, this operation.

Whether using a hacking tool to grab the real IP address of a Tor user constitutes a search in the legal sense has recently become a contentious issue in the US. Several judges have said that suspects have no reasonable expectation of privacy around their IP address when using the Tor network, meaning that it is not protected by the Fourth Amendment and that a hack grabbing it does not require a warrant. The Electronic Frontier Foundation thinks otherwise.

 

Democrats expect executives and lawyers to defend them against hackers

The Democratic National Committee has not really learnt its lesson about hackers. It has formed a new committee to defend itself against future attacks and has not included a single computer technical expert; in other words, all chiefs and no Indians.

According to a memo obtained by POLITICO, the board will be made up of Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the US and a former technology lawyer for Google and Twitter; Aneesh Chopra, co-founder of Hunch Analytics and former chief technology officer of the US; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor. After all, lawyers and executives always know what to do when your server is hacked and how to protect it.

Interim DNC Chairwoman Donna Brazile wrote in the memo that, to “ensure that the DNC’s cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field.”

“The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces—today and in the future.”

Hard to see how that works. Hacking attacks are usually stopped by a security expert who knows what they are doing and wires up a system that resists them. A lawyer is not particularly useful, and while DHS looks good on a CV, the phrase “acting secretary” does not mean that they dealt with much hacking.

 

Putin’s hacker posts democrat leader’s number online

A hacker linked to President Putin’s propaganda unit has posted US House Democratic Leader Nancy Pelosi’s personal details online, leading to her being flooded with nasty phone calls.

Pelosi sent a letter to colleagues warning them to take precautions, and said she was changing her phone number after a hacker identified as “Guccifer 2.0” posted the personal cellphone numbers and email addresses on Friday.

The posted information appears to have been stolen in the hack of the Democratic Congressional Campaign Committee, the fundraising and campaign arm of the Democrats in the House of Representatives.

“On a personal note, I was in the air flying from Florida to California when the news broke. Upon landing, I have received scores of mostly obscene and sick calls, voicemails and text messages,” Pelosi said.

Pelosi blamed Russia for the cyber attack and called it an “electronic Watergate” akin to the 1972 burglary at Democratic Party headquarters that ultimately brought down Republican President Richard Nixon.

John Ramsey, the House’s chief information security officer, said the hacker had uploaded a spreadsheet with a mix of House and personal email addresses and cellphone numbers for “nearly every” House Democrat and “an assorted number of Republicans,” and similar information for hundreds of staffers.

“Along with the Excel file, ‘Guccifer 2.0′ uploaded documents that included the account names and passwords for an assortment of subscription services used by the DCCC. Initial analysis identifies some members’ home addresses, along with their spouse’s name, marital status, and religion,” the memo said.

US intelligence officials have concluded that Guccifer 2.0 is an individual or group operating with or for the GRU, the Russian military intelligence agency. Russia has denied involvement in the breach.

 

Bleeping computer goes to war with Enigma

A discussion forum which helps people get malware off their PCs has countersued the makers of SpyHunter, Enigma.

Bleeping said that Enigma had been registering domain names that include “bleepingcomputer” and posting some of the source code of Bleeping’s own web pages on other websites without authorisation.

There is a bit of a backstory: Enigma sued Bleeping for libel earlier this year over a series of messages that it claims disparaged SpyHunter.

It boils down to a September 2014 post in which one of Bleeping’s moderators, “Quietman7,” wrote that he could not recommend SpyHunter given “reports by customers of deceptive pricing, continued demands for payment after requesting a refund, lack of adequate customer support, removal (uninstall) problems, and various other issues with their computer as a result of using this product.”

According to Ars Technica further posts described SpyHunter as engaging in “deceptive pricing” and claimed that SpyHunter is a “dubious and ineffective program.”

Bleeping’s lawyers said:

“Enigma’s lawsuit is plainly nothing more than an attempt to bully and censor Bleeping Computer, and to deter anyone who might criticize it—one more attempt in Enigma’s long pattern of threats, intimidation and litigation. Worse, however, is that all the while, Enigma has been engaged in aggressive, secretive, and cowardly attacks against Bleeping Computer, including ripping off Bleeping Computer’s content and pretending it was authored by Enigma, repeatedly misusing Bleeping’s registered trademark to trade upon its goodwill, and publishing blatantly false claims about Bleeping. As the following allegations demonstrate, Enigma conducts its business in a manner that is illegal, unethical and simply immoral, thereby demonstrating that Quietman7’s mildly critical statements about Enigma’s product, that so enraged Enigma and led to this lawsuit, pale in comparison to the egregious misconduct Enigma perpetrates on a regular basis.”

Bleeping says that many of these websites, which include infringing URLs and ridiculous subdomains—browser.hijack.bleeping.computer.virus.spywareremovalfreetrial.com—seem to suggest that Bleeping’s own free anti-malware software, known as RKill, is in and of itself a “virus, spyware, or other malware, and specifically malware that can be removed by Enigma’s SpyHunter product.”

Another alleged “SpyHunter” website even claims that RKill is “a high‐risk Trojan virus infection designed by cyber criminals recently, which bursts in the life of many computer users and causes serious damages to the infected computer.” It goes on to say:

“The hateful virus is brimful of mischief. Once it gets in the target computer, it is able to be hidden deep so as to undermine the entire system. Many computer users have no clue until the computer becomes worse and worse. It also can confuse antivirus programs with advanced technology so that it won’t be removed by any removal tools. The virus makers may use every opportunity to control the computer remotely. With the cover of the virus, they can remove or modify your important documents wantonly and steal or encrypt your personal data, resulting in inconvenience as well as unnecessary losses. Therefore, getting rid of rkill.com is quite urgent.”

It looks like it will be an entertaining day in court. It should get to trial early next year.

VW locking is a doddle to break

Hitler’s favourite car company, VW, is in hot water over its electronic key, which has a security vulnerability that makes it easy for hackers to open the car doors.

According to Wired, security researchers found they can use software defined radio (SDR) to remotely unlock around 100 million cars.

Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company’s vehicles.

When combined with the unique value encoded on an individual vehicle’s remote key fob—obtained with a little electronic eavesdropping, say—you have a functional clone that will lock or unlock that car. VW has apparently acknowledged the vulnerability and has changed some of the numbering on new parts.

The Birmingham team also found another security hole, which affects Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel and Peugeot.

It exploits a much older cryptographic scheme used in key fobs called HiTag2. The attacker has to do some electronic eavesdropping to capture a series of codes sent out by a remote key fob. Once a few codes have been gathered, the cipher can be broken and the key recovered in under a minute.

While the attacks might appear a bit convoluted, it is thought that they are behind a rash of car thefts, including a few in the US, as hackers exploit the weakness of 1990s-era automotive-grade encryption with cheap hacking gear.