Archive for Cyber Security

BitWhisper: Stealing data from non-networked computers using heat

No matter how secure you think a computer is, there’s always a vulnerability somewhere that a remote attacker can utilize if they’re determined enough. To reduce the chance of sensitive material being stolen, many government and industrial computer systems are not connected to outside networks. This practice is called air-gapping, but even that might not be enough. The Stuxnet worm from several years ago spread to isolated networks via USB flash drives, and now researchers at Ben Gurion University in Israel have shown that it’s possible to rig up two-way communication with an air-gapped computer via heat exchange.

Researchers call this technique of harvesting sensitive data “BitWhisper.” It was developed and tested in a standard office environment with two systems sitting side-by-side on a desk. One computer was connected to the Internet, while the other had no connectivity. This setup is common in office environments where employees are required to carry out sensitive tasks on the air-gapped computer while using the connected one for online activities.

BitWhisper does require some planning to properly execute. Both the connected and air-gapped machines need to be infected with specially designed malware. For the Internet box, that’s not really a problem, but even the air-gapped system can be infected via USB drives, supply chain attacks, and so on. Once both systems are infected, the secure machine without Internet access can be instructed to generate heating patterns by ramping up the CPU or GPU. The internet-connected computer sitting nearby can monitor temperature fluctuations using its internal sensors and interpret them as a data stream. Commands can also be sent from the Internet side to the air-gapped system via heat.

via BitWhisper: Stealing data from non-networked computers using heat | ExtremeTech.

DARPA to hunt for space and time vulnerabilities of software algorithms

In the endless chess game of cybersecurity, the Defense Advanced Research Projects Agency wants to think a few moves ahead, with a new program that will search for revolutionary ways to deal with vulnerabilities inherent in software algorithms.

When defensive techniques close off one vulnerability, hackers inevitably move on to the next. They have exploited flawed implementations of algorithms for several years, the agency said, but as implementation defenses improve, hackers will move on to flaws in the algorithms themselves. So the agency’s Space/Time Analysis for Cybersecurity (STAC) program wants to identify vulnerabilities in software algorithms’ space and time resource usage, according to a presolicitation. These vulnerabilities, inherent to many types of software, can be used to carry out denial of service attacks or steal information.

For instance, hackers can deny service to users by inputting code that causes one part of a system to consume space and time to process that input—potentially disabling the entire system. Also, hackers indirectly observing the space and time characteristics of output could potentially deduce hidden information. Adversaries with adequate knowledge of these “side-channels” could then obtain secret information without direct observation.

The primary problem presented by these vulnerabilities is that they are inherent in algorithms themselves, DARPA said. Thus, they cannot be mitigated through traditional defensive techniques.

Instead, the STAC program is looking at new program analysis techniques that could allow analysts to find those vulnerabilities and predict where leaks and denial of service might be possible. These new techniques and tools would enable a methodical search for vulnerabilities in critical government, military and economic software.

via DARPA to hunt for space and time vulnerabilities of software algorithms — Defense Systems.

Heartbleed Bug SSL Vulnerability – Everything You Need To Know


So the Internet has been exploding this week due to the Heartbleed Bug in OpenSSL, which affects a LOT of servers and websites and is being hailed by some as the worst vulnerability in the history of the Internet thus far.

The main info on the bug can be found at http://heartbleed.com/. In basic terms, it allows you to grab 64kb chunks of whatever is stored in RAM on the server as long as it’s using a vulnerable version of OpenSSL with Heartbeat enabled.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Who needs the NSA when we have this eh?

via Heartbleed Bug SSL Vulnerability – Everything You Need To Know – Darknet – The Darkside.

For more visit Bruce Schneier’s blog: https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Surveillance by Algorithm


Increasingly, we are watched not by people but by algorithms. Amazon and Netflix track the books we buy and the movies we stream, and suggest other books and movies based on our habits. Google and Facebook watch what we do and what we say, and show us advertisements based on our behavior. Google even modifies our web search results based on our previous behavior. Smartphone navigation apps watch us as we drive, and update suggested route information based on traffic congestion. And the National Security Agency, of course, monitors our phone calls, emails and locations, then uses that information to try to identify terrorists.

Documents provided by Edward Snowden and revealed by the Guardian today show that the UK spy agency GCHQ, with help from the NSA, has been collecting millions of webcam images from innocent Yahoo users. And that speaks to a key distinction in the age of algorithmic surveillance: is it really okay for a computer to monitor you online, and for that data collection and analysis only to count as a potential privacy invasion when a person sees it? I say it’s not, and the latest Snowden leaks only make more clear how important this distinction is.

The robots-vs-spies divide is especially important as we decide what to do about NSA and GCHQ surveillance. The spy community and the Justice Department have reported back early on President Obama’s request for changing how the NSA “collects” your data, but the potential reforms — FBI monitoring, holding on to your phone records and more — still largely depend on what the meaning of “collects” is.

Indeed, ever since Snowden provided reporters with a trove of top secret documents, we’ve been subjected to all sorts of NSA word games. And the word “collect” has a very special definition, according to the Department of Defense (DoD). A 1982 procedures manual (pdf; page 15) says: “information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties.” And “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

Director of National Intelligence James Clapper likened the NSA’s accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. “So the task for us in the interest of preserving security and preserving civil liberties and privacy,” says Clapper, “is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.” Only when an individual book is read does it count as “collection,” in government parlance.

So, think of that friend of yours who has thousands of books in his house. According to the NSA, he’s not actually “collecting” books. He’s doing something else with them, and the only books he can claim to have “collected” are the ones he’s actually read.

This is why Clapper claims — to this day — that he didn’t lie in a Senate hearing when he replied “no” to this question: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”

via Schneier on Security: Surveillance by Algorithm.

State Department Announces New Stance on Encryption and Surveillance

Deputy Assistant Secretary Scott Busby acknowledged “support for encryption protocols,” which are “critical for an Internet that is truly open to all.” According to Busby, the U.S. government will gather and use data based on six principles: “rule of law, legitimate purpose, non-arbitrariness, competent authority, oversight, and transparency and democratic accountability.”

When questioned on its support, Busby explained that the principles were approved government-wide, including the Office of the Director of National Intelligence, which is headed by James Clapper. Clapper has been criticized for giving deceptive testimony before Congress about the National Security Agency’s (NSA) practices.

His statements were not without immediate criticism. A legislator from Hong Kong responded that the U.S. government actively “undermin[es] exactly the kind of things [Busby] talked about,” and that his government was “attacked and criticized” by the U.S. after NSA whistleblower Edward Snowden fled to Hong Kong.

Nevertheless, a representative from the human rights organization Access, which hosts RightsCon, explained at a press conference that the statement from the government is significant, because it is not only “a strong statement on support for cybersecurity and encryption,” but an affirmation of “human rights law which historically they’ve been loath to acknowledge,” and “the first time they recognize international norms and laws as they apply when conducting surveillance.”

As Jon Brodkin of ArsTechnica highlighted last year, the National Security Agency has previously worked to actively undermine encryption.

via State Department Announces New Stance on Encryption and Surveillance – Hit & Run : Reason.com.

Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU

Security researchers have successfully broken one of the most secure encryption algorithms, 4096-bit RSA, by listening – yes, with a microphone — to a computer as it decrypts some encrypted data. The attack is fairly simple and can be carried out with rudimentary hardware. The repercussions for the average computer user are minimal, but if you’re a secret agent, power user, or some other kind of encryption-using miscreant, you may want to reach for the Rammstein when decrypting your data.

This acoustic cryptanalysis, carried out by Daniel Genkin, Adi Shamir (who co-invented RSA), and Eran Tromer, uses what’s known as a side channel attack. A side channel is an attack vector that is non-direct and unconventional, and thus hasn’t been properly secured. For example, your pass code prevents me from directly attacking your phone — but if I could work out your pass code by looking at the greasy smudges on your screen, that would be a side channel attack. In this case, the security researchers listen to the high-pitched (10 to 150 kHz) sounds produced by your computer as it decrypts data.

This might sound crazy, but with the right hardware it’s actually not that hard. For a start, if you know exactly what frequency to listen out for, you can use low- and high-pass filters to ensure that you only have the sounds that emanate from your PC while the CPU decrypts data. (In case you were wondering, the acoustic signal is actually generated by the CPU’s voltage regulator, as it tries to maintain a constant voltage during wildly varied and bursty loads). Then, once you have the signal, it’s time for the hard bit: Actually making sense of it.

via Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU | ExtremeTech.

Teens Prep for Cyberwar

Computer-savvy teens are putting down their game controllers — at least temporarily — for code writing and virus-sweeping. Call it “Red Dawn: Part Deux: Teen Cyber-Commandos.”

At events like the CyberLympics, CyberPatriot contest or just-announced “Toaster Wars,” sponsored by the National Security Agency, high school geek squads are competing to see who does the best job at preventing unauthorized computer intrusions.

This growing interest in cyberdefense comes at a time when Pentagon officials are warning against damaging computer attacks from China and other nations, while stoking concerns that the United States education system hasn’t trained enough cyber-warriors to protect either military or civilian computer systems.

Utilities, power companies, tech firms, banks, Congress, universities and media organizations, all have faced suspected Chinese attacks in recent months.

“The threat has evolved so quickly,” said Diane Miller, Northrop Grumman’s director of information security and cyber initiatives. “It really has created a sense of urgency.”

The Pentagon and its defense contractors are behind these contests, which are designed to recruit kids to future careers in cyberdefense and IT security. The CyberPatriot contest, which is sponsored by the Air Force Association, has grown from eight high school squads in 2009 to more than 1,200 this year.

via Teens Prep for Cyberwar : Discovery News.

Inside the Effort to Crowdfund NSA-Proof Email and Chat Services

Back in 1999, Seattle-based activists formed the communication collective Riseup.net. The site’s email and chat services, among other tools, soon offered dissidents a means of encrypted communication essential to their work. Fourteen years later, Riseup is still going strong. In fact, they’ve been fighting the US state surveillance apparatus longer than most people have been aware of the NSA’s shenanigans. Now, the collective is hoping to expand, given the gross privacy transgressions of the NSA and US government as a whole.

“What surveillance really is, at its root, is a highly effective form of social control,” reads an August Riseup newsletter. “The knowledge of always being watched changes our behavior and stifles dissent. The inability to associate secretly means there is no longer any possibility for free association. The inability to whisper means there is no longer any speech that is truly free of coercion, real or implied. Most profoundly, pervasive surveillance threatens to eliminate the most vital element of both democracy and social movements: the mental space for people to form dissenting and unpopular views.”

The impetus behind the project is Riseup’s struggle to keep up with new user demand for an email service that doesn’t log IP addresses, sell data to third parties, or hand data over to the NSA. Riseup will also be able to expand its considerable anonymous emailing lists, which feature nearly 6 million subscribers spread across 14,000 lists. Their Virtual Private Network (VPN), which allows users to securely connect to the internet as a whole, will also be made more robust. What Riseup can’t do is offer its users an anonymous browsing experience, but that’s not their aim.

via Inside the Effort to Crowdfund NSA-Proof Email and Chat Services | Motherboard.

Meet Hacking Team, the company that helps the police hack you

In 2001, a pair of Italian programmers wrote a program called Ettercap, a “comprehensive suite for man-in-the-middle attacks” — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone’s computer. Ettercap was free, open source, and quickly became the weapon of choice for analysts testing the security of their networks as well as hackers who wanted to spy on people. One user called it “sort of the Swiss army knife” of this type of hacking.

Ettercap was so powerful that its authors, ALoR and NaGA, eventually got a call from the Milan police department. But the cops didn’t want to bust the programmers for enabling hacker attacks. They wanted to use Ettercap to spy on citizens. Specifically, they wanted ALoR and NaGA to write a Windows driver that would enable them to listen in to a target’s Skype calls.

That’s how a small tech security consultancy ended up transforming into one of the first sellers of commercial hacking software to the police. ALoR’s real name is Alberto Ornaghi and NaGA is Marco Valleri. Their Milan-based company, Hacking Team, now has 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.”

via Meet Hacking Team, the company that helps the police hack you | The Verge.

Ed Snowden’s Email Provider, Lavabit, Shuts Down To Fight US Gov’t Intrusion

Early on in the Snowden leaks, it was revealed that Snowden himself was using email services from an operation called Lavabit, which offered extremely secure email. However, today Lavabit’s owner, Ladar Levison, shut down the service, claiming it was necessary to do so to avoid becoming “complicit in crimes against the American people.” Not much more information is given, other than announced plans to fight against the government in court. Reading between the lines, it seems rather obvious that Lavabit has been ordered to either disclose private information or grant access to its secure email accounts, and the company is taking a stand and shutting down the service while continuing the legal fight. It’s also clear that the court has a gag order on Levison, limiting what can be said.

via Ed Snowden’s Email Provider, Lavabit, Shuts Down To Fight US Gov’t Intrusion | Techdirt.

Now, if that weren’t enough, the Feds Threaten To Arrest Lavabit Founder For Shutting Down His Service, rather than agree to some mysterious court order.

Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.

Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government’s surveillance tool so that he could be located.

Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location.

Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.

The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location.

In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then “broadcast a very strong signal” to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom in on Rigmaiden’s location.

To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list.

Rigmaiden makes the assertions in a 369-page document he filed in support of a motion to suppress evidence gathered through the stingray. Rigmaiden collected information about how the stingray worked from documents obtained from the government, as well as from records obtained through FOIA requests filed by civil liberties groups and from open-source literature.

via Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight | Threat Level | Wired.com.

Slaying the Java Beast

As you’ve probably heard by now, Java’s insecurity has been a vector for hackers to exploit and gain access to your computer through specially crafted malware that can hijack control over your machine. Even the Department of Homeland Security’s CERT team strongly recommends that consumers disable Java on their computers.

While removing Java from your computer entirely may be one way to go, many people require Java to run certain applications locally (which is fairly safe). The real problem lies in the browser plug-in itself — it leaves the door open for “bad guys” to enter your system.

So how does one go about ‘slamming the door’ on these Java beasts? Here’s what I suggest:

Step 1: Which version of Java are you running? The easiest way to find out is through the Java Control Panel. Start by bringing up the Windows Control Panel (in Windows XP and Windows 7, choose Start, Control Panel; in Windows 8, right-click in the lower-left corner of the screen and choose Control Panel). If you see a Java icon, click on it. If you don’t see a Java icon (or link), type Java into the search box in the upper-right corner. If you then see a Java icon, click on it.

Unfortunately, there’s a bug in at least one of the recent Java installers that keeps the Java icon from being displayed inside Windows Control Panel. If you can’t find the Java icon, go to C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin and double-click on the file called javacpl.exe. One way or another, you should now see the Java Control Panel.

Step 2: Update to the latest version of Java, version 7 update 11. In the Java Control Panel, under About, click the About button. The About Java dialog shows you the version number; if you’ve patched Java in the past few months, it’s likely Version 7 Update 9, 10, or 11. (Don’t be surprised if Java says that it’s set to update automatically, but doesn’t. I’ve seen that on several of my machines.) If you don’t have Java 7 Update 11, go to Java’s download site, and install the latest update. You have to restart your browser for the new Java version to kick in. Personally, I also reboot Windows.

Warning: Oracle, bless its pointed little pointy thingies, frequently tries to install additional garbage on your machine when you use its update site. Watch what you click.

Step 3: Disable the Java Runtime in all browsers. From the Java Control Panel, click or tap on the Security tab, then deselect the box marked Enable Java Content in the Browser. Click or tap OK, and restart your browsers (or better yet, reboot). From that point on, the Java Runtime should be disabled in all of your browsers, all of the time. To bring Java back, repeat the steps and select the box marked Enable Java Content in the Browser (the setting should, in fact, say “Enable Java Content in All of Your Browsers”).

Step 4: Turning off Java within each browser. In Internet Explorer 9 or 10, click on the gear icon in the upper-right corner and choose Manage Add-Ons. Scroll down to the bottom, under Oracle America, Inc., select each of the entries in turn; they’ll probably say “Java(tm) Plug-In SSV Helper” or some such. In the lower-right corner click the button marked Disable. Restart IE. At the bottom of the screen, you’ll see a notice that says, “The ‘Java(tm) Plug-In SSV Helper’ add-on from ‘Oracle America, Inc.’ is ready to use.” Click Don’t Enable. If you get a second notice about a Java add-on, click Don’t Enable on it, too. That should permanently disable Java Runtime in IE.

In any recent version of Firefox, click the Firefox tab in the upper-left corner and choose Add-Ons. You should see an add-on for Java(TM) Platform SE 7 U11. Click once on the entry, and click Disable. Restart Firefox.

In Chrome, type chrome://plugins in the address bar and push Enter. You should see an entry that says something like “Java (2 files) – Version: 10.7.2.11” Click on that entry and click the link that says Disable. Restart Chrome.

Step 5: Testing. Confirm whether each browser can or cannot still run Java by visiting the Java test site with each of them. If you go to that site using Google Chrome, there had better be a big yellow band at the top of your screen asking permission to run Java just this once.
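The version check from Steps 1 and 2 and the “Enable Java Content in the Browser” switch from Step 3 can also be scripted, which is handy when you have several machines to clean up. The PowerShell below is an added example, not code from the original post; it assumes Java 7 Update 10 or later (where the Java Control Panel stores that checkbox as the `deployment.webjava.enabled` property in the per-user deployment.properties file) and that the JRE installer registered itself under the usual JavaSoft registry key.

```powershell
# Added example: audit the installed JRE and disable the Java browser plug-in
# for the current user. Assumes Java 7u10+ on Windows Vista or later.

function Get-InstalledJreVersions {
    # Returns the JRE version strings the installer recorded, e.g. "1.7.0_11".
    # The second key covers a 32-bit JRE on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    $versions = @()
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $versions += Get-ChildItem $k | ForEach-Object { $_.PSChildName } |
                Where-Object { $_ -match '^\d+\.\d+\.\d+_\d+$' }
        }
    }
    return $versions | Sort-Object -Unique
}

function Test-JreUpToDate {
    # True when a Java 7 version string is at Update 11 or later (Step 2).
    param([string]$Version, [int]$MinUpdate = 11)
    if ($Version -match '^1\.7\.0_(\d+)$') { return ([int]$Matches[1] -ge $MinUpdate) }
    return $false
}

# Per-user file the Java Control Panel writes its settings to.
$deployDir = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment'
$propsFile = Join-Path $deployDir 'deployment.properties'

function Disable-JavaInBrowsers {
    # Same effect as unticking "Enable Java Content in the Browser" (Step 3):
    # drop any existing setting for the key and append the disabled value.
    if (-not (Test-Path $deployDir)) {
        New-Item -ItemType Directory -Path $deployDir | Out-Null
    }
    $lines = @()
    if (Test-Path $propsFile) {
        $lines = @(Get-Content $propsFile |
            Where-Object { $_ -notmatch '^deployment\.webjava\.enabled=' })
    }
    $lines += 'deployment.webjava.enabled=false'
    Set-Content -Path $propsFile -Value $lines -Encoding ASCII
}

function Test-JavaInBrowsersDisabled {
    # Offline counterpart of Step 5: is the disabling line actually present?
    if (-not (Test-Path $propsFile)) { return $false }
    $hit = Get-Content $propsFile |
        Where-Object { $_ -match '^deployment\.webjava\.enabled=false$' }
    return [bool]$hit
}

# Usage: report what is installed, then switch the browser plug-in off.
$installed = Get-InstalledJreVersions
if (-not $installed) {
    Write-Output 'No JRE registered in the registry; nothing to disable.'
} else {
    foreach ($v in $installed) {
        $state = if (Test-JreUpToDate $v) { 'current' } else { 'NEEDS UPDATE (Step 2)' }
        Write-Output "Found JRE $v : $state"
    }
    Disable-JavaInBrowsers
    if (Test-JavaInBrowsersDisabled) {
        Write-Output "Java browser content disabled in $propsFile; restart your browsers."
    } else {
        Write-Output 'Could not write the setting; run the Java Control Panel by hand (Step 3).'
    }
}
```

The browsers only read the new setting after a restart, exactly as in Step 3, so the Java test site from Step 5 is still the final check.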

Disabling Java in your browsers may seem like a real pain in the rump, but it is something that absolutely everyone must take seriously. Do it now!


Silent Circle: Mike Janke’s iPhone app makes encryption easy, governments nervous.

Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project—a surveillance-resistant communications platform that makes complex encryption so simple your grandma can use it.

This week, after more than two years of preparation, the finished product has hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications—text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.

The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user—a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.

Silent Circle began as an idea Janke had after spending 12 years working for the U.S. military and later as a security contractor. When traveling overseas, he realized that there was no easy-to-use, trustworthy encrypted communications provider available to keep in touch with family back home. Cellphone calls, text messages, and emails sent over the likes of Hotmail and Gmail can just be “pulled right out of the air,” according to Janke, and he didn’t think the few commercial services offering encryption—like Skype and Hushmail—were secure enough. He was also made uneasy by reports about increased government snooping on communications. “It offended what I thought were my God-given rights—to be able to have a free conversation,” Janke says. “And so I began on this quest to find something to solve it.”

via Silent Circle: Mike Janke’s iPhone app makes encryption easy, governments nervous. – Slate Magazine.