Traps are constantly set on the Internet to snare hackers in order to research their behavior and tactics. Many of these traps are honeypots or honeynets that take the form of deliberately unpatched computers or infrastructure exposed to the Internet that lure attackers to break in while their actions are recorded.
In very few instances are decoys built into security processes. However, two experts are in the research phase of building a tool that they say will do just that.
The project is called Honey Encryption and it will be formally rolled out at the Eurocrypt conference in Copenhagen this spring by former RSA Security chief scientist Ari Juels and Thomas Ristenpart of the University of Wisconsin. The concept involves pulling a bit of deceit against an attacker who has stolen some set of data encrypted with Honey Encryption. The tool produces a ciphertext, which, when decrypted with an incorrect key as guessed by the attacker, presents a plausible-looking yet incorrect plaintext password or encryption key.
With traditional encryption, an attacker making an incorrect guess gets gibberish in return to their request. “With Honey Encryption,” Juels told Threatpost, “he gets something that looks like real context.” An attacker would have no way of knowing which plausible-looking value is the correct one.
Juels said the initial motivation behind the project was the security of password vaults. Services such as LastPass, which was breached in 2011, enable users to secure a number of passwords with a master; synchronization of these services is often done in the cloud. If one of these providers is breached, an attacker can crack the master password associated with any vault and extract all of their passwords.
“We had the idea of exploring the possibility of encrypting a vault in such a way where if it were decrypted using the wrong master password, it would decrypt to something that looks plausible,” Juels said.
The trick is to build the capability into Honey Encryption to understand the appropriate structure of the messages an encryption system would try to recover.
“With credit card numbers, we understand them well. For all intents and purposes, they look like a uniformly random number,” Juels said. “You can construct a tight model for that. With a vault, for example, that’s trickier. You need to model how passwords are selected and stored for the particular vault.
“You need a good understanding of message-specific construction; encryption keys and credit card numbers are different than password vaults,” Juels said. “If you use ordinary encryption, it’s agnostic to the distribution of messages. You need to know what it means for a message to be plausible and application dependent.”
Luckily, research exists on password selection, and researchers can also learn from breaches such as the 2009 break-in at game developer RockYou where 32 million cleartext passwords were stolen. That kind of sample gives researchers a fairly accurate understanding of how well users compose secrets used as passwords, including how often words are phrases are re-used or appended according to a particular account.
“The model doesn’t have to be perfect to be good,” Juels said. “If just half of the decryption attempts yield something plausible, you still achieve the desired bafflement of the attacker.”
Some USB modems can be leveraged to send malicious SMS messages and even carry out spear-phishing attacks – sometimes in conjunction with each other – thanks to a cross-site request forgery vulnerability present in the device’s web interfaces.
According to Swedish security researcher Andreas Lindh, who wrote about his findings on 3VILDATA, an information security blog he shares with a fellow Swede, the problem is present in 3G and 4G modems that plug into machines and connect to the Internet through a built-in SIM card.
Lindh claims he hasn’t had time to notify the vendor yet so has held off on naming the specific USB modem used in his exploit but does claim it’s a “high-end one” that is “quite expensive” and “mostly used by corporate custumers.”
The web interface of the USB modem in question allows for configuration. Lindh notes that he can set a PIN, change it, enable it, re-enable it, add a profile, etc. The CSRF vulnerability he found also grants him the ability to send text messages through the modem, using its Web interface, to any phone number. This is done by getting the user to go to a website under his control that he can easily obfuscate the URL.
The vulnerability lets Lindh edit the HTTP POST request method without having to worry about bypassing authentication because there isn’t any–the functionality doesn’t exist.
In the code Lindh posted, the International Mobile Subscriber Identity (IMSI) – or phone number – is blacked out but the msg_content parameter, the function Lindh realized he could supply with text message content and send to users, can be seen:
Lindh also realized that he could employ the same exploit in a phishing attack.
Using a data URI scheme, Lindh was able to put together a fake Facebook login site. Data URI schemes, supported on most browsers (Chrome, Firefox, Safari, etc.) basically give web developers a way to create the illusion of a legitimate web site; the site data is displayed inline as if it’s coming from external sources but it’s not. Lindh’s scheme has all of its HTML loaded into the address bar – in this case the fake Facebook mockup – and doesn’t have to rely on being attached to a domain or hosted on a server.
Lindh then rigged a way for the fake site to steal user credentials from the log-in form fields after they’re entered and have that information passed along to him in a text message.
To test his exploit he obscured the fake Facebook site’s long URL with TinyURL and sent it along to dummy email account. From there, after clicking through and logging in, the login information was sent to his phone via the modem SMS vulnerability.
Lindh notes in the blogpost that it’s an “attack completely without infrastructure requirements; no web server to host the spoofed website, no server to post the stolen credentials to,” writing that all that’s needed is an “email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”
Lindh acknowledges to get the trick to really work, it’d have to be a highly targeted attack but insists it may not be “as unlikely as it may seem at first.”
Aleksandr Andreevich Panin, one of the alleged masterminds behind the notorious SpyEye banking trojan, pleaded guilty in an Atlanta courtroom yesterday to conspiracy charges relating to the development and distribution of the the malware.
Panin pleaded guilty to conspiring to commit wire and bank fraud. He will be sentenced April 29, 2014, before United States District Judge Amy Totenberg.
Second only to the infamous and related Zeus banking trojan, SpyEye is among the most prominent pieces of financial malware to emerge in recent years. It essentially gives attackers the ability to steal online banking credentials from its victim’s machines, which criminals can use in turn transfer money out of those accounts. Certain versions of SpyEye are said to be capable of bypassing two-factor authentication mechanisms. According to the FBI, the SpyEye trojan has facilitated the infection of more than 1.4 million computers and the compromise of more than 10,000 online bank accounts, mostly located in the United States.
“As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation’s economic security,” said United States Attorney Sally Quillian Yates. “Today’s plea is a great leap forward in our campaign against those attacks.”
“Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned—you cannot hide in the shadows of the Internet. We will find you and bring you to justice.”
Panin – also known by the pseudonyms ‘Gribodemon’ and ‘Harderman’ – is not the first man arrested in connection with the SpyEye trojan. In the summer of 2012, three Baltic men were arrested and charged with violating the United Kingdom’s computer misuse act after allegedly using the malicious software program to steal online banking credentials. In the spring of 2013, an alleged co-conspirator of Panin’s, Hamza Bendelladj of Algeria, was arrested in Thailand and extradited to the United States where he had been indicted in late 2011, and faced more than 30 counts related to botnet operation and bank fraud.
The FBI managed to catch Panin after conducting an investigation with international law enforcement and private sector partners, culminating in a search warrant that led to the seizure of a key SpyEye server. The FBI described this server as “very incriminating” because it “contained the full suite of features designed to steal confidential financial information, make fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (or DDoS) attacks from computers infected with malware.”
Several months after that, the FBI compelled the suspect to sell his wares to an undercover FBI agent. The suspect was arrested while flying through Hartsfield-Jackson Atlanta International Airport.
The FBI claims that Panin and others conspired to develop various versions of the SpyEye trojan which they would then advertise for sale in online criminal forums. Panin is said to have sold various versions of the SpyEye malware for anywhere between $1500 and $8500 to more than 150 customers. The exact amount of money stolen by the SpyEye trojan and the total profit earned by Panin are not known, though, one of Panin’s clients, “Soldier,” is reported to have made over $3.2 million in a six-month period using the SpyEye virus.
Threatpost reached out to the FBI’s Atlanta media contact, but a request for comment was not returned by the time of publication.
It seems the exaggerated volume of bad traffic used in politically motivated DDoS attacks last year was not an isolated phenomenon.
Distributed denial-of-service attacks that congest Internet connectivity and disrupt online services topped unprecedented levels in 2013, shoving aside stealthier attacks against the application layer preferred by hackers in previous years.
“It seems that attackers are trying to achieve a goal, be it to impact service availability or as part of a much broader attack campaign, distract from financial fraud and theft,” said Arbor Networks solutions archictect Darren Anstee. “They’ve gone back to volumetric attacks because they are aware that better defenses are in place and this is a way to get around those.”
Arbor released its Worldwide Infrastructure Security Report this week and regardless of whether respondents were in service provider or enterprise environments, DDoS attacks were the No. 1 operational threat to these organizations.
While it’s generally accepted that a 20 Gbps attack is enough to overrun a website or a Web-based service, a substantial number of attacks were more than 100 Gbps, topping out at 309 Gbps in an attack against spam blacklist provider Spamhaus.
“Far more respondents are telling us about larger attacks than 100 Gbps than in 2011 and 2012,” Anstee said. “We saw others at 191, 152 and 130 Gbps.”
Attacks such as the Spamhaus takedown are outliers to be sure with three times the traffic used there than in multiple attacks targeting Bank of America, PNC, Wells Fargo and other large American financial institutions allegedly by the the al-Qassam Cyber Fighters. Spikes in the Spamhaus DDoS attack reached 309 Gbps as attackers took advantage of open DNS resolvers to amplify attacks against the Swiss volunteer organization.
The availability of open DNS resolvers gave the Spamhaus attackers the ability to spoof Spamhaus IP addresses to send the site massive volumes of DNS requests; there was collateral damage in those attacks as well, impacting online streaming media services such as Netflix.
“Spamhaus made people aware of the threat of reflection amplification attacks. It does appear attackers have learned to leverage the infrastructure available on the Internet to help them in attacks,” Anstee said.
Within the last month, NTP amplification attacks have been used to take down sites as well, causing US-CERT to issue an advisory warning enterprises and service providers of the risk. Attackers are taking advantage of a weakness in NTP servers that allows an administrator to query for the IP address of the last 600 machines interacting with an NTP server. By sending a GETLIST command to an NTP server that is spoofed with a victim’s source address, that IP can be overrun with uncalled for traffic in no time.
Arbor’s report indicates that few companies have security staff dedicated to infrastructure such as DNS and locking down those and related services. Coupled with the availability of open DNS resolvers, that presents a problem for high-value targets.
“If you’ve got open DNS resolvers you can use and if you’ve got a botnet that can generate a good volume of traffic and point it at a list of open DNS resolvers, you can use those resolvers to amplify the capabilities you have for your botnet,” Anstee said, adding that attackers can get a 30x improvement with amplification in some cases. “Unfortunately, it’s not that hard; the know-how is available.”
Survey respondents said their top concern for 2014 is DDoS attacks against infrastructure given the ease at which amplification attacks have been happening. Volumetric attacks that consume bandwidth are a top attack vector, along with TCP state-exhaustion attacks that consume connection state tables in load balancers, firewalls and applications servers, and application layers that target aspects of applications or services. A good number of those attacks are even conducted against HTTPS websites and services.
“Well-formed attacks that targeted encrypted Web services were much higher than expected,” Anstee said. Such attacks, like those carried out in Operation Ababil by al-Qassam Cyber Fighters, require a bit of reconnaissance by the attacker who must determine firsthand which files such as log-in forms, or PDFs of annual reports and investment details, are available on an open page. The attacker then uses a GET request over an over to that file putting a load on the server until it is overrun.
“They are carrying out a normal operation over an encrypted connection,” Anstee said, adding such attacks are difficult to detect. “You don’t see bots doing much of that.”
In a hearing before the Senate Intelligence Committee to discuss the public portions of a new national security threat assessment, top intelligence and law enforcement officials said that attacks against financial networks and the critical infrastructure are major threats to the United States’ security. But those threats, as serious as they may be, were not the ones that many of the committee members wanted to discuss. Instead, they were mainly interested in talking about Edward Snowden and the damage his disclosures may have caused to the country and its intelligence-gathering and security capabilities.
The committee, which ostensibly was there to discuss the intelligence community’s latest threat assessment, spent much of the hearing discussing Snowden’s disclosures, the need–or lack thereof–for intelligence reform and whether the leaks of the documents he stole have harmed the country’s security. James Clapper, the director of national intelligence, and Lt. Gen. Michael Flynn, director of the Defense Intelligence Agency, both asserted that Snowden’s leaks have caused serious damage to U.S. security and placed the lives of soldiers and intelligence officers in danger.
Clapper, who has come under fire for his statements to Congress about the NSA’s collection of intelligence on Americans, called Snowden’s actions “the most massive and most damaging theft of intelligence information in our history” and said that the disclosures have caused “profound damage”.
“As a result, we’ve lost critical intelligence sources,” Clapper said during the hearing Wednesday morning. “The intelligence community is going to have less capacity to protect our nation.”
Flynn echoed those sentiments, saying in response to a question that Snowden’s leaks have had serious consequences that may not be felt for years to come.
“This has caused grave damage to our national security,” Flynn said. The true cost, he added, will likely come in the form of “human lives on tomorrow’s battlefields.”
The questions and statements about Snowden’s actions overshadowed some other issues that were raised during the hearing. Sen. Ron Wyden (D-Ore.), a frequent vocal critic of the NSA’s collection programs, used his time toward the beginning of the hearing to ask several pointed questions about domestic surveillance. Specifically, he questioned CIA Director John Brennan about the agency’s activities in the U.S.
“Does the Computer Fraud and Abuse Act apply to the CIA?” Wyden asked, referring to the main U.S. statute that applies to computer crimes.
Brennan said he wasn’t sure and would have to check and get back to Wyden later with an answer. The CIA, like the NSA, is chartered to conduct foreign intelligence operations, not domestic surveillance.
Responding to another question from Sen. Mark Udall (D-NM), who also has been outspoken in his criticism of intelligence methods, about whether the CIA conducts domestic surveillance, Brennan said that the agency follows the law.
The newly published threat assessment from the intelligence community focuses quite a bit of attention on information security issues, especially attacks on financial systems and cyber espionage operations. The report stresses that online crime and intellectual property theft through cyber espionage operations represent serious threats to U.S. security and economic viability.
“Internationally, China also seeks to revise the multi-stakeholder model Internet governance while continuing its expansive worldwide program of network exploitation and intellectual property theft. Iran and North Korea are unpredictable actors in the international arena. Their development of cyber espionage or attack capabilities might be used in an attempt to either provoke or destabilize the United States or its partners. Terrorist organizations have expressed interest in developing offensive cyber capabilities. They continue to use cyberspace for propaganda and influence operations, financial activities, and personnel recruitment,” the report says.
The threat assessment, which also includes discussion of the major physical threats to the U.S., doesn’t go into much in the way of specifics, but says that attacks on critical infrastructure networks represent a serious threat.
“Critical infrastructure, particularly the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in water management, oil and gas pipelines, electrical power distribution, and mass transit, provides an enticing target to malicious actors. Although newer architectures provide flexibility, functionality, and resilience, large segments of legacy architecture remain vulnerable to attack, which might cause significant economic or human impact,” the report says.
Photo from Flickr images of John D. Rockefeller.
The Israeli researchers who last week discovered a VPN bypass bug in Android’s Jelly Bean 4.3 build have done some further testing and said the vulnerability also affects Android’s most recent variety of the operating system, KitKat 4.4.
Like the Jelly Bean bypass bug, this vulnerability allows a malicious app to bypass a VPN configuration to redirect traffic to another network address.
Since KitKat has a modified security implementation the researchers were unable to use the same vulnerability code as they used for Jelly Bean, but were able to find one that worked. The vulnerability relies on getting a malicious app to bypass VPN configuration without needing root permission, to “redirect secure communications to a different network address.”
Dudu Mimran, the CTO of Cyber Security Labs, a division of Ben Gurion University in Be-er Sheva, Israel, initially discussed the Jelly Bean bug last week in a disclosure report.
Just like with that vulnerability, Mimran reports that the communications that pass between the VPN configuration on KitKat are done in clear text and without encryption, unbeknownst to the user.
The researchers have outlined their exploit in a video, first pointing out the build (4.4.2 in this case) before going on to trigger the exploit, connecting to the VPN and demonstrating how to collect sensitive SMTP information via a packet capturing tool.
According to the researchers, the way the KitKat vulnerability works borrows a bit from another vulnerability they found last year in Samsung’s Knox security platform. That vulnerability allowed an attacker to intercept communication between Knox and the outside files on Samsung S4 devices, and in turn, bypass Knox
Samsung and Google dismissed Ben Gurion and Cyber Security Labs’ Knox findings earlier this month claiming the exploit “uses Android network functions in an unintended way” and that the research presented was not a bug or flaw, but a classic man in the middle (MitM) attack. In a public response penned by the two firms, it was stressed that “Android provides built-in VPN and support for third-party VPN solutions to protect data” and that using either of them would “have prevented an attack based on a user-installed local application.” Cyber Security Labs countered Google and Samsung’s opinions with their own response last week.
So far the group has reported both VPN issues to Google via its vulnerability reporting tools but has yet to hear any other than the company is still looking into it. Given Google and Samsung’s response to the group’s Knox discovery, it should be interesting to see what they have to say once the dust settles.
Cyber Security Labs has clarified in the past that follows what it calls a “Responsible Full Disclosure Policy.” In situations like these it notifies the public of each issue it finds, without disclosing critical details that could lead someone to recreate the attack, and updates their blog with the company’s input throughout.
Java-related security issues have remained relatively quiet during the past few months, especially after a rocky start to 2013 seemingly had one Java flaw after another in the news.
Things might be starting to ramp up again with the discovery of a cross-platform Java-based botnet.
Researchers at Kaspersky Lab’s Global Research and Analysis Team reported today their analysis of HEUR:Backdoor.Java.Agent.a, a malicious Java application that infects machines for the purpose of building a DDoS botnet.
The botnet communicates over IRC and can carry out distributed denial of service attacks using either HTTP or UDP flood attacks.
Researcher Anton Ivanov said today that the malicious Java application is capable of running on Windows, Linux and Mac OS X machines, and that the malware exploits a patched Java vulnerability, CVE-2013-2465.
The vulnerability is found in Java 7 u21 and earlier, as well as on different versions of Java 6 and 5. An exploit could allow an attacker to remotely run code on compromised machines through a bypass of the Java sandbox leading to disruption of service and information disclosure. The bug was patched as part of Oracle’s June 2013 Critical Patch Update.
Ivanov said one of the more notable features of the bot sample he analyzed as its use of the PircBot open framework for communication over IRC.
“The malware includes all the [Java] classes needed for the purpose,” Ivanov said. PircBot is a Java-based framework used to write IRC bots.
A passage on the Jibble website which hosts PircBot says: “PircBot allows you to perform a variety of fun tasks on IRC, but it is also used for more serious applications by the US Navy, the US Air Force, the CIA (unconfirmed), several national defence agencies, and inside the Azureus bittorrent client. But don’t let that put you off – it’s still easy to use!”
Once the bot infects a machine and launches, it copies itself into the autostart directories for the various platforms it supports, giving it persistence at startup for each. It then establishes a backdoor connection to the attackers and generates a unique identifier for each machine it compromises. Ivanov said it then connects to an IRC server and joins a channel that is predefined in the bot, awaiting commands.
The attacker uses this channel to specify not only whether it should use an HTTP or UDP flood attack, but also specifies a number of parameters for an attack, including the target’s IP address, port number over which the attack is carried out, attack duration, and how many threads are to be used in the attack, Ivanov said.
Complicating matters for researchers, the botnet uses the Zelix Klassmaster obfuscator.
“In addition to obfuscating bytecode, Zelix encrypts string constants,” Ivanov said. “Zelix generates a different [encryption] key for each class—which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.”
This is not the first time Kaspersky researchers have run into a Java exploit for CVE-2013-2465. A Java exploit called new.jar that as part of the NetTraveler espionage campaign also went after this particular Java vulnerability, dropping a backdoor onto victimized machines.
NetTraveler was publicly disclosed in June and another update was provided in September. The malware targeted diplomats, activists, government agencies and the scientific research community. The first version unveiled by Kaspersky researchers targeted Microsoft Office vulnerabilities; a second wave targeted this Java vulnerability. The NetTraveler attackers used watering hole attacks, compromising Uyghur-related websites to drop malware on machines that steals Office document files, as well as design documents done on Corel Draw or AutoCAD files.
As the noise and drama surrounding the NSA surveillance leaks and its central character, Edward Snowden, have continued to grow in the last few months, many people and organizations involved in the story have taken great pains to line up on either side of the traitor/hero line regarding Snowden’s actions. While the story has continued to evolve and become increasingly complex, the opinions and rhetoric on either side has only grown more strident and inflexible, leaving no room for nuanced opinions or the possibility that Snowden perhaps is neither a traitor nor a hero but something else entirely.
When the first stories based on the documents Snowden stole from the NSA began appearing last June, the reactions from those in the security and privacy community were strong and completely predictable for the most part. Many privacy advocates and people involved in security and civil liberty causes praised Snowden’s actions, saying that he had performed a tremendous service for Americans, as well as other users of the Internet around the world, by revealing the scope of the NSA’s surveillance operations and its alleged abuses of power. That sentiment has gained more supporters along the way, with hugely powerful organizations adding their voices to the pro-Snowden chorus. Earlier this month, the editorial board of The New York Times said that Snowden deserved clemency from criminal prosecution and that his actions were “clearly justified”.
“Considering the enormous value of the information he has revealed, and the abuses he has exposed, Mr. Snowden deserves better than a life of permanent exile, fear and flight. He may have committed a crime to do so, but he has done his country a great service,” the Times editorial says.
The anti-Snowden camp has been just as loud, however. NSA director Keith Alexander, President Barack Obama and members of Congress have decried Snowden’s actions, saying he has compromised the NSA’s ability to collect foreign intelligence and harmed national security. Some have even gone so far as to say that Snowden had endangered the lives of U.S. troops and probably also had been a mole for a foreign power. Robert Gates, the former secretary of the Defense Department, said in an interview earlier this month with PBS that he considered Snowden to be a traitor who should face severe consequences for his actions.
“I think that the revelations have done a lot of damage,” Gates said in the interview. “I think he’s a traitor.”
In some ways, the people pushing the Snowden-as-traitor narrative have a decided advantage here. This group comprises politicians, intelligence officials, lawmakers and others whose opinions carry the implicit power and weight of their offices. Whatever one thinks of Obama, Director of National Intelligence James Clapper and Alexander, they are among the more powerful men on earth and their public pronouncements by definition are important. If one of them declares Snowden to be a traitor or says that he should spend the rest of his life in prison for his actions, there is a sizable portion of the population who accepts that as fact.
That is not necessarily the case on the other side of the argument. However, many members of both the hero and traitor crowds formed their opinions reflexively, aligning themselves with the voices they support and then standing pat, regardless of the revelation of any new facts or evidence. They take the bits and pieces of Snowden’s story arc that fit with their own philosophy, use them to bolster their arguments and ignore the things that don’t help. This, of course, is in no way unique to the Snowden melodrama. It is a fact of life in today’s hyper-fragmented and hype-driven media environment, a climate in which strident opinions that fit on the CNN ticker or in a tweet have all but destroyed the possibility of nuanced discourse.
Snowden himself has provided plenty of evidence that things are quite a bit muddier than they may seem. Though he started by revealing NSA collection programs that some judges have now declared illegal, such as the metadata program, more recent leaks have exposed legitimate intelligence operations against foreign adversaries. How do those revelations fit with the hero storyline? And how do acknowledgements from Obama and some lawmakers that the NSA may have overstepped its bounds and needs to be reined in fit with the traitor narrative?
But people aren’t allowed to change their minds anymore. Saying that there may be some middle ground or grey area is seen as a sign of weakness, of moving off the party line. There is no greater crime in American media today than not having an opinion set in stone. You’ll be branded a flip-flopper and forever exiled from the lucrative talking head circuit. And then how will you sell your memoir or your motivational speeches?
The race to label Snowden as either a traitor or a hero has been counterproductive and done absolutely nothing to advance the far more important discussion around reforming intelligence collection or the fact that the Internet itself should now be considered compromised. Few things in life are entirely one thing or another. In the end, whether Snowden wears a black hat or a white one matters far less than what comes from his actions.
Image from Flickr photos of Duncan Hull.
A gag order has been eased that prevented technology and telecommunications companies from reporting requests for customer data made under the Foreign Intelligence Surveillance Act (FISA).
The move comes on the heels of announced surveillance reforms by President Obama on Jan. 17. Obama, during an address to the Justice Department, promised changes as to how long requests from the Foreign Intelligence Surveillance Court could be kept secret and how they could be reported. Technology companies such as Microsoft, Google, Facebook, LinkedIn and others had banded together several times to petition Obama and Attorney General Eric Holder for greater transparency around these types of requests.
A Justice Department ruling released last night provided companies with two reporting options, according to a letter from Deputy Attorney General James Cole to the general counsels of Yahoo, Microsoft, LinkedIn, Google and Facebook.
The first option brings FISA reporting in line with reporting of National Security Letters in that companies will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer.
Reports may be published every six months, however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.
The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.
CloudFlare, a company that optimizes Web traffic through a cloud-based service, wasted no time in providing its transparency report in accordance with the new order. CloudFlare reported 0-249 National Security Letter orders received impacting 0-249 accounts.
Apple also issued a transparency report on national security orders, reporting 0-249 total orders received affecting 0-249 customer accounts. Apple also reported 927 law enforcement requests on 2,330 accounts. Apple said that it complied with 81 percent of account requests where some data was disclosed.
“This data represents every U.S. national security order for data about our customers regardless of geography,” Apple said in a statement. “We did not receive any orders for bulk data. The number of accounts involved in national security orders is infinitesimal relative to the hundreds of millions of accounts registered with Apple.”
Apple was among the technology companies that on several occasions requested additional leeway in reporting national security orders. The companies argued that the ban violated their respective First Amendment to free speech and harmed their ability to maintain trustworthy relationships with customers. LinkedIn went so far as to call the ban unconstitutional in September.
Companies balked at the government’s initial concession to allow reporting in buckets of 1,000 requests, arguing that it would misrepresent the state of affairs for smaller companies that likely would not receive thousands of requests for national security orders. The companies worried that reporting in bulk would create the impression that the number of orders received would be much higher than reality, i.e., a company that received only 10 requests would have to report that as 0-999.
“The information permitted under these measures would be misleading, would distort the public’s understanding of the actual number of government requests received, would reduce rather than increase transparency, and would deplete rather than enhance trust in the companies, the industry and the government,” LinkedIn wrote in an amicus brief with a California court of appeals in September.
CloudFlare, for example, said that the number of orders it received affects fewer than 0.02 percent of its customers.
“We have long felt that the arguments in support of restricting the disclosure of NSLs to be flawed,” said CloudFlare counsel Kenneth R. Carter in a statement. “We see no threat to national security by acknowledging the program or the number of orders a particular company has received. Further, it is frustrating that most assume the program to be widespread and that tech companies receive NSLs on a daily basis.”
Hasbro[.]com, a leading toy and game distributor in the United States, is infected and serving malware to visitors of the site. Researchers at Barracuda Networks said the site remained infected as of this morning and Hasbro has not responded to an email from the security firm disclosing the issue.
The Java-based attack is similar to one conducted against popular humor website cracked[.]com, which was found in November to also be hosting a drive-by download attack, and as of two weeks ago, was again serving up malware in drive-by attacks.
Like Cracked, Hasbro is a popular website that, based on traffic analysis from Alexa.com from 2013, gets upwards of 215,000 daily visitors. Barracuda estimates that given current Java installations and patching levels, the site could potentially be infecting up to 20,000 visitors a day. While the Cracked and Hasbro attacks don’t seem to be related, Barracuda research scientist Daniel Peck said, the possibility exists that these compromises are recruiting zombie endpoints for a botnet.
“That’s a lot of the motivation for compromising desktop systems for building a botnet, exfiltrating individual data and so forth,” Peck said. “There are a ton of different options [an attacker] can use to monetize a compromised system.”
Barracuda’s automated detection systems said Hasbro[.]com was serving malware on four previous occasions this month: Jan 10, 11, 14 and 20. The site is sending Java-based browser exploits compromising as many as three vulnerabilities dating back to 2012.
“We didn’t see any indicators of it being any known exploit kits,” Peck said. “It seems like it may be a one-off.”
When a visitor lands on Hasbro’s website, the exploits attack the browser and make a backdoor connection to a command and control server. Barracuda made several packet capture files available for analysis of the malware; 27 of 50 vendors were able to detect the malware, according to VirusTotal. The infected browser is sent on several hops, including one that uses HTTPS to obfuscate a redirection to ahnc[.]blockscheine[.]com. Barracuda said on its blog that malicious domain serves a number of Java exploits, which if successful install the malicious payload.
“It’s garden-variety installing arbitrary code on your systems and taking control and doing anything it needs to,” Peck said. “Honestly, I don’t think anything stands out too much. The biggest reason we put the post up about it is because it’s a well-known website. We’ve got our automated systems to find these compromised sites all the time. When we see something that’s common enough that people need to be warned about, it’s worth talking about.”
Barracuda has also recently reported on compromises involving php.net as well as Cracked, which Peck said was compromised again after the initial infection was cleaned up after it was reported in November.
“It’s a very similar attack,” Peck said. “It’s not the same payload and it used a different set of compromised servers inside, so it’s possibly a different group, or possibly someone’s gotten in there very deeply and every now and then they’ll turn it on and avoid being rooted out completely and still be able to use that traffic. With a site like Cracked or any of these other sites that get so much [traffic] a day, you can do quite a bit to build up your botnet.”
A group of six Congressmen have asked President Barack Obama to remove James Clapper as director of national intelligence as a result of his misstatements to Congress about the NSA’s dragnet data-collection programs. The group, led by Rep. Darrell Issa (R-Calif.), said that Clapper’s role as DNI “is incompatible with the goal of restoring trust in our security programs”.
In March, Clapper, the country’s highest-ranking intelligence official, testified before the Senate Intelligence Committee, and was asked by Sen. Ron Wyden (D-Ore.) whether the NSA collects information in bulk on Americans. The hearing took place three months before the Edward Snowden leaks began, and Clapper responded that the agency does not collect such information, at least not knowingly.
“No sir,” Clapper said at the time. “Not wittingly.”
In early July, weeks after the Snowden leaks began, Clapper sent a letter to Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, saying that he had made a mistake in his testimony in March. Clapper said that he was confused by Wyden’s question and thought the senator was asking him about a different program.
“That said, I realized later that Senator Wyden was asking about Section 215 metadata collection rather than content collection. Thus my response was clearly erroneous–for which I apologize,” Clapper said.
Clapper is the former head of the National Geospatial Intelligence Agency and has been DNI since 2010. In their letter to Obama, the group of Congressmen calling for his ouster said that he lied to Congress and should no longer be in office.
“The continued role of James Clapper as Director of National Intelligence is incompatible with the goal of restoring trust in our security programs and ensuring the highest level of transparency. Director Clapper continues to hold his position despite lying to Congress, under oath, about the existence of bulk data collection programs in March 2013. Asking Director Clapper, and other federal intelligence officials who misrepresented programs to Congress and the courts, to report to you on needed reforms and the future role of government surveillance is not a credible solution,” the letter from Issa, Ted Poe, Paul Broun, Doug Collins, Walter Jones and Alan Grayson says.
The Congressmen sent the letter to Obama on Monday, 10 days after the president gave a much-anticipated speech on the NSA’s role and some new limits he wants to place on the scope of its data collection. Security experts and privacy advocates were not enthusiastic about the changes Obama announced, which included a recommendation that a third party hold phone metadata records, which are now stored by the NSA.
One issue that Obama didn’t address in his speech was the agency’s alleged subversion of cryptographic standards and algorithms. In their letter, Issa and his colleagues urged Obama to address this issue.
“While the collection of bulk telephone records (meta-data) under Section 215 of the PATRIOT Act has understandably garnered the most significant public debate over government overreach, considerable concern has been raised about the govemment’s exploitation of the Internet through circumvention of encryption. The Review Group recognized the potential hazard created by exposing vulnerabilities in encryption data and recommended that your Administration support, rather than undermine, efforts to protect the integrity of these systems.3 However, your January 17′th speech failed to address the future of encryption related programs. Internet freedom is indispensible, and reports regarding the govemment’s treatment of encryption protocols underscore the need to provide leadership and clarity beyond the collection of telephone records,” the letter says.
Just like it’s done time and time before, the Syrian Electronic Army (SEA) broke into yet another media outlet late last week, hacking a handful of social media accounts belonging to CNN, including seven Twitter accounts and two Facebook accounts.
CNN admitted the accounts were compromised in a post Friday morning but insisted that the SEA, a group of pro-Syrian regime hackers, only had access for “minutes” and that the accounts were quickly secured.
Microsoft made a similar admission Friday, acknowledging that some of its employees’ social media and email accounts had recently been hit by phishers.
Twitter accounts for CNN’s Security Clearance blog, along with blogs for Political Ticket, The Lead, Security Clearance, The Situation Room and Crossfire were hacked while the Facebook pages for CNN and Security Clearance were also compromised in the attack.
A report by CNN on Monday that purported industrial scale “systematic torture and killing” by Syrian President Bashar al-Assad’s regime drew the ire of the SEA. Officials from Syria’s Justice Ministry shot down the report Wednesday, deeming the attached photos “fake,” leading CNN to print a correction but that didn’t stop the group from carrying out the hack Thursday.
The group called out the news agency following the attack on its official Twitter account, writing that it would “not stop to pursue these liars and will expose them and their methods for the world to see.”
“Tonight, the #SEA decided to retaliate against #CNN’s viciously lying reporting aimed at prolonging the suffering in #Syria,” another tweet said.
Elsewhere on Friday a blog post by Adrienne Hall, the General Manager for Microsoft’s Trustworthy Computing Group admitted that a “select number” of the Microsoft employees had fallen victim to phishing attacks that granted hackers access to social media and email accounts.
The company claimed “documents associated with law enforcement inquiries” – information that it sounds like would be included in one of Microsoft’s semi-annual transparency reports – were at the center of the hack. Hall’s post didn’t elaborate on the attacks, declining to specify both the type of phishing attacks and the ‘validity’ of the stolen emails or documents.
Microsoft’s statement may come off as vague but the admission comes just a few weeks after the SEA hijacked of a handful of social media entities belonging to the company to spread its anti-surveillance agenda, suggesting the two incidents may be related.
Hall claims that Microsoft’s investigation is still continuing but if customer information involving those reports winds up being compromised, the company “will take appropriate action.”
The SEA took over Skype’s Twitter account on New Year’s Day to voice its displeasure over parent company Microsoft and its alleged involvement in NSA’s surveillance activities. The group also took aim at the Twitter and Instagram accounts of Microsoft’s Xbox support, @XBoxSupport, and its official news blog, @MSFTNews, just a week later to spread more or less the same remarks.
The SEA of course has been behind a rash of Twitter takedowns, DDoS attacks and internet vigilantism over the past several years. The group has executed well-publicized attacks on the New York Times, the Washington Post and Harvard University, just to name a few targets.
Espionage malware used in attacks against Israel, as well as Syrian activists, in the last 18 months has been linked to a new attack against Israel’s Civil Administration, the country’s governing body in the West Bank.
Researchers at Seculert reported today that samples of XtremeRAT, a data-stealing remote access Trojan, were found on as many as 15 machines, including some belonging to the Civil Administration of Judea and Samaria, which is responsible for entry and work permits from West Bank to Israel. Aviv Raff, Seculert CTO, said spear phishing emails from a Gmail account purporting to be the Israeli Shin-Bet, Israel’s Security Agency, were used against the Civil Administration.
The lure was a publicly available Hebrew-language Shin-Bet report on recent terror attacks and an attachment linked to the late prime minister Ariel Sharon, discovered Jan. 15, four days after his death.
“Closer examination of the spear phishing emails revealed that the attackers are not native Hebrew speakers and most likely copied and altered incomplete text to create the subject of the email.” Raff said on the company’s blog. “Evidence shows that the word ‘poisoned’ was then added with incorrect grammar to the end of this phrase as seen below.”
XtremeRAT arrived as a PDF in these attacks; in November 2012, the malware was in a Microsoft Word document in an attack against a politician.
The malware connects to a command and control server in the United States, according to Raff, using HTTP over port 1863 to send stolen data to the attackers. The attackers had remote access to receive data and send more malware to infected machines.
“This isn’t the first and it most definitely won’t be the last time we see Xtreme RAT used by cybercriminals, hacktivists or nation-states. In terms of this particular targeted attack, the nature of the compromised organizations could have implications outside cyberspace,” Raff said.
XtremeRAT is a Trojan commonly used by Middle East attackers, including the Syrian Electronic Army. The SEA has claimed responsibility for a number of high-profile attacks against American media outlets, including the New York Times.
In December, researchers at Citizen Lab at the University of Toronto and the Electronic Frontier Foundation looked at malware campaigns targeting Syrian activists. Groups backing Syrian president Bashar al-Assad, of which the SEA is one, were found to be using not only XtremeRAT but also njRAT to target individuals in the Syrian resistance. The malware not only steals data but can be armed with a keylogger used to steal credentials. The lure in each case was different; one XtremeRAT campaign contained a .zip archive of a video of a man being executed.
Seculert said Palestinian hacktivists were behind the latest XtremeRAT attack on Israel. Guy Inbar, a spokesman for the Civil Administration told Reuters: “We are not commenting on it, we don’t respond to such reports.”
These are not the first targeted attacks against Israeli defense agencies. A joint research effort by Kaspersky and Seculert in 2012 uncovered the Madi malware campaign, used against high value targets with extensive spying features. The malware could be programmed to monitor computer screens, record audio and steal screenshots, keystrokes, documents and e-mail correspondence.
Mozilla has fixed a serious vulnerability in its Thunderbird email application that enables an attacker to bypass the filter in Thunderbird that prevents HTML tags from being used in messages. Exploiting the bug could give an attacker the ability to run code on a user’s machine.
The vulnerability in Thunderbird 17.0.6 can be triggered when an attacker injects HTML tags into an email message and a user then replies to or forwards the message. Once the user takes one of those actions, the attacker has the ability to run persistent scripts on the victim’s machine.
“By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion however, While drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and using the <object> tag and insert malicious scripts / code eg. (script / frame) within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the `Reply` or `Forward` Buttons,” the advisory from Vulnerability Laboratory says.
“After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send it to victims. Interestingly the payload gets filtered during the initial viewing mode however if the victim clicks on Reply or Forward, the exploit gets executed successfully. For a POC i will be including multiple examples in this advisory for your review. I was able to run multiple scripts generating strange behaviour on the application which can be seen in the debugging errors which I have attached along with this report.”
The vulnerability is fixed in the most recent versions of Thunderbird, and users should upgrade as soon as possible, as the bug doesn’t require much in the way of user interaction for exploitation.
“These sort of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application. Exploitation of this persistent application vulnerability requires a low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection, persistent phishing, Client side redirects and similar client side attacks,” the advisory says.