Attackers are accessing routers running on the border gateway protocol (BGP) and injecting additional hops that redirect large blocks of Internet traffic to locations where it can be monitored and even manipulated before being sent to its intended destination.
Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure.
It is unknown how the attackers are accessing the affected routers, whether they have physical access or whether the router is exposed to the Internet, but that’s the easy part. The route injection is merely a few tweaks to the router’s configuration.
“It’s actually making a BGP-speaking router do exactly what it is intended to do. All you’re doing is changing the configuration on the router,” said Renesys CTO and cofounder Jim Cowie. “A normal border router would have normal configuration entries for all the networks you have access to—all your customers. This just adds extra lines to a configuration. They can announce these routes to my peers and let them know I can reach this even though it’s fiction. As long as you have access to a border router at an important service provider and you’ve chosen the right place to do this, there’s no software [malware] required.”
The hard part is knowing where to insert the route injection attack, Cowie said, adding that some of the victims Renesys has observed—and contacted—include financial services organizations, voice over IP providers, government agencies and other large enterprises. Attacks take place at the level of the BGP route where blocks of IP addresses, in some cases targeting specific organizations, are misdirected.
“On one hand, we’ve seen people hijacking blocks of addresses that belong to DSL pools, groups of customers not very specific somewhere in the country. And we’ve seen networks hijacked that belong to very specific organizations; they’re not a big pool of generic users, but somebody’s business,” Cowie said.
Cowie said the attackers are using the routing system much in the same way a network engineer would.
“There is some sophistication in the choice of place where you inject these routes from,” Cowie said. “You want to be able to evade whatever filters people have in place to prevent the spread of bad routing. And you want to hijack a place that has influential status who are going to propagate to the people whose traffic you want. Most of the sophistication in the attack is in the choice of the point where you actually do route injection.”
The attackers, meanwhile, can pull off this type of redirection and traffic inspection without adding much latency at either end of the web request. Also, unlike traditional man-in-the-middle attacks where the bad guy is within physical proximity of the victim, here the attacker could just as easily be halfway around the world. And should the traffic in question be unencrypted, plenty of sensitive business or personal data would be at risk.
“[The attacker is] getting one side of conversation only,” Cowie said. “If they were to hijack the addresses belonging to the webserver, you’re seeing users’ requests—all the pages they want. If they hijack the IP addresses belonging to the desktop, then they’re seeing all the content flowing back from webservers toward those desktops. Hopefully by this point everyone is using encryption.”
Renesys provided two examples of redirection attacks. The first took place every day in February with a new set of victims in the U.S., South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran, being redirected daily to an ISP in Belarus.
“We recorded a significant number of live traces to these hijacked networks while the attack was underway, showing traffic detouring to Belarus before continuing to its originally intended destination,” the company said on its blog. One trace, starting in Guadalajara, Mexico and ending in Washington, D.C., included hops through London, Moscow and Minsk before it was handed off to Belarus, all because of a false route injected at Level3, the ISP formerly known as Global Crossing. The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye.
In the second example, a provider in Iceland began announcing routes for 597 IP networks owned by a large U.S. VoIP provider; normally the Icelandic provider Opin Kerfi announces only three IP networks, Renesys said. The company monitored 17 events routing traffic through Iceland.
“We have active measurements that verify that during the period when BGP routes were hijacked in each case, traffic redirection was taking place through Belarusian and Icelandic routers. These facts are not in doubt; they are well-supported by the data,” the blog said. “What’s not known is the exact mechanism, motivation, or actors.”
Since this isn’t a vulnerability that can be patched, mitigations are limited to either cryptographically signing routes, or following a best practice known as BCP 38, where ISPs put filters in place to prevent spoofing and route injection, Cowie said. Both are expensive and may not be economically feasible for ISPs unless all are required to do so. Also, in particular with crypto signing of routes, if the trust is derived from a government or a single organization, that entity would have control over segments of Internet traffic, which could introduce another set of surveillance issues.
“The tempo [of route injection attacks] has picked up over the course of this year, so my guess is this is more common knowledge among groups who can do this,” Cowie said. “It’s hard to say whether it’s one group, or two groups, three groups. Maybe they know each other, we don’t know. It’s really pretty unknowable.”
Graphic courtesy of Renesys.
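The two signals Renesys describes above, a foreign origin AS announcing a block (or a more-specific of it) it does not own, and a small provider suddenly originating far more prefixes than usual, can be checked against a route collector feed. This is an added example, not Renesys code; the expected-origin table, baseline counts, AS numbers and the update feed are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of who is expected to originate which block. In
# production this would be built from RPKI ROAs, IRR route objects or the
# operator's own customer list. All AS numbers and prefixes here are made up
# (documentation ranges and private ASNs).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},    # hypothetical VoIP provider
    "198.51.100.0/22": {64500},
    "192.0.2.0/24": {64501},      # hypothetical government network
}

# How many prefixes each origin AS normally announces (constructed baseline).
BASELINE_PREFIX_COUNTS = {64500: 2, 64501: 1, 64666: 1}

# Constructed update feed as a route collector would see it: (prefix, AS path).
# AS 64666 plays the role of the small provider that suddenly originates
# address space it does not own.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),        # legitimate
    ("192.0.2.0/24", [64510, 64520, 64501]),    # legitimate
    ("10.66.0.0/16", [64510, 64666]),           # hijacker's own block (not tracked)
    ("203.0.113.0/25", [64510, 64666]),         # more-specific of a known block
    ("198.51.100.0/22", [64510, 64666]),        # exact prefix, wrong origin
    ("192.0.2.0/24", [64510, 64666]),           # exact prefix, wrong origin
]


def expected_origins_for(prefix):
    """Find the most specific expected block covering ``prefix``.

    Returns (covering_network, expected_origin_set), or None when the prefix
    lies outside every block we track.
    """
    net = ipaddress.ip_network(prefix)
    best = None
    for known, origins in EXPECTED_ORIGINS.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version or not net.subnet_of(known_net):
            continue
        if best is None or known_net.prefixlen > best[0].prefixlen:
            best = (known_net, origins)
    return best


def check_updates(updates, baseline_counts, growth_factor=3):
    """Return a list of alert tuples for suspicious announcements.

    Two checks are applied:
      1. origin validation: the last AS in the path must be an expected
         origin for the covering block. A more-specific of a known block
         from a foreign origin is the classic sub-prefix hijack; the exact
         prefix from a foreign origin is an origin hijack.
      2. announcement volume: an origin announcing far more prefixes than
         its baseline (the "3 networks become 597" pattern) is flagged even
         for address space we do not track.
    """
    alerts = []
    originated = defaultdict(set)
    for prefix, as_path in updates:
        origin = as_path[-1]
        originated[origin].add(prefix)
        match = expected_origins_for(prefix)
        if match is None:
            continue
        covering, owners = match
        if origin in owners:
            continue
        if ipaddress.ip_network(prefix) == covering:
            kind = "origin hijack"
        else:
            kind = "more-specific hijack"
        alerts.append((kind, prefix, origin, sorted(owners)))
    for origin, prefixes in originated.items():
        usual = baseline_counts.get(origin)
        if usual and len(prefixes) > growth_factor * usual:
            alerts.append(("prefix-count anomaly", origin, len(prefixes), usual))
    return alerts


if __name__ == "__main__":
    for alert in check_updates(SAMPLE_UPDATES, BASELINE_PREFIX_COUNTS):
        print(alert)
```

Origin validation alone misses a hijacker that keeps the legitimate origin at the end of a forged path, which is why the volume check is kept as an independent signal.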
NEW YORK–If Bill Cheswick had his way, the future of computing and computer security would look a lot like the distant past, with trusted platforms, small programs, applications that can’t affect the operating system and resistance to user mistakes.
Cheswick, a former Bell Labs computer scientist and longtime speaker on security topics, echoed what many people in the security field have been saying for years now: The current way that we’re thinking about and deploying software and security isn’t working well enough and needs to be rethought. This is a familiar refrain for anyone who’s been paying attention to the direction of the security community of late, but Cheswick said that the solution to the current problem set doesn’t involve adding successively thicker layers of security onto existing platforms. Rather, he envisions a reboot of the computing ecosystem itself.
“I think we can build an affordable computing platform that can’t be compromised by user error not involving a screwdriver,” Cheswick said in a keynote talk at the OWASP AppSec USA conference here Wednesday. “You couldn’t compromise the apps, you couldn’t affect the OS, you couldn’t own the machine. It’s not about user education. It’s bad engineering to rely on grandma. There shouldn’t be anything she can do to affect the system.”
The ideal compute platform would include trusted hardware, trusted firmware, a sandbox and a trusted operating system, Cheswick said. The stack he described is not a novel concept. Older platforms, going back several decades, relied on this architecture, he said, and it’s been proven to be reliable and secure. The problem is that the current software and security ecosystems have evolved to a point where implementing something like that would be expensive, at least at the beginning. However, Cheswick believes that it would be worth the start-up costs and effort in order to spread the benefits to the widest possible user base.
Detecting intrusions and compromises of software and devices is the main goal of much of the security software in use today, but Cheswick maintains that model needs some tweaking.
“We’ve already lost once the evil software is on the machine,” he said.
Preventing attackers from getting their mitts on a target machine in the first place should be the goal, he said, and one that Cheswick believes can be achieved through the separation of the core components of the computing platform from the pieces the user needs to touch.
“I want a system where the OS can’t be changed or subverted regardless of the app that’s run or the user’s action. The apps can’t taint the OS or other apps,” he said. “Random Web software can run in a sandbox and it can have arbitrary amounts of evil and it won’t do any harm. And we need ubiquitous end-to-end crypto. I want my kernel to be cast in adamantium before it goes onto the machine. I don’t want it to change once it loads.”
Some of the features that Cheswick described have been implemented in various platforms over the years, most recently in Apple iOS, which will only run signed code and treats the device as a trusted platform. Whether that model becomes a dominant one in the years to come remains to be seen, but Cheswick said he thinks there’s a good chance it could happen.
“I think we can win. Correct software can be implemented if we’re very careful,” he said.
Hackers reportedly breached servers in January belonging to Cupid Media, a niche dating service with 30 million users, stealing more than 42 million unencrypted passwords and various other sensitive data.
Cupid Media operates a variety of niche dating sites based on ethnicity, religion, physical appearance, special interests, lifestyle and more.
Brian Krebs, who first obtained information about the attack earlier this month, suggests that the Australia-based online dating service may have failed to remove information belonging to users who had deleted their accounts. This, Krebs said, is likely how the site ended up exposing the information of more users than are currently registered there.
The Cupid Media compromise, which the company’s managing director, Andrew Bolton, confirmed to Krebs, demonstrates two troubling realities: users are still bad at creating passwords and some companies are still failing to encrypt user data, passwords in particular.
According to the report, the hack exposed the names, email addresses, and birthdays of current and former users as well. The stolen information was found on a server which contained information from other recent data breaches, including some of the 2.9 million customer records stolen from Adobe, uncovered by Krebs.
Krebs examined the passwords used on the Cupid Media service, making lists of the top-ten numeric and non-numeric passwords. What he found was not promising:
Graphs via Krebs on Security
Attackers are exploiting a two-year-old vulnerability in JBoss Application Servers that enables a hacker to remotely get a shell on a vulnerable webserver. The number of infections has surged since exploit code called pwn.jsp was publicly disclosed Oct. 4.
Researchers at Imperva said that a number of government and education websites have been compromised, as indicated by data collected through the company’s honeypots. An attacker with remote shell access can inject code into a website run by the server or hunt and peck for files stored on the machine and extract them.
The vulnerability, in the HTTP Invoker service that provides RMI/HTTP access to Enterprise Java Beans, was discovered in 2011 and presented at a number of security events that year.
“The vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server,” said Imperva’s Barry Shteiman. “Once the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that application server.”
On Sept. 16, the National Vulnerability Database issued an advisory warning of a remote code execution bug affecting HP ProCurve Manager, network management software. The vulnerability was given the NVD’s highest criticality ranking of 10. Since then, other products running the affected JBoss Application Server have been identified, including some security software.
Within three weeks, an exploit was added to exploit-db that successfully gained shell against a product running JBoss 4.0.5.
“Immediately thereafter, we had witnessed a surge in JBoss hacking, which manifested in malicious traffic originating from the infected servers and observed in Imperva’s honeypot array,” Shteiman said.
According to Imperva’s analysis, the vulnerability lies in the Invoker service, which operates at the remote management level enabling applications to access the server. The Invoker improperly exposes the management interface, Shteiman said.
Compounding the problem is that in addition to the pwn.jsp shell, Shteiman said there is another more sophisticated shell available to attackers.
“In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities,” he said.
Imperva also said that the number of webservers running JBoss software has tripled since the initial vulnerability research was made public.
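Because the exploitation path described above runs through ordinary HTTP requests to the management interface followed by requests to a freshly deployed JSP, web-server access logs are enough to spot it. The following is an added detection example, not Imperva code: the log lines are constructed, the invoker and console paths are assumed JBoss AS defaults, and the "known context" list stands in for wherever a real deployment keeps its legitimate JSPs.

```python
import re
from collections import Counter

# Constructed access-log lines in combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2013:10:12:01 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120
198.51.100.77 - - [05/Nov/2013:10:12:44 +0000] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 0
198.51.100.77 - - [05/Nov/2013:10:12:45 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1173
198.51.100.77 - - [05/Nov/2013:10:13:02 +0000] "GET /zecmd/x.jsp HTTP/1.1" 200 312
198.51.100.77 - - [05/Nov/2013:10:13:30 +0000] "GET /evil/pwn.jsp HTTP/1.1" 200 880
203.0.113.9 - - [05/Nov/2013:10:20:17 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 401 0
203.0.113.9 - - [05/Nov/2013:10:21:00 +0000] "GET /shell/JspSpy.jsp HTTP/1.1" 404 0
10.0.0.8 - - [05/Nov/2013:10:30:00 +0000] "GET /myapp/report.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Management and invoker endpoints that should never be reachable from
# untrusted networks (assumed JBoss AS default names for this example).
INVOKER_PATHS = (
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/jmx-console/",
    "/web-console/",
)
# Webshell names mentioned in the article (matched case-insensitively).
WEBSHELL_NAMES = ("pwn.jsp", "jspspy")
# Where this (constructed) deployment legitimately serves JSPs from.
KNOWN_CONTEXTS = ("/myapp/",)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_jboss_abuse(entries):
    """Return (ip, reason, path) findings in log order.

    Three rules: any request to the management/invoker endpoints, any request
    for a known webshell file name, and a JSP outside the known application
    contexts requested by a client that earlier POSTed to an invoker endpoint
    (the deploy-then-use sequence described in the article).
    """
    findings = []
    invoker_posters = set()
    for e in entries:
        path_only = e["path"].lower().split("?", 1)[0]
        if any(path_only.startswith(p.lower()) for p in INVOKER_PATHS):
            findings.append((e["ip"], "management interface access", e["path"]))
            if e["method"] == "POST":
                invoker_posters.add(e["ip"])
            continue
        name = path_only.rsplit("/", 1)[-1]
        if any(name.startswith(w) for w in WEBSHELL_NAMES):
            findings.append((e["ip"], "known webshell name", e["path"]))
            continue
        if (path_only.endswith(".jsp")
                and not path_only.startswith(KNOWN_CONTEXTS)
                and e["ip"] in invoker_posters):
            findings.append((e["ip"], "jsp outside known contexts after invoker POST", e["path"]))
    return findings


def findings_per_client(findings):
    """Count findings per source IP, useful for prioritising triage."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    for f in find_jboss_abuse(parse_log(SAMPLE_LOG)):
        print(f)
```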
Developers behind the Angler Exploit Kit have apparently added a new exploit over the last week that leverages a known vulnerability in Microsoft’s Silverlight browser framework.
Silverlight, similar to Adobe Flash, is Microsoft’s plug-in for streaming media on browsers and is perhaps most known for being used in Netflix’s streaming video service.
British-based security researcher Chris Wakelin discovered the Silverlight exploit last week and posted about it on Twitter via his @EKWatcher handle. From there an independent security researcher that goes by the name Kafeine picked it up, investigated Angler EK and described his findings on his blog Malware Don’t Need Coffee.
According to Kafeine the exploit kit usually checks to see if the system it’s deployed on has Java or Flash but can now check to see if it has Silverlight installed. If it can’t exploit Java or Flash it delivers a remote control exploit (CVE-2013-0074) that targets Silverlight 5. The vulnerability was patched in March but users running Silverlight who haven’t yet patched the critical vulnerability are still at risk and would be best served to update their software.
Angler EK surfaced last month following the arrest of the Blackhole Exploit Kit’s creator Paunch in Russia. According to Kafeine, the same team behind the more souped-up Cool Exploit Kit, who also had ties to Blackhole, helped develop Angler and are also behind the popular Reveton ransomware.
Netflix has 40 million global subscribers that could potentially be vulnerable to the exploit since the service principally uses Silverlight for streaming media. The video streaming company has been making strides to ditch Silverlight for HTML5 over the past few months and while it introduced HTML5-support in Windows 8.1 and Internet Explorer 11 over the summer, the technology hasn’t been completely fleshed out yet on most browsers.
Thirty-seven states are claiming a privacy victory against Google and will split a $17 million settlement from the search giant.
Google, which generated $2.97 billion in online advertising revenue in the third quarter, was deliberately bypassing default privacy settings in Apple’s Safari browser in order to serve targeted ads to consumers. A special snippet of code enabled Google, through its DoubleClick service, to drop cookies despite a default setting in Safari that blocked them.
The Wall Street Journal exposed the practice in early 2012 and Google quickly removed the offending code. That did not stop the attorneys general of 37 states and the District of Columbia from moving forward with legal action against Google that was settled this week. The states believed they had a case because Google did not make it clear to Safari users that cookies were being placed on their machines without their consent.
“Consumers should be able to know whether there are other eyes surfing the web with them. By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust,” New York Attorney General Schneiderman said in a statement. “We must give consumers the reassurance that they can browse the Internet safely and securely. My office will continue to protect New Yorkers from any attempts to deliberately expose their personal data.”
The settlement requires Google to not bypass cookie settings without a user’s consent, nor may it fail to inform consumers of how Google serves personalized ads to them via their browsers. In addition, Google must expire the cookies placed on Safari browsers from June 1, 2011 through Feb. 15, 2012 by February of next year.
Google must also maintain a website for five years that explains what cookies are and the privacy implications for consumers.
A Google spokesperson said in a statement: “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
Last June, Google was forced to fork over $22.5 million to settle a similar charge by the U.S. Federal Trade Commission, to date the largest settlement in FTC history.
The penalty settled charges that Google violated an earlier settlement between the FTC and Google.
“Google exploited an exception to the browser’s default setting to place a temporary cookie from the DoubleClick domain,” read a portion of the June 2012 settlement. “Because of the particular operation of the Safari browser, that initial temporary cookie opened the door to all cookies from the DoubleClick domain, including the Google advertising tracking cookie that Google had represented would be blocked from Safari browsers.”
The initial settlement was in October 2011 and it claimed Google was deceptive and violated its privacy pact with users by misrepresenting the control that Safari users had over the placement of cookies on their machines.
Microsoft and Google appear to be the primary belligerents in an anti-arms race that pays security researchers to sniff out bugs on the Internet. Yesterday it was Google’s turn to expand the scope of its bug bounty program.
More robust, high paying, and far reaching bug bounties are good news for everyone – other than the governments and exploit brokers that would rather buy and sell vulnerabilities with little competition. Bug bounties are good for users because they make the Web, computers, and software safer, and they are also good for vendors, because it is cheaper to pay one-off researchers than it is to hire full-time bug-hunters.
Google is one of the vanguards of paying bounties to researchers who responsibly disclose bugs in its products and services. In October though, the company announced its Patch Rewards Program, which offers payments to researchers who disclose bugs in open-source protocols and projects.
Initially the list of eligible services was core infrastructure network services like OpenSSH, BIND, and ISC DHCP; core infrastructure image parsers like libjpeg, libjpeg-turbo, libpng, and giflib; open-source foundations of Google Chrome like Chromium and Blink; other high-impact libraries like OpenSSL and zlib; and security-critical, commonly used components of the Linux kernel (including KVM).
Now Google is extending that list to include: all the open-source components of Android such as the Android Open Source Project; widely used web servers such as Apache httpd, lighttpd and nginx; popular mail delivery services including Sendmail, Postfix, Exim, and Dovecot; virtual private networking services like OpenVPN; network time, for example, the University of Delaware’s NTPD; more core libraries like Mozilla NSS and libxml2; and toolchain security improvements for GCC, binutils, and llvm.
Microsoft too has been improving its bounty program in recent months. First it announced that it would pay six-figure sums for particularly critical bugs. Then it added incident response teams and forensics experts who come across active attacks in the wild to the list of candidates eligible for these six-figure rewards. In addition to that, along with Facebook, Microsoft sponsors an Internet bug bounty, similar to Google’s, which rewards researchers for uncovering vulnerabilities in core Internet technologies.
Google announced today that it has completed the upgrade of all its SSL certificates to 2048-bit RSA or better, coming in more than a month ahead of schedule.
“We have completed this process which will allow the industry to start removing trust from weaker 1024-bit keys next year,” Google security engineer Dan Dulay said today.
Google announced in May that it had begun work on changing all its key lengths and that it wanted to do so before the end of 2013. That was a little more than two weeks before the first Edward Snowden leaks and bombshell revelations about NSA surveillance on Americans in the name of national security.
By choosing the longer key lengths, Google makes cracking the SSL connections that encrypt and secure banking transactions, email communication and more online that much tougher.
“The hardware security module that contained our old 1024-bit intermediate certificate has served us well,” Dulay said. “Its final duty after all outstanding certificates were revoked was to be carefully destroyed.”
Google’s Dulay also said that its intermediate certificate authority, the Google Internet Authority, will issue 2048-bit certificates for its websites and online services going forward.
Google has had SSL on by default in Gmail since 2010 and has been encrypting searches for logged-in users by default since October 2011. This September, Google instituted SSL by default for all searches.
Google was scheduled to start switching over to 2048-bit certificates in August, as well as changing the root certificate signing all of its SSL certificates. It also advised there could be some configurations that could cause an issue with the new certificates, in particular with embedded devices.
In particular, Google said clients must have the ability to support the normal validation of a certificate chain, along with including a properly extensive set of root certificates. There are a number of things that could cause certificate validation issues after the change, Google said, including clients that use hashes to match certificates exactly. Also, clients with hard-coded root certificates, such as those with certificates embedded in firmware, may run into problems.
The SSL protocol has stood up well to hackers, who have had to find success breaking SSL implementations or finding holes in certificate authorities to exploit. The NSA, meanwhile, has also had to get creative in beating the protocol. The most recent Snowden revelations have the NSA tapping the unencrypted fiber cables between data centers in order to siphon data on web searches, email messages and other information.
“The deprecation of 1024-bit RSA is an industry-wide effort that we’re happy to support, particularly in light of concerns about overbroad government surveillance and other forms of unwanted intrusion,” Dulay said.
A hacker group calling itself Inj3ct0r is taking responsibility for the compromise of more than 860,000 passwords at MacRumors.com as well as a separate attack on vBulletin.com, makers of the vBulletin software powering a number of high-profile forums including MacRumors and Ubuntu Forums.
The Inj3ct0r Team posted on its Facebook page that it had attacked the three sites and found a critical zero-day vulnerability on all versions of vBulletin 4.x.x and 5.x.x.
“We’ve got upload shell in vBulletin server, download database and got root,” the post says.
vBulletin technical support lead Wayne Luke reported the breach late last week in an advisory, urging vBulletin users to change their passwords as well.
“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” Luke wrote. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”
In the meantime, Black Hat and DEF CON founder Jeff Moss posted to Twitter that the DEF CON forums were temporarily shut down. Inj3ct0r also claims to have used the same zero-day vulnerability in vBulletin to infiltrate the DEF CON forum.
“You are late, we made a backup sites that we care about you too. LOL,” Inj3ct0r posted to Facebook this morning.
Inj3ct0r claims to run a database of exploits and vulnerabilities (www[.]1337day[.]com) and acts as a resource for researchers and security professionals.
“The 1337day team specializes solely in bug research, not malicious actions,” the website says.
Inj3ct0r also claimed responsibility for the MacRumors Forum hack and used the zero-day to obtain a moderator’s password and steal the password database.
The hackers posted to the MacRumors Forum shortly after the attack that they would not leak the password data. Editorial director Arnold Kim confirmed the legitimacy of the post to Threatpost last week; the hackers posted a portion of Kim’s password hash and salt as proof.
Kim quickly alerted users of the breach and he too advised his members to change their passwords, not only on the forum but anywhere else they might have used the same password.
“We’re not going to ‘leak’ anything. There’s no reason for us to. There’s no fun in that. Don’t believe us if you don’t want to, we honestly could not care less,” the hacker wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results.”
In the same post last week, the hacker hinted too that version 3.x.x of vBulletin was more secure than later releases and that the blame should not be put on outdated vBulletin software.
The attack on the free Linux distribution Ubuntu in July affected close to 2 million of its forum account members, as the attackers were able to access every user’s email address and hashed password.
“Consider the ‘malicious’ attack friendly,” Inj3ct0r said of the MacRumors attack. “The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”
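Both the Cupid Media story (passwords stored in the clear) and the MacRumors post above (salted hashes that "don't take long whatsoever" to run through hashcat) come down to the same defensive point: store only a slow, per-user-salted key derivation, and use each successful login to upgrade older records in place. The following added example is not code from any of the sites mentioned; the legacy scheme is an assumed single round of salted MD5 standing in for whatever fast hash an old forum used, and the record formats are invented for the example.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme for this example: one fast, salted MD5 round. The real
# forum software's scheme is not described on the page.
LEGACY_PREFIX = "md5salt$"
PBKDF2_PREFIX = "pbkdf2_sha256$"
PBKDF2_ROUNDS = 200_000   # work factor; raise it as hardware gets faster


def legacy_hash(password, salt):
    """Fast salted hash: cheap to compute, so cheap to guess against."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def legacy_record(password, salt):
    """Build a stored record in the assumed legacy format."""
    return f"{LEGACY_PREFIX}{salt}${legacy_hash(password, salt)}"


def hash_password(password, rounds=PBKDF2_ROUNDS, salt=None):
    """Random per-user salt plus a slow KDF; returns a self-describing record
    so the verifier knows the parameters without a separate schema."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{PBKDF2_PREFIX}{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Return (ok, needs_rehash). Comparisons are constant-time."""
    if record.startswith(PBKDF2_PREFIX):
        _, rounds, salt_hex, digest_hex = record.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
        ok = hmac.compare_digest(digest.hex(), digest_hex)
        # A record hashed with fewer rounds than current policy is upgraded.
        return ok, ok and int(rounds) < PBKDF2_ROUNDS
    if record.startswith(LEGACY_PREFIX):
        _, salt, digest_hex = record.split("$")
        ok = hmac.compare_digest(legacy_hash(password, salt), digest_hex)
        # The only time the plaintext is available to re-hash is a correct login.
        return ok, ok
    raise ValueError("unknown password record format")


def login(store, username, password):
    """Check credentials against ``store`` (a dict of username -> record) and
    transparently migrate weak records to the current scheme on success."""
    record = store.get(username)
    if record is None:
        return False
    ok, needs_rehash = verify_password(password, record)
    if ok and needs_rehash:
        store[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    users = {"alice": legacy_record("correct horse", "x1")}
    print(login(users, "alice", "correct horse"), users["alice"][:22])
```

Migration on login only reaches users who sign in again, so a breach-driven password reset (as vBulletin and MacRumors issued) is still needed for the dormant accounts the Cupid Media story highlights.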
Following months of criticism from security experts and privacy advocates for not deploying SSL across its Web offerings, Yahoo on Monday announced that it will be giving users the option to encrypt all of the data they exchange with the company by the end of the first quarter next year.
The change is a long time coming for Yahoo, which is months or years behind Google and Microsoft in offering this option. Yahoo announced recently that it would be giving its email users the ability to choose SSL as the default for their connections, a change that is scheduled to be rolled out by the beginning of January. With the new announcement, users also will have the option of using a secure HTTPS connection for other Yahoo services, such as search. Google made SSL the default option for Gmail in 2010.
In addition to encrypting traffic to and from its Web properties, Yahoo also will be encrypting the data that moves between its data centers around the world. This move can be seen as a direct response to recent revelations that the NSA has been intercepting traffic between data centers belonging to both Google and Yahoo. Google officials said they have made the same change.
Yahoo CEO Marissa Mayer said in a statement:
“Today we are announcing that we will extend that effort across all Yahoo products. More specifically this means we will:
- Encrypt all information that moves between our data centers by the end of Q1 2014;
- Offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014;
- Work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled.
As we have said before, we will continue to evaluate how we can protect our users’ privacy and their data.”
Encrypting the traffic flowing between its data centers is a major change for Yahoo, but the more important move for consumers is the option for them to use a secure connection for their sessions with Yahoo Web properties. That change will protect a huge amount of Web traffic and user data.
Tens of millions of online banking customers in the U.K. are the targets of a dangerous spam campaign enticing users to open an attachment containing the CryptoLocker ransomware.
The U.K.’s National Crime Agency’s National Cyber Crime Unit posted an advisory late last week warning people to be vigilant about opening email attachments, in particular those from small- and medium-sized banks and financial institutions.
“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular,” the advisory said. “This spamming event is assessed as a significant risk.”
The attachments purport to be about a number of potential issues with a user account, including details of suspicious transactions, invoices, voicemails or faxes. Instead, they drop the ransomware on the victim’s machine.
“The NCA are actively pursuing organized crime groups committing this type of crime,” said Lee Miles, Deputy Head of the NCCU. “We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”
US-CERT issued an advisory two weeks ago about a spike in CryptoLocker infections. Unlike other ransomware scams, CryptoLocker is capable of finding and encrypting files from a number of network resources and then displaying a banner to the victim demanding a ransom for the decryption key. A clock on the banner ticks down to a time when the private key will be destroyed. More familiar ransomware schemes put up a similar banner, but will lock a user out of their machine until the ransom is paid.
The attackers, in this case, are demanding £536, according to the NCA, which is approximately $850 US. Victims are told they have to make their payments to the attackers via Bitcoin or MoneyPak.
Much like law enforcement in the U.S., the NCA advises victims not to pay the ransom demand, adding the caveat that there is no guarantee the criminals would decrypt the files in question. Instead, the NCA asks victims to report CryptoLocker infections to Action Fraud, the U.K.’s national fraud and Internet crime reporting center.
CryptoLocker has been in circulation for a few months, but infections started surging last month, according to a US-CERT advisory. In the U.S., the attackers have found success using phony Federal Express or UPS tracking notification emails as a lure.
The malware sniffs out files in a number of network resources, including shared network drives, removable media such as USB sticks, external hard drives, network file shares and some cloud storage services.
“If one computer on a network becomes infected, mapped network drives could also become infected,” the US-CERT advisory warns, adding that victims should disconnect their computers from their wired or wireless networks immediately upon seeing the red-screen notice put up by CryptoLocker that provides details on how to recover the encrypted files.
Upon infection, the malware establishes contact with the attacker and stores the asymmetric encryption key there. Researchers at Kaspersky Lab said CryptoLocker uses a domain generation algorithm to generate up to 1,000 domain names from which to connect to the attacker’s command and control infrastructure. During a three-day period in October, more than 2,700 domains tried to contact three CryptoLocker domains sinkholed by Kaspersky.
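A client working through a generated list of 1,000 candidate domains produces a burst of NXDOMAIN answers for names no human typed, which is visible in resolver logs long before the sinkholed domain is reached. The following added example (not Kaspersky or US-CERT code) flags clients with many distinct, high-entropy, failed lookups in one time window; the DNS log format and every name in it are constructed, and the length/entropy thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: unix timestamp, client IP, queried name, rcode.
# Client 10.0.0.31 plays an infected host cycling through generated names;
# 10.0.0.50 is a user who mistyped one domain.
SAMPLE_DNS_LOG = """\
1383642000 10.0.0.12 www.example.com NOERROR
1383642001 10.0.0.12 mail.example.com NOERROR
1383642002 10.0.0.31 qkxvbtyrejmcow.net NXDOMAIN
1383642003 10.0.0.31 ufyrmbcqkwhsdal.org NXDOMAIN
1383642005 10.0.0.50 examplle.com NXDOMAIN
1383642006 10.0.0.31 hzpgtnxoevrkwb.com NXDOMAIN
1383642010 10.0.0.31 dmcqyktxrbwnoa.biz NXDOMAIN
1383642012 10.0.0.12 cdn.example.net NOERROR
1383642015 10.0.0.31 ljvhsrntpbkwaq.info NXDOMAIN
1383642020 10.0.0.31 xwcfgqmtnrbodz.net NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(name):
    """Second-level label, e.g. 'example' for www.example.com. Simplified:
    assumes a single-label public suffix (no co.uk style handling)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name, min_len=12, min_entropy=3.5):
    """Heuristic for machine-generated labels: long and close to uniform."""
    label = registered_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        rows.append((int(ts), client, qname, rcode))
    return rows


def flag_dga_clients(rows, window=60, threshold=5):
    """Return {client: max_distinct_generated_nxdomains_in_any_window} for
    clients at or above ``threshold``. Distinct names are counted so a single
    retried typo never accumulates into an alert."""
    buckets = defaultdict(set)
    for ts, client, qname, rcode in rows:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            buckets[(client, ts // window)].add(qname)
    worst = defaultdict(int)
    for (client, _), names in buckets.items():
        worst[client] = max(worst[client], len(names))
    return {c: n for c, n in worst.items() if n >= threshold}


if __name__ == "__main__":
    print(flag_dga_clients(parse_dns_log(SAMPLE_DNS_LOG)))
```

The same per-client burst logic applies to outbound connection logs once a sinkhole address is known, which is how the 2,700 contacts quoted above would be attributed to individual hosts.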
The challenge to the NSA’s domestic surveillance program filed with the Supreme Court by the Electronic Privacy Information Center ended Monday, with the court refusing to consider the challenge at all. EPIC had filed the challenge directly with the Supreme Court rather than going through the lower courts.
“EPIC seeks a writ of mandamus to review the order of Judge Roger Vinson, United States Foreign Intelligence Surveillance Court (“FISC”) requiring Verizon Business Network Services (“Verizon”) to produce to the National Security Agency (“NSA”) call detail records, or “telephony metadata,” for all calls wholly within the United States. Mandamus relief is warranted because the FISC exceeded its statutory jurisdiction when it ordered production of millions of domestic telephone records that cannot plausibly be relevant to an authorized investigation. EPIC is a Verizon customer subject to the order. Because of the structure of the Foreign Intelligence Surveillance Act (“FISA”), no other court may grant the relief that EPIC seeks,” the group’s challenge says.
In denying the challenge, the Supreme Court made no comment about the petition or its validity, but simply refused to consider it. EPIC lawyers in their petition argued that because of the FISC’s unique position and jurisdiction, the Supreme Court was the only court with proper jurisdiction to review the challenge.
“The plain terms of the Foreign Intelligence Surveillance Act and the rules of the FISC bar EPIC from seeking relief before the FISC or Court of Review. The FISC may only review business record orders upon petition from the recipient or the Government,” the petition says.
Under the order granted by the FISC, the NSA has the ability to compel Verizon to turn over metadata related to millions of phone calls made every day. Metadata does not include the content of calls, but does comprise things such as the originating and terminating phone numbers and length of call. The revelation of the existence of this program earlier this year was the beginning of the leaks from former NSA contractor Edward Snowden related to the agency’s surveillance and intelligence-gathering capabilities. It sparked a huge amount of outrage among privacy advocates and security experts who saw it as proof that the U.S. government is conducting surveillance on American citizens.
Marc Rotenberg, the president of EPIC, said in a statement that the group was disappointed in the court’s decision and that it still maintains the FISC order is illegal.
“Obviously, we are disappointed by the Supreme Court’s decision,” said Rotenberg. “The surveillance order was clearly unlawful. There is simply no way to establish relevance for the collection of all telephone records on all US telephone customers for an intelligence investigation.
“The FISA makes it very difficult to challenge these determinations. That is why we urged the Supreme Court to take the case and reverse the order of the Foreign Intelligence Surveillance Court.”
Image from Flickr photos of TexasGOPvote.
Microsoft and Google are cooperating in an effort to make it much more difficult for child predators to find illegal images online by blocking search results for about 100,000 search terms. The companies also are collaborating on methods to better identify illegal abuse images and remove them more quickly.
Both Microsoft’s Digital Crimes Unit and people within Google have been working on this issue separately for several years now, and each company has made quite a lot of progress on the problem. They work closely with law enforcement agencies and child exploitation prevention groups not just to remove illegal abuse content but also to help victims recover. Now, the two companies are pooling their resources to prevent users from finding the content they’re looking for when they use any of about 100,000 search terms related to child abuse.
“We’ve fine tuned Google Search to prevent links to child sexual abuse material from appearing in our results,” Google Chairman Eric Schmidt wrote in the Daily Mail Monday.
“While no algorithm is perfect – and Google cannot prevent paedophiles adding new images to the web – these changes have cleaned up the results for over 100,000 queries that might be related to the sexual abuse of kids.”
Google and Microsoft both have teams that work on identifying and removing illegal abuse images from the Web, and because this process can’t be done reliably by computers, humans have to be involved in distinguishing abuse images from legitimate ones. Microsoft has been developing technology to help fingerprint illegal images, which it has shared with Google. A similar technology also is being applied to videos on YouTube.
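Fingerprinting of this kind differs from an ordinary file hash in one essential way: a cryptographic hash changes completely when an image is rescaled or re-encoded, while a perceptual fingerprint is meant to survive that. The following Python is an added example, not Microsoft’s or Google’s technology: a 64-bit difference hash over synthetic grayscale images (plain 2-D lists of pixel values, an assumption made so it runs without an imaging library), compared by Hamming distance. The same picture upscaled or with re-encoding noise keeps its fingerprint although its SHA-256 changes; the photographic negative lands at the maximum distance.

```python
import hashlib

# Assumption: images are 2-D lists of 0..255 grayscale values, so no imaging
# library is needed. A real pipeline decodes JPEG/PNG to this form first.


def resize_gray(pixels, width=9, height=8) -> list:
    """Nearest-neighbour downscale to width x height (9 columns give 8 comparisons per row)."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // height][x * src_w // width]
             for x in range(width)] for y in range(height)]


def dhash(pixels) -> int:
    """64-bit difference hash: bit = 1 where a pixel is brighter than its right neighbour.
    Only the gradient direction survives, so rescaling, brightness shifts and mild
    recompression leave the hash unchanged or nearly so."""
    bits = 0
    for row in resize_gray(pixels):
        for x in range(8):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def is_match(pixels, known_hash: int, threshold: int = 10) -> bool:
    """Perceptual match: Hamming distance to a known fingerprint within the threshold."""
    return hamming(dhash(pixels), known_hash) <= threshold


def sha256_pixels(pixels) -> str:
    """Cryptographic hash of the raw pixels, for contrast."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


# --- constructed test images (synthetic patterns, not real pictures) ---

def base_image(w=36, h=32) -> list:
    return [[(x * 37 + y * 11) % 256 for x in range(w)] for y in range(h)]


def upscaled_copy() -> list:
    """The same picture at twice the resolution."""
    return [[((x // 2) * 37 + (y // 2) * 11) % 256 for x in range(72)] for y in range(64)]


def recompressed_copy() -> list:
    """The same picture with small per-pixel noise, as lossy re-encoding adds."""
    return [[max(0, min(255, v + ((x * 7 + y * 3) % 7) - 3))
             for x, v in enumerate(row)] for y, row in enumerate(base_image())]


def inverted_copy() -> list:
    """A different picture: the photographic negative."""
    return [[255 - v for v in row] for row in base_image()]


if __name__ == "__main__":
    known = dhash(base_image())
    original_sha = sha256_pixels(base_image())
    for name, img in [("upscaled", upscaled_copy()),
                      ("recompressed", recompressed_copy()),
                      ("inverted", inverted_copy())]:
        print(f"{name:13s} sha256 equal: {str(sha256_pixels(img) == original_sha):5s} "
              f"dhash distance: {hamming(dhash(img), known):2d} "
              f"match: {is_match(img, known)}")
```

The threshold is the operational knob: too tight and re-encoded copies slip through, too loose and the false positives are exactly the cases the article says still require a human reviewer. Production systems use far more robust transforms than this, but the matching model is the same: a fingerprint list and a distance, not an exact hash lookup.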
Google also will be loaning engineers to the Internet Watch Foundation in the U.K. and the National Center for Missing and Exploited Children in the United States.
VMware announced today it has patched a privilege escalation vulnerability in VMware Workstation.
Workstation is a hosted hypervisor that runs multiple virtual machines on a single host machine. Compromising a hypervisor would give an attacker control over any number of guest machines; the risk is especially elevated in hosting or service provider environments.
This particular vulnerability is limited to the Linux version of VMware Workstation prior to version 9.0.3.
VMware also patched VMware Player for Linux prior to version 5.0.3.
The vulnerability, VMware said, is a shared library privilege escalation bug. Both Workstation and Player contain the same vulnerability, which could allow a local attacker to escalate privileges all the way to root on the host operating system.
VMware Player is bundled with Workstation and runs existing virtual machine images on the same host without the need for additional hardware.
“The vulnerability does not allow for privilege escalation from the guest operating system to the host or vice-versa,” the advisory said.
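VMware’s advisory gives no further detail, so the bug itself cannot be reproduced here. What follows is a generic added check, not VMware’s code, for the bug class the advisory names: a privileged binary whose library search path includes a directory an unprivileged local user can write to or create. It uses binutils’ readelf to read RPATH/RUNPATH entries from setuid-root binaries and flags the risky ones; the demo() layout in a temporary directory is constructed so the checks can be exercised without a real setuid binary. The scan roots are an assumption.

```python
import os
import re
import stat
import subprocess
import tempfile


def find_setuid_root(roots=("/usr", "/bin", "/sbin", "/opt")) -> list:
    """Regular files that are setuid and owned by root under the given roots (assumed roots)."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    found.append(path)
    return found


def parse_runpath(readelf_output: str) -> list:
    """Extract RPATH/RUNPATH directories from `readelf -d` text."""
    entries = []
    for m in re.finditer(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]",
                         readelf_output):
        entries.extend(p for p in m.group(1).split(":") if p)
    return entries


def runpath_entries(binary: str) -> list:
    """Library search directories baked into the ELF dynamic section (needs binutils)."""
    try:
        out = subprocess.run(["readelf", "-d", binary], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:                      # readelf not installed
        return []
    return parse_runpath(out)


def is_unsafe_dir(path: str, trusted_uids=(0,)):
    """Why a search directory is dangerous for a privileged binary; None if it looks safe."""
    if path.startswith("$"):
        return "dynamic string token ($ORIGIN etc.), resolved at load time; review manually"
    if not path.startswith("/"):
        return "relative path (resolved against the current working directory)"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing (check whether an unprivileged user can create it)"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"        # sticky bit does not stop dropping a new .so here
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}, not a trusted account"
    return None


def audit(roots=("/usr", "/bin", "/sbin", "/opt")) -> list:
    """(binary, search dir, reason) for every risky RPATH/RUNPATH entry of a setuid-root binary."""
    findings = []
    for binary in find_setuid_root(roots):
        for entry in runpath_entries(binary):
            reason = is_unsafe_dir(entry)
            if reason:
                findings.append((binary, entry, reason))
    return findings


def demo() -> dict:
    """Constructed layout in a temp dir: one safe and one world-writable directory, plus
    relative, $ORIGIN and missing entries, classified as if they came from a binary."""
    root = tempfile.mkdtemp()
    safe = os.path.join(root, "lib")
    os.mkdir(safe, 0o755)
    bad = os.path.join(root, "plugins")
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    cases = {"safe": safe, "world_writable": bad, "relative": "lib",
             "origin": "$ORIGIN/../lib", "missing": os.path.join(root, "missing")}
    # the temp dir belongs to the current user, so trust that uid for the demo only
    return {label: is_unsafe_dir(p, trusted_uids=(os.getuid(),)) for label, p in cases.items()}


if __name__ == "__main__":
    for label, reason in demo().items():
        print(f"{label:15s} {reason or 'ok'}")
    for binary, entry, reason in audit():
        print(f"{binary}: {entry} -> {reason}")
```

The dynamic loader ignores LD_LIBRARY_PATH for setuid programs, which is why attackers in this class go after the search paths recorded in the binary itself or directories the program opens with dlopen. This check covers the first case; the second needs a trace of the binary’s open() calls.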
Just about a month ago, VMware patched most of its product line, fixing authentication bypass and denial-of-service bugs in vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX and ESXi.
The most serious vulnerability was in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploitable, the affected product must be deployed in an Active Directory environment, VMware said.
Security people like to call themselves a community, but until June some might say its greatest community achievement was turning Twitter into its own private and contentious echo chamber.
But since the Snowden leaks, there’s been a palpable change and a marked swell in stand-taking. Tweeters have become activists. Companies have shut down services, or shut their doors. People are mad and, to risk a cliché, don’t want to take it anymore.
Words such as transparency are part of the security lexicon, and the long-neglected and apparently subverted protocols, algorithms and standards supporting encryption technologies are no longer skeletons in the closet.
The NSA has done Americans—and “non-Americans”—wrong by collecting the metadata from our phone calls, tapping data center fiber links to monitor our Google searches and email messages, and trampling all over the First Amendment in the name of national security.
And in the process, they’ve stepped on the toes of the security community. They’ve trampled too into your backyard by crippling NIST standards development from the get-go, legally or otherwise coercing companies into giving up encryption keys, and hinting that they can hack their way into companies to steal them if necessary.
The response has been admirable. Google, Facebook, Microsoft, Twitter, LinkedIn and others have all petitioned the government to allow those foundational Internet companies to be more forthcoming about the national security requests for customer data they receive. By law they’re not allowed to provide specific data about National Security Letters, but they’re arguing to the highest courts that they should be able to, if for no other reason than to demonstrate that they’re not complicit with the NSA or FBI in providing user data without a warrant.
Other companies, such as the secure communications providers Lavabit and Silent Circle, have taken their own stands. Lavabit, allegedly Edward Snowden’s secure email provider, shut its doors overnight after being forced to turn over the SSL keys for its service. Silent Circle, seeing the writing on the wall, did the same with its Silent Mail service.
And then you have grassroots movements such as the TrueCrypt audit which raised more money than it anticipated in order to look at oddities in the Windows binaries of the popular open source encryption product. It just might keep the movement going to peer inside other ubiquitous open source security software.
“One of the lasting impacts of the Summer of Snowden is that it’s radicalized members of the security community,” Chris Soghoian told Threatpost last month. “Some of these systems, we’ve long known weren’t good, but no one was incentivized do something. Now they’re asking tough questions and realizing that [the government saying] ‘Just trust us,’ doesn’t work. It’s funny watching peers who are more conservative and scientists who believe their only job is to publish papers—it’s funny watching them become active too.”
But is it helping? Are you tweeters-turned-activists just spitting into the wind?
Every time NSA Director Gen. Keith Alexander, or Director of National Intelligence James Clapper, sit before a Congressional committee to explain the agency’s surveillance activities, they’re quick to point out there is a legal basis for this activity. And by the letter of the law, they’re probably correct. There’s always a loophole. There’s always a crack to slither through unscathed. There’s always a way—and there’s certainly a will.
And not only are lawyers working against you, but powerful lobbies and perhaps misinformed lawmakers. For every USA FREEDOM Act that’s submitted for consideration, you have something such as the FISA Improvements Act from Sen. Dianne Feinstein, the powerful chair of the Senate Intelligence Committee who supports NSA surveillance. While the Feinstein bill contemplates ratcheting back some of the NSA’s powers with regard to surveillance, it tacitly approves of metadata collection, for example, and would allow it to continue. This contrasts with the FREEDOM Act, which calls for the immediate and permanent suspension of bulk data collection.
NSA reform will be difficult to come by, rest assured of that. It’s probably fair to say most Americans still stand by that old chestnut that “I have nothing to hide, so what do I care if they monitor what I’m doing.” But the security community—yes you’ve become a community—knows better. There’s finally a call to action that has awakened passion in people who suddenly understand why it’s important to stand up and try to make a difference.
Apple has released a new fix for iOS 7–no, it doesn’t roll your phone back to iOS 6–that patches a vulnerability that enabled a user to make app or in-app purchases without needing to enter a password.
The release of iOS 7.0.4 marks the third update of the iPhone operating system in the short time since Apple pushed out iOS 7 in September. The new OS represented a major change from the older operating systems, both in the look and feel of the software and in its functionality. There’s much zooming in and out and all about in iOS 7, as well as a blurry background that has drawn quite a bit of criticism.
iOS 7 also was a major security release, fixing issues with the iPhone’s certificate trust policy as well as remote code-execution vulnerabilities in the CoreGraphics and CoreMedia components. Quickly following the release of iOS 7, researchers discovered two different methods of bypassing the passcode lock on the iPhone. Apple ended up fixing those in point releases in October.
Now, the company has pushed out another patch for iOS 7, this one with a single security fix.
“A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization,” the Apple advisory says.
To update, iPhone users can go to their Settings and install the software update.
Image from Flickr photos of Klaus.
Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that’s being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs.
The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA’s PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency “direct access” to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn’t provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted.
That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA’s infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they’re no longer willing to be participants, witting or otherwise, in the NSA’s surveillance programs. Bruce Schneier, the cryptographer and security expert who has seen some of the NSA documents leaked by Edward Snowden, wrote in a new analysis of the current climate that there appears to be a “fraying” of the surveillance partnerships that have existed for years.
“The Snowden documents made it clear how much the NSA relies on corporations to eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already eavesdropping on every Internet user — surveillance is the business model of the Internet, after all — and simply got copies for itself,” Schneier wrote in his essay.
“Now, that secret ecosystem is breaking down. Supreme Court Justice Louis Brandeis wrote about transparency, saying ‘Sunlight is said to be the best of disinfectants.’ In this case, it seems to be working.”
A partnership requires at least two parties, however, and the disinfectant that has helped bring the anger and disappointment of tech companies out into the open has so far not made its way into the NSA. There are several bills making their way through Congress at the moment, and surely more to come, and some of them are designed to require more transparency of the NSA’s activities. Transparency is one thing; reform is quite another.
The surveillance programs that the NSA and other intelligence agencies have been conducting for years now have relied on weaknesses in the Internet infrastructure, ones that they have taken advantage of in order to gobble massive amounts of data. As many security experts have pointed out, those same weaknesses can be exploited by any other kind of attacker, and their presence makes the Internet itself weaker. Fixing those weaknesses will take some doing, as many of them lie in the basic infrastructure of the network, but as Schneier points out, the job needs doing.
“It’s impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot. We have a choice between an Internet that is vulnerable to all attackers, or an Internet that is safe from all attackers. And a safe and secure Internet is in everyone’s best interests, including the US’s,” he wrote.
Image from Flickr photos of Jim Kelly.