Intelligence officials appearing before the House Permanent Select Committee on Intelligence on Tuesday denied collecting the phone records of citizens in France, Spain and Italy, as recently reported by media outlets in those countries.
“The assertions made by Le Monde of France, El Mundo of Spain and L’espresso of Italy are completely false,” said NSA Director Gen. Keith Alexander, who added that screenshots cited as evidence of collection were from a data management tool and that the newspapers did not understand what they were looking at. “The tool counts metadata and displays metadata. This data was legally collected and provided to us by foreign partners. It is not information we collected on European citizens. It represents data we and our NATO allies collected in defense of our countries and in support of military operations.”
The latest Snowden leaks came to a head when allegations surfaced that the NSA and U.S. intelligence were spying on foreign heads of state, including German Chancellor Angela Merkel.
Director of National Intelligence James Clapper told the committee that is part and parcel of intelligence operations, something he learned in school going back to 1963.
“The plans and intentions of foreign leaders is important to know,” Clapper said. “That’s a perennial since I’ve been in intelligence. Leadership intentions is a basic tenet of what we collect and analyze.”
Clapper said foreign heads of state are monitored, and that type of activity is a two-way street with U.S. allies likely conducting the same activity against American leadership.
Committee chairman Rep. Mike Rogers (R-Mich.) asked Alexander point-blank if U.S. allies are engaged in espionage against the U.S., to which Alexander replied: “Absolutely,” adding that it’s ongoing.
Clapper said spying on foreign leaders, including allies, helps the U.S. determine whether an ally’s policies and actions are a match.
“It’s invaluable to us to know where countries are coming from, what their policies are, and how they impact us on a range of issues,” Clapper said.
Clapper and Alexander again stood up for their actions against a backdrop of oversight they say is unmatched worldwide. Alexander added that the NSA will hire a privacy and civil liberties officer, adding further oversight and compliance obligations to their efforts.
“We want to demonstrate that we have a front door, that we have transparency and we take it seriously,” Alexander said. “This is a huge step forward, and there’s more we have to do in terms of pushing information to the press.”
They were also pushed on a perceived lack of transparency in informing Congress of the wiretapping of foreign leaders as mandated by the 1947 National Security Act. Clapper, however, said the intelligence efforts lived up to the spirit and letter of the law.
Today’s hearing was held under the auspices of potential changes to the Foreign Intelligence Surveillance Act (FISA). Alexander defended the actions of the NSA and derided the leaks coming from whistleblower Edward Snowden as treasonous and damaging to the U.S.’s ability to defend against terrorists.
A mass injection campaign has surfaced over the last two weeks that’s already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer.
The campaign, dubbed GWload by researchers at Websense, relies on a Cost Per Action scam that convinces users that the page they’ve navigated to has been locked and that they need a special version of VLC Player to open it.
A Cost Per Action scam is a social engineering ploy in which the attacker locks content until the visitor completes a certain action. In this case, attackers are using code to defeat browser-based ad-blocker software and then tricking users into downloading something they don’t need.
While VLC Player is a legitimate media player, the version being linked to here is loaded with copious amounts of bloatware. Binaries of more than half a dozen different types of software, including ShoppingChip, SweetIM/SweetPacks, Amonetize Updater, CouponScout, Bprotector and CS Browser Assistant are silently downloaded when the user agrees to download VLC Player and another piece of software, Registry Helper, that piggybacks onto it.
Websense notes the GWload attack has mostly centered on business and economy websites in the United States but ‘Sex,’ ‘Web Hosting’ and ‘Information Technology’ sites and webpages in Taiwan, Italy and Germany also make up a good chunk of the infected sites.
While Websense first noticed the injection campaign pop up the week of Oct. 14, it appears to have really caught on as of late. A graph on the firm’s Security Labs blog today points out that it has spotted nearly 275,000 injected web pages, and that’s just in the last week.
Researchers are suggesting the timing of the campaign coincides with the arrest of “Paunch,” the creator of the Blackhole Exploit Kit, the week before. Elad Sharf, a senior security researcher at Websense, wrote that the change in tactics – from serving exploits to serving social engineering tricks – “could suggest that actors adapt to change rapidly to keep their attack going.”
Unlike Blackhole though, this campaign doesn’t lead to malicious payload websites but to actual legitimate websites that have been compromised and used as launching pads for the rogue software installations.
Paunch, the alleged hacker behind the famed Blackhole Exploit Kit was arrested earlier this month in Russia. It’s unclear if there’s actually a connection between the arrest and the increased proliferation of these kind of campaigns. At the time Aleks Gostev, chief security expert for Kaspersky Lab’s Global Research & Analysis Team prophesied Black Hole would either “disappear, be taken over by other developers, or replaced by other exploit kits.”
The annual Social Engineering Capture the Flag contest held during DEF CON may seem on the surface to be just an opportunity for pen-testers and hackers to flex their pretexting muscles. But if you’re one of the 10 major technology, manufacturing and critical infrastructure organizations targeted by this year’s contestants, you might want to re-evaluate how well-equipped your staff is to ward off sneaky people.
Social engineering is the linchpin and launching pad for just about every targeted attack that’s been made public. Hackers comb social media sites, online forums, company directories and any other source of intelligence available looking for an edge that will help them get through the front door, or at least through the network perimeter.
The end result ranges from identity theft, to the loss of customer data, to the loss of intellectual property or military/government secrets.
This year, a team of 10 men competed against 10 women, turning their skills against the likes of Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney Corp., targeting “flags” such as learning which Internet browser(s) are in use at a company, operating system information, wireless access information, whether a virtual private network is used by remote employees and whether there is an onsite cafeteria.
Competitors had two weeks to gather open source intelligence data prior to DEF CON, excluding onsite visits or phishing attempts; they were able to use only Web-based tools in order to prepare a report on their targets. And then during DEF CON, the competitors would use that data during a live-call session that took place during the annual hacker conference in Las Vegas.
“What was notable was the huge amount of information gathered during the OSI portion,” said Chris Hadnagy, founder of Social-Engineer.com, and organizer of the SECTF. “Previously, we’d see a handful of reports with monster amounts of information. This year, there was an unbelievable amount of information. One contestant found an Internet log-in page with a link to a help document that did not require credentials. In that document, they gave you an example of a log-in with a picture of a corporate ID that worked and we were able to log in. Things like that are shocking in 2013 to see.”
Perhaps as shocking is the volume and quality of information given up by the target organizations. Regardless of industry category—be it manufacturing, technology, retail, or energy, oil and gas—the contestants were able to walk off with details on the browser being used in that company, and version number; that was the top flag obtained throughout the competition. Operating system information was also coveted and snared by the competitors, as was whether a VPN was in use.
“Companies are still using browsers like IE 7, the majority are on IE 7. That’s a major blunder in my opinion,” Hadnagy said. “They’re still using a vulnerable browser and people were willing to give that information out to strangers on the phone. It opens them up to a plethora of phishing, phone and onsite impersonation.”
Knowing such information as browser, OS or even VPN details can give a hacker a measure of trust on a call to internal support looking for system access.
The competitors also were able to gain details that could enable physical access such as the food service used by the organization and whether there is an onsite cafeteria; these two details were among the top five sought after and given up by critical infrastructure such as oil and gas utilities.
“How hard is it to obtain a t-shirt, ballcap or clipboard for the company that does food service? How many times are you going to get stopped carrying food into a building? No one stops you,” Hadnagy said. “You don’t need a corporate badge to be invisible. This opens you up to impersonation attacks.”
According to the scoring provided by the contest, Apple fared the worst, followed by General Motors, Home Depot, Johnson & Johnson and Chevron. Details on specific vulnerable areas were not made public, but are available to the target companies upon request, Hadnagy said.
“This is my opinion, but most awareness training is not worth its weight,” Hadnagy said. “The proof is in how easy attacks are carried out against companies with regular security awareness training.”
Still, companies that do conduct training aren’t doing it regularly, according to the results gathered. Some refresh less than annually, while others went so far as to admit to the pretexters that they’d had it during new-employee orientation and never again in the years since.
“The purpose for us holding this competition is to raise awareness of social engineering as a threat,” Hadnagy said, adding that corporations should consider social engineering as part of regular penetration tests. “We’re seeing an increase of social engineering in pen-testing, but we’re not seeing it accepted by many major corporations.”
President Barack Obama has initiated a review of the procedures and methods that the NSA uses to collect intelligence at home and overseas to ensure that the agency isn’t overstepping its bounds in phone and Internet data collection.
The review comes at a time when Congress is set to consider several bills that may affect the way that the NSA and other agencies are able to gather information. Rep. Jim Sensenbrenner (R-Wisc.) has introduced the USA FREEDOM Act this week, which would restrict the way the NSA can gather intelligence, specifically by ending the bulk collection of data under Section 215 of the USA PATRIOT Act.
The bill will “rein in the dragnet collection of data by the National Security Agency (NSA) and other government agencies, increase transparency of the Foreign Intelligence Surveillance Court (FISC), provide businesses the ability to release information regarding FISA requests, and create an independent constitutional advocate to argue cases before the FISC,” Sensenbrenner’s summary says.
Now, in a video interview with ABC News on Monday, Obama said that his administration is undertaking a review of the NSA’s collection methods.
“We give them policy direction. But what we’ve seen over the last several years is their capacities continue to develop and expand and that’s why I’m initiating now a review to make sure that what they’re able to do doesn’t necessarily mean what they should do,” Obama said in the interview.
The review, which Obama didn’t go into in any detail, is one of many results of the leaks of NSA collection methods from Edward Snowden, a former NSA contractor. Another outcome from all of the leaks and speculation is the ongoing series of hearings in Congress about the intelligence community’s methods. The most recent hearing is scheduled for Tuesday afternoon before the House Intelligence Committee and it concerns potential changes to the Foreign Intelligence Surveillance Act, one of the laws on which the NSA’s data collection capabilities are built. That hearing will include both James Clapper, the director of national intelligence, and Gen. Keith Alexander, the director of the NSA.
UPDATE: Rep. Jim Sensenbrenner (R-Wisc.) is introducing a bill that would counteract many of the elements of the U.S. PATRIOT Act that enable the mass collection of data belonging to U.S. citizens.
Sensenbrenner’s bill is called the USA FREEDOM Act, a quasi-acronym for Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet Collection, and Online Monitoring Act. The broadly stated purpose of the bill is to “rein in the dragnet collection of data by the National Security Agency (NSA) and other government agencies, increase transparency of the Foreign Intelligence Surveillance Court (FISC), provide businesses the ability to release information regarding Foreign Intelligence Surveillance Act (FISA) requests, and create an independent constitutional advocate to argue cases before the FISC.”
Ironically, Sensenbrenner also initially introduced the PATRIOT Act to the U.S. House of Representatives in October 2001.
On ending the bulk collection of U.S. citizens’ communication data, the bill aims to nullify such collection as permitted by Section 215 of the PATRIOT Act; strengthen the prohibition of reverse-targeting, which is the practice of targeting a non-U.S. citizen with the clear goal of acquiring a U.S. citizen’s data; and more stringently require that the government aggressively filter and discard any information accidentally collected through PRISM and related programs.
Regarding reforms to the FISC, the bill would create an Office of the Special Advocate that would promote privacy within FISC’s closed hearings and have the authority to appeal FISC decisions; require that the FISC and the broader foreign intelligence community report their actions to Congress more robustly; and grant the Privacy and Civil Liberties Oversight Board subpoena authority to investigate issues related to privacy and national security.
The bill would also increase transparency with provisions designed to end secret laws by requiring that the Attorney General publicly disclose all FISC decisions issued after July 10, 2003 that required a significant construction or interpretation of law; allow Internet and telecom companies to publicly report estimates of the number of FISA orders and National Security Letters (NSL) received, the number complied with, and the number of user accounts affected by such orders; and further require that the government produce its own annual or semiannual transparency reports indicating the total number of people and businesses subject to orders enabling electronic surveillance.
If passed into law, the USA FREEDOM Act would “adopt a single standard for Section 215 and NSL protection to ensure the administration doesn’t use different authorities to support bulk collection” in addition to establishing a sunset provision that could end the practice of issuing NSLs, ensuring proper congressional review of the practice.
Sensenbrenner’s bill is a near-direct reaction to the U.S. government’s alleged mass surveillance programs revealed by NSA whistle-blower Edward Snowden and published by The Guardian.
It is not clear whether the House will even consider Sensenbrenner’s bill or any other similar ones – let alone pass it on to the Senate, which will need to pass it as well before the president has a chance to sign it into law. However, the bill mirrors largely negative public sentiment surrounding the NSA’s surveillance activities. Advocacy groups from across the political spectrum are calling on Congress to end such practices and even held a rally at the Capitol last weekend expressing discontent with the status quo.
“Recent revelations of the NSA’s expansive surveillance programs harm user trust in the digital ecosystem, stifle innovation, and lead to a harmful balkanization of the Internet,” wrote Harvey Anderson, senior vice president of business and legal affairs at the Mozilla Foundation on the Mozilla Blog.
Bruce Schneier and numerous other security experts have expressed similar sentiments.
“We don’t know what’s been tampered with. Nothing can be trusted. Everything is suspect,” Schneier told Threatpost in an interview in late September.
This lack of trust in many of the Internet security protocols on which we have come to rely, many, Schneier among them, have argued is perhaps the most damaging aspect of the NSA surveillance revelations.
While Anderson expresses concerns that the revelations may cause people to lose faith in the security of and stop using digital communications tools altogether, he is ultimately optimistic. This bill and another sponsored by Democratic Rep. Jim Leahy of Vermont in the Senate may have the impact of undoing the damage done and rebuilding the trust that is essential to the Internet.
“Certainly, more is required to address this issue as each day we learn of new and disturbing aspects of global surveillance on citizens around the world,” Anderson wrote. “The Freedom Act is not a wholesale fix to the myriad of issues exposed by the NSA’s surveillance programs, but it is a step in the right direction.”
A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user’s Facebook access token and take over her account. The same researcher also discovered a separate, similar flaw in the Facebook Pages Manager for Android, an app that allows admins to manage multiple Facebook accounts. That bug also enables other apps to grab a user’s access token.
The vulnerabilities were discovered earlier this year by Mohamed Ramadan, a researcher at Attack Secure, who reported them to Facebook and was rewarded with $6,000 in bug bounties. The first vulnerability lies in the way that the main Facebook app and the Facebook Messenger app for Android devices handles a user’s access token, which is essentially the key to accessing a Facebook account. This flaw would allow a malicious app to get the access_token stored on a user’s device and then hijack the user’s account, Ramadan said.
“Imagine this scenario: you are a facebook user, you have an android phone/tablet and you installed the facebook main app and messenger app for android. Now you get a message from a friend or from someone on facebook, you open the message to read it and there is an attachment like: a movie, doc, pdf, pic or any file that can be attached in facebook messages,” Ramadan said in a blog post explaining the exploit scenario.
“You click on the file to download it and at the same time your facebook access_token is leaked to android logcat, which means that ANY android app can read and capture your facebook access_token stealthily and hijack your account.”
“If you don’t know what logcat is, it is a tool built into all android devices to collect the log messages from all android apps.”
Ramadan said that the Facebook access_tokens don’t expire, meaning that the danger remains indefinitely if the user hasn’t updated his Facebook apps to patch the vulnerability.
The second vulnerability is in the Facebook Pages Manager app for Android, which is designed to help users manage a number of different accounts. The app, which has been installed more than 10 million times, has a similar flaw to the main Facebook app that allows a malicious app to get a user’s access_token, but in this case the user doesn’t need to download or run any code from anywhere else.
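One defender-side check this pair of bugs suggests, as an added example that is not from Ramadan’s write-up or from Facebook’s code: a small Python scanner that runs over logcat output captured during QA and flags any line where an OAuth token (an access_token query parameter or a Bearer header) has been written to the shared log, reporting only a redacted prefix. The line layout is the standard logcat "threadtime" format; the token patterns and the sample log lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Android logcat "threadtime" layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message".
# Header lines such as "--------- beginning of main" do not match and are skipped.
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# Credential shapes that must never reach a log other apps may read.
# The minimum length and character class are assumptions, not Facebook's token format.
SECRET_PATTERNS = {
    "access_token_param": re.compile(r"access_token=([A-Za-z0-9._\-]{16,})"),
    "bearer_header": re.compile(r"Bearer\s+([A-Za-z0-9._\-]{16,})"),
}


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding can be traced to its source; hide the rest."""
    return secret[:4] + "..." + "*" * 6


def scan_logcat(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per leaked credential, never echoing the full secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # not a logcat record (buffer header, blank line, etc.)
        for kind, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(m.group("msg")):
                findings.append({
                    "line": lineno,
                    "pid": int(m.group("pid")),
                    "level": m.group("level"),
                    "tag": m.group("tag"),
                    "kind": kind,
                    "redacted": redact(hit.group(1)),
                })
    return findings


def has_leaked_secrets(lines: List[str]) -> bool:
    """Convenience gate for a CI step: fail the build if any credential was logged."""
    return bool(scan_logcat(lines))


# Constructed sample capture: an attachment download that logs the request line
# and the Authorization header verbatim (the defect class described above).
SAMPLE_LOGCAT = [
    "--------- beginning of main",
    "10-28 14:03:22.101  4321  4321 I FacebookApp: Opening attachment report.pdf",
    "10-28 14:03:22.240  4321  4350 D HttpClient: GET /attachment?id=42&access_token=CONSTRUCTEDtoken0123456789abcdef HTTP/1.1",
    "10-28 14:03:22.311  4321  4350 V HttpClient: Authorization: Bearer CONSTRUCTEDbearerXYZ1234567890",
    "10-28 14:03:23.005  4321  4321 I FacebookApp: Download complete",
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']}: pid {f['pid']} tag {f['tag']} leaked {f['kind']} -> {f['redacted']}")
```

Pipe a real capture in with `adb logcat -v threadtime -d` and run the same scan before a release build ships.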
That vulnerability has been patched as well, and Ramadan said users should update their apps immediately in order to protect against attacks. Ramadan earlier this year discovered a vulnerability in the Facebook app and Facebook Messenger app that allowed an attacker to access and download a user’s photos.
Google announced a change to its reCAPTCHA authentication system late Friday wherein the company will begin creating different types of puzzles for different users, use numeric CAPTCHAs and move away from more obscure, hard-to-read distorted letters.
CAPTCHAs are the series of distorted letter puzzles internet users may encounter as an added layer of human authentication on some websites and email clients.
The move incorporates “advanced risk analysis techniques” according to Vinay Shet, reCAPTCHA’s product manager, who wrote about the update in a post on Google’s Online Security Blog.
According to Shet, the update considers user engagement before, during and after the user interacts with the puzzle, and should deter bots, which have become more sophisticated and skilled at cracking reCAPTCHA over the last few years.
Google’s studies found numeric CAPTCHAs easier to solve for humans, and that with them they were able to achieve nearly perfect pass rates. While more information about the study is still forthcoming, Google boasts that the new “multifaceted approach” will make it so bots “won’t even see” the numbers.
It’s unclear just how the service will create different CAPTCHAs for different users but the blog post hints that the new method should better protect its users from attackers and “serve less as a test of humanity,” as opposed to the CAPTCHAs users are familiar with that merely characterize humans and bots.
Google acquired reCAPTCHA in 2009 in hopes of beating spammers who were creating multiple fake accounts to defraud authentication mechanisms. reCAPTCHA is a popular variation of CAPTCHA, first coined by students at Carnegie Mellon University as an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.
As the years have progressed, technology has as well. Bots or in some cases, humans hired to solve the squiggly puzzles have been working hard to crack CAPTCHAs and have succeeded. Countless research groups have poked holes in the challenge-response mechanism over the years. Researchers at Newcastle pointed out the algorithm’s insecurities in 2008 (.PDF) and Stanford built a tool to bust it called DeCAPTCHA in 2011.
Google’s announcement comes at an interesting time – just yesterday a small California startup threw more research on the pile, proclaiming text-based CAPTCHAs “no longer effective as a Turing test.”
Vicarious, a Bay Area firm announced yesterday it found a new way to break most types of CAPTCHAs – including Google’s – using artificial intelligence that apparently achieves success rates up to 90 percent. The work is part of something the group is calling its Recursive Cortical Network, something it anticipates will have repercussions down the road for security, medicine and robotic fields.
The list of objectors to the TrueCrypt open source license is a long one and includes some popular distributions such as Debian, Fedora—and by extension Red Hat. In fact, the wrangling over the TrueCrypt license dates back as far as 2006, long before there were serious inquiries as to the trustworthiness of the popular disk encryption software and whether it had been backdoored by a three-letter U.S. intelligence agency or a foreign power.
Now that a serious effort is under way to audit the integrity of not only the TrueCrypt code but its license, people want to put concerns about using TrueCrypt to rest, resolving not only the license status but also documenting repeatable, deterministic builds of TrueCrypt from source code for Windows, Mac OS X and Linux.
The license, however, requires legal help be brought into the fold. It requires agreed-upon interpretations of a license that some have called “dangerous” and have said introduces more risk and liability to its users than it’s worth.
“It’s one of the least open open-source licenses,” said Kenneth White, who along with cryptographer Matthew Green, helped get IsTrueCryptAuditedYet? off the ground. “It’s certainly very unconventional by U.S. case law standards.”
The project is currently not only evaluating a professional auditing service provider who will look at the 1s and 0s behind TrueCrypt, but is also looking for legal help to wade through the murkiness that is the license. To date, it has raised more than $50,000 to fund the effort.
Against the backdrop of surveillance by the NSA and a call to look closer at the TrueCrypt code, in particular the Windows binaries, the license issue was revisited on Oct. 16 on an OpenSource.org forum. Some expressed discomfort with many provisions in the license, even after it was reviewed and some initial concerns addressed. For example, posters on the forum were concerned about how broad the indemnification clause is protecting the anonymous authors of TrueCrypt. The language is confusing and vague, leaving far too much room for interpretation, according to some; in fact, this is something the license seems to acknowledge with a provision that states:
“If you are not sure whether you understand all parts of this license or if you are not sure whether you can comply with all terms and conditions of this license, you must not use, copy, modify, create derivative works of, nor (re)distribute this product, nor any portion(s) of it. You should consult with a lawyer.”
White said resolution of such issues is critical in order to create the verified, independent version-control history repository for the code that includes a signed source and binary.
“I believe we need to ask the question no one seems to have ever really asked: Why are certain provisions in the license? What, precisely, are the TrueCrypt developers trying to do? Have they been burned in the past?” White said.
Uncertainty of the wording is what led Red Hat, Debian and the Open Source Initiative to recommend against using TrueCrypt. Green said the license fails to explain how the license can be used and under which conditions.
“It didn’t say you could use the license under these conditions and it’s fine, it was a bunch of things you couldn’t do with it and didn’t make it clear what you could do,” Green said. “It seemed to have either been written by somebody who doesn’t know how to write licenses very well, or it was written maliciously. Nobody knows.”
There are also legitimate questions as to whether the license is enforceable under current case law, White said, referring to the above provision. The lack of clarity going back a half-decade or more still haunts TrueCrypt and contributes to the current atmosphere of mistrust.
“I actually think this whole exercise is just evidence of the beginnings of a much larger call-to-arms for vigilance, across the open source and security communities generally,” White said. “Let’s be honest—when NIST literally recalls a published cryptographic primitive and ‘strongly recommends against using’ it, over evidence of deliberate efforts to weaken encryption standards by US intelligence operatives, we have entered a whole new era. And the RSA BSAFE and DPM announcements only serve to punctuate that imperative.
“Clearly, we are collectively paying attention now,” White said. “Here’s hoping our modest project will make a dent in restoring some much needed confidence.”
WASHINGTON — Saturday marked the 12-year anniversary of the initial signing of the controversial USA PATRIOT Act, the anti-terrorism bill signed into law shortly after the terrorist attacks on Sept. 11, 2001, sections of which have allegedly given federal law enforcement the authority to surreptitiously collect the digital communications data of millions of innocent U.S. citizens.
Protesting the U.S. government’s sweeping surveillance program, as revealed by NSA whistle-blower Edward Snowden, thousands of privacy and security advocates convened at Union Station in the nation’s capital and marched to the Capitol steps on Saturday.
The Stop Watching Us coalition, a conglomeration of whistle-blowers, technologists, activists, and public advocacy groups, organized the rally, demanding that Congress reveal the full extent of federal law enforcement’s spying activities. As one speaker at the rally noted, the coalition brings together strange bedfellows, drawing support from different ends of the political and cultural spectrum. Members of the coalition include Chinese artist and human rights activist Ai Weiwei, the Tea-Party aligned political fundraising group FreedomWorks, a Vermont company that makes ice cream, called Ben & Jerry’s, The Electronic Frontier Foundation, and the man widely credited with having invented the World Wide Web, Tim Berners-Lee, among others.
In a letter to Congress, the coalition demanded that it enact reform “to Section 215 of the USA PATRIOT Act, the state secrets privilege, and the FISA Amendments Act to make clear that blanket surveillance of the Internet activity and phone records of any person residing in the U.S. is prohibited by law and that violations can be reviewed in adversarial proceedings before a public court; Create a special committee to investigate, report, and reveal to the public the extent of this domestic spying. This committee should create specific recommendations for legal and regulatory reform to end unconstitutional surveillance; Hold accountable those public officials who are found to be responsible for this unconstitutional surveillance.”
Amidst much chanting, drumming, and outraged shouting, the rally-goers delivered some 575,000 signed anti-surveillance petitions to the steps of U.S. Capitol Building.
The evening before the rally, the Electronic Privacy Information Center and Public Citizen hosted a crypto-party at Public Citizen’s second story office in DuPont Circle. EFF staff members and others put on clinics on setting up encrypted email, browsing securely on the Tor network, and a system called Secure Drop, originally developed by the late technologist and open-Internet activist Aaron Swartz, and designed to let whistle-blowers and other sensitive sources deliver information securely to the media.
Cryptographer and Internet security philosopher Bruce Schneier and former New Mexico governor and Libertarian Party presidential candidate Gary Johnson provided keynotes at the crypto party.
Schneier urged the audience to use encryption, thus making blanket data collection too expensive for the NSA. Encryption works, he claimed, noting that law enforcement had culled ten times more information from Yahoo than from Google, which is counterintuitive given Google’s far larger user-base, but makes sense when you consider that Google has SSL implemented by default, and Yahoo only recently announced that it would implement SSL by default in the coming months.
“The math works, but math has no agency,” Schneier said. “The vulnerabilities come when you turn the math into software, into systems, onto computers, onto networks.”
He went on to say that Snowden’s revelations seem to suggest that the NSA is not breaking encryption but rather that they are exploiting bad implementations and default or weak keys, deliberately inserting backdoors, and exfiltrating data.
Schneier espoused a need to move government surveillance from a wholesale practice to a retail one by using encryption and making data collection more expensive.
“Even if you are doing nothing secret,” he went on, “you’re providing cover traffic for all the dissidents that rely on this to stay alive. The more we can encrypt, the more we can protect those who need to encrypt.”
Former governor Johnson reluctantly analogized the scale of NSA programs to the climate in pre-World War II Germany.
“I don’t want the government to fix anything when it comes to the Internet. And I certainly don’t want the government involved in this scale of broad-based surveillance that, historically, you do have to go back to Germany pre-World War Two and the monetary collapse that happened in Germany and the rise of power of Hitler and the information gathering. I mean, I hate to bring those analogies up, but they exist and that is where all of this ultimately goes.”
Dennis Fisher talks with Jeremiah Grossman of WhiteHat Security about the company’s new Aviator browser, which employees have used for years and which the company has just released as a public project.
http://threatpost.com/files/2013/10/digital_underground_130.mp3
LinkedIn stood up for its new Intro app for iOS by providing some high-level transparency into how it handles communication between devices and its network, and took time to call initial criticism of the app inaccurate and speculative.
In the meantime, one security researcher posted details online of how he was able to spoof the profile information LinkedIn drops into the iOS Mail app and the relative ease with which this facilitates a phishing attack.
Intro arrived last Wednesday and immediately security experts voiced concern over the integrated service’s behavior, in particular how it sits as a proxy between the native iOS Mail client and your email provider. All IMAP and SMTP messages are routed to and from LinkedIn’s servers and an Intro bar is inserted into every message. The bar is essentially a shortcut to the sender’s LinkedIn profile, and includes their profile picture and a dropdown with additional information about the person and links back to their profile.
Bishop Fox, a security consultancy in San Francisco, posted a lengthy warning about Intro, pointing out that the app likely violates corporate email policy, breaks cryptographic signatures and creates a central collection point for government surveillance.
“Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reverse them if they wanted to do so,” Bishop Fox analysts Vinnie Liu and Carl Livitt said. “You are effectively putting your trust in LinkedIn to manage your users’ device security.”
Bishop Fox also asserted that Intro installs a new configuration profile onto the Apple device in order to re-route email messages through LinkedIn. It warns that such a profile could enable whoever controls it to install or delete apps, restrict functionality on the phone or even wipe it clean.
LinkedIn senior manager for information security Cory Scott said Intro does not change the device’s security profile as Bishop Fox suggests.
“We worked to help ensure that the impact of the iOS profile is not obtrusive to the member,” Scott wrote in a blogpost on Saturday. “It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro Web endpoint through a Web shortcut on the device.”
Scott also said Intro is isolated onto a separate network segment, services were hardened reducing exposure to third-party monitoring and tracking, and that every line of credential hardening and mail parsing/insertion code was reviewed by security consultancy iSEC Partners and pen-tested by LinkedIn’s internal analysts.
In addition, Scott confirmed that SSL/TLS is used to encrypt communication between the device, LinkedIn and the email provider.
“When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form,” Scott said. “And once the user has retrieved the mail, the encrypted content is deleted from our systems.”
None of that, however, stopped Jordan Wright, a security engineer at CoNetrix, from spoofing the Intro profile information inserted into a Mail client message.
Wright posted some details on his blog. He started by intercepting the configuration profile Intro sends to the Apple device, the one that installs the new email account pointing at LinkedIn’s IMAP and SMTP proxy servers. From that profile he was able to recover the username and password the device uses to log into LinkedIn’s services. Using those credentials, he was able to see the content LinkedIn’s IMAP proxy injects into each message, and ultimately to hide the genuine Intro data in favor of spoofed data he injected into the message himself.
He demonstrates a harmless example online, yet an attacker could inject links to malicious sites or apps.
“While LinkedIn Intro seems like it would be useful on the surface, the security risks of using it are simply too high,” Wright said.
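The step that made Wright’s spoofing possible is worth seeing concretely. An iOS configuration profile is an XML property list, and a profile that provisions a mail account carries the account’s server, username and password as plain keys, so anyone who can capture or read the profile can lift the credentials with a few lines of code. The following is an added example, not Wright’s code or LinkedIn’s; the profile it parses is a constructed sample with hypothetical hosts and credentials, shaped like an Apple managed-mail payload plus a web clip. The field names (PayloadContent, com.apple.mail.managed, IncomingMailServerHostName, IncomingPassword and so on) are Apple’s documented profile keys; the values are made up.

```python
import plistlib

# Constructed sample (hypothetical hosts and credentials), shaped like an iOS
# configuration profile that adds a managed IMAP account plus a web clip.
# It is NOT LinkedIn's actual Intro profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>net.example.intro-proxy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountDescription</key><string>Mail (via proxy)</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.example.net</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>IncomingMailServerUsername</key><string>proxy-user-1234</string>
      <key>IncomingPassword</key><string>s3cr3t-proxy-token</string>
      <key>OutgoingMailServerHostName</key><string>smtp-proxy.example.net</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
      <key>OutgoingMailServerUsername</key><string>proxy-user-1234</string>
      <key>OutgoingPassword</key><string>s3cr3t-proxy-token</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>Intro</string>
      <key>URL</key><string>https://intro.example.net/</string>
    </dict>
  </array>
</dict>
</plist>
"""

MAIL_PAYLOAD = "com.apple.mail.managed"


def looks_signed(data: bytes) -> bool:
    """A CMS-signed .mobileconfig is a DER blob and starts with an ASN.1 SEQUENCE
    tag (0x30); an unsigned one is plain XML.  A signed profile needs the CMS
    wrapper removed before plistlib can read it."""
    return data[:1] == b"\x30"


def load_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig (XML plist) into a dict."""
    return plistlib.loads(data)


def payload_types(profile: dict) -> list:
    """List the PayloadType of every payload the profile installs."""
    return [p.get("PayloadType") for p in profile.get("PayloadContent", [])]


def extract_mail_accounts(profile: dict) -> list:
    """Return every managed mail account in the profile, including embedded
    passwords.  A profile carrying IncomingPassword/OutgoingPassword hands the
    credential to anyone who can read the profile in transit or at rest."""
    accounts = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MAIL_PAYLOAD:
            continue
        accounts.append({
            "description": payload.get("EmailAccountDescription"),
            "incoming_host": payload.get("IncomingMailServerHostName"),
            "incoming_port": payload.get("IncomingMailServerPortNumber"),
            "incoming_tls": payload.get("IncomingMailServerUseSSL", False),
            "username": payload.get("IncomingMailServerUsername"),
            "password": payload.get("IncomingPassword"),
            "outgoing_host": payload.get("OutgoingMailServerHostName"),
            "outgoing_password": payload.get("OutgoingPassword"),
        })
    return accounts


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE)
    print("signed:", looks_signed(SAMPLE_PROFILE))
    print("payloads:", payload_types(prof))
    for acct in extract_mail_accounts(prof):
        print(f"{acct['username']}:{acct['password']} -> "
              f"{acct['incoming_host']}:{acct['incoming_port']} tls={acct['incoming_tls']}")
```

The check a practitioner wants from this is twofold: what payload types a profile installs beyond the mail account (a web clip here; Bishop Fox’s concern was that profiles can carry far more), and whether the profile embeds a reusable credential. Credentials recovered this way log in as the device does, which is exactly the foothold Wright used to inspect and spoof the injected content.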
It’s been known for some time now–several months, in fact–that there is a critical, remotely exploitable vulnerability in some of Netgear’s ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by HD Moore of Rapid7 found that about 65 percent of the ReadyNAS devices reachable on port 80 are still unpatched.
Moore, the founder of the Metasploit Project and chief research officer at Rapid7, was interested in figuring out how many ReadyNAS boxes were exposed to the Web, and then how many of those were running the vulnerable firmware. To do that, he used his Project Sonar infrastructure to scan the IPv4 address space and identify ReadyNAS devices. The fingerprint was a GET request to port 80; ReadyNAS devices answered with an identifiable response header.
“I wrote a quick script to process this data via stdin, match ReadyNAS devices, and print out the IP address and Last-Modified date from the header of the response. I ran the raw scan output through this script and made some coffee. The result from our October 4th scan consisted of 3,488 lines of results. This is a little different than the numbers listed by SHODAN, but they can be explained by DHCP, multiple merged scans, and the fact that the ReadyNAS web interface is most commonly accessed over SSL on port 443,” Moore wrote in a blog post on the experiment.
“The interesting part about the Last-Modified header is that it seems to correlate with specific firmware versions. Version 4.2.24 was built on July 2nd, 2013 and we can assume that all versions prior to that are unpatched.”
Moore came up with 3,488 ReadyNAS boxes exposed on port 80, and of those, 2,257 of them were running vulnerable versions of the firmware. He said it’s not clear whether the results would be significantly different if the scan was done on port 443.
The vulnerability in ReadyNAS, which was discovered by Tripwire researcher Craig Young, enables an attacker to execute commands on a vulnerable device in the context of the Web server. Young has a proof-of-concept exploit that gives him a reverse shell.
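Moore’s method reduces to a small amount of code: fingerprint the response, read its Last-Modified header, and compare the date with the build date of the first patched firmware. The following is an added example of that triage, not Moore’s script or Rapid7’s tooling. The scan data is a constructed sample in a simple record format (an IP line, the headers it returned, a blank line); the fingerprint is a placeholder match on the product name, because the page only says the devices return “an identifiable header”, and the July 2, 2013 build date for 4.2.24 is the one Moore gives. Devices whose Last-Modified date is before that are counted as unpatched, those without a usable header as unknown, which is the caveat to carry into any such count.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Firmware 4.2.24, the first patched release, was built on July 2, 2013 (per Moore).
PATCHED_BUILD_DATE = datetime(2013, 7, 2, tzinfo=timezone.utc)

# Assumed fingerprint: the page only says ReadyNAS devices return an identifiable
# header, so this placeholder matches the product name anywhere in the headers.
# Substitute the exact match used by the real scan.
READYNAS_FINGERPRINT = re.compile(r"ReadyNAS", re.IGNORECASE)

# Constructed sample scan output (not real Project Sonar data): one IP line,
# the HTTP response headers that host returned, then a blank line.
SAMPLE_SCAN = """\
198.51.100.10
HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Basic realm="ReadyNAS"
Last-Modified: Fri, 15 Mar 2013 10:22:01 GMT

198.51.100.11
HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Basic realm="ReadyNAS"
Last-Modified: Tue, 02 Jul 2013 00:00:00 GMT

198.51.100.12
HTTP/1.1 200 OK
Server: ReadyNAS
Content-Type: text/html

198.51.100.13
HTTP/1.1 200 OK
Server: nginx
Last-Modified: Mon, 04 Feb 2013 09:00:00 GMT
"""


def parse_records(text: str):
    """Yield (ip, raw_headers) for each blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        yield lines[0].strip(), "\n".join(lines[1:])


def header(raw: str, name: str):
    """Return the value of the first header called `name`, or None."""
    m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(name), raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def classify(ip: str, raw: str):
    """Return a result dict for a ReadyNAS response, or None if not a ReadyNAS."""
    if not READYNAS_FINGERPRINT.search(raw):
        return None
    last_modified = header(raw, "Last-Modified")
    if last_modified is None:
        return {"ip": ip, "last_modified": None, "status": "unknown"}
    try:
        when = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return {"ip": ip, "last_modified": last_modified, "status": "unknown"}
    if when.tzinfo is None:          # "-0000" parses as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    status = "unpatched" if when < PATCHED_BUILD_DATE else "patched-or-newer"
    return {"ip": ip, "last_modified": when, "status": status}


def summarize(text: str):
    """Classify every ReadyNAS record in the scan output and tally the statuses."""
    results = [r for r in (classify(ip, raw) for ip, raw in parse_records(text)) if r]
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return results, counts


if __name__ == "__main__":
    results, counts = summarize(SAMPLE_SCAN)
    for r in results:
        print(r["ip"], r["status"], r["last_modified"])
    print(counts)
```

Two caveats the code makes explicit: a Last-Modified header is a proxy for the firmware build, not a version string, so a device that serves a customized page can be misdated; and anything reachable only on port 443 is invisible to a port-80 scan, which is why Moore would not say whether the 443 picture differs.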
UPDATE — The effort to audit TrueCrypt, the open source encryption tool, received an important endorsement in the last week when a member of its anonymous development team reached out to the organizers of IsTrueCryptAuditedYet?
“He wrote us a friendly but formal letter stating that they were happy to hear about the audit, provided it was a serious effort and not ‘money for nothing,’” said Matthew Green, a cryptographer with Johns Hopkins University in Baltimore, who along with fellow researcher Kenneth White helped get the audit off the ground. Green said the developer expects the audit to operate independently of TrueCrypt to avoid the appearance of a conflict of interest.
The audit hopes to answer a number of questions that have taken on a new significance considering the revelations about U.S. government surveillance on Americans in the name of national security. The principal concern is whether TrueCrypt, which has been downloaded more than 28 million times, has been backdoored. Security experts also have concerns about whether the custom open source license governing its use opens users up to additional legal risks.
In the meantime, a separate review of TrueCrypt conducted by Xavier de Carné de Carnavalet of Concordia University in Canada concluded that nothing has been added between the available sources and the published binaries. De Carnavalet said he was able to reproduce a deterministic compilation process specific to TrueCrypt for Windows that matches the binaries. Green and White were quick to praise the project and laud such a grassroots effort.
“TrueCrypt could still be sort of backdoored, but that would be written in the source code and would show up in a serious code audit (let aside the trust in the compilers and in your computer). What I proved is that the program on the website comes from the available sources, and nothing (no backdoor) has been surreptitiously added in between,” de Carnavalet told Threatpost. “This makes the code audit worthy, otherwise, auditors would not be sure they analyze the right thing. I just bridged the gap, so to speak.”
As for the fundraising effort to raise money to hire a professional code auditing firm and legal help to review the license, it jumped $17,000 in the last week. The $53,000 raised so far has helped the organizers develop an initial road map for the audit. The code audit will focus on two areas primarily, Green said: the cryptography used in TrueCrypt, and an evaluation of the Windows version. Unlike TrueCrypt for Linux, for example, Windows users download binaries rather than source code. Without a reproducible build, those binaries cannot be directly compared to the source code, and they behave differently from the other versions.
For example, TrueCrypt 7.0a fills the last 65,024 bytes of the header with random values. Are the values truly random, or are they an encryption of the password securing the TrueCrypt volume? If TrueCrypt is compromised, and those values are an encrypted password, the key would be available only to the third party who did the encrypting.
Green said the audit organizers are still in the process of getting bids from security firms to conduct the code audit.
“I can’t give you specifics, but suffice it to say that $50,000 doesn’t go as far as you’d think it does when you’re discussing a full-freight audit by a top company,” Green said. “Now we’re hoping to take advantage of some generosity on the part of various companies, so we won’t be paying full rates. And we’ve already received some generous offers (including one from the Open Technology Fund). But at the end of the day we want to get professional results, and even at a steep discount that kind of work is expensive.”
Meanwhile, de Carnavalet’s work, he said, should ease concerns of the software’s trustworthiness.
“I present how I compiled TrueCrypt 7.1a for Windows and reached a very close match to the official binaries,” he wrote in an article on the process. “I am also able to explain the small remaining differences and then prove that the official binaries indeed come from the public sources.”
Green and White praised the work as instrumental in being able to ultimately arrive at a deterministic build for TrueCrypt, in particular in putting together a prerequisite package of Microsoft tools in order to properly compile TrueCrypt.
“His results are certainly a useful data point, but more so because of the detailed build process he has shared (particularly where it deviates from existing documentation). His work in tracking down exactly which precise Windows Service Pack and version of Visual Studio is needed, the GUIDs, checksum internals, etc. is especially helpful as we conduct an independent verification,” White said. “But, in my view, this is only one piece of achieving our deterministic build goal, a necessary but not sufficient prerequisite to a comprehensive cryptanalysis and code audit. And from my read, I think Xavier agrees.”
De Carnavalet says the TrueCrypt 7.1a Windows binaries contain nothing that is not in the available sources, but he could show that only after reproducing the developers’ build environment closely.
“My analysis can serve the [audit] to understand the importance of running the exact same compiler version in order to provide a deterministic build. Fortunately, TrueCrypt sources come with a working Visual Studio solution ready to compile, and thus relieve lots of problems that can arise from differences in the project configuration,” he wrote. “Now, efforts can be focused on auditing the source code, rather than trying to reverse-engineer the whole software to search for non-existent backdoors.”
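The “very close match” and the “small remaining differences” de Carnavalet mentions are what a reproducible-build comparison has to reason about: a rebuilt Windows binary usually differs from the official one in a handful of bytes that the linker fills in per build, and the verifier’s job is to show that every differing byte sits in such a field and nothing else moved. The following is an added example of that comparison, not de Carnavalet’s tooling and not the audit’s. It assumes the COFF TimeDateStamp (the classic source of PE nondeterminism) as the field to mask; which fields actually differed in his build is not stated on the page. The two “binaries” are constructed minimal PE-shaped images, not executables.

```python
import hashlib
import struct


def build_fake_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-shaped image (not loadable): an MZ stub whose
    e_lfanew points at the PE signature and COFF file header, then `body`."""
    e_lfanew = 0x80
    mz = bytearray(e_lfanew)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)          # IMAGE_DOS_HEADER.e_lfanew
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(mz) + b"PE\0\0" + coff + body


def timestamp_offset(image: bytes) -> int:
    """Offset of the 4-byte COFF TimeDateStamp: e_lfanew + signature(4) +
    Machine(2) + NumberOfSections(2)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 8


def masked_sha256(image: bytes) -> str:
    """SHA-256 of the image with the timestamp field zeroed, so two builds that
    differ only there hash identically."""
    off = timestamp_offset(image)
    masked = image[:off] + b"\0\0\0\0" + image[off + 4:]
    return hashlib.sha256(masked).hexdigest()


def diff_offsets(a: bytes, b: bytes) -> list:
    """Every byte offset at which the two images differ (length mismatch counts)."""
    n = max(len(a), len(b))
    return [i for i in range(n) if i >= len(a) or i >= len(b) or a[i] != b[i]]


def compare_builds(official: bytes, rebuilt: bytes) -> dict:
    """Report whether all differences are explained by the masked field."""
    diffs = diff_offsets(official, rebuilt)
    off = timestamp_offset(official)
    ts_range = set(range(off, off + 4))
    return {
        "differing_offsets": diffs,
        "only_timestamp_differs": bool(diffs) and all(i in ts_range for i in diffs),
        "masked_hash_matches": masked_sha256(official) == masked_sha256(rebuilt),
    }


if __name__ == "__main__":
    body = b"\xcc" * 64 + b"section data"
    official = build_fake_pe(0x51D2A0C0, body)      # July 2013 epoch value, arbitrary
    rebuilt = build_fake_pe(0x51D2A0C0 + 3600, body)
    print(compare_builds(official, rebuilt))
    tampered = build_fake_pe(0x51D2A0C0, body[:-1] + b"!")
    print(compare_builds(official, tampered))
```

The design point is that masking is a whitelist: you list the fields you can explain (here one), and any difference outside that list fails the comparison. A real comparison of TrueCrypt builds would extend the list to other linker-written fields (debug directory, export table timestamps, Authenticode signature) and would document each one, which is the “explain the small remaining differences” step rather than a hash mismatch waved away.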
This article was updated at 8:30 a.m. with clarifications from Xavier de Carné de Carnavalet.
There is a vulnerability in some Netgear wireless routers that allows a remote attacker to completely compromise a device and gain root privileges. The bug is trivially exploitable and the researcher who discovered it has posted a proof-of-concept exploit.
The vulnerability is a command-injection flaw that, when combined with a separate authentication-bypass bug that the same researcher discovered, can give an attacker simple root access to vulnerable routers. The bug is in the Netgear WNDR3700v4 router, a home dual-band gigabit router, and Zach Cutlip, the researcher who discovered the flaw, said his exploit can trigger the bug, disable authentication, open a Telnet server and then restore the router to its original state so the user doesn’t realize anything has happened.
The vulnerability involves a function called cmd_ping6(), which is meant to ping a given hostname or IPv6 address. The firmware passes the supplied string into a shell command without sanitizing it, which lets an attacker use the function as a vector to compromise the router and then do whatever he chooses. The bug affects versions 18.104.22.168 and 22.214.171.124 of the router’s firmware.
“What is happening here, as it so often does, is the host string gets copied into a shell command on the stack using sprintf(). This is probably the most straightforward buffer overflow vulnerability you will ever see. Sadly, you shouldn’t exploit it. It is a tempting one to exploit because it is so clean and simple and because popping root with a MIPS ROP payload is sexy. But that would be silly, because right after it there is a call to system(). The system() function passes whatever string it is given to an invocation of /bin/sh. This is a command injection vulnerability in its purest form and is trivially exploitable. If the address string that gets passed in is something like “; evil_command; #”, the ping6 command will be terminated prematurely, and evil_command will be executed right after it,” Cutlip, a senior vulnerability researcher at Tactical Network Solutions, wrote in his explanation of the Netgear flaw.
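The pattern Cutlip describes, format the host into a command string and hand it to system(), is the whole bug, and the fix is equally short: validate the target against an allow-list and run the program with an argv array so no shell ever parses the string (in C, fork plus execv in place of sprintf plus system). The following is an added illustration in Python, not Cutlip’s code and not the Netgear firmware; it reproduces the vulnerable command construction as a returned string (never executed) so the injection can be seen, and shows the hardened form beside it. The hostname grammar and the “-c 3” arguments are assumptions.

```python
import ipaddress
import re
import subprocess


def vulnerable_command_line(host: str) -> str:
    """The firmware's pattern as Cutlip describes it: the user-supplied host is
    formatted straight into a command string destined for system(), i.e.
    /bin/sh -c.  Returned rather than executed so the injection can be inspected."""
    return "ping6 -c 3 %s" % host


# Anything that lets /bin/sh end the ping6 command or start another one.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\"'\s#]")

# Allow-list for DNS names: dot-separated labels of [A-Za-z0-9-], 1..63 chars,
# no leading or trailing '-', whole name at most 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_ping_target(host: str) -> bool:
    """Accept only a literal IPv6 address or a well-formed hostname.  Everything
    the injection relies on (';', '#', spaces, '$(') fails both checks, and a
    leading '-' is rejected so the value cannot be parsed as a ping6 option."""
    try:
        ipaddress.IPv6Address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def safe_ping6_argv(host: str) -> list:
    """Build the argv array for ping6; raises instead of passing junk through."""
    if not is_valid_ping_target(host):
        raise ValueError("refusing to ping %r" % host)
    return ["ping6", "-c", "3", host]


def run_ping6(host: str) -> subprocess.CompletedProcess:
    """argv form with shell=False (the default): no shell is involved, so
    metacharacters in `host` are never interpreted even if validation is loosened."""
    return subprocess.run(safe_ping6_argv(host), capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    evil = "; evil_command; #"
    print("firmware would run:", repr(vulnerable_command_line(evil)))
    print("metacharacters present:", SHELL_META.search(evil) is not None)
    for candidate in ("2001:db8::1", "example.com", evil, "-h", "$(reboot)"):
        print(repr(candidate), "->", is_valid_ping_target(candidate))
```

The allow-list matters more than the metacharacter denylist: SHELL_META is there to show what the injection needs, but the accept decision is made by is_valid_ping_target, so a character the denylist forgot still cannot get through. A dotted IPv4 literal passes the hostname grammar and is simply rejected by ping6 itself, which is harmless.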
Previously, Cutlip had discovered and published an explanation of another vulnerability in the same router, which allows an attacker to bypass the authentication feature on the router. Using that bug in conjunction with the command-injection vulnerability gives an attacker a potent method for owning and staying resident on the Netgear routers.
“If you browse to http://<router address>/BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface. But not only that, authentication remains disabled across reboots. And, of course if remote administration is turned on, this works from the frickin’ Internet,” Cutlip said in the explanation of the authentication bypass flaw.
The exploit that Cutlip wrote for the command-injection vulnerability takes advantage of the authentication issue as well and makes it quite simple for an attacker to go after vulnerable devices. He said that while there isn’t any patch available right now, the best mitigation for affected users is to disable remote administration on their routers.
“Remote administration is the primary attack surface we look at and find bugs in for SOHO routers. Also ensure that WPA2 encryption is enabled, and that untrusted devices aren’t allowed to connect to the LAN, either via wired or wireless,” Cutlip said via email.
Cutlip mentioned on Twitter that the vulnerabilities he found were also discovered independently by another researcher, Craig Young of Tripwire, who also found a serious flaw in Netgear’s ReadyNAS product.
Cisco rolled out three patches for multiple products yesterday, addressing vulnerabilities that could lead to a denial of service (DoS) or allow an attacker to execute code and obtain sensitive information.
As usual, Cisco’s Product Security Incident Response Team (PSIRT) posted about the vulnerabilities yesterday on its Security Advisories, Responses and Notices page.
The first patch fixes a vulnerability that’s been plaguing at least four of Cisco’s products, including its Business Edition 3000, Identity Services Engine (ISE), Media Experience Engine (MXE) and Unified SIP Proxy (CUSP).
All of those products use a vulnerable version of the Apache Struts 2 framework that could be exploited to let attackers execute arbitrary code on the system. All the attacker has to do is send a crafted request containing Object-Graph Navigation Language (OGNL) expressions. OGNL is an expression language for Java that Struts evaluates at runtime; when user-supplied input reaches the OGNL evaluator, an attacker can access data objects and inject server-side code.
While Cisco’s ISE is vulnerable to the aforementioned Struts problem, it’s also vulnerable to two additional but separate issues. ISE, a network access control and policy platform, suffers from an authenticated arbitrary command execution vulnerability and a support information download authentication bypass vulnerability. Together they could allow an attacker to execute code on the platform and gain access to user credentials and other information from the system. Both issues were fixed by Cisco’s second patch yesterday.
Lastly, Cisco patched its IOS XR software to prevent a DoS condition that arises when the route processor mishandles fragmented packets. IOS XR is Cisco’s operating system for its carrier-class routers. Only customers running specific versions of IOS XR (3.3.0 through 4.2.0) are at risk, but the condition can be triggered by an unauthenticated, remote attacker sending fragmented packets to an affected system.
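Because exploit code for the Struts problem is already public, the practical question for anyone running these Cisco products is whether the attempts have already arrived. OGNL injection leaves a recognizable footprint in web server logs: `${` or `%{` expression delimiters and names such as `#_memberAccess` or `@java.lang.Runtime@`, usually URL-encoded once or twice. The following is an added example of a log triage heuristic, not Cisco’s or Apache’s tooling; the access log lines are constructed, the marker list is an assumption drawn from how OGNL payloads are written, and it is a first-pass filter, not a substitute for the patch.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines; addresses and payloads are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2013:13:02:11 +0000] "GET /portal/login.action?redirect:%24%7B%23a%3D%40java.lang.Runtime%40getRuntime().exec(%27id%27)%7D HTTP/1.1" 302 0',
    '203.0.113.6 - - [28/Oct/2013:13:04:52 +0000] "GET /portal/login.action?action:%2525%257B%2523_memberAccess%255B%2527allowStaticMethodAccess%2527%255D%253Dtrue%257D HTTP/1.1" 200 812',
    '198.51.100.7 - - [28/Oct/2013:13:05:01 +0000] "GET /portal/login.action?username=alice&redirect=%2Fhome HTTP/1.1" 200 4021',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicator strings: OGNL expression delimiters and the names payloads
# use to escape the sandbox or reach the runtime.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@java.lang.Runtime@", "OgnlContext")


def decode_layers(s: str, rounds: int = 3) -> list:
    """Return s plus each successive URL-decoding until it stops changing, so
    double- and triple-encoded payloads are inspected in decoded form too."""
    forms = [s]
    for _ in range(rounds):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def ognl_indicators(target: str) -> list:
    """Markers found in the request path, parameter names or values (decoded)."""
    parts = urlsplit(target)
    pieces = [target, parts.path]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pieces.extend((name, value))
    found = set()
    for piece in pieces:
        for form in decode_layers(piece):
            for marker in OGNL_MARKERS:
                if marker in form:
                    found.add(marker)
    return sorted(found)


def scan_log(lines) -> list:
    """Return one hit per request whose target carries OGNL indicators."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = ognl_indicators(m.group("target"))
        if indicators:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["indicators"])
```

Parameter names are scanned as well as values because Struts evaluates certain prefixed parameter names, so the payload often sits left of the “=” or has no “=” at all; a value-only scan would miss the second sample line. Expect false positives from legitimate templating in query strings, and treat a hit as a reason to look at the Struts version, not as proof of compromise.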
Cisco’s patches address all of these issues, save for the Struts vulnerability in Business Edition 3000. It’s a little trickier for attackers to execute on this software because the attacker “must provide valid credentials or persuade a user with valid credentials to execute a malicious URL.” End users running that software are encouraged to contact their Cisco representative to see what their options are.
While Cisco’s PSIRT says it is unaware of any of these vulnerabilities being exploited, proof-of-concept code for the Struts vulnerability has been circulating in the wild for a few weeks and is even published on the official Apache Struts 2 page. Since the exploit is publicly available, it may make sense for end users to patch that hole first.
This is one introduction you may not want to make.
LinkedIn’s release of its Intro app for Apple iOS mobile devices yesterday raised more than a few eyebrows, with security experts worried about how it behaves.
Intro is an integrated service that works hand-in-hand with the Apple Mail app native to iPhones and iPads. The service embeds LinkedIn profile information into every message, even though Apple maintains a notoriously strict walled garden around its products, meaning, for example, no plug-ins for its native apps.
LinkedIn managed to go around this by having Intro act as a proxy server sitting between your email provider and the native Mail client; all IMAP and SMTP messages are routed through LinkedIn servers on their way to and from an email provider. LinkedIn says Intro doesn’t store email messages, instead it forwards requests from an iOS device to the email provider and does the same with responses from the provider to the device. In the meantime, each message gets an Intro bar inserted into it with a photo of the sender and a dropdown of more information from their LinkedIn profile.
The potential for security exposures and privacy violations is almost limitless, security experts said, citing concerns over corporate email policy violations, broken cryptographic signatures and the creation of a central collection point for government surveillance efforts.
“Intro works by pushing a security profile to your device; they’re not just installing the Intro app. They have to do this in order to re-route your emails,” wrote Bishop Fox analysts Vinnie Liu and Carl Livitt in a blogpost. “But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.
“Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reverse them if they wanted to do so,” Liu and Livitt said. “You are effectively putting your trust in LinkedIn to manage your users’ device security.”
LinkedIn says it will cache email passwords for the length of time it takes to install the Intro app, and never more than two hours. “Typically, your password is cached for no more than one minute,” LinkedIn said in a privacy pledge posted on its website.
“While the implementation is an interesting solution to a limitation, it introduces too much risk for anyone to use even with the pledge of privacy,” said Michael Yuen, security researcher at application security company Cenzic. “It is not LinkedIn that I worry about, but malicious attackers that want to take advantage of the weakness in security that the proxy creates.”
As for storing messages, or message metadata, LinkedIn said its servers may cache emails in order to have them download faster.
“All cached information is held securely to industry standards,” LinkedIn said. “Each piece of data is encrypted with a key that is unique to you and your device, and the servers themselves are secured and monitored 24/7 to prevent any unauthorized access.”
The fact that LinkedIn is adding data to each message, changing the content and structure of each message, experts worry, will impact the security of the message.
“Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end,” Liu and Livitt wrote. “This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason—extra data being appended to your messages.”
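Liu and Livitt’s point about signatures follows from how email signing works: the signer hashes the body it saw, and a proxy that appends a bar (or a profile footer) to the body changes that hash, so the verifier on the other end sees a mismatch with no way to tell a helpful insertion from a malicious one. The following is an added example that models exactly that, not Bishop Fox’s or LinkedIn’s code. It implements RFC 6376’s “simple” body canonicalization and a DKIM-style body hash (bh=), carries the hash in a constructed header, and simulates an injecting proxy; real DKIM additionally signs the headers, and the message, the Intro bar text and the header name are all constructed.

```python
import base64
import hashlib
import re

# Constructed sample message body (CRLF line endings, as on the wire).
ORIGINAL_BODY = b"Hi Bob,\r\n\r\nContract attached, please countersign.\r\n-- Alice\r\n"

# Constructed stand-in for the profile bar an injecting proxy appends.
INTRO_BAR = (b"\r\n--\r\n[Intro] Alice Example - Security Engineer at Example Corp\r\n"
             b"https://profiles.example.net/in/alice\r\n")

HASH_HEADER = b"X-Body-Hash"   # constructed; real DKIM carries bh= inside DKIM-Signature


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing empty
    lines removed, exactly one CRLF at the end (an empty body becomes CRLF)."""
    body = re.sub(rb"\r?\n", b"\r\n", body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """DKIM-style bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


def make_message(body: bytes) -> bytes:
    """Sender side: emit headers carrying the body hash, then the body."""
    headers = (b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Contract\r\n"
               + HASH_HEADER + b": bh=" + body_hash(body).encode() + b"\r\n")
    return headers + b"\r\n" + body


def intro_proxy(message: bytes) -> bytes:
    """Simulated IMAP proxy: passes headers through untouched, appends a profile
    bar to the body.  This is the behaviour that breaks verification."""
    head, sep, body = message.partition(b"\r\n\r\n")
    return head + sep + body + INTRO_BAR


def verify_body_hash(message: bytes) -> bool:
    """Receiver side: recompute the body hash and compare with the header."""
    head, _, body = message.partition(b"\r\n\r\n")
    m = re.search(rb"^" + HASH_HEADER + rb":\s*bh=(\S+)\s*$", head, re.MULTILINE)
    if not m:
        return False
    return m.group(1).decode() == body_hash(body)


if __name__ == "__main__":
    msg = make_message(ORIGINAL_BODY)
    print("original verifies:", verify_body_hash(msg))
    print("after proxy verifies:", verify_body_hash(intro_proxy(msg)))
```

Canonicalization is the one thing a verifier is allowed to forgive (trailing blank lines, bare LF), and the example shows that it does; anything beyond that, including a cosmetic footer, is indistinguishable from tampering by design. The same logic is why end-to-end encrypted mail cannot survive the proxy either: the ciphertext body is opaque to it, so the appended bar is garbage to the recipient’s client at best.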
LinkedIn suffered a breach in June 2012 when a hacker was able to download the hashed passwords of 6.5 million of its members (the service now counts 238 million). The hashes were posted to a Russian underground forum and some of them were cracked, the company admitted. It urged users to change their passwords and said it would begin salting passwords in addition to hashing them.
In September of this year, LinkedIn made a plea not only to the Foreign Intelligence Surveillance Court, but the FBI as well expressing its desire to share more information on the number of National Security Letters it received, calling a ban on sharing NSL data unconstitutional. Companies are allowed to report the number of NSL requests they receive in bunches of 1,000, something companies such as LinkedIn, Facebook and others say reduces transparency.
In LinkedIn’s most recent transparency report, it said it fielded 83 law enforcement and government requests for member data during the first half of 2013, 70 of those from the United States; LinkedIn provided data in 57 percent of those cases in the U.S.