Pre-Snowden Debate About NSA Call-Records Collection Program

Reuters is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program.

The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing the calling records of nearly every American fundamentally changed the character of the agency, which is supposed to eavesdrop on foreigners, not Americans.

Hacker News thread.

More here

Posted in Uncategorized | Leave a comment

A New Free CA

Announcing Let’s Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.

This is an absolutely fantastic idea.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.


The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.

  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.

  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.

  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.

  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

SlashDot thread. Hacker News thread.

More here

Posted in Uncategorized | Leave a comment

Response to “Can a CISO Serve Jail Time?”

I just read a story titled Can a CISO Serve Jail Time? Having been Chief Security Officer (CSO) of Mandiant prior to the FireEye acquisition, I thought I would share my thoughts on this question.

In brief, being a CISO or CSO is a tough job. Attempts to criminalize CSOs would destroy the profession.

Security is one of the few roles where global, distributed opponents routinely conduct criminal acts against business operations. Depending on the enterprise, the offenders could be nation state adversaries largely beyond the reach of any party, to include the nation state hosting the enterprise. Even criminal adversaries can remain largely untouchable.

I cannot think of another business function that suffers similar disadvantages. If a commercial competitor took actions against a business using predatory pricing, or via other illegal business measures, the state would investigate and possibly prosecute the offending competitor. For actions across national boundaries, one might see issues raised at the World Trade Organization (WTO), assuming the two hosting countries are WTO members.

These pressures are different from those faced by other elements of the business. When trying to hire and retain staff, human resources doesn’t face off against criminals. When trying to close a deal, sales people don’t compete with military hackers. (The exception might be transactions involving Chinese or Russian companies,) When creating a brand campaign, marketing people might have to worry about negative attention from hacktivists, but if the foe crosses a line the state might prosecute the offender.

The sad reality is that no organization can prevent all intrusions. The best outcome is to prevent as many intrusions as possible, and react quickly and effectively to those compromises that occur. As long as the security team contains and removes the intruder before he can accomplish his mission, the organization wins.

We will continue to see organizations fined for poor security practices. The Federal Trade Commission, Securities and Exchange Commission, and Federal Communications Commission are all very active in the digital security arena. If prosecutors seek jail time for CSOs who suffer compromises, I would expect CSOs will leave their jobs. They already face an unfair fight. We don’t need to add the threat of jail time to the list of problems confronting security staff.

More here

Posted in Uncategorized | Leave a comment

OnionDuke: APT Attacks Via the Tor Network

Recently, research was published identifying a Tor exit node, located in Russia, that was consistently and maliciously modifying any uncompressed Windows executables downloaded through it. Naturally this piqued our interest, so we decided to peer down the rabbit hole. Suffice to say, the hole was a lot deeper than we expected! In fact, it went all the way back to the notorious Russian APT family MiniDuke, known to have been used in targeted attacks against NATO and European government agencies. The malware used in this case is, however, not a version of MiniDuke. It is instead a separate, distinct family of malware that we have since taken to calling OnionDuke. But lets start from the beginning.

When a user attempts to download an executable via the malicious Tor exit node, what they actually receive is an executable “wrapper” that embeds both the original executable and a second, malicious executable. By using a separate wrapper, the malicious actors are able to bypass any integrity checks the original binary might contain. Upon execution, the wrapper will proceed to write to disk and execute the original executable, thereby tricking the user into believing that everything went fine. However, the wrapper will also write to disk and execute the second executable. In all the cases we have observed, this malicious executable has been the same binary (SHA1: a75995f94854dea8799650a2f4a97980b71199d2, detected as Trojan-Dropper:W32/OnionDuke.A). This executable is a dropper containing a PE resource that pretends to be an embedded GIF image file. In reality, the resource is actually an encrypted dynamically linked library (DLL) file. The dropper will proceed to decrypt this DLL, write it to disk and execute it.

A flowchart of the infection process
A flowchart of the infection process

Once executed, the DLL file (SHA1: b491c14d8cfb48636f6095b7b16555e9a575d57f, detected as Backdoor:W32/OnionDuke.B) will decrypt an embedded configuration (shown below) and attempt to connect to hardcoded C&C URLs specified in the configuration data. From these C&Cs the malware may receive instructions to download and execute additional malicious components. It should be noted, that we believe all five domains contacted by the malware are innocent websites compromised by the malware operators, not dedicated malicious servers.

Screenshot of the embedded configuration data
A screenshot of the embedded configuration data

Through our research, we have also been able to identify multiple other components of the OnionDuke malware family. We have, for instance, observed components dedicated to stealing login credentials from the victim machine and components dedicated to gathering further information on the compromised system like the presence of antivirus software or a firewall. Some of these components have been observed being downloaded and executed by the original backdoor process but for other components, we have yet to identify the infection vector. Most of these components don’t embed their own C&C information but rather communicate with their controllers through the original backdoor process.

One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, and also evidence suggesting that this component may abuse Twitter as an additional C&C channel. What makes the domain interesting, is it was originally registered in 2011 with the alias of “John Kasai”. Within a two-week window, “John Kasai” also registered the following domains:,,,,,,,,,, and This is significant because the domains and have previously been identified as C&C domains used by MiniDuke. This strongly suggests that although OnionDuke and MiniDuke are two separate families of malware, the actors behind them are connected through the use of shared infrastructure.

A graph showing the infrastructure shared between OnionDuke and MiniDuke
A visualization of the infrastructure shared between OnionDuke and MiniDuke

Based on compilation timestamps and discovery dates of samples we have observed, we believe the OnionDuke operators have been infecting downloaded executables at least since the end of October 2013. We also have evidence suggesting that, at least since February of 2014, OnionDuke has not only been spread by modifying downloaded executables but also by infecting executables in .torrent files containing pirated software. However, it would seem that the OnionDuke family is much older, both based on older compilation timestamps and also on the fact that some of the embedded configuration data make reference to an apparent version number of 4 suggesting that at least three earlier versions of the family exist.

During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the “shooting a fly with a cannon” mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT operations.

In any case, although much is still shrouded in mystery and speculation, one thing is certain. While using Tor may help you stay anonymous, it does at the same time paint a huge target on your back. It’s never a good idea to download binaries via Tor (or anything else) without encryption. The problem with Tor is that you have no idea who is maintaining the exit node you are using and what their motives are. VPNs (such as our Freedome VPN) will encrypt your connection all the way through the Tor network, so the maintainers of Tor exit nodes will not see your traffic and can’t tamper with it.


  •  a75995f94854dea8799650a2f4a97980b71199d2
  •  b491c14d8cfb48636f6095b7b16555e9a575d57f
  •  d433f281cf56015941a1c2cb87066ca62ea1db37

Detected as: Trojan-Dropper:W32/OnionDuke.A, Backdoor:W32/OnionDuke.A, and Backdoor:W32/OnionDuke.B.

Post by — Artturi (@lehtior2)

On 14/11/14 At 05:00 AM

More here

Posted in Uncategorized | Leave a comment

What grade does your favorite app get?

Forbes’Parmy Olson published a short article about PrivacyGrade on Tuesday. What is PrivacyGrade?

From PrivacyGrade’s FAQ:

The goal of is to help raise awareness of the behaviors that many smartphone apps have that may affect people’s privacy. PrivacyGrade provides detailed information about an app’s privacy-related behaviors. We summarize these behaviors in the form of a grade, ranging from A+ (most privacy sensitive) to D (least privacy sensitive).

Here’s our App Permissions’ grade:

PrivacyGrade, F-Secure App Permissions A+

Grading apps can be a very subjective thing.

For example, social network integration might be of more concern to some than ad networks and location permissions — but whatever your personal criteria — the folks at PrivacyGrade have compiled some very interesting statistics.

  •  Most Popular Permissions
  •  Third Party Libraries

On 12/11/14 At 01:31 PM

More here

Posted in Uncategorized | Leave a comment

Hacking Internet Voting from Wireless Routers

Good paper, and layman’s explanation.

Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes.

More here

Posted in Uncategorized | Leave a comment

Sophisticated Targeted Attack Via Hotel Networks

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. “Darkhotel” is the name the group and its techniques has been given.

This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew’s most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.

Good article. This seems pretty obviously a nation-state attack. It’s anyone’s guess which country is behind it, though.

Targets in the spear — phishing attacks include high-profile executives — among them a media executive from Asia¬≠as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. “All nuclear nations in Asia,” Raiu notes. “Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.” Recently there has been a spike in the attacks against the U.S. defense industry.

We usually infer the attackers from the target list. This one isn’t that helpful. Pakistan? China? South Korea? I’m just guessing.

More here

Posted in Uncategorized | Leave a comment

The Future of Incident Response

Security is a combination of protection, detection, and response. It’s taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of detection products and services.

This decade is one of response. Over the past few years, we’ve started seeing incident response (IR) products and services. Security teams are incorporating them into their arsenal because of three trends in computing. One, we’ve lost control of our computing environment. More of our data is held in the cloud by other companies, and more of our actual networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures.

Two, attacks are getting more sophisticated. The rise of APT (advanced persistent threat)–attacks that specifically target for reasons other than simple financial theft–brings with it a new sort of attacker, which requires a new threat model. Also, as hacking becomes a more integral part of geopolitics, unrelated networks are increasingly collateral damage in nation-state fights.

And three, companies continue to under-invest in protection and detection, both of which are imperfect even under the best of circumstances, obliging response to pick up the slack.

Way back in the 1990s, I used to say that “security is a process, not a product.” That was a strategic statement about the fallacy of thinking you could ever be done with security; you need to continually reassess your security posture in the face of an ever-changing threat landscape.

At a tactical level, security is both a product and a process. Really, it’s a combination of people, process, and technology. What changes are the ratios. Protection systems are almost technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.

Usability guru Lorrie Faith Cranor once wrote, “Whenever possible, secure system designers should find ways of keeping humans out of the loop.” That’s sage advice, but you can’t automate IR. Everyone’s network is different. All attacks are different. Everyone’s security environments are different. The regulatory environments are different. All organizations are different, and political and economic considerations are often more important than technical considerations. IR needs people, because successful IR requires thinking.

This is new for the security industry, and it means that response products and services will look different. For most of its life, the security industry has been plagued with the problems of a lemons market. That’s a term from economics that refers to a market where buyers can’t tell the difference between good products and bad. In these markets, mediocre products drive good ones out of the market; price is the driver, because there’s no good way to test for quality. It’s been true in anti-virus, it’s been true in firewalls, it’s been true in IDSs, and it’s been true elsewhere. But because IR is people-focused in ways protection and detection are not, it won’t be true here. Better products will do better because buyers will quickly be able to determine that they’re better.

The key to successful IR is found in Cranor’s next sentence: “However, there are some tasks for which feasible, or cost effective, alternatives to humans are not available. In these cases, system designers should engineer their systems to support the humans in the loop, and maximize their chances of performing their security-critical functions successfully.” What we need is technology that aids people, not technology that supplants them.

The best way I’ve found to think about this is OODA loops. OODA stands for “observe, orient, decide, act,” and it’s a way of thinking about real-time adversarial situations developed by US Air Force military strategist John Boyd. He was thinking about fighter jets, but the general idea has been applied to everything from contract negotiations to boxing–and computer and network IR.

Speed is essential. People in these situations are constantly going through OODA loops in their head. And if you can do yours faster than the other guy–if you can “get inside his OODA loop”–then you have an enormous advantage.

We need tools to facilitate all of these steps:

  • Observe, which means knowing what’s happening on our networks in real time. This includes real-time threat detection information from IDSs, log monitoring and analysis data, network and system performance data, standard network management data, and even physical security information–and then tools knowing which tools to use to synthesize and present it in useful formats. Incidents aren’t standardized; they’re all different. The more an IR team can observe what’s happening on the network, the more they can understand the attack. This means that an IR team needs to be able to operate across the entire organization.
  • Orient, which means understanding what it means in context, both in the context of the organization and the context of the greater Internet community. It’s not enough to know about the attack; IR teams need to know what it means. Is there a new malware being used by cybercriminals? Is the organization rolling out a new software package or planning layoffs? Has the organization seen attacks form this particular IP address before? Has the network been opened to a new strategic partner? Answering these questions means tying data from the network to information from the news, network intelligence feeds, and other information from the organization. What’s going on in an organization often matters more in IR than the attack’s technical details.
  • Decide, which means figuring out what to do at that moment. This is actually difficult because it involves knowing who has the authority to decide and giving them the information to decide quickly. IR decisions often involve executive input, so it’s important to be able to get those people the information they need quickly and efficiently. All decisions need to be defensible after the fact and documented. Both the regulatory and litigation environments have gotten very complex, and decisions need to be made with defensibility in mind.
  • Act, which means being able to make changes quickly and effectively on our networks. IR teams need access to the organization’s network–all of the organization’s network. Again, incidents differ, and it’s impossible to know in advance what sort of access an IR team will need. But ultimately, they need broad access; security will come from audit rather than access control. And they need to train repeatedly, because nothing improves someone’s ability to act more than practice.

Pulling all of these tools together under a unified framework will make IR work. And making IR work is the ultimate key to making security work. The goal here is to bring people, process and, technology together in a way we haven’t seen before in network security. It’s something we need to do to continue to defend against the threats.

This essay originally appeared in IEEE Security & Privacy.

More here

Posted in Uncategorized | Leave a comment

Hack In The Box 2014 KUL

The Hack In The Box (HITB) SecConf 2014 was held from the 13 to the 16 of October, in Kuala Lumpur, Malaysia. More than 500 people from around the world participated in the event. Unfortunately, 2014 was the final round of this nice event.

More here

Posted in Uncategorized | Leave a comment

Remember, Remember the Fifth of November

Remember remember the fifth of November
Gunpowder, treason and plot.

I see no reason why gunpowder, treason
Should ever be forgot…

Switch On Freedom

The Economist: How Guy Fawkes became the face of post-modern protest

On 05/11/14 At 01:27 PM

More here

Posted in Uncategorized | Leave a comment