Cell Phone Kill Switches Mandatory in California

California passedakill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one.

I worry more about the side effects: once the feature is in place, it can be used by all sorts of people for all sorts of reasons.

The law raises concerns about how the switch might be used or abused, because it also provides law enforcement with the authority to use the feature to kill phones. And any feature accessible to consumers and law enforcement could be accessible to hackers, who might use it to randomly kill phones for kicks or revenge, or to perpetrators of crimes who might — depending on how the kill switch is implemented — be able to use it to prevent someone from calling for help.

“It’s great for the consumer, but it invites a lot of mischief,” says Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, which opposes the law. “You can imagine a domestic violence situation or a stalking context where someone kills [a victim's] phone and prevents them from calling the police or reporting abuse. It will not be a surprise when you see it being used this way.”

I wrote about this in 2008, more generally:

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That’s a difficult security problem even in its simplest form. Distributing that system among a variety of different devices — computers, phones, PDAs, cameras, recorders — with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path — giving one device authority over other devices — the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

The law only affects California, but phone manufacturers won’t sell two different phones. So this means that all cell phones will eventually have this capability. And, of course, the procedural controls and limitations written into the California law don’t apply elsewhere.

More here

Posted in Uncategorized | Leave a comment

Pitou Q&A

What is Pitou?
A recently spotted spambot malware that shares many similarities from the notorious kernel-mode spambot Srizbi. After further analysis, we confirmed it is a revival of Srizbi. We named this latest malware Pitou. After some in-depth analysis, we found some other interesting technical features and wrote a whitepaper on it.

Why it is called Pitou?
The name Pitou came from our colleague’s existing detection name for it. We decided to use this family name to avoid confusion. Another reason why we think this spambot deserves a new name (rather than continuing with the Srizbi moniker, that is) is because the malware code has been completely rewritten with more robust features, including now being equipped with a bootkit.

Where was it first discovered?
We first encountered the threat on a client machine that reported a suspicious system driver file to our automated analytical systems. After some manual analysis, we found it to be malicious and containing a payload that is highly obfuscated and protected by Virtual Machine (VM) code. This implied that there was something the malware was trying to hide from researchers. So naturally we decided to do an in-depth analysis.

When was it first seen?
The threat was first found in April 2014 based on the dates from our sample collection systems, though it may have existed in the wild at an earlier date. The whitepaper includes more timeline information.

Who should be concerned by this threat?
This threat could cause havoc or bring inconvenience to both corporate and home users. The spambot will utilize an infected machine to spread spam emails, which can lead to the spamming IP address being blacklisted in Realtime Black List (RBL) by an Internet Service Provider (ISP). A blacklisted IP address is blocked from sending (even legitimate) email via standard Simple Mail Transfer Protocol (SMTP), which is commonly configured in most corporate email servers. A regular home users meanwhile would be concerned if they use a non-Web based email client, for example Microsoft Outlook, that ends up having its IP address blacklisted by an ISP.

What are some of Pitou’s indicators of compromise (IOC)?
The threat is not particularly stealthy compared to other modern rootkits. We list a couple of IOCs in our document for someone (reasonably technically astute) who is interested in quickly identifying if their machine is Pitou-infected.

Where can I get the Pitou whitepaper?
Click the image below, or visit the
technical papers section of our Labs site:

pitou_whitepaper_cover (96k image)

Post by – Wayne

On 28/08/14 At 08:25 AM

More here

Posted in Uncategorized | Leave a comment

Hacking Traffic Lights

New paper: “Green Lights Forever: Analyzing the Security of Traffic Infrastructure,” Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman.

Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leverage these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage. We make recommendations on how to improve existing systems and discuss the lessons learned for embedded systems security in general.

News article.

More here

Posted in Uncategorized | Leave a comment

Security by Obscurity at Healthcare.gov Site

The White House is refusing to release details about the security of healthcare.gov because it might help hackers. What this really means is that the security details would embarrass the White House.

More here

Posted in Uncategorized | Leave a comment

Eavesdropping Using Smart Phone Gyroscopes

The gyroscopes are sensitive enough to pick up acoustic vibrations. It’s crude, but it works. Paper. Wired article. Hacker News thread.

More here

Posted in Uncategorized | Leave a comment

Ransomware Race (part 5): SynoLocker’s unkept promises

We believe you should never pay a ransom to online criminals. The reason is quite simple. File-encrypting ransomware holds the victim’s personal files “at ransom” until a payment is made. For the scheme to work, the victim has to believe that paying up will help. However, the only certain outcome from paying criminals is to encourage them to continue their malicious activities: paying the ransom might not actually get you your files back. Case in point, a recent ransomware family commonly known as SynoLocker.

SynoLocker targets network attached storage devices manufactured by Synology. Once a device has been infected with SynoLocker, the malware will proceed to encrypt files stored on the device. It will also present the victim with a ransom message demanding payment in return for decryption of the files. Here, however, the criminals behind SynoLocker make a false promise. In many of the cases we have observed, the decryption process didn’t actually work or the decryption key provided by the criminals was incorrect.

Even after being double-crossed by the criminals, all hope is not lost. If a victim is able to obtain the correct decryption key, the files can still be restored. For this purpose, we are today releasing a small tool, a Python script, written by us. This tool can be used to safely decrypt SynoLocker-encrypted files as long as the correct decryption key can be provided. The tool does not in any way break the encryption of files created by SynoLocker and it does not attempt to bruteforce the decryption key. It will only work, if the decryption key is already known.

Screenshot of encrypted and decrypted file headers
On the left, the beginning of a file encrypted by SynoLocker and, on the right, the beginning of the same file decrypted.

Another use case for our decryption tool is a situation where a user has paid the ransom but can’t use the decryption key as they have removed the SynoLocker malware from the infected device. Instead of reinfecting your device with the malware (which is a bad idea), you can use the key together with our script to decrypt your files.

By releasing this tool to the community at large, we hope that we can contribute to undoing the harm caused by these criminals.

We never recommend anyone to pay a ransom.

Our decryption tool, as well as installation and usage instructions, can be found here.

Post by Artturi (@lehtior2)

On 22/08/14 At 12:44 PM

More here

Posted in Uncategorized | Leave a comment

Disguising Exfiltrated Data

There’s an interesting article on a data exfiltration technique.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.

[...]

The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the “Police Mutual Aid Association” and with an expired certificate from an organization called “MOCOMSYS INC.”

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and redirect the traffic to that location.

Google Developers, formerly called Google Code, is the search engine’s website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.

With Hurricane Electric, the attacker took advantage of the fact that its domain name servers were configured, so anyone could register for a free account with the company’s hosted DNS service.

The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.

Honestly, this looks like a government exfiltration technique, although it could be evidence that the criminals are getting even more sophisticated.

More here

Posted in Uncategorized | Leave a comment

Data vs. Metadata

Google uses HTTPS for all search queries. That’s good, because it means that all of the questions you ask (a.k.a. your data) will be encrypted. However… regardless of HTTPS, inferences about your searches can still be made by somebody with accesses to your network traffic. For example:

Network Traffic Analysis, Google to AA

In the screenshot above, a popular “packet analyzer” displays DNS queries (a.k.a. metadata). We first connected our test device to google.com and performed a search — and then we clicked on the top search result link — and connected to aa.org.

The deductive reasoning skills of Sherlock Holmes aren’t required to figure out “alcoholics anonymous” was searched for. And even if aa.org used HTTPS encryption (it doesn’t), using DNS metadata, we can still infer the contents of the search data. The connections made offer all the evidence needed.

And that’s why metadata matters.

On 20/08/14 At 01:10 PM

More here

Posted in Uncategorized | Leave a comment

The Security of al Qaeda Encryption Software

The web intelligence firm Recorded Future has posted twostories about how al Qaeda is using new encryption software in response to the Snowden disclosures. NPR picked up the story a week later.

Former NSA Chief Council Stewart Baker uses this as evidence that Snowden has harmed America. Glenn Greenwald calls this “CIA talking points” and shows that al Qaeda was using encryption well before Snowden. Both quote me heavily, Baker casting me as somehow disingenuous on this topic.

Baker is conflating my stating of two cryptography truisms. The first is that cryptography is hard, and you’re much better off using well-tested public algorithms than trying to roll your own. The second is that cryptographic implementation is hard, and you’re much better off using well-tested open-source encryption software than you are trying to roll your own. Admittedly, they’re very similar, and sometimes I’m not as precise as I should be when talking to reporters.

This is what I wrote in May:

I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.

Note the phrase “good algorithms and software.” My intention was to invoke both truisms in the same sentence. That paragraph is true if al Qaeda is rolling their own encryption algorithms, as Recorded Future reported in May. And it remains true if al Qaeda is using algorithms like my own Twofish and rolling their own software, as Recorded Future reported earlier this month. Everything we know about how the NSA breaks cryptography is that they attack the implementations far more successfully than the algorithms.

My guess is that in this case they don’t even bother with the encryption software; they just attack the users’ computers. There’s nothing that screams “hack me” more than using specially designed al Qaeda encryption software. There’s probably a QUANTUMINSERT attack and FOXACID exploit already set on automatic fire.

I don’t want to get into an argument about whether al Qaeda is altering its security in response to the Snowden documents. Its members would be idiots if they did not, but it’s also clear that they were designing their own cryptographic software longbeforeSnowden. My guess is that the smart ones are using public tools like OTR and PGP and the paranoid dumb ones are using their own stuff, and that the split was the same both pre- and post-Snowden.

More here

Posted in Uncategorized | Leave a comment

QUANTUM Technology Sold by Cyberweapons Arms Manufacturers

Last October, I broke the story about the NSA’s top secret program to inject packets into the Internet backbone: QUANTUM. Specifically, I wrote about how QUANTUMINSERT injects packets into existing Internet connections to redirect a user to an NSA web server codenamed FOXACID to infect the user’s computer. Since then, we’ve learned a lotmore about how QUANTUMworks, and general details of many otherQUANTUMprograms.

These techniques make use of the NSA’s privileged position on the Internet backbone. It has TURMOIL computers directly monitoring the Internet infrastructure at providers in the US and around the world, and a system called TURBINE that allows it to perform real-time packet injection into the backbone. Still, there’s nothing about QUANTUM that anyone else with similar access can’t do. There’s a hacker tool called AirPwn that basically performs a QUANTUMINSERT attack on computers on a wireless network.

A new report from Citizen Lab shows that cyberweapons arms manufacturers are selling this type of technology to governments around the world: the US DoD contractor CloudShield Technologies, Italy’s Hacking Team, and Germany’s and the UK’s Gamma International. These programs intercept web connections to sites like Microsoft and Google — YouTube is specially mentioned — and inject malware into users’ computers.

Turkmenistan paid a Swiss company, Dreamlab Technologies — somehow related to the cyberweapons arms manufacturer Gamma International — just under $1M for this capability. Dreamlab also installed the software in Oman. We don’t know what other countries have this capability, but the companies here routinely sell hacking software to totalitarian countries around the world.

There’s some more information in thisWashington Post article, and this essay on the Intercept.

In talking about the NSA’s capabilities, I haverepeatedlysaid that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools. This is exactly what we’re seeing here. By developing these technologies instead of helping defend against them, the NSA — and GCHQ and CSEC — are contributing to the ongoing insecurity of the Internet.

Related: here is an open letter from Citizen Lab’s Ron Diebert to Hacking Team about the nature of Citizen Lab’s research and the misleading defense of Hacking Team’s products.

More here

Posted in Uncategorized | Leave a comment