Archive for the ‘Security Issues’ Category

What’s with the TrueCrypt warning?

June 1, 2014

TrueCrypt, the free open source full disk encryption program favoured by many security-savvy people, including apparently Edward Snowden, is no more. Its website now redirects to its SourceForge page which starts with this message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

This statement is so full of problems it is difficult to know where to start.

Is it a canary?
A canary is a warning delivered by indirect means (if the canary in a mine died, the likelihood was that poison gas, otherwise undetected, was present). So one suggestion is that this message indicates government interference, and that, like Levison and Lavabit, TrueCrypt has been shut down to protect its users. (Levison said, “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.”) Some have gone so far as to read a more explicit warning into the opening words of TrueCrypt’s first paragraph: “not secure as”.

(Image: Microsoft’s BitLocker disk encryption)

But for me the strongest suggestion that this might be a canary warning is the recommendation for Microsoft’s BitLocker. The message says “You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.” It then proceeds to give a step-by-step how-to for migrating to BitLocker.

My problem is two-fold. Firstly, I find it difficult to believe that the developers of open-source cryptography would voluntarily recommend placing faith in a closed-source solution — and one from Microsoft to boot. Secondly, BitLocker gives up the ground won with such difficulty during the First Crypto Wars against Clinton’s Clipper chip and key escrow demands — BitLocker escrows the keys either with the IT department or with Microsoft’s cloud services. From both locations, using the PATRIOT Act, government agencies can retrieve those keys effectively on demand. This recommendation doesn’t make sense from a purely ‘security’ viewpoint.

Against this, however, we should note that ‘David’ (apparently a or the TrueCrypt developer) has told @stevebarnhart that there has been no government contact except one time inquiring about a ‘support contract’; that “BitLocker is ‘good enough’ and Windows was original ‘goal of the project’;” and that “There is no longer interest.” But whether ‘David’ is who he says he is, or whether what he says is true, is anyone’s guess.

I find myself conflicted. This time my heart says, don’t think conspiracy; but my head says, this isn’t right.

What next?
For whatever reason, TrueCrypt can no longer be trusted. If we take David at face value, he has simply lost interest in the project and bowed out in a most unsatisfactory manner. That would imply that you can carry on using TrueCrypt; but that like XP, any future issues will not be resolved. So it’s probably best not to wait for them.

But if you were savvy enough to install TrueCrypt you will be savvy enough to migrate to an alternative without being persuaded into using BitLocker. BitLocker works with the Trusted Platform Module (TPM), a motherboard chip that to my mind turns Windows 8 into an NSA trojan. (See Is Windows 8 an NSA trojan?) This latest development merely reinforces my opinion.

It would be tempting to say it is time to migrate away from Windows altogether — perhaps to Linux. The reality, however, is that nothing is secure. What can be made by software can be unmade by software; that which can be built by computer power can be demolished by computer power. The unmakers have a thousand times the resources of the makers.

The solution is political, not technological. We the people have to reassert our role over the politicians. They are our servants. We pay them to do our bidding. And we have to make it absolutely clear that government interference and surveillance is unacceptable and must stop.

Categories: All, Politics, Security Issues

We’re moving and expanding!

May 29, 2014

This blog is moving (and expanding) to a full IT security news and views site (http://ITsecurity.co.uk).

But that’s all folks. If you want to keep up with the latest news and views, hop over to ITsecurity!

The new site will continue its role in challenging and disrupting the traditional view of security – but over a wider area. In particular it now has a Panel of Experts who will be contributing (when they get time from their day jobs) on a selection of specialist areas. Alphabetically, they include:

  • Dr Brian Bandey – Dr Bandey’s Surgery: IP, Cloud, Big Data and e-Safety Laws Anatomised
  • Alexander Hanff – CEO Think Privacy Inc: Globally respected Privacy expert
  • David Harley – David Harley on malware
  • Bev Robb @teksquisite – Internet security & social media consultant by stealth…
  • Richard Smith – Financial skulduggery; especially of the tech variety
  • Kevin Townsend – Opinions on current information security news and issues (that’s me!)
  • Robin Wood – Penetration testing issues and passwords

All, except perhaps for me, are recognised world- and thought-leaders. So head over and check us out – and spread the word.

Categories: All, Security Issues

More on the Avast breach and the hash used

May 27, 2014

My understanding is that the hash formula used by Avast to store its forum users’ passwords was

$hash = sha1(strtolower($username) . $password); // PHP (SMF): SHA-1 over the lowercased username concatenated with the password

This is the formula built into the SMF open source forum software used by Avast. It is both good and bad. It confirms that the hash was salted (with the user’s username); but the use of SHA1 will raise some eyebrows. Robin Wood, a professional pentester, suggests that something like Bcrypt would have been much stronger.

Nevertheless, Wood points out, the use of the salt would make cracking much harder. “I have tables for a lot of the common hashing algorithms with just plain words (password, computer etc), but there is no way I can generate them with the salts (kevinpassword, kevincomputer, robinpassword, robincomputer).”

At a pinch, he admitted, he could generate a few tables for the most common passwords, such as root or admin or 123456. So some of the passwords could be cracked relatively easily by a sophisticated hacker, and even more could be cracked if there were world enough and time. Which is actually pretty much what Avast implied in its blog.
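To see concretely what Wood is describing, here is an added example (my own Python, not SMF’s or Avast’s code) that reproduces the formula above and tests two precomputed tables against a constructed two-row “leak”: a generic SHA-1 table of common passwords, and a table rebuilt with one particular username mixed in. The usernames, passwords and the wordlist are all constructed for the example.

```python
import hashlib

# SMF-style formula quoted above: sha1(strtolower($username) . $password)
def smf_hash(username: str, password: str) -> str:
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()

# Constructed "common password" list standing in for an attacker's wordlist
COMMON_PASSWORDS = ["123456", "password", "admin", "root", "computer"]

# Constructed sample of a leaked forum table (username -> stored hash)
LEAKED_TABLE = {
    "kevin": smf_hash("kevin", "123456"),
    "robin": smf_hash("robin", "correct horse battery staple"),
}

def generic_sha1_table(words):
    """Precomputed SHA-1(word) table: reusable against any unsalted SHA-1 dump,
    but useless here because the stored hashes also cover the username prefix."""
    return {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in words}

def per_user_table(username, words):
    """Table that bakes one username in as the salt; it must be rebuilt per user."""
    return {smf_hash(username, w): w for w in words}

def crack_with_generic_table(leaked=LEAKED_TABLE, words=COMMON_PASSWORDS):
    table = generic_sha1_table(words)
    return {user: table.get(h) for user, h in leaked.items()}

def crack_with_per_user_tables(leaked=LEAKED_TABLE, words=COMMON_PASSWORDS):
    # Only weak passwords on the wordlist fall; the strong one survives
    return {user: per_user_table(user, words).get(h) for user, h in leaked.items()}

def same_password_same_hash(user_a: str, user_b: str, password: str) -> bool:
    """Because the username is mixed in, two users sharing a password get different hashes."""
    return smf_hash(user_a, password) == smf_hash(user_b, password)

if __name__ == "__main__":
    print("generic table :", crack_with_generic_table())
    print("per-user table:", crack_with_per_user_tables())
```

The generic table finds nothing, which is the benefit of the username salt; the per-user table still finds “123456”, which is the weakness Wood describes. Note also that the `strtolower` call means a username’s capitalisation does not change the salt, so a per-user table does not need to be rebuilt for case variants.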

Again, my understanding (and you can interpret that any way you like) is that Avast is embarrassed and wishes to do the right thing. It is holding back from making a more complete formal statement simply because it is still investigating the breach — and doesn’t yet know whether it screwed up or was breached by an unknown 0-day in the SMF software.

One thing that does seem clear, however, is that the attackers were sophisticated and not script kiddies, since the attack coincided with a multi-Gbps DoS attack. Users should therefore assume that if they used a simple password it is now known to the attackers. Those who used a strong password should assume that, with time, it too will become known to the attackers. Since Avast immediately took down the forum the passwords will be of little value UNLESS the user reuses the same password elsewhere. It is for this reason that those passwords should be changed immediately; and users who do so should stop reusing passwords immediately.

So what next? In his original post, CEO Vince Steckler said that Avast will rebuild the forum and move it to a different software platform. It will be interesting to see whether the company publicise how it will store its users’ passwords on the new platform.

Categories: All, Security Issues

Avast forum hack demonstrates we need password storage disclosure

May 27, 2014

A blog post early this morning by Avast Software CEO Vince Steckler announced

The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised.
AVAST forum offline due to attack

Avast’s reaction to this hack is in stark contrast to that of eBay’s recent reaction. While eBay said very little, Avast has quickly taken down the breached forum and contacted the users with laudable speed. And it has explained the risks.

While eBay gave no details about how its passwords were stored, Avast has indicated that they were hashed but can still be cracked. Like eBay it also lost usernames and email addresses, and that information alone is valuable to phishers. Steckler has advised users to change their passwords everywhere they have been reused — good and essential advice; but users should also be on guard against phishing attempts.

But while the Avast response has been better than eBay’s, it is still not enough — users need and deserve more. Steckler wrote,

Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords.

What does this mean; and what is a ‘sophisticated thief’? The thief was sophisticated enough to breach Avast’s defences, so we can assume the thief, or thieves, can also use a password cracker. If he can ‘derive many of the passwords’, does that imply that a weak hashing algorithm was used, or simply that the hash was not salted? If a modern method of hashing was combined with secure salting, then it would be very difficult to derive the passwords.

Users deserve to know how their passwords are protected. This can only be done before the event, because once a breach has happened, the natural inclination of all companies is to minimize any blame on themselves. While the European Union is discussing mandatory breach disclosure as part of the General Data Protection Regulation, it simply does not go far enough. All companies that store user passwords should be obliged to publicly disclose how those passwords are stored and protected.

This will not help the thief. Once he has obtained the passwords, he will rapidly discover that information for himself. It will, however, help the user. The user can decide whether to trust the company before sign up; and will know how much to worry after a breach.

More to the point, however, is that security experts will publicly deride any company without good security — and that alone will force them to do better.

Categories: All, Security Issues

Hector ‘Sabu’ Monsegur to be sentenced while Hammond sits in prison

May 26, 2014

A common cry in Anonymous circles is ‘Free Jeremy Hammond; Fuck Sabu’. Jeremy Hammond is currently serving a ten-year prison sentence for his involvement in the Stratfor hack. Sabu (real name Hector Xavier Monsegur) will be sentenced tomorrow for his role in LulzSec and many other hacks. He is expected, at the FBI’s request, to walk free. The judge in both cases was, and is, Judge Loretta Preska. Comparing and contrasting the behaviour of Hammond and Monsegur explains the Anonymous cry.

(Image: Sabu)

Monsegur was the founder of the original LulzSec hacking group, (in)famous for its ‘50 days of lulz’ during the summer of 2011. Sabu was ‘outed’ and subsequently interviewed by the FBI. He rapidly (by the next day) agreed to cooperate; and has been cooperating ever since. There is some suggestion that the FBI pointed out that his two young nieces, for whom he is a foster parent, would face an uncertain future if he were incarcerated.

The extent of that cooperation is only just becoming clear, although it was always known to be extensive. Some of it borders on illegality, but is certainly immoral. The Stratfor hack was organized by Sabu at the behest of the FBI in order to entrap Jeremy Hammond – a member of Anonymous rather than LulzSec, but high on the list of the FBI’s most wanted. It worked. It also, incidentally, ensnared Barrett Brown, who was arrested effectively for publishing a link to stolen Stratfor information; although his charges have now largely been dropped.

Sabu’s cooperation also led to the unmasking and arrest of the other members of LulzSec: 2 in the UK, 2 in Ireland and one in the US. It seems clear that he also tried to implicate and entrap many others; including, for example, Jacob Appelbaum.

(Image: Jacob Appelbaum tweeting on Saturday)

He also cooperated with the government, using Hammond, to enable it to hack foreign websites. Hammond’s attorneys wrote to judge Preska last month:

(Image: letter from Hammond’s attorneys to Judge Preska)

Hammond’s own behaviour has been in direct contrast. After his arrest he decided to fight the charges. Eventually, however, he gave up and accepted a plea deal with the government. Almost exactly one year ago he announced,

Today I pleaded guilty to one count of violating the Computer Fraud and Abuse Act. This was a very difficult decision. I hope this statement will explain my reasoning. I believe in the power of the truth. In keeping with that, I do not want to hide what I did or to shy away from my actions. This non-cooperating plea agreement frees me to tell the world what I did and why, without exposing any tactics or information to the government and without jeopardizing the lives and well-being of other activists on and offline.
Statement from Jeremy Hammond regarding his plea

(Image: Jeremy Hammond, Associated Press)

His reasoning was not that he thought he would lose the case, but that the FBI would simply press similar charges elsewhere. “The process might have repeated indefinitely,” he said.

I have already spent 15 months in prison. For several weeks of that time I have been held in solitary confinement. I have been denied visits and phone calls with my family and friends. This plea agreement spares me, my family, and my community a repeat of this grinding process.

The key sentence in this announcement is, “This non-cooperating plea agreement frees me to tell the world what I did and why, without exposing any tactics or information to the government and without jeopardizing the lives and well-being of other activists on and offline.” So while Sabu cooperated with the FBI and will most likely walk free tomorrow, Hammond refused to cooperate and took a ten-year sentence. That, basically, is why the call is ‘Free Jeremy Hammond; Fuck Sabu.’

Tomorrow, 27th May 2014 at 11 am, Judge Preska will pronounce sentence on Sabu. In theory he faces a sentence of between 259 and 317 months for the crimes he has admitted. But, says the FBI in its pre-sentencing submission to Judge Preska,

Probation recommends a sentence of time served. As set forth in more detail below, Monsegur was an extremely valuable and productive cooperator.
Government’s notice of intent reference sentencing

He has, during the three years of his cooperation with the FBI, served seven months in prison. Judge Preska is expected to follow the FBI request and sentence him to seven months – allowing him to walk free.

We will update this post tomorrow with details of judge Preska’s sentence.

Update

The much delayed sentencing of former LulzSec hacker-turned-FBI informant Hector “Sabu” Monsegur finally took place on Tuesday, when he received time served plus one year of supervised release with computer logging.
Ars Technica

Categories: All, Politics, Security Issues

The eBay hack, the loss of 140 million records, and the PR fiasco

May 23, 2014

(Image: eBay, hacked on Wednesday)

There are two functions to PR: the first is to shout the good news from the hilltops, while the second is to bury the bad. When bad news hits, PR says very little.

Bad news has hit eBay. It admitted on Wednesday that it had been hacked – but it gives very little information. This is a mistake. It means that people will comb the words it used looking for clues about what has actually happened. The result is conjecture; but what follows is the conjecture of some very clever security people.

Three things leap out from the eBay statement. The first is the repeated use of the word ‘encrypted’, with no mention of hashing for the passwords. The second is the duration of the breach – it occurred in February/March, but was only discovered a couple of weeks ago. And the third is the mention of the database – not part of, nor a geographical region, but the (whole?) database. So what can we surmise from all this?

(Image: Ian Pratt, co-founder of Bromium)

Firstly, were the passwords encrypted or hashed? It makes a difference. The implication from the statement is that they were encrypted. Most security experts believe that this would be a mistake – passwords should be hashed and salted. In fact, Ian Pratt, co-founder of Bromium, goes so far as to suggest, “It would be rather unusual to encrypt passwords rather than hash them; it’s probably just lack of precision in the statement.”

But that’s what we said about the Adobe breach – and it turned out that the passwords were indeed encrypted rather than hashed. The opinion among the experts I talked to is fairly evenly balanced – while eBay’s semantics suggest they used encryption, many experts find it hard to believe. “This heavily implies that the passwords were not hashed,” said Chris Oakley, principal security consultant at Nettitude. “eBay’s report suggests that the passwords were encrypted rather than hashed,” added Brendan Rizzo, Technical Director EMEA for Voltage Security. Sati Bains, COO of Sestus, said, “Yes… it appears from the comment that they did [encrypt rather than hash].”

(Image: Jon French, security analyst at AppRiver)

“Encryption and hashing are often confused with each other,” explains Jon French, a security analyst at AppRiver. “But from the sounds of the [eBay’s] press release, it seems they were using some sort of encryption.”

Andrey Dulkin, senior director of cyber innovation at CyberArk, is in no doubt. “Indeed, from the eBay statements we understand that the passwords were encrypted, rather than hashed. The fact that the statements repeatedly use the words ‘encrypted’ and ‘decrypted’ supports this interpretation.”

It is, of course, possible that eBay is simply not differentiating between the two processes, since most of its customers will not understand the difference. “The public understand the word ‘encrypted’ more than hashed – so encrypt is frequently used in place of hashed. But it is believed they were hashed,” suggests Guy Bunker, spokesperson for the Jericho Forum and a cyber security expert at Clearswift.

(Image: Ilia Kolochenko, founder and CEO of High-Tech Bridge)

Ilia Kolochenko, founder and CEO of High-Tech Bridge (HTB), doesn’t believe we can tell from eBay’s comments. “The difference isn’t easily understood by users. Even the spokesperson might not be aware. It’s quite possible that the company simply didn’t want to introduce the complexity of describing the technicalities of hashing and salting in a brief announcement.”

What’s the difference, and why does it matter?
The primary operational difference is that encryption can be decrypted; that is the original plaintext can be retrieved from the ciphertext through the use of the encryption key. Hashed outputs cannot be mathematically returned to the original plaintext.

In practice, an entire database of passwords would be encrypted via a single encryption key. But if hashing was used, each individual password would ideally have an unknown value added to it (a ‘salt’) and the results would be separately hashed. “This salt,” explains Voltage’s Rizzo, “is a way to make sure that the hash of a particular password cannot be compared to the known hash of that same password by the attacker through the use of rainbow tables.”

This means that if an encrypted database is stolen, only one key needs to be found to unlock every password in the database. If the passwords are hashed, every single password needs to be cracked individually.

“The advantages to hashing,” Nick Piagentini, senior solutions architect at CloudPassage, told me, “are one, there is no need to manage sensitive encryption keys; two, hashing processes have less overhead to run than encryption processes; and three, there is no need to reconstruct the password data from the hash. Encryption would only be used if there was a need to get the original password back.”
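The one-key-versus-per-entry distinction in this section is easy to show in code. The following is an added example in Python (my own, not eBay’s or any vendor’s code) that builds the same three-user table two ways, once encrypted under a single key and once as individually salted PBKDF2-HMAC-SHA256 hashes, and then shows what a thief can do with each. The users, passwords and key are constructed; the reversible cipher is a toy HMAC-SHA256 counter-mode keystream standing in for a real cipher such as AES, since the only property that matters here is that the same key both encrypts and decrypts.

```python
import hashlib
import hmac
import os

# Constructed sample user table; plaintexts exist only to build the demo stores
USERS = {"alice": "123456", "bob": "123456", "carol": "9v!Qx#long-and-unique"}

# Constructed key; in a real deployment it would live in an HSM or key service
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy reversible cipher: XOR data with an HMAC-SHA256 keystream in counter mode.
    Stands in for AES; applying it twice with the same key and nonce restores the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def build_encrypted_store(users, key):
    """Password database protected by ONE key (the reading of eBay's statement)."""
    store = {}
    for user, pw in users.items():
        nonce = os.urandom(8)
        store[user] = (nonce, keystream_cipher(key, nonce, pw.encode("utf-8")))
    return store

def decrypt_all(store, key):
    """Whoever holds the key recovers every password at once; no guessing needed."""
    return {u: keystream_cipher(key, nonce, ct).decode("utf-8")
            for u, (nonce, ct) in store.items()}

ITERATIONS = 50_000   # illustrative iteration count for the demo

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def build_hashed_store(users):
    """Salted, iterated hashes: there is no key, and each entry has its own random salt."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store

def guess_hashed_store(store, wordlist):
    """Without a key the only route is guessing, and the salt forces the work per entry:
    a guess checked against alice's hash says nothing about bob's."""
    recovered = {}
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                recovered[user] = candidate
                break
    return recovered

def salted_hashes_differ(store, user_a: str, user_b: str) -> bool:
    """Identical passwords still produce different stored hashes, so a table precomputed
    for one user (or one site) cannot be reused against another."""
    return store[user_a][1] != store[user_b][1]

if __name__ == "__main__":
    enc = build_encrypted_store(USERS, DEMO_KEY)
    print("with the key, everything falls:", decrypt_all(enc, DEMO_KEY))
    hashed = build_hashed_store(USERS)
    print("hashed: only weak guesses fall:", guess_hashed_store(hashed, ["password", "123456"]))
```

With the encrypted store, obtaining the single key is the whole game, which is exactly Oakley’s argument below for hashing. With the hashed store the weak passwords still fall to a short wordlist, but each one costs the full iteration count, and carol’s unique password is untouched.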

Could the hackers have the encryption key?
This is the 64 million dollar question (and is only relevant if the passwords were encrypted). We don’t know, and we may never know. But it is certainly possible. There are two possibilities: it could have been cracked or it could have been stolen.

Reuters spoke to eBay spokeswoman Amanda Miller:

She said the hackers gained access to 145 million records of which they copied “a large part”. Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.
Hackers raid eBay in historic breach, access 145 million records

eBay says the database was compromised some time around late February or early March; but wasn’t discovered until about two weeks ago. What we don’t know is whether the compromise was still in active use by the hackers, what else they did during the two months they were undetected, or whether they left something unwelcome behind. Frankly, I find it hard to believe that having gained access without being discovered the hackers did not have a good look round.

(Image: Chris Oakley, principal security consultant at Nettitude)

(Incidentally, it is worth pointing out at this point another comment from HTB’s Kolochenko. Basically, eBay’s statement that financial details were safely stored on a separate server is pretty meaningless. “The two servers would have to communicate,” he explained. “The hackers could have installed some malware to listen to the communication between the servers, and sniffed the plaintext traveling between them.”)

So could they have found the encryption key? Opinion is divided. “This is a primary argument for using hashing over encryption for password storage,” comments Nettitude’s Oakley; “an attacker who is able to compromise the database may also be in a position to obtain the encryption key(s).” (Incidentally, if the passwords were hashed rather than encrypted, the hackers could just as likely have found the salt or salt mechanism, rendering the hashed passwords relatively easy to crack via rainbow tables.)

On the other hand, “I would hope they [eBay] didn’t ‘tape the key to the door of the safe’”, comments Trey Ford, global security strategist at Rapid7. “eBay and PayPal have solid security teams, and go through regular third-party assessments. I refuse to believe they would handle encryption key materials that poorly.”

(Image: Trey Ford, global security strategist at Rapid7)

And yet they left the users’ email addresses and other personal information unencrypted. If they were using encryption seriously, they would have used a hardware security module (HSM) to house the keys, and would have encrypted everything. “They do not seem to be very confident about their encryption system,” comments Sebastian Munoz, CEO of REALSEC, “when they are suggesting their customers to reset passwords. If efficiently encrypted, using specific certified hardware, there would be no need to reset the passwords, since protection is guaranteed. When you use a Hardware Security Module (HSM) and not a simple and insecure encryption-by-software process, there is no way that hackers can gain access to the encryption keys.”

Munoz further suspects that software based encryption was used since only the passwords were encrypted. Since software encryption impacts on performance, then cost arguments come into play.

(Image: Sebastian Munoz, CEO of REALSEC)

So, given the duration of the breach and the probable lack of an HSM, it is perfectly possible that the hackers also found the encryption key – and if this is the case, they now have access to all, or the greater part, of 145 million passwords, along with ‘email address, physical address, phone number and date of birth’.

If they did not find the key, would they be able to crack the encryption key? Again, opinion is divided – it all depends upon what encryption algorithm was used. Older encryption algorithms might be susceptible to a ‘known plaintext’ attack (see Wikipedia for details). Getting the necessary plaintext would be no problem. The most popular passwords are remarkably consistent – so a simple analysis with something like DigiNinja’s Pipal on an existing cracked database would provide a fair sampling of plaintext.

(Image: Dr Guy Bunker, spokesperson for the Jericho Forum and a cyber security expert at Clearswift)

“However,” notes Bromium’s Ian Pratt, “assuming any kind of modern encryption (e.g. AES-128) was used then a known plaintext attack should not be feasible to recover the key and hence reveal other passwords.”

“Another approach,” suggested Clearswift’s Bunker, “is to ‘inject’ known passwords (either the hash or the encrypted version) into the database. This would create the equivalent of denial of service for the individual but would allow the attacker free rein over the account.”

The problem is we simply do not know what has happened. eBay’s attempts to downplay the incident are simply leading to conjecture.

UPDATE
While writing this report, Rapid7’s Trey Ford noticed adverts for the sale of eBay’s stolen database beginning to appear on Pastebin. “There has now been a posting on pastebin claiming to offer ‘145 312 663 unique records’ relating to the eBay breach,” he told me by email. We don’t know if they’re genuine, “it’s possible that a criminal has just spotted an opportunity to cash in on the attack with some other credentials dump they have.”

An analysis of the sample provided is inconclusive – the records are possibly genuine but not certainly genuine. But Ford had a look at the sample:

The sample that has been shared indicates that cracking the passwords will take considerable time. This is nothing like what we saw when LinkedIn was breached and the stolen credentials were quickly cracked due to only SHA-1 hashing being used for storage. In contrast, this credentials set is using PBKDF2 (Password-Based Key Derivation Function 2) SHA-256 hashes, which means they employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations. The method used can be regarded as the state-of-the-art way to store passwords on web applications. Again though, we don’t know that these are credentials taken from the eBay breach, and no details have come from eBay on how they secure passwords.
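Ford’s description of the sample (PBKDF2 with SHA-256, a per-user salt and a high iteration count) maps directly onto how a web application stores and checks such a record. The following is an added example in Python; it is my own code, not eBay’s and not derived from the sample Ford examined. The record layout `pbkdf2_sha256$iterations$salt$hash` is constructed for this example (several frameworks use a similar self-describing shape), and the iteration counts are illustrative rather than a recommendation. It also shows the one operational detail the quote implies but does not spell out: because the iteration count travels with the record, old records can be upgraded to a higher count the next time the user logs in.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"   # constructed record tag for this example

def make_record(password: str, iterations: int = 200_000, salt: Optional[bytes] = None) -> str:
    """Self-describing stored record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random 16-byte salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])

def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, expected_digest)."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGORITHM:
        raise ValueError("unsupported algorithm tag: " + algo)
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)

def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str, min_iterations: int) -> bool:
    """True when the record was made with fewer iterations than current policy demands."""
    iterations, _, _ = parse_record(record)
    return iterations < min_iterations

def login(password: str, record: str, min_iterations: int) -> Tuple[bool, str]:
    """Check the password and, on success, transparently upgrade a below-policy record.
    Returns (accepted, record_to_store)."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record, min_iterations):
        record = make_record(password, min_iterations)   # only possible while we hold the plaintext
    return True, record

if __name__ == "__main__":
    old = make_record("hunter2", iterations=50_000)       # constructed legacy record
    ok, new = login("hunter2", old, min_iterations=100_000)
    print("accepted:", ok, "| upgraded:", parse_record(new)[0] == 100_000)
```

The attacker cost Ford describes comes from the iteration count: every guess against a record costs that many HMAC-SHA256 computations, whereas a single SHA-1 (the LinkedIn case he contrasts) costs one. The salt being random and per-record is what makes the work non-transferable between users.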

This would fit in with eBay’s apparent confidence that the passwords cannot be hacked. However, Reuters spoke to eBay about the sample, and

eBay’s [spokesperson Amanda] Miller said the information was not authentic.
U.S. states probe eBay cyber attack as customers complain

AppRiver’s Jon French also noticed the Pastebin offer. He told me by email,

I’ll be wary of anything like this until I see people saying they see their own names (or if I end up seeing mine). Eventually if the Pastebin offer is legit, someone will post the file for free somewhere or some security company that buys it will verify authenticity.

His colleague, Troy Gill, a senior security analyst at AppRiver also suggested something that serious criminals will be well aware of: “There is always the remote possibility that this is a honey pot set by authorities to lure in would be buyers.”

Summary
eBay is taking the standard route for crisis management: say nothing. This is hugely disrespectful to its customers, who need and have a right to know everything possible. But eBay is also making a mistake in trying to downplay the effect of the stolen data. It says it has “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information.” This is meant to make its customers feel better – the danger is that it might.

What eBay isn’t saying is that the unencrypted personal data also stolen (email address, physical address, phone number and date of birth) is a phisher’s wet dream. Armed with that information criminals will be able to concoct very compelling emails and cold calls. This is likely to happen on a vast scale and very soon. eBay might feel confident about its own business, but the data it has lost puts millions of individuals and other companies in danger.

“When companies like eBay keep silent about the details,” commented High-Tech Bridge’s Kolochenko, “I would tend to expect the worst.” It is perhaps worth remembering the Adobe incident, which started off with a breach of a couple of million and slowly escalated into one of the worst breaches in history.

Categories: All, Security Issues

FBI indicts five members of the Chinese military for hacking US companies

May 20, 2014

Eric Holder yesterday announced: “Today, we are announcing an indictment against five officers of the Chinese People’s Liberation Army for serious cybersecurity breaches against six American victim entities.”

(Image: The five Chinese military men wanted by the FBI)

The five officers are known by the aliases UglyGorilla, Jack Sun, Lao Wen, hzy_1hx and KandyGoo. They are members of the PLA’s military unit 61398 (you may recall that this is the unit accused by Mandiant last year as being the source of the APT1 hacking group). They stand accused of using spearphishing to penetrate six US companies (Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel, the United Steelworkers Union and SolarWorld) to conduct economic espionage.

“This is a tactic that the U.S. government categorically denounces,” said Holder. “As President Obama has said on numerous occasions, we do not collect intelligence to provide a competitive advantage to U.S. companies, or U.S. commercial sectors.” This is from the man who lied to Congress.

It is also inaccurate. The Snowden files have shown that the NSA has bugged trade negotiations; and trade negotiations are quite plainly ‘economic’ – with US industry likely to benefit. And of course the NSA’s hacking of Chinese servers, and the exclusion of Huawei over fears that its equipment might be backdoored while the NSA proceeded to backdoor Cisco equipment, has somewhat ceded the moral high ground.

I asked FireEye, which now owns Mandiant, if it had supplied any of the information used by the FBI in its indictment. A spokesperson told me, “The US government just used information from the APT1 report which was published. We did not actively provide information. We believe this was a natural escalation after the revelation – the PLA group went quiet but now are very active again so was only a matter of time.”

But there may be another reason for the delay between Mandiant’s initial report and this indictment… Generally speaking, law enforcement needs a victim complaint over intelligence of a crime before it can take action against the suspected criminal; so it has had to wait for the hacked companies to investigate and complain before it could commence the indictment proceedings.

Luis Corrons, PandaLabs


Luis Corrons, technical director at PandaLabs, finds this a frequent problem. “This year I have handed LEA information about 3 different criminal cases; and all 3 of them have real evidence of who is behind them. But if there is no official complaint from the victims, nothing happens. One of the cases is multinational – the local LE tried to convince a Spanish company who was victim to present a complaint, but it didn’t want to. Now the LEA is trying in different countries to convince victims to present a complaint.

“But this is not the only problem,” he continued. “Some investigations are really complex, and while for me it can be ‘easy’ to gather evidence, for an LEA to do it in the proper and legal way can take months or even years.”

If that’s the case here, this indictment is actually quite speedy.

But is it wise?

Much of the security industry is in favour of the US action. “This really could be a landmark moment that has the potential to change the way in which we respond to the growing threat presented by digital criminality,” said Martin Sutherland, managing director of BAE Systems Applied Intelligence, in an emailed statement. “This current case is encouraging and sets an interesting precedent for other countries combating digital crime.”

“The US government is toughening up its language against nation-state and industrial cyber-espionage,” said Bob West, chief trust officer at CipherCloud in another email. “We’re calling out the Chinese government for its role fostering theft of American intellectual property and doing it by naming specific hackers with military ties.”

“While I doubt that foreign military commanders who are prosecuted by the Department of Justice will be successfully apprehended and brought to justice,” said Tom Cross, director of security research at Lancope, “these prosecutions do send a clear message regarding what sort of behavior the United States views as unacceptable.”

In each case I asked a few questions. Most pertinent was this:

Is it not pure hypocrisy? We know from the Snowden files that the NSA has hacked Chinese servers. Holder says ‘we do not do it for economic advantage’. Leaving aside any cynicism over such a statement, isn’t it irrelevant? Holder is saying that the accused have broken US laws; but the US breaks Chinese laws. So what is the legal difference?

I have not had a reply. In fairness, it probably has as much to do with trans-Atlantic time zones as a disinclination to respond; and I will update this post with any replies that I get.

However, it is the problem I have with the US action. It is a nation that claims to uphold the rule of law – but only the rule of US law. This action says to the world, you must all abide by our laws, but our laws are the only ones that we need abide by.

Categories: All, Politics, Security Issues

Worldwide crackdown on BlackShades RAT users

May 19, 2014 1 comment

First official indications emerged at the Reuters Cybersecurity Summit (although there have been rumblings in hacker circles for a couple of weeks now). This was last Wednesday. The FBI executive assistant director Robert Anderson, appointed in March to oversee ‘all FBI criminal and cyber investigations worldwide, international operations, critical incident response, and victim assistance’, announced:

There is a philosophy change. If you are going to attack Americans, we are going to hold you accountable. If we can reach out and touch you, we are going to reach out and touch you.

Eurojust – coordinated the European action


Within days it emerged that the FBI is reaching out to touch buyers and users of the BlackShades remote access trojan — not just the FBI, but law enforcement agencies around the world. It was officially a two-day operation involving the law enforcement and judicial agencies of more than ten countries, coordinated in Europe out of Eurojust with representatives from Eurojust, Europol’s EC3 and the FBI present.

To put the size of the operation in context, action took place in the Netherlands, Belgium, France, Germany, UK, Finland, Austria, Estonia, Denmark, USA, Canada, Chile, Croatia and Italy. 359 house searches were undertaken; over 1,100 data storage devices were seized; and 97 arrests have been made. Seventeen arrests were in the UK.

BlackShades is a remote administration tool; but coupled with malware it becomes a remote access trojan. It can be bought on the internet for anything between £40 and £100 depending on the variant purchased. Although there is (at the time of writing this) no official confirmation of any arrests in the US, the FBI’s influence is clear throughout. Indeed, the UK’s National Crime Agency (NCA) specifically describes the operation as ‘initiated by the FBI’. And noticeably, the bshades.eu website has been seized by the FBI.


bshades.eu – seized by the FBI


There is little doubt that BlackShades is a serious threat. The NCA suspects that its UK users may have stolen 200,000 user names and passwords around the world. Nevertheless, it is simply not as well known, nor has it done the same amount of damage, as some of the other well-known malwares. So why choose BlackShades rather than, for example, Zeus?

“I suspect,” David Harley, senior research fellow with ESET told me, “that BlackShades – and, maybe more to the point, its users – constituted a relatively easy target because it had operated within an area seen as legally ‘grey’. It looks to me as if those involved were often less scrupulous about covering their tracks than the career criminals associated with more heavyweight malware. It could be that they see themselves as borderline legal or at any rate of less interest to law enforcement, despite their association with the somewhat notorious Cool Exploit kit.”

The ‘grey area’ is that a remote administration tool is not illegal; it is only when it is used as a remote access trojan that it becomes so. Consider this, for example, from a German BlackShades user highlighted by Rickey Gevers:


I’m OK – I’m a RAT user, not a RAT user…

The author writes, “Hey guys, guess what happened today.” He had a visit from the German police who took away his computer because it contains BlackShades. But he’s not worried because he only used it for testing purposes on his own computers — that is, as a remote administration tool.

But the other point to note is the date and his reference to rumours going on for days or weeks. It would seem that this operation has been going on for longer — and is probably a lot wider — than the official announcements so far. And remember also that we have not yet heard of any US arrests.

Last word goes to Rickey Gevers:

If all the above is true we are just seeing the tip of the iceberg. And are probably being witness of one of the biggest international raids ever related to cybercrime.

Categories: All, Security Issues

C-13 — a two-faced law from a two-faced government

May 18, 2014 Leave a comment

One of the nastiest little tricks of nasty little governments is to hide new laws that they don’t want us to know about in popular laws that we all welcome. All governments do it — and the latest example is being done to us in Canada.

Parliament of Canada

The Bill is C-13. It is called the Protecting Canadians from Online Crime Act — but has been sold to the people as the anti-cyberbullying law. Everybody agrees with the need for laws against cyberbullying and the practice of ‘revenge porn’ that frequently lies behind it. That’s the public face of C-13.

The government says,

This enactment amends the Criminal Code to provide, most notably, for

(a) a new offence of non-consensual distribution of intimate images as well as complementary amendments to authorize the removal of such images from the Internet and the recovery of expenses incurred to obtain the removal of such images, the forfeiture of property used in the commission of the offence, a recognizance order to be…
Bill C-13

But you know there are problems when the mother of a victim of cyberbullying stands up and says, this is wrong. Carol Todd (whose daughter, Amanda, took her own life) wants the public face of C-13; but is worried about what lies beneath — the hidden face of C-13. That hidden face is all about providing the authorities with personal information on demand without a judicial warrant.

Todd wants emotional issues like cyberbullying to be kept separate from contentious issues like information sharing.

The government swiftly rejected Todd’s proposal, in keeping with its pattern of linking the two issues, likely because the Conservatives know that the only way to get the public to swallow unacceptable intrusions into our privacy is by linking them to child protection.
Feds slyly expand power to invade privacy

That’s what C-13 is really about — making it easier for government officials to obtain users’ personal data from the telcos. But it does it more subtly than the earlier controversial and contentious C-30. At that time, the proposal was that the telcos would have to hand over data on demand. This one doesn’t do that — it simply provides immunity to the telcos when they do so.

Professor Michael Geist


Two years ago, Michael Geist revealed that the telecoms companies were collaborating with the government over C-30:

In the months leading up to the introduction Bill C-30, Canada’s telecom companies worked actively with government officials to identify key issues and to develop a secret industry-government collaborative forum on lawful access.

The working group includes virtually all the major telecom and cable companies, whose representatives have signed nondisclosure agreements and been granted secret-level security clearance.
How Canada’s telecoms quietly backed Internet surveillance bill

That collaboration has probably never stopped. Governments want telcos’ user data; and telcos cannot thrive without government approval. Ergo, telcos will work with governments to provide whatever is required. C-30 would have given the telcos legal support for surrendering customer data.

But even though they didn’t get C-30, it hasn’t stopped the telcos handing over the data. On 30 April 2014, the Canadian Privacy Commissioner published details of the telcos’ information disclosure to government authorities. Twelve telcos were asked to respond. Nine did. The figures show that there were almost 1.2 million government requests (on average) per year. The number of accounts that were subject to disclosure by the telcos amounted to 784,756 (but with the added note, “This total only includes three providers as five providers were unable to provide this information”). We can confidently assume that there are more than 1 million government requests for personal information every year, and that in the majority of cases the telcos provide that information without a judicial requirement, while refusing to tell either the privacy commissioner or the users who was involved or what information was required for what purpose.

C-13 will allow the telcos to hand over data willingly without fear of privacy action from the user. This would include giving almost any customer data to almost any government official without the awkward need for a judicial warrant.

Blacklock’s Reporter, an Ottawa-based website that covers the federal government, reported that, according to lawyers and police, this would allow any clerk at the CRA to hand confidential information to any police officer on a fishing expedition with no paper trail.

Currently, tax information can only be released by a judge. If the Tories pass this clause unamended, it will no longer be judges making that call, but CRA officials, which is scary.
Feds slyly expand power to invade privacy

C-13 is scary. And so indeed is any government, and that includes almost all of them, that tries to smuggle in invidious legislation in an insidious manner.

Categories: All, Politics, Security Issues

The hypocrisy of the European Union’s Freedom of Expression guidelines

May 17, 2014 Leave a comment

In the blue corner...

Last week the Council of the EU published the EU Human Rights Guidelines on Freedom of Expression Online and Offline. It is really aimed at non-EU states that show little regard for human rights — but the reality is the EU should look closely at its own behaviour.

Consider just three extracts:

1. Free, diverse and independent media are essential in any society to promote and protect freedom of opinion and expression and other human rights. By facilitating the free flow of information and ideas on matters of general interest, and by ensuring transparency and accountability, independent media constitute one of the cornerstones of a democratic society. Without freedom of expression and freedom of the media, an informed, active and engaged citizenry is impossible… Efforts to protect journalists should not be limited to those formally recognised as such, but should also cover support staff and others, such as “citizen journalists”, bloggers, social media activists and human rights defenders, who use new media to reach a mass audience…

2. Support the adoption of legislation that provides adequate protection for whistleblowers and support reforms to give legal protection to journalists’ right of non-disclosure of sources…

3. The right to seek and receive information
The right to freedom of expression includes freedom to seek and receive information. It is a key component of democratic governance as the promotion of participatory decision-making processes is unattainable without adequate access to information. For example the exposure of human rights violations may, in some circumstances, be assisted by the disclosure of information held by State entities. Ensuring access to information can serve to promote justice and reparation, in particular after periods of grave violations of human rights. The UN Human Rights Council has emphasized that the public and individuals are entitled to have access, to the fullest extent practicable, to information regarding the actions and decision-making processes of their Government…

These are, put simply, ‘a free and independent press, including bloggers’; ‘protection for whistleblowers’; and ‘freedom of information’ — all of which are necessary to and in a democratic society.

Independent press
The UK seeks to curtail an independent press. It does this through threats (such as using the Leveson proposals against journalists and editors), abuse of the Terrorism Act (just as Obama abuses the Espionage Act), and pure and simple bullying.

Leveson
Example: When Guido Fawkes’ political blog scooped the mainstream press on the arrests of Max Clifford, Jim Davidson and Rolf Harris, Fawkes wrote,

No judge has ordered reporting restrictions in relation to Rolf Harris, no super-injunctions prevent the reporting of news concerning him, instead his lawyers Harbottle and Lewis are citing the Leveson Inquiry’s report in letters to editors of newspapers – cowing them into silence. The Leveson effect is real and curtailing the freedom of the press through fear.
Leveson Effect: Can You See What It Is Yet?

Terrorism Act
Example: David Miranda was arrested, detained at Heathrow, and had his computer equipment confiscated when he was merely passing through Heathrow on the way from Berlin to Brazil. To achieve this, the UK government had to classify him as a terrorist for possibly carrying Snowden files.

Bullying
Example: Government officials insisted on and oversaw the physical destruction of The Guardian’s hard disks that contained Snowden files.

Manning, Assange & Snowden – the 3 great whistleblowers of the modern age


Protection for whistleblowers
The three great whistleblowers of the modern age are Chelsea (Bradley) Manning, Julian Assange, and Edward Snowden. Manning is in prison and likely to stay there for many years to come; Assange has a European Arrest Warrant against him and is effectively imprisoned for life in the Ecuadorean Embassy in London; and the whole of Europe has refused to provide asylum to Snowden.

At the Stockholm Internet Forum set for the end of May, and hosted by the Swedish government,

.SE – the only non-governmental organization among the hosts – made a list of possible candidates. The most important name on it: Edward Snowden. Further names included journalists Glenn Greenwald and Laura Poitras, the two journalists that informed the world about the NSA’s activities, Guardian Editor in Chief Alan Rusbridger as well as hacker Jacob Appelbaum, who found the mobile phone number of German Chancellor Angela Merkel in Snowden’s database. The list of candidates was sent to the Swedish Foreign Ministry for approval.
Swedish Foreign Ministry prevents Snowden’s invitation

In the event, Carl Bildt’s foreign ministry vetoed all except Laura Poitras, who declined the invite because of the blacklist.

If the European Union was serious about protection for whistleblowers, it would provide protection for Assange and Snowden. For the former it is assisting the US attempts at getting him into the USA; and for the latter it is doing nothing to prevent it.

Dr Helen Wallace – executive director of GeneWatch


Freedom of information
This, says the EU, is a necessary ingredient for democracy — but denies it to its own people. In April, Dr Helen Wallace of GeneWatch announced

GeneWatch has spent 12 months battling to reveal documents showing extensive government contacts between the Department of Food, Environment and Rural Affairs (Defra) and the GM crop lobby crop the Agricultural Biotechnology Council (ABC).

“These partial documents strongly suggest the Government is colluding with the GM industry to manipulate the media, undermine access to GM-free-fed meat and dairy products and plot the return of GM crops to Britain”, said Dr Helen Wallace, Director of GeneWatch UK, “The public have a right to know what is going on behind closed doors”.

She was complaining about missing and redacted documents from the Department for Environment Food & Rural Affairs (DEFRA). Early in May she commented,

These documents expose Government collusion with the GM industry to agree PR messages and blacklist critical journalists. Scientists have been cherry-picked to push GM industry PR, as it seems the Government has made promises of research funds tied to public-private partnerships with Monsanto or Syngenta dependent on supporting commercial cultivation of RoundUp Ready GM crops in Britain. Disturbingly, the Government has also been kept in the loop over lobbying by GM feed importers behind closed doors to stop supermarkets offering their customers the choice of GM-free-fed meat and dairy products. British consumers have lost out to boost Monsanto’s profits, as more GM RoundUp Ready soya is shipped in for use in feed, harming the environment abroad.

In short, the UK government systematically denies information to the UK people where the democratic process might disturb its autocratic purposes. This is contrary to both the spirit and word of the EU’s freedom of expression guidelines.

The only realistic conclusion that can be drawn from the EU guidelines is that they are nothing other than propaganda designed to make European citizens believe that they live in a democracy. It wants the world to believe that it has high ideals over freedom of expression and access to information, but does little to ensure it within its own borders.
