Archive for the ‘Security Issues’ Category

Diplomat to be new head of GCHQ

April 16, 2014

Robert Hannigan — new head of GCHQ

The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully: he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban as head of Britain’s signals intelligence agency, comes out of the Foreign Office and is a former adviser to Tony Blair on Northern Ireland.

Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian

The implication is clear: maybe, just maybe, Cameron has realised the severity not just of public concern and distrust over GCHQ, but of the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely that Britain will be excluded from the EU’s Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.

The Guardian goes on to give an example of Hannigan’s diplomacy:

Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.

The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.

Google amends its Terms of Service

April 16, 2014

With most privacy laws you can pretty much do what you want provided you are up front about it. The key is the ‘informed consent’ of the user.

Google has been getting grief from legislators who claim that the complexity of its privacy policies make it impossible for users to be informed, and difficult for them to opt out if they do not consent.

One continuing argument is over Google’s scanning of email content in order to provide targeted advertising to Gmail users. The nub of the argument is that claimants say they have not given consent to this scanning while Google’s response is that consent is implied by use.

Now Google has made its practices explicit with a Monday addition to its terms of service. It has added a new paragraph:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
Google Terms of Service

I think Google was correct in reality if not legality when it claimed that consent was implicit in use — most if not all users are perfectly aware that email content is scanned electronically. The new paragraph makes this explicit: informed consent is now given by use of Google services.

What I still find interesting is that this consent is said to apply to received emails. If a non-Google user sends me a message, how is that user giving consent for the message to be scanned by Google? Is it realistic for non-Gmail users to read Google’s terms of service before emailing a Google user?

I don’t believe it is. So who owns the content: the sender or receiver? Copyright would suggest it is the sender — in which case this amendment to the terms of service will go some way, but not all the way, towards solving Google’s privacy issues.

Having sex online can seriously damage your economic health

April 15, 2014

Get Safe Online is warning young males about the webcam sex-blackmail scam. It seems to be targeting youngsters in Avon and Somerset because when I asked about other cases I was told, “The City of London police haven’t been able to provide any further stats, as this is a relatively new type of fraud.”

Strange, because it certainly isn’t new and is unlikely to be limited to Avon and Somerset.

Avon and Somerset Constabulary has dealt with several cases where, following connecting via social networking sites, victims (usually young males) are lured into taking off their clothes in front of their webcam – and sometimes performing sexual acts – which is videoed by the fraudster. The victims are then threatened with blackmail to avoid the video being published online and shared with their contacts. Investigations have revealed that most of these cases stem from abroad, making them difficult to trace.

That’s the scam in a nutshell. But it’s certainly not new, and you can get a more complete description from a BBC report from September 2012.

She said she was French, living in Lyon, but was on holiday in Ivory Coast. We then chatted for a bit on MSN and I could see a video of her. She was a very beautiful French-looking girl, very pretty.

She was dressed to begin with and asked whether I would be interested in going further. I asked what that meant and she said she wanted to see my body… everything.
Blackmail fraudsters target webcam daters

This particular case seems to have been in France, but adds another potentially more worrying aspect. The subsequent video was published with a caption saying the victim performed a sex act in front of a young girl – and that unless he pays €500 to take it down, the world would soon know he is a paedophile.

“At the moment we are persuaded that there are several blackmail attempts committed every day,” says Vincent Lemoine, a specialist in cybercrime in the Gendarmerie’s criminal investigations unit.

So it’s not new and already widespread. Perhaps it’s just newly migrated to the UK because, let’s face it, we Brits have a reputation for not even shaking hands without a formal introduction. But it is a problem and it’s very likely to be an increasing problem. I just wish that Get Safe Online would get real with the young of today. Its language simply doesn’t resonate.

“It’s terrible that fraudsters are targeting innocent people in such a personal way,” said Tony Neate, Chief Executive of Get Safe Online. The language is so British and understated. Terrible? Devastating and possibly life threatening (“His blackmailers were relentless and he could see no end to his ordeal. A week after the first demand, he killed himself.” BBC report) might be more accurate.

I also have some concerns over whether Get Safe Online actually understands young culture. The purpose of the warning is admirable – but the advice given somewhat misses the mark. “Be wary about who you invite or accept invitations from on social networking sites. Don’t accept friendship requests from complete strangers. You wouldn’t do this in real life!”

That’s the problem. That’s exactly what people actually do in real life. We dress up, go out on the town, hook up with a complete stranger and have sex. It’s called a one-night-stand and it’s what weekends were invented for. And all friends were strangers before they became friends, so saying don’t make friends with strangers is a bit silly.

So I would say to Get Safe Online, if you want to seriously warn the youngsters of today, Get Safe should first get real.

If you want more advice on the threat from Get Safe, there’s an outline on their site:

[Get Safe Online warning graphic]

I think the illustration is meant to show a worried young man who is being blackmailed – but it could just be someone giving head to a stranger he just met on Facebook.

New Android flaw could send you to a phishing site

April 14, 2014

Last week news of the Heartbleed bug broke. Initial concern concentrated on the big service providers and whether they were bleeding their users’ credentials, but attention soon turned to client devices, and in particular Android. Google said only one version of Android was vulnerable (4.1.1 Jelly Bean); but that release belongs to the 4.1.x family which, by Google’s own figures, was running on roughly one-third of all Android devices at the time.

The problem is that Android simply won’t be patched as fast as the big providers. Google itself is good at patching; but Android is fragmented across multiple manufacturers and carriers, who are themselves responsible for delivering updates to their users, and historically they have not been good at it. It prompted ZDNet to write yesterday:

The Heartbleed scenario does raise the question of the speed of patching and upgrading on Android. Take for instance, the example of the Samsung Galaxy S4, released this time last year, it has taken nine months from the July 2013 release of Jelly Bean 4.3 for devices on Australia’s Vodafone network to receive the update, it took a week for Nexus devices to receive the update.
Heartboned: Why Google needs to reclaim Android updates

Today we get further evidence of the need for Google to take control of Android updating: information from FireEye on a new and very dangerous Android flaw. In a nutshell, an app holding only ‘normal’ permissions can silently re-point other apps’ home-screen icons.

FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.
Occupy Your Icons Silently on Android

The danger is that this can be done without any warning. At install time Android lists only permissions in the ‘dangerous’ protection level; ‘normal’ permissions, which this flaw relies on, are granted automatically and never shown to the user. The effect is that an apparently benign app can have dangerous consequences: tap the icon of your banking app and land on a phishing page instead.

FireEye’s POC test app does not display any warning to the user

As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)

Google has already released a patch to its OEM partners, and Nexus users will soon be safe. But others? “Many android vendors were slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” urges FireEye.

Is it safe to carry on using Dropbox with Condoleezza Rice on the Board?

April 14, 2014

Drew Houston, Dropbox (Wikipedia)

No. How could you even ask? Leopards do not change their spots except on the road to Damascus; and Rice was too involved in the road to Baghdad with warrantless wiretapping along the route.

And what is Drew Houston, founder and CEO of Dropbox even thinking? On 9 April he blogged:

Finally, we’re proud to welcome Dr. Condoleezza Rice to our Board of Directors. When looking to grow our board, we sought out a leader who could help us expand our global footprint. Dr. Rice has had an illustrious career as Provost of Stanford University, board member of companies like Hewlett Packard and Charles Schwab, and former United States Secretary of State. We’re honored to be adding someone as brilliant and accomplished as Dr. Rice to our team.
Growing our leadership team

Condoleezza Rice, 2005 (Wikipedia)

It is true that Rice has had an illustrious career. However, some of the bits not mentioned by Houston include being a board member of Chevron (one of the top six ‘supermajor’ oil companies) before becoming Bush’s National Security Advisor (the two positions actually overlapped for one month). As National Security Advisor she understood the need for the petrodollar invasion of Iraq and was a strong supporter of the 2003 invasion.

On Iraq’s weapons of mass destruction, the primary and false premise that justified the war, she said, “The problem here is that there will always be some uncertainty about how quickly he can acquire nuclear weapons. But we don’t want the smoking gun to be a mushroom cloud.” As Ming Campbell said of Tony Blair, you are either incompetent or lying.

There’s more. Rice was a strong supporter of the NSA’s warrantless wiretapping program; and it is claimed she personally authorised eavesdropping on UN officials. The Guardian reported on a leaked memo in 2003 instructing the NSA to increase surveillance “‘particularly directed at… UN Security Council Members (minus US and GBR, of course)’ to provide up-to-the-minute intelligence for Bush officials on the voting intentions of UN members regarding the issue of Iraq.”

The existence of the surveillance operation, understood to have been requested by President Bush’s National Security Adviser, Condoleezza Rice, is deeply embarrassing to the Americans in the middle of their efforts to win over the undecided delegations.
Revealed: US dirty tricks to win vote on Iraq war

Now, seriously, do we want a supporter of warrantless surveillance to be on the Board of a company that holds some of our most precious documents, photos and thoughts?

Andrew Weev Auernheimer freed on an important technicality

April 13, 2014

Just over one year ago, Andrew (Weev) Auernheimer was sentenced to 41 months in prison for downloading data that AT&T had left exposed on the internet. That data was the email addresses of more than 100,000 early iPad adopters; and was a major embarrassment for AT&T.

Perhaps because of the importance of AT&T to law enforcement; perhaps because of the celebrities and government officials included in the early adopters; the government prosecuted Weev under the Computer Fraud and Abuse Act.

The important point to remember is that Weev performed no hack and subverted no security defences: he merely requested a publicly reachable AT&T web page that returned an email address for each ICC-ID supplied, and iterated through ICC-IDs. The implication of the government action against him is that any site could declare any data ‘prohibited’ after it had been downloaded, and the government could then prosecute anyone who had downloaded it.

It would also mean that much genuine and valuable security research — such as testing a website to see if it is vulnerable to the Heartbleed bug — and even the compilation of web search databases such as Google and Bing would be illegal.

Weev appealed his conviction, and one year and a bit later, on 11 April 2014, a Third Circuit panel vacated it.

The satisfactory outcome is that Weev has been freed from another government CFAA overreach. The unsatisfactory outcome is the cop-out manner in which it was done by the court.

The appeal was argued on two grounds: misuse of the CFAA, and the venue of the trial in New Jersey. Venue matters in US federal criminal law: a defendant must be tried in a district where an essential conduct element of the offence took place. If the conviction had been allowed to stand, prosecutors could cherry-pick the forum, and with it the state computer-crime statute used to turn a CFAA misdemeanour into a felony, as they appear to have done with Weev.

In this instance Auernheimer was in Arkansas, his accomplice was in California, AT&T’s servers were in Texas and Georgia, and Gawker (which published some of the email addresses downloaded by Weev) was in New York. But the government prosecuted him in New Jersey, whose computer-crime statute was used to elevate the charge and lengthen the sentence.

Few people believe that Weev’s conviction and sentence was anything other than a miscarriage of justice. This view could have been upheld by the appeal court either on the misuse of the CFAA or the venue of the trial. It chose the latter because this meant it did not need to consider the former. The great news is that the conviction has been vacated; the disappointing news is that the CFAA itself has not been challenged and future overreach remains a distinct possibility.

Mandiant: has the leopard changed its spots in its first major report since being acquired by FireEye?

April 10, 2014

The Mandiant M-Trends 2014 Threat Report: Beyond the Breach, published today, is Mandiant’s first report since its acquisition by FireEye. Mandiant is a technically competent company (it was one of the original four companies chosen by GCHQ to take part in the pilot incident response scheme); but for me it is also a politically suspect company. The latter stems from its famous or infamous APT1 report from just over a year ago. That report very clearly accused the Chinese government of being involved with the APT1 hacking group, which it said was part of the People’s Liberation Army Unit 61398. This was at a time when it was politically expedient for the US government to hype the cyber terrorism threat, and to particularly challenge China. No other security expert or company that I have spoken to has ever suggested that it is possible to be so certain about the precise source of a cyber attack.

So I consider that there are two aspects to this new report worthy of consideration: firstly its content because of Mandiant’s expertise; and secondly, any political over- or undertones following the takeover by the more circumspect and therefore believable FireEye.

Jason Steer, director of technology strategy, FireEye

There are five sections to this report. Jason Steer, director of technology strategy (from the FireEye pedigree) guided me through them: some general statistics; a closer look at Syrian Electronic Army activities followed by an evaluation of ‘suspected’ Iranian activities; a look at financial attacks with particular focus on the retail industry; and then what amounts to a defence of the APT1 report.

The statistics come from Mandiant customers, but Jason pointed out that doesn’t mean only large companies. “Some of our customers have as few as 200 users,” he told me. It’s not the size of the company that would warrant FireEye/Mandiant involvement, but the value of the data to be protected. He mentioned small companies that might have a highly valuable Trading Floor algorithm to protect, or a patent on the transmission of power via laser.

Those statistics appear to show a very slight improvement in the state of security. Compromises are being detected up to two weeks faster than they were in 2012; but against this the number of breaches detected by the breached company is down from 37% to 33%. 67% of victims were warned of the breach by an outside source, sometimes a bank or financial institution, but “Law enforcement is one of the primary sources,” Jason told me. Agents watch and monitor the underground chat rooms, pick up hints and warn the victim. (Of course, if the victim is particularly unlucky, discovery may come via Brian Krebs and Hold Security and be exposed to the world via KrebsOnSecurity.)

One conclusion from the statistics could be that criminals and malware are getting better at hiding themselves on the network; but that law enforcement has become even better at infiltrating underground chat rooms.

The section on the Syrian Electronic Army provides additional lesser known facts about SEA’s methods. It is often suggested that SEA is unsophisticated and technically inferior to other groups. We don’t actually know this because it has been very successful in what it does and what it seeks: compromise sites and accounts for propaganda purposes. It needs little more than successful phishing, and its phishing has been very successful.

“Since its inception in 2011,” reports Mandiant, “the SEA has successfully infiltrated more than 40 organizations, primarily targeting the websites and social media accounts of major Western news agencies.” But the effort used to do this is revealing. In one particular incident, Mandiant says, “All told, the SEA sent thousands of phishing emails to a large number of employees over the span of three hours. Despite having a success rate of only 0.04%, the phishing emails still allowed the SEA to harvest the credentials necessary to access the targeted resources. Within two hours of the first phishing email, the SEA obtained credentials for the news agency’s main website.”

The next section, Iran-based Activity, is particularly interesting since it gives clues on whether the Mandiant leopard has changed its spots. Mandiant had been called in to investigate a suspected breach at a state government office. Its investigation led it to believe that the attackers were probably Iran-based and not particularly competent.

Mandiant’s observations of suspected Iranian actors have not provided any indication that they possess the range of tools or capabilities that are hallmarks of a capable, full-scope cyber actor. They rely on publicly available tools and capitalize solely on Web-based vulnerabilities — constraints that suggest these cyber actors have relatively limited capabilities.

I put it to Jason that this is exactly how I would behave if I were a third-party agency, perhaps beginning with N or G, who for political purposes wished firstly to be discovered, and secondly to implicate Iran. “Absolutely,” he replied. “That’s why we have said ‘suspected’ Iranian involvement.” When you read this section you get the overwhelming feeling that Mandiant is accusing Iran – but when you examine the content you find the word ‘suspected’ repeated eight times (out of a total of nine throughout the whole document) at strategic points. It is, one might almost say, a suspected semantic insertion after the event.

If this sounds like a paranoid conspiracy theory, I would briefly refer you back to the very first page of the report. It says, “With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.” You cannot have a diplomatic solution to criminal activity. I suspect, then, that this report was always, or at least originally, intended to highlight the type of state-sponsored activity that could be swayed by diplomacy. If this is the case, a primary purpose of the report was to accuse Iran of state-sponsored cyberwar – and the leopard has not yet changed its spots.

This conclusion is possibly confirmed by the final section of the report, which is an analysis of the period since Mandiant’s APT1 report last year. It starts with that ninth use of the word ‘suspected’: “January 2013 marked the first large-scale public disclosure that an advanced persistent threat (APT) group with suspected ties to the People’s Republic of China (PRC) had compromised a key U.S. media company: The New York Times.” The rest of the section, however, amounts to a renewal of the original accusations and a robust defence of Mandiant’s conclusions.

Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.

My reading of this report is that Mandiant still wishes to name and shame political opponents of the United States; but that it is being reined in somewhat by FireEye proof readers. If this is the case, I wish FireEye all success in doing so. Mandiant’s technical expertise is overshadowed by doubts over its political desires, and that is a huge shame. The information that Mandiant is otherwise able to give security defenders is too valuable and useful to be lost to such concerns. The fourth section (on financial attacks, not covered above), for example, includes the warning that average criminals are mass compromising systems, and then selling on the cherries to more advanced and organized gangs who take over the initial entry point with more sophisticated and stealthy malware intent on long-term compromise and data exfiltration. Such insights will only serve to improve industry’s overall security stance by helping to formulate and guide more effective defensive policies.

The Heartbleed bug and SSL implementations

April 9, 2014

Like the tree falling in the forest, we simply do not know if the Heartbleed bug was ever exploited. The problem is that exploiting it makes no sound.

The Heartbleed bug (CVE-2014-0160) is a missing bounds check in OpenSSL’s implementation of the TLS Heartbeat extension (RFC 6520). A peer sends a heartbeat request carrying a tiny payload but a length field claiming a much larger one; the vulnerable code copies the claimed length back into its response, so each request returns up to 64KB of whatever happens to sit next in the server’s (or client’s) process memory. That memory can include the private key, session cookies, user credentials (ID and password) and message content, all in plaintext, because it was lifted from the endpoint rather than from the wire. Exploitation leaves nothing in normal logs, and the bug shipped in OpenSSL 1.0.1 in March 2012, so it could have been abused by anyone at any time in the two years since.
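To make the mechanism concrete, here is an added example written for this page; it is not code from the original post and not OpenSSL’s code. It is a cut-down C model of a heartbeat responder with the missing length check beside the fix. The record, the “process memory” around it and the secret string it contains are constructed for the demonstration so that the over-read is deterministic and stays inside allocated memory; in a real server it reads whatever follows the record on the heap.

```c
/* Added example (not from the post or from OpenSSL): a model of the TLS
 * Heartbeat (RFC 6520) request handler, with the missing bounds check that
 * caused Heartbleed beside the corrected check. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Answer one heartbeat request.
 *   rec, rec_len : the message as received (type, 2-byte length, payload, padding)
 *   out, cap     : buffer for the response
 *   checked      : 0 trusts the length field (the Heartbleed bug), 1 verifies it (the fix)
 * Returns the number of response bytes written, or -1 if the request is dropped. */
static long heartbeat_respond(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t cap, int checked)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */

    /* The fix in OpenSSL 1.0.1g amounts to this one test: the claimed payload,
     * plus header and minimum padding, must fit in the bytes actually received. */
    if (checked && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    if (3 + payload_len + HB_PADDING > cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    /* Without the check this copies payload_len bytes from wherever the short
     * record sits in memory: the over-read that leaks keys and passwords. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* padding: zero here, random in TLS */
    return (long)(3 + payload_len + HB_PADDING);
}

#define REC_LEN 20   /* 1 type + 2 length + 1 real payload byte + 16 padding */

/* Constructed "process memory": a 20-byte heartbeat record whose length field
 * claims 40 bytes of payload, followed by data the peer must never see. */
static size_t build_fake_memory(uint8_t *mem, size_t n)
{
    static const uint8_t record[REC_LEN] = { HB_REQUEST, 0x00, 0x28, 'A' }; /* rest zero */
    static const char secret[] = "password=hunter2 session=deadbeef";     /* constructed */
    memset(mem, 0, n);
    memcpy(mem, record, REC_LEN);
    memcpy(mem + REC_LEN, secret, sizeof secret - 1);
    return REC_LEN;
}

/* Run the constructed request through the handler; returns response length or -1. */
long run_heartbeat(int checked, uint8_t *out, size_t cap)
{
    uint8_t mem[64];
    size_t rec_len = build_fake_memory(mem, sizeof mem);
    return heartbeat_respond(mem, rec_len, out, cap, checked);
}

/* Response length for the vulnerable (0) or fixed (1) handler. */
long response_length(int checked)
{
    uint8_t out[128];
    return run_heartbeat(checked, out, sizeof out);
}

/* 1 if the unchecked handler's response carries the secret, else 0. */
int leaks_secret(void)
{
    uint8_t out[128];
    long n = run_heartbeat(0, out, sizeof out);
    if (n < 0) return 0;
    const char *needle = "hunter2";
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= (size_t)n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unchecked: %ld response bytes, secret leaked: %s\n",
           response_length(0), leaks_secret() ? "yes" : "no");
    printf("checked:   %ld (request dropped)\n", response_length(1));
    return 0;
}
```

The unchecked handler answers a 20-byte record with 59 bytes, 23 of which were never part of the request; the checked handler drops it and, as in the real fix, says nothing to the peer. Nothing about the exchange is malformed at the TLS record layer, which is why ordinary logging sees nothing.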

This potential problem is huge. “Just one application that uses OpenSSL, Apache, is used to run 346 million public websites or about 47 percent of the Internet today” explains Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi. “And the problem is even larger since this doesn’t include the tens of millions of behind-the-firewall applications, devices and appliances that run Apache and use OpenSSL.”

OpenSSL 1.0.1g, released on 7 April, fixes the bug, and vulnerable servers are hopefully being updated. Private keys and certificates that may have been exposed are being reissued, and all should be well soon. But will it?

Once a server’s private key is known, any recorded session that used RSA key exchange can be decrypted, because in that mode the client encrypts the session’s premaster secret directly to that key. So if an attacker has been sniffing and storing traffic, and has at any time obtained the key, the stored sessions can be read. The exception is sessions negotiated with forward secrecy, i.e. the (EC)DHE cipher suites, where a fresh ephemeral key agreement protects each session and the long-term key only signs the handshake. Forward secrecy is only now becoming common, for precisely this concern.
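The practical check is whether the cipher suites a server offers actually use an ephemeral exchange. As an added example (not from the post), here is a small classifier that reads a suite’s key exchange from its OpenSSL- or IANA-style name. The name-matching rules are a heuristic of mine, and the cipher list in the demo is constructed input.

```c
/* Added example (not from the post): classify TLS cipher suites by key exchange
 * to tell whether a leaked long-term server key exposes recorded sessions. */
#include <stdio.h>
#include <string.h>

/* Key-exchange classes, from the point of view of a leaked long-term key. */
enum kx {
    KX_RSA,        /* RSA key transport, or any suite with no DH at all: key decrypts everything */
    KX_STATIC_DH,  /* static (EC)DH: the fixed DH private key decrypts every session */
    KX_ANON,       /* anonymous (EC)DH: ephemeral, but unauthenticated, so trivially intercepted */
    KX_EPHEMERAL   /* (EC)DHE: fresh key agreement per session; the long-term key only signs */
};

/* Heuristic classification from the suite name alone (OpenSSL or IANA spelling). */
enum kx classify_suite(const char *s)
{
    if (strstr(s, "anon") || !strncmp(s, "ADH-", 4) || !strncmp(s, "AECDH-", 6))
        return KX_ANON;
    if (strstr(s, "DHE"))          /* DHE-, ECDHE-, TLS_DHE_, TLS_ECDHE_ */
        return KX_EPHEMERAL;
    if (strstr(s, "DH"))           /* what is left: DH-, ECDH-, TLS_DH_, TLS_ECDH_ */
        return KX_STATIC_DH;
    return KX_RSA;                 /* AES128-SHA, TLS_RSA_WITH_..., plain PSK */
}

/* 1 if a later compromise of the server's private key does NOT expose recorded sessions. */
int forward_secret(const char *s)
{
    return classify_suite(s) == KX_EPHEMERAL;
}

/* How many suites in a configured list would let a leaked key decrypt stored traffic. */
int count_without_fs(const char *const *suites, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (!forward_secret(suites[i]))
            bad++;
    return bad;
}

/* Constructed cipher list mixing OpenSSL and IANA names. */
static const char *const demo_suites[] = {
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "ECDH-RSA-AES128-SHA",
    "ADH-AES128-SHA",
};
#define DEMO_N ((int)(sizeof demo_suites / sizeof demo_suites[0]))

int demo_count_without_fs(void)
{
    return count_without_fs(demo_suites, DEMO_N);
}

int main(void)
{
    static const char *const label[] = {
        "RSA / no DH", "static DH", "anonymous DH", "ephemeral DH (forward secret)"
    };
    for (int i = 0; i < DEMO_N; i++)
        printf("%-36s %s\n", demo_suites[i], label[classify_suite(demo_suites[i])]);
    printf("%d of %d suites lack forward secrecy\n", demo_count_without_fs(), DEMO_N);
    return 0;
}
```

Anonymous suites are ephemeral too, but with no authentication an active attacker simply sits in the middle, so they are not counted as forward secret here. For a real configuration, `openssl ciphers -v '<your list>'` prints the same information in its Kx column.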

The elephant, of course, is the NSA and GCHQ (and to a lesser extent probably every other national intelligence agency in the world). On the plus side, there is no indication in the Snowden files released so far to suggest that the NSA knew about or used this bug. The downside is that unless they wrote about it, we would probably never know.

Meanwhile, researchers have been trying to discover which services use vulnerable versions of OpenSSL and have put their users at risk. Filippo Valsorda produced a test site to check whether particular sites are vulnerable. “Very quickly, it became clear that popular sites like Google, Facebook, Twitter, Dropbox, were not affected, but other sites (for instance, dating site OKCupid, Imgur, Flickr, Stackoverflow and Eventbrite) were at risk,” commented Graham Cluley this morning.

More worrying, however, is that Yahoo was affected (although it has been fixed now). The problem with Yahoo is that we know that GCHQ had been intercepting and storing Yahoo traffic.

Qualys has also added Heartbleed detection to its SSL Labs test site. The advantage of this site is that it provides a detailed analysis of a website’s overall SSL/TLS configuration. The two graphics below summarise the results for Yahoo (after fixing Heartbleed: grade A) and for a site operated by a major security company (which really should do better: grade F).

[Qualys SSL Labs summary: Yahoo, grade A]

[Qualys SSL Labs summary: site operated by a major security company, grade F]

Although Yahoo has now fixed the Heartbleed bug, Yahoo users should all consider changing their passwords, just in case. The order matters, though: change a password only once the site has both patched and reissued its certificate, otherwise the new password can be lifted in exactly the same way as the old one.