Category Archives: information security

Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass

The Washington Post reports: A major flaw revealed this week in widely used encryption software has highlighted one of the enduring — and terrifying — realities of the Internet: It is inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all.

The Heartbleed bug, which security experts first publicly revealed on Monday, was a product of the online world’s makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the Internet, nearly all of those companies rely on free software — often built and maintained by volunteers — to help make those services secure.

Heartbleed, security experts say, was lodged in a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolizes online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually dealing with it consisted of fewer than a dozen encryption enthusiasts sprawled across four continents. Many have never met each other in person. Their headquarters — to the extent one exists at all — is a sprawling home office outside Frederick, Md., on the shoulders of Sugarloaf Mountain, where a single employee lives and works amid racks of servers and an industrial-grade Internet connection.

NSA infiltrated RSA security more deeply than thought

Reuters reports: Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency’s ability to eavesdrop on some Internet communications, according to a team of academic researchers.

Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw – or “back door” – that allowed the NSA to crack the encryption.

A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software’s vulnerability.

The professors found that the tool, known as the “Extended Random” extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.

The Internet is broken: SEC probes threat from cyber attacks against Wall Street

Bloomberg reports: The U.S. Securities and Exchange Commission is examining the exposure of stock exchanges, brokerages and other Wall Street firms to cyber-attacks that have been called a threat to financial stability.

The SEC held a roundtable discussion of those risks in Washington today as it weighs a proposal to require stock exchanges to protect their critical technology and tell members about breaches of important systems. More than half of exchanges surveyed globally in 2012 said they experienced a cyber-attack, while 67 percent of U.S. exchanges said a hacker tried to penetrate their systems.

Dennis Fisher writes: Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab’s Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using.

So when Raiu says he conducts his online activities under the assumption that his movements are being monitored by government hackers, it is not meant as a scare tactic. It is a simple statement of fact.

“I operate under the principle that my computer is owned by at least three governments,” Raiu said during a presentation he gave to industry analysts at the company’s analyst summit here on Thursday.

The comment drew some chuckles from the audience, but Raiu was not joking. Security experts for years have been telling users — especially enterprise users — to assume that their network or PC is compromised. The reasoning is that if you assume you’re owned then you’ll be more cautious about what you do. It’s the technical equivalent of telling a child to behave as if his mother is watching everything he does. It doesn’t always work, but it can’t hurt.

Raiu and his fellow researchers around the world are obvious targets for highly skilled attackers of all stripes. They spend their days analyzing new attack techniques and working out methods for countering them. Intelligence agencies, APT groups and cybercrime gangs all would love to know what researchers know and how they get their information. Just about every researcher has a story about being attacked or compromised at some point. It’s an occupational hazard.

But one of the things that the events of the last year have made clear is that the kind of paranoia and caution that Raiu and others who draw the attention of attackers employ as a matter of course should now be the default setting for the rest of us, as well. As researcher Claudio Guarnieri recently detailed, the Internet itself is compromised. Not this bit or that bit. The entire network.

Last year, CSIS reported: After years of guesswork and innumerable attempts to quantify the costly effects of cybercrime on the U.S. and world economies, McAfee engaged one of the world’s preeminent international policy institutions for defense and security, the Center for Strategic and International Studies (CSIS) to build an economic model and methodology to accurately estimate these losses, which can be extended worldwide. “Estimating the Cost of Cybercrime and Cyber Espionage” posits a $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of malicious cyber activity.

Hackers sell exploits for Bitcoins in underground market

Bloomberg reports: Hackers from the U.S., Russia and Ukraine hawk computer exploits for as much as $300,000 on an underground market fueled by digital currencies like Bitcoin, a report by RAND Corp. and Juniper Networks Inc. shows.

The thriving trade in software, data or commands that takes advantage of computer bugs and glitches generates billions of dollars using digital storefronts that connect sellers with buyers or where mercenaries can be hired to do the job, according to the report released today.

“Anyone with an Internet connection can get involved,” Lillian Ablon, an information systems analyst at RAND and the study’s lead author, said in a phone interview. “If you can’t do something, you can find someone else to do it for you.”

One of the first comprehensive efforts to map out how criminal hackers operate using anonymous networks, encrypted communications and digital currencies, the 83-page report comes amid warnings by U.S. government and industry officials that digital attacks are becoming more sophisticated and dangerous.

Can we trust an Internet that’s become a weapon of governments?

MIT Technology Review: Security experts have been warning for some time that computer networks are not secure from intruders. But in 2013, we learned that the mayhem has become strategic. Governments now write computer viruses. And if they can’t, they can purchase them. A half-dozen boutique R&D houses, like Italy’s Hacking Team, develop computer vulnerabilities and openly market them to government attackers.

Criminals use common computer weaknesses to infect as many machines as possible. But governments assemble large research teams and spend millions patiently pursuing narrow objectives. Costin Raiu, who investigates such “advanced persistent threats” as director of research and analysis for anti-virus company Kaspersky Lab, says he logs on to his computer assuming he is not alone. “I operate under the principle that my computer is owned by at least three governments,” he says.

That is a threat mainstream technology companies are grappling with. The U.S. government circumvented Google’s security measures and secretly collected customer data. British spies scooped up millions of webcam images from Yahoo. In December, on Microsoft’s official blog, the company’s top lawyer, Brad Smith, said he had reason to view surreptitious “government snooping” as no different from criminal malware. Microsoft, along with Google and Yahoo, has responded by greatly widening its use of encryption (see “The Year of Encryption”).

“We’re living in a very interesting time, where companies are becoming unwilling pawns in cyberwarfare,” says Menny Barzilay, a former Israeli intelligence officer now working in IT security for the Bank Hapoalim Group, in Tel Aviv. In this new context, nobody can say where the responsibilities of a company may end and those of a nation might begin. Should a commercial bank be expected to expend resources to defend itself when its attacker is a country? “This is not a ‘maybe’ situation. This is happening right now,” says Barzilay. “And this is just the beginning.”

How Target stood by as 40 million credit card numbers were stolen

Bloomberg Businessweek reports: The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment — when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe — the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.

It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.

On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers — first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia — FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …

Nothing happened.

For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers — and 70 million addresses, phone numbers, and other pieces of personal information — gushed out of its mainframes.

‘What does ISP mean?’ — how government officials are flunking security challenges

The Guardian reports: One of the world’s leading cyberwarfare experts has warned of the damaging lack of government literacy in cybersecurity issues, pointing out that some senior officials don’t know how to use email, and that one US representative about to negotiate cybersecurity with China asked him what an “ISP” was.

Speaking at the SXSW festival, Dr Peter W Singer, director of the Center for 21st Century Security & Intelligence, cited a 2014 poll by the Pew research institute that found Americans are more afraid of cyberattack than attack by Iran or North Korea, climate change, the rise of China or authoritarian Russia.

Sketching out the scale of technology in our lives, Singer said that 40 trillion emails are sent a year, that 30 trillion websites now exist and that 9 new pieces of malware are discovered every second. He claimed that 97% of Fortune 500 companies have admitted they’ve been hacked – the other 3% just aren’t ready to admit it yet.

The consequent rise in cybercrime and state-sponsored attacks has not gone unnoticed. 100 nations now have cyber command, and the Pentagon’s own briefings, which contained the word ‘cyber’ 12 times during 2012, have already mentioned it 147 times so far this year.

Yet former head of US homeland security Janet Napolitano once told Singer: “Don’t laugh, but I just don’t use email at all,” Singer recalled. “It wasn’t a fear of privacy or security – it’s because she just didn’t think it was useful. A supreme court justice also told me ‘I haven’t got round to email yet’ – and this is someone who will get to vote on everything from net neutrality to the NSA negotiations.”

Snowden told me the NSA set fire to the web. Silicon Valley needs to put it out

Christopher Soghoian writes: “You are the firefighters,” National Security Agency whistleblower Edward Snowden told a tech savvy audience here yesterday, during my conversation with him at the SXSW festival. “The people in Austin are the ones who can protect our rights through technical standards.”

Ed’s comments were a call to arms for the tech community to protect its users from indiscriminate mass surveillance by the NSA and the insecurity it creates. Despite the talk from Washington DC regarding cybersecurity threats – and you’ll hear more of it today during a confirmation hearing for the would-be next head of the NSA – it is now clear that the NSA’s mass surveillance efforts are not meant for good. Whether it’s systematically undermining global encryption standards, hacking communications companies’ servers and data links or exploiting so-called zero-day vulnerabilities, the nation’s cyberspies are focused on attacking online privacy and weakening the security of systems that we all trust.

Forget all the government rhetoric on cybersecurity: the NSA simply isn’t here to make the Internet more secure. But that doesn’t mean the agency has to win. The global tech community can fight back, if developers ramp up efforts to build privacy and security into their products. By zeroing in on practical steps Ed and I discussed in our conversation here, we can build a more open, free and secure Internet.

Experian lapse allowed ID theft service access to 200 million consumer records

Brian Krebs reports: In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.

But according to prosecutors, Ngo had already struck deals with one of the world’s biggest data brokers: Experian. Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans.

Watch: Edward Snowden at SXSW (via planet Mars)

The Guardian reports: Encryption tools must be simplified and made accessible for the mainstream, Pulitzer-winning journalist Barton Gellman said on Monday, calling on the tech industry to have the courage and ingenuity to help address the disparity of power between the people and their government.

Addressing the SXSW festival shortly before Edward Snowden’s live speech by video, Gellman said we are a long way off simple, transparent encryption tools. He cited Pew research which found that 88% of Americans say they have taken steps to protect their privacy in some form.

“With all the user interface brains out there we could get easier tools,” he said. “But it’s not just the ability to encrypt, it’s a frame of mind, a workflow and a discipline that is alien to most people, and that is the opposite to the open nature of the consumer internet. You could use Tor to access a site a hundred times, but the 101st time you forget, you may as well not have used Tor.”

“There are people at this conference who have taken very considerable risk to protect the privacy of their customers and have put themselves at the edge of the door to jail and it will take courage as well as ingenuity to change the way things work.”

Note: The audio quality of Snowden’s feed renders him virtually unintelligible, but Christopher Soghoian, the American Civil Liberties Union’s principal technologist, comes through loud and clear.

Hacking Team’s foreign espionage infrastructure located in U.S.

Threat Post reports: Milan-based Hacking Team relies on servers in the United States and hosted by American companies to support its clients’ state-sponsored surveillance operations in some of the world’s most repressive regimes.

Hacking Team is an Italian security firm that develops surveillance equipment and sells it to foreign governments that allegedly turn around and use that equipment to spy on various targets. According to a new report from the University of Toronto’s Citizen Lab, in at least 12 cases, U.S.-based data centers contain servers that have some nexus in the infrastructure of foreign espionage.

The specific tool sold by Hacking Team is known as Remote Control System (RCS). According to the report, RCS has the capacity to spy on Skype conversations, email communications, and instant messaging services in addition to siphoning off passwords and local computer files.