Some nasty malware with a decade of history behind it has been uncovered and it has the fingerprints of two governments all over it.
Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.
Behind the malware — which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages — lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom’s subversion by this malware — comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) — led to the breach of EU offices.
Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn’t. Belgacom’s infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.
Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.
What’s currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.
Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
The blessed government is attempting to bring us the “Snoopers Charter” part 2, in the guise of “IP Matching” laws. Here we go again.
What next… I know – let’s ban Server 2012? And heaven help VMWare… they’re definitely on the extremists watch list.
DHCP is clear evidence of extremism.. anyone that doesn’t have a static IP definitely has something to hide.
Google’s “encryption everywhere” claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.
The move described as ‘privacy seppuku’ by Forbes (@al4) meant that BT customer searches were broadcast in clear text and possibly open to interception.
Google engineer and security bod Adam Langley in a forum comment confirmed the SSL strip and said it would be removed ‘soon’.
“At the moment, yes, no nosslsearch VIP will do this. However we’re getting rid of it soon and replacing it with one that enables SafeSearch, but still over HTTPS,” Langley said.
“However, if you want an encrypted search option, ‘https://encrypted.google.com’ is always encrypted and isn’t affected by these methods.”
Google and BT have been contacted for comment.
Forbes speculated in a blog detailing the SSL strip that BT may have removed the security measure to facilitate content filtering for kids or ‘more likely’ for data mining.
“It’s reasonable to expect that BT knows the location of every BT WiFi router within 10 to 15 metres, because it has a home address for every one of them,” Forbes said.
“… knowing what is searched by location is a marketing gold mine.”
A curl request examining whether public DNS could get around the security gap demonstrated Google was redirecting users to unsecured http through a 302 found header.
“What we’re witnessing therefore, is almost certainly the result of a commercial agreement between BT and Google UK — one that exchanges the privacy of my searches for BT and Google’s commercial gain,” Forbes said.
“Duckduckgo it is then.”
Note: Use http://www.duckduckgo.com or http://www.startpage.com as your search engine, as neither will track your IP.
Take Home Message
1. Use a VPN – with OpenVPN.
2. Always consider BT or any ISP as the “enemy”.
Historically OpenVPN was designed to combat Russian & Chinese ISPs.
3. Use strong encryption – AES 256 for your symmetric cipher, along with public keys of at least 4096 bits.
4. Select your VPN provider from neutral third party information.
Use the http://www.torrentfreak.com or EFF membership (as in IVPN).
The use of a VPN is basically mandatory. If Google has the data – so does your government, council, benefits agency and divorce lawyer.
Get real – get a VPN.
Which is the safest VPN on the market? Who do I use for a VPN?
I agree that a degree in INFOSEC alongside CCNA or MSA is the only way to get a job. Employers LOVE INFOSEC qualifications, but won’t hire you unless you have the old tried and trusted CCNA or MCSE, MCSD. Certifications are the key ingredient. I’ve seen PhDs in INFOSEC who are unemployable… give those same PhDs a CCNA and they’ve got 10 jobs. The combination is unstoppable. All Universities should make year 1 and year 2 students sit their CCNA exams as part of the course.
Originally posted on XeroCrypt Blog:
The KPMG’s survey and the Wall Street Journal’s coverage of it needed a response, beyond my slightly facetious reply to the latter’s Twitter operative.
Now, I’ve done quite a lot to distinguish myself over the past several years, worked on a few things here and there, been in some interesting places, and I’m still (roughly) in the same position as most computer/INFOSEC security graduates. I’ve also done a bit to mentor (God knows how many) people attempting to learn every tool and technique under the sun, in their attempts to tick all the right boxes, without much success, for some entry-level position. When it comes to the ‘skills shortage’, the media’s evidently reporting things wrong, and I think most of us (myself included) have completely misunderstood the way things work.
So the idea being promoted that firms are more likely to hire people convicted of hacking-related crimes in order to…
Applications often dial home to their mothership – but how do we detect this? It’s quite easy, but often we need to know the application that’s dialing home, so that we can prevent the data leak.
Step 1 – Admin CMD
Start > Accessories > Command prompt > right click > run as Administrator
Step 2 – Netstat to find connections
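This netstat command saves the connections to a text file called “activity.txt”: -a lists all connections and listening ports, -b shows the executable that owns each one (which is why the prompt must be run as Administrator), -f shows full domain names for remote addresses, and 5 repeats the listing every 5 seconds.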
netstat -abf 5 > activity.txt
Leave this for 2-3 minutes, then press Ctrl+C – to cancel the logging.
Step 3 – Open activity.txt
Here we can see Firefox and IVPN connections.
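Reading activity.txt by eye gets tedious once several 5-second snapshots have piled up. The script below is an added example, not part of the original post: it groups the ESTABLISHED connections in that file by owning executable and counts how many snapshots each remote host appeared in. The sample text, its host names and vendorapp.exe are constructed placeholders; point the function at the contents of your own activity.txt.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -abf 5` writes; every host is a placeholder.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            DESKTOP:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49712     updates.example.net:https  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.20:49730     telemetry.example.com:https  ESTABLISHED
 [vendorapp.exe]
  TCP    192.168.1.20:49731     10.0.0.5:microsoft-ds  ESTABLISHED
 Can not obtain ownership information

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49730     telemetry.example.com:https  ESTABLISHED
 [vendorapp.exe]
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def outbound_by_process(text):
    """Return {executable: {remote endpoint: snapshots seen}} for ESTABLISHED connections."""
    seen = defaultdict(lambda: defaultdict(int))
    pending = None  # remote endpoint still waiting for its owner line
    for line in text.splitlines() + [""]:
        conn, owner = CONN.match(line), OWNER.match(line)
        if owner and pending:
            seen[owner.group(1).lower()][pending] += 1
            pending = None
        elif pending and (conn or not line.strip()):
            # Next connection or blank line arrived first: netstat could not name the owner.
            seen["<unknown>"][pending] += 1
            pending = None
        if conn:
            pending = conn.group(3) if conn.group(4) == "ESTABLISHED" else None
    return {exe: dict(remotes) for exe, remotes in seen.items()}

if __name__ == "__main__":
    for exe, remotes in sorted(outbound_by_process(SAMPLE).items()):
        for remote, count in sorted(remotes.items()):
            print(f"{exe:15} {remote:35} seen in {count} snapshot(s)")
```

An executable that keeps the same remote host across every snapshot is the one to look at first when deciding what to block at the firewall.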
Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.
Professor Sambuddho Chakravarty, a former researcher at Columbia University’s Network Security Lab and now researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology in Delhi, has co-published a series of papers over the last six years outlining the attack vector, and claims a 100% ‘decloaking’ success rate under laboratory conditions, and 81.4% in the actual wilds of the Tor network.
Chakravarty’s technique [PDF] involves introducing disturbances in the highly-regulated environs of Onion Router protocols using a modified public Tor server running on Linux – hosted at the time at Columbia University. His work on large-scale traffic analysis attacks in the Tor environment has convinced him that a well-resourced organisation could achieve an extremely high capacity to de-anonymise Tor traffic on an ad hoc basis – but also that one would not necessarily need the resources of a nation state to do so, stating that a single AS (Autonomous System) could monitor more than 39% of randomly-generated Tor circuits.
Chakravarty says: “…it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non-global adversary could use traffic analysis methods […] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.”
Take Home Message
* TOR is being targeted by state actors.
* You really should be using a VPN, even if you don’t know why… a VPN is as critical as your Internet Connection.
* Combine several privacy tools… the EU actively supports PETS (Privacy Enhancing Technology) – use as many as you can – start with your search engine, for this use http://www.startpage.com.
* Look for military grade encryption from your VPN.
Check out IVPN – EFF members
On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records
This was done by using a special button sequence and some knowledge. They supposedly made the ATMs believe that they were distributing 1 dollar bills instead of the 20 dollar bills that were actually dispensed by the cash trays. Thus a withdrawal of 20$ made the machine dispense 400$ in cash, giving a profit of 380$, as the first 20$ was withdrawn from their own bank accounts using their own ATM cards.
As charged, the stunt is an unusually successful example of a low quality ATM hack used for minor theft in the past. It shows vulnerabilities in the ATMs made by Tranax Technologies and Triton, which were showcased in a legendary ATM jackpotting demonstration delivered at the Black Hat conference in 2010 by security researcher Barnaby Jack.
Criminals at the street level have found another weakness in the machines which requires no software or gear. These machines (kiosk ATMs) can be placed into an operator mode by simply pressing a sequence of buttons on the keypad. From this mode a number of variables can be manipulated, such as the number of bills loaded in the machine’s currency cartridges. This mode is secured by a secret six-digit code which one of the defendants, Fattah, already knew, as he used to work for a company that operated the machines.
In 2005 it was discovered that the factory-set master passcodes of the machines were printed inside the service manuals, which were available online. These manuals advised users to change the passcode on first use, but many small business owners never made the change. This led to the unique phenomenon of having this kind of ATM hack as a street crime. The scheme went viral in 2006 when a man was looting an ATM at a Virginia gas station and was caught on surveillance camera video.
After that, Triton and Tranax made changes in the programming of the machines which forced the user to change the passcode on first use. Machines that were already in use were still vulnerable, and reports of new crimes came in repeatedly. In 2007 a convenience store in Pennsylvania was hit for 1,540$ by an unidentified man in shorts. In 2008 the Lobo’s City Mex in Lincoln was hit for 1400$ by two 21 year old men in three different visits, but they were caught on the 4th. In 2010 a man who worked in a grocery store was turned in to the FBI by a coworker as he was planning to loot 30 different ATMs while wearing a wig, and he was sentenced to 37 months in jail.
Take away message:
Cambridge University (Ross Anderson) has openly and vocally criticised the lack of banking security.
DO NOT use “CONTACTLESS” payment cards…
The bank’s response to Ross Anderson was simply to threaten him for exposing their poor security. It’s like a Monty Python script.
Visa’s contactless credit cards are at risk of attack due to a flaw that means they will process unlimited cash transactions without asking for a PIN.
Experts from Newcastle University discovered that if the money is requested in a foreign currency, the cards will approve transactions of up to 999,999.99 in any of these currencies.
This sidesteps the current £20 contactless limit imposed on the technology – and transactions can be carried out even if the card is still in the victim’s pocket or bag.
Presenting their research at the CCS 2014 academic conference in Arizona, the Newcastle team said this flaw could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems.
‘With just a mobile phone we created a POS terminal that could read a card through a wallet,’ explained Martin Emms, lead researcher on the project.
HOW CONTACTLESS CARDS WORK
Contactless debit or credit cards let people pay for items worth up to £20 without entering their PIN.
The cards feature a small chip that emits radio waves.
To pay for something, users hold the card within a few centimetres of a payment terminal, which then picks up the signal and processes the transaction.
Although contactless transactions don’t ask for a PIN, card issuers limit how many contactless transactions can be made before the PIN is requested, to prevent fraudulent activity.
‘All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions.
‘By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction.
‘In our tests, it took less than a second for the transaction to be approved.’
The researchers continued that they have not yet tested the back end of the system, and stressed it is likely banks will use security systems to prevent this kind of fraud.
‘Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to … fraud by criminals who are constantly looking for ways to breach the system,’ Mr Emms said.
‘The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative.
‘All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.’
I didn’t know it at the time, but I had just been contacted by Edward Snowden, the National Security Agency contractor who was then preparing a momentous leak of government data.
A month earlier, Snowden had anonymously emailed Glenn Greenwald, a Guardian journalist and chronicler of war-on-terror excesses, but Greenwald didn’t use encryption and didn’t have the time to get up to speed, so Snowden moved on. As is now well known, Snowden decided to contact Poitras because she used encryption. But he didn’t have her encryption key, as is necessary to send someone encrypted email, and the key wasn’t posted on the web. Snowden, extraordinarily knowledgeable about how internet traffic is monitored, didn’t want to send her an unencrypted email, even if just to ask for her key. So he needed to find someone he thought he could trust who both had her key and used encrypted email.
That was me.
Tails, the secure system Poitras asked me to get for Greenwald, is serious business. It’s a hardened operating system designed for people who need to be anonymous, and not a lot of people use it. The acronym stands for The Amnesic Incognito Live System. Before Poitras asked me to teach it to Greenwald, I had never used it. Crucially, everything you do in Tails is anonymous. All internet activity is routed through Tor, so by default your privacy is protected. And you run Tails directly off of a DVD or a USB stick — it is not installed on your hard drive. Since Tails operates completely independently from your hard drive and usual operating system, it offers a hefty dose of protection from malware and from anyone who might inspect your computer to look at what you’ve been doing.
It’s also a free software project, just like Tor, GPG, and OTR. That means the code is open source and can be peer reviewed, a level of transparency that makes the software resistant to backdoors, covert access points buried deep in the code.
Privacy Tools used
A Virginia Circuit Court decided this week that if the cops suspect you’ve committed a crime, then they can demand your fingerprints, but not passcodes.
Take away message:
The Critical word here is “SUSPECTED”. The Police were on a fishing trip – they didn’t know what the phone data contained (they could have obtained this from the operator if the data had been transmitted via the Telco).