NSA’s ANT Division – Catalogue of Exploits

http://leaksource.info/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

The ANT division doesn’t just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

****

Persistence is achieved via the BIOS

Cryptoparty – Protect Your Online Privacy in the Age of Mass Surveillance

http://www.meetup.com/ORG-Cardiff/events/177249972/

Cryptoparty – Cardiff

At the Cryptoparty, you can learn how to browse the internet anonymously, encrypt your emails and chat securely. Tech facilitators will explain how surveillance works and how we all can protect ourselves. They will teach useful tools such as TOR, PGP and OTR. If you bring your laptop, you will be able to install and learn these tools step by step.

Cryptoparties are open to everyone, from complete beginners to technical experts. They provide practical tips to activists, lawyers, journalists, doctors, social media users and occasional email and internet users to understand how to protect their documents, emails and passwords from
being accessed.

War Games: Russian SU-24 versus USS Donald Cook

Russian Jamming Technology

The USS Donald Cook entered the Black Sea – which is Russian… this time it backfired – and spectacularly.

In response, Russia sent an unarmed bomber Su- 24 to fly around the U.S. destroyer. However, experts say that this plane was equipped with the latest Russian electronic warfare complex. According to this version, “Aegis” spotted from afar the approaching aircraft, and sounded alarm. Everything went normally, American radars calculated the speed of the approaching target. And suddenly all the screens went blank. “Aegis” was not working any more, and the rockets could not get target information. Meanwhile, Su-24 flew over the deck of the destroyer, did battle turn and simulated missile attack on the target. Then it turned and repeated the maneuver. And did so 12 times.

Apparently, all efforts to revive the “Aegis” and provide target information for the defence failed. Russia’s reaction to military pressure from the United States was profoundly calm, feels the Russian political scientist Pavel Zolotarev:

The demonstration was original enough. A bomber without any weapons, but having onboard equipment for jamming enemy radar, worked against a destroyer equipped with “Aegis”, the most modern system of air and missile defence. But this system of mobile location, in this case the ship, has a significant drawback. That is, the target tracking capabilities. They work well when there is a number of these ships which can coordinate with each other somehow. In this case there was just one destroyer. And, apparently, the algorithm of the radar in the “Aegis” system on the destroyer did not load under the influence of jamming by the Su-24. It was therefore not only a nervous reaction to the fact of flying around by the Russin bomber which was common practice during the Cold War. The reaction of the Americans was due to the fact that most modern system, especially its informative or radar part, did not work adequately. Therefore, there was such a nervous reaction to the whole episode.

After the incident, the foreign media reported that “Donald Cook” was rushed into a port in Romania. There all the 27 members of the crew filed a letter of resignation. It seems that all 27 people have written that they are not going to risk their lives. This is indirectly confirmed by the Pentagon statement according to which the action demoralized the crew of the American ship.
Read more: http://indian.ruvr.ru/2014_04_21/Russian-Su-24-scores-off-against-the-American-USS-Donald-Cook-5786/

 

Russians want respect, they’re awesome propulsion engineers, awesome at jamming technology too.  RESPECT!

 

HACKING: Why no one wants to hack for the US government

The FBI and Pentagon plan to hire 6,000 cybersecurity professionals by 2016, but they’re having a really rough time recruiting people to work for them. There could be many reasons why – low pay, not enough American-born resources – but it all might really come down to one thing: that the US treats hackers as the worst possible criminals. So why would a hacker want to work for them?

FACEBOOK: The Untouchables: You Can’t Sue General Mills if You “Like” Their Products on Facebook

http://www.nytimes.com/2014/04/17/business/when-liking-a-brand-online-voids-the-right-to-sue.html?_r=1

General Mills, the maker of cereals like Cheerios and Chex as well as brands like Bisquick and Betty Crocker, has quietly added language to its website to alert consumers that they give up their right to sue the company if they download coupons, “join” it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways.

If you “like” one of their products on Facebook or download coupons from them, their new terms of use state that you can no longer take them to court for any reason. Here is the new clause, straight from the horses…ahem…mouth.

General Mills, the maker of cereals like Cheerios and Chex as well as brands like Bisquick and Betty Crocker, has quietly added language to its website to alert consumers that they give up their right to sue the company if they download coupons, “join” it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways.

Instead, anyone who has received anything that could be construed as a benefit and who then has a dispute with the company over its products will have to use informal negotiation via email or go through arbitration to seek relief, according to the new terms posted on its site. (source)

 

http://www.nutritionalanarchy.com/2014/04/18/the-untouchables-you-cant-sue-general-mills-if-you-like-their-products-on-facebook/

Might downloading a 50-cent coupon for Cheerios cost you legal rights?

If so, I hope you didn’t “like” them on Facebook.

General Mills has taken “CYA” (Cover Your A**) to an entirely new level.

This is morally and legally wrong.

BRUTEFORCE HACKING – Bruteforce Calculator – A Visual Guide

http://calc.opensecurityresearch.com/

Wonder why hackers use dictionaries that are precompiled?

Select the password length (8 or 10 characters)

 

Select the hashing algorithm, MD5, SHA1, Kerberos.

Select if number or a mix of alpha numeric.

The calculator will tell you how many days or years  it would take to brute force.

****

If you are going to compile your own wordlist, use small data sets, compile 8 characters, then compile a file for 9 characters.

It is feasible to crack a password of 8 characters, it probably isn’t feasible to crack a password of 18 characters.

Use Graphics cards rather than your CPU for cracking.  GPU’s are much faster.

What to do next…

KALI – How to crack passwords using Hashcat – The Visual Guide

https://uwnthesis.wordpress.com/2013/08/07/kali-how-to-crack-passwords-using-hashcat/

Claim: “The NSA is Out of Control!”

Published on Apr 16, 2014

Back in early September, 2013, Matthew Green, a computer science professor in cryptography at JHU, tweeted on his blog that the NSA was engaged in efforts “to break encryption” on private servers and was doing so on a big scale. His post was flagged and Green was told by the school to remove the post. Later, the school’s decision to impose its heavy-handed censorship measure was reversed.

On Tuesday evening, April 15, 2014, on the campus of Johns Hopkins U., a public forum featuring three panel members was held to discuss the above matter and the issue of “collaboration” between the NSA & JHU, and other universities. The event was sponsored by the students’ “Human Rights Working Group” and the “New Political Society.” The first speaker was Christopher Soghoain, a representative of the ACLU. Mr. Soghoain, a graduate of JHU, who is experienced in the field of surveillance cases, claimed: “We have an intelligence agency [NSA] that is out of control! This is an agency that is collecting information about law-abiding Americans who’ve done nothing wrong…” Professor Green recounted his JHU-related blog/censorship experience from last year. He also underscored his concern that the “NSA has been inside ‘Google’s Data Centers’ collecting data.” An attorney and expert on Constitutional Law, Shahid Buttar, was the third panel member. He is the Exec. Dir. of the “Bill of Rights Defense Committee.” Buttar traced the history of government-sanctioned spying and warned that the NSA’s egregious conduct has currently reached Orwellian proportions and is a serious threat to “Freedom of Thought!”

 

Tax dodgers beware: Taxman could be watching your social media

http://www.cnet.com/news/tax-dodgers-beware-irs-could-be-watching-your-social-media/

The IRS is said to be data mining Facebook, Instagram, Twitter, and other sites for info that could come handy in audits.

Facebook, Instagram, and Twitter have all become places where people post intimate details about their lives: vacation photos, work successes, buying a new house, car, or other cool stuff.  However, this information is also up for grabs by the Internal Revenue Service.

In its quest to find and audit tax dodgers, the IRS is said to use online activity trackers to sift through the mass amounts of data available on the Internet, according to Marketplace. This data is then added to the information the agency already has on people, such as Social Security numbers, health records, banking statements, and property.

“It seems they may be using predictive analytics,” University of Pennsylvania’s Annenberg School of Communication Professor Joseph Turow told Marketplace. “That takes a huge amount of data and puts it together in a big pot to see if they can predict which individuals don’t pay their taxes.”

Last year, it was revealed that the IRS was claiming the right to read taxpayers’ email and private information on social media accounts without first getting a search warrant. After a brouhaha from civil liberties groups, citizens, and lawmakers, the IRS announced the no-warrant-required policy would be ditched for email, but it did not make the same commitment for other private electronic communications.

ANDROID – Heartbleed makes 50m Android phones vulnerable, data shows

http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows

Devices running Android 4.1.1 could be exploited by ‘reverse Heartbleed’ to yield user data – including 4m in US alone

At least 4m Android smartphones in the US, and tens of millions worldwide, could be exploited by a version of the “Heartbleed” security flaw, data provided to the Guardian shows.

Worldwide, the figure could be 50m devices, based on Google’s own announcement that any device running a specific variant of its “Jelly Bean” software – Android 4.1.1, released in July 2012 – is vulnerable.

The figure, calculated using data provided exclusively by the analytics firm Chitika, is the first time an accurate estimate has been put on the number of vulnerable devices. Other estimates have suggested it is hundreds of millions, based on the number of devices running versions of Android 4.1. But most of those run 4.1.2, which is not at risk.

Google has not disclosed how many devices are vulnerable, although it has indicated that the figure is “less than 10%” of devices activated worldwide.

But that could be a huge number, given that Google has activated 900m Android devices worldwide. There are also hundreds of millions of handsets in China running Android without Google services, which would not show up on its systems, and which are also likely to be running vulnerable versions.

The figure on the number of vulnerable devices comes from an analysis for the Guardian by the ad network Chitika of US network traffic. Looking at web traffic for the seven-day period between 7 April and 13 April, “Android 4.1.1 users generated 19% of total North American Android 4.1 Web traffic, with users of version 4.1.2 generating an 81% share. Web traffic from devices running Android 4.1.0 made up less than 0.1% of the Android 4.1 total observed, so we did not include for the purposes of clarity,” said Andrew Waber, a Chitika representative.

Based on Comscore data which suggests there are 85m Android smartphones in use in the US, that means that there are at least 4m handsets which are vulnerable.

The devices would be vulnerable to a hack described as “reverse Heartbleed” – where a malicious server would be able to exploit the flaw in OpenSSL to grab data from the phone’s browser, which could include information about part sessions and logins.

The NSA’s Heartbleed problem is the problem with the NSA – Guardian

http://www.theguardian.com/commentisfree/2014/apr/12/the-nsas-heartbleed-problem-is-the-problem-with-the-nsa

What the agency’s denial isn’t telling you: it didn’t even need know about the bug to vacuum your privacy and store it indefinitely

The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely-used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA’s two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can’t both be handled credibly by the same government agency.

In case you’ve spent the past week under a rock, Heartbleed is the name security researchers have given to a subtle but serious bug in OpenSSL, a popular version of the Transport Layer Security (TLS) protocol – successor to the earlier Secure Sockets Layer (SSL) – that safeguards Internet traffic from prying eyes. When you log in to your online banking account or webmail service, the little lock icon that appears in your browser means SSL/TLS is scrambling the data to keep aspiring eavesdroppers away from your personal information. But an update to OpenSSL rolled out over two years ago contained a bug that would allow a hacker to trick sites into leaking information – including not only user passwords, but the master encryption keys used to secure all the site’s traffic and verify that you’re actually connected to MyBank.com rather than an impostor.

It’s exactly the kind of bug you’d expect NSA to be on the lookout for, since documents leaked by Edward Snowden confirm that the agency has long been engaged in an “aggressive, multi-pronged effort to break widely used Internet encryption technologies”. In fact, that effort appears to have yielded a major breakthrough against SSL/TLS way back in 2010, two years before the Heartbleed bug was introduced – a revelation that sparked a flurry of speculation among encryption experts, who wondered what hidden flaw the agency had found in the protocol so essential to the Internet’s security.

On Friday, Bloomberg News reported that Heartbleed had indeed been added to NSA’s arsenal almost immediately after the bug appeared, citing two anonymous sources “familiar with the matter”. Within hours, the intelligence community’s issued an unusually straightforward denial, free from the weasely language intelligence officials sometimes employ to almost-but-not-quite deny allegations. As the statement pointed out, the federal government itself “relies on OpenSSL to protect the privacy of users of government websites and other online services.” If NSA had found such a serious security hole, the agency would have disclosed it, officials asserted. Moreover, the White House has recently “reinvigorated” the “Vulnerabilities Equities Process” designed to ensure that newly-discovered exploits aren’t kept secret any longer than is absolutely necessary for vital intelligence purposes.

As Indiana University cybersecurity expert Fred Cate points out, however, the intelligence community’s track record of misleading statements about its capabilities means even such a seemingly unambiguous denial has been greeted with some skepticism. And even if we take that denial at face value when it comes to Heartbleed, reports of NSA’s 2010 “breakthrough” suggest they may be sitting on other, still-undisclosed vulnerabilities.

Here, however, is the really crucial point to recognize: NSA doesn’t need to have known about Heartbleed all along to take advantage of it.

The agency’s recently-disclosed minimization procedures permit “retention of all communications that are enciphered.” In other words, when NSA encounters encryption it can’t crack, it’s allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed, Heartbleed can be used to steal a site’s master encryption keys – keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don’t practice what’s known as “forward security”, regularly generating new keys as a safeguard against retroactive exposure.

If NSA moved quickly enough – as dedicated spies are supposed to – the agency could have exploited the bug to steal those keys before most sites got around to fixing the bug, gaining access to a vast treasure trove of stored traffic.

That creates a huge dilemma for private sector security experts. Normally, when they discover a vulnerability of this magnitude, they want to give their colleagues a discreet heads-up before going public, ensuring that the techies at major sites have a few days to patch the hole before the whole world learns about it.

The geeks at NSA’s massive Information Assurance Directorate – the part of the agency tasked with protecting secrets and improving security – very much want to be in that loop. But they’re part of an organization that’s also dedicated to stealing secrets and breaking security. And security companies have been burned by cooperation with NSA before: the influential firm RSA trusted the agency to help them improve one of their popular security tools, only to discover via another set of Snowden documents that the spies had schemed to weaken the software instead.

Giving NSA advance warning of Heartbleed could help the agency protect all those government systems that were relying on OpenSSL to protect user data – but it also would aid them in exploiting the bug to compromise privacy and security on a massive scale in the window before the fix was widely deployed.

Little wonder, then, that the President’s Review Group on Intelligence and Communications Technologies – informally known as the Surveillance Review Group – dedicated a large section of its recent report, Liberty and Security in a Changing World, to this basic tension. “NSA now has multiple missions and mandates, some of which are blurred, inherently conflicting, or both,” the Review Group wrote. “Fundamentally NSA is and should be a foreign intelligence organization” rather than “an information assurance organization.”

Because Internet security depends on trust and cooperation between researchers, the mission of a security-breaking agency is fundamentally incompatible with that of a security-protecting agency. It’s time to spin off NSA’s “defense” division from the “offense” team. It’s time to create an organization that’s fully devoted to safeguarding the security of Internet users – even if that might make life harder for government hackers.