Monthly Archives: October 2013

Troubles with TOR

The Onion Router has long been thought to be one of the best methods for maintaining anonymity of internet traffic, and has even been assailed by the NSA as a hard problem, leading them to use workarounds to circumvent the network and attack specific users However, new research presented by a team from the US Naval Research Lab and Georgetown University has found that with specific methods they designed:

“Tor faces even greater risks from traffic correlation than previous studies suggested. An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50% probability and within six months with over 80% probability.”

Traffic correlation and nodes controlled by malicious actors have both been considered as a major risk to TOR  for a significant amount of time. This new research quantifies the problem and the danger to users of the service, and with any luck may lead to changes in the system to mitigate said risks.

The Malware of Things

A pair of dueling intelligence exploitation revelations have given the ongoing Snowden releases a run for their money. The first is the allegation that Russia provided poisoned gifts to delegates at the G20 summit. The complementary USB sticks and telephone chargers which they distributed to attendees came with trojan software installed (in the case of the USB sticks) while the cell phone chargers had the ability to slurp data from phones connected to them and send it onward to quarters unknown. Apparently the malware accessories were first recognized as hacking devices by Herman Von Rompuy’s staff. There have been official statements that the devices were not used by any heads of states, but there are indications they may have been picked up by various members of their staffs. Russia has made an official denial of any involvement with the hacking attack, instead stating that this revelation is merely an attempt to distract the world from the NSA spying scandal. There has also been a report published (first in Russian media) that Russian customs officials had seized a number of electric coffeepots, imported from China, which when plugged in search for unlocked wireless networks and then start distributing malware and sending spam emails.

Undoubtedly this sort of situation is not what futurists predicting an “Internet of Things” anticipated. However, we must come to the conclusion that with ubiquitous computing will come ubiquitous malware and exploitative software. It may not yet be time to lie awake at night worrying if your toaster is hacking into your email and changing the controls on your fridge and your TiVo, but the hour certainly draws near.

Admiral Stavridis Advocates for a Leadership Separation of the NSA and Cyber Command

Admiral (USN ret.) Stavridis has written an article in Foreign Affairs assailing the current leadership structure for US Cyber Command. Under the current regime, General Keith Alexander is the head of both the NSA and the DoD’s Cyber Command. Stavridis argues that in the coming months after General Alexander’s planned retirement it would be good for both organizations if there were separate leadership. Given the substantial operational overlap between the two groups, and their shared location at Ft. Meade the decision was made to have both of them headed by the same individual. However, given the rise of importance of cyber issues in government national security policy-making, it may well be a good idea to head off bureaucratic problems by bringing in separate leadership.

 

Dan Gifford MCySec Media Manager

Novel Fingerprinting Technique Identifies Phones Using Accelerometer Data.

Hristo Bojinov and other researchers at Stanford have discovered a new way of digitally fingerprinting mobile devices. The method works off the fact that the accelerometers used in  smart phones all have unique measurement errors after rolling off the assembly line. These errors can be found by setting the phone on a flat surface, tapping it, then flipping it over. The researchers have stood up a proof of concept site where users can find the accelerometer fingerprint of their own device.

The technique could be used by advertisers and by surveillance agencies as a method of tracking and identifying mobile devices. The current favored method for this operation, putting tracking cookies on the piece of hardware, is subject to a number of constraints. Not the least of these being that the users can delete the cookies to give themselves a fresh start in the tracking system.

Dan Gifford – MCySec Media Manager

Greek Foreign Ministry’s Email Server Hacked by Anonymous

More than 3700 documents, ranging from press releases to restricted intelligence assessments have been leaked online by hackers operating under the banner of Anonymous. The documents were obtained through hacking the email servers of the Greek Foreign Ministry and the Organisation for Security and Cooperation in Europe (OSCE). In light of the Greek government’s imminent assumption of the rotating EU presidency come January, security lapses on this scale are certainly troubling.

The attack occurs within the context of a recent Anonymous campaign against the Golden Dawn political party and rising dissatisfaction with austerity policies. The hackers may be attempting to find links within the Greek Government and the OSCE to the Golden Dawn and to other political initiatives in Europe that they find troubling, such as the Internet Crime Units of the European Union Agency for Network and Information Security (ENISA). Their communique regarding the hacking attack can be found here.

Dan Gifford – MCySec Media Manager

“Paunch” Punches Out, Blackhole Kit Hits the Rocks

The Blackhole Exploit Kit, one of the more popular methods of delivering criminal malware to unsuspecting users, has run into a number of difficulties in the last few days. The leading crimeware kit, which has usually been updated as often as twice a day to stay ahead of antivirus detection rules, has not been updated in over a week. This comes amid rumors of the arrest of “Paunch”, the kit’s creator, in Russia. Russian authorities have confirmed the arrest to Europol and news agencies.

The Blackhole kit is by far the most popular exploit injection architecture in recent use, and typically operates through using infected sites to foist java vulnerabilities and criminal malware on unsuspecting surfers, though it has also been used to attack users through phishing emails with links to  malicious sites. While other services are used to manage the development of the specific exploit payloads (Zeus is a standout in this category), the objective of the Blackhole kit and similar programs is serving these payloads up to users using java and other platform vulnerabilities. The arrest of “Paunch” will no doubt lead to the market migrating to other service providers. It must be remembered that this niche is incredibly lucrative- user licenses for Blackhole cost up to $50 per day, or $500 per month.

Dan Gifford – MCySec Media Manager

Middle Eastern Banks Hit by Crimeware, Trying to Find Solutions

An article in the Financial Times by Abigail Fielding-Smith describes the recent attacks by criminal networks and others on the banking and industrial networks in the Middle East. The damage caused by the various attacks, from the theft operations against banks to wiper attacks on the oil company Saudi Aramco’s computers, have inspired a concerted response, including standing up CERT teams and making regional actors compliant with data security protocols.

Taiwan’s Citizen Smart Card Plan Compromised by Bad RNGs

In a recent paper compiling a few years of ongoing research, an international team has described the methods they used to find the cryptographic keys of 184 out of 2 million smart card certificates issued to the Taiwanese public by their government. More than a hundred of the keys shared prime numbers used in their generation with at least one other key,  While this may seem like a trivial number of failures for a program of this size, the algorithm used to generate the keys, 1024 bit RSA, can randomly choose between more than 2^502 different prime numbers when building a key. Even in a sample size as large as 2 million, any prime sharing indicates deep seated failure in the employment of the cryptographic system. The researchers used regular desktop computers to find the keys, in operations that should have taken millions of years of processing time had the cryptosystems been implemented correctly.

The cards were issued by the Taiwanese government to enable citizens to authenticate themselves to the government when using online services, such as paying taxes. The vulnerable cards were all using RSA 1024, while most of the cards issued now use RSA 2048. The government has also attempted to reach out to the citizens whose cards are cryptographically compromised in order to replace them.

Problematically, the system and the smart cards had been certified as cryptographically safe by a number of agencies. This failure will certainly raise more doubt about the current effectiveness of certification agencies for cryptography. In the wake of the remaining questions regarding the DUAL_EC_DRBG fiasco at the US’s NIST (National Institute of Science and Technology), the old question of “Quis custodiet ipsos custodes?” or “Who watches the watchmen?” still stands.

Dan Gifford – MCySec Media Manager 

Adm. Stavridis Advocates for US Cyber Force

Former Commander of NATO (and current Dean of the Fletcher School) Admiral (USN Ret.) James Stavridis has published an Op-Ed in the Boston Globe advocating for the creation of a US Military “Cyber Force” in parallel to the Army, Navy, Air Force and Coast Guard. He makes a potent analogy to the evolving state of US Government policy towards the commercial and military use of air power, and pointedly claims that the policy community on cyber is still on the level that the FAA was at Kitty Hawk.

Now, given that computing technology has had a good fifty years to develop, I would object somewhat on the kitty hawk analogy; we are much further along than that. However, the use of “cyber” as a budget padding measure by each armed service and government agency has certainly resulted in a system that could hardly be described as functional. Without any guiding vision or overarching command structure, military cyber operations will continue to be disjointed and poorly articulated. I would counter with an analogy of my own, the position of Billy Mitchell after the First World War in attempting to get the established military command structure to respond to the changes that were bearing down on them. Let us hope there is not a Pearl Harbor event to vindicate our views.

Dan Gifford – MCySec Media Manager