Archive for the ‘Cyber Intelligence & Terrorism Research’ Category

Tor-provided web anonymity not PRISM-proof – Microsoft security guru

The Tor anonymity network cannot provide internet users shelter from government hackers and cyber criminals, a top Microsoft security expert has revealed.

“There is no such thing as really being anonymous on the internet. If [hackers and government agencies] want you, they will get you,” Andy Malone, of Microsoft Enterprise Security and founder of the Cyber Crime Security Forum, said at the Microsoft TechEd North America 2014.

While The Onion Router (Tor) remains more resilient than alternatives such as virtual private networks, cyber criminals are able to exploit weaknesses in the system.

“At the moment the Tor network’s security has never been broken, but there are flaws around it that can be exploited,” Malone said.

One such example is the fact that Tor still uses third-party add-ons, allowing snoops to track, monitor and steal data from its users.

“Tor leaks do occur through third-party apps and add-ons, like Flash. If I was doing forensics on you and thought you were on Tor I wouldn’t attack the network, I’d attack the weak areas around it.”

Malone says that both the National Security Agency and its UK counterpart, GCHQ, are monitoring “hundreds of Tor relays” and are constantly trying to find ways to break down the secure network. By its very nature, Tor cannot and does not protect against monitoring of traffic on the edges of the Tor network, where traffic comes in and goes out. While it can protect against the process of intercepting and examining messages – traffic analysis – it cannot prevent traffic confirmation.

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application.

“You can get people on Tor in a variety of ways. You could do a time attack, which involves catching traffic between relays. You could also do entry and exit node monitoring, which involves dropping a zero-day on the actual machine accessing Tor or hosting an exit node and monitoring what’s going in or out of it.”

Honey Pots and the Dark Web

Onion routing was initially designed at the US Naval Research Laboratory to protect the security and privacy of network communications. Tor was originally designed to shield intelligence gathering operations from open sources and protect military communications over public networks. The network works by routing traffic through multiple nodes in an effort to help mask the identities of its users.

It allows for the creation of “invisible websites” with the .onion extension that can’t be accessed using conventional browsers like Google Chrome or Firefox. Such sections of the internet comprise part of the Deep Web – the part of the web not indexed by search engines.

Tor is made possible through a network of donated servers that exchange encrypted data amongst each other before returning through an “exit node,” or the server that is connected back to the internet. The goal is to obscure just where traffic is moving, in order to evade any observers. Exit Nodes are on the edge of the Tor network, meaning traffic from this node can be traced back to its IP address.

While many law-abiding citizens and those seeking to circumvent government censorship have embraced Tor, the notorious online market Silk Road, sometimes called “the ebay for drugs”, was also a hidden Tor service.

Malone said that law enforcement agencies are actively working on more direct ways to penetrate the Tor network and monitor its users.

“I work with, and issue recommendations for, law enforcement and I’m telling you now, the dark web is heavily monitored. The NSA and GCHQ are already monitoring hundreds of Tor relays and exit nodes and trying to find ways to break the network down,” he said.

He further warned that users should be aware that the NSA and GCHQ are installing hundreds of onion routers in order to capture and analyze traffic. If a user visits the Deep Web, they should be aware of the existence of honey pots, or trap websites that appear to be part of the network, but are in fact created by law enforcement to catch criminals.

That the NSA and GCHQ are targeting Tor is no secret. Last October, documents leaked by NSA whistleblower Edward Snowden revealed that the intelligence agencies are working extensively towards compromising the computers of people who browse the internet with Tor.

According to the Guardian’s James Ball, Bruce Schneier and Glenn Greenwald, the NSA’s “current successes against Tor rely on identifying users and then attacking vulnerable software on their computer.”

“While it seems that the NSA has not compromised the core security of the Tor software or network, the documents detail proof-of-concept attacks, including several relying on the large-scale online surveillance systems maintained by the NSA and GCHQ through internet cable taps,” the writers added.

Source: RT

Threats to Mobile Devices Using the Android Operating System

Android is the world’s most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture. Industry reporting indicates 44 percent of Android users are still using versions 2.3.3 through 2.3.7 – known as Gingerbread – which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.

The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep the mobile OS patched and up to date. The following are some known security threats to mobile OSes and mitigation steps:

Security Threat: SMS (Text Message) Trojans – represent nearly half of the malicious applications circulating today on older Android OS versions.
Description: Sends text messages to premium-rate numbers owned by criminal hackers without the user’s knowledge, potentially resulting in exorbitant charges for the user.
Mitigation Strategy: Install an Android security suite designed to combat these threats. These security suites can be purchased or downloaded free from the Internet.

Security Threat: Rootkits – malware that hides its existence from normal forms of detection. In late 2011, a software developer’s rootkit was discovered running on millions of mobile devices.
Description: Logs the user’s locations, keystrokes, and passwords without the user’s knowledge.
Mitigation Strategy: Install the Carrier IQ Test – a free application that can detect and remove the malicious software.

Security Threat: Fake Google Play Domains – sites created by cybercriminals. Google Play enables users to browse and download music, books, magazines, movies, television programs, and other applications.
Description: Tricks users into installing malicious applications that enable malicious actors to steal sensitive information, including financial data and log-in credentials.
Mitigation Strategy: Install only approved applications and follow IT department procedures to update devices’ OS. Users should install and regularly update antivirus software for Android devices to detect and remove any malicious applications.

Google: Gmail users ‘have no legitimate expectation of privacy’

As tensions worsen among privacy-focused email users amid the escalating scandal surrounding government surveillance, a brief filed by attorneys for Google has surfaced showing that Gmail users should never expect their communications to be kept secret.

Consumer Watchdog has unearthed a July 13, 2013 motion filed by Google’s attorneys with regards to ongoing litigation challenging how the Silicon Valley giant operates its highly popular free email service.

The motion, penned in hopes of having the United States District Court for the Northern District of California dismiss a class action complaint against the company, says Gmail users should assume that any electronic correspondence that’s passed through Google’s servers can be accessed and used for an array of options, such as selling ads to customers.

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery,” the motion reads in part. “Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’”

Elsewhere, Google’s legal counsel says the plaintiffs are attempting “to criminalize ordinary business practices” that the company has implemented for nearly a decade, specifically the automated scanning of emails.

According to Google, federal wiretap laws shield third-party email providers from liability if their practices are carried out “in their ordinary course of business.” An Electronic Communication Service (ECS) such as Gmail must scan emails sent to and from its systems, says Google, as part of providing the services it offers.

“While plaintiffs go to great lengths to portray Google in a sinister light, the complaint actually confirms that the automated processes at issue are Google’s ordinary business practices implemented as part of providing the free Gmail service to the public. This is fatal to plaintiffs’ claims,” the attorneys write.

Plaintiffs claim that an illegal interception is committed each time an email sent to or from a Gmail account is scanned, but the company counters that claim by saying the automated scanning is not only outlined in the Terms of Service agreement, but necessary for the product to function in the way it does.

Gmail customers, the company claims, “are contractually bound to Google’s terms. Indeed, they devote much of the Complaint to attacking the disclosures in the TOS and Privacy Policy in an effort to avoid this express contractual consent.”

“In short, there is no illegal ‘interception’ here because Plaintiffs’ own allegations confirm that the alleged practices at issue are part of Google’s ordinary course of business,” attorneys write.

“In practice, plaintiffs’ theory would prevent ECS providers from providing a host of normal services that Congress could not possibly have intended to criminalize as an illegal interception,” they continue. “For example, an ECS provider could not allow users to sort their emails using automated filters because any such system would require scanning the contents of the emails being delivered to the user, thus running afoul of plaintiffs’ theory. Nor could an ECS provider provide even basic features like allowing users to search their own emails for particular key terms because doing so would, again, involve the scanning of email content

Google is now asking the court to reject the plaintiffs’ claims because their interpretation of what constitutes an illegal interception would make it “virtually impossible” for any email company to provide normal services. By saying customers have no right to privacy, however, Google has left Consumer Watchdog up in arms.

“Google has finally admitted they don’t respect privacy,” John M. Simpson, Consumer Watchdog’s Privacy Project director, said in a statement. “People should take them at their word; if you care about your email correspondents’ privacy don’t use Gmail.”

“Google’s brief uses a wrong-headed analogy; sending an email is like giving a letter to the Post Office,” added Simpson. “I expect the Post Office to deliver the letter based on the address written on the envelope. I don’t expect the mail carrier to open my letter and read it. Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?”

News of Google’s motion to dismiss the complaint comes just days after two pay-for-use providers of highly encrypted and seemingly secure email services announced they’d be calling it quits. Vaguely citing a federal investigation, Texas-based Lavabit said on Thursday last week that it is shutting down its email service, reportedly used by National Security Agency leaker Edward Snowden. Hours later, competitor Silent Circle said it would be doing the same.

Source: RT

Operation ‘Red October’: Global cyber-spy network uncovered by Russian experts


A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries, has been uncovered by experts at Russia’s Kaspersky Lab.

The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list.

“The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Belgium and Switzerland.

In addition to attacking traditional computer workstations, ‘Rocra’ – an abridgment of ‘Red October,’ the name the Kaspersky team gave the network – can steal data from smartphones, dump network equipment configurations, scan through email databases and local network FTP servers, and snatch files from removable disk drives, including ones that have been erased.

Unlike other well-known and highly automated cyber-espionage campaigns, such as ‘Flame’ and ‘Gauss,’ Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even document usage habits.

The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases.

The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the ‘mothership’ control server.

That malicious server’s location remains unknown, but experts have uncovered over 1,000 modules belonging to 34 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks. These included retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone was connected to the system.

The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.

No details have been given yet as to the attackers’ identity. However, there is strong technical evidence to indicate that the attackers are of Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.

The hackers designed their own authentic and complicated piece of software, which has its own unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines.

These included a ‘resurrection’ module, which allowed hackers to gain access to infected machines using alternative communications channels and an encoded spy module, stealing information from different cryptographic systems such as Acid Cryptofiler, which has reportedly been used since 2011 by organizations such as NATO, the European Parliament and the European Commission.

The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, Kaspersky Lab reported. The firm worked with a number of international organizations while conducting the investigation, including Computer Emergency Readiness Teams from the US, Romania and Belarus.

The EU is attempting to counter the huge rise in cyber-espionage by launching the European Cybercrime Center, which opened on Friday.

Source: RT

Worm Tries AutoRun, Then Social Engineering to Infect

Sophos and Trend Micro, and a number of other security firms, are reporting a dramatic increase in the prevalence of a worm using AutoRun and social engineering to proliferate.

If you thought Microsoft solved the AutoRun problem, you aren’t alone. They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Iran’s Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just won’t go away.

Part of the problem here, according to Sophos, is that users still aren’t very good about patching their machines. It’s the same, simple old problem that never seems to change. Despite the fact that Microsoft shipped a patch to disable AutoRun nearly two years ago, some users still haven’t gotten around to implementing it. So the worm is spreading, in large part, through autorun.inf files loaded onto removable media and writable network shares.
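The autorun.inf files the worm drops are the artefact a responder can actually look at. The following triage script is an added example, not code from Threatpost, Sophos or Microsoft: it parses an autorun.inf tolerantly (worms pad them with junk to trip strict INI parsers), flags the keys that launch a program or imitate Explorer’s “open folder” choice, and includes a helper for reading the NoDriveTypeAutoRun policy bits that the AutoRun-disabling patch relies on. Both autorun.inf samples and the hidden-directory heuristic are constructed for illustration.

```python
"""Triage of autorun.inf files picked up from removable media or writable
shares (added example, not from the Threatpost article or any vendor tool).
The two autorun.inf samples below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List

# [autorun] keys that make Windows launch a program when AutoRun is honoured
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds a context-menu verb that runs a program
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# Directories worms like to stage payloads in because Explorer hides them (heuristic)
HIDDEN_DIRS = {"recycler", "$recycle.bin", "system volume information"}


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> Dict[str, str]:
    """Return lower-cased key -> value pairs from the [autorun] section.
    Deliberately tolerant: junk lines and comments are skipped rather than
    raising, because Windows itself ignores what it cannot parse."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _in_hidden_dir(path: str) -> bool:
    first = path.replace("/", "\\").lstrip("\\").split("\\")[0].strip().lower()
    return first in HIDDEN_DIRS


def scan_autorun(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            reason = "launches a program via AutoRun" if key in EXEC_KEYS \
                else "custom shell verb runs a program"
            if _in_hidden_dir(value):
                reason += " from a directory Explorer normally hides"
            findings.append(Finding(key, value, reason))
        elif key == "action" and "folder" in value.lower():
            # Social-engineering tell: the AutoPlay entry imitates the normal
            # open-folder choice so the user launches the payload themselves
            findings.append(Finding(key, value, "AutoPlay text imitates Explorer's open-folder entry"))
    return findings


def verdict(text: str) -> str:
    return "suspicious" if scan_autorun(text) else "clean"


# Drive-type bits of the NoDriveTypeAutoRun policy value; 0xFF sets them all
REMOVABLE, NETWORK = 0x04, 0x10


def autorun_blocked(no_drive_type_autorun: int, drive_bit: int) -> bool:
    """True when the policy bit for that drive type is set, i.e. AutoRun is off there."""
    return bool(no_drive_type_autorun & drive_bit)


SUSPICIOUS_INF = """\
[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
shell=open
xqzxqz ##### junk padding with no key/value #####
"""

BENIGN_INF = """\
[autorun]
icon=driver.ico
label=Printer Driver Disc
"""
```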

Read more here: http://threatpost.com/en_us/blogs/worm-tries-autorun-then-social-engineering-infect-113012

The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage

The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage; the agency tested 30 current systems and came up with concrete recommendations.

Honeypots are digital traps used to analyse cyber attacks and their strategies and tools. In the study, ENISA tested honeypots for effectiveness and practicality, with a focus on open-source honeypots. The results are intended to help companies find the best digital traps for their particular situations and to promote further development in the area.

The evaluation system developed for the ENISA study places particular emphasis on user-friendliness. ENISA employees used the honeypot evaluation procedure developed in 2006 by Christian Seifert, Ian Welch and Peter Komisarczuk as a basis for the system and added more “practical” categories. They also differentiated more between various types of honeypots; types tested include server-side honeypots, client-side honeypots, low-interaction honeypots, high-interaction honeypots, hybrid honeypots and sandboxes. Open source online honeypots for monitoring suspicious URLs were also evaluated.

As part of the study findings, ENISA recommends a number of digital traps, noting that dionaea, Glastopf, kippo and Honeyd are particularly easy to use. Among the client honeypots, Thug and Capture-HPC NG also received special mentions.
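To make the “server-side, low-interaction” category concrete, here is an added example of such a honeypot in Python; it is not code from the ENISA study or from dionaea, Glastopf, kippo or Honeyd. It binds a decoy service, sends a fake banner, records who connected and what they sent first, and classifies the probe; the banner text, the protocol heuristics and the local `probe()` client are assumptions made for this illustration.

```python
"""Minimal server-side, low-interaction TCP honeypot (added example, not from
the ENISA study or the tools it names). It offers a decoy banner, records
each connection and the first bytes sent, and classifies the probe."""
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProbeEvent:
    peer: str           # "ip:port" of the connecting client
    first_bytes: bytes  # up to 512 bytes the client sent, b"" if nothing
    timestamp: float    # time.time() when the connection ended


def classify(first_bytes: bytes) -> str:
    """Rough protocol guess from the first bytes (heuristic); a bare connect
    with no data is typical of a port scanner and is itself an early warning."""
    if not first_bytes:
        return "connect-only (scanner)"
    head = first_bytes[:8].upper()
    if any(head.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        return "http-probe"
    if first_bytes.startswith(b"SSH-"):
        return "ssh-probe"
    return "unknown"


class LowInteractionHoneypot:
    """Accepts connections, sends a decoy banner, reads once, logs, closes.
    No real service is exposed, which keeps interaction (and risk) low."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 FTP server ready\r\n", read_timeout: float = 1.0):
        self.banner, self.read_timeout = banner, read_timeout
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0 lets the OS pick a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)      # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self.events: List[ProbeEvent] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self) -> "LowInteractionHoneypot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        data = b""
        with conn:
            conn.settimeout(self.read_timeout)
            try:
                conn.sendall(self.banner)
                data = conn.recv(512)    # returns b"" if the peer just disconnects
            except (socket.timeout, OSError):
                pass
        with self._lock:
            self.events.append(ProbeEvent(f"{addr[0]}:{addr[1]}", data, time.time()))

    def wait_for_events(self, count: int, timeout: float = 3.0) -> List[ProbeEvent]:
        """Poll until at least `count` events are logged or the timeout passes."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(port: int, payload: Optional[bytes]) -> bytes:
    """Local stand-in for a scanner: connect, read the banner, optionally send
    a payload, disconnect. Returns the banner the honeypot served."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(64)
        if payload:
            s.sendall(payload)
    return banner
```

Run stand-alone by starting `LowInteractionHoneypot().start()`, pointing `probe()` at `hp.port`, and printing `classify()` of each logged event; in production the events would be shipped to a SIEM rather than kept in memory.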

Read more here: http://www.h-online.com/open/news/item/ENISA-promotes-digital-hacker-traps-1759415.html

Rogue Microsoft Services Agreement Emails Lead to Latest Java Exploit

Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware. “We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences…” The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company’s Services Agreement that will take effect in October.

However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit. Read more here

New virus linked to makers of Flame detected across Mideast

Kaspersky internet security firm says new virus, named Gauss, based on Flame platform; infected computers found in Israel, Lebanon, PA, among other states.

The Kaspersky internet security firm announced on Thursday that it has detected a new kind of computer virus that has been targeting computers in Lebanon, Israel, and the Palestinian Authority.

According to the firm, the new virus, called Gauss, was designed as a spy tool and was programmed using the platform of another computer virus, Flame, which was exposed earlier this year.

In the past, Kaspersky officials have determined that there was a clear link between Flame, Stuxnet – the computer worm reportedly used to target Iran’s nuclear facilities – and another virus by the name of Duqu.

What this means is that Gauss could be another in a chain of cyber assault tools developed by a single country, or by several countries.

According to the security firm, Gauss injects code into different internet browsers in order to track the users’ activities and steal passwords, “cookie” files, and browser history. In addition, it also collects information on the computer’s network connections and attached devices, which it sends to the virus’ control servers.

Kaspersky indicated that Gauss was developed in 2011-2012, and was actively distributed throughout the Middle East in the last ten months. Most of the infected computers were in Lebanon (1,660), with Israel a distant second, housing 483 computers with the virus.

In addition, 261 infected computers were also found in the Palestinian Authority, along with a handful of computers in Egypt, Qatar, Syria, Jordan, and Saudi Arabia, as well as 43 in the United States and five in Germany.

The virus reportedly infected Microsoft operating systems from Windows XP to Windows 7.

Last month, the Iranian Students’ News Agency quoted an unnamed cyber security official as saying that the United States will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran. Iran has previously accused the United States and its allies of trying to sabotage its disputed nuclear program by using computer worms like Stuxnet, which caused centrifuges at the country’s main enrichment facility to fail in 2010.

In June, Iran said it had detected plans by the United States, Israel and Britain to launch what it said was a massive cyber strike, after diplomatic efforts to curb Tehran’s nuclear program broke down.

Western powers believe Iran wants to produce atomic bombs, a charge Tehran denies. It says it only wants the technology to generate medical isotopes to treat cancer patients.

Source: Haaretz

Chinese Espionage Campaign ‘Luckycat’ Targets Android

Luckycat, a gang of Chinese cybercriminals targeting executives in the aerospace, energy, and engineering industries, has been evolving its attacks since initial reports emerged in June 2011.

First they targeted Windows (easy). Then earlier this year, we saw Luckycat exploit a JavaScript flaw to spy on Mac OS systems, with SabPub.

This summer, Trend Micro reports evidence that Luckycat is now targeting Android devices.

The company discovered two unfinished, undelivered Android apps during a recent investigation of a Luckycat command and control center (Trend also discovered ongoing deliveries of SabPub via a JavaScript exploit). Both apps were called “testService” and the only difference was that one of the icons was invisible. Clearly, the attackers were working on making this as stealthy as possible.

The apps exhibited behaviors similar to a Remote Access Trojan (RAT), like being able to locate sensitive data and upload them to a remote server. However the “remote shell” command was incomplete, meaning the attackers couldn’t take real-time control of the devices.

Tom Kellermann, director of cyber security at Trend Micro, illustrated the potential danger of being able to remotely control devices in real time.

“For example if I the attacker see in your [phone's] calendar that you have a meeting in ten minutes, I could just pop the mic,” he said.

Lookout Mobile confirmed seeing the same malware samples, all clearly in debug (testing) mode since the output was all debug messages.

The key question now is, how do the attackers intend to deliver this malware to their targets? The attackers have several options, Trend Micro notes. One is an SMS or email containing a download URL disguised as something legitimate (spearphishing). SabPub, for instance, was delivered through poorly spelled emails appealing to Tibetan sympathizers.

Should You Worry?
You may not be a key target of Luckycat, but one day the same malware could be used to target your Android device. Some simple countermeasures we normal folk can take are, well, the same as always:

  1. Stick to the official Google Play and Amazon Android app Stores.
  2. Don’t click on strange links within emails.
  3. Use a mobile security app—free versions of Lookout, Trend Micro, avast!, and McAfee provide strong lines of defense.

Source: http://securitywatch.pcmag.com/none/301002-chinese-espionage-campaign-luckycat-targets-android

Pentagon to recruit Russian hackers

An adviser to U.S. President Barack Obama said that the U.S. has a new plan to combat cyberwarfare.

The U.S. government has a plan to put the skills of the best hackers in the world to work fighting terrorism and designing security systems for government agencies. John Arquilla, an adviser to U.S. President Barack Obama and the man who coined the term “cyberwarfare,” told the UK’s Guardian newspaper that the U.S. Defense Department plans to hire about 100 hackers, primarily Russians, for the initiative.

Arquilla accused the Pentagon of wasting billions of dollars on “pointless aircraft carriers, tanks and planes at the expense of nimbler, leaner strategy” of spending on experts. He said that as a result the U.S. has fallen behind other superpowers in the global cyber race.

“We intend to set up something like the English Bletchley Park (where the UK ran decryption operations during World War II),” said Arquilla. “We will hire Russians and Asians. They are definitely the best code crackers in the world. I have already established contact with several very influential hackers. I even brought one to meet the CEO of a major company to evaluate the vulnerability of his information systems. He managed to break into the system in just a few minutes.”

Russian hackers do not rule out the possibility of cooperating with the U.S. government, provided it observes a number of crucial factors.

Said one hacker known as Zeus: “I’ll agree if they offer me a fair salary and good living accommodations. Another important thing is that my activities mustn’t be aimed at Russia. I don’t want to be a traitor. There are a great many advantages in working in the U.S., like opportunities to realize my potential, high living standards and an evolved society.”

Another hacker said that working for the U.S. government is, on the one hand, fairly risky, but on the other hand, a very lucrative and stable business.

“Our task is to make sure those who agree to work for us have all they need. America has always lavishly spent money on the best specialists in the world. That’s why I’m sure we’ll persuade them to cooperate,” Arquilla said.

Source: Izvestia Ru