Archive for the ‘Cyber Intelligence & Terrorism Research’ Category

Tor-provided web anonymity not PRISM-proof – Microsoft security guru

The Tor anonymity network cannot provide internet users shelter from government hackers and cyber criminals, a top Microsoft security expert has revealed.

“There is no such thing as really being anonymous on the internet. If [hackers and government agencies] want you, they will get you,” Andy Malone, of Microsoft Enterprise Security and founder of the Cyber Crime Security Forum, said at the Microsoft TechEd North America 2014.

While The Onion Router (Tor) remains more resilient than alternatives such as virtual private networks, attackers can exploit weaknesses in the software and habits that surround it rather than in the network itself.

“At the moment the Tor network’s security has never been broken, but there are flaws around it that can be exploited,” Malone said.

One such example is that browsers used alongside Tor may still run third-party add-ons, which can open connections outside the Tor proxy and so let snoops track, monitor and steal data from its users.

“Tor leaks do occur through third-party apps and add-ons, like Flash. If I was doing forensics on you and thought you were on Tor I wouldn’t attack the network, I’d attack the weak areas around it.”

Malone says that both the National Security Agency and its UK counterpart, GCHQ, are monitoring “hundreds of Tor relays” and are constantly trying to find ways to break down the secure network. By design, Tor cannot and does not protect against an observer who can watch traffic at both edges of the network, where it enters at the first relay and where it leaves at the exit. It defends against traffic analysis, an observer at a single point trying to work out who is talking to whom, but not against traffic confirmation, where an adversary who already suspects a particular pair of endpoints compares the timing and volume of traffic at both ends to confirm the link.

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application.

“You can get people on Tor in a variety of ways. You could do a time attack, which involves catching traffic between relays. You could also do entry and exit node monitoring, which involves dropping a zero-day on the actual machine accessing Tor or hosting an exit node and monitoring what’s going in or out of it.”
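The traffic-confirmation attack Malone alludes to (watching the entry side and the exit side and matching the two) can be shown in a few dozen lines. The following is an added example written for this page, not code from RT, Malone or the Tor Project; the packet timings and the relay names exit-A, exit-B and exit-C are constructed.

```python
"""Added example for this page (not code from RT, Andy Malone or the Tor
Project): end-to-end traffic confirmation by timing correlation.

Tor hides which relays a flow crosses, but an observer who sees the flow
enter the network (client -> guard) and sees candidate flows leave it
(exit -> destination) can compare the two timing patterns. Agreement
confirms that the two flows are the same connection. All timings and the
relay names exit-A/B/C are constructed.
"""
import math
import random

BIN_SECONDS = 0.5   # coarser than network jitter so small delays do not matter


def bin_counts(timestamps, duration, width=BIN_SECONDS):
    """Packets per time bin over [0, duration)."""
    n_bins = int(math.ceil(duration / width))
    counts = [0] * n_bins
    for t in timestamps:
        idx = int(t // width)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / math.sqrt(var_x * var_y)


def best_match(entry_flow, exit_flows, duration, max_shift_bins=4):
    """Pick the exit flow whose timing best matches the entry flow.

    The circuit adds an unknown delay, so each exit series is tried at a
    few forward shifts and the best score wins. Returns (flow_id, score).
    """
    entry = bin_counts(entry_flow, duration)
    best_id, best_score = None, -1.0
    for flow_id, timestamps in exit_flows.items():
        exit_bins = bin_counts(timestamps, duration)
        for shift in range(max_shift_bins + 1):
            score = pearson(entry[:len(entry) - shift], exit_bins[shift:])
            if score > best_score:
                best_id, best_score = flow_id, score
    return best_id, best_score


def make_bursty_flow(rng, duration, burst_centres):
    """Constructed traffic: a handful of packets clustered around each centre."""
    timestamps = []
    for centre in burst_centres:
        for _ in range(rng.randint(5, 12)):
            t = centre + rng.gauss(0, 0.1)
            if 0 <= t < duration:
                timestamps.append(t)
    return sorted(timestamps)


def demo(seed=1, duration=60.0, circuit_delay=1.0):
    """Build one entry flow and three exit flows; only exit-B is its continuation."""
    rng = random.Random(seed)
    centres = sorted(rng.uniform(1, 55) for _ in range(12))
    entry_flow = make_bursty_flow(rng, duration, centres)
    exit_flows = {
        "exit-A": make_bursty_flow(rng, duration, sorted(rng.uniform(1, 55) for _ in range(12))),
        "exit-B": make_bursty_flow(rng, duration, [c + circuit_delay for c in centres]),
        "exit-C": make_bursty_flow(rng, duration, sorted(rng.uniform(1, 55) for _ in range(12))),
    }
    return best_match(entry_flow, exit_flows, duration)


if __name__ == "__main__":
    flow_id, score = demo()
    print(f"entry flow confirmed as {flow_id} (correlation {score:.2f})")
```

Two points worth taking from it: the adversary never breaks Tor’s encryption, it only needs a view of both ends; and bins coarser than the network jitter plus a small shift search are enough to absorb the circuit’s latency. Real implementations use far better statistics, but the principle is the same, which is why the Tor design documents state up front that end-to-end correlation is out of scope.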

Honey Pots and the Dark Web

Onion routing was initially designed at the US Naval Research Laboratory to protect the security and privacy of network communications; its original purpose was to protect US intelligence and military communications carried over public networks. The network works by routing traffic through multiple relays, each of which knows only its neighbours, in an effort to mask the identities of its users.

It allows for the creation of hidden services with the .onion suffix, which cannot be reached by a conventional browser such as Google Chrome or Firefox unless that browser is routing its traffic through Tor (Tor Browser is a modified Firefox configured to do exactly that). Such sites are often counted as part of the Deep Web, the part of the web not indexed by search engines.

Tor is made possible through a network of volunteer-run relays that pass encrypted data among themselves before handing it to an “exit node,” the relay that connects back out to the ordinary internet. The goal is to obscure where traffic is moving, in order to evade any observer. Exit nodes sit on the edge of the Tor network: the destination sees the exit node’s IP address rather than the user’s, and the exit operator, or anyone watching its link, can read any traffic that is not itself encrypted end to end, for instance with TLS.

While many law-abiding citizens and those seeking to circumvent government censorship have embraced Tor, the notorious online market Silk Road, sometimes called “the ebay for drugs”, was also a hidden Tor service.

Malone said that law enforcement agencies are actively working on more direct ways to penetrate the Tor network and monitor its users.

“I work with, and issue recommendations for, law enforcement and I’m telling you now, the dark web is heavily monitored. The NSA and GCHQ are already monitoring hundreds of Tor relays and exit nodes and trying to find ways to break the network down,” he said.

He further warned that users should be aware that the NSA and GCHQ are installing hundreds of onion routers in order to capture and analyze traffic. If a user visits the Deep Web, they should be aware of the existence of honey pots, or trap websites that appear to be part of the network, but are in fact created by law enforcement to catch criminals.

That the NSA and GCHQ are targeting Tor is no secret. Last October, documents leaked by NSA whistleblower Edward Snowden revealed that the intelligence agencies are working extensively towards compromising the computers of people who browse the internet with Tor.

According to the Guardian’s James Ball, Bruce Schneier and Glenn Greenwald, the NSA’s “current successes against Tor rely on identifying users and then attacking vulnerable software on their computer.”

“While it seems that the NSA has not compromised the core security of the Tor software or network, the documents detail proof-of-concept attacks, including several relying on the large-scale online surveillance systems maintained by the NSA and GCHQ through internet cable taps,” the writers added.

Source: RT

Threats to Mobile Devices Using the Android Operating System

Android is the world’s most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture. Industry reporting indicates 44 percent of Android users are still using versions 2.3.3 through 2.3.7, known as Gingerbread, which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.

The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile operating systems patched and up to date. The following are some known security threats to mobile OS and mitigation steps:

Security Threat: SMS (Text Message) Trojans
Description: Represent nearly half of the malicious applications circulating today on older Android OS versions. The Trojan sends text messages to premium-rate numbers owned by criminals without the user’s knowledge, potentially resulting in exorbitant charges for the user.
Mitigation Strategy: Install an Android security suite designed to combat these threats. These security suites can be purchased or downloaded free from the Internet.

Security Threat: Rootkits
Description: Malware that hides its existence from normal forms of detection. In late 2011, a software developer’s rootkit was discovered running on millions of mobile devices. It logs the user’s locations, keystrokes and passwords without the user’s knowledge.
Mitigation Strategy: Install the Carrier IQ Test, a free application that can detect and remove the malicious software.

Security Threat: Fake Google Play Domains
Description: Sites created by cybercriminals that imitate Google Play, the store that lets users browse and download music, books, magazines, movies, television programs and other applications. The fake domains trick users into installing malicious applications that let attackers steal sensitive information, including financial data and log-in credentials.
Mitigation Strategy: Install only approved applications and follow IT department procedures to update devices’ OS. Users should install and regularly update antivirus software for Android devices to detect and remove any malicious applications.

Google: Gmail users ‘have no legitimate expectation of privacy’

As tensions worsen among privacy-focused email users amid the escalating scandal surrounding government surveillance, a brief filed by attorneys for Google has surfaced arguing that Gmail users should never expect their communications to be kept secret.

Consumer Watchdog has unearthed a July 13, 2013 motion filed by Google’s attorneys with regards to ongoing litigation challenging how the Silicon Valley giant operates its highly popular free email service.

The motion, penned in hopes of having the United States District Court for the Northern District of California dismiss a class action complaint against the company, says Gmail users should assume that any electronic correspondence that passes through Google’s servers can be accessed and used for an array of purposes, such as selling targeted ads.

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery,” the motion reads in part. “Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’”

Elsewhere, Google’s legal counsel says the plaintiffs are attempting “to criminalize ordinary business practices” that the company has implemented for nearly a decade, specifically the automated scanning of emails.

According to Google, federal wiretap laws shield email providers from liability when their practices are carried out “in their ordinary course of business.” An Electronic Communication Service (ECS) such as Gmail must scan emails sent to and from its systems, says Google, as part of providing the services it offers.

“While plaintiffs go to great lengths to portray Google in a sinister light, the complaint actually confirms that the automated processes at issue are Google’s ordinary business practices implemented as part of providing the free Gmail service to the public. This is fatal to plaintiffs’ claims,” the attorneys write.

Plaintiffs claim that an illegal interception is committed each time an email sent to or from a Gmail account is scanned, but the company counters that claim by saying the automated scanning is not only outlined in the Terms of Service agreement, but necessary for the product to function in the way it does.

Gmail customers, the company claims, “are contractually bound to Google’s terms. Indeed, they devote much of the Complaint to attacking the disclosures in the TOS and Privacy Policy in an effort to avoid this express contractual consent.”

“In short, there is no illegal ‘interception’ here because Plaintiffs’ own allegations confirm that the alleged practices at issue are part of Google’s ordinary course of business,” the attorneys write.

“In practice, plaintiffs’ theory would prevent ECS providers from providing a host of normal services that Congress could not possibly have intended to criminalize as an illegal ‘interception,’” they continue. “For example, an ECS provider could not allow users to sort their emails using automated filters because any such system would require scanning the contents of the emails being delivered to the user, thus running afoul of plaintiffs’ theory. Nor could an ECS provider provide even basic features like allowing users to search their own emails for particular key terms because doing so would, again, involve the scanning of email content.”

Google is now asking the court to reject the plaintiffs’ claims because their interpretation of what constitutes an illegal interception would make it “virtually impossible” for any email company to provide normal services. By saying customers have no right to privacy, however, Google has left Consumer Watchdog up in arms.

“Google has finally admitted they don’t respect privacy,” John M. Simpson, Consumer Watchdog’s Privacy Project director, said in a statement. “People should take them at their word; if you care about your email correspondents’ privacy don’t use Gmail.”

“Google’s brief uses a wrong-headed analogy; sending an email is like giving a letter to the Post Office,” added Simpson. “I expect the Post Office to deliver the letter based on the address written on the envelope. I don’t expect the mail carrier to open my letter and read it. Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?”

News of Google’s motion to dismiss the complaint comes just days after two pay-for-use providers of highly encrypted and seemingly secure email services announced they’d be calling it quits. Vaguely citing a federal investigation, Texas-based Lavabit said on Thursday last week that it was shutting down its email service, reportedly used by National Security Agency leaker Edward Snowden. Hours later, competitor Silent Circle said it would be doing the same.

Source: RT

Operation ‘Red October’: Global cyber-spy network uncovered by Russian experts

A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries, has been uncovered by experts at Russia’s Kaspersky Lab.

The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list.

“The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Belgium and Switzerland.

In addition to attacking traditional computer workstations, ‘Rocra’ – an abridgment of ‘Red October,’ the name the Kaspersky team gave the network – can steal data from smartphones, dump network equipment configurations, scan through email databases and local network FTP servers, and snatch files from removable disk drives, including ones that have been erased.

Unlike other well-known and highly automated cyber-espionage campaigns, such as ‘Flame’ and ‘Gauss,’ Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even document usage habits.

The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases.

The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the ‘mothership’ control server.

That malicious server’s location remains unknown, but experts have uncovered over 1,000 modules belonging to 34 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks. This included retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone is connected to the system.

The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.

No details have been given yet as to the attackers’ identity. However, there is strong technical evidence to indicate that the attackers are of Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.

The hackers designed their own original and complex piece of software, with a unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines.

These included a ‘resurrection’ module, which allowed hackers to gain access to infected machines using alternative communications channels and an encoded spy module, stealing information from different cryptographic systems such as Acid Cryptofiler, which has reportedly been used since 2011 by organizations such as NATO, the European Parliament and the European Commission.

The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, Kaspersky Lab reported. The firm worked with a number of international organizations while conducting the investigation, including Computer Emergency Readiness Teams from the US, Romania and Belarus.

The EU is attempting to counter the huge rise in cyber-espionage by launching the European Cybercrime Center, which opened on Friday.

Source: RT

Worm Tries AutoRun, Then Social Engineering to Infect

Sophos, Trend Micro and a number of other security firms are reporting a dramatic increase in the prevalence of a worm that uses AutoRun and social engineering to proliferate.

If you thought Microsoft solved the AutoRun problem, you aren’t alone. The company moved to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm, which targeted the industrial control systems running the centrifuges at Iran’s Natanz nuclear enrichment facility. Yet the further we get from that date, and the more the word AutoRun keeps popping up in headlines, the more it looks like one of those network security nuisances that just won’t go away.

Part of the problem here, according to Sophos, is that users still aren’t very good about patching their machines. It’s the same simple old problem that never seems to change. Despite the fact that Microsoft shipped an update nearly two years ago that disabled AutoRun for USB sticks and other non-optical removable media, some users still haven’t applied it. So the worm is spreading, in large part, through autorun.inf files dropped onto removable media and writable network shares.
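As an added example for this page (not code from Threatpost, Sophos or Trend Micro), here is how an analyst might triage an autorun.inf lifted from a USB stick or a share: extract what Windows would launch and flag the tricks worm variants rely on. Both sample files are constructed; the RECYCLER path and the update.exe name are placeholders.

```python
"""Added example for this page, not code from Threatpost, Sophos or Trend Micro.

Windows (with AutoRun enabled) reads the [autorun] section of autorun.inf on
a newly mounted volume and may run the 'open' command, or swap the drive's
default double-click action via 'shell' and 'shell\\<verb>\\command'. This
module pulls out every command such a file would execute and flags the
tricks worm variants lean on. Both sample files below are constructed.
"""
import re

LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY = re.compile(r"^shell\\([^\\]+)\\command$")
HIDING_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
DOUBLE_EXT = re.compile(r"\.(doc|pdf|jpg|txt|xls|avi|mp3)\.(exe|com|scr|pif|bat|cmd|vbs)\b")
SYSTEM_ICON = re.compile(r"shell32\.dll", re.IGNORECASE)

# Constructed worm-style file: placeholder SID-like path and file name.
WORM_SAMPLE = r"""[autorun]
; filler lines like the next one are common padding and are ignored by Windows
xxxxxxxxxxxxxxxx
open=RECYCLER\S-1-5-21-0\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell=open
shell\open\command=RECYCLER\S-1-5-21-0\update.exe
"""

# Constructed benign file of the kind a vendor install disc might carry.
BENIGN_SAMPLE = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Install Disc
"""


def parse_autorun(text):
    """Return the [autorun] section as {lower-case key: value}; {} if absent."""
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk inserted to confuse scanners has no key=value form
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """(key, command) pairs Windows could execute from this file."""
    return [
        (key, value)
        for key, value in entries.items()
        if value and (key in LAUNCH_KEYS or COMMAND_KEY.match(key))
    ]


def indicators(entries):
    """Human-readable findings; an empty list means nothing worm-like was seen."""
    hits = []
    for key, cmd in launch_targets(entries):
        low = cmd.lower()
        if any(d in low for d in HIDING_DIRS):
            hits.append(f"{key}: executable hidden in {cmd}")
        if DOUBLE_EXT.search(low):
            hits.append(f"{key}: double extension in {cmd}")
    verb = entries.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in entries:
        hits.append(f"shell: default double-click action redirected to verb '{verb}'")
    if SYSTEM_ICON.search(entries.get("icon", "")):
        hits.append("icon: borrows a Windows system icon so the drive looks like a folder")
    action = entries.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        hits.append(f"action: mimics the Windows AutoPlay prompt ({entries['action']})")
    return hits


if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        parsed = parse_autorun(sample)
        print(name, "launches:", launch_targets(parsed))
        for hit in indicators(parsed):
            print("  !", hit)
```

On the defensive side, the update is not the only control: setting the NoDriveTypeAutoRun value to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type regardless of patch state, and the AutoPlay prompt itself can be turned off through Group Policy, which blunts the social-engineering half of the worm as well.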

Read more here: http://threatpost.com/en_us/blogs/worm-tries-autorun-then-social-engineering-infect-113012

The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage

The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage; the agency tested 30 current systems and came up with concrete recommendations.

Honeypots are digital traps used to analyse cyber attacks and their strategies and tools. In the study, ENISA tested honeypots for effectiveness and practicality, with a focus on open-source honeypots. The results are intended to help companies find the best digital traps for their particular situations and to promote further development in the area.

The evaluation system developed for the ENISA study places particular emphasis on user-friendliness. ENISA employees used the honeypot evaluation procedure developed in 2006 by Christian Seifert, Ian Welch and Peter Komisarczuk as a basis for the system and added more “practical” categories. They also differentiated more between various types of honeypots; types tested include server-side honeypots, client-side honeypots, low-interaction honeypots, high-interaction honeypots, hybrid honeypots and sandboxes. Open source online honeypots for monitoring suspicious URLs were also evaluated.

As part of the study findings, ENISA recommends a number of digital traps, noting that dionaea, Glastopf, kippo and Honeyd are particularly easy to use. Among the client honeypots, Thug and Capture-HPC NG also received special mentions.
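To make concrete what a low-interaction server-side honeypot of the kind ENISA rated actually does, here is an added example written for this page. It is not code from the ENISA study or from kippo, dionaea or any other tool named above; the decoy banner is assumed and the probe it is hit with is constructed.

```python
"""Added example for this page: a minimal low-interaction TCP honeypot in the
spirit of the server-side tools ENISA evaluated. It is not code from the
ENISA study, kippo, dionaea or any other project named above.

It listens, sends an SSH-looking banner, records who connected and the first
line they sent, then closes. Nothing is emulated beyond the banner, which is
what 'low interaction' means: cheap to run, little for an attacker to abuse.
"""
import socket
import threading
import time
from datetime import datetime, timezone

DECOY_BANNER = b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n"  # assumed decoy, not a real host


class TcpHoneypot:
    def __init__(self, host="127.0.0.1", port=0, max_bytes=256):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0 = let the OS pick (handy for tests)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.max_bytes = max_bytes
        self.events = []                   # in-memory log; production would ship JSON to a collector
        self._lock = threading.Lock()
        self._running = False
        self._thread = None

    def _handle(self, conn, peer):
        conn.settimeout(2.0)
        data = b""
        try:
            conn.sendall(DECOY_BANNER)
            data = conn.recv(self.max_bytes)
        except OSError:
            pass                           # timeout or reset: a bare port scan still gets logged
        finally:
            conn.close()
        first_line = data.split(b"\n", 1)[0].decode("utf-8", "replace").rstrip("\r")
        with self._lock:
            self.events.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "src": peer[0],
                "sport": peer[1],
                "dport": self.port,
                "first_line": first_line,
            })

    def _serve(self):
        self.sock.settimeout(0.2)          # wake periodically to notice stop()
        while self._running:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        if self._thread is not None:
            self._thread.join()
        self.sock.close()


def probe(port, payload):
    """Play the attacker: connect, read the banner, send one line. Returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as client:
        banner = client.recv(64)
        client.sendall(payload)
    return banner


def demo():
    """Run the honeypot, hit it with one constructed probe, return (banner, events)."""
    honeypot = TcpHoneypot()
    honeypot.start()
    try:
        banner = probe(honeypot.port, b"SSH-2.0-libssh_0.5.2\r\n")   # constructed scanner banner
        deadline = time.time() + 3.0
        while not honeypot.events and time.time() < deadline:
            time.sleep(0.05)                # the handler runs in its own thread
    finally:
        honeypot.stop()
    return banner, list(honeypot.events)


if __name__ == "__main__":
    for event in demo()[1]:
        print(event)
```

The value of such a trap comes from where it sits, not from what it fakes: placed on an address no legitimate client should ever touch, every connection is signal, which is the early-warning property ENISA is recommending. A real deployment would write the events to a collector rather than a list, and would never share a host with production services.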

Read more here: http://www.h-online.com/open/news/item/ENISA-promotes-digital-hacker-traps-1759415.html

Rogue Microsoft Services Agreement Emails Lead to Latest Java Exploit

Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware. “We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences…” The rogue messages are copies of legitimate notifications that Microsoft sent out to announce changes to the company’s Services Agreement that take effect in October.

However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit kit. Read more here
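Because the campaign copied Microsoft’s own template and only swapped the link targets, the simplest mail-gateway check is to compare every link against the domain the message claims to come from. The following is an added example written for this page, not code from Threatpost or Microsoft; the sample message is constructed and the “.example” host stands in for a compromised site.

```python
"""Added example for this page, not code from the Threatpost report or from
Microsoft: flag links in an HTML e-mail whose targets do not match the
sender the message claims to be from.

The campaign copied Microsoft's real notice and swapped the link targets.
Two checks catch that: every http(s) link in a Microsoft notice should
resolve under microsoft.com, and where the visible anchor text is itself a
URL it should name the same host the href does. The message below is
constructed; the '.example' host stands in for a compromised site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed look-alike of the notice: one link left intact, two swapped out.
SAMPLE_EMAIL = """
<p>Important Changes to Microsoft Services Agreement and Communication Preferences</p>
<p><a href="http://www.microsoft.com/privacystatement">Privacy Statement</a></p>
<p><a href="http://compromised-site.example/wp-content/go.php">http://www.microsoft.com/en-us/servicesagreement</a></p>
<p><a href="http://compromised-site.example/wp-content/go.php">Microsoft Services Agreement</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none or cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def host_in_text(text):
    """If the anchor text itself looks like a URL or host name, return that host."""
    shown = text.strip()
    if " " in shown or "." not in shown:
        return ""
    if "://" not in shown:
        shown = "http://" + shown
    return host_of(shown)


def under(host, domain):
    """True when host is domain or a subdomain of it (not a look-alike prefix)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, expected_domains):
    """Links whose host is outside expected_domains or contradicts their own text."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            continue
        if parts.scheme.lower() not in ("http", "https"):
            continue                                   # mailto:, tel: etc. are out of scope
        host = (parts.hostname or "").lower()
        reasons = []
        if not any(under(host, d) for d in expected_domains):
            reasons.append(f"target host {host!r} is not under {', '.join(expected_domains)}")
        shown = host_in_text(text)
        if shown and shown != host:
            reasons.append(f"anchor text shows {shown!r} but the link goes to {host!r}")
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in suspicious_links(SAMPLE_EMAIL, ("microsoft.com",)):
        print(item["href"])
        for reason in item["reasons"]:
            print("  !", reason)
```

The suffix check in under() matters: a host such as microsoft.com.evil.example contains the expected string but is not under it, and look-alike prefixes of exactly that shape are a staple of these campaigns.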