Archive for the ‘Intelligence Collection and Analysis’ Category

Tor-provided web anonymity not PRISM-proof – Microsoft security guru

The Tor anonymity network cannot provide internet users shelter from government hackers and cyber criminals, a top Microsoft security expert has revealed.

“There is no such thing as really being anonymous on the internet. If [hackers and government agencies] want you, they will get you,” Andy Malone, of Microsoft Enterprise Security and founder of the Cyber Crime Security Forum, said at the Microsoft TechEd North America 2014.

While The Onion Router (Tor) remains more resilient than alternatives such as virtual private networks, cyber criminals are able to exploit weaknesses in the system.

“At the moment the Tor network’s security has never been broken, but there are flaws around it that can be exploited,” Malone said.

One such weakness is that Tor users still rely on third-party add-ons, which can allow snoops to track, monitor and steal data from them.

“Tor leaks do occur through third-party apps and add-ons, like Flash. If I was doing forensics on you and thought you were on Tor I wouldn’t attack the network, I’d attack the weak areas around it.”

Malone says that both the National Security Agency and its UK counterpart, GCHQ, are monitoring “hundreds of Tor relays” and are constantly trying to find ways to break down the secure network. By its very nature, Tor cannot and does not protect against monitoring of traffic on the edges of the Tor network, where traffic comes in and goes out. While it can protect against the process of intercepting and examining messages – traffic analysis – it cannot prevent traffic confirmation.

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application.

“You can get people on Tor in a variety of ways. You could do a time attack, which involves catching traffic between relays. You could also do entry and exit node monitoring, which involves dropping a zero-day on the actual machine accessing Tor or hosting an exit node and monitoring what’s going in or out of it.”

Honey Pots and the Dark Web

Onion routing was initially designed at the US Naval Research Laboratory to protect the security and privacy of network communications. Tor was originally designed to shield intelligence gathering operations from open sources and protect military communications over public networks. The network works by routing traffic through multiple nodes in an effort to help mask the identities of its users.

It allows for the creation of “invisible websites” with the .onion extension that can’t be accessed using conventional browsers like Google Chrome or Firefox. Such sections of the internet comprise part of the Deep Web – the part of the web not indexed by search engines.

Tor is made possible through a network of donated servers that exchange encrypted data amongst each other before returning through an “exit node,” or the server that is connected back to the internet. The goal is to obscure just where traffic is moving, in order to evade any observers. Exit nodes are on the edge of the Tor network, meaning traffic from such a node can be traced back to its IP address.

While many law-abiding citizens and those seeking to circumvent government censorship have embraced Tor, the notorious online market Silk Road, sometimes called “the ebay for drugs”, was also a hidden Tor service.

Malone said that law enforcement agencies are actively working on more direct ways to penetrate the Tor network and monitor its users.

“I work with, and issue recommendations for, law enforcement and I’m telling you now, the dark web is heavily monitored. The NSA and GCHQ are already monitoring hundreds of Tor relays and exit nodes and trying to find ways to break the network down,” he said.

He further warned that users should be aware that the NSA and GCHQ are installing hundreds of onion routers in order to capture and analyze traffic. If a user visits the Deep Web, they should be aware of the existence of honey pots, or trap websites that appear to be part of the network, but are in fact created by law enforcement to catch criminals.

That the NSA and GCHQ are targeting Tor is no secret. Last October, documents leaked by NSA whistleblower Edward Snowden revealed that the intelligence agencies are working extensively towards compromising the computers of people who browse the internet with Tor.

According to the Guardian’s James Ball, Bruce Schneier and Glenn Greenwald, the NSA’s “current successes against Tor rely on identifying users and then attacking vulnerable software on their computer.”

“While it seems that the NSA has not compromised the core security of the Tor software or network, the documents detail proof-of-concept attacks, including several relying on the large-scale online surveillance systems maintained by the NSA and GCHQ through internet cable taps,” the writers added.

Source: RT

Operation ‘Red October’: Global cyber-spy network uncovered by Russian experts


A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries, has been uncovered by experts at Russia’s Kaspersky Lab.

The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list.

“The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Belgium and Switzerland.

In addition to attacking traditional computer workstations, ‘Rocra’ – an abridgment of ‘Red October,’ the name the Kaspersky team gave the network – can steal data from smartphones, dump network equipment configurations, scan through email databases and local network FTP servers, and snatch files from removable disk drives, including ones that have been erased.

Unlike other well-known and highly automated cyber-espionage campaigns, such as ‘Flame’ and ‘Gauss,’ Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even document usage habits.

The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases.

The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the ‘mothership’ control server.

That malicious server’s location remains unknown, but experts have uncovered over 1,000 modules belonging to 34 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks. These included retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone was connected to the system.

The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.

No details have been given yet as to the attackers’ identity. However, there is strong technical evidence to indicate that the attackers are of Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.

The hackers designed their own authentic and complicated piece of software, which has its own unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines.

These included a ‘resurrection’ module, which allowed the hackers to regain access to infected machines through alternative communication channels, and an encoded spy module that steals information from different cryptographic systems such as Acid Cryptofiler, which has reportedly been used since 2011 by organizations such as NATO, the European Parliament and the European Commission.

The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, Kaspersky Lab reported. The firm worked with a number of international organizations while conducting the investigation, including Computer Emergency Readiness Teams from the US, Romania and Belarus.

The EU is attempting to counter the huge rise in cyber-espionage by launching the European Cybercrime Center, which opened on Friday.

Source: RT

Pentagon to recruit Russian hackers

An adviser to U.S. President Barack Obama said that the U.S. has a new plan to combat cyberwarfare.

The U.S. government has a plan to put the skills of the best hackers in the world to work fighting terrorism and designing security systems for government agencies. John Arquilla, an adviser to U.S. President Barack Obama and the man who coined the term “cyberwarfare,” told the UK’s Guardian newspaper that the U.S. Defense Department plans to hire about 100 hackers, primarily Russians, for the initiative.

Arquilla accused the Pentagon of wasting billions of dollars on “pointless aircraft carriers, tanks and planes at the expense of nimbler, leaner strategy” of spending on experts. He said that as a result the U.S. has fallen behind other superpowers in the global cyber race.

“We intend to set up something like the English Bletchley Park (where the UK ran decryption operations during World War II),” said Arquilla. “We will hire Russians and Asians. They are definitely the best code crackers in the world. I have already established contact with several very influential hackers. I even brought one to meet the CEO of a major company to evaluate the vulnerability of his information systems. He managed to break into the system in just a few minutes.”

Russian hackers do not rule out the possibility of cooperating with the U.S. government, provided it observes a number of crucial factors.

Said one hacker known as Zeus: “I’ll agree if they offer me a fair salary and good living accommodations. Another important thing is that my activities mustn’t be aimed at Russia. I don’t want to be a traitor. There’s a great deal of advantages in working in the U.S. like opportunities to realize my potential, high living standards and an evolved society.”

Another hacker said that working for the U.S. government is, on the one hand, fairly risky, but on the other hand, a very lucrative and stable business.

“Our task is to make sure those who agree to work for us have all they need. America has always lavishly spent money on the best specialists in the world. That’s why I’m sure we’ll persuade them to cooperate,” Arquilla said.

Source: Izvestia Ru

Chinese Spy Device in Hong Kong Cars: Apple Daily

Source: Daily Mail

Chinese authorities may be listening in on travelers’ conversations in Hong Kong, with a device that’s been installed on thousands of vehicles, according to Hong Kong’s Apple Daily newspaper.

Authorities in Shenzhen have been installing “inspection and quarantine cards” on dual-plate Chinese and Hong Kong vehicles since 2007. They’re apparently for tracking cars crossing the border. But Apple Daily says these devices are capable of much more. In fact, experts who examined the devices—taken apart by Apple Daily—say they can be used for eavesdropping, and can send signals up to 12 miles away.

Apple Daily says smugglers were the first to suspect these devices. They thought it was strange that border agents were able to precisely track down vehicles used for smuggling goods.

Shenzhen authorities denied the allegations, when Apple Daily approached them. But the claims have made travelers uneasy, especially those who discuss private business matters during their travels between Hong Kong and Mainland China.

LinkedIn’s Leaky Mobile App Has Access to Your Meeting Notes

LinkedIn mobile app subscribers may be surprised to learn that the calendar entries on their iPhones or iPads— which may include details about meeting locations, participants, dial-in information, passwords and sensitive meeting notes — are transmitted back to LinkedIn’s servers without their knowledge.

Researchers Yair Amit and Adi Sharabani discovered that LinkedIn’s mobile app for iOS, Apple’s mobile operating system, included an opt-in feature that allows users to view their iOS calendar entries within the app. Once users opt in to that feature, however, LinkedIn automatically transmits their calendar entries to its servers. LinkedIn grabs details for every calendar on the iOS device, which may include both personal and corporate calendar entries.

That practice, which is not communicated to users, may violate Apple’s privacy guidelines, which expressly prohibit any app from transmitting users’ data without their permission. A similar practice came to light earlier this year when a developer noticed that Path, the popular mobile social network, was uploading entire address books to its servers without users’ knowledge. That practice came under scrutiny by members of Congress. In response, Path said it would stop the practice and destroy the data it had collected.

More here: http://bits.blogs.nytimes.com/2012/06/05/linkedins-leaky-mobile-app-has-access-to-your-meeting-notes/

Iran targeted by ‘Flame’ espionage virus

Source: The Telegraph

Iranian computer networks have been targeted by a cyber espionage virus many times more complicated than any malicious software ever seen before, security experts have said.

The virus, named Flame or Skywiper, could only have been created by a state, according to analysts who have investigated it and the pattern of infection.

“The results of our technical analysis support the hypotheses that Skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” said Crysys Lab, a unit that investigates computer viruses at Budapest University.

The discovery of Flame/Skywiper, which may have been in circulation for more than five years, offers further confirmation of the secret battle being waged by intelligence agencies online.

Although its purpose is to steal information rather than cause physical damage, Flame/Skywiper is said to be a much more complicated piece of malicious software than Stuxnet, the groundbreaking virus designed to cripple Iranian uranium enrichment.

“Information gathering from a large network of infected computers was never crafted as carefully,” Crysys Lab said.

“It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes.”

In their preliminary technical report, the investigators describe unprecedented layers of software, designed to allow Flame/Skywiper to penetrate computer networks undetected. The 20MB file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.

Various components of Flame/Skywiper enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes.

Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab, which has also analysed the virus, noted that “it took us 6 months to analyze Stuxnet. [This] is 20 times more complicated”.

Iran’s Computer Emergency Response Team, Maher, today issued a statement claiming Flame/Skywiper was “a close relation” of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus that is believed to be the work of state intelligence. Many experts suspect Stuxnet was created by the United States and Israel.

Crysys Lab said the technical evidence for a link between Flame/Skywiper and Stuxnet or Duqu was inconclusive, however. While they shared many common components, the newly-discovered virus bears little resemblance; for instance Flame/Skywiper does not spread itself automatically but only when hidden controllers allow it.

In its statement, published online, Maher said selected organisations had been given software to detect and remove the newly-discovered virus at the beginning of May.

As well as Iran, Flame/Skywiper infections have been detected in the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

The head of Interpol: ‘Terrorists plan on email. And we can’t track them’

Ronald Noble: ‘Terrorists plan on email. And we can’t track them’

Source: Independent.co.uk

As a former head of the US Secret Service, Ronald Noble knows only too well how terrorism, drug-smuggling and people-trafficking cross borders which individual police forces cannot. He is now Secretary General of Interpol, and a specialist team from the organisation he has spent 11 years rebuilding will next summer help the Metropolitan Police combat those crimes and others, during the huge security operation protecting the 2012 Olympic Games.

Meeting The Independent before visiting Scotland Yard to discuss arrangements for the Games, Mr Noble said he recognised that some people are scared the event could bring an increased threat of violence to the UK.

“In terms of terrorist activity, there is talk, there is chatter, that follows any major event,” he says, but adds Interpol has “not seen or heard terrorists saying we’re going to target this event”.

“We try to think like terrorists would think,” he continues. “A smart terrorist would know that if the world’s attention is focused on something and they commit a terrorist act it will help them create the kind of fear that would make people want to leave London.

[…]

“My concern is that the people planning that attack – that nuclear attack, that bio-terrorist attack, that attack that should concern us all as a world – would be able to plan it more effectively because we don’t have a network in place for tracing the source of email messages on the internet,” he says.

“One of the things I want to do … is to create a cyber-fusion centre, where police around the world can go to one place quickly and find out the source of any kind of message or communication that’s come across the internet.”

That in itself may alarm some. But Mr Noble emphasises the centre will only target specific, suspicious emails, saying it simply could not track all the messages from billions of innocent people even if Interpol wanted it to.

Nevertheless, some civil liberties groups have questioned Interpol’s accountability and transparency.