by Mike Masnick
Mon, Nov 25th 2013 3:44am
by Mike Masnick
Mon, Nov 11th 2013 5:27am
from the is-nothing-sacred? dept
According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

Over the weekend it appears that Der Spiegel published a further report by Laura Poitras on this hacking, which revealed that the spoofed websites used to install this malware were none other than Slashdot and LinkedIn. Interesting choices.
Update: Nicholas Weaver explains what happened in much more detail. It's not a fake page, but a packet injection attack.
Fri, Oct 25th 2013 5:33pm
from the duke-nuclear-power? dept
Sharing time: I'm quite afraid of a lot of things in this life. Clowns, for instance, as well as female cats that just had kittens. Oddly, the Harris Bank lion has scared me since my childhood. Very small rocks. The American South. But, honestly, I'm not afraid of North Korea. Their threats tend to amount to piss-poor photoshopped pictures and videos that might be terrifying if their own enemies hadn't produced the footage for them. Now, I get that North Korea's government is a horrible threat to its own people and I dream nightly of the day when those people will be freed from their current leader and his never ending Bond-villain impression, but they just don't feel all that threatening to me. Why? Well, because their threats always seem to amount to a dud bottle-rocket, relatively speaking.
Take the latest dire warning out of South Korea, for instance, which amounts to reviled North Korean hackers trying to insert malware into software produced in North Korea for use in DDoS attacks.
In the latest criminal case, a North Korea hacker disguised himself as a software developer and offered to make online gaming programs for the arrested South Korean businessman at much cheaper prices than South Korean software developers, the NPA official said.

Er, okay, so "thousands of dollars" were spent by a South Korean on North Korean programming that went nowhere and then the South Korean was arrested. And, yes, South Korea is occasionally the target of DDoS attacks that likely come from the North, but so what? Nobody is buying North Korean games en masse, should such things even exist. And, while I'm sure they have some talented techno-mancers in North Korea, why would using their programmers to produce games ever become a trend, when that practice is illegal and likely better talent exists elsewhere?
The North Korean-developed gaming programs, for which “thousands of dollars” had been paid by the arrested South Korean businessman, were all confiscated before spreading online, he said, adding if the programs had been developed by South Koreans, the price tag would have been much higher.
Now -- and this is just a crazy out there suggestion -- but what if those North Korean programmers actually made a game worth some money, distributed it to those countries still willing to do business with them, and then, oh, I don't know, used the income to feed their own people on occasion? I know that doesn't make you a super-cool mega-villain, Supreme Leader, but at least it'd be more effective than constantly cleaning the egg off your face.
by Mike Masnick
Fri, Sep 13th 2013 5:34pm
from the confirmed dept
Freedom Hosting clearly hosted some very bad stuff, and there's nothing wrong with law enforcement looking to find and arrest those who are involved in criminal activities -- but when it reaches the level of installing effective malware and re-identifying a ton of people who chose to be anonymous, many of whom are not criminals at all, it begins to raise questions about how appropriate (or legal) the activity really is. Taking control over all Freedom Hosting servers and inserting some code really seems like an incredibly questionable move.
by Mike Masnick
Tue, Aug 6th 2013 7:48am
Comcast NBC Universal Already Moving Past Six Strikes; Trying New Malware Popups Urging Downloaders To Buy
from the that-seems-like-a-bad-idea dept
While Comcast knows the solution is feasible, the company’s engineers haven’t formally begun work on it. The project is being worked on in tandem with engineers at NBC Universal, the content side of the conglomerate.

That certainly sounds like something cooked up on the NBC Universal side of things. The offering here sounds ridiculous and intrusive:
As sources described the new system, a consumer illegally downloading a film or movie from a peer-to-peer system like BitTorrent would be quickly pushed a pop-up message with links to purchase or rent the same content, whether the title in question exists on the VOD library of a participating distributor’s own broadband network or on a third-party seller like Amazon.

This highlights a few key points:
- For all the fuss about the six strikes system and how important it was, it sure sounds like yet another expensive disaster in a long line of expensive disasters by the legacy entertainment industry in its quixotic quest to stamp out infringement. They still don't get that this isn't an education problem, nor is it an enforcement problem. It's a service problem. And being creepy and spying on what people are surfing on isn't going to make people feel particularly warm and fuzzy about moving on to buy something.
- Popups are a bad idea. As in really, really bad. First off, it just pisses people off to get any sort of popup. Second, the only way to do this is by effectively spying on all traffic -- i.e., some sort of deep packet inspection/malware-like setup monitoring everything you do. Anyone who thinks that doesn't open up opportunities for abuse and security vulnerabilities hasn't been paying much attention.
- As many people warned, you knew that the legacy entertainment industry would never believe that the six strikes program was "enough." They have huge staffs of "anti-piracy" people who need to stay employed, so you had to know they were cooking up more. But, no matter what plan is agreed to, there's always going to be mission creep as they try to get more and more and more.
- Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn't a way of encouraging them to buy. It's a way of encouraging them to want nothing to do with you.
- My favorite part: the system would include affiliate links within the alerts in an attempt to drive extra revenue and to encourage other ISPs and sites to participate. I guess it's better than pressuring companies with a stick, but the affiliate link carrot just feels sleazy.
by Mike Masnick
Mon, Aug 5th 2013 1:11pm
from the left-hand,-meet-the-anonymous-right-hand dept
Shortly after Marques' arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.

So why do people think the feds are involved? The bit of malware scoops up various identifying information -- MAC address and Windows hostname -- and then sends it to a server in Virginia to find the real IP address of the computer in question. The Virginia server is controlled by the infamous contractor SAIC, who works with numerous government agencies.
By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.
Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.
It's no secret that law enforcement has wanted to identify folks who are trying to be anonymous. And, as discussed just last week, the FBI has been using malware at an increasing rate. So it wouldn't be a huge surprise to find out that little tricky bit of malware was designed to provide more info on Tor users who might be up to nefarious activity (or, you know, they might just want to surf anonymously). I imagine that this is not the end of this particular story...
by Tim Cushing
Tue, Jul 9th 2013 7:44am
Your Tax Dollars At Work: How Commerce Dept. Spent $2.7 Million Cleaning Out Two Malware-Infected Computers
from the burning-a-hole-in-taxpayers'-pockets dept
The cyber-Pearl Harbor is upon us and the only way to defeat it is to sink our own ships at the first sign of invasion. This is the sort of thing that happens when the legislators and advisors with the loudest voices value paranoia over rational strategy. The Department of Commerce, aided by a tragicomic string of errors, managed to almost stamp out its malware problem.
The Commerce Department's Economic Development Administration spent almost half of its IT budget last year to remediate a cyber attack that barely happened.

Also included in the mass destruction were cameras and TVs. It wasn't just cyber-paranoia that led to this hardware cull. There was plenty of miscommunication too, along with the usual doses of bureaucratic clumsiness. The Inspector General's report breaks down the chain of missteps, which all began with a response team member grabbing the wrong network info.
EDA's drastic steps to limit the damage by shutting down much of the access to the main Herbert Hoover Building network ended up costing the agency more than $2.7 million to clean up and reconfigure its network and computers. The IG said the bureau destroyed more than $170,000 in IT equipment, including desktop computers, printers, keyboards and mice.
In an effort to identify infected components, DOC CIRT’s (Dept. of Commerce Computer Incident Response Team) incident handler requested network logging information. However, the incident handler unknowingly requested the wrong network logging information... Instead of providing EDA a list of potentially infected components, the incident handler mistakenly provided EDA a list of 146 components within its network boundary. Accordingly, EDA believed it faced a substantial malware infection.

Yes. Much like "Reply" and "Reply All" will both get the job done, only one is the correct choice when firing off a devastating critique of your soon-to-be-former coworkers. The same goes for network logs. One shows you the correct info. The other "indicates" that more than half the EDA's computers are suffering from a malware infection.
DOC CIRT did try to get this fixed, pointing out the error to the handling team and re-running the analysis using the correct network log. Turns out, the original estimate was slightly off.
The HCHB network staff member then performed the appropriate analysis identifying only two components exhibiting the malicious behavior in US-CERT’s alert.

This new data in hand, a notification was sent out ostensibly to clear things up, but this too was mishandled so badly someone unfamiliar with bureaucratic ineptitude might be inclined to suspect sabotage.
DOC CIRT’s second incident notification did not clearly explain that the first incident notification was inaccurate. As a result, EDA continued to believe a widespread malware infection was affecting its systems.

For five weeks, things went from bad to worse to comically tragic to tragically comic to full-scale computercide. Looking at its list (2 components), DOC CIRT asked the EDA to attempt containment by reimaging the infected items. Looking at its list (146 components), the EDA responded that reimaging half its devices would be "unfeasible." Taking a look at the EDA's list (from the first, mistaken network log analysis), DOC CIRT assumed the EDA had received additional analysis indicating the malware had spread, and changed its recommendations accordingly.
Specifically, the second incident notification began by stating the information previously provided about the incident was correct. EDA interpreted the statement as confirmation of the first incident notification, when DOC CIRT’s incident handler simply meant to confirm EDA was the agency identified in US-CERT’s alert. Nowhere in the notification or attachment does the DOC CIRT incident handler identify that there was a mistake or change to the previously provided information.
Although the incident notification’s attachment correctly identified only 2 components exhibiting suspicious behavior—not the 146 components that DOC CIRT initially identified—the name of the second incident notification’s attachment exactly matched the first incident notification’s attachment, obscuring the clarification.
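The two failure modes in the OIG excerpts above (scoping the incident from the wrong log query, and then issuing a correction that does not visibly supersede the first notification) can be shown in a few lines. The following is an added example, not code from the original post or from the OIG report: the log format, host names, byte counts and the indicator domain `beacon.c2-placeholder.test` are constructed stand-ins, since the real EDA logs and the US-CERT indicator are not on the page.

```python
"""Scoping an incident from network logs: the boundary inventory versus
the hosts whose traffic actually matches the alert's indicator, and a
corrected notification that cannot be mistaken for the first one.

Added example; log format, hosts and indicator are constructed."""
from dataclasses import dataclass

# Constructed sample: one flow record per line, space-separated:
# <timestamp> <host> <direction> <destination> <bytes>
SAMPLE_LOGS = """\
2012-01-10T09:01:12Z ws-eda-001 outbound updates.example.org 1204
2012-01-10T09:01:40Z ws-eda-002 outbound beacon.c2-placeholder.test 312
2012-01-10T09:02:05Z ws-eda-003 outbound mail.example.org 88210
2012-01-10T09:02:31Z printer-eda-7 outbound updates.example.org 2048
2012-01-10T09:03:00Z ws-eda-002 outbound beacon.c2-placeholder.test 306
2012-01-10T09:03:44Z ws-eda-004 outbound beacon.c2-placeholder.test 318
2012-01-10T09:04:10Z ws-eda-005 outbound intranet.example.org 5120
"""

# Hypothetical indicator standing in for the alert's IoC (placeholder domain).
ALERT_INDICATOR = "beacon.c2-placeholder.test"


@dataclass(frozen=True)
class FlowRecord:
    ts: str
    host: str
    direction: str
    dest: str
    nbytes: int


def parse_logs(text):
    """Parse the constructed flow-log format into records; blank lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, direction, dest, nbytes = line.split()
        records.append(FlowRecord(ts, host, direction, dest, int(nbytes)))
    return records


def hosts_in_boundary(records):
    """The wrong query: every component seen inside the network boundary,
    regardless of behaviour. This is what the first notification conveyed."""
    return sorted({r.host for r in records})


def hosts_matching_indicator(records, indicator):
    """The right query: only components with outbound traffic to the indicator."""
    return sorted({r.host for r in records
                   if r.direction == "outbound" and r.dest == indicator})


def scope_incident(text, indicator):
    """Return both views side by side so the gap between them is explicit."""
    records = parse_logs(text)
    boundary = hosts_in_boundary(records)
    suspicious = hosts_matching_indicator(records, indicator)
    ratio = len(suspicious) / len(boundary) if boundary else 0.0
    return {"boundary_count": len(boundary),
            "suspicious": suspicious,
            "infection_ratio": ratio}


def corrected_notification(previous_attachment, previous_hosts, suspicious):
    """Build a correction that supersedes an earlier notification explicitly:
    a different attachment name and a statement of what changed. Returns the
    notification plus a list of problems that would make it ambiguous."""
    attachment = previous_attachment.replace(".csv", "") + "-corrected.csv"
    removed = sorted(set(previous_hosts) - set(suspicious))
    problems = []
    if attachment == previous_attachment:
        problems.append("attachment name identical to prior notification")
    if not removed and set(previous_hosts) != set(suspicious):
        problems.append("scope changed but no hosts listed as removed")
    return {
        "supersedes": previous_attachment,
        "attachment": attachment,
        "summary": (f"CORRECTION: prior list of {len(previous_hosts)} components "
                    f"was an inventory of the boundary, not infected hosts. "
                    f"Confirmed suspicious components: {len(suspicious)}."),
        "removed_from_scope": removed,
        "problems": problems,
    }


if __name__ == "__main__":
    scoped = scope_incident(SAMPLE_LOGS, ALERT_INDICATOR)
    print(scoped)
    first_list = hosts_in_boundary(parse_logs(SAMPLE_LOGS))
    print(corrected_notification("incident-hosts.csv", first_list, scoped["suspicious"]))
```

Run stand-alone, the boundary view reports six components while the indicator view reports two, which is the same shape as the 146-versus-2 discrepancy in the report; the corrected notification names the prior attachment it supersedes and lists the hosts dropped from scope, so a reader cannot take it as confirmation of the earlier list.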
Finally, both departments were on the same (but entirely wrong) page and scaled up the response accordingly. A copy went to the DHS, stating that "over 50%" of the EDA's devices were infected. The DHS then accepted this without seeking independent confirmation. The NSA cranked out its own concerned report, quoting heavily from the DHS report (which was still in draft form), both of which were based on DOC CIRT's first erroneous report. This went undetected for over a year, until the OIG informed the involved agencies of its findings in December 2012.
The end result? The EDA and DOC CIRT worked together, attempting to head off a "severe" malware threat before it spread to other connected government computers. Despite gathering more information from outside consultants that indicated the malware was neither "persistent" nor a threat to migrate, the two agencies began destroying devices in May of 2012, finally stopping three months later when the "break stuff" budget had been exhausted.
Fortunately for the agencies, taxpayers and the surviving equipment (valued at over $3 million), the OIG's findings were brought to the agencies' attention before the fiscal year began and a new "break stuff" budget approved. All in all, the EDA spent over $2.7 million fighting a malware "infection" confined to two computers.
There's nothing in this report that makes the EDA look good. A chart on page 8 shows the EDA has persistently ignored the OIG's recommendations on agency computer security, with some assessments going back as far as 2006. It's no surprise it managed to (along with the Dept. of Commerce's response team) transform a 2-computer infection into a nearly $3 million catastrophe.
by Glyn Moody
Tue, Jun 25th 2013 2:42pm
from the dedicated-follower-of-fashion dept
As we've noted before, when it comes to the Internet, governments around the world have an unfortunate habit of copying each other's worst ideas. Thus the punitive three-strikes approach based on accusations, not proof, was pioneered by France, and then spread to the UK, South Korea, New Zealand and finally the US (where, naturally, it became the bigger and better "six strikes" scheme). France appears to be about to abandon this unworkable and ineffective approach, leaving other countries to deal with all the problems it has since discovered.
Now there seems to be a new craze amongst ill-informed policy-makers: the use of government-sanctioned malware to spy on citizens. We wrote about Germany's trojan software back in October last year. Australia's spies want the same capability, and New Europe is reporting that Spain too is planning to pass a law that will allow its police to install malware on the systems of citizens:
According to the article 350 of the proposed draft, prosecutors may ask the judge for "the installation of a software that allows the remote examination and without knowledge of the owner of the content in computers, electronical devices, computer systems, instruments of massive storage or databases."
The key concern raised for similar projects of other countries applies here too: intentionally placing malware on computers increases the risk that others will be able to take control of those systems thanks to vulnerabilities in the code. That's no theoretical issue, as evidenced by major flaws discovered in Germany's trojan software. But it turns out that Spain's proposed malware scheme has an additional bad idea:
Furthermore, the article 351 of the text explains that official agents may require cooperation from "anyone who knows the operation of the computer system or measures applied in order to protect data held there". This means that Spanish authorities might require services from experts, "hackers" or computer companies.
Clearly that could be applied to Google or Facebook, say, which might be forced to provide user passwords or maybe even actively cooperate in attempts to infect a user's system. Given the current revelations about Internet companies' complicity in spying on huge numbers of people around the world, there seems little reason to hope that they would refuse to do so, despite protestations to the contrary, even if they -- unlike the Spanish politicians proposing this law -- understood the extreme stupidity of this approach.
by Mike Masnick
Tue, May 28th 2013 9:50am
national bureau of asian research
from the dumbest-ideas-ever dept
Let's start with the one that has received the most attention: the fact that the report recommends a "hack back" legalization, to allow those who feel their (loosely defined) "intellectual property" has been infringed to "hack back" at those who infringe. As Lauren Weinstein summarizes, this proposal more or less is a plan to legalize malware against infringers. Of course, this kind of idea is not new or unique. It's been around for a while. Almost exactly ten years ago, Senator Orrin Hatch proposed allowing copyright holders the right to destroy the computers of anyone infringing. The specifics here are explained over two "suggestions" that, when combined (hell, or even individually), are somewhat insane for anyone even remotely familiar with the nature of malware. First up, legalizing some basic spyware/malware:
Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.

Basically, malware/DRM-on-steroids. As if that will work. Anyone who had even a modicum of experience with DRM or watermarking knows that these things aren't difficult to get around, and are basically a huge waste of time and money for those who employ them. The idea that they might then lock down entire computers if an incorrect file gets onto one seems even more ridiculous. Given how often DRM causes problems for legitimate users of the content, you can imagine the headaches (and potential lawsuits) this kind of thing would lead to. A complete mess for no real benefit.
Some information or data developed by companies must remain exposed to the Internet and thus may not be physically isolated from it. In these cases, protection must be undertaken for the files themselves and not just the network, which always has the ability to be compromised. Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen.
Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.
So, then, they take it up a notch. If bad DRM/watermarking isn't enough, how about legalizing the pro-active hacking of infringers? No, seriously.
Reconcile necessary changes in the law with a changing technical environment.

Notice how that recommendation gets even more insane the further you read. "Retrieving" info? Okay. "Destroying info on an unauthorized network"? Yeah, could kinda see where someone not very knowledgeable about computers and networks thinks that's a good idea. "Photographing the hacker"? Well, that's going a bit far. "Implanting malware in the hacker’s network"? Say what now? "Physically disabling or destroying the hacker's own computer or network"? Are you people out of your minds?
When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.
This isn't just a bad idea, it's a monumentally dangerous idea that will have almost no benefit, but will have tremendously bad and dangerous consequences. Hell, today we already have to deal with a plethora of bogus DMCA takedown notices. Imagine if that morphed into bogus malware attacks or destroying of computers? It makes you wonder how anyone could take anything in the study seriously when you read something like that.
To be fair, the authors of the report say they don't recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because "the current situation is not sustainable." Based on what? Well, as we explained in the first post about this report, that's mostly based on the authors' overactive imaginations, rather than anything fact-based.
by Glyn Moody
Thu, Jan 17th 2013 8:17pm
Australia's Spies Want To Put Members Of The Public At Risk By Using Them To Pass On Malware to Suspected Terrorists
from the not-thinking-it-through dept
Last year we wrote about the German police using malware to spy on members of the public. Now ASIO, Australia's national secret service, has come up with a new variant on the idea:
A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to ''use a third party computer for the specific purpose of gaining access to a target computer''.
The problem seems to be that even suspected terrorists are getting the hang of this security stuff:
The department said technological advances had made it ''increasingly difficult'' for ASIO to execute search warrants directly on target computers, ''particularly where a person of interest is security conscious.''
So the idea seems to be to infect the computer of someone that the alleged terrorists know, and then use that trusted link to pass on malware:
Australians' personal computers might be used to send a malicious email with a virus attached, or to load ''malware'' onto a website frequently visited by the target.
That probably seemed like a really clever ruse to the people who thought it up, but it overlooks some basic flaws.
First, once ASIO has taken control of an intermediary's computer it can do anything -- including poking around to see what's there. After all, if intermediaries are known to suspected terrorists, it's possible that they too might be terrorists.
The authorities are insisting that the warrant to break into somebody's computer would not authorize ASIO to obtain "intelligence material" from it. But you don't have to be clairvoyant to predict that at some point in the future, "exceptional" circumstances will be invoked to justify doing precisely that: once security services start down a slippery slope, they never seem to be able to stop.
Secondly, as the German experience shows, if a computer has been compromised by malware in this way, it's not just the government agencies that can take control: anyone who has obtained the malware and analyzed it will be able to look for ways to send their own instructions. That could leave innocent members of the public vulnerable to privacy breaches and economic losses that would be directly attributable to the spy agency's digital break-in.
Finally, this approach seems to overlook the fact that presumed terrorists are unlikely to be best pleased with any person that unwittingly sends them government malware. If they notice and really are ruthless terrorists, they might decide to take revenge on that person and his or her immediate circle of family and friends. Either the Australian spy agency hasn't really thought this through, or it is being extremely cavalier with the lives of the members of the public it is supposed to protect.