Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Backing up the NSA's claim that it was caught by surprise by the Heartbleed OpenSSL bug, the White House has tried to explain the rules under which it allows agencies to hoard security vulnerabilities.

In this White House blog post, cybersecurity coordinator Michael Daniel says leaving a huge number of vulnerabilities undisclosed would not be in America's national interest: “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he writes.

If you take that as meaning the White House is going to tell the NSA to disclose vulnerabilities it finds, however, think again. The post pirouettes immediately to defending vulnerability-hoarding: “that is not the same as arguing that we should completely forgo this tool [exploiting vulnerabilities rather than disclosing them – The Register] as a way to conduct intelligence collection”.

So the White House says it has established guidelines for when vulnerability-hoarding is okay: not “hard and fast” rules, Daniel writes, but considerations that apply if an agency asks to keep a vulnerability secret.

These include how widespread a vuln might be in critical infrastructure systems; how much risk exists [without noting who bears the risk] if the vulnerability is unpatched; how much harm “an adversary” could do with knowledge of a vulnerability; whether “we” would know if someone else was exploiting the vulnerability; the value of the intelligence that might be obtained exploiting the vulnerability; whether US agencies might have the chance to exploit the bug before disclosing it; the likelihood that someone else might discover the same vulnerability; and whether or not a vulnerability could be patched or mitigated.

In other words, the post seems to tell us that the White House will only hoard useful vulnerabilities that they can exploit without being caught, for as long as they think it won't be noticed by black-hats.

Don't you feel better for knowing that?
http://www.theregister.co.uk/2014/04/30/white_house_to_world_we_dont_hoard_vulnerabilities/
 
Researchers have sent quantum keys over a "lit" fiber-optic network, a step towards using quantum cryptography on the networks businesses and institutions use every day.

A group of U.K.-based research groups last week said the demonstration opens the door to more research that will make the technology more commercially viable. The researchers were from Toshiba Research Europe, BT, ADVA Optical Networking, and the U.K.'s National Physical Laboratory (NPL).

In quantum cryptography, the keys to unlock the contents of communications are represented with photons. It starts with a laser that sends a pair of photons over a fiber-optic network. The polarization of photons—whether they’re oscillating horizontally or vertically, for example—can be detected by a receiver and read as bits, which are used to generate the same encryption key at both ends of the network connection. If an interloper attempts to intercept the keys to decrypt a message, the receiver will be able to detect a change, according to the laws of quantum mechanics. If that happens, the receiver can reject the keys and the message stays encrypted.

Until now, quantum key distribution (QKD) has been done over dark fiber, or unused optical fiber lines, which means that a separate fiber optic line is needed for transmitting other data. But dark fiber networks are not always available and are expensive. Being able to transmit quantum keys over a lit fiber network means that institutions and businesses will be able to run quantum cryptography over their existing networking infrastructure, the researchers said.

"Using techniques to filter out noise from the very weak quantum signals, we've shown that QKD can be operated on optical fibers installed in the ground and carrying conventional data signals," said Andrew Shields from Toshiba Research Europe in a statement.

The National Physics Laboratory developed a series of measurements for identifying individual particles of light from the stream of photons sent over a fiber-optic line. That will allow the system to detect attempts to intercept the transmission of keys, which should improve customer confidence in quantum cryptography, said Alastair Sinclair from the National Physics Laboratory in a statement.

The test was conducted over a live BT fiber link between its research campus in Suffolk and another BT site in Ipswich, U.K. In an interview with Nature, Toshiba's Shields said the quantum key distribution was done alongside data transmitted at 40 gigabits per second, the fastest multiplexing of regular data with quantum keys to date. But he notes that implementing QKD in the "real world" is more challenging than a laboratory environment because there are environmental fluctuations that can cause data loss in fiber lines.

Another technical challenge facing widespread use of QKD is the distance keys can be sent. Light pulses sent over a fiber optic line fade, which means that key distribution can only be done at a distance of about 100 kilometers. (See Long-Distance Quantum Cryptography.) But as governments and companies seek out the most secure ways to send data, quantum cryptography could become an appealing option.
http://spectrum.ieee.org/tech-talk/...antum-cryptography-done-over-shared-data-line
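
An added example, not part of the quoted article or the original post: a toy simulation of why an eavesdropper who intercepts and re-sends the photons is detectable. The article does not name the protocol, so textbook BB84 with two polarization bases, the function names and the 11% abort threshold are all assumptions.

```python
import random

# Assumed model: textbook BB84. "+" is the horizontal/vertical basis,
# "x" the diagonal basis. Names and parameters here are illustrative.
BASES = "+x"


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis yields a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed=1):
    """Simulate transmission and sifting. Returns (alice_bits, bob_bits)
    for the positions where sender and receiver used the same basis."""
    rng = random.Random(seed)
    alice, bob = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis  # state of the photon in flight
        if eavesdrop:
            # Intercept-resend: the interloper must guess a basis, and a
            # wrong guess re-prepares the photon in the wrong basis.
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # bases are compared publicly (sifting)
            alice.append(a_bit)
            bob.append(b_bit)
    return alice, bob


def qber(alice, bob):
    """Quantum bit error rate: fraction of sifted positions that differ."""
    if not alice:
        return 0.0
    return sum(a != b for a, b in zip(alice, bob)) / len(alice)


def accept_key(alice, bob, sample_fraction=0.25, threshold=0.11, seed=2):
    """Publicly compare a random sample of the sifted bits. Return the
    undisclosed remainder of Alice's bits if the sample error rate is at
    or below the threshold, otherwise None (keys rejected). Real systems
    follow this with error correction and privacy amplification."""
    rng = random.Random(seed)
    n = len(alice)
    sample = set(rng.sample(range(n), int(n * sample_fraction)))
    errors = sum(alice[i] != bob[i] for i in sample)
    if sample and errors / len(sample) > threshold:
        return None
    return [alice[i] for i in range(n) if i not in sample]


if __name__ == "__main__":
    for tapped in (False, True):
        a, b = run_bb84(20000, eavesdrop=tapped)
        key = accept_key(a, b)
        print(f"eavesdropper={tapped} sifted={len(a)} "
              f"QBER={qber(a, b):.3f} accepted={key is not None}")
```

The interloper picks the wrong basis half the time, and each wrong pick flips the receiver's bit with probability one half, which is where the roughly 25% error rate in the sifted key comes from.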
 
Britain's electronic surveillance agency, Government Communications Headquarters, has long presented its collaboration with the National Security Agency's massive electronic spying efforts as proportionate, carefully monitored, and well within the bounds of privacy laws. But according to a top-secret document in the archive of material provided to The Intercept by NSA whistleblower Edward Snowden, GCHQ secretly coveted the NSA's vast troves of private communications and sought 'unsupervised access' to its data as recently as last year – essentially begging to feast at the NSA's table while insisting that it only nibbles on the occasional crumb.
https://firstlook.org/theintercept/...q-prism-nsa-fisa-unsupervised-access-snowden/
 
The hacker in the Italian Job did it spectacularly. So did the fire sale team in Live Free or Die Hard. But can hackers really hijack traffic lights to cause gridlock and redirect cars?

According to one researcher, parts of the vehicle traffic control system installed at major arteries in U.S. cities and the nation’s capital are so poorly secured they can be manipulated to snarl traffic or force cars onto different streets.
http://www.wired.com/2014/04/traffic-lights-hacking/
 
I wonder how it would go here at home if every company had to send its server and network equipment applications to Viestikoelaitos (the Finnish signals intelligence establishment) for evaluation first, before it could even start asking for prices?

The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation.
http://yro.slashdot.org/story/14/05...y-agency-to-vet-network-builds-provider-staff
 
A document included in the trove of National Security Agency files released with Glenn Greenwald’s book No Place to Hide details how the agency’s Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers, and other network gear being shipped to organizations targeted for surveillance and install covert implant firmware onto them before they’re delivered. These Trojan horse systems were described by an NSA manager as being “some of the most productive operations in TAO because they pre-position access points into hard target networks around the world.”

The document, a June 2010 internal newsletter article by the chief of the NSA’s Access and Target Development department (S3261) includes photos (above) of NSA employees opening the shipping box for a Cisco router and installing beacon firmware with a “load station” designed specifically for the task.

The NSA manager described the process:

Here’s how it works: shipments of computer network devices (servers, routers, etc,) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.
http://arstechnica.com/tech-policy/...de-factory-show-cisco-router-getting-implant/
 
Security researchers have uncovered a series of Trojan-based attacks which have infiltrated several targets by infecting industrial control system software from the makers of SCADA and ICS systems.

The majority of the victims are located in Europe, though at the time of writing at least one US firm's compromised gear appears to be phoning home to botnet control servers set up by the attackers.


Two of the European victims are major educational institutions in France known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction firm.

The motive for the attacks - much less the identity of its perpetrators - remains unclear.

The attacks, which began earlier this year, were pulled off using the Havex general purpose Remote Access Trojan (RAT) and a server running PHP.

"The attackers have [made] Trojanised software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed", Finnish security software firm F-Secure reports.

"We gathered and analysed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1,500 IP addresses in an attempt to identify victims."

Elements of the malicious code are designed to "harvest data" from infected machines used in ICS/SCADA systems. F-Secure reasons that this means the unknown attackers are taking steps to give them control of the ICS/SCADA systems in various organisations, rather than just using vulnerable control system set-ups as a means to infiltrate corporate networks. If successful the attack establishes a backdoor on compromised networks that can easily be used to push secondary samples of malicious code.

The miscreants behind the attack are using third-party compromised websites, mainly blogs, as command and control servers.

The Havex RAT at the centre of the assault is distributed through either spam emails, exploit kits or (much more unusually) trojan-laden installers planted on compromised vendor sites.

"It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers," F-Secure's researchers Daavid Hentunen and Antti Tikkanen explain in a blog post.

F-Secure has uncovered three software vendor sites that were hacked to act as a conduit for malware distribution. All three unnamed companies in Germany, Switzerland and Belgium are involved in development of applications and appliances for use in industrial applications. Two of the firms supply remote management software for industrial control systems while the third develops high-precision industrial cameras and related software. Other firms might easily have been hit by the same attack.

"The attackers behind Havex are conducting industrial espionage using a clever method. Trojanising ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure," F-Secure says.

"The method of using compromised servers as C&C's is typical for this group,” F-Secure continues. “The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.”

“The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments," it added. ®
http://www.theregister.co.uk/2014/06/26/industrial_control_trojan/
 
The German government has said it will cancel its contract with US telecoms provider Verizon, citing spying fears.

"The pressures on networks as well as the risks from highly-developed viruses or Trojans are rising," the country's Interior Ministry told Reuters on Thursday. "Furthermore, the ties revealed between foreign intelligence agencies and firms in the wake of the US National Security Agency (NSA) affair show that the German government needs a very high level of security for its critical networks."


The move comes following reports that US intelligence agencies have been monitoring German communications networks, even to the point of tapping the mobile phone of German Chancellor Angela Merkel.

In May, Germany said it didn't think it had enough evidence to pursue legal action over the Merkel affair, but that didn't stop German pols from condemning US activities based on reports in the magazine Der Spiegel, which cited documents leaked by Edward Snowden among its sources.

Merkel herself has lent her support to the idea of the European Union building new telecoms networks that would be more difficult for the US to spy on, something she has discussed with French President François Hollande.

Germans aren't alone in their outrage. Upon hearing about the Merkel affair, US senator John McCain (R-AZ) called for the resignation of then-NSA chief General Keith Alexander. That was largely for show, though; Alexander retired from military service in March, to be replaced by Navy Vice Admiral Michael Rogers.

German carrier Deutsche Telekom will reportedly pick up where Verizon leaves off after getting the boot, and Reuters notes that DT already has a contract with the German government for carrying its most sensitive phone calls and data.

In a statement, Verizon protested the German government's decision and said that there was nothing to fear from US spy agencies.

"Verizon Germany is a German company and we comply with German law," Verizon spokesman Detlef Eppig said. "The US government cannot compel us to produce our customers' data stored in data centres outside the US, and if it attempts to do so, we would challenge that attempt in a court." ®
http://www.theregister.co.uk/2014/06/26/germany_boots_verizon/
 
Controversial emergency laws will be introduced into the Commons next Monday to reinforce the powers of security services to require phone companies to keep records of their customers' calls.

The move follows private talks over the past week and the laws will have the support of Labour and the Liberal Democrats on the basis that there will be a sunset clause and a new board to oversee the functioning of the powers.

Details are due to be announced at a Downing Street press conference on Thursday morning.
http://www.theguardian.com/technolo...lance-laws-rushed-through-cross-party-support
 
A Chinese manufacturer has been accused of implanting malware that steals supply chain intelligence in its hand-held scanner firmware.

Security firm TrapX says infected scanners have been sold to eight unnamed firms including a large robotics company.

Variants of the malware broke into enterprise resource planning platforms to steal financial, logistical and customer information which was exfiltrated to the unnamed accused Chinese manufacturer located in Shandong province, a block from the Lanxiang Vocational School said to be the headquarters of the Google Aurora attacks.

The manufacturer denied knowledge that its scanners and website-hosted software were infected.

Infected scanners once connected to one firm's wireless network attacked its corporate network via the SMB protocol, morphing to infect using the RADMIN protocol more than nine servers after it was initially blocked by a firewall.

Sixteen of the 48 scanners deployed at the firm were infected, TrapX found, which successfully sought out and compromised host names containing the word finance and siphoned off the logistical and financial data stored within.

A "comprehensive" command and control link was then established to a bot terminating near Lanxiang before another stealthier connection was made between the hacked financial and a Beijing drop.

"Exfiltration of all financial data and ERP data was achieved, providing the attacker complete situational awareness and visibility into the logistic/shipping company’s worldwide operations," the report Anatomy of the Attack: Zombie Zero (PDF) read.

TrapX suspected the attacks dubbed Zombie Zero were backed by Beijing in a bid to gain intelligence on either logistics firms or their customers.

One of the hacked firms deployed the security company's network of targeted honeypots to capture the attackers' activity which it described as creating security through "deception and interdiction". ®
http://regmedia.co.uk/2014/07/11/zombietrapss.png
 
The secretive British spy agency GCHQ has developed covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, “amplif[y]” sanctioned messages on YouTube, and censor video content judged to be “extremist.” The capabilities, detailed in documents provided by NSA whistleblower Edward Snowden, even include an old standby for pre-adolescent prank callers everywhere: A way to connect two unsuspecting phone users together in a call.


The tools were created by GCHQ’s Joint Threat Research Intelligence Group (JTRIG), and constitute some of the most startling methods of propaganda and internet deception contained within the Snowden archive. Previously disclosed documents have detailed JTRIG’s use of “fake victim blog posts,” “false flag operations,” “honey traps” and psychological manipulation to target online activists, monitor visitors to WikiLeaks, and spy on YouTube and Facebook users.

But as the U.K. Parliament today debates a fast-tracked bill to provide the government with greater surveillance powers, one which Prime Minister David Cameron has justified as an “emergency” to “help keep us safe,” a newly released top-secret GCHQ document called “JTRIG Tools and Techniques” provides a comprehensive, birds-eye view of just how underhanded and invasive this unit’s operations are. The document—available in full here—is designed to notify other GCHQ units of JTRIG’s “weaponised capability” when it comes to the dark internet arts, and serves as a sort of hacker’s buffet for wreaking online havoc.
https://firstlook.org/theintercept/...lls-ways-british-spies-seek-control-internet/
 
No online communication is for your eyes only in the age of Internet surveillance by government spy agencies. But a leaked British spy catalog has revealed a wide array of online tools designed to also control online communication by doing everything from hacking online polls to artificially boosting online traffic to a particular website.

The spy catalog information developed by the British spy agency GCHQ comes from documents leaked by former NSA contractor Edward Snowden, according to The Intercept. Such documents don't contain much in the way of technical information about how the online spy tools work, but they do reveal a colorful array of code names for methods aimed at both collecting information and manipulating online information seen on websites such as Facebook and YouTube. The GCHQ's Joint Threat Research Intelligence Group (JTRIG) that developed the catalog described most of the tools as being "fully operational" or else "very close to being ready."

Some of the most intriguing spy tools show the UK spy agency's desire to control and manipulate both online and cellphone communication, including emails and popular social media networks such as Facebook. In the latter case, a tool named "Clean Sweep" can "masquerade Facebook wall posts for individuals or entire countries." Another tool called "Burlesque" can send spoofed (faked) SMS text messages. And "Scrapheap Challenge" can send fake emails that appear to originate from a target Blackberry device.

Other tools can change the online information and websites that ordinary Internet users might see. A tool named "Underpass," previously known as "Nubilo," can supposedly change the outcome of online polls. "Bomb Bay" has the capability to boost a website's recorded hits and rankings in order to improve its popularity. Similarly, "Gateway" artificially increases the traffic going to a certain website, while "Slipstream" inflates page views. A more mysterious tool named "Gestator" aims to amplify certain messages, typically videos, on "popular multimedia websites such as YouTube."

The catalog also reveals efforts to counter the propaganda of terrorist and insurgent groups. "Bumpercar" represents an automated system capable of filing "offensive material" reports on video upload services such as YouTube, with the goal of getting "terror videos" removed. Another tool called "Silverlord" targets video-based websites hosting "extremist content" for the purpose of discovering and removing such content.

Some of the listed spy tools also appear to fulfill propaganda purposes or other information operation campaigns by sending out mass emails and text messages. Others appear to come from a hacker wish list by launching denial of service attacks. And one intriguing tool named "Glitterball" comes with the description: "Online gaming capabilities for sensitive operations." The latter seemed to be used by British agents in the online game "Second Life" as of the document's latest update in July 2012. (For more, see "Spy Games: Spooks Infiltrated Online Games.")

By now, few people should be surprised that government spies have tools to eavesdrop on both cellphone and online communication. For instance, much has already been revealed about how the U.S. National Security Agency (NSA) scoops up online records from the internal networks of Internet giants such as Google and Yahoo, as well as how the spy agency tracks cellphone location data worldwide. But the recent revelations about GCHQ's activities show that the UK spy agency also has a strong interest in actively controlling both public information and personal communication in certain cases.

Such online tools give some real-world heft to the fictional boast of Q, the MI6 gadgets man of the long-running 007 films, as he compares his hacking skills to James Bond's more physical approach in the 2012 film "Skyfall": "I can do more damage on my laptop, sitting in my pajamas, before my first cup of Earl Grey than you can do in a year in the field."
http://spectrum.ieee.org/tech-talk/...eveals-tools-to-manipulate-online-information
 
According to one slide the iPhone is “reasonably secure” to a typical attacker and the iPhone 5 and iOS 7 are more secure from everybody except Apple and the government. But he notes that Apple has “worked hard to ensure that it can access data on end-user devices on behalf of law enforcement” and links to Apple’s Law Enforcement Process Guidelines, which clearly spell this out.
http://www.zdnet.com/forensic-scien...doors-running-on-every-ios-device-7000031795/
 
Keith Alexander, the recently retired director of the National Security Agency, left many in Washington slack-jawed when it was reported that he might charge companies up to $1 million a month to help them protect their computer networks from hackers. What insights or expertise about cybersecurity could possibly justify such a sky-high fee, some wondered, even for a man as well-connected in the military-industrial complex as the former head of the nation's largest intelligence agency?
http://www.foreignpolicy.com/articl...he_NSA_goes_corporate_keith_alexander_patents
 
You can also spy with a RasPi
LINK

Janne Luotola, 2.8.2014, 10:35

Researchers spied on people exercising outdoors with a cheap computer - a serious threat to information security

Devices that track exercise and communicate with, for example, a phone often transmit data unprotected. Anyone can spy on this traffic, the BBC reports.

Security company Symantec warns users of various tracking devices that the data the devices collect easily ends up in other people's hands.

The company's researchers demonstrated the threat using a simple, cheap computer, the Raspberry Pi, and a Bluetooth radio receiver. In Ireland and Switzerland they took the computer to places that a huge number of people ran past. The computer was able to follow the traffic between the runners' trackers and their phones.

Using the data, the researchers were able to tell individuals apart. About 20 percent of the devices that passed by did not encrypt their traffic in any way, even though they were carrying information about names, passwords and dates of birth.
 
Bluetooth security sucks, even though new versions of it have been cobbled together. How such a simple thing has been botched so badly, and how people can be so indifferent about it, is a mystery to me at least. If the DSSS technique Bluetooth uses were polished a bit further, that is, not communicating on the normal/agreed channel in the normal way, the traffic could not even be detected on the radio-frequency spectrum. But no. From a single password you could easily derive two encryption keys, one used for the DSSS modulation and the other for encrypting the traffic with strong encryption. Perfectly simple to implement. But no.
 
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.


The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
http://www.nytimes.com/2014/08/06/t...an-a-billion-stolen-internet-credentials.html

1.2 billion login details is a hell of a lot.
 
When I recently set out for the Pentagon's R&D department, I instead found myself in front of a downtrodden shopping mall in Arlington, Virginia. I'd been navigating the old fashioned way—with my eyes—but when I pulled out my smartphone there it was, clearly marked in the Google Maps app: DARPA.

It turns out that the unmarked spaceship of a structure that DARPA calls home is tucked neatly behind the Ballston Common Mall. When I eventually found the right entrance and stepped inside the lobby, everything suddenly felt familiar. The clean lines and shiny surfaces would look right at home at the office of any number of large tech companies I've visited. The metal detectors, however, would not. The security desk promptly snatching my smartphone away before I headed for the elevators would've also been out of place at most startups, whose executives are just as tethered to their devices as teenagers with bad Snapchat habits. Of course, most tech companies aren't tasked with developing weapons of warfare, like super strong humanoid robots and drones that fly out of submarines.

DARPA does a lot more than build weapons, however. The same government agency that invented the internet and laid the groundwork for America's thriving startup culture is now trying to act more like a startup itself.
http://gizmodo.com/inside-the-militarys-secretive-smartphone-program-1603143142
 