iPhones used as Wi-Fi hotspots are open to attack because the default passphrase iOS generates automatically is far weaker than it looks, according to new research from the University of Erlangen in Germany.
The paper, “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots” by Andreas Kurtz, Felix Freiling, and Daniel Metz, found that the seemingly random password iOS generates for hotspots is simple to crack. It consists of four to six characters followed by a four-digit number string.
As a first test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, appended code to generate the four-digit suffix, and recovered the iOS default password every time – although the team points out it isn’t suggesting Apple used that particular dictionary. Using an AMD Radeon HD 6990 GPU, the average time to crack was 59 minutes – interesting, but hardly practical.
So the team reverse-engineered the word list iOS actually uses for password generation, using “static and dynamic analysis”, tools such as the GNU Debugger, and by manually working through the ARM disassembly of the relevant iOS frameworks. They found Apple uses English-language words of between four and six letters from a dictionary copyrighted by Lernout & Hauspie Speech Products.
“Only 1,842 different entries of that dictionary are taken into consideration,” the paper states. “Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96% and thus increased the overall cracking speed signiﬁcantly.”
In addition, the selection of words was skewed rather than uniform. “Suave” was used 0.08 per cent of the time, “subbed” cropped up 0.76 per cent and “head” 0.53 per cent – roughly ten times the frequency a uniform pick from 1,842 words would give. By front-loading the most frequently chosen words in the candidate list, the chance of cracking a given hotspot quickly rises further still.
The team also upgraded their hardware to bring search times down, building a box with four AMD Radeon HD 7970 cards that could burn through 390,000 guesses per second. This cut the average time to crack an automatically generated password to 24 seconds, or 52 seconds using a single AMD Radeon HD 6990 GPU. The team recommends that users set their own hotspot passphrase rather than relying on the default.
As a demonstration, the team built an iOS application dubbed “Hotspot Cracker” which can be used to try the attack on a target phone. It is limited by the processing power of the smartphone, but can hand the work off to a cloud password cracking service such as CloudCracker for better results.
Once the password has been cracked, the operator can piggyback on the hotspot’s bandwidth, stage a man-in-the-middle attack for eavesdropping, and get access to files stored on the device. Jailbroken iPhones are extra risky since they could allow access to the basic iPhone system services code.
While the researchers concentrated on Apple, they note that other mobile operating systems shouldn’t get too smug. Microsoft’s Windows Phone 8 uses a similar password system that doesn’t even use words, relying instead on eight-digit number strings alone. Android is much better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the authors report.
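As an added example (not code from the paper, from Apple, or from this article), the following Python models the search space described above: the word-times-four-digits keyspace, the reduction from knowing the real 1,842-entry list, the expected crack time at the quoted 390,000 guesses per second, and the frequency-ordered candidate generator the skew suggests. It also implements the WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, per IEEE 802.11i) that an offline cracker must compute per guess, and compares the iOS space with the eight-digit Windows Phone 8 scheme mentioned below. The word list, SSID and target password are constructed stand-ins; Apple’s real list is not reproduced.

```python
"""Added example: model of the iOS hotspot default-password space and the
WPA2-PSK derivation a cracker has to evaluate for every guess.
Not code from the Kurtz/Freiling/Metz paper, Apple, or The Register."""
import hashlib
import math
from typing import Iterable, Iterator, Optional

# Figures quoted in the article
SCRABBLE_DICT_SIZE = 52_500     # words in the open source Scrabble dictionary
APPLE_DICT_SIZE = 1_842         # entries iOS actually draws from
SUFFIX_SPACE = 10_000           # four decimal digits, 0000..9999
RATE_FOUR_HD7970 = 390_000      # guesses/second reported for the four-GPU rig
WP8_SPACE = 10 ** 8             # Windows Phone 8: eight digits only


def keyspace(words: int, suffixes: int = SUFFIX_SPACE) -> int:
    """Number of distinct <word><dddd> passwords."""
    return words * suffixes


def reduction(full: int, reduced: int) -> float:
    """Fraction of the search space removed by knowing the real word list."""
    return 1.0 - reduced / full


def expected_seconds(space: int, rate: float) -> float:
    """Mean time to hit a uniformly chosen password: half the space on average."""
    return space / 2 / rate


def entropy_bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes.
    The per-guess cost of this derivation is why GPUs are needed even for a
    ~24-bit space."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def candidates(weighted_words: dict[str, float],
               suffixes: Iterable[int] = range(SUFFIX_SPACE)) -> Iterator[str]:
    """Yield word+4-digit candidates, most frequently generated words first,
    mirroring the paper's observation that the picker is skewed."""
    for word in sorted(weighted_words, key=weighted_words.get, reverse=True):
        for n in suffixes:
            yield f"{word}{n:04d}"


def crack(target_pmk: bytes, ssid: str, weighted_words: dict[str, float],
          suffixes: Iterable[int] = range(SUFFIX_SPACE)) -> Optional[str]:
    """Offline dictionary attack. A real attack verifies guesses against the
    captured 4-way handshake; here a known PMK stands in for that check."""
    suffixes = list(suffixes)
    for guess in candidates(weighted_words, suffixes):
        if wpa2_psk(guess, ssid) == target_pmk:
            return guess
    return None


# Constructed stand-in for Apple's list: only the three words and the
# percentages the article quotes. The real list has 1,842 entries.
SAMPLE_WORDS = {"suave": 0.08, "subbed": 0.76, "head": 0.53}


if __name__ == "__main__":
    space = keyspace(APPLE_DICT_SIZE)
    print(f"iOS default space    : {space:,} ({entropy_bits(space):.1f} bits)")
    print(f"cut vs Scrabble list : {reduction(SCRABBLE_DICT_SIZE, APPLE_DICT_SIZE):.1%}")
    print(f"mean crack, 4xHD7970 : {expected_seconds(space, RATE_FOUR_HD7970):.0f} s")
    print(f"WP8 8-digit space    : {WP8_SPACE:,} ({entropy_bits(WP8_SPACE):.1f} bits)")
    # Assumed SSID and password; suffix range cut to 0..99 so the pure-Python
    # PBKDF2 loop finishes in well under a second.
    ssid = "Alice's iPhone"
    pmk = wpa2_psk("head0042", ssid)
    print("recovered:", crack(pmk, ssid, SAMPLE_WORDS, range(100)))
```

Run as a script it prints a space of 18,420,000 passwords (about 24.1 bits), a 96.5 per cent reduction from the Scrabble list, and a mean crack time of about 24 seconds at 390,000 guesses per second, matching the paper’s figure. The eight-digit Windows Phone 8 scheme is only marginally larger at 26.6 bits; a random eight-character alphanumeric passphrase, by contrast, is about 47.6 bits, which at the same rate would take thousands of years on average.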
“The results of our analysis have shown that the mobile hotspot feature of smart devices increases the attack surface in several ways,” the team concludes. “As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future.” ®
Users of the Tor traffic anonymizing service are currently locked out of Facebook after a flood of dodgy traffic triggered an automatic lockdown by the social network’s security systems.
Given the paranoid post-PRISM times we live in, the outage on Tuesday caused a certain amount of online panic. A report highlighting the issue briefly topped the front page of Reddit, before both Facebook and Tor told users there was nothing to worry about.
“Facebook is not blocking Tor deliberately,” a Facebook spokesman told El Reg in a statement. “However, a high volume of malicious activity across Tor exit nodes triggered Facebook’s site integrity systems which are designed to protect people who use the service. Tor and Facebook are working together to find a resolution.”
Tor was also quick to reassure users that this wasn’t the beginning of a crackdown on access to Facebook, although there is no public word yet on the specific type of traffic that triggered the lockout. In a blog post, it assured Tor users that it was working with Facebook on the problem, and that they would be able to get their daily dose of birthday reminders, cat pictures and web games as soon as it was fixed.
There has been an upsurge of interest in Tor ever since the revelations by NSA whistleblower Ed Snowden about the extent of domestic and international data surveillance by US intelligence services. Tor routes traffic through a network of relays to protect some of the activities of its users, but the organization has warned that the system isn’t perfect.
“The core Tor software’s job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end,” it said. “By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools.”
The group recommends using the HTTPS Everywhere browser plug-in to encrypt traffic to websites where possible, doing the same for email using TorBirdy and Enigmail, and considering a shift to a decentralized social network such as Diaspora.
That said, a lot of work remains to toughen up the privacy protection of the Tor system, and the group is running a donations page to fund development and is on the lookout for volunteer coders to help out. ®
Yahoo! has become the latest big-hitting American tech firm to reveal exactly how much information it has handed to US spooks.
Marissa Mayer’s outfit joined Apple, Facebook and Microsoft in releasing the number of sensitive data requests made by spies and law enforcement agencies.
The tech giants want to reassure customers and prospective clients that they are not being spied upon in the wake of the PRISM surveillance scandal.
In a joint statement, CEO Marissa Mayer and general counsel Ron Bell said the firm had processed between 12,000 and 13,000 information requests.
The most common requests involved “fraud, homicides, kidnappings and other criminal investigations”, as well as requests made under the Foreign Intelligence Surveillance Act (FISA). Yahoo was keen to point out that it could not reveal how many FISA requests it received.
Apple said it had received between 4,000 and 5,000 data requests in the same period. Microsoft and Facebook released information covering the latter half of 2012, where the social network said it had processed between 9,000 and 10,000 requests. Microsoft said it had dealt with between 6,000 and 7,000.
“We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it,” Yahoo!’s statement said.
“Like all companies, Yahoo! cannot lawfully break out FISA request numbers at this time because those numbers are classified. However, we strongly urge the federal government to reconsider its stance on this issue.
“Democracy demands accountability. Recognizing the important role that Yahoo! can play in ensuring accountability, we will issue later this summer our first global law enforcement transparency report, which will cover the first half of the year. We will refresh this report with current statistics twice a year.
“As always, we will continually evaluate whether further actions can be taken to protect the privacy of our users and our ability to defend it. We appreciate—and do not take for granted—the trust you place in us.”
In an interview with non-profit telly broadcaster PBS, President Barack Obama insisted that the NSA spying scheme was legal – and, in a piece of textbook doublespeak, even insisted the programme was “transparent”, despite the fact operations are planned and authorised under a cloak of secrecy.
He said this desire for openness had inspired the creation of a secret court set up under the Foreign Intelligence Surveillance Act, which authorises a programme to harvest American phone records and monitor US servers if it is suspected they are being used by foreign terror suspects.
In a bid to reassure a nervous public, Obama claimed to be setting up a board to monitor privacy and civil liberties, which will also decide how much data spies are allowed to harvest. He also promised to keep the public informed about government surveillance programmes in the future.
“We’re going to have to find ways where the public has an assurance that there are checks and balances in place … that their phone calls aren’t being listened into; their text messages aren’t being monitored; their emails are not being read by some big brother somewhere,” Obama said.
“What I’ve asked the intelligence community to do is see how much of this we can declassify without further compromising the program… And they are in that process of doing so now,” he added.
Edward Snowden, the IT worker behind the PRISM leak, is still at large in Hong Kong and gave a live webchat interview to The Guardian yesterday. He said: “All I can say right now is the US government is not going to be able to cover this up by jailing or murdering me. Truth is coming, and it cannot be stopped.”
Nine tech firms are alleged to be involved in the PRISM programme, although it is not clear if some or all of them would have been unwitting participants. So far, all of the firms have said that they require the police and other government workers to present them with a court order on a case-by-case basis before they will allow access to any data and none have copped to providing unfettered access to the Feds. Apple, for instance, said: “We first heard of the government’s ‘Prism’ program when news organizations asked us about it on June 6.” ®
Cybercrooks are selling the source code for the Carberp banking Trojan toolkit through underground forums – at just $5,000 a pop.
The sale of the building blocks for the banking Trojan toolkit is a sign of “conflict within the team”, according to Andrey Komarov of Russian security firm Group-IB.
“Some of the members would love to destroy the project and move onto another business or new product,” Komarov told El Reg.
The toolkit for sale consists of the full source code of Carberp, including: comments; web-injects; all the Carberp modules; source code of Gazavar (the worm module); the admin panel for the command and control servers; Windows exploits related to vulnerabilities patched last year (specifically CVE-2012-1864 and CVE-2012-0217); a bootkit module, and many other components. The complete archive weighs in at 5GB.
Forum user “madeinrm” states that he is offering the source code for sale because someone else using the nickname “batman” had already passed on the source code to a third party, apparently against madeinrm’s approval.
Madeinrm said he intends to screen potential customers but is nonetheless looking to sell the hitherto secret code powering the malware to a large number of people, rather than selling it at a higher price through an exclusive deal.
Carberp first emerged on the banking fraud scene around three years ago as a competitor to the dominant financial malware platforms Zeus and SpyEye. Russian police have made a number of arrests involving cybercriminals who used the malware to carry out electronic banking fraud.
Despite this, the core of the group actually developing the malware has remained intact and is continuing with its work, even sub-contracting out parts of the code’s development.
“Previously, Group-IB took part in the arrest of some members of the Carberp group, which is an international group,” Komarov explained. “For example, this team hired Chinese hackers to develop the bootkit module before starting the Carberp 2 project.”
Group-IB reckons there are currently around 12 active members of the Carberp gang, most of them from Ukraine or Russia. Some members are thought to live in the European Union.
Komarov compared the circumstances surrounding the release of the Carberp source code with those around the release of the source code for ZeuS two years ago.
“This is very similar to how Zeus was leaked,” he said. “Someone tried to sell its source code too, but then the code was published for free on one of the filesharing hosting networks.”
History appears to be repeating itself, with the misunderstandings and conflict that split the Zeus team now surfacing within the Carberp group. The most likely outcome of the rift is a split, with elements going off to work on other malware projects, which might include even more capable banking Trojans.
“We will probably receive something new instead of Carberp in the very near future,” Komarov concluded. ®
Australians fell prey to online scams to the tune of around $AUD93.5 million in 2012, and reported nearly 84,000 “scam-related contacts” to the Australian Competition and Consumer Commission (ACCC).
The Commission has just released the results of its 2012 report on scam activity, published as part of Australia’s National Consumer Fraud Week 2013.
There’s good news in the report: 88 per cent of the people reporting scams to the ACCC said they suffered no financial loss (that is, they didn’t fall for the scam), and most of those who did lose money were taken for less than $500. The latter, the watchdog says, indicates that scammers prefer to buy their suckers in bulk rather than one at a time.
Of the 83,803 reports, just 13 per cent – a little under 11,000 – related to computer hacking incidents. The vast majority of scammers worked variations on the advance fee fraud pioneered by Nigerian “419” scams, except that today’s scammer prefers phone calls to email for laying the bait.
Rising through the charts with a bullet is the online shopping scam, up by 65 percent but still only worth $4 million in total.
The Register finds it interesting to extrapolate this data outwards. Australia’s loss of roughly $4 per person per year, multiplied by the world’s population of 7 billion, would suggest that online scams are worth around $28 billion annually – somewhat less than the hundreds of billions some surveys suggest.
Australians do, however, appear to be more gullible than Americans. According to the FBI’s Internet Crime Complaint Center (IC3), US losses amounted to $525 million in 2012 – a mere $US1.66 per person. ®
Cross-site scripting, missing authentication checks, directory traversal and SQL injection make up more than three-quarters of the vulnerabilities found in SAP environments, according to a presentation by ERPScan’s Alexander Polyakov at RSA Conference Asia Pacific 2013.
And the vulnerable state of the SAP world is increasingly attracting the attention of security researchers, Polyakov said, with nearly 60 percent of vulnerabilities found in 2013 turned up by outsiders.
That’s troubling, he told delegates, because ERPScan is also observing a growing willingness by SAP users to open up interfaces to the Internet, either for remote workers, inter-office connections, or remote management.
As reported by SC Magazine Australia, which attended the conference, Polyakov said “If someone gets access to the SAP they can steal HR data, financial data or corporate secrets … or get access to a SCADA system.”
A successful intrusion into the SAP system could easily mean the “end of the business”, Polyakov claimed.
With a combination of Shodan and Google searches, he told the conference, he was able to identify more than 4,000 Internet-facing SAP environments.
And – whether it’s because owners are lazy or updates are difficult – Polyakov said 35 percent of the systems ERPScan found were using NetWeaver 7 EHP 0, which hasn’t been updated since 2005. Another 19 percent were running software that hasn’t been patched since 2009, and 23 percent ran a version last updated in 2010.
The presentation slides can be found here. ®
The number of Metropolitan Police officers investigated for misusing a controversial police database has more than doubled in the past five years, The Register can reveal.
Since 2009, a total of 76 officers in London have been investigated for misusing the Police National Computer (PNC), according to figures released under Freedom of Information laws. The PNC keeps records of all a person’s interactions with the police, whether they were found guilty in court or not. It is estimated that more than 9.2 million people have records on the cops’ computer system.
With this amount of data on hand, data security is of paramount importance. Yet the problem of PNC abuse is growing.
In 2009, 12 Met officers in London were probed for unlawfully accessing the PNC, whereas last year 25 officers were put under investigation.
The Met is currently investigating five officers accused of misusing the PNC. Two officers last year “resigned/ retired” following the investigation, according to the figures, and in 2011 two officers were dismissed without notice.
Anyone who has access to the PNC has a treasure trove of information about British people – and not just criminals. It holds vehicle information and details of stolen property, and is linked to the national DNA and biometric databases. Altering any of this information has the potential to be life-changing.
Even very minor misdemeanours are kept on record for life, potentially causing problems for individuals concerned. For instance if someone has been arrested just once – regardless of whether this was wrongful or for a ridiculously trivial crime – that person is banned from the US Visa Waiver scheme, which allows British nationals to get into the States without a visa.
A Metropolitan Police spokeswoman insisted all its staff were trained to obey data protection laws.
“The MPS expects its staff to behave professionally, ethically and with the utmost of integrity at all times. Any instance where the conduct of our staff brings the MPS into disrepute is treated extremely seriously in line with MPS policy.”
According to reports in national newspapers, some 20,000 people have been wrongly branded a criminal due to mistakes in the information held on the PNC.
The Information Commissioner ordered police forces to delete criminal records of people who had kept their noses clean for decades, but the cops appealed and won the right to keep millions of minor records until a person reaches the ripe old age of 100, when they are finally set free from the database.
The police are wary of reducing the amount of data held on the PNC because the Soham killer Ian Huntley managed to get a job at a school despite having a PNC record linking him with sex crimes and burglaries. The police and social services were slammed for allowing this to happen, making them extra-cautious in the years since.
The police also brought in a new system called the Police National Database, which was introduced in 2011 and allows officers to share information on an estimated 15 million people – about a quarter of the British population.
Anyone who has been naughty in the past can apply to have their record erased, but they must persuade a top cop that their situation is “exceptional” – which basically means that appeals will be refused in most cases.
Nick Pickles, director of Big Brother Watch, commented:
“The police national computer is one of the least transparent databases operated by the state, with much of its contents never proven in court. It offers a detailed insight to people’s lives, so it is hardly surprising that it is prone to abuse.
“The broader issue is that without any real audit process, these figures are likely to be the tip of the iceberg.”
Are you concerned about the PNC? Did you work on building the system or are you involved with building similar systems? The Reg wants to hear from you. ®
A security flaw thought to have been fixed by Adobe in October 2011 has reappeared thanks to a new vulnerability involving Flash Player browser plug-ins.
The as yet unpatched vulnerability provides a means to seize control of a webcam without permission and then siphon off video and audio from the victim’s PC. The clickjacking-style flaw was uncovered by security consultant Egor Homakov, who developed a harmless proof-of-concept exploit to underline his concerns and push for an early fix.
“This works precisely like regular clickjacking – you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you,” Homakov explains in a blog post.
Adobe security team spokeswoman Heather Edell confirmed there was an issue but said it was limited to Flash Player for Google Chrome.
“This vulnerability affects users on Flash Player installed with Google Chrome,” Edell told El Reg in an email. “Google is working to resolve the issue and plans to provide a fix this week,” she added.
The vulnerability would be potentially handy for both perverts and NSA-style spies. Tinfoil hatters who tape over webcams when they aren’t in use have been vindicated by the discovery of the problem.
Robert Hansen, director of product management for WhiteHat Security, said the security model adopted by Adobe Flash has contributed to the problem.
“The basic problem with Flash is that it doesn’t have modal dialogues that pop up outside of the browser, which can alert the user to what’s about to happen,” Hansen explained. “Because the dialogues are on the same page as the adversary’s code, they can overlay things, make it opaque, and so on, to effectively hide the dialogue warning.”
Google recently imposed a seven-day deadline for vendors to respond to reports of actively exploited security bugs. Homakov’s discovery represents the first chance to see whether Google itself can stick to such tight deadlines. ®
Apple has joined Facebook and Microsoft by revealing it has received thousands of requests for sensitive user data from US investigators in less than a year.
And like the two other giants, the fruity computer company is remaining vague about the details.
Cupertino’s statement marks another attempt to defuse the ongoing row over PRISM – the NSA’s controversial project that taps up Apple and other internet giants for personal information on foreigners. The reveal tries to put a positive spin on the iPhone-maker’s close cooperation with cops and spies.
The cloud-powered iPad-slinger said it had dealt with between 4,000 and 5,000 surveillance requests from the US government since December 2012. These requests covered between 9,000 and 10,000 accounts or devices and came from federal, state and local authorities – the cases concerned had to do with both criminal investigations and national security matters.
“The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide,” Apple said in a public statement. “Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities.”
Apple stated that iMessage, FaceTime, map searches, location details and Siri requests remain private. In the case of FaceTime and iMessage, this is because of end-to-end encryption, and data from the latter three is not retained by the company in an identifiable form, Cupertino insists.
Apple, Facebook and Google were among nine tech firms named as having participated (wittingly or unwittingly) in the controversial NSA PRISM surveillance programme. The 41-page presentation was dated April this year and made public by the Washington Post.
The Apple statement, although it reveals the number of requests Cupertino complied with, continues to deny that it allows government bods direct access to its servers, stating: “We first heard of the government’s ‘Prism’ program when news organizations asked us about it on June 6.”
Since the exposure of the programme through the actions of former CIA contractor Edward Snowden, US tech firms have been lobbying the government to allow them to provide more details to their customers on the extent to which they have helped the authorities with their inquiries. Spy chiefs were against this disclosure but politicians appear to have overruled them and allowed tech giants to provide more details on wiretap requests than had been permitted with previous transparency reports from the likes of Google and Microsoft.
This move is clearly designed, at least in part, to reassure businesses and consumers that data held by US technology firms is not subject to dragnet surveillance, a concern that might prompt enterprises and international consumers to look for alternatives to US-based services.
Facebook released a similar set of data to Apple on Friday, saying it received 9,000 to 10,000 requests for user data from US authorities (local, state and federal) in the second half of 2012. These requests covered 18,000 to 19,000 of its users’ accounts. “These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat,” Facebook said in a statement.
The social network claimed that its lawyers guarded users’ privacy jealously against these requests. “We’ve reiterated in recent days that we scrutinize every government data request that we receive – whether from state, local, federal, or foreign governments. We’ve also made clear that we aggressively protect our users’ data when confronted with such requests: we frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested. And we respond only as required by law,” it said.
Microsoft, meanwhile, said it had handled 6,000 to 7,000 criminal and national security requests from US authorities affecting 31,000 to 32,000 accounts over the last six months of 2012. Redmond said the figures were an amalgamation of statistics from requests from US local, state and federal authorities. It said the figures included more on national security requests than previously provided while stating that the government has still not allowed it to be completely candid.
“For the first time, we are permitted to include the total volume of national security orders, which may include FISA orders, in this reporting. We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes,” Microsoft said in a statement.
“We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other US local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and [only if] all Microsoft consumer services had to be reported together.” ®
Over 900 Hong Kong-ers braved torrential rain on Saturday to march on the US Consulate and HK government in support of infamous PRISM whistle-blower Edward Snowden, as the man himself released yet more classified info on US intelligence operations.
The supportsnowden.org movement is positioning Snowden’s case and how the authorities respond to any potential extradition demands from the US as marking “a crossroads in Hong Kong’s future”.
With backing from several pan-democratic political parties in the SAR, its aim is as follows:
We call on Hong Kong to respect international legal standards and procedures relating to the protection of Snowden; we condemn the US government for violating our rights and privacy; and we call on the US not to prosecute Snowden.
The rally took place as Snowden reportedly made new information available to The Observer, which on Sunday reported that US operatives in the UK intercepted the communications of then-Russian president Dmitry Medvedev during the 2009 G20 summit staged in London.
Such revelations are problematic for Snowden because although they promote him as a more valuable asset for China to hang on to, they would also seem to strengthen the case for his extradition – as he is now exposing large chunks of classified intelligence on US operations abroad.
The former IT security administrator at US defence contractor Booz Allen Hamilton is still thought to be holed up in the former British colony despite hinting at plans to seek asylum in Iceland. ®