STE WILLIAMS

Your computer is a cookie that you can’t delete

Do you remember the good old days?

Time was when all you had to do to avoid being tracked online was to remember to delete your cookies. And dig out your DOM storage. And flush your Flash LSOs. And clean the ETags out of your cache, steer clear of those mobile phone vendors who strap unique IDs on to outgoing traffic and decide if the security benefits of HSTS outweigh the potential privacy trade-offs.

Ah, simpler times.

Keeping on top of those things could be a headache but no matter how many tracking barnacles anchored themselves to the hull of your browser you were still in charge, provided that you and your plugins could find them and scrape them off.

Then came fingerprinting and tracking was turned on its head.

Browser fingerprints

Unlike the stateful, active tracking of deletable beacons like cookies and LSOs, fingerprinting is the passive recording of your browser’s individual attributes.

It turns out that browsers share (and overshare) so much information about themselves, and that the information varies so much from one user to another, that your browser doesn’t need a cookie to be tracked at all because your browser itself is a cookie.

And good luck deleting that.

From screen sizes and user-agent strings to long lists of fonts and plugins, web browsers are brimming with sources of entropy. Individually, the values of each source of entropy aren’t distinctive enough to act as a unique ID, but combine them and they are. That combination is your browser’s fingerprint.

The more sources of entropy there are the easier it is to create stable fingerprints.
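The arithmetic behind "add them together and they are" is the same one Panopticlick uses: each attribute value carries -log2(p) bits of identifying information, where p is the share of browsers reporting that value, and under an independence assumption the bits from different attributes simply add. The script below is an added illustration, not code from the article or from the researchers it cites; the attribute shares in ATTRIBUTE_DISTRIBUTIONS are constructed round numbers, not measured data, and the function names are my own.

```python
import math
from typing import Dict, Tuple

# Constructed example population: for each attribute, the fraction of browsers
# reporting each value. Illustrative numbers only, not measurements.
ATTRIBUTE_DISTRIBUTIONS: Dict[str, Dict[str, float]] = {
    "screen": {"1920x1080": 0.40, "1366x768": 0.30, "2560x1440": 0.10, "other": 0.20},
    "timezone": {"UTC+0": 0.25, "UTC-5": 0.20, "UTC+1": 0.20, "other": 0.35},
    "hardwareConcurrency": {"4": 0.45, "8": 0.30, "2": 0.15, "other": 0.10},
    "fonts": {"common-set-A": 0.30, "common-set-B": 0.25, "other": 0.45},
}


def surprisal_bits(p: float) -> float:
    """Identifying information, in bits, carried by a value seen in fraction p of browsers."""
    if not 0.0 < p <= 1.0:
        raise ValueError("p must be a probability in (0, 1]")
    return -math.log2(p)


def fingerprint_bits(observed: Dict[str, str],
                     dists: Dict[str, Dict[str, float]] = ATTRIBUTE_DISTRIBUTIONS
                     ) -> Tuple[float, Dict[str, float]]:
    """Sum the per-attribute surprisal of one browser's observed values.

    Attributes are treated as independent, which over-counts when they are
    correlated (e.g. screen size and platform), so the total is an upper bound.
    Values absent from the table fall into that attribute's "other" bucket.
    """
    per_attribute: Dict[str, float] = {}
    for name, value in observed.items():
        table = dists[name]
        p = table[value] if value in table else table["other"]
        per_attribute[name] = surprisal_bits(p)
    return sum(per_attribute.values()), per_attribute


def anonymity_set_size(total_bits: float, population: int) -> float:
    """Expected number of browsers in `population` that share this combination of values."""
    return population / 2 ** total_bits


def bits_needed_to_single_out(population: int) -> float:
    """Bits of identifying information required to make every member of `population` unique."""
    return math.log2(population)


if __name__ == "__main__":
    common = {"screen": "1920x1080", "timezone": "UTC+0",
              "hardwareConcurrency": "4", "fonts": "common-set-A"}
    total, parts = fingerprint_bits(common)
    for name, bits in parts.items():
        print(f"{name:>20}: {bits:5.2f} bits")
    print(f"{'total':>20}: {total:5.2f} bits")
    print(f"anonymity set in 1,000,000 browsers: {anonymity_set_size(total, 1_000_000):.0f}")
    print(f"bits needed to single out 7.5 billion people: "
          f"{bits_needed_to_single_out(7_500_000_000):.1f}")
```

Even the most common value for every attribute leaves only about 13,500 browsers in a million looking alike, and about 33 bits are enough to tell every person on Earth apart; each additional attribute that the browser oversharess moves the fingerprint closer to that line.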

The EFF’s pioneering Panopticlick test turned our heads with just eight browser attributes and kicked off a search for more. The more we looked, the worse it got.

As the list of fingerprintable characteristics grew in size and sophistication it became clear that some of them, such as how much charge your battery has left in it or how your browser renders 3D graphics, are looking past the browser and into aspects of the hardware and OS (Operating System) below.

Those characteristics are the same no matter which browser you use.

Researchers in the USA have now demonstrated that browsers leak enough of this kind of information that it’s possible to create stable, usable fingerprints for your computer.

In other words it isn’t your browser that’s a cookie, your computer is a cookie.

Cross-browser fingerprints

Building on earlier work by Károly Boda et al from the Budapest University of Technology and Economics, Yinzhi Cao and Song Li of Lehigh University and Erik Wijmans of Washington University, St Louis have developed state-of-the-art browser fingerprinting and cross-browser fingerprinting techniques:

…that can identify not only users behind one browser but also these that use different browsers on the same machine. Our approach adopts OS and hardware levels features including graphic cards exposed by WebGL, audio stack by AudioContext, and CPU by hardwareConcurrency. Our evaluation shows that our approach can uniquely identify more users than AmIUnique for single-browser fingerprinting, and than Boda et al. for cross-browser fingerprinting. Our approach is highly reliable, i.e., the removal of any single feature only decreases the accuracy by at most 0.3%.

…our approach can successfully identify 99.24% of users as opposed to 90.84% for state of the art on single-browser fingerprinting against the same dataset. Further, our approach can achieve higher uniqueness rate than the only cross-browser approach in the literature…

To achieve their results the researchers mixed improved versions of existing fingerprinting techniques, such as a more robust cross-browser method for capturing screen resolution, with a raft of exotic new techniques.

The new techniques include the first use of information from audio devices in fingerprinting and what looks like a full body workout of the GPU (Graphics Processing Unit).

It’s been known for a while that different browsers exhibit measurable differences in the way they render pictures and text on the HTML canvas element (a virtual drawing surface you can include in web pages).

So-called canvas fingerprinting is good enough to have been used for tracking in the wild, and research carried out in 2014 found 20 separate implementations of canvas fingerprinting across the top 100,000 websites (including one that was rolled out silently on to 13m sites by social media button peddler AddThis).

Cao et al take that idea of canvas fingerprinting and run a marathon with it.

GPUs are put through their paces with lighting and shadow mapping, clipping, vertex and fragment shading, font rendering and anti-aliasing, among other things.

Your computer’s execution of these tests will be different enough from mine that we can be reliably told apart.

Some screenshots of the canvas fingerprinting tests taken from the researchers’ testing site uniquemachine.org are included below. Of course they’re only visible because this is research – somebody interested in silently tracking you would tuck these away where you couldn’t see them:

Examples of canvas fingerprinting tests

Some sources of entropy are captured indirectly via “side channels”.

Your browser will happily give up lists of the fonts it supports but won’t list the languages that you’ve got installed. That’s easily overcome though: all you have to do to test whether a language is installed is to try to use it to write its own name. If your browser tries to write “Javanese” in Javanese but isn’t equipped with the right writing system then it’ll render a string of white boxes like this: □□□□□.

A string of white boxes means the language isn’t installed; anything else means it is. Rinse and repeat for each language and you’ve got your list.

Other sources of entropy are harvested from your browser simply by asking for them.

Did you know that any website you visit can ask how many virtual cores your computer’s CPU has, for example? It’s right there in the window.navigator.hardwareConcurrency property.

One notable absentee from the list of “ask and we’ll tell you” browser attributes is battery life.

In 2015 researchers in France and Belgium showed that they could use the amount of charge left in your battery (accessible via browsers’ Battery Status API) as a unique ID.

About a year later a large scale study of tracking techniques used by the top 1m websites discovered battery life being used as a fingerprinting tactic in the wild.

Faced with clear evidence of its use as a tracking tool and serious questions about whether it had ever been used for its intended purpose by anyone, ever, Firefox promptly pulled the plug on it.

What you can do

The paper deals with fingerprinting in a fairly even-handed way, suggesting that while it can be used to deliver unwanted, targeted ads, it might also be a useful second authentication factor.

I’m not ready to drink the Kool-Aid on this: cookies work just fine, thanks, and anything else says you’re not comfortable giving users a say in whether or not they’re tracked.

Unfortunately fingerprinting is very difficult to defend against.

The only browser that really makes life hard for fingerprinters is, not surprisingly, the Tor Browser. Privacy and security are the organising principles for the Tor Browser, a modified version of Firefox, and it’s been called out in all the research on the topic I’ve seen, including this one:

Tor Browser can successfully defend many browser fingerprinting techniques, including features proposed in our paper.

Provided that you disallow use of the canvas element (Tor tells you when a website tries to use it) the researchers reckon that Tor only gives them access to a few of the information sources they use.

It’s possible that browser plugins like Privacy Badger, Ghostery or NoScript help too. They don’t counter fingerprinting directly but their disruption of trackers and ads might stop you from loading a third-party fingerprinting script. Weighed against that is that an esoteric collection of plugins will make you a bit less like everyone else and therefore easier to fingerprint.

You can generate your own browser and computer fingerprints at the researchers’ site uniquemachine.org. It’ll give you a good feel for some of the graphical tricks used in the research but it won’t tell you how easily tracked you are.

If you’re after a site that allows you to test and retest your fingerprint with a view to reducing it then go to Panopticlick or Am I Unique instead.

The code used in the research is available from Song Li’s GitHub pages.

For more on browser fingerprinting and how it’s being used in the wild read Browser fingerprints – the invisible cookies you can’t delete.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nNUlqYJhIig/

New Navy Wildcat helicopters can’t transmit vital data

Britain’s latest military helicopter fleet has still not had a tactical data link capability fitted, two years after the aircraft entered service.

Although the new Leonardo Wildcat helicopters have already been deployed operationally aboard Royal Navy warships, including deployments as the sole helicopter aboard frigates patrolling overseas, they do not have a tactical data link (TDL) capability allowing them to transmit data to other units.

Instead, crews must use a USB stick after landing to transfer data collected by the Wildcat’s radar and camera systems to its host ship. The only other alternative, at present, is for the crew to call out contacts over the radio by voice – just as Fleet Air Arm observers did during the Second World War.

Air International magazine reported in its February issue that although Wildcat HMA2s are fitted with the Bowman secure voice radio system, the helicopters still lack the TDL capability fitted to other frontline naval and military helicopters such as the Merlin and Puma.

Lieutenant Commander Anthony Johnson of 825 Naval Air Squadron told the magazine: “At present, we have to download everything our systems produce on to some form of media and present this when we land. We cannot currently transfer this data electronically whilst airborne, so we continue to use voice communication.”

The magazine commented: “An uplink is considered essential for preparation of the battlefield, analysing patterns of life and delivering a kinetic effect in a littoral situation if required” – meaning smiting Her Majesty’s enemies at sea after first making sure no innocent passers-by will get caught in the crossfire.

The Wildcat is fitted with a modern radar and electro-optical sensor suite, with the Seaspray 7400E radar including air-to-air, air-to-ground and air-to-surface modes. The Wescam electro-optical system, mounted in a turret on the helicopter’s nose, can capture hi-res stills and video and also includes a laser range-finding capability – such as would be used in conjunction with the TDL.

The vital data link capability was deleted in 2008 as part of a cost-cutting exercise by the Ministry of Defence. At the same time, the total number of helicopters on order was cut from 70 to 62, along with a host of other vital capabilities, in the infamous phrase “fitted for but not with”.

The export version of the Wildcat is fitted with a Link 16-compatible TDL.

The Ministry of Defence insists its £178bn equipment programme will create thousands of jobs over the next few years.

The Wildcat HMA2 helicopter, built by the company formerly known as Westland, is the replacement for the venerable Lynx helicopter flown by the Royal Navy’s Fleet Air Arm and the Army Air Corps. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/lynx_wildcat_has_no_tactical_data_link_royal_navy/

Mystery deepens over Android spyware targeting Israeli soldiers

Hackers are continuing to target Israeli Defence Force (IDF) personnel with Android spyware but doubts have emerged that Hamas is behind the cyber-spying operation.

ViperRAT has been specifically designed to exfiltrate information of high value from compromised devices. “Many of these samples are still active and are continuing to covertly copy files of interest from infected devices to attack controlled servers”, mobile security firm Lookout reports.

Initial reports had suggested IDF personnel had been compromised by social engineering — being lured into entering communications with third parties (posing as young women) through apps such as SR Chat and YeeCall Pro. ViperRAT has also surfaced in a billiards game, an Israeli Love Songs player, and a Move To iOS app.

A popular early theory was that Hamas was behind the malfeasance. Researchers at Lookout have come to doubt that theory.

“Strings found during source code analysis, as well as the overall sophistication of ViperRAT, suggest it is unlikely that Hamas is responsible for it,” according to Lookout. “Research indicates the actor behind it has a well-developed cyber-capability, an active interest in the Middle East region, and likely previously released a non-malicious application to the Google Play Store that is currently still live.”

There are currently two distinct variants of ViperRAT. One is a first-stage application that performs basic profiling of a device and, under certain conditions, attempts to download and install a much more comprehensive surveillance component.

The ViperRAT second stage is responsible for intelligence gathering and retrieving a broad range of data from compromised devices including locations, web histories, audio clips from calls, text messages and more. The attackers are also hijacking the device camera to take pictures, say the researchers.

“Based on trade craft, modular structure of code and use of cryptographic protocols [AES and RSA encryption] the actor appears to be quite sophisticated,” Lookout concludes.

Further research on the same campaign by Kaspersky Lab can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/israeli_soldier_android_spyware/

NSS Labs Talks Operationalizing Security

At RSA, NSS Labs CTO Jason Brvenik discusses how to find the gaps in your current web of security products and how to discover what you’re not finding.

Article source: http://www.darkreading.com/nss-labs-talks-operationalizing-security/v/d-id/1328193?_mc=RSS_DR_EDT

Florida Man Gets 48 Months For $1.3M Spam Email Scheme

Timothy Livingston committed identity theft and sent bulk spam emails on behalf of clients, generating $1.3 million in profit.

Florida resident Timothy Livingston has been sentenced by a US district court to 48 months in prison for computer hacking, identity theft, and email fraud. A US Department of Justice (DoJ) release said Livingston made more than $1.3 million in illegal profits through his hack scheme.

The DoJ reports he launched A Whole Lot of Nothing LLC in 2011 with the purpose of sending bulk spam emails, both legal and illegal, on behalf of clients. His clients included insurance companies and online pharmacies, which illegally sold medicine. His accomplice, Tomasz Chmielarz, wrote computer programs that would allow him to send bulk emails, evading filters and keeping the sender’s identity secret.

Livingston also hacked personal email accounts and committed identity theft. He then used corporate, as well as proxy, servers and botnets to send out the emails.

Read full DoJ report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/florida-man-gets-48-months-for-$13m-spam-email-scheme-/d/d-id/1328198?_mc=RSS_DR_EDT

Man Jailed For Hacking Ex-Employer’s Operations

Louisiana resident Brian Johnson was sentenced to 34 months in prison and ordered to pay more than $1.1 million in damages.

Brian P. Johnson of Louisiana has been sentenced to 34 months in prison for hacking and intentionally disrupting operations at the Port Hudson mill of his former employer Georgia-Pacific, says the US Department of Justice (DoJ). Johnson has also been ordered to pay more than $1.1 million to the company in damages.

The report states Johnson, who was a systems administrator in the IT department of Georgia-Pacific’s Port Hudson division, was fired in February 2014. Following his termination, he configured his home computer to gain remote access to the company’s network and transmitted codes and commands to cause significant damage to the plant’s operations.

A police search at Johnson’s residence came up with evidence of his former misdeeds. His computer system and related devices were seized.

Johnson will start his jail term beginning next month.

Click here for details.


Article source: http://www.darkreading.com/man-jailed-for-hacking-ex-employers-operations/d/d-id/1328197?_mc=RSS_DR_EDT

Juniper Discusses The New Network & How To Secure It

At RSA, Mihir Maniar, Juniper Networks’ vice president of security products and strategy, and Laurence Pitt, Juniper Networks’ EMEA security strategy director, discuss how the network has not disappeared, it’s just become more elastic.

Article source: http://www.darkreading.com/juniper-discusses-the-new-network-and-how-to-secure-it/v/d-id/1328194?_mc=RSS_DR_EDT

Mimecast Tackles Email-Bound Risks

At RSA, Mimecast cyber security strategy Bob Adams discusses graduating from basic filtering to true email security risk assessment.

Article source: http://www.darkreading.com/mimecast-tackles-email-bound-risks/v/d-id/1328195?_mc=RSS_DR_EDT

Raytheon Foreground Security Talks Proactive Risk-Based Security

At RSA, Raytheon Foreground Security’s president, Paul Perkinson, and chief strategy officer, Joshua Douglas discuss how to get proactive with advanced threat hunting and managed detection response.

Article source: http://www.darkreading.com/raytheon-foreground-security-talks-proactive-risk-based-security/v/d-id/1328196?_mc=RSS_DR_EDT

Iran Intensifies Its Cyberattack Activity

Middle East targets – namely Saudi Arabia – feeling the brunt of the attacks, but experts anticipate Iran will double down on hacking US targets.

RSA CONFERENCE – San Francisco – As all eyes are on Russia’s coordinated hacking and propaganda efforts aimed at influencing elections in the US and some European nations, state-sponsored attackers out of Iran are quietly cranking up their cyber spying and data-destruction attacks.  

Most of Iran’s targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but some security experts warn that the US indeed could be in the line of fire given the increasingly contentious geopolitical climate between the two nations.

Former national security advisor Michael Flynn’s recent declaration that the US had put Iran “on notice” and subsequent anti-US protests and sentiment in Iran are the perfect recipe for an increase in cyber espionage and cyberattacks meant to destabilize or protest US policies on Iran, according to Adam Meyers, vice president of intelligence at CrowdStrike.

Meyers says Iran’s nation-state hacking machine is more prolific than ever lately. “What’s new is the level of activity we’ve seen, with dozens of targets in Saudi Arabia over the past two months,” Meyers said in an interview here.

“One of the things we’re tracking is if things escalate between the US and Iran, then we expect attacks will be likely in the financial sector” in the US in response, he said.

Iran’s cyberattack operations also have matured and become more disciplined, he says. “They are showing more mature capabilities” and organization, Meyers explained. “In early 2010 to 2014, they were very open, disorganized, [as] small companies doing training and pen-testing and exploit development. Now they’ve aligned themselves into proper ‘businesses'” working on attack campaigns, he said. “We don’t see them talking [about their cyber activities] as openly as before. That’s notable.”

In 2012, hackers believed to be out of Iran launched the devastating Shamoon data-wiping attacks on Middle East petroleum giant Saudi Aramco, damaging or wiping the hard drives of some 25,000 computers. The following year, US banks suffered a massive wave of distributed denial-of-service (DDoS) attacks that US officials blamed on Iran.

Then Shamoon reappeared in November of last year and again in January of this year, with a slightly new version of the destructive malware, hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

IBM’s X-Force incident response services team, IRIS, here this week revealed its findings on just how the new Shamoon malware was unleashed on its victims, something that had been mostly speculated for some time given the nature of data-wiping attacks that leave little forensic evidence behind.

The latest Shamoon attacks began with a spear phishing email sent to employees at the organizations being targeted. Those emails carried a Microsoft Word document rigged with a malicious macro which, once enabled by the victim, infected his or her machine. The macro launches PowerShell, giving the attackers remote command-line control of the machine and letting them add other malware or gain privileged access to other systems on the victim’s network.

Once the attackers have enough intel to find juicy targets on the network, they deploy Shamoon, which overwrites the hard drives and disables the affected computers.

Wendi Whitmore, global lead of IBM X-Force IRIS (Incident Response and Intelligence Services), said her team has mostly seen the new Shamoon campaign targeting Middle East organizations. “Right now, the biggest threat is really to the Middle East region, from what we’ve seen,” she said in an interview here. IBM did not determine the initial attack vector of the 2012 Shamoon campaigns, she said.

Whitmore said she expects more Shamoon and destructive-type attacks to come. “Especially with how dynamic the political environment is now,” she said.

Meanwhile, researchers from Palo Alto Networks Unit 42 team have spotted other targeted attacks on government, energy, and technology organizations mainly in Saudi Arabia or those that do business there. PAN calls the attack group “Magic Hound,” noting that it may be somehow connected to the Iranian “Rocket Kitten” cyber espionage gang.

Unit 42 stopped short of tying these attacks to the Shamoon group. Rocket Kitten is best known for keylogging and other traditional cyber spying. Like the second Shamoon attacks, Magic Hound relies on malicious macros in Microsoft Office documents that call Windows PowerShell to wrest control of the victim machines.
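Both the Shamoon and Magic Hound chains described above share one detectable step: an Office application spawning PowerShell (or another script interpreter) after a macro is enabled. The script below is an added defender-side example, not code from the article or from IBM, Unit 42 or any vendor; it runs a simple parent/child process rule over a handful of constructed process-creation events whose field names loosely follow Sysmon Event ID 1 (ParentImage, Image, CommandLine, ProcessId). The sample events, the "-enc AAAA" placeholder command line and the function names are all my own.

```python
import re
from typing import Dict, List

# Office applications that should not normally launch script interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters an enabled macro typically uses to stage further tooling.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry). The base64 after -enc is a placeholder.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 1001,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ProcessId": 1002,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Documents\\report.docx\""},
    {"ProcessId": 1003,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
    {"ProcessId": 1004,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"ProcessId": 1005,
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

ENCODED_RE = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|e)\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, object]) -> List[str]:
    """Return the reasons one process-creation event looks like a macro staging a shell."""
    parent = basename(str(event.get("ParentImage", "")))
    child = basename(str(event.get("Image", "")))
    cmdline = str(event.get("CommandLine", ""))
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    # The command-line heuristics only matter once PowerShell is the child; on their
    # own they would flag plenty of legitimate administration scripts.
    if child in POWERSHELL and reasons:
        if ENCODED_RE.search(cmdline):
            reasons.append("encoded PowerShell command line")
        if HIDDEN_RE.search(cmdline):
            reasons.append("hidden PowerShell window")
    return reasons


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep only those with at least one reason."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append({"ProcessId": event["ProcessId"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ProcessId"], "; ".join(alert["reasons"]))
```

The rule deliberately stays quiet on event 1003 (Word handing off to the print spooler helper) and on 1005 (a service running a scheduled script), because the parent/child pairing is what separates a macro-launched shell from ordinary PowerShell use; encoded and hidden-window flags are added as supporting evidence rather than as triggers in their own right.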

“The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance,” according to Unit 42’s research. “The two legitimate websites we were able to identify were owned by organizations in the government and energy sectors. Based on the existence of these malicious files on the legitimate websites, it is highly probable that the websites had already been compromised in some fashion.”

The initial attack vector was likely the old standby, spear phishing, according to the researchers.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/threat-intelligence/iran-intensifies-its-cyberattack-activity/d/d-id/1328189?_mc=RSS_DR_EDT