STE WILLIAMS

No, the cops can’t get a search warrant to just seize all devices in sight – US appeals court

Aug 19

It’s a ruling sending shockwaves through the worlds of privacy, device security, and law enforcement in America.

The US Circuit Court of Appeals in the District of Columbia on Friday overturned the conviction of a gang member because investigators obtained a search warrant for his devices without probable cause.

In other words, crucial evidence obtained by investigators using a search warrant to seize and scan all phones and other gadgets on sight has been thrown out.

Ezra Griffith, of Washington DC, was found guilty in 2013 of unlawful possession of a firearm by a felon, having been previously convicted of attempted robbery.

The then 23-year-old came under the suspicion of DC police officers investigating a gang-related murder due to his involvement with a rival gang and because of surveillance video.

His arrest on firearms charges followed a search of his girlfriend’s apartment that resulted in the recovery of a gun, something Griffith could not lawfully possess.

The officers at the scene had come with a search warrant for all cell phones and seized six, along with a tablet computer.

Hearing Griffith’s appeal to invalidate the warrant that led to the evidence used to convict him, the appeals court found that authorities had obtained permission to search the girlfriend’s apartment for electronic devices without adequately establishing probable cause.

The affidavit filed to obtain the warrant sought any cell phones or electronic devices belonging to Griffith, along with any written or printed material related to the homicide being investigated.

But authorities did not state any reason for believing that Griffith’s devices contained evidence of a crime.

“The government’s argument in support of probable cause to search the apartment rests on the prospect of finding one specific item there: a cell phone owned by Griffith,” the court ruling says. “Yet the affidavit supporting the warrant application provided virtually no reason to suspect that Griffith in fact owned a cell phone, let alone that any phone belonging to him and containing incriminating information would be found in the residence.”

Not only that, but the warrant allowed officers to seize any electronic devices present, even if they belonged to someone other than Griffith.

For the DC Court of Appeals, at least, such a broadly drawn warrant went too far.

“[W]e do not doubt that most criminals – like most people – have cell phones, or that many phones owned by criminals may contain evidence of recent criminal activity,” the court said. “Even so, officers seeking authority to search a person’s home must do more than set out their basis for suspecting him of a crime.”

The court’s affirmation of the Fourth Amendment comes as the Supreme Court is weighing how to apply the Constitution’s prohibition on unreasonable searches to cell phone location data. Earlier this week, tech companies joined media companies and other organizations to urge the Supreme Court to disallow demands for location data without a warrant.

Orin Kerr, a law professor at Georgetown University, via Twitter observed, “On a first read, at least, Judge Srinivasan’s alternative holding in Griffith is going to create a mess.”

However, he added, it’s great for defense attorneys. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/appeals_court_defends_device_privacy/

News in brief: few girls studying computing; new Galaxy Note battery issue; fine over parking data breach

Aug 18

Your daily round-up of some of the other stories in the news

Concern at number of girls studying computing

There’s been a lot of focus on how to improve the representation of women in the tech industry in the wake of concerns about the culture at companies such as Uber, and many experts agree that it’s important to focus on the pipeline and to encourage girls and young women to choose relevant subjects at school.

So the news that of those taking the A-level computing studies exam at 18, just 9.8% of them are girls has sparked concern – while there was also concern about the low overall numbers taking the course, the BBC reported.

Bill Mitchell of BCS, the chartered institute for IT, said in response to the figures from the Joint Council for Qualifications: “Today’s announcement that nearly 7,600 students in England took A-level computing means it’s not going to be party time in the IT world for a long time to come,” and added: “At less than 10%, the numbers of girls taking computing A-level are seriously low.”

He went on: “We need to make sure that our young women are leaving education with the digital skills they need to secure a worthwhile job, an apprenticeship or go on to further study.”

Battery fears hit Samsung again

Remember the debacle over the Samsung Galaxy Note 7 and the overheating batteries? Now Samsung has been hit by another battery issue – some refurbished Galaxy Note 4 devices are having their batteries recalled.

However, this time it’s not Samsung’s fault: the 10,000-odd affected devices, according to the US Consumer Product Safety Commission, which issued the recall, are “batteries placed into refurbished AT&T Samsung Galaxy Note 4 cellphones by FedEx Supply chain and distributed as replacement phones through AT&T’s insurance program only”.

The affected batteries are apparently counterfeit, and are at risk of overheating. Although the Note 4 is three years old, the affected phones were sent out to customers fairly recently, between December 2016 and April this year as replacements via AT&T.

If you’ve got one of these devices, power down the phone and don’t use it – you’ll be hearing from FedEx.

Council fined over parking data breach

A local authority in London has been fined £70,000 after it exposed the personal information of 89,000 people via its parking ticket system, which allowed people to see CCTV images of their alleged parking offence.

The Information Commissioner’s Office, the UK’s data regulator, fined the council after a member of the public realised that by manipulating a URL on the council’s Ticket Viewer system they could access the information of other people including bank details, medical evidence and home addresses and phone numbers.

Sally Anne Poole, the ICO enforcement officer, said: “People have a right to expect their personal information is looked after. Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure, it can have distressing consequences for all those involved.”

The ICO said that the council hadn’t tested the system either before it went live nor regularly after that.
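The flaw described above is a missing object-level authorization check: the notice number in the URL was the only thing selecting the record. The following is an added illustration, not the council’s code or anything from the ICO’s notice; the ticket records, field names and the idea of using the vehicle registration printed on the notice as a second credential are assumptions made for the example. It shows the lookup that leaks, a hardened lookup beside it, and the kind of pre-launch enumeration test the ICO said was never run.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: int        # sequential notice number, as printed on the ticket
    registration: str     # vehicle registration, also printed on the ticket
    address: str
    bank_details: str
    cctv_image: str       # path to the evidence image


# Constructed sample records for the example (not real data).
TICKETS: Dict[int, Ticket] = {
    1001: Ticket(1001, "AB12CDE", "1 High Street", "sort 00-00-00 acct 11111111", "/cctv/1001.jpg"),
    1002: Ticket(1002, "XY99ZZZ", "2 Low Road", "sort 00-00-00 acct 22222222", "/cctv/1002.jpg"),
}


class NotFound(Exception):
    """Uniform failure for missing and non-matching tickets alike, so the
    response does not reveal which notice numbers exist."""


def view_ticket_insecure(ticket_id: int) -> Optional[Ticket]:
    """The weakness the article describes: the notice number from the URL is the
    only selector, so changing ?ticket=1001 to ?ticket=1002 returns someone
    else's address, bank details and CCTV image."""
    return TICKETS.get(ticket_id)


def normalise_reg(reg: str) -> str:
    """Canonical form of a registration so 'xy99 zzz' matches 'XY99ZZZ'."""
    return "".join(reg.split()).upper()


def view_ticket_secure(ticket_id: int, registration: str) -> Ticket:
    """Hardened lookup: the caller must also present something only the ticket
    recipient has (assumed here: the registration printed on the notice).
    The comparison is constant-time and the failure path is uniform."""
    ticket = TICKETS.get(ticket_id)
    presented = normalise_reg(registration).encode()
    expected = ticket.registration.encode() if ticket else b""
    # Always run the comparison so unknown and known ids take the same time.
    if ticket is None or not hmac.compare_digest(presented, expected):
        raise NotFound("no matching ticket")
    return ticket


def can_view(ticket_id: int, registration: str) -> bool:
    """True only when the presented credentials unlock the record."""
    try:
        view_ticket_secure(ticket_id, registration)
        return True
    except NotFound:
        return False


def issue_reference() -> str:
    """Alternative to guessable sequential numbers in URLs: a random reference
    generated when the notice is issued (assumed design, not the council's)."""
    return secrets.token_urlsafe(12)


def enumeration_test(start: int = 1000, tries: int = 5) -> int:
    """The check the ICO said was never run: walk neighbouring notice numbers
    with a wrong secret and count how many records come back."""
    return sum(1 for tid in range(start, start + tries) if can_view(tid, "NOT-MINE"))


if __name__ == "__main__":
    print("insecure lookup of a foreign ticket:", view_ticket_insecure(1002))
    print("secure lookup with correct registration:", view_ticket_secure(1002, "xy99 zzz").ticket_id)
    print("records leaked by enumeration:", enumeration_test())
```

The insecure function is deliberately left as the article describes it so the two can be compared; in a real viewer the hardened lookup would additionally be rate-limited per source to blunt brute-forcing of the second credential.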

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wY9-8m9OoOg/

Berkeley boffins build better spear-phishing black-box bruiser

Aug 18

Security researchers from UC Berkeley and the Lawrence Berkeley National Laboratory in the US have come up with a way to mitigate the risk of spear-phishing in corporate environments.

In a paper presented at Usenix 2017, titled “Detecting Credential Spearphishing in Enterprise Settings,” Grant Ho, Mobin Javed, Vern Paxson, and David Wagner from UC Berkeley, and Aashish Sharma of The Lawrence Berkeley National Laboratory (LBNL), describe a system that utilizes network traffic logs in conjunction with machine learning to provide real-time alerts when employees click on suspect URLs embedded in emails.

Spear-phishing is a social engineering attack that involves targeting specific individuals with email messages designed to dupe the recipient into installing a malicious file or visiting a malicious website.

Such targeted attacks are less common than phishing attacks launched without a specific victim in mind, but they tend to be more damaging. High profile data thefts at the Office of Personnel Management (22.1 million people) and at health insurance provider Anthem (80 million patient records), among others, have involved spear-phishing.

The researchers are concerned specifically with credential theft since it has fewer barriers to success than exploit-based attacks. If malware is involved, diligent patching and other security mechanisms may offer defense, even if the target has been fooled. If credentials are sought, tricking the target into revealing the data is all that’s required.

The researchers focus on dealing with attacks that attempt to impersonate a trusted entity, which may involve spoofing the name field in emails, inventing a name that’s plausibly trustworthy, like [email protected], or messages delivered from a compromised trusted account. Another means of impersonation, email address spoofing, is not considered because it can be dealt with through email security mechanisms like DKIM and DMARC.

The challenge in automating spear-phishing detection is that such attacks are rare, which is why many organizations still rely on user reports to trigger an investigation. The researchers note that their enterprise dataset contains 370 million emails – about four years worth – and only 10 known instances of spear-phishing.

So even a false positive rate of 0.1 per cent would mean 370,000 false alarms, enough to paralyze a corporate IT department. And the relative scarcity of spear-phishing examples ensures that machine learning techniques lack the volume of data to create a viable training model.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/spear_phishing_detector/

Phone location privacy – for armed robber – headed to Supreme Court

Aug 18

Armed robbers are not sympathetic characters. Which means defending their right to privacy might not get much sympathy either.

But, as multiple privacy advocates note, it’s not just about them – it’s about the rest of us: if their privacy isn’t protected, neither is yours and neither is anyone’s.

That is at the heart of a case now headed to the US Supreme Court (SCOTUS). The legal issue is whether cell phone users “voluntarily” turn over cell tower location data to the carriers, which therefore means it is not private. It is a sure bet that almost nobody thinks that, since they don’t get to volunteer. If they want to use their phones, the carrier collects the data.

But the emotional/political issue is that it’s about a convicted criminal. Which recalls the words of HL Mencken, the iconic journalist and cultural critic, who famously said:

The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.

The scoundrel in this case is Timothy Ivory Carpenter, convicted in 2013 of six robberies of cell phone stores in the Detroit area, and using a gun in five of them. He was sentenced to 116 years for his role in the crimes, committed with several others, including his half-brother, Timothy Michael Sanders.

But part of the evidence used to convict Carpenter was data from wireless carriers, which prosecutors said placed his phone within a half mile to two miles of the sites of the robberies when they were committed.

Carpenter and Sanders appealed, with the backing of the American Civil Liberties Union (ACLU) and other groups, arguing that the collection of that data without a warrant violated his Fourth Amendment protection against unreasonable search and seizure.

They failed at the Appeals Court level in April 2016, when the Sixth US Circuit Court of Appeals found that while personal communications are private, “the federal courts have long recognized (that) the information necessary to get those communications from point A to point B is not,” which includes the metadata from cell phone towers. The court added that such data

… are information that facilitate personal communications, rather than the content of those communications themselves. The government’s collection of business records containing these data therefore is not a search.

It also noted that access to the phone records had been granted by magistrate judges under the Stored Communications Act (SCA), which the FBI sought after one of the robbers confessed and then gave the agency his cellphone along with the numbers of other participants.

However, the FBI didn’t seek a warrant. And that prompted the appeal, which the Supreme Court is scheduled to hear in the term that begins in October, and which has prompted a small blizzard of amicus briefs from privacy advocates including the Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC) and another from more than a dozen of the nation’s top tech companies including Airbnb, Apple, Cisco Systems, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest Labs, Snap, Twitter and Verizon.

One of their biggest objections to the Appeals Court decision is that it is based, as the court said, on “long recognized” precedent. Long, as in long ago, in the 1970s, when nobody had a cellphone. It holds that information voluntarily given to a third party as part of a business transaction doesn’t qualify for Fourth Amendment protection.

That, the advocates say, is vastly out of date – applying analog rules to a digital world – since just about everybody now carries a cellphone. There are now an estimated 396m mobile accounts in the US (more than the nation’s population), and the location data gathered by cell towers is becoming as precise as GPS tracking.

Even if location services is shut off on a phone, simply operating the phone means it connects to cell towers, generating data called cell site location information (CSLI). According to the EFF brief, “as the number of cell towers has increased and cell sites have become more concentrated, the geographic area covered by each cell sector has shrunk,” which makes it possible to determine where a phone is within 50 meters.

The tech companies’ brief also noted that the SCA, under which the FBI sought the phone metadata, was enacted in 1986, when, “few people used the internet, almost none had portable computers, and only around 500,000 Americans subscribed to basic cell phone service”.

Other reasons cited by privacy advocates for the Fourth Amendment applying to CSLI include:

  • Users don’t really “voluntarily” turn over that data to the wireless carriers, since they can’t use the phone without doing so. Alan Butler, senior counsel at EPIC, said the Supreme Court has already signaled that it understands that mobile devices “have become embedded into our daily lives. I think the notion that cell phone users necessarily ‘assume the risk’ or ‘consent’ to collection and disclosure of their location information is nonsense and flips privacy law entirely on its head.”

Butler, who also authored a recent post on SCOTUSblog about the Carpenter case, noted that the Supreme Court in 2012 unanimously threw out a conviction for drug trafficking because of evidence gathered by law enforcement putting a GPS tracker on the defendant’s car.

Carrying a phone, he and others have noted, amounts to a GPS tracker monitoring not just where your car goes, but where you go, all the time.

  • If precedent stands, Big Brother can track just about anybody without a warrant. EFF noted that “AT&T alone received 70,528 requests for CSLI in 2016 and 76,340 requests in 2015. Verizon received 53,532 requests in 2016 and 50,066 requests in 2015.” The majority of them warrantless.
  • The location tracking of people extends far beyond real time, unlike human surveillance. It can go back months, or even years, creating a highly detailed record of everywhere a person has been.
  • Given the necessity of cell phones, people now have a “reasonable expectation” that their location information is private.

The lobbying for the Carpenter conviction to be overturned is not unanimous, however. Orin Kerr, a research professor at the George Washington University Law School, in a post on SCOTUSblog, argued that what is really at issue is “what you might call the eyewitness rule: the government can always talk to eyewitnesses”.

In this case, he said, the wireless carrier is an eyewitness. “Customers use their services and hire the companies to place calls for them,” he wrote, which means the business record of what they did for customers doesn’t have Fourth Amendment protection.

The right question for the court, he contended, is not Carpenter’s “expectation” of privacy, but whether he should “have a right to stop others from telling the government about what they saw [him] do”.

Of course, this is about billions of digital “eyes”, not people on the street.

Which calls to mind a talk by Christopher Soghoian late last year, when he was chief technologist at the ACLU, titled “Stopping Law Enforcement Hacking” at the Chaos Communication Congress (CCC). He said:

Many of the court cases that define our basic privacy rights come from cases involving drug dealers, people smuggling alcohol, and paedophiles. So it can be very unpleasant for people to engage in these cases.

But if you wait until the government is using its powers against journalists and freedom fighters, by that point the case law is settled.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eyh4yc-2oN4/

‘Pulse wave’ DDoS – another way of blasting sites offline

Aug 18

After all the excitement over 2016’s Mirai Internet of Things (IoT) DDoS attack, you could be forgiven for thinking that the criminal pastime of overloading servers with lots of unwanted traffic has gone a bit quiet recently.

It’s been this way for years. DDoS attacks tend not to be noticed by anyone other than service providers unless they are particularly huge, hit well-known websites, or manifest nastiness such as the notorious DD4BC extortion gang attacks of 2015.

Such visible incidents are infrequent, yet below the surface, where service providers fight fires and commercial secrecy keeps many attacks unreported, innovation rumbles on.

Now, mitigation company Incapsula has spotted an example of this behind-the-scenes evolution in the form of “pulse wave”, a new type of attack pattern which, from the off, had its experts intrigued.

DDoS attacks, which spew forth from botnets of one type or another, normally follow a format in which traffic increases before a peak is reached, after which comes either a gradual or sudden drop. The rise has to be gradual because bots take time to muster.

The recent wave of pulse attacks during 2017 looked different, with massive peaks popping out of nowhere rapidly, often within seconds. Demonstrating that this was no one-off, successive waves followed the same pattern.

Says Incapsula:

This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.

Granted, but to what end?

The clue was in the gaps between the “pulses” of each attack. In fact, the botnet or botnets behind these attacks were not necessarily being switched off at all – the gaps were just the attackers pointing it at different targets, like turning a water cannon. This explained the rapid surge in traffic on the commencement of each attack.

It’s likely not a coincidence, Incapsula claims, that this pattern causes problems for one DDoS defence, which is to use on-site equipment with fail-over to a cloud traffic “scrubbing” system in the event that an attack gets too big. Because traffic ramps almost instantly, that fail-over can’t happen smoothly, and indeed the network might rapidly find itself cut off.
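The distinguishing features described above (near-instant rise to peak, spikes recurring at a steady interval, and a rise too fast for an on-premises appliance to hand off to cloud scrubbing) can be checked against a per-second traffic series. The following detection logic is an added example, not Incapsula’s method or anything from its report; the traffic samples are constructed, the 300Gbps peak just echoes the figure quoted below, and the thresholds, regularity test and the assumed 20-second fail-over window are all choices made for the example.

```python
from statistics import mean, pstdev
from typing import Dict, List

# Constructed per-second traffic readings in Gbps (not real measurements).
# Pulse wave: near-idle baseline, a one-second ramp, an eight-second spike at
# ~300 Gbps, then idle again, with the whole cycle repeating every 60 s.
PULSE_SERIES: List[float] = ([1.0] * 30 + [150.0] + [300.0] * 8 + [1.0] * 21) * 3

# Conventional botnet flood: traffic climbs over 40 s as bots muster,
# plateaus, then decays.
RAMP_SERIES: List[float] = (
    [1.0] * 10
    + [i * 7.5 for i in range(1, 41)]
    + [300.0] * 10
    + [300.0 - i * 7.5 for i in range(1, 41)]
    + [1.0] * 10
)


def rising_crossings(series: List[float], attack_level: float) -> List[int]:
    """Seconds at which traffic first reaches attack_level after being below it."""
    return [i for i in range(1, len(series))
            if series[i] >= attack_level and series[i - 1] < attack_level]


def rise_time(series: List[float], onset: int, baseline: float) -> int:
    """Seconds from the last baseline-level reading to the onset: the window a
    defender has to react before the flood is at full strength."""
    j = onset
    while j > 0 and series[j - 1] > baseline:
        j -= 1
    return onset - j


def classify(series: List[float], baseline: float = 5.0, attack_level: float = 200.0,
             max_rise: int = 10, regularity: float = 0.2,
             failover_seconds: int = 20) -> Dict:
    """Label a traffic series as none / ramp / burst / pulse-wave.

    pulse-wave = every onset reaches attack level within max_rise seconds AND
    the onsets recur at a near-constant interval (coefficient of variation of
    the gaps below `regularity`). Thresholds are assumptions for the example.
    """
    crossings = rising_crossings(series, attack_level)
    rises = [rise_time(series, c, baseline) for c in crossings]
    intervals = [b - a for a, b in zip(crossings, crossings[1:])]
    fast = bool(rises) and all(r <= max_rise for r in rises)
    # "accurate persistence": spikes spaced at a near-constant interval
    regular = len(intervals) >= 2 and pstdev(intervals) / mean(intervals) < regularity
    if not crossings:
        pattern = "none"
    elif fast and regular:
        pattern = "pulse-wave"
    elif fast:
        pattern = "burst"
    else:
        pattern = "ramp"
    return {
        "pattern": pattern,
        "pulses": len(crossings),
        "rise_seconds": rises,
        "intervals": intervals,
        # Assumed: the on-site appliance needs failover_seconds to hand off to
        # cloud scrubbing; a rise shorter than that means the hand-off is too late.
        "failover_ok": bool(rises) and all(r >= failover_seconds for r in rises),
    }


if __name__ == "__main__":
    for name, s in (("pulse", PULSE_SERIES), ("ramp", RAMP_SERIES)):
        print(name, classify(s))
```

Run against the two constructed series, the pulse input is labelled pulse-wave with three one-second rises 60 seconds apart and fail-over judged infeasible, while the conventional flood is labelled ramp with a 26-second rise that would leave time for the hand-off.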

If that’s true, organisations that have built their datacentres around sensible layered or “hybrid” DDoS defense will be in a pickle. Either they’ll have to beef up their in-house mitigation systems or convince their cloud provider to offer rapid fail-over. Incapsula, we humbly note, sells cloud-based mitigation.

All in all, it sounds like a small but important technical innovation that will be countered with the same. Given the impressive traffic these botnets seem able to summon at will – reportedly 300Gbps for starters – it would be unwise to dismiss it as just another day at the internet office.

Or perhaps the real innovation in DDoS criminality isn’t in the way traffic is pointed at victims so much as the tragic wealth of undefended servers and devices that can be hijacked to generate the load in the first place.

This was one of the surprising lessons of Mirai and perhaps it has yet to be learned: never underestimate the damage a motley collection of ignored and forgotten webcams and home routers can do to some of the internet’s biggest brands if given the chance.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1oocShyuNFs/

Drone firm says it’s stepping up security after US army ban

Aug 18

Two weeks ago, the US Army told its troops that using drones from DJI – maker of the world’s best-selling drones – was henceforth verboten, given unspecified vulnerabilities discovered by its research lab and the US Navy.

While the army was keeping mum about those vulnerabilities, others haven’t been so circumspect. Rather, they’ve been talking for months about sensitive information having the potential to be scattered in the tailwinds.

In May, Kevin Pomaski, a chief pilot for one of the largest commercial UAS service providers in the US, wrote an article about highly sensitive information that can be revealed in conversations between unmanned aerial system (UAS) pilots and their clients: details that he said can include infrastructure, stadiums, military installations, construction sites, details about security, details about the drone itself, details about the drone operator, and more.

This sensitive data is vulnerable to interception, he said:

Critical infrastructure access and layouts are being captured every day. This information may be accessed by foreign actors that mean to harm the countries that these locations are in. The complete data record can be cataloged by pilot, region or location and a full report of the layout, security response, names of people will be revealed. Corporate espionage agents would love to have visual and audio details of that new system being captured by the drone in any industrial field of pursuit.

More recently, rumors have been flying about operators being told not to show up for work at US government agencies unless they bring American-made drones with them. According to sUAS News, the unspecified government agencies allegedly have security concerns about data being shared unwittingly.

If the allegations are true, it adds up to a ban on the Chinese-made DJI equipment. DJI is, after all, a Chinese company, governed by Chinese law, as Pomaski pointed out.

He dissected the privacy policy of DJI’s Go app and came up with a number of issues around sensitive data. For example, this passage from the privacy policy notes that personal information could be transferred to offshore servers:

The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. If you choose to use the DJI Go App from the European Union or other regions of the world, then please note that you may be transferring your personal information outside of those regions for storage and processing. Also, we may transfer your data from the US, China, and Hong Kong to other countries or regions in connection with storage and processing of data, fulfilling your requests, and providing the services associated with the DJI Go App. By providing any information, including personal information, on or through the DJI Go App, you consent to such transfer, storage, and processing.

Now, two months after the army banned DJI drones, DJI has responded by adding a privacy mode to its equipment to prevent flight data being shared to the internet.

On Monday, DJI announced that it’s adding a local data mode that stops internet traffic to and from its flight control apps “in order to provide enhanced data privacy assurances for sensitive government and enterprise customers”.

The company says the privacy mode had been in the works for months, before the army ban. The new privacy mode, due out in future app versions expected in the coming weeks, entails a tradeoff: blocking all internet data means that DJI apps won’t…

  • update maps or geofencing information, meaning pilots could wind up flying in banned zones
  • notify pilots of newly issued flight restrictions or software updates
  • be able to upload to YouTube

On the plus side:

[Local data mode] will provide an enhanced level of data assurance for sensitive flights, such as those involving critical infrastructure, commercial trade secrets, governmental functions or other similar operations.

The army memo had told troops to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

However, the army has reportedly walked that ban back a bit, sUAS News reported on Monday. A second memo had reportedly gone out at the end of last week, to the effect that the army will grant exceptions to the ban once a DJI plugin has passed OPSEC (Operational Security) scrutiny.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o5hg-rr9McI/

How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?

Aug 18

It’s coming on two decades now since the first warnings that US critical infrastructure is vulnerable to a catastrophic cyberattack. According to some experts, it is perhaps more vulnerable now than ever – the threats are worse and the security is no better.

But how likely is such an attack? There is still plenty of debate about that.

Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

There have been similar warnings since from top government officials – former defense secretary Leon Panetta paraphrased Clarke in 2012, warning of a “cyber Pearl Harbor” – a major cyberattack on industrial control systems (ICS) that could disable the nation’s power grid, transportation system, financial industry and government for months or longer.

Of course, nothing even close to that catastrophic level has happened – yet. And there are a number of experts who say such doomsday language is gross hyperbole, peddling nothing but FUD (fear, uncertainty and doubt). Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said at the 2015 RSA conference that squirrels and natural disasters were a more realistic threat of taking down the grid than a cyber attack.

But a couple of experts in ICS – the equipment used to operate the grid and other critical infrastructure – say they are increasingly troubled that security has not really improved since the warnings began.

Galina Antova, co-founder and chief business development officer at Claroty, recently referred in a blog to “The Lost Decade of Information Security”, saying:

“We are no better off today in terms of cybersecurity readiness than we were 10 years ago. The threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.”

She has some company in the person of Joe Weiss, managing partner at Applied Control Solutions, who has said for years that ICS security is dangerously lax. Writing on his “Unfettered” blog last week, Weiss said there is essentially no security in ICS process sensors, the tools to detect anomalies in the operation of ICSs – which means an attacker could get control of them relatively easily and create major physical damage.

Weiss cited a number of sensor “malfunctions” that illustrate the problem. One, he said, resulted in the release of 10m gallons of untreated wastewater. Another, he said, was the rupture of a pipeline in Bellingham, WA, which released 237,000 gallons of gasoline into a nearby creek causing it to catch fire, killed three people, caused an estimated $45m in property damage and led to the bankruptcy of the Olympic Pipeline Company.

“That happened in June, 1999,” Weiss said in an interview. “How can that be relevant today? It turns out every bit of it is, because the same flaws that existed then exist today.”

He said in most cases there is no way to know if what happened was an accident or a malicious attack, because of a lack of visibility into the networks. And he wondered on his blog: “How can this lack of security and authentication of process sensors be acceptable?”

What to do? That is where Weiss and Antova part company – just a bit. Antova said she agrees that the sensor flaws exist and, as she wrote, the threat of major ICS attacks “is real and just over the horizon”. But, in an interview, she also said she is “allergic” to describing the threat at either extreme – in relatively trivial terms (squirrels) or disaster (Pearl Harbor).

She said it is not simple or quick to fix flaws in sensors. “Engineers know it takes years to design,” she said, “and it can take 25 to 35 years to replace the architecture” of ICS equipment. She ought to know – she was formerly global head of industrial security services at Siemens, a leading manufacturer of power generation and transmission systems.

In her blog post, she called for implementing what is practical and feasible – the kind of “security hygiene” steps that would keep ICS from being the “low-hanging fruit” that it is now. Things like patches, really taking network segmentation seriously, and giving IT professionals visibility into the networks.

What has hampered that, she wrote, has been a failure to “bridge the gap” between IT and engineering staff, each of whom, “approach the world with different viewpoints, backgrounds and missions.” Engineers, she noted, focus on keeping things physically safe and running. Anything that impedes that, they reject.

She also said government regulatory frameworks and standards are, in many cases, not practical. One example she cited was the push for “air-gapped” networks. It sounded good, she said, but it interfered too much with efficiency and the needs of the business. “As a result, air gaps now have one thing in common with unicorns – they don’t exist,” she wrote.

But just doing security basics would help. “You have to start somewhere,” she said.

Weiss contends it is possible, and necessary, to be both more aggressive and creative. Part of the problem, he said, “is a failure of imagination. When you look at the bad guys, they really are bad guys. We need to think like bad guys.”

But the two agree that there needs to be better communication between operations and IT. “We’ve got to have engineering in the same room when IT comes in and says this is what I want to do,” Weiss said. “Every time there’s an important meeting in DC on cybersecurity, GE and Siemens aren’t there.”

And both agree that the risk of something really serious happening is growing. “We know these (ICS) networks are exposed,” Antova said. “They are resilient and have safety measures, but for a skilled hacker, it’s not that hard to fool safety equipment.”

The real menace, she said, is that ransomware like WannaCry and Petya is not just in the hands of nation states, but “in the hands of every crazy person. I don’t think people realize how poor the cyber hygiene is.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/APcVFtuXsPc/

What weighs 800kg and runs Windows XP? How to buy an ATM for fun and profit

Aug
18

BSides Weighing in at 800kg, secondhand, freestanding ATMs – a “safe with a computer on top” – are a logistical nightmare to own and research, security boffin Leigh-Anne Galloway warned delegates at the BSides Manchester infosec conference yesterday.

Security boffin Leigh-Anne Galloway, cat and pieces of ATM… (screen grab from the BSides Manchester talk video)

Galloway, Positive Technologies’ security resilience lead, explored various ways to purchase an ATM including through a seemingly cancelled eBay auction and a quickly discarded plan to drive a leased machine from Moscow before discovering that it is easier to get one through the regular market in the UK. Suppliers are used to selling in bulk to banks but they will sell to firms providing they set up a line of credit.

Galloway’s logistical problems kicked in after the purchase of an NCR “Personas 77” ATM for £2,600 (before tax). Most courier firms wouldn’t move it, and Positive Technologies’ third-floor UK office had a lift rated only to 600kg. “Part of the security of these devices is their immovability,” Galloway explained. “They are designed to be brought somewhere and to stay in situ”.

Four out of five cash machines still run Win XP or Win XP Embedded.

The security researcher’s house is a converted warehouse. The ATM was initially brought there – moving it damaged her floor – before it was left outside, protected from the elements by pond liners. It later found a home in a car park outside Positive Technologies’ offices.

Galloway reports that in both locations, neighbours asked when the device would be operational.

The ATM was initially left outside, protected from the elements by pond liners, later finding a home in a car park… (screen grab from Leigh-Anne Galloway’s BSides Manchester talk video)

To make the ATM more practical to transport, Galloway and colleagues cut off its base with an angle grinder. The safe element is typically concrete and steel and cutting through that with industrial-grade kit allowed the team to halve its weight.

ATMs can be compromised and used to jackpot cash, skim cards and even infect banking networks. Having gained access to the front of the machine, a criminal can access USB ports within the device to perform various attacks. These include forcing the machine to dispense cash and installing malware to skim card details.

ATM logic attacks involving malware started in earnest in 2009, with the “Skimer” trojan. Ever more sophisticated malware has been developed in the years since.

Crooks typically look for people with legitimate access to the ATM, such as a bank employee or a contractor responsible for ATM maintenance, who can be bribed to compromise machines and install the malware. Once the necessary ATMs have been infected, the criminals proceed to the cash withdrawal phase. Mules have to physically come to the ATM and take the cash.

There are also attacks that focus on bypassing the ATM’s computer altogether, so encryption should be enforced between the computer and the dispenser. Galloway added, “While ATMs made in the last six years will likely have this, any manufactured pre-2011, of which there are many in use today, should be fitted with an ‘after-market’ device that monitors the current between the dispenser and PC for anomalies. These devices typically retail at £150.”

Banks should install and properly configure application control software to monitor software integrity, allowing only whitelisted programs that have been checked for unauthorised modifications.

Although Galloway said she’d learned a lot from the project, which helped her firm secure consultancy work with Wincor, she said she “would not recommend” it to others because of the logistical problems and general hassle involved. At the end of the exercise, Galloway was saddled with the device. “An ATM is for life, not just for infosec,” she concluded.

A trailer for Galloway’s talk, Money Makes Money, How To Buy An ATM, can be found below. ®


Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/atm_purchase/

Q: How many drones are we bombing ISIS with? A: That’s secret, mmkay

Aug
18

The Information Tribunal has rejected an appeal by campaigners trying to find out how many British Reaper drones are being used for warlike missions in the Middle East.

The Tribunal ruled that the Information Commissioner’s Office (ICO) was right to reject anti-drone campaign group Drone Wars UK’s Freedom of Information request seeking to find out how many RAF MQ-9 Reaper drones are being used to bomb Islamic State in Iraq and Syria on March 1, 2016.

As Chris Cole of Drone Wars pointed out in his appeal, the Ministry of Defence routinely publishes the number of conventional, manned aircraft being used for warlike operations abroad, and released detailed numbers of Reapers being used in Afghanistan and their main base location at Kandahar Airfield.

Cole’s appeal was heard under parallel legal rules that apply for national security hearings, where most of the normal procedures about openness and transparency of evidence simply do not apply. This even extends to having two parallel judgements: a non-binding “open” one that is made available to the public, and the actual “closed” judgement, which is kept secret from everyone except the government and the judge who writes it.

In theory the open judgement is a bowdlerised version of the closed judgement. In practice the closed judgement can say anything.

Rejecting the FoI request, the ICO said that revealing the number of drones being used would prejudice “the capability, effectiveness or security” of the drone units, as well as being likely to prejudice “the promotion or protection by the United Kingdom of its interests abroad” – two of the reasons the State can use to refuse disclosure of information, as permitted under sections 26 and 27 of the Freedom of Information Act 2000.

The MoD successfully argued to the ICO that disclosing the number of drones being used “would be likely to assist opposing forces in building up a detailed picture of UK tactics and strike capabilities”, allowing enemies to figure out how to counter them. Supporting the MoD, the Information Commissioner herself, Elizabeth Denham, vigorously agreed with the government department’s view that revealing how many drones were flying over Iraq and Libya would create “a real and significant risk” of prejudicing the RAF’s operations.

Denham told the tribunal she could not disclose the evidence that led her to come to this conclusion, saying only that there were “differences” between the Afghanistan deployment and the more recent Syria and Iraq drone deployments. She also argued that there was little public interest in the number of Reapers being used to bomb Islamic State being disclosed, claiming that this would not help in “informing a debate about the use of Unmanned Aerial Vehicles (UAVs)”.

Group Captain Mark Flewin of the MoD’s Permanent Joint Headquarters at Northwood, Middlesex, giving evidence for the MoD, claimed the RAF’s Reapers are “intelligence, surveillance and reconnaissance assets” before conceding that their available munitions include laser-guided bombs and Hellfire anti-tank missiles.

An RAF Reaper famously used its weapons to kill British Islamist terrorist Reyaad Khan in Syria during August 2015, while his fellow Brit, Junaid Hussein, was eventually killed by American drones after a bungled first attempt killed three civilians.

Flewin was questioned by the tribunal about an MoD press release that described how “two Tornados joined the existing eight earlier this week and six Typhoon aircraft were introduced” to anti-Islamic State bombing operations from RAF Akrotiri at Cyprus. Asked whether this was not the same type of information that Cole was asking for, the group captain described the precise figures in the press release as “generic numbers”.

The tribunal ruled in favour of the MoD and dismissed Cole’s appeal. It also refused to disclose whether the USA “had been given an effective veto over disclosure”, something Flewin was asked about in a closed session that Cole was excluded from.

“Drawing on an analogy from World War 2, it can be readily understood why, for reasons of boosting morale at home and seeking to undermine that of the enemy, the government would have been keen to release the news that, on a particular night, a specified number of Lancaster bombers flew a mission over Berlin,” ruled tribunal judge Peter Lane. “It would, however, be entirely understandable why the government would be reluctant to reveal how many Lancaster bombers it actually had at its disposal on that particular night. By the same context, question (a) is directed at the number of RAF Reaper UAVs that were available to the RAF on 1 March 2016.”

Part of the three-judge tribunal’s unanimous decision that the public interest was not strong enough to order disclosure rested on reasons given in its closed judgement. Judge Lane, accompanied by Paul Taylor and Anne Chafer on the bench, did not even give a summary in the open judgement of the tribunal’s reasoning for this decision.

Speaking to The Register today by email, Cole speculated that the MoD may be struggling to recruit enough personnel to fly and maintain its drone fleet and so opposes disclosure because this would reveal whether that is the case.

He added: “The other, and probably overlapping explanation, is that the government simply wants to be able to deploy armed drones on covert operations overseas and does not want to seek Parliamentary approval, as [has] become the convention. Publicising the number and location of UK drones in operation today would set a precedent and make it harder for the government to refuse such details in the future.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/info_tribunal_drone_isis_bombing_numbers_refusal/

So long and thanks for all the phish: Red teams need to be smarter now

Aug
18

BSides The opening talk at BSides Manchester on Thursday examined how red team tactics are evolving beyond phishing to include a wider variety of methods.

For example, internet-facing ADFS (Active Directory Federation Services) endpoints can be abused to gain entry to corporate environments without needing to trick staff into opening booby-trapped emails. Alternatively, pushing fake Skype updates through recently expired Microsoft domains offers another attack technique, according to security researchers Dominic Chell and Vincent Yiu. The pair showed how a tool called LinkedInt could be used to scrape the professionals’ social network LinkedIn during reconnaissance.

Red team penetration testing emulates a real-world attack against a company to evaluate the effectiveness of its security defences. It’s wider in scope than regular pen-testing exercises, which normally focus solely on specific corporate resources such as a range of IP addresses.

As defensive technologies and detection capabilities improve, red team aggressors must evolve, adapting their tactics to avoid the spotlight shone by the blue (defence) team.

Chell and Yiu examined the most significant advances in red team tactics over the past 12 months. In addition to public research, the duo detailed some of the research performed by MDSec’s ActiveBreach team. Specifically, the research included domain fronting, using high-reputation domains to evade controls such as proxy categorisation in the course of exfiltrating data. The presentation also covered how popular (and expensive) malware protection sandboxes can be bypassed.
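One defensive check for the domain fronting technique mentioned above, written here as an added example (not code from the talk, MDSec or The Register): fronting presents a high-reputation domain in the TLS SNI while the inner HTTP Host header names the real backend on the same CDN, so a TLS-inspecting proxy can flag requests where the two disagree. The log format, field names and sample lines are constructed for this example and assume the proxy records both values.

```python
"""Flag possible domain fronting by comparing TLS SNI against HTTP Host.

Assumption (constructed for this example): each proxy log line is
  <timestamp> <client_ip> <dst_ip> <tls_sni> <http_host> <bytes_sent>
and comes from a proxy that terminates TLS, so the Host header is visible.
"""
from dataclasses import dataclass

# Constructed sample log; line 2 shows a fronted request (reputable SNI,
# different Host) carrying a large upload, the pattern used for exfiltration.
SAMPLE_LOG = """\
2017-08-18T10:01:02Z 10.0.0.5 203.0.113.10 cdn-front.example.net cdn-front.example.net 1532
2017-08-18T10:01:09Z 10.0.0.5 203.0.113.10 cdn-front.example.net c2-backend.example.org 88213
2017-08-18T10:02:15Z 10.0.0.7 198.51.100.4 www.example.com www.example.com:443 412
2017-08-18T10:03:40Z 10.0.0.9 203.0.113.10 images.example.net Images.Example.net. 9001
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    sni: str
    host: str
    bytes_sent: int


def _normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and an explicit port so that
    'Images.Example.net.' and 'www.example.com:443' compare as expected."""
    return name.lower().rstrip(".").split(":", 1)[0]


def find_fronting(log_text: str) -> list[Finding]:
    """Return one Finding per request whose Host header does not match
    the SNI it was sent under, sorted so the largest transfers come first."""
    findings = []
    for line in log_text.splitlines():
        ts, client, _dst, sni, host, nbytes = line.split()
        if _normalize(sni) != _normalize(host):
            findings.append(Finding(ts, client, sni, host, int(nbytes)))
    return sorted(findings, key=lambda f: f.bytes_sent, reverse=True)


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip}: SNI={f.sni} Host={f.host} bytes={f.bytes_sent}")
```

A mismatch alone is not proof of fronting (some CDN configurations legitimately differ), so the bytes_sent field is kept to prioritise large outbound transfers for analyst review.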

Chell predicted that over the next year we will witness a greater focus in red teaming on defensive tech evasion such as approaches to defeating Windows 10’s Device Guard and Credential Guard as the technologies become widely deployed.

Chell and Yiu’s talk opened the one-day security conference, attended by around 500 pen-testers, app developers and other infosec pros. The conference closed with a plea that white-hat hackers need to go beyond being engineers to become teachers, diplomats and negotiators as computer security issues and concerns become more mainstream. The plea was delivered by Charl van der Walt in a talk entitled Return of the Jedi – Considering the role of the Security Professional in Extraordinary Times. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/red_team_tactics/