Tor pedos torpedoed again, this time Feds torpedo four Tor pedos – and keep how they unmasked dark-web scumbags under wraps

The FBI is keeping quiet how exactly it brought down a Tor-hidden pedophile haven, having secured decades-long prison sentences for four of the website’s administrators.

Three men from the US and one from Canada were sent down for 20 to 35 years each for running a .onion site called The Giftbox Exchange, used by warped perverts to trade child sex abuse images, prosecutors announced today. At the time of its shutdown, we’re told, the dark-web website, which was hidden on the Tor anonymizing network, had 72,000 registered users and 56,000 forum posts that were categorized by the age range of the victims.

Patrick Falte, 29, from Franklin, Tennessee, was found to be the creator of the site and given 35 years in the clink along with a lifetime of supervised release. He was said to have run the site from 2015 to 2016 as a members-only swap shop with server hosting costs paid for in cryptocurrency. As administrator, Falte required users to upload images or footage of children being sexually abused to the site before getting access to the forum.

In announcing the prison terms, federal prosecutors noted the lengths the vile group went to in order to hide their activity from the Feds. In addition to concealing the website’s whereabouts and traffic on Tor, and opting for cryptocurrency payments, prosecutors said the group used “other advanced technological means to thwart law enforcement efforts, including file encryption and cryptography”.

The exact details on how Uncle Sam’s g-men unmasked the exchange’s sick masterminds remain a secret, however, as the relevant court documents are sealed. If past cases are anything to go by, the FBI may have used what its special agents call a network investigative technique – a webpage script, Flash file, or malware, potentially – to identify the .onion server’s true public IP address, or the public IP address of its administrators or users. The crime-fighters may have developed other ways to pinpoint Tor denizens.

The FBI seeks to keep this information secret to prevent scumbags from adjusting their methods to evade detection.

“The Giftbox Exchange proved a haven for sophisticated predators to produce and spread deplorable depictions of child sexual abuse,” said assistant AG Brian Benczkowski of the Justice Department’s criminal division.

“These sentences affirm that layers of anonymity on the dark web will not prevent the Department of Justice from identifying and holding accountable those who exploit children.”

Falte and another site administrator, Benjamin Faulkner, 28, from Ontario, Canada, were also given life sentences for their role in the abuse of a minor in a separate case, making their supervised release requirement likely a moot point.

Two other Giftbox Exchange administrators, Andrew Leslie, 24, of Middleburg, Florida, and Brett Bedusek, 35, from Cudahy, Wisconsin, were given 30 and 20 years in prison, respectively, for their roles as moderators and members of the pedo cyber-lair. Leslie was also found to be operating another child sex abuse image site, again on the Tor anonymizing network.

The prosecutors are revealing little about how they were able to track down the administrators through Tor, which obfuscates the public IP addresses of its users and so-called hidden services on the network by routing their connections through a maze of nodes. It is shared by a mix of pro-privacy netizens, journalists, activists, criminals, and others.

Many documents in the Giftbox case, including the original complaint, were filed under seal and remain locked off from public view. The FBI has in the past sought to reveal as little as possible about its methods for tracking dark web sites, to preserve ongoing investigations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/12/tor_pedos_jailed/

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let’s Encrypt

CA/Browser Forum – an industry body of web browser makers, software developers, and security certificate issuers – is considering slashing the lifetime of HTTPS certs from 27 months to 13 months.

The plan, floated at a meeting by Googler Ryan Sleevi earlier this year and still in its draft stages, comes just one year after the lifetime maximum for certificates was lowered from 39 months to 27 months. There is no word yet on when a vote may take place.

HTTPS certificates are, essentially, used to encrypt connections between browsers and sites, and help software determine that no one is tampering with or eavesdropping on those connections.

Reducing the amount of time a TLS/SSL certificate is valid means websites must renew their certs more often. This will, it is hoped, force them to use certificates with the latest and greatest recommended cryptography and hashing, rather than hang onto aging certs that use insecure algorithms. The short lifespan could also, in theory, help to cut down on fraudulent activity, as stolen certs would become useless sooner, and abandoned sites would see their certs expire faster.

This is not the first time such a plan has been floated. Back in 2017, the CA/Browser Forum voted down a proposal that would have sought to cut certificate lifespans from 39 months to 13 months.

In the background to all this, Let’s Encrypt is continuing to enjoy a meteoric rise: it issues free 90-day HTTPS certs that can be automatically renewed and deployed using a provided software client. Let’s Encrypt TLS/SSL certificates are supported by pretty much all browsers and operating systems, and the service is putting immense pressure on certificate authorities that charge people for HTTPS certs.

Digicert’s Timothy Hollebeek is among those who oppose the move to cut the lifetime of certs to 13 months. He argued on Monday this week that the perceived benefits of shorter certificate lifetimes will be offset by the added costs and headaches companies would encounter by having to renew their paid-for certificates roughly once a year.

In other words, slashing the lifetime may drive organizations into using Let’s Encrypt for free, rather than encourage them to cough up payment more regularly to outfits like Digicert. Digicert and its ilk charge, typically, hundreds of dollars for their certs: forcing customers to fork out more often may be more of a turn off than a money spinner.

“Rapidly reducing certificate lifetimes to one year, or even less, has significant costs to many companies which rely on digital certificates to protect their systems,” Hollebeek said. “These costs are not offset by any significant security improvement, and these changes have no impact on bad actors who are engaged in illegal activity or impersonating legitimate companies.”

Hollebeek also called into question the security benefits of the shorter lifespan, suggesting there are better ways to make sure certificates are current and safe.

“We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes,” Hollebeek writes. “The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/13/site_certificate_lifetimes/

Security Flaws Discovered in 40 Microsoft-Certified Device Drivers

Attackers can use vulnerable drivers to escalate privilege and execute malicious code in every part of the system.

Attackers have learned that vulnerabilities can hide in the gaps: gaps between components of a system or gaps in a process or procedure. A researcher last week at DEF CON in Las Vegas showed that device drivers — the small utility applications that allow particular pieces of hardware to work with an operating system — can bridge critical gaps for legitimate hardware and malicious hackers alike.

Jesse Michael and Mickey Shkatov, both of Eclypsium, based their research on the fact that while drivers allow communication between software and hardware, they also facilitate communication between the so-called user mode and the OS kernel. And since they operate at the permission level of the kernel, they indeed can be very powerful tools.

Malware that exploits drivers isn’t new, and the simple fact that a driver vulnerability is being exploited isn’t novel. There have been numerous campaigns, most recently last year’s LoJax malware ascribed to Sednit, which employed driver exploits.

In Michael and Shkatov’s research, though, they found more than 40 drivers from at least 20 vendors — including every major BIOS vendor — had vulnerabilities. More important than the basic number was that every vulnerable driver they discovered was certified by Microsoft, nullifying one of the most basic protection mechanisms in place for Windows systems.

Each of the vulnerabilities found facilitates privilege escalation from Ring 3 to Ring 0: at this privilege level, attackers can perform kernel virtual memory access, physical memory access, MMIO access, MSR access, control register access, PCI device access, SMBUS access, and much more.

In their presentation, the researchers showed several attack scenarios, from exploiting a driver that exists on the system but is not yet loaded, to malware that brings its own drivers with counterfeit signatures. In each of these cases, the drivers, once loaded, can carry malicious kernel patches, illicit reads and writes of specific memory locations, modifications to Unified Extensible Firmware Interface (UEFI) and device firmware, and other actions that would facilitate complete system takeover.

The researchers pointed out that an attacker would need access to the system prior to exploiting a driver vulnerability. Once the initial infection is accomplished, however, the driver exploit could be a very persistent method for privilege escalation and exploit execution.

Michael and Shkatov first reported their findings to Microsoft and other vendors. Microsoft and some of the affected vendors already have issued patches for known issues, while others have not responded to the researchers.

Whether a particular vendor has patched their drivers or not, Michael and Shkatov pointed out, Windows will still allow older, unpatched drivers to run on a system, leaving risk in place until the latest version of Windows 10 is running with its new drivers.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/security-flaws-discovered-in-40-microsoft-certified-device-drivers--/d/d-id/1335501?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Show How SQLite Can Be Modified to Attack Apps

New technique involves query hijacking to trigger a wide range of memory safety issues within the widely used database engine, Check Point says.

The near-ubiquitous presence of the SQLite database on desktop and mobile operating systems makes it an attractive target for attackers. However, efforts at finding and exploiting vulnerabilities in the database engine have focused mostly on WebSQL and the browser layer alone.

Researchers at Check Point Software Technologies have developed a new technique that shows how attackers can reliably trigger and exploit a wide range of memory safety issues in the SQLite engine using nothing other than the SQL language. It is the first research to show how SQL queries can be modified and used to execute malicious commands in applications that use SQLite to store data.

At the 2019 DEF CON hacker conference last week, researchers from Check Point demonstrated how someone could use the technique to bypass Apple’s Secure Boot mechanism and gain administrative-level access and persistence on Apple’s latest iPhones. They also demoed how to execute code remotely and take control of a server running PHP7 by infecting their own device with password-stealing malware.

The research shows that querying a database may not be as safe as assumed, Check Point researcher Omer Gull said. “Defenders should now take into consideration the fact that simply querying a database might have disastrous consequences and act accordingly,” Gull said. “Attackers can now leverage the use of SQLite database for their own malicious intent.”

SQLite is by far the world’s most widely deployed database engine, with many billions of copies in use currently. SQLite is embedded in every Android, iOS, and iPhone device; every Mac; every Windows 10 system; and every Chrome, Safari, and Firefox browser. The database is present in Skype, iTunes, Dropbox clients, smart TVs, set-top boxes, and multimedia systems.

Up to now, though — from a security standpoint, at least — SQLite has been examined only through the lens of Internet browsers, Gull noted. “However, this is just the tip of the iceberg,” he said. Because of how widely SQLite is used, there are multiple other opportunities for exploiting it.

Check Point researchers decided to see whether they could find, and how they could exploit, memory corruption issues within SQLite using just SQL. The research showed it is possible for attackers to essentially hijack queries in an SQLite environment and inject code of their own into it to trigger errors or to execute malicious actions in applications reading the data.

Check Point found attackers could leverage these issues to gain administrative privileges, create a persistent backdoor, and execute code remotely. “We found several vulnerabilities within the most popular database engine in the world,” Gull said. “Not only [did we uncover] those weaknesses but [we] also developed several techniques of exploitation.”

Trusted and Untrusted SQL Input
The takeaway for the industry as a whole is that the boundaries of what constitutes trusted and untrusted SQL input need to be revisited, Check Point said.

At DEF CON last week, Check Point researchers demonstrated two real-life scenarios involving their technique. In the first scenario, the researchers deliberately infected their device with password-stealing malware and then showed how they could execute code on the malware author’s command and control servers to take over the crooks’ systems.

The second demo focused on the iPhone iOS. By replacing a certain database on the device, the researchers were able to both gain administrative privileges and create a persistent backdoor capable of surviving across reboots. “These two capabilities bypass Apple’s hard work on their sandbox and secure boot mitigations,” Gull said.

Apple earlier this year issued patches against the vulnerabilities exploited (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, and CVE-2019-8577) in the SQLite attack that the Check Point researchers demonstrated last week.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/researchers-show-how-sqlite-can-be-modified-to-attack-apps/d/d-id/1335500?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DEF CON Voting Village: It’s About ‘Risk’

DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process.

When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event.

The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren’t many surprises – nor did the organizers expect many – at this year’s Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems.

“DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It’s about making sure we understand the risk,” Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week.

Hursti as well as other security experts, government officials, and hackers at this year’s event doubled down on how best to secure the 2020 US presidential election: ensuring there’s an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.

Christopher Krebs, director of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), told Dark Reading in an interview at DEF CON that one of his top priorities over the past two and a half years has been to ensure CISA understands the election jurisdiction community and how best to help them security-wise. Krebs, who joined CISA in 2017, said election security was the last thing he expected to be working on when he took the helm of the agency, and it was eye-opening.

“When you put a local jurisdiction in the far-flung regions of the upper peninsula of Michigan facing the Russian GRU threat … that’s not a fair fight,” he told attendees at the Voting Village. “We had to figure out what problems the US federal government can help with from a cyber and physical” perspective to help local and state election bodies, he said.

He pointed to DHS’s formation of the Election-ISAC, of which all 50 states and around 1,400 local election jurisdictions are now members. CISA has also helped provide training and tabletop exercises: “We’re raising the understanding of what bad guys are doing and not” merely providing indicators of compromise, he said.

Krebs said he feels optimistic about the direction CISA’s relationship is taking with state and local election officials, but the agency has more work to do: there are some 8,800 voting jurisdictions in the US, so the 1,400 is a drop in the bucket for now. His agency is exploring how to provide “vulnerability management in a box” for these jurisdictions, as well as providing remote penetration testing and helping with coordinated vulnerability disclosure programs.

It’s about building confidence and understanding about how best to protect the election, he said. He worries, though, about the threat of disruptive attacks on the 2020 election that could shake trust in the election system. “We need to have resilience in place,” he said. 

Most election security experts say it’s less likely that Russia or another nation-state will attempt a massive attack on the election systems: they worry more that a small attack, a disruption, or even the appearance of one could shake the confidence of the electorate in the system. Hacking the mindset of the electorate, they said, would be a simpler and possibly more effective attack.

Brian Varner, a special projects researcher with Symantec who formerly worked for the National Security Agency, explained that such an operation could begin with a breach and manipulation of election results in cloud-based storage. News outlets poll and pull election results that are stored in cloud buckets, and report them as the polls close. “There’s a rush to call it [the election] first. What if I [as an attacker] compromised their cloud services buckets?” Reporting phony results could manipulate voters and instill doubt in the election system, he says.

What the Voting Village Hackers Found

Among the highlights of this year’s DEF CON Voting Village findings were the usual poor security features, or lack thereof, of IoT systems:

  • Voting machine giant ESS’s Express Poll pollbook uses the vendor’s name as the password and stores maintenance credentials in plain text
  • The ESS Automark 300 supervisor and admin password was discovered via an Internet search
  • Accuvote’s Optical Scanner can be opened after the polls close, allowing an attacker to add votes that appear to have been cast during the election timeframe
  • Dominion’s ImageCast Precinct system contains an exposed flash card with a file that could be abused to redirect votes to a different candidate

Jeff Williams, CTO of Contrast Security, says while the Voting Village is interesting, performing more structured security analysis is more difficult and of course time-consuming. “Anyone can find vulnerabilities [in these systems]. It’s not very hard,” he said.

But a deeper understanding of an election system security posture is not so straightforward: “I haven’t seen a well-developed threat model” for election security, he said. “There’s nothing to measure it against, so how do you know if you’ve addressed every threat?”

That requires writing down a list of those threats and looking at the entire election ecosystem, he said, including how the systems and components are connected, the possible threats to them, and the people who might hack or touch them, including the manufacturers and the volunteers who handle the machines, for example.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/def-con-voting-village-its-about-risk-/d/d-id/1335504?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hacking 4G hotspots – when did you last update?

Well-known device hacking researchers at cybersecurity company Pen Test Partners have just published an article summarising the 4G hotspot hacking research they presented at last week’s DEF CON event.

Simply put, a 4G hotspot is a miniaturised, battery-powered, SIM-card-equipped equivalent to your home router.

Home routers typically plug into a mains adapter for power, plug into your phone line or a cable connection for internet connectivity, and accept Wi-Fi or wired network links from your laptops, desktops, smart TVs and so on.

In contrast, 4G hotspots are typically pocket-sized devices, often shaped like a small soap bar, that don’t plug into anything except to charge up their internal battery, usually via a 5V USB port.

Most mobile phones, in fact, include a hotspot feature so that you can share the phone’s 4G connection via the Wi-Fi card in the phone, but self-contained hotspots are still popular, not least because they make it easy to keep your voice and data charges separate.

Indeed, many mobile phone providers offer special deals with a hotspot device and a pre-paid data SIM for home users who can’t or don’t want to get a phone line or cable hookup at home.

But what about firmware upgrades? What about security? Just how safe is the average soap-bar hotspot?

After all, lots of people take hotspot devices with them on the road specifically to steer clear of unknown and untrusted access points in coffee shops, shopping malls and hotels.

In theory, getting hacked via a Wi-Fi connection you control yourself that talks back directly to the mobile network ought to be less likely than getting hacked via someone else’s Wi-Fi connection.

You can choose your own hotspot password and security settings, instead of relying on a router behind someone else’s shop counter that was set up by who-knows-whom with a configuration of who-knows-what and last updated who-knows-when.

In practice, however, your own hotspot device is only as secure as the settings you choose; only as secure as the latest firmware upgrade you installed; and ultimately only as secure as that latest firmware version itself, which is typically decided for you by your mobile provider.

How well do microrouters stack up?

Bugs in home routers and other Internet of Things (IoT) devices are, unfortunately, something we’ve written about rather frequently in the past few years.

There are lots of reasons why IoT devices don’t always have the baked-in security we might expect, including:

  • IoT devices are often built down to a price. A $20 webcam or a router that’s “free on connection” doesn’t leave a lot of money for the vendor to spend on security.
  • Ease-of-use often trumps function and security. In a competitive and crowded market, devices that force you to answer security questions before they work at all often lose out to ones that “just work”.
  • Devices made in vast numbers often sit in the supply chain some time. By the time you buy an IoT device, the built-in firmware might be many versions and numerous security fixes behind.

Unfortunately, as Pen Test Partners discovered, several hotspot vendors hadn’t got security right on their hotspots, notably in the web interface that the hotspot uses for setup and configuration (and, ironically, often for updating).

Like the average home router, portable hotspots don’t have screens or keyboards of their own, so they rely on running a small web server for their user interface, and these web servers often rely on potentially insecure ways of letting you trigger commands remotely.

Many stripped-down web servers run local operating system commands simply by taking input from a web form, such as a Wi-Fi network name or a network password, and passing that input as a text string to the operating system’s command shell.

If the web server isn’t careful about the characters it lets through, the command that runs could end up doing more than you bargained for – and those commands often need to (sometimes inadvertently) run as root, meaning that they have full-blown sysadmin-level control.

For example, if you combine the input mynetwork with the Linux command iwconfig, which is short for “internet wireless configuration program”, you can set the desired network name like this:

iwconfig wlan0 essid mynetwork

But if you let the user enter a sneaky network name like net; echo 'do command of my choice' and let the semicolon character through, then the command turns into:

iwconfig wlan0 essid net; echo 'do command of my choice'

And that is just shorthand for two successive commands, because the semicolon is a special character that lets you combine two or more commands onto a single line for convenience.

Thus you are inadvertently allowing users to both specify a network name and to issue a command of their own choosing, which could do pretty much anything they like.

Above, we just used the echo command to print out a text string, but a crook could have used a command that created an extra account, fired up a server process you don’t want, zapped files you wanted to keep, removed your firewall rules, stole passwords or other data, and much more.

Bugs found

Pen Test Partners ended up reporting bugs in a number of different devices, including named devices from ZTE, Netgear and TP-Link.

The company also wrote that it:

[didn’t] talk about quite a few other issues we found in other devices in this particular talk.

(Watch this space in case future holes come to light!)

Note that some of these bugs are what’s known as ‘post-authentication’ flaws, meaning that until you’ve logged in to the hotspot web interface yourself via its web server, the bugs can’t be triggered.

That makes them sound harmless, except that many bugs that can be activated by a link in a web page can in theory be activated by any web page that a crook can lure you to.

That’s because the URL of your router is often easy to guess, given that many devices use easy-to-remember IP numbers such as 192.168.1.1 (this number is one of a range specially reserved for home and business networks).

Other routers automatically redirect server names such as http://vendorname to the router so that you can easily “find” the router on your own LAN without remembering a raw IP number. (In theory, domain names should always have at least two parts, such as example DOT com, so a domain name consisting of a single word that’s easy to remember seems fair game for “magic” redirections like this.)

In other words, crooks can very easily guess valid URLs on the local-area network side of your router (what’s known as your LAN), even if they’re sending those URLs from the wide-area network (WAN) side of your router.

If crooks can guess your router’s URL, then you are at risk of being exploited, or even made to issue legitimate router commands without realising it, whenever you’re logged into your own router.

If you forget to log out when you’re done, and leave your browser open for hours or even days on end, you might inadvertently be in a “ready to issue router commands” mode a lot of the time!
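As an added, defender-side illustration (not Pen Test Partners’ code and not any vendor’s firmware), this is the kind of check a hotspot’s web server could apply to a state-changing request so that a guessed LAN URL embedded in an external page cannot drive the router while you are still logged in. The LAN_HOSTS list and the per-session token handling are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Names the hotspot's own web UI answers on. Assumptions of this example: the
 * article's guessable 192.168.1.1 and a "magic" single-word vendor name. Real
 * firmware would take these from its network configuration. */
static const char *const LAN_HOSTS[] = { "192.168.1.1", "vendorname", NULL };

/* Copy the host part of "scheme://host[:port][/path]" into out. Returns 0 on success. */
static int origin_host(const char *url, char *out, size_t outlen) {
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t n = strcspn(p, ":/");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Compare two tokens without stopping at the first mismatching byte, so the time
 * taken does not reveal how much of a guessed token was right. */
static int consttime_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Decide whether a state-changing request (the SSID form, a reboot button, ...)
 * may be acted on while the user's session cookie is still valid. Two checks:
 *   1. the browser-supplied Origin (or, failing that, Referer) must name the
 *      device itself, so a link on some external page is refused; a request that
 *      carries neither header is refused as well;
 *   2. the form must carry the per-session anti-CSRF token, which an external
 *      page cannot read and therefore cannot forge.
 * Returns 1 to allow, 0 to reject. Any argument may be NULL when the header or
 * field is absent. */
int request_allowed(const char *origin_header, const char *referer_header,
                    const char *form_token, const char *session_token) {
    const char *src = origin_header ? origin_header : referer_header;
    if (src == NULL) return 0;
    char host[256];
    if (origin_host(src, host, sizeof host) != 0) return 0;
    int own = 0;
    for (size_t i = 0; LAN_HOSTS[i] != NULL; i++)
        if (strcasecmp(host, LAN_HOSTS[i]) == 0) own = 1;
    if (!own) return 0;
    if (form_token == NULL || session_token == NULL) return 0;
    return consttime_equal(form_token, session_token);
}

int main(void) {
    /* Constructed requests: one from the device's own UI, one from a lured-to page. */
    printf("own UI, valid token:   %d\n",
           request_allowed("http://192.168.1.1", NULL, "t0k3n", "t0k3n"));
    printf("external page, token:  %d\n",
           request_allowed("http://evil.example", NULL, "t0k3n", "t0k3n"));
    printf("own UI, guessed token: %d\n",
           request_allowed("http://192.168.1.1", NULL, "guess", "t0k3n"));
    return 0;
}
```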

What to do?

  • Treat 4G hotspots as judiciously as you treat your phone. They may be cheaper and less powerful, with a fraction of the storage, but they are essentially phones without voice support. You need to keep them updated just as keenly as you update your phone.
  • Keep an eye out for bug reports. This means finding out which vendor actually made the hotspot device that you have. Mobile providers often brand the devices with their own logo, which can make the device model number and manufacturer hard to find. Check the manual, look through the web interface, or search online, for exact details.
  • Log out when you have finished. This advice applies to any online service, of course, including webmail and social media. But it’s easy to forget to log out after tweaking your router settings, which could leave you at the mercy of rogue ‘router specific’ web links embedded in otherwise innocent-looking external web pages.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bLbnSDKyWeU/

Plot twist: Google’s not spying on King’s Cross with facial recognition tech, but its landlord is

Britons working for Google at its London HQ are being secretly spied on by creepy facial recognition cameras – but these ones aren’t operated by the ad-tech company.

Instead it’s the private landlord for most of the King’s Cross area doing the snooping, according to today’s Financial Times.

“The 67-acre King’s Cross area, which has been recently redeveloped and houses several office buildings including Google’s UK headquarters, Central Saint Martins college, schools and a range of retailers, has multiple cameras set up to surveil visitors,” reported the Pink ‘Un.

King’s Cross is no longer just a London railway terminus and notoriously seedy neighbourhood. The area around the station, once infamous for the types of activities featured in Irvine Welsh novels, has been extensively redeveloped – with tenants now including Google (and YouTube), various other trendy offices, eateries and so on, to the point where it apparently has its own unique postcode.

None of this, however, excuses the reported deployment of creepycams by the developers. They told the FT (paywalled): “These cameras use a number of detection and tracking methods, including facial recognition, but also have sophisticated systems in place to protect the privacy of the general public.”

The Register has contacted the King’s Cross developers’ PR tentacle separately and will update this article if their promised response to our detailed questions is forthcoming.

Tech lawyer Neil Brown of decoded.legal told El Reg that any company running facial recognition cameras “needs to have not only a lawful basis under the GDPR, as is required for any processing of personal data, but also to have met one of the additional conditions for the processing of ‘special category’ data,” basing this, he said, on the assumption that creepycams’ encoding of peoples’ faces would probably count as biometric data under current data protection laws.

Broadly, he told us, whoever’s running the King’s Cross creepycams needs to be certain their use is legal under section 10 of the Data Protection Act 2018, which permits non-consensual data processing for the “prevention or detection of an unlawful act”.


Indiscriminate use of facial recognition technology in the UK is largely believed to be illegal, though nobody’s quite sure. So far the public conversation has focused upon the antics of police forces, which are very eager to deploy creepycams against the public, arguably in lieu of doing actual policing work. London’s Metropolitan Police deployed a system that was extremely inaccurate, not that it stopped them indiscriminately arresting people based on dodgy matches anyway.

Even though cross-party committees of MPs have called for creepycams to be banned until the risks and pitfalls are properly examined, British police forces have decided that Parliament can be safely ignored without any consequences, with the public forced to rely on controls and safeguards designed in the paper-and-ink days of the 1980s.

Rights group Privacy International commented: “The use of facial recognition technology can function as a panopticon, where no one can know whether, when, where and how they are under surveillance.

In London the creep of pseudo-public spaces, owned by corporations who can deploy facial recognition in what we believe are public streets, squares and parks, presents a new challenge to the ability of individuals to go about their daily lives without fear that they are being watched.

The police are subject to increasing scrutiny about the legality of their deployment of facial recognition, but the use in the commercial and retail sector has received insufficient attention and scrutiny.”

It added: “There is a lack of transparency not only about the use of this technology, but why it is being done, when it is being done, what happens to the images of people going to work, travelling to see family and generally going about their daily lives… These privacy intrusions are problematic regardless of whether or not you believe you have nothing to hide.”

So far, private sector use of creepycams hasn’t been part of the British national conversation about facial recognition tech. Thus, the developers of King’s Cross are about to become the first test case in the court of UK public opinion.

San Francisco became the first major city in the world to ban facial recog, back in May this year. ®

Updated to add at 1547 UTC, 12 August

When The Register asked how many cameras there were, who supplies them and exactly what the safeguards were, a spokesperson for King’s Cross instead decided to emit this quote: “In the interest of public safety and to ensure everyone who visits King’s Cross has the best possible experience, we use cameras around the site, as do many other developments and shopping centres, as well as transport nodes, sports clubs and other areas where large numbers of people gather. These cameras use a number of detection and tracking methods, including facial recognition, but also have sophisticated systems in place to protect the privacy of the general public.”

Sponsored:
Balancing consumerization and corporate control

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/12/facial_recognition_kings_cross_london/

US military swoops into DEF CON seeking a few good hackers for debut aviation pwning village

DEF CON For the first time, Vegas’s annual DEF CON hacking conference has an “aviation hacking village”, and the US military is scouting around there for a few good hackers to find bugs that its own hackers have missed.

“We’ve got some great hackers on our team and we’re proud of them,” Dr Will Roper, assistant secretary of the Air Force for Acquisition, Technology and Logistics, told The Register. “But we may not have the best, and that’s why we’re here. There’s a big pool of talent out there and bringing in fresh eyes could show us stuff that we’ve missed.”

Setting up the village and getting the necessary security clearances has been “eight months of pain,” one of the organisers told us, but judging by the scrum it’s certainly popular.

Low-key efforts have been underway for over a year now, and saw a carefully selected and vetted team of non-military US hackers let loose on an F-15 fighter’s systems back in November.

They found 22 software vulnerabilities in the aircraft’s operating system. While the aircraft isn’t internet-connected in the air yet, it will be: the new F-35 is intended to act as a data hub for other aircraft and the military wanted to make sure that this wasn’t going to cause issues. There’s also the worry that after the plane lands, malware nasties might be installed.

In the second round, a team of hackers is currently poring through the F-15’s systems to, firstly, check the old vulnerabilities have been fixed, and, secondly, find new ones that could cause problems in the future.


You can’t try this at home, kids

For infoseccers keen on trying their hand at aircraft hacking, the military has brought in Lego models of helicopters and cargo planes. These are linked to Arduino boards running avionics control systems, allowing anyone to come over and plug their laptops into them and try a bit of hacking.

The models are run by engineers at the Naval Air Station Patuxent River (PAX), who provide a basic instruction guide on the operating systems and then let the hackers loose. The idea is to find out vulnerabilities that could be exploited by a suicidal passenger in flight, or from devices installed by corrupt or turned engineers on the ground.

“Many aviation systems were built in the ’60s and ’70s and are very trusting,” explained PAX engineer Nick Ashworth. “They have been designed due to lessons paid in blood – PAX is full of streets named after flyers who have died on the job – but we want to make them better.”

Testing of individual avionics systems is also being carried out at the village. Red-teamers Pen Test Partners are in the village with a bunch of commercial aviation equipment salvaged from scrap yards and bought on the second-hand markets.

Ken Munro, a consultant for the biz, wants hackers to break out their equipment and see what new holes can be found in existing systems. This can be used to apply fixes and provide insights for the next generation of designs.

It’s also not just aircraft that are being tested at DEF CON, but the facilities that support them. A Lego model of a US airbase is in position for hackers to test their mettle against because the military is worried that industrial control systems are at risk.


We’ve lost control again

Scott Thompson, a supervisory control and data acquisition (SCADA) engineer from military contractor CACI, explained that the control systems used to handle things like an airbase’s power supply and infrastructure management systems are ancient in computing terms, in some cases 30 years old.

“We’ve found this software on the majority of our airbases and it’s not secure,” said Thompson. “The manufacturers are unwilling to alter the code to close up vulnerabilities because they work. So we’re looking to build security systems around them to lock off potential threats.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/12/defcon_aviation_village/

US still ‘not prepared’ in event of a serious cyber attack and Congress can’t help if it happens

DEF CON Despite some progress, the US is still massively underprepared for a serious cyber attack and the current administration isn’t helping matters, according to politicians visiting the DEF CON hacking conference.

In an opening keynote, representatives Ted Lieu (D-CA) and James Langevin (D-IL) were joined by hackers Cris Thomas, aka Space Rogue, and Jen Ellis (Infosecjen) to discuss the current state of play in government preparedness.

“No, we are not prepared,” said Lieu, one of only four trained computer scientists in Congress. “When a crisis hits, it’s too late for Congress to act. We are very weak on a federal level, nearly 20 years after Space Rogue warned us we’re still there.”

Thomas testified before Congress 20 years ago about the dangers that the internet could pose if proper steps weren’t taken. At today’s conference he said there was much still to be done but that he was cautiously optimistic for the future, as long as hackers put aside their issues with legislators and worked with them.

“As hackers we want things done now,” he said. “But Congress doesn’t work that way; it doesn’t work at the ‘speed of hack’. If you’re going to engage with it, you need to recognise this is an incremental journey and try not to be so absolutist.”

Three no Trump

He pointed out that the current administration was actually moving backwards, having placed less of a priority on IT security than past administrations. The session’s moderator, former Representative for California Jane Harman, was more blunt, saying that US president Donald Trump had fired his homeland security advisor, Tom Bossert, one of the most respected men in cybersecurity (Bossert actually resigned), and abolished his position.

Representative Langevin noted that the situation was improving. The US had been totally unprepared for Russian interference in 2016, he said, but the situation had improved by the 2018 elections and the intelligence agencies were ready for the 2020 election cycle.

“[Former US president Barack] Obama laid out a framework for a national incident response team,” he said. “That policy is in place, but as to whether it can be executed then we have to hope for the best, but we need to practice it, that’s the key thing.”

Langevin, a repeat visitor to DEF CON, appealed to the assembled security workers to get involved in helping to educate politicians and make them understand technical issues. It is a problem also close to Ellis’s heart.


Ellis, a Brit by birth, came to the US, identified the committees dealing with cybersecurity and started offering advisory services. She found that politicians were willing to listen.

“When I did this, people asked you in to talk,” she said. “They were crying out for people who could talk about cybersecurity. There is interest. It’s hard… but do your research.”

It’s not enough to sit on the sideline and moan, she told the crowd. Instead it’s time for the community to get out there and make a difference.

Lieu also said he was hopeful that hackers would take up the torch and warned attendees not to give up, because change could come in surprising ways.

“In politics everything seems impossible until it happens,” he joked. “10 years ago if you’d told me people in some states would be smoking legal weed I’d never thought it would happen. And yet here we are.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/12/defcon_politicians_hackers/

Printer pwnage, phone poppage, and apparently US Homeland Security needs security help

Roundup Here is your friendly summary of recent news from the front lines of information security beyond everything else we’ve already reported.

Our vultures have also spent the past week or so flying around Las Vegas, keeping a close eye on what is essentially hacker comic con. Follow these links for our Black Hat, DEF CON, and Bsides coverage, and stay tuned for more this week.

Printers still a security weak point

Xerox printers are rife with security bugs that can put the rest of the network at risk.

This from bug-hunters at the NCC Group, who this week disclosed a pack of eight CVE-listed security flaws in the popular line-of-business printers. The flaws range from a lack of cross-site request forgery protections to buffer overflow errors that could allow for remote code execution via the web interface.

While a printer getting pwned is not the worst of scenarios, it could become one should the printer be used as the starting point for a larger network breach. Additionally, printers have been popular targets for botnets.

ESET warns of porn-peeping malware infection

A newly discovered piece of malware looks to catch its victims in compromising situations.

ESET says that “Varenyky”, a spam and spyware combo that infects French-language systems, includes a set of instructions that will activate the system’s screen recording tools when the user searches for specific terms used while crawling porn sites (we’ll leave it to you readers to figure out what those are).

“It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its Command and Control server on the computer,” said Alexis Dorais-Joncas of the ESET Montreal R&D center.

“One of the most dangerous aspects is that it looks for specific keywords such as bitcoin and porn-related words in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server.”

Avaya phones dial “P” for pwnage

Bug-hunters at McAfee have found a decade-running security vulnerability in a popular line of Avaya VoIP phones.

The team said the Avaya 9600 series uses a specific open-source component in the H.323 software stack that Avaya branched for its own use back in 2009.

Shortly after the code was copied, someone found a vulnerability in the open-source tool that would allow for remote code execution. While the original component was updated to fix the bug, Avaya’s copy was not, and for the last 10 years the phones have been operating with an exploitable RCE bug.

Avaya has since issued an update to patch the flaw once and for all.

US government seeks contractor to help short-handed DHS security teams

The US Department of Homeland Security is looking to hire an outside contractor to help its agencies manage their information security operations.

A Federal Business Opportunities posting first spotted by NextGov outlines a program that would see the contractor help to staff the 17 unclassified security operation centers (SOCs) across its agencies.

That contractor, if the deal were to come about, would be charged with doing things like helping fill out staffing shortfalls in areas like vulnerability assessment, email security monitoring, and incident response.

“DHS envisions a multiple award contract vehicle under which each awardee is capable of delivering the full scope of services described in this statement of work,” the posting reads.

The DHS is still in the process of deciding the specifics of the contract, so would-be bidders have plenty of time to get their pitches together.

Ellucian off the hook for university hacks

Last month, the US Department of Education issued an alert warning that a flaw in the Ellucian Banner System software had been exploited to get into the networks of more than 60 US colleges and universities.

Now, however, the department is walking that claim back, saying that something else was responsible for the breaches, which implies the Ellucian software was not to blame.

“Our ongoing research with targeted institutions has led us to a broader concern regarding the front-end registration portals used by institutions,” the education bod says.

“Specifically, some institutions are using third-party software as front-end access points to the Ellucian Banner System and similar administrative tools.”

F-Secure uncovers BIG-IP vulnerability

Finnish security folks at F-Secure have issued a warning to companies using some F5 Networks load balancers following the discovery of a command injection flaw.

F-Secure said the vulnerability is present in the BIG-IP balancers, which use the Tcl programming language for their iRules commands. Apparently, Tcl contains a flaw that would let an attacker slip arbitrary commands into scripts.

“Adversaries that successfully exploit such insecurely configured iRules can use the compromised BIG-IP device as a beachhead to launch further attacks, resulting in a potentially severe breach for an organization,” F-Secure warned.

“They could also intercept and manipulate web traffic, leading to the exposure of sensitive information, including authentication credentials and application secrets, as well as allowing the users of an organization’s web services to be targeted and attacked.”
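To make the “insecurely configured iRules” point concrete, here is an added Python linter (example code, not F-Secure’s or F5’s) that flags the Tcl coding pattern behind this class of injection. It assumes standard Tcl behaviour the article does not spell out: `expr`, `eval` and `subst` re-parse their arguments, so an unbraced `expr $x + 1` where `$x` came from a request header lets any `[...]` command substitution inside that header value execute, whereas the braced form `expr {$x + 1}` does not; the two iRule snippets inside are constructed examples, not real F5 rules.

```python
"""Linter for the Tcl double-substitution pitfall in BIG-IP iRules.

Assumption (Tcl semantics, not from the article): `expr`, `eval` and `subst`
re-parse the string they are handed. If that string carries data from the
request (for example a header value) and is not wrapped in braces, a
`[command]` sequence in the data is executed by the load balancer itself.
Braced `expr {...}` is evaluated once, so the data is never re-parsed.
"""
import re

# Matches the start of a bracketed call to one of the risky commands and
# captures the first non-blank character of its argument.
_RISKY_CALL = re.compile(r"\[(expr|eval|subst)\s+(\S)")


def audit_irule(source: str) -> list:
    """Return one finding per risky call in an iRule.

    `expr` is reported only when its argument is not a braced literal;
    `eval` and `subst` are always reported because they exist to re-parse
    their input and need a manual review of where that input comes from.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # Tcl comment line
        for match in _RISKY_CALL.finditer(line):
            command, first_char = match.group(1), match.group(2)
            if command == "expr" and first_char == "{":
                continue  # braced expr: no second round of substitution
            findings.append({"line": lineno, "command": command,
                             "code": line.strip()})
    return findings


# Constructed iRule: header data flows into an unbraced expr (the risky form).
VULNERABLE_IRULE = """
when HTTP_REQUEST {
    set retries [HTTP::header "X-Retry-Count"]
    set next [expr $retries + 1]
    HTTP::header replace "X-Retry-Count" $next
}
"""

# Same logic with the expression braced, so $retries is never re-parsed.
HARDENED_IRULE = """
when HTTP_REQUEST {
    set retries [HTTP::header "X-Retry-Count"]
    set next [expr {$retries + 1}]
    HTTP::header replace "X-Retry-Count" $next
}
"""

if __name__ == "__main__":
    for name, rule in (("vulnerable", VULNERABLE_IRULE),
                       ("hardened", HARDENED_IRULE)):
        print(name, audit_irule(rule))
```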

VPNs (still) behaving badly

Last year, a report from Metric Labs’ Top10VPN found that many VPN apps are shady at best and a privacy nightmare in the worst case. An updated report from the same research team has found that, a year on, not much has changed.

Top10VPN’s Simon Migliano told El Reg that when he followed up the report six months on, 75 per cent of the offending apps were not only still being offered on the App Store and Google Play, but several were actually surging in popularity.

“Apple and Google ignored my request so I have published my findings in a comprehensive new report,” Migliano explained. “Since the publication, Apple have now agreed to look at the report but have yet to take any action.”

Cloud Atlas attack goes polymorphic

A long-running government hacking campaign called “Cloud Atlas” or “Inception” (depending on your taste in bad movies) has armed itself with a new set of capabilities in its efforts to get into machines in Eastern Europe and the Middle East.

Kaspersky reports that the hacking crew has added a new layer of polymorphic (self-changing) malware that not only shifts around its codebase to avoid detection, but also wipes the files used in previous stages to make its activity harder to detect.

If you’re one of the handful of governments in the area in and around Russia who are subject to this operation, you’ll want to give the report a close look. Everyone else, meanwhile, should probably be more concerned about the upcoming Patch Tuesday.

Study probes the *other* AWS data exposure trap

We all know by now that AWS S3 buckets are a treasure trove for data leaks thanks to incorrectly-configured storage instances. It turns out another AWS service, Elastic Block Storage, can also betray corporate data.

A DEF CON presentation from Bishop Fox showed that EBS instances can also be crawled to find sensitive corporate information and leave the door open for other data theft, with things like encryption keys, passwords, and in some cases entire backups all left sitting out in the open.

Admins would be well-advised to double-check their EBS configurations and make sure public access is severely restricted. ®
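As an added illustration of the EBS check recommended above (example code, not Bishop Fox’s or AWS’s), this Python script lists the snapshots owned by your account whose createVolumePermission attribute is shared with the `all` group, which is what makes a snapshot copyable by any AWS account. It assumes boto3 and AWS credentials for the live lookup; the classification is a pure function exercised on a constructed sample with placeholder snapshot ids.

```python
"""Find publicly shared EBS snapshots in the calling AWS account.

A snapshot is public when its createVolumePermission attribute lists the
group "all". The classification below is a pure function so it can be
checked offline; the live enumeration and the revoke step use boto3.
"""


def public_snapshot_ids(snapshot_attrs: dict) -> list:
    """snapshot_attrs maps snapshot id -> the CreateVolumePermissions list
    as returned by ec2.describe_snapshot_attribute(). Returns the ids that
    are shared with Group "all", sorted for stable output."""
    public = [snap_id for snap_id, perms in snapshot_attrs.items()
              if any(p.get("Group") == "all" for p in perms)]
    return sorted(public)


def collect_snapshot_attrs(ec2) -> dict:
    """Live lookup: walk every snapshot owned by this account and fetch its
    createVolumePermission attribute. Needs ec2:DescribeSnapshots and
    ec2:DescribeSnapshotAttribute."""
    attrs = {}
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            resp = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"],
                Attribute="createVolumePermission")
            attrs[snap["SnapshotId"]] = resp.get("CreateVolumePermissions", [])
    return attrs


def revoke_public_access(ec2, snapshot_id: str) -> None:
    """Mitigation: remove the "all" group from the snapshot's share list."""
    ec2.modify_snapshot_attribute(SnapshotId=snapshot_id,
                                  Attribute="createVolumePermission",
                                  OperationType="remove",
                                  GroupNames=["all"])


# Constructed sample mirroring the API response shape; ids are placeholders.
SAMPLE_ATTRS = {
    "snap-0a1b2c3d4e5f60001": [{"Group": "all"}],
    "snap-0a1b2c3d4e5f60002": [{"UserId": "123456789012"}],  # shared to one account
    "snap-0a1b2c3d4e5f60003": [],                             # private
}

if __name__ == "__main__":
    print("public in sample:", public_snapshot_ids(SAMPLE_ATTRS))
    # Uncomment to audit a real account (requires boto3 and credentials):
    # import boto3
    # client = boto3.client("ec2", region_name="us-east-1")
    # for snap_id in public_snapshot_ids(collect_snapshot_attrs(client)):
    #     print("PUBLIC:", snap_id)
```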


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/12/infosec_roundup/