STE WILLIAMS

GinMaster, unwanted Android apps and legit apps gone bad

Thursday began with Rowland Yu of SophosLabs Australia presenting “GinMaster : a case study in Android malware”. GinMaster is so named because of its use of the GingerBreak jailbreaking exploit to gain root privileges on compromised Android devices.

GinMaster is primarily distributed in China, which Yu estimates has more than 5 million infected Android devices at any given time.

What is even more concerning is the escalation in evasive techniques used by the malware authors to avoid detection. The Android landscape is catching up to the sophistication of Windows malware, a very frightening revelation.

Yu provided an interesting visual depiction of the GinMaster ecosystem showing how the criminals behind this malware use multiple methods to maximize the profitability of adding you to their botnet.

[Figure: GinMaster ecosystem diagram]

Later in the morning it was Gabor Szappanos from SophosLabs Hungary who stepped up to the lectern to present “Hide and Seek – how targeted attacks hide behind clean applications”.

In the past we have written about the abuse of stolen or fraudulently obtained certificates to sign malware, but Gabor has been looking into something even more difficult to detect.

He described legitimate applications that are signed but contain a bug known as the DLL search order flaw, which enables attackers to inject malicious code into seemingly safe applications.

The most surprising thing in the presentation for me was the use of open source software as a vehicle for malicious code.

Szappanos showed how the LAME MP3 encoder was being used by attackers by simply adding two additional malicious exports that were designed to blend into real encoder commands.

[Figure: LAME MP3 encoder slide from Szappanos's VB2013 presentation]

Last up was Vanja Svajcer from SophosLabs Croatia. He presented “Classifying PUAs in the mobile environment”, a paper attempting to create a set of common criteria for detecting and determining the differences between malware and things that aren’t necessarily malicious, but are clearly undesirable for some or all users.

Many applications may fall into the category of potentially unwanted. Some may require access to too much sensitive information, some may be pornographic and others may contain extremely aggressive advertising components to sponsor their “freeness”.

It is difficult for vendors to be compared today due to varying ideas of what potentially unwanted might mean, so hopefully there will be some consensus as a result of this paper.

I also had the pleasure of producing a podcast with Paul Ducklin yesterday on the three things everyone must do to protect themselves and others for National Cyber Security Awareness Month.

Listen to our “Do These 3” tips now in this short, special-issue podcast (03 October 2013, duration 8’58”, size 5.4MB).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HFT3lxfOOrQ/

5 Lessons From Real-World Attacks

INTEROP — New York City — Take it from Harry Sverdlove, CTO of security firm Bit9, no organization – regardless of size or business — is immune to today’s attacks.


The security whitelisting vendor earlier this year revealed details of how attackers had stolen one of its digital code-signing certificates and then used it to sign malware attacks against three of its customers, who were the ultimate targets. It was an awkward and painful position for a security vendor, but Bit9 provided a detailed firsthand account of some of the key specifics of the attack, as well as the malware that was used.

Sverdlove here at Interop tomorrow will share five lessons from real-world attacks — some of which are gleaned from his company’s own experience getting attacked.

“Obviously, everyone is a target. It’s not pleasant to talk about … but [our breach] was a supply chain attack,” Sverdlove says. “There were multiple teams of hand-offs … What we gathered on the campaign is that we weren’t the target.”


Lesson number one: everyone is a target.
Sverdlove says mom-and-pop shops, suppliers, and other small businesses are getting hit. “You don’t have to be working on a secret nuclear weapons program. You don’t even have to have information of value, you just have to know people with information of value.”

Cyberespionage actors are getting to their actual targets via their suppliers and business partners, he says. After the Flame cyberspying malware attack was exposed a year and a half ago, one of Bit9’s customers in the Middle East found that it had been attacked by Flame. Bit9’s software blocked an actual infection, he says, and it turns out the firm was targeted because they do business in the Middle East. “They were a stepping-stone attack,” Sverdlove says.

That doesn’t mean small businesses don’t have valuable information of their own that attackers want. A small tire-maker in Texas, for example, was breached and the attack was traced to a sophisticated attack group, Sverdlove says. “I asked him, ‘well, why were you attacked?’ and he said, ‘I have a special way I make my tires.'”

Such proprietary information is attractive to cyberspies, Sverdlove says.

Lesson number two: attackers are constantly raising the bar.
The bad guys are sharing intel they gather, and they also capitalize on any code that’s published by the security community, such as the snippets of Stuxnet code that were posted in the wake of the discovery of the game-changing malware. “Stuxnet just raised the bar for everybody,” he says.

“Enemies are sharing the intel, and sometimes, we facilitate it” when posting and analyzing code, he says. “We’re doing our jobs. But the attackers download those samples,” too, he says, as well as the Metasploit modules that are released in the wake of zero-day finds.

“Metasploit is a great security tool for researchers, [for example], but that commercialization allows less sophisticated attackers to download it and they’re performing zero-day attacks,” he says.

Distributed denial-of-service (DDoS) attacks are getting exponentially more powerful and efficient, and waterholing attacks are becoming a popular way for cyberespionage attackers to more efficiently net their targets. “Instead of emailing you, they go to a softer target, a website you frequent and wait for you to come there,” Sverdlove says.

Since many companies outsource their websites, they have less control over the security, for instance, he says. Plus organizations can’t “secure the Internet” for all the websites their users visit, he says.

How do the attackers filter out the unwanted catches? “You can set up a watering hole attack and monitor the IP addresses and the machine names of the systems you have compromised,” Sverdlove says.

In one such attack on one organization investigated by Bit9, the attackers established a foothold in multiple systems and went dormant in the ones they didn’t want or need. “They can tell the others to delete and clean themselves up” and wait for the specific targeted user’s machine they were after, he says.

Several Chinese cyberspy gangs are broken into units, he says. They split the duties in their attacks: one group compromises the websites, filters out the targets, and hands them over to another group that handles the exfiltration of data. “It allows them to do campaigns that are certainly longstanding and prolonged. It’s not like they have one goal in mind; they have entire sectors they compromise and later, when they need specific information, they call in specific teams.”

Lesson number three: you’ve already been infiltrated.
“You should be assuming you are” infected, Sverdlove says.

These advanced attackers are in it for control and information, he says, so you have to assume you are under attack. “Then you have to answer the question, ‘if I were infected, how would I know?'”

Sverdlove says that requires changing your security program from prevention to protection and watching what’s happening in your environment. “And you need a response” to an attack, he says.

“Part of a security program, you have to have prevention, detection, and to monitor your ability on how quickly you can respond,” he says, whether it’s to wipe a system or sandbox it and watch the bad guys’ actions, he says.

Response encompasses several parties, including public relations. “It helps to have that PR agency on speed dial,” he says. “You have a process for escalation … in the early stage, you bring in a security analyst, who’s going to see what’s going on. But then later, you might need to bring in executive stakeholders, legal and or law enforcement.”

Lesson number four: Traditional security methods don’t solve today’s problems.
Default/deny, signature-based technology doesn’t stop sophisticated attacks. Companies that are getting hacked have had all of these technologies, including antivirus and firewalls, and still were infiltrated, Sverdlove says.

“They’re not stopping the attackers,” he says. But even so, they’re necessary for known threat prevention.

Lesson number five: Don’t despair.
There are steps organizations can take to minimize their risk of a targeted attack, however.

“Don’t use home email for work. That’s the number one way spearphishing happens,” Sverdlove says.

Keep patching, he says, and set in place policies for risky applications such as Java, for instance.

“A simple set of policies can reduce your attack surface area,” he says. But policies require verification, too.

Take strong password policies. Bit9’s security team regularly tests the company’s users’ passwords. “They use off-the-shelf password cracking tools,” Sverdlove says. If they can crack a user’s password with the tools, the user is notified and given tips on creating a stronger one.


Article source: http://www.darkreading.com/attacks-breaches/5-lessons-from-real-world-attacks/240162250

At Interop, Plethora Of New Services Leaves Questions About Risk

NEW YORK, N.Y. — Interop New York 2013 — Here at one of the networking industry’s best-known trade shows, you can get help with cloud networking, mobile device deployment, virtual private networks, email security, and much more. But finding a provider that can help you manage your enterprise’s risk, compliance, or security posture is not so easy.

“When it comes to setting up a risk profile, measuring the effect of your supply chain — particularly your service providers — is crucial,” said John Pironti, president of IP Architects and the security and risk track chair for the Interop conference. “But too often, service providers aren’t much help on measuring risk. They can give you their view, but they can’t help you build your own profile.”

As technology advances and businesses seek ways to become more flexible in their support of applications and devices, the enterprise is increasingly relying on third-party service providers, vendors and experts agreed.

“Businesses are finding that they don’t have the resources in house to do everything they want, and so outsourcing is becoming more and more of an option,” said Tom Buoniello, senior vice president of product management for AppRiver, which provides secure email and antivirus services. “They’re looking to us to increase their capabilities and reduce their risk.”

Indeed, implementation of next-generation technologies such as cloud services and mobile devices means finding a range of new service providers that the enterprise can trust.

“A lot of companies still have a black-and-white attitude about security — they feel that anything they do on their premises has no risk, and anything that’s done off premises is all risk,” said Bernard Golden, vice president of enterprise solutions at Enstratius, a business unit of Dell that helps businesses implement cloud computing. “One of the reasons they come to us is that they are looking for ways to build consistent governance across the cloud environment.”

In other cases, such as in the bring-your-own-device (BYOD) arena, service providers are a swift path to deployment. “A lot of the enterprises we work with don’t have a clear [BYOD] plan or policy in place,” said Amith Nair, vice president of sales and marketing at CloudPath, which helps enterprises speed the onboarding of mobile devices. “We give them a template to do that, and a workflow that makes it easier to administer.”

NCP Engineering, another Interop exhibitor, offers similar assistance with the deployment of virtual private networks. “We simplify remote access by enabling companies to roll out those capabilities using a central administration, without having to touch the device at the endpoint,” said Patrick Oliver Graf, general manager for the Americas at NCP Engineering. “We make the technology easier to roll out to the user, no matter what device they are using.”

But while these providers are helping enterprises to implement crucial capabilities such as secure email, cloud computing, BYOD, and VPNs, most enterprises still don’t have an accurate way to measure the impact of these services on security, compliance, or risk.

“We can help you to reduce risk by moving away from open [mobile] environments that might open you up to threats,” said CloudPath’s Nair. “But we don’t normally drill into the customer’s overall risk assessment.”

That view was common among the service providers at the show. Like specialist physicians, each was able to provide a risk and compliance assessment for its own area of specialty — cloud, BYOD, secure email, or VPNs — but none of the providers could deliver a picture of the enterprise’s overall security posture.

“They can see what they’re doing, but they can’t tell you how what they’re doing might affect [the security of] all of the rest of the things that the enterprise does,” Pironti said.

Experts say enterprises’ increasing reliance on third parties for critical networking and security services may drive a new demand for governance, risk and compliance (GRC) systems that can collect data from many different service providers and help paint a customized picture of the overall risk faced by a specific enterprise.

“The rising use of service providers increases the need for a well-defined GRC program that can help enterprises recognize the risks associated with each of those services and make good choices about how and when to use them,” says Chris Caldwell, CEO of LockPath, a leading GRC platform provider.

Service providers that offer security, compliance or risk data can provide a piece of the picture, but they can’t tell an enterprise how to manage risk, Caldwell observes. “You may outsource the capability, but you’re not outsourcing the risk or the liability if there’s a breach or a service interruption,” he says. “Risk management, compliance management are your responsibility, no matter how many service providers you have.”

GRC tools can help enterprises recognize the potential effects of using different types of network and security services, and how the addition of a new service provider might affect a company’s risk or security posture, Caldwell says.

“With so many services coming out, you need a structure to manage your risk and make better decisions,” Caldwell adds. “Dropbox is a great service for sharing large files, but it can increase your risk significantly if you don’t lock it down properly. Similarly, enterprises need ways to audit their service providers to make sure that what the providers are telling them [about security] is true.”


Article source: http://www.darkreading.com/services/at-interop-plethora-of-new-services-leav/240162229

Adobe hit by ‘sophisticated’ hack targeting customers, source code


Adobe’s systems have been hit by numerous “sophisticated attacks” that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products.

The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and encrypted passwords.


“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” the company said.

It does not believe decrypted credit or debit card numbers were accessed.

“As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password,” the company wrote.

The company says people should change their passwords on any other website where they have used the same user ID and password. But you’d do that anyway, wouldn’t you?

It is “in the process” of notifying customers whose credit or debit data may have been stolen, and is offering them condolence in the form of a “one-year complimentary credit monitoring membership where available.”

Where we come from, that’s called offering free stable doors after the horses have bolted.

The company has also contacted federal law enforcement officials and notified banks that process customer payments for Adobe.

Hackers have also accessed the source code for the company’s Adobe Acrobat, ColdFusion, ColdFusion Builder, and other unnamed products, the company said in a separate blog post.

Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker’s server, apparently containing source code on some of Adobe’s biggest products.

“This breach poses a serious concern to countless businesses and individuals,” Hold Security wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”

Adobe is seeking to reassure users. “We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide,” it wrote. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/adobe_major_hack/

Feds: Silk Road pirate king tried to SNUFF customer AND employee

Alleged online drug kingpin Ross William Ulbricht tried to have not one, but two people involved in the Silk Road killed, according to a US federal court indictment.

The Dread Pirate Roberts, as Ulbricht was known online, paid an undercover federal agent $80,000 to torture and kill a Silk Road employee, the indictment, filed in the United States District Court for the District of Maryland on Monday, alleges.


Ross William Ulbricht was arrested in the science fiction section of the Glen Park public library in San Francisco on Tuesday, and Silk Road, the Tor-based drug site he is alleged to have run, was shut on Wednesday.

In an earlier court complaint, it emerged that the Dread Pirate Roberts had paid Silk Road user “redandwhite” $150,000 in bitcoins to off a Canadian user of the site who was blackmailing him. Canadian police have found no evidence so far that a murder took place, however.

Now, along with being charged in New York with narcotics-trafficking conspiracy, computer-hacking conspiracy, and money-laundering conspiracy, Ulbricht is being charged in Maryland with conspiracy to distribute a controlled substance, use of interstate commerce facilities in commission of murder-for-hire, aiding and abetting, and attempted witness murder.

In January, an undercover agent posing as a Silk Road user communicated with the Dread Pirate Roberts, complaining that the amounts of illegal drugs sold on the Silk Road were too low, and asking if they could arrange to find a buyer for a large shipment of cocaine, the indictment alleges.

Ulbricht obliged, the document states, and after some to-ing and fro-ing, the agent sent a kilogram of “a mixture of substance containing a detectable amount of cocaine” to a Silk Road employee for some $27,000 in bitcoins.

Shortly after that, the employee was arrested, and Ulbricht thought he had also stolen bitcoins from other users of the Silk Road. Ulbricht was apparently unnerved by the bust, and got in touch with the undercover agent on January 26th 2013 to ask if he could “beat up” the employee and compel him to give the bitcoins back, according to the indictment.

Just one day later, Ulbricht messaged the undercover agent and allegedly wrote: “can you change the order to execute rather than torture?” He explained that the employee had been in prison before. “Now that he’s been arrested, I’m afraid he’ll give up info,” Ulbricht wrote.

The undercover agent demanded $40,000 upfront, which Ulbricht paid via Technocash Limited in Australia to a bank account at Capital One Bank in Washington DC. On February 5 he then requested “proof of death” and asked the undercover agent to try and get a video of the torture and death, and failing that, pictures, the feds allege.

Days passed with some back-and-forth messages as Ulbricht seemed to become more anxious, then on February 16 the undercover agent sent him staged photographs of the employee being tortured.

The Dread Pirate Roberts wrote back, saying I’m “a little disturbed, but I’m ok,” then added, “I’m sure I will call on you again at some point, though I hope I won’t have to.” On February 19, the undercover cop told Ulbricht “[the Employee] is dead[,] they killed him this weekend”. On February 21 the agent sent the DPR staged photographs of the dead employee.

On seeing the photos, the indictment reports that Ulbricht stated: “I’m pissed I had to kill him … but what’s done is done[,]…I just wish more people had some integrity[.]”. On March 1, he is alleged to have wired the other half of the hit money from Technocash Limited in Australia to a Capital One Bank in Washington, DC.

Ulbricht is currently being held without bail in San Francisco pending a hearing this Friday, October 4. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/silk_road_witness_murder_allegations/

Snowden’s email provider gave crypto keys to FBI – on paper printouts

The former operator of a secure email service once used by NSA leaker Edward Snowden has been fined $10,000 for failing to give federal agents access to his customers’ accounts, newly released court documents show.

In August, Ladar Levison shut down Lavabit, his security-minded email business, rather than comply with government demands that he claimed would have made him “complicit in crimes against the American people.”


At the time, a gag order prevented him from discussing the details of his situation. But court documents unsealed on Wednesday reveal that the FBI wanted Levison to hand over encryption keys that would have given federal agents “real time” access to not just Snowden’s account, but the accounts of all 40,000 of Lavabit’s customers.

To Levison, that was going too far. “You don’t need to bug an entire city to bug one guy’s phone calls,” he told The New York Times. “In my case, they wanted to break open the entire box just to get to one connection.”

Levison claims he had complied with legal surveillance requests in the past, and that he proposed logging and decrypting just Snowden’s communications and uploading them to a government server once per day.

But the FBI said that wasn’t enough. It wanted access to the private SSL keys used to encrypt all traffic on Lavabit, which Levison says would have given agents up-to-the-minute access to the emails of every Lavabit user. In July it produced a federal warrant ordering Levison to turn them over.

Prosecutors claim that monitoring Snowden was the only goal and that spying on Lavabit’s other users was never part of the plan. “There’s no agents looking through the 400,000 other bits of information, customers, whatever,” one said during a hearing in August. But Levison still balked.

He certainly deserves credit for his pluck. Levison complied with the letter of the order, but he delivered the encryption keys as strings of numbers printed out on paper, rather than as electronic files. What’s more, he intentionally printed them in a font designed to be hard to scan, one prosecutors described as “largely illegible.”

Federal Judge Claude Hilton was not amused. He found Levison in contempt of court and levied a fine of $5,000 per day until the keys were provided in electronic form.

Levison held out for two days but finally relented, only to shut down Lavabit at the same time he gave up the keys – a move a prosecutor later described as “just short of a criminal act.”

Levison now says he hopes to one day revive his business, which he founded in 2004 and had been operating as a full-time job since 2010. But he also wants to make the public aware of what happened to him and the potential pitfalls for other businesses in the face of unchecked government surveillance.

“How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed,” Levison told the NYT, “when Congress doesn’t even know what is going on?”

At least one Congressman has sided with Levison, however. Libertarian-leaning Rand Paul, the Republican junior senator for Kentucky, has urged voters to sign a petition against NSA spying and to donate to Campaign for Liberty, a conservative pressure group that has agreed to help fund Levison’s legal defense.

“Even though he’s lost his main source of income, Ladar Levison is fighting back,” Paul wrote in a statement. “I believe his legal battle is a key part in our shared fight to restore our Fourth Amendment freedoms.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/lavabit_snowden_investigation_details/

Adobe Hacked: Source Code, Customer Data Stolen

Adobe late today revealed that it recently discovered that it had suffered massive “sophisticated attacks” on its network that resulted in the theft of sensitive information including payment card information on 2.9 million customers as well as of source code for multiple Adobe software products, including Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe software.

Brad Arkin, chief security officer of Adobe, said in a blog post that the attacks may be related.

“Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related,” Arkin said.

“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident,” Arkin said.

Meanwhile, Hold Security said in a statement today that the security firm, working with Brian Krebs of KrebsOnSecurity, had discovered the pilfered Adobe source code on servers of the hackers behind the recently revealed breaches of LexisNexis, Kroll, NW3C, and other sites. “Over 40 Gigabytes in encrypted archives have been discovered on a hackers’ server that appear to contain source code of such products as Adobe Acrobat Reader, Adobe Acrobat Publisher, and the Adobe ColdFusion line of products. It appears that the breach of Adobe’s data occurred in early August of this year but it is possible that the breach was ongoing earlier,” Hold Security said in a post today.

Just how the source code was stolen and whether it was employed for malicious activity is unclear, according to Hold, but “unauthorized individuals” took and viewed the data.

The potential abuse of stolen Adobe source code could have serious and far-reaching consequences for users. “This breach poses a serious concern to countless businesses and individuals. Adobe products are installed on most end-user devices and used on many corporate and government servers around the world. While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits,” Hold Security says.

Adobe’s Arkin says the company is not aware of zero-day exploits or other specific threats to its customers due to the source code theft. “However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products,” he says.

Adobe customers affected by the account breach will be contacted and advised to change their passwords, and the company is also in the process of alerting customers whose credit and debit-card information was stolen. The good news is that the financial information was encrypted.

The company says it is working with “federal law enforcement” to help in its investigation of the hacks.

According to a post on KrebsOnSecurity, Brian Krebs and Hold Security CISO Alex Holden a week ago found 40 GB of source code stored on a server used by the same gang that appears to have hit data aggregators LexisNexis, Dun & Bradstreet, Kroll, and others. “The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat,” Krebs wrote today. “Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.”


Article source: http://www.darkreading.com/attacks-breaches/adobe-hacked-source-code-customer-data-s/240162228

Feds smash internet drug bazaar Silk Road, say they’ll KEELHAUL ‘Dread Pirate Roberts’


The notorious online drug market Silk Road has been shut down by the FBI, its suspected operator arrested and charged with narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy, and $3.6m worth of the bitcoin crypto-currency has been confiscated by federal agents.

The site’s alleged founder and main operator Ross William Ulbricht, aka “Dread Pirate Roberts” (DPR) was arrested in a public library in San Francisco on Tuesday. Silk Road’s Tor-based drug bazaar was shut down on Wednesday and users visiting the site were met with an FBI takedown notice.


Ulbricht made a number of operational security mistakes that linked his identity with various online personas associated with Silk Road, according to the FBI court complaint. However, there is no detail in the filing about how the FBI gained access to the Silk Road Tor server on which the site was based – an omission sure to disturb members of the security community at a time when new information is coming to light about the advanced capabilities of America’s spy organization, the NSA.

“Silk Road has emerged as the most sophisticated and extensive criminal marketplace on the Internet today,” FBI agent Christopher Tarbell wrote in the FBI’s criminal complaint. “From in or about January 2011, up to and including in or about September 2013, ROSS WILLIAM ULBRICHT, a/k/a “Dread Pirate Roberts,” a/k/a “DPR,” a/k/a “Silk Road,” the defendant, owned and operated an underground website known as “Silk Road,” that provided a platform for drug dealers around the world to sell a wide variety of controlled substances via the Internet.”

Image: Silk Road shut for business

Silk Road ran on Tor, a hidden computer network, and only accepted payments in the pseudo-anonymous Bitcoin cryptocurrency. The FBI gained access to a Tor server on which the site was hosted and took a snapshot of it in July 2013.

The price of Bitcoin crashed on Wednesday morning after news of the shutdown broke, adding grist to the characterization by Benjamin Lawsky, superintendent of the New York Department of Financial Services, of the currency as “a virtual Wild West for narcotraffickers and other criminals”.

Image: The Bitcoin exchange rate slumped after the site was taken down

The FBI says in its statement that it had “located in a certain foreign country the server used to host the silk road’s website,” and had gained access to it via a “mutual legal assistance request”.

This calls into question many of the widely-held beliefs about the security and anonymity of the Tor service.

There is also evidence that Ulbricht may have implicated himself and, through lax security practices, betrayed the details of the Tor servers.

One slip-up was a posting on programmer Q&A site Stack Overflow under the name Ross Ulbricht that asked “How can I connect to a Tor hidden service using curl in php?”, before the account name was changed to “Frosty”. A subpoena by the FBI revealed the original account name.

Another screw-up came with postings on two forums under the user name “Altoids” in early 2011 advertising the Silk Road, followed several months later by a post under the same “Altoids” username on a Bitcoin forum asking for an “IT pro in the bitcoin community” to help out on a “venture-backed company,” and advising interested parties to contact the email address rossulbricht at gmail dot com.

The FBI also obtained data from Google on this Gmail account, which showed access to it closely correlated with separate logins to the Silk Road from similar locations in San Francisco.

Ulbricht had also arranged to have some nine fake identities sent to him for the purpose of procuring new servers. These documents were intercepted by customs and border patrol officials in early July, 2013, and led them to pay a visit to Ulbricht in San Francisco on July 26.

Ulbricht’s alleged online alias of ‘Dread Pirate Roberts’ had made numerous postings on Silk Road seeking identity documents from users. This is a rookie mistake that breaks dead rapper the Notorious B.I.G’s advice to dealers and lowlifes – “don’t get high off your own supply”.

A further point of compromise was that Ulbricht’s real-life Google+ profile had shared videos from obscure economics think tank the Ludwig von Mises Institute – the same videos were linked to in the signature of the Dread Pirate Roberts account on the Silk Road.

According to the complaint, Ulbricht employed several administrators on the Silk Road, paying them $1,000 to $2,000 a week. They called him “boss” and “captain”, the FBI said.

Bitcoin murder contract

The indictment states Silk Road made scads and scads of cash, generating some $1.2bn in bitcoin transactions, of which $80m was siphoned off by Dread Pirate Roberts during the course of its life. But it was not without problems, the FBI claims.

The complaint accuses Ulbricht’s alleged online alias Dread Pirate Roberts of paying a third party to murder another user of the site, who was trying to extort him.

The Dread Pirate Roberts was contacted in March 2013 by a Silk Road user “FriendlyChemist” claiming to have the details of thousands of the buyers and sellers on the anonymous illegal drug and services marketplace.

“FriendlyChemist” attempted to extort some $500,000 from him in exchange for the information, and eventually stated that he needed the money because he owed it to a group of suppliers that used the Silk Road handle “redandwhite”.

Dread Pirate Roberts allegedly got in touch with redandwhite and, when FriendlyChemist continued attempting to extort him, asked if they could have the user killed. Dread Pirate Roberts then supplied them with information on FriendlyChemist, including the person’s whereabouts (British Columbia, Canada), the FBI states.

“I would like to put a bounty on his head if it’s not too much trouble for you. What would be an adequate amount to motivate you to find him? Necessities like this do happen from time to time for a person in my position,” Dread Pirate Roberts wrote to redandwhite, who suggested a cost of between $150,000 and $300,000. They settled on a price of $150,000, which was transferred in bitcoins.

Though redandwhite claimed to have offed the person in question, and at the request of Dread Pirate Roberts sent a photo of the body, the FBI says the Canadian Police are not aware of any homicide associated with this case. Nor do they have information on anyone with the details of the aforementioned “FriendlyChemist”.

The shutdown of Silk Road follows the vanishing of Tor-hosted file sharing service Freedom Hosting in early August, and the similarly unexpected and unexplained shutdown of rival Tor-hosted drug mart Atlantis in September.

“Regrettably it has come time for Atlantis to close its doors. Due to security reasons outside of our control we have no choice but to cease operation of the Atlantis Market marketplace. Believe us when we say we wouldn’t be doing this if it weren’t 100% necessary. Due to the urgency we are allowing all users to withdraw all their coins for one week before the site, and forum, are shut down permanently,” Atlantis wrote at the time.

Perhaps they knew something the Dread Pirate Roberts didn’t? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/02/silk_road_shutdown/

NSA: Yes we ‘experimented’ with US mobile tracking. But we didn’t inhale


Analysis: The US National Security Agency has recently admitted to experimenting with bulk collection of mobile phone locations, but denied it ever actually used the information.

This is unlike its European contemporaries, which apparently devolved the task of collecting mobile phone data to the network operators years ago.


The NSA project was an unsuccessful pilot, according to the spooks’ Director of Intelligence, James R Clapper. He told the Senate Judiciary Committee about the experiment on Wednesday, but denied there was any ongoing analysis of the data the NSA covertly slurped, as the New York Times explains.

But in Europe, network operators are obliged to keep the very same data, just in case law enforcement fancies a look at it.

Back in 2009, a German politician requested access to his location data from T-Mobile. Following various legal challenges the operator eventually complied and the newspaper Die Zeit put it together into an animated map which shows just what the European authorities can do, if they’re minded to.

The difference – and it’s an important one – is the presence of judicial oversight. An agency wanting access to European phone records, which are kept for at least a year, has to apply through the nominated Single Point of Contact (SPOC) which is actually a significant, if whispered, department within every police force and network operator, ready to supply thousands of requests for data every week.

Requests have to be proportional to the crime being investigated and are generally restricted to “was this phone in this location at this time” but can vary. A suspicious death connected to the owner of a particular phone may warrant the authorities slurping its location data for the last 24 hours, while an abducted child might warrant an urgent check for current information.

One of the key deterrents against agents of the state engaging in fishing expeditions is the price charged by mobile operators for access to the data they hold. Naturally, speedy access to data and access to large swathes of it tends to attract higher fees.

Exactly how much they charge, they won’t say. Operators are only supposed to cover their costs. The fact that a budget is needed for every enquiry helps prevent the more obvious abuses, such as checking up on lovers and the like, which the NSA has admitted occur in its own ranks.

Most of us trust the police, and most Americans (just about) trust their government, but we might not trust the individuals who comprise these bodies. Perusing the Facebook page of an old partner is almost irresistible. Imagine how much more seductive it would be if one could overhear their phone calls too. Such a system needs robust oversight to prevent humans succumbing to their natural tendencies.

The problem here isn’t that the NSA was tracking phones, or that it requested data from internet companies; the problem was that it did so in the shadows.

Here in Europe we’re doing much the same thing, on a bigger scale and with more success. It’s hard to count foiled terrorist plots, but the same rules solve numerous crimes every day. Most of us don’t want to hide our location from the police or the secret services – but we might want to hide from the humans who make up those forces. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/nsa_admits_tracking_us_cellphones/

Iranian cyberwar chief shot dead. Revolutionary Guard: Assassination? Don’t ‘speculate’


The chief of Iranian cyber-security has been shot dead, sparking rumours that he was murdered in a targeted assassination.

The body of Mojtaba Ahmadi, commander of the Cyber War Headquarters, was found in isolated woodland near a town called Karaj, which is north-west of Tehran. He had been shot twice through the heart.


Despite rumours that Israel’s intelligence unit, Mossad, was responsible for the killing – purportedly in order to cripple the Islamic Republic’s cyber warfare capability – the country’s Revolutionary Guard has cautioned against assuming the murder was an assassination.

“I could see two bullet wounds on his body and the extent of his injuries indicated that he had been assassinated from a close range with a pistol,” an eyewitness told the website Alborz, according to the Telegraph.

Alborz is said to have links to the Revolutionary Guard Corps, a branch of the Iranian military dedicated to preserving the country’s Islam-based government and judiciary.

Yet a statement from the Imam Hassan Mojtaba division of the Revolutionary Guard Corps warned against “prematurely [speculating] about the identity of those responsible for the killing.”

Iran’s cyber warfare capabilities are not as much of an international concern as its nuclear weapons programme or its occasional threats to close the vital Strait of Hormuz, through which a large portion of the world’s oil exports passes. However, if the latest killing turns out to be an assassination by foreign powers, it will mark the beginning of a new front in the clandestine war against the Islamic Republic.

Shashank Joshi, from the Royal United Services Institute (RUSI), was surprised to see the killing. Iran is not known for its fearsome cyber warriors, despite persistent rumours suggesting it played a significant role in training the Syrian Electronic Army, which was responsible for a number of cyber-attacks – mostly Twitter hijacks – on Western targets this year.

Joshi said: “Iran’s cyber attacks on Israel and elsewhere in the region are a rising threat and a growing threat, but it hasn’t yet been seen as a major and sustained onslaught, so it would be pretty novel and significant to take this step in the field of cyber-warfare at this time.”

The modus operandi of the killing, which is thought to have been carried out by two men on motorcycles, is similar to previous assassinations against prominent Iranian officials.

Four Iranian scientists linked to the nuclear programme have been bumped off since 2007. Motorcycles have been linked to previous attacks. In at least one of the killings, a motorcyclist allegedly linked to Mossad stuck what was described as a “magnetic” bomb under a target’s car; in another, a remote-controlled bomb attached to a motorcycle was detonated outside a man’s home.

The head of Iran’s ballistic missiles programme was also killed in an explosion at an Iranian base in 2011.

American officials have previously claimed Iranian hackers were responsible for attacks on oil, gas and power firms.

Iran and the US are engaged in new diplomatic efforts aimed at ending sanctions and stopping Iran from developing a nuclear bomb. Any assassination could be seriously damaging to this nascent diplomacy. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/iranian_cyber_security_chief_assassinated/