STE WILLIAMS

Koobface worm-flinging gangster linked to pharma spam ops

Win Spectre Laptop with HP and The Register

What do you do after you’ve made millions through one of the most technically sophisticated strains of malware ever unleashed onto the internet? Make millions pushing penis-enhancing pills, according to more than one security researcher.

The findings suggest at least one of the crooks behind Koobface has branched out to become involved in selling penis pills using junkmail.


Ronald F Guilmette, an independent security researcher who first uncovered the hijacking of machines on Microsoft’s corporate network to spamvertise unlicensed Viagra pills back in 2010, has uncovered a strong connection between the same EvaPharmacy group that infected machines in a testing lab at Redmond three years ago and at least one of the people behind the infamous Koobface worm.

“EvaPharmacy is, and has been for many years now, one of the largest if not THE largest spamming enterprise in the known universe, pumping out more spam, month after month, than any other single individual, group, or enterprise on the net,” Guilmette told El Reg.

The evidence comes from historic domain registration information that links a Moscow address to both operations and shows an identical phone number linked to the registration of domains linked to Koobface and EvaPharmacy.

Spamtrackers.eu, which has been tracking EvaPharmacy for some time, associates the domain name checkoutpharamcysafe.com with EvaPharmacy. WHOIS records give the owner of checkoutpharamcysafe.com as “Andrey Polev”.

A detailed analysis of clues relating to the Koobface worm by security researcher Jago Maniscalchi provides evidence that various domains alleged to have been connected to Koobface were registered under a variety of similar names: Andrei Polev, Andrej Polev or Aleksandr Polev.

“I suspect that all these are just pseudonyms anyway, so it is probable, I think, that the guy who wrote all these names just didn’t bother to be 100 per cent consistent across all his uses of this pseudonym,” Guilmette explained.

More critical and more telling, according to Guilmette, is that the contact “phone number” listed for the allegedly Koobface-related domain name “cheapestpharmacy.at” is the same as the one listed for checkoutpharamcysafe.com.

The street address and (Russian) zip code listed for both the domain name checkoutpharamcysafe.com (EvaPharmacy) and the domain name cheapestpharmacy.at (Koobface) are also almost identical.

“These matchups, of (a) the registrant name and also (b) the contact phone number and (c) the street address and zip code are _not_ mere coincidences, in my opinion,” Guilmette concludes.

“Rather, they appear to point rather unambiguously to a link, at the very least, between the Koobface gang and the EvaPharmacy gang. Maybe Koobface *is* EvaPharmacy and vice-versa. I don’t really know.”
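The registrant pivoting Guilmette describes (matching phone numbers, street addresses and name variants across WHOIS records for different domains) is routine threat-intelligence work and is easy to automate. The script below is an added illustration and not Guilmette’s tooling; the WHOIS records in it are constructed with placeholder values rather than the real registrations discussed above, and the normalisation rules (digits-only phone numbers, surname plus first initial for transliteration variants, abbreviated street types) are assumptions of this example.

```python
"""Pivot on normalised WHOIS registrant fields to find domains that share
identity attributes. Added example; records below are constructed placeholders."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample records (placeholder values, not the real registrations)
WHOIS_RECORDS = [
    {"domain": "pharmacy-a.example", "registrant": "Andrei Polev",
     "phone": "+7.000 000 0000", "address": "1 Example St, Moscow", "zip": "000000"},
    {"domain": "pharmacy-b.example", "registrant": "Andrej Polev",
     "phone": "+7-000-0000000", "address": "1 Example Street, Moscow", "zip": "000000"},
    {"domain": "unrelated.example", "registrant": "Jane Doe",
     "phone": "+1.555.0100", "address": "9 Other Rd, Springfield", "zip": "99999"},
]

ABBREV = {"street": "st", "road": "rd", "avenue": "ave"}


def normalise_phone(phone):
    # Registrars store the same number with different separators; keep digits only
    return re.sub(r"\D", "", phone)


def normalise_address(address, zip_code):
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    words = [ABBREV.get(w, w) for w in words]
    return "".join(words) + re.sub(r"\D", "", zip_code)


def normalise_name(name):
    # Transliteration variants (Andrei/Andrej/Andrey) collapse to surname + initial
    parts = name.lower().split()
    if len(parts) < 2:
        return name.lower()
    return parts[-1] + ":" + parts[0][0]


def pivot_keys(rec):
    return {
        "phone": normalise_phone(rec["phone"]),
        "address": normalise_address(rec["address"], rec["zip"]),
        "registrant": normalise_name(rec["registrant"]),
    }


def find_links(records):
    """Return {(domain_a, domain_b): [shared pivot fields]} for every linked pair."""
    index = defaultdict(set)          # (field, normalised value) -> domains
    for rec in records:
        for field, value in pivot_keys(rec).items():
            if value:
                index[(field, value)].add(rec["domain"])
    links = defaultdict(set)
    for (field, _), domains in index.items():
        for a, b in combinations(sorted(domains), 2):
            links[(a, b)].add(field)
    return {pair: sorted(fields) for pair, fields in links.items()}


def strongest_links(records, min_shared=2):
    """Pairs sharing at least `min_shared` independent attributes: a single
    matching field is weak evidence, several together are much harder to dismiss."""
    return sorted(pair for pair, fields in find_links(records).items()
                  if len(fields) >= min_shared)


if __name__ == "__main__":
    for pair, fields in find_links(WHOIS_RECORDS).items():
        print(pair, "share", ", ".join(fields))
```

The `strongest_links` threshold encodes the reasoning in the quote above: a shared registrant name alone could be a common pseudonym, but name, phone and address matching together are what make the link persuasive.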

Let SkLiP the dogs of war

Separately, a report by antivirus vendor Trend Micro, titled The Heart of Koobface, shows the same alias or names being used by the registered owner of various Koobface C&C (command and control) domains. The details can be found on page 32 of the Trend Micro study (PDF).

The name Andrei/Andrej/Alexandr Polev, whether a pseudonym or not, is unambiguously linked to Koobface. It is also linked, again unambiguously, to the EvaPharmacy gang, according to Guilmette.

Other less substantial pieces of evidence further support the theory that Koobface is linked to EvaPharmacy and vice-versa.

One key EvaPharmacy player uses an online moniker “SkLiP” – which is slang, in some parts of the world, for “thief”. The Koobface gang apparently identified itself on some occasions as “Ali Baba 4”, a clear reference to Ali Baba and the Forty Thieves.

Guilmette’s investigations of the links between Koobface and EvaPharmacy have led him to identify one Moscow-based individual, whose name has been supplied to The Register, as the probable chief exec of EvaPharmacy and someone who was previously tied up with Koobface. This person has not been previously named in connection with Koobface, checks by El Reg suggest.

Face/off

Koobface began targeting surfers on Facebook and other social networks beginning in December 2008, typically encouraging prospective marks to execute malware packages disguised as Flash updates supposedly needed to view lurid or shocking content.

Once executed, the malware turns compromised computers into zombie drones under the control of hackers. The botnet was used to distribute secondary pay-per-install malware on the compromised computers as well as to hijack search queries to display advertisements. The botnet was then targeted for takedown, which didn’t quite kill it off.

However, things have been very quiet since then, although Facebook controversially identified five individuals it alleged were involved with Koobface in January 2012. These five people have never been charged.

Koobface was chiefly monetised through click fraud. Guilmette’s thesis is that since Koobface went quiet three years ago, at least one of the fraudsters involved has moved on to making his money by selling Viagra, Cialis and other pharmaceuticals, without prescription, through EvaPharmacy.

It may be that machines compromised using Koobface are being used to spamvertise EvaPharmacy. “Spamming for fake pharmacy domains would be more profitable, to the Koobface gang, than just trying to make money by perpetrating click fraud,” Guilmette concluded.

Cybercrime researcher Dancho Danchev has also been following the trail of the Koobface gang for years. He reckons Guilmette’s theory is along the right lines but needs to be supplemented by evidence from the malware itself, rather than domain name registration information alone.

“I also don’t believe in such type of coincidences in our line of work; however, initial attributable ‘impressions’ must always be cross-checked against multiple infection/propagation indicators of live/historical campaigns, so that a truly realistic picture can emerge,” Danchev told El Reg.

“Although the attention towards the Koobface gang shifted in a post-Koobface botnet security industry, what we shouldn’t forget is that once they felt invincible to track/shut down, they experimented through a multi-layered monetisation of hosts, by starting to serve client-side exploits in 2009. What this revealed is also a direct connection with Exmanoize, the author of the Eleonore Exploit Kit, as the initial malicious domains were registered using an email belonging to him, proving that they’ve been busy socialising with other key market players back then.”

Danchev’s analysis of the client-side exploits involving Koobface, which mentions Exmanoize, and dating from 2009 can be found here.

Free whitepaper : Supercharge your infrastructure

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/26/koobface_carder_pharma_spam_tieup/

PayPal fixes critical account switcheroo bug after researcher tipoff


PayPal has fixed a critical flaw that allowed an attacker to delete any account at will and replace it with one of their own.

In April, security researcher Ionut Cernica discovered that US PayPal account holders could add an email address to someone else’s account by visiting a PayPal webpage. This then allowed the account to be deleted, he showed in a demonstration video (beware, old-school techno soundtrack):

“After you added an existing email to your account if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too,” Cernica’s report reads.

“After you removed the account, you can make another one with the same username with your desired password, but you will have no money and it is not confirmed.”

In order to achieve verified PayPal status, the attacker would simply need to assign a bank account or credit card to the replacement username and go through the standard accreditation procedure. If the scam wasn’t spotted quickly, funds could then be siphoned off as soon as they came in.
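To make the class of bug Cernica reports concrete for developers, here is an added example (not PayPal’s code; the account data model is assumed): a toy account service whose vulnerable email-removal path resolves the address globally and so deletes whichever account owns it, beside a hardened version that refuses to attach an address already bound to another account and only ever edits the caller’s own list of unconfirmed addresses.

```python
"""Toy model of the account/email binding flaw described above: an unconfirmed
address added to one account must never affect the account that owns it.
Added illustration with an assumed data model; not PayPal's implementation."""


class AccountService:
    def __init__(self):
        self.accounts = {}   # account_id -> {"primary": email, "unconfirmed": set()}
        self.owner_of = {}   # confirmed primary email -> account_id

    def create(self, account_id, email):
        if email in self.owner_of:
            raise ValueError("primary address already in use")
        self.accounts[account_id] = {"primary": email, "unconfirmed": set()}
        self.owner_of[email] = account_id

    # --- vulnerable path: mirrors the behaviour in the researcher's report ---
    def add_email_vulnerable(self, account_id, email):
        # Defect 1: no check that `email` is already another account's primary address
        self.accounts[account_id]["unconfirmed"].add(email)

    def remove_email_vulnerable(self, account_id, email):
        self.accounts[account_id]["unconfirmed"].discard(email)
        # Defect 2: the address is resolved globally instead of within the caller's
        # account, so the legitimate owner's account is torn down as well
        victim = self.owner_of.pop(email, None)
        if victim is not None:
            del self.accounts[victim]

    # --- hardened path ---
    def add_email_safe(self, account_id, email):
        if self.owner_of.get(email, account_id) != account_id:
            raise PermissionError("address is bound to another account")
        self.accounts[account_id]["unconfirmed"].add(email)

    def remove_email_safe(self, account_id, email):
        pending = self.accounts[account_id]["unconfirmed"]
        if email not in pending:
            raise LookupError("not an unconfirmed address on this account")
        pending.discard(email)   # touches only the caller's own pending list


def scenario(hardened):
    """Second account adds, then removes, the first account's address
    (constructed identifiers). Returns True if the first account survives."""
    svc = AccountService()
    svc.create("victim", "victim@example")
    svc.create("other", "other@example")
    try:
        if hardened:
            svc.add_email_safe("other", "victim@example")
            svc.remove_email_safe("other", "victim@example")
        else:
            svc.add_email_vulnerable("other", "victim@example")
            svc.remove_email_vulnerable("other", "victim@example")
    except PermissionError:
        pass   # hardened add refuses the foreign address; nothing to remove
    return "victim" in svc.accounts


if __name__ == "__main__":
    print("vulnerable: victim survives =", scenario(False))
    print("hardened:   victim survives =", scenario(True))
```

The two checks are independent: either one alone would have blocked the account deletion, and a unit test such as `scenario(...)` that exercises the cross-account path is the regression test that would have caught the incomplete first fix mentioned below.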

According to the report, PayPal acknowledged the flaw a week later and in May told Cernica that a fix had been issued – but the researcher reported back that the dodge was still possible. The final patch was issued this week, and Cernica has received his bounty for the bug.

The bug will net Cernica $3,000 at most, and would be worth many times that on the black market. The case highlights the effectiveness of once-controversial bug bounty programs, something even long-time holdout Microsoft has now acknowledged. ®

Free report : Seamless data management features with AOS 3.0

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/23/paypal_fixes_critical_account_switcheroo_bug_after_researcher_tipoff/

Germany warns: You just CAN’T TRUST some Windows 8 PCs


Microsoft’s new touchy Windows 8 operating system is so vulnerable to prying hackers that Germany’s businesses and government should not use it, the country’s authorities have warned in a series of leaked documents.

According to files published in German weekly Die Zeit, the Euro nation’s officials fear Germans’ data is not secure thanks to the OS’s Trusted Computing technology – a set of specifications and protocols that relies on every computer having a unique cryptographic key built into the hardware that’s used to dictate what software can be run.


Authorities at Germany’s Federal Office for Information Security (BSI) later clarified that it was the Trusted Computing specs in Windows 8 in conjunction with the Trusted Platform Module (TPM) chip embedded in the hardware that create the alleged security issue. BSI released a statement that backtracked slightly, insisting that using Windows 8 in combination with a TPM may make a system safer, but noting that it is investigating “some critical aspects related to specific scenarios in which Windows 8 is operated in combination with a hardware that has a TPM 2.0”.

Trusted Computing is a controversial bunch of specifications developed by a group of companies including AMD, Cisco, Fujitsu, Hewlett-Packard, IBM, Intel, Microsoft and Wave Systems Corp.

The tech is designed to stop the use of software and files which do not contain the correct digital rights permissions (thus protecting the property of vendors behind the protocols), including “unauthorised operating systems” (a specific function of the much-maligned Secure Boot). Microsoft argues that Secure Boot protects users from rootkits and other malware attacks. The set of permissions is automatically updated online, outside of the control of the user.

A machine that contains a Trusted Platform Module and runs software adhering to the Trusted Computing specifications is, arguably, under the control of the vendor – in this case Microsoft. It also identifies the machine to the vendor, meaning that users’ identities can be linked to their machines as well as their online activities. As Redmond is a US firm, opponents to the protocols argue, users’ data is theoretically accessible to US spooks in the National Security Agency via the Foreign Intelligence Surveillance Act, as Die Zeit points out.

A TPM 2.0 chip is being built into more and more computers running Windows 8.

The newspaper obtained an internal document from Germany’s Ministry of Economic Affairs written at the beginning of 2012. It warned of “the loss of full sovereignty over information technology” and that “the security objectives of confidentiality and integrity are no longer guaranteed”.

It continued: “The use of ‘Trusted Computing’… in this form … is unacceptable for the federal administration and the operators of critical infrastructure.”

Trusted Platform Module 2.0 is considerably more invasive than older versions. Once this is rolled out across all Windows-using PCs, the Germans fear, there will be “simply no way to tell what exactly Microsoft does to its system through remote updates”.

“From the perspective of the BSI, the use of Windows 8 in combination with a TPM 2.0 is accompanied by a loss of control over the operating system and the hardware used. This results in new risks for the user, especially for the federal government and critical infrastructure.”

The Register previously described Trusted Computing as the “widely derided idea of computing secured for, and against, its users”.

The leaked documents advised that Windows 7 is still safe to use, at least until 2020. Windows 8, on the other hand, is so tied up with Trusted Computing protocols that it is already “unfit for use”.

Microsoft denied there was any backdoor. In a lengthy statement, a spokeswoman insisted that users cannot expect “privacy without good security”. Redmond argued that users could purchase machines whose manufacturers had disabled the TPMs. Presumably this will one day become a selling point, although Microsoft argues this will actually make the hardware less “secure”.

She said:

TPM 2.0 is designed to be on by default with no user interaction required. Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised.

It is also important to note that any user concerns about TPM 2.0 are addressable. The first concern, generally expressed as “lack of user control,” is not correct as OEMs have the ability to turn off the TPM in x86 machines; thus, purchasers can purchase machines with TPMs disabled (of course, they will also be unable to utilize the security features enabled by the technology). The second concern, generally expressed as “lack of user control over choice of operating system,” is also incorrect. In fact, Windows has been designed so that users can clear/reset the TPM for ownership by another OS if they wish. Many TPM functions can also be used by multiple OSes (including Linux) concurrently.

Rumours about a backdoor in Windows are almost as old as Microsoft itself. In 2009, El Reg reported on the NSA’s admission that it had worked with developers on Windows 7’s operating system security, forcing Redmond to deny there was a backdoor left open to spooks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/23/nsa_germany_windows_8/

Report: Secret British spy base in Middle East taps region’s internet


Among the vast haul of information lifted from secret networks by former US intelligence sysadmin Edward Snowden are details of a top-secret British spy base placed in the Middle East to tap into undersea communications cables and eavesdrop on the region’s internet, it has been reported.

According to the Independent, the clandestine base is used to hoover up huge amounts of data, such as emails, telephone calls and web traffic.


America’s National Security Agency (NSA) and the UK’s eavesdropping nerve centre in Cheltenham (GCHQ) are recipients of data that have been sifted at the station for items of interest, it is claimed.

Left-wing newspaper The Guardian, which exclusively revealed some of the information Snowden had copied, stopped short of reporting the location of the covert base that apparently taps into and then scoops up data from underseas fibre-optic cables running through the region.

The Indy claimed that the Graun agreed with the UK government not to disclose any material contained in the 50,000 GCHQ documents that Snowden snatched in 2012 which could pose a threat to national security.

But the Indy, under no such obligation, also revealed that the former CIA techie and NSA contractor, who currently has political asylum in Russia, downloaded the docs “from an internal Wikipedia-style information site called GC-Wiki. Unlike the public Wikipedia, GCHQ’s wiki was generally classified Top Secret or above.”

The Register sought a statement from the GCHQ. A spokesperson simply told us: “We do not comment on intelligence matters”.

Earlier this month, the Guardian did report on so-called “intercept partners” the UK government has on its books, including BT, Verizon, Level 3, Interroute and Vodafone Business. But it only did that after Germany’s Süddeutsche newspaper published the names of the corporations that were said to be secretly working with the GCHQ on the spy programme codenamed Tempora.

Many of the companies mentioned in that report subsequently said that they complied with local laws in each of the countries that they operate in.

El Reg requested a statement from BT today. It repeated that line:

Questions relating to national security are for governments, not telecommunications providers. Having said that, we can reassure customers that we comply with the law wherever we operate and do not disclose customer data in any jurisdiction unless legally required to do so.

David Miranda, the Brazilian boyfriend of the Guardian writer Glenn Greenwald – the journalist at the centre of the Snowden media firestorm – was stopped and interrogated under the Terrorism Act for nine hours by police during a stopover at Heathrow airport earlier this week.

Late yesterday afternoon, Miranda secured a partial High Court injunction to stop the police “inspecting, copying or sharing” the data they seized from him – except for national security purposes.

It remains unclear what was contained on Miranda’s person as he passed through the UK’s largest airport. But if the information he was carrying revealed the location of the internet-spying base in the Middle East, then the spooks may argue that the use of Blighty’s terror laws to detain Miranda was proportionate on the grounds of national security.

Scotland Yard, meanwhile, said their Counter Terrorism Command (which carries out the former Special Branch task of working with the intelligence agencies) had begun a criminal investigation after the Met initially examined the material seized last Sunday and found what they described as “highly sensitive material, the disclosure of which could put lives at risk.”

On the face of it an obvious location for spying on submarine cables leading to Middle Eastern nations such as Syria, Lebanon and Israel would be Cyprus, which is an undersea cable nexus for the region. A base there could be located inside one of the island’s British military base areas, which remain sovereign UK territory. It might seem to be hyperbole on the part of the British government to suggest that spooks on UK territory inside a secure military base would find their lives endangered by exposure of their mission: or it might be that in fact the “base” or parts of it are situated elsewhere on the island or beyond it.

Or of course the reference to “lives at risk” and the extreme concern felt by the British (and US) governments regarding Snowden’s revelations may not be related to the cable-tapping base at all, but to something else as yet undisclosed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/23/underseas_fibre_optic_cables_tapped_by_uk_spooks_from_secret_middle_east_base/

Russian spyboss brands Tor a crook’s paradise, demands a total ban


Russia’s spybosses are contemplating blocking access to the Tor network and similar privacy tools that try to prevent netizens from being traced online.

The proposal – pushed by the Federal Security Service of the Russian Federation (the FSB) – sets out a clampdown on technologies top spooks branded tools for “weapon traffickers, drug dealers and credit card fraudsters”.


FSB director Aleksandr Bortnikov outlined his hopes of banning the use of Tor in Russia at a session of the motherland’s National Anti-Terrorism Committee: he said his agents could work with Russian cops and other security bodies to draft legislation outlawing the network, according to a report in daily broadsheet Izvestia.

The initiative emerged after Head Hunters, a Russian civil movement, lobbied the FSB to block Tor because the technology can be used to circulate and exchange images of child abuse anonymously. (And earlier this month, a man was arrested in Ireland after the FBI alleged he was “the largest facilitator of child porn on the planet”. It’s believed he ran an ISP that provided server nodes for the Tor network.)

Tor is widely used by privacy-conscious individuals, human rights activists and others to remain anonymous online: it works by randomly routing connections between the user and a website, or other service, through a huge mesh of nodes so that the person cannot be traced, in theory. Many countries, including China, have tried to stamp out use of the technology but this is technically difficult, though perhaps not completely impossible.

Blocking Tor is “not trivial, but if they’re not too bothered about accidentally blocking the odd connection that just looks like Tor, it’s possible,” Martijn Grooten, Virus Bulletin’s anti-spam test director told El Reg. “Tor is working hard to make their traffic look ‘normal’ so it’s a cat-and-mouse game.”

Blocking Tor and anonymising proxies would intensify Russia’s already tight surveillance and censorship regime as well as setting up a precedent for other countries to follow. SORM, the Russian internet and phone surveillance system, is every bit as far reaching as any of the tools the NSA has at its disposal, albeit far less publicised than PRISM and related US programmes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/23/russia_pushes_tor_ban/

Boffins use HOT maths MODELS to predict spam of the future


Australian computer boffins reckon game theory can be applied to build better spam filters.

The new spam classifier, developed by Professor Sanjay Chawla, Fei Wang and Wei Liu of the University of Sydney, outsmarts would-be spammers by predicting the likely pattern of future spam runs by learning from past attacks.


The two researchers at the Capital Markets Cooperative Research Centre (CMCRC), an independent academic centre for capital market research, have put together a model for a spam filter that uses ideas from “repetitive game theory” to achieve better results in junk mail filtering than existing commercial spam filters.

However independent anti-spam experts are skeptical over whether the claimed performance improvements in junkmail filtering would work for all classes of spam.

Martijn Grooten, Virus Bulletin’s anti-spam test director, told El Reg that the approach would probably only yield improvements for certain classes of spam. Grooten said he would like to see how the filter works in practice, rather than relying on marketing claims about the power of the new approach compared to conventional multi-stage junk mail filters.

“It seems to me that they understand existing spam filters to be static engines that get updated every now and again,” Grooten told El Reg. “In fact, most are highly adaptive to both the mail they see (so they create some kind of pattern for that particular customer) and to emails received by external sensors such as spam traps and spam reports. So they get updated in real-time, usually without any human interaction.”

Existing spam filters already catch the majority of junk mail. While there’s always room for improvement the Australian team fails to acknowledge this, a factor that makes Grooten a tad skeptical about the claimed game theory-powered performance boosts. “They seem to miss the fact that a lot of spam is damn easy to block,” Grooten said. “Because of the sender (grandma’s PC). Because of the content (of which tons will have been received by spam traps). Because of the headers (broken in various ways). And because of the links (URLs on compromised websites). I don’t think there is a lot of room for improvement here. There is room for improvement among the niches of spam – and perhaps that’s where they make improvements. But they don’t say that.”

In a statement, Professor Sanjay Chawla said that applying game theory allows filters to stay ahead of spammers’ tactics, as well as offering other advantages over approaches that involve constantly updating junk mail filtering rules.

“Typical spam filters make more mistakes over time as the spammers work out how to get around the filter,” Prof Chawla said. “An example of this is spammers using misspelt words in the title.

“We have anticipated this adversarial behaviour resulting in a more accurate filter that deteriorates at a much slower rate than current filters would. This means the filter doesn’t need to be upgraded as often reducing the cost, time and disruption associated with upgrading software.”

Fei Wang added: “Modelling the interaction between a classifier and an adversary as a repeated game theory setting is a far more realistic way of getting training data for the classifier because it allows for cause and effect behaviour to be captured.”

The researchers have only come up with a plausible model for how spam filtering might be improved, which they have experimented with using computer models. They haven’t yet got as far as coding up an improved junk mail filter and trying it out in practice and this is perhaps something that is beyond the scope of academic research and best left to a commercial developer in any case.

Game theory is already used extensively in economics and politics to analyse and predict decision-making. The Australian boffins reckon the discipline can be applied effectively to tackle problems in computer science and data mining, with improved spam filters only one potential application. Preliminary findings from the research have been published in the Machine Learning Journal. The researchers hope Google, security software developers and telecom firms will take up the approach in order to develop better junk mail filters. An outline of the research provides an overview of how techniques from social science might be applied to create better junkmail filters.

Wang’s research combines adversarial learning with sparse modelling techniques (to discover predictive patterns in data) into a repeated game, to keep the model realistic. The role of the sparse techniques is to model the scenario that spammers (and those working to prevent spam) have limited budgets.

The traditional approach to keeping classifiers updated is to repeatedly rebuild the classifier in the face of changing data. In Wang’s research, however, ideas from game theory are used to characterise an equilibrium, which has the side effect of creating new training data. This new training data, which in some sense anticipates future adversarial behaviour, is then used to build the classifier.

More details on the research can be found here (PDF).

Virus Bulletin’s Grooten remains on the fence about how great a performance gain could come from developing game theory-based algorithms for junkmail filtering compared to existing approaches based on content, source IP reputation, botnet tracking and other approaches.

“Their game theory approach will probably work well in theory – I’m sure they’ve done at least a half-decent job and ran it in some lab environments. It might even work well in a universe where all spammers are actively trying to improve their delivery rates and constantly adapt to changes in filters. In this universe, where spammers send spam by the millions apparently without much thought about delivery rates, I’m not sure if it will add anything,” Grooten concluded. ®

Bootnote

The Australian researchers are not the first academics to suggest game theory might be applied to fight spam. A team of researchers at Athens University of Economics and Business in Greece riffed on much the same idea back in 2005. Not much has been heard of Ion Androutsopoulos’ idea to use economic models to tune spam filters to either maximise the cost to the spammer, or maximise the benefit to the user, in the eight years since, but perhaps that’s because the idea was ahead of its time rather than misapplied.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/23/game_theory_spam_buster/

ASIO seeks new hires for telecoms interception teams


Australia’s security intelligence organisation (ASIO) is hiring a clutch of telecoms intelligence staff.

The agency is after a new “Assistant Director Telecommunications Interception”, a pair of “Telecommunications Investigations Officers” (we’ve linked to the better-paid of the two positions) and also a “Telecommunications Interceptions Specialist”.


The Assistant Director’s job says the successful applicant’s duties will include:

  • Supervision of technical staff involved in the development of telecommunications interception capabilities;
  • Contribute to policy and process development supporting telecommunications interception;
  • Liaison with telecommunications carriers for the development of lawful interception systems;
  • Liaison with industry for the development of specialist systems;
  • Compliance testing of interception solutions;
  • Trouble-shooting system faults; and
  • Development of in-house lawful interception solutions.

Vulture South can’t help but think the wording of those duties implies that new interception tools are contemplated.

Interceptions Specialists will be expected to perform duties including “Development of in-house lawful interception solutions”. Skills needed to score the job include:

  • Previous experience with carrier networks and/or interception systems
  • Project management in an ICT environment
  • Understanding of IP networks (architecture, systems and related protocols)
  • Understanding of the architecture of mobile telephony networks, including SMS, GPRS and LTE
  • Understanding of carrier-level VoIP implementations
  • Exposure to international ICT standards and specifications
  • Knowledge of mark-up languages such as XML and ASN.1
  • Ability to perform and analyse IP captures and perform protocol analysis and network-level problem-solving

The inclusion of LTE seems worth noting: 4G is growing fast in Australia and ASIO will doubtless be keen to monitor traffic on new networks. Intriguingly, “Applicants that have applied for this position in the last 12 months need not reapply,” suggesting this has proved a tough gig to fill.

The job description for the Telecommunications Investigations Officers says the new hires will “join a small team responsible for the collection, processing and dissemination of telecommunications-related data.”

Duties include “Assisting in the preparation and submission of lawful requests to telecommunications providers”, which sounds an awful lot like making warrantless requests for telecommunications metadata. Such requests are controversial because they’re made in their hundreds of thousands each year. If Vulture South’s guess is correct and ASIO feels it needs more people to make the requests, it could signal even greater volumes. Australia’s Greens party has tabled amendments to the Act permitting such requests in the hope of reducing their number.

If you fancy one of these jobs, care to check out the dozen or so other IT roles, or fancy a closer look at ASIO’s hiring trends, its vacancies page is here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/22/asio_beefing_up_telecoms_interception_teams/

CipherCloud lands in Oz


US encryption vendor CipherCloud, set up by ArcSight founding VP of engineering Pravin Kothari, is going live with an Australian office to provide professional services to local customers and give sales a kick along.

The company positions itself as allowing companies to resolve the most common concern of moving to cloud computing: control over information stored in the cloud, whether it’s simple remote storage, or cloud-based applications.

Speaking to The Register, Kothari said there has been a substantial chilling effect in America and overseas as a result of the continuing NSA scandal. In countries like Australia, Kothari agreed that data sovereignty adds to corporate concerns about the risk of offshore hosting.

CipherCloud’s offering aims to overcome those concerns by either encrypting or tokenising data at the gateway to the enterprise, before it’s sent to the cloud. Because the data never has to be decrypted at the far end, the keys remain with the customer and the cloud provider only ever holds ciphertext or tokens.

(El Reg notes that if the Snowden claims about how the NSA works are accurate, that merely means that data might be retained in case it can be decrypted in the future. And if your company hosts cloud information in the USA, it might be prudent to ensure that whoever holds the keys doesn’t travel there …)

Of course, not everything can go through the crypto engine: for example, a metadata-trawl is going to see source and destination IP addresses, since these can’t be encrypted. However, the company says, all the application content that hits its gateway will be protected – including cloud applications like SalesForce (along with a number of other applications that are now partners, covering e-mail, CRM, ERP, and collaboration).
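To make the gateway model concrete, here is an added Go sketch of the same idea. It is a constructed illustration, not CipherCloud’s code, and the field names, the policy table and the sample record are assumptions. Fields marked for encryption leave under AES-256-GCM with a random nonce, so the provider cannot even tell that two records hold the same value; tokenised fields are swapped for random tokens whose real values live only in an on-site vault; routing metadata passes through untouched, which is exactly what a metadata trawl will still see.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// FieldPolicy is what the gateway does to a field before it leaves the enterprise.
type FieldPolicy int

const (
	PassThrough FieldPolicy = iota // sent in clear, e.g. routing metadata the cloud needs
	Encrypt                        // AES-256-GCM under the customer-held key
	Tokenise                       // swapped for a random token; the real value stays in the on-site vault
)

// Gateway holds everything the cloud provider never sees: the key and the token vault.
type Gateway struct {
	aead   cipher.AEAD
	vault  map[string]string // token -> original value
	policy map[string]FieldPolicy
}

func NewGateway(key []byte, policy map[string]FieldPolicy) (*Gateway, error) {
	if len(key) != 32 {
		return nil, errors.New("gateway key must be 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, vault: map[string]string{}, policy: policy}, nil
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// Outbound is applied to a record on its way to the cloud application.
func (g *Gateway) Outbound(rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for name, val := range rec {
		switch g.policy[name] {
		case Encrypt:
			nonce, err := randomBytes(g.aead.NonceSize())
			if err != nil {
				return nil, err
			}
			// field name as associated data: a ciphertext copied into another field will not open
			ct := g.aead.Seal(nonce, nonce, []byte(val), []byte(name))
			out[name] = "enc:" + base64.StdEncoding.EncodeToString(ct)
		case Tokenise:
			tok, err := randomBytes(16)
			if err != nil {
				return nil, err
			}
			token := "tok:" + base64.RawURLEncoding.EncodeToString(tok)
			g.vault[token] = val
			out[name] = token
		default:
			out[name] = val
		}
	}
	return out, nil
}

// Inbound reverses Outbound for data coming back from the cloud.
func (g *Gateway) Inbound(rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for name, val := range rec {
		switch g.policy[name] {
		case Encrypt:
			ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(val, "enc:"))
			ns := g.aead.NonceSize()
			if err != nil || len(ct) < ns {
				return nil, fmt.Errorf("field %s: malformed ciphertext", name)
			}
			pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], []byte(name))
			if err != nil {
				return nil, fmt.Errorf("field %s: wrong key or ciphertext altered", name)
			}
			out[name] = string(pt)
		case Tokenise:
			orig, ok := g.vault[val]
			if !ok {
				return nil, fmt.Errorf("field %s: token not in vault", name)
			}
			out[name] = orig
		default:
			out[name] = val
		}
	}
	return out, nil
}

func main() {
	key, _ := randomBytes(32) // generated and kept on site; never sent to the provider
	gw, _ := NewGateway(key, map[string]FieldPolicy{"notes": Encrypt, "card": Tokenise, "dst_ip": PassThrough})
	rec := map[string]string{"notes": "board minutes", "card": "4111111111111111", "dst_ip": "203.0.113.10"} // constructed
	cloudView, _ := gw.Outbound(rec)
	fmt.Println("what the cloud stores:", cloudView)
	back, _ := gw.Inbound(cloudView)
	fmt.Println("what the enterprise sees:", back)
}
```

The trade-off the sketch does not show: a cloud application that must search or sort on a protected field needs an encoding that preserves equality or order, and whatever preserves those properties leaks them to anyone who can read the stored data, so the policy table is where the real security decisions live.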

Its environment also covers data loss prevention and malware detection. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/22/ciphercloud_lands_in_oz/

Hacktivists boast of English Defence League KO after website downed


Hacktivists linked to Anonymous have claimed responsibility for knocking shouty anti-Islam group the English Defence League’s website offline.

The EDL is a far-right street protest movement whose official stance is an objection to the “spread of Sharia law and Islamic extremism in the UK”. Its numerous critics argue the league are just a bunch of xenophobic football hooligans, and their numerous protests often involve violence and arrests.

The group’s official website (http://englishdefenceleague.org) was taken offline on Tuesday and a Pakistani hacking crew affiliated with Anonymous claimed responsibility for the hack.

The website remained unavailable at the time of writing on Thursday morning, showing only a holding page. “We are currently fixing an issue with our server and will restore services as soon as possible,” a notice from the EDL Web Division explains.

Hacktivists affiliated with Anonymous have locked horns with the EDL on several previous occasions. For example, in May, the hacktivist group leaked names and addresses of more than 200 supposed members of the controversial protest group, as well as the mobile phone numbers of its leaders.

The leak was the first salvo in ‪#OpEDL‬, aimed at bringing down the group, which hacktivists accuse of attempting to hijack public revulsion about the horrific murder of soldier Lee Rigby in south London three months ago to further the group’s own political agenda. The EDL’s leader, Stephen Yaxley-Lennon, was yesterday charged with obstructing police after allegedly trying to defy a ban on marching past a mosque in Woolwich in June.

The latest hack was also carried out under the banner of ‪#OpEDL‬ and carried out by members of the ZHC (ZCompany Hacking Crew) from Pakistan, apparently supported by elements of the wider Anonymous hacktivist collective. ZHC accompanied the hack with the leak of around 40 names and mobile phone numbers of supposed EDL members.

It’s unclear whether the leaked list, uploaded to Pastebin, is genuine or represents new information. Very little has been heard of ‪#OpEDL‬ after an initial flurry of activity in late May, until this week’s shenanigans.

The ZHC member behind the latest hack, @Guy_Victory, has been taunting the EDL about its inability to get its site back up and running.

“EDL still can't fix site from #ZHC hacked it yesterday I'd call that a K.O :),” the hacktivist said in a Twitter update.

ZHC claims to have lifted personal information, including but perhaps not limited to email addresses, after breaking into the EDL’s official website in an earlier assault last November.

Research outfit Netcraft reports the englishdefenceleague.org website, which runs on Linux, began using protection services from CloudFlare earlier this month. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/22/edl_website_hack_zhc/

Four ways the Guardian could have protected Snowden – by THE NSA


Analysis The Guardian‘s editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online.

And his reporters must fly around the world to hold face-to-face meetings with sources (“Not good for the environment, but increasingly the only way to operate”) because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ.

“It would be highly unadvisable for … any journalist … to regard any electronic means of communication as safe,” he wrote.

El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper’s carbon footprint, by suggesting some handy tips – most of them based on the NSA’s own guidance.

(It’s quite possible the Graun‘s able staffers have already thought of all this, and whistleblower Edward Snowden eventually taught his contacts how to use PGP, but allow us to throw it out there anyway for everyone to consider.)

1. Encryption: It’s not hard

David Miranda – the boyfriend of Glenn Greenwald, the journalist at the centre of Edward Snowden scoops about the NSA and GCHQ – was held at London Heathrow airport this week during a stopover from Berlin to Brazil. Miranda was carrying encrypted information in a laptop and USB drives, having visited Laura Poitras, the US filmmaker who worked with Greenwald on his NSA scandal stories.

You have to wonder why the Brazilian was being used as a data mule, for want of a better word, when there are other ways to securely transfer leaked documents without triggering the frankly unsettling schedule seven of the UK’s Terrorism Act. Although, he may have been stopped even if he was carrying nothing but his phone.

It’s reported that journalists, even tech journos, are woefully ill-equipped to deal with encrypted leaks: so let’s put a stop to this digital fumbling in the dark, and let the record show that some of us have an idea of how it all works.

First of all, take the NSA’s own advice [PDF] and grab a copy of the open-source cryptography toolkit GnuPG. Compile it for your favourite operating system (or trust a pre-built download, having checked its signature or published checksum first), and then generate a private-public key pair: data encrypted using the public key can only be decrypted using the private key. So your source encrypts her sneaked-out files using your public key, sends you those scrambled bytes and you reconstruct the originals using the private key.

Straightforward … GPG for Mac OS X will do the key-pair generation for you automatically

Why use key pairs, otherwise known as asymmetric encryption? Because it saves you having to whisper shared passwords to one another, essentially divulging secrets that if intercepted by an enemy would be catastrophic to your project.

With public-private keys there’s no need to reveal pass-phrases or drop off nondescript packages containing password code books, as exciting as that may sound. Instead, you can freely reveal your public key: it’s only good for encrypting stuff to you and for checking your signatures. (Technically speaking, the data is encrypted using a randomly generated one-off session key and a chosen cipher; asymmetric key encryption is computationally expensive, so a symmetric cipher and the session key do all the heavy lifting. The asymmetric key pair is used only to encrypt the session key.)

Again, following the NSA’s own advice, in your chosen PGP software, generate a Diffie-Hellman/DSS (or RSA if you’re paranoid) key pair that’s 4,096 bits in length, set to expire in one year (or less if you’re planning a short whistle-blowing career), using AES-256 as the encryption cipher and SHA-512 (from the SHA-2 family) as the hash function. Note that GnuPG caps DSA signing keys at 3,072 bits, so a 4,096-bit key in practice means RSA.

Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)

Keep your generated private key somewhere safe and hidden, such as on a TrueCrypt-encrypted thumb drive, rather than at rest on a disk, and whatever you do, don’t take it through customs. Use steganography to hide it in a picture of a cat.

Don’t put yourself in a position where the police can demand it under the Regulation of Investigatory Powers Act. Don’t keep the key, data and the computers you are using anywhere the Powers That Be, having obtained a warrant, expect to physically find them. You need to have transferred the goods before anyone realises.

While David Miranda insists he didn’t know anything about the contents of the electronic documents he was carrying, he did hand over the passwords to his equipment to the plod after being threatened with imprisonment.

Thus, one only hopes any sensitive files he was carrying were encrypted using a second secret, one he couldn’t possibly divulge because he didn’t know it. However, that will not have impressed the cops, who may have thrown him in the cooler for a couple of years or until someone could provide that second key. This has happened in the past.

A good lawyer could get your mule off the hook if the brief argued that your bod didn’t know the key nor the contents of the files (and thus was no more complicit in any wrongdoing than a Royal Mail worker delivering brown envelopes of leaked material). In this case, Miranda knew something and eight hours under the spotlight was enough for him.

In short, don’t use data mules, and certainly not across guarded borders, unless you’ve got a bang-up lawyer (and pots of cash to pay for it) and a personal courier willing to spend hours, days or perhaps months detained.

(PS: Handing over account-level passwords, rather than decryption keys, is bad enough, though, for the poor bod intercepted; there is no doubt investigators will try to use this information to inspect email inboxes, instant messaging clients, social network accounts and anything else they could get hold of in search of wrongdoing. More determined operatives could use this sort of access to get a better idea of the chap’s friends and associates for follow-up surveillance.)

Your source should also create her own public-private key pair, following the same steps above. She signs her messages with her private key and you verify them with her public key, which cryptographically proves that the data hasn’t been tampered with in transit and that it was created by the person holding that key. That proof is only as good as your copy of her public key, so compare its fingerprint over a channel you trust before relying on it.
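As an added illustration of the session-key mechanism and the signing step described above (it is not code from the article, the NSA guidance or GnuPG, and PGP’s real packet format differs), here is the same hybrid scheme written out in Go using only the standard library: the source seals a file for the reporter with a fresh AES-256-GCM session key, wraps that key with the reporter’s RSA public key (OAEP), and signs the result with her own private key (RSA-PSS over SHA-512); the reporter verifies the signature before decrypting. The envelope layout, the sample message and the 2,048-bit keys (chosen only so the demo runs quickly; the article says 4,096) are assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Envelope is what crosses the hostile network. Nothing in it is readable without
// the recipient's private key, and the signature lets the recipient check that it
// came from the sender's key and was not altered on the way.
type Envelope struct {
	WrappedKey []byte // AES-256 session key, encrypted to the recipient's RSA public key (OAEP)
	Nonce      []byte // fresh random AES-GCM nonce for this message
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	Signature  []byte // RSA-PSS over SHA-512(WrappedKey || Nonce || Ciphertext), by the sender
}

// NewKeyPair generates an RSA key pair; size is a parameter so the demo can use 2,048 bits.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// signedBody is what the signature covers. WrappedKey and Nonce have fixed lengths
// for a given key size, so plain concatenation is unambiguous.
func signedBody(e *Envelope) []byte {
	body := append([]byte{}, e.WrappedKey...)
	body = append(body, e.Nonce...)
	return append(body, e.Ciphertext...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal does what PGP does under the hood: a random one-off session key does the heavy
// lifting with a symmetric cipher, the asymmetric key only wraps that session key, and
// the sender's private key signs the whole thing.
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // 256-bit AES key
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	env.WrappedKey, err = rsa.EncryptOAEP(sha512.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha512.Sum512(signedBody(env))
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA512, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return env, nil
}

// Open checks the signature first, so a forged or tampered envelope is rejected before
// any key material is touched, then unwraps the session key and decrypts.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha512.Sum512(signedBody(env))
	if err := rsa.VerifyPSS(senderPub, crypto.SHA512, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: wrong sender key or envelope altered in transit")
	}
	sessionKey, err := rsa.DecryptOAEP(sha512.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not encrypted to this private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if the ciphertext was modified
}

func main() {
	reporter, _ := NewKeyPair(2048) // assumption: 2,048 bits for speed; the article says 4,096
	source, _ := NewKeyPair(2048)
	env, _ := Seal([]byte("constructed sample: the leaked memo"), &reporter.PublicKey, source)
	plain, err := Open(env, reporter, &source.PublicKey)
	fmt.Printf("reporter reads: %q (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 1 // an adversary flips one bit in transit
	_, err = Open(env, reporter, &source.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Two things the code makes visible that the prose does not: the public key on its own lets anyone encrypt to you, but only the holder of the matching private key can recover the session key, and a one-bit change to the ciphertext is caught by the signature before the recipient’s private key is ever used.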

Meet the Advanced Encryption Standard

As an aside: the AES-256 cipher, as mandated above, is recommended in the NSA’s own advice [PDF]. Uncle Sam’s spooks are told to use AES (Advanced Encryption Standard) and 128-bit keys to protect material designated “SECRET”. “TOP SECRET” – the highest security level available and usually reserved for compartmentalised information distributed on a strict need-to-know basis – requires 256-bit keys.

The standard – based on the Rijndael cipher published in 1998 by Belgians Vincent Rijmen and Joan Daemen and adopted by the US government as AES in 2001 – is considered unbreakable and spook-proof by all but the very, very paranoid: no practical attack on the full cipher is known, and recovering the key by trial and error would require an infeasible amount of computing power. We’re talking more energy than the universe can give us. With a 256-bit key there are 2^256, or 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936, possible keys if you feel like trying to brute-force it.

Serious maths … the calculations behind AES

It is possible someone could extract unencrypted information, or even the secret crypto keys, using a side-channel attack. This is usually pulled off by precisely timing the calculations performed by the system doing the encryption, or by watching which memory it touches while it works, and recovering the goodies byte by byte.

Such endeavours, so far as we know, have worked against tiny keys (some as small as 32 bits). Then in 2010, three boffins showed they could quickly recover a 128-bit AES key by running unprivileged code that spies on CPU cache access on a Linux server running OpenSSL: on the one hand, yes, you need to be able to run your own malicious software on the machine to snaffle this data, but on the other hand, this will not be difficult for state-backed spooks with loads of private zero-day exploits – so steps need to be taken to defend against this sort of compromise. That attack relied on the lookup tables in OpenSSL’s software AES; constant-time implementations and the AES-NI instructions on modern CPUs close that particular leak, which is a good reason to prefer them.

Proud tinfoil-hat-wearers among us will point out that these encryption standards may have been molested by the NSA at some point, perhaps to introduce weaknesses that can be exploited to easily crack encrypted data. Putting aside the fact that these algorithms have faced intense public scrutiny before their deployment, if the spooks had nobbled the maths, one wonders why the cops are so keen to extract decryption keys from suspects (or even perfectly innocent people) … though perhaps that’s what they want us to think.

2. Use clean machines

Make sure you’re doing all of this on completely clean computers, you and your whistleblower: only ever use them for communicating between you and your contact, and don’t contaminate the kit with other stuff or have it in any way associated with your other work. Keep both machines powered down when not in use; don’t connect either to your corporate or personal network.

Buy new machines for cash from a shop and harden them against attack: why not (again) take the NSA’s own advice and make sure you’re using Security-Enhanced Linux, the mandatory access control system the NSA originally wrote, which has been part of Linus Torvalds’ official mainline kernel since 2.6 in 2003. More seriously, install Grsecurity and use TrueCrypt to protect disk volumes. The spooks have online public guides to securing OSes here.

Essentially, do everything you can to compartmentalise your system. Install a hypervisor (yeah, a good one) on the new computer, and run all of the above software – your PGP tools and other essential utilities – inside a hardened virtual machine. Once that VM is set up, snapshot it and save it off disk on secured removable storage.

Every time you need to look at the leaked encrypted documents (again, stored securely off disk), reload the snapshot and use that environment afresh, so that the VM doesn’t have to touch the host machine’s disk and also just in case the VM was compromised the last time you used it.

Bear in mind that if an attacker did infiltrate your VM and silently escaped the hypervisor, or otherwise snaffled your private key, it’s game over. And state-backed spies will have zero-days to make this possible.

Even the NSA’s own advice is to assume you’ve been compromised and work from there. “We have to build our systems on the assumption that adversaries will get in,” the agency’s Debora Plunkett told a security conference. “We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”

In other words, carve your hardware into compartments and protect them from each other, even using an old-fashioned air gap. Be paranoid.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/22/guardian_snowden_advice/