The Onion is damaged … but not broken

The opposing sides

Connected People in NetworkWell it’s not quite Thor, but in this case the issue focuses on Tor, which is at the centre and focus of increasing conflict on the Internet.

As we move into an Information Age, there is a continual battle on the Internet between those who would like to track user activities, to those who believe in anonymity. The recent Right to be forgotten debate has shown that very little can be hidden on the Internet, and deleting these traces can be difficult.

To defence agencies the access to Internet-based information can provide a rich source of data for the detection and investigation of crime, but they have struggled against the Tor (The Onion Network) network for over a decade. Its usage has been highlighted over the years, such as when, in June 2013, Edward Snowden, used it to send information on PRISM to the Washington Post and The Guardian. This has prompted many government agencies around the World to prompt their best researchers to target cracking it, such as recently with the Russian government offering $111,000. At the core of Tor is its Onion Routing, which uses subscriber computers to route data packets over the Internet, rather than use publically available routers.

The battle of the Gods

fotolia_1499904With the right to be anonymous at its core, the Tor project created a network architecture which anonymized both the source of network and the identity of users. With some many defence agencies around the World targeting Tor, the cracks have been starting to be exposed, in the same way that there has been on the targeting of OpenSSL and TrueCrypt. For this researchers identified an underlying flaw in Tor’s network design, and which has led the Tor Project has warned that an attack on the anonymity network could have revealed user identities.

This message was in response to the work of two researchers from Carnegie Mellon University (Alexander Volynkin and Michael McCord) who exploited the infrastructure. At present SEI has a Defense Department until June 2015, and is worth over $110 million a year, with a special target on finding security vulnerabilities.

Overall the attacks ran from January 2014, and were finally detected and stopped on 4 July 2014. In response to the vulnerability being found the Tor team, in a similar way to the OpenSSL Heartbleed announcement, where informed that the researchers were to give a talk at the Black Hat hacker conference in Las Vegas. The sensitives around the area is highlight by the fact that the talk was cancelled, due to neither the university nor SEI (Software Engineering Institute) approving the talk. The Tor project, through Roger Dingledine blog entry on 4 July 2014, revealed that identities could have been revealed over the period of the research.

The research team, used two methods of exploitionation:

  • Traffic confirmation attack. This involves adding rogue relays to Tor, so that they can be used for the routing process. If there is just a few nodes, the routes cannot be determined, but if operated over a longer time period, it may have been possible to uncover some of the full path details of the accesses. This is similar to infecting a secret network with spies, and over time adding more spies, so that eventually, the spies become more trusted, and it is thus possible for a route to contain all the spying agents, and thus determine the complete route of a secret message.
  • Sybil attack.  This involved an attempt to a block up to 115 of the guard relays. As these account for around 6.4% of Tor’s guard capacity, it is likely that a considerable number of user traffic was involved.

Tor

The Web traces a wide range of information, including user details from cookies, IP addresses, and even user behaviour (with user fingerprints). This information be used to target marketing to users, and also is a rich seem of information for the detection and investigation of crime. The Tor network has long been a target of defence and law enforcement agencies, as it protects user identity and their source location, and is typically known as the dark web, as it is not accessible to key search engines such as Google. With the Tor network, the routing is done using computers of volunteers around the world to route the traffic around the Internet, and with ever hop the chances to tracing the original source becomes reduces. In fact, it is rather like a pass-the-parcel game, where game players randomly pass to others, but where eventually the destination receiver will eventually receive the parcel. As no-one has marked the parcel on its route, it’s almost impossible to find out the route that the parcel took.

The trace of users access Web servers is thus confused with non-traceable accesses. This has caused a range of defence agencies, including the NCA and GCHQ, to invest methods of compromising the infrastructure, especially to uncover the dark web. A strange feature in the history of Tor is that it was originally sponsored by the U.S. Naval Research Laboratory (which had been involved in onion routing), and its first version appeared in 2002, and was presented to the work by Roger Dingledine, Nick Mathewson, and Paul Syverson, who have since been named, in 2012, as one of Top 100 Global Thinkers. It since received funding from Electronic Frontier Foundation, and is now developed by The Tor Project, which is a non-profit making organisation.

Thus, as with the Rights to remain private, there are some fundamental questions that remain, and it a target for many government around the World. In 2011, it was awarded the Free Software Foundation’s 2010 Award for Projects of Social Benefit for:

"Using free software, Tor has enabled roughly 36 million people around the world to experience 
freedom of access and expression on the Internet while keeping them in control of their privacy 
and anonymity. Its network has proved pivotal in dissident movements in both Iran and more recently 
Egypt."

Figure 1 shows a Web browser application setup for Tor. It uses onion routing and also the HTTPS protocol to secure the accesses. With Tor, too, the path between the two communicating hosts is also encrypted, which creates a tunnel between them.  To focuses more on the security of the communication over the Internet, and less on the preserving the anonymity of the user. It is, though, often used for proxy accesses to systems, where a user wants to hide their access.

newFigure 1: Tor Web browser

For the attack by the researchers, the Tor project has proposed that the following questions remain unanswered:

  • Did we find all the malicious relays?
  • What data did the attackers keep, and are they going to destroy it?
  • How have they protected the data (if any) while storing it?

Conclusions

The latest target compromised things for a while, but once detected, it has managed to heal itself, but it is a major target, along with cracking cryptography. For those in defence agencies the question remains “Why do you want to keep things secret … do you have something to hide?”, which is a pretty fundamental question. At the current time, the Tor team have managed to fix the cracks, but with such a concerted probing around the World, you must wonder if they have the resources to cope with the probes. With OpenSSL, the Heartbleed bug had been uncovered for many years, so there will be weaknesses, it’s just that they haven’t been found yet. The recent tail of the TrueCrypt developers bailing of their project, leaves many questions around the maintenance of Open Source security software.

In defence, the Tor project is setting up a special group to monitor for malicious relays, and also to detect any compromises on the system. So, it’s one blow, but Tor has stood up to it, and came out fighting, and it is the research team who have been pin-pointed as the possibly stepping over the mark.

Coming soon to the App Store … Android Lockpick

Introduction

4d60a-pandora27sboxThe application of the smart phone continues making new in-roads into mobile banking, on-line shopping and video streaming. In fact if you watch many of the advertisements for sports channels you’ll find it is not a TV that is the device of choice for the viewer, it is their smart phone or tablet. increasingly, too, it is the one thing that we carry around with us. At one time it was our keys that we carried around, and these were are main security item which, if lost, would generally make our lives difficult. In this Information Age, though, it is now our smartphone which we use to identify ourselves, and which contains all our secret passwords and our secure connections into the Cloud. It’s our physical device which is basically becoming our pass key, without it we would struggle to identify ourselves, and end up having to find a general-purpose desktop computer. And so our smart phone is becoming our pass key in this electronic world, and it is the trust that we are placing in it, which is allowing our world to be re-designed. While it has problems with security, in the same way that losing a key causes, we can backup our world to the Cloud, and be ready with new keys, each re-programmed with new codes, if we need too.

Smartphones become more trusted

There are places where we need strong security, and the smartphone has been picking its targets and testing the water to see if both the consumer and service provider accept them. One of the most recent successes for the smartphone has been in airport check-in, where the technology has, within a short period of time, changed the way that many people identify themselves and their flight details. While hardly the most secure method in the world, it is just as secure as a piece of paper with dots on it, and the ability to retrieve the information at any time is a massive enhancement on having to use a printer and/or photocopier.

Hotel room access

One of the most trusted areas that we need strong security, and make sure that we identity people properly, iLarge safe, opens in hotels, where a slip in security could be costly. In fact, hotels tends to be more secure than homes, with only 0.3% of properly theft reported related to hotel incidents (from 2004-2008 – Bureau of Justice Statistics). So it is to the credit of smartphone technology that the Hilton hotel chain, with their Conrad Concierge application, plans to allow guests to select their rooms with their smartphone, and use them to check-in. They then intend to take this one step forward by using the smartphone itself to unlock the room, and will be implemented in our 4,000 hotels across the world, within more than 80 countries. Hilton thus have made the linkage of “my smartphone is me and I use it to control my world”. In their research they found that users wanted more control of their bookings, and the smartphone was the device of choice for setting this up. The target for the complete roll-out of the ability of lock/unlock rooms is 2016. Hilton obviously hope for … to use a bad pun … that there is a lock-in on the services that they provide, so that their application becomes key (another bad pun!) to the business traveler.

There have been worrying signs, though, such as in September 2012, when a Dell consultant had their lap stolen from a Hyatt room in Houston. For this it was conclused that the thief had gained access by exploiting a vulnerability in an Onity digital lock. This vulnerability for this lock had previously been disclosed, in July 2012, at a Black Hat security conference, and although an updated had been posted within a month, it had not been implemented in the hotel in question.

The rise of the App Stores

Cartoon hacker with laptopAt one time we received software through physical media, and this evolved to downloads from sites, but, as Gartner have identified in their top technology trends, it will be to the App Store that many users will focus their attention. The room lock/unlocker will thus be available through the main Apps Stores, especially focused on Apple and Google Live, so some customers without their operating systems may struggle to take full advantage of the services provided. So, as we see the new app in the App Stores, we must wonder, how long it will take for a whole lot of other apps, focusing on lock picking, as, unfortunately, the past has shown, that as long as there is a vulnerable element in the overall infrastructure, it will be exploited by some budding security specialist wishing to either showcase their talent, or with a motivation to make some money. In the unpicking of locks, for centuries, there has been a healthy business for lock pickers, and so it will be to the App Store that the future lock pickers could look too.

Conclusions

Hopefully there has been as much testing on the technology, than there has been on customer adoption. Again, unfortunately, many examples have shown that there is often too much focus on whether users like the technology, and rather less on discovering flaws in the systems, but it could be that this is just the way that we kick the tyres of a new technology, and know that there is going to be problems, and, as a society, we know that it will be worth it in the end. We are thus all part of a great big beta project, and it is one that is transforming the world. Well done smartphone!

Unfortunately digital locks are always likely to have vulnerabilities, in the same way that physical locks have, so it’s important that hotels monitor vulnerability reports, and make sure that they update their systems with patches, otherwise there may be a whole lot of people sniffing around their rooms with rooted apps on their smartphone. One thing we need to do, is to make sure that the people creating the apps, and the companies selling them, actually are trained in software security testing! In something a critical as gaining access to rooms, the application of patches, which in themselves may cause more problems than the fix, might not be top of the agenda for busy hotel administrators. While secrets about lock picking have been passed on from thief to thief over the centuries, the Internet is a much more open place, where secrets are disseminated and acted upon in short time periods, and there’s little that can be done about them – apart from strong patch management!

Boleto fraud: You don’t need a fast car to rob a bank anymore

Introduction

Cartoon hacker with laptopThe number of actual physical robberies on banks has slipped to almost zero, but the amount of money that they are losing through electronic methods has rocketed. With physical security it’s so easy to put up CCTV cameras, bullet proof glass, and have alarm bells, but in an electronic world there are an infinite ways to commit fraud. In fact there are so many targets in a electronic world, and criminals can focus their efforts on the customer, the bank, or the merchant. With virtually no effect at all criminal gangs can install malware within any part of the e-Commerce infrastructure, and either steal user credentials or modified transactions. While we may say that it is a victimless crime, we would be wrong, as large-scale fraud can have serious implications on the global financial market, and also on user trust.

In fact from the early days on the Internet, individuals have been find ways round the processes in the place (Figure 1). This includes John Draper (or Captain Crunch) who used a whistle tuned to 2.6kHz to place long distance calls that was given free in the cereal pack, to Vladmin Leven, from Russian, who siphoned off millions from Citibank. As we will find, these days, any script kiddie can create their own targeted attack on users, and it does not need extensive programming skills, or even a deep knowledge of how the e-Commerce infrastructure works. A key target, though, is the end user, as they tend to be the weakest link in the chain.

The latest targeted malware, most probably setup by Brazilian organized crime gangs has hijacked boleto transactions in Brazil for a vast amount of low-dollar transactions. It works by tricking users to install a piece of malware on their system which waits until the user visits their bank’s Web site. On detecting this, the malware fills-out all the required information for account require for the recipient of a boleto transaction. The malware then submits the transfer for payment, and modifies it by substituting a recipient account for the attackers one.

hackFigure 1: Well-known hackers

What happened with Boleto?

In July 2014, RSA announced a large-scale fraud of Boleto Bancário (or Boleto as it is simply known), and which should serve as a wake-up call for the finance industry, and governments around the World. In fact, it could be the largest electronic theft in history ($3.75bn). Overall with the fraud there were nearly 200,000 infected IP addresses that had the infection on their machine. A boleto is similar to an invoice issued by a bank so that a customer (“sacado”) can pay an exact amount of a merchant (“cedente”). These can be generated in an off-line manner (with a printed copy) or on-line (such as in on-line transactions).

Boleto is one of Brazil’s most popular payment methods, and just last week it was discovered to have been infected, for over two years, by malware. There are no firm figures on the extent of the compromise, but up to 495,753 Boleto transactions were affect, with a possible hit of $3.75bn (£2.18bn).

Boleto is the second most popular payment method in Brazil, after credit cards, and has around 18% of all purchases. It can be used to pay a merchant an exact amount, or, typically to pay for phone and shopping bills. There are many reasons that Boleto is popular in Brazil, including the fact that many Brazilian citizens do not have a credit card, and even when they do have one, they are often not trusted. Along with this the transaction typically has a fixed cost of 2 or 4 US dollars, as apposed to credit rates which is a percentage of the transaction (in Brazil, it can typically be between 4 and 7.5%).

The operation infected PCs using standard spear phishing methods, and managed to infect near 200,000 PCs, and stole over 83,000 user email credentials. It used a man-in-the-browser attack, where the malware sits in the browser, which included Google’s Chrome, Mozilla’s Firefox and Microsoft’s Internet Explorer, and intercepts Boleto transactions. The reason that the impact was so great, is that Boleto is only used in Brazil, thus malware detection software has not targeted Boleto, as it is a limited market.

The Web-based control panel [2] for the operation shows that fraudsters had stolen $250,000 from hijacked 383 boleto transactions from February 2014 until the end of June 2014 (Figure 2). Of the statistics received, all the infected machines where running Microsoft Windows, with the majority running Microsoft Windows 7 (78.3%), with Microsoft Windows XP being the second most popular (17.2%). Of the browsers detected the most popular was Internet Explorer (48.7%), followed by Chrome (34%) and Firefox (17.3%), and the most popular email domain used to steal user credentials was hotmail.com (94%).

Figure 2: Control panel showing fraud

Was Boleto secure?

While it was seen to be generally secure, it has been identified as being open to a ‘check-bounce’ scenario, where a payment looks as it has went through, and the goods are received, but the transaction eventually bounces (which is similar to a check bouncing). A typical transaction involves the bank notifying the CyberSource Latin American Processing that a boleto has been paid, but can either indicate that the payment status is either paid or not. In the case of a check, the status will be set to non-payment. There can thus be fraud when the goods are received before the payment is cleared. When the payment status is set of ‘paid’ the transaction is reported to the Payment Events Report. Unfortunately there are no charge-backs on Boleto transactions, and the transaction is paid by cash, check, or through an online bank transfer. There is some protection, though, in using Boleto, as consumers are allowed to seven days to ‘regret’ the payment, and ask for a refund. With Visa, there is payment protection for the consumer, which does not happen with Boleto.

So who was the man-in-the-browser?

Figure 3 shows an outline of the taxonomy of malware. It shows that it has a:

  • Distribution method. In the case of the Boleto fraud this was through spear phishing emails.
  • System compromise. After distribution, the malware then compromises the system and places itself in a persistent way. In this case it placed a program on the disk, and then added an entry into the Windows registry so that the program loaded ever time the computer was booted.
  • Trigger event. After the compromise, the malware is then triggered by an event. In this case by the user accessing their Live/Hotmail email account or by when the made a transaction using Boleto.

In the case of the Boleto fraud the man-in-the-browser was Eupuds (which is classified as an Information Stealing Trojan (MITB)) and which infects web browsers on Windows-based PCs, including Internet Explorer, Firefox and Chrome, and also steals account information for live.com, hotmail.com and facebook.com.

Eupuds manages to stay alive by created a program on the disk at (where c:\users\fred is the home directory):

c:\users\fred\Application Data\[RANDOM CHARACTERS].exe

and then makes sure that it is always started when the computer is booted by modifying the Windows registry key of:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS].exe" =
 "c:\users\fred\Application Data\[RANDOM CHARACTERS].exe"

In this way the Trojan program is always started when the computer is booted. In many cases the malware will hide itself so that it can get round a virus scan. In this case, the malware creates random characters to the name of the file, and then creates a different name for the process. Along with this the malware is compiled AutoIt script, and uses UPX packing, which makes it difficult to analyse/reverse engineer.

The malware works by detecting traffic between the browser and the server, and searches for specific strings:

  • Boleto.
  • pagador.com.br – this is the Brazilian online payment service.
  • segundavia – this is used when requesting a Boleto reissue.
  • 2via – this is used when requesting a Boleto reissue.
  • ?4798 – this is part of a Brazilian bank URL.
  • carrinho -this is a shopping cart of an online store
  • live.com – this detects a login for the Microsoft Live email package.

This is a modification of the standard Eupuds malware, which also detected strings containing .gif, .png, .flv, and facebook.com. Once it is installed it then looks for client-side security plug-ins used by banks. The shared executables that the plug-ins use are then neutralised by downloading patched-versions, so that the user has no protection for the man-in-the-middle.

malwareFigure 3: Taxonomy of malware

There have been many threat message which highlight the distribution of the spam emails, such as from Cisco Systems on 2012:

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail 
messages that claim to contain an import assistant program for the recipient. The e-mail message 
attempts to convince the recipient to open a .zip attachment to preview the data to be imported. 
However, the .zip attachment contains a malicious .cmd file that, when executed, attempts to 
infect the system with malicious code.
 
E-mail messages that are related to this threat (RuleID4218, RuleID4218KVR, and RuleID4349KVR) 
may contain an of the following files:
Fatura_Cartao.txt.zip
 Fatura cartao.cmd 
 Fatura-Boleto.zip
 Fatura-Cartao.cmd
 Fatura.zip
 Fatura.cmd
 Fatura.exe
 Boleto.zip
Boleto.cmd
The Boleto.cmd file in the Boleto.zip attachment has a file size of 368,640 bytes. The MD5 checksum is the following string: 0x21E9F84477A48C63115FE0E9A22E4DA8. The following text is a sample of the e-mail message that is associated with this threat outbreak: Subject: Boleto@jcessoria.com.br Message Body: Zip archive attachment (Fatura_Cartao.txt.zip) or Subject: Boleto de cobranca Message Body: Demostrativo em anexo. or Subject: cobranca@checkok.com.br
Message Body:
Demostrativo em anexo.

As this threat warning is nearly two years old, why did it take so long to actually discover the objectives of the malware? Other warnings, such as in 2013 also highlighted the threat. Along with this the first signs of the ZIP file containing the malware appeared in 2010:

2010/10/8_12:43 fileden.com/files/2010/9/27/2980248/Boleto.zip
2010/11/3_00:52 novemstn.webcindario.com/boleto.zip
2010/11/3_05:09 ormsoigso.webcindario.com/boleto.zip

The last two are Spanish hosting companies.

Detecting the Malware

Once the malware is installed on the machine, it communicates with the command and control (C&C) server using a basic encryption method, which encodes the messages with an exclusive-OR (XOR) operation using a key of
0xA4BBCCD4, followed by a modified Base64 encoding, with characters such as ‘+’ and ‘/’ replaced
by ‘-‘ and ‘_’, respectively (Figure 4). The IP addresses detected for the C&C include 216.246.98.4, 216.246.91.220 and 216.246.91.221, which point to the hostforweb.com domain, and which is a general Web hosting infrastructure.

mal01Figure 4: Network request (RSA Labs [1])

Conclusions

Spear phishing is the most common method of getting malware these days, where users are sent emails with links on them, and when the user clicks on them, they will run a program on their computer, and install the malware. In this case it was a Trojan which intercepted the communications between the browser and the Web site, and was setup to detect Boleto payments. The malware also was able to intercept email login details. So what’s the solution? Users need to watch what the click, and also patch their systems.

What is most worrying about this type of fraud, is that it could compromise the whole of the finance industry, and could even bring down major finance companies, and even nation states, with a single large-scale event. The target is slowly moving to end-users, as, as long as there’s one person will to click on a link in an email, there will be the potential for fraud.

if you are interested, this presentation shows a real-life Trojan infection, and which uses the same methods used in this fraud. For details of exploit kits (go to 57m6s), and on a real-life Trojan is at (13m30s):

References

[1] RSA DISCOVERS MASSIVE BOLETO FRAUD RING IN BRAZIL, https://blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf, July 2014.

[2] Brazilian ‘Boleto’ Bandits Bilk Billions, http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/

TrueCrypt: A Strange Mystery in a World of Secrets

Introduction

Imagine the headlines, if, after a full review of the safety of their cars, that BMW announced that they were releasing a new car that had safety warning messages all over it, and that it was the last car they would ever be building. To add to this they had limited the performance of it so that it was almost unusable, and that car users should go and purchase a Mercedes Benz instead. And, finally, that they were shutting down all their plants and burning of all their designs, so that no-one could use them. Well, in the world of cryptography, this is roughly what happened with TrueCrypt.

Keeping a secret

The ability for defence agencies to read secret communications and messages gives them a massive advantage over their adversaries, and is the core of many defence strategies. Most of the protocols used on the Internet are clear-text ones, such as HTTP, Telnet, FTP, and so on, but increasing we are encrypting our communications (such as with HTTPS, SSH and FTPS), where an extra layer of security (SSL) is added to make it difficult for intruders to read and change our communications. When not perfect, and open to a man-in-the-middle attack, it is a vast improvement to communicating where anyway how can sniff the network packets can read (and change) the communications. The natural step forward, though, is to encrypt the actual data before it is transmitted, and when it is stored. In this way not even a man-in-the-middle can read the communications, and the encryption key only resides with those who have rights to access it.

While many defence mechanisms in security have been fairly easy to overcome, cryptography – the process of encrypting and decrypting using electronic keys – has been seen as one of the most difficult defence mechanisms to overcome. It has thus been a key target for many defence organisations with a whole range of conspiracy theories around the presence of backdoors in the cryptography software, and where defence agencies have spied on their adversaries. Along with the worry of backdoors within the software, there has been several recent cases of severe bugs in the secure software, and which can comprise anything that has been previous kept secure. This is highlighted within OpenSSL for Heartbleed, and with the heart symbol bug in TweetDeck.

So, after the major impact of the bug found in OpenSSL which led to Heartbleed, on 28 May 2014 2014 visitors to the TrueCrypt site found a message of:

The development of TrueCrypt was ended in 5/2014 after Microsoft 
terminated support of Windows XP. Windows 8/7/Vista and later offer 
integrated support for encrypted disks and virtual disk images. 
Such integrated support is also available on other platforms 
(click here for more information). You should migrate any data 
encrypted by TrueCrypt to encrypted disks or virtual disk images 
supported on your platform.

For an open source project which supported a wide range of computer types and languages, it was a strange message to say that users should move to a closed-source and commercial solution. From a software solution that supports most types of modern computers, and is free to use, Bitlocker is part of Microsoft Windows, and which requires a licence for a version of Microsoft Windows that supports disk encryption.

Some basics of encryption

Most encryption uses a secret encryption key, which is used to encrypt and also to decrypt. This is known as private-key encryption, and the most robust of these is AES (Advanced Encryption Standard). The key must be stored someone, and is typically placed in a digital certificate which is stored on the computer, and can be backed-up onto a USB device. The encryption key is normally generated by the user generating a password, which then generates the encryption key.

Along with this we need to provide the identity of user, and also that the data has not been changed. For this we use a hash signature, which allows for an almost unique code to be created for blocks of data. The most popular for this is MD5 and SHA. More details here. The hashing method used in TrueCrypt is SHA-512.

The Trouble Caused by Cryptography

Encryption is the ultimate nightmare for defence agencies, as it makes it almost impossible to read messages from enemies. The possibilities is to either find a weakness in the methods used (such as in OpenSSL) or with the encryption keys (such as with weak passwords) or, probably the easiest is to insert a backdoor in the software that allows defence agencies a method to read the encrypted files.

There has been a long history of defence agencies blocking the development of high-grade cryptography. In the days before powerful computer hardware, the Clipper chip was used, where a company would register to use it, and given a chip to use, and where government agencies kept a copy of it.

in 1977, Ron Rivest, Adi Shamir, and Leonard Adleman at MIT developed the RSA public key method, where one key could be used to encrypt (the public key) and only a special key (the private key) could decrypt the cipher text. Martin220px-PRZ_closeup_cropped Gardner in his Mathematical Games column in Scientific American was so impressed with the method that he published an RSA challenge for which readers could send a stamped address envelope for the full details of the method. The open distribution of the methods which could be used outside the US worried defence agencies, and representations were made to stop the paper going outside the US, but, unfortunately for them, many papers had gone out before anything could be done about it.

Phil Zimmerman was one of the first to face up to defence agencies with his PGP software, which, when published in 1991, allowed users to send encrypted and authenticated emails. For this the United States Customs Service filed a criminal investigation for a violation in the Arms Export Control Act, and where cryptographic software was seen as a munition. Eventually the charges were dropped.

A Brief History of TrueCrypt

TrueCrypt is an open source disk cryptography package, which has been around since February 2004 and maintained by the TrueCrypt Foundation. It has versions for Microsoft Windows, OS X, Linux, and Android, and supports 30 languages. David Tesařík registered the TrueCrypt trademarking the US and Czech Republic, and Ondrej Tesarik registered the not-for-profit TrueCrypt company in the US. It works by created a virtual drive on a computer, and then anything which is written to the disk is encrypted, and then decrypted when the files are read back. For encryption it uses private key encryption with AES, Serpent, or Twofish (or combinations of these), and uses hash functions of RIPEMD-160, SHA-512, and Whirlpool. In modern systems, AES is seen to be the most secure, and SHA-512 provides state-of-the-art signatures. The encrypted drive does not have a magic number which identifies the presence of TrueCrypt, but forensic analysis can reveal a TrueCrypt boot loader, after which a hacker might try different passwords to unlock the drive.

So what happened?

Internally, with Version 7.1a, there had been an audit on the code, with an announcement on 28 May 2014 that there was a discontinuation of TrueCrypt, along with the release of version of 7.2 (which was intentionally crippled and contained lots of warnings in the code). The updated licence (TrueCrypt License v 3.1) contained the removal of a specific language that required attribution of TrueCrypt. Never in the history of software had there been such an abrupt end, and where the developers did not even want a fork of their code. A recent email from a TrueCrypt developer (on 16 June 2014) outlined that they did not want to change the license to an open source one, and that the code should not be forked.

Backdoor?

Some reckon that there was an on-going code audit, and that an NSA-created backdoor was due to be found. Again, something that the smoke-screen was then put-up to move towards a closed-source alternative, which some reckon, also has an NSA-enabled backdoor. Few security professionals, especially those involved in the creation of encryption software, would have recommended the Microsoft technology.

The mystery remains about the code, but there are some strange pointers that give some clues. A strange one is that, with the code, “U.S.” has been changed to “United States”, which could point to an automated search and replace method of changing the code to reflect a possible change of ownership of the code.

The other strange thing about the post is that the page created for the re-directed looks as if it has been created by a complete amateur:

Screen Shot 2014-07-03 at 21.06.18and even the Wayback engine was having trouble finding the pages from the past:

Screen Shot 2014-07-03 at 21.12.30So was it a back door or could it have been a bug, in the same way that OpenSSL was exposed?

Code bug?

If there is a code bug, the light is likely to shine on one of the weak points in cryptography, which is the generation of a pseudo random number, which is almost impossible on a computer. One way of doing this is to randomly use the time between key strokes for users, but if an intruder can guess these, they can significantly reduce the range of numbers used for the cryptography process. This could have been the Achilles heel of the code, and that the audit process could have uncovered a flaw, which others could exploit. In the case of TrueCrypt the random number was generated by the user moving a cursor across the screen, and it could be this method which caused the problem.

Another possible problem focuses on the actual binary code produced. Even if the source code does not contain any bugs, it will be converted into machine code, which could expose problems which could be exploited. Overall, most users will generally download the binary distribution, as it is often too difficult to build the code from scratch. Thus there could have been an exploit within the binary distributions which could be compromised. Often developers forget that their code can be run within a debugger to view, and even edit, the code. With the code built for so many systems, it would have been almost impossible to make sure that the compiled code would be secure from being tampered with.

Will it die?

While the licence possibly prohibits a fork of the code, new groups, working outside the US, are Screen Shot 2014-07-03 at 21.55.29looking a setting up the code to overcome the licencing issues. The Web site on the right-hand side shows a group based in Switzerland (TrueCrypt.ch), and who aim to fully investigate the code, and build on previous versions of the code. The message on the site is:

TrueCrypt
must not die

TrueCrypt.ch is the gathering place for all up-to-date 
information.  If TrueCrypt.org really is dead, we 
will try to organize a future.

The Problems with Disk Encryption

Many see the encrypting of disks as the ultimate method of security, but, unfortunately, it suffers from many problems. These include:

  • When the user uses a weak password can make it fairly easy for an intruder to crack, as they continually try common passwords.
  • The encryption key is stored in running memory which is protected when TrueCrypt is running, but researchers have shown that a warm boot (that is, one which starts from a Ctrl-Al-Del, rather than from a power up) can release the lock on the memory and reveal the encryption key.
  • The domain administrator has a copy of the encryption keys. Most users in companies connect to a domain, and the domain administrator normally has a copy of the encryption keys for the encrypted drive (and which normally can be used to decrypt the disk if they user forgets their password). If they domain is breached the encryption key can be stolen and used to decrypt the drive.
  • The electronic key must be stored somewhere, and this is normally on a digital certificate. This is stored on the system, and can be cracked by brute-forcing the password on the digital certificate.

Conclusions

This article has more questions than answers, as this is currently where we are in understanding what happened here. There are still many theories around, but what could have happened, and virtually every software developer will relate to this, is that the developers found an architectural flaw, which could not be fixed with a simple update, and they decided to pull-the-plug. Otherwise, there approach seems strange, and doesn’t fit into the normal practice of open source developers. It must be noted that when OpenSSL was analysed it contained a whole of serious problems, and perhaps the developers within TrueCrypt realised that their code, written in C++ and Assembly Language, might have some serious problems which could be exploited by others, or that it had already been.

Many wonder why the audit started by the TrueCrypt team should continue, but humans are inquisitive, and love the challenge of looking for flaws, so we need to keep examining our code, and weed out bad practice, as so many problems have been caused with poorly written software, just as OpenSSL has shown.

What is strange is that all the previous versions have been taken-off the TrueCrypt site, which seems to point to a problem with these versions, and where they are pushing users to use the most up-to-date version (which contains lots of warnings and with code that makes it difficult to use).

In an era, where the natural next step for security is for us to store encrypted data within public cloud infrastructures, a weaknesses of this could end up compromising the whole of the Internet. So rather than the shock story around BMW giving up building cars, the shock story could be that all our secret files and communications were now viewable by everyone on the Internet … honestly … it could happen!

In the Information Age, we are all part of a great big experiment

Introduction

Connected People in NetworkWe are entering into an era where data is King, and where our every move, our every emotion and our every contact can be tracked. With the increasing analysis of social media, there is often very little that can be done about our lives that can be hidden from organisations wishing to push customized content to us, to try and understand how we live our lives. If an on-line company can drop a cookie onto our machine, they can sustain a long-term tracking of our activities, and this now includes understanding how we react to advertising material, especially on what material has made us click on the content, and increasingly they are learning our behavior.

The need to gain ethical permission, in the same way that research teams require when they involve human participants, is slowly eroding, and perhaps, in some cases, a natural extension of existing practices, where advertising content is focused on target groups.

One of the major changes within this Big Data era, is that users often freely offer their data to the Internet, and where it can be used in ways that are often unexpected to the user. For example, a tweet on a local event will time stamp where a person was at a given time, and even reveal information around their movements, and perhaps who they had contact with.

Mining for sense and emotion

With so much on-line data, it is key for advertising agencies to understand the emotions of messages posted on-line, and where studies that would take months or even years, can now be done within minutes. Like it or not, we are all part of an on-going experiment which is mining our data on a continual basis, and then pushing content our way, and monitoring even how we use the customized content.

SInce advertising began as an industry, researchers have thus been trying to mine large populations for the emotions, and the challenge within social media is to make sense of large amount of comments and to mine for the sentiments shown with them. This is fairly easy with a tweet of:

I am so happy that the sun is shining today :-)

but by placing a different emoticon on it, changes the sense:

I am so happy that the sun is shining today ;-)

and then is changed completely with the dreaded exclamation mark:

I am so happy that the sun is shining today!

which gives the impression that someone is very unhappy about the weather.

Part of a great experiment

Facebook took the emotion research one step forward in January 2012,  when their data scientist Adam Kramer conducted a two week experiment on 689,003 Facebook users, in order to find out if emotions where contagious within social networks. It basically came of the almost obvious conclusion that users feel generally happy when they are fed good news – the economy is looking good and the weather is nice – and depressed when they get bad news – a bomb has gone off injuring many people and it looks like snow is on the way.

For users the mining of the data is generally fine, and Facebook, and many other Internet-focused companies, especially Google and Amazon,  extensively mine our data and try to make sense of it. For this symbiotic relationship, the Internet companies give us something that we want, such as free email, or the opportunity to distribute our messages. What was strange about this one is that the Facebook users were been treated in the same way as rats in a laboratory, and had no idea that they were involved in the experiment. On the other hand it is not that much different from the way that affiliate networks have been created, and which analyse the user, and try to push content from an affiliate of the network, and then monitor the response from the user (Figure 1).

We increasingly see adverting in our Web page accesses, where the user is matched to their profile though a cookie, and where digital marketing agencies and affiliate marketing companies  try and match an advertising to our profile. They then monitor the success of the advertising using analytics such as:

  • Dwell time. This type of metric is used to find out how keen the user has been before clicking the content.
  • Click-through. This records the click-though rate on content. An affiliate publisher will often be paid for click-throughs on advertising material. This can lead to click-through scams, where users a paid to click on advertising content on a page.
  • Purchases. This records the complete process of clicking-though, and the user actually purchasing something. This is the best level of success, and can lead to higher levels of income, and in some cases to share a percentage of the purchase price. Again this type of metric can lead to fraud activity, where a fraudster will use stolen credit card details to purchase a high price item through a fraudulent Web site, and use this to gain commission from an on-line purchase (which is then traced to be fraudulent at a future time).

affFigure 1: Affiliate marketing

The key areas which are relevant to monitoring of user activities are:

  • Transaction verification. This involves protecting users by understanding their activities, especially around the types of purchases they make.
  • Brand monitoring. This involves understanding how brands are used within web pages, and how they are integrated and if key messages are picked-up.
  • Web-traffic analytics. This involves understanding how users search of pages and navigate around web sites.
  • Affiliate platforms. This tries to match users to affiliates, and integrate targeted marketing.
  • Campaign verification. This uses analytics to verify that campaigns are successful in their scope.

One of the most successful uses of targeting the user and monitoring their actions is in affiliate marketing, where  businesses reward affiliates for each ‘customer’ brought about by the affiliate’s own marketing efforts. This is a booming market:

  • Of projected global online sales of nearly $780 billion by 2014, ~ $90bn will be driven by affiliate marketing
  • $4.62bn sales driven by affiliate marketing in the UK in 2010.

Figure 2 shows an example of targeted advertising, where a previous page involved a search for a Microsoft Surface Pro, and Ad-Choice (which is maintained by Criteo) has integrated an advert for it within another page. In this way Ad-Choice has decided that this is a good advertisement for us, and if we click though, the click will be remembered, and the host site will get some form of payment for the click. If the user actually follows-through and purchases the goods, the host site could gain a part of the commision.

expertFigure 2: Ad-choice integration based on user activity

Conclusions

Thus we are being monitoring and mined all the time, and the content which is pushed to us is focused on us. Increasely the content for us is being customized with advertising messages. There is generally no need for informed consent, at the present, for this type of push advertising, as users generally feel that there an acceptable level in intervention for their Web content, but perhaps forget that there is a whole of lots matching and analyzing going on in the background.

Gaining Access to our Internet Records – Warrant or Not? Can it be trusted?

Background

Corroboration article

Corroboration article

Many countries are debating how digital information is used to detect and resolve crime. On the right-wing, there is a push to justify the accesses to ISP (Internet Service Provider) information, such as for the IP addresses of users downloading and distributing copyright material, while more liberal government see this as a Big Brother society.

In a countries such as Canada there is a move for information from ISPs to be handed over without a warrant. The Conservative government in Canada has thus pushed through Bill C-13 (Protecting Canadians from Online Crime Act) which aims to allow access to ISP records within a warrant, but the Bill has just been overruled by Canada’s top court as being unconstitutional, and seen as a snooping law. A major question must be in how creditable Internet records will actually be, as many homes are allocated a single IP address, which maps to all the users of the home network. The Bill is justified through the risks around Cyberbully and copyright breaches, but could obviously be abused, and used for a range of surveillance activities. A previous Bill (C-30) was rejected due to surveillance concerns, and many think that the recent cases of Cyberbullying in Canada are being used to justify C-13.

In Scotland, too, there has also been a great deal of discussion on ditching corroboration in cyber crime in Scotland. It looks like that this will not go ahead. One thing that should be remembered is that digital evidence is often fragile. To outline how fragile it is, the article outlines six key scenarios which show that it is often not possible to fully prove the digital information is fully creditable in criminal investigations. The six defence scenarios which can be easily quoted are:

  • It wasn’t my computer.
  • Someone accessed my machine and did it.
  • Someone stole my user account details.
  • The bot did it.
  • My computer automatically went to it.
  • I didn’t send the email.

The article does not outline the rights or wrongs of accessing without a warrant, but outlines the cases where the digital information cannot be seen as definitive sources of evidence.

Six Scenarios

Digital Information is really just a bunch of 1s and 0s. It is fragile, and often can be changed while it is stored, transmitted or even processed. Basically all the information what we see is converted from these 1s and 0s, and often provided in a way which can be easily compromised. I thus see the usage of digital evidence gathering provides investigators with new ways to quickly investigate, and also to provide corroboration to traditional evidence. I’d like to thus outline seven scenarios, which show how fragile digital information is.

Crime Scenario 1 (Defence: It wasn’t my computer). In this case Bob is at home, and his ISP has detected that he has been accessing illegal content. Bob is arrested, and says that it was someone else in his work. In this case, most home networks use NAT (Network Address Translation) which maps one or more private IP addresses (such as 192.168.0.1, 192.168.0.2, and so on) to a single public IP address. Thus all the data packets received by the ISP will have the same IP address, no matter the computer that generated the request. Thus it is not possible to lock-in on the physical address of the computer, as the physical address cannot be determined from the data packets. So just IP addresses alone cannot be taken as a single source of evidence.

In a company environment, again, the IP address alone cannot be taken as a creditable single source, as it can be spoofed. In this case, Alice waits for Bob to log-off, and then sets her computer to a static address which matches Bob’s computer, and then accesses the material, and Bob gets the blame. If we were to use the physical too as a trace, again, the physical address (normally known as the MAC address) is also easily spoofed.

Crime Scenario 2 (Defence: Someone accessed my machine and did it). In this case, Bob’s computer has illegal content on it, and he claims that he had no idea how it got there. In this case, most computers are networks, and once they join a network that can be connected to. Often guest shares or guest accounts can be used to create a connection. If not, there’s a whole lots of malware kits that Eve can use to gain remote access to the machine. In this case Eve sends a link to Bob to access a PDF document. He views it, and it actually setups up a remote access method for Eve, and she can do whatever she wants on his machine. If Bob hasn’t patched his machine, he has become vulnerable to this. So in defence he just says that he doesn’t trust Microsoft for their patches, and it was their fault. If the PDF one doesn’t work, she tries a Java exploit, if that doesn’t work, it’s a Flash compromise … and she keeps trying.

Crime Scenario 3 (Defence: Someone stole my user account details). Bob is arrested for trying to take money from someone else’s account and put it into an off-shore account. The bank says that he logged in, and transferred the money. With this, Eve has send Bob a trick email which asks him to login and check some details. He logs in, but it doesn’t work, but the next time it is fine. After this Eve has his login details, and can go ahead and login on his behalf. Bob has no idea that anything has went wrong, but the first site was a spoof-site, and captured his login details for his bank, and then redirected to the main site, for which the login worked. To make the spoof site look real, Eve has scrapped the images, text and style sheets from the bank site, so it all look real.

trojCrime Scenario 4 (Defence: The bot did it). In this case, Bob has been attacking a remote site, and is arrested. His defence is that it wasn’t him, but it was a bot on his machine. In most cases, this defence is not strong, but there is always a chance that a bot on the computer did generate the malicious activity. Just because no malware is found on a machine at the point of investigation, doesn’t mean that it wasn’t there at some time in the past.

Crime Scenario 5 (Defence: My computer automatically went to it). In this case, Bob has been detected by his ISP in accessing some criminal material. He is arrested, and says that he knew very little about it, and has basically accessed his bank but ended up viewing the criminal material. For this one, we have to look at details at domain name servers (DNSs), and to Internet gateways. Unfortunately, the Internet has been created with very little creditability in the information that is passed. So when Bob starts his computer, Eve has broadcasts the MAC address of her computer, and pretends to be his Internet gateway and also his DNS server. All Bob knows is that when he accesses his bank, he sees the wrong site. In fact, Eve has poisoned his domain name look-ups, and she resolves his domain requests to the wrong IP address, which is logged on the ISP.

Crime Scenario 6 (Defence: I didn’t send the email). In this case we have Bob who is send abusive emails to Alice, and she forwards them onto the Police saying that he is abusing her. Bob is then arrested saying that he knew nothing about it. In this case, the email system we have setup has no credibility, and anyone can send an email saying that they are anyone they want to be. Thus Eve uses her own SMTP server, within a private network, and send the email. In fact the email contents just contain headers of:

To: Alice@test.com
From: Bob@test.com

and there is no way of actually telling it was from Bob. So? Email really can’t be used as a fully creditable source of evidence. If can be used to timeline, but you cannot ever confirm that the send is actually who it says in the “From:” field.

Conclusions

There’s very little of what is generated on a computer or network is actually 100% creditable. Basically if someone wants to change things on the Internet, or on computers, they can do so. I appreciate that many of the crimes which are investigated related to cybercrime have threat levels, but that does not justify reducing the threshold for the evidence level. To pin-point someone from an IP address (or even a MAC address), when they are using a shared home network, it not really any form of creditable evidence, and can only be used to provide one piece of the picture around a crime.

Text from the article

POLICE have called for the abolition of a key plank of Scots law in order to help secure convictions for online crimes such as child pornography and grooming.

Officers say the need to corroborate key facts to bring a case to court is limiting their ability to tackle cyber crimes, which include paedophilia, harassment and online fraud.

But online experts have warned that digital trails of evidence can be unreliable on their own and need to be corroborated by others forms of evidence to prevent miscarriages of justice.

Police Scotland officers struggle to find corroborating evidence when acting on allegations of online crime brought by members of the public.

Assistant Chief Constable Malcolm Graham said: “It’s an emerging crime type where the likelihood of getting corroboration for essential facts diminishes.

“A lot of cases that come through the courts are where police have proactively monitored people, where we think there’s a risk that children might be abused.

“But in cases where people come and report to us that they have been the victim of cyber crime, there can be issues in terms of attributed communications hardware.

“We believe the law should develop to keep in touch with technology. This would be an example where current legislation has not developed and evolved in recognition of the range of criminal operations.”

Police Scotland supports the Scottish Government’s plans to abolish the requirement to have corroboration in order to bring a case to court.

The legislation, which is being debated in the Scottish Parliament, is based on recommendations by Lord Carloway, the Lord Justice Clerk, which are opposed by other Scottish judges and leading lawyers.

Professor Bill Buchanan, director of Edinburgh Napier University’s centre for distributed computing, networks, and security, which trains police in tackling cyber crime, also warned against abolishing the need for corroboration.

“On the internet it’s very difficult to take one source of evidence as a definitive source as things can be changed and people can have different identities,” he said.

“We should always get some physical and some traditional corroboration, along with the digital footprint.

“Logs can be tampered with, you have an IP address, but people can spoof them.”

A UK expert on online crime said that more funding, rather than a change in the law, was needed.

David Cook, a cyber crime and data security solicitor, said: “Our prosecutors find it notoriously difficult to adequately evidence crimes that occur online and the vast majority go not only without prosecution but even without a proper investigation.

“However an effective investigation can and should still take place. That those who police us choose to not provide adequate resources to such matters, instead suggesting the erosion of a civil liberty that is centuries old, is a lamentable position.

“I fear that such a change would inevitably cause an increase in the number of miscarriages of justice,” he added.

Police Scotland estimates that 3,000 more victims will be granted access to justice by abolishing the need for corroboration,” he added.

In a separate study, the Crown Office looked at 458 rape allegations which did not reach court because of insufficient evidence. They were re-examined as if corroboration was not required and prosecutors estimated 82 per cent could have proceeded to trial, and 60 per cent had a reasonable prospect of conviction.

Police Scotland has not yet produced similar research on what impact removing the requirement would have on cyber crime.

Alison McInnes MSP, Scottish Liberal Democrat justice spokeswoman, said: “This is a new argument which has certainly not been reflected in the wide range of evidence given to the justice committee. If Police Scotland believe that corroboration has impeded cases such as these then I am surprised that they have not reflected that in their oral evidence to the committee.

Abolition call: Cadder ruling

The proposed abolition of corroboration – the requirement to have two independent pieces of evidence to bring a case to court – stems from a Supreme Court judgment in 2010.

The UK’s highest criminal court found in favour of Peter Cadder by ruling that it was a human rights breach for police to interview suspects without giving them access to a solicitor. This has led to more suspects refusing to speak in interviews.

This is particularly problematic for police in cases of alleged rape. Previously an accused may have admitted having sex but claimed it was consensual, which would have allowed police to corroborate a key element of the charge.

In light of the Cadder ruling, the Scottish Government asked Lord Carloway, now Scotland’s most senior judge, to review Scots law. Carloway made a raft of recommendations, including abolishing the need for corroboration. The proposal is in a criminal justice bill now in front of the Scottish Parliament.

Forget Bombs and Guns … this is the new Battle Field

Introduction

Anonymous faceAs we have seen in Russia’s suspected cyber attack on Web sites in Estonia, and in the Arab Spring uprising, the Internet is playing an increasing part within conflicts around the World. Thus as we move into an Information Age, the battle field of the future is likely to be in Cyber Space, along with this it will also be the place where nation states will struggle to control news outlets.

Over the centuries, information has often been controlled by traditional media outlines, where viewpoints on whether organisations and individuals are seen generally as threats is defined by the government of the time. On the Internet, national boundaries have become blurred, and the control that any nation can have of dissemination on the Internet has been eroded, especially in the openness of platforms such as Twitter, Facebook, and also on news Web sites. This article outlines how the Syrian Electronic Army (SEA), a pro-Assad group of “hacktivists”, with its limited resources, managed to compromise one of the leading news agencies in the World, and not by directly compromising their site, but an associated one. This expands the scope of compromises from not just sites operated by organisations, but also to their trusted partners.

Reuters Hack

Over the weekend (at 12noon on Sunday 22 June 2014) this was highlighted by the SEA redirecting users to a page which stated:

Stop publishing fake reports and false articles about Syria!UK government is supporting the terrorists in Syria to destroy it. Stop spreading its propaganda.

The target, though, was not the Reuters site, but on the content it hosted, and which is used by many other media outlets. This has happened in other related hacks on sites, such as with the New York Times, where the SEA went after the domain name servers of the New York Times and Twitter, though the registry records of Melbourne IT. Thus when a user wanted to go to the New York Times site, they were re-directed to a page generated by the SEA.

In the case over the weekend, the web advertising site Taboola was compromised, and which could have serious consequences for their other clients, who include Yahoo!, the BBC and Fox News. With the increasing use of advertising material on sites, it will be great worry to many sites that messages from hacktivists could be posted through them. Previously, in 2012, Reuters was hacked by the SEA (Syrian Electronic Army) who posted a false article on the death of Saudi Arabia’s foreign minister Saud al-Faisal.

In a previous hack on The Onion, the SEA used one of the most common methods of compromise: a phishing email. With this a person in the company clicked on the malicious link for what seemed to be a lead story from the Washington Post story. Unfortunately it re-directed to another site and then asked for Google Apps credentials. After which, SEA gained access to the Web infastructure and managed to post a story.

It is possible that this attack on Reuters is based on this type of compromise, as it is fairly easy to target key users, and then trick them into entering their details. Often the phishing email can even replicate the local login to an intranet, but is actually a spoofed version. In the case of The Onion, SEA even gained access to their Twitter account.

In classic form, The Onion, on finding the compromise, posted and article leading with:

Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels.”

While it took a while for The Onion to understand what had happened on their network, Reuters detected the compromise, and within 20 minutes the content had been fixed.

A cause or a fight?

Organisations need to understand that there are new risks within the Information Age and there are new ways to distribute messages, especially from those who are skillful enough to be able to disrupt traditional forms for dissemination. Thus Hacktivism can become a threat to any nation state and organisation (Figure 1).

Slide3Figure 1: Security is not just technical, it is also Political, Economic, and Social

The important thing to note about Hacktivism is that the viewpoint on the Hacktivist will often be reflected on the political landscape of the current time, and that time itself can change this viewpoint. While Adolf Hitler and Benito Mussolini are still rightly seen as terror agents, Martin Luther King and Mahatma Gandhi are now seen as freedom fighters. Thus viewpoints often change and for some the Hacktivist can have the image of a freedom fighter.

Slide6Figure 2: Hacktivism

Big v Little

The Internet supports a voice for all, and there are many cases of organisations and national states upsetting groups around the World, and where they have successful rebelled against them. In 2012, Tunisian Government web sites were attacked because of Wikileaks censorship, and in 2011, the Sony Playstation Network was hacked after Sony said they would name and shame the person responsible for jail breaking their consoles (Figure 3). It can be seen that just because you are small on the Internet, doesn’t mean you cannot have a massive impact. Sony ended up losing billions on their share price, and lost a great deal of customer confidence.

Slide7Figure 3: Hacktivism examples

HBGary Federal

The HBGary Federal example is the best one in terms of how organisations need to understand their threat landscape. For this Aaron Barr, the CEO of HBGary, announced that they would unmask some of the key people involved in Anonymous, and contacted a host of agencies, including the NSA and Interpol. Anonymous bounced a message back saying that they shouldn’t do this, as they would go after them. As HBGary were a leading security organisation, they thought they could cope with this and went ahead with their threat.

Anonymous then searched around on the HBGary CMS system, and found that a simple PHP request of:

http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

give them access to the complete database of usernames and hashed passwords for their site. As the passwords were not salted, it was an easy task to reverse engineer the hashes back to the original password. Their target, though, was Aaron Barr and Ted Vera (COO), each of which used weak passwords of six characters and two numbers, which are easily broken.

Now they had their login details, Anonymous moved onto other targets. Surely they wouldn’t have used the same password for their other accounts? But when they tried, the can get access to a while range of their accounts using the same password (including Twitter and Gmail). This allowed Anonymous access to GBs of R&D information. Then the noticed that the System Administrator for their Gmail Email account as Aaron, and managed to gain access to their complete email system, and which included the email system for the Dutch Police.

Slide9Figure 4: Access to email and a whole lot more.

Finally they went after their top security expert: Greg Hoglund, who owned HBGary. For this they send him an email, from within the Gmail account, from a system administrator, and asking for confirmation on a key system password, of which Greg replied back with it. Anonymous then went onto compromise his accounts, and which is a lesson for many organisations. While HBGary Federal has since been closed down, due to the adverse publicity around the hack, the partner company (HBGary) has went from strength-to-strength, with Greg making visionary presentations on computer security around the World.Slide10Figure 5: Greg’s compromise.

 

Conclusions

A likely focus of the intrusion is around a spear phishing email, where users are tricked into entering their user details, which allows the intruder to gain access to privileged systems. The worry for this compromise is that the Reuters site integrates over 30 third-party/advertising network agencies into its content, and a breach on any of these could compromise their whole infrastructure.

I am a technologist and not a political analyst, so I couldn’t make any political judgments around Hacktivism, but HBGary shows us a few things:

  • Use strong passwords.
  • Never re-use passwords.
  • Patch systems.
  • Watch-out of social engineering.
  • Beware of unchecked Web sites.
  • Get an SLA (Service Level Agreement) from your Cloud provided. Organisations need to react quickly on a data breach, especially for email, and an SLA should state how quickly the Cloud provider will react to requests for a lockdown of sensitive information, along with providing auditing information to trace the compromise.
  • Don’t store emails in the Cloud.
  • Test your Web software for scripting attacks.

And for the Internet providing mechanisms for those with a grievance to air their viewpoint, well some would say that individuals have rights to give their viewpoints, while others will say that their viewpoints are a threat against society, so it’s important for us all to make up our own minds, and for us to assess each on its merit.