Principia Discordia

Principia Discordia => Techmology and Scientism => Topic started by: Triple Zero on August 02, 2009, 01:13:29 PM

Title: Security Thread
Post by: Triple Zero on August 02, 2009, 01:13:29 PM
'cause me and Rat and Cain and some others post security/hacking/social engineering/etc. related articles up for discussion every now and then, I thought maybe I'd create a special thread for them.
anyone who wants to share a security-related article/topic, feel free to post at least title, link and short summary/blurb/first paragraph. also feel free to jack the thread as far as you like, it'll get back on topic when a new article gets posted.
remember, security is not just about technology or hacking or encryption, but also physical security such as lockpicking or social engineering.

Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?

Some Top (IMO) security blogs

http://www.schneier.com/blog/
http://www.wired.com/threatlevel/
http://www.lightbluetouchpaper.org/ (Security Research, Computer Laboratory, University of Cambridge--interesting projects)
http://asert.arbornetworks.com/


Tangentially security related (privacy, electronic freedom, etc)
http://www.freedom-to-tinker.com/
http://www.eff.org/deeplinks/archive
https://www.bof.nl/ (the Dutch EFF. if you can read Dutch, must-read, even if you don't live there. also a damn slick custom WordPress skin)

Misc
http://neworder.box.sk/
http://ha.ckers.org/ (used to be one of the cutting-edge sites in webappsec, but is rarely updated these days)
http://sla.ckers.org/forum/list.php?13 (the "News and Links" subforum of ha.ckers.org, dunno how good it is, but the community is reasonably active)

(original first post)

I'll start with

Stoned Bootkit pwns TrueCrypt Full-Volume
http://www.stoned-vienna.com/

Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again".

TrueCrypt Attack

Stoned is able to bypass the full volume encryption of TrueCrypt. It allows installing a trojan on a computer whose hard disk is fully encrypted. Let's take a look at the technical part. For TrueCrypt encryption there are two scenarios:
1. Only the system partition is encrypted; the master boot record, unpartitioned space and the host protected area stay unencrypted
2. Full volume encryption; only the master boot record stays unencrypted

The trick is that the master boot record is never encrypted - and thus can be safely overwritten and used for our own boot 'software'. For the first case additional data such as plugins, the original master boot record backup or further code can be stored to unpartitioned space. For the second case the whole Windows attacking code must fit into the master boot record, into the 63 sectors minus the decryption software. TrueCrypt has free 7 sectors where Stoned Bootkit still fits, so even full volume encryption is no problem.

My personal notebook has the system partition encrypted with TrueCrypt. I showed at Black Hat USA 2009 live that Stoned Bootkit was able to bypass that and could pwn my own system.
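The practical defender's takeaway from the post above is that the boot region TrueCrypt leaves in the clear is exactly the region a bootkit can rewrite, so it is also the region you can baseline. The following is an added example (not code from the thread or from the Stoned project): it parses a 512-byte MBR, hashes the MBR plus the 63 sectors before the first partition, and compares that hash to a known-good value. The disk image is a constructed byte string, and the "tampered" copy simulates the post's scenario on it; the partition table and 0x55AA signature are left intact in that copy to show that a structural check alone does not notice the change.

```python
"""Added example, not from the thread or the Stoned project: a baseline check on the
unencrypted boot region that the post says a bootkit can overwrite. TrueCrypt leaves
the MBR (and, in the system-partition case, the unpartitioned sectors before the first
partition) in the clear, so a defender can hash that region against a known-good
baseline and notice when it changes. The disk image is a constructed byte string."""
import hashlib
import struct

SECTOR = 512
BOOT_REGION_SECTORS = 63  # MBR plus the sectors before the first partition (see post)


def parse_mbr(mbr: bytes) -> dict:
    """Decode the 0x55AA boot signature and the four partition-table entries of one sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one sector")
    signature = struct.unpack_from("<H", mbr, 510)[0]
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": signature == 0xAA55, "partitions": partitions}


def boot_region_digest(image: bytes) -> str:
    """SHA-256 over the MBR and the unpartitioned sectors that stay unencrypted."""
    return hashlib.sha256(image[:SECTOR * BOOT_REGION_SECTORS]).hexdigest()


def check_boot_region(image: bytes, baseline_digest: str) -> dict:
    """Structural sanity plus baseline comparison; the second is what catches a bootkit."""
    mbr = parse_mbr(image[:SECTOR])
    return {"signature_ok": mbr["signature_ok"],
            "partitions": mbr["partitions"],
            "matches_baseline": boot_region_digest(image) == baseline_digest}


def build_sample_image() -> bytes:
    """Constructed 63-sector image: boot-code stand-in, one NTFS partition at LBA 63, 0x55AA."""
    mbr = bytearray(SECTOR)
    mbr[:16] = b"BOOTLOADER-STUB\x00"  # stands in for real boot code
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 63, 1_000_000)
    struct.pack_into("<H", mbr, 510, 0xAA55)
    return bytes(mbr) + bytes(SECTOR * (BOOT_REGION_SECTORS - 1))


def tampered_copy(image: bytes) -> bytes:
    """Simulate the post's scenario on the constructed image: boot code replaced, extra bytes
    parked in the unpartitioned gap, partition table and signature left intact."""
    img = bytearray(image)
    img[:16] = b"REPLACED-BOOT!!\x00"
    img[SECTOR * 10:SECTOR * 10 + 8] = b"EXTRADAT"
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = boot_region_digest(clean)  # record this while the system is known-good
    print(check_boot_region(clean, baseline))
    print(check_boot_region(tampered_copy(clean), baseline))
```

The baseline has to be taken and stored somewhere the attacker cannot reach from the booted OS (offline media, or a hash attested by a trusted boot measurement); a baseline kept on the same disk is just one more unencrypted sector to overwrite.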
Title: Re: Security Thread
Post by: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/
Title: Re: Security Thread
Post by: Cain on August 02, 2009, 02:18:35 PM
And on that note....THIS is why I've had to ban so many goddamn spambots of late:

McAfee warns Spam, Trojans and Spybots are rocketing

http://www.wired.com/threatlevel/2009/07/mcafee-spam-trojans-and-botnets-skyrocketing/

Zombie penetration set a record for the second straight quarter this year. Spam jumped 80 percent from the previous period, which made it a record 92 percent of all e-mail, according to the McAfee Threats Report released Wednesday.

"If the economy could rebound as spam has done in (the) second quarter, we would all be much happier with our retirement accounts. Spam has surged since the prior quarter, increasing nearly 80 percent. Last year's spam fell drastically from previous quarters, in large part due to the shutdown of the McColo ISP," the report said.

The report also warned of emerging threats of auto-run malware to increased botnets. Password-pilfering trojans are proliferating and expected to double this year from the prior year.

Researchers also warned of increasing malicious attacks on social-networking sites like Twitter, where URLs often are condensed. "The caution that users usually apply when they view search results and news links disappears behind the obfuscating address," the report notes.

------------------------

The article itself has some nice graphs and a link to the full report
Title: Re: Security Thread
Post by: Triple Zero on August 02, 2009, 03:03:16 PM
but I think the spam that is on the rise due to botnets and such is email spam, not forum spambots.

you really need botnets for mass spam emailing, because no proper email server relays that shit anymore.

but for forum-spamming you just need fresh proxies. these fresh proxies probably also come from botnets, but they are not the limiting factor. I'd guess in this case it is the amount of CAPTCHAs you can crack, or admins you can fool into letting spambots in.

this is a bit of speculation on my side, so anyone correct me if they think I'm wrong. but the technology behind email spam is quite different from forum spam, even though the shit that is advertised is largely the same.

as for security sites/news, Schneier and ha.ckers would be the first ones I'd recommend as well. I don't happen to read Wired's Threat Level, unless I come across a link to it somewhere.
I get interesting security-related links via Twitter from various sources. One new thing I found through there, when looking up some stuff about the Iran DPI stuff is the Arbor security blog: http://asert.arbornetworks.com/ it had some good info not found elsewhere on traffic analysis before and during the Iran elections. It might be of particular interest to you, Cain, since the topics are less about the latest exploit in browser plugin X, but a bit more about the IR side of things. If you like podcasts, also check that section, there's some interesting titles there (but haven't listened myself).
Title: Re: Security Thread
Post by: Cain on August 02, 2009, 03:23:24 PM
OK then.  I'll take your speculation as likely, for now, since I know even less.  However, my general thinking is that if email spam is on the rise, then it suggests the people behind it are able to do more, and so may also have more resources to also devote to forum spam.

Anyway, thanks for the link.
Title: Re: Security Thread
Post by: Requia ☣ on August 02, 2009, 04:31:30 PM
Stoned isn't a terribly interesting attack.  It's just a logger on the system.  You still have to enter your password at least once after it's installed for it to be useful.

Truecrypt still works perfectly for its purpose, which is keeping your data inaccessible without your password.  And a hardware keylogger was always able to do this if you gave someone physical access to your machine and then got it back.  (actually the keylogger is the bigger risk, since if you send a notebook in for hardware repairs its normal to keep the hard drive to avoid damage in shipping/idiots at the repair sweatshop wiping your data).
Title: Re: Security Thread
Post by: Triple Zero on August 02, 2009, 07:36:28 PM
Agreed with all that, except for "Stoned isn't a terribly interesting attack." cause the way it does it is interesting IMO.
Title: Re: Security Thread
Post by: Triple Zero on August 04, 2009, 11:10:54 PM
this is what the Deep Packet Inspection threat can do

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/

Return to the Iranian Firewall
by Craig Labovitz

It has been 40 days since the start of protests in Iran.

And a lot has changed since my last blog post on the Iranian national firewall. Hundreds of Iranians are imprisoned or dead. And where the Iranian government firewall may have failed, oppression and fear have succeeded (at least for now). The infectious global anticipation of an Iranian velvet revolution is gone. Mass trials of reformists begin this week.

And the great Iranian firewall? Still in place and perhaps now operating with renewed efficiency.

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/
Title: Re: Security Thread
Post by: Triple Zero on August 04, 2009, 11:17:58 PM
maybe this should be in aneristic delusions ...

http://www.nytimes.com/2009/08/02/us/politics/02cyber.html?pagewanted=print

Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk
By JOHN MARKOFF and THOM SHANKER

It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops.

“We knew we could pull it off — we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.

But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.

http://www.nytimes.com/2009/08/02/us/politics/02cyber.html?pagewanted=print
Title: Re: Security Thread
Post by: Requia ☣ on August 05, 2009, 03:20:36 AM
Quote from: Triple Zero on August 04, 2009, 11:10:54 PM
this is what the Deep Packet Inspection threat can do

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/

Return to the Iranian Firewall
by Craig Labovitz

It has been 40 days since the start of protests in Iran.

And a lot has changed since my last blog post on the Iranian national firewall. Hundreds of Iranians are imprisoned or dead. And where the Iranian government firewall may have failed, oppression and fear have succeeded (at least for now). The infectious global anticipation of an Iranian velvet revolution is gone. Mass trials of reformists begin this week.

And the great Iranian firewall? Still in place and perhaps now operating with renewed efficiency.

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/

Iran doesn't have DPI capability from what I've seen, which is why they blocked all access to text messaging and sites instead of just targeting dissident messages.
Title: Re: Security Thread
Post by: Triple Zero on August 05, 2009, 04:43:58 PM
Great Firewall, DPI, the distinction is not really important for the point of this article.
Title: Re: Security Thread
Post by: Triple Zero on August 07, 2009, 10:54:40 PM
Some Researchers Lack Basic Ethics
By Roel Schouwenberg

Some students at a Michigan university set up a server where people can upload (detected) viruses, and then the server would try many different "packers" on the code of these viruses.
A "packer" is a tool that modifies the code of a program, making it smaller using a ZIP-like algorithm and an integrated unpacker.
Packers are mainly used to reduce executable size, as employed by mainstream software such as Opera and uTorrent, among others.
Apart from being useful to make executables smaller, it also changes the code, hiding the "signature" that an anti-virus program looks for in order to detect the virus.

What this service did was apply different packers in different combinations (since the input and the output of such a packer are both executables, you can "chain" them and feed one to the other), and check how many virus scanners were still able to detect the virus.

It turns out that in most cases, a single pass by an open-source packer called UPX was enough to foil antivirus software. UPX is a packer we used to use back in my demoscene days, before 2000, in order to fit more cool shit into the "see how much cool graphics and sound you can fit into 64 kilobytes" competitions. That's 10 years ago.

Mr Roel Schouwenberg, an employee of Kaspersky, a signature-based antivirus software company, thinks that the research done by these students was highly unethical.

Personally, I think antivirus software companies are a bunch of snake-oil salesmen who sell false security which can be foiled by 10-year-old software tools. And no I don't know what the safe answer is here, except that I'll be switching back to Linux soon :-P

http://threatpost.com/blogs/some-researchers-lack-basic-ethics#comment-14427588
Title: Re: Security Thread
Post by: Requia ☣ on August 08, 2009, 10:14:38 AM
Kaspersky is hardly just signature based.  In fact I don't know any major vendor without at least some level of heuristic detection.  Even AVG finally got it.
Title: Re: Security Thread
Post by: Triple Zero on August 08, 2009, 01:11:14 PM
Requia, I notice that every time I post about something security related article, you feel you need to downplay it in some way, usually missing the point entirely. Why is this?

Also in this case, again, missing the point. The fact remains that a single pass with publicly available packers can and does foil most antivirus software (including Kaspersky, who are now screaming about ethics).

Adding to that, what are "heuristics" by the way? I know a lot of antivirus software claims "heuristics", but what does it do exactly? And does using "heuristics" mean they do not use signature-based detection?

Some antivirus software claim they use "heuristics" so they can detect unknown viruses before their signatures are downloaded from the signature database update. If that's what heuristics means, it's completely unrelated to this research, since the research is about hiding known viruses. In which it seems to succeed, heuristics or no.

In my mind, I always thought of heuristics as the antivirus software scanning in some sense the "intention" of the code, that a heuristic virus scanner would somehow look for "code that exploits the host and copies and/or infects other computers or files and/or listens to a C&C server for botnet commands" (or something like that), regardless of the exact code instructions used to implement this behaviour. The problem however, is that this is, like the Halting Problem, an undecidable problem, which in practice means that it is computationally intractable to make even a reasonable attempt, and conversely, given a reasonable attempt, it is trivial to foil it (as the research shows).

...

okay right, I just looked up heuristic based virus scanning on wikipedia:

http://en.wikipedia.org/wiki/Antivirus_software#Heuristics

read it. the paragraphs are about what I described above; as you can see it is riddled with :cn: tags, which I can only assume is because these techniques are only theoretical and not implemented, what anti virus programs would *like* to be able to do, except none of them actually do it (because it is pretty fucking hard to do and trivially easy to foil).

after that comes a bit about generic signatures, which is about detecting slight variants of known viruses (calling this "mutation" is going a little bit too far with the biological analogy IMO).

so, finally we read that what anti virus software calls "heuristics" is nothing more than signatures with wildcards.

sorry but WTF. I always assumed the signatures already contained wildcards and that the detection they call "heuristics" would at least be slightly smarter than that (even if I don't know how).

but yeah, no wonder that a simple packer foils even heuristic-based anti virus software, it completely changes all the bytes of the code, so no wildcard is going to catch that.

also, UPX (or perhaps it was another widely used packer) allows you to set a special "key" for the packing algorithm: since it's shuffling bits around during the unpacking stage anyway, it's easy to XOR the stream with a key as well, thereby obfuscating the bytes of the code in an arbitrary fashion.
unless the antivirus software specifically detects UPX packed code, and then unpacks it (it cannot just block UPX packed code, because lots of legit software uses it), and then checks for the signature, this is impossible to catch. of course, the antivirus software needs to do this for every code packer that is publicly available.

it's pretty much a losing battle if you fight it that way.
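To make the "signatures with wildcards" conclusion and the unpack-before-you-scan point concrete, here is an added example that is not code from the thread, from the Michigan study, or from any antivirus vendor. It builds a byte-signature matcher where `??` is a one-byte wildcard (what generic signatures amount to), scans a constructed, non-executable sample, then runs the same sample through a stand-in packer. zlib stands in for UPX here (assumption: like a real packer it rewrites every byte and prepends an unpacker stub), so the signature stops matching until the scanner recognises the stub and unpacks.

```python
"""Added example, not from the thread, the Michigan study or any AV vendor: a
byte-signature matcher with wildcards (what the post concludes AV "heuristics" amount
to), run over a constructed benign sample before and after a "packing" pass. zlib
stands in for a packer such as UPX (assumption: like UPX it rewrites every byte and
prepends an unpacking stub), so the signature only matches again after unpacking."""
import re
import zlib

STUB = b"STUB"  # stand-in for the packer's unpacker stub that prefixes the packed body


def compile_signature(sig: str):
    """'4D 41 ?? 4B' -> bytes regex; '??' is a one-byte wildcard, as in AV generic signatures."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: dict) -> list:
    """Names of every signature found anywhere in data, in dictionary order."""
    return [name for name, pat in signatures.items() if pat.search(data)]


def pack(data: bytes) -> bytes:
    """Stand-in packer: compress the whole body and prefix the stub."""
    return STUB + zlib.compress(data, 9)


def unpack(data: bytes) -> bytes:
    """What a scanner must do before matching: recognise the stub, restore the body."""
    if not data.startswith(STUB):
        raise ValueError("not packed with this stub")
    return zlib.decompress(data[len(STUB):])


def scan_with_unpacking(data: bytes, signatures: dict) -> list:
    """Scan the file as-is and, if it carries a known packer stub, its unpacked body too."""
    hits = set(scan(data, signatures))
    if data.startswith(STUB):
        hits.update(scan(unpack(data), signatures))
    return sorted(hits)


# Constructed sample: fake MZ/PE header, filler, and a marker string; nothing executable.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 40 + b"PE\x00\x00"
          + b"hello-sample-body " * 20 + b"MARKER-XYZ" + b"\x00" * 100)
# A "variant" with three bytes of the marker changed, the case a wildcard signature is for.
VARIANT = SAMPLE.replace(b"MARKER-XYZ", b"MARKERabcZ")

SIGNATURES = {
    "marker-exact": compile_signature("4D 41 52 4B 45 52 2D 58 59 5A"),  # MARKER-XYZ
    "marker-wild":  compile_signature("4D 41 52 4B 45 52 ?? ?? ?? 5A"),  # MARKER???Z
}

if __name__ == "__main__":
    print("plain   :", scan(SAMPLE, SIGNATURES))
    print("variant :", scan(VARIANT, SIGNATURES))
    print("packed  :", scan(pack(SAMPLE), SIGNATURES))
    print("unpacked:", scan_with_unpacking(pack(SAMPLE), SIGNATURES))
```

The wildcard catches the three-byte variant, which is the "generic signature" case the Wikipedia section describes; it catches nothing in the packed file because no original byte survives compression. `scan_with_unpacking` is the minimum a scanner needs per packer it knows about, which is the losing-battle point: every packer (and every XOR key variant of one) needs its own unpacker on the scanning side.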

Title: Re: Security Thread
Post by: Faust on August 08, 2009, 01:23:17 PM
Um, if I'm not mistaken the heuristic approach is statistical accumulation of computer processes to watch for abnormal behavior (not just copying itself or hiding itself but also making connections to remote machines at set intervals of time).
Some of it is pretty impressive, the college statistical analysis showed how one lecturer's computer was being logged into every day despite the college being closed on Sundays and from that they found that it had been compromised.
Title: Re: Security Thread
Post by: Triple Zero on August 08, 2009, 02:26:44 PM
Quote from: ☂Faust☂ on August 08, 2009, 01:23:17 PM
Um, if I'm not mistaken the heuristic approach is statistical accumulation of computer processes to watch for abnormal behavior (not just copying itself or hiding itself but also making connections to remote machines at set intervals of time).
Some of it is pretty impressive, the college statistical analysis showed how one lecturer's computer was being logged into every day despite the college being closed on Sundays and from that they found that it had been compromised.

You're confusing Antivirus Software with Intrusion Detection and Prevention Systems here.

http://en.wikipedia.org/wiki/Intrusion-prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection

These are more like upstream intelligent firewall/router combinations and indeed they employ some pretty damn smart algorithms. [According to Wikipedia] Snort (http://en.wikipedia.org/wiki/Snort_(software)) is the de facto standard for IDS/IPS used by network security professionals today. Which rhymes with my personal experience, as it's what all my friends talk about :-) The ones that talk about network security, that is.

The difference is that IPS tools scan and filter network packets for suspicious data and behaviour, and are used by security professionals. They were programmed by unix hackers and network admins, as open-source software, and as you can read in Intrusion_detection#Theory they fully admit the NP-hardness of the problem they are trying to tackle. But it works, and the only reason it works is that you simply cannot use a tool like Snort if you don't know what you're doing. It is not a "point and click and install and now you're safe" tool. You need to look at logs and filter rules and shit.

On the other hand, antivirus software is snake-oil sold by slick businessmen to nontechnical Windows users that explicitly want a "point and click and now you're safe" tool.

Heuristics in IPS is a completely different beast than heuristics in antivirus software.
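The behavioural "heuristic" Faust describes, and the log-reading work the IDS side of this exchange depends on, can be shown in a few dozen lines. The following is an added example, not code from the thread or from Snort: a week of constructed auth log lines becomes a per-host profile (weekdays seen, source addresses seen), and later logins are checked against it, so the lecturer's-machine case (a login on a Sunday when the building is closed) comes out as a finding with its reasons listed. Log format, hostnames, users and addresses are all invented for the example.

```python
"""Added example, not from the thread: the behavioural "heuristic" Faust describes, as a
baseline-and-deviation check over constructed auth log lines. A week of ordinary
weekday logins becomes each host's profile (weekdays seen, source addresses seen); a
later login on a closed day, on a weekday never seen, or from a new address is reported.
Log format, hostnames and addresses are invented for this example."""
from datetime import datetime

# Constructed baseline week: the lecturer's machine is used Monday to Friday from one desk.
BASELINE_LOG = """\
2009-08-03T08:55:10 host=lect-07 user=jsmith event=login src=10.1.4.22
2009-08-04T09:02:41 host=lect-07 user=jsmith event=login src=10.1.4.22
2009-08-05T08:58:03 host=lect-07 user=jsmith event=login src=10.1.4.22
2009-08-06T09:10:27 host=lect-07 user=jsmith event=login src=10.1.4.22
2009-08-07T08:49:55 host=lect-07 user=jsmith event=login src=10.1.4.22
2009-08-07T17:30:12 host=lect-07 user=jsmith event=logout src=10.1.4.22
"""

# Constructed later lines: a 3 a.m. Sunday login from an unfamiliar address, then a normal Monday.
NEW_LOG = """\
2009-08-09T03:17:05 host=lect-07 user=jsmith event=login src=10.1.9.250
2009-08-10T09:01:12 host=lect-07 user=jsmith event=login src=10.1.4.22
2009-08-10T09:05:00 host=lect-07 user=jsmith event=logout src=10.1.4.22
"""


def parse_lines(text: str) -> list:
    """'<iso timestamp> key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def build_baseline(records: list) -> dict:
    """Per host: which weekdays (Mon=0..Sun=6) and which source addresses logins came from."""
    baseline = {}
    for r in records:
        if r["event"] != "login":
            continue
        b = baseline.setdefault(r["host"], {"weekdays": set(), "sources": set()})
        b["weekdays"].add(r["ts"].weekday())
        b["sources"].add(r["src"])
    return baseline


def find_anomalies(records: list, baseline: dict, closed_weekdays=(6,)) -> list:
    """Logins that break the profile; each finding lists every reason it was flagged."""
    findings = []
    for r in records:
        if r["event"] != "login":
            continue
        reasons = []
        weekday = r["ts"].weekday()
        if weekday in closed_weekdays:
            reasons.append("login on a closed day")
        profile = baseline.get(r["host"])
        if profile is None:
            reasons.append("host has no baseline")
        else:
            if weekday not in profile["weekdays"]:
                reasons.append("weekday never seen in baseline")
            if r["src"] not in profile["sources"]:
                reasons.append("source address never seen in baseline")
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "host": r["host"],
                             "user": r["user"], "src": r["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    profile = build_baseline(parse_lines(BASELINE_LOG))
    for f in find_anomalies(parse_lines(NEW_LOG), profile):
        print(f["ts"], f["host"], f["user"], f["src"], "; ".join(f["reasons"]))
```

A one-week baseline is deliberately small here; in practice the profile is built over much longer windows, and the reason a finding like this is usable at all is the point made above about IDS: someone reads the output, and a login from a new address on a Monday is a ticket to check, not an automatic block.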
Title: Re: Security Thread
Post by: Faust on August 08, 2009, 02:32:20 PM
Ah ok so that's the distinction, then I can't for the life of me figure out what heuristics could go into antivirus, they are all basically glorified look-up tables of file signatures aren't they?
Title: Re: Security Thread
Post by: Triple Zero on August 08, 2009, 09:01:48 PM
Well the wikipedia article states a few things that antivirus heuristics could do *in theory* : http://en.wikipedia.org/wiki/Antivirus_software#Heuristics

except that no antivirus software actually does this, because the problem is computationally intractable (http://en.wikipedia.org/wiki/Intractable#Intractability)

unlike IPS, which can easily juggle with false positives and false negatives recognition rates, as the network security dude configuring the program can always check out the logs--kind of in a similar way that we check the forum error logs every now and then, to manually check for suspicious activity, yet in 99% of the cases it's just some misconfiguration or hiccup.
Title: Re: Security Thread
Post by: Triple Zero on August 14, 2009, 10:46:32 PM
http://www.freedom-to-tinker.com/blog/paul/anonymization-fail-privacy-law-fail

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often “reidentify” or “deanonymize” individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.
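What "reidentify" means in that abstract is easiest to see on data. Here is an added example, not code from the paper or from Freedom to Tinker: a released table with names and social security numbers stripped still carries ZIP code, birth date and sex, and a constructed public list (think voter roll) carries names with the same three fields; joining on those quasi-identifiers puts names back on sensitive values. The example also measures k-anonymity on the released table and applies one generalisation step a data holder can take before release. Every row is invented.

```python
"""Added example, not from the paper linked above: what "reidentification" of
"anonymized" data looks like on two constructed tables, plus the k-anonymity measure
and one generalisation step a data holder can apply before release. The released
table has names and SSNs removed but keeps ZIP, birth date and sex; a public list
(think voter roll) carries names with the same three fields. Every row is invented."""
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

RELEASED = [  # "anonymized": direct identifiers stripped, 'condition' is the sensitive value
    {"zip": "02138", "dob": "1965-07-31", "sex": "F", "condition": "hypertension"},
    {"zip": "02138", "dob": "1970-01-02", "sex": "M", "condition": "asthma"},
    {"zip": "02139", "dob": "1970-01-02", "sex": "M", "condition": "diabetes"},
    {"zip": "02139", "dob": "1970-01-02", "sex": "M", "condition": "none"},
    {"zip": "02140", "dob": "1965-11-12", "sex": "F", "condition": "none"},
]
PUBLIC_LIST = [  # constructed public register: names plus the same quasi-identifiers
    {"name": "A. Example", "zip": "02138", "dob": "1965-07-31", "sex": "F"},
    {"name": "B. Sample", "zip": "02138", "dob": "1970-01-02", "sex": "M"},
    {"name": "C. Placeholder", "zip": "02139", "dob": "1970-01-02", "sex": "M"},
    {"name": "D. Placeholder", "zip": "02139", "dob": "1970-01-02", "sex": "M"},
    {"name": "E. Example", "zip": "02140", "dob": "1965-11-12", "sex": "F"},
]


def qi(row: dict) -> tuple:
    """The quasi-identifier tuple of a row."""
    return tuple(row[f] for f in QUASI_IDENTIFIERS)


def k_anonymity(rows: list) -> int:
    """Size of the smallest group sharing a quasi-identifier tuple; k=1 means someone is unique."""
    return min(Counter(qi(r) for r in rows).values())


def link(released: list, public_list: list) -> list:
    """For each released row, the public names that share its quasi-identifiers."""
    names_by_qi = {}
    for p in public_list:
        names_by_qi.setdefault(qi(p), set()).add(p["name"])
    return [(r["condition"], sorted(names_by_qi.get(qi(r), ()))) for r in released]


def reidentified(released: list, public_list: list) -> list:
    """Rows whose quasi-identifiers match exactly one public name: the sensitive value now has a name."""
    return [(cond, names[0]) for cond, names in link(released, public_list) if len(names) == 1]


def generalize(rows: list, zip_digits: int = 3) -> list:
    """Pre-release mitigation: coarsen ZIP to a prefix and birth date to a year so groups merge."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before release    :", k_anonymity(RELEASED))
    print("re-identified       :", reidentified(RELEASED, PUBLIC_LIST))
    print("k after generalizing:", k_anonymity(generalize(RELEASED)))
```

Three of the five "anonymized" rows come back with a name attached, because their ZIP/birth date/sex combination is unique in the release; the two rows that share a combination only narrow to two candidates. Generalising ZIP and birth date raises k to 2 on this table, which is the trade the abstract is pointing at: the fields that make a dataset useful are the same ones that make it linkable.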
Title: Re: Security Thread
Post by: The Johnny on August 30, 2009, 11:37:27 AM
Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

neworder.box.sk
Title: Re: Security Thread
Post by: Triple Zero on September 09, 2009, 03:02:58 PM
http://isc.sans.org/diary.html?storyid=7108&rss

Possible DDOS on gov.au sites starting tonight?
Published: 2009-09-09,
Last Updated: 2009-09-09 11:45:11 UTC
by Mark Hofman (Version: 2)

The group anonymous, who were reported to be responsible for the attack on scientology sites now have the Australian Government in their sights.  In 2008 the Australian Government decided that the internet should be filtered.  They are running trials with a number of ISPs.  There is within Australia a fair amount of resistance to this practice for a number of reasons.  You can read the government position here (http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering).   This Wikipedia article has more information on the issue as well (http://en.wikipedia.org/wiki/Internet_censorship_in_Australia)

In addition to opposition to this scheme within Australia it looks like the group anonymous has also become involved.  A web site 09-09-2009.org was set up and it looks like activities are coordinated through another web site.  The crux of their demands is for the senator responsible for the filtering scheme to resign and the plans for filtering to be abandoned, or else.

The or else is a DDOS attack on Australian government sites starting at 9.00 am GMT which is 7.00PM on the east coast.  Fax machines and phone lines may also be targeted.  Some "interesting" activity has been observed on some of the networks, but whether this is related or not is uncertain at this stage.

In preparation, make sure you have your incident handling processes ready, make sure that servers and other perimeter devices are patched so they are better able to resist attack.  You may want to have your ISP's contact details handy just in case you need them to stem the flow of traffic.  If your infrastructure is outsourced, maybe ask the outsourcer what plans they have in place, should anything happen.   But most importantly decide if switching off the site in the face of an attack is an option for you.

Mark H

UPDATE 1

Well the DDOS Started at 7 pm on the dot and has been going on for about an hour or so.   www.pm.gov.au is being kept busy and over the hour it was unavailable from where I am for a few minutes at best.  The attack seems to be mostly multiple web requests on the site which exhausts the threads on the web server causing it to respond with a 503 error.  Once left alone by a few of the attackers the site is again more than happy.  As far as impact goes the net result seems to be zilch.

UPDATE 2

The attack is over.  It achieved some publicity and managed to make the pm's website unavailable for a few minutes.  Otherwise there was no impact. - M   
Title: Re: Security Thread
Post by: Cain on September 09, 2009, 05:14:35 PM
Quote from: JohNyx on August 30, 2009, 11:37:27 AM
Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

neworder.box.sk

Will check it out, thanks.
Title: Re: Security Thread
Post by: Triple Zero on September 26, 2009, 07:58:09 PM
AES explained in a stick figure comic:

http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

starts out simple, with at the end of each "chapter" some students leaving the classroom, as the explanation becomes more in-depth, indicating that one can just read the comic up to the point that you still find the explanation interesting and/or worth reading (which is an original metaphor/storytelling device, btw)
Title: Re: Security Thread
Post by: Shibboleet The Annihilator on September 29, 2009, 10:19:59 PM
Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

networkworld.com
slashdot.org
http://digg.com/security
ARS Technica can have some decent security stuff too. I generally just keep an eye on most of the decent tech sites.
Title: Re: Security Thread
Post by: Triple Zero on October 22, 2009, 05:56:32 PM
http://www.nybooks.com/articles/23231

Who's in Big Brother's Database?
By James Bamford

(book review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid)

On a remote edge of Utah's dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America's equivalent of Jorge Luis Borges's "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined.

Unlike Borges's "labyrinth of letters," this library expects few visitors. It's being built by the ultra-secret National Security Agency—which is primarily responsible for "signals intelligence," the collection and analysis of various forms of communication—to house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital "pocket litter." Lacking adequate space and power at its city-sized Fort Meade, Maryland, headquarters, the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. "As the sensors associated with the various surveillance missions improve," says the report, referring to a variety of technical collection methods, "the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (10^24 Bytes) by 2015."[1] Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven't yet been named. Once vacuumed up and stored in these near-infinite "libraries," the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist. In the NSA's world of automated surveillance on steroids, every bit has a history and every keystroke tells a story. (...)

(article continues at this link (http://www.nybooks.com/articles/23231), below the ad)
Title: Re: Security Thread
Post by: Remington on October 22, 2009, 10:50:16 PM
Quote from: Triple Zero on October 22, 2009, 05:56:32 PM
http://www.nybooks.com/articles/23231

Who's in Big Brother's Database?
By James Bamford

(book review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid)

On a remote edge of Utah's dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America's equivalent of Jorge Luis Borges's "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined.

Unlike Borges's "labyrinth of letters," this library expects few visitors. It's being built by the ultra-secret National Security Agency—which is primarily responsible for "signals intelligence," the collection and analysis of various forms of communication—to house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital "pocket litter." Lacking adequate space and power at its city-sized Fort Meade, Maryland, headquarters, the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. "As the sensors associated with the various surveillance missions improve," says the report, referring to a variety of technical collection methods, "the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (10^24 Bytes) by 2015."[1] Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven't yet been named. Once vacuumed up and stored in these near-infinite "libraries," the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist. In the NSA's world of automated surveillance on steroids, every bit has a history and every keystroke tells a story. (...)

(article continues at this link (http://www.nybooks.com/articles/23231), below the ad)
Time to cut the phone line and break out the homing pigeons  :eek:
Title: Re: Security Thread
Post by: Triple Zero on October 23, 2009, 11:14:44 AM
No but seriously, read the entire article (at the link). I get the impression that the NSA has been a pretty much useless money hog ever since WW2, (just one example)
Quote
"The agency first learned of the September 11 attacks on $300 television sets tuned to CNN, not its billion-dollar eavesdropping satellites tuned to al-Qaeda. Then there is the pattern by which the NSA was actually right about a warning, but those in power chose to ignore it (...)"

In addition to that, the most often heard thing about the eavesdropping business is that while they might be able to pick up and store yottabytes of info, they don't have the manpower or computing power to actually analyze all this data.

If only that were the biggest problem :)

Turns out that all these harddisks use stupendous ridiculous amounts of electrical power, and severe shortage of electrical power is one of their most urgent problems:

QuoteAid concludes that the biggest problem facing the agency is not the fact that it's drowning in untranslated, indecipherable, and mostly unusable data, problems that the troubled new modernization plan, Turbulence, is supposed to eventually fix. "These problems may, in fact, be the tip of the iceberg," he writes. Instead, what the agency needs most, Aid says, is more power. But the type of power to which he is referring is the kind that comes from electrical substations, not statutes. "As strange as it may sound," he writes, "one of the most urgent problems facing NSA is a severe shortage of electrical power." With supercomputers measured by the acre and estimated $70 million annual electricity bills for its headquarters, the agency has begun browning out, which is the reason for locating its new data centers in Utah and Texas.

Schneier (the security blogger guy) seems to either miss this point or disagree because he still concludes "The problem with all of that data is that there's no time to process it. Think of it as trying to drink from a fire hose.", however one of the comments on his blog article brings up a different, interesting, scary view of the "too much to process" problem:

Quote
Quote
QuoteWe also have to look at the information in terms of how things will likely be in the future. A couple decades ago, back when a KB was considered a lot of memory, no one would have dreamed of using a terabyte, which probably would have required a huge facility. Yet, just today, I rotated one of my TB backup drives to an offsite location. Small too.

Before long, we'll be dealing in Petabyte, then perhaps Exabyte. Zettabyte or Yottabyte may not be in our lifetimes, but people before us never dreamed GB, much less TB would be.

My point is just because something is too much information to process today doesn't mean the technology won't be here in our lifetimes to do so.

The problem is that the data collected is only relevant for a limited time.

If the data cannot be turned into actionable information in that time it is only useful for tracing the steps AFTER something has happened.

Example: you have the data on where Osama bin Laden will be next Tuesday. But you won't be able to process that information for the next 10 years.

Oh, I fully agree. No debate here.

Yet, that is my entire point, though I wasn't clear enough. It can't be used for what would be a relevant reason today. But it may be used for much different reasons in 20 years. Why? We don't know, but i'm guessing it won't be a pleasant use.

Which is why they should not collect it in the first place. I'm not scared of what they'll do with it today, I'm scared of what they can do with this ocean of data in the future, and the day is coming when they can use it with ease.

of course that's all just speculation.

plus it kind of rests on the assumption that somehow our ability to process information will grow faster than our ability to produce it. which I predict will be exactly the other way around. but then, you never know, and even then, they will soon have the power to analyze all that old information, and it's a shit ton of information and you really just don't know what they can do with that.
Title: Re: Security Thread
Post by: rong on October 23, 2009, 11:39:31 AM
is anyone up to speed on the current capabilities of voice recognition software?  just curious as to how well that can/could be applied to all those recorded phone calls.
Title: Re: Security Thread
Post by: Triple Zero on October 23, 2009, 11:53:34 AM
that's all a manner of juggling with false positives and false negatives. if you wanna filter phone calls for certain words, and allow a certain percentage of false positives, just so you catch the possible real bomb terrorist, and process the flagged calls manually, that certainly can be done.

but I guess the uselessness of that technique would become apparent rather quickly. (too many false positives, too much manual work)

maybe if they had some real specific keywords to look for, it could be done. like some arabic names or something.

to perform better than that they'd need to recognize phrases and stuff .. once more it becomes a matter of juggling the probabilities. but if a phrase is made up of a string of words, you might actually get better accuracy because what could be a false positive as a single word, would have a lower probability to fit in a complete phrase and be classed negative. it would cost more computing power though.

actually I kind of doubt they can do much with voice recognition on the scale of recording all calls in the US. if they can narrow things down somewhat, there might be a possibility, but like Schneier said, it's like drinking from a firehose. Even if voice recognition technology was really good, I somehow doubt they can implement it at such incredible data rates.

I could be wrong though.
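The "juggling false positives and false negatives" argument above, worked through with numbers. This is an added example, not code from the thread; every figure (call volume, number of calls of interest, per-keyword hit rates) is a constructed assumption, and the keyword detections are assumed independent.

```python
"""Base-rate arithmetic behind "juggling false positives and false negatives".

Added example, not from the thread. Every number is a constructed assumption:
the call volume, how many calls are actually of interest, and how often a
keyword detector fires on an innocent call. The point it makes is the one in
the post: requiring a whole phrase (several keywords together) cuts the false
positives far faster than it cuts the true hits, at extra processing cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Screen:
    name: str
    sensitivity: float      # P(flag | call is of interest)
    false_positive: float   # P(flag | call is innocent)


def phrase_screen(words):
    """Combine keyword screens into one that fires only if every word fires.

    Assumes the keyword detections are independent, so the probabilities
    multiply. Sensitivity drops a little; the false-positive rate collapses.
    """
    sens, fpr = 1.0, 1.0
    for w in words:
        sens *= w.sensitivity
        fpr *= w.false_positive
    return Screen("+".join(w.name for w in words), sens, fpr)


def daily_workload(screen, calls_per_day, calls_of_interest):
    """Expected (true hits, false alarms, precision) per day for one screen.

    Precision is the share of flagged calls that are actually worth a human's
    time; the false alarms are the manual review pile the post worries about.
    """
    innocent = calls_per_day - calls_of_interest
    true_hits = calls_of_interest * screen.sensitivity
    false_alarms = innocent * screen.false_positive
    flagged = true_hits + false_alarms
    precision = true_hits / flagged if flagged else 0.0
    return true_hits, false_alarms, precision


# Constructed scenario: ten million calls a day, ten of them of interest, and
# three keyword detectors that each miss 5% of real hits and fire on 2% of
# innocent calls.
CALLS_PER_DAY = 10_000_000
CALLS_OF_INTEREST = 10
WORDS = [Screen(f"word{i}", sensitivity=0.95, false_positive=0.02)
         for i in range(1, 4)]


def compare():
    """Return {screen name: (true hits, false alarms, precision)} for a single
    keyword screen versus the three-word phrase screen."""
    return {
        s.name: daily_workload(s, CALLS_PER_DAY, CALLS_OF_INTEREST)
        for s in (WORDS[0], phrase_screen(WORDS))
    }


if __name__ == "__main__":
    for name, (tp, fp, prec) in compare().items():
        print(f"{name:<18} true hits/day {tp:8.2f}  "
              f"false alarms/day {fp:11.1f}  precision {prec:.4f}")
```

With these assumptions the single keyword flags about 200,000 innocent calls a day for 9.5 real hits, while the three-word phrase flags about 80 for 8.6 real hits: the review pile shrinks 2,500-fold at the cost of roughly one missed hit in ten.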
Title: Re: Security Thread
Post by: Triple Zero on November 08, 2009, 10:01:08 AM
Smashing the Ozdok/Mega-D botnet in 24 hours.

http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html

a pretty cool story about how botnets can be battled. but it also teaches me the following:

this botnet has about 200k zombie computers, and it is one of many. there are many differing, yet closely linked criminal hacker groups that are controlling multiple botnets of comparable sizes.

why they only use it for spam and not political purposes truly is beyond me, maybe they just don't care and it pays pretty well? or maybe they really are just clueless.

check out the kind of resources this attempt at takedown cost. and the botnet still has a couple of fallback mechanisms that could get the infected machines to update and make a large part of all the work for nothing.

basically the weak point of a botnet is that the zombies need to get their commands from somewhere, a Command & Control Center. these must be located by IP. so the IPs can be shut down and CnC is gone. so the botnet has a fallback mechanism, instead of listing IPs it uses domain names, which point to the CnC IPs. if the IPs get taken down, the botnet owners will simply make the domain names point to new CnC IPs. but also the domain names can be taken down or bought out. so the last fallback mechanism is that the botnet generates one random domain name per day (such as dfcznu9qx.biz), name generated based on date/time, the botnet owners can reg these domains and regain control of the botnet again. so finally these random domains need to be pre-registered for, say the ones that will be generated in the next week or so (the names can be predicted as they got the source of the bot, so algorithm is known), so the botnet owners cannot use that mechanism either.

wow.

that's some pretty damn sophisticated shit right there.

they managed to hit the bot network pretty hard, but only managed to take down all but 4 of the current CnC IPs, less than half of the active CnC domains, and registered (squatted) all of the inactive domains (which are relatively cheap in operations like this) and the randomly generated ones for the next 3 days (I suppose they will reg more when necessary).

while I applaud their effort, and they might even win this battle, it seems to me like a lost war.

if the CnC chain is the only weak point they can use to hit the botnets, they are fucked. off the top of my head I can think of a few ways to get this data reliably to the botnet zombies via channels that cannot be taken down. I understand all you need to transmit is a list of IPs. an IP is just 32 bits. use a large public network such as Facebook or Twitter. somewhere in the profile will be a bunch of text that is stego-ed to contain a digitally signed message containing the IP(s). it is stego'ed so it looks like a normal profile and cannot be easily filtered like a base64 string would be. it is digitally signed so that the zombies can check authenticity of the message, and only accept one that is signed by the owners (simple GPG signature is enough I think). the zombie bots will semi randomly spider Facebook until they hit a profile that, when un-stego'ed, is signed with the signature, decode it and have a new list of IPs.

or something like that. actually maybe not use Facebook since it is owned by the NSA and they might actually implement filtering for profiles that appear to be signed. better instead use a list of small to medium-popular social networks, they can't all implement that filtering.

or maybe I'm missing something here. either way, I believe that if the botnet owners successfully add GPG / RSA crypto and digital signing into the mix the security corps are truly fucked.
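The pre-registration trick described in the Mega-D post (the bot's daily domain is derived from the date, so once the algorithm is known the names for the coming days can be computed and registered or sinkholed first), as an added example that is not code from the thread or from FireEye's write-up. The generator is a constructed toy (SHA-256 over a family salt plus the calendar date), not the botnet's real algorithm, and the DNS log lines it is checked against are constructed too.

```python
"""Pre-computing a date-seeded fallback domain list so the names can be
registered or sinkholed ahead of the botnet, and spotting infected hosts
that ask for them.

Added example, not from the thread. daily_domain() is a constructed toy
DGA standing in for the real one; FAMILY_SALT stands in for the constants
a reverse engineer would lift from the bot.
"""
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("biz", "com", "net")                 # constructed choice of TLDs
FAMILY_SALT = b"constructed-bot-family"      # placeholder, not a real constant


def daily_domain(day, salt=FAMILY_SALT):
    """Toy DGA: one deterministic domain per calendar day (`day` is a date)."""
    digest = hashlib.sha256(salt + day.isoformat().encode()).digest()
    length = 8 + digest[0] % 5                        # 8..12 character label
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[1:1 + length])
    return f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def upcoming_domains(start_iso, days):
    """Defender's list: every name the bots will try from `start_iso`
    (YYYY-MM-DD) for `days` days. This is the list to register first."""
    start = date.fromisoformat(start_iso)
    return [daily_domain(start + timedelta(days=i)) for i in range(days)]


def infected_hosts(dns_log_lines, predicted):
    """Scan 'timestamp client qname' log lines and return
    {client: {predicted names it queried}}. Trailing dots and case are
    normalised; malformed lines are skipped."""
    wanted = set(predicted)
    hits = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in wanted:
            hits.setdefault(client, set()).add(qname)
    return hits


def sample_log(start_iso):
    """Constructed DNS log: two zombies hitting the DGA names, one clean host."""
    start = date.fromisoformat(start_iso)
    nxt = start + timedelta(days=1)
    d0, d1 = daily_domain(start), daily_domain(nxt)
    return [
        f"{start}T09:12:03 10.0.0.5 {d0}.",
        f"{start}T09:12:04 10.0.0.5 www.example.com",
        f"{start}T11:40:17 10.0.0.9 {d0}",
        f"{nxt}T08:01:55 10.0.0.9 {d1.upper()}",
        f"{start}T10:00:00 10.0.0.7 mail.example.net",
        "garbage line",
    ]


if __name__ == "__main__":
    window = upcoming_domains("2009-11-06", 7)
    print("register/sinkhole for the next 7 days:", *window, sep="\n  ")
    print("hosts seen querying them:", infected_hosts(sample_log("2009-11-06"), window))
```

Because the list is a pure function of the date, the defender and the botnet operator compute exactly the same names; whoever registers them first wins that day, which is why the post's "pre-register the next week or so" step is the decisive one.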
Title: Re: Security Thread
Post by: Chief Uwachiquen on November 08, 2009, 10:14:48 AM
Quote from: rong on October 23, 2009, 11:39:31 AM
is anyone up to speed on the current capabilities of voice recognition software?  just curious as to how well that can/could be applied to all those recorded phone calls.

I don't know too much about it, but I did pick up a little bit from my roommate's mom, who works as a max security prison psychologist. At least I think it's max security. BUT ANYWAY. She was talking about how voice recognition software is still kind of archaic and a pain in the ass. Even the slightest bit of change in a person's voice fucks with the whole system. They can't even recognize someone if they have the slightest head cold and they have to call in somebody to authorize them. So, under ideal circumstances, voice recognition works okay but it's hardly fantastorasstic. At least, that's what I've gotten from what I've heard. Of course I could be wrong, but meh.
Title: Re: Security Thread
Post by: Cain on November 08, 2009, 02:27:46 PM
Quote from: Triple Zero on November 08, 2009, 10:01:08 AM
why they only use it for spam and not political purposes truly is beyond me, maybe they just don't care and it pays pretty well? or maybe they really are just clueless.

Apparently many hacker groups are apprehensive about working for governments or against other governments, not without reason, because while the government is not good at the technical side of things, it is very good at manipulating and using people until they cease being useful, and then making an example of them or using them as a bargaining chip.  If in the future, Georgia and Russia wanted to kiss and make up, for example, a few hackers might be sent to do some hard time in a Tbilisi jail.  Or if a government wants to make really sure an attack can't be traced back to them by a criminal group thinking about selling them out, it might arrange some "fatal muggings".  At the very least, once they have proof of your illegal actions and your identity, they can then blackmail you into working for free, on the threat of imprisonment, not a pleasant prospect at all.
Title: Re: Security Thread
Post by: Triple Zero on November 08, 2009, 03:54:42 PM
Well, I didn't mean to work for the government, also because I don't think they really pay more than a proper spamming run.

And indeed then they know your name.

I was thinking of them carrying out their own politically motivated actions. I dunno, get in the way of some fucks you don't like, or help a bunch of others. All while staying out of the picture, of course.
Title: Re: Security Thread
Post by: Triple Zero on December 14, 2009, 04:04:07 PM
updated the first post with a list of good security blogs, will update as I find more, also accepting suggestions of course.

lightbluetouchpaper is a new one I found today

Quote from: Triple Zero on August 02, 2009, 01:13:29 PM
Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?

Some Top (IMO) security blogs

http://www.schneier.com/blog/
http://www.wired.com/threatlevel/
http://www.lightbluetouchpaper.org/ (Security Research, Computer Laboratory, University of Cambridge--interesting projects)
http://asert.arbornetworks.com/


Tangentially security related (privacy, electronic freedom, etc)
http://www.freedom-to-tinker.com/
http://www.eff.org/deeplinks/archive
https://www.bof.nl/ (the Dutch EFF. if you can read Dutch, must-read, even if you don't live there. also a damn slick custom WordPress skin)

Misc
http://neworder.box.sk/
http://ha.ckers.org/ (used to be one of cutting edge in webappsec, but is rarely updated these days)
http://sla.ckers.org/forum/list.php?13 (the "News and Links" subforum of ha.ckers.org, dunno how good it is, but the community is reasonably active)

Title: Re: Security Thread
Post by: Triple Zero on January 04, 2010, 09:56:13 AM
Entertaining and enlightening article about TSA Security Theater

http://www.theatlantic.com/doc/print/200811/airport-security

preaching to the choir, but it's an interesting article, check it out.
Title: Re: Security Thread
Post by: Cain on January 09, 2010, 08:44:10 PM
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222200373

PDF hacking looks interesting

QuoteIn a blog posted earlier this week, Internet Storm Center researcher Bojan Zdrnja describes a new JavaScript exploit that hides in PDF files and exploits a known vulnerability.

The shellcode used for the exploit is remarkable in its small footprint and sophistication, Zdrnja reports. Just 38 bytes long, it works in two stages: The first stage seeks out targets and obfuscates the attack, then passes the baton to a second-stage shellcode that is capable of executing code on a victim's machine.

The exploit's construction makes it not only difficult for traditional antivirus tools to detect, but also masks the execution of the code so that the end user might not even know anything has happened, Zdrnja says.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'warhead,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," the blog says. "If we are to judge the new year by sophistication the attackers started using, it does not look too good."

The new exploit feeds the fire of predictions that Adobe, not Microsoft, will be attackers' chief target in the new year. In its new threat predictions report, security firm McAfee projects there will be more attacks on Adobe in 2010 than on Windows.
Title: Re: Security Thread
Post by: Golden Applesauce on January 09, 2010, 09:21:43 PM
Quote from: Cain on January 09, 2010, 08:44:10 PM
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222200373

PDF hacking looks interesting

QuoteIn a blog posted earlier this week, Internet Storm Center researcher Bojan Zdrnja describes a new JavaScript exploit that hides in PDF files and exploits a known vulnerability.

The shellcode used for the exploit is remarkable in its small footprint and sophistication, Zdrnja reports. Just 38 bytes long, it works in two stages: The first stage seeks out targets and obfuscates the attack, then passes the baton to a second-stage shellcode that is capable of executing code on a victim's machine.

The exploit's construction makes it not only difficult for traditional antivirus tools to detect, but also masks the execution of the code so that the end user might not even know anything has happened, Zdrnja says.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'warhead,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," the blog says. "If we are to judge the new year by sophistication the attackers started using, it does not look too good."

The new exploit feeds the fire of predictions that Adobe, not Microsoft, will be attackers' chief target in the new year. In its new threat predictions report, security firm McAfee projects there will be more attacks on Adobe in 2010 than on Windows.

Looks like I'll be replacing Adobe with GScript on my Windows laptop...
Title: Re: Security Thread
Post by: Triple Zero on January 10, 2010, 12:41:14 AM
trying to find out what the exploit actually does, will post comment when I do (tomorrow probably)
Title: Re: Security Thread
Post by: Triple Zero on January 10, 2010, 12:55:46 PM
the blog post linked to in the article doesn't want to load, but here is google's cached version:

http://bit.ly/isc-sans-org-diary-html-storyid-7867

it's kind of techy, basically it's a buffer overflow type attack getting a malformed PDF to execute arbitrary machine code when it's loaded in Acrobat. solutions to defend yourself against this kind of thing are easy: 1) don't use acrobat 2) if you have to, disable javascript execution in acrobat 3) don't open PDFs from unknown sources.

number 1 is probably your best bet, cause number 2 is just the attack vector of this particular exploit, the next one might not exploit the JS engine but some other plugin, and 3 .. well .. where's the fun in that? :)

the remarkable thing about this particular exploit is not that it can be done, cause there are numerous bugs like this in adobe acrobloat. it's the way the hacker made this exploit's shellcode modular, or something, which is a nice touch.

another interesting finding is the mention that antivirus software does a pretty bad job at detecting it.

which is to be expected, cause they XOR the shellcode, which is a very simple form of obfuscation, real easy to decipher (it's similar to the "shift the alphabet 3 positions to the right" cipher) but of course this makes the simple pattern matching that AV software does, impossible.

[rant] and no, antivirus "heuristics" is nothing more than a marketing buzzword that does absolutely nothing. as I pointed out in an earlier post, the reality of antivirus "heuristics" has never been anything more than matching with wildcards, which frankly was something I'd have expected them to do without calling it "heuristics". the whole shit about "analyzing the code to see if it does anything malicious" is just theoretical pipe dreams and has never been implemented, and probably never will because it is nearly impossible to do [in fact actual true automated code analysis is theoretically impossible, but perhaps something approximating it would be incredibly hard to design, and then probably laughably easy to circumvent too]

back in the old days when viruses were swapped on floppies with copied games and such, AV software was useful.

these days it is not, they are just ad-infested CPU and memory hogs -- pretty much like most viruses.

rantrantrant sorry :)
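The point about XOR-encoded shellcode beating "simple pattern matching", made concrete from the scanner's side: a single-byte XOR has only 256 possible keys, so a scanner that encodes its signature under each key (rather than decoding the whole buffer) finds the pattern anyway. Added example, not code from the thread or the ISC post; the signature and the PDF-like carrier are constructed bytes, not real shellcode.

```python
"""Why single-byte XOR beats naive pattern matching, and how cheaply a
scanner can undo it.

Added example, not code from the thread or the ISC post. SIGNATURE and
CARRIER are constructed stand-ins, not a real shellcode or a real PDF.
"""


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


def naive_match(buf: bytes, signature: bytes) -> bool:
    """Plain substring match: what the post calls 'simple pattern matching'."""
    return signature in buf


def xor_aware_match(buf: bytes, signature: bytes):
    """Return the single-byte key under which `signature` occurs in `buf`,
    or None if it occurs under no key.

    Encoding the short signature 256 times is much cheaper than decoding the
    whole buffer 256 times, and key 0 covers the unobfuscated case, so this
    strictly subsumes naive_match().
    """
    for key in range(256):
        if xor_bytes(signature, key) in buf:
            return key
    return None


# Constructed stand-ins: a marker the scanner looks for, and a PDF-like
# carrier with that marker XORed under key 0x5A in the middle.
SIGNATURE = b"CONSTRUCTED-MARKER"
KEY = 0x5A
CARRIER = (b"%PDF-1.4\n1 0 obj <</Type /Catalog>>\n"
           + xor_bytes(b"padding:" + SIGNATURE + b":padding", KEY)
           + b"\n%%EOF\n")


def demo():
    """Return (naive result, recovered key) for the constructed carrier."""
    return naive_match(CARRIER, SIGNATURE), xor_aware_match(CARRIER, SIGNATURE)


if __name__ == "__main__":
    naive, key = demo()
    print(f"naive substring match: {naive}")
    print(f"xor-aware match: key 0x{key:02x}" if key is not None
          else "xor-aware match: none")
```

The catch, and the reason this is only a partial answer, is that the trick stops at constant single-byte keys: a rolling or multi-byte key, or any encoder that is not a fixed byte-for-byte mapping, needs a different approach.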
Title: Re: Security Thread
Post by: Triple Zero on January 21, 2010, 02:05:06 PM
apparently, IT [cyberwar!] IS ON, BITCHES.

info about that 0-day exploit Rat warned us about ("if you're running windoze" thread):

http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html

if that seems too technical for you, scan through a little bit and scroll to the heading "News and old news about" which contains some very juicy bits about how this exploit was the one that China used to compromise Google!

then go here to read the details on that, and how there are many, many other corporations hit, compromised in the same manner without even knowing it:

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119

there are some more good links in those articles, but I haven't read them yet:

http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
http://www.chinadaily.com.cn/world/2007-09/27/content_6139437.htm

Title: Re: Security Thread
Post by: Triple Zero on May 25, 2010, 06:18:46 PM
hahaha this is hilarious:

http://milesb.tumblr.com/post/622434207/say-what-you-will-about-ligatt-security-the (50 second security ad video)
Title: Re: Security Thread
Post by: Cramulus on May 25, 2010, 07:26:34 PM
Quote from: Triple Zero on May 25, 2010, 06:18:46 PM
hahaha this is hilarious:

http://milesb.tumblr.com/post/622434207/say-what-you-will-about-ligatt-security-the (50 second security ad video)

wow, that sounds like an excellent racket!

It's like, "Invest in our insurance package... if you don't want your kneecaps broken..."
                           /
            :kojak:
Title: Re: Security Thread
Post by: Unkl Dad on June 11, 2010, 03:46:19 AM
CNBC's production Big Brother, Big Business 
http://video.google.com/videoplay?docid=6061213358499552766#

Goes a bit into what information is kept by which corporations, names a few large data brokers and information security companies and gives a few case studies in which identities or information was stolen.

I just brought it up because I found it ironic that the show made allusions to Big Brother getting a hold of the data held by private entities for political uses or free speech suppression yet appears to suggest the solution is more government regulation and monitoring, which seems to default the information to the people it sees as the possible problem.

Title: Re: Security Thread
Post by: Cain on August 05, 2010, 02:57:31 PM
http://www.bbc.co.uk/news/technology-10850875

QuoteOne visit to a booby-trapped website could direct attackers to a person's home, a security expert has shown.

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.

It uses this number and widely available net tools to find out where a router is located.

Demonstrating the attack, Mr Kamkar located one router to within nine metres of its real world position.

'Creepy' attack

Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information.

However, Mr Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.

He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.

This database links MAC addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Mr Kamkar showed how straightforward it was to use the attack to identify someone's location to within a few metres.

"This is geo-location gone terrible," said Mr Kamkar during his presentation. "Privacy is dead, people. I'm sorry."

http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/

QuoteA security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.

The device tricks the phones into disabling encryption and records call details and content before they're routed on their proper way through voice-over-IP.

The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area.

"If you have the ability to deliver a reasonably strong signal, then those around are owned," Paget said.

Paget's system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system.

Doing this kind of interception "used to be a million dollars, now you can do it with a thousand times less cost," Paget said during a press conference after his attack. "If it's $1,500, it's just beyond the range that people can start buying them for themselves and listening in on their neighbors."

Paget's device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget's aim was to highlight vulnerabilities in the GSM standard that allows a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.

Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.

"Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers," Paget said.

The system captures only outbound calls. Inbound calls would go directly to voicemail during the period that someone's phone is connected to Paget's tower.

The device could be used by corporate spies, criminals, or private investigators to intercept private calls of targets.

"Any information that goes across a cell phone you can now intercept," he said, except data. Professional grade IMSI catchers do capture data transfers, but Paget's system doesn't currently do this.

http://www.wired.co.uk/news/archive/2010-08/02/high-security-locks-cracked

QuoteThe lock that would seem to have thwarted them the most was actually one of the easiest to crack. The Biolock Model 333 is a sleek £126 ($200) lock that combines a mechanical cylinder and fingerprint reader.

The Biolock fingerprint reader illuminates a blue LED when a fingerprint is authenticated. If the reader fails, a key can be inserted in a key port hidden behind a flip door in the handle.

"It's a very neatly designed container," says Tobias. "But the problem with this lock design is so elementary, frankly it defies belief."

The lock can be programmed with one or more "master" fingerprints, which can be used to authorise other users. To open the lock, a user touches the fingerprint pad, and a blue LED light illuminates to indicate the person is authorised, allowing the door handle to turn. The lock can also be unlocked with a remote-control.

If the fingerprint reader fails, a mechanical key can be used instead. The key entry is concealed beneath a flip door on the lever handle. And therein lies the security problem, Tobias says.

A paperclip inserted in the Biolock's key chamber (hidden behind a flip door) is used to push an internal pin and unlock the door, making the fingerprint reader superfluous.

The mechanical lock, which uses a bypass cylinder, can be easily thwarted with a paperclip inserted in the keyway to depress a pin that engages the latch. In two seconds, the researchers were able to open the lock.

"This is an absolute perfect example of insecurity engineering," Tobias says.
Title: Re: Security Thread
Post by: LMNO on August 05, 2010, 03:07:46 PM
YOU SHALL NOT--oh, yes, right this way...
   \
(http://portugal.theoffside.com/wp-content/uploads/2007/04/gandalf.jpg)
Title: Re: Security Thread
Post by: Triple Zero on August 05, 2010, 07:15:29 PM
Hm, I gotta figure out how to change the MAC address on my router.

I mean, given that those WiFi cracking Linux boot-CDs with Kismet and WAP-crack (?) and Wireshark and whatnot on them are able to make any network card spoof any arbitrary MAC address, implies it's not completely hardcoded on the card. That's for PCs and laptops, though. Hopefully the same goes for WiFi routers.

And if the default firmware on my router can't do it, maybe Tomato (http://www.google.com/search?num=100&q=tomato+router) can. That's an open-source firmware available for a lot of different routers, which I really should install anyway, because router firmware is generally a really insecure piece of trash. At least, the web-admin interfaces are. The people that code those things are obviously really good at programming hardware, but when it comes to web applications they seem to be years behind.
Title: Re: Security Thread
Post by: Cain on August 05, 2010, 07:17:21 PM
The Anonymous /i/nsurgent wiki used to have some software for changing the MAC address with.  Not sure if the site is still up, however.
Title: Re: Security Thread
Post by: Bebek Sincap Ratatosk on August 05, 2010, 07:18:54 PM
I was surprised when *LARGE TELCO THAT I SIGNED AN NDA WITH* showed us that they can track pretty much any individual, anywhere in the world.

Once you control much of the Internet Infrastructure, you can cross-correlate all sorts of logs.

:horrormirth:
Title: Re: Security Thread
Post by: Triple Zero on August 05, 2010, 08:03:55 PM
Quote from: Cain on August 05, 2010, 07:17:21 PM
The Anonymous /i/nsurgent wiki used to have some software for changing the MAC address with.  Not sure if the site is still up, however.

Yeah the software is out there and easily available, I just forgot what it was called, and am not sure whether it also works for routers and not just network cards in PCs and laptops.

I was always kinda surprised the MAC address wasn't hardcoded burned into the chip in the first place.
Title: Re: Security Thread
Post by: Triple Zero on October 01, 2010, 02:35:30 PM
Heh, anyone remember Enemy of the State? :)


Position of killed FARC commander was determined by GPS in boot (http://www.digitaljournal.com/article/298069)

Bogotá - The location of Jorge Briceño (Mono Jojoy), second in command of the Revolutionary Armed Forces of Colombia (FARC), was allegedly determined by military intelligence personnel through a global positioning system (GPS) chip secretly implanted in a boot.
The implanting of the GPS chip was possible after authorities intercepted a communication from the guerrillas requesting special shoes for the guerrilla leader, reported Colombia's ElExpectador.com (in Spanish).



also, DIABETICS!!! :argh!:



According to the version of a security agent interviewed by RCN Radio (audio in Spanish), Briceño was suffering from diabetes that affected the blood circulation in his feet which, in recent months, caused him serious sores forcing him to use special footwear.
Title: Re: Security Thread
Post by: Triple Zero on October 01, 2010, 03:26:58 PM
Interesting:

Remember how in the old days we were told to NEVER CLICK the "unsubscribe" links in our spam? Turns out that nowadays it's perfectly fine to do so, and they actually work!

Spam unsubscribe links no longer considered harmful (http://essays.dayah.com/spam-unsubscribe-not-harmful)

We've always been told never to follow unsubscribe links in spam. However, the CAN-SPAM act has created a curious paradox. If the message is readable, then it's highly likely the unsubscribe link is safe and functional.

The article explains that there are basically 2 categories of spam:

- one "don't care as long as it gets through the spamfilter" type that has malformed emails, clunky language and spam-poetry snippets to circumvent the Bayesian filters, and links that send you to Chinese domains that become invalid within days. These usually don't even have an unsubscribe link.
- The other are people that believe they send "legitimate" commercial mailings, and they take care to adhere to all sorts of rules because of the CAN-SPAM act. This way they don't need to circumvent (many?) filters, and can actually use proper English in their messages ;-) But if they would ignore an unsubscribe request, they get blacklisted. And because of them following the rules, circumventing the blacklist will get them into trouble.

Additionally, the guy did an experiment and clicked the unsubscribe links in a 10y old email inbox, which received about 300 messages per day. He has a nice graph showing that this exercise indeed reduced the amount of spam to just 80 messages per day after just a few days! And seems to stick, as well.
Title: Re: Security Thread
Post by: Triple Zero on October 01, 2010, 04:05:08 PM
Quote from: Triple Zero on August 05, 2010, 07:15:29 PM
Hm, I gotta figure out how to change the MAC address on my router.

Turns out this is super easy if you're on Linux, and really not that hard to do from Windows, either:

how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux (http://www.mydigitallife.info/2008/06/30/how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux/)



Sorry about all the ads crap on that page, you might want to get the Readability Bookmarklet (http://lab.arc90.com/experiments/readability/) which works wonders on pages like this (it's a thingy link that you can drag to your browser toolbar so that it becomes a button. Then when you visit a horrible page with horrible markup, you click the button and it will automagically transform the site into a pleasantly readable just-the-article-and-images version--try it out, you'll love it).
Title: Re: Security Thread
Post by: Shibboleet The Annihilator on October 02, 2010, 06:48:29 PM
On the last 2 Linksys WRT54G routers I had, I was able to change the MAC of the router through the browser GUI for the router. I think it was just 1 or 2 menus in and this was on the stock firmware, no Tomato or DDWRT or anything like that.
Title: Re: Security Thread
Post by: Triple Zero on October 02, 2010, 11:21:29 PM
But why would you want to change the MAC address of your router?
Title: Re: Security Thread
Post by: pharmakon on October 03, 2010, 07:00:47 AM
Quote from: Triple Zero on October 01, 2010, 04:05:08 PM

Sorry about all the ads crap on that page, you might want to get the Readability Bookmarklet (http://lab.arc90.com/experiments/readability/) which works wonders on pages like this (it's a thingy link that you can drag to your browser toolbar so that it becomes a button. Then when you visit a horrible page with horrible markup, you click the button and it will automagically transform the site into a pleasantly readable just-the-article-and-images version--try it out, you'll love it).

You just made my life so much better.
Title: Re: Security Thread
Post by: Remington on October 03, 2010, 07:05:15 AM
Security Thread: The stuff Security blankets are made of
Title: Re: Security Thread
Post by: Triple Zero on October 04, 2010, 06:00:58 PM
Quote from: Triple Zero on October 02, 2010, 11:21:29 PM
But why would you want to change the MAC address of your router?

Answering my own question, THIS is why you would want to change the MAC address of your router every couple of months or so:

http://www.samy.pl/mapxss/

Yes that's right, Google made a complete MAC-to-Location database as well during their StreetView project. MAC addresses are more unique and more stable than IP addresses. They're a lot like the serial number of an electronics device (they're not really intended to change, ever).

You also can't easily read them out when someone visits your site (like with IP addresses), in the example above Samy uses an XSS exploit in the router web config interface. These are usually coded pretty badly, so finding an XSS sploit there is not that hard or unlikely. It becomes hard when you want to make it a generic exploit, because then you need to find XSS sploits in the 99% most common routers--which is tedious to do alone, but sounds like a fun weekend pizza+beer hacking project, with 1 or 2 likeminded ppl :)

However, MAC addresses are completely public data because they're broadcast by every WiFi access point. Have to be, because your WiFi card uses them to tell different access points apart.

So Google using their StreetView project to connect MAC addresses to their respective GPS coordinates is technically a perfectly legal and valid way to combine publicly available data.

That makes this one of the most striking examples I've seen so far of how the combining of publicly available data in a large database on a grand enough scale can indeed bring severe privacy risks.



... too bad you need to go through so much trouble to get people's MAC address, otherwise we'd have a very solid way to track our trolls now ;-)
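The posts above treat the MAC address as a burned-in serial number, but the address has a structure that decides how identifying it is: bit 1 of the first octet (the U/L bit) marks an address as locally administered rather than vendor-assigned, and bit 0 (the I/G bit) must be clear for a unicast station address. The following is an added example (not code from the thread or from the linked how-to) that generates a random locally-administered unicast MAC, checks whether a given address is vendor-burned or locally set, and builds the `ip link` command sequence for a Linux interface. The interface name `wlan0` is an assumed sample value; a router GUI like the Linksys one mentioned above would take the same address string in its WAN MAC field.

```python
import re
import secrets

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def random_locally_administered_mac() -> str:
    """Return a random unicast, locally-administered MAC as xx:xx:xx:xx:xx:xx.

    Setting the U/L bit (0x02) means "not assigned by a vendor", so the
    address does not reveal the manufacturer via the OUI; clearing the
    I/G bit (0x01) keeps it a valid unicast station address.
    """
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    """True when the address is unicast and has the U/L bit set."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def linux_commands(iface: str, mac: str) -> list:
    """Command sequence to apply a new MAC to a Linux interface (iproute2).

    The interface must be down while the address is changed; the commands
    are returned rather than executed so they can be reviewed first.
    """
    if not is_locally_administered(mac):
        raise ValueError("refusing to assign a vendor (globally unique) address")
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
    ]


if __name__ == "__main__":
    new_mac = random_locally_administered_mac()
    for cmd in linux_commands("wlan0", new_mac):  # wlan0 is an assumed sample interface
        print(cmd)
```

A vendor-burned address such as `00:1a:2b:3c:4d:5e` (constructed sample) fails `is_locally_administered`, which is the property that makes it a stable tracking key; an address the function generates passes, and `linux_commands` refuses to emit a vendor-looking address so a typo does not impersonate a real device.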
Title: Re: Security Thread
Post by: Triple Zero on October 20, 2010, 02:03:18 PM
:lulz:

http://www.schneier.com/blog/archives/2010/10/predator_softwa.html

Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the "government client" seeking assistance with Predator drones was none other than the Central Intelligence Agency.

IISi is seeking an injunction that would halt the use of their two toolkits by Netezza for three years. Most importantly, IISi alleges in court papers that Netezza used a "hack" version of their software with incomplete targeting functionality in response to rushed CIA deadlines. As a result, Predator drones could be missing their targets by as much as 40 feet.
Title: Re: Security Thread
Post by: Triple Zero on October 07, 2011, 07:13:33 PM
Computer virus hits US Predator and Reaper drone fleet
http://arstechnica.com/business/news/2011/10/exclusive-computer-virus-hits-drone-fleet.ars

Title: Re: Security Thread
Post by: Cain on October 09, 2011, 06:46:59 PM
http://redtape.msnbc.msn.com/_news/2011/10/08/8228095-chaos-computer-club-german-govt-software-can-spy-on-citizens

Quote
A Germany-based hacker group claims a German government-created Trojan horse program is capable of secretly spying on Web users without their consent.

The group says on its Web site that it obtained and analyzed a piece of software that is supposed to be a "lawful interception" program designed to listen in on Internet-based phone calls as part of a legal wiretap, but its capabilities go far beyond legal bounds.

The program is capable of logging keystrokes, activating Webcams, monitoring Web users' activities and sending mountains of data to government officials, the club said.

To cover its tracks, the data is routed through rented servers located in the U.S., the club alleges.

"To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data center in the USA," the Club said on its Web site.

The German government has yet to comment on the findings, but already, antivirus companies are reacting to them. Security firm F-Secure will detect and disable the alleged government monitoring software if found on clients' computers, it announced on Saturday.

"Yes, it is possible the Trojan found by CCC is written by the German government. We just can't confirm that," said Mikko Hypponen, F-Secure's chief technology officer, via Twitter.

The program, labeled a "backdoor" because it can open a computer to surreptitious access, targets certain applications for keylogging, including Firefox, Skype, MSN Messenger, ICQ and others, according to F-Secure.

"We do not know who created this backdoor and what it was used for," Hypponen wrote on F-Secure's blog. "(But) We have no reason to suspect CCC's findings."

German courts have long allowed use of a backdoor program known as "Bundestrojan" — "federal Trojan," in English — which permits government investigators to listen in on Skype-based phone calls as part of a legal wiretap order. Skype and other kinds of Internet phone calls that can be encrypted are particularly troubling for law enforcement, because they can be used by suspects to evade wiretaps.

After a court battle in 2008, Bundestrojan was ruled legal as long as it screened only very specific communications — essentially, Internet telephone calls.

But the Chaos Computer Club announced Saturday that it had obtained a copy of what it believed was a copy Bundestrojan, and that the program has capabilities that go far beyond legal wiretapping. In addition to keylogging and screen shots, the software is also capable of remote control and upgrade.

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown Trojan is possible in practice – or even desired.... The Trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court," said the club on its site. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case, functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

The club also criticized security measures put in place by programmers of the alleged Trojan. Poor encryption implementation means a malicious third-party could intercept the government communications, or take control of government-infected machines, it said.

That final part is the problem with all backdoor surveillance techniques.  That's how Chinese hackers got into Gmail last year - the NSA requested a back door, and the Chinese hackers used that to get in.

I wouldn't be surprised to discover every developed country in the world was running at least one program like this.
Title: Re: Security Thread
Post by: Triple Zero on October 09, 2011, 11:59:19 PM
Original article from the CCC: http://www.ccc.de/en/updates/2011/staatstrojaner (has basically the same info).

I love the word "Bundestrojaner" :lol:
Title: Re: Security Thread
Post by: Triple Zero on October 11, 2011, 04:17:31 PM
Slashdot on the BundesTrojaner:

http://yro.slashdot.org/story/11/10/11/1322202/German-State-Confesses-To-Downplays-Government-Spyware?utm_source=slashdot&utm_medium=twitter
Title: Re: Security Thread
Post by: Triple Zero on October 29, 2011, 10:27:18 AM
Chinese government is systemically penetrating every US company and government agency of any regard, 0wning the fuck out of everybody:

http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

Ok to be completely fair, this list, while VERY impressive, actually just lists a prerequisite of being 0wned, namely that they did a DNS request for one of the C&C servers of the botnet:

Quote
A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned below) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

But then still, look at that list, it's 760 companies. Only a few of them are AV companies that might have had a non-0wnage reason to access the C&C servers, and even for the ISPs, it means that at least one of their clients was hit.

There's a lot of criticism on this list and I agree that it would have been nice if Mr Krebs could have provided a little bit more conclusive info, but on the other hand it's just irrelevant details, fighting over who exactly got 0wned and how badly is neither here nor there:

China is indeed systematically penetrating systems all over the world¹.


You know, actually, the big unasked question is: Why?

I mean of course, gathering intel and all that, but they've been at it for a while now, and doing it with tremendous force and magnitude, but to what specific end? Just for knowing what is going on, and specific business intel? They're not destructive or doing DDoS attacks, just penetrating and gathering unknown amounts of data.
Cain, didn't you mention once that China basically has this kind of "wait and see" strategy, something about their reluctance to get involved, so they're basically trying to observe the outside world as best as possible in order to keep their status quo and avoid anything that might challenge it, is that it?


¹ at least, we only hear mostly about US companies getting hit, but why wouldn't they target Europe too? I don't think our digital security is specifically better (or worse), I'm guessing it's a matter of publicity?
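The point made above, that the Krebs list records only a prerequisite of compromise (a DNS lookup of a C&C name), is exactly what a defender sees when matching resolver logs against an indicator list. The following is an added example, not from the thread or from the Krebs article: it parses constructed DNS resolver log lines, matches each query name against a constructed set of placeholder C&C domains using suffix (subdomain) matching rather than substring matching, and reports how many distinct clients looked each one up. The log format and the `c2-placeholder-*.example` names are assumptions; the real indicator domains are not on this page.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder indicator domains; stand-ins for a real C&C list.
C2_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed resolver log: timestamp, client IP, query type, query name.
DNS_LOG = """\
2011-10-27T09:12:01Z 198.51.100.23 A www.example.org
2011-10-27T09:12:04Z 198.51.100.23 A c2-placeholder-1.example
2011-10-27T09:13:10Z 198.51.100.77 A mail.example.org
2011-10-27T09:14:55Z 203.0.113.5 A sub.c2-placeholder-2.example
2011-10-27T09:15:02Z 198.51.100.23 AAAA c2-placeholder-1.example
2011-10-27T09:16:30Z 203.0.113.9 A c2-placeholder-1.example.cdn.example.net
"""


def matches_indicator(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Walking the label suffixes avoids the classic false positive where a
    substring test would match c2-placeholder-1.example.cdn.example.net.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def parse_log(text):
    """Yield (timestamp, client address, query type, query name) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        yield ts, ipaddress.ip_address(client), qtype, qname


def c2_lookups(text, indicators):
    """Map each matched indicator to the set of client IPs that resolved it."""
    hits = defaultdict(set)
    for _ts, client, _qtype, qname in parse_log(text):
        indicator = matches_indicator(qname, indicators)
        if indicator is not None:
            hits[indicator].add(str(client))
    return dict(hits)


def summarize(hits):
    """Distinct clients per indicator.

    A lookup is a triage lead, not proof of compromise: the client may be
    an ISP resolver fronting many subscribers, or a researcher's sandbox,
    which is precisely the caveat Krebs attached to his list.
    """
    return {indicator: len(clients) for indicator, clients in hits.items()}


if __name__ == "__main__":
    found = c2_lookups(DNS_LOG, C2_DOMAINS)
    for indicator, count in summarize(found).items():
        print(f"{indicator}: {count} distinct client(s): {sorted(found[indicator])}")
```

On the sample, the client that asked twice (A and AAAA) is counted once, the subdomain query is attributed to its parent indicator, and the look-alike name under `cdn.example.net` is ignored.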
Title: Re: Security Thread
Post by: Cain on October 29, 2011, 11:33:59 AM
That's what I believe, yes.  China is keen to grow its economy and little else.  It knows economic superiority invariably leads to military superiority, but for the moment that economic goal is the overriding one.

American history, or a version thereof, has been keenly studied in China.  And what the Chinese with influence believe is that America got to the top of the world by not intervening too closely in either major world war until it had to, by building a massive economic base and one of the reasons they got such a large industrial base was, apart from resources and population, through naked copyright theft from more advanced European nations (at least in the 19th century, when they could more plausibly get away with it).  Stealing innovation and then making the product cheaper means more market access, more sales and more money to put into research and development further down the line.  It's a solid way forward for a country where production costs can be kept especially low.

Also, I'd be willing to bet NSA penetration of US companies is just as extensive, if not more so.
Title: Re: Security Thread
Post by: Triple Zero on November 04, 2011, 03:21:45 PM
F-Secure published a very interesting Q&A about Operation Duqu:

http://www.f-secure.com/weblog/archives/00002264.html

What's that then? Well basically Duqu is closely related to Stuxnet, probably engineered partly by the same team, and it uses a really advanced and expensive Windows kernel exploit to do its work. Except it's being much more secretive about its purposes, and well it looks like it's only doing recon work for the next "StuxNet 2.0" operation.

And a lot of other interesting things, how it's probably one cog in larger operation, and tries to hide itself in different ways.

Highly recommended for reading if you're interested in these things.
Title: Re: Security Thread
Post by: Triple Zero on November 14, 2011, 06:55:35 PM
Iran Working to Control Duqu Virus Attack (http://www.pcmag.com/article2/0,2817,2396348,00.asp#fbid=UuppgYukqO9)

Iranian officials have confirmed that the Stuxnet-like Duqu virus hit computers in the country, but said a fix is being provided to those affected.
Title: Re: Security Thread
Post by: Triple Zero on November 21, 2011, 12:01:03 PM
So apparently ... in between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for Texan water supplies:

http://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-character-password-secure-internet-facing-scada-system-11201

:lulz:
Title: Re: Security Thread
Post by: Faust on November 21, 2011, 12:14:59 PM
Quote from: Triple Zero on November 21, 2011, 12:01:03 PM
So apparently ... in between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for Texan water supplies:

http://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-character-password-secure-internet-facing-scada-system-11201

:lulz:

OH GOOD GOD! Putting any kind of process control on internet accessible SCADA systems is something that should never be done lightly, especially a potentially LETHAL one like a water system.

And using a three character password to boot, not only should someone get fired, that department should get shut down.
Title: Re: Security Thread
Post by: Triple Zero on November 21, 2011, 12:48:29 PM
Also, very weird shit going on from within China's Great Firewall:

http://www.nsc.liu.se/~nixon/sshprobes.html

Servers accepting incoming SSH connections from Chinese IPs sometimes first get "probed" with a short burst of completely random data from completely different Chinese IPs. Sometimes the SSH connection itself is dropped shortly thereafter. It's assumed that it's got something to do with Chinese censorship, but it's a complete mystery what the random data is for (as it just generates an error at the server, doesn't exploit anything).
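The random-data bursts described above show up on the server side as sshd "Bad protocol version identification" errors, so the pattern (garbage from one address, a real session from another address seconds later) can be pulled out of ordinary syslog. The following is an added example, not code from the thread or from the linked write-up: it parses constructed sshd syslog lines, separates banner-error events from accepted sessions, and reports probe/session pairs from different source addresses within a short window, alongside a plain count of banner errors per source so ordinary scanner noise can be told apart. The year (syslog lines carry none), the window size and the sample addresses are assumptions; the "Bad protocol version identification" message text is OpenSSH's, and the regex also tolerates the " port N" suffix later versions append.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2011  # syslog timestamps omit the year; constructed sample is Nov 2011

# Constructed sshd syslog excerpt (not from the linked page).
SSHD_LOG = """\
Nov 20 10:14:58 host sshd[2101]: Bad protocol version identification '\\x8f\\x03Q\\xb2\\x1d' from 203.0.113.77
Nov 20 10:15:01 host sshd[2102]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2
Nov 20 10:15:01 host sshd[2102]: Received disconnect from 203.0.113.10: 11: disconnected by user
Nov 20 11:02:40 host sshd[2140]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.9
Nov 20 12:30:07 host sshd[2188]: Accepted password for bob from 192.0.2.44 port 40012 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
BAD_BANNER_RE = re.compile(r"^Bad protocol version identification '.*' from (\S+?)(?: port \d+)?$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for \S+ from (\S+) port \d+")


def parse(text):
    """Split the log into (timestamp, source) lists of banner errors and accepted sessions."""
    probes, sessions = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{mon} {day} {clock} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
        bad = BAD_BANNER_RE.match(msg)
        if bad:
            probes.append((ts, bad.group(1)))
            continue
        acc = ACCEPTED_RE.match(msg)
        if acc:
            sessions.append((ts, acc.group(1)))
    return probes, sessions


def probe_counts(text):
    """Banner errors per source: high counts from one address are ordinary scanner noise."""
    probes, _ = parse(text)
    return Counter(src for _ts, src in probes)


def correlate(text, window_seconds=10):
    """Probe/session pairs from *different* sources within the window.

    Returns (probe_source, session_source, seconds_from_probe_to_session);
    a probe followed by a session from the same address is just a client
    retrying and is deliberately not reported.
    """
    probes, sessions = parse(text)
    window = timedelta(seconds=window_seconds)
    pairs = []
    for pts, psrc in probes:
        for sts, ssrc in sessions:
            if ssrc != psrc and abs(sts - pts) <= window:
                pairs.append((psrc, ssrc, int((sts - pts).total_seconds())))
    return pairs


if __name__ == "__main__":
    for psrc, ssrc, delta in correlate(SSHD_LOG):
        print(f"garbage from {psrc} then session from {ssrc} {delta}s later")
    print(dict(probe_counts(SSHD_LOG)))
```

On the sample, the binary junk from 203.0.113.77 three seconds before alice's session from 203.0.113.10 is reported as a pair; the HTTP request to port 22 from 198.51.100.9 is counted as a banner error but, with no nearby session, is not paired with anything. The result is a lead to look at, not proof of interference: the window has to be tuned on a busy host or it will pair unrelated events.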
Title: Re: Security Thread
Post by: Faust on November 21, 2011, 01:08:42 PM
Quote from: Triple Zero on November 21, 2011, 12:48:29 PM
Also, very weird shit going on from within China's Great Firewall:

http://www.nsc.liu.se/~nixon/sshprobes.html

Servers accepting incoming SSH connections from Chinese IPs sometimes first get "probed" with a short burst of completely random data from completely different Chinese IPs. Sometimes the SSH connection itself is dropped shortly thereafter. Assumed is it's got something to do with Chinese censorship, but it's a complete mystery what the random data is for (as it just generates an error at the server, doesn't exploit anything).

They are targeting coordinates for the space based laser that etched those markings.
Title: Re: Security Thread
Post by: Triple Zero on December 10, 2011, 11:34:35 AM
Just got this off the twitter:

UNDERSTANDING CYBERCRIME: A GUIDE FOR DEVELOPING COUNTRIES -- ICT Applications and Cybersecurity Division, Policies and Strategies Department, ITU Telecommunication Development Sector, Draft April 2009 (http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-understanding-cybercrime-guide.pdf)  via @laviero (http://mobile.twitter.com/laviero/status/145433003043209216)

and http://www.cybercrimelaw.net/Cybercrimelaw.html -- "An International Criminal Tribunal for Cyberspace should be established as an United Nations court of law for the most serious cybercrimes of global concern. Such Court may have its seat in The Hague or in Singapore, discusses Judge Stein Schjolberg, Norway, in a book «A Global Treaty on Cybersecurity and Cybercrime» that was published on February 23." (PDF download of the book on that page) via @laviero (http://mobile.twitter.com/laviero/status/145440510222417920)

It's an interesting angle, different from my usual interests, which are of course with the more technical aspects of "cyber" security. This focuses more on the international, political and legal ways of dealing with the problems.

Like if there's a rogue group of hackers from Lithuania attacking servers in Switzerland, whose responsibility is that and what can the Swiss do to bring these people to justice? Much more complex than with meat-crime¹, as the first response has traditionally always been "catch them before they cross your border again", but that doesn't work, the Internet has no borders and cybercrime being perpetrated completely within one nation's border is truly more the exception than the rule. A hacker would be stupid to not route his attack through one or more unrelated countries to take advantage of exactly these difficulties.

Problem is, naive solutions result in huge privacy violations and/or wrecking the very fundamental concepts that made the Internet grow so useful, and all that.

Bigger problem is, the political/legal people making up these regulations may not have the technical knowledge to realize these naive solutions are naive and come up with alternatives. They feel they need to do something, and this is the best they can come up with, cause they don't understand the subject matter (which is very complex and I'd be hard pressed to come up with a solid waterproof solution myself as well), and then something monkeystupid will happen: the biggest hurdle to implement these naive solutions to them is getting all these nations to agree, work together, make treaties, the whole political game, it's complex and even if the answer was straightforward, it'd still take a lot of greasing to get everyone facing mostly the same way. And seeing that big hurdle, the politicians are happy, because this is a difficult task that they are good at and can sink their teeth in! So they gladly forget about all that technical stuff which keeps reminding them of their ignorance and start campaigning and putting their weight in and whenever they make some progress with that, they feel like they've accomplished something useful because it was politically hard, not because it was the best way forward.

I dunno if this book discusses the above, btw. I should probably read it, even though I fear it'll bore the fuck out of me :)

But on PD there's enough people that are interested more in these legal/political aspects than myself, so I hope it's interesting to you (and that if you read it maybe give me a TLDR/summary) -- there's more links on that page btw, this book's just one of them.





¹ if they're going to insist on calling it "cyber-crime", I'm going to insist we call regular crime "meat-crime" from now on.
Title: Re: Security Thread
Post by: Mesozoic Mister Nigel on December 12, 2011, 02:07:43 AM
MEAT-CRIME.

!
Title: Re: Security Thread
Post by: Triple Zero on December 12, 2011, 03:19:12 PM
Quote from: Nigel on December 12, 2011, 02:07:43 AM
MEAT-CRIME.

!

SUCH AS THROWING AWAY BACON FAT


OR THAT PINK SHIT IN CHEAP HOT DOGS
Title: Re: Security Thread
Post by: Triple Zero on December 24, 2011, 12:11:55 AM
Hackers Completely Penetrated U.S. Chamber of Commerce's IT Systems  (http://spectrum.ieee.org/riskfactor/telecom/security/hackers-completely-penetrate-us-chamber-of-commerces-it-systems)
The Wall Street Journal published a story today that is no doubt causing consternation in many US businesses today. According to the story, a hacking group based in China was able to fully penetrate the U.S. Chamber of Commerce's computer systems in November 2009, if not before. The intrusion, in which administrator level passwords were stolen, was not discovered until May 2010 by the US Federal Bureau of Investigation (FBI). The FBI immediately informed the Chamber, at which time the Chamber began to take measures to close off the intrusion. The WSJ says that all the Chamber's systems may not be completely secure even now.


check it out, they got 0wned pretty bad ...
Title: Re: Security Thread
Post by: Mesozoic Mister Nigel on December 24, 2011, 12:15:49 AM
Quote from: Triple Zero on December 24, 2011, 12:11:55 AM
Hackers Completely Penetrated U.S. Chamber of Commerce's IT Systems  (http://spectrum.ieee.org/riskfactor/telecom/security/hackers-completely-penetrate-us-chamber-of-commerces-it-systems)
The Wall Street Journal published a story today that is no doubt causing consternation in many US businesses today. According to the story, a hacking group based in China was able to fully penetrate the U.S. Chamber of Commerce's computer systems in November 2009, if not before. The intrusion, in which administrator level passwords were stolen, was not discovered until May 2010 by the US Federal Bureau of Investigation (FBI). The FBI immediately informed the Chamber, at which time the Chamber began to take measures to close off the intrusion. The WSJ says that all the Chamber's systems may not be completely secure even now.


check it out, they got 0wned pretty bad ...

Whoa!
Title: Re: Security Thread
Post by: Triple Zero on May 13, 2012, 04:24:46 PM
Malware coder / Botnet herder does AMA on Reddit, loads of interesting things:

http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

(Be sure to expand all the collapsed comment thread bits because some have such a dislike of anonymous cybercriminals they downvoted many of the OP's comments into collapsement)
Title: Re: Security Thread
Post by: Triple Zero on May 14, 2012, 11:02:46 AM
From the discussion on HN about the above Reddit AMA, kind of off-topic in regard to security, but a very interesting observation in general:

http://news.ycombinator.com/item?id=3962120
Quote from: etherael
It was quite interesting to me how he rationalised his behaviour; Yes, it's a bad thing to do, but at the same time the world is full of bad actors, unscrupulous politicians and out of control corrupt financial institutions, so really I'm just acting in accordance with the established order.

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.
Title: Re: Security Thread
Post by: Golden Applesauce on May 14, 2012, 11:55:29 PM
Quote from: Triple Zero on May 14, 2012, 11:02:46 AM
From the discussion on HN about the above Reddit AMA, kind of off-topic in regard to security, but a very interesting observation in general:

http://news.ycombinator.com/item?id=3962120
Quote from: etherael
It was quite interesting to me how he rationalised his behaviour; Yes, it's a bad thing to do, but at the same time the world is full of bad actors, unscrupulous politicians and out of control corrupt financial institutions, so really I'm just acting in accordance with the established order.

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

I saw that!

I also like how he blames his victims for being insufficiently paranoid / tech savvy.  Of course they're not as paranoid as you are - they aren't cybercriminals.

Also - either 12,000 bots is fucking tiny or being a botmaster doesn't pay shit.  Sure, it's a part-time college job, but he's only making a fraction of what a first-year CS graduate can make in the States.
Title: Re: Security Thread
Post by: Triple Zero on May 15, 2012, 02:20:21 PM
yes 12k bots is quite tiny, most "pro" botnets I heard of are in the 100k range, the real big ones can easily be 5-10x that.

I don't think it's bad money, though. It's obviously not his full-time job as he's still studying engineering. In the meantime he's tinkering with netsec and reverse engineering, which he would probably be doing anyway. The bitcoin mining seems to net him about $1000 each month, he doesn't say how much he gets from selling cc info in addition to that.

And with that quote I meant something different. I'm completely uninterested in how or why this guy's rationalisations are wrong, unethical, immoral and/or misguided. That much is obvious and the whole moral crusade thing is just for making the people pointing it out feel good about themselves but detrimental to learning and the discussion. However it's the last sentence of that quote that caught my attention:

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

See I don't care about his arguments that people should learn to protect themselves better etc, though I agree that they should that's no reason to rob them. The interesting thing is he also points at politicians, bankers and such who are operating much larger scale corruption, stealing billions from the economy, fucking over people far worse (through policies and crises) than he does.

It's an interesting idea, how many people rationalize their smaller-scale crimes because even our "leaders" are doing it, and they're doing it much worse?

"They're screwing us over, so that means I can take what I want, too"

Something about responsibility and setting an example.
Title: Re: Security Thread
Post by: Cain on February 04, 2013, 10:48:56 AM
Might want to watch out for this

http://www.theregister.co.uk/2013/02/01/ransomware_trojan/

Quote
Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software and pops up a text message accusing victims of breaking the law - usually for downloading copyrighted material or dodgy pornography - and locks down the computer until the user coughs up some cash.

But this new Trojan stoops to an all-time low by displaying actual pictures of child sex abuse and accuses the victim of previously viewing it. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.
Title: Re: Security Thread
Post by: Mesozoic Mister Nigel on February 05, 2013, 03:04:37 AM
Quote from: Cain on February 04, 2013, 10:48:56 AM
Might want to watch out for this

http://www.theregister.co.uk/2013/02/01/ransomware_trojan/

Quote
Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software and pops up a text message accusing victims of breaking the law - usually for downloading copyrighted material or dodgy pornography - and locks down the computer until the user coughs up some cash.

But this new Trojan stoops to an all-time low by displaying actual pictures of child sex abuse and accuses the victim of previously viewing it. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.

FUCKING HELL

That's horrifying!
Title: Re: Security Thread
Post by: The Good Reverend Roger on February 05, 2013, 03:38:45 AM
Quote from: M. Nigel Salt on February 05, 2013, 03:04:37 AM
Quote from: Cain on February 04, 2013, 10:48:56 AM
Might want to watch out for this

http://www.theregister.co.uk/2013/02/01/ransomware_trojan/

Quote
Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software and pops up a text message accusing victims of breaking the law - usually for downloading copyrighted material or dodgy pornography - and locks down the computer until the user coughs up some cash.

But this new Trojan stoops to an all-time low by displaying actual pictures of child sex abuse and accuses the victim of previously viewing it. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.

FUCKING HELL

That's horrifying!

Jesus Christ.
Title: Re: Security Thread
Post by: Nephew Twiddleton on February 05, 2013, 04:18:48 AM
Wow. What the shit.
Title: Re: Security Thread
Post by: Golden Applesauce on March 16, 2013, 04:21:36 AM
"Hackers" call in a SWAT team on big shot security researcher / blogger / professional Russian cybercrime pisser-offer Brian Krebs. Brian Krebs is unimpressed.

http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/#more-19437 (http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/#more-19437)
Title: Re: Security Thread
Post by: Mesozoic Mister Nigel on March 16, 2013, 05:06:39 AM
Very interesting, and well-handled on his part.
Title: Re: Security Thread
Post by: Bu🤠ns on March 16, 2013, 07:58:00 AM
Quote from: Triple Zero on May 15, 2012, 02:20:21 PM
yes 12k bots is quite tiny, most "pro" botnets I heard of are in the 100k range, the real big ones can easily be 5-10x that.

I don't think it's bad money, though. It's obviously not his full-time job as he's still studying engineering. In the meantime he's tinkering with netsec and reverse engineering, which he would probably be doing anyway. The bitcoin mining seems to net him about $1000 each month, he doesn't say how much he gets from selling cc info in addition to that.

And with that quote I meant something different. I'm completely uninterested in how or why this guy's rationalisations are wrong, unethical, immoral and/or misguided. That much is obvious and the whole moral crusade thing is just for making the people pointing it out feel good about themselves but detrimental to learning and the discussion. However it's the last sentence of that quote that caught my attention:

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

See I don't care about his arguments that people should learn to protect themselves better etc, though I agree that they should that's no reason to rob them. The interesting thing is he also points at politicians, bankers and such who are operating much larger scale corruption, stealing billions from the economy, fucking over people far worse (through policies and crises) than he does.

It's an interesting idea, how many people rationalize their smaller-scale crimes because even our "leaders" are doing it, and they're doing it much worse?

"They're screwing us over, so that means I can take what I want, too"

Something about responsibility and setting an example.


I'm almost finished the thread but what grabbed me is the idea that Antivirus companies will purposely leave holes open and that they're nothing more than snake oil salesmen. 

What do you think about that?  At least from a Windows point of view.
Title: Re: Security Thread
Post by: Golden Applesauce on March 16, 2013, 06:20:44 PM
Quote from: Bu☆ns on March 16, 2013, 07:58:00 AM
I'm almost finished the thread but what grabbed me is the idea that Antivirus companies will purposely leave holes open and that they're nothing more than snake oil salesmen. 

What do you think about that?  At least from a Windows point of view.

They don't need to leave holes open. Antivirus software fundamentally does not work - they attempt to guess if a program is a virus or not by looking at its code. Which is theoretically unsolvable (see: Halting Problem (http://en.wikipedia.org/wiki/Halting_problem), the computer equivalent of Gödel's incompleteness theorem (http://en.wikipedia.org/wiki/G%C3%B6del%27s_incompleteness_theorems)) as well as unsolvable in practice - all you have to do is either deploy a self-decrypting or self-extracting program and AV software can't read inside of it, or trick a safe program into running malicious code (the "poisonous PDF" trick.)

Windows or not is irrelevant. Actually, PC hacks these days tend to rely more on vulnerabilities in specific programs (Adobe Reader, Java's browser plugin, Flash) than operating systems. They might still be deploying Windows code, but only because that's the most bang for your effort, not because modern Windows is especially vulnerable. It's terrifically easy to accidentally configure Windows to be insecure (or forget to turn on the important security settings)

Security companies can work, but good security is Hard, and therefore Expensive. Cost efficient if you're a bank or DoD contractor, not so much as an individual user or small business. Here's a story about what real security firm looks like. They messed up, but the attackers had to work really hard to pull it off. Maybe not Stuxnet grade, but almost certainly state-backed.
http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/
Title: Re: Security Thread
Post by: Cain on March 16, 2013, 06:29:51 PM
Not to mention, thanks to the flood of cyberwarfare scares in the past few years, the security consultancy field is absolutely filled to the brim with scam artists and people who do not know what they are talking about.

Most companies would also rather take the losses and bury the mistake and hire some shiny-looking outfit to run "stress tests" and "deploy active countermeasures" than be told that they need to change their passwords weekly, and not have their password as "password".  They'll take their (not so) cheap, technological cure-all (which doesn't actually work) over a focus on the human equation of security, being told no security is perfect and engaging in a number of opportunity-cost-raising activities which may not reassure investors and could impact on their bottom line.
Title: Re: Security Thread
Post by: Bu🤠ns on March 16, 2013, 08:04:10 PM
Quote from: Golden Applesauce on March 16, 2013, 06:20:44 PM
Quote from: Bu☆ns on March 16, 2013, 07:58:00 AM
I'm almost finished the thread but what grabbed me is the idea that Antivirus companies will purposely leave holes open and that they're nothing more than snake oil salesmen. 

What do you think about that?  At least from a Windows point of view.

They don't need to leave holes open. Antivirus software fundamentally does not work - they attempt to guess if a program is a virus or not by looking at its code. Which is theoretically unsolvable (see: Halting Problem (http://en.wikipedia.org/wiki/Halting_problem), the computer equivalent of Gödel's incompleteness theorem (http://en.wikipedia.org/wiki/G%C3%B6del%27s_incompleteness_theorems)) as well as unsolvable in practice - all you have to do is either deploy a self-decrypting or self-extracting program and AV software can't read inside of it, or trick a safe program into running malicious code (the "poisonous PDF" trick.)

Windows or not is irrelevant. Actually, PC hacks these days tend to rely more on vulnerabilities in specific programs (Adobe Reader, Java's browser plugin, Flash) than operating systems. They might still be deploying Windows code, but only because that's the most bang for your effort, not because modern Windows is especially vulnerable. It's terrifically easy to accidentally configure Windows to be insecure (or forget to turn on the important security settings)

Security companies can work, but good security is Hard, and therefore Expensive. Cost efficient if you're a bank or DoD contractor, not so much as an individual user or small business. Here's a story about what real security firm looks like. They messed up, but the attackers had to work really hard to pull it off. Maybe not Stuxnet grade, but almost certainly state-backed.
http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/

So then the best security practices are to: enable basic OS security settings, update everything constantly, scan for rootkits, not use pirate software and use script blockers?   I've considered using a VM to do the more risky stuff... is that a useful tactic?


Quote from: Cain on March 16, 2013, 06:29:51 PM
Not to mention, thanks to the flood of cyberwarfare scares in the past few years, the security consultancy field is absolutely filled to the brim with scam artists and people who do not know what they are talking about.

Most companies would also rather take the losses and bury the mistake and hire some shiny-looking outfit to run "stress tests" and "deploy active countermeasures" than be told that they need to change their passwords weekly, and not have their password as "password".  They'll take their (not so) cheap, technological cure-all (which doesn't actually work) over a focus on the human equation of security, being told no security is perfect and engaging in a number of opportunity-cost-raising activities which may not reassure investors and could impact on their bottom line.

This is crazy... it's the first I've heard of this.  Here I'm thinking that I'm lucky because I don't get malware (that I know of :P ) because I update my AV every time I can.
Title: Re: Security Thread
Post by: Cain on March 19, 2013, 07:33:49 PM
Quote from: Golden Applesauce on March 16, 2013, 04:21:36 AM
"Hackers" call in a SWAT team on big shot security researcher / blogger / professional Russian cybercrime pisser-offer Brian Krebs. Brian Krebs is unimpressed.

http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/#more-19437

Unfortunately for these hackers, they are being datamined by whitehat hackers currently.  Krebs is pretty popular amongst the more sensible and knowledgeable infosec circles, and they are most upset at him being treated in such a manner.
Title: Re: Security Thread
Post by: Lord Cataplanga on July 12, 2013, 02:56:53 PM
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

A vulnerability in Android's security model has been found, that affects 99% of all Android devices.

Quote from: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.

All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified. This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.

That means that trojan applications can be nigh-indistinguishable from the legit ones.

This vulnerability requires a firmware update to patch, and there is no way Samsung is going to release a new version of my ancient phones' firmware :(

Quote
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these "zombie" mobile devices to create a botnet.

This "botnet" idea seems like it could work, because most Android phones are quite old, and rarely get firmware security patches.
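An added illustration of the bug class behind the Bluebox report (this is not Bluebox's code and not Android's own verifier; it is example code written for this thread). The "discrepancy between verification and installation" was that an APK's ZIP container could carry two entries with the same name, and the signature check and the installer each picked a different one, so the bytes that were hashed were not the bytes that ran. The Python below builds a constructed APK-like ZIP with two `classes.dex` entries (placeholder bytes, not real dex code), shows two readers disagreeing about which entry is "the" `classes.dex`, and gives the check a verifier wants to run before it trusts any signature: reject an archive whose central directory repeats a name. Entry names and payload bytes are assumptions for the demo.

```python
import io
import warnings
import zipfile
from typing import List

# Constructed stand-in payloads (not real dex bytecode).
ORIGINAL_DEX = b"dex\n035\x00ORIGINAL-SIGNED-CODE"
MODIFIED_DEX = b"dex\n035\x00ATTACKER-MODIFIED-CODE"


def build_apk_like_zip(duplicate: bool) -> bytes:
    """Return an APK-shaped ZIP. With duplicate=True the central directory
    lists 'classes.dex' twice, each with its own local header and data."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about a repeated name but still writes the second entry.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", ORIGINAL_DEX)  # the copy a verifier might hash
            if duplicate:
                zf.writestr("classes.dex", MODIFIED_DEX)  # the copy another reader may extract
    return buf.getvalue()


def first_entry_bytes(zip_bytes: bytes, name: str) -> bytes:
    """Resolution rule A: take the FIRST central-directory entry with this name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()
    raise KeyError(name)


def last_entry_bytes(zip_bytes: bytes, name: str) -> bytes:
    """Resolution rule B: look up by name. Python's zipfile keeps the LAST
    entry for a repeated name, so this returns the second copy."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def duplicate_entry_names(zip_bytes: bytes) -> List[str]:
    """The check a verifier should make before trusting a signature over the
    archive: any name listed more than once in the central directory."""
    seen = set()
    dupes: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in seen and info.filename not in dupes:
                dupes.append(info.filename)
            seen.add(info.filename)
    return dupes


def verifier_and_installer_agree(zip_bytes: bytes, name: str) -> bool:
    """True only when both resolution rules see the same bytes for `name`."""
    return first_entry_bytes(zip_bytes, name) == last_entry_bytes(zip_bytes, name)


if __name__ == "__main__":
    bad = build_apk_like_zip(duplicate=True)
    print("duplicate names:", duplicate_entry_names(bad))
    print("rule A sees:", first_entry_bytes(bad, "classes.dex"))
    print("rule B sees:", last_entry_bytes(bad, "classes.dex"))
    print("agree:", verifier_and_installer_agree(bad, "classes.dex"))
```

The point of the demo is that a signature over "classes.dex" is only as meaningful as the rule that says which bytes that name denotes; if the signer and the loader disagree on that rule, the signature verifies and the wrong code runs. The cheap defence is to refuse the archive outright when a name repeats, rather than to try to pick the "right" copy.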
Title: Re: Security Thread
Post by: Pæs on July 13, 2013, 12:17:31 AM
Hokay, ditching plans to make apps, working on benevolent mobile botnet instead.
Title: Re: Security Thread
Post by: LMNO on July 13, 2013, 04:24:36 AM
Is it just me, or did you just up the difficulty level by about 162%?
Title: Re: Security Thread
Post by: Pæs on March 01, 2015, 11:33:11 PM
BUMP in lieu of PlightOfFernandoPoo making his security thread.

Recommending risky.biz for security podcasts to follow. Hard to find security podcasts which aren't just a bunch of dudebros lulzing about farts.
Title: Re: Security Thread
Post by: Cain on March 07, 2015, 07:23:02 PM
Looks good.

I personally like Krypt3ria (https://krypt3ia.wordpress.com/), though it's only one person and they don't update as much as I'd like.
Title: Re: Security Thread
Post by: disfnordia on October 04, 2015, 05:26:20 AM
I have been around a long time, not this forum, just this world. I rarely post on the clearnet; when I see Facebook with a Discordian page, of which I belong, I know the end is nigh. Now you damn kids get off my grass!

I wanted to link to zine that had some useful information https://zine.riseup.net/

This is my first post, I will stick around for a while. I am scanning some old 23 zines I have lying around from the '80s. I will upload them soon for your viewing pleasure.



(https://www.dropbox.com/s/3fi4eos918wgtzu/transcendental%20bunny.jpg?dl=0)