Privacy, Security Archive

Thunderstrike 2: Mac firmware worm details

This is the annotated transcript of our DefCon 23/BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple's Macs that can spread via both software or Thunderbolt hardware accessories and writes itself to the boot flash on the system's motherboard. The original slides are available.

While I think it's unlikely this worm will pose any real threat in the real world, I find it amazing that we're living in a world where this is possible in the first place.

Online dating website for cheaters gets hacked

Ashley Madison, an online dating website that specifically targets people looking to have an affair, has been hacked by a group that calls itself Impact Team. A cache of data has been released by the Impact Team, including user profiles, company financial records, and "other proprietary information." The company's CEO, Noel Bilderman, confirmed with KrebsOnSecurity that they had been hacked, but did not speak about the extent of the breach.

I'm really surprised by the amount of comments online stating that this is not a problem, because they're just "cheaters" anyway, so they don't deserve privacy, right?

Cheating on your "loved" one is despicable, low, and disgusting (and an immediate, unequivocal relationship/friendship termination in my book), but one, it's not illegal, and two, even if it were, mob justice is not the way to go. This hack and possible release of personal information is just as bad as any other hack.

Hacking Team Android App Could Bypass Google Play Code Review

"Security researchers at Trend Micro's Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider Hacking Team that may have allowed the company's customers to sneak spyware through the Google Play store's code review. While the application in question may have only been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers--and may now be copied by others trying to get malware onto Android devices." OSNews readers would have never fallen for this ruse, since the name of the app was BeNews. Once we noticed there was nothing about BeOS in these, we discern its nefarious intent.

Hacking Team hacked, attackers claim 400GB in dumped data

On Sunday, while most of Twitter was watching the Women's World Cup - an amazing game from start to finish - one of the world's most notorious security firms was being hacked.

Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

Feels poetic.

‘Cyber is just pounding me from every direction’

Texas representative John Carter, chairman of the subcommittee on Homeland Security appropriations, and who sits on various other defense-related subcommittees, is hearing about cyber a lot these days. As he put it, "cyber is just pounding me from every direction." That's just the first few seconds of the very entertaining video, where Carter tries to find the right words to express his concern over new encryption standards from Apple and others.

You may laugh about this, but... These are the people running the most powerful military of the world.

The CIA campaign to steal Apple’s secrets

Researchers working with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple's iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the "Jamboree," where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.

Outrage something something not surprised exclamation point.

The great SIM heist

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

The Americans and British hacking into a Dutch company's private network to steal information so they can spy on pretty much everyone. And we call them our "allies". This is way, way worse than whatever the North-Koreans supposedly did to Sony.

In a just world, the people responsible for this act of aggression would be dragged to The Hague to face justice. Alas - we do not live in a just world. My own Dutch government will sweep this under the rug after some fake posturing for the electorate, and that's that.

Russian researchers expose breakthrough in US spying program

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Google reveals third unpatched 90-day Windows vulnerability

Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft's Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don't give a damn thought.

Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix.

First, this article makes the usual mistake of calling these vulnerabilities "zero day". They are not zero day. They are 90 day. A huge difference that changes the entire context of the story. Microsoft gets 90 days - three months - to address these issues. I do not see why Google has to account for Microsoft's inflexible security policies which leave users in the lurch.

Second, note that Google also disclosed two OS X vulnerabilities alongside the Windows one. Nobody seems to be talking about those.

Third, Google, how about addressing your own security problems.

How Verizon and Turn defeat browser privacy protections

Verizon advertising partner Turn has been caught using Verizon Wireless's UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking. Explosive research from Stanford security expert Jonathan Mayer shows that, as we warned in November, Verizon's UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.

A virtually unchecked and unbound company with near-monopoly status in many US areas doing something scummy? I am so surprised.

Flaw discovered that could let anyone listen to your cell calls

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale - even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

Home Network Insecurity

Is your home wireless network secure? On a drive about town, I noticed that about one fifth of home routers are completely open and perhaps half are under-secured.

Used to be, this was because home users didn't know how to configure their routers. But now, Comcast is turning home networks into public hotspots unless customers -- few of whom even know about this -- specifically opt out. This article discusses the problems with this.

U.S. courts may hold you responsible if someone uses your wireless network -- without your knowledge or permission -- to illegally download music, movies, or software. People have even been raided by SWAT teams and convicted for downloading child pornography.

Is Comcast's project a bold move towards free wi-fi everywhere? Or is it a security outrage?

Meanwhile, here's a simple tutorial on how to secure your home wireless network.

DenyHost adds support for PF firewall

One common method attackers use when attempting to compromise a server is brute forcing login credentials. Given enough time, automated tools can guess a person's username and password, granting the attacker access to an unprotected server. To counter these sorts of attacks, where passwords are guessed by trial and error, several tools have been created. Utilities such as Fail2Ban and DenyHost monitor login attempts and automatically block the computers performing these types of attacks.

Last week the DenyHost project added a feature which allows the utility to block attacks by using the PF firewall. PF is typically used on the OpenBSD and FreeBSD operating systems to block or forward network traffic. The project's website reports:

DenyHost 2.9 adds one new feature, the ability to work with the PF packet filter, popular on BSD systems such as FreeBSD, OpenBSD, NetBSD, PC-BSD and TrueOS. The DenyHost daemon will now work with existing PF tables in real time, allowing administrators to block incoming secure shell connections at the firewall level. Examples of how to set up the appropriate PF rules and enable DenyHost to work with PF are available in the DenyHost configuration file (denyhosts.conf).

GCHQ: Silicon Valley is Terrorist “Command and Control” Network

The new head of GCHQ , Robert Hannigan, has spoken out strongly against American Internet companies. The BBC reports: "His concerns appear to be twofold. Firstly the fact that militant organisations such as Islamic State (IS) are using Twitter, Facebook and WhatsApp to promote themselves and the increasing sophistication that extremists are showing in their use of such platforms. And secondly he is not happy about pledges from Microsoft, Google, Apple and Yahoo to make encryption a default option to protect users from government snooping."

Serious OS X Yosemite Vulnerability Discovered

Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability "rootpipe" and has explained how he found it and how you can protect against it. It's a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system. It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn't fixed the flaw yet, he says, so Truesec won't provide details yet of how it works.