TechDiem.com » Security

KARMA POLICE: GCHQ spooks spied on every web user ever

admin — Sat, 26 Sep 2015 10:44:09 +0000

New documents revealing GCHQ’s mass-surveillance activities have detailed an operation codenamed KARMA POLICE, which slurped up the details of “every visible user on the Internet”.

The operation was launched in 2009, without Parliamentary consultation or public scrutiny, to record the browsing habits of “every visible user on the Internet” without the agency obtaining legal permission to do so, according to documents published by The Intercept.

KARMA POLICE was constructed between 2007 and 2008, and according to slides was developed with the explicit intention of correlating “every user visible to passive SIGINT with every website they visit, hence providing either (a) a web browsing profile for every visible user on the Internet, or (b) a user profile for every visible website on the Internet.”

Its 2009 run was particularly interested in those listening to online radio shows, although one slide also shows tracking of those who have visited spook-baiting Cryptome.org, and pornography site RedTube.

A summary document reveals that the operation affected “224,446 unique listener IP addresses over a three month period, covering approximately 108448 /24 subnets.”

Another programme, codenamed BLAZING SADDLES, was used to target listeners of “any one particular radio station … to understand any trends or behaviours.”

The summary report states how:

A wealth of datamining techniques could be applied on small closed groups of individuals, to look for potential covert communications channels for hostile intelligence agencies running agents in allied countries, terrorist cells, or serious crime targets.

One user was targeted, without any stated suspicion of being involved in terrorism or posing a threat to national security, and was found to have visited popular porn purveyor Redtube, as well as social media sites and several Arabic and Islamic sites, which appeared to be commercial enterprises.

Eric King, deputy director of Privacy International, tweeted his alarm at the revelations of GCHQ’s activities and the spooks’ thoughts regarding oversight:

Best argument for Judicial Authorisation I’ve seen comes from GCHQs own internal documents. https://t.co/oDLjyinPKX pic.twitter.com/7MlJJlVK0x

— Eric King (@e3i5) September 25, 2015

The Register is analysing the new documents and will provide more reportage shortly. ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/25/gchq_tracked_web_browsing_habits_karma_police/

Obama brain trust sidesteps mandatory hackers’ backdoor idea

admin — Sat, 26 Sep 2015 10:44:08 +0000

An Obama administration working group mulled four mechanisms for breaking the encrypted smartphones of terrorist and criminal suspects before rejecting them all as too politically fraught or impractical.

While planting backdoors was “technically feasible”, each method risked becoming a focus of attacks by third parties and posed a risk to relations with tech firms, who might be less inclined to co-operate with other initiatives as a result.

Law enforcement officials and intel agencies have heightened warnings over the last year or so that web communications are going dark due to greater use of encryption in the latest generation of smartphones and messaging apps.

Spooks want access to any communications via a warrant, but that’s simply not possible if well engineered end-to-end encryption has been applied.*

The working group considered four technical methods towards implementing what is described as “accessible encryption” – an emphasis independent security experts were quick to mock as like TSA-compliant locks on suitcases.

One of the main candidates for working around encryption was compromising vendors’ update channels, an approach deemed unwieldy and problematic because it relied on users applying updates. Forced back-up and splitting of encryption keys, an option floated by NSA director Michael S Rogers earlier this year, were also considered. Adding a new physical, encrypted port to their devices for access by law enforcement was looked at but was considered too costly.

“Any proposed solution almost certainly would quickly become a focal point for attacks,” said the unclassified memo, put together by officials from law enforcement, intelligence, diplomatic and economic agencies for eventual debate by Cabinet members, the Washington Post reported.

“Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce ‘backdoors’ or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation,” the memo said.

Instead of developing a 21st century equivalent to the infamous Clipper Chip of the ’90s, governments should agree a framework with industry that respected key principles such as no backdoors and so-called “golden keys” for the government to gain access to data.

The whole discussion represents the results of a technical evaluation of encryption policy options for the Obama administration. A leaked memo from the National Security Council, published by The Washington Post earlier this month, lays out the political options facing Obama in handling the encryption issue over the last year or so of his presidency, as explained in our earlier story here. ®

Bootnote

* Even without a convenient backdoor the situation is far from hopeless for police and intel agencies. Mistakes made by suspects or weak passwords can offer a way in, as has been demonstrated on numerous occasions.

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/25/obama_panel_rejects_backdoor_option/

Hilton hotels in credit-card-stealing malware infection scare

admin — Sat, 26 Sep 2015 10:44:06 +0000

Someone has hacked the Hilton’s sales registers, and made off with guests’ credit-card details, it’s claimed. The hotel chain confirmed today it is investigating the alleged breach of its computer security.

Investigative journo Brian Krebs says malware in point-of-sale (POS) terminals is believed to have nicked the card information, some of which is already being used to make fraudulent transactions, we’re told.

Multiple sources have told Krebs that bank staff have traced the misused cards to a common source: the tills at restaurants and gift shops in various Hilton hotels around the US.

It is not clear how many accounts may have been compromised, but the malware was active from April 21 to July 27 of this year, apparently. Visa reportedly issued a security alert on the security breach back in August.

Sales terminals in Doubletree, Embassy Suites, Hampton, and Waldorf Astoria hotels were also compromised, it is claimed.

A Hilton spokesperson told The Register late on Friday afternoon:

Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.

If Krebs’ sources are on the money, Hilton will be the latest major American chain to suffer a massive credit card security breach as the result of a malware incursion. Criminals typically plant malware on PC-like tills to collect credit card information when a purchase is made, and then siphon off the numbers.

In 2014, Target, Home Depot, and UPS all caught infections in their tills. ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/25/hilton_pos_breach/

Friday Squid Blogging: Disney’s Minigame Squid Wars

admin — Sat, 26 Sep 2015 04:43:54 +0000

Friday Squid Blogging: Disney’s Minigame Squid Wars

It looks like a Nintendo game.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: games, squid

Posted on September 25, 2015 at 4:30 PM
•
9 Comments

Anti-Alien Security

admin — Sat, 26 Sep 2015 04:43:54 +0000

Anti-Alien Security

You can wrap your house in tinfoil, but when you start shining bright lights to defend yourself against alien attack, you’ve gone too far.

In general, society puts limits on what types of security you are allowed to use, especially when that use can affect others. You can’t place landmines on your lawn or shoot down drones hovering over your property.

Tags: drones, law enforcement, laws, security policies

Posted on September 25, 2015 at 2:23 PM
•
17 Comments

Google, Others Seek to Make Cybercrime Costlier For Criminals

admin — Sat, 26 Sep 2015 04:43:51 +0000

Most effective long-term strategy is to target the support infrastructure and financial services used by criminals, Google says

Researchers from Google and several academic institutions are devising ways to fight organized cybercrime by targeting the support infrastructure and financial services used by threat actors to conduct illegal activities.

The goal of the effort is to try and discourage fraudulent activity to the extent possible by making it costlier for criminals to operate, Kurt Thomas and Elie Bursztein, two members of Google’s Anti-Fraud and Abuse Research said in a blog post Thursday.

The two researchers pointed to several examples where Google and others have already begun taking such actions to try and disrupt the cyber underground.

By studying and understanding how cybercriminals are abusing the phone verified account system to do bulk registration of fraudulent accounts, Google for instance, has been able to make its accounts 30 to 40 percent costlier to register in the black market, Thomas and Bursztein said.

Similarly, by studying the methods used by a group of 26 underground merchants to register fake Twitter accounts, researchers at the University of California, Berkeley, George Mason University and Twitter were able to develop a method for retroactively detecting the fake accounts.

With Twitter’s help, the researchers were able to use the method to disable 95 percent of all fraudulent accounts registered by the 27 merchants, including those accounts that had already been sold in the underground.

Using similar tactics, researchers from George Mason University and the University of California, San Diego were able to disrupt payment processing for several illegal pharmacies and outlets selling counterfeit software, the two researchers said.

Such measures are needed because conventional client and server-side oriented countermeasures such as personal anti-virus tools, firewalls, network packet scanners, automated software updates, and two-factor authentication only have had a limited effect in stemming cybercrime, Thomas and Bursztein noted in the blog.

Each time security researchers have developed defensive measures cyber criminals have been able to circumvent them. “While these safeguards have significantly improved user security, they create an arms race: criminals adapt or find the subset of systems that remain vulnerable and resume operation.”

The increasing sophistication and commoditization of the cyber underground has made it easy for criminals from everywhere to trade in knowledge, technologies, services, and data for defrauding businesses and users.

The availability of specialized services for buying and selling infected systems, exploit kits, spam hosting, and user records have transformed cybercrime into a massive collaborative operation among criminals, the Google researchers said.

“An alternative strategy in this space is to target resource bottlenecks within the underground,” they said. The goal should be to try and make it costlier for cybercriminals to do business.

Going forward, security researchers need to focus on a more thorough understanding of the ecosystem used by cybercriminals to develop, execute, and profit from fraudulent campaigns, the two researchers said in a technical paper to the topic developed with other researchers.

The study of underground markets has to evolve from an exploratory niche involving mostly anecdotal research to a core-component of security research. A clear picture of how attackers profit from victims and institutions is vital to developing effective countermeasures and breaking up the “fragile interdependencies” that exist in the cyber underground, the paper said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: Dark http://www.darkreading.com/risk/google-others-seek-to-make-cybercrime-costlier-for-criminals/d/d-id/1322354?_mc=RSS_DR_EDT

Tits and ads: Malware-riddled banners stiff X-rated websites

admin — Fri, 25 Sep 2015 22:43:54 +0000

An ongoing malvertising campaign that began in August by targeting Yahoo.com, MSN.com and other websites visited by millions of people has expanded to hit smut sites as well.

Many porn websites have been fingered with tainted advertisements via an ad network called TrafficHaus, a big player in supplying ads to adult networks.

Surfers visiting xHamsters and other popular grumble flick sites were in the firing line of attacks using the Angler Exploit Kit, ultimately geared towards planting malware onto systems running outdated versions of Internet Explorer.

“The malicious advert – served by TrafficHaus – was for a dating application called ‘Sex Messenger’ and was displayed often enough that we were able to reliably reproduce the infection in our lab, something that isn’t always feasible when it comes to malvertising,” web security firm Malwarebytes reports.

TrafficHaus was quick to stop the initial assault, but this has been followed up by another tainted ad attack slinging browser-based ransomware (browlock) at surfers frequenting xHamster. The ransomware page came from TrafficHaus, according to Malwarebytes.

“This latest example is a reminder that malvertising does not always equate to malware infections via exploit kits,” Jérôme Segura, senior security researcher at Malwarebytes, explains in a blog post.

“In fact, a very large portion of malvertising attacks push fraudulent pages (FBI browserlock ransomware, tech support scams, fake surveys, etc) because they can affect all platforms, and especially mobile users,” he added.

“Those sites are typically harmless, but display alarming messages and annoying pop-ups preventing users from closing their browser easily,” he concluded. ®

Bootnotes

Sex Messenger is an application to meet up with other adults. The program itself does not appear to be malicious as such, according to Malwarebytes.

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/25/smut_site_tainted_ad_campaign_ie/

Blighty’s GCHQ stashes away 50+ billion records a day on people. Just let that sink in

admin — Fri, 25 Sep 2015 22:43:53 +0000

The enormous scale of GCHQ’s surveillance was revealed on Friday by newly published Snowden documents. The files note the growth in capabilities enjoyed by the UK government’s snoopers since intercepting communications in bulk from 2007.

These details were revealed in a series of documents published by The Intercept including one on the “flat data store” codenamed BLACK HOLE, and a document calling itself “the one-stop shop for Cyber Defence Operations legal and policy information.”

When the slide on BLACK HOLE was composed in March 2009, the flat data store held more than 1.1 trillion things which GCHQ had collected since August 2007.

The store weighed in at 217TB when uncompressed, the largest share of which was HTTP data (41 per cent), which alongside web search (19 per cent) and SMTP data (12 per cent) accounted for almost three quarters of all that it held.

Additional data covered instant messenger records, hacking logs for Computer Network Exploitation (CNE) operations, and the use of “Anonymisers.”

The collection began after Section 32 of the Terrorism Act 2007 had amended RIPA to extend interception warrants.

By 2010, GCHQ stated it was logging “30bn metadata records per day. By 2012, collection had increased to 50 billion per day, and work was underway to double capacity to 100 billion.”

GCHQ has since “developed new population scale analytics for multi-petabyte cluster,” which allows “population scale target discovery.”

In a vision document for 2013, its aim was to have created “the world’s biggest SIGINT engine to run cyber operations and to enable IA, Effects and SIGINT … [as well as] to perform CNE exfiltration, eAD, beaconry, and geo-location.”

There are 7 billion people in the world. GCHQ has 18 billion targeting identifiers for them. https://t.co/ttTIhq7K91

— Eric King (@e3i5) September 25, 2015

BLACK HOLE’s recorded events contain only metadata, according to the “Events” page from the GCWiki, although it notes that “sometimes there are grey areas between events and content” citing how the subject of an email is generally transmitted in the header portion of the SMTP communication, despite being considered content.

Slides showing GCHQ’s Content-Metadata Matrix suggest that the spooks’ views of what is metadata extends to passwords, buddylists, and folders used to organize emails.

The majority of GCHQ’s operational data is acquired through the agency’s operational activities, whether they are interception, computer network exploitation (CNE, or aggressive hacking), or through JTRIG operations.

One new document also discloses a number of tools used to analyze the data stored in BLACK HOLE, which are complementary and provide an insight into the depth and breadth of GCHQ’s surveillance practices. These tools all come under a portion of GCHQ’s analysis project called BLAZING SADDLES.

It is worth noting that the word “target” here does not mean a person specified for investigation by a warrant, but merely a hypothetical identity which has had identifiers allocated to it.

AUTOASSOC provides information as to which Target Detection Identities (TDIs) have been seen at the same time and from the same IP addresses as other TDIs – allowing the spooks to enlarge the number of identifiers tied to a particular target.
HRMap provides information about host-referrer relationships, examining how internauts traverse the web, i.e., what route they have taken to a particular site, and where they proceed to.
INFINITE MONKEYS is a tool which targets v-bulletin software, to reveal the forum accounts of targets and additionally to target particular forum users.
KARMA POLICE, which we have reported on, allows the spooks to know which websites the target visited, and when/where those targets occur – all of which is additionally tied to IPs.
MARBLED GECKO provides information about the use of Google Earth and Google Maps, which combined with MUTANT BROTH allows the noseys to see who is looking at particular areas of the Earth.
MEMORY HOLE provides information on web searches made on engines such as Google’s. It provides information on when, where, and from which IP addresses particular searches were made.
MUTANT BROTH is a tool to sift through BLACK HOLE data by TDIs, such as cookies. It allows the spooks to create a profile of any given target’s online activities.
SAMUEL PEPYS is described as “a near real-time Internet diarisation tool. It enables powerful IP stream analysis/profiling by fusing all available traffic types in one place. It contains both unselected events and content.”
SOCIAL ANIMAL provides information about how targets interact with other targets, and with files/pictures/video on the internet.
SOCIAL ANTHROPOID is a “converged comms events database” which enables the spooks to see who their targets have communicated with “via phone, internet, or using converged channels (e.g., sending emails from a phone or making voice calls over the internet).” This project is set to subsume SOCIAL ANIMAL.
GOLDEN AXE, which shares its name with a classic side-scrolling Sega game, is primarily for International Mobile Equipment Identity defeats – allowing the spooks to figure out whether particular mobile devices uniquely identify targets. The Register understands that some handsets may have identical IMEI, as in India.

These tools were being used in a Joint Collaboration Environment titled Innov8, which was testing large-scale analytics using both GCHQ and NSA data.

A sample search was provided, based on automatic TDIs, which showed visits to pornography site YouPorn, as well as Reuters, Facebook, Yahoo, and Google.

The Intercept noted that MUTANT BROTH’s ability to identify cookies was integral to GCHQ’s attack on Belgian telco Belgacom.

Cookies associated with the IPs revealed the Google, Yahoo, and LinkedIn accounts of three Belgacom engineers, whose computers were then targeted by the agency and infected with malware.

The hack, codenamed “Operation Socialist,” gained access to Belgacom’s Core GRX routers so the spooks could run man-in-the middle attacks against targets roaming with smartphones.

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/25/trillions_in_surveillance_gchq/

US, China manage to keep a straight face while promising to not hack each other’s corps

admin — Fri, 25 Sep 2015 22:43:51 +0000

US President Barack Obama and Chinese President Xi Jinping have announced an cyber-peace deal in which neither side will engage in commercial spying online.

“We have agreed that neither the US nor the Chinese government will conduct, or knowingly support, cyber-enabled theft of intellectual property – including trade secrets or other confidential business information – for commercial advantage,” Obama said in a press conference on Friday.

“In addition we will work together, and with other nations, to promote international rules of the road for appropriate conduct in cyberspace.”

As part of the no-hack pact, the two superpowers will share information about online threats and set up meetings to discuss hackers latest techniques. The US and China will also create a body of experts to look into computer network defenses.

On the Chinese side, this will include representatives from Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office. The US Secretary of Homeland Security and the US Attorney General will co-chair the group, with staff from the FBI, intelligence community, and other agencies.

The gang will meet twice a year to go over outstanding issues and discuss progress in online security. A hotline will also be established between the two nations to ensure a speedy response to online security issues as they come up.

#DOJ, which has indicted Chinese officials for hacking, will work with Chinese officials to crack down on hacking.

http://t.co/uU3XEEASva

— Brad Heath (@bradheath) September 25, 2015

President Xi began his state visit with protestations that China doesn’t slurp commercial secrets from other countries, and is more hacked against than hacking. He called the peace deal “productive” in today’s press conference.

But there are real doubts that the agreement will stick. Let’s face it, working out who hacked whom is difficult, and it would be easy for any miscreant to route their attacks through a server in almost any country.

Crucially, the pact covers nothing about political or “national security” hacking, so expect to see plenty of this sort of stuff going forward. ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/25/us_china_promise_to_stop_hacking/

People Who Need to Pee Are Better at Lying

admin — Fri, 25 Sep 2015 16:43:50 +0000

People Who Need to Pee Are Better at Lying

No, really.

Abstract: The Inhibitory-Spillover-Effect (ISE) on a deception task was investigated. The ISE occurs when performance in one self-control task facilitates performance in another (simultaneously conducted) self-control task. Deceiving requires increased access to inhibitory control. We hypothesized that inducing liars to control urination urgency (physical inhibition) would facilitate control during deceptive interviews (cognitive inhibition). Participants drank small (low-control) or large (high-control) amounts of water. Next, they lied or told the truth to an interviewer. Third-party observers assessed the presence of behavioral cues and made true/lie judgments. In the high-control, but not the low-control condition, liars displayed significantly fewer behavioral cues to deception, more behavioral cues signaling truth, and provided longer and more complex accounts than truth-tellers. Accuracy detecting liars in the high-control condition was significantly impaired; observers revealed bias toward perceiving liars as truth-tellers. The ISE can operate in complex behaviors. Acts of deception can be facilitated by covert manipulations of self-control.

News article.

Tags: behavioral detection, deception, lies

Posted on September 25, 2015 at 5:54 AM
•
25 Comments