The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | hacking

DDoS from IoT Devices

On October 21st, a large number of websites, including some of the biggest names, were knocked off the Internet by a massive distributed denial-of-service (DDoS) attack. A DDoS attack occurs when thousands to millions of devices send traffic to a target, completely overloading its servers or Internet connection.

· · ·

Looking in Dark Box

I have long said that privacy services are all about trust. I this article demonstrating how to use a simple web proxy to compromise the users of that proxy. Of course, the operator of the proxy is being untrustworthy, but that is the whole point. If you don’t have a reason to specifically trust the operator of your privacy service, you need to assume that they are attempting to do you harm. Of course, the same argument applies to Tor. Literally anyone could be running that proxy for any purpose. (more…)

· · · ·


Dark Hotel hall

Kaspersky recently announced the discovery of a new Advanced Persistent Threat (APT) that they are calling DarkHotel. This is in the fine tradition of giving all newly discovered hackers or vulnerabilities clever and evil sounding names. In this case they have found something quite interesting.

For the last 7 years a group has been systematically targeting executives and government officials staying at high end hotels. They hack their computers and grab their files, sniff their keyboards, and install virus that can then spread within the victim’s organization. (more…)

· · · · ·

NSA’s TAO — Dark Reading

The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.

None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.

We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.

Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.

This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.

For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.

If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

· · ·

OS News has an interesting article: The second operating system hiding in every mobile phone

It discusses the security implications of the fact that all cell phones run two operating systems. One is the OS that you see and interact with: Android, iOS, Windows Phone, BlackBerry, etc. The other is the OS running on the baseband processor. It is responsible for everything to do with the radios in the phone, and is designed to handle all the real time processing requirements.

The baseband processor OS is generally proprietary, provided by the maker of the baseband chip, and generally not exposed to any scrutiny or review. It also contains a huge amount of historical cruft. For example, it responds to the old Hays AT command set. That was used with old modems to control dialing, answering the phone, and setting up the speed, and other parameters required to get the devices to handshake.

It turns out that if you can feed these commands to many baseband processors, you can tell them to automatically and silently answer the phone, allowing an attacker to listen in on you.

Unfortunately the security model of these things is ancient and badly broken. Cell towers are assumed to be secure, and any commands from them are trusted and executed. As we saw at Def Con in 2010, it is possible for attackers to spoof those towers.

The baseband processor, and its OS, is generally superior to the visible OS on the phone. That means that the visible OS can’t do much to secure the phone against these vulnerabilities.

There is not much you can do about this as an end user, but I thought you should know. 🙂

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

· · ·

Infosec Institute published an article showing in detail how application signing on Android devices can be defeated.

This trick allows the attacker to modify a signed application without causing the application to fail its signature check.

The attack works by exploiting a flaw in the way signed files in the .apk zip file are installed and verified. Most zip tools don’t allow duplicate file names, but the zip standard does support it. The problem is that, when confronted by such a situation the signature verification system and the installer do different things.

The signature verifier checks the first copy of a duplicated file, but the installer actually installs the last one.

So, if the first version of a file in the archive is the real one, then the package will check as valid, but then your evil second version actually gets installed and run.

This is another example of vulnerabilities hiding in places you least expect.

· · · ·


Welcome to The Privacy Blog Podcast for May 2013.

In this month’s episode, I’ll discuss how shared hosting is increasingly becoming a target and platform for mass phishing attacks. Also, I’ll speak about the growing threat of Chinese hackers and some of the reasons behind the increase in online criminal activity.

Towards the end of the episode, we’ll address the hot topic of Google Glass and why there’s so much chatter regarding the privacy and security implications of this technology. In related Google news, I’ll provide my take on the recent announcement that Google is upgrading the security of their public keys and certificates.

Leave any comments or questions below. Thanks for listening!

· · · · · · ·

Thanks to the Financial Times for their article on this.

When we hear that a company has been hacked by China what is usually meant is that the company has been hacked from a computer with a Chinese IP address. The immediate implication is that it is Chinese government sponsored.

Of course, there are many ways in which the attacks might not be from anyone in China at all. Using proxies or compromised computers as relays, would allow the attacker to be anywhere in the world while appearing to be in China. The fact that there is so much hype about Chinese government hacking right now, makes China the perfect false flag for any attacker. It sends investigators down the wrong path immediately. However, there is growing evidence that many of the attacks are actually being perpetrated by independent Chinese civilian criminal hackers out to make a buck. They are intent on stealing and selling intellectual property. The huge supply, and under employment, of computer trained people in China may be to blame. They have the skills, the time, and a need for money.

The Chinese government has also been very lax about trying to track down these individuals and generally suppress this kind of activity. The hacking activity is certainly beneficial to the Chinese economy, as the IP is generally stolen from outside China and sold to give advantage to Chinese companies. That gives a kind of covert and subtle support to the hacking activity without any actual material help or direction.

So, it is not quite government sponsored, and it IS actually Chinese. The bottom line is that it is a real problem, and a threat that is actually harder to track down and prevent because it is so amorphous.

· ·

Another from the “if the data exists, it will get compromised” file.

This article from the Washington Post talks about an interesting case of counter surveillance hacking.

In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.

Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.

I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.

Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.

· · · ·

It is often debated if, and how often, hackers are going after critical infrastructure like water plants, generators, and such.

MIT Technology Review reports on a security researcher Kyle Wilhoit’s exploration of this question. He set up two fake control systems and one real one (just not connected to an actual plant), which he then connected to the Internet.

Over the course of the one month experiment he detected 39 sophisticated attacks against his “honeypot” systems. The attackers did not just penetrate the systems, but also manipulated their settings, which would have had real world impacts had these been real systems.

One must assume that the same is happening to any real Internet accessible industrial control systems.

· ·

Older posts >>