Sony hack shows how hard it is to stay anonymous

Asian woman headsmack FBI Director James Cormey says that the North Korean’s who hacked Sony were tracked because of bad operational security in their use of proxies.

We saw the same thing with the take down of the Silk Road website. Few people have the skills, tools, and discipline to be 100% consistent with their anonymity. Any slip at any time can blow your cover. Of course, this could have been an intentional false flag, the rabbit hole can get very deep. Jeff Carr makes the case that this is actually quite likely.

"FBI Director James Comey, today, said that the hackers who compromised Sony Pictures Entertainment usually used proxy servers to obfuscate their identity, but "several times they got sloppy."

Speaking today at an event at Fordham University in New York, Comey said, "Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using ... were exclusively used by the North Koreans."

FBI Director Says 'Sloppy' North Korean Hackers Gave Themselves Away

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Are free proxies hurting your security?

Looking in Dark Box I have long said that privacy services are all about trust. I this article demonstrating how to use a simple web proxy to compromise the users of that proxy. Of course, the operator of the proxy is being untrustworthy, but that is the whole point. If you don’t have a reason to specifically trust the operator of your privacy service, you need to assume that they are attempting to do you harm. Of course, the same argument applies to Tor. Literally anyone could be running that proxy for any purpose.

Why are free proxies free?

I recently stumbled across a presentation of Chema Alonso from the Defcon 20 Conference where he was talking about how he created a Javascript botnet from scratch and how he used it to find scammers and hackers.

Everything is done via a stock SQUID proxy with small config changes.

The idea is pretty simple:

  1. [Server] Install Squid on a linux server
  2. [Payload] Modify the server so all transmitted javascript files will get one extra piece of code that does things like send all data entered in forms to your server
  3. [Cache] Set the caching time of the modified .js files as high as possible

Read the whole article.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Security advice for travelers to Sochi Olympic hacking hotzone

Sochi passport stampsSochi visitors entering hacking 'minefield' by firing up electronics | Security & Privacy - CNET News UPDATE: According to Errata security the NBC story about the hacking in Sochi total BS. Evidently: They were in Moscow, not Sochi. The hack was from sites they visited, not based on their location. They intentionally downloaded malware to their Android phone. So, as a traveler you are still at risk, and my advice still stands, but evidently the environment is not nearly as hostile as reported.

According to an NBC report, the hacking environment at Sochi is really fierce. After firing up a couple of computers at a cafe, they were both attacked within a minute, and within a day, both had been thoroughly compromised.

While you are vulnerable anywhere you use the Internet, it appears that attackers are out in force looking for unwary tourists enjoying the olympics.

Make sure you take precautions when you travel, especially to major events like the Sochi Olympics.

  • Enable whole disk encryption on your laptop (FileVault for Mac and TrueCrypt for Windows), and always power off your computer when you are done, rather than just putting it to sleep.
  • Turn off all running applications before you connect to any network, particularly email. That will minimize the number of connections your computer tries to make as soon as it gets connectivity.
  • Enable a VPN like Anonymizer Universal the moment you have Internet connectivity, and use it 100% of the time.
  • If you can, use a clean computer with a freshly installed operating system.
  • Set up a new Email account which you will only use during the trip. Do not access your real email accounts.
  • Any technology you can leave behind should be left back at home.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

NSA's TAO -- Leaked catalog of tools and techniques

NSA's TAO -- Dark Reading

The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.

None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.

We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.

Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.

This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.

For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.

If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The second operating system hiding in every mobile phone

OS News has an interesting article: The second operating system hiding in every mobile phone It discusses the security implications of the fact that all cell phones run two operating systems. One is the OS that you see and interact with: Android, iOS, Windows Phone, BlackBerry, etc. The other is the OS running on the baseband processor. It is responsible for everything to do with the radios in the phone, and is designed to handle all the real time processing requirements.

The baseband processor OS is generally proprietary, provided by the maker of the baseband chip, and generally not exposed to any scrutiny or review. It also contains a huge amount of historical cruft. For example, it responds to the old Hays AT command set. That was used with old modems to control dialing, answering the phone, and setting up the speed, and other parameters required to get the devices to handshake.

It turns out that if you can feed these commands to many baseband processors, you can tell them to automatically and silently answer the phone, allowing an attacker to listen in on you.

Unfortunately the security model of these things is ancient and badly broken. Cell towers are assumed to be secure, and any commands from them are trusted and executed. As we saw at Def Con in 2010, it is possible for attackers to spoof those towers.

The baseband processor, and its OS, is generally superior to the visible OS on the phone. That means that the visible OS can’t do much to secure the phone against these vulnerabilities.

There is not much you can do about this as an end user, but I thought you should know. :)

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast - Ep. 13: Adobe, Russia, the EU, Experian, Google, Silk Road, and Browser Fingerprinting

Welcome to episode 13 of our podcast for September, 2013.In this episode I will talk about: A major security breach at Adobe How airplane mode can make your iPhone vulnerable to theft Russian plans to spy on visitors and athletes at the winter Olympics Whether you should move your cloud storage to the EU to avoid surveillance Identity thieves buying your personal information from information brokers and credit bureaus How to stop google using your picture in its ads Why carelessness lead to the capture of the operator of the Silk Road And how Browser Fingerprinting allows websites to track you without cookies.

Please let me know what you think, and leave suggestions for future content, in the comments.

The Privacy Blog Podcast – Ep.10: Storage Capacity of the NSA Data Center, Royal Baby Phishing Attacks, and how your SIM Card is Putting you at Risk

Welcome to Episode 10 of The Privacy Blog Podcast, brought to you by Anonymizer. In July’s episode, I’ll be talking about the storage capacity of the NSA’s data center in Utah and whether the US really is the most surveilled country in the world. Next, I’ll explain why the new royal baby is trying to hack you and how your own phone’s SIM card could be putting your privacy at risk.

Lastly, I’ll discuss the current legal status of law enforcement geolocation, Yahoo!’s decision to reuse account names, and  some exciting Anonymizer Universal news.

As always, feel free to leave any questions in the comments section. Thanks for listening!

The Privacy Blog Podcast - Ep.8: Phishing Attacks, Chinese Hackers, and Google Glass

Welcome to The Privacy Blog Podcast for May 2013. In this month’s episode, I’ll discuss how shared hosting is increasingly becoming a target and platform for mass phishing attacks. Also, I’ll speak about the growing threat of Chinese hackers and some of the reasons behind the increase in online criminal activity.

Towards the end of the episode, we’ll address the hot topic of Google Glass and why there’s so much chatter regarding the privacy and security implications of this technology. In related Google news, I’ll provide my take on the recent announcement that Google is upgrading the security of their public keys and certificates.

Leave any comments or questions below. Thanks for listening!

Government enabled Chinese criminal hacking.

Thanks to the Financial Times for their article on this.

When we hear that a company has been hacked by China what is usually meant is that the company has been hacked from a computer with a Chinese IP address. The immediate implication is that it is Chinese government sponsored.

Of course, there are many ways in which the attacks might not be from anyone in China at all. Using proxies or compromised computers as relays, would allow the attacker to be anywhere in the world while appearing to be in China. The fact that there is so much hype about Chinese government hacking right now, makes China the perfect false flag for any attacker. It sends investigators down the wrong path immediately. However, there is growing evidence that many of the attacks are actually being perpetrated by independent Chinese civilian criminal hackers out to make a buck. They are intent on stealing and selling intellectual property. The huge supply, and under employment, of computer trained people in China may be to blame. They have the skills, the time, and a need for money.

The Chinese government has also been very lax about trying to track down these individuals and generally suppress this kind of activity. The hacking activity is certainly beneficial to the Chinese economy, as the IP is generally stolen from outside China and sold to give advantage to Chinese companies. That gives a kind of covert and subtle support to the hacking activity without any actual material help or direction.

So, it is not quite government sponsored, and it IS actually Chinese. The bottom line is that it is a real problem, and a threat that is actually harder to track down and prevent because it is so amorphous.

Hacking for counter surveillance

Another from the "if the data exists, it will get compromised" file.

This article from the Washington Post talks about an interesting case of counter surveillance hacking.

In 2010, Google disclosed that Chinese hackers breached Google's servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.

Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.

I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.

Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.

Attackers are going after water plants and other infrastructure

It is often debated if, and how often, hackers are going after critical infrastructure like water plants, generators, and such.

MIT Technology Review reports on a security researcher Kyle Wilhoit's exploration of this question. He set up two fake control systems and one real one (just not connected to an actual plant), which he then connected to the Internet.

Over the course of the one month experiment he detected 39 sophisticated attacks against his "honeypot" systems. The attackers did not just penetrate the systems, but also manipulated their settings, which would have had real world impacts had these been real systems.

One must assume that the same is happening to any real Internet accessible industrial control systems.

The Privacy Blog Podcast – Ep.7: Blacklisted SSL Certificates, Social Media Hacking, and the “Right to be Forgotten” Online

Welcome to episode 7 of The Privacy Blog Podcast. In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox - Specifically, what this complex issue means and why Mozilla chose to start doing this.

In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.

Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.

The power we give to Social Media

Last week the Twitter account of the Associated Press was hacked, and a message posted saying that bombs had gone off in the white house, and the president was injured.

 

Obviously this was false. The Syrian Electronic army a pro regime hacker group has claimed responsibility, which does not prove that they did it.

There is talk about Twitter moving to two factor authentication to reduce similar hacking in the future. While this is all well and good, it will not eliminate the problem.

The bigger issue is that these poorly secured social media sites are used by people around the world as reliable sources of news.

Apparently much of the crash came from automated trading systems parsing the tweet, and generating immediate trades without any human intervention at all.

The DOW dropped 140 points in 5 minutes.

The creators of these trading algorithms feel that news from twitter is reliable enough to be the basis of equity trades without any confirmation, or time for reflection.

Certainly very large amounts of money were made and lost in that short period.

Why make the effort to hack into what we hope is a well defended nuclear power plant or other critical infrastructure, when you can get similar amounts of financial damage from subverting a nearly undefended twitter account.

Because individual twitter accounts are not considered critical infrastructure, they are hardly protected at all, and are not designed to be easy to protect.

Nevertheless we give it, and other social media, substantial power to influence us and our decisions, financial and otherwise.

Take for example the crowd sourced search for the Boston bombers on reddit. Despite the best of intentions, many false accusations were made that had major impact on the accused, and one can imagine scenarios which could have turned out much worse. What if the accused at committed suicide, been injured in a confrontation with authorities, or been the vicim of vigilante action? Now, what if there had been malicious players in that crowd intentionally subverting the process. Planting false information, introducing chaos and causing more damage.

 

This is an interesting problem. There are no technical or legislative solutions. It is a social problem with only social solutions. Those are often the hardest to address.

Devastatingly effective spear phishing

The BBC has an article that powerfully reinforces what I have been saying for years about spear phishing. It is worth a read if just for the specific examples.

The short version is, if an attacker is going for you specifically, they can do enough research to craft an email and attachment that you are almost certain to open. The success rate against even very paranoid and sophisticated users is shockingly high.

In Bruce Schneier's blog post about this he quotes Brian Snow, former NSA Information Assurance Director. "Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents."

Sobering….

A peek at the cybercrime economy

The latest Java exploit has given another view into the workings of the cybercrime economy. Although I should not be, I am always startled at just how open and robustly capitalistic the whole enterprise has become. The business is conducted more or less in the open.

Krebs on Security has a nice piece on an auction selling source code to the Java exploit. You can see that there is a high level of service provided, and some warnings about now to ensure that the exploit you paid for stays valuable.