Monday, December 30, 2013

A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).
ANT's catalog runs to 50 pages, and lists electronic break-in tools, wiretaps, and other spook toys. For example, the catalog offers FEEDTROUGH, an exploit kit for Juniper Networks' firewalls; gimmicked monitor cables that leak video-signals; BIOS-based malware that compromises the computer even before the operating system is loaded; and compromised firmware for hard drives from Western Digital, Seagate, Maxtor and Samsung.
Many of the exploited products are made by American companies, and hundreds of millions of everyday people are at risk from the unpatched vulnerabilities that the NSA has discovered in their products.
The ANT division doesn't just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer's motherboard that is the first thing to load when a computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe this approach has provided them with the possibility of permanent access.
Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.
Shopping for Spy Gear: Catalog Advertises NSA Toolbox [Jacob Appelbaum, Judith Horchert and Christian Stöcker/Spiegel] 

Tuesday, December 17, 2013

A Department of Energy network breach earlier this year that allowed hackers to download sensitive personal information for 104,000 people was the result of a decade-old patchwork of systems, some that hadn't installed critical security updates in years, according to a federal watchdog.
July's successful hack on the department's Employee Data Repository database was at least the third one to occur since 2011, DOE Inspector General Gregory H. Friedman wrote in a recently published review of the breach. The hack resulted in the exfiltration of more than 104,000 individuals' personally identifiable information (PII), including their social security numbers, bank account data, dates and places of birth, user names, and answers to security questions. The department expects to incur costs of $3.7 million setting up credit monitoring and in lost productivity. That figure doesn't include the costs of fixing the vulnerable systems.
The inspector general review recited a litany of failures that allowed hackers to penetrate system defenses. Chief among them is the fact that none of the 354 database tables containing social security numbers were encrypted. Using strong cryptography to protect such "at rest" PII has long been considered a best practice in government and corporate data security. The department's management information system (MIS) that allowed access to the DOEInfo databases also failed to require common security enhancements, such as two-factor authentication or a department-issued virtual private network.

Wednesday, December 11, 2013


Use a Plagiarism Checker to Get References for a Research Paper

ADAM DACHIS on LIFEHACKER STUDY HACKS

Getting all your citations together for a research paper can take a lot of work, and you might miss a few if you're not careful. To avoid this problem, redditor Disguising suggests finding what you need fast by using a plagiarism checker.
When you run your paper through a checker, you'll get a bunch of sources you can use to quickly assemble a bibliography. This takes less work than figuring it out yourself through the books. Here are a few checkers you can use:
Your mileage may vary with the different tools, so you probably should run your paper through a few of them to get all your sources. You'll know if it missed anything, as you have the books, so you can always add the remaining sources the hard way if it did. This method just might give you a few extra sources to cite, however, so you can make sure you don't wind up getting accused of plagiarism when you didn't do anything wrong.

Monday, December 9, 2013

The Federal Register on Floppies... REALLY???

This is the way some Federal agencies transmit their daily notices to the Federal Register.
Imagine this scenario: your job is to take hundreds of pages worth of content every day and publish it to the Web, but the only way you're guaranteed to get that content is on paper. If you're lucky, the paper copy comes with an electronic version on CD—or a 3.5-inch floppy disk.
That's exactly what happens at the Federal Register, the New York Times reports. The federal publication is a record of executive orders, proposed regulatory changes and other official federal notices. It's assembled by an office of the National Archives and published on the Web and in print daily by the Government Printing Office. And while the laws and regulations that govern how agencies are required to submit content to the Register allow for digitally signed e-mail messages, some agencies haven't implemented the public-key infrastructure (PKI) required to send such messages. Flash drives and SD cards aren't even allowed yet because they didn't exist at the time the regulations were written.
That means that a number of agencies still submit their notices by courier and on floppy disk. Amy P. Bunk, the Federal Register's director of legal affairs and policy, told the Times that while many agencies now do use signed e-mails, the GPO could not make it mandatory until Congress amends the Federal Register Act and provides the funding required for all agencies to implement PKI. But due to budget cuts, some agencies are at least a year away from having PKI in place.
Read on Ars Technica
Microsoft appears to be readying some significant changes to its next version of Windows. Paul Thurrott reports that Microsoft is planning to make the Start menu available as an option in the next major Windows release, currently codenamed "Threshold." The Start menu change will follow a recent reversal that Microsoft made in Windows 8.1, bringing back the Start button UI. It’s not clear if the Start menu will be made available for all versions of Windows Threshold, and Thurrott speculates it may appear as an option for those that only support desktop apps.

Further Threshold changes appear to include an option to run Windows 8-style ("Metro") apps on the desktop. Currently, the new Windows 8-style apps can run alongside the desktop, but the next version of Windows is said to expand this greatly by allowing Metro apps to float as separate windows on the desktop. Third-party tools like Stardock’s ModernMix already support this, but it appears Microsoft will add it natively to provide more flexibility for its new style apps.

Separate versions of Windows for consumer and business

On the topic of Threshold, ZDNet is also reporting that Microsoft is moving to a simplified version of Windows for consumers, including a version focused on Windows 8-style apps that’s updated frequently and available for ARM-based Windows tablets, PCs, and Windows Phones. A more traditional consumer version will be designed for the current PC market and fully support existing desktop apps. A separate enterprise version will include the policy management and enterprise features that you’d expect, but it’s not designed to be updated as frequently as the consumer SKUs. The Verge can confirm Microsoft is investigating separate consumer and enterprise versions of Windows.

Microsoft’s Windows "Threshold" version is expected to debut in spring 2015.

And the list keeps growing...

10,000 Top Passwords


Back when I wrote Perfect Passwords, I generated a list of the top 500 worst (aka most common) passwords which seems to have propagated quite a bit across the internet, including being mentioned on Gizmodo, Boing Boing, Symantec, Laughing Squid and many other sites. Since then I have collected a large number of new passwords bringing my current list to about 6,000,000 unique username/password combos, including many of those that have been recently made public*.
At some point I will make this full data set publicly available but in the meantime, I have decided to release the following list of the top 10,000 most common passwords. This list is ranked by counting how many different usernames appear on my list with the same password. Note that for this list, I do not take capitalization into consideration when matching passwords so this list has been converted to all lowercase letters. What is interesting here is that in my current sample data, this list of the 10,000 most common passwords represents 99.8% of all user passwords.
Here are the files:
While many people have improved the security and strength of their passwords, there are still a huge number of people who pick from a very small list of common passwords. In fact, 91% of all user passwords sampled all appear on the list of just the top 1,000 passwords.
The following graph illustrates how often users select common passwords (click for larger):
Passwords Frequency
What is interesting here is how fast that curve drops from the top password (which is password). In other words, as you go down the list of top passwords, the number of users that select that password drops dramatically.
Here are some interesting facts gleaned from my most recent data:
  • 4.7% of users have the password password;
  • 8.5% have the passwords password or 123456;
  • 9.8% have the passwords password, 123456 or 12345678;
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1000 passwords
Of course, a chart only means so much, so here is the data for the top 500 passwords show as a tag cloud (click for larger):
It is important to point out that although the top 10,000 passwords are used by 98.8% of all users, there are 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only 0.18% of users!
So how does the new top 500 list compare to my old top 500 list? Here is a visual diff that shows how it has changed.

* Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.
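As an added illustration of the ranking method described in the post (this is example code, not code from the post or from Mark Burnett), the following Python script counts distinct usernames per lowercased password, ranks the result, reports what share of users a top-N list covers, and turns that list into a blocklist a registration form can check new passwords against. The username/password pairs are constructed sample data, not entries from the real list.

```python
from collections import defaultdict

# Constructed sample of username/password pairs (not entries from the real list).
# The same pair can appear twice, as it would when several dumps are merged.
SAMPLE_COMBOS = [
    ("alice", "Password"), ("bob", "password"), ("carol", "123456"),
    ("dave", "123456"), ("erin", "qwerty"), ("frank", "letmein"),
    ("grace", "PASSWORD"), ("heidi", "12345678"), ("ivan", "Tr0ub4dor&3"),
    ("judy", "correct horse"), ("alice", "password"),
]


def rank_passwords(combos):
    """Rank passwords by how many distinct usernames use them.

    Matching is case-insensitive, so "Password" and "PASSWORD" count as one
    password; a username is counted once per password even if the same pair
    shows up in several source dumps.  Returns [(password, user_count), ...]
    sorted by count (descending) and then alphabetically for stable ties.
    """
    users_per_password = defaultdict(set)
    for username, password in combos:
        users_per_password[password.lower()].add(username.lower())
    return sorted(((pw, len(users)) for pw, users in users_per_password.items()),
                  key=lambda item: (-item[1], item[0]))


def coverage(ranked, top_n):
    """Share of (user, password) entries whose password is in the top-N list."""
    total = sum(count for _, count in ranked)
    covered = sum(count for _, count in ranked[:top_n])
    return covered / total if total else 0.0


def build_blocklist(ranked, top_n):
    """Lowercased set of the top-N passwords, for rejecting new passwords."""
    return {pw for pw, _ in ranked[:top_n]}


def is_blocked(candidate, blocklist):
    """True if a proposed password matches a blocklisted one (case-insensitive)."""
    return candidate.lower() in blocklist


if __name__ == "__main__":
    ranked = rank_passwords(SAMPLE_COMBOS)
    for n in (1, 2, 5):
        print(f"top {n} covers {coverage(ranked, n):.0%} of users")
    blocklist = build_blocklist(ranked, 2)
    print("'PASSWORD' blocked:", is_blocked("PASSWORD", blocklist))
```

On the constructed sample the top password alone covers 30% of users and the top two cover 50%, which mirrors the steep drop-off the post describes; on real data the same functions produce the top-10/top-100/top-1000 coverage figures directly.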

Creative Commons License
This work by Mark Burnett is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net).


Report: The NSA Has Undercover World of Warcraft Agents


For the NSA, your real life isn't enough. No, as well as reading your emails and monitoring your phone calls, its agents have been deployed inside MMORPGs like World of Warcraft and Second Life, as well as Xbox Live.
A briefing uncovered by the Guardian reveals that the NSA—and its UK sister agency GCHQ—have infiltrated the massive online gaming communities in their quest to uncover secrets. The newspaper reports that the NSA has "built mass-collection capabilities against the Xbox Live console network," as well as deploying agents in the virtual kingdoms of World of Warcraft and Second Life.
The report—originally penned in 2008—explains that these digital realms are "target-rich communications networks" where bad-doers could "hide in plain sight". The Guardian also explains how there "were attempts, too, to recruit potential informants from the games' tech-friendly users." Why such a rich seam? The Guardian explains:
If properly exploited, games could produce vast amounts of intelligence, according to the NSA document. They could be used as a window for hacking attacks, to build pictures of people's social networks through "buddylists and interaction", to make approaches by undercover agents, and to obtain target identifiers (such as profile photos), geolocation, and collection of communications.
The ability to extract communications from talk channels in games would be necessary, the NSA paper argued, because of the potential for them to be used to communicate anonymously: Second Life was enabling anonymous texts and planning to introduce voice calls, while game noticeboards could, it states, be used to share information on the web addresses of terrorism forums.
Indeed, given that plenty of gamers use voice headsets, video cameras, and other such tech, there was a ready-to-be-tapped stream of biometric information, too. All that said, though, the document doesn't indicate that any of this wealth of data ever foiled any terrorism plots. Nor, for that matter, is it clear that any terror groups really use such virtual communities to communicate, even though the NSA suspected they might.
The report should raise privacy concerns for gamers. Firstly, it's unclear how the NSA ensured it was monitoring the correct targets—many could, in theory, have been innocent Americans. Second, it's unclear how much data was acquired. It could be a lot. Masses, in fact. All in, it's another example of the NSA scrabbling to acquire as much data as possible with little thought for the impact of its investigations, or, for that matter, the methodology behind it. Sadly, by now we know it won't be the last to come to light. [Guardian]
Image by beketchai under Creative Commons license

Friday, December 6, 2013

Someone's Been Siphoning Data Through a Huge Internet Security Hole

Sometimes, something is so big that you don't notice it for a long time. You suddenly realize you're in a massive crater, say, or that a building is towering overhead. Or, in this case, a gaping security void in the internet. And someone's been siphoning massive amounts of data out of it.
Wired reports that someone, somewhere, has been using a security loophole—one that was feared might exist—to hijack internet traffic headed to government agencies, corporate offices and other recipients in the U.S. First, it was redirected to Belarus and Iceland, then latterly sent on to its intended destinations. It happened for several months, until someone noticed. Wired explains:
The stakes are potentially enormous, since once data is hijacked, the perpetrator can copy and then comb through any unencrypted data freely — reading email and spreadsheets, extracting credit card numbers, and capturing vast amounts of sensitive information.
The attackers initiated the hijacks at least 38 times, grabbing traffic from about 1,500 individual IP blocks — sometimes for minutes, other times for days — and they did it in such a way that, researchers say, it couldn't have been a mistake.
So what was the motivation? Well, initially it seemed financial—much of the data was destined for a big bank—but then data showed up that was headed to foreign ministries and *cough* a "large VoIP provider in the U.S." Combine that with the fact that the hacks were routed through two outposts—though it's believed it's all masterminded by one team—and it's proving tricky to work out who is, in fact, behind it all. As Wired says:
Tony Kapela [one of the researchers who discovered the breach] says the culprit... could actually be an outsider who simply seizes control of one of the systems and sends out the bogus announcement without the owner of the system knowing it. He imagines a scenario where an attacker gains physical access to a router belonging to one of the companies and installs a monitoring device to record data, then gains control of the router console to send out a bogus BGP announcement to redirect traffic through the router. If anyone discovers the redirect, the culprit would appear to be the company that owned the router.
Which leaves the internet at a bit of a loss as to what's going on—and how to stop it. How quickly the mystery can be solved remains to be seen. [Wired]
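An added example (not code from Wired, Gizmodo or the researchers quoted above) of how a network operator can spot the kind of bogus BGP announcement described in the story: compare the origin AS of each observed announcement against a table of expected origins, and flag both an exact-prefix announcement from the wrong AS and a more-specific prefix announced by an unexpected AS, since the more-specific route wins longest-match selection and is the classic hijack shape. The prefixes, ASNs and announcements are constructed (documentation ranges and private ASNs), and the expected-origin table is assumed to be something the operator maintains, for instance from its own allocations or from RPKI data.

```python
import ipaddress

# Constructed expected-origin table (documentation prefixes, private ASNs):
# prefix -> set of ASNs allowed to originate it or any more-specific of it.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
}

# Constructed observed announcements: (prefix, AS path).  The origin AS is the
# last element of the path, as in a real BGP UPDATE.
OBSERVED = [
    ("192.0.2.0/24", [64500, 64496]),       # legitimate announcement
    ("192.0.2.0/25", [64500, 64511]),       # more-specific from an unexpected origin
    ("198.51.100.0/24", [64511]),           # exact prefix, wrong origin
    ("203.0.113.0/24", [64499]),            # not in our table
]


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Classify one announcement against the expected-origin table.

    Returns "ok", "origin mismatch", "more-specific hijack suspected" or
    "unmonitored".  A more-specific prefix wins BGP's longest-match
    selection, so a /25 inside a monitored /24 from the wrong origin diverts
    all traffic for that half of the block and gets its own verdict.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    origin = as_path[-1]
    for covered, allowed in expected.items():
        cov = ipaddress.ip_network(covered, strict=True)
        # subnet_of() only accepts networks of the same IP version
        if net.version != cov.version or not net.subnet_of(cov):
            continue
        if origin in allowed:
            return "ok"
        if net.prefixlen > cov.prefixlen:
            return "more-specific hijack suspected"
        return "origin mismatch"
    return "unmonitored"


def find_alerts(observed, expected=EXPECTED_ORIGINS):
    """Return [(prefix, origin_asn, verdict)] for every suspicious announcement."""
    alerts = []
    for prefix, as_path in observed:
        verdict = classify(prefix, as_path, expected)
        if verdict not in ("ok", "unmonitored"):
            alerts.append((prefix, as_path[-1], verdict))
    return alerts


if __name__ == "__main__":
    for prefix, origin, verdict in find_alerts(OBSERVED):
        print(f"{prefix} originated by AS{origin}: {verdict}")
```

In practice the observed announcements would come from a route collector or the operator's own BGP feed; the check itself is the same, and an alert on a more-specific prefix is the one worth paging on, because that route is what pulls traffic away from the legitimate path.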

Thursday, December 5, 2013

Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats


In my travels abroad over the years, I have had the great opportunity to meet with many enterprise customers to discuss the evolving threat landscape.  In addition to helping inform customers, these meetings have provided me with an opportunity to learn more about how customers are managing risk within their environments.   Many of these customers are interested in learning about the top threats found in enterprise environments.  Visibility into what threats are most common in enterprise environments helps organizations assess their current security posture and better prioritize their security investments.  Given the high level of interest in this information, I thought it would be helpful to take a close look at the top 10 threats facing enterprise customers based on new intelligence from the latest Microsoft Security Intelligence Report (SIRv15).
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13).  The “encounter rate” is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware. This is different from the number of systems that actually get infected with malware, a measure called computers cleaned per mille (CCM).
Figure 1 (left): The malware encounter rates for consumer and enterprise computers, 3Q12-2Q13.  Figure 2 (right): The quarterly trends for the top 10 families detected by Microsoft enterprise security products, 3Q12-2Q13, by percentage of computers encountering each family in 2Q13.
When we look at the top 10 enterprise threats worldwide from the list above, it gives us insight into the most common ways in which enterprise organizations are coming into contact with malware today.  Based on this list, there are three primary methods in which enterprises are encountering malware:
  • Via malicious or compromised websites
  • Worms that spread through network drives, Autorun feature abuse, and/or weak passwords
  • Social engineering that tricks the user into installing malware on their system 
Malicious or Compromised Websites
By the end of 2012, web-based attacks had surpassed traditional network worms to become the top threats facing enterprises.  The latest Security Intelligence Report shows this trend is continuing in the first half of 2013.
Figure 3: The quarterly trends for the top 10 families detected by Microsoft enterprise security products, between the third quarter of 2012 and the second quarter of 2013, by percentage of computers encountering each family


In fact, in 2Q13 six out of the top ten threats facing enterprises were associated with malicious or compromised websites.  These threats include JS/Seedabutor, HTML/IframeRef, Win32/Sirefef, JS/BlacoleRef, Java/CVE-2012-1723 and Blacole. Computer users in organizations typically come into contact with these types of malicious or compromised websites unexpectedly when browsing the web while using their organization’s systems.
For example, in the case of HTML/IframeRef, attackers have built automated systems that probe websites to identify and infect vulnerable web servers.  Once compromised, an infected server can then host a small, seemingly benign, piece of code that is used as a redirector.  However, this code is part of a chain, and when victims visit the website, the redirector can serve malicious pages from another malicious server to infect the victim with malware. You can read about the mechanics of this type of attack in a series of articles I wrote previously:
What You Should Know About Drive-By Download Attacks - Part 1
What You Should Know About Drive-By Download Attacks – Part 2
Once a system is compromised with malware, it not only disrupts the infected machine but also has the potential to cause harm to the systems it interacts with. The infected system may be used to spread malware both inside and outside the organization, and steal information such as intellectual property.
Network Drives, Autorun, Weak Passwords
While web-based attacks have become the most common threats facing enterprises, worms cannot be ignored.  In 2Q13 three out of the top ten threats facing enterprises were associated with worms (Win32/Conficker, INF/Autorun, Win32/Dorkbot).  Worms are commonly spread through network drives, abusing the Autorun feature or exploiting weak passwords.
For example, the Conficker worm is commonly spread by exploiting weak passwords.  The worm uses a built-in list of common or weak passwords to attempt to compromise other computers, in addition to stealing the credentials of any user that logs into the infected system. Passwords such as “admin,” “admin123,” “administrator,” “default,” “test,” “12345” and even “security” are part of Conficker’s list of passwords. Once Conficker compromises a system it can steal the credentials of an IT administrator to spread on the internal network. Here’s how Conficker spreads using this technique:
  • A system becomes compromised
  • The user suspects a problem and reports the issue to the administrator for help
  • The administrator logs onto the infected machine with the network admin password to troubleshoot the problem
  • Conficker steals the admin credentials and immediately uses them to log onto every other machine in the network and compromise those machines
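Both stages of the spread sequence above leave a trace in authentication logs, and the following added Python example (not code from Microsoft or from the SIR) shows detection logic for them: a host producing a burst of failed logons against several machines (the password-list stage), and a single account succeeding from one host onto many machines within minutes (the stolen-admin-credential stage). The log format is a constructed, simplified one-line-per-logon format, not the real Windows event format, and the host names, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified authentication log (not a real Windows event format):
# "<ISO time> <source_host> -> <target_host> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2013-12-05T09:00:01 ws17 -> ws02 user=administrator result=fail
2013-12-05T09:00:02 ws17 -> ws02 user=administrator result=fail
2013-12-05T09:00:03 ws17 -> ws03 user=administrator result=fail
2013-12-05T09:00:04 ws17 -> ws03 user=admin result=fail
2013-12-05T09:00:05 ws17 -> ws04 user=admin result=fail
2013-12-05T09:00:06 ws17 -> ws04 user=administrator result=fail
2013-12-05T09:12:00 ws05 -> fs01 user=bob result=fail
2013-12-05T09:12:05 ws05 -> fs01 user=bob result=ok
2013-12-05T09:30:00 admin-pc -> ws17 user=netadmin result=ok
2013-12-05T09:31:10 ws17 -> ws02 user=netadmin result=ok
2013-12-05T09:31:11 ws17 -> ws03 user=netadmin result=ok
2013-12-05T09:31:12 ws17 -> ws04 user=netadmin result=ok
2013-12-05T09:31:13 ws17 -> fs01 user=netadmin result=ok
"""


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, src, _arrow, dst, user_kv, result_kv = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "user": user_kv.split("=", 1)[1],
        "ok": result_kv.split("=", 1)[1] == "ok",
    }


def max_in_window(times, window):
    """Largest number of timestamps that fall within any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text, window_minutes=5, fail_threshold=5, fanout_threshold=3):
    """Return hosts doing password guessing and (host, user) pairs fanning out.

    guessing: a source host with >= fail_threshold failed logons inside one
              window, regardless of target or account (the built-in list stage).
    fanout:   one account succeeding from one source host onto
              >= fanout_threshold distinct targets inside one window
              (the stolen-credential stage).
    """
    window = timedelta(minutes=window_minutes)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(list)            # src -> [time]
    successes = defaultdict(list)           # (src, user) -> [(time, dst)]
    for e in events:
        if e["ok"]:
            successes[(e["src"], e["user"])].append((e["time"], e["dst"]))
        else:
            failures[e["src"]].append(e["time"])

    guessing = sorted(src for src, ts in failures.items()
                      if max_in_window(ts, window) >= fail_threshold)

    fanout = []
    for (src, user), hits in successes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct targets reached within `window` of this success
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= fanout_threshold:
                fanout.append((src, user))
                break
    return {"guessing": guessing, "fanout": sorted(fanout)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the constructed log the workstation ws17 trips both rules: the failed-logon burst before the administrator arrives to troubleshoot, and the netadmin account reaching four machines from ws17 seconds apart afterwards, which is exactly the pattern the list above describes. The single failed logon from ws05 is normal noise and is not reported.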
Social Engineering
The third most common way in which enterprise organizations are encountering malware, based on the latest threat intelligence, is through social engineering; Win32/Obfuscator is an example of this. Cybercriminals will try to hide the malware using deceitful tactics to trick you into installing it.  There are a number of ways this may occur.
For example, a compromised system may be used by attackers to send out erroneous emails, friend requests or instant messages which contain links to malicious sites or malware.    Another common way in which attackers try to trick people into installing malware is by bundling it with popular software, movies or music that can be downloaded online.  We talked about this method in detail when we released the Microsoft Security Intelligence Report Volume 13.
The good news is that there are effective mitigations and best practices that can be used to help to protect enterprises:
  • Keep all software up-to-date:  Attackers will try to use vulnerabilities in all sorts of software from different vendors, so it is important for organizations to keep all of the software in their environment up to date and run the latest versions whenever possible.  This will make it harder for the types of threats we see in the enterprise today to be successful. This tactic would have helped to mitigate six out of the top ten threats detected in enterprise environments in the first half of 2013.
  • Demand software that was developed with a security development lifecycle:  Until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities.  A very effective way for software vendors to help you do this is by using security mitigations built into the platform, such as ASLR, DEP, SEHOP and others.  These mitigations can make it much harder for attackers to successfully exploit vulnerabilities.  Demand software from your vendors that uses these mitigations.  You can check whether the software in your environment has these mitigations turned on using tools like BinScope or EMET.  Where you have software deployed that does not use these mitigations, EMET might in some cases be able to turn them on for you.  These mitigations can help you manage risk by giving you more time to test and deploy security updates or new versions of software. An easy way to ask your vendors if they use a security development lifecycle is to ask them if they meet the guidance in an international standard called ISO 27034.
  • Restrict websites: Limit web sites that your organization’s users can visit.  This likely won’t be popular in the office, but given the majority of threats found in the enterprise are delivered through malicious websites, you might have the data needed to make a business case.  Also, restricting web access from servers has been a best practice for a long time. 
  • Manage security of your websites: Many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks.  Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  • Leverage network security technologies: technologies like Network Access Protection (NAP), Intrusion Prevention System (IPS), and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing their level of network access.
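The opt-in mitigations named in the list (ASLR and DEP among them) are recorded as flags in a Windows executable's PE optional header, and reading those flags is the first thing an inventory check does. The following added Python example (not code from Microsoft, BinScope or EMET) parses the DOS and PE headers of an image, extracts the DllCharacteristics word and reports which of those flags are set; the flag values are the documented PE constants, and the header-only image used for testing is constructed inline and is not a loadable program. Note that the flags describe what the binary asked for: as the bullet above says, EMET can apply some mitigations to a process even when its binary lacks the flag, so a missing flag is a risk to track, not proof that the mitigation is off at runtime.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* values from the PE format specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy randomization
DYNAMIC_BASE = 0x0040      # image can be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP
NO_SEH = 0x0400            # image uses no structured exception handlers


def read_dll_characteristics(data):
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header is 20 bytes; SizeOfOptionalHeader sits at its offset 16
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    if size_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt_hdr = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats
    return struct.unpack_from("<H", data, opt_hdr + 70)[0]


def mitigation_report(data):
    """Map the header flags to the mitigations a BinScope-style check would list."""
    flags = read_dll_characteristics(data)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "no_seh": bool(flags & NO_SEH),
    }


def report_file(path):
    """Convenience wrapper for a real .exe or .dll on disk."""
    with open(path, "rb") as f:
        return mitigation_report(f.read())


def make_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed header-only image for testing: parseable, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0, opt_size, 0x0002)                # ..., IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("hardened:", mitigation_report(make_minimal_pe(DYNAMIC_BASE | NX_COMPAT)))
    print("legacy:  ", mitigation_report(make_minimal_pe(0)))
```

Run `report_file()` over every executable in a software inventory and the binaries that come back with `aslr` or `dep` false are the ones to raise with the vendor, or to consider covering with EMET in the meantime.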
Of course, there is plenty of other data and guidance in the latest Microsoft Security Intelligence Report; it is designed to provide prescriptive guidance which can help our customers manage risk and protect their assets.  If you are responsible for managing risk for your organization, then I encourage you to download it today at www.microsoft.com/sir to learn about the latest threat trends.
Tim Rains
Director
Trustworthy Computing
Inside the command and control channel of a point-of-sale botnet powered by StarDust. (Image: IntelCrawler)
Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.
The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August, researchers from IntelCrawler, a Los Angeles-based security intelligence provider, told Ars. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. A recently captured screenshot (above) showed that it was controlling 31 machines that the researchers said belonged to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected PoS devices could be much higher. The researchers have reported their findings to law enforcement agencies that they declined to identify by name.
PoS-based hacking is nothing new. The best-known incident stole data for more than 146,000 cards after infecting 200 terminals used at Subway Sandwich shops and other small merchants. According to federal prosecutors, the criminals behind that intrusion infected one or more servers with "sniffing" software that logged payment card numbers and sent them to a remote server. Although the now-convicted crooks were able to install a backdoor on the computers they accessed so they could change configuration settings and install new programs, there is no evidence of a botnet that actively controlled the infected machines in lockstep.

Wednesday, December 4, 2013

How Newspapers Wrote About the Internet in 1988
MATT NOVAK on PALEOFUTURE 

"Once upon a time computers were for thinking... That's no longer true. Computers are for communicating now, and networks allowed that to happen."


That's Harvard astronomer-turned-computer expert Clifford Stoll, quoted in the November 20, 1988 edition of the Washington Post. And yes, that's the same Cliff Stoll who just a few years later would proclaim that the internet's potential to transform the way we live was largely just a bunch of hype.
Barton Gellman's 1988 article about the internet for the Post is quite a fascinating artifact. We see the introduction of terms that hadn't yet entered the national lexicon, such as "snail mail," "virus," and "netiquette." And we see the writer slowly introducing the public to the idea that this network could be something important to their lives in the future.
We also see the warnings that a more connected world will have its downsides, as in the case of computer viruses able to spread at lightning speed.
From the November 20, 1988 Washington Post:
Using Internet and overlapping networks, thousands of men and women in 17 countries swap recipes and woodworking tips, debate politics, religion and antique cars, form friendships and even fall in love.
But the networks that link tens of thousands of computers 24 hours a day also allowed the computer virus to spread much more rapidly, and with far greater potential for damage, than any previous electronic invader. That frightens many network visionaries, who dream of a "worldnet" with ever more extensive connections and ever fewer barriers to the exchange of knowledge.
"The Internet is a community far more than a network of computers and cables," Stoll said. "When your neighbors become paranoid of one another, they no longer cooperate, they no longer share things with each other. It takes only a very, very few vandals to ... destroy the trust that glues our community together."
The article was published before the privatization of the internet's backbone network, and hints at the ARPANET work accomplished in 1969 that gave rise to the modern internet.


The metaphor of a community is apt. Internet, which began as a Defense Department link between four research computers in 1969, is still officially limited to universities, research facilities and government offices. But it has evolved its own language, social norms and "netiquette," even as its sprawling growth has outrun the ability to map it.
No one can keep track of how many people use Internet, how many machines it can reach or even how many sub- and sub-sub-networks form a part of it. The "backbone" of the network — major electronic corridors established by the Department of Defense, the National Science Foundation and others — is obvious enough, but like the interstate highway system, it leads to successively smaller local byways and obscure private roads.
And while committees exist to set technical standards, and unclassified Defense Department systems form its core, no one really "runs" the network.
"The content and direction is really up to the people using it, which makes it kind of a grand social experiment," said Eugene H. Spafford, a professor of computer science at Purdue University.
Gellman, of course, would go on to become one of the reporters to help expose the NSA's illegal domestic surveillance programs.
You can read the entire article over at the Washington Post.