Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.
EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.
EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system — the White House is — and how to defend against it.
And a good story on BoingBoing.
A six-hour video of a giant squid dissection from Auckland University of Technology.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
The Maryland Air National Guard needs a new facility for its cyberwar operations:
The purpose of this facility is to house a Network Warfare Group and ISR Squadron. The Cyber mission includes a set of capabilities, expertise to enable the cyber operational need for an always-on, net-speed awareness and integrated operational response with global reach. It enables operators to drive upstream in pursuit of cyber adversaries, and is informed 24/7 by intelligence and all-source information.
Is this something we want the Maryland Air National Guard to get involved in?
The article says they were Chinese but offers no evidence:
The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.
This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.
Brian Krebs is reporting that:
The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
It’s actually a very hard problem to solve. The adversary can have unrestricted access to the computer, especially hotel business center computers that are often tucked away where no one else is looking. I assume that if someone has physical access to my computer, he can own it. This is doubly true if he has hardware access.
Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria has been found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.
Here’s the EFF: “Seven Things You Should Know About Tor.”
EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.
The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:
GLASSBACK: Technique of getting a target's IP address by pretending to be a spammer and ringing them. Target does not need to answer.
MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user’s files from Archive.org.
PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.
SILVER SPECTOR: Allows batch Nmap scanning over Tor.
SPRING BISHOP: Find private photographs of targets on Facebook.
ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.
BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.
BOMB BAY: is the capacity to increase website hits/rankings.
BURLESQUE: is the capacity to send spoofed SMS messages.
CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.
CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
GATEWAY: Ability to artificially increase traffic to a website.
GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.
SUNBLOCK: Ability to deny functionality to send/receive email or view material online.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target's machine.
UNDERPASS: Change outcome of online polls (previously known as NUBILO).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.
HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.
HUSK: Secure one-on-one web based dead-drop messaging platform.
I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.
EDITED TO ADD (7/16): HTML of the entire catalog is here.
This is an interesting paper: “An Anthropological Approach to Studying CSIRTs.” A researcher spent 15 months at a university’s SOC conducting “ethnographic fieldwork.” Right now it’s more about the methodology than any results, but I’ll bet the results will be fascinating.
And here’s some information about the project.
Funny, and the inspiration for this week’s headlines. (Note that the image shows Password Safe on the screen.)
And marginally related, here’s an odd essay about using a password as a mantra for personal change.
Okay, it’s a parody:
The Russian Federation is more complex. At a political level there’s a lot of grandstanding. Operationally though, we share intelligence with Russia on anyone who is a mutual target (and that, ironically, includes most of the Russian Federation). China is our main mutual target because it refuses to share the economic intelligence data it gathers about either Russia or America. All of us, however, have agreed to share intelligence data on the French.
Researchers are refining the techniques of surreptitiously videoing people as they type in their passwords.
Other hackers have shown it’s possible to perform automated over-the-shoulder password stealing. But Fu notes that older video tools had to actually see the display, which often is impossible from a distance or from indirect angles. (See UMass’s PIN-capturing footage taken by Glass in the GIF below.) His team’s video recognition software can spot passcodes even when the screen is unreadable, based on its understanding of an iPad’s geometry and the position of the user’s fingers. It maps its image of the angled iPad onto a “reference” image of the device, then looks for the abrupt down and up movements of the dark crescents that represent the fingers’ shadows.
LIFX is a smart light bulb that can be controlled with your smart phone via your home’s Wi-Fi network. Turns out that anyone within range can obtain the Wi-Fi password from the light bulb. It’s a problem with the communications protocol.
The latest story from the Snowden documents is about five prominent Muslim Americans who were spied on by the NSA and FBI. It’s a good story, and I recommend reading it in its entirety. I have a few observations.
One, it’s hard to assess the significance of this story without context. The source document is a single spreadsheet that lists 7,485 e-mail addresses monitored between 2002 and 2008.
The vast majority of individuals on the “FISA recap” spreadsheet are not named. Instead, only their email addresses are listed, making it impossible in most cases to ascertain their identities. Under the heading “Nationality,” the list designates 202 email addresses as belonging to “U.S. persons,” 1,782 as belonging to “non-U.S. persons,” and 5,501 as “unknown” or simply blank. The Intercept identified the five Americans placed under surveillance from their email addresses.
Without knowing more about this list, we don’t know whether this is good or bad. Is 202 a lot? A little? Were there FISA warrants that put these people on the list? Can we see them?
Two, the 2008 date is important. In July of that year, Congress passed the FISA Amendments Act, which restricted what sorts of surveillance the NSA can do on Americans. So while this story tells us about what was happening before the FAA, we don’t know what — if anything — changed with the passage of the FAA.
Three, another significant event at the time was the FBI’s prosecution of the Holy Land Foundation on terrorism charges. This brought with it an overly broad investigation of Muslim Americans who were just associated with that charity, but that investigation came with approved warrants and all the due process it was supposed to have. How many of the Americans on this list are there as a result of this one case?
Four, this list was just the starting point for a much broader NSA surveillance effort. As Marcy Wheeler pointed out, these people were almost certainly associationally mapped. CAIR founder Nihad Awad is one of the NSA targets named in the story. CAIR is named in an EFF lawsuit against the NSA. If Awad had any contact with the EFF in 2008, then they were also being spied on — that’s one hop. Since I had lots of contact with the EFF in the affected time period, I was being spied on as well — that’s two hops. And if any of you e-mailed me around that time — well, that’s three hops. This isn’t “just metadata”; this is full-take content that’s stored forever. And, yes, the president instructed the NSA to only spy on people up to two hops away this January, but that was just one program under one authority.
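To make the hop arithmetic concrete, here is an added example (my own illustration, not part of the original post or any NSA document) that walks a small, constructed contact graph from one seed account and reports which accounts fall within one, two, and three hops. The graph mirrors the chain in the post (Awad, the EFF, me, my correspondents); every other name in it is a placeholder, and the graph itself is an assumption standing in for a real associational map.

```python
from collections import deque

# Constructed "who e-mailed whom" edge list. Only the awad -> eff -> schneier
# chain comes from the post; every other name is a placeholder.
EDGES = [
    ("awad", "eff"), ("awad", "cair-staff-1"), ("awad", "cair-staff-2"),
    ("eff", "schneier"), ("eff", "eff-lawyer"), ("eff", "journalist"),
    ("schneier", "reader-a"), ("schneier", "reader-b"), ("schneier", "reader-c"),
    ("reader-a", "reader-a-friend"), ("journalist", "editor"),
]


def build_graph(edges):
    """Undirected adjacency sets: contact is symmetric for this purpose."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def contacts_within(graph, seed, max_hops):
    """Breadth-first search from `seed`, returning {account: hop distance}
    for every account at most `max_hops` away (the seed itself is hop 0)."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand beyond the hop limit
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def swept_up(graph, seed, max_hops):
    """Accounts other than the seed whose traffic is collected under a
    `max_hops` contact-chaining rule."""
    return {n for n, d in contacts_within(graph, seed, max_hops).items() if d > 0}


def growth_by_hop(graph, seed, up_to):
    """Cumulative count of collected accounts for each hop limit 1..up_to."""
    return [len(swept_up(graph, seed, h)) for h in range(1, up_to + 1)]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hops in (1, 2, 3):
        print(f"{hops} hop(s):", sorted(swept_up(g, "awad", hops)))
    print("cumulative counts:", growth_by_hop(g, "awad", 3))
```

The two-hop versus three-hop difference the post describes is visible directly: with the limit at two, the seed's contacts and their contacts are collected; raising it to three pulls in everyone who ever wrote to those people, which in a real graph is where the count explodes.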
This is a hard story to analyze, because it’s more anecdote than data. I much preferred last Saturday’s story that tried to analyze broad trends about who the subjects of NSA surveillance are. But anecdotes are more persuasive than data, so this story might be more compelling to a mainstream audience.
One final note: I just couldn’t think of a headline more sensationalist than the descriptive one.
Man-in-the-middle attack against a Brazilian payment system:
Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.
This is the sort of attack that bypasses any two-factor authentication system, since it occurs after all authentication has happened. A defense would be to send a confirmation notice to another device the account-owner owns, confirming the details of the transaction.
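The defense described above, as an added example that is not part of the original post or of any bank's system: the bank parks a submitted transfer, pushes its exact details to a second device the owner enrolled out of band, and only executes it when that device returns an approval code bound to those details. The shared per-device key, account identifiers, and amounts are all constructed for the example; the point it shows is that a recipient substituted by malware after login appears on the second device and so is never approved, and that an approval for one transfer cannot be replayed for another.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: enrolled out of band on the owner's phone; constructed value.
DEVICE_KEY = b"constructed-per-device-key-not-a-real-secret"


@dataclass(frozen=True)
class Transfer:
    payer: str
    recipient: str      # the field boleto malware rewrites after login
    amount_cents: int


def summary(nonce, t):
    """Canonical text shown on the second device and bound into the approval.
    Every field the browser-side malware could alter is included."""
    return f"{nonce}|{t.payer}|{t.recipient}|{t.amount_cents}"


def approval_code(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


class TransferService:
    """Bank side. Authentication has already happened; that is exactly why
    the request from the browser cannot be trusted on its own."""

    def __init__(self, device_key):
        self._key = device_key
        self._pending = {}
        self.executed = []

    def submit(self, transfer):
        nonce = secrets.token_hex(8)
        self._pending[nonce] = transfer
        return summary(nonce, transfer)      # pushed to the second device

    def confirm(self, nonce, code):
        transfer = self._pending.get(nonce)
        if transfer is None:
            return False                     # unknown or already used
        expected = approval_code(self._key, summary(nonce, transfer))
        if not hmac.compare_digest(expected, code or ""):
            return False
        del self._pending[nonce]             # single use: no replay
        self.executed.append(transfer)
        return True


def second_device(key, notice, intended_recipient, intended_amount_cents):
    """The owner reads the notice on the phone and approves only if it matches
    what they meant to pay. Returns (nonce, code) or (nonce, None)."""
    nonce, _payer, recipient, amount = notice.split("|")
    if recipient != intended_recipient or int(amount) != intended_amount_cents:
        return nonce, None                   # owner sees the wrong account and declines
    return nonce, approval_code(key, notice)


def pay(service, browser_request, intended_recipient, intended_amount_cents):
    """Full flow: browser submits, second device approves, bank executes."""
    notice = service.submit(browser_request)
    nonce, code = second_device(DEVICE_KEY, notice, intended_recipient, intended_amount_cents)
    return service.confirm(nonce, code)


def honest_flow():
    svc = TransferService(DEVICE_KEY)
    return pay(svc, Transfer("alice", "BR-ACME-001", 50000), "BR-ACME-001", 50000)


def tampered_flow():
    # Malware on the PC swapped the recipient after authentication.
    svc = TransferService(DEVICE_KEY)
    return pay(svc, Transfer("alice", "BR-MULE-999", 50000), "BR-ACME-001", 50000)


def replay_flow():
    svc = TransferService(DEVICE_KEY)
    notice = svc.submit(Transfer("alice", "BR-ACME-001", 50000))
    nonce, code = second_device(DEVICE_KEY, notice, "BR-ACME-001", 50000)
    first = svc.confirm(nonce, code)
    return first, svc.confirm(nonce, code)  # second attempt must fail


if __name__ == "__main__":
    print("honest:", honest_flow(), "tampered:", tampered_flow(), "replay:", replay_flow())
```

The design choice that matters is that the approval is computed over the details the owner actually saw, not over a session or a login. A one-time code that merely proves "the owner is present" would be approved just as readily for the attacker's account.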
Pickpocket tricks explained by neuroscience.
So while sleight of hand helps, it’s as much about capturing all of somebody’s attention with other movements. Street pickpockets also use this effect to their advantage by manufacturing a situation that can’t help but overload your attention system. A classic trick is the ‘stall’, used by pickpocketing gangs all over the world. First, a ‘blocker’, walks in front of the victim (or ‘mark’) and suddenly stops so that the mark bumps into them. Another gang member will be close behind and will bump into both of them and then start a staged argument with the blocker. Amid the confusion one or both of them steal what they can and pass it to a third member of the gang, who quickly makes off with the loot.
I’ve seen Apollo Robbins in action. He’s very good.
Last week, the German government arrested someone and charged him with spying for the US. Buried in one of the stories was a little bit of tradecraft. The US gave him an encryption program embedded in a — presumably common — weather app. When you select the weather for New York, it automatically opens a crypto program. I assume this is a custom modification for the agent, and probably other agents as well. No idea how well this program was hidden. Was the modified weather app the same size as the original? Would it pass an integrity checker?
Related: there is an undocumented encryption feature in my own Password Safe program. From the command line, type: pwsafe -e filename
The latest story from the Snowden documents analyzes a large cache of intercepted conversations — actual operational data — and concludes that 90% of the individuals eavesdropped on were not the targets of the surveillance.
Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.
Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.
Note that this is data that the NSA has repeatedly assured us that Snowden did not have access to.
EDITED TO ADD (7/7): Benjamin Wittes has a good commentary on this.
EDITED TO ADD (7/11): Washington Post reporter Bart Gellman provides some additional context for the story.
I don’t care about the case, but look at this:
“Among the details police have released is that Harris and his wife, Leanna, told them they conducted Internet searches on how hot a car needed to be to kill a child. Stoddard testified Thursday that Ross Harris had visited a Reddit page called “child-free” and read four articles. He also did an Internet search on how to survive in prison, Stoddard said.
“Also, five days before Cooper died, Ross Harris twice viewed a sort of homemade public service announcement in which a veterinarian demonstrates on video the dangers of leaving someone or something inside a hot car.”
Stoddard is a police detective. It seems that they know about his web browsing because they seized and searched his computer:
…investigators confiscated Harris’ work computer at Home Depot following his arrest and discovered an Internet search about how long it would take for an animal to die in a hot car.
Stoddard also testified that Harris was “sexting” — is this a word we use in court now? — with several women on the day of his son’s death, and sent explicit pictures to one of them. I assume he knows that by looking at Harris’s message history.
A bunch of this would not be admissible in trial, but this was a probable-cause hearing, and the rules are different for those. CNN writes: “a prosecutor insisted that the testimony helped portray the defendant’s state of mind and spoke to the negligence angle and helped establish motive.”
This case aside, is there anyone reading this whose e-mails, text messages, and web searches couldn’t be cherry-picked to portray any state of mind a prosecutor might want to portray? (Qu’on me donne six lignes écrites de la main du plus honnête homme, j’y trouverai de quoi le faire pendre. — Cardinal Richelieu.)
Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.
This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the “email_address” function to see if the message is to or from “email@example.com”. Next, if the address matched, it uses the “email_body” function to search the full content of the email for a particular piece of text – in this case, “https://bridges.torproject.org/”. If the “email_body” function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.
It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.
There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 184.108.40.206, a server located on the MIT campus.
It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded torproject.org URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.
Whatever the case, this is very disturbing.
And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.
EDITED TO ADD (7/3): Here is the code. In part:
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or '
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to
or viewing websites that detail TAILs.
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
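To see how broadly the rules quoted above actually match, here is an added example (mine, not code from the leak or from the researchers) that evaluates the Tails fingerprint and the bridges e-mail rule described earlier against a handful of constructed traffic records. The matching semantics of word(), url() and html_title() are my reading of the rule text (whole-word, case-insensitive terms; a URL pattern matched anywhere in the URL with a trailing wildcard), not documented behaviour, and the continuation of $TAILS_terms is cut off on the page, so only its visible first clause is used. The e-mail address in the bridges rule is the placeholder the quoted text uses.

```python
import fnmatch
import re

# Transcribed from the rule text above. Only the visible first word() clause
# of $TAILS_terms survives on the page, so that is all this example uses.
TAILS_TERMS = ("tails", "Amnesiac Incognito Live System")
TAILS_WEBSITES = ("tails.boum.org/", "linuxjournal.com/content/linux*")
TAILS_DOC_FINGERPRINT = "documents/comsec/tails_doc"

# From the bridges rule described earlier (address is the page's placeholder).
BRIDGES_ADDRESS = "email@example.com"
BRIDGES_URL = "https://bridges.torproject.org/"


def word(text, terms):
    """Assumed word() semantics: any term as a whole word, case-insensitive."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)
               for t in terms)


def url_match(text, patterns):
    """Assumed url()/html_title() semantics: pattern may appear anywhere,
    trailing '*' is a glob; scheme and leading www. are ignored."""
    bare = re.sub(r"^https?://(www\.)?", "", text.lower())
    return any(fnmatch.fnmatchcase(bare, "*" + p.lower() + "*") for p in patterns)


def tails_fingerprint(record):
    """fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms)
    or url($TAILS_websites) or html_title($TAILS_websites)."""
    return (record.get("doc_fingerprint") == TAILS_DOC_FINGERPRINT
            or word(record.get("search", ""), TAILS_TERMS)
            or url_match(record.get("url", ""), TAILS_WEBSITES)
            or url_match(record.get("html_title", ""), TAILS_WEBSITES))


def bridges_fingerprint(message):
    """email_address() match on to/from, then email_body() must contain the URL."""
    return (BRIDGES_ADDRESS in (message.get("to"), message.get("from"))
            and BRIDGES_URL in message.get("body", ""))


# Constructed sample traffic; ids are arbitrary labels for the assertions.
SAMPLE = [
    {"id": 1, "search": "how to make a tails usb"},
    {"id": 2, "search": "tails bleeding on my dog"},          # unrelated, still 'tails'
    {"id": 3, "url": "https://www.linuxjournal.com/content/linux-kernel-news"},
    {"id": 4, "url": "https://www.linuxjournal.com/about"},
    {"id": 5, "search": "amnesiac incognito live system download"},
    {"id": 6, "html_title": "Tails: tails.boum.org/ - Privacy for anyone"},
    {"id": 7, "search": "weather new york"},
]


def flag_records(records):
    """Return the ids of records the Tails fingerprint would select."""
    return [r["id"] for r in records if tails_fingerprint(r)]


if __name__ == "__main__":
    print("selected:", flag_records(SAMPLE))
```

Record 2 is the one to notice: the visible clause of $TAILS_terms keys on the plain word "tails", and record 3 shows that the Linux Journal pattern catches any article under /content/linux, which is the breadth the article is pointing at.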