Posts tagged ‘fbi’

Schneier on Security: Why the Current Section 215 Reform Debate Doesn’t Matter Much

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The ACLU’s Chris Soghoian explains (time 25:52-30:55) why the current debate over Section 215 of the Patriot Act is just a minor facet of a large and complex bulk collection program by the FBI and the NSA.

There were 180 orders authorized last year by the FISA Court under Section 215 — 180 orders issued by this court. Only five of those orders relate to the telephony metadata program. There are 175 orders about completely separate things. In six weeks, Congress will either reauthorize this statute or let it expire, and we’re having a debate — to the extent we’re even having a debate — but the debate that’s taking place is focused on five of the 180, and there’s no debate at all about the other 175 orders.

Now, Senator Wyden has said there are other bulk collection programs targeted at Americans that the public would be shocked to learn about. We don’t know, for example, how the government collects records from Internet providers. We don’t know how they get bulk metadata from tech companies about Americans. We don’t know how the American government gets calling card records.

If we take General Hayden at face value — and I think you’re an honest guy — if the purpose of the 215 program is to identify people who are calling Yemen and Pakistan and Somalia, where one end is in the United States, your average Somali-American is not calling Somalia from their land line phone or their cell phone for the simple reason that AT&T will charge them $7.00 a minute in long distance fees. The way that people in the diaspora call home — the way that people in the Somali or Yemeni community call their family and friends back home — they walk into convenience stores and they buy prepaid calling cards. That is how regular people make international long distance calls.

So the 215 program that has been disclosed publicly, the 215 program that is being debated publicly, is about records to major carriers like AT&T and Verizon. We have not had a debate about surveillance requests, bulk orders to calling card companies, to Skype, to voice over Internet protocol companies. Now, if NSA isn’t collecting those records, they’re not doing their job. I actually think that that’s where the most useful data is. But why are we having this debate about these records that don’t contain a lot of calls to Somalia when we should be having a debate about the records that do contain calls to Somalia and do contain records of e-mails and instant messages and searches and people posting inflammatory videos to YouTube?

Certainly the government is collecting that data, but we don’t know how they’re doing it, we don’t know at what scale they’re doing it, and we don’t know with which authority they’re doing it. And I think it is a farce to say that we’re having a debate about the surveillance authority when really, we’re just debating this very narrow usage of the statute.

Further underscoring this point, yesterday the Department of Justice’s Office of the Inspector General released a redacted version of its internal audit of the FBI’s use of Section 215: “A Review of the FBI’s Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009,” following the reports of the statute’s use from 2002-2005 and 2006. (Remember that the FBI and the NSA are inexorably connected here. The order to Verizon was from the FBI, requiring it to turn data over to the NSA.)

Details about legal justifications are all in the report (see here for an important point about minimization), but detailed data on exactly what the FBI is collecting — whether targeted or bulk — is left out. We read that the FBI demanded “customer information” (p. 36), “medical and educational records” (p. 39), “account information and electronic communications transactional records” (p. 41), and “information regarding other cyber activity” (p. 42). Some of this was undoubtedly targeted against individuals; some of it was undoubtedly bulk.

I believe bulk collection is discussed in detail in Chapter VI. The chapter title is redacted, as well as the introduction (p. 46). Section A is “Bulk Telephony Metadata.” Section B (pp. 59-63) is completely redacted, including the section title. There’s a summary in the Introduction (p. 3): “In Section VI, we update the information about the uses of Section 215 authority described [redacted word] Classified Appendices to our last report. These appendices described the FBI’s use of Section 215 authority on behalf of the NSA to obtain bulk collections of telephony metadata [long redacted clause].” Sounds like a comprehensive discussion of bulk collection under Section 215.

What’s in there? As Soghoian says, certainly other communications systems like prepaid calling cards, Skype, text messaging systems, and e-mails. Search history and browser logs? Financial transactions? The “medical and educational records” mentioned above? Probably all of them — and the data is in the report, redacted (p. 29) — but there’s nothing public.

The problem is that those are the pages Congress should be debating, and not the telephony metadata program exposed by Snowden.

Krebs on Security: mSpy Denies Breach, Even as Customers Confirm It

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers of mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.

mSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. mSpy also told the BBC that claims the hackers had breached its systems and stolen data were false.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

Let’s parse that statement a bit further. No, the stolen records aren’t on the Web; rather, they’ve been posted to various sites on the Deep Web, which is only accessible using Tor. Also, I don’t doubt that mSpy was the target of extortion attempts; the fact that the company did not pay the extortionist is likely what resulted in its customers’ data being posted online.

How am I confident of this, considering mSpy has still not responded to my requests for comment? I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.

Joe Natoli, director of a home care provider in Arizona, confirmed what was clear from looking at the leaked data — that he had paid mSpy hundreds of dollars a month for a subscription to monitor all of the mobile devices distributed to employees by his company. Natoli said all employees agree to the monitoring when they are hired, but that he only used mSpy for approximately four months.

“The value proposition for the cost didn’t work out,” Natoli said.

Katherine Till’s information also was in the leaked data. Till confirmed that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter, and were still paying customers as of my call to her.

Till added that she was unaware of a breach, and was disturbed that mSpy might try to cover it up.

“This is disturbing, because who knows what someone could do with all that data from her phone,” Till said, noting that she and her husband had both discussed the monitoring software with their daughter. “As parents, it’s hard to keep up and teach kids all the time what they can and can’t do. I’m sure there are lots more people like us that are in this situation now.”

Another user whose financial and personal data was in the cache asked not to be identified, but sheepishly confirmed that he had paid mSpy to secretly monitor the mobile device of a “friend.”

REACTION ON CAPITOL HILL

News of the mSpy breach prompted renewed calls from Sen. Al Franken for outlawing products like mSpy, which the Minnesota Democrat refers to as “stalking apps.” In a letter (PDF) sent this week to the U.S. Justice Department and Federal Trade Commission, Franken urged the agencies to investigate mSpy, whose products he called “deeply troubling” and “nothing short of terrifying” when “in the hands of a stalker or abusive intimate partner.”

Last year, Franken reintroduced The Location Privacy Protection Act of 2014, legislation that would outlaw the development, operation, and sale of such products.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”

Schneier on Security: More on Chris Roberts and Avionics Security

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last month I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight:

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

We know a lot more of the backstory from the FBI’s warrant application. He was interviewed by the FBI multiple times previously, and was able to take control of at least some of the planes’ controls during flight.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.

Roberts also told the agents he hacked into airplane networks and was able “to monitor traffic from the cockpit system.”

According to the search warrant application, Roberts said he hacked into the systems by accessing the in-flight entertainment system using his laptop and an Ethernet cable.

Wired has more.

This makes the FBI’s behavior much more reasonable. They weren’t scanning the Twitter feed for random keywords; they were watching his account.

We don’t know if the FBI’s statements are true, though. But if Roberts was hacking an airplane while sitting in the passenger seat…wow is that a stupid thing to do.

From the Christian Science Monitor:

But Roberts’ statements and the FBI’s actions raise as many questions as they answer. For Roberts, the question is why the FBI is suddenly focused on years-old research that has long been part of the public record.

“This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, ‘This has to be fixed,’” Roberts noted. “Is there a credible threat? Is something happening? If so, they’re not going to tell us,” he said.

Roberts isn’t the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.

“I would like to see a transcript (of the interviews),” said one former federal computer crimes prosecutor, speaking on condition of anonymity. “If he did what he said he did, why is he not in jail? And if he didn’t do it, why is the FBI saying he did?”

The real issue is that the avionics and the entertainment system are on the same network. That’s an even stupider thing to do. Also last month I wrote about the risks of hacking airplanes, and said that I wasn’t all that worried about it. Now I’m more worried.

Errata Security: Our Lord of the Flies moment

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In its war on researchers, the FBI doesn’t have to imprison us. Merely opening an investigation into a researcher is enough to scare away investors and bankrupt their company, which is what happened last week with Chris Roberts. The scary thing about this process is that the FBI has all the credibility, and the researcher none — even among other researchers. After hearing only one side of the story, the FBI’s side, cybersecurity researchers quickly turned on their own, condemning Chris Roberts for endangering lives by taking control of an airplane.

As reported by Kim Zetter at Wired, though, Roberts denies the FBI’s allegations. He claims his comments were taken out of context, and that on the subject of taking control of a plane, it was in fact a simulator, not a real airplane.

I don’t know which side is telling the truth, of course. I’m not going to defend Chris Roberts in the face of strong evidence of his guilt. But at the same time, I demand real evidence of his guilt before I condemn him. I’m not going to take the FBI’s word for it.

We know how things get distorted. Security researchers are notoriously misunderstood. To the average person, what we say is all magic technobabble anyway. They find this witchcraft threatening, so when we say we “could” do something, it’s interpreted as a threat that we “would” do something, or even that we “have” done something. Important exculpatory details, like “I hacked a simulation”, get lost in all the technobabble.

Likewise, the FBI is notoriously dishonest. Until last year, they forbade audio/visual recording of interviews, preferring instead to take notes. This enshrines any misunderstandings into the official record. The FBI has long abused this, such as for threatening people to inform on friends. It is unlikely the FBI had the technical knowledge to understand what Chris Roberts said. It’s likely they willfully misunderstood him in order to justify a search warrant.

There is a war on researchers. What we do embarrasses the powerful. They will use any means possible to stop us, such as using the DMCA to suppress publication of research, or using the CFAA to imprison researchers. Criminal prosecution is so one sided that it rarely gets that far. Instead, merely the threat of prosecution ruins lives, getting people fired or bankrupted.

When they come for us, the narrative will never be on our side. They will have constructed a story that makes us look very bad indeed. It’s scary how easily the FBI convicts people in the press. They have great leeway to concoct any story they want. Journalists then report the FBI’s allegations as fact. The targets, who need to remain silent lest their words be used against them, can do little to defend themselves. It’s like how in the Matt Dehart case, the FBI alleges child pornography. But when you look into the details, it’s nothing of the sort. The mere taint of this makes people run from supporting Dehart. Similarly with Chris Roberts, the FBI wove a tale of endangering an airplane, based on no evidence, and everyone ran from him.

We need to stand together or fall alone. No, this doesn’t mean ignoring malfeasance on our side. But it does mean that, absent clear evidence of guilt, we stand with our fellow researchers. We shouldn’t go all Lord of the Flies on the accused, eagerly devouring Piggy because we are so relieved it wasn’t us.


P.S. Alex Stamos is awesome, don’t let my bitch slapping of him make you believe otherwise.

Errata Security: Those expressing moral outrage probably can’t do math

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Many are discussing the FBI document where Chris Roberts (“the airplane hacker”) claimed to an FBI agent that at one point, he hacked the plane’s controls and caused the plane to climb sideways. The discussion hasn’t elevated itself above the level of anti-vaxxers.

It’s almost certain that the FBI’s account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said “I hacked a plane” in order to get a search warrant, then that’s what their notes will say. It’s like cops who will yank the collar of a drug sniffing dog in order to “trigger” on drugs so that they have an excuse to search the car.

Also, security researchers are notorious for being misunderstood. Whenever we make innocent statements about what we “could” do, others often interpret this either as a threat or a statement of what we already have done.

Assuming this scenario is true, that Roberts did indeed control the plane briefly, many claim that this is especially reprehensible because it endangered lives. That’s the wrong way of thinking about it. Yes, it would be wrong because it means accessing computers without permission, but the “endangered lives” component doesn’t necessarily make things worse.

Many operate under the principle that you can’t put a price on a human life. That is false, provably so. If you take your children with you to the store, instead of paying the neighbor $10 to babysit them, then you’ve implicitly put a price on your children’s lives. Traffic accidents near the home are the leading cause of death for children. Driving to the store is vastly more dangerous than leaving the kids at home, so you’ve priced that danger at around $10.

Likewise, society has limited resources. Every dollar spent on airline safety has to come from somewhere, such as from AIDS research. With current spending, society is effectively saying that airline passenger lives are worth more than AIDS victims.

Does pentesting an airplane put passenger lives in danger? Maybe. But then so does leaving airplane vulnerabilities untested, which is the current approach. I don’t know which one is worse — but I do know that your argument is wrong when you claim that endangering planes is unthinkable. It is thinkable, and we should be thinking about it. We should be doing the math to measure the risk, pricing each of the alternatives.

It’s like whistleblowers. The intelligence community hides illegal mass surveillance programs from the American public because it would be unthinkable to endanger people’s lives. The reality is that the danger from the programs is worse, and when revealed by whistleblowers, nothing bad happens.

The same is true here. Airlines assure us that planes are safe and cannot be hacked — while simultaneously saying it’s too dangerous for us to try hacking them. Both claims cannot be true, so we know something fishy is going on. The only way to pierce this bubble and find out the truth is to do something the airlines don’t want, such as whistleblowing or live pentesting.

The systems are built to be reset and manually overridden in-flight. Hacking past the entertainment system to prove one could control the airplane introduces only a tiny danger to the lives of those on board. Conversely, the current “security through obscurity” stance of the airlines and FAA is an enormous danger. Deliberately crashing a plane just to prove it’s possible would of course be unthinkable. But running a tiny risk of crashing the plane, in order to prove it’s possible, probably will harm nobody. If never having a plane crash due to hacking is your goal, then a live test on a plane during flight is a better way of doing this than the current official policies of keeping everything secret. The supposed “unthinkable” option of a live pentest is still (probably) less dangerous than the “thinkable” options.

I’m not advocating anyone do it, of course. There are still better options, such as hacking the system once the plane is on the ground. My point is only that it’s not an unthinkable danger. Those claiming it is haven’t measured the dangers and alternatives.

The same is true of all security research. Those outside the industry believe in security-through-obscurity, that if only they can keep details hidden and pentesters away from computers, then they will be safe. We inside the community believe the opposite, in Kerckhoffs’s Principle of openness, and that the only trustworthy systems are those which have been thoroughly attacked by pentesters. There is a short-term cost of releasing vulns in Adobe Flash, because hackers will use them. But the long-term benefit is that this leads to a more secure Flash, and better alternatives like HTML5. If you can’t hack planes in-flight, then what you are effectively saying is that our belief in Kerckhoffs’s Principle is wrong.

Each year, people die (or get permanently damaged) from vaccines. But we do vaccines anyway because we are rational creatures who can do math, and can see that the benefits of vaccines are a million to one times greater than the dangers. We look down on the anti-vaxxers who rely upon “herd immunity” and the fact the rest of us put our children through danger in order to protect their own. We should apply that same rationality to airline safety. If you think pentesting live airplanes is unthinkable, then you should similarly be able to do math and prove it, rather than rely upon irrational moral outrage.

I’m not arguing hacking airplanes mid-flight is a good idea. I’m simply pointing out it’s a matter of math, not outrage.

Krebs on Security: Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”

mSpy has not responded to multiple requests for comment left for the company over the past five days. KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor, a technology that helps users hide their true Internet address and allows users to host Web sites that are extremely difficult to get taken down.

The Tor-based Web site hosting content stolen from mobile devices running mSpy.

The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.

The exact number of mSpy users compromised could not be confirmed, but one thing is clear: There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid from $8.33 to as much as $799 for a variety of subscriptions to mSpy’s surveillance software.

mSpy users can track the exact location of Android and iPhone users, snoop on apps like Snapchat and Skype, and keep a record of every word the user types.

It’s unclear exactly where mSpy is based; the company’s Web site suggests it has offices in the United States, Germany and the United Kingdom, although the firm does not appear to list an official physical address. However, according to historic Web site registration records, the company is tied to a now-defunct firm called MTechnology LTD out of the United Kingdom.

Documents obtained from Companies House, an official register of corporations in the U.K., indicate that the two founding members of the company are self-described programmers Aleksey Fedorchuk and Pavel Daletski. Those records (PDF) indicate that Daletski is a British citizen, and that Mr. Fedorchuk is from Russia. Neither man could be reached for comment.

Court documents (PDF) obtained from the U.S. District Court in Jacksonville, Fla. regarding a trademark dispute involving mSpy and Daletski state that mSpy has a U.S.-based address of 800 West El Camino Real, in Mountain View, Calif. Those same court documents indicate that Daletski is a director at a firm based in the Seychelles called Bitex Group LTD. Interestingly, that lawsuit was brought by Retina-X Studios, an mSpy competitor based in Jacksonville, Fla. that makes a product called MobileSpy.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”

Unlike Akbar’s StealthGenie and some other mobile spyware products, mSpy advertises that its product works even on non-jailbroken iPhones, giving users the ability to log the device holder’s contacts, call logs, text messages, browser history, events and notes.

“If you have opted to purchase mSpy Without Jailbreak, and you have the mobile user’s iCloud credentials, you will not need physical access to the device,” the company’s FAQ states. “However, there may be some instances where physical access may be necessary. If you purchase mSpy for a jailbroken iOS phone or tablet, you will need 5-15 minutes of physical access to the device for successful installation.”

A public relations pitch from mSpy to KrebsOnSecurity in March 2015 stated that approximately 40 percent of the company’s users are parents interested in keeping tabs on their kids. Assuming that is a true statement, it’s ironic that so many parents have now unwittingly exposed their kids to predators, bullies and other ne’er-do-wells thanks to this breach.

Schneier on Security: Admiral Rogers Speaking at the Joint Service Academy Cyber Security Summit

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about.

First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes for everyone. Ability to generate and share insight and knowledge, and to do that in a timely manner.

Second, innovation. It’s about much more than just technology. It’s about ways to organize, values, training, and so on. We need to think about innovation very broadly.

Third, technology. This is a technologically based problem, and we need to apply technology to defense as well.

Fourth, human capital. If we don’t get people working right, all of this is doomed to fail. We need to build security workforces inside and outside of military. We need to keep them current in a world of changing technology.

So, what is the Department of Defense doing? They’re investing in cyber, both because it’s a critical part of future fighting of wars and because of the mission to defend the nation.

Rogers then explained the five strategic goals listed in the recent DoD cyber strategy:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Expect to see more detailed policy around these goals in the coming months.

What is the role of the US CyberCommand and the NSA in all of this? The CyberCommand has three missions related to the five strategic goals. They defend DoD networks. They create the cyber workforce. And, if directed, they defend national critical infrastructure.

At one point, Rogers said that he constantly reminds his people: “If it was designed by man, it can be defeated by man.” I hope he also tells this to the FBI when they talk about needing third-party access to encrypted communications.

All of this has to be underpinned by a cultural ethos that recognizes the importance of professionalism and compliance. Every person with a keyboard is both a potential asset and a threat. There need to be well-defined processes and procedures within DoD, and a culture of following them.

What’s the threat dynamic, and what’s the nature of the world? The threat is going to increase; it’s going to get worse, not better; cyber is a great equalizer. Cyber doesn’t recognize physical geography. Four “prisms” to look at threat: criminals, nation states, hacktivists, groups wanting to do harm to the nation. This fourth group is increasing. Groups like ISIL are going to use the Internet to cause harm. Also embarrassment: releasing documents, shutting down services, and so on.

We spend a lot of time thinking about how to stop attackers from getting in; we need to think more about how to get them out once they’ve gotten in — and how to continue to operate even though they are in. (That was especially nice to hear, because that’s what I’m doing at my company.) Sony was a “wake-up call”: a nation-state using cyber for coercion. It was theft of intellectual property, denial of service, and destruction. And it was important for the US to acknowledge the attack, attribute it, and retaliate.

Last point: “Total force approach to the problem.” It’s not just about people in uniform. It’s about active duty military, reserve military, corporations, government contractors — everyone. We need to work on this together. “I am not interested in endless discussion…. I am interested in outcomes.” “Cyber is the ultimate team sport.” There’s no single entity, or single technology, or single anything, that will solve all of this. He wants to partner with the corporate world, and to do it in a way that benefits both.

First question was about the domains and missions of the respective services. Rogers talked about the inherent expertise that each service brings to the problem, and how to use cyber to extend that expertise — and the mission. The goal is to create a single integrated cyber force, but not a single service. Cyber occurs in a broader context, and that context is applicable to all the military services. We need to build on their individual areas of expertise and contexts, and to apply them in an integrated way. Similar to how we do special forces.

Second question was about values, intention, and what’s at risk. Rogers replied that any structure for the NSA has to integrate with the nation’s values. He talked about the value of privacy. He also talked about “the security of the nation.” Both are imperatives, and we need to achieve both at the same time. The problem is that the nation is polarized; the threat is getting worse at the same time trust is decreasing. We need to figure out how to improve trust.

Third question was about DoD protecting commercial cyberspace. Rogers replied that the DHS is the lead organization in this regard, and DoD provides capability through that civilian authority. Any DoD partnership with the private sector will go through DHS.

Fourth question: How will DoD reach out to corporations, both established and start-ups? Many ways. By providing people to the private sector. Funding companies, through mechanisms like the CIA’s In-Q-Tel. And some sort of innovation capability. Those are the three main vectors, but more important is that the DoD mindset has to change. DoD has traditionally been very insular; in this case, more partnerships are required.

Final question was about the NSA sharing security information in some sort of semi-classified way. Rogers said that there are a lot of internal conversations about doing this. It’s important.

In all, nothing really new or controversial.

These comments were recorded — I can’t find them online now — and are on the record. Much of the rest of the summit was held under the Chatham House Rule. I participated in a panel on “Crypto Wars 2015” with Matt Blaze and a couple of government employees.

Errata Security: NSA: ad hominem is still a fallacy

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

An ad hominem attack is where, instead of refuting a person’s arguments, you attack their character. It’s a fallacy that enlightened people avoid. I point this out because of a piece in The Intercept about how some of the NSA’s defenders have financial ties to the NSA. This is a fallacy.

The first rule of NSA club is don’t talk about NSA club. The intelligence community frequently publishes rules to this effect to all their employees, contractors, and anybody else under their thumb. They don’t want their people talking about the NSA, even in defense. Their preferred defense is lobbying politicians privately in back rooms. They hate having things out in the public. Or, when they do want something public, they want to control the messaging (they are control freaks). They don’t want their supporters muddying the waters with conflicting messaging, even if it is all positive. What they fear most is bad supporters, the type that does more harm than good. Inevitably, some defender of the NSA is going to say “ragheads must die”, and that’ll be the one thing attackers will cherry pick to smear the NSA’s reputation.

Thus, you can tell how close somebody is to the NSA by how much they talk about the NSA — the closer to the NSA they are, the less they talk about it. That’s how you know that I’m mostly an outsider — if I actually had the close ties to the NSA that some people think I do, then I couldn’t publish this blogpost.

Note that there are a few cases where this might not apply, like Michael Hayden (former head) and Stewart Baker (former chief lawyer). Presumably, these guys have such close ties with insiders that they can coordinate messaging. But they are exceptions, not the rule.

The idea of “conflict of interest” is a fallacy because it works both ways. You’d expect employees of the NSA to like the NSA. But at the same time, you’d expect that those who like the NSA would also seek a job at the NSA. Thus, it’s likely they sincerely like the NSA, and not just because they are paid to do so.

This applies even to Edward Snowden himself. In an interview, he said of the NSA “These are good people trying to do hard work for good reasons”. He went to work for the intelligence community because he believed in their mission, that they were good people. He leaked the information because he felt the NSA overstepped their bounds, not because the mission of spying for your country was wrong.

If the “conflict of interest” fallacy were correct, then it would apply to The Intercept as well, whose entire purpose is to fan the flames of outrage over the NSA. If the conflict of interest about NSA contractors is a matter of public concern, then so is the amount Glenn Greenwald is getting paid for his stash of Snowden secrets, and how much Snowden gets paid living in Russia.

The reality is this. Those who attack the NSA, like The Intercept, are probably sincere in their attacks. Likewise, those who defend the NSA are likely sincere in their defense.

As the book To Kill a Mockingbird said, you don’t truly know somebody until you’ve walked a mile in their shoes. Many defend the NSA simply because they’ve walked a mile in the NSA’s shoes. I say this from my own personal perspective. True, I often attack the NSA, because I agree with Snowden that surveillance has gone too far. But at the same time, again like Snowden, I feel they’ve been unfairly demonized — because I’ve seen them up close and personal. In the intelligence community, it’s the NSA who takes civil rights seriously, and it’s organizations like the DEA, ATF, and FBI that’ll readily stomp on your rights. We should be hating these other organizations more than the NSA.

It’s those like The Intercept who are the questionable bigots here. They make no attempt to see things from another point of view. As a technical expert, I know their stories based on Snowden leaks are often bunk — exploited to trigger rage with little interest in understanding the truth.

Stewart Baker and Michael Hayden are fascist pieces of crap who want a police state. That doesn’t mean their arguments are always invalid, though. They know a lot about the NSA. They are worth considering, even if wrong.

Errata Security: Some notes on why crypto backdoors are unreasonable

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Today, a congressional committee held hearings about ‘crypto backdoors’ that would allow the FBI to decrypt text messages, phone calls, and data on phones. The thing to note about this topic is that it’s not anywhere close to reasonable public policy. The technical and international problems are unsolvable with anything close to the proposed policy. Even if the policy were reasonable, it’s unreasonable that law enforcement should be lobbying for it.


Crypto is end-to-end

The debate hinges on a huge fallacy, that it’s about regulating industry, forcing companies like Apple to include backdoors. This makes it seem like it’s a small law. The truth is that crypto is end-to-end. Apple sells a generic computer we hold in our hand. As a user, I can install any software I want on it — including software that completely defeats any backdoor that Apple would install. Examples of such software would be Signal and Silent Circle.

It seems reasonable that you could extend the law so that it covers any software provider. But that doesn’t work, because software is often open-source, meaning that anybody can build their own app from it. Starting from scratch, it would take me about six months to write my own app that would talk to other people using the ZRTP encryption standard.

Well, presumably if you couldn’t regulate the software on the phone, you could regulate a service in the Internet. That doesn’t work, either. Such services could be located in another country, because there are no real national borders in cyberspace. In any event, such services aren’t “phone” services, but instead just “contact” services. They let people find each other, but they don’t control the phone call. It’s possible to bypass such services anyway, by either using a peer-to-peer contact system, or overloading something completely different, like DNS.

Like crypto, the entire Internet is based on the concept of end-to-end, where there is nothing special inside the network that provides a service you can regulate.

The point is this. Forcing Apple to insert a “Golden Key” into the iPhone looks reasonable, but the truth is the problem explodes to something far outside of any sort of reasonableness. It would mean outlawing certain kinds of code — which is probably not possible in our legal system.
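To make the end-to-end point concrete, here is a toy model (added for this page; it is not code from the original post, from Apple, or from any real messenger) of a vendor messenger with a mandated key-escrow backdoor, and of a user who runs their own encryption on top of it. The cipher is a deliberately simple SHA-256 CTR keystream with an HMAC tag, the keys are pre-shared symmetric keys standing in for a real key exchange, and the escrow design (every message key also wrapped to the escrow holder’s key) is an assumption, since no specific design was proposed in the testimony. The point it shows is that the escrow holder recovers exactly the layer the vendor controls and nothing below it.

```python
"""Toy model: a vendor-side "golden key" reaches only the vendor's own layer.

Added example, not from the original post, Apple, or any messenger. Assumptions:
  - toy authenticated cipher built from SHA-256 (CTR keystream + HMAC tag);
    real software should use a vetted AEAD (AES-GCM, ChaCha20-Poly1305)
  - keys are symmetric and pre-shared, a stand-in for a real key exchange
  - the mandated backdoor is key escrow: each message key is also wrapped to
    the escrow holder's key (an assumed design, not one from the hearings)
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16
PLAINTEXT = b"meet at the usual place at nine"   # constructed demo message


def _subkey(key, label):
    # separate encryption and MAC keys derived from one shared key
    return hashlib.sha256(label + key).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; raise on any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class EscrowedMessenger:
    """The vendor's messenger with the mandated backdoor built in."""

    def __init__(self, escrow_key):
        self.escrow_key = escrow_key

    def send(self, peer_key, payload):
        msg_key = os.urandom(32)
        return {
            "key_for_peer": seal(peer_key, msg_key),
            "key_for_escrow": seal(self.escrow_key, msg_key),  # the golden key's way in
            "body": seal(msg_key, payload),
        }

    def receive(self, peer_key, packet):
        return unseal(unseal(peer_key, packet["key_for_peer"]), packet["body"])


def escrow_recover(escrow_key, packet):
    """What a warrant-backed request to the escrow holder yields."""
    return unseal(unseal(escrow_key, packet["key_for_escrow"]), packet["body"])


def exchange(user_layer):
    """Send PLAINTEXT through the escrowed messenger. With user_layer=True the
    sender first encrypts with a key only the two users hold (their own app).
    Returns (what the escrow holder recovers, what the recipient reads)."""
    escrow_key, peer_key, user_key = os.urandom(32), os.urandom(32), os.urandom(32)
    app = EscrowedMessenger(escrow_key)
    payload = seal(user_key, PLAINTEXT) if user_layer else PLAINTEXT
    packet = app.send(peer_key, payload)
    recovered = escrow_recover(escrow_key, packet)
    received = app.receive(peer_key, packet)
    if user_layer:
        received = unseal(user_key, received)
    return recovered, received


def tamper_is_detected():
    """A flipped ciphertext bit must be rejected, not silently decrypted."""
    key = os.urandom(32)
    blob = bytearray(seal(key, PLAINTEXT))
    blob[NONCE_LEN] ^= 0x01
    try:
        unseal(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for layer in (False, True):
        recovered, received = exchange(user_layer=layer)
        print(f"user layer={layer}: recipient reads {received!r}, "
              f"escrow holder sees {recovered[:16]!r}...")
```

Without the user layer the escrow holder reads the message; with it, the escrow holder gets back the user app’s ciphertext, and the vendor’s mandated key does nothing about that. Regulating the user’s app is the step the argument above says cannot be done.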

China and Russia want it, too

The problem with forcing Apple to give a “Golden Key” to the US government is that all governments will want such a key, too. This includes repressive regimes like China and Russia.

This risks balkanizing encrypted phone calls. The Internet knows no national borders. I regularly make calls around the world using encrypted voice apps like Signal. When each country passes backdoor laws, they’ll all do it differently, and they’ll all break. In some cases, it’ll be impossible to call another country with compatible software.

This will make travel difficult. Last time I was in Japan, I used Signal to call back to the United States, using the local wifi, purely to avoid roaming charges (not even caring that it was encrypted). This sort of thing would now be illegal, because while I might have the FBI’s Golden Keys installed on the phone, I wouldn’t have Japan’s. They would notice, and come arrest me.

Even if you could get all this worked out, standardizing things, making this automatic, you’ve now got a hundred countries with their finger in the pie. There’s no way to make this work.

China and Russia want it, too (part two)

The FBI’s testimony stressed that they would only use the Golden Key with a lawful warrant with full Fourth Amendment protections. So would the law enforcement agencies of China and Russia — only their lawful warrants include suppression of political dissent.

Here’s the deal: in the modern world where electronics are the only means of communication, crypto backdoors can make dissent nearly impossible. We saw that in the Soviet Union, where even things like copy machines were tightly controlled by the state.

Like it or not, the United States sets the agenda on freedom around the world. Our policy must be in support of strong crypto around the world, so that citizens can hide data from repressive governments. There is no way to have a backdoor for United States communications while opposing backdoors elsewhere.

Our country really isn’t trustworthy

The elephant in the room during today’s testimony is that our government really isn’t as trustworthy as we’d like. It’s more than just the Snowden revelations of mass surveillance of phone records.

Law enforcement used “Stingray”-like devices over 100,000 times last year to intercept mobile phones. Yet, this was challenged in court zero times. Most of the time they hide from defendants that Stingrays were even used, and in the few cases where defendants challenged them, they simply dropped the case rather than expose their use.

As the congressional probing demonstrated, the FBI is gathering everyone’s cell location records all the time. While they don’t know your exact location, they do know within a few blocks. Again, this is all secret, and not accountable to the public.

The United States jails 10 times more of its people (as a percentage) than other free countries, more even than China or Russia. With 5% of the world’s population, we have 30% of the world’s prisoners behind bars. A big piece of Hillary Clinton’s 2016 platform is getting these people out of jail. It’s also important to the Koch brothers (the other side of the political spectrum); they recently removed criminal background questions from application forms for their companies.

We have a long way to go to reform law enforcement in this country. It’s not reasonable at this time to give them vast new powers that totalitarian regimes drool over.

It’s improper for them to ask

Today’s testimony by the FBI and the DoJ discussed the tradeoffs between privacy and protection. Victims of crimes, those who get raped and murdered, deserve to have their killers brought to justice. That criminals get caught dissuades crime. Crypto makes prosecuting criminals harder.

That’s all true, and that’s certainly the argument victim rights groups should make when lobbying government. But here’s the thing: it’s not the FBI’s job to care. We, the people, make the decision about these tradeoffs. It’s solely we, the people, who are the constituents lobbying congress. The FBI’s job is to do what we tell them. They aren’t an interested party. Sure, it’s their job to stop crime, but it’s also their job to uphold rights. They don’t have an opinion, by definition, which one takes precedence over the other — congress makes that decision.

Yet, in this case, they do have an opinion. The only reason the subcommittee held hearings today is in response to the FBI lobbying for backdoors. Even if this issue were reasonable, it’s not reasonable that the FBI should lobby for it.

Conclusion

I’m a big fan of the idea that reasonable people can disagree, that there are two sides to every debate. This applies to even rancorous debates like abortion and global warming. On many issues, I defend the reasonableness of the opposing side: while I disagree with their policy, I agree that it’s not unreasonable. I point this out to stress the fact that I’m not calling this policy unreasonable simply because I disagree with it.

It’s not merely a matter of forcing Apple to provide the FBI a Golden Key, because users would still encrypt anyway, and Russia would want their own Golden Key. Solving those problems means a public policy that looks nothing like the original one proposed. While it’s reasonable for the people to bring up the subject, it’s wholly unreasonable for the FBI. They serve us, they should stop acting like we serve them.

Schneier on Security: “Hinky” in Action

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In Beyond Fear I wrote about trained officials recognizing “hinky” and how it differs from profiling:

Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car’s trunk, even though he was wanted by the Canadian police. On the other side of the Strait of Juan de Fuca, at Port Angeles, Washington, Ressam was approached by U.S. customs agent Diana Dean, who asked some routine questions and then decided that he looked suspicious. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” More questioning — there was no one else crossing the border, so two other agents got involved — and more hinky behavior. Ressam’s car was eventually searched, and he was finally discovered and captured. It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But the system worked. The reason there wasn’t a bombing at LAX around Christmas in 1999 was because a knowledgeable person was in charge of security and paying attention.

I wrote about this again in 2007:

The key difference is expertise. People trained to be alert for something hinky will do much better than any profiler, but people who have no idea what to look for will do no better than random.

Here’s another story from last year:

On April 28, 2014, Yusuf showed up alone at the Minneapolis Passport Agency and applied for an expedited passport. He wanted to go “sightseeing” in Istanbul, where he was planning to meet someone he recently connected with on Facebook, he allegedly told the passport specialist.

“It’s a guy, just a friend,” he told the specialist, according to court documents.

But when the specialist pressed him for more information about his “friend” in Istanbul and his plans while there, Yusuf couldn’t offer any details, the documents allege.

“[He] became visibly nervous, more soft-spoken, and began to avoid eye contact,” the documents say. “Yusuf did not appear excited or happy to be traveling to Turkey for vacation.”

In fact, the passport specialist “found his interaction with Yusuf so unusual that he contacted his supervisor who, in turn, alerted the FBI to Yusuf’s travel,” according to the court documents.

This is what works. Not profiling. Not bulk surveillance. Not defending against any particular tactics or targets. In the end, this is what keeps us safe.

The Hacker Factor Blog: There’s No Fool Like an April Fool

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I stopped celebrating “April Fools Day” many years ago. There’s always someone pulling an unfunny joke, someone trying to hide the fact that they fell for it, and someone who doesn’t get the joke — taking it way too seriously. And most of the gags I’ve seen really haven’t been funny. Moreover, people seem to be doing gags all the time; April Fools day just isn’t special anymore.

In the last two weeks, I have seen three computer security articles where people have just behaved like idiots. In one case, it’s the vendors. In another case, it’s the security researcher. And in the third case, it was law enforcement. With these news reports, I find it hard to believe that it isn’t April 1st.

Car Hacking

There are some things that people in the security community have known for years but have not been made public yet. The reason is usually that experts are working (or trying to work) with vendors to fix the problems. The bigger the problem, the longer it may take to fix. Whispers among small groups of people with the knowledge may go on for years before some problems are resolved. In many cases, the fixes are performed quietly since a public announcement will only benefit the bad guys during a slow roll-out. These are usually the cases where informing the public will educate criminals, without any viable solution for the public.

However, sometimes the vendors become non-responsive. That’s when vulnerabilities with no solution are often made public.

Earlier this month, news outlets reported on an upcoming security presentation about car hacking. Keep in mind, talks on car hacking have been going on for a decade. In this latest exploit, the attacker only needs a $20 amplifier that can fit in your hand to unlock your keyless-entry car. (Funny… the same exploit was discussed two years ago, when it only cost $5.)

Attacks against this keyless entry system have ranged from cracking the weak cryptography (2006) to record and playback attacks (2010).

So here’s the exploit (as detailed by various news outlets)… New keyless-entry cars just require the key near the car in order to unlock. What’s really happening is that the car is constantly sending out a cryptographic challenge over a wireless frequency to the key. The car uses a low power radio signal, so the key has to be very close to hear the challenge. If the key is near enough (usually within a few inches) then it hears the challenge, issues a response, and the car unlocks.

In this latest attack (which is actually from 2013), an amplifier just replays the car’s query louder. Rather than needing the key within a few inches, it can be a few hundred feet away and it will still respond. The amplifier hears the whispered response from the distant key and repeats it so the car can hear it. In the radio community, this is a basic radio repeater — it is technology that has been around for about a century. There’s no need for decryption and no interfering with the signal; the signal is just made louder so it has a larger range.
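The attack described above is easy to reason about in a small simulation. The following is an added example for this page, not code from the original post or from any car maker: it models a challenge/response fob with a truncated HMAC under a shared secret, a free-space radio link where a frame is heard only if `tx_power / distance²` clears a threshold, and an attacker repeater that re-transmits whatever it picks up at much higher power. Every constant (powers, ranges, the demo secret) is an assumption chosen for illustration. The model shows three things at once: the legitimate fob unlocks the car only when it is close, the repeater unlocks it from far away without touching the cryptography, and an attacker who does not have a fob in range still cannot forge a response.

```python
"""Toy model of the passive-keyless-entry relay attack described above.

Added example for this page; not code from the original post or any car maker.
Everything below is an assumption made for illustration:
  - the fob answers the car's random nonce with a truncated HMAC-SHA256 under a
    shared 128-bit secret
  - free-space propagation: received power = tx_power / distance**2, and a
    receiver only "hears" a frame at or above HEAR_THRESHOLD
  - the car's challenge is deliberately weak (a couple of metres); the fob's
    reply and the attacker's amplifier reach much further
"""
import hashlib
import hmac
import os

HEAR_THRESHOLD = 1.0
CAR_TX_POWER = 4.0             # challenge audible to about 2 m
FOB_TX_POWER = 2500.0          # reply audible to about 50 m
RELAY_TX_POWER = 1.0e6         # attacker's repeater: about 1 km
RELAY_GAP = 0.5                # attacker's radio sits half a metre from its target
DEMO_SECRET = bytes(range(16)) # constructed demo key; a real fob has a per-key secret


def transmit(payload, tx_power, distance):
    """Return payload if a receiver `distance` metres away hears it, else None."""
    received = tx_power / max(distance, 1.0) ** 2
    return payload if received >= HEAR_THRESHOLD else None


def response_for(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, secret, nonce_source=os.urandom):
        self.secret = secret
        self.nonce_source = nonce_source
        self.pending = None

    def challenge(self):
        self.pending = self.nonce_source(8)
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        ok = hmac.compare_digest(response_for(self.secret, self.pending), response)
        self.pending = None   # nonce is single-use: a recorded reply cannot be replayed
        return ok


class Fob:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, nonce):
        return response_for(self.secret, nonce)


def relay(payload, tx_power, distance):
    """Attacker's repeater: a radio RELAY_GAP metres from the sender picks the
    frame up and re-transmits it, bit for bit, at RELAY_TX_POWER."""
    picked_up = transmit(payload, tx_power, RELAY_GAP)
    if picked_up is None:
        return None
    return transmit(picked_up, RELAY_TX_POWER, distance)


def unlock_attempt(fob_distance, use_relay=False, secret=DEMO_SECRET):
    """Car at 0 m, legitimate fob at fob_distance m. True if the car unlocks."""
    car, fob = Car(secret), Fob(secret)
    nonce = car.challenge()
    heard = transmit(nonce, CAR_TX_POWER, fob_distance)
    if heard is None and use_relay:
        heard = relay(nonce, CAR_TX_POWER, fob_distance)
    if heard is None:
        return False
    reply = fob.respond(heard)
    back = transmit(reply, FOB_TX_POWER, fob_distance)
    if back is None and use_relay:
        back = relay(reply, FOB_TX_POWER, fob_distance)
    if back is None:
        return False
    return car.verify(back)


def forge_attempt(secret=DEMO_SECRET):
    """Attacker with no fob in range tries to answer the challenge itself."""
    car = Car(secret)
    nonce = car.challenge()
    guess = hashlib.sha256(nonce).digest()[:8]   # no secret, so this is only a guess
    return car.verify(guess)


if __name__ == "__main__":
    print("fob at 1 m, no relay:     ", unlock_attempt(1.0))
    print("fob at 30 m, no relay:    ", unlock_attempt(30.0))
    print("fob at 30 m, with relay:  ", unlock_attempt(30.0, use_relay=True))
    print("fob at 2 km, with relay:  ", unlock_attempt(2000.0, use_relay=True))
    print("forged reply, no fob:     ", forge_attempt())
```

Note what the relay never does: it does not decrypt, modify, or replay anything; the nonce is fresh and the HMAC is valid because the real fob computed it. That is why stronger cryptography on the same protocol does not help. The check a real system needs is on distance rather than on the bits, which this model deliberately leaves out.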

There comes a point when vendors fail to fix a problem and it must be made public. This usually happens when bad guys are actively using the exploit. Making these details public won’t help the bad guys, since they already know about it. But public disclosure will inform the public and force legal repercussions onto the vendors.

In this case, the bad guys clearly know about this. Back in 2013, police announced that they were stumped by some car thefts. They included a video where the criminals walk up to the car, hold a small device in their hand, and the car unlocks. This happened outside a residence, where we can assume the key was probably less than a hundred feet from the car. (If the car doesn’t unlock, then the key is probably too far away to hear the amplified signal.)

When I first heard of the car break-ins (in 2013) I started asking around. The exploit had been known to some people in the security community for over a year. They had been trying to get the vendors to address the problem. It is no surprise to me that someone would make the details public years later, since vendors are still rolling out the same keyless entry system in even more vehicles.

Airplane Hacking

While I may be critical of them, I have a lot of respect for the Electronic Frontier Foundation. They stand up for computer security researchers, challenge governments and corporations that violate our digital freedoms, and advise us on ways to stay safe online. However, sometimes I question the battles that the EFF is willing to fight…

Last week, security researcher Chris Roberts was detained by the FBI. He had been planning to speak at the upcoming RSA conference on airplane insecurity (how to hack airplanes while sitting in coach). The FBI confiscated his equipment but eventually released him. However, that wasn’t the end of it…

On his way to the conference, United Airlines refused to let him board the plane. Roberts was lucky to get on a different airline in order to make it to the conference. According to the EFF:

Our client, Chris Roberts, a founder of the security intelligence firm One World Labs, found himself detained by the FBI earlier this week after tweeting about airplane network security during a United Airlines flight. When Roberts landed in Syracuse, he was questioned by the FBI, which ultimately seized a number of his electronic devices. EFF attorneys now represent Roberts, and we’re working to get his devices back promptly. But unfortunately last week’s tweet and FBI action isn’t the end of the story.

Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.

Reading the report from the EFF, one would think that the FBI and United Airlines were trying to stop the presentation, hinder his freedom of speech, and enforce security by obscurity. However, the EFF left out one major detail: Roberts had tweeted a threat to the airlines.

https://twitter.com/Sidragon1/status/588433855184375808

In this tweet, Roberts explicitly listed attacks he could do on the airplane.

Keep in mind, talking about how to make bombs in an airport, how to shoot up a school, or how to take down an airplane before getting on a plane is still plotting to kill people. Even if said as a joke (not funny) or if he had no real intent.

I’m not an attorney, but it should be obvious that Freedom of Speech does not give you the freedom to cause panic or harm. As ruled in Schenck v. United States (249 U.S. 47, 1919), the First Amendment does not allow you to cause panic by shouting fire in a crowded theater. Tweeting about ways to take down an airplane that you are about to board seems no different to me.

Chris Roberts even knew that these actions were likely illegal, as he tweeted in follow-ups:

Frankly, I’m surprised that the FBI let him go. And I don’t blame United Airlines for exercising their right to refuse service to someone who threatened the safety of their airline.

Do I think the airlines have a security problem that needs to be addressed? Definitely. Do I think that the airline manufacturers and network providers (e.g., Boeing and Cisco) are intentionally ignoring the problem? Yes. Do I think Chris Roberts should give his presentation? Absolutely. But I also think Roberts was a dumb-ass for tweeting his “joke”.

In the case of Roberts, I doubt that anyone would have interfered with him if he did not tweet his joke. I’m looking forward to hearing how the EFF plans to defend this type of threatening speech that was clearly intended to cause panic.

Felony for an 8th Grader

Less than two weeks ago, the Tampa Bay Times reported on an eighth-grader at Paul R. Smith Middle School in Holiday, Florida. The kid had used the teacher’s computer and pulled a prank; he “changed the background image on a teacher’s computer to one showing two men kissing.” The kid was charged with “offense against a computer system and unauthorized access, a felony.”

(Note: Even though news articles repeatedly mention his name, I’m not naming the kid here because he is a minor.)

The article even quotes Sheriff Chris Nocco: “Even though some might say this is just a teenage prank, who knows what this teenager might have done.” To this, I feel that I need to personally respond to the sheriff…

Dear Sheriff Nocco:

Changing a background picture is not the same as stealing cars or threatening to take down airplanes. It’s a prank and nobody got hurt — except the kid, who is probably scarred for life. If you do not see the difference between changing a background picture and the threats dreamed up by your wild imagination, then you need to take some technology courses. And if you cannot see the difference between a prank and a threat, then you need to choose a new occupation.

The article mentions a lot of details about this case. I hope that the kid’s attorney is focusing on these items:

  • The article says that the kid “logged onto the school’s network on March 31 using an administrative-level password without permission.” If he had the password, then he had permission. He did not hack the system; he used it as it was designed.
  • The article says that this happened on March 31 and that the teacher was out that day. This means that the teacher would see it the next day, on April 1st (April Fools Day). This goes along with it being a harmless prank.
  • “One of the computers [the kid] accessed also had encrypted 2014 FCAT questions stored on it, though the sheriff and Pasco County School District officials said [the kid] did not view or tamper with those files.” If the kid did not attempt to access, view, or tamper with those files, then this clearly goes toward the kid’s intent as a prank and not anything malicious.
  • The kid was interviewed at his home and mentioned that ‘students would often log into the administrative account to screen-share with their friends’. (I’m quoting the Tampa Bay Times and not the kid’s actual words.) This shows that using the administrative account was common practice and acceptable behavior. If it wasn’t acceptable, then the administrators would have stopped this behavior before the kid changed the background.
  • The Tampa Bay Times noted that the kid discovered the password by watching the teacher type it in. The purpose of a classroom is for a teacher to show students new concepts. If the teacher showed any student how to login, then the child clearly learned well in this classroom environment.
  • The most startling part is where the Tampa Bay Times wrote, “It was a well-known trick … because the password was easy to remember: a teacher’s last name.” *sigh* At least the password wasn’t “abcde” — like some voting machines in Virginia. If someone intentionally chooses a weak password, then it implies that someone thinks that the system does not need to be secured. Simple patterns (“abcde”, “12345”, etc.), common words (“password”), and personal names have topped the lists of bad password choices for decades.

If the kid gets a felony for this, then the teacher should get life. I’m not an attorney and I can easily see that the teachers (both the regular teacher and the substitute) should be charged with Contributing to the Delinquency of a Minor, Attractive Nuisance, and Child Neglect. In particular, the child was left alone with the teacher’s computer after being shown how to login to it. I’m sure an attorney could come up with even more charges.

The EFF pointed out some of these issues in their own report. The EFF describes the Florida law as using “overbroad and insensible language” and being applied arbitrarily. They also point out that the “school had terrible operational security where weak passwords, teachers entering passwords in front of students, and students regularly using teacher credentials, was prevalent.”

The news article ends with a warning from Sheriff Nocco: “If information comes back to us and we get evidence (that other kids have done it), they’re going to face the same consequences.”

In my opinion, Sheriff Nocco is an idiot. You don’t charge an inquisitive child with a felony for a harmless prank. The child should get off with nothing more than a reprimand. And if he is this creative and this tech savvy, then he should be placed in an environment that nurtures and directs his talents toward a beneficial outcome. (Why not have the kids suggest how to strengthen the school’s computer security, since clearly the teachers do not know.) In contrast, the teacher and the school should face heavy repercussions for failing to provide a safe environment for these children, failing to secure their computer systems, and failing to provide adequate guidance. And Sheriff Nocco should take an early retirement before he gets charged with something more serious, like restricting the child’s creative outlet (a First Amendment violation).

Not Joking

It is long after April 1st, but we still have people acting like idiots. Car vendors should have acted upon these exploits when they learned of the risks. Security researchers should not make jokes about technologies that put life in danger. And law officers should not treat pranks as felonies. On the Internet, every day seems like April Fools’ Day.

Schneier on Security: Hacker Detained by FBI After Tweeting About Airplane Software Vulnerabilities.

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is troubling:

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

Yes, the real issue here is the chilling effect on security research. Security researchers pointing out security flaws is a good thing, and should be encouraged.

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still…

Slashdot thread. Hacker News thread.

Schneier on Security: Counting the US Intelligence Community Leakers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s getting hard to keep track of the US intelligence community leakers without a scorecard. So here’s my attempt:

  • Leaker #1: Chelsea Manning.
  • Leaker #2: Edward Snowden.
  • Leaker #3: The person who leaked secret documents to Jake Appelbaum, Laura Poitras, and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. This might be the “high-ranking NSA employee in Germany” from this story — or maybe that’s someone else entirely.
  • Leaker #4: “A source in the intelligence community,” according to the Intercept, who leaked information about the Terrorist Screening Database, the “second leaker” from the movie Citizenfour. Greenwald promises a lot from him: “Snowden, at a meeting with Greenwald in Moscow, expresses surprise at the level of information apparently coming from this new source. Greenwald, fearing he will be overheard, writes the details on scraps of paper.” We have seen nothing since, though. This is probably the leaker the FBI identified, although we have heard nothing further about that, either.
  • Leaker #5: Someone who is leaking CIA documents.
  • Leaker #6: The person who leaked secret information about WTO spying to the Intercept and the New Zealand Herald. This isn’t Snowden; the Intercept is very careful to identify him as the source when it writes about the documents he provided. Neither publication gives any indication of how it was obtained. This might be Leaker #3, since it contains X-KEYSCORE rules.
  • Leaker #7: The person who just leaked secret information about the US drone program to the Intercept and Der Spiegel. This also might be Leaker #3, since there is a Germany connection. According to the Intercept: “The slides were provided by a source with knowledge of the U.S. government’s drone program who declined to be identified because of fears of retribution.” That implies someone new.

Am I missing anyone?

Harvard Law School professor Yochai Benkler has written an excellent law review article on the need for a whistleblower defense. And there’s this excellent article by David Pozen on why government leaks are, in general, a good thing. I wrote about the value of whistleblowers in Data and Goliath.

Way back in June 2013, Glenn Greenwald said that “courage is contagious.” He seems to be correct.

This post was originally published on the Lawfare blog.

Errata Security: Solidarity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The government’s zealous War on Hackers threatens us, the good hackers who stop the bad ones. They can’t tell the good witches from the bad witches. When members of our community get threatened by the system, we should probably do more to stand in solidarity with them. I mention this because many of you will be flying to SFO this coming week for the RSA Conference, which gives us an opportunity to show solidarity.

Today, a security researcher tweeted a joke while on a plane. When he landed, the FBI grabbed him and confiscated all his stuff. The tweets are here:


Chris Roberts’ area of research is embedded control systems like those on planes. It’s not that the FBI grabbed a random person on a plane; they grabbed him specifically because he’s a security researcher. He’s on the FBI’s radar (so to speak) for things like this Fox News interview.

I suggest we all start joke tweeting along these lines, from the airplanes, like:

DFW->SFO. Playing with airplane wifi. I hope the pilots enjoy the Rick Astely video playing on their EICAS system. 

LGA->SFO. Note to self. Don’t fuzz the SATCOM unit while on Twitter. Takes GoGo an hour to come back up. 

NRT->SFO. Yup, the IFE will grab corrupt MP3 from my iPhone and give a shell. I wonder if nmap will run on it. 

PDX->SFO. HackRF says there’s a strong 915 MHz qpsk 64k symbol/second signal. I wonder what’ll happen if I replay it.

The trick is to write jokes, not to actually threaten anything — like the original tweet above. Those of us with technical knowledge and skills should be free to express our humor without the FBI confiscating all our stuff when we land.


BTW, I know you can all steal in-flight WiFi easier than you can pay for it, but do pay for it :)

TorrentFreak: Microsoft Takes Pirated Windows NT 4.0 Source Code Offline

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In February 2004 large portions of Microsoft’s Windows 2000 and Windows NT 4.0 source code leaked onto the Internet.

In a statement issued at the time, Microsoft said the breach didn’t come from inside. The company worked closely with the FBI to track down the source but these efforts were fruitless.

Hoping to keep the leak under control, Microsoft also started issuing takedown notices to sites and P2P file-sharers, urging them to stop offering the code.

However, once something leaks onto the Internet it’s pretty much impossible to remove it for good. Even today, several NT 4.0 copies are still floating around in the dark corners of the web.

Up until a few days ago there was even a copy hosted on the popular developer platform GitHub. Posted by “njdragonfly”, the leaked source code had been available there since 2011.

Microsoft initially didn’t spot the infringing copy but it recently took action by sending GitHub a DMCA takedown notice.

Microsoft’s takedown notice

“We have received information that the domain listed above, which appears to be on servers under your control, is offering unlicensed copies of, or is engaged in other unauthorized activities relating to, copyrighted works published by Microsoft Corporation,” the company writes.

The notice proved to be successful. A few hours after its arrival the repository was made inaccessible. Those who try to access it now are redirected to GitHub’s standard takedown page.

While it’s understandable that Microsoft doesn’t want its source code out in the open, it’s not as much of a security threat as it was a decade ago. Today, more than 10 years after it was first published, pretty much all exploits have been patched.

That said, it’s worth noting that after all these years Microsoft is still trying to contain the leak. But perhaps that’s just for sentimental value.

Windows NT 4.0

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Alternatives to the FBI’s Manufacturing of Terrorists

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

John Mueller suggests an alternative to the FBI’s practice of encouraging terrorists and then arresting them for something they would never have planned on their own:

The experience with another case can be taken to suggest that there could be an alternative, and far less costly, approach to dealing with would-be terrorists, one that might generally (but not always) be effective at stopping them without actually having to jail them.

It involves a hothead in Virginia who ranted about jihad on Facebook, bragging about how “we dropped the twin towers.” He then told a correspondent in New Orleans that he was going to bomb the Washington, D.C. Metro the next day. Not wanting to take any chances and not having the time to insinuate an informant, the FBI arrested him. Not surprisingly, they found no bomb materials in his possession. Since irresponsible bloviating is not illegal (if it were, Washington would quickly become severely underpopulated), the police could only charge him with a minor crime — making an interstate threat. He received only a good scare, a penalty of time served and two years of supervised release.

That approach seems to have worked: the guy seems never to have been heard from again. It resembles the Secret Service’s response when they get a tip that someone has ranted about killing the president. They do not insinuate an encouraging informant into the ranter’s company to eventually offer crucial, if bogus, facilitating assistance to the assassination plot. Instead, they pay the person a Meaningful Visit and find that this works rather well as a dissuasion device. Also, in the event of a presidential trip to the ranter’s vicinity, the ranter is visited again. It seems entirely possible that this approach could productively be applied more widely in terrorism cases. Ranting about killing the president may be about as predictive of violent action as ranting about the virtues of terrorism to deal with a political grievance. The terrorism cases are populated by many such ranters — indeed, tips about their railing have frequently led to FBI involvement. It seems likely, as apparently happened in the Metro case, that the ranter could often be productively deflected by an open visit from the police indicating that they are on to him. By contrast, sending in a paid operative to worm his way into the ranter’s confidence may have the opposite result, encouraging, even gulling, him toward violence.

TorrentFreak: Major Labels Sue Music Leaker After FBI Investigation

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

If there is one issue guaranteed to incense recording labels and artists alike it’s the premature public availability of pre-release music.

Over the years leaks from popular artists have featured in countless online piracy cases, painted by the labels as some of the most damaging forms of unauthorized distribution.

While some believe that leaks are useful for creating buzz, labels often argue that availability amounts to unfair competition and the undermining of an artist’s decision as to when and where content should be heard.

Pre-release leaks can happen anywhere in the supply chain, usually towards the retail environment, but a case set to be heard next month is unusual in several respects, not least the point at which the music was obtained.

Between 2010 and 2013 it’s alleged that unreleased music began leaking from industry-affiliated email accounts based in the United States. Tracks from some of the world’s biggest stars were targeted, including those from Nicki Minaj, Chris Brown and Mary J Blige.

It’s claimed that the music began turning up in public after being sold to DJs worldwide, events which heralded the involvement of the FBI and a trail to Sweden.

“In the United States an investigation was launched into the stolen songs. The tracks led to Sweden through bank accounts and IP addresses. Therefore, we were contacted,” says prosecutor Fredrik Ingblad.

Further investigation led Swedish authorities to a 25-year-old local man who is said to have hacked the email accounts, obtained the music, and sold it on for a profit.

“He hacked into the email accounts and got hold of unreleased songs, and songs that might have never been released. That makes this case unusual,” Ingblad adds.

The prosecution claims that the man, who denies the charges, made around $12,000 from sales of the tracks. He will go on trial in Sweden next month and will face fines and up to two years in prison. Labels including Sony, Warner and Universal are suing the man and will be seeking damages.

Errata Security: Stop making the NSA the bogeyman of privacy

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Snowden is my hero, but here’s the thing: the NSA is the least of our worries. Firstly, their attention is foreign, not domestic. Secondly, they are relatively uncorrupt. Our attention should be focused on the corrupt domestic law-enforcement agencies, like the ATF, DEA, and FBI.

I mention this because a lot of people seem concerned that the “cyber threat sharing” bills in congress (CISA/CISPA) will divulge private information to the NSA. This is nonsense. The issue is private information exposed to the FBI and other domestic agencies. It’s the FBI, ATF, or DEA that will come break down your door and arrest you, not the NSA.
We saw this recently when the DEA (Drug Enforcement Administration) was caught slurping up international phone records going back to the 1990s. This appears as bad as the NSA phone records program that started the Snowden disclosures.

I know the FBI is corrupt because I’ve experienced it personally, when they threatened me in order to suppress a conference talk. We know they are corrupt in the way they hide cellphone interception devices (“stingray”) from public disclosure. We know they are corrupt because their headquarters is named after J. Edgar Hoover, the notoriously corrupt head of the FBI during much of the last century.

For all that the FBI is horrid, the DEA and the ATF are worse. These are truly scary police-state style agencies which we allow to operate only because their focus is so narrow. Every gun store owner I know has stories of obviously dodgy characters trying to buy guns who they are certain are actually ATF agents doing “sting” operations. One of the many disturbing elements of the “fast and furious” ATF scandal is how they strong-armed gun store owners into complying.

In any case, even if you hate the NSA the most, the NSA’s frightening ability to monitor everything outside the United States means they probably don’t need the domestic “cyber threat information”.

My point is this: stop making the NSA the bogeyman of privacy. Domestic agencies, namely the FBI, are a far greater danger.

Schneier on Security: Lone-Wolf Terrorism

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Southern Poverty Law Center warns of the rise of lone-wolf terrorism.

From a security perspective, lone wolves are much harder to prevent because there is no conspiracy to detect.

The long-term trend away from violence planned and committed by groups and toward lone wolf terrorism is a worrying one. Authorities have had far more success penetrating plots concocted by several people than individuals who act on their own. Indeed, the lone wolf’s chief asset is the fact that no one else knows of his plans for violence and they are therefore exceedingly difficult to disrupt.

[…]

The temptation to focus on horrific groups like Al Qaeda and the Islamic State is wholly understandable. And the federal government recently has taken steps to address the terrorist threat more comprehensively, with Attorney General Eric Holder announcing the coming reconstitution of the Domestic Terrorism Executive Committee. There has been a recent increase in funding for studies of terrorism and radicalization, and the FBI has produced a number of informative reports.

And Holder seems to understand clearly that lone wolves and small cells are an increasing threat. “It’s something that frankly keeps me up at night, worrying about the lone wolf or a group of people, a very small group of people, who decide to get arms on their own and do what we saw in France,” he said recently.

Jim Harper of the Cato Institute wrote about this in 2009 after the Fort Hood shooting.

Krebs on Security: FBI Warns of Fake Govt Sites, ISIS Defacements

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.

The public service announcement (PSA) coincides with a less public alert that the FBI released to its InfraGard members, a partnership between the FBI and private industry partners. That alert noted that several extremist hacking groups indicated they would participate in an operation dubbed #OpIsrael, which will target Israeli and Jewish Web sites to coincide with Holocaust Remembrance Day (Apr. 15-16).

“The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day,” the InfraGard alert notes. “These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.”

Experts say there may be no actual relationship between these defacements and Islamist militants. In any case, if you run a Web site powered by WordPress — or any other content management system (CMS) — please take a few moments today to ensure that the CMS itself is up-to-date with the latest patches, and apply all available fixes for any installed plug-ins.

The FBI also issued an unrelated PSA advising people to be wary of fake government Web sites set up to take advantage of search engine optimization techniques that try to get the sites listed prominently in search results when searching for government services online. The FBI explains the scam thusly:

“Victims use a search engine to search for government services such as obtaining an Employer Identification Number (EIN) or replacement social security card. The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website. The victim completes the required fraudulently posted forms for the government service they need. The victim submits the form online, believing they are providing their PII to government agencies such as the Internal Revenue Service, Social Security Administration, or similar agency based on the service they need.”

“Once the forms are completed and submitted, the fraudulent website usually requires a fee to complete the service requested. The fees typically range from $29 to $199 based on the government service requested. Once the fees are paid the victim is notified they need to send their birth certificate, driver’s license, employee badge, or other personal items to a specified address. The victim is then told to wait a few days to several weeks for processing.”

“By the time the victim realizes it is a scam, they may have had extra charges billed to their credit/debit card, had a third-party designee added to their EIN card, and never received the service(s) or documents requested. Additionally, all of their PII data has been compromised by the criminals running the websites and can be used for any number of illicit purposes. The potential harm gets worse for those who send their birth certificate or other government-issued identification to the perpetrator.”

The FBI advises consumers to use search engines or other websites to research the advertised services or person/company you plan to deal with. Search the Internet for any negative feedback or reviews on the government services company, their Web site, their e-mail addresses, telephone numbers, or other searchable identifiers. Fly-by-night scam Web sites often have little or no reputation — i.e., they haven’t been online that long. A simple WHOIS Web site registration record search will often reveal scam domains as just recently having been put online.
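The domain-age check the FBI advice points to, worked through over WHOIS records so that a freshly registered “government services” site stands out; this is an added example rather than Krebs’s or the FBI’s code, and the three records, the reserved `.test` domain names and the reference date of 7 April 2015 are all constructed.

```python
"""Domain-age triage over WHOIS records, the check the FBI advice above points
to: a 'government services' site registered days ago deserves suspicion. Added
example, not Krebs's or the FBI's code; the records, the reserved .test domain
names and the reference date are constructed for illustration."""
import re
from datetime import datetime, timezone

# Registrars label the creation date differently; match the common variants at
# the start of a line, capturing a date and an optional time on the same line.
_CREATION_LABELS = ("Creation Date", "Created On", "created",
                    "Registration Time", "Domain Registration Date")
_CREATION_RE = re.compile(
    r"^[ \t]*(?:" + "|".join(_CREATION_LABELS) + r")[ \t]*:[ \t]*(\S+(?:[ \t]+\S+)?)",
    re.IGNORECASE | re.MULTILINE,
)
# Date formats seen in the wild, tried in order; a bare date is also accepted.
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

# Constructed reference 'now' (the week of the FBI alert) so results are stable.
REFERENCE_NOW = datetime(2015, 4, 7, tzinfo=timezone.utc)


def parse_creation_date(whois_text: str):
    """Return the registration date as an aware UTC datetime, or None when the
    record has no recognisable creation field (privacy-redacted or thin WHOIS)."""
    m = _CREATION_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1).strip()
    for fmt in _DATE_FORMATS:
        for candidate in (raw, raw.split()[0]):
            try:
                return datetime.strptime(candidate, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None


def domain_age_days(whois_text: str, now: datetime = REFERENCE_NOW):
    """Whole days since registration, or None if the date is unknown."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def assess(whois_text: str, now: datetime = REFERENCE_NOW, min_age_days: int = 180) -> str:
    """'recent' if younger than min_age_days, 'established' otherwise, and
    'unknown' when no creation date parses (treat that as a warning too)."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown"
    return "recent" if age < min_age_days else "established"


# Constructed sample records in three registrar styles (placeholder domains).
SAMPLE_RECORDS = {
    "ein-filing-example.test": (
        "Domain Name: EIN-FILING-EXAMPLE.TEST\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2015-03-30T14:22:10Z\n"
        "Updated Date: 2015-03-30T14:22:10Z\n"
    ),
    "longstanding-example.test": (
        "domain:  longstanding-example.test\n"
        "created: 2003-05-01\n"
        "status:  ok\n"
    ),
    "opaque-example.test": (
        "Domain Name: OPAQUE-EXAMPLE.TEST\n"
        "Registrar: Privacy Shield LLC\n"
        "Registrant: REDACTED FOR PRIVACY\n"
    ),
}


def assess_all(records=SAMPLE_RECORDS, now=REFERENCE_NOW, min_age_days=180) -> dict:
    """Map each domain to (verdict, age_in_days) for a batch of records."""
    return {name: (assess(text, now, min_age_days), domain_age_days(text, now))
            for name, text in records.items()}


if __name__ == "__main__":
    for name, (verdict, age) in assess_all().items():
        print("%-28s %-12s %s" % (name, verdict,
                                  "age unknown" if age is None else "%d days" % age))
```

A record with no parseable creation date is reported as "unknown" rather than silently passed, since redacted or thin WHOIS output is itself worth a second look.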

Schneier on Security: The Eighth Movie-Plot Threat Contest

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s April 1, and time for another Movie-Plot Threat Contest. This year, the theme is Crypto Wars II. Strong encryption is evil, because it prevents the police from solving crimes. (No, really — that’s the argument.) FBI Director James Comey is going to be hard to beat with his heartfelt litany of movie-plot threats:

“We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?’”

[…]

“I’ve heard tech executives say privacy should be the paramount virtue,” Comey said. “When I hear that, I close my eyes and say, ‘Try to imagine what that world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.'”

(More Comey here.)

Come on, Comey. You might be able to scare noobs like Rep. John Carter with that talk, but you’re going to have to do better if you want to win this contest. We heard this same sort of stuff out of then-FBI director Louis Freeh in 1996 and 1997.

This is the contest: I want a movie-plot threat that shows the evils of encryption. (For those who don’t know, a movie-plot threat is a scary-threat story that would make a great movie, but is much too specific to build security policies around. Contest history here.) We’ve long heard about the evils of the Four Horsemen of the Internet Apocalypse — terrorists, drug dealers, kidnappers, and child pornographers. (Or maybe they’re terrorists, pedophiles, drug dealers, and money launderers; I can never remember.) Try to be more original than that. And nothing too science fictional; today’s technology or presumed technology only.

Entries are limited to 500 words — I check — and should be posted in the comments. At the end of the month, I’ll choose five or so semifinalists, and we can all vote and pick the winner.

The prize will be signed copies of the 20th Anniversary Edition of the 2nd Edition of Applied Cryptography, and the 15th Anniversary Edition of Secrets and Lies, both being published by Wiley this year in an attempt to ride the Data and Goliath bandwagon.

Good luck.

Errata Security: What ever it is, CISA isn’t cybersecurity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In the next couple months, Congress will likely pass CISA, the Cybersecurity Information Sharing Act. This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.

They did not consult us security experts when drafting this bill. If they had, we would have told them the idea doesn’t really work. Companies like IBM and Dell SecureWorks already have massive “cybersecurity information sharing” systems where they hoover up large quantities of threat information from their customers. This rarely allows them to prevent attacks as the CISA bill promises.

In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.

While CISA won’t prevent attacks, it will cause mass surveillance. Most of the information produced by countermeasures is in fact false-positives, triggering on innocent anomalies rather than malicious hackers. Your normal day-to-day activities on the Internet occasionally trigger these false-positives. When this information gets forwarded to law enforcement, it puts everyone in legal jeopardy. It may trigger an investigation, or it may just become evidence about you, for example, showing which porn sites you surf. It’s mass surveillance through random sampling.

That such mass surveillance is the goal is demonstrated by several clauses in the bill, such as how the information can be used in cases of sexual exploitation of minors. If CISA were about prevention, then it would be useless in such cases. But CISA isn’t about prevention, it’s about gathering information after the fact while prosecuting a crime.

Even if CISA could work, it would still be dampened by the fact that government is both incompetent and corrupt. The FBI and DHS do not have adequate technical expertise. We can see that from the incomplete and incorrect warnings they produce. That they are corrupt is demonstrated by the fact that whether something is a “cyber threat indicator” changes according to what is politically correct. Who receives the best information depends upon who is best politically connected. CISA even calls for loyalty oaths to the United States before the government will even consider sharing threat information. Conversely, the FBI today regularly threatens people to suppress them from sharing cyber threat information that would embarrass the politically connected.

I know all this because I’m one of the foremost experts in this field. I created BlackICE Guard, the first intrusion-prevention system (IPS). The IPS is one of the biggest producers of information the government wants to get their hands on. The IPS is also one of the biggest consumers of threat intelligence that government proposes sharing in the other direction. I have sat in the monitoring center gathering data from thousands of customers, and know from personal experience that it’s of limited value in preventing attacks. When I was favored by the FBI, I received special threat information others did not. When I was not in favor with the FBI, I received threats trying to stop me from embarrassing the politically connected.

In summary, CISA does not work. Private industry already has exactly the information sharing the bill proposes, and it doesn’t prevent cyber attacks as CISA claims. On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance. Even if it could work and privacy could be protected, CISA creates a corrupt system for the politically connected. This is a typical bad police state bill, and not one that anybody should take seriously as something that would stop hackers.

Krebs on Security: Premera Blue Cross Breach Exposes Financial, Medical Records

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are independent indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.

In a statement posted on a Web site set up to share information about the breach — premeraupdate.com — the company said that it learned about the attack on January 29, 2015. Premera said its investigation revealed that the initial attack occurred on May 5, 2014.

“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc,” the company said. Their statement continues:

“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.

“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems.  We also have no evidence to date that such data has been used inappropriately.”

Premera said it will be notifying affected customers in letters sent out via postal mail, and that it will be offering two years of free credit monitoring services through big-three credit bureau Experian.

ANOTHER STATE-SPONSORED ATTACK?

The health care provider said it is working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.

An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation.” “Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.

There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.

On Feb. 9, 2015, KrebsOnSecurity carried an exclusive story pointing to clues in the Anthem breach which suggested that the attackers blamed for that breach — a Chinese state-sponsored hacking group known variously as “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew” — began chipping away at Anthem’s defenses in late April 2014. The evidence revolved around an Internet address that researchers had tied to Deep Panda hacking activity, and that address was used to host a site called we11point.com (Anthem was previously known as Wellpoint prior to its corporate name change in late 2014).

As that story noted, Arlington, Va. based security firm ThreatConnect Inc. tied that Wellpoint look-alike domain to a series of targeted attacks launched in May 2014 that appeared designed to trick Wellpoint employees into downloading malicious software tied to the Deep Panda hacking gang.

On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.
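The character-replacement trick ThreatConnect describes (two “n” characters standing in for “m”, “11” standing in for “ll”) is easy to fold back out before comparing a domain against a brand list. The following is an added example, not code from the Krebs post or from ThreatConnect; the brand list, the confusable table and the proxy-style log lines are all constructed for illustration.

```python
# Brands to protect (assumption: the defender's own list, second-level labels only).
BRANDS = ["premera", "wellpoint", "anthem"]

# Visual substitutions folded back to the letter they imitate; applied in this order.
CONFUSABLES = [
    ("rn", "m"),   # "rn" reads as "m" in many sans-serif fonts
    ("nn", "m"),   # prennera.com -> premera.com (the case in the post)
    ("vv", "w"),
    ("1", "l"),    # we11point.com -> wellpoint.com (the case in the post)
    ("0", "o"),
]

def canonical(label):
    """Fold confusable sequences so a lookalike and its target compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def registrable_label(domain):
    """Label left of the TLD; accepts defanged input such as prennera[.]com."""
    parts = domain.lower().replace("[.]", ".").strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_for(domain, brands=BRANDS):
    """Return the brand a domain imitates, or None for the brand itself or an unrelated name."""
    label = registrable_label(domain)
    for brand in brands:
        if label != brand and canonical(label) == canonical(brand):
            return brand
    return None

def flag_lookalikes(log_lines):
    """Scan constructed proxy-style lines ('<ts> <client> <host>') and list (host, brand) hits."""
    hits = []
    for line in log_lines:
        host = line.split()[-1]
        brand = lookalike_for(host)
        if brand:
            hits.append((host, brand))
    return hits

# Constructed sample log lines, for demonstration only.
SAMPLE_LOG = [
    "2015-03-17T10:01:02Z 10.0.0.5 premera.com",
    "2015-03-17T10:01:09Z 10.0.0.7 login.prennera.com",
    "2015-03-17T10:02:11Z 10.0.0.9 we11point.com",
    "2015-03-17T10:03:40Z 10.0.0.5 example.org",
]
```

The brand’s own domain is deliberately not flagged; only a different label that folds to the same canonical form is reported.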

More on this story as it develops. Stay tuned.

Schneier on Security: Can the NSA Break Microsoft’s BitLocker?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Intercept has a new story on the CIA’s — yes, the CIA, not the NSA — efforts to break encryption. These are from the Snowden documents, and talk about a conference called the Trusted Computing Base Jamboree. There are some interesting documents associated with the article, but not a lot of hard information.

There’s a paragraph about Microsoft’s BitLocker, the encryption system used to protect MS Windows computers:

Also presented at the Jamboree were successes in the targeting of Microsoft’s disk encryption technology, and the TPM chips that are used to store its encryption keys. Researchers at the CIA conference in 2010 boasted about the ability to extract the encryption keys used by BitLocker and thus decrypt private data stored on the computer. Because the TPM chip is used to protect the system from untrusted software, attacking it could allow the covert installation of malware onto the computer, which could be used to access otherwise encrypted communications and files of consumers. Microsoft declined to comment for this story.

This implies that the US intelligence community — I’m guessing the NSA here — can break BitLocker. The source document, though, is much less definitive about it.

Power analysis, a side-channel attack, can be used against secure devices to non-invasively extract protected cryptographic information such as implementation details or secret keys. We have employed a number of publicly known attacks against the RSA cryptography found in TPMs from five different manufacturers. We will discuss the details of these attacks and provide insight into how private TPM key information can be obtained with power analysis. In addition to conventional wired power analysis, we will present results for extracting the key by measuring electromagnetic signals emanating from the TPM while it remains on the motherboard. We will also describe and present results for an entirely new unpublished attack against a Chinese Remainder Theorem (CRT) implementation of RSA that will yield private key information in a single trace.

The ability to obtain a private TPM key not only provides access to TPM-encrypted data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft’s Bitlocker encrypted metadata prevent software-level detection of changes to the BIOS.

Differential power analysis is a powerful cryptanalytic attack. Basically, it examines a chip’s power consumption while it performs encryption and decryption operations and uses that information to recover the key. What’s important here is that this is an attack to extract key information from a chip while it is running. If the chip is powered down, or if it doesn’t have the key inside, there’s no attack.
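The attack works because the exponentiations inside CRT-RSA run on attacker-visible input with a fixed secret exponent, so their power profile correlates with both. The usual software answer is blinding: randomise the operand and the exponent on every call so no trace, or set of traces, lines up with the real key. Below is an added example, not code from the post or the cited document, showing textbook CRT-RSA signing beside a blinded variant that produces the same signature; the primes are constructed toy values, and nothing on the page says which countermeasures the tested TPMs did or did not use.

```python
import secrets
from math import gcd

def make_key(p, q, e=65537):
    """Derive CRT private components from two primes (toy sizes; real keys are 2048-bit+)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def crt_combine(key, s1, s2):
    """Garner recombination of the two half-size results into s mod n."""
    h = (key["qinv"] * (s1 - s2)) % key["p"]
    return (s2 + h * key["q"]) % key["n"]

def crt_sign(key, m):
    """Plain CRT-RSA: each exponentiation runs on the attacker-visible input with a fixed
    secret exponent, so its power profile is correlated with both across many traces."""
    s1 = pow(m, key["dp"], key["p"])
    s2 = pow(m, key["dq"], key["q"])
    return crt_combine(key, s1, s2)

def blinded_crt_sign(key, m):
    """Same signature, computed on randomised operands. Message blinding (Kocher, 1996)
    removes the input correlation DPA needs; exponent blinding changes the bit pattern
    of the secret exponent on every call, so no single trace shows the real dp or dq."""
    n, e, p, q = key["n"], key["e"], key["p"], key["q"]
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:                  # r must be invertible mod n
        r = secrets.randbelow(n - 2) + 2
    blinded = (pow(r, e, n) * m) % n       # (r^e * m)^d = r * m^d  (mod n)
    k1, k2 = secrets.randbelow(1 << 32), secrets.randbelow(1 << 32)
    s1 = pow(blinded, key["dp"] + k1 * (p - 1), p)   # unchanged mod p by Fermat
    s2 = pow(blinded, key["dq"] + k2 * (q - 1), q)   # unchanged mod q by Fermat
    s = crt_combine(key, s1, s2)
    return (s * pow(r, -1, n)) % n         # strip the blinding factor r

def verify(key, m, s):
    """Public check that s is a valid raw RSA signature of m under this key."""
    return pow(s, key["e"], key["n"]) == m % key["n"]
```

Requires Python 3.8 or later for the three-argument pow with a negative exponent. Blinding does not change what the device outputs, which is why it can be retrofitted into an existing implementation without touching the protocol.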

I don’t take this to mean that the NSA can take a BitLocker-encrypted hard drive and recover the key. I do take it to mean that the NSA can perform a bunch of clever hacks on a BitLocker-encrypted hard drive while it is running. So I don’t think this means that BitLocker is broken.

But who knows? We do know that the FBI pressured Microsoft into adding a backdoor in BitLocker in 2005. I believe that was unsuccessful.

More than that, we don’t know.