Posts tagged ‘research’

lcamtuf's blog: Technical analysis of Qualys’ GHOST

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

This morning, a leaked note from Qualys’ external PR agency made us aware of GHOST. In this blog entry, our crack team of analysts examines the technical details of GHOST and makes a series of recommendations to better protect your enterprise from mishaps of this sort.


Figure 1: The logo of GHOST, courtesy of Qualys PR.

Internally, GHOST appears to be implemented as a lossy representation of a two-dimensional raster image, combining YCbCr chroma subsampling and DCT quantization techniques to achieve high compression rates; among security professionals, this technique is known as JPEG/JFIF. This compressed datastream maps to an underlying array of 8-bpp RGB pixels, arranged sequentially into a rectangular shape that is 300 pixels wide and 320 pixels high. The image is not accompanied by an embedded color profile; we must note that this poses a considerable risk that on some devices, the picture may not be rendered faithfully and that crucial information may be lost.

In addition to the compressed image data, the file also contains APP12, EXIF, and XMP sections totaling 818 bytes. This metadata tells us that the image has been created with Photoshop CC on Macintosh. Our security personnel note that Photoshop CC is an obsolete version of the application, superseded last year by Photoshop CC 2014. In line with industry best practices and OWASP guidelines, we recommend that all users urgently upgrade their copy of Photoshop to avoid exposure to potential security risks.

The image file modification date returned by the HTTP server at community.qualys.com is Thu, 02 Oct 2014 02:40:27 GMT (Last-Modified, link). The roughly 90-day delay between the creation of the image and the release of the advisory probably corresponds to the industry-standard period needed to test the materials with appropriate focus groups.

Removal of the metadata allows the JPEG image to be shrunk from 22,049 to 21,192 bytes (-4%) without any loss of image quality; enterprises wishing to conserve vulnerability-disclosure-related bandwidth may want to consider running jhead -purejpg to accomplish this goal.

Of course, all this mundane technical detail about JPEG images distracts us from the broader issue highlighted by the GHOST report. We’re talking here about the fact that the JPEG compression is not particularly suitable for non-photographic content such as logos, especially when the graphics need to be reproduced with high fidelity or repeatedly incorporated into other work. To illustrate the ringing artifacts introduced by the lossy compression algorithm used by the JPEG file format, our investigative team prepared this enhanced visualization:


Figure 2: A critical flaw in GHOST: ringing artifacts.

Artifacts aside, our research has conclusively shown that the JPEG format offers an inferior compression rate compared to some of the alternatives. In particular, when converted to a 12-color PNG and processed with pngcrush, the same image can be shrunk to 4,229 bytes (-80%):


Figure 3: Optimized GHOST after conversion to PNG.

PS. Tavis also points out that “>_” is not a standard unix shell prompt. We believe that such design errors can be automatically prevented with commercially-available static logo analysis tools.

PPS. On a more serious note, check out this message to get a sense of the risk your server may be at. Either way, it’s smart to upgrade.

TorrentFreak: Netflix Sees Popcorn Time As a Serious Competitor

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Popcorn Time app brought peer-to-peer streaming to a mainstream public last year.

Branded the “Netflix for Pirates” it became an instant hit by offering BitTorrent-powered streaming in an easy-to-use Netflix-style interface.

This was cause for concern for many Hollywood executives and Netflix itself is now also starting to worry. In a letter to the company’s shareholders Popcorn Time gets a special mention.

“Piracy continues to be one of our biggest competitors,” Netflix CEO Reed Hastings writes.

“This graph of Popcorn Time’s sharp rise relative to Netflix and HBO in the Netherlands, for example, is sobering,” he adds, referencing the Google trends data below showing Popcorn Time quickly catching up with Netflix.


While it’s a relatively small note, Hastings’ comments do mark a change in attitude for a company that previously described itself as a piracy killer.

Netflix’s CEO previously noted that piracy might even help the company, as many torrent users would eventually switch to Netflix as it offers a much better user experience.

“Certainly there’s some torrenting that goes on, and that’s true around the world, but some of that just creates the demand,” Hastings said last year.

“Netflix is so much easier than torrenting. You don’t have to deal with files, you don’t have to download them and move them around. You just click and watch,” he added.

The problem with Popcorn Time is that it’s just as easy as Netflix, if not easier. And in terms of recent movies and TV-shows the pirated alternative has a superior content library too.

A study published by research firm KPMG previously revealed that only 16% of the most popular and critically acclaimed films are available via Netflix and other on-demand subscription services.

While Netflix largely depends on the content creators when it comes to what content they can make available, this is certainly one of the areas where they have to “catch up.”

Despite the Popcorn Time concerns, business is going well for Netflix. The company announced its results for the fourth quarter of 2014 which resulted in $1.48 billion in revenue, up 26%, and a profit of $83 million.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Defending Against Liar Buyer Fraud

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s a common fraud on sites like eBay: buyers falsely claim that they never received a purchased item in the mail. Here’s a paper on defending against this fraud through basic psychological security measures. It’s preliminary research, but probably worth following up experimentally.

We have tested a collection of possible user-interface enhancements aimed at reducing liar buyer fraud. We have found that showing users in the process of filing a dispute that (1) their computer is recognized, and (2) that their location is known dramatically reduces the willingness to file false claims. We believe the reason for the reduction is that the would-be liars can visualize their lack of anonymity at a time when they are deciding whether to perform a fraudulent action. Interestingly, we also showed that users were not affected by knowing that their computer was recognized, but without their location being pin-pointed, or the other way around. We also determined that a reasonably accurate map was necessary — but that an inaccurate map does not seem to increase the willingness to lie.

TorrentFreak: Pirate MEP Proposes Major Reform of EU Copyright

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The idea of copyright is certainly not new and most countries worldwide have developed complex systems to ensure that it’s upheld, ostensibly to protect the rights of creators.

But with the unprecedented advancement of communications technology, especially in respect of the Internet, copyright frameworks often appear terribly outdated and unfit for purpose.

In 2015 the EU has its collective eyes on copyright reform and to this end has appointed an individual whose political party has more focus than most on the world of copyright.

Last November, Julia Reda, a politician for the German Pirate Party and member of the European Parliament, was tasked with producing a report on the implementation of the 2001 InfoSoc Directive.

Having already presented her plans during a meeting of the Legal Affairs Committee in December, this morning Reda released a first draft of her report. It will come as no surprise that the need for reform has been underlined.

“Although the directive was meant to adapt copyright to the digital age, in reality it is blocking the exchange of knowledge and culture across borders today,” Reda’s core finding reads.

The report draws on responses to a public consultation and lays out a reform agenda for the overhaul of EU copyright. It finds that the EU would benefit from a copyright mechanism that not only protects past works, but also encourages future creation and the unlocking of a pan-European cultural market.

“The EU copyright directive was written in 2001, in a time before YouTube or Facebook. Although it was meant to adapt copyright to the digital age, in reality it is blocking the exchange of knowledge and culture across borders today,” Reda explains.

“We need a common European copyright that safeguards fundamental rights and makes it easier to offer innovative online services in the entire European Union.”

The draft (pdf) acknowledges the need for artistic works to be protected under law and calls for improvements in the positions of authors and performers “in relation to other rightholders and intermediaries.”

The document recommends that public sector information should be exempt from copyright protection and calls on the Commission to safeguard public domain works while recognizing rightsholders’ freedom to “voluntarily relinquish their rights and dedicate their works to the public domain.”

Copyright lengths are also tackled by Reda, who calls on the Commission to harmonize the term to a duration that does not exceed the current international standards set out in the Berne Convention.

On Internet hyperlinking the report requests that citizens are allowed to freely link from one resource to another and calls on the EU legislator “to clarify that reference to works by means of a hyperlink is not subject to exclusive rights, as it does not consist in a communication to a new public.”

The document also calls for new copyright exceptions to be granted for research and educational purposes to not only cover educational establishments, but “any kind of educational and research activities, including non-formal education.”

Also of interest is Reda’s approach to transparency. Since being appointed, Reda says she’s received 86 meeting requests from lobbyists. As can be seen from the chart below, requests increased noticeably after the Pirate was named as rapporteur in November 2014.


“I did my best to balance out the attention paid to various interest groups. Most requests came from publishers, distributors, collective rights organizations, service providers and intermediaries (57% altogether), while it was more difficult to get directly to the group most often referred to in public debate: The authors,” Reda explains.

“The results of the copyright consultation with many authors’ responses demonstrate that the interests of collecting societies and individual authors can differ significantly.”

Reda has published a full list of meetings that took place. It includes companies such as Disney and Google, and ‘user’ groups such as the Free Software Foundation Europe.

“Tomorrow morning around 9 I’m going to publish my report on EU #copyright, discussion in legal affairs committee on Tuesday,” Reda reported a few minutes ago.

The final report will be put to an April vote in the Legal Affairs Committee and then to a vote before the entire Parliament during May.


TorrentFreak: IFPI Targets ‘Pirate’ Domains With New Site Blocking Law

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Domain blocking is now firmly established as one of the entertainment industries’ go-to methods for reducing online copyright infringement. Its use is widespread around Europe by both the music and movie sector.

In Europe the most important legal decision was announced in March last year when the Court of Justice of the European Union confirmed that EU ISPs can be required to block access to sites engaged in copyright infringement.

Elsewhere, individual countries are making their own decisions on how to move forward. Last July, Singapore legislators approved the Copyright Amendment Bill which allows copyright holders to obtain High Court orders forcing local service providers to block “flagrantly infringing” websites. Now, six months on, entertainment companies are ready to launch their first tests.

IFPI regional director Ang Kwee Tiang confirmed that the music group will initially target three to five “infringing sites” over the next two months.

“We are now actively looking into exercising this in the future,” he said.

The sites to be targeted have not yet been revealed but it’s always been the understanding that The Pirate Bay would be tackled first. The site’s reputation as the “worst-of-the-worst” allows entertainment companies to present a relatively straightforward case to the courts. The rising number of blocking orders already granted elsewhere only adds to the mix.

“Now, The Pirate Bay has more than 6 million links. We take the screenshots and we show that these are not licensed. We’re going to show that The Pirate Bay has been blocked in nine or 10 different countries. I think that will be very convincing for our cause,” Ang said.

However, with The Pirate Bay currently down, it’s possible that other targets will have to be selected in the first batch. Ang confirms that evidence is still being collated but he’s confident that a successful blockade will help to reduce piracy.

“I divide (consumers) 80 to 20 – 80 per cent are average consumers, if they cannot get it easily and if a legal site offers it, they may go for the legal site,” he said.

“The committed pirate is like a committed criminal. They will search for ways to circumvent. But once we have the website blocking, then we are free to tackle the 20 per cent.”

The driving force behind the site blocking phenomenon can be found in the entertainment companies of the United States but following the SOPA debacle public discussion to progress site blocking has been fairly muted. That doesn’t mean nothing has been happening, however.

In December it was revealed that behind closed doors the MPAA has been working hard to bring site blocking to the United States. Whether those aims will still be progressed following the somewhat embarrassing leaks will remain to be seen, but it’s likely the movie group won’t be steered off course for long.

Overall, Hollywood definitely sees blocking as an important anti-piracy tool. The practice is endorsed by none other than MPAA chief Chris Dodd and internal MPAA research has found it to be effective.


Errata Security: A Call for Better Vulnerability Response

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.

Ten years ago, Microsoft dominated the cybersecurity industry. It employed, directly or through consultancies, the largest chunk of security experts. The ability to grant or withhold business meant influencing those consulting companies — Microsoft didn’t even have to explicitly ask for consulting companies to fire Microsoft critics for that to happen. Every product company depended upon Microsoft’s goodwill in order to develop security products for Windows, engineering and marketing help that could be withheld on a whim.

This meant, among other things, that Microsoft dictated the “industry standard” of how security problems (“vulnerabilities”) were reported. Cybersecurity researchers who found such bugs were expected to tell the vendor in secret, and give the vendor as much time as they needed in order to fix the bug. Microsoft sometimes sat on bugs for years before fixing them, relying upon their ability to blacklist researchers to keep them quiet. Security researchers who didn’t toe the line found bad things happening to them.

I experienced this personally. We found a bug in a product called TippingPoint that allowed us to decrypt their “signatures”, which we planned to release at the BlackHat hacker convention, after giving the vendor months to fix the bug. According to rumors, Microsoft had a secret program with TippingPoint with special signatures designed to track down cybercriminals. Microsoft was afraid that if we disclosed how to decrypt those signatures, that their program would be found out.

Microsoft contacted our former employer, ISS, which sent us legal threats. Microsoft sent FBI agents to threaten us in the name of national security. A Microsoft consultant told the BlackHat organizer, Jeff Moss, that our research was made up, that it didn’t work, so I had to sit down with Jeff at the start of the conference to prove it worked before I was allowed to speak.

My point is that a decade ago in the cybersecurity industry, Microsoft dictated terms.

Today, the proverbial shoe is on the other foot. Microsoft’s products are now legacy, so Windows security is becoming as relevant as IBM mainframe security. Today’s cybersecurity researchers care about Apple, Google Chrome, Android, and the cloud. Microsoft is powerless to threaten the industry. It’s now Google who sets the industry’s standard for reporting vulnerabilities. Their policy is that after 90 days, vulnerabilities will be reported regardless of whether the vendor has fixed the bug. This applies even to Google itself when researchers find bugs in products like Chrome.

This is a nasty trick, of course. Google uses modern “agile” processes to develop software. That means that after making a change, the new software is tested automatically and shipped to customers within 24 hours. Microsoft is still mired in antiquated 1980s development processes, so that it takes three months and expensive manual testing before a change is ready for release. Google’s standard doesn’t affect everyone equally — it hits old vendors like Microsoft the hardest.

We saw the effect of this last week: 90 days after notifying Microsoft of a bug, Google dumped the 0day (the information hackers need to exploit the bug) on the Internet before Microsoft could release a fix.

I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs. It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.

But Google is right. Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing “secure” software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long. Microsoft either needs to move forward with the times and adopt “agile” methodologies, or just accept its role of milking legacy for the next few decades as IBM does with mainframes.

TorrentFreak: Chilling Effects DMCA Archive Censors Itself

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

On an average day Google now processes more than a million takedown requests from copyright holders, and that’s for its search engine alone.

Thanks to Google’s transparency report the public is able to see where these notices come from and what content they’re targeting. In addition, Google partners with Chilling Effects to post redacted copies of all notices online.

The Chilling Effects DMCA clearing house is one of the few tools that helps to keep copyright holders accountable. Founded by Harvard’s Berkman Center, it offers an invaluable database for researchers and the public in general.

At TF we use the website on a weekly basis to spot inaccurate takedown notices and other wrongdoings. Since the native search engine doesn’t always return the best results, we mostly use Google to spot newsworthy notices on the site.

This week, however, we were no longer able to do so. The Chilling Effects team decided to remove its entire domain from all search engines, including its homepage and other informational and educational resources.


Ironically enough, complaints from copyright holders are behind this unprecedented display of self-censorship. Since Chilling Effects has partnered with Google to publish all takedown notices Google receives, its pages contain hundreds of millions of non-linked URLs to infringing material. Copyright holders are not happy with these pages. Previously, Copyright Alliance CEO Sandra Aistars described the activities of the Chilling Effects project as “repugnant.”

As a result of the increased criticisms Chilling Effects has now decided to hide its content from search engines, making it harder to find.

“After much internal discussion the Chilling Effects project recently made the decision to remove the site’s notice pages from search engines,” Berkman Center project coordinator Adam Holland informs TF.

“Our recent relaunch of the site has brought it a lot more attention, and as a result, we’re currently thinking through ways to better balance making this information available for valuable study, research, and journalism, while still addressing the concerns of people whose information appears in the database.”

The self-censorship may sound strange coming from an organization that was founded to offer more transparency, but the Chilling Effects team believes that it strikes the right balance, for now.

“As a project, we’ve always worked to strike that balance, for example by removing personally identifying information. Removing notice pages from search engine results is the latest step in that balancing process,” Holland tells us.

“It may or may not prove to be permanent, but for now it’s the step that makes the most sense as we continue to think things through,” he adds.

While we respect the decision it’s a real shame for researchers that the notices and other informational material are now hidden from search engines. The notices themselves remain online, but with just the site’s own search it’s harder to find cases of abuse.

The copyright holders on the other hand will be happy. But they probably don’t care much about the chilling effect it has.

Photo: CC


Schneier on Security: Fidgeting as Lie Detection

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Sophie Van Der Zee and colleagues have a new paper on using body movement as a lie detector:

Abstract: We present a new robust signal for detecting deception: full body motion. Previous work on detecting deception from body movement has relied either on human judges or on specific gestures (such as fidgeting or gaze aversion) that are coded or rated by humans. The results are characterized by inconsistent and often contradictory findings, with small-stakes lies under lab conditions detected at rates only slightly better than guessing. Building on previous work that uses automatic analysis of facial videos and rhythmic body movements to diagnose stress, we set out to see whether a full body motion capture suit, which records the position, velocity and orientation of 23 points in the subject’s body, could yield a better signal of deception. Interviewees of South Asian (n = 60) or White British culture (n = 30) were required to either tell the truth or lie about two experienced tasks while being interviewed by somebody from their own (n = 60) or different culture (n = 30). We discovered that full body motion — the sum of joint displacements — was indicative of lying approximately 75% of the time. Furthermore, movement was guilt-related, and occurred independently of anxiety, cognitive load and cultural background. Further analyses indicate that including individual limb data in our full body motion measurements, in combination with appropriate questioning strategies, can increase its discriminatory power to around 82%. This culture-sensitive study provides an objective and inclusive view on how people actually behave when lying. It appears that full body motion can be a robust nonverbal indicator of deceit, and suggests that lying does not cause people to freeze. However, should full body motion capture become a routine investigative technique, liars might freeze in order not to give themselves away; but this in itself should be a telltale.

This is a first research study, and the results might not be robust. But it certainly is interesting.

Blog post. News article. Slashdot thread.

TorrentFreak: Netflix Cracks Down on VPN and Proxy “Pirates”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Due to complicated licensing agreements Netflix is only available in a few dozen countries, all of which have a different content library.

Some people bypass these content and access restrictions by using VPNs or other circumvention tools that change their geographical location. This makes it easy for people all around the world to pay for access to the U.S. version of Netflix, for example.

The movie studios are not happy with these deviant subscribers as it hurts their licensing agreements. Previously entertainment industry sources in Australia complained bitterly that tens of thousands of Netflix “VPN-pirates” were hurting their business.

Over the past weeks Netflix has started to take action against people who use certain circumvention tools. The Android application started to force Google DNS which now makes it harder to use DNS based location unblockers, and several VPN IP-ranges were targeted as well.

Thus far the actions are limited in scope, so not all VPN users may experience problems just yet. However, TorGuard is one of the VPN providers which noticed a surge in access problems by its users, starting mid-December.

“This is a brand new development. Just two weeks ago we received the first report from a handful of clients that Netflix blocked access due to VPN or proxy usage. This is the very first time I’ve ever heard Netflix displaying this type of error message to a VPN user,” TorGuard’s Ben Van der Pelt tells us.

In TorGuard’s case the users were able to quickly gain access again by logging into another U.S. location. It further appears that some of the blocking efforts were temporary, probably as a test for a full-scale rollout at a later date.

“I have a sneaking suspicion that Netflix may be testing these new IP blocking methods temporarily in certain markets. At this time the blocks do not seem aggressive and may only be targeted at IP ranges that exceed too many simultaneous logins.”

Netflix is reportedly testing a variety of blocking methods. From querying the user’s time zone through the web browser or mobile device GPS and comparing it to the timezone of their IP-address, to forcing Google’s DNS services in the Android app.

TorGuard told us that if Netflix continues with a strict ban policy, they will provide an easy solution to bypass the blocks. Other services, such as Unblock-us are also suggesting workarounds to their customers.

Netflix’ efforts to block geoblocking circumvention tools don’t come as a surprise. TF has seen a draft of the content protection agreement Sony Pictures prepared for Netflix earlier this year. This agreement specifically requires Netflix to verify that registered users are indeed residing in the proper locations.

Among other things Netflix must “use such geolocation bypass detection technology to detect known web proxies, DNS based proxies, anonymizing services and VPNs which have been created for the primary intent of bypassing geo-restrictions.”


Blocking VPN and proxy “pirates” has become a priority for the movie studios as streaming services have failed to introduce proper countermeasures. In early 2014 the movie studio looked into the accessibility of various services through popular circumvention tools, including TorGuard, only to find that most are not blocked.

In a follow-up during the summer of 2014 Sony Pictures conducted research to identify the IP-ranges of various VPNs and proxies. These results were shared with Netflix and other streaming services so they could take action and expand their blocklists where needed.


Based on the above it’s safe to conclude that Netflix will continue to roll out more aggressive blocking tools during the months to come. As with all blocks, this may also affect some people who use VPNs for privacy and security reasons. Whether Netflix will factor this in has yet to be seen.

TF contacted Netflix for a comment on the findings and its future plans, but a few days have passed and we have yet to receive a response.

Netflix is not the only streaming service that’s targeting VPN and proxy users. A few months ago Hulu implemented similar restrictions. This made the site unusable for location “pirates,” but also U.S. based paying customers who used a VPN for privacy reasons.


SANS Internet Storm Center, InfoCON: green: oledump analysis of Rocket Kitten – Guest Diary by Didier Stevens, (Fri, Jan 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In his Rocket Kitten diary entry, Johannes introduces research by Gadi Evron and Tillmann Werner. They analyzed a PE file embedded in the VBA macro code of an XLSM spreadsheet.

I want to show you how you can quickly analyze MS Office documents and extract files, using just my Python oledump tool and nothing else. You don't need MS Office for this analysis.

First we run oledump on the spreadsheet.

The first line (A: ) indicates that oledump found an OLE file named xl/vbaProject.bin inside the XLSM file. Remember that the new MS Office file format (.docx, .xlsm, …) is a set of XML files stored inside a ZIP file. But VBA macros are not stored in XML files, they still use the older MS Office file format: OLE files.

oledump reports the streams it finds inside the OLE file: from index A1 through A10. A letter M next to the index is an indicator for the presence of VBA code. A lowercase letter m indicates VBA code with only Attribute statements, an uppercase letter M indicates more sophisticated VBA code, i.e. code with other statement types than Attribute statements.

If oledump finds streams with VBA macros, I always look first at the streams marked with an uppercase letter M, as these contain the most promising code.

After the column with the macro indicator M, comes a column with the size (in bytes) of the stream and another column with the full name of the stream.

Let's take a look at the VBA code in stream A3 like this:

oledump.py -s A3 -v 266CFE755A0A66776DF9FD8CD2FEE1F1.xlsm

Option -s A3 selects stream A3 for analysis, and option -v decompresses the VBA source code.

Here is a part of the VBA source code. Note function A0: it concatenates characters generated with function Chr into a long string. If you …

[screenshot: VBA source of function A0]

By default, you get a hex-ascii dump of the embedded file. Now you can see that the embedded file is a PE file.

Last, we dump the embedded PE file (option …):

[screenshot: oledump output]

The MD5 of the PE file is c222199c9a7eb0d162d5e96955739447. That is one of the IOCs Johannes included in his diary entry.

Oledump can be found on my blog.

– Didier Stevens

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
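To show the decoding step the diary above describes (function A0 rebuilding the embedded file from Chr() calls), here is an added Python example that is not part of Didier Stevens' oledump: it isolates one function in decompressed VBA source, reassembles the byte string from the Chr() arguments in order, checks for a PE header and computes the MD5 for comparison with published IOCs. The VBA text, the function names and the stub header are all constructed for the example.

```python
"""Reassemble a file that a VBA macro builds from Chr() calls.

Added example, not Didier Stevens' oledump code: given decompressed VBA
source containing a function such as A0 in the diary, collect every
Chr()/Chr$()/ChrW() argument in that function in order, turn the sequence
into bytes, check for a PE header and report the MD5. The VBA below is
constructed for the example; the real macro is far longer.
"""
import hashlib
import re

# Chr(77), Chr$(90), ChrW(0) and hex forms such as Chr(&H4D) are all accepted.
CHR_CALL = re.compile(r"\bChr[W$]?\s*\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)", re.IGNORECASE)


def vba_function_body(vba_source: str, name: str) -> str:
    """Return the body of 'Function <name>' so Chr() calls in other routines are ignored."""
    pattern = (r"(?:Public\s+|Private\s+)?Function\s+" + re.escape(name)
               + r"\s*\([^)]*\)[^\n]*\n(.*?)\bEnd\s+Function\b")
    m = re.search(pattern, vba_source, re.IGNORECASE | re.DOTALL)
    if m is None:
        raise ValueError(f"function {name} not found")
    return m.group(1)


def extract_chr_bytes(vba_fragment: str) -> bytes:
    """Concatenate the Chr() arguments in source order, exactly as the macro does."""
    out = bytearray()
    for m in CHR_CALL.finditer(vba_fragment):
        arg = m.group(1)
        value = int(arg[2:], 16) if arg[:2].upper() == "&H" else int(arg)
        out.append(value & 0xFF)  # ChrW values above 255 would be truncated here
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """MZ signature at offset 0 and 'PE\\0\\0' where e_lfanew (offset 0x3C) points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_md5(data: bytes) -> str:
    """MD5 of the reassembled file, the form in which the diary's IOC is published."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the embedded file: a 68-byte DOS stub whose
# e_lfanew field points at a PE signature placed right after it.
SAMPLE_PE_STUB = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

# Constructed VBA: a decoy routine that also uses Chr(), and an A0 that
# concatenates the stub one character at a time, as in the real macro.
SAMPLE_VBA = (
    "Function Decoy() As String\n"
    "    Decoy = Chr(65)\n"
    "End Function\n"
    "\n"
    "Function A0() As String\n"
    "    A0 = " + " & ".join(f"Chr({b})" for b in SAMPLE_PE_STUB) + "\n"
    "End Function\n"
)

if __name__ == "__main__":
    payload = extract_chr_bytes(vba_function_body(SAMPLE_VBA, "A0"))
    print(f"{len(payload)} bytes, PE header: {looks_like_pe(payload)}, "
          f"MD5: {file_md5(payload)}")
```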

Krebs on Security: Lizard Kids: A Long Trail of Fail

This post was syndicated from: Krebs on Security and was written by: Brian Krebs. Original post: at Krebs on Security

The Lizard Squad, a band of young hooligans that recently became Internet famous for launching crippling distributed denial-of-service (DDoS) attacks against the largest online gaming networks, is now advertising its own Lizard-branded DDoS-for-hire service. Read on for a decidedly different take on this offering than what’s being portrayed in the mainstream media.

Lizard Stresser login page taunts this author.

The new service, lizardstresser[dot]su, seems a natural evolution for a group of misguided youngsters that has sought to profit from its attention-seeking activities. The Lizard kids only ceased their attack against Sony’s Playstation and Microsoft’s Xbox Live networks last week after MegaUpload founder Kim Dotcom offered the group $300,000 worth of vouchers for his service in exchange for ending the assault. And in a development that probably shocks no one, the gang’s members cynically told Dailydot that both attacks were just elaborate commercials for, and a run-up to, this DDoS-for-hire offering.

The group is advertising the new “booter service” via its Twitter account, which has some 132,000+ followers. Subscriptions range from $5.99 per month for the ability to knock a target offline for 100 seconds at a time, to $129.99 monthly for DDoS attacks lasting more than eight hours.

In any case, I’m not terribly interested in turning this post into a commercial for the Lizard kids; rather, it’s a brain dump of related information I’ve gathered from various sources in the past 24 hours about the individuals and infrastructure that support the site.

In a show of just how little this group knows about actual hacking and coding, the source code for the service appears to have been lifted in its entirety from titaniumstresser, another, more established DDoS-for-hire booter service. In fact, these Lizard geniuses are so inexperienced at coding that they inadvertently exposed information about all of their 1,700+ registered users (more on this in a moment).

These two services, like most booters, are hidden behind CloudFlare, a content distribution service that lets sites obscure their true Internet address. In case anyone cares, Lizardstresser’s real Internet address currently is 217.71.50.57, at a hosting facility in Bosnia.

In any database of leaked forum or service usernames, it is usually safe to say that the usernames which show up first in the list are the administrators and/or creators of the site. The usernames exposed by the coding and authentication weaknesses in LizardStresser show that the first few registered users are “anti” and “antichrist.” As far as I can tell, these two users are the same guy: A ne’er-do-well who has previously sold access to his personal DDoS-for-hire service on Darkode — a notorious English-language cybercrime forum that I have profiled extensively on this blog.

As detailed in a recent, highly entertaining post on the blog Malwaretech, LizardSquad and Darkode are practically synonymous and indistinguishable now. Anyone curious about why the Lizard kids have picked on Yours Truly can probably find the answer in that Malwaretech story. As that post notes, the main online chat room for the Lizard kids (at lizardpatrol[dot]com) also is hidden behind CloudFlare, but careful research shows that it is actually hosted at the same Internet address as Darkode (5,38,89,132).

A suggested new banner for this blog from the jokers at black hat forum Darkode, which shares a server with the main chat forum for the Lizard kids.

In a show of just how desperate these kids are for attention, consider that the login page for LizardStresser currently says “Hosted somewhere on Brian Krebs’ forehead: Donate to the forehead reduction foundation, simply send money to krebsonsecurity@gmail.com on PayPal.” Many of you have done that in the past couple of days, although I doubt as a result of visiting the Lizard kids’ silly site. Anyway, for those generous donors, a hearty “thank you.”

It’s worth noting that the individual who registered LizardStresser is an interesting and angry teenager who appears to hail from Australia and uses the nickname “abdilo.” You can find his possibly not-safe-for-work rants on Twitter at this page. A reverse WHOIS lookup (ordered from Domaintools.com) on the email address used to register LizardStresser (9ajjs[at]zmail[dot]ru) shows this email has been used to register a number of domains tied to cybercrime operations, including sites selling stolen credit card data and access to hacked PCs.

A more nuanced lookup at Domaintools.com using some of this information turns up additional domains tied to Abdilo, including bkcn[dot]ru and abdilo[dot]ru (please do not attempt to visit these sites unless you know what you’re doing). Another domain that abdilo registered (in my name, no less) — http://x6b-x72-x65-x62-x73-x6f-x6e-x73-x65-x63-x75-x72-x69-x74-x79-x0[dot]com — is hexadecimal encoding for “krebsonsecurity.”

Last, but certainly not least, it appears that Vinnie Omari — the young man I identified earlier this week as being a self-proclaimed member of the Lizard kids — has apparently just been arrested by the police in the United Kingdom (see screen shot below). Sources tell KrebsOnSecurity that Vinnie is one of many individuals associated with this sad little club who are being rounded up and questioned. My guess is most, if not all, of these kids will turn on one another. Time to go get some popcorn.

Happy New Year, everyone!

TorrentFreak: Movie Studios Fear a Google Fiber Piracy Surge

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Google is slowly expanding its fiber-to-the-home service in the United States. Most recently Austin, Texas, was added to the list, and a few dozen other cities will follow soon.

Promising free Internet and blazing fast gigabit per second connections at a relatively low price, many consumers are happy with Google’s new product.

Hollywood on the other hand fears the worst. While great connectivity offers commercial opportunities for entertainment companies, some are overly worried about the negative consequences.

Earlier this week we received a leaked presentation covering the results of a Google Fiber survey conducted on behalf of Warner Bros and Sony Pictures Entertainment. The research was conducted in 2012 and aimed to get a baseline of the piracy levels, so changes can be measured after the rollout.

The survey respondents came from Kansas City, where Google Fiber first launched, with St. Louis residents as a control group. In total, more than 2,000 persons between 13 and 54 were asked about Google Fiber, their piracy habits and media consumption in general.

The results reveal that more than half of those surveyed were very interested in Google’s offer. This includes a large group of pirates, which make up 31% of the entire population.

About a third of these pirates said they would download or stream more with Google Fiber. Perhaps even more worrying for Hollywood, about a quarter of the non-pirates said they would start doing so if Google comes to town.

The most interesting part, however, is that the research tries to estimate the studios’ extra piracy losses that Google Fiber could create across the nation.

Drawing on an MPAA formula that counts all pirated views as losses, the report notes that it may cost Hollywood over a billion dollars per year. That’s a rather impressive increase of 58% compared to current piracy levels.

The research also finds a link between piracy and broadband speeds, which is another reason for Hollywood not to like Google’s Internet service.

According to the report this is “another indication that piracy becomes more attractive with Google Fiber.”

We will refrain from analyzing the methods and the definition of piracy losses, which deserve an article of their own. What’s most striking from the above approach is the way the studios frame Google Fiber as a piracy threat, instead of looking at the opportunities it offers.

For example, the same report also concludes that 39% of the respondents would use paid streaming subscription services more, while 34% would rent and purchase more online video. Yet, there is no mention of the potential extra revenue that will bring in.

Judging from all the piracy calculations, statistics and projections, it appears that Hollywood is mostly occupied with threats. But of course there’s nothing new there.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: That Spiegel NSA story is activist nonsense

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we’ve suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something called “TUNDRA”.

It is difficult to figure out why TUNDRA is even mentioned in the story. It’s cited to support some conclusion, but I’m not sure what that conclusion is. It appears the authors wanted to discuss the “conflict of interest” problem the NSA has, but had nothing new to support this, so just inserted something at random. They are exploiting the fact the average reader can’t understand what’s going on. In this post, I’m going to describe the context around this.

TUNDRA was an undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.

It’s given a code-name “TUNDRA” and the paragraph in the document is labeled “TOP SECRET”. The public has the misconception that this means something important is going on. The opposite is true: the NSA puts codenames on nearly everything. Among the reasons is that by putting codenames even on trivial things, it prevents adversaries from knowing which codenames are important. The NSA routinely overclassifies things. That’s why so many FOIA requests come with the “TOP SECRET” item crossed out — you classify everything as highly as you can first, then relax the restriction later. Thus, unimportant student projects get classified codenames.

The Spiegel article correctly says that the “agency is actively looking for ways to break the very standard it recommends”, and it’s obvious from context that the Spiegel is implying this is a bad thing. But it’s a good thing, as part of the effort in improving encryption. You secure things by trying to break them. That’s why this student project was funded by the IAD side of the NSA — the side dedicated to improving cryptography. Most of us in the cybersecurity industry are trying to break things — we only trust things that we’ve tried to break but couldn’t.

The Spiegel document talks about AES, but it’s not AES being attacked. Instead, it’s all block ciphers in “electronic codebook” modes that are being attacked. The NSA, like all cryptographers, recommends that you don’t use the basic “electronic codebook” mode, because it reveals information about the encrypted data, as the well known “ECB penguin” shows. As you can see in the image, when you encrypt a bitmap image of a penguin, you can still see it’s a penguin despite the encryption. Finding appropriate modes other than “electronic codebook” is an important area of research. [***]

The NSA already has ways of attacking ECB mode, as the penguin image demonstrates. I point this out because if the NSA already has a “handful of ways” of doing something, adding one more really isn’t a major new development. Thus, even if you don’t understand cryptography, it should be obvious that the inclusion of TUNDRA in this story is pretty stupid.

Journalism is supposed to be different from activism. Journalists are supposed to be accurate and fair, to communicate rather than convince. The activist has the opposite goal, to convince the reader, even if that means exploiting misinformation. We see that in this Der Spiegel article, where the TUNDRA item is distorted in order to convince the reader that the NSA is doing something evil.


Update: [***] There has been some discussion on Twitter about the ECB penguin above. That’s because where the document says “electronic codebook”, it may not necessarily be referring to ECB mode (even though ECB stands for “electronic codebook”). That’s because “codebook” is also just another name for “block cipher”, the more common/modern name for encryption algorithms like AES.

Regardless, the principle still holds: it’s not AES that TUNDRA attacks, but the underlying “codebook” property, whatever that refers to, whether it’s “block ciphers” or “block ciphers in ECB mode”. Also regardless, since it’s an undergraduate project designed for recruitment, it’s probably something basic (like the ECB penguin) rather than a major advancement in cryptography.
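The ECB penguin the post refers to, reduced to a runnable illustration: this is an added Python example, not code from the Errata Security post. An 8x8 two-colour image is encrypted one pixel per block in ECB mode and in CBC mode, and counting distinct ciphertext blocks shows why ECB still reveals the picture while CBC does not. The block function is an assumption made so the example runs on the standard library alone (HMAC-SHA256 truncated to 16 bytes, not AES); the image, key and IV are constructed.

```python
"""ECB penguin in miniature.

Added example, not code from the Errata Security post. The block function
is a stand-in: HMAC-SHA256 truncated to 16 bytes. It is not AES and cannot
be decrypted, but it has the one property that matters here, equal input
blocks give equal output blocks under the same key, so ECB's leak shows.
"""
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-demo-key"  # constructed; any key shows the same effect
IV = b"\x5a" * BLOCK           # constructed IV for the CBC run


def block_function(key: bytes, block: bytes) -> bytes:
    """Stand-in for one block-cipher encryption: keyed, deterministic, 16-byte output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic codebook: every block is encrypted independently of the others."""
    return b"".join(block_function(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher block chaining: each block is XORed with the previous ciphertext block first."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        chained = bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev))
        prev = block_function(key, chained)
        out += prev
    return bytes(out)


# Constructed 8x8 bitmap standing in for the penguin: '#' is black, '.' is white.
IMAGE = [
    "..####..",
    ".######.",
    "##.##.##",
    "########",
    "#.####.#",
    "#.####.#",
    ".######.",
    "..#..#..",
]


def image_to_plaintext(rows) -> bytes:
    """One 16-byte block per pixel, so each pixel is exactly one cipher block."""
    return b"".join(b"\xff" * BLOCK if px == "#" else b"\x00" * BLOCK
                    for row in rows for px in row)


def distinct_blocks(ciphertext: bytes) -> int:
    """A two-colour image encrypted in ECB has only two distinct ciphertext blocks."""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


def render(ciphertext: bytes, width: int) -> list:
    """Draw the ciphertext: first block value seen is '.', second is '#', any other is '?'."""
    seen, pixels = {}, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        seen.setdefault(blk, len(seen))  # index in order of first appearance
        pixels.append(".#"[seen[blk]] if seen[blk] < 2 else "?")
    return ["".join(pixels[r:r + width]) for r in range(0, len(pixels), width)]


if __name__ == "__main__":
    pt = image_to_plaintext(IMAGE)
    for name, ct in (("ECB", ecb_encrypt(KEY, pt)), ("CBC", cbc_encrypt(KEY, IV, pt))):
        print(f"{name}: {distinct_blocks(ct)} distinct blocks")
        print("\n".join(render(ct, 8)))
```

The ECB rendering reproduces IMAGE exactly; the CBC rendering is all distinct blocks, so the shape is gone.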

Клошкодил: 2014-12-27 31C3 day 1

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

I have about 60 lines of notes from today alone; let's see how big a post I turn them into.
(the conference wristband is pretty nasty, I dreamt mosquitoes were chewing on my wrist)

(I ran into Denisa Kera, who visited us at initlab a while ago, and she mentioned an interesting project, crowdfunding for an investigative person to tail politicians and collect what they are up to; this is the link she sent me. Sounds like a fun idea; for the other similar one I had (crowdfunding for lobbying) they talked me out of it)

Around 9-10 in the morning it was surprisingly empty, but that changed quite quickly. I think there are easily 7-8 thousand people (maybe even 10); for a lot of talks the halls fill up, and hall 1 holds 3000 people…

(while waiting for the opening to start I noticed a lot of wifi networks called “Not fuzzing with your wifi” numbered 1 to 20)

The opening was too optimistic and a good part of it was wishful thinking – “it’s not the shady intelligence agencies with big budges ruling the internet, but us” and the like, but overall there was nothing stupid, and they started with “welcome to the largest hacker conference in the free world”, which made everyone happy.
They mentioned their mentoring program, to help people/kids who have come to the congress for the first time; there is a slim chance I'll sign up for it some year, if I come (i.e. if I can stand these crowds again).

The keynote was a tragedy. At the start I had noted it was nothing special, but in the end it turned out to be outright bad – Alec Empire of Atari Teenage Riot reads something off some sheets, plays clips with not-particularly-competent music and generally talks about things that are far too well known and obvious. Perhaps the only interesting bit was his story of how Spotify set out to ban one of their albums (and with it everything from the label they are on) because something in it supposedly talked about Nazis; they explained at length that they are the most anti-Nazi band there could be (with newspaper articles and so on) and the reply was “nazi or anti-nazi – doesn’t matter”…

After that I went to the talk on casting aluminium using a microwave oven – overall it looks quite interesting; the presentation needs to be gone through and looked at in more detail. I don't know whether we'll find a use for it (these people need it because they make car parts) and it looks pretty dangerous (the claim is that this is always done outdoors, because liquid aluminium is rather bad for the floor), but it seems fun.

The reproducible builds talk was also quite interesting; there were explanations of how far which projects have got (it turns out a decent part of debian already has such builds), and they have worked on the question for android too. I think this will find more and more use, especially in all kinds of crypto-related things.
(I should show the pcloud people what can be applied)

(Looking at the place, one might think one is at some woodstock; it's full of strange people. Actually, strange doesn't even begin to describe them…)

The EMV talk was partly a rehash of old attacks, with improvements, and basically how better and more effective skimmers are appearing. In short, you can get at a card's pin with just a skimmer (there was a little new research here), or you can make transactions with a card whose pin you don't know. The speaker was from a company that helps people sort things out with their bank when it does not acknowledge some fraud and does not refund the money, and that also audits various such systems.

The SS7 talk was… useful. In short – it's as if we were in the internet of the 1970s: anyone can talk to anyone without auth and send all sorts of messages. The whole research started from companies that can locate exactly where a phone number is, and from that all sorts of fun things came out:
You can ask which cell a phone is in (which is decent localisation);
You can ask for the gsm coordinates of the phone (which is supposedly only for the police, but because of a stupidity in the protocol you can spoof the from and get the data);
You can tell someone's HLR where someone is (without auth);
You can execute USSD codes (*xxxx#) for someone's phone (with which you can set up forwarding and who knows what else), and so on, wonderful things.
There were demonstrations too (for example how they can see the balance of someone else's prepaid card).
The saddest part was in the last few slides: all users can really do is either throw away their phone or whine at the operator, because there is nothing that can be done about this at the endpoint.
Karsten Nohl's talk after that continued the topic with several new attacks, mostly on 3G with a little help from SS7, as well as some interesting observations on how at the moment everyone uses 64-bit keys for A5/3 and nobody uses the full 128 bits, because there are no suitable sim cards anywhere.
Overall, these two talks have to be watched. In the second they said they have already updated gsmmap with new information, and that they have released an android app for phones with a certain baseband that can watch for some of the attacks.
(the app is under the GPL)
(I listened to/watched Karsten's talk on the laptop while queuing for t-shirts, in a line that wound through the whole CCH foyer like a strange snake. Long live streaming, the broadcasting of the talks over the local gsm and the pretty resilient wireless network.)

Code pointer security was also useful; overall the idea is that they protect only the pointers that point to code, which makes it possible to kill the application but not to exploit it in some way (they directly break return-oriented programming). Their overhead is up to about 10% and overall it looks very usable.

I finished the day with ECC Hacks, a talk by DJB and Tanja Lange in which they explained how elliptic curves work. It was very good; I think I now have a much better idea of how they work, and I think it would be hard to do a better explanation than this.

Schneier on Security: Did North Korea Really Attack Sony?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I am deeply skeptical of the FBI’s announcement on Friday that North Korea was behind last month’s Sony hack. The agency’s evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the US government would make the accusation this formally if officials didn’t believe it.

Clues in the hackers’ attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one, since North Koreans use a unique dialect. However you read it, this sort of evidence is circumstantial at best. It’s easy to fake, and it’s even easier to interpret it incorrectly. In general, it’s a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the “evidence” to suit the narrative they already have worked out in their heads.

In reality, there are several possibilities to consider:

  • This is an official North Korean military operation. We know that North Korea has extensive cyberattack capabilities.
  • This is the work of independent North Korean nationals. Many politically motivated hacking incidents in the past have not been government-controlled. There’s nothing special or sophisticated about this hack that would indicate a government operation. In fact, reusing old attack code is a sign of a more conventional hacker being behind this.
  • This is the work of hackers who had no idea that there was a North Korean connection to Sony until they read about it in the media. Sony, after all, is a company that hackers have loved to hate for a decade. The most compelling evidence for this scenario is that the explicit North Korean connection — threats about the movie The Interview — were only made by the hackers after the media picked up on the possible links between the film release and the cyberattack. There is still the very real possibility that the hackers are in it just for the lulz, and that this international geopolitical angle simply makes the whole thing funnier.
  • It could have been an insider — Sony’s Snowden — who orchestrated the breach. I doubt this theory, because an insider wouldn’t need all the hacker tools that were used. I’ve also seen speculation that the culprit was a disgruntled ex-employee. It’s possible, but that employee or ex-employee would have also had to possess the requisite hacking skills, which seems unlikely.
  • The initial attack was not a North Korean government operation, but was co-opted by the government. There’s no reason to believe that the hackers who initially stole the information from Sony are the same ones who threatened the company over the movie. Maybe there are several attackers working independently. Maybe the independent North Korean hackers turned their work over to the government when the job got too big to handle. Maybe the North Koreans hacked the hackers.

I’m sure there are other possibilities that I haven’t thought of, and it wouldn’t surprise me if what’s really going on isn’t even on my list. North Korea’s offer to help with the investigation doesn’t clear matters up at all.

Tellingly, the FBI’s press release says that the bureau’s conclusion is only based “in part” on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq’s weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

Allan Friedman, a research scientist at George Washington University’s Cyber Security Policy Research Institute, told me that, from a diplomatic perspective, it’s a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Sony also has a vested interest in the hack being the work of North Korea. The company is going to be on the receiving end of a dozen or more lawsuits — from employees, ex-employees, investors, partners, and so on. Harvard Law professor Jonathan Zittrain opined that having this attack characterized as an act of terrorism or war, or the work of a foreign power, might earn the company some degree of immunity from these lawsuits.

I worry that this case echoes the “we have evidence — trust us” story that the Bush administration told in the run-up to the Iraq invasion. Identifying the origin of a cyberattack is very difficult, and when it is possible, the process of attributing responsibility can take months. While I am confident that there will be no US military retribution because of this, I think the best response is to calm down and be skeptical of tidy explanations until more is known.

Lots more doubters.

Krebs on Security: The Case for N. Korea’s Role in Sony Hack

This post was syndicated from: Krebs on Security and was written by: Brian Krebs. Original post: at Krebs on Security

There are still many unanswered questions about the recent attack on Sony Pictures Entertainment, such as how the attackers broke in, how long they were inside Sony’s network, whether they had inside help, and how the attackers managed to steal terabytes of data without notice. To date, a sizable number of readers remain unconvinced about the one conclusion that many security experts and the U.S. government now agree upon: That North Korea was to blame. This post examines some compelling evidence from past such attacks that has helped inform that conclusion.

An image from HP, captioned "North Korean students training for cyberwar."

The last time the world saw an attack like the one that slammed SPE was on March 20, 2013, when computer networks running three major South Korean banks and two of the country’s largest television broadcasters were hit with crippling attacks that knocked them offline and left many South Koreans unable to withdraw money from ATMs. The attacks came as American and South Korean military forces were conducting joint exercises in the Korean Peninsula.

That attack relied in part on malware dubbed “Dark Seoul,” which was designed to overwrite the initial sections of an infected computer’s hard drive. The data wiping component used in the attack overwrote information on infected hard drives by repeating the words “hastati” or “principes,” depending on which version of the wiper malware was uploaded to the compromised host.

Both of those terms reference the military classes of ancient Rome: “hastati” were the younger, poorer soldiers typically on the front lines; the “principes” referred to more hardened, seasoned soldiers. According to a detailed white paper from McAfee, the attackers left a calling card a day after the attacks in the form of a web pop-up message claiming that the NewRomanic Cyber Army Team was responsible and had leaked private information from several banks and media companies and destroyed data on a large number of machines.

The message read:

“Hi, Dear Friends, We are very happy to inform you the following news. We, NewRomanic Cyber Army Team, verified our #OPFuckKorea2003. We have now a great deal of personal information in our hands. Those includes; 2.49M of [redacted by Mcafee] member table data, cms_info more than 50M from [redacted]. Much information from [redacted] Bank. We destroyed more than 0.18M of PCs. Many auth Hope you are lucky. 11th, 12th, 13th, 21st, 23rd and 27th HASTATI Detachment. Part of PRINCIPES Elements. p.s For more information, please visit www.dropbox.com login with joseph.r.ulatoski@gmail.com::lqaz@WSX3edc$RFV. Please also visit pastebin.com.”

The McAfee report, and a similarly in-depth report from HP Security, mentions that another group calling itself the Whois Team — which defaced a South Korean network provider during the attack — also took responsibility for the destructive Dark Seoul attacks in 2013. But both companies say they believe the NewRomanic Cyber Army Team and the Whois Team are essentially the same group. As Russian security firm Kaspersky notes, the images used by the WhoisTeam and the warning messages left for Sony are remarkably similar:

The defacement message left by the Whois Team in the 2013 Dark Seoul attacks (left) and the message left for Sony (right).

Interestingly, the attacks on Sony also were preceded by the theft of data that was later leaked on Pastebin and via Dropbox. But how long were the attackers in the Sony case inside Sony’s network before they began wiping drives? And how did they move tens of terabytes of data off of Sony’s network without notice? Those questions remain unanswered, but the McAfee paper holds a few possible — even likely — clues.

A LENGTHY CAMPAIGN

McAfee posits that, based on the compile times of the backdoor malware used to upload the drive-wiping malware, the targets in the Dark Seoul attacks were likely compromised by a remote-access Trojan delivered by a spear-phishing campaign at least two months before the data destruction began. More importantly, McAfee concludes that the data-wiping and backdoor malware used in the Dark Seoul attack was but a small component of an elaborate cyber-espionage campaign that started in 2009 and targeted only South Korean assets.

“McAfee Labs has uncovered a sophisticated military spying network targeting South Korea that has been in operation since 2009. Our analysis shows this network is connected to the Dark Seoul incident. Furthermore, we have also determined that a single group has been behind a series of threats targeting South Korea since October 2009. In this case the adversary had designed a sophisticated encrypted network designed to gather intelligence on military networks.

We have confirmed cases of Trojans operating through these networks in 2009, 2010, 2011, and 2013. This network was designed to camouflage all communications between the infected systems and the control servers via the Microsoft Cryptography API using RSA 128-bit encryption. Everything extracted from these military networks would be transmitted over this encrypted network once the malware identified interesting information. What makes this case particularly interesting is the use of automated reconnaissance tools to identify what specific military information internal systems contained before the attackers tried to grab any of the files.”

The espionage malware was looking for files that contained specific terms that might indicate they harbored information about U.S. and Korean military cooperation, including “U.S. Army” and “Operation Key Resolve,” an annual military exercise held by U.S. forces and the South Korean military.

A missile launched by North Korea on July 4, 2009.

The Dark Seoul attacks were hardly an isolated incident. In 2011, the same Korean bank that was attacked in the 2013 incident was also hit with denial-of-service attacks and destructive malware. On July 4, 2009, a wave of denial-of-service attacks washed over more than two dozen Korean and U.S. Government Web sites, including the White House and the Pentagon. July 4 is Independence Day in the United States, but it also happened to be the very day that North Korea launched seven short-range missiles into the Sea of Japan in a show of military might. By the time the third wave of that attack subsided on July 9, the assailants had pushed malware to the tens of thousands of zombie computers used in the assault, wiping all data from those machines.

The co-founder of CrowdStrike, a security firm that focuses heavily on identifying attribution and actors behind major cybercrime attacks, said his firm has a “very high degree of confidence that the FBI is correct in” attributing the attack against Sony Pictures to North Korean hackers, and that CrowdStrike came to this conclusion independently long before the FBI came out with its announcement last week.

“We have a high-confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and U.S. government and military institutions,” said Dmitri Alperovitch, chief technology officer and co-founder at CrowdStrike.

“These events are all connected, through both the infrastructure overlap and the malware analysis, and they are connected to the Sony attack,” Alperovitch said. “We haven’t seen the skeptics produce any evidence that it wasn’t North Korea, because there is pretty good technical attribution here. I want to know how many other hacking groups are so interested in things like Key Resolve.”

A Chollima statue in North Korea.

Security firms like HP refer to the North Korean hacking team as the “Hastati” group, but CrowdStrike calls them by a different nickname: “Silent Chollima.” A Chollima is a mythical winged horse which originates from the Chinese classics.

“North Korea is one of the few countries that doesn’t have a real animal as a national animal,” Alperovitch said. “Which, I think, tells you a lot about the country itself.”

The “silent” part of the moniker is a reference to the stubborn fact that little is known about the hackers themselves. Unlike hacker groups in other countries where it is common to find miscreants with multiple profiles on social networks and hacker forums that can be used to build a more complete profile of the attackers — the North Koreans heavily restrict the use of Internet communications, even for their cyber warriors.

“First of all, they don’t have a ton of Internet infrastructure in North Korea, and they don’t have forums and social media which typically helps you identify, for example, whether an attack is from Russians or the Chinese,” Alperovitch said. “In general, the North Korean regime is one of the hardest intelligence targets for the intelligence and cyber attribution communities.”

The folks at Dyn Research, a company that tracks Internet connectivity issues around the globe, said its sensors noted that North Korea inexplicably went offline on Monday, Dec. 22, at around 16:15 UTC (01:15 Tuesday local time in the North Korean capital of Pyongyang). But the researchers stopped short of attributing a reason behind the outage.

“Who caused this, and how?,” wrote Jim Cowie, chief scientist at Dyn. “A long pattern of up-and-down connectivity, followed by a total outage, seems consistent with a fragile network under external attack. But it’s also consistent with more common causes, such as power problems.”

Interestingly, this pattern of downtime also was witnessed directly following the above-described 2013 attacks that targeted South Korean banks and media firms. According to Jason Lancaster, a security researcher at HP, the entire North Korean Internet space suffered a similar outage around the same time as the 2013 offense against South Korea.

“When they came back online, one of those four [North Korean Internet address blocks] was routing through an Intelsat satellite connection,” Lancaster said. “What caused the 2013 outage? They never determined the cause. The speculation was that they were under attack, but there was never any proof of that happening.”

Additional reading:

US-CERT analysis of the computer worm used in the attack on Sony.

TaoSecurity Blog: What Does ‘Responsibility’ Mean for Attribution?

McAfee report on Dark Seoul attacks (PDF)

HP Security: Profiling an Enigma – The Mystery of North Korea’s Cyber Threat Landscape (PDF)

Krebs on Security: FBI: North Korea to Blame for Sony Hack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look at the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

-“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

-“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

-“Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”

The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.

Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email, apparently from the attackers, saying they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers for The Interview be removed from the Internet.

A ‘MAGIC WEAPON’

Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.

“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”

Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.

Headquarters of the Chongryon in Japan.

According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.

While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.

In any case, it’s unlikely that U.S. officials relish the conclusion that North Korea is the aggressor in this attack, because it forces the government to respond in some way, and few of the options are particularly palatable. The top story on the front page of the Wall Street Journal today is an examination of what the U.S. response to this incident might look like, and it seems that few of the options on the table are appealing to policymakers or intelligence agencies.

The WSJ story notes that North Korea’s only connections to the Internet run through China, but that pressuring China to sever or severely restrict those connections is unlikely to work.

Likewise, engaging in a counter-attack could prove fruitless, or even backfire, the Journal observed, “in part because the U.S. is able to spy on North Korea by maintaining a foothold on some of its computer systems. A retaliatory cyberstrike could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said policy makers remain squeamish about deploying cyberweapons against foreign targets.”

IMPLICATIONS FOR US FIRMS

If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working — and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.

A critical step that many organizations fail to take is keeping a basic but comprehensive and ongoing inventory of all of the organization’s IT assets. Identifying where the most sensitive and mission-critical data resides (identifying the organization’s “crown jewels”) is another essential exercise, but too many organizations fail to take the critical step of encrypting this vital information.

Over the past several years, we’ve seen a remarkable shift toward more destructive attacks. Most organizations are accustomed to tackling malware infestations within their IT environments, but few are prepared to handle fast-moving threats designed to completely wipe data from storage drives across the network.

As I note in my book Spam Nation, miscreants who were once content to steal banking information and blast out unsolicited commercial email increasingly are using their skills to hold data for ransom with ransomware. I’m afraid that as these attackers become better at situational awareness, that is, gaining a better understanding of who their victims are and the value of the assets the intruders have under their control, these attacks and ransom demands will become more aggressive and costly in the months ahead.

Krebs on Security: Complex Solutions to a Simple Problem

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

My inbox has been flooded of late with pitches for new technologies aimed at making credit cards safer and more secure. Many of these solutions are exceedingly complex and overwrought — if well-intentioned — responses to a problem that we already know how to solve. Here’s a look at a few of the more elaborate approaches.

A promotion for the Siren Swipe technology.

Some of these ideas may have benefited from additional research into where financial institutions actually experience most of their fraud losses. Hint: Lost-and-stolen fraud is minuscule compared to losses from other types of fraud, such as counterfeit cards and online fraud. Case in point: A new product called Safe Swipe. From their pitch:

“The basic premise of our solution, Safe Swipe…is a technology which ‘marries’ your smart mobile device, phone, tablet and or computer to your credit/debit card(s). We’ve developed a Geo-Locator software program which triangulates your location with the POS device and your mobile phone so that if your phone and credit card are not within a certain predetermined range of one another the purchase would be challenged. In addition, we incorporated an ON/OFF type switch where you can ‘Lock Down’ your credit/debit card from your mobile device making it useless should it ever be stolen.”

The truth is that you can “lock down” your credit card if it’s lost or stolen by calling your credit card company and reporting it as such. Along these lines, I received multiple pitches from the folks who dreamed up a product/service called “Siren Swipe.” Check it out:

“The SIREN SWIPE system immediately notifies local police (via the local 911 center) of a thief’s location (ie merchant address) once he swipes a card that has already been reported stolen,” the folks at this company said in an email pitch to KrebsOnSecurity. “SIREN SWIPE has the potential to drastically impact the credit card fraud landscape because although card credentials being stolen is a foregone conclusion, which cards thieves decide to actually use is not. For a thief browsing a site like Rescator, the knowledge that using certain banks’ cards could result in an immediate police response can make thieves avoid using these banks’ stolen cards over and over again. And in the best case scenario, a carder site admin could just decide not to sell subscribing banks’ cards in the interest of customer service.”

The sad truth is that, for the most part, cops generally have more important things to do than chase around the street urchins who end up using stolen credit and debit cards, and they’re not going to turn on the dome lights and siren over something like this. Also, the signals for fraud are all backwards here: The fraudsters know to use criminal card-checking services before buying and/or using stolen cards, so they don’t generally end up using a pile of cards that have already been cancelled.

A diagram explaining Quantum Secure Authentication.

My favorite overwrought solution to making credit cards more secure comes from researchers in the Netherlands, who recently put out a paper announcing a card security idea they’re calling Quantum-Secure Authentication. According to its creators, this approach relies on “the unique quantum properties of light to create a secure question-and-answer exchange that cannot be spoofed or copied.” From their literature:

“Traditional magnetic-stripe-only cards are relatively simple to use but simple to copy. Recently, banks have begun issuing so-called ‘smart cards’ that include a microprocessor chip to authenticate, identify & enhance security. But regardless of how complex the code or how many layers of security, the problem remains that an attacker who obtains the information stored inside the card can copy or emulate it. The new approach…avoids this risk entirely by using the peculiar quantum properties of photons that allow them to be in multiple locations at the same time to convey the authentication questions & answers. Though difficult to reconcile with our everyday experiences, this strange property of light can create a fraud-proof Q&A exchange, like those used to authorize credit card transactions.”

The main reason so many of these newfangled technologies are even being proposed is that the United States lags 20 years behind Europe and the rest of the world in adopting chip/smartcard technology in credit and debit cards. This is starting to change on both the card-issuing side (the banks) and the merchant side. Most of the biggest banks are already issuing chip cards, with smaller institutions following suit next year. In October 2015, merchants that haven’t yet installed card swipe terminals that accept chip cards will be liable for all of the fraud costs on any fraudulent transaction involving a chip card.

It’s unclear how much appetite there is for new technology to help banks fight card fraud, when so many financial institutions have yet to roll out chip cards. A payments fraud survey released this week by the Federal Reserve Bank of Minneapolis found that “high percentages of surveyed financial institutions report that fraud prevention costs exceed actual losses for many types of payments, especially wire, cash, and ACH payments. This trend is even more striking for non-financial respondents. In every payment category, a higher percentage of such firms responded that prevention costs exceed fraud losses.”

The Fed survey (PDF), which quizzed both banks and corporations, found that about half of the financial institutions that experienced payment fraud losses reported increases in those losses, while three quarters of the non-financial firms responded that loss rates had remained about the same over the prior year.

“In keeping with previous surveys, signature debit transactions are the payment type cited by the largest number of financial institutions as accounting for high levels of payments fraud losses (92% of financial service companies), while checks are cited by 75% of non-financial companies,” the Fed concluded. “While this finding could suggest that companies are overcompensating in prevention vis-à-vis likely losses, it is also possible that risk mitigation strategies and fraud prevention investments have indeed been effective.”

SANS Internet Storm Center, InfoCON: green: Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor, (Wed, Dec 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Researchers at Palo Alto found that many ROM images used for Android smart phones manufactured by Coolpad contain a backdoor, giving an attacker full control of the device. Palo Alto named the backdoor Coolreaper.

With Android, it is very common for manufacturers to install additional applications. But these applications are installed on top of the Android operating system. In this case, Coolpad integrated additional functionality into the firmware of the device. This backdoor was then used by Coolpad to push advertisements to its users and to install additional Android applications. But its functionality goes way beyond simple advertisements.

The backdoor provides full access to the device. It allows the installation of additional software, accessing any information about the device, and even notifying the user of fake over the air updates.

How important is this threat?

Coolpad devices are mostly used in China, with a market share of 11.5% according to the report. They are not found much outside of China. The phones are typically sold under brands like Coolpad, Dazen and Magview.

The following domains and IPs are used for the command-and-control (C&C) channel:

113.142.37.149, dmp.coolyn.com, dmp.51coolpad.com, icudata.coolyun.com, icudata.51coolpad.com, 113.142.37.246, icucfg.coolyun.com and others. Blocking and logging outbound traffic to these domains and IPs will help you identify affected devices.
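The indicator list above is easiest to put to work by running it over whatever records show a device's outbound connections (proxy logs, DNS query logs, firewall logs). The following Python is an added example, not part of the ISC diary or the Palo Alto report: it matches the quoted hosts and IPs exactly, reports other names under the same parent zones only for review (the diary says the list is incomplete, but a name under coolyun.com is not by itself evidence of the backdoor), and groups hits by client so each affected device is listed once. The log lines and their four-column layout (time, client IP, destination host, destination IP) are constructed for the example; adapt parse_line() to your own log format.

```python
"""Match outbound connection logs against the Coolreaper C&C indicators quoted above.

Added example, not part of the ISC diary or the Palo Alto report. SAMPLE_LOG and its
four-column layout are constructed for illustration.
"""
import re
from collections import defaultdict

# Indicators quoted in the diary. "and others" means this list is not complete.
IOC_IPS = {"113.142.37.149", "113.142.37.246"}
IOC_HOSTS = {
    "dmp.coolyn.com",
    "dmp.51coolpad.com",
    "icudata.coolyun.com",
    "icudata.51coolpad.com",
    "icucfg.coolyun.com",
}
# Parent zones of the listed hosts. Other names under them are not indicators from the
# diary, so they are only surfaced for review (assumption: worth a second look, not a hit).
REVIEW_ZONES = {"coolyun.com", "51coolpad.com", "coolyn.com"}

# Constructed format: <timestamp> <client ip> <destination host or -> <destination ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return the four fields as a dict, or None for a line that does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(host, dst_ip):
    """'match' for an exact indicator, 'review' for a sibling name in a listed zone, else None."""
    host = host.lower().rstrip(".")  # normalise case and a trailing dot from DNS logs
    if host in IOC_HOSTS or dst_ip in IOC_IPS:
        return "match"
    if any(host == z or host.endswith("." + z) for z in REVIEW_ZONES):
        return "review"
    return None


def scan(lines):
    """Group hits by client IP so each affected device is listed once with its evidence."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        verdict = classify(rec["host"], rec["dst"])
        if verdict:
            hits[rec["src"]].append((verdict, rec["host"], rec["dst"], rec["ts"]))
    return dict(hits)


# Constructed sample: two devices talking to listed C&C hosts/IPs, one device to a
# sibling name under coolyun.com, one legitimate connection, one unparseable line.
SAMPLE_LOG = """\
2014-12-17T08:01:12Z 10.20.0.15 icudata.coolyun.com 113.142.37.149
2014-12-17T08:01:13Z 10.20.0.15 www.example.com 93.184.216.34
2014-12-17T08:02:40Z 10.20.0.31 update.coolyun.com 113.142.37.200
2014-12-17T08:03:05Z 10.20.0.44 - 113.142.37.246
2014-12-17T08:03:09Z 10.20.0.15 dmp.51coolpad.com 113.142.37.246
garbage line that does not parse
"""


def affected_devices(log_text=SAMPLE_LOG):
    """Client IPs with at least one exact indicator hit: the devices to pull for inspection."""
    hits = scan(log_text.splitlines())
    return sorted(src for src, ev in hits.items() if any(v == "match" for v, *_ in ev))


if __name__ == "__main__":
    for src, evidence in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        for verdict, host, dst, ts in evidence:
            print(f"{src}\t{verdict}\t{host}\t{dst}\t{ts}")
```

The IP match is kept independent of the hostname so a device that resolves the name elsewhere (or a log that records no hostname, the "-" line) is still caught; the review tier exists because blocking an entire vendor zone will also break legitimate Coolpad services.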

For details, see the Palo Alto Networks report at https://www.paloaltonetworks.com/threat-research.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Banks: Park-n-Fly Online Card Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Multiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly, an Atlanta-based offsite airport parking service that allows customers to reserve spots in advance of travel via an Internet-based reservation system. The security incident, if confirmed, would be the latest in a string of card breaches involving compromised payment systems at parking services nationwide.

In response to questions from KrebsOnSecurity, Park-n-Fly said it recently engaged multiple outside security firms to investigate breach claims made by financial institutions, but so far has been unable to find a breach of its systems.

“We have been unable to find any specific issues related to the cards or transactions reported to us and by the financial institutions,” Michael Robinson, the company’s senior director of information technology, said in an emailed statement. “While this kind of incident is rare for us based on our thousands of daily transactions, we do take every instance very seriously. Like any reputable company involved in e-commerce today we recognize that we must be constantly vigilant and research every claim to root out any vulnerabilities or potential gaps.”

Park-n-Fly’s statement continues:

“While we believe that our systems are very secure, including SSL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated. We have made all necessary precautionary upgrades and we just upgraded on 12/9 to the latest EV SSL certificate from Entrust, one of the leading certificate issuers in the industry.”

Nevertheless, two different banks shared information with KrebsOnSecurity that suggests Park-n-Fly, or some component of its online card processing system, has indeed experienced a breach. Both banks saw fraud on a significant number of customer cards that previously, and quite recently, had been used online to make reservations at a number of the more than 50 Park-n-Fly locations nationwide.

Unlike card data stolen from main street retailers, which can be encoded onto new plastic and used to buy goods in physical retail stores, cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.

The CVVs that bank sources traced back to Park-n-Fly are among thousands currently for sale in four large batches of card data (dubbed “Decurion”) being peddled at Rescator[dot]cm, the same crime shop that first moved cards stolen in the retail breaches at Home Depot and Target. The card data ranges in price from $6 to $9 per card, and includes the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.

Cards that banks traced back to Park-n-Fly were all for sale at Rescator's shop.

Last month, SP Plus, a Chicago-based parking facility provider, said payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were hacked after thieves installed malware that let them access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime store called Goodshop.

In Missouri, the St. Louis Parking Company recently disclosed that it learned of a breach involving card data stolen from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014.

Raspberry Pi: Controlling Telescopes with Raspberry Pi and Mathematica

This post was syndicated from: Raspberry Pi and was written by: Eben Upton. Original post: at Raspberry Pi

Eben: Here’s a guest post from Tom Sherlock, describing how he’s been able to control a telescope using a Raspberry Pi, Mathematica and the Wolfram Language.

As an amateur astronomer, I’m always interested in ways to use Mathematica in my hobby. In earlier blog posts, I’ve written about how Mathematica can be used to process and improve images taken of planets and nebulae. However, I’d like to be able to control my astronomical hardware directly with the Wolfram Language.

In particular, I’ve been curious about using the Wolfram Language as a way to drive my telescope mount, for the purpose of automating an observing session. There is precedent for this because some amateurs use their computerized telescopes to hunt down transient phenomena like supernovas. Software already exists for performing many of the tasks that astronomers engage in—locating objects, managing data, and performing image processing. However, it would be quite cool to automate all the different tasks associated with an observing session from one notebook.

Mathematica is highly useful because it can perform many of these operations in a unified manner. For example, Mathematica incorporates a vast amount of useful astronomical data, including the celestial coordinates of hundreds of thousands of stars, nebula, galaxies, asteroids, and planets. In addition to this, Mathematica‘s image processing and data handling functionality are extremely useful when processing astronomical data.

Previously I’ve done some work interfacing with telescope mounts using an existing library of functions called ASCOM. Although ASCOM is powerful and can drive many devices associated with astronomy, like domes and filter wheels, it is limited because it only works on PCs and needs to be pre-installed on your computer. I wanted to be able to drive my telescope directly from Mathematica running on any platform, and without any special set up.

Telescope Serial Communication Protocols

I did some research and determined that many telescope mounts obey one of two serial protocols for their control: the Meade LX200 protocol and the Celestron NexStar protocol.

The LX200 protocol is used by Meade telescopes like the LX200 series as well as the ETX series. The LX200 protocol is also used by many non-Meade telescope mounts, like those produced by Losmandy and Astro-Physics.

The NexStar protocol is used by Celestron telescopes and mounts as well as those manufactured by its parent company, Synta, including the Orion Atlas/Sirius family of computerized mounts.

The full details of these protocols can be found in the Meade Telescope Serial Command Protocol PDF and the NexStar Communication Protocol PDF.

A notable exception is the Paramount series of telescope mounts from Software Bisque, which use the RTS2 (Remote Telescope System) protocol for remote control of robotic observatories. The RTS2 standard describes communication across a TCP/IP link and isn’t serial-port based. Support for RTS2 will have to be a future project.

Since Mathematica 10 has added direct serial-port support, it’s possible to implement these protocols directly in top-level Wolfram Language code and have the same code drive different mounts from Mathematica running on different platforms, including Linux, Mac, Windows, and Raspberry Pi.

Example: Slewing the Scope

Here’s an example of opening a connection to a telescope mount obeying the LX200 protocol, setting the target and then slewing to that target.

Open the serial port (“/dev/ttyUSB0”) connected to the telescope:

theScope = DeviceOpen["Serial", 
{"/dev/ttyUSB0", "BaudRate" -> 9600, 
"DataBits" -> 8, "Parity" -> None, 
"StopBits" -> 1}];

First we need a simple utility for issuing a command, waiting for a given amount of time (usually a few seconds), and then reading off the single-character response. The wait is kept in a variable so it can be tuned to the mount; two seconds is a reasonable starting point.

theScopeTimeout = 2; (* seconds to wait before reading the mount's reply *)

ScopeIssueCommand1[theScope_, cmd_String]:=
Module[{},
   DeviceWrite[theScope, cmd]; 
   Pause[theScopeTimeout];
   FromCharacterCode[DeviceRead[theScope]]
];

These are functions for setting the target right ascension and declination in the LX200 protocol. Here, the right ascension (RA) is specified by a string in the form of HH:MM:SS, and the declination (Dec) by a signed string in the form of sDD:MM:SS (s is + or -). Each returns the mount's one-character reply: "1" if the coordinate was accepted, "0" if it was rejected. The third function issues the LX200 slew-to-target command, which the slewing code below relies on.

ScopeSetTargetRightAscension[theScope_,str_String] := ScopeIssueCommand1[theScope,":Sr"<>str<>"#"];

ScopeSetTargetDeclination[theScope_,str_String] := ScopeIssueCommand1[theScope,":Sd"<>str<>"#"];

(* ":MS#" slews to the target set above; the mount answers "0" when the slew can start *)
ScopeSlewTargetRADec[theScope_] := ScopeIssueCommand1[theScope,":MS#"];

Now that we have the basics out of the way, in order to slew to a target at coordinates specified by RA and Dec strings, setting the target and then issuing the slew command are combined.

ScopeSlewToRADecPrecise[
   theScope_, ra_String, dec_String]:=
Module[{},
   ScopeSetTargetRightAscension[theScope,ra];
   ScopeSetTargetDeclination[theScope, dec];
   ScopeSlewTargetRADec[theScope]
];

We can also pass in real values as the coordinates (RA in hours, Dec in degrees), and then convert them to correctly formatted strings for the above function. Each field is zero-padded to two digits, and the sign of the declination is handled separately: IntegerPart[-0.5] is 0, so taking the sign from the integer part alone would send a declination between 0 and -1 degrees as positive.

ScopeSlewToRADecPrecise[
   theScope_, ra_Real, dec_Real]:=
Module[{toSexagesimal, rastr, decstr},
   (* whole, minutes and seconds of |x|, each zero-padded to two digits *)
   toSexagesimal[x_]:=Module[{a=Abs[x],w,m,s},
      w=IntegerPart[a];
      m=IntegerPart[FractionalPart[a]*60];
      s=IntegerPart[FractionalPart[FractionalPart[a]*60]*60];
      StringJoin[Riffle[IntegerString[#,10,2]& /@ {w,m,s}, ":"]]];
   rastr=toSexagesimal[ra];
   decstr=If[dec<0,"-","+"]<>toSexagesimal[dec];
   ScopeSlewToRADecPrecise[theScope, rastr, decstr]
];

Now we can point the scope to the great globular cluster in Hercules:

ScopeSlewToRADecPrecise[theScope,
AstronomicalData["M13","RightAscension"],
AstronomicalData["M13","Declination"]];

Slew the scope to the Ring Nebula:

ScopeSlewToRADecPrecise[theScope,
NebulaData["M57","RightAscension"],
NebulaData["M57","Declination"]];

And slew the scope to Saturn:

ScopeSlewToRADecPrecise[theScope,
PlanetData["Saturn","RightAscension"],
PlanetData["Saturn","Declination"]];

When the observing session is complete, we can close down the serial connection to the scope.

DeviceClose[theScope];

Please be aware that before trying this on your own scope, you should have limits set up with the mount so that the scope doesn’t accidentally crash into things when slewing around. And of course, no astronomical telescope should be operated during the daytime without a proper solar filter in place.

The previous example works with Mathematica 10 on all supported platforms. The only thing that needs to change is the name of the serial port. For example, on a Windows machine, the port may be called “COM8” or such.

Telescope Control with Raspberry Pi

One interesting platform for telescope control is the Raspberry Pi. This is an inexpensive ($25–$35), low-power-consumption, credit-card-sized computer that runs Linux and is tailor-made for all manner of hackery. Best of all, it comes with a free copy of Mathematica included with the operating system.


Since the Pi is just a Linux box, the Wolfram Language code for serial-port telescope control works on that too. In fact, since the Pi can easily be wirelessly networked, it is possible to connect to it from inside my house, thus solving the number one problem faced by amateur astronomers, namely, how to keep warm when it’s cold outside.

The Pi doesn’t have any direct RS-232 ports in hardware, but an inexpensive USB-to-serial adapter provides a plug-and-play port at /dev/ttyUSB0. In this picture, you can see the small wireless network adapter in the USB socket next to the much larger, blue USB-to-serial adapter.


Astrophotography with the Pi

Once I had the Pi controlling the telescope, I wondered if I could use it to take pictures through the scope as well. The Raspberry Pi has an inexpensive camera available for $25, which can take reasonably high-resolution images with a wide variety of exposures.


This isn’t as good as a dedicated astronomical camera, because it lacks the active cooling needed to take low-noise images of deep sky objects, but it would be appropriate for capturing images of bright objects like planets, the Moon, or (with proper filtering) the Sun.

It was fairly easy to find the mechanical dimensions of the camera board on the internet, design a telescope adapter…


…and then build the adapter using my lathe and a few pennies worth of acetal resin (Dupont Delrin®) I had in my scrap box. The normal lens on the Pi camera was unscrewed and removed to expose the CCD chip directly because the telescope itself forms the image.


Note that this is a pretty fancy adaptor, and one nearly as good could have been made out of 1 1/4-inch plumbing parts or an old film canister; this is a place where many people have exercised considerable ingenuity. I bolted the adaptor to the side of the Pi case using some 2-56 screws and insulating stand-offs cut from old spray bottle tubing.


This is how the PiCam looks plugged into the eyepiece port on the back of my telescope, and also plugged into the serial port of my telescope’s mount. In this picture, the PiCam is the transparent plastic box at the center. The other camera with the gray cable at the top is the guiding camera I use when taking long exposure astrophotographs.


Remotely Connecting to the PiCam

The Pi is a Linux box, and it can run vncserver to export its desktop. You can then run a VNC client, such as the free TightVNC, on any other computer that is networked to the Pi. This is a screenshot, taken from my Windows PC, of the TightVNC application displaying the PiCam’s desktop. Here, the PiCam is running Mathematica and has imported a shot of the Moon’s limb from the camera module attached to the telescope via the adapter described above.


It’s hard to read in the above screen shot, but here is the line I used to import the image from the Pi’s camera module directly into Mathematica:

moonImage=Import[
"!raspistill -ss 1000 -t 10 -w 1024 -h 1024 -o -",
"JPG"]

This command invokes the Pi’s raspistill camera utility and captures a 1024×1024 image exposed at 1,000 microseconds after a 10-second delay, and then brings the resulting JPEG file into Mathematica.

One problem that I haven’t solved is how to easily focus the telescope remotely, because the PiCam’s preview image doesn’t work over the VNC connection. One interesting possibility would be to have Mathematica take a series of exposures while changing the focus via a servo attached to the focus knob of the telescope.

Conclusion

Mathematica and the Wolfram Language provide powerful tools for a wide variety of device control applications. In this case, I’ve used it on several different platforms to control a variety of astronomical hardware.

Schneier on Security: Over 700 Million People Taking Steps to Avoid NSA Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”

The press is mostly spinning this as evidence that Snowden has not had an effect: “merely 39%,” “only 39%,” and so on. (Note that these articles are completely misunderstanding the data. It’s not 39% of people who are taking steps to protect their privacy post-Snowden, it’s 39% of the 60% of Internet users — which is not everybody — who have heard of him. So it’s much less than 39%.)

Even so, I disagree with the “Edward Snowden Revelations Not Having Much Impact on Internet Users” headline. He’s having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that’s an additional 46 million people around the world.

It’s probably true that most of those people took steps that didn’t make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It’s probably even true that some of those people didn’t take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

Name another news story that has caused over ten percent of the world’s population to change their behavior in the past year? Cory Doctorow is right: we have reached “peak indifference to surveillance.” From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.

Related: a recent Pew Research Internet Project survey on Americans’ perceptions of privacy, commented on by Ben Wittes.

SANS Internet Storm Center, InfoCON: green: Worm Backdoors and Secures QNAP Network Storage Devices, (Sun, Dec 14th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Shellshock is far from over, with many devices still not patched and out there ready for exploitation. One set of devices receiving a lot of attention recently is QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users [1]. Our reader Erich submitted a link to an interesting Pastebin post with code commonly used in these scans [2].

The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known vector for Shellshock on QNAP devices [3]. This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware:

emme [sha1 611bd8bea11d6edb68ed96583969f85469f87e0f]:

This appears to implement a click fraud script against the advertisement network JuiceADV. The user ID being used is 4287, and http://www.123linux.it is used as the referrer. The user agent is altered based on a remote feed.

cl [sha1 b61fa82063975ba0dcbbdae2d4d9e8d648ca1605]:

A one-liner shell script uploading part of /var/etc/CCcam.cfg to ppoolloo.altervista.com. My test QNAP system does not have this file, so I am not sure what they are after.

The script also created a hidden directory, /share/MD0_DATA/optware/.xpl, which is then used to stash some of the downloaded scripts and files.

A couple of other changes made by the script:

  • sets the DNS server to 8.8.8.8
  • creates an SSH server on port 26
  • adds an admin user called “request”
  • downloads scripts and copies them to cgi-bin: armgH.cgi and exo.cgi
  • modifies autorun.sh to run the backdoors on reboot

Finally, the script will also download and install the Shellshock patch from QNAP and reboot the device.

Infected devices have been observed scanning for other vulnerable devices. I was not able to recover all of the scripts the code on pastebin downloads. The scanner may be contained in one of the additional scripts.
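The changes the script makes are also what a defender can look for afterwards. The following Python script is an added example, not code from the diary, from the Pastebin post or from QNAP: it walks a filesystem tree (a live device, a mounted disk image or a backup) for the artifacts the diary names, and parses `netstat -tln` output for the extra SSH listener on port 26. The sample tree and netstat output it builds for a stand-alone run are constructed; the diary does not say where cgi-bin and autorun.sh live on a QNAP, so the check matches on file names rather than fixed paths.

```python
"""Look for the post-compromise artifacts described in the diary above on a
QNAP filesystem tree. Added example; not code from the diary, the Pastebin
post or QNAP. The sample data at the bottom is constructed."""
import os
import re
import tempfile

# Indicators as stated in the diary (paths relative to the device root).
HIDDEN_DIR = os.path.join("share", "MD0_DATA", "optware", ".xpl")
CGI_BACKDOORS = ("armgH.cgi", "exo.cgi")
ROGUE_USER = "request"
ROGUE_DNS = "8.8.8.8"
ROGUE_SSH_PORT = 26

# One `netstat -tln` line in LISTEN state; group 1 is the local port.
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", re.M)


def parse_listening_ports(netstat_text):
    """Return the set of TCP ports in LISTEN state from `netstat -tln` output."""
    return {int(port) for port in LISTEN_RE.findall(netstat_text)}


def _read(path):
    """Read a text file, returning '' if it is missing or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def check_tree(root, listening_ports=frozenset()):
    """Walk the tree under `root` and return a sorted list of indicators found.
    `listening_ports` comes from parse_listening_ports() run on the live device."""
    findings = []
    if os.path.isdir(os.path.join(root, HIDDEN_DIR)):
        findings.append("hidden staging dir /" + HIDDEN_DIR.replace(os.sep, "/"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # The diary names the CGI files but not their directory, so match
            # on the file name inside any cgi-bin directory.
            if name in CGI_BACKDOORS and os.path.basename(dirpath) == "cgi-bin":
                findings.append("backdoor CGI " + name)
            if name == "autorun.sh":
                body = _read(os.path.join(dirpath, name))
                if ".xpl" in body or any(cgi in body for cgi in CGI_BACKDOORS):
                    findings.append("autorun.sh references backdoor")
    for line in _read(os.path.join(root, "etc", "passwd")).splitlines():
        if line.split(":")[0] == ROGUE_USER:
            findings.append("rogue account " + ROGUE_USER)
    for line in _read(os.path.join(root, "etc", "resolv.conf")).splitlines():
        # 8.8.8.8 is a legitimate resolver too, so on its own this is weak.
        if line.split() == ["nameserver", ROGUE_DNS]:
            findings.append("resolver changed to " + ROGUE_DNS + " (weak indicator)")
    if ROGUE_SSH_PORT in listening_ports:
        findings.append("sshd listening on port %d" % ROGUE_SSH_PORT)
    return sorted(findings)


# --- constructed sample data for a stand-alone run ---------------------------
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:26              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
"""


def build_sample_tree():
    """Create a constructed, infected-looking tree in a temp dir; the file
    locations below are illustrative, not QNAP's real layout."""
    root = tempfile.mkdtemp(prefix="qnap-sample-")

    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    os.makedirs(os.path.join(root, HIDDEN_DIR))
    put("www/cgi-bin/armgH.cgi", "#!/bin/sh\n# placeholder body\n")
    put("www/cgi-bin/exo.cgi", "#!/bin/sh\n# placeholder body\n")
    put("etc/autorun.sh", "#!/bin/sh\n/www/cgi-bin/exo.cgi &\n")
    put("etc/passwd", "admin:x:0:0:admin:/root:/bin/sh\nrequest:x:0:0::/root:/bin/sh\n")
    put("etc/resolv.conf", "nameserver 8.8.8.8\n")
    return root


def demo():
    """Run the check against the constructed tree and netstat output."""
    return check_tree(build_sample_tree(), parse_listening_ports(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for finding in demo():
        print("FOUND:", finding)
```

On a real device, run check_tree("/") together with the output of netstat -tln; on a disk image, point it at the mount point and leave listening_ports empty. The resolver check is deliberately reported as weak, since 8.8.8.8 is a common legitimate setting; the hidden directory, the two CGI files and the “request” account are the findings worth acting on.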

[1] http://www.qnap.com/i/en/news/con_show.php?op=showonecid=342
[2] http://pastebin.com/AQJgM5ij
[3] https://www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: SpamHaus, CloudFlare Attacker Pleads Guilty

This post was syndicated from: Krebs on Security and was written by: Brian Krebs. Original post: at Krebs on Security

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks, the attackers pelted CloudFlare’s network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”

In April 2013, an unnamed then-16-year-old male from London identified only by his hacker alias “Narko,” was arrested and charged with computer misuse and money laundering in connection with the attack.

Sources close to the investigation now tell KrebsOnSecurity that Narko has pleaded guilty to those charges, and that Narko’s real name is Sean Nolan McDonough. A spokesman for the U.K. National Crime Agency confirmed that a 17-year-old male from London had pleaded guilty to those charges on Dec. 10, but noted that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

During the assault on SpamHaus, Narko was listed as one of several moderators of the forum Stophaus[dot]com, a motley crew of hacktivists, spammers and bulletproof hosting providers who took credit for organizing the attack on SpamHaus and CloudFlare.

WHO RUNS STOPHAUS?

It is likely that McDonough/Narko was hired by someone else to conduct the attack. So, this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.

Not long after McDonough’s arrest, a new Facebook page went online called “Freenarko,” which listed itself as “a solidarity support group to help in the legal defense and media stability for ‘Narko,’ a 16-yr old brother in London who faces charges concerning the Spamhaus DDoS attack in March.”

Multiple posts on that page link to Stophaus propaganda, to the Facebook page for the Church of the Common Good, and to a now-defunct Web site called “WeAreHomogeneous.org” (an eye-opening and archived copy of the site as it existed in early 2013 is available at archive.org; for better or worse, the group’s Facebook page lives on).

The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization. Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”

More recent entries in Andrew’s LinkedIn profile show that he now sees his current job as a “social engineer.” From his page:

“I am a what you may call a “Social Engineer” and have done work for several information security teams. My most recent operation was with a research team doing propaganda analysis for a media firm. I have a unique ability to access data that is typically inaccessible through social engineering and use this ability to gather data for research purposes. I have a knack for data mining and analysis, but was not formally trained so am able to think outside the box and accomplish goals traditional infosec students could not. I am proficient at strategic planning and vulnerability analysis and am often busy dissecting malware and tracking the criminals behind such software. There’s no real title for what I do, but I do it well I am told.”

Turns out, Andrew J. Stephens used to have his own Web site — andrewstephens.org. Here, the indispensable archive.org helps out again with a cache of his site from back when it launched in 2011 (oddly enough, the same year that Stophaus claims to have been born). On his page, Mr. Stephens lists himself as an “internet entrepreneur” and his business as “IBT.” Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to a spamming software tool called “Quick Send v.1.0.”

Stephens did not return requests for comment sent to his various contact addresses, although a combative individual who uses the Twitter handle @Stophaus and has been promoting the group’s campaign refused to answer direct questions about whether he was in fact Andrew J. Stephens.

Helpfully, the cached version of Andrewstephens.org lists a contact email address at the top of the page: stephensboy@gmail.com (“Stephensboy” is the short/informal name of the Andrew J. Stephens LinkedIn profile). A historic domain registration record lookup purchased from Domaintools.com shows that same email address was used to register more than two dozen domains, including stophaus.org and stopthehaus.org. Other domains and businesses registered by that email include (hyperlinked domains below link to archive.org versions of the site):

-“blackhatwebhost.com”;
-“bphostingservers.com” (“BP” is a common abbreviation for “bulletproof hosting” services sold to spammers and malware purveyors);
-“conveyemail.com”;
-“datapacketz.com” (another spam software product produced and marketed by Stephens);
-“emailbulksend.com”;
-“emailbulk.info”;
-“escrubber.info” (tools to scrub spam email lists of dummy or decoy addresses used by anti-spam companies);
-“esender.biz”;
-“ensender.us”;
-“quicksendemail.com”;
-“transmitemail.com”.

The physical address on many of the original registration records for the site names listed above is that of one Michelle Kellison. The incorporation records for the Church of Common Good filed with the Florida Secretary of State list a Michelle Kellison as the registered agent for that organization.

Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.

Rodney Joffe, senior vice president and senior technologist at Neustar, a security company that also helps clients weather huge online attacks, estimates that there are approximately 25 million misconfigured or antiquated home and business routers that can be abused in these digital sieges. From the book:

Most of these are home routers supplied by ISPs or misconfigured business routers, but a great many of the devices are at ISPs in developing countries or at Internet providers that see no economic upside to spending money for the greater good of the Internet.

“In almost all cases, it’s an option that’s configurable by the ISP, but you have to get the ISP to do it,” Joffe said. “Many of these ISPs are on very thin margins and have no interest in going through the process of protecting their end users — or the rest of the Internet’s users, for that matter.”

And therein lies the problem. Not long ago, if a spammer or hacker wanted to launch a massive Internet attack, he had to assemble a huge botnet that included legions of hacked PCs. These days, such an attacker need not build such a huge bot army. Armed with just a few hundred bot-infected PCs, Joffe said, attackers today can take down nearly any target on the Internet, thanks to the millions of misconfigured Internet routers that are ready to be conscripted into the attack at a moment’s notice.

“If the bad guys launch an attack, they might start off by abusing 20,000 of these misconfigured servers, and if the target is still up and online, they’ll increase it to 50,000,” Joffe said. “In most cases, they only need to go to 100,000 to take the bigger sites offline, but there are 25 million of these available.”

If you run a network of any appreciable size, have a look for your Internet addresses in the Open Resolver Project, which includes a searchable index of some 32 million poorly configured or outdated device addresses that can be abused to launch these very damaging large-scale attacks.

TorrentFreak: Leak Exposes Hollywood’s Global Anti-Piracy Strategy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Sony Pictures leak has caused major damage to the Hollywood movie studio, but the fallout doesn’t end there.

Contained in one of the leaked data batches is a complete overview of the MPAA’s global anti-piracy strategy for the years to come.

In an email sent to top executives at the major Hollywood studios earlier this year, one of the MPAA’s top executives shared a complete overview of Hollywood’s anti-piracy priorities.

The email reveals key areas of focus for the coming years, divided into high, medium and low priority categories, as shown below.


The plan put forward by the MPAA is the ideal strategy. Which elements are to be carried out will mostly depend on the funds made available by the studios.

High priority

For cyberlockers and video streaming sites the MPAA plans to reach out to hosting providers, payment processing companies and advertising networks. These companies are urged not to work with so-called rogue sites.

Part of the plan is to create “legal precedent to shape and expand the law on cyberlockers and their hosting providers,” with planned lawsuits in the UK, Germany and Canada.

Cyberlocker strategy

Other top priorities are:

Apps: Making sure that pirate apps are taken down from various App stores. Google’s removal of various Pirate Bay apps may be part of this. In addition, the MPAA wants to make apps “unstable” by removing the pirated files they link to.

Payment processors: The MPAA wants to use government influence to put pressure on payment processors, urging them to ban pirate sites. In addition they will approach major players with “specific asks and proposed best practices” to deter piracy.

Site blocking: Expand site blocking efforts in the UK and other countries where it’s supported by law. In other countries, including the U.S., the MPAA will investigate whether blockades are an option through existing principles of law.

Domain seizures: The MPAA is slowly moving toward domain seizures of pirate sites. This strategy is being carefully tested against sites selling counterfeit products using trademark arguments.

Site scoring services: Developing a trustworthy site scoring system for pirate sites. This can be used by advertisers to ban rogue sites. In the future this can be expanded to payment processors, domain name registrars, hosting providers and search engines, possibly with help from the government.

Copyright Notices: The MPAA intends to proceed with the development of the UK Copyright Alert System, and double the number of notices for the U.S. version. In addition, the MPAA wants to evaluate whether the U.S. Copyright Alert System can expand to mobile carriers.

Mid and low priority

BitTorrent is categorized as a medium priority. The MPAA wants to emphasize the role of BitTorrent in piracy-related apps, such as Popcorn Time. In addition, illegal torrent sites will be subject to site blocking and advertising bans.

BitTorrent strategy

Other medium and low priorities are:

Search: Keep putting pressure on search engines and continue periodic research into their role in facilitating piracy. In addition, the MPAA will support third-party lawsuits against search engines.

Hosting: The MPAA sees Cloudflare as a problem and is developing a strategy for how to deal with the popular hosting provider. Lawsuits against hosting providers are also on the agenda.

Link sites: Apart from potential civil lawsuits in Latin America, linking sites will only be targeted if they become “particularly problematic.”

In the email the MPAA’s top executive does not consider the above strategies to be “final” or “set in stone.” How much the MPAA will be able to carry out with its partners depends on funds being available, which appears to be a subtle reminder that the studios should keep their payments coming.

“…the attached represents priorities and activities presuming online CP is adequately resourced. Your teams understand that, depending upon how the budget process plays out, we may need to lower priorities and activities for many sources of piracy and/or antipiracy initiatives,” the email reads.

The leaked strategy offers a unique insight into Hollywood’s strategy against various forms of online infringement.

It exposes several key priorities that were previously unknown. The MPAA’s strong focus on domain name seizures for example, or the plans to target cyberlockers with lawsuits in the UK, Germany and Canada.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.