Posts tagged ‘research’

SANS Internet Storm Center, InfoCON: green: Let’s Encrypt!, (Fri, Feb 27th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

As I have stated in the past, I am not a fan of all of the incomprehensible warning messages that average users are inundated with, and almost universally fail to understand, or of the click-thru culture these dialogs are propagating.

Unfortunately this is not just confined to websites on the Internet. With the increased use of HTTPS for web-based management, this issue is increasingly appearing on corporate networks.

The issue in most cases is caused by what is called a self-signed certificate: essentially, a certificate not backed by a recognized certificate authority. The fact is that recognized certificates are not cheap. For vendors to supply valid certificates for every device they sell would add significant cost to the product and would require the vendor to manage those certificates on all of their machines.

The Internet Security Research Group (ISRG), a public benefit corporation sponsored by the Electronic Frontier Foundation (EFF), Mozilla and other heavy hitters, aims to help reduce this problem and clean up the invalid certificate warning dialogs.

Their project, Let's Encrypt, aims to provide certificates for free, and to automate the deployment and expiry of certificates.

Essentially, a piece of software is installed on the server which talks to the Let's Encrypt certificate authority. From Let's Encrypt's website:

The Let's Encrypt management software will:

  • Automatically prove to the Let's Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.
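
As an added example (not code from the Let's Encrypt project or from this diary), the Go program below shows the two things the list above turns on: why a self-signed certificate fails a browser's chain validation while one issued by a trusted CA passes, and the expiry check an agent has to run on a schedule to renew on time. The "Demo Root CA", the hostname mgmt.device.example, the 90-day lifetime and the 30-day renewal window are all constructed for the demo, and Go's crypto/x509 validator stands in for the browser's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// makeCert issues a certificate for cn/sans. When parent is nil the template
// signs itself, which is exactly what a self-signed device certificate is.
func makeCert(cn string, sans []string, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	isCA bool, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// TrustedBy performs the validation a browser does: the leaf must chain to a
// root in roots, cover host, and be valid at time at. A nil error means trusted.
func TrustedBy(cert *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// NeedsRenewal is the scheduled expiry check: renew once no more than window remains.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) <= window
}

type DemoResult struct {
	SelfSignedTrusted bool // self-signed device cert validates against the trust store?
	CASignedTrusted   bool // CA-issued cert for the same key and name validates?
	RenewOnDay0       bool // renewal due right after issuance?
	RenewOnDay65      bool // renewal due with 25 of 90 days left?
}

func RunDemo() DemoResult {
	issued := time.Date(2015, 3, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	host := "mgmt.device.example"                           // constructed device hostname
	day := 24 * time.Hour

	caKey := newKey()
	ca := makeCert("Demo Root CA", nil, caKey, nil, nil, true, issued, 3650*day)
	devKey := newKey()
	selfSigned := makeCert(host, []string{host}, devKey, nil, nil, false, issued, 90*day)
	caSigned := makeCert(host, []string{host}, devKey, ca, caKey, false, issued, 90*day)

	roots := x509.NewCertPool() // the "browser trust store": only the demo CA
	roots.AddCert(ca)

	return DemoResult{
		SelfSignedTrusted: TrustedBy(selfSigned, roots, host, issued) == nil,
		CASignedTrusted:   TrustedBy(caSigned, roots, host, issued) == nil,
		RenewOnDay0:       NeedsRenewal(caSigned, issued, 30*day),
		RenewOnDay65:      NeedsRenewal(caSigned, issued.Add(65*day), 30*day),
	}
}

func main() {
	r := RunDemo()
	fmt.Printf("self-signed trusted: %v, CA-signed trusted: %v\n", r.SelfSignedTrusted, r.CASignedTrusted)
	fmt.Printf("renew on day 0: %v, renew on day 65: %v\n", r.RenewOnDay0, r.RenewOnDay65)
}
```

The two device certificates share the same key, name and lifetime; the only difference is who signed them, and that alone decides whether the validator accepts the cert or raises the warning dialog the diary complains about. That signing step, plus the renewal check, is the part a free automated CA takes off the vendor's plate.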

While there is still some complexity involved, it should make it a lot easier, and cheaper, for vendors to deploy legitimate certificates in their products. I am interested to see how they will stop bad guys from using their certificates for phishing sites, and what the process will be to report fraudulent use, but I am sure all of that will come.

Currently, it sounds like the Lets Encrypt certificate authority will start issuing certificates in mid-2015.

– Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Schneier on Security: Cell Phones Leak Location Information through Power Usage

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New research on tracking the location of smart phone users by monitoring power consumption:

PowerSpy takes advantage of the fact that a phone’s cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental conditions and cell tower distance is strong enough that momentary power drains like a phone conversation or the use of another power-hungry app can be filtered out, Michalevsky says.

One of the machine-learning tricks the researchers used to detect that “noise” is a focus on longer-term trends in the phone’s power use rather than those that last just a few seconds or minutes. “A sufficiently long power measurement (several minutes) enables the learning algorithm to ‘see’ through the noise,” the researchers write. “We show that measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement.”

Even so, PowerSpy has a major limitation: It requires that the snooper pre-measure how a phone’s power use behaves as it travels along defined routes. This means you can’t snoop on a place you or a cohort has never been, as you need to have actually walked or driven along the route your subject’s phone takes in order to draw any location conclusions.

I’m not sure how practical this is, but it’s certainly interesting.

The paper.

Linux How-Tos and Linux Tutorials: How to Use KDE Plasma Desktop Like a Pro

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

Image: kde desktop layout

KDE is, in my opinion, the most advanced desktop environment around, and I am going to uncover why in this article. There are so many features hidden in plain sight which can expand the functionality of KDE manifold. Let’s get started.

Customize the KDE desktop layout

Change begins at home, they say, and KDE lives that philosophy. The first thing that we see is the default desktop, and in Plasma you have complete control over it. You can change the entire layout of the desktop instead of being stuck with the default one.

Right-click anywhere on the desktop and choose the last option, ‘Default desktop’, from the context menu. It will open the ‘desktop settings’ dialog, where you can play with each layout. I like the ‘Search and Launch’ option. It provides a neat interface with quick access to apps or documents right from the desktop – similar to the home screen of Android or iOS.

You can pin your frequently-used applications or locations for quick access. The most exciting tool there is the ‘search’ box.

When you enter any term in the search box it works more or less like the Dash of Gnome or Unity and offers apps, files, locations related to that term in an overlay – it’s fast, responsive and very neat.

Add a dash search feature

If you don’t want to change the entire desktop layout and yet want a ‘dash search’ feature, then Homerun is what you are looking for. You can install it for your distro and then add it to the panel. Click on the ‘cashew’ > add widget and search for ‘Homerun’. Click on the one with the full-screen overlay. If you want, you can replace the default menu launcher with Homerun; you can then go ahead and move the panel to the left edge of your monitor to get a Unity-like experience.

Image: kde desktop homerun

Change the default application launcher

You can customize the default application launcher without having to use Homerun or by changing the default desktop layout. Right click on the launcher icon and change it to ‘classic menu style’ if you want a simpler menu which resembles the one from lightweight desktop environments like LXDE or the good old Gnome 2.

Image: kde desktop menu

I don’t much like the default launcher and always replace it with the Lancelot menu. I found Lancelot to be faster and more responsive than the default menu. Lancelot doesn’t come pre-installed, so, depending on the distro, you may have to install it. Try it out and you won’t regret it.


What if there were a way to open applications or documents without having to open the launcher/menu? Plasma has something up its sleeve. It’s called KRunner, and it can be triggered by hitting Alt+F2.

It works as a ‘jack of all trades’ tool. You can open apps by typing their names there; you can also ‘kill’ any app with it. Just type ‘kill’ followed by the name of the app.

When I said ‘jack of all trades’, I meant it. There are so many things that can be done with it. There is a wrench icon on KRunner, and when you click on it you will see a long list of plugins that add more features to KRunner.

You can uncheck to disable any plugin; as you can see all the additional ‘features’ come through these plugins.

KRunner can do more than just open apps, files and folders; you can perform many tasks from it, such as calculations and conversions. Let’s say, for example, you want to calculate 483 times 8. Use KRunner as a calculator and type ‘483×3=’ and that will give you the answer.

Image: kde desktop krunner

How about converting temperature or distance from one system to another? Type ‘100 cm’ and it will show you the converted values; try the same with any currency and it will show the converted rates in different currencies.

Image: KRunner calculator

You can open websites and bookmarks, and also search your KMail. Just keep one point in mind: KRunner doesn’t autocomplete, so you have to provide the full command. You can play movies and music directly from KRunner – just enter the complete path of the file. You can open any directory just by entering its entire path.

If you think that’s all, I have a surprise for you: you can ssh into your server through KRunner, or open a Samba server, just by using the appropriate protocol. KRunner will open the file, directory or location using the default application.

Krunner has so much to offer that it can’t be covered in one article, so go ahead and start playing and exploring.

Getting started

It often happens that I have to shut down or restart my system while there is so much running on it: dozens of applications, windows and websites open, and I don’t want to lose what I am working on. What do I do? In Plasma you can very easily save the entire session, and when you boot into your system again all of that work will open as it was before.

It can be accessed through System Settings > Startup and Shutdown. The option called ‘Session Management’ at the bottom allows you to save the current session or change it to ‘start with an empty session’.

The Autostart option in the same window makes it easier for users to manage which applications or scripts start at boot or login. If you notice that some programs configured to start at system boot are slowing down your system, you can disable them. At the same time, if there are applications that you want to start at boot time, just add them – one such program is Transmission, which I use to download torrents of Linux distros.


As a writer who extensively writes about Linux, I need screenshots for my stories. I am not the only user who needs screenshots, and Plasma once again beats everything out there. KDE’s screen-capture tool, called ksnapshot, is one of the best screenshot tools out there.

Ksnapshot offers the flexibility of choosing the capture mode, including ‘full screen’, the window under the cursor, a rectangular region, a freehand region and a section of a window. The last option is interesting, as you can capture a screenshot of a particular section of the window.

Image: kde desktop ksnapshot

Unlike Gnome’s screenshot tool, Ksnapshot remembers the mode you chose last time, whereas Gnome keeps forgetting and going back to the default one. Ksnapshot also allows a user to give a name to screenshots, and if you are recording a series of screenshots – to show some steps of an application – it saves them with your chosen name in sequence. With Gnome it defaults to the same ‘ScreenShot ….’ name. Plasma, once again, gives complete control to the user.

A multi-monitor bliss

Plasma is bliss for those with multiple-monitor setups. Plasma gives each monitor a personality of its own – something that is quite limited on other DEs. You can give each monitor a different wallpaper (you can actually set different wallpapers for virtual desktops and activities as well). Each monitor can have its own desktop layout and panels. The widgets on these panels and desktops can be configured differently, which means that if you work with clients in different time zones, you can set the clock on each desktop to that particular time zone.

No other DE, in my knowledge, is capable of doing that.

Panels and widgets

Two core components of the Plasma desktop are panels and widgets, which enhance the user experience.

On a Plasma desktop you can move the panel wherever you want – bottom, top, left or right. You can have more than one panel. I often slap the panel on the left edge of the screen, which makes better use of widescreen monitors. Then I add the Homerun widget to get an Ubuntu Unity-like experience.

To access the extra features of the panel, click on the cashew icon on the right-hand side of each panel and then configure it. I don’t really know why they use a ‘cashew’; a gear icon might be more appropriate so a user gets a hint of what it does.

If you want to add more panels, just right-click on the empty desktop and choose ‘add panel’ from the context menu.

KDE’s widgets take the customization of the desktop to the next level. These widgets allow you to access information quickly on the desktop, as well as on the panel. The widgets embedded in the panel are not mere icons to open an app – they work like the widgets you have seen on Android.

Widgets can also be added to the desktop – the way you do with Android. Depending on the distro, a Plasma desktop comes with a set of widgets, but you can always install more widgets which are being developed by the community. I installed a couple of widgets such as Play Control (which allows me to control the music player), RSS reader, Weather, etc. Go ahead, explore and you will find something new.

Image: kde desktop widget

Dolphin, smarter than others

Dolphin is one of the many gems that KDE has; it is by far the best file manager and can perform tasks that others can’t.

The basic functionality of Dolphin can be further enhanced by adding new services. And any third party developer can create a new package for Dolphin to integrate a service, such as Dropbox, with the Plasma desktop.

One area where I cringe whenever I use other DEs is their inability to bulk or mass rename files. I am an avid photographer and end up with hundreds of images with names like DCS323.NEF on my PC. That makes it extremely hard to search for and find the right images when you need them. I wish there were some standard ‘tagging’ for images that could be used across platforms; sadly there is none. So giving images proper names is the best, time-tested solution.

I was looking for Linus Torvalds images from LinuxCon 2014 and the file name helped. In Dolphin I can easily select multiple images and change their names, something that can’t be done on Gnome or even Mac OS X. To rename files, just select them and hit F2; that will open a file rename dialog.

Dolphin is also capable of showing thumbnails of different file types including images, videos, and text – which improves the overall desktop environment.

Some mysterious activities seen on Plasma desktop

Activities are one of the most mysterious and lesser known features of the Plasma desktop. I must admit that even I don’t make full use of Activities.

So what are these activities? The short, and not so accurate, answer is that they are more or less an extension of ‘virtual desktops’.

However, each activity can have its own virtual desktops. Now what does that mean? I will try to keep it as simple as possible. Let’s say I am writing my novel in Sublime Text, with research material open on the second monitor. This pristine setup gets disturbed every time I open another window or application to check my mail or chat with a colleague. That’s where virtual desktops, aka workspaces, come into play on a Linux desktop. Activities take that experience to the next level.

I can create a new activity for my novel writing, configure all the monitors and workspaces as I want, and open the apps where I need them. The second activity can be about my journalism work, with a text editor, all the RSS feeds and emails configured. And so on: I can create different activities for different work and easily switch between them without interrupting the others.

Image: kde desktop activities

Now, where it gets even more interesting is that each activity can have its own panels, widgets and background wallpaper. The name and icon of each Activity can be changed to personalize them further.


KDE Plasma remains one of the best open source technologies that Linux users can enjoy. Plasma allows us to exploit the full potential of our PCs and shows us that we don’t have to compromise on what we want to do with them.

You don’t have to compromise if you are using a Linux desktop. That’s the whole point!

lcamtuf's blog: Reflecting on visibility

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

In a recent Twitter conversation, Julien Vanegue asked me why I don’t put more thought into formally documenting and disseminating much of my security work – say, in the form of journal-published research papers, conference presentations, or similar rigidly-structured, long-lasting docs. It’s an interesting question, and one that I struggled to answer in 140 characters or less.

In the most basic sense, I think I simply find thrill in trying to solve practical problems; I also enjoy describing my thought process and comparing notes with others as I go. The security community is unique in its openness, giving us many ways to accomplish that goal and to stay in touch with the practitioners who are most likely to benefit from our work (or can critique it well). Because of this, I always felt that communicating with my peers through conferences, research journals, or press releases would be one of the least efficient ways of actually making contributions that stick.

Of course, such venues do offer a claim to immortality – be it in the form of seeing your name in the mainstream press, or witnessing a steady stream of citations for decades to come. When I was making my first steps in the field, I used to enjoy this sort of attention and I actively sought it to some extent (please don’t dig up the videos). But as I have grown older, it started to ring a bit hollow.

In my view, the progression of computer science in general, and infosec in particular, is a very incremental and collaborative process. We sometimes celebrate the engineers behind individual milestones – be it based on their skill, on their charisma, or on pure happenstance. But in doing so, we often do a disservice to those who carried the torch and developed the technologies into what they are today. When reciting the names of the fathers of the modern Internet, few readers will mention the masterminds behind such complex engineering feats as BGP, DNS, TLS, SSH, TCP performance extensions, JPEG, or CSS.

Compared to computer science, becoming a household name in information security is not hard; perhaps I’d still have a shot at it. But in retrospect, I would not want to be known forever only as the guy who developed Fenris or did some obscure work on TCP fifteen years ago. In fact, I sort of find pride in being able to look at my research from five years back and recognize the subtle marks it left on other people’s projects – but also see all the painful mistakes I have made, knowing that I can do much better today.

And yup, my current work will be once again unimportant 10 or 15 years from now. Hopefully, I will be working on something more interesting by then.

SANS Internet Storm Center, InfoCON: green: A Different Kind of Equation, (Tue, Feb 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Both the mainstream media and the security media are abuzz with Kaspersky’s disclosure of their research on the Equation group and the associated malware. You can find the original blog post here:

But if you want some real detail, check out the Q

Way more detail, and much more sobering to see that this group of malware goes all the way back to 2001 and includes code to map disconnected networks (using USB-key C&C like Stuxnet did), as well as the disk firmware facet that’s everyone’s headline today.

Some Indicators of Compromise – something we can use to identify whether our organizations or clients are affected – are included in the PDF. The DNS IoCs included are especially easy to use, either as checks against logs or as black-hole entries.

Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
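
The two uses of DNS IoCs the diary above describes (checking them against resolver logs, and turning them into black-hole entries), as an added example that is not part of the original post or of Kaspersky's report. The indicator domains, the BIND-style query log lines and the client addresses below are all constructed placeholders (the real indicators are in the PDF), and the black-hole output uses the BIND response-policy-zone (RPZ) record format, in which "CNAME ." makes the resolver answer NXDOMAIN.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed placeholder indicators standing in for the published DNS IoCs.
var iocDomains = []string{
	"update.ioc-placeholder-one.example",
	"ioc-placeholder-two.example",
}

// Constructed BIND "query:" log lines. The first and third fall under an
// indicator; the fourth only looks similar and must not match.
var sampleQueryLog = []string{
	"17-Feb-2015 09:12:44.101 client 10.1.20.15#51234: query: update.ioc-placeholder-one.example IN A + (10.1.0.2)",
	"17-Feb-2015 09:12:45.220 client 10.1.20.16#51235: query: www.example.org IN A + (10.1.0.2)",
	"17-Feb-2015 09:13:02.007 client 10.1.20.15#51240: query: cdn.ioc-placeholder-two.example. IN AAAA + (10.1.0.2)",
	"17-Feb-2015 09:13:05.900 client 10.1.20.17#51241: query: ioc-placeholder-two.example.org IN A + (10.1.0.2)",
}

// normalize lowercases a name and strips the trailing root dot so
// "Foo.Example." and "foo.example" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// MatchesIoC reports whether name is the indicator itself or a subdomain of it.
// The "." prefix on the suffix test stops "evilexample.com" matching "example.com".
func MatchesIoC(name, ioc string) bool {
	name, ioc = normalize(name), normalize(ioc)
	return name == ioc || strings.HasSuffix(name, "."+ioc)
}

// ParseQueryName extracts the queried name from a BIND query log line.
func ParseQueryName(line string) (string, bool) {
	i := strings.Index(line, "query: ")
	if i < 0 {
		return "", false
	}
	fields := strings.Fields(line[i+len("query: "):])
	if len(fields) == 0 {
		return "", false
	}
	return normalize(fields[0]), true
}

type Hit struct {
	Line      string
	Indicator string
}

// ScanLog returns every log line whose queried name falls under an indicator.
func ScanLog(lines, iocs []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		name, ok := ParseQueryName(line)
		if !ok {
			continue
		}
		for _, ioc := range iocs {
			if MatchesIoC(name, ioc) {
				hits = append(hits, Hit{Line: line, Indicator: normalize(ioc)})
				break
			}
		}
	}
	return hits
}

// RPZRecords renders the indicators as RPZ black-hole entries covering the
// name and everything beneath it.
func RPZRecords(iocs []string) []string {
	var recs []string
	for _, ioc := range iocs {
		ioc = normalize(ioc)
		recs = append(recs, ioc+" CNAME .", "*."+ioc+" CNAME .")
	}
	return recs
}

func main() {
	for _, h := range ScanLog(sampleQueryLog, iocDomains) {
		fmt.Printf("HIT %-36s %s\n", h.Indicator, h.Line)
	}
	fmt.Println(strings.Join(RPZRecords(iocDomains), "\n"))
}
```

The suffix match with a leading dot is the detail that matters when indicator lists grow: without it a short indicator such as a bare registered domain would light up on every unrelated name that merely ends in the same characters, and the fourth sample line exists to make that case visible.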

Krebs on Security: The Great Bank Heist, or Death by 1,000 Cuts?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I received a number of media requests and emails from readers over the weekend to comment on a front-page New York Times story about an organized gang of cybercriminals pulling off “one of the largest bank heists ever.” Turns out, I reported on this gang’s activities in December 2014, although my story ran minus many of the superlatives in the Times piece.

The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.

Image: Kaspersky


Such jaw-dropping numbers were missing from a story I wrote in December 2014 about this same outfit, Gang Hacked ATMs From Inside Banks. That piece was based on similar research published (PDF) jointly by Dutch security firm Fox-IT and by Group-IB, a Russian computer forensics company. Fox-IT and Group-IB called the crime group “Anunak,” and described how the crooks sent malware laced Microsoft Office attachments in spear phishing attacks to compromise specific users inside targeted banks.

“Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,” my December 2014 story observed. “But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”

I also noted that a source told me this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

Andy Chandler, Fox-IT’s general manager and senior vice president, said the group profiled in its December report and in the Kaspersky study are the same.

“Anunak or Carbanak are the same,” Chandler said. “We continue to track this organization but there are no major revelations since December. So far in 2015, the financial industry have been kept busy by other more creative criminal groups,” such as those responsible for spreading the Dyre and Dridex banking malware, he said.


Certainly, learning that this group stole possibly close to USD $1 billion advances the story, even if the Kaspersky report is a couple of months late, or generous to the attackers by a few hundred million bucks. The Kaspersky report also references (but doesn’t name) victim banks in the United States, although the New York Times story notes that the majority of the targeted financial institutions were in Russia. The Group-IB/Fox-IT report did not mention US banks as victims.

Two readers at different financial institutions asked whether The Times was accurate in stating that employees at victim banks had their computers infected merely after opening booby-trapped emails. “The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait,” The Times’ story reads. “When the bank employees clicked on the email, they inadvertently downloaded malicious code.”

As the Kaspersky report (and my earlier reporting) notes, the attackers leveraged vulnerabilities in Microsoft Office products for which Microsoft had already produced patches many months prior — targeting organizations that had fallen behind on patching. Victims had to open booby trapped attachments within spear phishing emails.

“Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and old exploits (for which patches have been disseminated) remain effective against larger companies,” Kaspersky’s report concludes. “Attackers always use this minimal effort approach in order to bypass a victim’s defenses.”

Minimal effort. That’s an interesting choice of words to describe the activities of crime groups like this one. The Kaspersky report is titled “The Great Bank Robbery,” but the work of this gang could probably be more accurately described as “Death by 1,000 cuts.”

Why should crime groups like this one expend more than minimal effort? After all, there are thousands of financial institutions here in the United States alone, and it’s a fair bet that on any given day a decent number of those banks are months behind on installing security updates. They’re mostly running IT infrastructure entirely based on Microsoft Windows, and probably letting employees browse the Web with older versions of Internet Explorer from the same computers used to initiate wire transfers (I witnessed this firsthand just last week at the local branch of a major U.S. bank). It’s worth noting that most of the crime gang’s infrastructure appears to be Linux-based.

This isn’t intended as a dig at Microsoft, but to illustrate a point: Most organizations — even many financial institutions — aren’t set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response. This “security maturity” graphic nicely illustrates the gap between these two types of organizations.

As I wrote in my December story, the attacks from the Anunak/Carbanak gang showcase once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding. According to the Fox-IT/Group-IB report, the average time from the moment this group breaks into bank internal networks and the successful theft of cash is a whopping 42 days.

Kaspersky’s report notes a similar time range: “There is evidence indicating that in most cases the network was compromised for between two to four months, and that many hundreds of computers within a single victim organization may have been infected.” Both the Kaspersky and Group-IB/Fox-IT reports contain pages and pages of threat indicators, including digital signatures and network infrastructure used by this group.

So those are some takeaways for financial institutions, but what about banking customers? Sadly, these developments should serve as yet another wake-up call for small to mid-sized businesses based in the U.S. and banking online. While consumers in the United States are shielded by law against unauthorized online banking transactions, businesses have no such protection.

Russian hacking gangs like this one have stolen hundreds of millions of dollars from small- to mid-sized businesses in the U.S. and Europe over the past five years (for dozens of examples, see my series, Target: Small Businesses). In the vast majority of those cyberheists, the malware that thieves used to empty business accounts was on the victim organization’s computers — not the bank’s.

Now, add to that risk the threat of the business’s bank getting compromised from within and the inability of the institution to detect the breach for months on end.

“Advanced control and fraud detection systems have been used for years by the financial services industry,” the Kaspersky report observed. “However, these focus on fraudulent transactions within customer accounts. The Carbanak attackers bypassed these protections, by for example, using the industry-wide funds transfer (the SWIFT network), updating balances of account holders and using disbursement mechanisms (the ATM network). In neither of these cases did the attackers exploit a vulnerability within the service. Instead, they studied the victim´s internal procedures and pinpointed who they should impersonate locally in order to process fraudulent transactions through the aforementioned services. It is clear that the attackers were very familiar with financial services software and networks.”

Do you run your own business and bank online but are unwilling to place all of your trust in your bank’s security? Consider adopting some of the advice I laid out in Online Banking Best Practices for Businesses and Banking on a Live CD.

lcamtuf's blog: Bi-level TIFFs and the tale of the unexpectedly early patch

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Today’s release of MS15-016 (CVE-2015-0061) fixes another of the series of browser memory disclosure bugs found with afl-fuzz – this time, related to the handling of bi-level (1-bpp) TIFFs in Internet Explorer (yup, MSIE displays TIFFs!). You can check out a simple proof-of-concept here, or simply enjoy this screenshot of eight subsequent renderings of the same TIFF file:

The vulnerability is conceptually similar to other previously-identified problems with GIF and JPEG handling in popular browsers (example 1, example 2), with the SOS handling bug in libjpeg, or the DHT bug in libjpeg-turbo (details here) – so I will try not to repeat the same points in this post.

Instead, I wanted to take note of what really sets this bug apart: Microsoft has addressed it in precisely 60 days, counting from my initial e-mail to the availability of a patch! This struck me as a big deal: although vulnerability research is not my full-time job, I do have a decent sample size – and I don’t think I have seen this happen for any of the few dozen MSIE bugs that I reported to MSRC over the past few years. The average patch time always seemed to be closer to 6+ months – coupled with the somewhat odd practice of withholding attribution in security bulletins and engaging in seemingly punitive PR outreach if the reporter ever went public before that.

I am very excited and hopeful that rapid patching is the new norm – and huge thanks to MSRC folks if so :-)

Krebs on Security: Anthem Breach May Have Started in April 2014

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion.

The Wall Street Journal reported last week that security experts involved in the ongoing forensics investigation into the breach say the servers and attack tools used in the attack on Anthem bear the hallmark of a state-sponsored Chinese cyber espionage group known by a number of names, including “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew,” to name but a few.

Deep Panda is the name given to this group by security firm CrowdStrike. In November 2014, CrowdStrike published a snapshot of a graphic showing the malware and malicious Internet servers used in what security experts at PriceWaterhouseCoopers dubbed the ScanBox Framework, a suite of tools that have been used to launch a number of cyber espionage attacks.


Crowdstrike’s snapshot (produced with the visualization tool Maltego) lists many of the tools the company has come to associate with activity linked to Deep Panda, including a password stealing Trojan horse program called Derusbi, and an Internet address — 198[dot]200[dot]45[dot]112.

CrowdStrike’s image curiously redacts the resource tied to that Internet address (note the black box in the image above), but a variety of open source records indicate that this particular address was until very recently the home for a very interesting domain: The third and fourth characters in that domain name are the numeral one, but it appears that whoever registered the domain was attempting to make it look like “Wellpoint,” the former name of Anthem before the company changed its corporate name in late 2014.

We11point[dot]com was registered on April 21, 2014 to a bulk domain registration service in China. Eight minutes later, someone changed the site’s registration records to remove any trace of a connection to China.

Intrigued by the fake Wellpoint domains, Rich Barger, chief information officer for Arlington, Va. security firm ThreatConnect Inc., dug deeper into so-called “passive DNS” records — historic records of the mapping between numeric Internet addresses and domain names. That digging revealed a host of other subdomains tied to the suspicious we11point[dot]com site. In the process, Barger discovered that these subdomains — including myhr.we11point[dot]com, and hrsolutions.we11point[dot]com — mimicked components of Wellpoint’s actual network as it existed in April 2014.

“We were able to verify that the evil we11point infrastructure is constructed to masquerade as legitimate Wellpoint infrastructure,” Barger said.

Another fishy subdomain that Barger discovered was extcitrix.we11point[dot]com. The “citrix” portion of that domain likely refers to Citrix, a software tool that many large corporations commonly use to allow employees to remotely access internal networks over a virtual private network (VPN).

Interestingly, that extcitrix.we11point[dot]com domain, first put online on April 22, 2014, was referenced in a malware scan from a malicious file that someone uploaded to a malware scanning service. According to the writeup on that malware, it appears to be a backdoor program masquerading as Citrix VPN software. The malware is digitally signed with a certificate issued to an organization called DTOPTOOLZ Co. According to CrowdStrike and other security firms, that digital signature is the calling card of the Deep Panda Chinese espionage group.


As noted in a story in, Anthem has been sharing information about the attack with the Health Information Trust Alliance (HITRUST) and the National Health Information Sharing and Analysis Center (NH-ISAC), industry groups whose mission is to disseminate information about cyber threats to the healthcare industry.

A news alert published by HITRUST last week notes that Anthem has been sharing so-called “indicators of compromise” (IOCs) — Internet addresses, malware signatures and other information associated with the breach. “It was quickly determined that the IOCs were not found by other organizations across the industry and this attack was targeted a specific organization,” HITRUST wrote in its alert. “Upon further investigation and analysis it is believed to be a targeted advanced persistent threat (APT) actor. With that information, HITRUST determined it was not necessary to issue a broad industry alert.”

An alert released by the Health Information Trust Alliance (HITRUST) about the APT attack on Anthem.

But a variety of data points suggest that the same infrastructure used to attack Anthem may have been leveraged against a Reston, Va.-based information technology firm that primarily serves the Department of Defense.

A writeup on a piece of malware that Symantec calls “Mivast” was produced on Feb. 6, 2015. It describes a backdoor Trojan that Symantec says may call out to one of a half-dozen domains, including the aforementioned extcitrix.we11point[dot]com domain and another — Other domains on the same server include, and Once again, it appears that we have a malware sample calling home to a domain designed to mimic the internal network of an organization — most likely VAE Inc. (whose legitimate domain is

Barger and his team at ThreatConnect discovered that the domain also was tied to a malware sample made to look like it was VPN software made by networking giant Juniper. That malware was created in May 2014, and was also signed with the DTOPTOOLZ Co. digital certificate that CrowdStrike has tied to Deep Panda.


In response to an inquiry from KrebsOnSecurity, VAE said it detected a targeted phishing attack in May 2014 that used malware which phoned home to those domains, but the company said it was not aware of any successful compromise of its users.

In any case, the Symantec writeup on Mivast also says the malware tries to contact the Internet address 192[dot]199[dot]254[dot]126, which resolved to just one Web domain: topsec2014[dot]com. That domain was registered on May 6, 2014 to a bulk domain reseller who immediately changed the registration records and assigned the domain to the email address That address appears to be the personal email of one Song Yubo, a professor with the Information Security Research Center at the Southeast University in Nanjing, Jiangsu, China.

Yubo and his university were named in a March 2012 report, “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,” (PDF) produced by U.S. defense contractor Northrop Grumman Corp. for the U.S.-China Economic and Security Review Commission. According to the report, Yubo’s center is one of a handful of civilian universities in China that receive funding from the Chinese government to conduct sensitive research and development with information security and information warfare applications.


Of course, it could well be that this is all a strange coincidence, and/or that the basic information on Deep Panda is flawed. But that seems unlikely given the number of connections and patterns emerging in just this small data set.

It’s remarkable that the security industry so seldom learns from past mistakes. For example, one of the more confounding and long-running problems in the field of malware detection and prevention is the proliferation of varying names for the same threat. We’re seeing this once again with the nicknames assigned to various cyberespionage groups (see the second paragraph of this story for examples).

It’s also incredible that so many companies could see the outlines of a threat against such a huge target, and that it took until just this past week for the target to become aware of it. For its part, ThreatConnect tweeted about its findings back in November 2014, and shared the information out to its user base.

CrowdStrike declined to confirm whether the resource blanked out in the above pictured graphic from November 2014 was in fact we11point[dot]com.

“What I can tell you is that this domain is a Deep Panda domain, and that we always try to alert victims whenever we discover them,” said Dmitri Alperovitch, co-founder of CrowdStrike.

Also, it’s myopic for an industry information sharing and analysis center (ISAC) to decide not to share indicators of compromise with other industry ISACs, let alone its own members. This should not be a siloed effort. Somehow, we need to figure out a better — more timely way — to share threat intelligence and information across industries.

Perhaps the answer is crowdsourcing threat intelligence, or maybe it’s something we haven’t thought of yet. But one thing is clear: there is a yawning gap between the time it takes for an adversary to compromise a target and the length of time that typically passes before the victim figures out they’ve been had.

The most staggering and telling statistic included in Verizon’s 2014 Data Breach Investigations Report (well worth a read) is the graphic showing the difference between the “time to compromise” and the “time to discovery.” TL;DR: That gap is not improving, but instead is widening.


Then again, maybe this breach at Anthem isn’t as bad as it seems. After all, if the above data and pundits are to be believed, the attackers were likely looking for a needle in a haystack — searching for data on a few individuals that might give Chinese spies a way to better siphon military technology or infiltrate some U.S. defense program.

Perhaps, as Barger wryly observed, the Anthem breach was little more than the product of a class assignment — albeit an expensive and aggravating one for Anthem and its 80 million affected members. In May 2014, the aforementioned Southeast University Professor Song Yubo posted a “Talent Cup” tournament challenge to his information security students.

“Just as the OSS [Office of Strategic Services] and CIA used professors to recruit spies, it could be that this was all just a class project,” Barger mused.

lcamtuf's blog: Symbolic execution in vuln research

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

There is no serious disagreement that symbolic execution has a remarkable potential for programmatically detecting broad classes of security vulnerabilities in modern software. Fuzzing, in comparison, is an extremely crude tool: it’s the banging-two-rocks-together way of doing business, as contrasted with brain surgery.

Because of this, it comes as no surprise that for the past decade or so, the topic of symbolic execution and related techniques has been the mainstay of almost every single self-respecting security conference around the globe. The tone of such presentations is often lofty: the slides and research papers are frequently accompanied by claims of extraordinary results and the proclamations of the imminent demise of less sophisticated tools.

Yet, despite the crippling and obvious limitations of fuzzing and the virtues of symbolic execution, there is one jarring discord: I’m fairly certain that probably around 70% of all remote code execution vulnerabilities disclosed in the past few years trace back to fairly “dumb” fuzzing tools, with the pattern showing little change over time. The remaining 30% is attributable almost exclusively to manual work – be it systematic code reviews, or just aimlessly poking the application in hopes of seeing it come apart. When you dig through public bug trackers, vendor advisories, and CVE assignments, the mark left by symbolic execution can be seen only with a magnifying glass.

This is an odd discrepancy, and one that is sometimes blamed on the practitioners being backward, stubborn, and ignorant. This may be true, but only to a very limited extent; ultimately, most geeks are quick to embrace the tools that serve them well. I think that the disconnect has its roots elsewhere:

  1. The code behind many of the most-cited, seminal publications on security-themed symbolic execution remains non-public; this is particularly true for Mayhem and SAGE. Implementation secrecy is fairly atypical in the security community, is usually viewed with distrust, and makes it difficult to independently evaluate, replicate, or build on top of the published results.

  2. The research often fails to fully acknowledge the limitations of the underlying methods – while seemingly being designed to work around these flaws. For example, the famed Mayhem experiment helped identify thousands of bugs, but most of them seemed to be remarkably trivial and affected only very obscure, seldom-used software packages with no significance to security. It is likely that the framework struggled with more practical issues in higher-value targets – a prospect that, especially if not addressed head-on, can lead to cynical responses and discourage further research.

  3. Any published comparisons to more established vulnerability-hunting techniques are almost always retrospective; for example, after the discovery of Heartbleed, several teams have claimed that their tools would have found the bug. But analyses that look at ways to reach an already-known fault condition are very susceptible to cognitive bias. Perhaps more importantly, it is always tempting to ask why the tools are not tasked with producing a steady stream of similarly high-impact, headline-grabbing bugs.

The uses of symbolic execution, concolic execution, static analysis, and other emerging technologies to spot substantial vulnerabilities in complex, unstructured, and non-annotated code are still in their infancy. The techniques suffer from many performance trade-offs and failure modes, and while there is no doubt that they will shape the future of infosec, thoughtful introspection will probably get us there sooner than bold claims with little or no follow-through. We need to move toward open-source frameworks, verifiable results, and solutions that work effortlessly and reliably for everyone, against almost any target. That’s the domain where the traditional tools truly shine, and that’s why they scale so well.

Ultimately, the key to winning the hearts and minds of practitioners is very simple: you need to show them how the proposed approach finds new, interesting bugs in the software they care about.

SANS Internet Storm Center, InfoCON: green: Another Network Forensic Tool for the Toolbox – Dshell, (Tue, Feb 3rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This is a guest diary written by Mr. William Glodek, Chief, Network Security Branch, U.S. Army Research Laboratory.

As a network analysis practitioner, I analyze multiple gigabytes of pcap data across multiple files on a daily basis. I have encountered many challenges where the standard tools (tcpdump, tcpflow, Wireshark/tshark) were either not flexible enough or couldn't be prototyped quickly enough to do specialized analyses in a timely manner. Either the analysis couldn't be done without recompiling the tool itself, or the plugin system was difficult to work with via command line tools.

Dshell, a Python-based network forensic analysis framework developed by the U.S. Army Research Laboratory, can help make that job a little easier [1]. The framework handles stream reassembly of both IPv4 and IPv6 network traffic and also includes geolocation and IP-to-ASN mapping data for each connection. The framework also enables development of network analysis plug-ins that are designed to aid in the understanding of network traffic and present results to the user in a concise, useful manner, by allowing users to parse and present data of interest from multiple levels of the network stack: from tweaking an existing decoder to extract slightly different information from existing protocols, to writing a new parser for a completely novel protocol. Here are two scenarios where Dshell has decreased the time required to identify and respond to network forensic challenges.

  1. Malware authors will frequently embed a domain name in a piece of malware for improved command and control or resiliency to security countermeasures such as IP blocking. When the attackers have completed their objective for the day, they minimize the network activity of the malware by updating the DNS record for the hostile domain to point to a non-Internet routable IP address. Dshell's reservedips decoder finds exactly these lookups:

     Dshell> decode -d reservedips *.pcap

    The reservedips module will find all of the DNS request/response pairs for domains that resolve to a non-routable IP address, and display them on a single line. By having each result displayed on a single line, I can utilize other command line utilities like awk or grep to further filter the results. Dshell can also present the output in CSV format, which may be imported into many Security Event and Incident Management (SEIM) tools or other analytic platforms.

  2. A drive-by-download attack is successful and a malicious executable is downloaded [2]. I need to find the network flow of the download of the malicious executable and extract the executable from the network traffic.
     Using the web module, I can inspect all the web traffic contained in the sample file. In the example below, a request for xzz1.exe with a successful server response is likely the malicious file.

    I can then extract the executable from the network traffic by using the rip-http module. The rip-http module will reassemble the IP/TCP/HTTP stream, identify the filename being requested, strip the HTTP headers, and write the data to disk with the appropriate filename.

    There are additional modules within the Dshell framework to solve other challenges faced with network forensics. The ability to rapidly develop and share analytical modules is a core strength of Dshell. If you are interested in using or contributing to Dshell, please visit the project at
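To show what the reservedips scenario boils down to, here is a small stand-alone re-creation of its core logic: parse DNS responses, pull out the A records, and emit one tab-separated line per name that resolves into non-globally-routable address space, so the output pipes cleanly into grep or awk as the diary describes. This is an added example, not Dshell's own decoder; the DNS messages it inspects are constructed inline rather than read from a pcap.

```python
"""Constructed example of the reservedips idea: report DNS answers that map a
queried name to a non-globally-routable IPv4 address, one result per line."""
from __future__ import annotations

import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, answers: list[str]) -> bytes:
    """Construct a DNS response with one A question and one A RR per address.
    Answer names use a compression pointer (0xC00C) back to the question, as
    real resolvers do, so the parser below is exercised on that path too."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rrs = b""
    for ip in answers:
        # name pointer, type A, class IN, TTL 300, rdlength 4, then the address
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly-compressed name at `off`; return (name, offset after it)."""
    labels: list[str] = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it once
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def reserved_answers(msg: bytes) -> list[tuple[str, str]]:
    """Return (name, ip) for every A record whose address is not globally routable."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:  # QR bit clear: a query, which carries no answers
        return []
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    hits = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = ipaddress.IPv4Address(rdata)
            if not ip.is_global:  # loopback, RFC 1918, 0.0.0.0/8, etc.
                hits.append((name, str(ip)))
    return hits


def format_line(name: str, ip: str) -> str:
    """One grep/awk-friendly line per finding, mirroring the single-line output."""
    return f"reservedips\t{name}\t{ip}"


# Constructed sample traffic (hypothetical names): a parked C2-style domain
# pointing at loopback, a normal lookup, and a name resolving into RFC 1918 space.
SAMPLES = [
    build_response(0x1A2B, "update.example.invalid", ["127.0.0.1"]),
    build_response(0x1A2C, "www.example.com", ["93.184.216.34"]),
    build_response(0x1A2D, "cdn.example.invalid", ["10.0.0.5", "93.184.216.34"]),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        for qname, addr in reserved_answers(pkt):
            print(format_line(qname, addr))
```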

    [1] Dshell

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Hollywood’s Release Delays Breed Pirates

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Hollywood has a message to all those pirates who keep making excuses to download and stream films illegally.

“You have no excuse.”

The major movie studios have done enough to make their content legally available, launching thousands of convenient movie services worldwide, they claim.

“We need to bust the myth that legal content is unavailable. Creative industries are tirelessly experimenting with new business models that deliver films, books, music, TV programs, newspapers, games and other creative works to consumers,” Stan McCoy noted on the MPAA blog this week.

“In Europe, there are over 3,000 on-demand audio-visual services available to European citizens,” he adds.

So is the MPA right? Is “availability” an imaginary problem that pirates use as an excuse not to pay?

We decided to investigate the issue by looking at the online availability of the ten most downloaded films of last week. Since the MPAA’s blog post talked about Europe and the UK we decided to use which focuses on UK content. The results of our small survey speak for themselves.

Of the ten most pirated movies only Gone Girl is available to buy or rent online. A pretty weak result, especially since it’s still missing from the most popular video subscription service Netflix.

Ranking  Movie                                      Available Online? (Buy / Rent)
1        Interstellar                               NO
2        American Sniper                            NO
3        Taken 3                                    NO
4        The Hobbit: The Battle of the Five Armies  NO
5        John Wick                                  NO
6        Into The Woods                             NO
7        Fury                                       NO
8        Gone Girl                                  Rent/Buy
9        American Heist                             NO
10       The Judge                                  NO

Yes, the results above are heavily skewed because they only include movies that were released recently. Looking up films from 2011 will result in a much more favorable outcome in terms of availability.

But isn’t that the problem exactly? Most film fans are not interested in last year’s blockbusters, they want to able to see the new stuff in their home too. And since the movie industry prefers to keep its windowing business model intact, piracy is often the only option to watch recent movies online.

So when the MPA’s Stan McCoy says that lacking availability is a myth, he’s ignoring the elephant in the room.

For as long as the film industry keeps its windowing business model intact, releasing films online months after their theatrical release, people will search for other ways to access content, keeping their piracy habit alive.

Admittedly, changing a business that has relied on complex licensing schemes and windowing strategies for decades isn’t easy. But completely ignoring that these issues play a role is a bit shortsighted.

There’s no doubt that the movie studios are making progress. It’s also true that many people choose to pirate content that is legally available, simply because it’s free. There is no good excuse for these freeriders, but it’s also a myth that Hollywood has done all it can to eradicate piracy.

Even its own research proves them wrong.

Earlier this year a KPMG report, commissioned by NBC Universal, showed that only 16% of the most popular and critically acclaimed films are available via Netflix and other on-demand subscription services. The missing 84% includes recent titles but also older ones that are held back due to rights issues.

Clearly, availability is still an issue.

So if Hollywood accuses Google of breeding pirates, then it’s safe to say the same about Hollywood.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Improving SSL Warnings, (Sun, Feb 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

One of the things that has concerned me for the last few years is how we are slowly creating a click-thru culture.

I honestly believe the intent is correct, but the implementation is faulty. The messages are not in tune with the average Internet user's knowledge level. In other words the warnings are incomprehensible to my sister, my parents and my grandparents, the average Internet users of today. Given a choice between going to their favorite website or trusting an incomprehensible warning message…well you know what happens next.

A team at Google has been looking at these issues and is driving browser changes in Chrome based on their research. As they point out, the vast majority of these errors are attributable to webmaster mistakes, with only a very small fraction being actual attacks.

The paper is Improving SSL Warnings: Comprehension and Adherence, and there is an accompanying presentation.

– Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

lcamtuf's blog: Technical analysis of Qualys’ GHOST

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

This morning, a leaked note from Qualys’ external PR agency made us aware of GHOST. In this blog entry, our crack team of analysts examines the technical details of GHOST and makes a series of recommendations to better protect your enterprise from mishaps of this sort.

Figure 1: The logo of GHOST, courtesy of Qualys PR.

Internally, GHOST appears to be implemented as a lossy representation of a two-dimensional raster image, combining YCbCr chroma subsampling and DCT quantization techniques to achieve high compression rates; among security professionals, this technique is known as JPEG/JFIF. This compressed datastream maps to an underlying array of 8-bpp RGB pixels, arranged sequentially into a rectangular shape that is 300 pixels wide and 320 pixels high. The image is not accompanied by an embedded color profile; we must note that this poses a considerable risk that on some devices, the picture may not be rendered faithfully and that crucial information may be lost.

In addition to the compressed image data, the file also contains APP12, EXIF, and XMP sections totaling 818 bytes. This metadata tells us that the image has been created with Photoshop CC on Macintosh. Our security personnel notes that Photoshop CC is an obsolete version of the application, superseded last year by Photoshop CC 2014. In line with industry best practices and OWASP guidelines, we recommend all users to urgently upgrade their copy of Photoshop to avoid exposure to potential security risks.

The image file modification date returned by the HTTP server at is Thu, 02 Oct 2014 02:40:27 GMT (Last-Modified, link). The roughly 90-day delay between the creation of the image and the release of the advisory probably corresponds to the industry-standard period needed to test the materials with appropriate focus groups.

Removal of the metadata allows the JPEG image to be shrunk from 22,049 to 21,192 bytes (-4%) without any loss of image quality; enterprises wishing to conserve vulnerability-disclosure-related bandwidth may want to consider running jhead -purejpg to accomplish this goal.

Of course, all this mundane technical detail about JPEG images distracts us from the broader issue highlighted by the GHOST report. We’re talking here about the fact that the JPEG compression is not particularly suitable for non-photographic content such as logos, especially when the graphics need to be reproduced with high fidelity or repeatedly incorporated into other work. To illustrate the ringing artifacts introduced by the lossy compression algorithm used by the JPEG file format, our investigative team prepared this enhanced visualization:

Figure 2: A critical flaw in GHOST: ringing artifacts.

Artifacts aside, our research has conclusively shown that the JPEG format offers an inferior compression rate compared to some of the alternatives. In particular, when converted to a 12-color PNG and processed with pngcrush, the same image can be shrunk to 4,229 bytes (-80%):

Figure 3: Optimized GHOST after conversion to PNG.

PS. Tavis also points out that “>_” is not a standard unix shell prompt. We believe that such design errors can be automatically prevented with commercially-available static logo analysis tools.

PPS. On a more serious note, check out this message to get a sense of the risk your server may be at. Either way, it’s smart to upgrade.

TorrentFreak: Netflix Sees Popcorn Time As a Serious Competitor

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Popcorn Time app brought peer-to-peer streaming to a mainstream public last year.

Branded the “Netflix for Pirates” it became an instant hit by offering BitTorrent-powered streaming in an easy-to-use Netflix-style interface.

This was cause for concern for many Hollywood executives and Netflix itself is now also starting to worry. In a letter to the company’s shareholders Popcorn Time gets a special mention.

“Piracy continues to be one of our biggest competitors,” Netflix CEO Reed Hastings writes.

“This graph of Popcorn Time’s sharp rise relative to Netflix and HBO in the Netherlands, for example, is sobering,” he adds, referencing the Google trends data below showing Popcorn Time quickly catching up with Netflix.


While it’s a relatively small note, Hastings’ comments do mark a change in attitude for a company that previously described itself as a piracy killer.

Netflix’s CEO previously noted that piracy might even help the company, as many torrent users would eventually switch to Netflix as it offers a much better user experience.

“Certainly there’s some torrenting that goes on, and that’s true around the world, but some of that just creates the demand,” Hastings said last year.

“Netflix is so much easier than torrenting. You don’t have to deal with files, you don’t have to download them and move them around. You just click and watch,” he added.

The problem with Popcorn Time is that it’s just as easy as Netflix, if not easier. And in terms of recent movies and TV-shows the pirated alternative has a superior content library too.

A study published by research firm KPMG previously revealed that only 16% of the most popular and critically acclaimed films are available via Netflix and other on-demand subscription services.

While Netflix largely depends on the content creators when it comes to what content they can make available, this is certainly one of the areas where they have to “catch up.”

Despite the Popcorn Time concerns, business is going well for Netflix. The company announced its results for the fourth quarter of 2014 which resulted in $1.48 billion in revenue, up 26%, and a profit of $83 million.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Defending Against Liar Buyer Fraud

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s a common fraud on sites like eBay: buyers falsely claim that they never received a purchased item in the mail. Here’s a paper on defending against this fraud through basic psychological security measures. It’s preliminary research, but probably worth experimental research.

We have tested a collection of possible user-interface enhancements aimed at reducing liar buyer fraud. We have found that showing users in the process of filing a dispute that (1) their computer is recognized, and (2) that their location is known dramatically reduces the willingness to file false claims. We believe the reason for the reduction is that the would-be liars can visualize their lack of anonymity at a time when they are deciding whether to perform a fraudulent action. Interestingly, we also showed that users were not affected by knowing that their computer was recognized, but without their location being pin-pointed, or the other way around. We also determined that a reasonably accurate map was necessary — but that an inaccurate map does not seem to increase the willingness to lie.

TorrentFreak: Pirate MEP Proposes Major Reform of EU Copyright

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The idea of copyright is certainly not new and most countries worldwide have developed complex systems to ensure that it’s upheld, ostensibly to protect the rights of creators.

But with the unprecedented advancement of communications technology, especially in respect of the Internet, copyright frameworks often appear terribly outdated and unfit for purpose.

In 2015 the EU has its collective eyes on copyright reform and to this end has appointed an individual whose political party has more focus than most on the world of copyright.

Last November, Julia Reda, a politician for the German Pirate Party and member of the European Parliament, was tasked with producing a report on the implementation of the 2001 InfoSoc Directive.

Having already presented her plans during a meeting of the Legal Affairs Committee in December, this morning Reda released a first draft of her report. It will come as no surprise that the need for reform has been underlined.

“Although the directive was meant to adapt copyright to the digital age, in reality it is blocking the exchange of knowledge and culture across borders today,” Reda’s core finding reads.

The report draws on responses to a public consultation and lays out a reform agenda for the overhaul of EU copyright. It finds that the EU would benefit from a copyright mechanism that not only protects past works, but also encourages future creation and the unlocking of a pan-European cultural market.

“The EU copyright directive was written in 2001, in a time before YouTube or Facebook. Although it was meant to adapt copyright to the digital age, in reality it is blocking the exchange of knowledge and culture across borders today,” Reda explains.

“We need a common European copyright that safeguards fundamental rights and makes it easier to offer innovative online services in the entire European Union.”

The draft (pdf) acknowledges the need for artistic works to be protected under law and calls for improvements in the positions of authors and performers “in relation to other rightholders and intermediaries.”

The document recommends that public sector information should be exempt from copyright protection and calls on the Commission to safeguard public domain works while recognizing rightsholders’ freedom to “voluntarily relinquish their rights and dedicate their works to the public domain.”

Copyright lengths are also tackled by Reda, who calls on the Commission to harmonize the term to a duration that does not exceed the current international standards set out in the Berne Convention.

On Internet hyperlinking the report requests that citizens are allowed to freely link from one resource to another and calls on the EU legislator “to clarify that reference to works by means of a hyperlink is not subject to exclusive rights, as it is does not consist in a communication to a new public.”

The document also calls for new copyright exceptions to be granted for research and educational purposes to not only cover educational establishments, but “any kind of educational and research activities, including non-formal education.”

Also of interest is Reda’s approach to transparency. Since being appointed, Reda says she’s received 86 meeting requests from lobbyists. As can be seen from the chart below, requests increased noticeably after the Pirate was named as rapporteur in November 2014.


“I did my best to balance out the attention paid to various interest groups. Most requests came from publishers, distributors, collective rights organizations, service providers and intermediaries (57% altogether), while it was more difficult to get directly to the group most often referred to in public debate: The authors,” Reda explains.

“The results of the copyright consultation with many authors’ responses demonstrate that the interests of collecting societies and individual authors can differ significantly.”

Reda has published a full list of meetings that took place. It includes companies such as Disney and Google, and ‘user’ groups such as the Free Software Foundation Europe.

“Tomorrow morning around 9 I’m going to publish my report on EU #copyright, discussion in legal affairs committee on Tuesday,” Reda reported a few minutes ago.

The final report will be put to an April vote in the Legal Affairs Committee and then to a vote before the entire Parliament during May.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: IFPI Targets ‘Pirate’ Domains With New Site Blocking Law

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Domain blocking is now firmly established as one of the entertainment industries’ go-to methods for reducing online copyright infringement. Its use is widespread around Europe by both the music and movie sector.

In Europe the most important legal decision was announced in March last year when the Court of Justice of the European Union confirmed that EU ISPs can be required to block access to sites engaged in copyright infringement.

Elsewhere, individual countries are making their own decisions on how to move forward. Last July, Singapore legislators approved the Copyright Amendment Bill which allows copyright holders to obtain High Court orders forcing local service providers to block “flagrantly infringing” websites. Now, six months on, entertainment companies are ready to launch their first tests.

IFPI regional director Ang Kwee Tiang confirmed that the music group will initially target three to five “infringing sites” over the next two months.

“We are now actively looking into exercising this in the future,” he said.

The sites to be targeted have not yet been revealed but it’s always been the understanding that The Pirate Bay would be tackled first. The site’s reputation as the “worst-of-the-worst” allows entertainment companies to present a relatively straightforward case to the courts. The rising number of blocking orders already granted elsewhere only adds to the mix.

“Now, The Pirate Bay has more than 6 million links. We take the screenshots and we show that these are not licensed. We’re going to show that The Pirate Bay has been blocked in nine or 10 different countries. I think that will be very convincing for our cause,” Ang said.

However, with The Pirate Bay currently down, it’s possible that other targets will have to be selected in the first batch. Ang confirms that evidence is still being collated but he’s confident that a successful blockade will help to reduce piracy.

“I divide (consumers) 80 to 20 – 80 per cent are average consumers, if they cannot get it easily and if a legal site offers it, they may go for the legal site,” he said.

“The committed pirate is like a committed criminal. They will search for ways to circumvent. But once we have the website blocking, then we are free to tackle the 20 per cent.”

The driving force behind the site blocking phenomenon can be found in the entertainment companies of the United States but following the SOPA debacle public discussion to progress site blocking has been fairly muted. That doesn’t mean nothing has been happening, however.

In December it was revealed that behind closed doors the MPAA has been working hard to bring site blocking to the United States. Whether those aims will still be progressed following the somewhat embarrassing leaks will remain to be seen, but it’s likely the movie group won’t be steered off course for long.

Overall, Hollywood definitely sees blocking as an important anti-piracy tool. The practice is endorsed by none other than MPAA chief Chris Dodd and internal MPAA research has found it to be effective.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Errata Security: A Call for Better Vulnerability Response

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.

Ten years ago, Microsoft dominated the cybersecurity industry. It employed, directly or through consultancies, the largest chunk of security experts. The ability to grant or withhold business meant influencing those consulting companies — Microsoft didn’t even have to explicitly ask for consulting companies to fire Microsoft critics for that to happen. Every product company depended upon Microsoft’s goodwill in order to develop security products for Windows, engineering and marketing help that could be withheld on a whim.

This meant, among other things, that Microsoft dictated the “industry standard” of how security problems (“vulnerabilities”) were reported. Cybersecurity researchers who found such bugs were expected to tell the vendor in secret, and give the vendor as much time as they needed in order to fix the bug. Microsoft sometimes sat on bugs for years before fixing them, relying upon their ability to blacklist researchers to keep them quiet. Security researchers who didn’t toe the line found bad things happening to them.

I experienced this personally. We found a bug in a product called TippingPoint that allowed us to decrypt their “signatures”, which we planned to release at the BlackHat hacker convention, after giving the vendor months to fix the bug. According to rumors, Microsoft had a secret program with TippingPoint with special signatures designed to track down cybercriminals. Microsoft was afraid that if we disclosed how to decrypt those signatures, that their program would be found out.

Microsoft contacted our former employer, ISS, which sent us legal threats. Microsoft sent FBI agents to threaten us in the name of national security. A Microsoft consultant told the BlackHat organizer, Jeff Moss, that our research was made up, that it didn’t work, so I had to sit down with Jeff at the start of the conference to prove it worked before I was allowed to speak.

My point is that a decade ago in the cybersecurity industry, Microsoft dictated terms.

Today, the proverbial shoe is on the other foot. Microsoft’s products are now legacy, so Windows security is becoming as relevant as IBM mainframe security. Today’s cybersecurity researchers care about Apple, Google Chrome, Android, and the cloud. Microsoft is powerless to threaten the industry. It’s now Google who sets the industry’s standard for reporting vulnerabilities. Their policy is that after 90 days, vulnerabilities will be reported regardless if the vendor has fixed the bug. This applies even to Google itself when researchers find bugs in products like Chrome.

This is a nasty trick, of course. Google uses modern “agile” processes to develop software. That means that after making a change, the new software is tested automatically and shipped to customers within 24 hours. Microsoft is still mired in antiquated 1980s development processes, so that it takes three months and expensive manual testing before a change is ready for release. Google’s standard doesn’t affect everyone equally — it hits old vendors like Microsoft the hardest.

We saw the effect this last week, where after notifying Microsoft of a bug 90 days ago, Google dumped the 0day (the information hackers need to exploit the bug) on the Internet before Microsoft could release a fix.

I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs. It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.

But Google is right. Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing “secure” software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long. Microsoft either needs to move forward with the times and adopt “agile” methodologies, or just accept its role of milking legacy for the next few decades as IBM does with mainframes.

TorrentFreak: Chilling Effects DMCA Archive Censors Itself

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

On an average day Google now processes more than a million takedown requests from copyright holders, and that’s for its search engine alone.

Thanks to Google’s transparency report the public is able to see where these notices come from and what content they’re targeting. In addition, Google partners with Chilling Effects to post redacted copies of all notices online.

The Chilling Effects DMCA clearing house is one of the few tools that helps to keep copyright holders accountable. Founded by Harvard’s Berkman Center, it offers an invaluable database for researchers and the public in general.

At TF we use the website on a weekly basis to spot inaccurate takedown notices and other wrongdoings. Since the native search engine doesn’t always return the best results, we mostly use Google to spot newsworthy notices on the site.

This week, however, we were no longer able to do so. The Chilling Effects team decided to remove its entire domain from all search engines, including its homepage and other informational and educational resources.


Ironically enough, complaints from copyright holders are at the base of this unprecedented display of self-censorship. Since Chilling Effects has partnered with Google to publish all takedown notices Google receives, its pages contain hundreds of millions of non-linked URLs to infringing material. Copyright holders are not happy with these pages. Previously, Copyright Alliance CEO Sandra Aistars described the activities of the Chilling Effects projects as “repugnant.”

As a result of the increased criticisms Chilling Effects has now decided to hide its content from search engines, making it harder to find.

“After much internal discussion the Chilling Effects project recently made the decision to remove the site’s notice pages from search engines,” Berkman Center project coordinator Adam Holland informs TF.

“Our recent relaunch of the site has brought it a lot more attention, and as a result, we’re currently thinking through ways to better balance making this information available for valuable study, research, and journalism, while still addressing the concerns of people whose information appears in the database.”

The self censorship may sound strange coming from an organization that was founded to offer more transparency, but the Chilling Effects team believes that it strikes the right balance, for now.

“As a project, we’ve always worked to strike that balance, for example by removing personally identifying information. Removing notice pages from search engine results is the latest step in that balancing process,” Holland tells us.

“It may or may not prove to be permanent, but for now it’s the step that makes the most sense as we continue to think things through,” he adds.

While we respect the decision it’s a real shame for researchers that the notices and other informational material are now hidden from search engines. The notices themselves remain online, but with just the site’s own search it’s harder to find cases of abuse.

The copyright holders on the other hand will be happy. But they probably don’t care much about the chilling effect it has.

Photo: CC

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Fidgeting as Lie Detection

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Sophie Van Der Zee and colleagues have a new paper on using body movement as a lie detector:

Abstract: We present a new robust signal for detecting deception: full body motion. Previous work on detecting deception from body movement has relied either on human judges or on specific gestures (such as fidgeting or gaze aversion) that are coded or rated by humans. The results are characterized by inconsistent and often contradictory findings, with small-stakes lies under lab conditions detected at rates only slightly better than guessing. Building on previous work that uses automatic analysis of facial videos and rhythmic body movements to diagnose stress, we set out to see whether a full body motion capture suit, which records the position, velocity and orientation of 23 points in the subject’s body, could yield a better signal of deception. Interviewees of South Asian (n = 60) or White British culture (n = 30) were required to either tell the truth or lie about two experienced tasks while being interviewed by somebody from their own (n = 60) or different culture (n = 30). We discovered that full body motion — the sum of joint displacements — was indicative of lying approximately 75% of the time. Furthermore, movement was guilt-related, and occurred independently of anxiety, cognitive load and cultural background. Further analyses indicate that including individual limb data in our full bodymotion measurements, in combination with appropriate questioning strategies, can increase its discriminatory power to around 82%. This culture-sensitive study provides an objective and inclusive view on how people actually behave when lying. It appears that full body motion can be a robust nonverbal indicator of deceit, and suggests that lying does not cause people to freeze. However, should full body motion capture become a routine investigative technique, liars might freeze in order not to give themselves away; but this in itself should be a telltale.

This is a first research study, and the results might not be robust. But it certainly is interesting.

Blog post. News article. Slashdot thread.

TorrentFreak: Netflix Cracks Down on VPN and Proxy “Pirates”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Due to complicated licensing agreements Netflix is only available in a few dozen countries, all of which have a different content library.

Some people bypass these content and access restrictions by using VPNs or other circumvention tools that change their geographical location. This makes it easy for people all around the world to pay for access to the U.S. version of Netflix, for example.

The movie studios are not happy with these deviant subscribers as it hurts their licensing agreements. Previously entertainment industry sources in Australia complained bitterly that tens of thousands of Netflix “VPN-pirates” were hurting their business.

Over the past weeks Netflix has started to take action against people who use certain circumvention tools. The Android application started to force Google DNS which now makes it harder to use DNS based location unblockers, and several VPN IP-ranges were targeted as well.

Thus far the actions are limited in scope, so not all VPN users may experience problems just yet. However, TorGuard is one of the VPN providers which noticed a surge in access problems by its users, starting mid-December.

“This is a brand new development. Just two weeks ago we received the first report from a handful of clients that Netflix blocked access due to VPN or proxy usage. This is the very first time I’ve ever heard Netflix displaying this type of error message to a VPN user,” TorGuard’s Ben Van der Pelt tells us.

In TorGuard’s case the users were able to quickly gain access again by logging into another U.S. location. It further appears that some of the blocking efforts were temporary, probably as a test for a full-scale rollout at a later date.

“I have a sneaking suspicion that Netflix may be testing these new IP blocking methods temporarily in certain markets. At this time the blocks do not seem aggressive and may only be targeted at IP ranges that exceed too many simultaneous logins.”

Netflix is reportedly testing a variety of blocking methods, from querying the user’s time zone through the web browser or mobile device GPS and comparing it to the time zone of their IP address, to forcing Google’s DNS services in the Android app.

TorGuard told us that if Netflix continues with a strict ban policy, they will provide an easy solution to bypass the blocks. Other services, such as Unblock-us are also suggesting workarounds to their customers.

Netflix’s efforts to block geoblocking circumvention tools don’t come as a surprise. TF has seen a draft of the content protection agreement Sony Pictures prepared for Netflix earlier this year. This agreement specifically requires Netflix to verify that registered users are indeed residing in the proper locations.

Among other things Netflix must “use such geolocation bypass detection technology to detect known web proxies, DNS based proxies, anonymizing services and VPNs which have been created for the primary intent of bypassing geo-restrictions.”


Blocking VPN and proxy “pirates” has become a priority for the movie studios as streaming services have failed to introduce proper countermeasures. In early 2014 the studio looked into the accessibility of various services through popular circumvention tools, including TorGuard, and found that most were not blocked.

In a follow-up during the summer of 2014 Sony Pictures conducted research to identify the IP-ranges of various VPNs and proxies. These results were shared with Netflix and other streaming services so they could take action and expand their blocklists where needed.


Based on the above it’s safe to conclude that Netflix will continue to roll out more aggressive blocking tools during the months to come. As with all blocks, this may also affect some people who use VPNs for privacy and security reasons. Whether Netflix will factor this in has yet to be seen.

TF contacted Netflix for a comment on the findings and its future plans, but a few days have passed and we have yet to receive a response.

Netflix is not the only streaming service that’s targeting VPN and proxy users. A few months ago Hulu implemented similar restrictions. This made the site unusable for location “pirates,” but also U.S. based paying customers who used a VPN for privacy reasons.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: oledump analysis of Rocket Kitten – Guest Diary by Didier Stevens, (Fri, Jan 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In his Rocket Kitten diary entry, Johannes introduces research by Gadi Evron and Tillmann Werner. They analyzed a PE file embedded in the VBA macro code of an XLSM spreadsheet.

I want to show you how you can quickly analyze MS Office documents and extract files, using just my Python oledump tool and nothing else. You don’t need MS Office for this analysis.

First we run oledump on the XLSM file.

The first line (A: ) indicates that oledump found an OLE file named xl/vbaProject.bin inside the XLSM file. Remember that the new MS Office file format (.docx, .xlsm, and so on) is a set of XML files stored inside a ZIP file. But VBA macros are not stored in XML files; they still use the older MS Office file format: OLE files.

oledump reports the streams it finds inside the OLE file: from index A1 through A10. A letter M next to the index is an indicator for the presence of VBA code. A lowercase letter m indicates VBA code with only Attribute statements, an uppercase letter M indicates more sophisticated VBA code, i.e. code with other statement types than Attribute statements.

If oledump finds streams with VBA macros, I always look first at the streams marked with an uppercase letter M, as these contain the most promising code.

After the column with the macro indicator M, comes a column with the size (in bytes) of the stream and another column with the full name of the stream.

Let’s take a look at the VBA code in stream A3 like this: oledump.py -s A3 -v 266CFE755A0A66776DF9FD8CD2FEE1F1.xlsm

Option -s A3 selects stream A3 for analysis, and option -v decompresses the VBA code so that the source can be read.

Here is a part of the VBA source code. Remark function A0: it concatenates characters generated with function Chr into a long string. If you

By default, you get a hex-ascii dump of the embedded file. Now you can see that the embedded file is a PE file.

Last, we dump the embedded file to disk (option -d).

The MD5 of the PE file is c222199c9a7eb0d162d5e96955739447. That is one of the IOCs Johannes included in his diary entry.

Oledump can be found on my blog.
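The same three steps can be reproduced without oledump, which helps when checking what the tool reports. The following Python is an added example, not oledump’s code and not part of the original diary: it locates OLE members inside a constructed XLSM container (the ZIP-inside step behind the “A:” line), rebuilds the bytes that a Chr()-concatenating VBA function such as A0 assembles, checks for an MZ/PE header and computes the MD5. The XLSM, the VBA source and the “PE” payload are all constructed stand-ins (the payload is only a header skeleton, not a real executable); real OLE stream parsing is left to oledump or the olefile library.

```python
import hashlib
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file signature


def sample_payload() -> bytes:
    """Constructed stand-in for the embedded PE file: a DOS header whose
    e_lfanew points at a "PE\\0\\0" signature. Not a runnable executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    return dos_header + b"PE\x00\x00" + b"\x00" * 20


def build_obfuscated_vba(payload: bytes) -> str:
    """Constructed VBA source in the style described above: function A0
    rebuilds the file by concatenating Chr() calls. Only used as sample input."""
    lines = ["Function A0() As String", "    Dim s As String", '    s = ""']
    for i in range(0, len(payload), 8):
        chunk = " & ".join(f"Chr({b})" for b in payload[i:i + 8])
        lines.append(f"    s = s & {chunk}")
    lines += ["    A0 = s", "End Function"]
    return "\n".join(lines)


def sample_xlsm() -> bytes:
    """Constructed minimal OOXML container: XML parts plus an OLE-magic blob
    where the real vbaProject.bin would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def find_ole_members(xlsm_bytes: bytes) -> list:
    """Return the ZIP members whose first 8 bytes are the OLE signature,
    i.e. the embedded OLE files that oledump lists as A:, B:, ..."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        for name in z.namelist():
            with z.open(name) as member:
                if member.read(8) == OLE_MAGIC:
                    found.append(name)
    return found


_CHR_RE = re.compile(r"\bChr\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
_FUNC_RE = re.compile(r"Function\s+(\w+)\s*\(.*?End Function", re.IGNORECASE | re.DOTALL)


def decode_chr_concat(vba_source: str, func_name: str = "A0") -> bytes:
    """Rebuild the bytes produced by a function that concatenates Chr(n) calls.
    Returns b"" if no function with that name is present."""
    for m in _FUNC_RE.finditer(vba_source):
        if m.group(1).lower() != func_name.lower():
            continue
        values = [int(v) for v in _CHR_RE.findall(m.group(0))]
        if any(v > 255 for v in values):
            raise ValueError("Chr() argument outside the single-byte range")
        return bytes(values)
    return b""


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hex_ascii_dump(data: bytes, width: int = 16) -> str:
    """Hex/ASCII listing comparable to oledump's default stream output."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("OLE members:", find_ole_members(sample_xlsm()))
    recovered = decode_chr_concat(build_obfuscated_vba(sample_payload()))
    print(hex_ascii_dump(recovered[:32]))
    print("PE header:", is_pe(recovered), "MD5:", md5_hex(recovered))
```

The decoder deliberately refuses Chr() arguments above 255 rather than truncating them, because a silently mangled payload would produce a wrong hash and a wrong IOC; on a real sample the MD5 printed here is what gets compared against the published indicator.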

– Didier Stevens

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Lizard Kids: A Long Trail of Fail

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Lizard Squad, a band of young hooligans that recently became Internet famous for launching crippling distributed denial-of-service (DDoS) attacks against the largest online gaming networks, is now advertising its own Lizard-branded DDoS-for-hire service. Read on for a decidedly different take on this offering than what’s being portrayed in the mainstream media.

Lizard Stresser login page taunts this author.


The new service, lizardstresser[dot]su, seems a natural evolution for a group of misguided youngsters that has sought to profit from its attention-seeking activities. The Lizard kids only ceased their attack against Sony’s Playstation and Microsoft’s Xbox Live networks last week after MegaUpload founder Kim Dotcom offered the group $300,000 worth of vouchers for his service in exchange for ending the assault. And in a development that probably shocks no one, the gang’s members cynically told Dailydot that both attacks were just elaborate commercials for and a run-up to this DDoS-for-hire offering.

The group is advertising the new “booter service” via its Twitter account, which has some 132,000+ followers. Subscriptions range from $5.99 per month for the ability to knock a target offline for 100 seconds at a time, to $129.99 monthly for DDoS attacks lasting more than eight hours.

In any case, I’m not terribly interested in turning this post into a commercial for the Lizard kids; rather, it’s a brain dump of related information I’ve gathered from various sources in the past 24 hours about the individuals and infrastructure that support the site.

In a show of just how little this group knows about actual hacking and coding, the source code for the service appears to have been lifted in its entirety from titaniumstresser, another, more established DDoS-for-hire booter service. In fact, these Lizard geniuses are so inexperienced at coding that they inadvertently exposed information about all of their 1,700+ registered users (more on this in a moment).

These two services, like most booters, are hidden behind CloudFlare, a content distribution service that lets sites obscure their true Internet address. In case anyone cares, Lizardstresser’s real Internet address currently is, at a hosting facility in Bosnia.

In any database of leaked forum or service usernames, it is usually safe to say that the usernames which show up first in the list are the administrators and/or creators of the site. The usernames exposed by the coding and authentication weaknesses in LizardStresser show that the first few registered users are “anti” and “antichrist.” As far as I can tell, these two users are the same guy: A ne’er-do-well who has previously sold access to his personal DDoS-for-hire service on Darkode — a notorious English-language cybercrime forum that I have profiled extensively on this blog.

As detailed in a recent, highly entertaining post on the blog Malwaretech, LizardSquad and Darkode are practically synonymous and indistinguishable now. Anyone curious about why the Lizard kids have picked on Yours Truly can probably find the answer in that Malwaretech story. As that post notes, the main online chat room for the Lizard kids (at lizardpatrol[dot]com) also is hidden behind CloudFlare, but careful research shows that it is actually hosted at the same Internet address as Darkode (5,38,89,132).

A suggested new banner for this blog from the jokers at black hat forum Darkode, which shares a server with the main chat forum for the Lizard kids.


In a show of just how desperate these kids are for attention, consider that the login page for LizardStresser currently says “Hosted somewhere on Brian Krebs’ forehead: Donate to the forehead reduction foundation, simply send money to on PayPal.” Many of you have done that in the past couple of days, although I doubt as a result of visiting the Lizard kids’ silly site. Anyway, for those generous donors, a hearty “thank you.”

It’s worth noting that the individual who registered LizardStresser is an interesting and angry teenager who appears to hail from Australia and uses the nickname “abdilo.” You can find his possibly not-safe-for-work rants on Twitter at this page. A reverse WHOIS lookup (ordered from on the email address used to register LizardStresser (9ajjs[at]zmail[dot]ru) shows this email has been used to register a number of domains tied to cybercrime operations, including sites selling stolen credit card data and access to hacked PCs.

A more nuanced lookup at using some of this information turns up additional domains tied to Abdilo, including bkcn[dot]ru and abdilo[dot]ru (please do not attempt to visit these sites unless you know what you’re doing). Another domain that abdilo registered (in my name, no less) — http://x6b-x72-x65-x62-x73-x6f-x6e-x73-x65-x63-x75-x72-x69-x74-x79-x0[dot]com — is hexadecimal encoding for “krebsonsecurity.”

Last, but certainly not least, it appears that Vinnie Omari — the young man I identified earlier this week as being a self-proclaimed member of the Lizard kids — has apparently just been arrested by the police in the United Kingdom (see screen shot below). Sources tell KrebsOnSecurity that Vinnie is one of many individuals associated with this sad little club who are being rounded up and questioned. My guess is most, if not all, of these kids will turn on one another. Time to go get some popcorn.

Happy New Year, everyone!


TorrentFreak: Movie Studios Fear a Google Fiber Piracy Surge

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Google is slowly expanding its fiber to the home services in the United States. Most recently Austin, Texas, was added to the list and a few dozen other cities will follow soon.

Promising free Internet and blazing fast gigabit per second connections at a relatively low price, many consumers are happy with Google’s new product.

Hollywood on the other hand fears the worst. While great connectivity offers commercial opportunities for entertainment companies, some are overly worried about the negative consequences.

Earlier this week we received a leaked presentation covering the results of a Google Fiber survey conducted on behalf of Warner Bros and Sony Pictures Entertainment. The research was conducted in 2012 and aimed to get a baseline of the piracy levels, so changes can be measured after the rollout.

The survey respondents came from Kansas City, where Google Fiber first launched, with St. Louis residents as a control group. In total, more than 2,000 persons between 13 and 54 were asked about Google Fiber, their piracy habits and media consumption in general.

The results reveal that more than half of those surveyed were very interested in Google’s offer. This includes a large group of pirates, which make up 31% of the entire population.

About a third of these pirates said they would download or stream more with Google Fiber. Perhaps even more worrying for Hollywood, about a quarter of the non-pirates said they would start doing so if Google comes to town.

The most interesting part, however, is that the research tries to estimate the extra piracy losses for the studios that Google Fiber could create across the nation.

Drawing on an MPAA formula that counts all pirated views as losses the report notes that it may cost Hollywood over a billion dollars per year. That’s a rather impressive increase of 58% compared to current piracy levels.


The research also finds a link between piracy and broadband speeds, which is another reason for Hollywood not to like Google’s Internet service.

According to the report this is “another indication that piracy becomes more attractive with Google Fiber.”


We will refrain from analyzing the methods and the definition of piracy losses, which deserve an article of their own. What’s most striking from the above approach is the way the studios frame Google Fiber as a piracy threat, instead of looking at the opportunities it offers.

For example, the same report also concludes that 39% of the respondents would use paid streaming subscription services more, while 34% would rent and purchase more online video. Yet, there is no mention of the potential extra revenue that will bring in.

Judging from all the piracy calculations, statistics and projections, it appears that Hollywood is mostly occupied with threats. But of course there’s nothing new there.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: That Spiegel NSA story is activist nonsense

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we’ve suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something called “TUNDRA”.

It is difficult to figure out why TUNDRA is even mentioned in the story. It’s cited to support some conclusion, but I’m not sure what that conclusion is. It appears the authors wanted to discuss the “conflict of interest” problem the NSA has, but had nothing new to support this, so just inserted something at random. They are exploiting the fact the average reader can’t understand what’s going on. In this post, I’m going to describe the context around this.

TUNDRA was an undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.

It’s given a code-name “TUNDRA” and the paragraph in the document is labeled “TOP SECRET”. The public has the misconception that this means something important is going on. The opposite is true: the NSA puts codenames on nearly everything. Among the reasons is that by putting codenames even on trivial things, it prevents adversaries from knowing which codenames are important. The NSA routinely overclassifies things. That’s why so many FOIA requests come with the “TOP SECRET” item crossed out — you classify everything as highly as you can first, then relax the restriction later. Thus, unimportant student projects get classified codenames.

The Spiegel article correctly says that the “agency is actively looking for ways to break the very standard it recommends”, and it’s obvious from context that the Spiegel is implying this is a bad thing. But it’s a good thing, as part of the effort in improving encryption. You secure things by trying to break them. That’s why this student project was funded by the IAD side of the NSA — the side dedicated to improving cryptography. Most of us in the cybersecurity industry are trying to break things — we only trust things that we’ve tried to break but couldn’t.

The Spiegel document talks about AES, but it’s not AES being attacked. Instead, it’s all block ciphers in “electronic codebook” modes that are being attacked. The NSA, like all cryptographers, recommends that you don’t use the basic “electronic codebook” mode, because it reveals information about the encrypted data, as the well-known “ECB penguin” shows. As you can see in the image, when you encrypt a bitmap image of a penguin, you can still see it’s a penguin despite the encryption. Finding appropriate modes other than “electronic codebook” is an important area of research. [***]
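To make the “ECB penguin” concrete, here is an added example (not code from the Errata Security post): a constructed bitmap with a flat background and one filled square is encrypted block by block in ECB and in CBC mode, and the number of distinct ciphertext blocks is compared. The cipher is a keyed Feistel network built from SHA-256, assumed here as a stand-in for AES, since the leak depends only on the block cipher being a deterministic permutation and not on which cipher it is.

```python
# Added example, not from the original post: why "electronic codebook" mode
# leaks structure. An 8-round Feistel network keyed through SHA-256 stands in
# for a real block cipher (it is NOT AES); any deterministic block permutation
# shows the same effect, which is the whole point of the ECB penguin.
import hashlib

BLOCK = 16  # 128-bit blocks, the same block size as AES

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic 128-bit permutation (Feistel stand-in for a block cipher)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return left + right

def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "caller supplies a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted on its own: equal plaintext blocks -> equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block first, which masks repeats.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def make_image(width: int = 32, height: int = 32) -> bytes:
    """Constructed stand-in for the penguin bitmap: one byte per pixel, a filled square on a flat background."""
    return b"".join(bytes(0x10 if 8 <= x < 24 and 8 <= y < 24 else 0xF0 for x in range(width))
                    for y in range(height))

def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))

def leak_report(key: bytes, iv: bytes, image: bytes) -> dict:
    """Distinct 16-byte blocks per encoding; ECB mirrors the plaintext's count exactly."""
    return {"plain": distinct_blocks(image),
            "ecb": distinct_blocks(ecb_encrypt(key, image)),
            "cbc": distinct_blocks(cbc_encrypt(key, iv, image))}

if __name__ == "__main__":
    print(leak_report(b"constructed-key!", bytes(BLOCK), make_image()))
```

The constructed 32x32 image contains only three distinct blocks, and under ECB the ciphertext contains exactly three as well, so the outline of the square survives encryption; under CBC all 64 ciphertext blocks differ.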

The NSA already has ways of attacking ECB mode, as the penguin image demonstrates. I point this out because if the NSA already has a “handful of ways” of doing something, adding one more really isn’t a major new development. Thus, even if you don’t understand cryptography, it should be obvious that the inclusion of TUNDRA in this story is pretty stupid.

Journalism is supposed to be different from activism. Journalists are supposed to be accurate and fair, to communicate rather than convince. The activist has the opposite goal, to convince the reader, even if that means exploiting misinformation. We see that in this Der Spiegel article, where the TUNDRA item is distorted in order to convince the reader that the NSA is doing something evil.

Update: [***] There has been some discussion on Twitter about the ECB penguin above. That’s because where the document says “electronic codebook”, it may not necessarily be referring to ECB mode (even though ECB stands for “electronic codebook”). That’s because “codebook” is also just another name for “block cipher”, the more common/modern name for encryption algorithms like AES.

Regardless, the principle still holds: it’s not AES that TUNDRA attacks, but the underlying “codebook” property, whatever that refers to, whether it’s “block ciphers” or “block ciphers in ECB mode”. Also regardless, since it’s an undergraduate project designed for recruitment, it’s probably something basic (like the ECB penguin) rather than a major advancement in cryptography.