Peter Sayer, *PC World*, 24 Dec 2013 Belgium's card payment network failed on Monday night, leaving millions of Belgians unable to pay at stores or to withdraw cash from ATMs and self-service terminals inside banks. Atos subsidiary Worldline, operator of Belgium's Bancontact-Mister Cash payment network, reported on its website that it was difficult for cardholders throughout the country to make payments or withdrawals from around 4 p.m. local time on Monday. Local media reported long lines to make cardless withdrawals at bank counters. Worldline put its business continuity plan into effect, and payment traffic began to recover from 5.15 p.m., returning to near-normal levels from 6.30 p.m., the company said in a statement. ... The outage came just two days after the Belgian payment network celebrated its busiest ever day, processing 5,499,709 electronic payments on Saturday. The previous record, of 5,314,820 transactions, was set on Dec. 22, 2012, also a Saturday. http://www.pcworld.com/article/2082920/belgian-card-payment-network-crashes-two-days-after-record-usage.html
It should be no surprise that interlock mechanisms relying on program control can be compromised by a program bug (e.g., the well-documented Therac-25 incidents) or by the same means through re-programming (e.g., malware). A team at JHU has demonstrated that it is possible to activate the camera on a Macbook while suppressing illumination of the "camera active" LED. It should come as no surprise that programmable controllers can be reprogrammed to behave in ways other than intended. It is not surprising that the operating system apparently did not provide sufficient protection to ensure that non-kernel components do not gain uncontrolled access to a physical device, a failure on several fronts. Better software integrity is one answer. Regrettably, it is also arguable that the lesson for systems designers is that required privacy interlocks should be implemented in non-bypassable hardware circuitry, not as programmable displays. From a consumer standpoint, the best interlock to covert audio/visual capture is external devices that can be physically unplugged. The JHU paper can be found at: https://jscholarship.library.jhu.edu/handle/1774.2/36569?show=full - Bob Gezelter, http://www.rlgsc.com
[Note: This item comes from friend Steve Goldstein. DLH] Leo Kelion, BBC, 24 Dec 2013 <http://www.bbc.co.uk/news/technology-25506020> A virulent form of ransomware has now infected about quarter of a million Windows computers, according to a report by security researchers. Cryptolocker scrambles users' data and then demands a fee to unencrypt it alongside a countdown clock. Dell Secureworks said that the US and UK had been worst affected. It added that the cyber-criminals responsible were now targeting home Internet users after initially focusing on professionals. The firm has provided a list of net domains that it suspects have been used to spread the code, but warned that more are being generated every day. Ransomware has existed since at least 1989, but this latest example is particularly problematic because of the way it makes files inaccessible. "Instead of using a custom cryptographic implementation like many other malware families, Cryptolocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI," said the report. "By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent." Ransom dilemma The first versions of Cryptolocker appear to have been posted to the net on 5 September. Early examples were spread via spam e-mails that asked the user to click on a Zip-archived extension identified as being a customer complaint about the recipient's organisation. Later it was distributed via malware attached to e-mails claiming there had been a problem clearing a cheque. Clicking the associated link downloaded a Trojan horse called Gameover Zeus, which in turn installed Cryptolocker onto the victim's PC. By mid-December, Dell Secureworks said between 200,000 to 250,000 computers had been infected. It said of those affected, "a minimum of 0.4%, and very likely many times that" had agreed to the ransom demand, which can currently only be paid in the virtual currencies Bitcoin and MoneyPak. [...] Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
My immediate reaction to reading that Cryptolocker is very difficult to combat, because it uses "strong third-party certified cryptography offered by Microsoft's CryptoAPI", was to think what a glorious opportunity for NSA to come to our collective rescue - by demonstrating publicly how great its skills are! :-)
The really sad thing is that [that] is what the Information Assurance Division [of NSA] *is* supposed to be doing for us. It is the logic behind having the *protect American networks* in the same organization that *attacks foreign networks.* If you know how to break *them*, you can tell *us* how to protect ourselves.
Target stores have reportedly experienced a wide-spread compromise of credit card swipe data during the peak shopping season. While the technical details of how the data was compromised remain under investigation, several recent cases have pointed to malware on Point-of-Sale systems or compromised card scanning terminals. Point-of-Sales systems (and other process control systems) should never have unbridled access to Internet-accessible systems. They should be located in firewalled cul-de-sacs that prevent all but those accesses absolutely required by their function (an observation that I have been making in the "Computer Security Handbook" since the Third Edition (1995) and reiterate in the soon to be released Sixth Edition. Similarly, communications between Point-of-Sale card terminals, registers, and upstream systems should be carefully managed and strongly encrypted, with properly managed keys. In the long run, preventative measures are cheaper than the financial side effects of personal data compromises. Recent articles are at: http://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538#! Bob Gezelter, http://www.rlgsc.com [Gene Wirchenko noted a similar article by John Ribeiro in InfoWorld, "Target says 40 million cards likely skimmed in security breach". PGN] http://www.infoworld.com/d/security/target-says-40-million-cards-likely-skimmed-in-security-breach-232946
In the aftermath of the Snowden revelations, our focus has been on details of who did what and how we can place limits on the NSA and others. But details aside, there is a higher level conceptual conflict; namely, the fundamental incompatibly of security and cyber-warfare. To avoid getting tied up in semantics, let me make two definitions for the purpose of this post. Let G stand for the aggregate of all programs, all agencies, all levels, of governments, and international alliances of governments. Let the words secure and security stand for any level of protection that G finds inconvenient to penetrate with slight effort. One goal of G is to be able to intercept the electronic communications of bad guys, anywhere, anytime, anyplace. But any organization, public or private, that has secure communications could be infiltrated or exploited by bad guys. Therefore, the need to intercept bad guys translates to the need to intercept everyone. Universal bulk surveillance is the only assured way to achieve that goal all the time. A second goal of G is the ability to wage offensive cyberwar. G must be able to launch effective cyber attacks on short notice against any future enemy. But there is no way to be sure in advance who those enemies might be, or what hardware and software the enemy might choose. Therefore, the practical way to attain that goal is to obtain the ability to successfully attack anyone good or bad. Deciding who is good and bad can be postponed. Probably the most pragmatic way to foster both these goals is to weaken security standards and to install back doors in every security related system. Traditional methods of breaching security like social engineering must be applied case-by-case, and thus can't reach everyone. Only bulk methods meet the requirements. Security experts may warn us that weaknesses and back doors will eventually be discovered and that the bad guys will turn them against us. Ignoring that, our defensive strategy seems to be secrecy (i.e. security via obscurity) combined with budgets so big that the bad guys can't match them. Assured offensive capability is synonymous with assuredly ineffective defensive capability. As someone concerned with critical infrastructure protection (CIP), I'm horrified by the conflicted motivations of G. The same G which demands that I partner with them to make CIP secure, is also vested in the requirement that my systems are not secure enough to thwart their surveillance and not secure enough to repel their cyberwar attacks. After all, if CIP were to become secure enough to foil G, then I might freely share that expertise with CIP experts worldwide. Worse, bad guys might become employees of CIP organizations here and abroad and use CIP security to cloak their activities from G. CIP must be secure --- CIP may not be secure, both according to G. As I see it, the concepts of universal surveillance, offensive cyber war capabilities, and security are irreconcilable at the highest level; technical details be damned. Dick Mills, Sailing Vessel Tarwathie
[Thanks to George Ledin for spotting this item.] Exclusive: Secret contract tied NSA and security industry pioneer Obama on surveillance: "There may be another way of skinning the cat" Joseph Menn, Reuters, San Francisco, 20 Dec 2013 http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220 (Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned. Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products. Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show. The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products. RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness. RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own." The NSA declined to comment. The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using "commercial relationships" to advance that goal, but did not name any security companies as collaborators. The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that "encryption is an essential basis for trust on the Internet," and called for a halt to any NSA efforts to undermine it. Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred. But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance. "They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption. STORIED HISTORY Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people. At the core of RSA's products was a technology known as public key cryptography. Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it. From RSA's earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned. The stakes rose when more technology companies adopted RSA's methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant. RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words "Sink Clipper!" A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake of the Snowden disclosures. The White House abandoned the Clipper Chip and instead relied on export controls to prevent the best cryptography from crossing U.S. borders. RSA once again rallied the industry, and it set up an Australian division that could ship what it wanted. "We became the tip of the spear, so to speak, in this fight against government efforts," Bidzos recalled in an oral history. RSA EVOLVES RSA and others claimed victory when export restrictions relaxed. But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks. RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to concentrate on VeriSign, a security certificate company that had been spun out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to Massachusetts, and many top engineers left the company, several former employees said. And the BSafe toolkit was becoming a much smaller part of the company. By 2005, BSafe and other tools for developers brought in just $27.5 million of RSA's revenue, less than 9% of the $310 million total. "When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on." By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers. New RSA Chief Executive Art Coviello and his team still wanted to be seen as part of the technological vanguard, former employees say, and the NSA had just the right pitch. Coviello declined an interview request. An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institutes of Standards and Technology as one of four acceptable methods for generating random numbers. NIST's blessing is required for many products sold to the government and often sets a broader de facto standard. RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings. RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists. "The labs group had played a very intricate role at BSafe, and they were basically gone," said labs veteran Michael Wenocur, who left in 1999. Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula "can only be described as a back door." After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator. But unlike the Clipper Chip fight two decades ago, the company is saying little in public, and it declined to discuss how the NSA entanglements have affected its relationships with customers. The White House, meanwhile, says it will consider this week's panel recommendation that any efforts to subvert cryptography be abandoned. (Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCoo.)
The final report of the NSA oversight panel has been released. http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf It's very long (300ish pages) and I have read only a small amount. But this bit struck me as very wrong. Recommendation 5 We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intelligence Surveillance Court that meets the requirements set forth in Recommendation 1. As this is comp.risks and not comp.privacy.privatization, I'll just ask what risk is posed by the government buying bulk telephony meta-data from private third parties? Does this create a market for additional, meta-data collection and data collectors? Will this mean many more systems to protect from criminal parties? Will this mean private third parties will be more easily able to interfere for their own benefit in government intelligence operations?
http://j.mp/1drP3fm (*Verge* via NNSquad) "Never let it be said that AT&T and Verizon don't follow each other's leads. Just one day after Verizon announced it would start publishing a semiannual transparency report that details all of the law enforcement requests it receives, AT&T announced that it would being doing the same in early 2014. The carrier's report will include info on the total number of law enforcement data requests received from the government in criminal cases, the number of subpoenas, court orders, and warrants received, and the total number of customers affected. The first report issued should cover all of the requests from 2013."
Before anyone sniffs at the Genkin/Shamir/Tromer method as being limited to 4 meters, consider the following LED microphone bug hack: An ordinary LED light bulb could be hacked to use 'microphonics' to pulse-width modulate the light. With a proper telescope, this mechanism could be used to 'listen' to someone's computer from many miles away -- perhaps even from a drone above... LED's might be hacked to be even smarter—e.g., 10Mbits/second "LiFi" -- in order to snoop on a WiFi connection: http://visiblelightcomm.com/
Here is Silver Bullet episode 93. The podcast features a discussion with Yoshi Kohno (a cigital alum) who is now a computer science professor at University of Washington. You've probably heard of Yoshi's car hacking stuff (or maybe even seen it on Nova). Yoshi has one of the best vulnerability finding minds in the business. http://www.cigital.com/silver-bullet/show-093/
Please report problems with the web pages to the maintainer