Wednesday, October 19, 2011

State sanctioned German "Quellen-TKÜ" (source wiretapping) trojan does more than listen in.

Image by Markusram
Ars Technica reports on the Chaos Computer Club's analysis of the state-sanctioned German source wiretapping trojan. They report that the malware has the ability to add new components remotely. This could allow German authorities to do any number of things, from eavesdropping to completely controlling the infected machine. They also report that, due to the poor quality of the malware, these options are open not only to the authorities that put it there, but also to anyone able to connect to the infected machine.

You can read Ars Technica's full report here:
Impressed by FBI trojan, Germans write their own—and national scandal ensues

Saturday, February 26, 2011

Anonymous, In it for the LuLz...

After all the damage Anonymous caused HBGary you'd think they'd be done punishing them, but not just yet. HBGary was scheduled to speak at the RSA convention that took place February 14-18 in San Francisco. They arrived, set up their booth, and left for the night to prepare their talks for the next day. They were going to unveil a new product called Razor, a computer / software combo that would be able to identify and analyze malware of all types, even code never seen before (so they claim). However, when they returned to their booth the next day they saw that Anonymous had been there.

Source: Ars Technica
They were disturbed by this physical act and felt stalked: not just embarrassed but physically threatened. HBGary's Vice President of Services, Jim Butterworth, told Ars "They decided to follow us to a public place where we were to do business and make a public mockery of our company. Our position was that we respected RSA and our fellow vendors too much to allow this spectacle to occur." Anonymous left this message behind:

Picture by ZDNet

Tuesday, February 22, 2011

Iranians Deface American Websites

Voice of America websites and the websites of their affiliates have been DDoS'd and defaced with an image of the Iranian flag and a gun. These hacks have been claimed by the hacker group calling itself the Iranian Cyber Army. VoA broadcasts radio and TV internationally, and these attacks come alongside the protests tearing through the Middle East.

Source: Ars Technica

It is believed that the attacks are an attempt to make all the protests look like American propaganda and help prevent Iranian revolts. There are a lot of interesting changes happening in the world right now, and we all need to keep an eye on what's happening so we can be prepared for future attacks.

Monday, February 21, 2011

Quick Tip - Whole Disk Encryption

Today I wanted to give a quick tip about adding encryption to your whole hard drive, not just individual files. This is important for portable devices that hold low-level sensitive data, like your search history, saved passwords, or just scattered files that are too many to round up and encrypt one by one.

I'm going to focus on TrueCrypt because it is open-source and works on all the popular operating systems: Linux, Windows (NT based), and Mac OS X. TrueCrypt encrypts on-the-fly, so your hard drive stays encrypted even while in use; files are decrypted only as they are needed and encrypted again afterwards. You can encrypt a virtual disk stored on the hard drive, the entire hard drive, or a thumb drive.

A really interesting feature I like about TrueCrypt is the ability to make a decoy partition with a throw-away password: if you are somehow compromised and have to give up the password, you can hand over the throw-away password and unlock a partition with less important data on it.

I personally use it on my thumb drives because I tend to drop them a lot. Instead of repeating the well done walk-through for installing TrueCrypt, I'll let their documentation do the work for me. Take a look at the documentation here.

Once you have, say, a thumb drive encrypted, it will show up as a CD on your computer until you run TrueCrypt and mount the disk with your password. Only then does it even show up as a thumb drive. It is a few extra steps to get to your files, but once you get used to mounting it, it really is easy to use. Because everything is done on-the-fly you don't have to wait for the entire disk to be encrypted or decrypted every time; it happens file by file, on demand.

What is most important, though, is picking a strong password, because that is the weakest point in your encryption armor. If you need pointers on choosing a strong password, see my other post Quick Tip - Passwords. Make sure it is memorable and, if needed, write down clues to your password while you are still memorizing it, but never write down the password itself. Remember, if you forget your password you essentially lose everything on the encrypted disk.

Of course, if you think this is a lot of trouble and not worth your time, you could always purchase one of the thumb drives that come with hardware encryption.

Sunday, February 20, 2011

Follow-up New Cyber Warfare

I recently linked to an article on Ars Technica about HBGary selling exploits to the government. It is a long article and I have been slowly working through it to give a summary of what it brings to light. I have found a few very interesting things that have been going on.

These aren't really surprising, to me at least, but I find them very enlightening. HBGary worked alongside other companies to put together demos to sell zero-day exploit tools to the government. Two government agencies specifically mentioned in the Ars article are the Air Force and SOCOM. HBGary claims to have many zero-day exploits and even to have sold many of them to others. Here is a list:

Saturday, February 19, 2011

QuickTip - GnuPG On Windows and Linux

GnuPG is the GNU project's implementation of the OpenPGP standard. PGP stands for Pretty Good Privacy and is a type of public key encryption. This kind of encryption has been around for a very long time and relies on a key pair, a private key and a public key, to work. Whatever you encrypt with your private key can only be decrypted using your public key. But the public key is just that, public, so anyone can read a message encrypted with your private key provided they have acquired your public key from somewhere, like a keyserver.

This doesn't sound very secure, I know, and it isn't meant to be: it is meant to prove that an email really came from you, since only you hold your private key. To get a secure message to someone, you encrypt the message with their public key and then sign it with your private key. When you encrypt something with a public key, it can only be decrypted by the matching private key. You sign it with your private key for the same reason as before: it verifies that it is really you sending it.
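The encrypt-to-recipient and sign-with-your-own-key workflow above, as an added example run through the gpg command line (this is not code from the original post). It assumes a modern GnuPG (2.x) is installed; the two people, their addresses, and the file-based key exchange standing in for a keyserver are constructed for the demo.

```shell
# Added example (not from the original post): the encrypt-to-recipient and
# sign-with-own-key workflow described above, driven through the gpg CLI.
# Alice and Bob each get a throw-away GNUPGHOME; exported key files stand in
# for the keyserver. Names and addresses are constructed for this demo.
set -eu

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# Run gpg non-interactively against one person's keyring
g() { _h=$1; shift; GNUPGHOME=$_h gpg --batch --yes --quiet "$@"; }

# 1. Each party generates a key pair (no passphrase, for the demo only)
g "$ALICE" --pinentry-mode loopback --passphrase '' \
  --quick-gen-key 'Alice <alice@example.com>' default default never
g "$BOB" --pinentry-mode loopback --passphrase '' \
  --quick-gen-key 'Bob <bob@example.com>' default default never

# 2. Exchange PUBLIC keys only (by file here, via a keyserver in practice);
#    each private key stays in its owner's keyring
g "$ALICE" --armor --export alice@example.com > "$WORK/alice.pub"
g "$BOB"   --armor --export bob@example.com   > "$WORK/bob.pub"
g "$ALICE" --import "$WORK/bob.pub"
g "$BOB"   --import "$WORK/alice.pub"

# 3. Alice encrypts to Bob's public key (only Bob's private key opens it) and
#    signs with her own private key (proves the sender), in one pass
printf 'meet at noon\n' > "$WORK/msg.txt"
g "$ALICE" --trust-model always --local-user alice@example.com \
  --recipient bob@example.com --sign --encrypt --armor \
  --output "$WORK/msg.asc" "$WORK/msg.txt"

# 4. Bob decrypts with his private key and checks the signature; the plaintext
#    is released only if gpg reports GOODSIG made by Alice's key
decrypt_and_verify() {
  st=$(g "$BOB" --status-fd 1 --decrypt --output "$WORK/plain.txt" "$WORK/msg.asc")
  printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG .*alice@example.com' || return 1
  cat "$WORK/plain.txt"
}

# 5. The sender cannot read her own ciphertext: Alice has Bob's public key but
#    not his private key, so gpg must refuse (exit status non-zero)
alice_cannot_decrypt() { ! g "$ALICE" --decrypt "$WORK/msg.asc" >/dev/null 2>&1; }

decrypt_and_verify
```

Step 5 is the property the post relies on: holding someone's public key lets you send to them and verify their signatures, never read what others sent them.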

Friday, February 18, 2011

A deep look into US Military and CyberWar

Ars Technica has a (long) story up about HBGary and how they wrote backdoors for the US government.
This is a very interesting look into the black ops of computer security. We all need to be aware of what is out there and what is going on.

If you have time, give this article a read. If you don't know, Ars articles are always well researched and written. Warning: it is a 5+ page article.

Back with more when I get time to research what they discuss here.

Thursday, February 17, 2011

7 Types of Hackers

Roger Grimes, Security Advisor at, has an article about the 7 types of hackers.

  • Cyber Criminals
  • Spammers / Adware Spreaders
  • Advanced Persistent Threat Agents
  • Corporate spies
  • Hacktivists
  • Cyber warriors
  • Rogue hackers
This is an interesting and quick read. I hope it helps explain to people that there is more than one type of hacker, and not all of them are criminals with evil intent.

Potential PSN Hacks

Since the PS3 encryption key was cracked, hackers have been studying the firmware and have found some interesting things about the way your PS3 interacts with the PlayStation Network. One hacker reports that he has found evidence that your credit card information is sent to the PSN in an unencrypted text file, granted over an SSL connection. This would be secure as long as you aren't running a custom firmware.

Hackers have reported that custom firmware running on a PS3 could be compromised with a set of fake SSL certificates and DNS information. Using this, the hackers could route PSN traffic to a proxy server over SSL and decrypt the data, save it, re-encrypt it, and forward it on to the PSN servers. This could be done transparently to the user, except for maybe a small slowdown from proxying.

My advice: stay away from custom PS3 firmwares for now, especially while Sony is cracking down so hard on modders with permanent bans from the PSN.

Wednesday, February 16, 2011

Quick Tip - Passwords

In light of all the password leaks recently (Gawker and HBGary), I thought maybe I should give some quick tips on good password etiquette:

1. Pick a strong password.
  • That means not a dictionary word.
  • It contains more than just letters, like a number AND a special character.
  • Make it longer than 8 characters.
2. Don't reuse the same password on multiple accounts.
  • If your password is stolen, the thief gains access to all your other accounts too.
3. Don't share your password, save it in a text file, write it down, or email it to yourself.
  • These just make it easier for someone to steal it.

HBGary vs Anonymous

HBGary is a computer security company that does penetration testing, intrusion detection, and worm detection, quarantine, and analysis. They present themselves as experts in the computer security field, but recently they were successfully compromised by basic, well-known techniques.

Aaron Barr was conducting what he called "just research" on information gathering through social media. He would use Facebook, Twitter, LinkedIn, and other social networks to gather data about his target and their family and friends. He claims he could find his target's real name as well as where they were from just from publicly available information on social media sites.

He decided that he wanted to go after what he saw as "the leaders" of Anonymous. This did not turn out well for Mr. Barr. He claimed to have found the real names of these so-called leaders of Anonymous and was in talks with the FBI to gain a contract between them and HBGary Federal. That's right, Aaron Barr was the CEO of HBGary Federal, a branch of HBGary that was to handle all federal contracts but was falling short of its goal and running out of money. This made Barr anxious to close a deal by any means necessary.

Anonymous Releases Stuxnet Source Code

Fox News reports that an unencrypted version of the Stuxnet worm source code has been released online by the group known as Anonymous. This version was being studied by HBGary Federal and was discovered when Anonymous hacked into their network earlier this month.

For those who don't know, the Stuxnet worm was the first computer worm to specifically target SCADA (Supervisory Control and Data Acquisition) systems and also the first known worm to install a rootkit on a PLC (Programmable Logic Controller). It is widely regarded as the most sophisticated piece of computer malware to date. Experts worry that this source code could be studied by attackers to create similarly sophisticated attacks.

For a more in-depth look at what Stuxnet is, I suggest reading over the Wikipedia entry or watching this YouTube video by Symantec demonstrating what Stuxnet does to a PLC.

The decompiled source code can be found here, and for more news and updates on the source code follow @stuxnetsource.

I link to the source because I believe knowledge is for everyone: the more people who can study these types of malware, the better off we all are, because the more widespread the knowledge, the less powerful it becomes.