Is Big Brother In Your Web Browser?

Posted by Scott Jarkoff in Shorts


Have you ever considered that the U.S. government, through an agency such as the NSA, has the capability to break into an SSL-encrypted session between you and your bank and eavesdrop on that conversation? That idea alone should cause you to pause the next time you see the padlock icon in your browser light up when you think you are browsing securely.

In a purely hypothetical example, the U.S. government can force a Public Key Infrastructure (PKI) to issue them a publicly trusted certificate for www.amazon.com. They then poison your DNS and route your traffic for www.amazon.com to a site they own that has the fake certificate installed. Your browser then gives you that pretty green bar or little lock and you think everything is cool, safe and secure. Or… they can put a device between you and your target and then perform SSL interception.

Never put anything past the U.S. government and its intelligence gathering capabilities. I think that is a safe theory to operate under. Even though suspension of disbelief is required in movies like Enemy of the State and Deja-Vu, where the government employed nifty intel collecting techniques, something as simple as eavesdropping on SSL-encrypted communications should not be underestimated.

In fact, performing an SSL man-in-the-middle “attack” using a web proxy server and SSL decryption is not difficult at all. It is exponentially more believable in a corporate setting, where the IT guys control the operating system and web browser; however, that does not mean it is unheard of elsewhere.

What is the point? Be careful who you trust when you are supposedly surfing securely. Educate yourself on the security techniques used by SSL and how they function. While in most cases there is nothing to be concerned with, it is important to understand that SSL is not the end-all be-all of network security. It has its own shortcomings as eloquently articulated in this article.

Fake Hot Chick Socially Engineers U.S. Government

Posted by Scott Jarkoff in Shorts


Thomas Ryan of Provide Security set up a fake identity using a photo of a hot looking female as a means of portraying the potential security threats posed by social networking sites like LinkedIn, Facebook and Twitter. Ultimately the experiment worked, as the profiles were used to successfully socially engineer the U.S. government, military and intelligence communities.

And so it apparently was. She was an avid user of LinkedIn – a social-networking site for professionals sometimes described as “Facebook for grown-ups.” Her connections on it included men working for the nation’s most senior military officer, the chairman of the Joint Chiefs of Staff, and for one of the most secret government agencies of all, the National Reconnaissance Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop Grumman Corp. Almost all were seasoned security professionals.

It is great to see the U.S. government finally start to embrace social networking, but is the cost of being socially engineered worthwhile? How so many “smart” people fell victim to this ruse may appear to be surprising, but it really should not be. A picture of a hot chick is worth a lot of capital, especially in geek circles. Couple that with a wicked resume and connections to people in important organizations and you have a formula for socially engineering anyone, much less the government.

Hopefully the vulnerabilities exposed by social networking usage in this exercise will be used to help better educate the government, military and intelligence communities. This is one thing lacking in the government – quality education about the dangers of online social networking and the threats these tools pose to our government.

Authentication Crack Could Affect Millions

Posted by Scott Jarkoff in Shorts


Security researchers have discovered a fatal flaw in a widely used authentication routine and plan to discuss their findings at the Black Hat conference later this month in Las Vegas. The researchers have not yet publicly disclosed the affected application, although it initially appears as if OpenID and OAuth are vulnerable to this newfound attack.

They found that some versions of these login systems are vulnerable to what’s known as a timing attack. Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network. The researchers aim to show that’s not the case.

The attack is thought to be so difficult because it requires very precise measurements. It cracks authentication tokens by measuring the time it takes for a computer to verify a digital signature. On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.

Since OpenID and OAuth are affected, sites such as Twitter and Digg are vulnerable as they make use of these routines to provide additional functionality not seen in average web sites. Ultimately, what this attack facilitates is allowing an attacker to masquerade as a legitimately authenticated user without having to log in to the site. While timing attacks such as this are difficult to pull off, they are not inconceivable.

What does this mean for the average user? Probably nothing much at this point since the keys to this particular kingdom lie in the hands of the web site operators. It will be up to the service providers making use of the affected libraries to either switch to an unaffected library or modify the existing one.

If you are a developer and are using OpenID and/or OAuth, then you should definitely be concerned. Pay strict attention to the paper these researchers plan to present at Black Hat to see if the libraries you are using are affected and in need of modification.
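An added example, not from the original post or from any affected library: the early-exit signature check described above next to a constant-time replacement. The key, message and function names are constructed for illustration, and the code counts characters examined instead of measuring time so the result is deterministic.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real service.
SECRET_KEY = b"constructed-demo-key"
MESSAGE = b"user=alice&expires=1700000000"


def sign(message: bytes) -> str:
    """Hex HMAC-SHA256 tag standing in for the token signature."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def early_exit_compare(expected: str, supplied: str) -> tuple:
    """Vulnerable pattern: return as soon as one character is wrong.

    Returns (match, characters_examined). The second value is the work the
    server did, which is what its response time exposes.
    """
    examined = 0
    if len(expected) != len(supplied):
        return False, examined
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, supplied: str) -> bool:
    """Hardened form: hmac.compare_digest does not stop at the first mismatch."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def work_profile(matching_prefix: int) -> int:
    """Characters the early-exit check examines for a bad signature that
    agrees with the real one on `matching_prefix` leading characters."""
    good = sign(MESSAGE)
    # Replace the character after the prefix with one guaranteed to differ.
    wrong = "0" if good[matching_prefix] != "0" else "1"
    bad = good[:matching_prefix] + wrong + good[matching_prefix + 1:]
    return early_exit_compare(good, bad)[1]


if __name__ == "__main__":
    for n in (0, 1, 8, 32):
        print(f"{n:2d} leading characters correct -> {work_profile(n)} examined")
    print("constant-time accepts valid:", constant_time_compare(sign(MESSAGE), sign(MESSAGE)))
```

The count grows with the number of correct leading characters, which is the signal the post describes; the `hmac.compare_digest` version removes that dependence on where the first mismatch occurs.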

iTunes AppStore Hacked

Posted by Scott Jarkoff in Shorts


What a lovely Independence Day surprise: global iTunes accounts have been compromised and used to purchase up to $600 worth of AppStore apps per account. Initially the suspicious activity pointed towards one specific developer, but has since spread to multiple developers, multiple iTunes accounts and more than the US iTunes store. The Next Web has a detailed list of the facts surrounding this breach.

  • A number of iTunes accounts from across the globe, not just the US, have been used to purchase apps.
  • iTunes users have reported anywhere between $100-$1400 spent using their accounts.
  • Many of the apps have been purchased to specifically climb up the iTunes ranking to gain momentum in the hope that others will purchase the apps based on their high sales.
  • Currently all the apps purchased have been owned by Asia-based developers with little information known about them. Clearly they feel being based in Asia will give them immunity to any US laws.
  • The developers’ website and support links direct users to non-existent websites or landing pages.
  • The initial rogue developers have now been removed from the app store but other unethical developers still have their accounts available in the app store – details on those to come.

Check your iTunes purchase history and/or your online banking access to determine if your account has been compromised in this security breach. If it has, I suggest immediately contacting Apple’s iTunes customer service and your bank to dispute the charges, so that you may recover any potentially lost funds as a result of this incident.

It is not really known how widespread this security breach is, or what vector was used to facilitate the hack. The initial hack by Vietnamese developer “Thuat Nguyen” that was reported all over the blogosphere may have led to discussion about entirely unrelated security incidents.

At this point nobody knows exactly what is going on or how all the breaches are tied together. Be on the lookout for additional information once it becomes available. In the meantime, check out your purchase history to ensure your account was not used in the breach.

The Strange and Consequential Case of Bradley Manning, Adrian Lamo and WikiLeaks

Posted by Scott Jarkoff in Shorts


Glenn Greenwald on the rather obvious peculiarities of the PFC Bradley Manning WikiLeaks case:

This Manning detention — whether it was by design or just exploited opportunistically — is being used to depict WikiLeaks as a serious national security threat and associations with it as dangerous and subversive. Just in the last week alone, several people have expressed to me fears that supporting or otherwise enabling WikiLeaks could subject them to liability or worse. There’s no reason to believe that’s true, but given the powers the U.S. Government claims — lawless detentions, renditions, assassinations even of American citizens — that’s the climate of intimidation that has been created. This latest incident is clearly being used to impede WikiLeaks’ vital function of checking powerful factions and imposing transparency, and for that reason alone, this is an extremely serious case that merits substantial scrutiny, along with genuine skepticism to understand what happened.

The case of PFC Bradley Manning just keeps getting stranger and stranger. Not everything is as it seems – smoke and mirrors if you will – which makes it difficult to separate fact from fiction. Did Manning truly have a crisis of conscience, seemingly leading him to confess to a known, convicted hacker?

Or is the more plausible explanation that PFC Manning was somehow set up by the U.S. Government to potentially fulfill their desire to destroy the reputation of WikiLeaks?

In other words, exactly what the U.S. Government wanted to happen in order to destroy WikiLeaks has happened here: news reports that a key WikiLeaks source has been identified and arrested, followed by announcements from anonymous government officials that there is now a worldwide “manhunt” for its Editor-in-Chief. Even though WikiLeaks did absolutely nothing (either in this case or ever) to compromise the identity of its source, isn’t it easy to see how these screeching media reports — WikiLeaks source arrested; worldwide manhunt for WikiLeaks; major national security threat — would cause a prospective leaker to WikiLeaks to think twice, at least: exactly as the Pentagon Report sought to achieve? And that Pentagon Report was from 2008, before the Apache Video was released; imagine how intensified is the Pentagon’s desire to destroy WikiLeaks now. Combine that with what both the NYT and Newsweek recently realized is the Obama administration’s unprecedented war on whistle-blowers, and one can’t overstate the caution that’s merited here before assuming one knows what happened.

No matter what the outcome of this turns out to be, it sure is an intriguing read, especially from an information assurance perspective. There was a huge breakdown of policy implementation where Manning worked, ultimately facilitating his ability to voluminously transfer classified documents from highly classified networks to the internet – something expressly forbidden for obvious reasons.

Greenwald’s write-up for Salon is one of the more exhaustive articles questioning the validity of what Wired has reported on to date. It is well worth reading, especially if you care about national security, government transparency and whistle-blowing.

Is Your Twitter Account Hacked?

Posted by Rich Chuckrey in Shorts


Over the last 24-48 hours we are [again] seeing a DM phishing attack blowing through Twitter accounts. Are you spamming your Twitter followers with Direct Messages (DM) that contain links leading to phishing websites? Have you received a Twitter DM to a Twitter login page that isn’t the actual Twitter login page?

How would you know?

One quick way is to filter tweets on yourself by using the @’youraccountname’ link to the right on Twitter’s home page. Do you see tweets from you, but in fact not from you? If you answered yes, your Twitter account may well be compromised.
