The Null Device
Posts matching tags 'security'
As the US counts down the days to the inauguration of President Trump, some voices in the technology industry are calling for the industry to start scrubbing user data, before the new government's surveillance apparatus lays claim to it.
Currently, the NSA can tap into a broad range of communications, but have no means to compel communications to be in a form they can monitor. This is likely to change; after all, they will need to be able to hunt down those involved in, or providing support to, terrorist groups like Black Lives Matter and Friends Of The Earth, not to mention the President's extensive list of enemies. As such, it is quite likely that, at some point during Trump's first year, end-to-end encrypted messaging systems will be required to provide real-time plaintext to the security services. (Things have already been moving slowly in this direction, and will only accelerate under a president who has expressed admiration for autocrats and a brutishly Hobbesian view of how power works.)
Similar laws are already in force in more established autocracies such as Russia and Turkey. The difference is that American companies, subject to American law, provide many of the communications systems used worldwide, such as Apple iMessage, WhatsApp and Signal. These are likely to be compelled to provide the US homeland-security authorities with the plaintext of all messages coming through them, in real time, and to make whatever changes are necessary to their architecture to achieve this.
With iMessage, this would be theoretically easy to do. iMessage messages are encrypted from end to end, so Apple have no means of reading them, but each message is encrypted separately under the public key of each of the recipient's devices (i.e., if you're sending one to someone with an iPhone and an iPad, your iMessage client will encrypt it once for each of those two devices). The sender's client gets that list of device keys from Apple's own directory service and has no independent way of checking it. Once they are legally compelled to do so, Apple could just quietly add an extra key to the list, whose private half is held by an NSA iMessage ingestion gateway. Given that the entire iMessage system is closed-source and completely under Apple's control, Apple could push this to all users, without worrying about rogue clients that feed the NSA junk.
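To make that fan-out concrete, here is a toy model of it in Python (an added example, not code from the original post or from Apple). Real iMessage wraps the content key under each device's public key; to run with nothing but the standard library, this toy wraps it under a per-device shared secret using HMAC-SHA256, which is a stand-in, not Apple's scheme. The device names, secrets and the "ingestion_gateway" entry are all made up. The point it shows is the one the paragraph makes: whoever can unwrap any one copy of the content key reads the message, so a surplus entry in the directory is invisible to the recipient, and the only client-side defence is to refuse to encrypt to devices the user has not verified out of band.

```python
"""Toy model of multi-device fan-out encryption and the "extra key" problem.

Added example, not Apple's code. One random content key encrypts the body;
that key is then wrapped once per recipient device. Assumption: wrapping is
done with a per-device shared secret and HMAC-SHA256 instead of the
per-device public key that iMessage really uses. The toy has no
authentication tag; it only models the key fan-out.
"""
import hashlib
import hmac
import os


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256, the toy's only primitive (used for key wrap and keystream)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the content key (toy stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt_fanout(message: bytes, device_keys: dict) -> dict:
    """Encrypt once, then wrap the content key for every device in device_keys.

    device_keys maps a device name to its wrapping secret. Any holder of any
    one wrapped copy can recover the content key and read the body.
    """
    content_key = os.urandom(32)
    nonce = os.urandom(16)
    body = _xor(message, _keystream(content_key, nonce, len(message)))
    wrapped = {}
    for name, secret in device_keys.items():
        kek = _prf(secret, b"wrap|" + nonce)
        wrapped[name] = _xor(content_key, kek)
    return {"nonce": nonce, "body": body, "wrapped": wrapped}


def decrypt_as(envelope: dict, name: str, secret: bytes) -> bytes:
    """Unwrap the copy addressed to `name` and decrypt the body with it."""
    kek = _prf(secret, b"wrap|" + envelope["nonce"])
    content_key = _xor(envelope["wrapped"][name], kek)
    stream = _keystream(content_key, envelope["nonce"], len(envelope["body"]))
    return _xor(envelope["body"], stream)


def send(message: bytes, directory_keys: dict, pinned_devices: set) -> dict:
    """Client-side check: refuse to fan out to devices the sender has not pinned.

    pinned_devices is the recipient's device list as verified out of band;
    directory_keys is what the server returned. Fewer devices than pinned is
    allowed (a device may have been removed); any surplus entry is treated
    as a ghost device and the send is refused.
    """
    unexpected = set(directory_keys) - pinned_devices
    if unexpected:
        raise ValueError(f"directory lists unpinned devices: {sorted(unexpected)}")
    return encrypt_fanout(message, directory_keys)


# Constructed secrets for a recipient with an iPhone and an iPad.
ALICE = {"iphone": b"a" * 32, "ipad": b"b" * 32}
# What a compelled directory might return: the same two devices plus a gateway.
ALICE_WITH_GHOST = dict(ALICE, ingestion_gateway=b"g" * 32)

if __name__ == "__main__":
    env = encrypt_fanout(b"meet at 9", ALICE_WITH_GHOST)
    print(decrypt_as(env, "ingestion_gateway", b"g" * 32))  # the ghost reads it
    try:
        send(b"meet at 9", ALICE_WITH_GHOST, set(ALICE))
    except ValueError as exc:
        print("refused:", exc)
```

The check in `send` is only as good as the pinned list: a client that trusts the directory for that list too, as iMessage's does, has nothing to compare against.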
WhatsApp, Facebook Messenger, Google Allo and so on are also proprietary systems, and could be made compliant in a similar fashion. Granted, WhatsApp and Messenger use the open-source Signal protocol for end-to-end-encrypted messages, but that implementation sits entirely embedded within the app; there is no guarantee that the app actually uses it, or that it doesn't send a carbon copy of the message to a machine in Utah, in compliance with the law. The fine print could be amended on the website to not actually promise that your message is secret from everyone, including the authorities.
The Signal app itself appears to be a somewhat tougher nut to crack in practice; it's open-source and publicly documented, to the point where any third party could download the source code, examine it minutely, and then, once satisfied, build their own client and use that to communicate securely. However, the creator, Open Whisper Systems, is a US company, subject to US laws. Legally, Giuliani or Arpaio or whoever ends up in charge of Homeland Security could billet a team of NSA engineers at their office, with the authority to dictate changes to code and architecture, all covered by a blanket gag order. The question now is how they could go about this:
- By making changes to the publicly visible source code; this would mean that any downloaded self-built versions would be surveillance-compliant. Of course, doing this in a way that is not detectable by code inspection would be the tricky part; perhaps the NSA have a toolkit of obfuscated tricks, exploiting secrets (presumably) only the NSA know about the inner architecture of commercially-available CPUs. Or perhaps the change could be slipped in within a complete rewrite, ostensibly in the name of “technical debt elimination”, making it harder to compare against the old code.
- By obliging Open Whisper Systems, under penalty of material-support-for-terrorism charges, to keep two sets of books, as it were, or two code repositories: the public one, for view, and the one that goes into the production builds. The server code (run by OWS, and under the jurisdiction of US law) could be modified to detect subtle differences between the two and degrade the connections of the self-built clients just enough to make them too flaky to use.
- To shut down Signal altogether (with OWS having the option of replacing it with an incompatible, compliant app).
Were Open Whisper Systems to preemptively move abroad to a more privacy-friendly jurisdiction (and Germany is a good one, for obvious reasons) before Trump's inauguration, it might complicate matters. Forcing an established app with a large user-base out of the App Store would be a lot harder than forcing an underground fork of an app out. This would involve all officers involved in running the company moving out of US jurisdiction, and potentially avoiding flights going to the US, UK or Russia.
Jeroen of Spritesmods (who previously built a miniature arcade machine out of a Raspberry Pi) has an interesting piece on the possibilities of hacking the controllers in hard drives; most hard drives these days contain embedded ARM-based systems, often with reasonably powerful processors. (One WD hard drive had two ARM Feroceon cores, similar to ones used in network-attached storage appliances.) It is possible to reprogram the firmware in hard drive controllers, which has a number of defensive, offensive and other applications, from silently patching system files to insert exploits to detecting attempts at drive imaging (such as by police, customs officials or spies) and returning corrupted or falsified data. (I wonder whether algorithmically generating a FAT32 filesystem, empty except for one file named GOATSE.JPG, would be feasible within the memory footprint.) Also, given that broken hard drives with perfectly functional controllers are literally free (they're legally electronic waste that costs money to dispose of correctly), they could possibly serve as a source of free microcontrollers for various projects, such as hobby robots or circuit-bent musical instruments (assuming that one figures out how to make them control things other than hard drives).
The street finds its own uses for things: Burglars are now starting to use cheap, concealable surveillance cameras for staking out properties.
"This one has already been camouflaged," said detective Ben Singleton, holding what looks like a piece of bark that would go unnoticed in most yards. It's actually a video camera not much bigger than a matchbox, and it's activated by a motion detector. Such cameras turned up in March planted outside several upscale homes in Dalworthington Gardens.
The detective said it turned out to be surveillance for a long-running, sophisticated burglary scheme. But at first, police feared it might even be a kidnapping plot to take a wealthy person captive.
In Boston, the local police are cracking down on unlicensed hardcore punk shows in private homes, and to find them and shut them down, have been attempting to infiltrate online message boards looking for details, often doing a laughable job of it:
“Too bad you were not here this weekend,” “Joe Sly” wrote. “Patty's day is a mad house I am still pissing green beer. The cops do break balls something wicked here. What's the address for Saturday Night, love DIY concerts.” He might as well have written “Just got an 8 ball of beer and I’m ready to party.”
You don’t have to be a local-music Agent Smith, though, to tell that some of these emails smell pretty fishy. “Hey there, local P native here,” wrote one probable imposter to a local band, (who probably meant to type JP, slang for Jamaica Plain). “What is the Address for the local music show tonight?”

Granted, whilst these profiles do look laughable, the police have successfully shut down a lot of shows before they happened, presumably from intelligence gathered elsewhere, whether by impersonating punk rock fans more convincingly or by obtaining warrants to intercept the email/Facebook messages of known organisers. Meanwhile, in a climate where one knows that narcs are about, it's hard to promote shows and yet make sure that only the right people hear about them:
As a result of efforts like this, promoters and houses have become much more cautious when they receive requests out of the blue for information about shows. And this kind of caution may be, in its way, a kind of success for the BPD initiative. It's kind of hard to put on a show when you can't tell anyone ahead of time where it's going to be. In that sense, the cops seem to be succeeding through another tried-and-true Internet tradition. Trolling is almost always transparently obvious, but when it's unflagging and endlessly annoying, it can be extremely discouraging. Troll a group of people hard enough, and they may end up saying, like famed Boston Beat Gang punk Joe Sly, “What's the point?”

As such, requests for information that sound like they're obviously from clueless cops may be exactly the right tactic; they're not meant to catch the prey, but rather to force the prey to keep their heads down, because there are predators about.
The street finds its own uses for things: Russian crime organisations have online marketplaces offering the services of willing underworld accomplices in various cities, administered through a cutting-edge web-based control panel:
The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York. These associates are not mere “money mules,” unwitting and inexperienced Americans tricked and cajoled into laundering money after being hired for bogus work-at-home jobs. Rather, as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity (the ad refers to them as неразводные “nerazvodni” or “not deceived”). Put simply: These are mules that can be counted on not to freak out or disappear with the cash.
According to the advertisement, customers of this service get their very own login to a remote panel, where they can interact with the cashout service and monitor the progress of their thievery operations. The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year.

The contractors are available for other services, such as pickup and forward shipping of sketchy merchandise and “other interesting transactions”.
Once again, Russian biznesmeni are at the forefront of bringing free-market efficiency and the disintermediating, just-in-time power of the internet to the underworld (for long dominated by the almost Leninist command economies of hierarchical Mafia organisations and insular cells of bandits), or, if you will, liberating open-slather capitalism from pretences of legal propriety. Or, as has been said before, “Lenin failed to teach the Russians socialism, but he succeeded in teaching them capitalism”.
Bruce Schneier has an essay about what IT security will look like in 10 years' time:
There’s really no such thing as security in the abstract. Security can only be defined in relation to something else. You’re secure from something or against something. In the next 10 years, the traditional definition of IT security— that it protects you from hackers, criminals, and other bad guys— will undergo a radical shift. Instead of protecting you from the bad guys, it will increasingly protect businesses and their business models from you.
Cory Doctorow rightly pointed out that all complex ecosystems have parasites. Society’s traditional parasites are criminals, but a broader definition makes more sense here. As we users lose control of those systems and IT providers gain control for their own purposes, the definition of “parasite” will shift. Whether they’re criminals trying to drain your bank account, movie watchers trying to bypass whatever copy protection studios are using to protect their profits, or Facebook users trying to use the service without giving up their privacy or being forced to watch ads, parasites will continue to try to take advantage of IT systems. They'll exist, just as they always have existed, and, like today, security is going to have a hard time keeping up with them.
Elaborate disguise of the day: a young Hong Kong Chinese man boarded an Air Canada flight to Vancouver disguised as an elderly Caucasian man, by virtue of a silicone mask:
The man changed out of the silicone mask during the flight, and was arrested on arrival in Canada; he has claimed refugee status.
The mask in question may be purchased from here, for US$689; it's said to be in low stock due to "extremely high demand".
A security researcher in Israel has predicted that the next generation of malware may, rather than stealing passwords or card numbers, steal users' behaviour patterns. The malware will infect the networks of devices people use, monitor their behaviour and send the models to bad guys who can use it to impersonate the victim for nefarious purposes. And if it happens to you, you have no recourse, short of forcing yourself to become a completely different person.
Of course, the question remains of whether the malware could build a sufficiently sophisticated model of an individual's behaviour patterns to sneak past (necessarily paranoid) software systems designed to check these things, or to convincingly persuade your Facebook friends that it's really you who urgently needs money to get out of a Nigerian gaol. Perhaps the Singularity will arrive, not when a spambot becomes smart enough to evade anti-spam software, but when a malware-generated behavioural model of a user becomes sufficiently complex to effectively model that user's consciousness.
Recently, there was an election in Sweden in which the votes were electronically counted. Write-in entries had to be hand-written on the ballot and were later transcribed into the published results, but that didn't stop wiseguys trying to pwn the election by pulling a Bobby Tables-style attack:
R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1

Or, indeed, attempting (unsuccessfully) to pwn the browsers of anyone looking at the results (thwarted by the transcriber entering the wrong type of bracket):
R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1

It's not clear whether they expected to succeed or were just aiming for a laugh from the geeks of the world.
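For the record, neither write-in could have worked as typed even against a sloppy importer: the first has no quote character to break out of a string literal, and the second has round brackets where a script tag needs angle ones. Below is an added example in Python (mine, not anything from the Swedish election authority) that imports those two lines, plus one constructed line showing what a write-in would actually need, through a string-concatenating importer and through a parameterised one. The table name VALJ and the field order are assumptions read off the two results lines.

```python
"""Importing write-in votes: a concatenating importer beside a parameterised one.

Added example, not the Swedish election authority's code. The table name
VALJ and the ';'-separated field order are assumptions taken from the two
results lines reproduced from this page; the third line is constructed to
show what a write-in would need in order to actually alter the count.
"""
import html
import sqlite3

# Assumed field order of one results line (the two lines above have 11 fields).
FIELDS = ["kind", "lan_code", "lan", "kommun_code", "kommun", "valkrets_code",
          "valkrets", "distrikt_code", "distrikt", "candidate", "votes"]

PAGE_LINES = [
    "R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1",
    "R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1",
]
# Constructed: a quote closes the string literal and '--' comments out the rest,
# so the write-in carries its own vote count. No semicolon is needed, which
# matters because ';' is the field separator and cannot appear inside a field.
CONSTRUCTED_LINE = "R;00;Test län;00;Test;00;Test;0000;Test;Bobby', 9999)--;1"


def parse_line(line: str) -> dict:
    return dict(zip(FIELDS, line.split(";")))


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE VALJ (distrikt TEXT, candidate TEXT, votes INTEGER)")
    return db


def import_unsafe(db: sqlite3.Connection, line: str) -> None:
    """Builds the INSERT by string formatting and runs whatever SQL results."""
    row = parse_line(line)
    db.executescript(
        f"INSERT INTO VALJ VALUES ('{row['distrikt']}', '{row['candidate']}', {row['votes']});"
    )


def import_safe(db: sqlite3.Connection, line: str) -> None:
    """Parameterised INSERT: the write-in text is data and can never become SQL."""
    row = parse_line(line)
    db.execute("INSERT INTO VALJ VALUES (?, ?, ?)",
               (row["distrikt"], row["candidate"], int(row["votes"])))


def votes_for(db: sqlite3.Connection, candidate: str):
    """Vote count stored for an exact candidate string, or None if absent."""
    row = db.execute("SELECT votes FROM VALJ WHERE candidate = ?", (candidate,)).fetchone()
    return None if row is None else row[0]


def table_exists(db: sqlite3.Connection) -> bool:
    return db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='VALJ'"
    ).fetchone()[0] == 1


def render_cell(candidate: str) -> str:
    """Escape before the candidate string lands in the HTML results page."""
    return f"<td>{html.escape(candidate)}</td>"


if __name__ == "__main__":
    db = fresh_db()
    for line in PAGE_LINES + [CONSTRUCTED_LINE]:
        import_unsafe(db, line)
    print(votes_for(db, "pwn DROP TABLE VALJ"), votes_for(db, "Bobby"))  # 1 9999
    print(render_cell(parse_line(PAGE_LINES[1])["candidate"]))
```

Through `import_unsafe` the page's write-in is stored harmlessly as a candidate called "pwn DROP TABLE VALJ" with one vote, while the constructed one gives "Bobby" 9,999 votes; through `import_safe` both are stored verbatim with one vote each. `render_cell` is the matching fix for the second line: with the angle brackets the transcriber didn't type, `html.escape` turns them into `&lt;` and `&gt;` before the page is served.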
Bruce Schneier has a writeup of the facts we know about the Stuxnet worm, the sophisticated and unusual-looking Windows worm that has been speculated to have been designed by the intelligence agencies of the USA/Israel/Germany (delete as appropriate) to attack Iran's nuclear facilities. Or possibly not:
Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it--and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.
None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Schneier also looks at strings found in the Stuxnet worm's code, some of which suggest, somewhat tenuously, either that it's of Israeli origin or that the authors wish to give the impression that it is.
Basically, all that's definitely known is that Stuxnet was elaborately expensive to create (using not only zero-day vulnerabilities but drivers signed with stolen code-signing certificates) and was designed to attack Siemens industrial control systems, namely the WinCC/Step 7 software and the PLCs it programs. It has also been around for a while, possibly having gone undetected for a year, and has updated itself remotely during that time.
Security ninja Bruce Schneier was recently recognised by an airport screener who presumably reads his blog:
TSA Officer: A beloved name from the blogosphere.
Me: And I always thought that I slipped through these lines anonymously.
TSA Officer: Don't worry. No one will notice. This isn't the sort of job that rewards competence, you know.
The street finds its own uses for things: entrepreneurs in China are selling WiFi adapters with network key-cracking tools for breaking into secure WiFi networks. Currently, the key-cracking tools consist of a bootable Linux CD-ROM, but give it a few months and they'll integrate the cracking tools into silicon on the USB stick itself.
The existence of such tools promises to make a mockery of laws like the UK's Digital Economy Act, which are predicated on the assumption that it is possible to securely lock down a network well enough for the owner to bear legal liability for any offenses committed by anyone using the network. Of course, such tools will probably be illegal to possess or import into the UK, but then again, so are the Baikal starter pistols used by gangbangers.
In other news, an Israeli company is selling a portable device for intercepting GSM phone communications. The euphoniously titled Dominator I consists of several boxes containing custom hardware (presumably cipher-cracking FPGAs or similar), is controlled from a laptop, and can transparently impersonate a mobile base station, crack the cryptography used and record all communications from up to four phones. The makers, Meganet, say that it is undetectable.
Security researchers are now working on ways of generating machine code that looks like English-language text (PDF).
In this paper we revisit the assumption that shellcode need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shellcode that is superficially similar to English prose. We argue that this new development poses significant challenges for inline payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shellcode injection attacks altogether.

The code is generated by a language engine which selects fragments of text, Markov-chain-fashion, from a large source (such as Wikipedia or the Gutenberg Project). It looks like the random gibberish spammers pad their emails out with, though if executed, functions as x86 machine code. (Rather inefficient machine code, with a lot of jumps and circumlocutions to fit the constraints of looking like English, but good enough to sneak exploits through in.) Below is an example of some code thus disguised:
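The mechanism underneath is a language model whose every candidate word is vetted against a constraint on the bytes it would emit, with backtracking when no word fits. Here is an added toy version in Python (mine, not the paper's code). The real constraint, "do these bytes decode to x86 that still does the job", needs a disassembler and a target payload, so this toy substitutes an assumed byte whitelist (a handful of letters forbidden) to make the rejection and backtracking visible; the mini corpus is constructed. A naive printable-bytes detector is included to show why output of this shape passes the "does it look like data?" test the paper is talking about.

```python
"""Constraint-driven text generation, the mechanism behind "English shellcode".

Added example, not the paper's code. The paper steers a natural-language
generator so that the emitted bytes also decode to useful x86; that check
needs a disassembler and the target payload, so this toy substitutes a
simple byte predicate (assumption: every byte must lie in ALLOWED). The
shape is the same: walk a Markov chain over words, reject candidates whose
bytes violate the constraint, backtrack when stuck.
"""
import random
from collections import defaultdict

# Constructed mini corpus standing in for Wikipedia / Project Gutenberg.
CORPUS = """
the quick brown fox jumps over the lazy dog . the dog sleeps under the old
tree . a fox runs through the quiet wood . the old dog barks at the fox .
the wood is quiet at night . a brown dog jumps over the wall .
"""

# Toy constraint (assumption): the letters j k q x z may not appear, so words
# such as "quick", "fox", "jumps", "lazy" and "barks" must be routed around.
ALLOWED = set(b"abcdefghilmnoprstuvwy .")


def build_model(text: str) -> dict:
    """Word-bigram table: model[w] lists every word that followed w in the corpus."""
    model = defaultdict(list)
    words = text.split()
    for a, b in zip(words, words[1:]):
        model[a].append(b)
    return model


def generate(model: dict, start: str, length: int, allowed=ALLOWED, rng=None) -> str:
    """Depth-first walk of the chain. A word is accepted only if the sentence
    so far still satisfies the byte constraint; a dead end backtracks.
    Returns '' when no sentence of the requested length exists."""
    rng = rng or random.Random(0)

    def ok(words):
        return all(b in allowed for b in " ".join(words).encode())

    def walk(words):
        if len(words) == length:
            return words
        options = list(model.get(words[-1], []))
        rng.shuffle(options)
        for nxt in options:
            if ok(words + [nxt]):
                found = walk(words + [nxt])
                if found:
                    return found
        return None

    result = walk([start]) if ok([start]) else None
    return " ".join(result) if result else ""


def looks_like_text(payload: bytes, threshold: float = 0.9) -> bool:
    """Naive inline-inspection heuristic: treat a buffer as benign when most
    of its bytes are printable ASCII. This is the kind of check the paper's
    output is designed to pass."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return printable / max(len(payload), 1) >= threshold


if __name__ == "__main__":
    model = build_model(CORPUS)
    sentence = generate(model, "the", 8)
    print(sentence)
    print(looks_like_text(sentence.encode()), looks_like_text(bytes(range(256))))
```

Swap `ok` for a function that disassembles the bytes so far and checks they still reach the next stage of the payload, and you have the paper's generator in outline; the cost of that stronger constraint is the long, circuitous code the post describes.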
Recently, the annual Pwn2Own contest took place; in it, participants try to take over a computer by exploiting security holes in a web browser and capture the flag (in this case, a file on the computer's hard drive). This year, all the browsers but one fell: Firefox 3.6.2 (though it's not clear whether NoScript would have mitigated this), IE8 and Safari; one of the hackers even pwned an (un-jailbroken) iPhone and made off with the SMS database. The one browser that remained standing was Google Chrome, not because it's bug-free, but because the sandbox mechanism makes exploiting bugs impractical:
"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."
An unemployed sysadmin in Russia hacked into a video billboard and reprogrammed it to show a pornographic video, causing a traffic jam as drivers on a nearby road stopped to gape at the video and record it with their mobile phones.
The hacker, from Novorossiisk, used a server in Chechnya in an attempt to cover his tracks, but without success: the Interior Ministry tracked him down. (I wonder whether he'd have had more luck had he chosen a less politically fraught staging point.) He is now facing two years' imprisonment; meanwhile, security rules for video billboards have been tightened.
I'm thinking something like this would make a good plot device; imagine a gang of assassins/bank robbers planting logic bombs in a few strategically placed billboards; at a preset time, they start showing porn, causing instant traffic jams and trapping their victim/blocking their pursuers. Or international jewel thieves hack video screens in an exclusive reception to show Goatse-style shock porn; as the attendees are momentarily stunned by the shock, unable to react, the bandits (dressed as waiters, naturally) act quickly, snatching the valuables and making their escape. Police have a hard time piecing together what happened afterward.
(via Boing Boing)
Please Rob Me is a web site which aggregates Foursquare location data shared by Twitter users and presents it as "new opportunities" and announcements of users having "left home", to demonstrate the risks of sharing location data with strangers.
While Please Rob Me is a proof of concept, and not particularly useful to burglars (you'd have to map Twitter IDs to names and addresses, and also work out whether there was anybody else living at the premises), there is speculation that social web sites offer a wealth of information to burglars, from users' locations to party photos set inside homes and showing off stealable goods. Of course, these days, the dominant web site is Facebook, which, by default, hides users' posts from people outside of their friend list; however, a significant proportion of Facebook users will gladly friend people they don't actually know, undermining this common-sense measure. (Intuitively, the risk of being burgled or spammed must seem insubstantial to them next to the promise of meeting hot chicks or getting invited to cool parties.) An even larger proportion use Windows PCs which are susceptible to viruses. There is already malware which spams Facebook with phishing links; malware which harvests useful information about all of a user's contacts (real names/identifying details, addresses, links to other social sites, &c.) and uploads them to a criminal-owned server could be just as plausible.
Of course, this makes little economic sense if one imagines one team of burglars going to all this effort to identify easily reachable places likely to house unattended PlayStations or plasma screens. However, if one follows the advice of Adam Smith and introduces division of labour (a practice seen in other criminal enterprises, such as phishing gangs and Nigerian 419 scam operations), it becomes more plausible.
Imagine, if you will, a criminal business intelligence service, much like the ones serving marketers, only specialising in selling leads on potential targets to burglars. This business would have a server somewhere with lax law enforcement, algorithms for harvesting and unifying information from a range of sources (possibly supplemented by human intelligence) and a site for offering bundles of this information to prospective burglars, searchable by geographic location, likely richness of pickings (determinable from the target's employment information, credit ratings and such) and likelihood of them being out of town. The algorithms would pick through a number of public sites, such as Twitter, Foursquare and others (photo sharing sites could be useful; if someone's address is in New York and they just uploaded a fresh photo geotagged in Gran Canaria, they're probably not home), and use them to pick out the likelihood of a target matching various criteria. (The algorithms could be fairly advanced, but as we have seen from the botnet arms race, there's no shortage of ingeniously talented coders of, shall we say, above-average moral flexibility.)
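The "address in New York, fresh photo geotagged in Gran Canaria" inference above is a few lines of code, so it is worth seeing it from the other side: as a self-audit over an export of your own posts. Here is an added example in Python (mine, not Please Rob Me's code). The posts, coordinates and timestamps are constructed; the 50 km and 72 hour thresholds are assumptions.

```python
"""Self-audit of "not at home" leakage in a public feed.

Added example, not Please Rob Me's code. A recent, public post geotagged
far from home advertises an empty house; this flags such posts in an
export of your own feed. Posts, coordinates and timestamps are
constructed; the distance and age thresholds are assumptions.
"""
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def away_posts(posts, home, now, max_km=50.0, max_age=timedelta(hours=72)):
    """Return (post id, distance in km) for every public, geotagged post that
    is newer than max_age and more than max_km from home. Private posts and
    stale trips are skipped: they say nothing about where you are tonight."""
    flagged = []
    for post in posts:
        if not post.get("public", True) or post.get("geo") is None:
            continue
        age = now - post["time"]
        if age < timedelta(0) or age > max_age:
            continue
        dist = haversine_km(home[0], home[1], post["geo"][0], post["geo"][1])
        if dist > max_km:
            flagged.append((post["id"], round(dist)))
    return flagged


# Constructed data: home in Manhattan, a fixed "now", four posts.
HOME = (40.7128, -74.0060)
NOW = datetime(2010, 2, 20, 12, 0, tzinfo=timezone.utc)
POSTS = [
    {"id": "coffee", "geo": (40.6782, -73.9442), "public": True,
     "time": NOW - timedelta(hours=3)},        # Brooklyn: near home, harmless
    {"id": "beach", "geo": (28.1235, -15.4363), "public": True,
     "time": NOW - timedelta(hours=2)},        # Gran Canaria, fresh: leaks absence
    {"id": "old-trip", "geo": (28.1235, -15.4363), "public": True,
     "time": NOW - timedelta(days=30)},        # Gran Canaria, a month old: stale
    {"id": "private", "geo": (28.1235, -15.4363), "public": False,
     "time": NOW - timedelta(hours=1)},        # friends only: not in the public feed
]

if __name__ == "__main__":
    for post_id, km in away_posts(POSTS, HOME, NOW):
        print(f"{post_id}: {km} km from home and recent; tells strangers you are away")
```

Only the fresh Gran Canaria photo is flagged. The same loop, pointed at other people's feeds and joined to an address, is the whole of the "business intelligence" product the post goes on to imagine, which is the argument for keeping geotags off public posts in the first place.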
Of course, the real rich pickings are in walled gardens such as Facebook, where people have a sense of security and post their real names, locations and photos; while this is not public, a criminal site could harvest it by using malware (in which case, it'd get not just the details of the owner of the infected PC, but of all their friends), rogue viral Facebook apps or by hiring humans to set up profiles and, using a specially modified browser, friend random strangers ("MAKE MONEY AT HOME SURFING THE WEB!", the recruitment ads could read). The data would go into the criminals' data centre and would come out the other end as searchable packages offered for sale ("Your search of current vacationers making $50k+ near ___ has yielded 37 results, for $100 each. How many would you like to buy?")
Given precedents both in computer crime (credit-card fraud is a big one, having both black-market web sites and highly specialised economies with divisions of labour) and social software, I would be surprised if nobody tries setting something like this up.
An Armenian-born programmer recounts how, during his childhood in the USSR, he stumbled across the KGB's technique for listening in on conversations in any home.
Some time in 1981, I think, a relative from the U.S. comes to visit us for the first time since he left the country many years before that. He was going to stay in our house for a couple of weeks. My parents told me that such visits were always "monitored" by KGB, and so I should be careful with expressing any kind of anti-soviet ideas (which I was known for in the school). In the end though, nobody was going to take this seriously: neither the possibility of KGB agents freezing in cold outside watching us through the windows, nor any kind of bugs installed in our house.
Something strange, however, had happened when our relative had finally arrived. Our phone went crazy. First of all, it was practically impossible to call or to take calls during that period. And besides, the phone's ringer started giving a single "ding" twice a day, exactly at 9 in the morning and 9 in the evening.

The KGB, it seems, was using the ringers of telephones as crude microphones, responding to sound vibrations and feeding a very weak signal back into the phone line; when a house was noted as being of sufficient interest, a powerful amplifier could make the signal just about intelligible. The KGB only got caught out (to the extent of allowing a young boy to figure out what was happening, at least) due to the dilapidated condition of the Soviet phone system, and the tendency for lines to get crossed from time to time.
A Russian CCTV surveillance company has allegedly stumbled upon an ingenious way of reducing operating costs and boosting profits: by replacing surveillance camera feeds with prerecorded video. The alleged fraud was uncovered during a routine check of cameras in Moscow; the director of the surveillance company, who has been detained by police, denies the claims, saying it's a set-up by rivals.
US troops in Iraq now have an iPhone app for tracking insurgents; well, for displaying tactical maps in real time. Meanwhile, the insurgents have found a Russian-designed program which can be bought for $26 and which allows them to watch the video feeds of Predator drones, which happen to be unencrypted. (Oops!) The military is planning to fix this, though it's harder to do than it sounds due to the expensive proprietary design of the aging drones.
In the UK, they have the Shipping Forecast; in Israel, they have text message alerts of incoming missiles:
"The rocket sensor will create a virtual ellipse (of the predicted impact zone) and all phones in that area will receive a warning," the Jerusalem Post quoted Chilik Soffer, a senior official at the Israeli Home Front Command, as saying.
The New South Wales Police's Computer Crime Investigation Unit has some advice for people who do their banking online: don't use Windows.
The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows.
"If you are using the internet for a commercial transaction, use a Linux boot up disk - such as Ubuntu or some of the other flavours. Puppylinux is a nice small distribution that boots up fairly quickly.
"It gives you an operating system which is perfectly clean and operates only in the memory of the computer and is a perfectly safe way of doing internet banking," van der Graaf said.

Meanwhile, one of the people chosen to have a Windows 7 launch party is putting the party kit Microsoft sent him on eBay. He's keeping the copy of Windows 7, but in its place, adding a list of the excuses that all the people whom he invited gave for not being able to show up:
Chris: Found out Windows 7 not available on 5.25" floppy.
Kevin: I'll be over as soon as I shut down my laptop. XP still has 72 updates to go.
Mike: I was going to come to your launch party but then a girl called.
Ira: Sorry, my guild has a raid.
In the US, someone has been anonymously sending laptops to state governors. Laptops have been sent, in some cases multiple times, to the governors of states including West Virginia and Wyoming. The computers have been handed over to the FBI for investigation, on the suspicion that they might be Trojan horses intended to pwn the apparatus of government on behalf of whoever sent them.
Regarding the last post about last.fm: one of last.fm's staff has posted a rebuttal on their web forums, to wit:
* Nobody at Last.fm had any knowledge of our user data being fed to the RIAA (or any labels directly), before or after the alleged incident, or at any other point in the history of the company.
* We've been in communication with CBS and they deny that they gave any third party any of our user data.
If TechCrunch have any evidence which contradicts any of the statements I've made here, I'd love to see it, but I think someone is taking them for a ride. I'm not sure why, though.

Make of that what you will. Assuming the denials are true, last.fm and/or CBS will have no choice but to sue TechCrunch for libel to protect their reputation; it'll be interesting to see how that unfolds.
Nonetheless, even if this isn't true, the possibilities it raises are thought-provoking:
- Last.fm's scrobbling software originally sent over only the title, artist and length of tracks as they were played. More recently, it was extended to send an acoustic fingerprint of each track. The difference between these two is crucial; it is the difference between hearsay and admissible evidence. The title and artist are whatever your tags happen to say; the fingerprint is computed from the audio itself and identifies the actual recording, so a scrobble carrying one comes far closer to proof that you possess a copy of that recording. (It is not a cryptographic proof, but it ties the scrobble to the audio rather than to a text string you could have typed.) You can disable the fingerprinting function in the last.fm client software, assuming that you trust it, of course.
- How much you trust last.fm's closed-source client software is another matter. Assuming that last.fm had been compromised by the MAFIAA, what's to say that the software didn't trawl your hard drive for things that looked like MP3s (slowly, as not to arouse suspicion), fingerprint them, and then send the list over to MediaSentry or someone, along with some juicy forensic information about your machine (serial numbers, MAC addresses, &c.)?
- Of course, this would be totally illegal and even more unethical. But, then again, so would waiving the EU's privacy laws to send user identifying information to CBS (as is alleged). And it's not like the RIAA haven't been known to use underhanded tactics in their dirty war against music fans.
- Even assuming that last.fm are 100% above board and CBS are sufficiently law-abiding to not undermine them, handing over potentially compromising information implies a trust that the information will be kept secure; i.e., that there are no weak links. Given the fact that everybody from TK Maxx to Her Majesty's Government seems to leak personal information left, right and centre, this may not be a safe assumption.
An interesting interview with a former Windows adware author, by all accounts a very smart guy (albeit of, shall we say, above-average ethical flexibility), exposing the security exploits used by Windows malware, the arms races in the malware underground and the dodgy business models of the industry:
The good distributors would say, ‘This is ad-supported software.’ Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.
So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.
There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.
He also talks about making his registry entries unremovable by using obscure Unicode APIs to add them and putting in characters illegal to the ASCII-based APIs most of Windows uses (oops!), writing device drivers to further pwn the hapless users' machines, and also deploying more Scheme runtime than probably anyone else:
There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.
Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.
So not only is a botnet of pwned Windows PCs likely to be the world's most powerful supercomputer (in purely numerical terms, at least), but a network of dodgy adware could well have been the peak of Scheme's deployment in the real world.
The author's advice to anyone wanting to avoid adware is "um, run UNIX".
The latest experimental technology to emerge from Google's labs is something called Native Client. This is an experimental means of running web content as native machine code in a web browser. It's x86-specific (so users of PowerPC Macs and the numerous ARM-based portable devices are out of luck here), though other than that, completely portable; the binaries are in a special format, and get a limited number of system calls standardised across Linux, OSX and Windows. There is even a version of Quake which will run in a browser, in any of these systems, should you have the plugin enabled.
Of course, by now, you're probably thinking "Are they crazy? That's the worst idea since nuclear-powered airliners". Google, though, claim that they have a robust security model. The instruction set available is restricted, with constraints placed on the format of the code, allowing a code inspection process to detect any dangerous instructions. Google argue their case in a research paper; I'm not sufficiently familiar with recent x86 assembly language to verify their claims, but it looks like they certainly put some thought into it. Of course, there are a lot of very bright people in places like Russia, Romania and China who would also put a lot of thought into it, to entirely different ends, so there are reasons to be concerned.
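To make the inspection idea concrete, here is a toy validator, added to this post and not Google's code, that applies a simplified form of the rules the Native Client paper describes: code is divided into 32-byte bundles, no instruction may cross a bundle boundary, privileged and control-escaping instructions are rejected, direct branches may only land on instruction starts, and an indirect jump is allowed only as the second half of an and-then-jmp pair that clears the low five bits of its register (so it can only ever reach a bundle start). It works on already-decoded instructions rather than raw x86 bytes, so the decoder stand-in (`Instr`), the mnemonic lists and the sample modules are assumptions made up for the illustration.

```python
BUNDLE = 32                 # NaCl aligns code into 32-byte bundles
MASK = 0xFFFFFFE0           # AND with this forces a register onto a bundle boundary

# Constructed, partial lists: instructions the sandbox rejects outright, and the
# direct-branch mnemonics whose targets have to be checked.
FORBIDDEN = {"int", "syscall", "sysenter", "ret", "lgdt", "lidt", "in", "out"}
DIRECT_BRANCHES = {"jmp", "call", "je", "jne", "jl", "jg"}


class Instr:
    """One already-decoded instruction; a stand-in for the output of a real x86 decoder."""

    def __init__(self, offset, length, mnem, reg=None, imm=None, target=None):
        self.offset, self.length, self.mnem = offset, length, mnem
        self.reg, self.imm, self.target = reg, imm, target

    def end(self):
        return self.offset + self.length

    def bundle(self):
        return self.offset // BUNDLE


def validate(instrs, text_size):
    """Return (True, 'ok') or (False, '<rule>@<offset>') for the first violation found.

    instrs must be in address order. Simplified rules:
      - decoding is contiguous and stays inside the text segment;
      - no instruction straddles a bundle boundary;
      - no forbidden instruction appears;
      - 'jmp_reg' (jump through a register) is legal only directly after
        'and reg, MASK' in the same bundle;
      - direct branches land on instruction starts, never on the jmp half of
        an and+jmp pair (that would skip the mask).
    """
    starts = {ins.offset for ins in instrs}
    pseudo_tails = set()
    expected, prev = 0, None
    for ins in instrs:
        if ins.offset != expected:
            return False, f"gap@{ins.offset}"
        expected = ins.end()
        if ins.end() > text_size:
            return False, f"overflow@{ins.offset}"
        if ins.bundle() != (ins.end() - 1) // BUNDLE:
            return False, f"straddle@{ins.offset}"
        if ins.mnem in FORBIDDEN:
            return False, f"forbidden@{ins.offset}"
        if ins.mnem == "jmp_reg":
            masked = (prev is not None and prev.mnem == "and" and prev.reg == ins.reg
                      and prev.imm == MASK and prev.bundle() == ins.bundle())
            if not masked:
                return False, f"unmasked-indirect@{ins.offset}"
            pseudo_tails.add(ins.offset)
        prev = ins
    for ins in instrs:
        if ins.mnem in DIRECT_BRANCHES:
            if ins.target not in starts or ins.target in pseudo_tails:
                return False, f"bad-target@{ins.offset}"
    return True, "ok"


def sample_programs():
    """Constructed inputs: one well-formed module and four that each break one rule."""
    def module(jmp_target):
        return [
            Instr(0, 5, "mov", reg="eax", imm=32),
            Instr(5, 5, "and", reg="eax", imm=MASK),   # mask ...
            Instr(10, 2, "jmp_reg", reg="eax"),        # ... then jump: one pseudo-instruction
            Instr(12, 20, "nop"),                      # padding to the end of bundle 0
            Instr(32, 5, "jmp", target=jmp_target),
            Instr(37, 27, "nop"),
        ]
    return {
        "good": module(0),
        "into_pseudo": module(10),                     # jumps straight to the unmasked jmp
        "unmasked": [Instr(0, 5, "mov", reg="eax", imm=32),
                     Instr(5, 2, "jmp_reg", reg="eax"),
                     Instr(7, 25, "nop")],
        "straddle": [Instr(0, 30, "nop"),
                     Instr(30, 5, "mov", reg="eax", imm=1),   # bytes 30..34 cross offset 32
                     Instr(35, 29, "nop")],
        "forbidden": [Instr(0, 2, "int", imm=0x80), Instr(2, 30, "nop")],
    }


if __name__ == "__main__":
    for name, prog in sample_programs().items():
        print(name, validate(prog, 64))
```

The point of the bundle-and-mask rule is that the validator never has to reason about what a register will hold at run time: whatever value the code computes, the AND guarantees the jump lands on a bundle start, and the straddling rule guarantees every bundle start is an instruction the validator has already inspected.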
Of course, such an idea opens all sorts of strategic possibilities for Google; if it works, it would reduce the desktop operating system to a commodity. If any kind of application can be used as a web service, why buy a copy of Windows (or a PC with the Microsoft Tax in the price)? In fact, why bother installing a full-scale Linux? They're already starting to make PCs with cut-down instant-on operating systems (typically Linux-based) in the ROM, so that if you can't wait for your Vista box to finish booting, you can boot into the instant OS and get a web browser. Now, imagine a box like this, only with the OS being able to run web apps at native speed, perhaps in an application-oriented browser like Chrome. Could this be the much talked about "Google OS"?
Several researchers at UIUC have written a paper on how one could insert general-purpose back doors into a CPU, allowing those in the know to pwn any machine running on it, almost undetectably:
We present the design and implementation of Illinois Malicious Processors (IMPs). There is a substantial design space in malicious circuitry; we show that an attacker, rather than designing one specific attack, can instead design hardware to support attacks. Such flexible hardware allows powerful, general purpose attacks, while remaining surprisingly low in the amount of additional hardware. We show two such hardware designs, and implement them in a real system. Further, we show three powerful attacks using this hardware, including a login backdoor that gives an attacker complete and high-level access to the machine. This login attack requires only 1341 additional gates: gates that can be used for other attacks as well. Malicious processors are more practical, more flexible, and harder to detect than an initial analysis would suggest.
And here are some details:
Our memory access mechanism provides hardware support for unprivileged malicious software by allowing access to privileged memory regions. Malicious software triggers the attack by forcing a sequence of bytes on the data bus to enable the memory access circuits. This sequence can be arbitrarily long to avoid false positives, and the particular sequence must be agreed upon before deployment. Once the sequence is observed, the MMU in the data cache ignores CPU privilege levels for memory accesses, thus granting unprivileged software access to all memory, including privileged memory regions like the operating system’s internal memory. In other words, loading a magic value on the data bus will disable protection checking. We implement this technique by modifying the data cache of our processor to include a small state machine that looks for the special sequence of bytes, plus some additional logic in the MMU to ignore privilege levels when malicious software enables the attack.
Using the shadow mode mechanism, we implement a malicious service that acts as a permanent backdoor into a system (Figure 2). To initiate the attack, an attacker sends an unsolicited network packet to the target system and the target OS inspects the packet to verify the UDP checksum. The act of inspecting the packet (necessary to decide if it should be dropped) triggers the trojaned hardware, and the malicious service interprets the contents of the packet as new firmware that it loads into the processor invisibly. The target operating system then drops the unsolicited packet and continues operation, oblivious to the attack.
And there's more, including ways of stealing passwords.
And if civilian security researchers have just discovered this, it's not unlikely that ones in intelligence agencies have had such techniques for a while. I wouldn't be surprised if the NSA had similar back doors in all US-designed CPUs likely to end up on the export market, just in case, or if the Chinese government had similarly altered CPUs (or other strategic components) being manufactured on Chinese production lines, or indeed if other intelligence agencies had managed to get their own hooks into the silicon.
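The memory-access trigger quoted above is easy to model in software. What follows is an added sketch, not the paper's implementation (which is a state machine in the data cache plus a few gates in the MMU): a byte-sequence watcher sits beside a privilege check, and once the watcher has seen the trigger go past, the check is skipped. The trigger bytes, memory layout and privilege levels are made up for the illustration. It also shows why the paper says the sequence "can be arbitrarily long to avoid false positives": a two-byte trigger fires on a megabyte of random bus traffic, a sixteen-byte one does not.

```python
import random

KERNEL_BASE = 0xC000_0000   # constructed: addresses at or above this are kernel-only
KERNEL, USER = 0, 3         # constructed privilege levels, x86-ring style


class BusWatcher:
    """Model of the trigger state machine: watches every byte crossing the data bus
    and latches once the trigger sequence has gone past."""

    def __init__(self, trigger):
        self.trigger = bytes(trigger)
        self.window = bytearray()
        self.fired = False

    def observe(self, byte):
        if self.fired:
            return
        self.window.append(byte)
        del self.window[:-len(self.trigger)]     # keep only the last len(trigger) bytes
        if self.window == self.trigger:
            self.fired = True


class MMU:
    """Protection check; the trojaned path skips the privilege test once the watcher fired."""

    def __init__(self, watcher):
        self.watcher = watcher

    def allowed(self, addr, cpl):
        if self.watcher.fired:              # backdoor: privilege levels ignored
            return True
        return addr < KERNEL_BASE or cpl == KERNEL


class Machine:
    def __init__(self, trigger):
        self.mem = {}
        self.watcher = BusWatcher(trigger)
        self.mmu = MMU(self.watcher)

    def store(self, addr, data, cpl):
        if not self.mmu.allowed(addr, cpl):
            raise PermissionError(f"store to {addr:#x} at CPL {cpl}")
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.watcher.observe(b)          # every stored byte crosses the data bus

    def load(self, addr, n, cpl):
        if not self.mmu.allowed(addr, cpl):
            raise PermissionError(f"load from {addr:#x} at CPL {cpl}")
        data = bytes(self.mem.get(addr + i, 0) for i in range(n))
        for b in data:
            self.watcher.observe(b)
        return data


def demo(trigger=b"\xde\xad\xbe\xef IMP trigger\x00"):
    """Unprivileged code writes the trigger into its own buffer; afterwards it reads kernel memory."""
    m = Machine(trigger)
    secret_addr = KERNEL_BASE + 0x1000
    m.store(secret_addr, b"root:hash", KERNEL)          # kernel stores something private
    before = m.mmu.allowed(secret_addr, USER)           # False: protection intact
    m.store(0x0040_0000, trigger, USER)                 # user buffer; the bytes pass the watcher
    after = m.mmu.allowed(secret_addr, USER)            # True: MMU now ignores CPL
    leaked = m.load(secret_addr, 9, USER) if after else None
    return before, after, leaked


def false_positive(trigger, nbytes=1 << 20, seed=1):
    """Does ordinary (seeded pseudo-random) bus traffic of nbytes accidentally fire the trigger?"""
    rng = random.Random(seed)
    w = BusWatcher(trigger)
    for _ in range(nbytes):
        w.observe(rng.getrandbits(8))
        if w.fired:
            return True
    return False


if __name__ == "__main__":
    print("before/after/leaked:", demo())
    print("2-byte trigger fires on random traffic:", false_positive(b"\x13\x37"))
    print("16-byte trigger fires on random traffic:",
          false_positive(b"\xde\xad\xbe\xef IMP trigger\x00"))
```

Note what the model shares with the real thing: the software that pulls the trigger needs no privilege at all, just the ability to put chosen bytes through memory, which any process has; and nothing in the operating system can see that the check has been switched off, since the check lives below it.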
It has emerged that organised crime gangs modified hundreds of credit/debit card terminals at the Chinese factory where they were made, installing a GSM module and SIM card, which was then used to send stolen credit card data to a number in Pakistan, and also to receive instructions on what to target. The terminals, which were distributed across Europe, remained undetected for a long time, stealing only small numbers of details, and only aroused suspicion when a security guard noticed mobile phone interference near the checkout area.
The corrupted devices are an extra three to four ounces heavier because of the additional parts they contain, and the simplest way to identify them has been to weigh them. A MasterCard International investigator said: "As recently as a month ago, there were several teams of people roaming around Europe putting the machines on scales and weighing them. It sounds kind of old school, but the only other way would be to tear them apart."
The illicit transactions took place at least two months after the information had been stolen, making it difficult for investigators to work out what had happened.
But after six months of fruitless investigation, investigators spotted an attempt at a similar fraud on a card which had only been used in one location in Britain. The chip and pin machine from the particular store was passed to MasterCard's international fraud lab in Manchester for inspection.
There has been no announcement of anybody having been arrested, and the criminals got away with a tidy profit, so one can probably chalk this down as a success for the criminals, and a serious failure of security (for one, the chip-and-pin protocols governing communication between the chip on the card, the reader and the network seem far too weak if they allow a card to be cloned; shouldn't the system be using some form of challenge-response security rather than handing all the information over in one go?).
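To put the challenge-response question in concrete terms, here is an added toy model (not EMV, and nothing from the investigation): a card that hands over the same proof every time, a card that answers a fresh challenge, an issuer that verifies both, and a tampered terminal that records one genuine exchange and replays it later. The card key, card number and amount are made up.

```python
import hashlib
import hmac
import os

# Constructed values: a made-up card number and a per-card key the issuer also holds.
PAN = b"4111111111111111"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class Card:
    def __init__(self, pan, key):
        self.pan, self.key = pan, key

    def static_proof(self):
        """Same bytes every time, whatever terminal asks: a recording is as good as the card."""
        return hmac.new(self.key, self.pan, hashlib.sha256).digest()

    def dynamic_proof(self, nonce, amount):
        """Bound to a challenge the card has never seen before, and to this amount."""
        msg = nonce + self.pan + amount.to_bytes(4, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self, key):
        self.key = key
        self.used_nonces = set()

    def new_challenge(self):
        return os.urandom(16)

    def verify_static(self, pan, proof):
        expected = hmac.new(self.key, pan, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def verify_dynamic(self, pan, nonce, amount, proof):
        if nonce in self.used_nonces:          # a verbatim replay reuses an old challenge
            return False
        msg = nonce + pan + amount.to_bytes(4, "big")
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.used_nonces.add(nonce)
        return True


def static_replay_succeeds():
    """Tampered terminal records one genuine exchange, then replays it weeks later."""
    card, issuer = Card(PAN, CARD_KEY), Issuer(CARD_KEY)
    captured = (card.pan, card.static_proof())         # what the terminal saw go past
    genuine = issuer.verify_static(*captured)
    replayed = issuer.verify_static(*captured)         # later, from the recording alone
    return genuine and replayed


def dynamic_replay_succeeds():
    """Same recording attack against the challenge-response exchange.
    Returns (verbatim replay accepted, captured proof accepted under a new nonce)."""
    card, issuer = Card(PAN, CARD_KEY), Issuer(CARD_KEY)
    nonce, amount = issuer.new_challenge(), 4999
    captured = (card.pan, nonce, amount, card.dynamic_proof(nonce, amount))
    assert issuer.verify_dynamic(*captured)             # the real transaction goes through
    verbatim = issuer.verify_dynamic(*captured)         # same nonce again
    stale = issuer.verify_dynamic(card.pan, issuer.new_challenge(), amount, captured[3])
    return verbatim, stale


if __name__ == "__main__":
    print("static exchange replays:", static_replay_succeeds())
    print("challenge-response replays (verbatim, new nonce):", dynamic_replay_succeeds())
```

The nonce has to come from the issuer or the network rather than from the terminal, because in this case the terminal is the part the criminals own. Note what the exchange does not buy: a tampered terminal still sees the PIN typed into it and can relay a live transaction while the card is present, and any static data the terminal can read off the card stays static. What challenge-response does stop is captured data being reused later, which is exactly the two-month delay described above.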
Academic paper of the day: The Dining Freemasons, or a look at the mechanics and problems unique to secret societies from the perspective of (computer) security protocols:
To a first approximation, a secret society has three functions:
- to recruit the worthy,
- to pass on a secret doctrine,
- and to reward its members.
Each area presents intriguing challenges, but crucial to each aspect is membership testing – society members must be able to identify each other in order to pass on the doctrine, to confer rewards and to consider new applicants.
The paper talks about steganographic broadcasts (i.e., transmitting your affiliation in a coded form; the drawing of a fish by early Christians is one famous example), plausible deniability, and suggests various protocols using the semantic meanings of bodies of knowledge known to the society, including coding challenges and responses (or even small amounts of information) in the truth value of statements about the shared text.
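The "truth value of statements about the shared text" idea lends itself to a small model. This is an added illustration of that summary, not the paper's protocol, and the doctrine text is made up. The challenger states something about the text ("word number 7 is strength"), the candidate says whether it is true, and because the challenger makes the statement true or false by a coin toss, an outsider has no better than even odds per round: the outsider pass rate falls as 2^-k over k rounds while a member always passes.

```python
import random

# Constructed stand-in for a doctrine only members know (a real society would use a long text).
DOCTRINE = ("the craft rests on three pillars wisdom strength and beauty "
            "the lodge is opened in the east and closed in the west").split()


class Member:
    def __init__(self, text):
        self.words = list(text)

    def answer(self, position, word):
        """Truth value of 'word number <position> of the text is <word>'."""
        return self.words[position] == word


class Outsider:
    """Knows the game but not the text, so every answer is a coin toss."""

    def __init__(self, rng):
        self.rng = rng

    def answer(self, position, word):
        return self.rng.random() < 0.5


def make_statement(rng, text):
    """A statement about the text that is true or false with equal probability.
    Returns (position, word, truth); an outsider cannot tell which case it is."""
    position = rng.randrange(len(text))
    if rng.random() < 0.5:
        return position, text[position], True
    decoy = rng.choice([w for w in text if w != text[position]])
    return position, decoy, False


def membership_test(candidate, rounds, rng, text=DOCTRINE):
    """Pass only if every statement is judged correctly; each round leaks one bit."""
    for _ in range(rounds):
        position, word, truth = make_statement(rng, text)
        if candidate.answer(position, word) != truth:
            return False
    return True


def member_passes(rounds=20, seed=1):
    return membership_test(Member(DOCTRINE), rounds, random.Random(seed))


def outsider_pass_rate(rounds, trials=2000, seed=7):
    """Fraction of outsiders who bluff their way through; close to 2**-rounds."""
    rng = random.Random(seed)
    passed = sum(membership_test(Outsider(rng), rounds, rng) for _ in range(trials))
    return passed / trials


if __name__ == "__main__":
    print("member passes 20 rounds:", member_passes())
    for k in (1, 5, 10):
        print(f"outsider pass rate, {k} rounds: {outsider_pass_rate(k):.4f}")
```

Each round also costs the member one bit of deniability to anyone who overhears and knows the text, which is where the paper's concern with plausible deniability comes in: in a real setting the statements would have to pass as ordinary conversation, and a single wrong answer looks no different from ignorance.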
Also from the same authors: A Pact With The Devil, or a hypothetical outline of how a genuinely nasty form of malware could use various forms of persuasion and blackmail to spread itself.
A Pentagon researcher has laid out a chilling possibility: that terrorists could be using online role-playing games to plan attacks, disguised as raids in the virtual world:
In it, two World of Warcraft players discuss a raid on the "White Keep" inside the "Stonetalon Mountains." The major objective is to set off a "Dragon Fire spell" inside, and make off with "110 Gold and 234 Silver" in treasure. "No one will dance there for a hundred years after this spell is cast," one player, "war_monger," crows.
Except, in this case, the White Keep is at 1600 Pennsylvania Avenue. "Dragon Fire" is an unconventional weapon. And "110 Gold and 234 Silver" tells the plotters how to align the game's map with one of Washington, D.C.
Of course, the same argument could apply to any form of discussion. Terrorists could just as easily use last.fm playlists or online mixtapes to hatch their plans. (The above plan could be encoded as a copy of OMD's Enola Gay and a song by industrial noise band Whitehouse, followed by a song exactly 11 minutes long, which would give the time of the attack. For chemical or biological weapons, replace Enola Gay with Britney Spears' Toxic. You get the idea.) Or they could use internet memes; who's to say that the particular spelling/grammatical anomalies on the caption of the latest set of cat photos don't encode the details of a planned terrorist attack?
Of course, the terrorists could even eschew the internet altogether, using other means of communicating their plans, such as, say, public art. Who's to say that a terrorist sleeper agent hasn't been quietly making a name for himself as an artist, getting lucrative commissions, and waiting for the order to encode doomsday plans in a public sculpture (plenty of opportunity there) or a semi-abstract mural. (Avant-garde art itself is too easy.) Or architecture, or urban planning (if there are Masonic symbols in the layout of Washington DC's streets, there could be other things elsewhere.) The possibilities are infinite.
Perhaps Bruce Schneier could make his next Movie Plot Threat Contest hinge on coming up with creative ways in which evildoers could go to elaborate lengths to encode the message "nuke the Whitehouse at 11:00" in innocuous-looking environments. Because, as we all know, supervillains love complexity in and of itself, and the ideal terrorist plan would look more baroque than a steampunk laptop on Boing Boing.
The Times goes to DEFCON, interviews some hax0rs:
He tells me about one of his cases involving Symbolic Motors in La Jolla, California. Symbolic, which supplies Ferraris, Lotuses, Aston Martins and Bentleys to the stars, is arguably the most lucrative dealership in the States. It wanted to find out just how good its multi-million dollar security system was, so Pyr0 and his friends Ryan Jones and Chris Nickerson, who call themselves ethical hackers, went to work.
“First we did a bit of dumpster-diving, looking in their trash, to find out who their computer company was,” says the spiky-haired Pyr0. “Then I paid a visit, posing as one of their technicians and got access to the company's servers. I secretly installed a wireless network behind a desk while I was there, which allowed Ryan, who was in a car outside, to begin hacking into their computer system remotely.” While Jones was downloading Symbolic's files - details of sales, prices, film-star customers and so on - Pyr0 was wandering around the building taking pictures. There was no alarm security above the ground-floor showroom and the roof skylights were not alarmed. In the showroom, he worked out the blind spots in an array of motion sensors.
That night, they broke in through the unalarmed skylights, exploited the motion sensors' blind spots, crawled to the alarm keypad and switched off the system. They opened the showroom doors, drove out a Lotus and returned it, parking it the wrong way round.
With the iPhone, Apple have been expanding the boundaries of how much control a consumer electronics company can exercise over its products and their users. Much has been said about the iPhone's locked-down software distribution model, which has more in common with proprietary gaming consoles than with mobile phones (let alone Apple's wide-open OSX computers), and strict enforcement of carrier contracts. Now iPhone hacker Jonathan Zdziarski has discovered that Apple seem to have a central blacklist of banned iPhone applications. This is presumably to allow them to remotely kill any applications that made it through the approval process by mistake. (Apple could also use it to remotely kill applications that never were approved in the first place, installed on jailbroken iPhones—that is, assuming that the hacks for jailbreaking these phones don't start blocking the blacklist.)
A Dutch cyclist group has come up with a novel way of cutting bike theft: by teaching cyclists how to steal bicycles. The lessons in lockpicking and defeating common security mechanisms serve to instill what Bruce Schneier calls a security mindset, making the cyclists more conscious of their vulnerabilities, and better able to mitigate them.
An outfit named Sweet Dreams Security is making designed objects for a more paranoid age; from spiked railings, barbed wire and CCTV camera covers in the shape of cute animals to heart-shaped chains and (perhaps more practically) lace curtains shaped like anti-burglar grilles.
It's not clear how much of this is sincerely intended to fill a gap in the market and how much is critiquing or poking fun at the siege mentality of contemporary society and its normalisation as a banal aspect of consumer capitalism. The pieces shown are said to be actual manufactured items which may be ordered or bought in various designy shops, though they have mostly been exhibited in art galleries.
Could this be the worst security hole ever? The Oklahoma Department of Corrections' sex offender database site allowed users to issue arbitrary SQL queries on their database (which contained the complete details of anyone who has ever been on the wrong side of the law). The "print friendly link" took, as its argument, a SQL query, which it would then execute. Which, of course, means that not only could someone get enough details about anyone in the database to steal their identity, but could quite possibly insert arbitrary data into the government's official sex offender database. You can probably imagine the kinds of fun that someone could have with that.
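The flaw is easy to reproduce in miniature. The following is an added illustration, not the Oklahoma site's code, using an in-memory SQLite table with made-up records: the vulnerable handler executes the URL argument as SQL, as described above; the hardened one takes only a numeric record id and binds it into a fixed statement; and a read-only connection is added as defence in depth, so that a leftover injection could at most read, never write.

```python
import sqlite3


def make_db():
    """Constructed toy table standing in for the real register."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, address TEXT)")
    con.executemany("INSERT INTO offenders (name, address) VALUES (?, ?)",
                    [("J. Doe", "1 Example St"), ("R. Roe", "2 Sample Rd")])
    con.commit()
    return con


def print_friendly_vulnerable(con, query_param):
    """The pattern the post describes: the URL argument *is* the SQL, so a visitor
    can SELECT anything, or INSERT/UPDATE/DELETE, with the web app's own privileges."""
    cur = con.execute(query_param)
    con.commit()
    return cur.fetchall()


def print_friendly_hardened(con, id_param):
    """Fix: the URL carries only a record id; the SQL is fixed and the value is bound."""
    try:
        offender_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return con.execute("SELECT id, name, address FROM offenders WHERE id = ?",
                       (offender_id,)).fetchall()


def make_read_only(con):
    """Defence in depth: the page's connection can read but never write. Uses SQLite's
    authorizer hook; on a server database the equivalent is a read-only database role."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    con.set_authorizer(authorizer)
    return con


def writes_blocked(con):
    """True if an injected INSERT is refused on this connection."""
    try:
        print_friendly_vulnerable(
            con, "INSERT INTO offenders (name, address) VALUES ('X', 'Y')")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    print(print_friendly_vulnerable(con, "SELECT id, name FROM offenders"))
    print("hardened, id=1:", print_friendly_hardened(con, "1"))
    print("hardened, id='1 OR 1=1':", print_friendly_hardened(con, "1 OR 1=1"))
    print("writes blocked on normal connection:", writes_blocked(con))
    print("writes blocked on read-only connection:", writes_blocked(make_read_only(make_db())))
```

The read-only connection is not a substitute for the parameterised query (it still lets a visitor read the whole table), but it is what would have stopped the scenario the post worries about, someone inserting a record into the official register.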
Someone is sending pro-Tibet groups documents infected with keylogging malware, configured to send back keystrokes to a server in China. The documents are sent from addresses forged to resemble human rights groups, and purport to be details of Chinese massacres in Tibet and similar information.
The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.
The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.
Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.
Of course, the pro-Tibet groups could avoid being pwn3d by the Chinese by the simple expedient of not using Windows or common software to open documents.
Details have emerged of how the Bavarian police intercept Skype calls and encrypted internet traffic. Apparently they use specially written malware, from a company named Digitask. The malware needs to be installed on the suspect's computer (which can be done in a number of ways; if they can't get a black-bag team in, they can send an email carrying the trojan). Looks like Bavaria's safe from criminals who use Windows, then.
As reported elsewhere, Bruce Schneier, the Chuck Norris of computer security, leaves his home wireless network open:
To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.
I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.
I'm also unmoved by those who say I'm putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matt
A 14-year-old "electronics genius" in Lódz, Poland, built a remote control for the city's tram system (apparently out of a TV remote control, though presumably they mean that he housed it in a TV remote control case) and used it to change points, forcing trams onto the wrong tracks, until he was arrested.
"He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change.
Problems with the signalling system on Lodz's tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference.
Facebook is in the news again, with (so far) the first known instance of a Facebook application being used to install adware on users' PCs. If your friends invite you to install the "Secret Crush" application, you accept, and you are using Windows, then the application will install the Zango adware program on your PC, not to mention arm-twist you into spamming your friends with requests to add it.
If Secret Crush actually needs you to click buttons to invite your friends to add it, the criminal scumbags who designed it have missed a trick; some other applications, such as RockYou's Super Wall and related applications, are able to send messages to randomly selected individuals from a user's friend list, purporting to be that user and asking to be installed to see a message from them, without the user's intervention. (I once found in my notifications the notice that I had messaged three randomly-chosen people, whose relationships to me have nothing in common, inviting them to install Super Wall. Soon after that, Super Wall was no longer installed on my page.)
The issue of data portability, or who owns your personal information and friend lists online, has entered the news recently as Facebook deleted the account of blogger Robert Scoble for using a script to automatically fetch his contact list, in violation the site's terms of service (which prohibit scripts, as they can be used for spamming and such). Scoble's account has been reinstated, on the proviso that he doesn't do it again, but not before raising an outcry on his high-profile blog.
It seems that online criminals aren't waiting for zero-day exploits to be found, but are now making their own: someone tampered with the distributed source code of SquirrelMail, an open-source webmail client, and introduced a bug which allows arbitrary remote code execution. This was detected and rectified fairly quickly (mostly because the MD5s of the package were stored elsewhere, so the altered package no longer matched them), though anyone running one of the vulnerable versions may want to check their server logs to make sure they're not hosting anything like this.
This is probably just the tip of the iceberg; it's not unlikely that criminals (or, for that matter, intelligence agencies) have attempted to introduce security holes into other pieces of net-facing software.
Meanwhile, Windows Vista now not only chews up your CPU cycles on behalf of the RIAA/MPAA, but also includes a random-number generator believed to contain an NSA security hole.
As we dig in for the long siege and see potential terrorists in every shadow, the war on terror is, according to Bruce Schneier, turning into a war on the unexpected, with untrained civilians encouraged to report anything out of the ordinary, and the authorities escalating such reports to full-blown incidents:
We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.
This story has been repeated endlessly, both in the U.S. and in other countries. Someone -- these are all real -- notices a funny smell, or some white powder, or two people passing an envelope, or a dark-skinned man leaving boxes at the curb, or a cell phone in an airplane seat; the police cordon off the area, make arrests, and/or evacuate airplanes; and in the end the cause of the alarm is revealed as a pot of Thai chili sauce, or flour, or a utility bill, or an English professor recycling, or a cell phone in an airplane seat.
Schneier also links to this blog item, which shows that this principle is being extended towards the paedophile end of the paedoterrorist axis; apparently, in Virginia, a father holding his young daughter's hand is a sign of probable sexual abuse.
Speculation has arisen about the US intelligence services deploying insect-sized surveillance drones after anti-war protesters reported seeing unusually large and odd-looking dragonflies at a demonstration:
"I'd never seen anything like it in my life," the Washington lawyer said. "They were large for dragonflies. I thought, 'Is that mechanical, or is that alive?' "
At the same time, he added, some details do not make sense. Three people at the D.C. event independently described a row of spheres, the size of small berries, attached along the tails of the big dragonflies -- an accoutrement that Louton could not explain. And all reported seeing at least three maneuvering in unison. "Dragonflies never fly in a pack," he said.
The FBI has denied having such technologies. The CIA, meanwhile, is known to have tested a robotic "insectothopter" in the 1970s, before scrapping the project as it could not handle crosswinds. Scientists now have a better understanding of how insects fly, and it's possible that modern computer technology (not to mention materials science) could enable an insectothopter to respond to changes in its environment sufficiently well to navigate. Whether the spooks would risk prototypes, which officially do not exist, being captured by anti-war protesters is another question.
(If these things do exist, it's a good thing that America is immune to totalitarianism; imagine what, say, the Stasi or the Burmese junta would do with such technologies.)
Actually, the CIA/FBI may be a red herring. Has anybody asked Google about these bugs?
A technical problem causes Facebook to display its PHP source code; someone grabs this source code and posts it online; the code itself doesn't contain anything more revealing than variable names and include paths. Meanwhile, the non-technical press posts vague yet ominous-sounding warnings about how it could help criminals to steal users' identities (conceding that it doesn't actually allow them to do so as such).
Which is not to say that there aren't any risks; as always, one should exercise common sense. Facebook is an entertainment site, and thus engineered to less stringent standards of security than, say, banking sites. Even if the site itself is secure, your "private", "friends-only" information could fall into the hands of third parties in other ways (if, for example, criminals take control of a router between you and the Facebook servers and sniff all the traffic going through it, or if one of your friends (who is able to see your information) has a Windows virus on their PC which captures the pages they see). The same goes for other sites with "friends-only" capabilities, such as LiveJournal, Flickr, or various members-only forums or mailing lists.
There are a few interesting articles about cybercrime and the seamy side of the net at CIO.com: a fictionalised "CIO to the Mob" explains how online crime can pay, how online criminals use anti-forensics technology to be nigh-impossible to catch, and how the online porn and gambling industries are, as always, pushing the envelope in technological innovation and practice:
Red light sites probably aren't places CIOs normally would look to find innovative IT. But the sex and gambling industries have always been at the forefront of technological innovation. During World War II, the illegal telephone network that bookies developed was more reliable than the one the War Department used, says Harold Layer, professor emeritus at San Francisco State University. And the pornography industry has helped select technology winners and losers for ages. In the 1980s, for example, demand for adult material gave VCR makers the economies of scale they needed to make their devices affordable, says Jonathan Coopersmith, a professor of technology history at Texas A&M University.
With every program available at any moment, how will users find programs? Piper believes that search will be the killer app of IPTV. To that end, New Frontier is obsessive about metadata, watching every frame of every video it digitizes and recording as many attributes as it can. Customers can use these metadata tags to refine their searches until they find precisely what they're looking for. (For example, if you have a thing for blondes on the beach, a search on New Frontier's adult website Ten.com for "clothing-accessories-sunglasses," combined with "setting-outdoors-beach," and "physical-hair-blonde," returns two 15-minute clips, the fourth scene from Lock, Stock and Two Smoking Bimbos 2 and the first scene from Pick Up Lines 82.)
Was US President Bush's watch stolen in Albania, while he was wearing it and surrounded by five bodyguards? The US embassy is denying it, of course, but the video clearly shows Bush with and later without his watch, not to mention a hand grabbing his wrist in the interim.
By the look of it, someone in Albania is going to have a hell of a story to tell his grandchildren; that is, assuming he doesn't die in a CIA black prison or something.
Security researchers have found that it is trivially easy to transmit false traffic reports to in-car navigation units. The units look for messages transmitted as digital data piggybacked onto FM radio signals using a protocol known as RDS, and it seems not to have occurred to whoever designed the RDS system that anyone might tamper with these messages; as such, they are transmitted in the clear, and without any sort of authentication. The units also scan the entire FM spectrum, looking for anything that looks like a radio station with an RDS channel containing traffic information. The rest is left as an exercise to the reader:
Through trial and error, they discovered that transmitting certain code numbers translates into certain warnings that are displayed on the satellite navigation system. Some were amusing. One code number alerts users that there's a bull fight in progress. Another one indicates delays due to a parade. But some weren't so funny. One tells users that there has been a terrorist incident. Another indicates a bomb alert and another an air crash.
Security researchers dissect a Russian spam botnet; it turns out that these things are getting alarmingly sophisticated:
Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.
Stewart said about 20 small investment and financial news sites have been breached for the express purpose of downloading user databases with e-mail addresses matched to names and other site registration data. On the bot herder's control server, Stewart found a MySQL database dump of e-mail addresses associated with an online shop. "They're breaking into sites that are somewhat related to the stock market and stealing e-mail address from those databases. The thinking is, if they get an e-mail address for someone reading stock market and investment news, that's a perfect target for these penny stock scams," Stewart said in an interview with eWEEK.
The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. "This gives the spammer the ability to reach individuals who have never published their e-mail address online or given it to anyone other than personal contacts," Stewart explained.
Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.
The botnet is theoretically capable of sending a billion emails each day, with each having multiple recipients. And the total volume of spam has increased by 500% in the past 3 months.
The UK's terror threat level has been downgraded from "critical" to "severe". It is not clear whether this is a result of confidence that the worst threat is over, or because airports have been unable to cope with the new security measures.
And it now emerges that the attack may not have been imminent (the suspects had not purchased tickets and some didn't even have passports), but the timing of the arrests was forced by US officials. And this (somewhat more sensationalistic) article (via jwz) claims that the timing was "nothing more than political fabrication". And here is the Independent's roundup of what we know and don't know.
And Bruce Schneier has weighed in, on the subject of effective security and "security theatre":
None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests. And they wouldn't have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn't have made a difference, either.
The new airplane security measures focus on that plot, because authorities believe they have not captured everyone involved. It's reasonable to assume that a few lone plotters, knowing their compatriots are in jail and fearing their own arrest, would try to finish the job on their own. The authorities are not being public with the details -- much of the "explosive liquid" story doesn't hang together -- but the excessive security measures seem prudent.
But only temporarily. Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the rules, it's that focusing on tactics is a losing proposition.
The goal of a terrorist is to cause terror. Last week's arrests demonstrate how real security doesn't focus on possible terrorist tactics, but on the terrorists themselves. It's a victory for intelligence and investigation, and a dramatic demonstration of how investments in these areas pay off.
Air transport authorities are warning that increased security measures, including cabin baggage restrictions and extra screening, will be permanent, with restrictions on liquids and bans on certain types of cabin luggage remaining in force. Passengers may next have to surrender belts and trousers (or wear special pocketless flight suits, yet to be introduced) as such could be used by terrorists to smuggle explosives undetectably. Though even that won't stop terror mules with bombs inside their bodies:
"Quite frankly, that kind of experimentation has been taking place. We know that they have been testing strapped-on explosives on animals in the Middle East for years and it's not a magical leap to try inserting it into the rectum," he said.
Terrorists have already used mocked pregnancy prosthetics to slip bombs aboard planes, but no one has tried the mule approach yet, according to Harvey "Jack" McGeorge, a former Marine Corps bomb disposal specialist and a former Secret Service security specialist.
By smuggling explosives inside one's body, a suicide bomber would likely foil all of the current airport scanning technologies, as well as many future ones.
Perhaps the solution for air travel in the age of perpetual terror will be to anaesthetise all airline passengers, place them in coffin-like life-support pods for the duration of their journey and reawaken them at the other end? That would also allow more passengers to be carried on a plane and eliminate the costs of food, drinks and in-flight entertainment, further cutting costs. Either that or resign ourselves to a certain proportion of flights being downed by terrorists (much in the way that people accept that a certain (much greater) proportion of road journeys end in fatal car accidents) and just regard it as the luck of the draw.
Want a glimpse of a possible future of air travel in the age of al-Qaeda? Look no further than Israel and its national carrier, El Al, which despite being a prize target for Islamic militants across the world, has never lost a plane:
At a checkpoint before Ben Gurion airport vehicles come under scrutiny. Passengers may be picked out for passport checks. There is another spot check and a metal detector as they enter the terminal. Then they join the queue for questioning.
"What was the purpose of your visit to Israel? What did you do here? Who did you meet? Which cities did you visit? Is this your only passport? How many times have you been to Israel? Do you speak Arabic? Have you any knives?"
The questions come thick and fast. Officials are not interested in these details. They are looking for inconsistencies that suggest someone is hiding something.
Of course, El Al-level security is labour-intensive and would cost a fortune. Though we'd only need to keep it up until the oil runs out.
It looks like those bans on carry-on luggage on airliners could be here to stay, or at least until they find a way of detecting undetectable liquid explosives:
"A lot of these components are clear and have no smell and you could mix them on board. You do not need much explosive to bring down an aircraft," he said.
"The trouble with airport security measures is that a lot of machines do not spot a lot of explosives. It is still a case of dogs and people taking their clothes off."
And further down:
Airports and aeroplanes have been a key target for terrorists for decades. British-born Richard Reid tried to detonate a shoebomb on a transatlantic flight from Paris to Miami in late 2001. He was overpowered by passengers as he tried to ignite the explosives and was later jailed for life by a US court.
It looks like "shoebomb" is now a word.
More details are emerging on the terrorist attacks allegedly thwarted: they involved liquid explosives, carried by British-born terrorists (some with Pakistani connections), who allegedly planned to blow up airliners in waves of three at a time, for the glory of God the All-Merciful. The authorities claim the attack would have caused loss of life on an "unprecedented scale", which (after 9/11) makes one wonder how many aircraft they planned to blow up.
Anyway, until further notice, passengers on flights leaving the UK are prohibited from taking carry-on luggage or liquids into the cabin, except for a few small things (passport, sanitary items, and baby milk, which must be tasted by the passenger in question on check-in). Certainly no books, MP3 players, games, laptops or PDAs. Which makes me glad I'm not flying to Australia (about 21 hours each way) any time soon.
Of course, medicines with prescriptions are exempted from the rules. I hope no terrorist manages to forge a prescription and bring along some liquid explosive in a medicine bottle.
On a related note, Charlie Stross points to this paper, which provides some perspective about the magnitude of the terrorist threat and the response to it:
Until 2001, far fewer Americans were killed in any grouping of years by all forms of international terrorism than were killed by lightning, and almost none of those terrorist deaths occurred within the United States itself. Even with the September 11 attacks included in the count, the number of Americans killed by international terrorism since the late 1960s (which is when the State Department began counting) is about the same as the number of Americans killed over the same period by lightning, accident-causing deer, or severe allergic reaction to peanuts.
it would seem to be reasonable for those in charge of our safety to inform the public about how many airliners would have to crash before flying becomes as dangerous as driving the same distance in an automobile. It turns out that someone has made that calculation: there would have to be one set of September 11 crashes a month for the risks to balance out. More generally, they calculate that an American's chance of being killed in one nonstop airline flight is about one in 13 million (even taking the September 11 crashes into account). To reach that same level of risk when driving on America's safest roads -- rural interstate highways -- one would have to travel a mere 11.2 miles.
Accordingly, three key issues, set out by risk analyst Howard Kunreuther, require careful discussion but do not seem ever to get it:
- How much should we be willing to pay for a small reduction in probabilities that are already extremely low?
- How much should we be willing to pay for actions that are primarily reassuring but do little to change the actual risk?
- How can measures such as strengthening the public health system, which provide much broader benefits than those against terrorism, get the attention they deserve?
Police and MI5 claim to have foiled a terrorist plot to blow up airliners, arresting 18 people. The principal plotters are said to be all British-born. The UK is at its highest terrorist alert state, "critical" (meaning "This is it we're all going to die! I'm a teapot, I'm a teapot!"), incoming flights have been suspended, as have some outgoing flights, and for the foreseeable future, passengers flying out of the UK will not be able to take luggage into the cabin.
Bruce Schneier has a post about an interesting way to beat buffer overrun attacks:
Fortunately, buffer-overflow attacks have a weakness: the intruder must know precisely what part of the computer's memory to target. In 1996, Forrest realised that these attacks could be foiled by scrambling the way a program uses a computer's memory. When you launch a program, the operating system normally allocates the same locations in a computer's random access memory (RAM) each time. Forrest wondered whether she could rewrite the operating system to force the program to use different memory locations that are picked randomly every time, thus flummoxing buffer-overflow attacks.
Memory scrambling isn't the only way to add diversity to operating systems. Even more sophisticated techniques are in the works. Forrest has tried altering "instruction sets", commands that programs use to communicate with a computer's hardware, such as its processor chip or memory.
This produces an elegant form of protection. If an attacker manages to insert malicious code into a running program, that code will also be decrypted by the translator when it is passed to the hardware. However, since the attacker's code is not encrypted in the first place, the decryption process turns it into digital gibberish so the computer hardware cannot understand it.
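The instruction-set randomisation the quote describes, reduced to a toy stack machine so the mechanism is visible. This is an added example, not Forrest's implementation or the article's code: the "encryption" is XOR with a per-process random key, the opcodes and the sample program are made up, and a real implementation randomises a real processor's instruction encoding.

```python
import secrets

# The toy machine's genuine instruction set (constructed for this example).
PUSH, ADD, MUL, HALT = 0x01, 0x02, 0x03, 0x04


class IllegalInstruction(Exception):
    """The machine faults: the decoded byte is not a valid opcode, or the stack underflows."""


def new_process_key(length: int = 16) -> bytes:
    """A fresh random key for each process, chosen when the program is loaded."""
    return secrets.token_bytes(length)


def encode_program(code: bytes, key: bytes) -> bytes:
    """Load-time step: XOR every program byte with the key, so the stored image is scrambled."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))


def run(image: bytes, key: bytes, max_steps: int = 10_000) -> int:
    """The 'translator' decodes each fetched byte with the key before the machine executes it."""

    def fetch(pc: int) -> int:
        return image[pc] ^ key[pc % len(key)]

    stack, pc = [], 0
    for _ in range(max_steps):
        if pc >= len(image):
            raise IllegalInstruction("execution ran off the end of the image")
        op = fetch(pc)
        pc += 1
        if op == PUSH:
            if pc >= len(image):
                raise IllegalInstruction("truncated PUSH")
            stack.append(fetch(pc))
            pc += 1
        elif op in (ADD, MUL):
            if len(stack) < 2:
                raise IllegalInstruction("stack underflow")
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFF if op == ADD else (a * b) & 0xFF)
        elif op == HALT:
            return stack[-1] if stack else 0
        else:
            raise IllegalInstruction(f"undefined opcode 0x{op:02x} at offset {pc - 1}")
    raise IllegalInstruction("step limit reached")


def injected_code_survives(plaintext_code: bytes, key: bytes) -> bool:
    """Model the attack in the quote: code written into the process without being encoded.
    It is still XORed with the key on fetch, so it decodes to gibberish and (almost always)
    faults. Returns True only in the rare case where the gibberish happened to run to HALT."""
    try:
        run(plaintext_code, key)
        return True
    except IllegalInstruction:
        return False


# Constructed sample program: computes 6 * 7 and halts.
DEMO_PROGRAM = bytes([PUSH, 6, PUSH, 7, MUL, HALT])

if __name__ == "__main__":
    key = new_process_key()
    # The legitimately loaded program is encoded with the key, so it decodes correctly.
    print(run(encode_program(DEMO_PROGRAM, key), key))
    # The same bytes injected unencoded are mis-decoded and fault.
    print(injected_code_survives(DEMO_PROGRAM, key))
```

Note the residual risk the toy makes visible: with only a handful of valid opcodes, a random decoded byte is still occasionally executable, which is why the key must be unguessable and why a fault should be treated as a signal worth logging rather than a silent crash.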
According to this article, there are two ways to compromise computer security by plugging an untrusted USB/FireWire device into a computer.
The first one's the obvious one: somehow convince a user to plug a USB flash drive or similar into their Windows PC, without disabling autostarting. The PC will automatically run whatever program the AUTORUN.INF file on the flash drive tells it to, and this can then do whatever it likes to the PC. Of course, this won't work if the user holds down SHIFT, disables auto-starting or uses a machine with a less-brain-damaged operating system.
The second method is more intriguing. To allow fast data transfers along USB and FireWire buses, such buses implement direct memory access (DMA). What this means is that anything plugged into them can access (or modify) anything mapped into the machine's memory space at the hardware level, bypassing the operating system altogether. Of course, it requires more work (the device has to be an actual programmable computer, and not just a flash drive), but once that hurdle is crossed, the possibilities, as they say, are endless:
Recently a number of computer security researchers realized the tremendous potential of using DMA over FireWire or USB as an attack vector. At the CanSec West '05 conference, Michael Becher, Maximillian Dornseif and Christian N. Klein demonstrated an exploit that used DMA to read arbitrary memory locations of a FireWire-enabled system. The exploit was based on an iPod running Linux. For example, they could plug their customized iPod into a victim computer and grab a copy of that computer's screen--not just without the computer's permission, but even without its knowledge!
The article goes on to mention that this attack has not been demonstrated on USB devices, only with FireWire. If it works with USB, it could be interesting. I imagine that sooner or later, they'll start making USB chipsets which take steps to filter DMA requests.
Aside: I wonder whether it'd be possible to use such an approach on, say, a PlayStation 2 (which has two USB ports on the front, sitting rather uselessly), or indeed any other notionally tamperproof computer-based device with USB/FireWire ports. If one could access arbitrary memory inside such a device, one could get up to all sorts of mischief.
Bruce Schneier looks at the question of whom your computer's loyalties really belong to, with not only crackers and criminals competing for them but also rightsholders, software vendors and other companies, whose behind-the-scenes deals often mean that the software they sell you serves other masters:
Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit with several music CDs -- the same kind of software that crackers use to own people's computers. This rootkit secretly installed itself when the music CD was played on a computer. Its purpose was to prevent people from doing things with the music that Sony didn't approve of: It was a DRM system. If the exact same piece of software had been installed secretly by a hacker, this would have been an illegal act. But Sony believed that it had legitimate reasons for wanting to own its customers' machines.
Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong.
Internet services: Hotmail allows you to blacklist certain e-mail addresses, so that mail from them automatically goes into your spam trap. Have you ever tried blocking all that incessant marketing e-mail from Microsoft? You can't.
Application software: Internet Explorer users might have expected the program to incorporate easy-to-use cookie handling and pop-up blockers. After all, other browsers do, and users have found them useful in defending against Internet annoyances. But Microsoft isn't just selling software to you; it sells Internet advertising as well. It isn't in the company's best interest to offer users features that would adversely affect its business partners.
Schneier warns that the present situation could have dire consequences:
If left to grow, these external control systems will fundamentally change your relationship with your computer. They will make your computer much less useful by letting corporations limit what you can do with it. They will make your computer much less reliable because you will no longer have control of what is running on your machine, what it does, and how the various software components interact. At the extreme, they will transform your computer into a glorified boob tube.
You can fight back against this trend by only using software that respects your boundaries. Boycott companies that don't honestly serve their customers, that don't disclose their alliances, that treat users like marketing assets. Use open-source software -- software created and owned by users, with no hidden agendas, no secret alliances and no back-room marketing deals.
BBC Newsnight's Adam Livingstone sets the record straight on paedophiles, terrorists and file sharing:
First though, an apology. File sharing is not theft. It has never been theft. Anyone who says it is theft is wrong and has unthinkingly absorbed too many Recording Industry Association of America press releases. We know that script line was wrong. It was a mistake. We're very, very sorry.
If copyright infringement was theft then I'd be in jail every time I accidentally used football pix on Newsnight without putting "Pictures from Sky Sport" in the top left corner of the screen. And I'm not. So it isn't. So you can stop telling us if you like. We hear you.
With the intellectual-property industry (whose word-magicians are responsible for the "copying = theft" syllogism) making up an ever-increasing section of the economy of the West, and thus commanding the attention of politicians and bureaucrats, I wonder how much pressure will be brought to bear from high up for this particular Livingstone to be censured or sacked, and the BBC to toe the line.
The rest of the article goes on about ISPs blocking BitTorrent, other clients using encryption to bypass the blocks, and the resulting increase in encrypted content on the net allowing suspicious encrypted paedoterrorist communications, which would have otherwise drawn the security services' attention, to sink into the encryption soup unnoticed.
(via Boing Boing)
After alleged British spies were caught in Russia using a wireless receiver hidden inside a rock to communicate with recruits (though it has been suggested that the story was partly if not wholly made up by Russian government agencies to justify a crackdown on non-government organisations), security guru Bruce Schneier's blog discusses the possibility of wireless "dead drops"; and, if anything, there would be less easily detectable ways of doing it than hiding a device in a rock:
Even better, hide your wireless dead drop in plain sight by making it an open, public access point with an Internet connection so the sight of random people loitering with open laptops won't be at all unusual.
To keep the counterespionage people from wiretapping the hotspot's ISP and performing traffic analysis, hang a PC off the access point and use it as a local drop box so the communications in question never go to the ISP.
And various commenters propose other suggestions for undetectable ways of passing spy information to otherwise innocent-looking WiFi access points, and receiving it afterwards:
Replace one access point at a support provider for Starbucks and then have someone figure out which one it is after it's up. Use an ASIC MAC filter to send traffic to a special part of the access point itself.
Port knocking on that dangling PC. The PC stays in stealth mode and only replies (briefly) when knocked upon.
Even better, how about hacking one's wireless configuration manager to hide the contraband data in unused header fields, passing it to a similarly hacked access point that would be an otherwise functional dead end. The spy's laptop wifi antenna could be accidentally left activated and innocently trying to associate with whatever WAP it sees (like my wife's does in our neighborhood). Hit the right WAP(s) and the data is passed.
And then there is this suggestion:
All that spam you get in your in-box is merely steganography. The word "viagra" isn't mis-spelled to get around the spam filters, it's a complicated encoding allowing the spammers and their prospective recipients to exchange messages without anyone suspecting that there are people who want the message in the message. That's why spammers don't care if they send it to people who don't want it, their goal is to make people think of their communications as discardable trash, rather than something that may have a value.
Urban design for a paranoid age: the Safe Bedside Table, which easily comes apart to form a club and a shield for fighting off intruders.
(via bOING bOING)
The latest advance in Windows worms is a worm which takes over people's instant-messaging accounts and chats to their friends, attempting to talk them into downloading it; in short, an automated form of social engineering:
According to IMlogic, the worm, dubbed IM.Myspace04.AIM, has arrived in instant messages that state: "lol thats cool" and included a URL to a malicious file "clarissa17.pif." When unsuspecting users have responded, perhaps asking if the attachment contained a virus, the worm has replied: "lol no its not its a virus", IMlogic said.
Which suggests that the Turing test may be easier to pass in an environment where people start messages with "lol". If your friends suddenly turn into giggling prepubescents and start trying to convince you to download a file, you know what's happening.
I wonder whether this will lead to an arms race in worm conversational abilities. Perhaps the next one will trawl message logs and pick out phrases/words used by that contact (or use them to change its own writing style)?
An inventor in Wales has invented a teenager repellant. It's a device that emits an annoying noise at a frequency only youths can hear; the youths then scatter, leaving the oldies in peace.
The device, called the Mosquito ("It's small and annoying," Mr. Stapleton said), emits a high-frequency pulsing sound that, he says, can be heard by most people younger than 20 and almost no one older than 30. The sound is designed to so irritate young people that after several minutes, they cannot stand it and go away.
At first, members of the usual crowd tried to gather as normal, repeatedly going inside the store with their fingers in their ears and "begging me to turn it off," Mr. Gough said. But he held firm and neatly avoided possible aggressive confrontations: "I told them it was to keep birds away because of the bird flu epidemic."
The problem is that it's only most, not all, people over 30 who are immune to its effects.
Andrew King, a professor of neurophysiology at Oxford University, said in an e-mail interview that while the ability to hear high frequencies deteriorates with age, the change happens so gradually that many non-teenagers might well hear the Mosquito's noise. "Unless the store owners wish to sell their goods only to senior citizens," he wrote, "I doubt that this would work."
The article describes other devices for keeping the young and disorderly at bay, including "zit lamps", which cast a blue light that accentuates acne, and the old standby, classical music.
Scare meme of the day: if bird flu, al-Qaeda weaponised ebola or a meteor strike don't get us, alien computer viruses exploiting Seti@Home to take over Earth's computer systems just might. Assuming, of course, that the aliens understand enough about our puny earthling computer architectures, operating systems and library vulnerabilities to write a useful exploit and encode it the right way in a radio signal.
(via bOING bOING)
Another reason to avoid "Copy Controlled"/"Copy Protected" CDs: some of them (at least the ones from Sony BMG) install rootkits on your Windows PC; ones which, if an attempt is made to remove them, disable your CD-ROM drive. Someone at Sony BMG should go to jail for this, though probably won't.
(via substitute)
In recent months, the blog comment spam problem has gotten progressively worse, as more and more parasitic scumbags take to hijacking any sort of comment system to drive up their search engine rankings and/or drive gullible people to malware-installing websites. In the light of this, The Null Device has now installed a CAPTCHA-like system for preventing comment spam on its comment pages.
From now on, whenever you enter a comment, you will need to type several letters, as seen on a graphic image on the page, into a form. With any luck, the images will be legible to humans but not easily decipherable by OCR software, and will keep comment spam out of the site.
Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user's profile, creating a replicating worm. "So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends," Samy explained.
For a brief time, Samy had more than one million new friends. Then MySpace noticed that something strange was happening, shut the site down and cleaned the script off users' pages. Google's Evan Martin has an analysis of the code.
It turns out that web filtering software from US company Symantec has been blocking anti-war emails. Mails containing links to www.afterdowningstreet.org were blocked by Symantec's anti-spam software, because the link allegedly received 46,000 complaints. Which means either that all it takes to censor the public's email in the US (and, presumably, other countries which buy Symantec software) is the capacity to send a lot of complaints (which is not hard these days), or that it is Symantec policy to use its power in the marketplace to impose a specific political ideology, à la Wal-Mart. (Does anybody know whether the owners of Symantec have a specific political bias?)
Meanwhile, a carefully-constructed trick webpage can cause Firefox to execute arbitrary code on any platform (such as, say, installing rootkits or botnet clients). The Mozilla Foundation have patched this, though it's not in the Debian distro yet.
(via substitute, slashdot)
Security guru Bruce Schneier turns his professional paranoia to the Papal election, and looks at how vulnerable it is to fraud or rigging. The answer: not very. There are a few minor flaws, though much of the mechanism is quite robust.
What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a Pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems work is through a pyramid-like scheme, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.
And a third and final lesson: when an election process is left to develop over the course of a couple thousand years, you end up with something surprisingly good.
Another reason to not install Flash in your web browser (or, at least, switch it off and start it manually when you need it); not only is Flash used primarily for making ads more annoying, but now it can bypass cookie privacy controls to keep track of your web-browsing habits. (via /.)
Macromedia have a page where you can access your Flash plug-in's privacy settings; if you're using Firefox, you may also want to install Flashblock, which disables Flash by default but lets you load Flash applets on a case-by-case basis.
A look at the U.S. Secret Service's tools for breaking encryption on seized data. Not surprisingly, they use a network of distributed machines to help brute-force keys. Cleverly enough, before they do so, they assemble a custom dictionary of potential keys/starting points from all data on the seized machine (including files, web browsing histories, and presumably terminology associated with the areas of interest visited web sites relate to). (via /.)
"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.
Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.
This technique apparently works surprisingly well, because people (including organised criminals) tend to choose relatively predictable passwords.
The moral of this story is: if you're planning the perfect crime using computers and encryption, you may find it wise to develop an obscure interest and not mention it by electronic means. Or, for that matter, let it show up in credit card receipts, library records, personal effects, or any other information the authorities could get. Which could be trickier than it sounds.
Also on the subject of people subconsciously giving away more than they think: this IHT article on "psychological illusionist" Derren Brown (via bOING bOING):
He produces a sheet of blank paper and issues an instruction: Draw a picture. "Try to catch me out; make it a bit obscure," he orders. "Don't draw a house; don't draw a stick man." Walking to another room and out of sight, he decrees that the picture should be concealed until the end of the interview - whereupon, he claims, he will reveal what it is.
Recently, he said, he used his talents to defuse a situation in which an aggressive youth approached him on the street, yelling, "What are you looking at?" (Brown responded with a rapid series of diversionary non sequiturs, he said; the man burst into tears.)
Instructing me to concentrate, he pulls out a blank sheet of paper and begins sketching, chatting all the while. He tells me he "sees" a conical shape with spots on it - some sort of decorated lamp with a blob on top. And knock me down if he does not produce a near-exact replica of my drawing, the only differences being that his has more dots than mine, and his stripes are horizontal, not vertical.
Channel 4 has a Derren Brown microsite here, with streaming video and explanations of some of the tricks (such as making people fall asleep in phone booths). Think of it as the human equivalent of the buffer overrun attack.
The SHA-1 hash function, touted for a few years as more secure than MD5, has apparently been broken. What this means is that (assuming that the details check out), for any file (such as a digital signature) with a SHA-1 checksum, an attacker can create an alternative file with the same checksum in a sufficiently short time to make it practical. Which means that, with a modern computer, script kiddies, online fraudsters and others will soon be able to create genuine-looking digital signatures on demand. (via Techdirt)
A h4x0r group named Shmoo has revealed a new web-spoofing attack which takes advantage of Unicode characters which look like ASCII characters but aren't, allowing spoofers to register sites like http://www.pаypal.com/ (note that the first 'a' isn't an 'a', but rather Unicode character #1072, the Cyrillic small 'a'). A demo page with two dodgy links is here.
Such attacks, of course, only work if Unicode domain names are allowed. This is one of the few times that Internet Explorer users are safer than Mozilla/Firefox users, as IE doesn't support international domain names out of the box. If you're using Firefox, you may be able to fix it by following this procedure (via bOING bOING):
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
Of course, if you practice safe web access, you won't be entering your bank details or whatever after following a link (however kosher-looking) from an untrusted source in the first place, but only after having typed it in with your own hands or selected it from your local bookmarks.
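As an added illustration (not from the post or from the Shmoo demo page), here is a defender-side check for the homograph trick above: it flags a DNS label whose letters mix scripts, and shows the ASCII "xn--" form that the name takes on the wire. The spoof hostname is constructed from the post's Cyrillic small 'a' (U+0430, decimal 1072).

```python
# Added example: detect mixed-script ("homograph") hostnames such as the
# Cyrillic-a "pаypal.com" described above. Not code from the original post.
import unicodedata
from typing import Optional, Set, Dict, Any

CYRILLIC_A = "\u0430"                      # decimal 1072, looks like Latin 'a'
SPOOF_HOST = "p" + CYRILLIC_A + "ypal.com"  # constructed sample, renders as paypal.com
REAL_HOST = "paypal.com"


def script_of(ch: str) -> Optional[str]:
    """Script name for a letter (LATIN, CYRILLIC, GREEK, ...), None for non-letters.

    The first word of the Unicode character name is used, e.g.
    "CYRILLIC SMALL LETTER A" -> "CYRILLIC". Good enough for the
    Latin/Cyrillic/Greek confusables this check is concerned with.
    """
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def label_scripts(label: str) -> Set[str]:
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in (script_of(c) for c in label) if s}


def check_hostname(hostname: str) -> Dict[str, Any]:
    """Report whether a hostname looks like a script-mixing spoof.

    ascii_form    - the IDNA/punycode encoding (what the resolver sees);
                    any non-ASCII label comes out as xn--...
    mixed_labels  - labels combining more than one script; a label written
                    entirely in Cyrillic is NOT flagged, only mixtures are
    suspicious    - True if any label is mixed
    """
    labels = hostname.rstrip(".").split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    ascii_form = hostname.encode("idna").decode("ascii")
    return {
        "ascii_form": ascii_form,
        "mixed_labels": mixed,
        "non_ascii": any(lab.startswith("xn--") for lab in ascii_form.split(".")),
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    for host in (REAL_HOST, SPOOF_HOST):
        print(repr(host), check_hostname(host))
```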
A man in London was jailed for using the Lynx text-mode browser to make a donation to the tsunami relief fund. Anti-fraud monitoring interpreted the unusual browser signature (i.e., not Mozilla or IE) as the sign of a hack-attempt and the police went in in a SWAT-style raid, smashing his door down and arresting him. Which goes to show that it does not pay to use unusual software.
Two Dutch designers are taking on the growing menace of muggers with handbags embossed with outlines of guns; they also have ones with the shapes of knives and crucifixes (the last are presumably for use against vampires), not to mention laptop bags embossed with groceries to make them look less stealable. (Not sure how well that works; the outlines in the photos look a bit too cartoonish and unrealistic. I imagine that simple non-rectangular lumpiness, of the "I'm carrying lots of soft, non-valuable things", would probably be more effective in practice.) (via bOING bOING)
bOING bOING has uncovered, entirely by accident, an online guestbook, apparently in the demo section of a guestbook software site, which ended up being used as an appointment diary by a Florida brothel/escort agency.
We have two new girls: Mercedes and Rose. Please put a wheelchair next to Rose (meaning don't book her) until we get proof of age from her. Of course, if anyone needs "Clarity" forms, they can get them at the pickup sp
Other than the wacky hijinks that go on in the course of running such an establishment, it contains details such as workers' real names and clients' phone numbers; either "Anne-Marie" (the operator of the brothel; real name: "Frank") was oblivious to the privacy implications of using a free online guestbook test page for storing confidential information, or he just didn't care.
On a tangent, The Age has the poignant story of one man's career as a (gay) phone-sex worker:
One call that really tugged at my heartstrings was someone who called from the country. He had just lost his boyfriend in a car crash and said he was feeling very lonely. The worst part of it was that, because he was from a small town where "you'd get the crap beaten out of you if they found out you were gay", he had no one he could talk to. So he called me. I didn't know what to say. What's a sex phone operator supposed to say in these circumstances? My 20-minute coffee with the boss certainly didn't include a crash course in grief counselling. All I could suggest was that he get out of town every now and again.
Players of The Sims 2 have been swapping houses on a website, and have discovered that Sims hacks are contagious; an object infected with a hack will affect everything else in the installed copy of the game, which can often bugger things up.
The hacks are easy to install, but they aren't for everybody. Many are cheats that eliminate challenges and obstacles in the game, while others modify fundamental behavior of the virtual people that inhabit the Sims 2 world. The "No Social Worker" hack, for example, allows Sims to neglect their children without the state getting involved. The "No Jealousy" patch lets them keep multiple lovers without getting slapped all the time. Another hack allows teenagers in the Sims 2 to get pregnant. As the game is sold, they can't even have sex.
(Actually, the "pregnant teenagers" hack is not a hack, but rather an official localisation for the British release to make it more authentic. Especially the part where they start wearing hip-hop hoodies and smoking like a coal-fired power station.)
At one point as many as three-quarters of the lots on the exchange contained hacks, estimates Suzanne Walshire, a 57-year-old Sims 2 player from Pflugerville, Texas, and an early victim of the phenomenon. "It's extremely widespread," Walshire says. "Someone at Electronic Arts was really shortsighted not to have thought of hacked objects spreading this way. If they knew that their own objects would download with a house, they would know that other objects would download with a house also."
Perhaps EA's programmers were too exhausted from their 80-hour work weeks to notice such a flaw in their design?
Someone has plotted a chart of terror alerts against Bush's approval rating. The conclusions are, to the cynically-inclined, completely unsurprising: (via bOING bOING)
There are a few things that are quite evident from the chart:
- Whenever his ratings dip, there's a new terror alert.
- Every terror alert is followed by a slight uptick of Bush approval ratings.
- As we approach the 2004 elections, the number and frequency of terror alerts keeps growing, to the point that they collapse in the graphic. At the same time, Bush ratings are lower than ever.
Meanwhile, it appears that some mysterious conspirators are removing Americans from the electoral rolls by sending false change-of-address cards in their names. The local electoral commission, apparently, doesn't do anything to authenticate these. (via Charlie's Diary)
The latest in the annals of user cluelessness: more than 70% of people surveyed would reveal their computer password for a bar of chocolate. Or perhaps give a stranger a bogus, non-working password for a very real bar of chocolate (after all, it's not like they'd check it first).
A US "law enforcement and military equipment" company is selling a device for protecting valuables from thieves: pre-stained underpants with hidden pockets. The theory goes, thieves would be reluctant to probe around in a grotty, brown-stained pair of keks for long enough to find the concealed cash/passport/&c. (via Gizmodo)
I just found the following in my mailbox:
Subject: Email account utilization warning.
Dear user of Null.org,
Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
For more information see the attached file.
Have a good day,
The Null.org team http://www.null.org
Given that I own null.org (and that no address such as "email@example.com" actually exists), I must say I was a touch suspicious. And then I looked at the attachment portion of the email:
Content-Type: application/octet-stream; name="Information.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Information.pif"
Which looks to be a Windows executable of some sort. That's undoubtedly the "free auto-forwarding service" they mentioned. I'm sure it would have done exactly as that, only with the proviso of forwarding penis-pill spam to millions of mailboxes worldwide through my machine.
That is, if I (a) used a Windows machine, and (b) was sufficiently clueless to open an attachment from somebody claiming to be in charge of the "main mailing server" on my domain.
The rather eye-opening dissection of an online greeting-card spam; an email telling the user to go to a web site to see an electronic greeting card, and the website in question, which uses Internet Explorer security holes to overwrite your Windows Media Player and install a keylogger apparently programmed to look for online banking sites (and undetectable by current spyware detectors). Nasty; and another reason to not use IE (or, preferably, Windows). (via Slashdot)
Port knocking is a way of letting a computer accept connections to a port (such as ssh) without leaving it open (and vulnerable to attackers). The port is typically firewalled off from the internet; however, if the firewall receives a sequence of connection attempts to a specific sequence of ports, which is kept secret, it relaxes the firewall rules enough to allow the IP address in question to connect to the protected port. (via Slashdot)
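As an added example (not from the post, and not the code of any real port-knocking daemon), the following models the firewall-side logic just described: each source address must hit the secret ports in order, a wrong port or a long pause resets its progress, and only a completed sequence opens the protected port for that address, for a limited time. The port numbers and timings are constructed for illustration.

```python
# Added example: a minimal port-knocking state machine. Hypothetical, not a
# real firewall integration; it only decides what a firewall *would* do.
from dataclasses import dataclass, field
from typing import Dict, Tuple

PROTECTED_PORT = 22                   # the firewalled service (ssh)
KNOCK_SEQUENCE = (7000, 9000, 8000)   # secret sequence; deliberately not ascending,
                                      # so a simple sequential port scan never completes it
KNOCK_WINDOW = 10.0                   # max seconds between consecutive knocks
OPEN_DURATION = 30.0                  # seconds the port stays reachable after a good knock


@dataclass
class _Progress:
    index: int = 0          # number of knocks matched so far
    last_seen: float = 0.0  # time of the last matching knock


@dataclass
class KnockTracker:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    progress: Dict[str, _Progress] = field(default_factory=dict)  # src_ip -> progress
    opened_until: Dict[str, float] = field(default_factory=dict)  # src_ip -> expiry

    def allowed(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Would the firewall pass this packet? Only the protected port can ever
        be opened, and only for an address whose knock has not expired."""
        if dst_port != PROTECTED_PORT:
            return False
        return self.opened_until.get(src_ip, 0.0) > now

    def observe(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Record one dropped connection attempt (a 'knock').

        Returns True exactly when this attempt completes the sequence.
        """
        if dst_port == PROTECTED_PORT:
            return False  # attempts at the real port are not knocks
        p = self.progress.get(src_ip, _Progress())
        if p.index and now - p.last_seen > KNOCK_WINDOW:
            p = _Progress()  # too slow: start again from scratch
        if dst_port == self.sequence[p.index]:
            p.index += 1
            p.last_seen = now
        else:
            # Wrong port resets progress; the packet may still be a fresh first knock.
            p = _Progress()
            if dst_port == self.sequence[0]:
                p.index, p.last_seen = 1, now
        if p.index == len(self.sequence):
            self.opened_until[src_ip] = now + OPEN_DURATION
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = p
        return False


if __name__ == "__main__":
    t = KnockTracker()
    for port, when in ((7000, 1.0), (9000, 2.0), (8000, 3.0)):
        print(port, "completed" if t.observe("203.0.113.5", port, when) else "pending")
    print("ssh allowed at t=4:", t.allowed("203.0.113.5", 22, 4.0))
```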
- Parrot knows 950 words, has grammar, can coin phrases and shows evidence of a sense of humour. Which calls into question the accepted belief that parrots act as sound-recording devices. Mind you, the article also claims that the parrot has telepathic abilities, which makes it sound rather dubious. Perhaps the BBC News has been acquired by Pravda?
- FBI computer expert talks about (in)security:
American companies have tried to respond to the massive fraud being perpetrated online. One common preventive, adopted by most companies that sell products online, has been to refuse shipments outside of North America, or allow international shipping, except for Eastern Europe. Criminals have figured out a way around this, however. They hire folks to act as middlemen for them. Basically, these people get paid to sit at home, sign for packages from Dell, Amazon, and other companies, and then turn around and reship the packages to Russia, Belorussia, and Ukraine. You know those signs you see on telephone poles that read "Make money! Work at home!"? A lot of that "work" is actually laundering products for the Russian mob. Of course, anyone caught acting as a middleman denies knowledge of their employer: "I had no idea why I was shipping 25 Dell computers a day to Minsk! I just assumed they liked computers!"
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in America end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
- The amazing story of three blind brothers who became Israel's most formidable phone phreaks, partly by dint of their acute senses of hearing:
Two hours into an afternoon-long interview with the Hebrew-speaking Badirs, my translator's lips lock. He shrugs and tells me that the Badirs have shifted into a secret code. Ramy later explains that as kids he and Muzher developed their own language - reordering letters in mathematically complex ways - after they discovered that other boys were snooping on their conversations.
Ramy, Muzher, and Shadde were arrested on a variety of charges relating to computer fraud in connection with their hacks of the radio station and Bency Levy's phone sex operation. Police took them from their home in wrist and leg cuffs, but even in custody, they could not help but show off by conversing in their secret language and announcing telephone numbers that were being keyed in by law enforcers.
- Warning: blogging can endanger your career, relationships or general wellbeing: (via FmH)
"The blogging community is terribly incestuous," Lapatine admits. "If the relationship doesn't go well, all your mutual friends will read about it. This," he adds, "is how a friend of mine learned that he had halitosis and was a bad dancer."
Some bloggers run into difficulties from seemingly mundane reports about their daily thoughts and activities. "As an Asian girl, I get weird Asian-fetish e-mails from people who read [my] site," says Lia Bulaong, the twentysomething Manhattan author of Cheesedip (she includes tame photographs of herself in everyday clothes). "Also, stalkers I had in college that I didn't know about have come out of the woodwork."
- The prognosis for the upcoming Hitchhiker's Guide film looks somewhat dubious, what with Karey "Chicken Run" Kirkpatrick rewriting the script (undoubtedly crushing out anything that doesn't fit the standard Hollywood rules of characterisation and plot) and a rapper being cast as Ford Prefect. The thing about Trillian having been rewritten as a "brilliant scientist" also seems dubious. But you knew that already.
- A proposed Trainspotting-themed tour of Edinburgh has run into problems because the city has been cleaned up too much, with many of the locations in the novel and film no longer existing in any recognisable form (via Lev)
Beware: leading social network websites like LiveJournal, tribe.net and LinkedIn, are dangerously insecure; said sites don't bother with using SSL, sending cleartext passwords across where they may be intercepted:
Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL for member logins. "We don't need high industrial strength encryption for that," he said. "We use standard security techniques like unique session IDs."
Some attacks rely on technological vulnerabilities, and others rely on human gullibility and badly-designed user interfaces (i.e., the old spoofed-email-pointing-to-fake-login-page trick). And there's more at risk than adolescent social dramas.
A top-ranked member of a network like eBay might be able to sell more items than her peers. A high-karma user on a site devoted to legal issues could have a tremendous influence over public policy. According to social networks analyst Clay Shirky, identity spoofing is possibly the greatest threat to social discovery networks. "When your reputation is valuable, it becomes worth exploiting. It makes a stolen identity a more valuable commodity."
By impersonating a highly-reputable person, an attacker might gain access to that person's social network, business contacts and private life. Spammers might launch highly personalized campaigns. And sexual predators could use their victims' friend lists to find more people to harass.
The PCs at a certain hostel in Byron Bay appear to be fuzzy with adware; every few minutes, a program named "Save!" throws up a pop-under ad for some product. Not sure whether they installed it themselves or whether it snuck in with a "funny screensaver" or porn downloader or something.
"Save!", which claims to be associated with some outfit named "WhenU", strenuously disclaims acting as spyware, logging websites, passwords or anything like that. Though, of course, any piece of conspicuous spyware would say that as well. Just in case, I've taken to entering passwords by cutting and pasting words from other pages, deleting bits of them and adding the odd keystroke or two. It is probably theoretically possible to write a piece of spyware that keeps track of pastes, cursor positions, &c. into a password entry box, but in practice it may be quite difficult.
I wonder whether the alleged yuppification of Byron Bay has extended to there being wireless internet anywhere.
In the US, there has been some concern recently over automated voting machines that allow elections to be easily and undetectably rigged (not that anyone in a position of power would do such a nefarious thing, of course). Now the state of Nevada is putting its expertise in auditing slot machines to use on the voting machines. Slot machines (of which Nevada is full) are apparently subject to extremely rigorous technical audits to find any possible security holes, vulnerabilities or bugs that could compromise their fairness or allow them to be rigged; voting machines face no such standards. (via Slashdot)
Windows worm infects teller machines, in the first documented incidence of the sort. The Windows XP-based ATMs were made by Diebold (of dodgy voting-machine fame), connected to standard TCP/IP-based networks, and have been replacing legacy OS/2-based machines on proprietary networks.
Another resourceful criminal use of the countless thousands of virussed Windows machines on the internet: online protection rackets, where the "businessmen" (predominantly from Eastern Europe) target a high-profile website and threaten to knock them offline with a massive DDOS attack unless they pay up. Online casinos (which make a lot of money and are in poorly-policed areas) are a popular target.
Most of the computers used are broadband-connected home Windows PCs owned by clueless people, of whom there is, sadly, no shortage; and it doesn't look like the problem is going to go away, at least not until a totalitarian "trusted computing" regime is imposed on the internet at the IP level, or something equally drastic happens. Which makes me wonder whether or not Microsoft are deliberately allowing viruses to flourish on their OS so as to drive people into the highly profitable embrace of Big Brother.
Crackers break into Linux source code server, attempt to trojan the Linux kernel, giving root privilege to processes. The attempt was caught, and even had it not been, it wouldn't have matched against Linus' separate copy of the kernel sources.
It makes you wonder who's behind it? A teenager with something to prove? Spackers laying the groundwork for the next generation of distributed spam-hosting/sending/DDOS servers? The Russian Mafiya/Shanghai Triads/Yakuza doing a spot of long-term strategic planning? Al-Qaeda? Maybe even our own intelligence agencies?
Motorists in the U.S. will soon be able to buy a device that turns traffic lights green. The device will cost about US$499 and interface with the infrared receivers at intersections that allow emergency vehicles to change the lights. Think of how much quicker you'll get that pizza when the pizza guy has one of those babies on his dashboard... (via FmH)
The next breakthrough in machine intelligence is likely to come from the war between spammers and makers of spam filters: in particular, the hardest machine vision and reasoning problems are the scene of an arms race between spam bots and bot-detection systems, often known as "CAPTCHAs". Typically these take the form of the distorted letters/numerals you have to enter when signing up for your new free webmail account, but others are being worked on. Meanwhile, new generations of bots are emerging which are better at coping with the systems in use.
I wonder whether we'll soon see a breakthrough in AI enter the body of scientific literature not by being discovered by a AI researcher but by being dissected out of a captured bot by some sort of cyberzoologist, its principles becoming gradually revealed as its innards are studied, and the real discoverers remaining forever anonymous (if perhaps comfortably well-off) in the spam underworld.
The floating, untraceable online Forbidden City mentioned in that William Gibson book (Idoru, I think it was) is a reality; only, in reality, it sells fraudulent financial products and penis pills: a Polish "spacker" group is using trojanned PCs to "untraceably" host spammers' web sites. The system works by routing requests to the hijacked machines with special DNS servers run by the group:
According to Tubul, his group controls 450,000 "Trojaned" systems, most of them home computers running Windows with high-speed connections. The hacked systems contain special software developed by the Polish group that routes traffic between Internet users and customers' websites through thousands of the hijacked computers. The numerous intermediary systems confound tools such as traceroute, effectively laundering the true location of the website. To utilize the service, customers simply configure their sites to use any of several domain-name system servers controlled by the Polish group, Tubul said.
"Hackers used to detest spammers, but now that spamming has become such a big business, it's suddenly cool to be a spammer," Linford said. He said the junk e-mail business has also recently attracted "engineers who have been laid off or fired, and people who really know what they're doing with networking and DNS."
That's one of those things that is simultaneously fascinating and repugnant, much like a predatory wasp laying eggs inside a paralysed prey or something. (via bOING bOING)
After 9/11, governments quickly pulled formerly public information and restricted areas of scientific publication to keep them out of the hands of terrorists. Now DARPA, the US Department of Defense's research funding body has cancelled funding for OpenBSD security research because open-source software could help terrorist nation-states. Is this an isolated incident, or the start of a governmental purge of open standards and open-source software, and the start of a "national security"-driven shift towards proprietary standards kept on a strict need-to-know basis? After all, if Cisco, Microsoft and TRW hold the keys, the reasoning goes, Saddam Bin Laden can't use the technology to kill us. And replacing publically documented standards and open-source software with secret black-box technologies has numerous other advantages, from surveillance hooks to catch more terrorists, paedophiles, tax cheats and miscellaneous troublemakers to tremendous "peace dividends" such as end-to-end copyright enforcement and whistleblower-proof rights management for documents; not to mention handsome dividends for the shareholders of the keepers of the keys.
The latest development in Trustworthy Computing technology: NewCode, a programming language based on Orwellian principles. It is (theoretically) impossible to express security vulnerabilities in NewCode.
Here's why you should destroy your old hard disks: two MIT graduate students, Simson Garfinkel (known for his work in computer security) and Abhi Shelat, did an experiment in data-mining old hard disks; they bought 158 second-hand hard disks; on 49 of those disks, they were able to recover "significant personal information", including medical correspondence, love letters, pornography and credit card numbers. And if students can find these sorts of things, it's sure that some businessman of above-average ethical flexibility will have thought of the same thing.
(It's funny that there are no pages on effective ways to physically destroy hard disks beyond recovery. There must be quicker, easier and more efficient means than smashing them with a sledgehammer or tossing them in an incinerator. Cory Doctorow recommended dropping platters in acid in one of his stories; though, obviously, exact instructions weren't given. You'd think that some paranoiac on the Internet would have done the research and posted it for the benefit of fellow victims of persecution.)
The US Department of Homeland Security says open 802.11 access points are a national security threat, intends to mandate strict access controls. There goes that un-American "sharing" idea again.
Research reveals that the MS Windows API is intrinsically insecure; any application can spoof window messages to any other application, regardless of permissions, bypass the feeble "security" present and pull off all sorts of exploits. In other words, typical Microsoft security. And furthermore, the flaw is fundamental to the API and is irreparable, short of changing the fundamental design of the Windows message queue mechanism and breaking every existing Win32 application. (via the Reg)
An interesting article looking at the potential of UNIX shell script viruses. Shell scripts run on many architectures, and (along with C compilers) can be used to custom-build exploits and rootkits for the specific platform; while no such virus has been wildly successful yet, the potential is there.
(Of course, there's an easy way to defang many of them: remove the C compiler from your servers/front-line machines, which would make building exploits rather impossible. A malicious script could still download precompiled exploits from a website; though if you run your servers on something weird, it may not be able to find one; if crackers had to precompile exploits, they would probably go mostly after the 95% of machines which run Red Hat Linux on a x86 or something equally common.)
Subterfugue, a system for intercepting and altering system calls from untrusted Linux binaries, scriptable in Python. Get it before it's banned under the SSSCA. (via NtK)
Now this is ingenious: someone has devised a patch to the Linux kernel which allows you to essentially split a Linux box into several virtual servers, each with its own root user, process space, IP address space and such, all securely quarantined from each other. The applications include virtual servers (i.e., you can give people root on their own virtual servers on a machine without trusting them with the entire machine), virtual firewalls, testing/teaching environments and many more that people will undoubtedly come up with. (via Slashdot)
An inventory of CGI-script attack techniques commonly used by crackers and worms. If you write CGI scripts, go read. (via Slashdot)
Another idea for preventing hijackings, without the added cost of Israeli-style armed air marshals: letting armed police fly for free. It could work, you know; if there is an armed out-of-uniform cop on the plane, a hijacking is much more likely to fail; if there might be (and who's to say there isn't?), the odds of success may be sufficiently reduced to make suicide attacks less desirable. (Do you still get the 72 virgins in the afterlife if you're gunned down harmlessly in the aisle, and if that was the most likely outcome?) Though armed air marshals (or at least flight staff trained in hand-to-hand combat) could still be a good idea.
A technical article at IBM, looking at the NSA's secure Linux. (via Slashdot)
A fascinating treatise on the design of permissive action links; i.e., how to make sure that no-one can detonate your nuclear weapons without your authorisation:
Precise timing -- that's the key to my idea for a highly effective PAL. First, design the weapon to make the firing sequence as inherently complex and critical as possible. Vary the chemical composition and detonation velocities of the various pieces of high explosive so they have to be detonated non-simultaneously. Then store all of the required timing data in encrypted form in the weapon's memory. Better yet, encrypt everything (program and data) except for a small bootstrap that accepts an external key and decrypts everything for firing. Include this decryption key in the "nuclear weapons release" message from the "National Command Authority"
Now this is an interesting gadget: Netcomm's combination modem/hub/firewall, which runs Embedded Linux and can be configured with a web-based tool or by telnetting in. Probably not necessary for a one-machine setup, though a must-have for a geek/penguinhead share-house. (via Slashdot)
Life imitates cyberpunk scifi; or at least this account of the cat-and-mouse game between digital satellite TV company DirecTV and rogue hackers, does. It even reads like a story; the hackers kept cracking DirecTV's cards, one by one, but ultimately were defeated with cunning and no small measure of style. (via Slashdot)
More reasons to use Linux: A laptop stolen in London was found abandoned on the Tube and returned to its owner, because the thief couldn't figure out what to do with it. When he turned it on, the Linux login prompt threw him.
SNAFU in the Infowar Age: Trying to counteract Serbian computer viruses, NATO scientists created and accidentally released a virus which steals and leaks classified documents. This virus was responsible for sending a classified NATO document to a London publishing house, and has since resurfaced in the Czech ministry of defense. (Sunday Times)
Cambridge academic debunks "crypto menace" myth. (NewScientist)
Think what England was like when the government didn't really exist: anyone with any wealth or property had to design their house to withstand infantry-strength assault. That's not efficient. National governments and policemen will survive the electronic revolution because of the efficiencies they create.
If I were to hold a three-hour encrypted conversation with someone in the Medellín drug cartel, it would be a dead giveaway. In routine monitoring, GCHQ (Britain's signals intelligence service) would pick up the fact that there was encrypted traffic and would instantly mark down my phone as being suspect. Quite possibly the police would then send in the burglars to put microphones in all over my house. In circumstances like this, encryption does not increase your security. It immediately and rapidly decreases it. You are mad to use encryption if you are a villain.
The famous paper by Ken Thompson (the creator of the original UNIX), in which he describes his infamous self-perpetuating C compiler/login trojan horse.
The moral is obvious. You can't trust code that you did not totally create yourself... No amount of source-level verification or scrutiny will protect you from using untrusted code... As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.