Shared posts

20 Jun 12:06

Prepare for #OpPetrol Targeting Gas and Oil

by Symantec Security Response

On June 20, Anonymous will launch the #OpPetrol campaign against international gas and oil companies. It was announced on May 11, shortly after the campaign called #OpUSA began.

These types of organized attacks are often similar, as we have seen in previous operations, and may include:

  • Distributed denial-of-service (DDoS) attacks
  • Hacking and defacing social media accounts or posting fake messages
  • Hacking and defacing organization websites or stealing information and posting it as "proof" of breach
  • Hacking organization servers and attempting sabotage, such as planting disk wiping malware

There are various ways attackers may target these organizations, including using tools like the LOIC (Low Orbit Ion Cannon) or phishing emails to trick recipients into revealing account login details.

Symantec advises organizations to be prepared for attacks in the coming days.

Organizations should monitor for unusual activities in their networks, particularly any attempts to breach the perimeters. Staff members should be specifically trained on social engineering mitigation tactics along with regular security awareness training. As always, we continue to stress the importance of implementing a multi-layered approach to defense.

These recommendations apply to all organizations as best practices that should be carried out regularly as most attackers do not provide warnings in advance to targets.

20 Jun 12:06

FreeBSD 9.{0,1} mmap/ptrace exploit

by Hunger

$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012
     :/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger (fbsd9lul@hunger.hu)
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#

http://hunger.hu/fbsd9lul.c

20 Jun 07:28

Announcing CORE Impact v2013 R1.3

by Flavio de Cristofaro
We are pleased to announce the availability of CORE Impact v2013 R1.3 for our customers. This update builds upon the powerful 2013 R1 release and adds more than 40 new updates to the product. All customers can update to the new version from 2013 R1.0, R1.1, or R1.2 by simply performing a “Get Updates” from within their ...
20 Jun 07:24

HP iLO3/iLO4 Remote Unauthorized Access with Single-Sign-On, (Thu, Jun 20th)

HP released a

20 Jun 07:24

Video: Microsoft Offering Up To $100,000 In New Bug Bounty Program

19 Jun 14:48

PDP-11 Still Working In Nuclear Plants - For 37 More Years

by Unknown Lamer
Taco Cowboy writes "Most of the younger /. readers never heard of the PDP-11, while we geezers have to retrieve bits and pieces of our affairs with PDP-11 from the vast warehouse inside our memory lanes." From the article: "HP might have nuked OpenVMS, but its parent, PDP-11, is still spry and powering GE nuclear power-plant robots and will do for another 37 years. That's right: PDP-11 assembler programmers are hard to find, but the nuclear industry is planning on keeping them until 2050 — long enough for a couple of generations of programmers to come and go." Not sure about the OpenVMS vs PDP comparison, but it's still amusing that a PDP might outlast all of the VAX machines.

Read more of this story at Slashdot.



19 Jun 14:31

Facebook and Tor

by Runa

A number of users have noticed that Facebook is blocking connections from the Tor network. Facebook is not blocking Tor deliberately. However, a high volume of malicious activity across Tor exit nodes triggered Facebook's site integrity systems which are designed to protect people who use the service. Tor and Facebook are working together to find a resolution.

For further questions please contact us at execdir@torproject.org.

Update from Facebook on June 18, 2013, 2:30 PM EST: Facebook's site integrity systems detected automated malicious activity coming from a significant number of Tor exit nodes. In order to protect people while we investigated the problem, access via these nodes was temporarily suspended. This issue has now been resolved and Tor access routes to Facebook restored.

19 Jun 07:26

Targeted Attack Exploits Ichitaro Vulnerability

by Symantec Security Response

JustSystems, developer of the Japanese word processor software called Ichitaro, recently announced a vulnerability—Multiple Ichitaro Products CVE-2013-3644 Remote Code Execution Vulnerability (CVE-2013-3644)—that has been exploited by attackers in the wild. Symantec has seen the exploitation being used in targeted attacks since May, but it has been limited to users in Japan and the volume of attacks has been minimal.

The attacker can leverage this vulnerability by sending a specially crafted attachment as part of a spear phishing campaign. When a user opens the malicious Ichitaro document file, arbitrary code is executed causing malware to be dropped onto the computer. Symantec detects the malicious document files as Trojan.Tarodrop.M. Files dropped by the exploit depend on the specific attack but are generally detected as Trojans, such as Backdoor.Specfix.

We continue to monitor this threat to improve coverage and will provide any relevant updates when possible. Symantec strongly advises users to update their antivirus definitions regularly and ensure the latest Ichitaro patch is installed.

 

19 Jun 06:34

Evidence that the NSA Is Storing Voice Content, Not Just Metadata

by schneier

Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading.

I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls is just too much data to move around and store. Now, I don't know.

There's a bit of a conspiracy-theory air to all of this speculation, but underestimating what the NSA will do is a mistake. General Alexander has told members of Congress that they can record the contents of phone calls. And they have the technical capability.

Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls -- in case an analyst needed to access the recordings in the future. A Wired magazine article last year disclosed that the NSA has established "listening posts" that allow the agency to collect and sift through billions of phone calls through a massive new data center in Utah, "whether they originate within the country or overseas." That includes not just metadata, but also the contents of the communications.

William Binney, a former NSA technical director who helped to modernize the agency's worldwide eavesdropping network, told the Daily Caller this week that the NSA records the phone calls of 500,000 to 1 million people who are on its so-called target list, and perhaps even more. "They look through these phone numbers and they target those and that's what they record," Binney said.

Brewster Kahle, a computer engineer who founded the Internet Archive, has vast experience storing large amounts of data. He created a spreadsheet this week estimating that the cost to store all domestic phone calls a year in cloud storage for data-mining purposes would be about $27 million per year, not counting the cost of extra security for a top-secret program and security clearances for the people involved.

I believe that, to the extent that the NSA is analyzing and storing conversations, they're doing speech-to-text as close to the source as possible and working with that. Even if you have to store the audio for conversations in foreign languages, or for snippets of conversations the conversion software is unsure of, it's a lot fewer bits to move around and deal with.

And, by the way, I hate the term "metadata." What's wrong with "traffic analysis," which is what we've always called that sort of thing?

19 Jun 06:33

MySQL Man Pages Silently Relicensed Away From GPL

by Soulskill
An anonymous reader writes "The MariaDB blog is reporting a small change to the license covering the man pages to MySQL. Until recently, the governing license was GPLv2. Now the license reads, 'This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.'"



18 Jun 21:29

Hungarian movie pirates caught

by sct
According to 444.hu, Hungarian authorities arrested in early June the users going by the nicknames Muxuj and RNI, who are known for uploading Hungarian-language premiere films to torrent sites. The news had already been rumored for a few days on Hungarian torrent sites; nothing about the releasers …
18 Jun 15:42

MS13-048 - Important : Vulnerability in Windows Kernel Could Allow Information Disclosure (2839229) - Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (June 12, 2013): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Summary: This security update resolves one privately reported vulnerability in Windows Kernel. The vulnerability could allow information disclosure if an attacker logs on to a system and runs a specially crafted application or convinces a local, logged-in user to run a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system.
18 Jun 15:38

FreeBSD fixes a vulnerability allowing privilege escalation

by trey

The virtual memory subsystem of FreeBSD 9.0 and later versions is vulnerable due to insufficient permission checking. A local attacker who successfully exploits the flaw may be able to write to files that they can read but have no write permission for. Depending on the file and the nature of the modification, the attack may even end in privilege escalation. There is no workaround for the flaw. Remediation options: upgrading / patching the system and then rebuilding the kernel, or binary patching.

Details in the announcement.

17 Jun 14:39

Microsoft denies providing US government with vulnerabilities

Media reports have suggested that Microsoft has been supplying the US government with Windows security vulnerabilities for uses related to the PRISM programme. Microsoft has now released a statement denying all such allegations.
    


17 Jun 05:53

Snowden NSA Claims Partially Confirmed, Says Rep. Jerrold Nadler

by timothy
bill_mcgonigle writes with this news from CNET: "Rep. Jerrold Nadler (D NY) disclosed that NSA analysts eavesdrop on Americans' domestic telephone calls without court orders during a House Judiciary hearing. After clearing with FBI director Robert Mueller that the information was not classified, Nadler revealed that during a closed-door briefing to Congress, the Legislature was informed that the spying organization had implemented and uses this capability. This appears to confirm Edward Snowden's claim that he could, in his position at the NSA, 'wiretap anyone from you or your accountant to a federal judge to even the president.' Declan McCullagh writes, 'Because the same legal standards that apply to phone calls also apply to e-mail messages, text messages, and instant messages, Nadler's disclosure indicates the NSA analysts could also access the contents of Internet communications without going before a court and seeking approval.' The executive branch has defended its general warrants, claiming that 'the president had the constitutional authority, no matter what the law actually says, to order domestic spying without [constitutional] warrants,' while Kurt Opsahl, senior staff attorney at EFF claims such government activity 'epitomizes the problem of secret laws.'" Note that "listening in" versus "collecting metadata" is a distinction that defenders of government phone spying have been emphasizing. Tracking whom you called and when, goes the story, doesn't impinge on expectations of privacy. Speaking of the metadata collection, though, reader Bruce66423 writes "According to the Washington Post, the Bush administration took 'bulk metadata' from the phone companies under voluntary agreements for more than four years after 9/11 until a court agreed they could have it compulsorily." Related: First time accepted submitter fsagx writes that Brewster Kahle of the Internet Archive has calculated the cost to store every phone call made in the U.S. over the course of a year: "It's surprisingly inexpensive. It puts the recent NSA stories (and reports from the Boston bombings about the FBI's ability to listen to past phone conversions) into perspective."



15 Jun 12:08

!Exploitable crash analyzer version 1.6

by SDL Team

On Wednesday May 1st, !Exploitable crash analyzer version 1.6 became available.  Source code and binaries can be found at https://msecdbg.codeplex.com/.

For those who may be unfamiliar with the tool, !Exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. Its primary use is in evaluating crashes found by fuzzing.

The first new feature involves changes to the stack hashing portion of !Exploitable. !Exploitable provides two hashes of the stack at the point of the crash. One important part of creating the hashes is determining whether a specific frame of the stack should or should not be included in the hash calculation. By default !Exploitable uses a set of patterns to filter out stack frames which are used in processing exceptions, providing CLR functionality, or are OS resource functions. !Exploitable 1.6 allows this list to be extended via a configuration file. This allows teams to filter out parts of the stack they specifically do not care about, resulting in hashes that are more relevant to them.

The second new feature is support for processing crash dump files from Windows RT. This means !Exploitable has a working knowledge of ARM assembly and can translate the ARM instructions into its meta assembly, allowing the current rules to be applied.

To learn more about !Exploitable please visit https://msecdbg.codeplex.com/. Questions and comments can be left in the discussions section https://msecdbg.codeplex.com/discussions.

Andy Renk

Microsoft Security Engineering Center
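
The effect of an extended exclusion list on crash bucketing, as an added illustration that is not !Exploitable's code. The hash construction (SHA-256 over the first five kept frames for the "major" hash, over all kept frames with offsets for the "minor" hash), the glob patterns, the one-pattern-per-line configuration format and the sample stacks are assumptions constructed for this example.

```python
import fnmatch
import hashlib

# Assumed stand-ins for the built-in filter (exception processing, CLR,
# OS resource functions); not !Exploitable's real pattern list.
DEFAULT_EXCLUDES = [
    "ntdll!KiUserExceptionDispatcher*",
    "ntdll!Rtl*Exception*",
    "clr!*",
    "ntdll!Rtl*Heap*",
]

# Constructed team configuration: one glob per line, '#' starts a comment.
TEAM_CONFIG = """
# checked-copy wrappers from our runtime; never the interesting frame
teamrt!Checked*
"""

# Constructed stacks, innermost frame first, written as module!function+offset.
CRASH_A = ["ntdll!KiUserExceptionDispatcher+0x2e", "msvcrt!memcpy+0x5a",
           "teamrt!CheckedCopy+0x21", "parser!ReadChunk+0x4a",
           "parser!ParseFile+0x110", "fuzzhost!RunCase+0x33"]
CRASH_B = ["msvcrt!memcpy+0x5a", "teamrt!CheckedCopyUnaligned+0x37",
           "parser!ReadChunk+0x52", "parser!ParseFile+0x110",
           "fuzzhost!RunCase+0x33"]
CRASH_C = ["msvcrt!memcpy+0x5a", "teamrt!CheckedCopy+0x21",
           "parser!ReadHeader+0x18", "parser!ParseFile+0x9c",
           "fuzzhost!RunCase+0x33"]


def load_excludes(text):
    """Return the patterns in a configuration text, skipping blanks and comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def parse_frame(line):
    """Split 'module!function+0x1f' into (module, function, offset)."""
    symbol, _, offset = line.strip().partition("+")
    module, _, function = symbol.partition("!")
    return module.lower(), function, offset or "0x0"


def is_kept(frame, patterns):
    """A frame is kept unless its module!function matches an exclusion glob."""
    symbol = f"{frame[0]}!{frame[1]}".lower()
    return not any(fnmatch.fnmatchcase(symbol, p.lower()) for p in patterns)


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:8]


def stack_hashes(stack_lines, extra_excludes=(), major_depth=5):
    """Return (major, minor) hashes computed over the frames that survive filtering.

    major: function names of the first `major_depth` kept frames (coarse bucket).
    minor: every kept frame including its offset (fine-grained bucket).
    """
    patterns = DEFAULT_EXCLUDES + list(extra_excludes)
    frames = [f for f in map(parse_frame, stack_lines) if is_kept(f, patterns)]
    major = "|".join(f"{m}!{fn}" for m, fn, _ in frames[:major_depth])
    minor = "|".join(f"{m}!{fn}+{off}" for m, fn, off in frames)
    return digest(major), digest(minor)


if __name__ == "__main__":
    extra = load_excludes(TEAM_CONFIG)
    for name, stack in (("A", CRASH_A), ("B", CRASH_B), ("C", CRASH_C)):
        print(name, "default:", stack_hashes(stack),
              "extended:", stack_hashes(stack, extra))
```

With only the default list, crashes A and B land in different buckets because their wrapper frames differ; with the team pattern added they share a major hash while the minor hash still separates the two offsets in `ReadChunk`, and crash C stays in its own bucket.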

15 Jun 11:51

HackIt: Sony invites you to hack its SmartWatch firmware

by Mike Szczys

This is Sony’s smart watch, which has been around for a while now. It’s designed for use with your Android phone, and has always included an SDK that allows app developers to interact with it. But now Sony is taking it one big step further. They’ve published everything you need to know to hack your own firmware for the SmartWatch.

The navigation scheme for that article includes five menu items at the bottom which you’ll want to dig through. The most interesting to us was the one labeled “SmartWatch hacker guide”. It lays bare the hardware used in the watch and how its peripheral components connect to each other. This starts with the STM32 (ARM) microcontroller that drives the watch. It goes on to document how the screen is addressed (SPI1) including the pin to turn it on and off. The same goes for the Bluetooth, accelerometer, buzzer, and touch sensors.

Firmware is updated via USB using Device Firmware Upgrade (DFU) mode. We don’t see any way to connect an on-chip debugger. We searched to see if there is a JTAG port on the circuit board and it sounds like getting the watch apart without breaking it is pretty tough.

Now that you don’t need to stick to what Sony had planned for the device, what do you want to do with your strapless wristwatch?

[Thanks Brian]


15 Jun 11:51

FDA Calls On Medical Devicemakers To Focus On Cybersecurity

by Soulskill
alphadogg writes "Medical device makers should take new steps to protect their products from malware and cyberattacks or face the possibility that U.S. Food and Drug Administration won't approve their devices for use, the FDA said. The FDA issued new cybersecurity recommendations for medical devices on Thursday, following reports that some devices have been compromised. Recent vulnerabilities involving Philips fetal monitors and in Oracle software used in body fluid analysis machines are among the incidents that prompted the FDA to issue the recommendations."



15 Jun 11:51

Onion Pi — Make a Raspberry Pi Into a Anonymizing Tor Proxy

by Soulskill
coop0030 writes "Feel like someone is snooping on you? Browse anonymously anywhere you go with the Onion Pi Tor proxy. This is a fun weekend project from Adafruit that uses a Raspberry Pi, a USB WiFi adapter and Ethernet cable to create a small, low-power and portable privacy Pi."



15 Jun 11:51

Confirmed: CBS News Reporter's Computer Compromised

by timothy
New submitter RoccamOccam writes "Shortly after the news broke that the Department of Justice had been secretly monitoring the phones and email accounts of Associated Press and Fox News reporters (and the parents of Fox News Correspondent James Rosen), CBS News' Sharyl Attkisson said her computer seemed like it had been compromised. Turns out, it was. 'A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson's computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson's accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.'"



14 Jun 12:01

Responding to Claims of Compromise

by mcoates

Issue
A hacking group called “AnonGhost” is claiming they have compromised “Mozilla Emails Managers” and exposed the email address and a 16-character value for 50 accounts. Upon investigation we’ve determined the 16-character values are not user passwords. Instead, they are activation codes used for the initial activation of user accounts for a Mozilla blogging software.

Impact
The claim relates to 50 Mozilla employees, former Mozilla employees and other people in the Mozilla community. The activation code can not be used to directly access any systems. In all situations a username and password are required to access the blogging software. We have no indications that the passwords were at risk.

Status
At this time we are still performing additional investigations to understand how the activation codes were exposed. We’ll make sure to address any concerns that are uncovered.

Michael Coates
Director of Security Assurance

14 Jun 07:18

A solution against NSA wiretapping

by Hunger
14 Jun 07:13

Using TOR to evade Play Store geoban

by dnet

At Silent Signal, we use Amazon Web Services for various purposes (no, we don't run code that handles sensitive information or store such material without end-to-end encryption in the cloud), and when I read that multi factor authentication is available for console login, I wanted to try it. Amazon even had an app called AWS virtual MFA in the Play Store and in their appstore, but I couldn't find them on my Nexus S, so I tried a different approach by opening a direct link. The following message confirmed that I couldn't find it because someone found it a good idea to geoban this application, so it wasn't available in Hungary.

Geoban in Play Store on AWS virtual MFA

Although a month ago I found a way to use Burp with the Android emulator, this time I didn't want to do a man-in-the-middle attack, but rather just redirect all traffic through an Internet connection in a country outside the geoban. I chose the United States, and configured TOR to select an exit node operating there by appending the following two lines to torrc.

ExitNodes {us}
StrictExitNodes 1

TOR was listening on port 9050 as a SOCKS proxy, but Android needs an HTTP one, so I installed Privoxy using apt-get install privoxy, and just uncommented a line in the Debian default configuration file /etc/privoxy/config that enabled TOR as an upstream proxy.

forward-socks5   /               127.0.0.1:9050 .

For some reason, the Android emulator didn't like setting Privoxy as the HTTP proxy – HTTP connections worked, but in case of HTTPS ones, the emulator just closed the connection with a FIN just after receiving the SSL Server Hello packet, as it can be seen below in the output of Wireshark.

Android emulator sending a FIN right after SSL Server Hello

Even disconnecting TOR from Privoxy didn't help, so after 30 minutes of trials, I found another way to set a proxy in the Android emulator – or any device for that matter. The six steps are illustrated on the screenshots below, and the essence is that the emulator presents the network as an Access Point, and such APs can have a proxy associated with them. The QEMU NAT used by the Android emulator makes the host OS accessible on 10.0.2.2, so setting this up with the default Privoxy port 8118 worked on the first try.

Setting up an Access Point proxy in Android

I installed Play Store by following a Stack Overflow answer, and as it can be seen below, it appeared in the search results and I was able to install it – although the process was pretty slow, and some images are missing from the screenshots below because the latency of TOR was so high that I didn't wait for them to be loaded.

Installing AWS virtual MFA from Play Store over TOR

Having the app installed on the emulator, it's trivial to get the APK file that can be installed on any device now, even those without network connection.

$ adb pull /data/app/com.amazonaws.mobile.apps.Authenticator-1.apk .
837 KB/s (111962 bytes in 0.130s)
$ file com.amazonaws.mobile.apps.Authenticator-1.apk
com.amazonaws.mobile.apps.Authenticator-1.apk: Zip archive data, at least v2.0 to extract
$ ls -l com.amazonaws.mobile.apps.Authenticator-1.apk
-rw-r--r-- 1 dnet dnet 111962 jún   13 14:49 com.amazonaws.mobile.apps.Authenticator-1.apk
14 Jun 07:12

Help make a Tor Q&A page happen

by Runa

We have been discussing setting up a Q&A page for a while now and have finally proposed a Stack Exchange page for Tor.

The detailed version about how we go from a proposal to a live page can be found in this FAQ, but here is a quick summary:

A user proposes a new page, other users follow said page, and users create and vote on hypothetical questions. Each user can only ask 5 questions and vote on other questions. Once the page reaches enough followers and questions with a high score, the page moves into the "Commit" phase. A small number of users will need to commit to help building the site. Once that's done, the page goes live and is considered to be in "Beta".

The proposal is currently in a "Definition" phase. To move to the next phase, we need (1) a high number of followers of the page, and (2) a collection of good, relevant questions.

If you want to help our Stack Exchange page happen, sign up on Stack Exchange, follow our proposal page, ask 5 questions, and vote on other questions.

Thanks!

14 Jun 07:12

Woz Compares the Cloud and PRISM To Communist Russia

by timothy
An anonymous reader writes "Some journalists ran into Steve Wozniak at the airport and asked him about iOS 7 and PRISM, where he made an interesting comparison about how the US is becoming what it once feared most. In communist Russia 'you couldn't own anything, and now in the digital world you hardly own anything anymore (YouTube video). You've got subscriptions and you already said ok, ok, agree and you agree that every right in the world belongs to them and you got no rights and anything you put in the cloud, you don't even know,' says Woz. 'Ownership was what made America different than Russia.'"



14 Jun 07:11

Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources

by samzenpus
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your source.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.



13 Jun 20:55

Snowden Claims U.S. Has Been Hacking China, Hong Kong

13 Jun 20:54

Kim Dotcom Releases A Video Of Megaupload Raid

13 Jun 20:52

Ask Slashdot: How To Bypass Gov't Spying On Cellphones?

by timothy
First time accepted submitter jarle.aase writes "It's doable today to use a mix of virtual machines, VPN, TOR, encryption (and staying away from certain places; like Google Plus, Facebook, and friends), in order to retain a reasonable degree of privacy. In recent days, even major mainstream on-line magazines have published such information. (Aftenposten, one of the largest newspapers in Norway, had an article yesterday about VPN, Tor and Freenet!) But what about the cell-phone? Technically it's not hard to design a phone that can switch off the GSM transmitter, and use VoIP for calls. VoIP could then go from the device through Wi-Fi and VPN. Some calls may be routed through PSTN gateways — allowing the agencies to track the other party. But they will not track your location. And they will not track pure, encrypted VoIP calls that traverse through VPN and use anonymous SIP or XMPP accounts. Android may not be the best software for such a device, as it very eagerly phones home. The same is true for iOS and Windows 8. Actually, I would prefer a non cloud-based mobile OS from a vendor that is not in the PRISM gallery. Does such a device exist yet? Something that runs a relatively safe OS, where GSM can be switched totally off? Something that will only make an outgoing network connection when I ask it to do so?" And in the absence of a perfect solution, what do you do instead? (It's still Android and using the cell network, but Red Phone — open sourced last year — seems like a good start.)



13 Jun 15:26

Essays Related to NSA Spying Documents

by schneier