Shared posts

05 Feb 13:12

Someone (Mostly) 3-D Printed a Working Semi-Automatic Gun

by Andy Greenberg

Another incremental step in the evolution of digital DIY weapons.

The post Someone (Mostly) 3-D Printed a Working Semi-Automatic Gun appeared first on WIRED.

05 Feb 13:05

UN Counter-Terrorism Committee Tackles Terrorist Use of the Internet and Social Media

by David Fidler
Net Politics Cyber CFR

The Islamic State’s exploitation of the Internet and social media continues to bedevil U.S. policymakers, legislators, and tech companies. Problems with State Department efforts to counter Islamic State online propaganda have produced another overhaul of U.S. counter-messaging efforts. A legislative proposal in June 2015 to increase company reporting of online terrorist activity was dropped, but it reappeared after the San Bernardino terrorist attacks. Executive branch pressure on companies to do more against terrorist use of social media has increased, most recently in a meeting last month between federal officials and tech company leaders.

Attention on the U.S. government’s struggles has overshadowed the fact that terrorist online activities affect many countries. Meetings of the UN Security Council’s Counter-Terrorism Committee (CTC) in mid-December 2015, which I attended, focused on these global dimensions. The CTC Executive Directorate organized a technical meeting involving representatives from governments, civil society, and companies to discuss terrorist use of the Internet and social media. Then, the CTC held a special meeting for UN delegations and representatives from regional and international organizations to consider the technical meeting’s input and share perspectives on confronting this threat.

The CTC has long addressed terrorist exploitation of information and communication technologies (ICTs). In Resolution 1624 (2005), for example, the Security Council urged UN member states to combat incitement to commit terrorist acts. In tracking implementation of this resolution, the CTC reported difficulties countries face mitigating online terrorist activities. However, the Islamic State increased this threat in ways the CTC has decided to address more directly. The December meetings were designed to inform “strategies to guide States and the private sector in their efforts to prevent terrorists from exploiting the Internet and social media to recruit terrorists and incite terrorist acts, while respecting human rights and fundamental freedoms.”

The meetings were wide-ranging and populated with calls for more international cooperation. However, turning these calls into effective strategies confronts challenges because, beneath the diplomacy, tensions exist, including in the following areas:

Strategic considerations

  • Friction between support for government-led strategies and preferences for multi-stakeholder approaches;
  • Interest in more counterterrorism regulation of cyberspace, amidst warnings from human rights advocates about the dangers of further empowering governments to act under expansive notions of “terrorism;”
  • Identification of the need to build global trust in fighting terrorism in cyberspace, against the backdrop of disagreements among governments–and between the public and private sectors–over Internet governance, cybersecurity, privacy, and freedom of expression;
  • Support for the argument, made by a UN official, that “the UN Charter and international human rights law form the basis for effective preventive and counter-terrorism measures,” contrasted with the sense that, so far, these instruments have not produced effective measures; and
  • Interest in addressing online terrorism as a threat on its own terms, versus assertions that attacking the “root causes” of terrorism, which arise in the real world not cyberspace, is the only way to mitigate this problem sustainably.

Role of the United States and U.S. companies

  • Recognition of the importance of the United States, complicated by concerns that strict U.S. constitutional protection of freedom of speech, other federal laws, and the global dominance of U.S. social media companies inhibit international cooperation; and
  • Frustration with U.S. social media companies, countered by claims the companies are acting appropriately with all stakeholders.

Counter-content and counter-messaging approaches

  • Gaps among governments, and between governments and companies, about what criteria should guide taking down content from online platforms on counterterrorism grounds; and
  • Interest in more effective counter-messaging campaigns, versus skepticism that global collaboration in this area can be cohesive, consistent, or achieve the scale and speed needed to have strategic impact against the Islamic State.

Law enforcement issues

  • Consensus that mutual legal assistance treaties (MLATs) need reform to support countering online terrorist activities, but without clear direction on how reform moves forward globally; and
  • Statements from law enforcement officials that encryption poses a threat to their efforts against terrorism and crime, versus support for encryption from civil society and companies.

These and other issues do not mean the CTC’s commitment to address terrorist use of the Internet and social media faces insurmountable obstacles. In concluding the special meeting, the chair stated the CTC would:

  • Monitor terrorist use of the Internet, social media, and other emerging technologies;
  • Identify and share good practices developed around the world;
  • Continue to assess UN member states’ implementation of relevant Security Council resolutions, including those urging measures against incitement to terrorism; and
  • Support governments, the private sector, and civil society in counter-messaging activities.

Guided by the Security Council, the CTC will work to turn these commitments into strategies that, as its December meetings demonstrated, have not yet materialized amidst global reactions to the Islamic State’s online onslaught. Whether this onslaught confounds the Security Council and the CTC as it has the United States will now be determined.

05 Feb 12:50

Someone Hijacks Botnet Network & Replaces Malware with an Antivirus

by noreply@blogger.com (Mohit Kumar)

The Dridex banking trojan that is widely being used by cyber criminals to distribute malware onto users’ machines has now been found distributing a security software. A portion of the Dridex banking Trojan botnet may have been hacked or compromised by an unknown Whitehat Hacker, who replaced the malicious links with Avira Antivirus installers. What is Dridex Banking Trojan? How it Works

04 Feb 12:37

Get ready to tear into next round of hacker tool rules in Wassenaar Arrangement refresh

by Iain Thomson

Public consultation to be held on rewritten draft update

The US government has said it will give everyone the chance to pull apart its latest attempt at redrafting its implementation of the Wassenaar Arrangement.…

04 Feb 12:06

Winning Underhand C Contest code silently tricks nuke inspectors

by Chris Williams

Top evil source looks simple and innocent but is actually a warmonger's dream

The winner of an annual competition to write the best innocent-looking but actually malicious C code has been announced – and it involves hoodwinking nuclear weapons inspectors. Hypothetically, of course.…

03 Feb 12:49

Good Riddance to Oracle’s Java Plugin

by BrianKrebs

Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.

According to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.

“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on computers of anyone visiting or forcibly redirected to booby-trapped sites without the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9.

“By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies,” wrote Dalibor Topic, principal product manager for Open Java Development Kit (OpenJDK).

“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology,” Topic continued. “Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”

Crooks have used Java flaws to attack a broad range of systems, and not just Windows PCs: In 2013, the Flashback Trojan used a Java flaw to ensnare more than 600,000 Mac OS X systems in a massive botnet.

I look forward to a world without the Java plugin (and to not having to remind readers about quarterly patch updates) but it will probably be years before various versions of this plugin are mostly removed from end-user systems worldwide. And some businesses still reliant on very old versions of Java will continue to use outdated versions of the program.

But for most users, there is no time like the present to determine whether you have Java installed and decide whether it’s time to give it the boot once and for all. Hopefully, this is the last time I will have to include these boilerplate instructions on how to do that:

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Oracle’s instructions for removing Java from Mac OS X systems are available here.

If you have a specific use or need for Java, make sure you have the latest version. Also, know that there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: Unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
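To make the "do I have Java, and is it unplugged from the browser?" check repeatable across a fleet, here is an added PowerShell inventory script (not from the KrebsOnSecurity post). It assumes Oracle/Sun uninstall entries under the standard Uninstall registry keys and the per-user deployment.properties file the Java Control Panel writes under AppData\LocalLow\Sun\Java\Deployment; it only reports and changes nothing.

```powershell
# Added example, not from the KrebsOnSecurity post: inventory Java installs on a
# Windows machine and report whether "Enable Java content in the browser" is
# turned off in each user profile. Assumptions: Oracle/Sun uninstall entries under
# the standard Uninstall keys, and the per-user deployment.properties path used by
# the Java Control Panel (AppData\LocalLow\Sun\Java\Deployment).

function Get-InstalledJava {
    # Mirrors the Add/Remove Programs listing; covers native, WOW6432Node and per-user keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.Publisher -match 'Oracle|Sun Microsystems' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
}

function Get-JavaBrowserSetting {
    # The Java Control Panel's "Enable Java content in the browser" checkbox is
    # persisted as deployment.webjava.enabled=false in the user's deployment.properties.
    # Reading other users' profiles requires an elevated shell.
    $userDirs = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $userDirs) {
        $props = Join-Path $dir.FullName 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
        $state = 'not configured (Java defaults to enabled in the browser)'
        if (Test-Path -LiteralPath $props) {
            $match = Select-String -LiteralPath $props -Pattern '^deployment\.webjava\.enabled=(\S+)' |
                Select-Object -First 1
            if ($match) {
                $state = if ($match.Matches[0].Groups[1].Value -eq 'false') { 'disabled' } else { 'enabled' }
            }
        }
        [pscustomobject]@{ User = $dir.Name; BrowserJava = $state; Source = $props }
    }
}

$installs = @(Get-InstalledJava)
if ($installs.Count -eq 0) {
    Write-Output 'No Oracle/Sun Java entries found in Add/Remove Programs.'
} else {
    Write-Output "Java installations found: $($installs.Count)"
    $installs | Format-Table -AutoSize
    Write-Output 'Browser Java setting per user profile:'
    Get-JavaBrowserSetting | Format-Table -AutoSize
    Write-Output 'If Java is not needed, uninstall it; otherwise keep it current and leave browser content disabled.'
}
```

A profile that shows "not configured" has never had the checkbox touched, so the plugin is still active there even if another user on the same machine disabled it.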

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

03 Feb 12:41

Silk Road Investigator Re-Arrested Trying To Flee US

02 Feb 15:43

More Details on the NSA Switching to Quantum-Resistant Cryptography

by schneier

The NSA is publicly moving away from cryptographic algorithms vulnerable to cryptanalysis using a quantum computer. It just published a FAQ about the process:

Q: Is there a quantum resistant public-key algorithm that commercial vendors should adopt?

A: While a number of interesting quantum resistant public key algorithms have been proposed external to NSA, nothing has been standardized by NIST, and NSA is not specifying any commercial quantum resistant standards at this time. NSA expects that NIST will play a leading role in the effort to develop a widely accepted, standardized set of quantum resistant algorithms. Once these algorithms have been standardized, NSA will require vendors selling to NSS operators to provide FIPS validated implementations in their products. Given the level of interest in the cryptographic community, we hope that there will be quantum resistant algorithms widely available in the next decade. NSA does not recommend implementing or using non-standard algorithms, and the field of quantum resistant cryptography is no exception.

[...]

Q: When will quantum resistant cryptography be available?

A: For systems that will use unclassified cryptographic algorithms it is vital that NSA use cryptography that is widely accepted and widely available as part of standard commercial offerings vetted through NIST's cryptographic standards development process. NSA will continue to support NIST in the standardization process and will also encourage work in the vendor and larger standards communities to help produce standards with broad support for deployment in NSS. NSA believes that NIST can lead a robust and transparent process for the standardization of publicly developed and vetted algorithms, and we encourage this process to begin soon. NSA believes that the external cryptographic community can develop quantum resistant algorithms and reach broad agreement for standardization within a few years.

Lots of other interesting stuff in the Q&A.

02 Feb 13:11

Canada Cuts Off Some Intelligence Sharing With U.S. Out of Fear for Canadians’ Privacy

by Jenna McLaughlin

Canada’s CBC network reported Thursday that the country is slamming on the brakes when it comes to sharing some communications intelligence with key allies — including the U.S. — out of fear that Canadian personal information is not properly protected.

“Defense Minister Harjit Sajjan says the sharing won’t resume until he is satisfied that the proper protections are in place,” CBC reported.

Earlier on Thursday, the watchdog tasked with keeping tabs on the Ottawa-based Communications Security Establishment (CSE), Jean-Pierre Plouffe, called out the electronic spying agency for risking Canadian privacy in his annual report.

Plouffe wrote that the surveillance agency broke privacy laws when it shared Canadian data with its allies without properly protecting it first. Consequently, he concluded, it should precisely explain how Canadian citizens’ metadata — information about who a communication is to and from, the subject line of an email, and so on — can and can’t be used.

“Minimization is the process by which Canadian identity information contained in metadata is rendered unidentifiable prior to being shared,” Plouffe wrote in his report. “The fact that CSE did not properly minimize Canadian identity information contained in certain metadata prior to being shared was contrary to the ministerial directive, and to CSE’s operational policy.”

Defense Minister Sajjan said in a statement that the data sharing in question was the result of “unintentional” errors and didn’t allow for specific Canadian individuals to be identified.

The concern for Canadian metadata began shortly after disclosures made by NSA whistleblower Edward Snowden in 2013.

Plouffe’s predecessor told then-Defense Minister Rob Nicholson that the other countries in a secretive surveillance pact called the Five Eyes Alliance — the U.S., the U.K., New Zealand, and Australia — might not be sheltering Canadians’ telephone data the way they should.

The CSE has admitted since the Snowden revelations that it sometimes sweeps up domestic data when keeping track of foreign intelligence communications. When any of that information is shared abroad, “these activities may directly affect the security of a Canadian person,” the previous watchdog, Robert Decary, wrote at the time.

Canada’s decision to temporarily stop sharing information comes at a time when the U.S. is scrambling to come up with a new data-sharing arrangement with the European Union before a January 31 deadline. Europe’s top court decided in October that European privacy isn’t sufficiently respected by the American government or its spying agencies.

Top photo: Parliament Hill in Ottawa, Canada.

The post Canada Cuts Off Some Intelligence Sharing With U.S. Out of Fear for Canadians’ Privacy appeared first on The Intercept.

02 Feb 12:59

How Spy Agencies Hacked into Israeli Military Drones to Collect Live Video Feeds

by noreply@blogger.com (Swati Khandelwal)

In a joint surveillance program, the US intelligence agency NSA (National Security Agency) and the British intelligence agency GCHQ (Government Communications Headquarters) hacked into, decrypted, and tracked live video feeds of Israeli Military Drones and Fighter Jets. This could be one of the most shocking and embarrassing

02 Feb 12:53

NSA's TAO Head on Internet Offense and Defense

by schneier

Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) group -- basically the country's chief hacker -- spoke in public earlier this week. He talked both about how the NSA hacks into networks, and what network defenders can do to protect themselves. Here's a video of the talk, and here are two good summaries.

Intrusion Phases
  • Reconnaissance
  • Initial Exploitation
  • Establish Persistence
  • Install Tools
  • Move Laterally
  • Collect Exfil and Exploit

The event was the USENIX Enigma Conference.

The talk is full of good information about how APT attacks work and how networks can defend themselves. Nothing really surprising, but all interesting. Which brings up the most important question: why did the NSA decide to put Joyce on stage in public? It surely doesn't want all of its target networks to improve their security so much that the NSA can no longer get in. On the other hand, the NSA does want the general security of US -- and presumably allied -- networks to improve. My guess is that this is simply a NOBUS issue. The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won't slow it down significantly. And the Chinese/Russian/etc state-sponsored attackers will have a harder time. Or, at least, that's what the NSA wants us to believe.

Wheels within wheels....

More information about the NSA's TAO group is here and here. Here's an article about TAO's catalog of implants and attack tools. Note that the catalog is from 2007. Presumably TAO has been very busy developing new attack tools over the past ten years.

BoingBoing post.

EDITED TO ADD (2/2): I was talking with Nicholas Weaver, and he said that he found these three points interesting:

  • A one-way monitoring system really gives them headaches, because it allows the defender to go back after the fact and see what happened, remove malware, etc.

  • The critical component of APT is the P: persistence. They will just keep trying, trying, and trying. If you have a temporary vulnerability -- the window between a vulnerability and a patch, temporarily turning off a defense -- they'll exploit it.

  • Trust them when they attribute an attack (e.g., Sony) on the record. Attribution is hard, but when they can attribute they know for sure -- and they don't attribute lightly.

02 Feb 12:45

"Threat Hunting & Incident Response Summit Social Media Ambassadors"

by sansdfir

The SANS Summit team is looking for #ThreatHuntingSummit social media ambassadors! What is a social media ambassador? Someone who is a social media influencer in the DFIR and Threat Hunting space. We are looking for those rock stars who take this upcoming training very seriously but at the same time we want to show why …

02 Feb 12:35

They Named it — Einstein, But $6 Billion Firewall Fails to Detect 94% of Latest Threats

by noreply@blogger.com (Swati Khandelwal)

The US government's $6 Billion firewall is nothing but a big blunder. Dubbed EINSTEIN, the nationwide firewall run by the US Department of Homeland Security (DHS) is not as smart as its name suggests. An audit conducted by the United States Government Accountability Office (GAO) has claimed that the firewall used by US government agencies is failing to fully meet its objectives and

13 Jan 14:20

End of Life for Internet Explorer 8, 9 and 10

by Genwei Jiang

Microsoft has started the year with an announcement that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.

What this means for users is that Microsoft will no longer release new security updates for these product versions going forward. This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.

It should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.

These are all steps in the right direction for the Microsoft teams because it allows for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.

Figure 1 shows the vulnerability counts for Internet Explorer versions in 2015.

Figure 1. Internet Explorer vulnerability count for 2015 [1]

The graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.

Figure 2 shows the most notable in the wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.

Year   CVE             Affects
2014   CVE-2014-0322   IE 9 and 10
2014   CVE-2014-1776   IE 6 to 11
2015   CVE-2015-2419   IE 10 and 11
2015   CVE-2015-2502   IE 7 to 11

Figure 2. ITW attacks of Internet Explorer [1]

The majority of the attacks found ITW in 2014 and 2015 affected IE 11.

Figure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don’t.

Figure 3. IE11 vs. Non-IE11 vulnerability count [1]

Based on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft’s most recent move will allow the company to do the same.

It should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. These include, but are not limited to, VML and VBScript, which have been used to exploit and compromise the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.

It is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as others.

In conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.

[1] Microsoft Security Bulletins: https://technet.microsoft.com/en-us/library/security/dn610807.aspx

13 Jan 14:14

Windows 10 shattered Remote Desktop's security defaults – so get patching

by Shaun Nichols

All users of Windows, Office, and Adobe software should update ASAP

Microsoft has issued its January batch of security updates – including what will be the final round of patches for many versions of Internet Explorer.…

13 Jan 12:45

Apple’s Tim Cook Lashes Out at White House Officials for Being Wishy-Washy on Encryption

by Jenna McLaughlin

Apple CEO Tim Cook lashed out at the high-level delegation of Obama administration officials who came calling on tech leaders in San Jose last week, criticizing the White House for a lack of leadership and asking the administration to issue a strong public statement defending the use of unbreakable encryption.

The White House should come out and say “no backdoors,” Cook said. That would mean overruling repeated requests from FBI Director James Comey and other administration officials that tech companies build some sort of special access for law enforcement into otherwise unbreakable encryption. Technologists agree that any such measure could be exploited by others.

But Attorney General Loretta Lynch responded to Cook by speaking of the “balance” necessary between privacy and national security — a balance that continues to be debated within the administration.

The exchange was described to The Intercept by two people who were briefed on the meeting, which the White House called to discuss a variety of counterterrorism issues with representatives from Apple, Facebook, Twitter, Cloudflare, Google, Drop Box, Microsoft, and LinkedIn.

The Washington Post reported in September that the White House had decided not to pursue legislation against unbreakable encryption. But the intelligence community’s top lawyer was quoted in an email saying that the administration should be “keeping our options open … in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

And Comey has been urging technology companies to voluntarily alter “their business model” and stop offering end-to-end encryption by default.

Despite the growing pressure tech companies are feeling from governments worldwide to stop letting terrorists take advantage of their services, Cook has continued to defend the importance of encryption in protecting all digital transactions — from text messages and emails to bank information and medical records.

Cook has been outspoken in his opposition to the idea that we need to sacrifice privacy and digital security for the sake of public safety. During an episode of 60 Minutes on December 20, he said, “We’re America, we should have both.”

A White House briefing document for the meeting obtained by The Intercept noted that terrorists are using encrypted forms of communication “where law enforcement cannot obtain the content of the communication even with court authorization.”

The briefing asked if there might be “high-level principles” that Silicon Valley could agree on when it comes to terrorist use of encryption — and whether or not there are “technologies” that “could make it harder for terrorists to use the internet to mobilize, facilitate, and operationalize.”

The document also asked how the government could better take advantage of “unencrypted data” such as metadata — details about who is contacting who, when, and for how long — and whether or not there could be a good mechanism to “preserve critical data” and hand it over to law enforcement as quickly as possible, though the document did not specify what that “critical data” might be.

Administration officials attending the meeting included White House Chief of Staff Denis McDonough, Lynch, Comey, Secretary of Homeland Security Jeh Johnson, NSA Director Michael Rogers, and Director of National Intelligence James Clapper.

The Department of Justice and the FBI both declined to comment on the details of the meeting.

The White House document distributed at the meeting offered “classified briefings” to “share additional information” about the way terrorists are using encryption — but it did not specify what those meetings would entail, or the terms of attending them, including any security clearances and non-disclosure agreements that would be necessary.

The briefing document raised seemingly well-intentioned questions, such as whether or not there might be “potential downsides or unintended consequences” of developing or altering existing technology to solve these problems.

But technologists and cryptographers have been insisting for decades almost unanimously that trying to pierce impenetrable end-to-end encryption to provide the government with access would be more dangerous than beneficial. And you can’t put the genie back in the bottle.

According to the Washington Post, Comey would only fly to San Jose to participate in the meeting if encryption was on the agenda.

Top photo: Apple CEO Tim Cook

The post Apple’s Tim Cook Lashes Out at White House Officials for Being Wishy-Washy on Encryption appeared first on The Intercept.

13 Jan 12:39

Turkish Hacker Receives Record 334 Years In Prison Over Data Theft

13 Jan 12:16

US Intelligence Chief Hacked by the Teen Who Hacked CIA Director

by noreply@blogger.com (Swati Khandelwal)

Nation's Top Spy Chief Got Hacked! The same teenage hacker who broke into the AOL email inbox of CIA Director John Brennan last October has now claimed to have broken into personal email and phone accounts of the US Director of National Intelligence James Clapper. Clapper was targeted by the teenage hacker, who called himself Cracka and claimed to be a member of the

29 Dec 15:23

NSA/GCHQ Exploits against Juniper Networking Equipment

by schneier

The Intercept just published a 2011 GCHQ document outlining its exploit capabilities against Juniper networking equipment, including routers and NetScreen firewalls as part of this article.

GCHQ currently has capabilities against:
  • Juniper NetScreen Firewalls models Ns5gt, N25, NS50, NS500, NS204, NS208, NS5200, NS5000, SSG5, SSG20, SSG140, ISG 1000, ISG 2000. Some reverse engineering may be required depending on firmware revisions.

  • Juniper Routers: M320 is currently being worked on and we would expect to have full support by the end of 2010.

  • No other models are currently supported.

  • Juniper technology sharing with NSA improved dramatically during CY2010 to exploit several target networks where GCHQ had access primacy.

Yes, the document said "end of 2010" even though the document is dated February 3, 2011.

This doesn't have much to do with the Juniper backdoor currently in the news, but the document does provide even more evidence that (despite what the government says) the NSA hoards vulnerabilities in commonly used software for attack purposes instead of improving security for everyone by disclosing them.

Note: In case anyone is researching this issue, here is my complete list of useful links on various different aspects of the ongoing debate.

EDITED TO ADD: In thinking about the equities process, it's worth differentiating among three different things: bugs, vulnerabilities, and exploits. Bugs are plentiful in code, but not all bugs can be turned into vulnerabilities. And not all vulnerabilities can be turned into exploits. Exploits are what matter; they're what everyone uses to compromise our security. Fixing bugs and vulnerabilities is important because they could potentially be turned into exploits.

I think the US government deliberately clouds the issue when they say that they disclose almost all bugs they discover, ignoring the much more important question of how often they disclose exploits they discover. What this document shows is that -- despite their insistence that they prioritize security over surveillance -- they like to hoard exploits against commonly used network equipment.

29 Dec 15:22

China wants encryption cracked on demand because ... er, terrorism

by Iain Thomson

FBI dreams wistfully of Middle Kingdom's new antiterror law

China has passed its first antiterrorism law – and it is a worrying development for companies looking to do business securely in the Middle Kingdom.…

29 Dec 15:19

North Korean operating system is a surveillance state's tour de force

by Alexander J Martin

Further digging unveils more privacy-destroying features in Red Star OS

32c3  Fresh light has been shed on North Korea's Red Star OS, which – we're told – silently tracks the exchange of files between computers.…

27 Dec 21:35

#1180; In which Tales are told

by David Malki

Okay, technically, 'The Wonderful Wizard of Oz.' And it was a hundred and fifteen years ago.

26 Dec 20:37

Saturday Morning Breakfast Cereal - Passwords

by admin@smbc-comics.com

Hovertext: thatBeardIsntFoolingAnyone


04 Dec 11:35

Worldwide Cryptographic Products Survey: Edits and Additions Wanted

by schneier

Back in September, I announced my intention to survey the world market of cryptographic products. The goal is to compile a list of both free and commercial encryption products that can be used to protect arbitrary data and messages. That is, I'm not interested in products that are specifically designed for a narrow application, like financial transactions, or products that provide authentication or data integrity. I am interested in products that people like FBI director James Comey can possibly claim help criminals communicate securely.

Together with a student here at Harvard University, we've compiled a spreadsheet of over 400 products from many different countries.

At this point, we would like your help. Please look at the list. Please correct anything that is wrong, and add anything that is missing. Use this form to submit changes and additions. If it's more complicated than that, please e-mail me.

As the rhetoric surrounding weakening or banning strong encryption continues, it's important for policymakers to understand how international the cryptographic market is, and how much of it is not under their control. My hope is that this survey will contribute to the debate by making that point.

03 Dec 11:48

Industrial control system gateway fix opens Heartbleed, Shellshock

by Team Register

Metasploit module released to make 0day pwnage easy

Rapid 7 security man Todd Beardsley says new firmware released to patch hardcoded SSH keys in Advantech EKI industrial control system gateways contains known brutal flaws including Shellshock, Heartbleed, and buffer overflows.…

03 Dec 11:46

Malware Crypters – the Deceptive First Layer

by hasherezade

Recently, two suspects were arrested for selling Cryptex Reborn and other FUD tools (helping to install malware in a Fully UnDetectable way). Today, we will study some examples to make sure that everyone knows what this type of tool is and why it is dangerous. We will also present some examples of identifying and unpacking a malware crypter.

Crypters – what are they?

Most modern malware samples, in addition to built-in defensive techniques, are protected by some packer or crypter. A crypter's role is basically to be the first (and most complex) layer of defense for the malicious core. It tries to deceive pattern-based or even behavior-based detection engines, often slowing down the analysis process by masquerading as a harmless program before unpacking/decrypting its malicious payload.

They may also add some icons and metadata that make the sample look like a legitimate product.

Underground crypters, created to defend malware against antivirus/anti-malware products, are sold in typical cybercriminal hangouts. Below, you can see examples of crypters being advertised on the black market and the tricks they use:

crypter

cryptex

These products are designed to cater to simple criminals, those who do not need (or want) deep technical knowledge. That's why authors provide a GUI to configure all the options in a very easy way. For example, it allows the configuration of the encryption method and key as well as where the payload should be injected.

injection_targets

dragon_crypter

As you can see, a crypter is a completely independent module. Cybercriminals can use it to protect any malware that they want to deliver. That's why knowing the crypter that is used does not help in identifying the malware family. As an example, I would like to present to you several different malware samples packed by the same (or a similar) crypter.

Analyzed samples

droppers

Identifying similarities

Before we start unpacking, let's have a look at the similarities in the code that made me believe that the above three samples (captured in different distribution campaigns) are all packed by the same tool.

Tracing the flow of execution, we notice similarities. At the beginning of execution, all of the samples make some meaningless API calls (e.g. trying to read some random keys from the registry). Then, they call a function to allocate memory (VirtualAlloc or VirtualAllocEx). They unpack something into this memory and redirect execution there. After some time, execution comes back to the memory space of the original image. However, it now executes code that was not present before (the code image has been overwritten).

We can guess that all of the samples use the RunPE technique to overwrite the image of the original file with the payload. It all happens in the shellcode that is first unpacked into the allocated memory. Let's set a breakpoint at VirtualAlloc/VirtualAllocEx and follow execution to see what is written into this newly allocated memory. Unpacking usually includes two stages: some encrypted content is copied from the original image, then stage 1 decryption is applied. After this, some of the shellcode is revealed. This same shellcode is responsible for decrypting the actual payload (this is stage 2 decryption) and loading it into memory.

This is how the content unpacked into the allocated memory looks for each respective sample (after the stage 1 decryption):

Magnitude:

Magnitude_shellcode

Makta :

makta_shellcode

Blackhole:

blackhole_shellcode

The above content consists of the same elements in the same order. At the beginning, we can see a list of functions to be loaded. Next, we see an encrypted payload (independent PE file). Finally, we see the shellcode to be executed (loading the payload by the RunPE technique).

Below is the encrypted payload on the left and its decrypted version on the right:

encrypted_payload

Visual analysis

The decrypting procedure is heavily obfuscated, but by making memory dumps before and after each stage of decryption, we can try to get some hints of what is going on by comparing the changes.

Visual analysis may help in discovering the algorithm by which the data is packed. I have decided to dump the allocated memory before each stage of decryption, plus the revealed payload (the new PE file). You can see these stages in the first and second pictures of each row. In the third position, you can see the visualization of the dumped payload.

Similar patterns are present in all three files:

Magnitude.dll (encrypted, first stage decrypted, payload)

enc_Magnitude_00330000_enc  enc_Magnitude_00330000_decrypted  enc_A

makta.exe (encrypted, first stage decrypted, payload)

enc_makta_00250000_enc  enc_makta_00250000_dec enc__00200000_shrinked

blackhole.exe (encrypted, first stage decrypted, payload)

enc_blackhole_00240000_enc  enc_blackhole_00260000_dec  enc_1afb93d482fd46b44a64c9e987c02a27_payload_exe

What information can we get from such a visual dump? Look at this last case:

The payload is tiny, which is why we can see a lot of padding between the encrypted payload (at the beginning of the allocated memory) and the shellcode (at the end). The padding allows us to discover the encryption pattern.

Looking at the regularities, we can guess that the first stage, as well as the second stage, is encrypted by XOR with some key (key length > 1). The key seems to be longer at the first stage and shorter at the second. Let's look inside the memory dump.

At the first stage, the key is composed of some repetitive pattern:

stage1_key

To verify whether it is really XOR, we can do a reverse XOR (input with output) and see if the result is a regular pattern. The experiment gave the following results:

Blackhole:

enc_blackhole_key

Magnitude:

enc_Magnitude_key1

Makta:

enc_makta_key

Looking at the visualization, we can guess that encryption is more than just plain XOR and that the key is probably modified during execution.

At the second stage, the visual pattern is denser, which suggests that the key may be shorter.

Unpacking

In each of the 3 files, the decoding functions are heavily obfuscated with a lot of junk code and redundant API calls in between the valuable instructions. Also, known tricks (e.g. PUSH-to-RET) are used in order to hide the real flow.

After deobfuscating it, we can see that in each case the algorithm is exactly the same, for all three files and for both stages (only the parameters differ).

#include <cstddef>   // size_t, NULL
#include <cstdint>   // uint32_t, SIZE_MAX
typedef uint32_t DWORD;   // on Windows this typedef comes from <windows.h>

// Decryption routine recovered from the crypter; the same routine serves both
// stages, only key and max_size differ.
bool decode(DWORD *inbuf, //encrypted input
    DWORD *outbuf, //buffer to store the output
    size_t bufsize, //number of DWORDs to process
    const DWORD key, //stage-specific XOR key
    const size_t max_size = SIZE_MAX //bytes at or beyond this offset are copied unchanged
    )
{
    if (inbuf == NULL || outbuf == NULL) return false;

    for (size_t i = 0; i < bufsize; i++) {
        DWORD val = inbuf[i];
        DWORD step = i * sizeof(DWORD); //byte offset of the current DWORD
        if (step >= max_size) {
            outbuf[i] = val; //past max_size: leave the data as it is
            continue;
        }
        //both the value and the key are shifted by the offset before the XOR,
        //so the effective key changes with every DWORD
        outbuf[i] = (val + step) ^ (key + step);
    }
    return true;
}

As we guessed from the visual analysis, it is based on an XOR operation, and the key is modified as the decoding progresses.

Used parameters:

stage#1

  • makta.exe:        key = 0x57FC
  • blackhole.exe:  key = 0x82A3, max_size = 0x19400
  • Magnitude.dll:  key = 0x0A42

stage#2

  • all 3 files:  key = 0x03E9

stage2_xor

Writing Auto-unpacker

The characteristics of this packer allow us to write an auto-unpacker. It can be done in the following steps:

  1. Find the encrypted chunks (by patterns) and glue them together
  2. Find the XOR key (by XOR with expected output)
  3. Use it to decrypt the memory fragment (stage#1)
  4. Decrypt stage#2
  5. Save the decrypted PE file (payload)

Full code of static unpacker: decrypter1.cpp
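As an added example (my code, not the post's decrypter1.cpp and not the crypter's own), the C++ below puts the recovered decode() routine next to its inverse and carries out steps 2 to 5 of the auto-unpacker on a constructed two-stage blob. It also makes concrete what the reverse-XOR visual analysis above hinted at: with this algorithm a zero padding DWORD encrypts to the bare key, which is why the padding exposes the key stream. The sample payload, the 24-DWORD layout and the helper names (encode, recover_key, guess_key_from_padding, unpack_two_stage, build_sample, demo) are assumptions of this example; the keys 0x57FC and 0x03E9 are the makta.exe stage-1 and common stage-2 values reported in the post.

```cpp
// Added example, not the post's decrypter1.cpp: the recovered decode() routine,
// its inverse (to construct test data), and the key-recovery steps of a static unpacker.
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

typedef uint32_t DWORD;  // Windows typedef, declared here so the example builds anywhere

// Decoder with the arithmetic recovered from the crypter: value and key both
// advance by the byte offset, so the effective XOR key changes every DWORD.
bool decode(const DWORD *inbuf, DWORD *outbuf, size_t bufsize, DWORD key, size_t max_size = SIZE_MAX)
{
    if (inbuf == NULL || outbuf == NULL) return false;
    for (size_t i = 0; i < bufsize; i++) {
        DWORD step = (DWORD)(i * sizeof(DWORD));
        if (i * sizeof(DWORD) >= max_size) { outbuf[i] = inbuf[i]; continue; }  // tail copied unchanged
        outbuf[i] = (inbuf[i] + step) ^ (key + step);
    }
    return true;
}

// Inverse of decode(), i.e. the packing side; used here only to build the sample.
bool encode(const DWORD *inbuf, DWORD *outbuf, size_t bufsize, DWORD key, size_t max_size = SIZE_MAX)
{
    if (inbuf == NULL || outbuf == NULL) return false;
    for (size_t i = 0; i < bufsize; i++) {
        DWORD step = (DWORD)(i * sizeof(DWORD));
        if (i * sizeof(DWORD) >= max_size) { outbuf[i] = inbuf[i]; continue; }
        outbuf[i] = (inbuf[i] ^ (key + step)) - step;
    }
    return true;
}

// Step 2 of the auto-unpacker, known-plaintext key recovery: solving
// out = (in + step) ^ (key + step) for key gives key = ((in + step) ^ out) - step.
DWORD recover_key(DWORD enc_word, DWORD expected_plain, size_t index)
{
    DWORD step = (DWORD)(index * sizeof(DWORD));
    return ((enc_word + step) ^ expected_plain) - step;
}

// Observation from the algebra (my addition, not a step in the post): a zero DWORD
// encrypts to the bare key, since (0 ^ (key+step)) - step == key. This is consistent
// with the repeated pattern the post saw in the padding, and it means the most
// frequent DWORD of a padded region is the key, with no known plaintext needed.
DWORD guess_key_from_padding(const DWORD *enc, size_t n)
{
    std::map<DWORD, size_t> hist;
    DWORD best = 0;
    size_t best_count = 0;
    for (size_t i = 0; i < n; i++) {
        size_t c = ++hist[enc[i]];
        if (c > best_count) { best_count = c; best = enc[i]; }
    }
    return best;
}

// Steps 2-5 on a two-stage blob: stage-1 key from the padding, stage-2 key from the
// expected "MZ\x90\x00" DOS header, then decode and check the e_magic signature.
bool unpack_two_stage(const std::vector<DWORD> &blob, size_t payload_words, std::vector<DWORD> &payload)
{
    std::vector<DWORD> stage1(blob.size());
    DWORD k1 = guess_key_from_padding(blob.data(), blob.size());
    if (!decode(blob.data(), stage1.data(), blob.size(), k1)) return false;
    const DWORD mz_header = 0x00905A4D;  // bytes "MZ\x90\x00" as a little-endian DWORD
    DWORD k2 = recover_key(stage1[0], mz_header, 0);
    payload.assign(payload_words, 0);
    if (!decode(stage1.data(), payload.data(), payload_words, k2)) return false;
    return (payload[0] & 0xFFFF) == 0x5A4D;  // "MZ"
}

// Constructed sample (not a real dump): a fake 8-DWORD PE header packed with the
// makta.exe stage-1 key and the common stage-2 key, followed by 16 DWORDs of padding.
std::vector<DWORD> build_sample()
{
    const DWORD payload[8] = {0x00905A4D, 0x00000003, 0x00000004, 0x0000FFFF, 0x000000B8, 0, 0x40, 0};
    std::vector<DWORD> inner(24, 0);
    encode(payload, inner.data(), 8, 0x03E9);                  // stage 2: payload only
    std::vector<DWORD> outer(inner.size());
    encode(inner.data(), outer.data(), inner.size(), 0x57FC);  // stage 1: whole region
    return outer;
}

// Runs the unpacker over the constructed sample and reports whether the payload came back intact.
bool demo()
{
    std::vector<DWORD> payload;
    std::vector<DWORD> blob = build_sample();
    return unpack_two_stage(blob, 8, payload) && payload[3] == 0x0000FFFF && payload[6] == 0x40;
}

int main() { return demo() ? 0 : 1; }
```

Because a zero DWORD comes out as the key itself and the keys are WORD-sized, the encrypted padding is a run of DWORDs whose upper 16 bits are all zero; that is the artifact the conclusion below refers to when it says a DWORD-sized unit encrypted with a WORD-sized key is visible in the dump.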

Unpacker in action:

dump

Conclusion

Nowadays, malware is modular: there are crimeware kits that help to set up your own C&C and prepare the payload, as in the case of Pony or the Neutrino Botnet Builder; then crypters are used to pack the payload, and Exploit Kits are used to deliver it. Crypters are an important piece of this puzzle, but they still aren't getting the same attention from researchers as exploit kits and payloads are getting. Partially, it is because of their ephemeral nature: in order to be effective, they must be changed often.

The described crypter seems to be popular nowadays. However, it is not an advanced tool. For example, there is no defense deployed against a debugger or a virtual environment. The author puts a lot of effort into obfuscating the code in order to hide the encryption method, but by looking at the visualization we can recognize that it is an XOR-based encryption, and not even a well-implemented one (encrypting a DWORD-sized unit with a WORD-sized key leads to visible artifacts). This is why we could easily write a static unpacker for future use.

02 Dec 16:56

VTech Hacker Explains Why He Hacked the Toy Company

by Lorenzo Franceschi-Bicchierai for Motherboard

As the Hong Kong-based toymaker VTech reels from a massive hack that exposed the personal data of millions of parents and children, including their names, home addresses, and even pictures and chat logs, something has remained shrouded in mystery: Who is behind the hack? And why did they do it?

In early November, a hacker, who requested to remain anonymous, approached me online, and told me about some interesting data he had found on the servers of a company that made children’s tablets. The hacker said the data showed that the company was guilty of using “shitty security.”

The hacker later revealed that the company was VTech, and he shared some of the data he was able to obtain with Motherboard. In turn, I shared that data with security expert Troy Hunt, so that he could analyze it, and help victims figure out if they were part of the breach.

“I just want issues made aware of and fixed.”

Since the very beginning, the hacker made it clear to me that publishing the data, or selling it on an online market, was never his intention. Yet, until Tuesday, the hacker had remained largely silent.

But in an exclusive interview with Motherboard, the hacker finally revealed what brought him to hack into VTech’s servers, and why he decided to expose the company’s inadequate security practices.

As it turns out, it all started around “two months ago,” when the hacker said he randomly stumbled upon a thread in a forum of people dedicated to hacking the Innotab, a VTech tablet for kids. The forum shows that there’s an active community of hackers who like to tinker with the tablet, mostly “for the lulz,” as the hacker put it. For example, one member was able to install and play the famous 1990s video game Doom on the tablet.

In the thread, a forum member discussed a webservice that VTech uses to manage all products.

That got the hacker curious. In the following weeks, he “browsed around” until he found one of the many VTech websites, planetvtech.com. The hacker noticed that the site was using Flash, and had a login box. He then quickly found out the site was vulnerable to the ancient, yet still very effective, hacking technique known as SQL injection.

The hacker then quickly obtained the maximum level of administrative privileges on the server, known as "root" in technical jargon, and realized he could basically do whatever he wanted.

“Holy fuck, I have root, that was easy...what can I find?“ the hacker recalled thinking.

At that point he started poking around, pivoted to other VTech servers, and was able to find some data. At some point, the hacker said, he found the two databases containing the personal data of millions of parents and thousands of children.

“When I got the [database] dumps, I realized how serious it was,” he told me in an encrypted chat.

And that’s when he reached out to me. And he decided to go straight to a reporter, rather than contact VTech, because he thought the company “would never listen” to him, and might even have tried to cover the breach up. Also, judging by the poor level of security he saw on VTech’s servers, he was worried others could get access to that data, or had already accessed it.

“All the evidence suggested I wasn't the only person outside of VTech who could have got the data,” he said.

The hacker, in any case, never wanted to publish the data or profit from it though, because that’s something that’s “morally wrong.”

“Profiting from [database] dumps is not something I do. Especially not if children are involved!“ he said. “I just want issues made aware of and fixed.”

“When I got the [database] dumps, I realized how serious it was.”

After Motherboard alerted the company of the breach, VTech publicly admitted the hack on Friday of last week. News of the breach then quickly spread, and all major news publications all over the world, including BBC, CNN, The New York Times, and even the TV news show Good Morning America, covered it. Considering all this attention, “as much coverage as I could have hoped for,” the hacker said he felt he succeeded at raising awareness of the vulnerabilities.

Still, the hacker added that he’s “pretty sure there's tons and tons of issues yet to be found,” and that he might keep looking for them as soon as VTech comes back online. (The company has taken several of its sites and services offline after the breach.)

Otherwise, the hacker added, he might move on to a new target, “maybe into VTech's competitors; I don't know.”

02 Dec 16:52

Watch a Freelance Journalist Writhe Through a Powerful DMT Trip for Research

by Clinton Nguyen for Motherboard


In 2006, when freelance journalist Rak Razam smoked his first hit of 5-MeO-DMT, a powerful and similarly hallucinogenic cousin of DMT, he had it documented.

He had colleagues hold him down onto a chair, blindfolded himself to muffle out any extraneous sensory inputs, and by the five minute mark he was hooting and hollering as the chemicals transported him to, as he tells me, an ineffable spiritual ocean of white lights.

“You're like a drop rejoining the ocean, a sense of the unified feeling of being, of this sense of unconditional love,” he told me over the phone, as I watched his body writhe and heard his speech switch from coherent conversation to something that sounds vaguely like a battle cry.

“It was the most spiritual and sacred experience I've ever been through,” he said. “It's something very intimate and very human, it's something we all have within us.”

The footage above is an unedited portion of Razam’s bigger documentary, Aya: Awakenings, in which he visits the Amazon to unravel the spiritualistic culture surrounding ayahuasca, DMT, and other shamanic substances for centuries.

But Razam’s firsthand experience with 5-MeO-DMT, which lasts a similar amount of time compared to DMT (five to 20 minutes), was for research purposes. He’s a part of the Terra Incognita Project, an NGO that’s dedicated to studying the state of altered consciousness brought on by 5-MeO in Mexico, where the drug, derived from toads, is popular in shamanic rituals. He’s joined by Juan Acosta-Urquidi, one of the colleagues shown in the video who helped administer the 5-MeO. Acosta-Urquidi’s main research deals in measuring brain patterns as subjects enter these different states of consciousness. You can see him discussing his results here:

The use of these psychedelic substances has been untouched by the world outside South America for a long time, but interest has been growing within the past few years as access expanded thanks in part to the darknet, growing celebrity approval, and increasing acceptance as it gained a reputation for unravelling people in a deeply spiritual sense.

Ayahuasca in particular has been used in divorce ceremonies, in powerful psychosomatic self-therapy, and to restructure how we even think about family relationships.

And with DMT research recently gaining traction in the sciences, who knows what the next trip will bring.

02 Dec 13:56

NSA needs more EFF hoodies

by Robert Graham
A few months ago, many stories covered "intelexit.org", a group that bought billboards outside NSA buildings encouraging moderates to leave intelligence organizations. This is a stupidbad idea.

For one thing, it's already happening inside the intelligence community. Before Snowden, EFF hoodies were tolerated. From what I hear, they aren't anymore. Anybody who says anything nice about the EFF or Snowden quickly finds their promotion prospects reduced. And if you aren't being promoted, you are on track to be pushed out, to make room for new young blood.

The exit of moderates is radicalizing the intelligence community. More and more, those who stay want more surveillance.

In my own experience, the intelligence community is full of pro-EFF moderates. More than anybody, those inside the community can see the potential for abuse. For all that mass surveillance is unacceptable, the reality is that it's not really being abused. These people stop abuses. The NSA really is just focused on catching evil terrorists, not on tracking political activists in America. All this power is in the hands of people who use the power as intended.

A mass exodus of moderates, though, will change this, creating a more secretive and more abusive organization. The NSA is nowhere near how "Enemy of the State" imagines, but could easily become that bad when all the moderates leave.

Instead of encouraging moderates to leave, we should be encouraging them to stay. Not just stay, we should be encouraging them to speak out. We should have an organization supplying free EFF hoodies to everyone in intelligence.

02 Dec 13:32

Pentagon gets green light for WAR ... of web propaganda against IS

by Kieren McCarthy

US Congress approves funds for 'creative and agile concepts' to tackle Daesh

The Pentagon has been given formal approval to start an online propaganda campaign against the Islamic State following a recent push by the US Department of Defense (DoD).…