
Sophos Risks Legitimizing Hack Back Activities

Each week is seemingly accompanied by news of some perimeter security appliance being successfully exploited by adversaries. Sophos has produced a report, covered by Wired, which outlines their 5-year efforts to identify and combat such adversaries. It’s a wild read both in terms of the range of activities undertaken by Sophos and for making clearer to the public the range of intelligence activities that private organizations undertake as part of their cybersecurity operations.

Some of the major revelations, and activities undertaken, by Sophos include:

  • A broader group of China-based researchers developed hacking techniques and supplied them to Chinese government APTs.
  • Historically the exploitation of Sophos appliances was being carried out using 0-days but, in recent assessments, APTs are using N-days to target end-of-life equipment.
  • Sophos included code in one of its hotfixes to obtain additional information from consumer devices and expose more information about adversaries to the company.
  • Sophos went so far as to deploy, “its own spy implants to the Sophos devices in Chengdu they were testing on—essentially hacking the hackers, albeit only through code added to a few installations of its own products the hackers had obtained.”
  • Targets of Chinese APTs were often located throughout Asia, and most recently included “another country’s nuclear energy regulatory agency, then a military facility in the same country and the airport of the country’s capital city, as well as other hacking incidents that targeted Tibetan exiles.”
  • Sophos found that the adversaries had built a bootkit which is designed to infect low-level code. The company is asserting this may be the first time a firewall bootkit has ever been seen. They have no intelligence that it has ever been deployed in the wild.

It’s uncommon for the details of how private companies have developed their defensive strategies over a longer period of time to be made public, and so this is helpful for broadening the space for discussion. Sophos’ activities are, also, significant on the basis that the private company implanted its own systems to develop intelligence concerning its Chinese adversaries.

There has been extensive normative and legal discussion on the risks linked with “hacking back” and Sophos’ actions are another step towards normalizing such behaviour, albeit under the auspices of a company targeting its own equipment. I personally don’t think that Sophos’ defence that they were targeting their own equipment meaningfully isolates the broader implications of their actions. Perimeter appliances are extensively deployed and their decision may both normalize such behaviours broadly by private firms for their own ends and, also, further open the doors to some governments pressuring private firms to deploy implants on behalf of said governments. Neither of these trajectories is likely to end well.


Pulling Back the Curtain on the Appin Cyber Mercenary Organization

Curious about what “cyber mercenaries” do? How they operate and facilitate targeting?

This excellent long-form piece from Reuters exquisitely details the history of Appin, an Indian cyber mercenary outfit, and confirms and publicly reveals many of the operations that it has undertaken.

As an aside, the sourcing in this article is particularly impressive, which is to be expected from Satter et al. They keep showing they’re amongst the best in the business!

Moreover, the sidenote concerning the NSA’s awareness of the company, and why, is notable in its own right. The authors write,

The National Security Agency (NSA), which spies on foreigners for the U.S. government, began surveilling the company after watching it hack “high value” Pakistani officials around 2009, one of the sources said. An NSA spokesperson declined to comment.

This showcases that Appin may either have been seen as a source of fourth-party collection (i.e., where an intelligence service takes the material that another service is itself collecting from a target) or have endangered the NSA’s own collection or targeting activities, on the basis that Appin could provoke targets to adopt heightened cybersecurity practices or otherwise cause them to behave in ways that interfered with the NSA’s own operations.


Turns Out You Can’t Trust Russian Hackers Anymore

Navalny denies receiving funding from Soros and says he has had no support from Yandex. Laura Silber, a spokesperson for Open Society, said the foundation has never supported Navalny and that the edited documents posted by Cyber Berkut amounted to a libelous claim.

The Kremlin, Navalny wrote in an email to Foreign Policy, “really likes that type of tactics: posting fake documents among real hacked documents.” The goal, he wrote, is to create a mess for the opposition.

“At the end of the day everyone will understand — documents are fake, but it will be a two-week-long discussion: ‘Is [the] opposition and Navalny in particular using Soros’ money?’,” Navalny wrote.

The Kremlin hates George Soros because Open Society, his marquee philanthropy, focuses on boosting democracy in the former Soviet bloc and elsewhere. Silber says Open Society “supports human rights, democratic practice, and the rule of law in more than 100 countries around the world.”

So we can’t fully believe all the documents that are stolen, and then subsequently posted online by Russian-affiliated groups with an agenda of discrediting certain parties?

Shocking.


With Remote Hacking, the Government’s Particularity Problem Isn’t Going Away

Crocker’s article is a defining summary of the legal problems associated with the U.S. Government’s attempts to use malware to conduct lawful surveillance of persons suspected of breaking the law. He explores how even after the law is shifted to authorize magistrates to issue warrants pertaining to persons outside of their jurisdictions, broader precedent concerning wiretaps may prevent the FBI or other actors from using currently-drafted warrants to deploy malware en masse. Specifically, the current framework adopted might violate basic constitutional guarantees that have been defined in caselaw over the past century, to the effect of rendering mass issuance of malware an unlawful means of surveillance.


Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

When WIRED reached out to trucking industry body the National Motor Freight Traffic Association about the Michigan research, the NMFTA’s chief technology officer Urban Jonson said the group is taking the researchers’ work seriously, and even funding future research from the same team. And Jonson acknowledged that the possibility of the nightmare scenario they present, of a remote attack on heavy vehicles, is real. “A lot of these systems were designed to be isolated,” says Jonson. “As automobile manufacturers are increasingly connecting vehicles with telematics systems, some of these issues need to be addressed.”

That the Association’s reaction is to work with researchers instead of trying to sue them is a very good sign.


The Security of Our Election Systems

Government interference with foreign elections isn’t new, and in fact, that’s something the United States itself has repeatedly done in recent history. Using cyberattacks to influence elections is newer but has been done before, too, most notably in Latin America. Hacking of voting machines isn’t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.

Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they’re a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.

Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.

The effects of a decade of focusing on attack capabilities at the expense of defence are now becoming apparent. And I’d bet that we’ll see democratic governments call for heightened national ‘defence’ capabilities that entail fully inspecting packets, which will require laws that water down communicative privacy rights, which will themselves damage the democratic character of our political systems.


Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison | Toronto Star

Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared. But experts say it is essentially toothless because it contains few financial penalties.

The Act will introduce fines up to $100,000 for deliberately not reporting a breach.

“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”

There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.

Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent them, Parsons said.

“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity, where concerns tend to lead to IT professionals saying “no” to a lot of ideas, while also eating up company time, money and resources.

“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”

Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.

“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”


So your name is in the Ashley Madison database … are you a cheater? | Metro News

“There was no requirement for verification prior to being added to their database,” said Christopher Parsons, a post-doctoral researcher and cyber-security expert at the University of Toronto’s Citizen Lab.

“It’s entirely possible that people’s email addresses were added by friends or co-workers as a prank.”

But, he said, the likelihood of that “is somewhat low.”

Just because someone’s email address can be found in the database doesn’t mean they were active users who committed adultery. They could have just been curious about the site, Parsons said.

While those who registered for the site using their official, government-issued email addresses may be naïve, Parsons said some of them may have done so intentionally.

“Perhaps they share a personal email account with their spouse or partner,” he said. “Using their government account might have been seen as safer.”

Although there have been larger data breaches in the past, Parsons said the Ashley Madison hack is worrying because government officials found using the site could become victims of blackmail.

It’s happened after data breaches in the U.S. and could happen just as easily in Canada, he said.


FBI watched as hacker dumped Bell Canada passwords online

When Bell Canada’s website was hacked last year — and the accounts and passwords of more than 12,000 Canadians posted online — the Federal Bureau of Investigation was not only watching, but letting the hackers stage the attack from what was secretly an FBI server.

Christopher Parsons, a postdoctoral fellow who studies state access to telecommunication data at the Citizen Lab at the Munk School of Global Affairs in Toronto, said it made “good tactical sense” that the FBI used confidential informants and an undercover server to build their case.

It was the fact they did nothing to stop the crime before it occurred that makes this case unusual, Parsons said.

“In this case it sounds like the FBI had that ability, had that option to prevent these things from happening, perhaps with a weaker case, but instead they opted to endanger innocents in order to build a stronger case,” said Parsons. “The problem there is there is no indication Bell had been notified. This wasn’t dummy data that was released — this was live, real customer data.”


Mississauga man pleads guilty in international Xbox hacking ring | Toronto Star

Prosecutors said the small group of gaming enthusiasts called itself the Xbox Underground.

“These were extremely sophisticated hackers. Don’t be fooled by their ages,” Assistant U.S. Attorney Ed McAndrew said after Tuesday’s court hearing. McAndrew told reporters the other members of the group looked to Pokora as a leader.

Chris Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab and expert in Internet security, told the Star the technique used by the group, known as “SQL injection,” is one of the most common attacks used.

“I’m not saying that these individuals are more or less sophisticated, but you really do not have to be terribly clever to run SQL injections,” said Parsons, who has no involvement in the case.

The technique at its most simple involves tricking a database used by the organization into thinking that the hacker has the power to run administrator-level commands.

Parsons says the value of intellectual property and material like the group was after is difficult to gauge. He said they could sell it, or trade it online.

“Certainly some information would be more valuable than others. There might be a large variation for how much you might pay for a prototype Xbox One, versus information about how the U.S. military trains its apache helicopter pilots,” said Parsons. “It would vary substantially in terms of what the information is and the completeness of it.”

There’s no indication in the court documents that the group attempted to sell military information.
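To make concrete the flaw the article describes in one sentence, here is an added example (not code from the Toronto Star piece or from the case): a login lookup built by string concatenation, where input becomes SQL syntax and the database answers as if an administrator row matched, beside the same lookup with bound parameters. The table, rows and hostile input are constructed for the demonstration.

```python
"""Added example: SQL injection in a login lookup, beside its parameterized
fix. Runs against an in-memory SQLite database with constructed rows."""
import sqlite3

# Constructed sample user table: one ordinary account, one administrator.
CONSTRUCTED_USERS = [("alice", "s3cret", "user"), ("root", "hunter2", "admin")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", CONSTRUCTED_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Builds the query by concatenation, so user input is parsed as SQL.
    Returns the role the database believes the caller has, or None."""
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Same lookup with bound parameters: the driver treats input as data,
    never as query syntax, so the password check cannot be commented away."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    # Constructed hostile input: closes the quoted name and starts a SQL
    # comment, which discards the password clause in the concatenated query.
    hostile = "root' --"
    return {
        "vulnerable": login_vulnerable(conn, hostile, "wrong"),    # 'admin'
        "hardened": login_parameterized(conn, hostile, "wrong"),   # None
        "legit": login_parameterized(conn, "alice", "s3cret"),     # 'user'
    }


if __name__ == "__main__":
    print(demo())
```

The defender's fix is the second function: every value that crosses the trust boundary is bound as a parameter, and the query text itself never changes with input.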