Saturday, 27 July 2013

Black Hat 2013: Hacking Home Security Systems, Cars, NSA

In just a few days, Las Vegas is going to be overrun by information security folks for Black Hat and DEF CON. As always, there will be drama and excitement.
The Black Hat conference and DEF CON are where white hat, black hat, blue hat, and grey hat types rub elbows. There, federal government and law enforcement folks listen to some of the latest research coming out of the community, and rumor has it some career recruiting happens there, too. The research presentations are all so interesting that it's hard to pick which ones to attend.
Home Security Under Attack
Two talks on home networking equipment are scheduled for Wednesday, followed by three more on Thursday.
Bishop Fox researchers will be talking about breaking home security systems, such as cracking simple door sensors, intercepting signals and bypassing the keypad. The Trustwave team will be talking about how home-based technologies, such as locks, thermostats, and other devices that can be remotely controlled, open the door to cyber-attacks and home invasions.
On Thursday, a researcher from Tactical Network Solutions will look at zero-day vulnerabilities in consumer and enterprise network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. A researcher from SensePost will show how protocols used by home automation systems (such as those that handle heating, ventilation and air conditioning systems, lighting, and physical security) are vulnerable to attacks. A team from iSec Partners will demonstrate the vulnerabilities in a Samsung Smart TV.
If that isn't enough to scare you away from ever having anything with an IP address in your house again, over at BSides Las Vegas, Bharat Jogi, a researcher at Qualys, will be demonstrating serious vulnerabilities he found in a D-Link surveillance system that allowed him to take over all the IP cameras associated with the system.
After the car hacking sessions, I may never get in a car again. Good thing you don't really need a car in New York City.
Two researchers will demonstrate a device that can bypass security in a car's electronic control unit as part of Black Hat Arsenal. Hacker and security researcher extraordinaire Charlie Miller and Chris Valasek from IOActive will demonstrate how to hack various car network systems, including those related to braking and steering, at DEF CON.
The Opening Keynote
A few months ago, Black Hat announced that General Keith Alexander, the head of the National Security Agency, commander of the US Cyber Command, and the man in charge of PRISM, will be delivering the opening keynote. With Edward Snowden still holed up in the transit lounge in Russia (soon to become a temporary resident in Russia, perhaps?), and details about PRISM and other surveillance programs dribbling out, we all wonder—is Gen. Alexander still going to show up next Wednesday?
In previous years, Black Hat and DEF CON have been styled as a "neutral" zone where the black hats and the feds can co-exist peacefully, and even speak with each other. Sure, there are games like "Spot the Fed," but it has always been about fun. This year, however, DEF CON asked the feds to stay away to "avoid conflict."
Considering that Black Hat attendees are not known for being a docile bunch, the keynote will be interesting.
"He has guts.  He's going into the belly of the beast—hacker central—right in the midst of the Eric Snowden leak story," John Dickson, head of The Denim Group, wrote in a blog post.
Dickson has some questions he would like the chief spook to answer, though. Some are a little flippant—"How quickly did you unfriend Eric Snowden on Facebook when he boogied to Hong Kong?"—or silly—"Seriously, how much fun was it when you hit the 'Go' button for Stuxnet?"—while others touch on the massive surveillance the government does—"How anonymous is Anonymous?" and "What happens in Vegas, stays in Vegas is a total myth, right?"
You can see the full list of questions on Dickson's blog here.
We will be covering many sessions from Black Hat and Def Con next week, so check in regularly for updates.

Pinterest adds support for 'Do Not Track' privacy features

Social networking site Pinterest has launched a feature that tracks user behaviour while giving users the option to opt out of the tracking.
The company said that its new Home Page would seek to provide users with a better-suited experience by serving up pages more suited to user interests. To do so, the site is looking to collect more data on user activities and interests.
“If you’re interested, we’ll also suggest personalized pins and boards based on websites you go to that have the Pin It button,” said Pinterest software engineer Ke Chen.
“So if you’re planning a party and have gone to lots of party sites recently, we’ll try to suggest boards to make your event a hit.”
In rolling out the new feature, Pinterest is also looking to provide privacy controls for users. The company said that it would be adding support for 'Do Not Track' (DNT), the browser signal (an HTTP request header, DNT: 1) that asks a site not to track the user. When Pinterest sees the signal it will switch off the features that keep a log of the user's browsing patterns.
Users who opt out will be able to use the Pinterest service without having their activity logged.
'Do Not Track' has emerged as a preferred tool for privacy activists, though it is not without its detractors. The SANS Institute has panned it because it is voluntary: the header is only a request, each site has to add support for it itself, and nothing stops an administrator from ignoring it and continuing to track user behaviour.
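To make the SANS objection concrete: honouring DNT is entirely up to the site's own code. The following is an added illustration, not Pinterest's code, of what that code has to do on both ends. The request objects, header names and the `trackWhenUnspecified` policy switch are assumptions for the example; the only things taken from the DNT specification are the header name and its values ("1" = do not track, "0" = user consents to tracking, absent = no preference expressed).

```javascript
// Added example: honouring the Do Not Track (DNT) signal.
// Nothing in the browser enforces DNT; a site that ignores these checks tracks as usual.

// Server side: read the user's DNT preference from the request headers.
// Header names are case-insensitive, so match on a lower-cased key.
// Returns "opt-out", "consent" or "unspecified".
function dntPreference(headers) {
  let value;
  for (const [name, v] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'dnt') {
      value = String(v).trim();
      break;
    }
  }
  if (value === '1') return 'opt-out';
  if (value === '0') return 'consent';
  return 'unspecified';
}

// Site policy (an assumption of this example): never track an opted-out user,
// always allow a consenting one, and let the operator decide what "no preference"
// means. Defaulting trackWhenUnspecified to false is the privacy-preserving choice.
function shouldTrack(headers, policy = { trackWhenUnspecified: true }) {
  const pref = dntPreference(headers);
  if (pref === 'opt-out') return false;
  if (pref === 'consent') return true;
  return policy.trackWhenUnspecified;
}

// Client side: read the browser's own setting before firing a tracking script.
// Older browsers exposed it under different names and values
// (navigator.doNotTrack, window.doNotTrack, navigator.msDoNotTrack; "1" or "yes").
function browserDoesNotTrack(win) {
  const nav = win.navigator || {};
  const raw = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack;
  if (raw == null) return false;            // == on purpose: null or undefined
  const v = String(raw).toLowerCase();
  return v === '1' || v === 'yes';
}

// A minimal in-memory tracker standing in for the personalisation log.
class MemoryTracker {
  constructor() { this.visits = []; }
  log(url) { this.visits.push(url); }
}

// Simulated request handler: the tracking call only runs when the policy allows it.
function handleRequest(req, tracker, policy) {
  if (shouldTrack(req.headers, policy)) {
    tracker.log(req.url);
    return { status: 200, tracked: true };
  }
  return { status: 200, tracked: false };
}

// Constructed sample traffic (not real logs): three users hitting a "Pin It" page.
const sampleRequests = [
  { url: '/party-ideas', headers: { 'DNT': '1', 'User-Agent': 'Firefox' } },
  { url: '/party-ideas', headers: { 'dnt': '0', 'User-Agent': 'Chrome' } },
  { url: '/party-ideas', headers: { 'User-Agent': 'Safari' } },
];

// Runs the sample traffic through the handler and returns what got logged.
function runDemo(policy) {
  const tracker = new MemoryTracker();
  const results = sampleRequests.map((r) => handleRequest(r, tracker, policy).tracked);
  return { results, logged: tracker.visits.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default policy :', runDemo());
  console.log('strict policy  :', runDemo({ trackWhenUnspecified: false }));
}
```

The point the example makes is the one SANS raises: the `DNT: 1` header changes nothing by itself. The user is only protected if `shouldTrack` is actually consulted in front of every logging call, and the treatment of users who send no header at all is a policy decision the site makes, not the browser.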

Israeli cyber intelligence provider to deliver interception tools to India

Verint Systems, an Israeli cyber intelligence solutions provider, is soon to get a contract from the Indian government to devise interception tools for tracking encrypted communication services, from Gmail, Yahoo.mail and Research In Motion's (RIM) BlackBerry services to Microsoft Skype, amid mounting cyber security concerns, a top official in the telecom department told ET.
Verint's leadership team recently met communications minister Kapil Sibal in Israel and indicated the company's desire to work with the government to intercept all forms of encrypted communications to address India's cyber security needs.
Sibal has also apprised Israel's IT & communications minister Gilad Erdan about engaging Verint to implement an interception solution. "Verint is willing to work with the Indian government to address the issue of intercepting encrypted communications like Gmail, Yahoo.mail and others. It will shortly co-ordinate with DoT's security wing and CERT-In teams to implement a customised interception solution," says an internal telecom department note, a copy of which was reviewed by ET.
CERT-In is India's Computer Emergency Response Team, which has been mandated by the government to respond to computer security incidents, track system vulnerabilities and promote effective IT security practices across the country. About a year ago, the government had identified 15 forms of encrypted communications, including Google's Gmail, RIM's BlackBerry services, Nokia's email offerings, Yahoo.mail and Microsoft Skype, among others, that it claimed could not be tracked by Indian law enforcement agencies.
Verint has informed Sibal it has supplied an interception solution for tracking encrypted communications to 77 countries and can customise it to Indian needs at its Gurgaon unit. Encryption scrambles data and emails into a form that can travel across a telecom network and can only be turned back into the original by someone holding the right key. The strength of that protection depends on the key length: a longer key makes financial transactions on personal computers and smartphones harder to break, and providers of such communication services have argued that encryption is also vital for protection from hackers.
Most Western countries do not allow financial transactions on the internet through computers and mobile handsets if the encryption level is less than 128 bits. India, on the other hand, does not legally allow encryption beyond 40-bit on the grounds that its security agencies lack the technical wherewithal to monitor online data transfers when the coding is beyond that threshold. The practical difference is large: a 40-bit key space holds about 2^40, roughly a trillion, possible keys and can be searched exhaustively with modest computing power, whereas a 128-bit key space (2^128) is far beyond any brute-force search.
Sibal's discussions with Verint come even as the government prepares to launch its in-house CMS, or 'Communications Monitoring System', which will be able to track voice calls, fax messages, text messages and MMSes across all telephone networks in the country. The CMS is slated to go live by December. It was developed in-house because the DoT maintains that monitoring and interception in most countries is carried out by their own security agencies. Verint may also advise the government on the CMS rollout, but this was not confirmed by the DoT.

The Netherlands spied on Iranian embassy

A good deal of information about the activities of the Dutch intelligence service AIVD has come out in recent years. The AIVD was spying on the Iranian embassy because it wanted to know what was happening with Dutch citizens in Iran.
That an ambassador is bugged is not unique, writes the newspaper, citing sources in the intelligence world. But it is a sensitive issue, because it can harm diplomatic relations with a country. It may also negatively affect the image of the Netherlands, where many international bodies are established.

Former Foreign Minister Ben Bot (CDA) is not surprised that the Iranian ambassador has been tapped. "Obviously the Netherlands does this, especially in a case that is so sensitive. Conversely, they will not hesitate to do the same to us." The Netherlands spied on Ambassador Kazem Gharib Abadi to get a better insight into developments in the case of Zahra Bahrami.

Zahra Bahrami
Zahra Bahrami, also spelled Sahra Baahrami (Persian: زهرا بهرامی‎; c. 1965–2011) (Previous name: Zahra Mehrabi), was a dual Dutch and Iranian citizen who was executed in Iran, after being convicted by the Islamic Revolutionary Court of drug trafficking.
She was initially arrested in December 2009 for participating in the Ashura protests and charged with national security offenses and with being a member of the Kingdom Assembly of Iran. But according to the Iranian judiciary, a subsequent search of her house uncovered 450 grams of cocaine, 420 grams of opium, and several forged passports. The Tehran prosecutors then charged her with drug trafficking and with being a member of an international drug-trafficking network, for which she was convicted. Bahrami also had a prior criminal record in the Netherlands: she had spent three years in jail there for trafficking 16 kilograms of cocaine on a flight from the Caribbean in 2003, and for forging passports in 2007.
In protest at her execution, the Dutch Ministry of Foreign Affairs temporarily froze diplomatic contacts with Iran, resuming them on February 18, 2011.

NASDAQ hacked by Russian hackers who stole 160 million bank card numbers

Russian hackers infiltrated the corporate networks of some of the largest US corporations over a seven-year period, stealing more than 160 million credit-card numbers and hundreds of millions of dollars, the largest such scheme ever prosecuted in the United States, said federal authorities unveiling the indictments Thursday.
Targeting corporations that were specifically engaged in financial transactions, the hackers stole data that allowed them to reproduce fake cards they were able to sell or later use to withdraw money from ATMs worldwide.
Among the 15 businesses allegedly hit by the four Russian and one Ukrainian hackers from August 2005 to July 2012: 7-Eleven, JCPenney, JetBlue, and Dow Jones. One of the Russians was also charged separately with hacking into the business-operation servers of the NASDAQ stock exchange from 2008 to 2010 and manipulating data. But that hack did not reach the exchange's trading platform where stocks are bought and sold, authorities said.
Law enforcement officials touted the case as a significant step forward in demonstrating their ability to crack a difficult cybercrime operation involving crooks who took extensive steps – including using encrypted communications – to keep their identities and operations secret.
“This type of crime is the cutting edge,” said Paul Fishman, US Attorney for New Jersey, announcing the indictments. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security.”
Losses hit $300 million for companies in the US and Europe, not including losses incurred by identity-theft victims, authorities said.
Two of the hackers, Russians Vladimir Drinkman and Dmitriy Smilianets, were arrested by Dutch police at the request of the US while they were traveling in the Netherlands in 2012. Mr. Smilianets was extradited to the US. Mr. Drinkman is in custody in the Netherlands pending an extradition hearing. The remaining three, Russians Roman Kotov and Alexandr Kalinin and Ukrainian Mikhail Rytikov, remain at large.
After downloading card numbers and related data, the conspirators resold the data to theft wholesalers worldwide. Smilianets charged roughly $10 for each stolen American credit-card number and its data, $50 for each European credit-card number and data, and $15 for each Canadian credit-card number and its associated data. Discount pricing was given to bulk and repeat customers.
The buyers of the stolen data then encoded individual card data onto the magnetic stripe of a blank plastic card and withdrew money from ATMs or made purchases with the cloned cards.
Separately, Mr. Kalinin is also charged with hacking into the NASDAQ stock exchange’s business servers. From November 2008 through October 2010, he is alleged to have installed malicious software, or malware, that enabled him and others to secretly access the infected NASDAQ servers and execute commands “including commands to delete, change or steal data.”
It's unclear from the indictment just what Kalinin was doing on the NASDAQ server. But such direct attacks on financial exchanges are part of a growing trend, the World Federation of Exchanges reported this month. Some 53 percent of the group's member exchanges reported that they had endured a cyberattack in the past year. In a few cases, denial-of-service attacks (which flood the systems with bogus requests in order to overload servers) forced trading to halt briefly, although trading platforms have not been directly breached, the WFE report said.
Cybersecurity experts worry that the trend could become a far worse threat than credit-card thefts.
“The worst cyber threats that the financial sector will soon be facing may not be thefts of money,” wrote Scott Borg, director and chief economist of the US Cyber Consequences Unit, a think tank advising government, in a recent report.
Future cyberattacks could target the information that financial service corporations and their clients use “to create and capture value and to maintain market integrity,” he wrote. “Some of the new cyber attacks will simply aim to steal this information. Others will attempt to alter or manipulate it to create business and market effects.”
Law enforcement authorities echoed that view Thursday.
“As today’s allegations make clear, cyber criminals are determined to prey not only on individual bank accounts, but on the financial system itself,” said Manhattan US Attorney Preet Bharara in a statement.
The depth of that threat was laid out in the 2010 book “Cyber War” by Richard Clarke, former counterterrorism chief under two presidents.
A Wall Street chief executive officer told him: “It is confidence in the data, not the gold bullion in the basement of the New York Fed, that makes the world financial markets work.”

Thousands of people respond to #stopwatchingus call in Germany to protest NSA surveillance

Thousands of people are taking to the streets in Germany to protest against the alleged widespread surveillance of Internet users by U.S. intelligence services.
Protesters, responding to calls by a loose network calling itself #stopwatchingus, braved searing summer temperatures Saturday to demonstrate in Hamburg, Munich, Berlin and up to 35 other German cities and towns.
Some wore tinfoil hats to shield themselves from the sun -- and make a political statement about warding off unwanted eavesdroppers.
Others held placards showing support for National Security Agency leaker Edward Snowden.
Chancellor Angela Merkel raised the issue of the NSA's alleged interception of Web traffic when U.S. President Barack Obama visited Berlin last month. But German opposition parties remain skeptical of the government's claim that it had known nothing about the surveillance.