Thursday, 22 October 2015

FBI cyber experts deny Bourne-style biometric snooping exists, but it may one day

FBI cyber experts deny Bourne-style biometric snooping
Cyber spooks in films and TV shows like Bourne and 24 often have access to a sprawling, real-time surveillance system capable of watching and scanning the faces of the public anywhere in the world.
Yet technology experts with experience of the FBI have recently claimed this is far removed from the realities of how such as biometric systems can be used.
Jim Loudermilk, a senior level technologist at the FBI's science and technology branch, said the agency does not have access to real-time face-recognition biometrics on such a grand scale.
"Here in London you are all familiar with the vast numbers of cameras. But most of you probably don't realise that what you see in the science fiction movies is not true," he told a recent biometrics conference in London.
"My own assessment is that the use of pattern-matching technology for faces is about at the maturity level that pattern matching of fingerprints was in the late 1980s.
"We do not have highly reliable automated systems that can instantaneously ingest video and track people from camera to camera unaided by a human being."
Loudermilk explained that face recognition and biometric analysis is not yet able to provide the FBI with conclusive positive IDs, and that the lack of functionality comes down to budgets.
"If we were prepared to spend a few hundred million dollars and add several hundred people as skilled examiners we probably could do positive identification from faces in a decade, but I think it's unlikely we will choose to make that sort of investment."
Even if it did, the actually database of files with which to cross reference this sort of information is quite low in the era of big data: "We don't have very many mug shots on file. Only about 20 million at the moment," he added.
Another face in the crowd
The claim that face-recognition tools are not yet at the level of the movies is echoed by Leo Taddeo, a former FBI special agent in charge of the New York cyber division and now the CSO for Cryptzone, but he believes it will be possible one day.
"Today, it may not be possible to spot a known terrorist in a photo of a crowd at a sporting event, but someday that capability will exist," he told V3.
Taddeo also noted that the use of face recognition has evolved to the point where it can be used in "many investigative scenarios".
"Agents are now able to check the photo of a bank thief taken from a surveillance camera against a set of known convicts to find a potential suspect. The confirmation of identity is still done using multiple factors, but narrowing down the search is greatly aided by the new face-recognition technologies," he explained.
However there are obviously civil liberty and privacy concerns raised with the use of such technologies, and their future potential capabilities.
Dr Richard Tynan, technologist at Privacy International, warned of a need for clear definitions in biometric capabilities.
"I think you might have to ask what they mean by real time. Is it that they are unable to get the name and address information of every individual in a given scene of a CCTV camera?" he said.
"Even if that's what they are trying to do, it's incredibly worrying that they are trying to do real-time identification of individuals and not just when a crime happens, which is one of the stated purposes of CCTV."
Furthermore, Dr Tynan noted that the FBI staffers claims seems to be at odds with private firms already rolling out sophisticated face-recognition systems.
"Microsoft has recently rolled out face recognition on some of its latest laptops which will allow you to unlock the computer," he said.
"There are other types of face recognition such as Facebook deploying auto tagging in pictures, claiming to have sophisticated technology that can distinguish between identical twins.
"So the [1980s] comment seems weird to me given that we have seen so many claims made about this technology from the private sector."
Privacy International also provided V3 with documentation showing a range of ‘vision analytics' tools that offer sophisticated biometrics and location monitoring in real time (PDF).
Yet while FBI experts play down the scope of real-time surveillance systems, they openly admit that the use of biometrics in law enforcement is not a new phenomenon.
The FBI currently uses a vast amount of technology to take advantage of the unique indicators that accompany biometric information, such as fingerprints, iris patterns and palm and finger patterns.
"The use of fingerprints has been a fundamental investigative tool in the FBI's kit for almost its entire 100-year history," explained Taddeo.
"For most of the last century, the science of collecting, cataloguing and comparing fingerprints did not change very much. Advances in information technology have allowed us to make quantum leaps in fingerprint and other identification technologies.
"We can collect fingerprints as electronic images. As such, we can transmit and search for matches at record speed. This means police officers don't have to wait for a manual search. It also means we can search wider databases."
Loudermilk gave some insight into the scope of these databases, during his presentation in London last week.
"We have 69 million people currently on file and we have another 37 million on file in the civil repository and I expect that to grow significantly. Right now we have 106 million people, all separate identities," he said.
"We have a fairly substantial repository of people who have been arrested for criminal offences."
However, it is DNA matching that remains the 'gold standard' in biometrics and forensics.
Loudermilk said that the FBI holds 14 million known DNA subject profiles in a national database consisting of the Combined DNA Index System and the National DNA Index System.
Double-edged sword
Unquestionable law enforcement will continue to use biometric analysis to aid their operations, but it can be a double-edged sword, as Taddeo explained.
"For example, after the recent OPM breach, where millions of government employee fingerprints were reportedly stolen by the Chinese government, it will be much harder for a US agent to enter China without the Chinese knowing who they are and who they work for," he said.
"The same is true for fingerprints and facial recognition. Undercover agents will have a harder time getting past border controls in an undercover capacity."
Perhaps this is something Hollywood scriptwriters will have to consider for their future spy thrillers too.

Security researchers face wrath of spy agencies

Researchers tasked with revealing attacks by intelligence agencies are being harassed, locked out of tenders, and in some cases deported, Kaspersky researcher Juan Andrés Guerrero-Saade says.
Retaliation by the unnamed agencies is in direct response to news of prominent advanced-persistent threat campaigns that have coloured information security reporting over recent years.
Those reports are forcing researchers to reveal malware attacks by government spy agencies.
Specific details on the harassment is tightly-held, although some may occur in Eastern Europe and Asian nations.
Guerrero-Saade told Vulture South researchers have spoken about their ordeals in private information security circles. Other stories circulate as industry rumour.
"In many places intelligence services tend to be more civilised than in others -- you would be lucky to deal with them in the US versus wherever else, Latin America, Asia, or Eastern Europe where they take very different tactics, " Guerrero-Saade says.
"You can definitely see these threats to livelihood[s] where it can be as simple as patriotic notions … all the way to 'you have already made it clear where you stand and it's going to be next to impossible for you to get a security clearance' and to work in a large sector of countries where a large amount of anti-malware work is being done.
"I think it is easier to imagine situations where blackmail, compromise, and threat of livelihood is an issue, and it has been an issue for certain researchers for obvious reasons aren't going to speak up."
Other researchers speaking to this reporter have heard similar stories. Others haven't but aren't surprised their colleagues find security clearances revoked. China is cited as a nation some opt to avoid.
Guerrero-Saade spoke on the back of his paper The ethics and perils of APT research: An unexpected transition into intelligence brokerage [pdf] which he says is a "meditation" that covers the perils faced by threat intelligence companies and researchers as the ultimately altruistic academics aggravate diplomatic and national interests.
The paper notes researchers are targeted through blackmail which is regarded as a cheap way for agencies to "own" an individual by digging up their secrets, debt, and "shameful proclivities and mis-steps".
"This type of compromise is in some cases related to the threat to livelihood as private information security companies have displayed a more or less strict moralism in their hiring practices, often preferring practitioners untainted by publicly known blackhat tendencies," Guerrero-Saade writes.
Security researchers who live in the country of the aggrieved intelligence agency face the harshest treatment. Here agencies target threats to living conditions including the revocation of non-citizens' resident status, "in some cases separating families or forcing a return to dreadful conditions".
Natives are described as unpatriotic, and are barred from government work and holding security clearances.
“In certain countries, citizenship is only a protection from overt and legal repercussions but processes without oversight are the main playing field of security services. Vague threats carry weight in this space.”
That is leading to an industry Balkanisation which is "well underway at this time".
Intelligence firms too are being harassed. Guerrero-Saade says unnamed agencies serve threats to "operational viability, revenues, ongoing and potential contracts, strategic partnerships, PR value, as well as regulation-based financial repercussions".
Such harassment merits "any effective measures available" when threat research stands in direct opposition to national diplomatic, financial, or political viability.
Such work may cause heightened diplomatic tensions to flare, or jeopardise the reputation of an intelligence agency or those to which it serves. Here's a fragment of his talk:
"Companies with government contracts will see these contracts dangled and unrelated vital strategic partnerships may suddenly become unstable or entirely unavailable. When international companies are involved, unsubstantiated but well-placed insinuations may suffice in closing off entire crucial market sectors and, if not, threats of loosely applied embargoes can destroy the most meticulously built business. "
He further details the perils of the burgeoning threat intelligence industry in the absence of kinds of rules of engagement whereby many researchers - rightly-so - treat all malware as abusive regardless of source, and the motivations and actors behind attacks are often glossed over.
The nine-page report notes the publication of intelligence materials by private sector firms as 'regular grievances' that are "unthinkable to their intelligence agency counterparts". Another extract:
"Provocation occurs in two scenarios: first, where the (threat intelligence) company’s research causes political, diplomatic, or military tensions to flare between nations in an already escalated posture. Secondly, when the company’s public disclosure -- or private offering provided directly to sensitive targets -- endangers the reputation of the intelligence agency itself or worse yet comes close to revealing or endangering the requesting customer. The former scenario is undesirable; the latter scenario is unacceptable."
Not all research weighs the same. Guerrero-Saade says a recent report examining Chinese threat actors overstepped the boundaries of usefulness when it revealed the personal information of attackers including their daily activities, photos, and family members.
The future is unclear, the researcher says. Intelligence agencies may be pushed to develop highly-capable malware designed to slip past researchers, while even most-capable researchers dabbling in the unmasking of intelligence agencies will need to undergo "drastic preparations" to not only excel but survive.

Friday, 16 October 2015

A bug in Facebook accidentally shows how popular your posts are

Facebook is diligently attempting to remove a software bug that lets users of their mobile website see view counts for their own and others’ posts within the Facebook social network.

Facebook currently displays the number of views under videos posted on the Facebook site, but this software bug goes beyond that and lets one see the number of views on any article or video link, this also includes those from news media and other official organizational pages. The bottom line of this revelation, is the realization that nothing you say or share will ever be as popular among your friend group as a arbitrary article or a video on how to make ramen fries.

Currently, the software bug, only affects Facebook’s mobile site, and not Facebook for conventional desktop PCs or the company’s official mobile apps. It has been confirmed by Facebook that the software bug is removing the view counts from user posts.

Facebook claims to have no future plans to let individual users see view counts. Part of consequence of using the Facebook social network is the understanding that you’re feeding content into a black box, controlled by a mysterious and proprietary software algorithms the user has no control over and is not allowed to understand.

In 2013, A Stanford University study conducted by assistant professor Michael S. Bernstein and Facebook’s data science team has revealed that the average Facebook user only reaches about 35 percent of their friends with a single post and over the course of a month, the average user will reach barely two out of every three friends.

This problem effects other media organizations and other page owners that have been with Facebook for years. Users that have invested heavily with their followers in obtaining and growing their number of likes on their page are often shocked to only have the social network charge them for reaching more than a small fraction of their audience.

But Facebook holds the control and the keys to their News Feed. For now that’s how it goes. Until, of course a bug comes along, and we see just how popular — or not — you really are in your Facebook network.

Malaysia arrests hacker for stealing U.S. security data

NBC News has learned federal prosecutors have charged a Kosovo man they believe is responsible for assembling an ISIS 'kill list" of more than 1,000 military personnel and U.S. government employees. USA TODAY

A Kosovar man living in Malaysia who accessed the personal data of more than 1,300 government and military employees, and passed that data onto the Islamic State, has been arrested in Malaysia on U.S. charges, the Department of Justice announced Thursday.
Ardit Ferizi also accessed customer data from an unidentified Internet retailer, obtaining credit card information on 100,000 customers, according to a federal indictment unsealed in Virginia. Ferizi, allegedly head of a group of Albanian hackers from Kosovo, even went so far as to admonish employees of the retailer via email when they detected his penetration of their system and blocked him.
According to a lengthy affidavit filed by FBI special agent Kevin Gallagher, who is based out of the Washington field office, Ferizi had unauthorized access to a federal computer and used that access to obtain email addresses, cities of residence, dates of birth and other personal identifying information on 1,351 government and military workers, and passed those names onto the Islamic State terrorist group between April and August.
He transferred the information via links he posted to Twitter, the affidavit said, "for the purpose of encouraging terrorist attacks against against the individuals." He also used the social media site to communicate to two known Islamic State members, Tariq Hamayun — also known as Abu Muslim al-Britani — and Junaid Hussain — also known as Abu Hussain al-Britani. Hussain died in August in an air strike in Raqqah, Syria.
The activity prompted the Islamic State Hacking Division to tweet a message to "crusaders" engaged in a "bombing campaign" against Muslims: "We are in your emails and computer systems, watching and recording your every move, we have your names and addresses … we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike your necks in your own lands!”
Regarding the retailer, not named in the document, Ferizi accessed a server in Phoenix in June that belongs to an Internet hosting company that maintain's the company's website, according to the affidavit. On Aug. 13, the retailer contacted the FBI to report unauthorized access to its site, Gallagher wrote.
As of spring 2015, Ferizi has been living in Malaysia on a student visa and studying at Limkokwing University of Creative Technology in Cyberjaya, Malaysia.

Hackers steal £20 million from UK bank accounts using malware

Law enforcement agencies with the help of several cybersecurity firms took control of a botnet network of machines that distributed malicious software known as “Bugat,” “Cridex” or “Dridex. The Dridex malware was used by cyber criminals to steal some £20 million ($30 million) from UK bank accounts according to the National Crime Agency (NCA).
NCA has issued issued a warning Internet users especially those from United Kingdom to protect themselves against the Dridex and said that they are chasing down the “technically skilled” cyber criminals.According to NCA this malware preyed on unsuspecting people by slipping into their computers, stealing passwords and siphoning money from bank accounts. For distribution, it relied on a network of enslaved computers. Experts say the botnet infected maybe 125,000 computers a year.Separately, the U.S. Department of Justice also filed criminal charges against Andrey Ghinkul, a 30-year-old man who is believed to have been the hacker at the helm of the operation. Ghinkul was recently arrested in Cyprus, and American prosecutors are seeking to have him extradited to stand trial in the United States.U.S. Attorney David J. Hickton of Pennsylvania said: “We have struck a blow to one of the most pernicious malware threats in the world.”According to the indictment, Ghinkul’s high tech cyber crimes have been going on for years now. Investigators believe Ghinkul and others sent official-looking spam that tricked people to open poisonous email attachments. Using that method, they were able to steal $3.5 million from Penneco Oil in Pennsylvania in 2012 and send that to bank accounts in Belarus and Ukraine, according to the indictment.Bugat evolved over the years into smarter and more capable versions. Researchers called later it Cridex, then eventually Dridex. The massive botnet distribution system — the one that was just shut down — made Dridex the most popular malware bombarding corporate computer networks. If work email got hit with spam, it’s likely much of it was Dridex.

Security researchers have been collaborating with the law enforcement agencies for this operation.  Researchers from Proofpoint said that the hackers sent out waves of up to 350,000 Dridex-laced spam emails every day, while, researchers at Dell SecureWorks started working on a project to disrupt the monstrous botnet. It teamed up with law enforcement, and received legal permission to hack the botnet, according to the company.

In United Kingdom, Mike Hulett from the NCA said: “This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes.

Think your mobile calls and texts are private? It ain't necessarily so

 Silhouette of spy discerning password from code uses a command on graphic user interface

Mobile networks around the world have been penetrated by criminals and governments via bugs in signalling code.
Security holes have been found in a technology known as Signalling System 7 (SS7), which helps to interconnect international mobile networks across the globe.
AdaptiveMobile has uncovered evidence of global SS7 network attacks causing damage to mobile operators around the world after partnering with mobile operators and networks to analyse and secure the SS7 traffic across their networks.
Exploits, including location tracking and call interception, are said to be rife. The study also uncovered evidence of attempted fraud, focusing on Europe, Middle East and the Americas.
The results are a serious concern but not entirely surprising. Flaws in SS7 have been known about for years and readily lend themselves to surveillance, both targeted and on a grand scale, allowing miscreants to tap into calls, read text messages and divert traffic.
In one well documented case, SS7 flaws were used to redirect sensitive conversations of targeted individuals on the MTS Ukraine network to a Russian mobile operator.
By contrast, SS7 is far more robust when it comes to the security and integrity of billing functionality. Even so, some studies have suggested SS7 loopholes can be abused to move credit between mobile accounts.
Attacks such as ”silent SMS pings" can be used to locate mobile phones anywhere in the world via SS7. With the right request it might be possible to trick a mobile network into handing over the crypto keys from any SIM/session. This rumoured – but unverified – capability would be restricted to the more capable intel agencies.
Details of SS7 vulnerabilities were publically revealed for the first time at the Chaos Communication Congress hacker conference in Hamburg last December. El Reg's story on the CCC presentation provides more info on how the ageing SS7 protocol works as well potential attacks.
AdaptiveMobile’s SS7 Protection service, launched in February 2015, aims to analyse and secure the SS7 traffic travelling through operator networks. The firm uses the combination of an SS7 Firewall, advanced reporting and threat intelligence to identify and combat threats. Sitting on the systems of 75 operator networks worldwide, AdaptiveMobile protects one fifth of the world’s subscribers, witnessing in excess of 30 billion mobile events every day, according to the mobile network security firm.
Unauthorised access to the SS7 network can cause significant financial and reputational damage to the operator community, according to AdaptiveMobile. Fraudulent roaming configurations can cost operators millions of dollars without any opportunity to recapture this revenue. Without appropriate preventative measures being put into place, operators are allowing adversaries to know exactly where a subscriber is at any given moment and to intercept and reroute device communications, listening to every call and reading every text message, the firm warns.
“Through our analysis of SS7 traffic we’ve detected numerous types of SS7 requests and responses being received and sent from one operator network to another,” said Cathal McDaid, head of AdaptiveMobile’s Threat Intelligence Unit. “From the Americas to MENA, Europe to APAC, the operator networks analysed have all shown evidence of suspicious SS7 activity. We’re working with operators to secure their networks as none are exempt from these types of attacks.”
Chris Wysopal, CISO and CTO at application security firm Veracode, commented: “The SS7 vulnerabilities are just another example of software-based systems that weren’t built for the rich interconnectivity and threats of the modern mobile infrastructure.”
“Development teams need to go into projects with the expectations that what they’re creating will live in a hostile environment where attackers will look to exploit vulnerabilities. We’ve seen this across every industry and it’s no surprise it’s occurring in the telco industry,” he added.
The potential for abuse for any group capable of breaking SS7 are rich, according to Wysopal.
“A core protocol like SS7 provides governments and rogue actors wide access to the world’s communications infrastructure making it an incredibly attractive system to break into,” Wysopal explained. “Until software developers change their approach and build security into their code from the start, we’re going to continue to see these problems.”
A worldwide map of SS7 international roaming infrastructure vulnerabilities – put together following an earlier study by telecom security specialist P1 Labs late last year – can be found here. China is among the countries with the worst security rating for SS7 security, alongside the likes of Uzbekistan. Somalia and Yemen as well as (more surprisingly) Bolivia and Greenland are also highlighted.

Students, graduates, amateurs: Win £10,000 in Cyber 10K challenge

 NCC Group is running the Cyber 10K security challenge to encourage young people and security amateurs to join the industry – and The Register is the exclusive media partner.
You can scroll down for details of how to enter the competition.
As a background, the UK, as many of us know, has an ongoing shortage of skills in science, technology, engineering and mathematics (STEM), despite the best efforts of government-inspired education initiatives.
Vocational training and apprenticeships are a good foundation for acquiring practical skills and also deliver a demonstrable career path. Competition-based funds are one way industry can encourage young people to consider and embark upon careers in STEM, NCC Group’s Cyber 10K being a good example.
Ollie Whitehouse, technical director at NCC Group, explains: “We are continuously being reminded of the importance of STEM subjects and the ground-breaking innovations that can be created in these areas. Similarly to its STEM counterparts, the topic of computer science, and more specifically cyber security, is one that is difficult to fully grasp in a classroom or lecture theatre.
“Often, learning through experience is much more valuable. And if we are to develop the next generation of talent in the cyber security industry, it’s important that we offer IT amateurs the opportunity to gain real practical experience in order to better their skills.
“That’s where competitions like the Cyber 10K come in. These types of competition based funds create a win-win situation for both ambitious amateurs and the sector – they help to nurture and encourage talent, resulting in a pipeline of knowledgeable, experienced and creative security professionals for the industry.”
Competition details are below. Get cracking!


Timing Duration: September – November 2015

Entry criteria

  • Description of the problem you are trying to solve.
  • Description of your solution and how it addresses the problem.
  • In addition to the above for an entry to qualify you must include a working prototype – a functional solution which can be used to demonstrate the idea in a reliable manner that accurately shows the idea working.
It is recommended that you also include Design documentation for the solution<


There are no strict categories. Anything goes as long as it hits the entry criteria, but some areas that you might want to think about include:
  • cloud security
  • cyber incident response and clean-up
  • IoT and mobile security
  • consumer and user awareness, training and support
  • cyber security on small budgets

The judging panel includes the following experts:

  • John Leyden, security reporter, The Register
  • Professor Steve Schneider, director, Surrey Centre for Cyber Security
  • Professor Tim Watson, director at University of Warwick’s cyber security centre
  • Alex van Someran, managing partner at Amadeus Capital Partners
  • Paul Vlissidis, director of .trust at NCC Group