Saturday, 3 August 2013

Security Challenges: Jonathan Urges New Approach from Armed Forces

President Goodluck Jonathan in Abuja on Saturday urged members of the Armed Forces to discover new approaches and greater sophistication to tackle the security challenges facing the country.
Jonathan made the call at the graduation ceremony of participants of Course 21 of the National Defence College (NDC), Abuja.
Represented by the Senate President, Senator David Mark, the president said it was evident that national and regional security in the 21st century was determined by forces that were operating within and beyond national borders.
He added that adversaries in the past were easier to identify and confronted in open hostilities.
The president said: “Today, the enemy is usually unseen, hiding behind human shields and despicable ideologies and deploying cyber offensives, in addition to lethal conventional and unconventional armaments.
“Confronting these new threats requires new thinking, new approaches and greater sophistication in equipment and capabilities.
“Our Armed Forces must be agile and proactive, by enhancing their capabilities to identify and disrupt before execution, the plans and machinations of these faceless enemies, including their sources of funding, arsenal, training bases and recruitment efforts.”
He said the Armed Forces must remain eternally vigilant “to reduce our vulnerability as they constantly review their strategies.”
The president assured the military that government would continue to implement measures to reposition the forces to ensure that they were properly equipped to carry out their constitutional mandate and other responsibilities on behalf of the nation.
Jonathan said that in spite of the challenges confronting the nation, the current administration was determined to reform the economy and the society “so that people can live a better life.
“The covenant we have with our people is to deliver a greater Nigeria that we believe in. We are committed to this and we must deliver it to the coming generations.
“I congratulate the graduating officers of Course 21 and from what I have heard so far, you all have demonstrated the spirit of hard work and commitment during your time at the college.
“You all have also been found to deserve the new prestigious status of the Fellow of the National Defence College (FDC).”
Earlier, the Commandant of NDC, Rear Adm. Thomas Lokoson, had said that the 131 graduating participants were inaugurated on Sept. 10, 2012.
Lokoson said the participants had been prepared to take up leadership positions in their various places of work.
He added that the participants were privileged to have studied in an environment known for its high standard of discipline, moral value and excellence in academics.
“We expect that you will continue to live up to these high standards as you are leaving the National Defence College with various experiences.
“I urge you to apply these experiences positively and always give good account of yourselves at all times, knowing that where you are coming from is known for its high standard and commitment to excellence,” Jonathan said.

CreepyDOL: The Sinister Espionage System for $57

Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?
Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.
Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.
Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.
“Actually it’s not hard,” he concluded. “It’s terrifyingly easy.”
Also creepy – which is why he called his contraption “creepyDOL.”
“It could be used for anything depending on how creepy you want to be,” he said.
You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed.
Mr. O’Connor says he did none of that – and for a reason. In addition to being a security researcher and founder of a consulting firm called Malice Afterthought, he is also a law student at the University of Wisconsin at Madison. He says he stuck to snooping on himself – and did not, deliberately, seek to scoop up anyone else’s data – because of a federal law called the Computer Fraud and Abuse Act.
Some of his fellow security researchers have been prosecuted under that law. One of them, Andrew Auernheimer, whose hacker alias is Weev, was sentenced to 41 months in prison for exploiting a security hole in the computer system of AT&T, which made e-mail addresses accessible for over 100,000 iPad owners; Mr. Auernheimer is appealing the case.
“I haven’t done a full deployment of this because the United States government has made a practice of prosecuting security researchers,” he contends. “Everyone is terrified.”
He is presenting his findings at two security conferences in Las Vegas this week, including at a session for young people. It is a window into how cheap and easy it is to erect a surveillance apparatus.
“It eliminates the idea of ‘blending into a crowd,’” is how he put it. “If you have a wireless device (phone, iPad, etc.), even if you’re not connected to a network, CreepyDOL will see you, track your movements, and report home.”
Can individual consumers guard against such a prospect? Not really, he concluded. Applications leak more information than they should. And those who care about security and use things like VPN have to connect to their tunneling software after connecting to a Wi-Fi hub, meaning that at least for a few seconds, their Web traffic is known to anyone who cares to know, and VPN does nothing to mask your device identifier.
In addition, every Wi-Fi network that your cellphone has connected to in the past is also stored in the device, meaning that as you wander by every other network, you share details of the Wi-Fi networks you’ve connected to in the past. “These are fundamental design flaws in the way pretty much everything works,” he said.
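To make the last two paragraphs concrete, the following added example (not Mr. O'Connor's code) parses constructed 802.11 probe request frames and reconstructs what a passive sensor learns per device: the transmitter MAC, whether it looks randomized, and the names of remembered networks the device probes for. The frame bytes are constructed test input; nothing is captured from or sent to a real network.

```python
"""Parse constructed 802.11 probe request frames and report what a passive
sensor like the one described above can learn from them. Added example with
constructed frames; nothing here is captured from or sent to a real network."""
import struct

def format_mac(mac):
    return ":".join(f"{b:02x}" for b in mac)

def is_locally_administered(mac):
    # Bit 1 of the first octet set means a locally administered address, which is
    # what MAC randomization sets; a clear bit suggests the burned-in hardware MAC.
    return bool(mac[0] & 0x02)

def parse_probe_request(frame):
    """Return source MAC, randomization hint and the SSIDs a probe request names."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        raise ValueError("not a probe request (management type 0, subtype 4)")
    src = frame[10:16]                      # address 2 is the transmitter
    body, ssids, i = frame[24:], [], 0
    while i + 2 <= len(body):               # walk the information elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == 0:                        # element id 0 is the SSID
            ssids.append(value.decode("utf-8", "replace"))
        i += 2 + length
    return {"src": format_mac(src), "randomized": is_locally_administered(src),
            "ssids": ssids}

def build_probe_request(src, ssid):
    """Build a minimal probe request (constructed test input for the parser)."""
    header = (struct.pack("<H", 0x0040)     # frame control: type 0, subtype 4
              + b"\x00\x00"                 # duration
              + b"\xff" * 6 + src + b"\xff" * 6   # broadcast dst, src, broadcast bssid
              + b"\x00\x00")                # sequence control
    ssid_bytes = ssid.encode()
    elements = bytes([0, len(ssid_bytes)]) + ssid_bytes   # SSID element
    elements += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])     # supported rates element
    return header + elements

# Constructed sample traffic: a phone using its hardware MAC that names two
# remembered networks, and a device using a randomized MAC sending only
# wildcard (empty SSID) probes.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("001122334455"), "Home-WiFi"),
    build_probe_request(bytes.fromhex("001122334455"), "CafeGuest"),
    build_probe_request(bytes.fromhex("021122334455"), ""),
]

def summarize(frames):
    """Group what each transmitter revealed: the view a sensor would assemble."""
    devices = {}
    for frame in frames:
        p = parse_probe_request(frame)
        entry = devices.setdefault(p["src"], {"randomized": p["randomized"], "ssids": set()})
        entry["ssids"].update(s for s in p["ssids"] if s)  # wildcard probes reveal no name
    return devices

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_FRAMES).items():
        print(mac, "randomized" if info["randomized"] else "hardware", sorted(info["ssids"]))
```

The third constructed device shows the two mitigations that exist at the device level: a randomized address and wildcard probes leave the sensor with neither a stable identifier nor a network history.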

NSA X-Keyscore Member of Cyberespionage Family

It would be logical for NSA to use US embassies abroad as a family of outposts for X-Keyscore harvesting local communications. Embassies have always been used for full-spectrum espionage in all its guises and disguises, military, political, economic, social, so adding cyber was inevitable. The embassies have multiple networks for communications from minimal to highest levels of security. To conduct cyber-espionage would be a seamless extension of existing technology.
Further revelations of Snowden's documents could describe how this is done with personnel, networks and data-server architecture, not only by PRISM and X-Keyscore. Staff of these spy systems may be seen as HUMINT androids safely bunkered for intimately wielding their remote-spying apparatus in concert with remote-commanding officials and killing-machine operators with whom they work to surveil, analyze, target and execute.
LinkedIn and other social media, job recruiters, conference sponsors, have since 9/11 rushed to fill burgeoning "intel analyst" positions, many military and official spy-trained, now seeking greater pay and perks on the cyberespionage market. These "intel analyst" job seekers and holders (happily "endorsing" each other) parade the codenames of espionage tools and programs they have mastered, XKeyscore only one among these compiled by A's quick overnight search of LinkedIn:
AGILEVIEW, AGILITY, AIRGAP/COZEN, AIGHANDLER, ANCHORY/MAUI, ARCANAPUP, ARTEMIS, ASSOCIATION, AUTOSOURCE, BEAMER, BELLVIEW, BLACKPEARL, CADENCE/GAMUT, CHALKFUN, CINEPLEX, CLOUD, COASTLINE, COMMONVIEW, CONTRAOCTAVE, CONVERGENCE, COURIERSKILL, CREEK, CREST, CROSSBONES, CPE, CULTWEAVE, CYBERTRANS, DISHFIRE, DOUBLEARROW, DRAGONFLY, Enhanced WEALTHYCLUSTER (EWC), ETHEREAL (maybe opensource network analysis?), FASCIA, FASTSCOPE, FOREMAN, GAMUT/UTT, GISTQUEUE, GJALLER, GLAVE, GLOBALREACH, GOLDMINER, GOLDPOINT, GOSSAMER, GROWLER, HERCULES (CIA terror database) HIGHTIDE/SKYWRITER, HOMEBASE, INFOSHARE, JOLLYROGER, KINGFISH, LIQUIDFIRE, MAINWAY, MARINA, MASTERLINK, MASTERSHAKE, MAUI/ANCHORY, MESSIAH, METTLESOME, NEWHORIZONS, NIGHTSURF, NORMALRUN/CHEWSTICK/FALLENORACLE, NUCLEON, OCTAVE, PATHMASTER/MAILORDER, PINWALE, PANOPTICON, PRESENTER, PROTON, RAVENWING, RENOIR, ROADBED, SCORPIOFORE/CPE, SHARKFINN, SKOPE, SKYWRITER, SNAPE, SPOTBEAM, STINGRAY; SURREY, TAPERLAY, TAROTCARD, TEMPTRESS, TRACFIN, TRAILMAPPER, TREASUREMAP, TRICKLER, TUNINGFORK/SEEKER, TURMOIL, TUSKATTIRE, TWISTEDPATH, UIS/PINWALE, UTT, WEALTHYCLUSTER, WIRESHARK (opensource network analysis?) WITCHHUNT, XKEYSCORE, YELLOWSTONE/SPLITGLASS
These manifold programs imply that US embassies operating X-Keyscore networks and data-servers to tap into global nations' telecommunications hubs for cyber spying would require no more than doing what US spy agencies do inside the USA: overtly and covertly arranging access through domestic official and commercial spying and law enforcement agencies, corporations, telecommunications networks, financial institutions, consultants, cyber mercenaries, organized criminal organizations, opportunistic patriots, informants, educational institutions, all the ancient cooperators, and now variable-hatted hackers, cryptographers, anonymizers, freedom of information fighters, civil liberties fronts, political organizations, lobbyists, press officers, governmental office-holders, donors and funding organizations.

Hackers of Bangladesh, Indonesia engage in cyber-war

Hundreds of websites in Bangladesh and Indonesia were attacked and brought down after a cyber-war erupted between hackers of the two countries, said a London-based online tech publication.
It was unclear which side started the cyber-war and when.
A group called Bangladesh Grey Hat Hackers claimed to have hacked around 900 Indonesian sites, said the July 30 report of The Register.
On the group’s Facebook page, a hacker under the name “Rotating Rotor” wrote an open letter to Indonesia that day.
“You guys only knew that we are defacing your countries sites. We are forced to do so with your hacking teams, who wanted war with us several times before.”
The group claimed that five Indonesian groups carried out small-scale cyber attacks in recent months despite repeated calls for peace, provoking a full-scale retaliation.
“We are getting thousands of requests from many Indonesian’s to stop the attack…We had decided to stop. But Indonesian hackers defaced our sites again.”
“Right now we are just only defacing. If your hackers don’t stop we are going to inject malware and viruses to all of your e-commerce sites and destroy your e-commerce system,” said the hacker.
Indonesian hackers also released a list of the Bangladeshi sites they have attacked in turn, which include religious courts and government websites, said the report.

Who's Watching? Hacked Security Cams Spoof Images, Attack Network

It's a standard scene in most heist movies. The crime team needs to get through an area that's covered by security cameras, so they hack into the security system to make the camera show an empty hallway. A Black Hat conference presentation demonstrated how incredibly simple that hack can be on a modern Internet-connected security camera. In truth, if you've got security cameras in your office or business, this hack is the least of your worries. A hacker could well get full access to the network through your cameras. Hey, weren't they supposed to give you better security?
I See You
Presenter Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions, but he's had other jobs. "The news stories talked a lot about the fact that I used to work for a three-letter agency," said Heffner. "Some claimed that this presentation is based on work I did for the NSA. That resulted in some interesting calls from my former employer." Heffner clarified that all of the research going into this presentation was performed for his current employer, not the NSA.
Heffner evaluated cameras from D-Link, Linksys, Cisco, IQInvision, and 3SVision. Without going into the gory low-level details, in every case he found a way to run arbitrary commands remotely. "I dubbed this the Ron Burgundy exploit," quipped Heffner. "It just runs anything you give it, and it will send you a response." In several cases he found administrator login credentials hard-coded in the firmware. "The problem with secret hard-coded passwords and secret backdoors," said Heffner, "is that they don't stay secret."
In the end, Heffner gained access at the root level to every camera. He pointed out that there's a huge re-use of code between a company's own models and also between companies, so these vulnerabilities cover a lot of cameras. And because firmware so rarely gets updated, vulnerabilities from several years ago are still subject to exploit.
It Gets Worse
Heffner pointed out that most security cameras are connected to the office network. "I'm in your network, I can see you, and I'm root," he said. "Not a bad position! I have root-level control of a Linux-based machine inside your network."
"But let's take a step back," Heffner continued. "What can I do to the camera itself? I can modify the video stream, the classic Hollywood hack." He finished up with a real-world demonstration, setting up a camera to protect a bottle of beer on the speaker's table. With the camera in place, he launched an exploit that tweaked the administrator's view to show the bottle, safe and sound while he "stole" the bottle. The attendees loved it.
Insecurity Camera?
"Most of these bugs are epically trivial," concluded Heffner. "Most cameras will tell you the model number even if you're not authenticated. I can Google the model, download the firmware, and start analyzing it without ever buying a device." In fact, Heffner developed all of these attacks strictly by firmware analysis, before ever testing on an actual camera.
Asked if he'd found any security cameras that he couldn't hack, Heffner said no. "There are so many more, but I would have needed a two-hour talk, at least."
The Shodan website makes it easy to search for cameras that are visible online. If you have security cameras in your office or factory, your video feeds may already be wide open. Even if they're not, it's very likely that a hacker could take control of the video feed. In particular if you're using cameras from any of the vendors mentioned, you'll want to carefully review Heffner's presentation, as it contains full details that would allow anyone to hack the affected cameras. There's more at stake here than worrying about Danny Ocean blanking your cameras for a heist.

Smart Bot Reads Your Facebook, Mimics You in Spear Phishing Messages

Spear Phishing
Spear phishing is getting easier for criminals trying to put together social engineering attacks, and it's all thanks to the data you yourself post online, researchers said at a session at the Black Hat security conference in Las Vegas.
Attackers mine the posts on Twitter, Facebook, Instagram, Foursquare, and other online properties to find information that people provide about themselves, but also to mimic people's writing style, such as frequently used words, said Trustwave researchers Joaquim Espinhara and Ulisses Albuquerque during their presentation on Thursday. All this information is used to craft a message that actually sounds like someone the victim would know.
Many attack emails are actually recognizable as malicious precisely because they don't sound like something a real person the victim knows would say. But if attackers can refine the tone of the message, then they are likely to trap that victim, Espinhara and Albuquerque said.
Microphisher
To prove their point, Trustwave researchers released a new tool at the conference which analyzes public posts and creates a "fingerprint" for each person's communication style. Microphisher uses natural language processing to analyze public posts on social networks and other online sites. Even how you use hashtags on Twitter, how long your typical sentence is, and the topics you generally write about can all be used towards determining your fingerprint, Albuquerque said.
Microphisher is intended to help organizations improve their IT security, Albuquerque said. Trustwave SpiderLabs frequently puts together penetration tests and other social engineering tests to determine how effective an organization is in thwarting spear phishing. Microphisher can be used to craft messages that are similar in style and content to what a specific individual would write. With a more natural sounding and topical message, Trustwave could test the organization's security readiness much more effectively, Albuquerque said.
Imagine if attackers analyze the contents of a CEO's Twitter feed with Microphisher. They can then craft a message that mimics his or her style and send it to other employees, who would likely click on a link in the email or open the attachment because it would sound like something the CEO would normally write, they said.
The reverse is also possible, where the tool can be used to figure out which posts were legitimately written by someone and which one was faked. "The same tricks can be used to evaluate whether emails are realistic, if you know the sender's Twitter account," Albuquerque said.
Microphisher relies on statistical analysis to determine how close a message being written is to an email profile, so it cannot be used to automatically generate believable phishing messages.
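The defensive use just described, checking whether a message is consistent with a known sender's public writing, can be illustrated with a deliberately small style fingerprint. This is an added example, not Microphisher's own code; the executive's posts, the genuine message and the impostor message are all constructed, and the thresholds are illustrative.

```python
"""Compare a message against the writing style of a sender's public posts, the
defensive use described above. Added example, not Microphisher's own code; the
posts and messages are constructed, and the feature set is deliberately simple."""
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z']+")

def word_counts(text):
    # "#growth" counts as the word "growth": hashtags double as topic words here.
    return Counter(WORD_RE.findall(text.lower()))

def style_features(text):
    """Numeric style markers that sit beside the vocabulary: sentence length and
    hashtag habit, two of the signals the talk mentions."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = WORD_RE.findall(text.lower())
    hashtags = re.findall(r"#\w+", text)
    return {"avg_sentence_len": len(words) / max(1, len(sentences)),
            "hashtag_rate": len(hashtags) / max(1, len(words))}

def build_profile(posts):
    """Average vocabulary and style markers across a sender's known posts."""
    vocab, style = Counter(), Counter()
    for post in posts:
        vocab.update(word_counts(post))
        style.update(style_features(post))
    n = len(posts)
    return {"vocab": {w: c / n for w, c in vocab.items()},
            "style": {k: v / n for k, v in style.items()}}

def cosine(a, b):
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in set(a) | set(b))
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def compare(profile, message):
    """Lexical similarity plus how far the style markers drift from the profile."""
    feats = style_features(message)
    return {"lexical": cosine(profile["vocab"], word_counts(message)),
            "sentence_len_diff": abs(feats["avg_sentence_len"] - profile["style"]["avg_sentence_len"]),
            "hashtag_rate_diff": abs(feats["hashtag_rate"] - profile["style"]["hashtag_rate"])}

def looks_like_sender(profile, message, min_lexical=0.3, max_sentence_drift=6.0):
    """True when vocabulary and sentence length resemble the sender's posts.
    Thresholds are illustrative; tune them on real samples before relying on them."""
    r = compare(profile, message)
    return r["lexical"] >= min_lexical and r["sentence_len_diff"] <= max_sentence_drift

# Constructed public posts attributed to a fictional executive.
CEO_POSTS = [
    "Great quarter for the team! Shipping faster every week. #growth #team",
    "Proud of the team today. Customer demo went great! #customers",
    "Back from the offsite. Big plans for the quarter, team. #growth",
]
# Constructed messages: one in the executive's voice, one generic phishing pretext.
GENUINE = "Team, great news on the quarter. Demo for the customer went great! #growth"
IMPOSTOR = ("Dear colleague, kindly verify your account credentials immediately "
            "by clicking the secure link below.")

if __name__ == "__main__":
    profile = build_profile(CEO_POSTS)
    for label, msg in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, compare(profile, msg), looks_like_sender(profile, msg))
```

The generic pretext fails on both counts: almost none of its vocabulary appears in the profile, and its single long sentence is far from the sender's short, hashtag-heavy habit. A message crafted from the same posts would score well, which is exactly why the article's advice not to trust a familiar voice still stands.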
Stay Safe
As always, people should not click on random, unknown links or open attachments, regardless of the source. It doesn't matter if you know who the person sending the information is—since it is increasingly clear that there is plenty of information available online to create convincing fakes.

Google Android Device Manager finds your lost Phone

Google releases a tool to help Android owners locate their lost phones.
“Dude, where’s my phone? Simple steps to protect your Android device this summer,” reads the Google blog.
This summer we’re posting regularly with privacy and security tips. Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. -Ed.
With summer vacation in full swing, you’re likely out and about, using your smartphone or tablet to get answers on the go or check out the latest cool apps and games. But you don’t have to leave safety at home! In this post, we’re sharing a few tips and tools that you can easily set up if you’re on an Android phone or tablet to keep your device and the contents inside safe and secure, including a new service that makes it easy to locate a misplaced device.
1. Lock your device screen. Whether you’re on a phone or a tablet, it’s easy to set up a screen lock. This is important to do in case your device gets left in the back of a car, or you’re worried about someone picking up your phone and scrolling through your stuff. You can lock your device with a PIN, password, pattern (or even your face!) by going to Settings > Personal > Security > Screen Lock.
2. Protect your phone from suspicious apps. We automatically scan Google Play to block and remove harmful apps. That makes Google Play the safest place to get Android apps. But Google Play can also help protect you even for apps you get elsewhere, like the web or a third-party app store. The first time you start to install an app from an unknown source, a message will pop up asking if you’d like Google to scan the file to make sure it’s not harmful. Tap “OK” to let Google help protect you from harmful apps.
3. Locate, ring and wipe a misplaced device. Have you ever lost your phone in between the couch cushions or left it in a restaurant? Later this month, you will be able to use a new service called Android Device Manager, which can quickly ring your phone at maximum volume so you can find it (even if it’s been silenced), or locate it on a map, in real time, using Android Device Manager. If your phone can’t be recovered, or has been stolen, you can quickly and securely erase all of the data on your device to keep your data from ending up in the wrong hands. The Android Device Manager will be available for devices running Android 2.2 and above, as part of Google Play. You can read the full announcement on the Android blog.
For more advice on how to protect yourself and your family online, visit our Good to Know site, and stay tuned for more posts in our security series.

Companies 'not aware' of being hacked

Most companies are not aware that they have been compromised and their intellectual property stolen, a cyber security firm has said.
"Most organisations who we actually end up doing forensics investigations for didn't figure out for themselves that they'd actually suffered a compromise - that they'd been hacked," John Yeo, EMEA director at Trustwave, told News24.
Trustwave division Spiderlabs specialises in penetration testing or ethical hacking.
Yeo said that the overall majority of clients the company handled were unaware that they had been compromised.
"Of all the forensics investigations that we did last year in only 25% of cases did the victims figure it out for themselves that they’d been hacked."
Antivirus
While most companies rely on antivirus solutions to prevent malware from intruding, Spiderlabs' research shows that attacks on corporations have become targeted.
"Of those 415 investigations we conducted last year, the vast majority we saw in each of those cases was bespoke so it wasn't something that was off the shelf or that was used in many different organisations - it was written with a very specific purpose in mind and was only used once," said Yeo.
He said that hackers who conduct attacks usually have a long period of access to company servers before they are detected.
"Intuitively you’d think that if an organisation gets hacked, they’d know about it and they’d know about it pretty quickly. But the reality is that they don’t figure it out for themselves and on average it takes about 210 days before the detection actually takes place."
Antivirus solutions that rely on virus definitions do not readily register malware that has been specifically designed to target a computer if that malware has not been identified previously.
This implies that hackers - whether they be corporate or state - can harvest data from companies without their knowledge or setting off alarms.
"Signature-based antivirus hasn't got a hope of being able to detect it and any organisation that thinks 'I've got antivirus deployed on my mission critical systems and if the worst case scenario happens, I'm going to detect it,' that's not going to happen," said Yeo.
Older software
Despite the release of so-called secure operating systems, Spiderlabs said that their experience shows that there is usually a fair number of systems running older software that can be exploited in medium to large firms.
Hackers typically gain entry into these older systems and quietly steal intellectual property.
"Attackers basically have free rein to a large extent. They manage to penetrate an organisation and they manage to harvest data for long periods of time before anyone figures out that anything is wrong," said Yeo.
He said that it was easier to go after "low hanging fruit" when looking to compromise a company and configuration errors and legacy systems were ideal targets for hackers.
"An attacker only needs to find the weak link in the chain, the chink in the armour. They're not going to go with a sledgehammer after the most secure system in the environment."

Trojan uses government servers and Google Chrome plugins to steal data

Researchers warn of attacks from unprotected IPv6 traffic

A gap in the adoption of the IPv6 protocol could be leaving users prone to attack, say researchers.
Security firm Neohapsis is warning that the protocol, which has been undergoing a rollout over the last several years, could be subject to a unique attack that redirects users to unwanted, potentially malicious pages.
Dubbed a “SLAAC” attack, the operation takes advantage of the client-side rollout of IPv6 and the built-in preference such systems have for the new protocol.
“Modern operating systems, such as Windows 8 and Mac OS X, come out of the box ready and willing to use IPv6, but most networks still have only IPv4,” explained Neohapsis researchers Brent Bandelgar and Scott Behrens.
“This is a problem because the administrators of those networks may not be expecting any IPv6 activity and only have IPv4 monitoring and defenses in place.”
The researchers went on to describe an attack in which the attacker finds an IPv4-only network and sets up a server or network impersonating an IPv6 alternative. When users attempt to load the intended site, their systems could, by default, select the imposter network instead, sending their traffic through the attacker's systems.
“They could pretend to be an IPv6 router on your network and see all your web traffic, including data being sent to and from your machine,” the researchers said.
“Even more lethal, the attacker could modify web pages to launch client-side attacks, meaning they could create fake websites that look like the ones you are trying to access, but send all data you enter back to the attacker (such as your username and password or credit card number).”
While such attacks could be mitigated by disabling IPv6 on newer systems, Neohapsis believes that the more practical and effective solution for the long term is to encourage companies and network operators to speed up their adoption of the IPv6 protocol.
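The monitoring gap the researchers describe is a network that has IPv4 defenses only, so nobody notices an unexpected IPv6 router announcing itself. The added example below (not Neohapsis code) parses ICMPv6 Router Advertisements and checks them against a per-segment policy, flagging any RA on a segment with no planned IPv6 and any unknown router, prefix or resolver elsewhere. The packets and policies are constructed; the parser handles the ICMPv6 message only, and nothing is sent.

```python
"""Detect router advertisements that a network was not supposed to carry: the
SLAAC attack above works because hosts accept any RA and prefer the IPv6 path it
offers. Added example with constructed packets; it parses the ICMPv6 message
only (no IPv6 header) and sends nothing. Policy contents are assumptions."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25

def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement and its common options (RFC 4861/6106)."""
    if len(msg) < 16:
        raise ValueError("too short for a router advertisement")
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack_from("!BBHBBHII", msg, 0)
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a router advertisement")
    ra = {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "src_mac": None, "prefixes": [], "dns": []}
    i = 16
    while i + 2 <= len(msg):                   # options are (type, len in 8-byte units, ...)
        otype, olen = msg[i], msg[i + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        opt = msg[i:i + olen * 8]
        if len(opt) != olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = opt[2], opt[3]
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "autonomous": bool(pflags & 0x40)})  # A flag: SLAAC allowed
        elif otype == OPT_RDNSS and olen >= 3:
            for j in range(8, olen * 8, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(opt[j:j + 16])))
        i += olen * 8
    return ra

def assess_ra(ra, policy):
    """Return findings where an RA departs from what the segment should announce."""
    findings = []
    if not policy["ipv6_expected"]:
        findings.append("router advertisement on a segment with no planned IPv6")
    if ra["src_mac"] not in policy["routers"]:
        findings.append(f"RA from unknown router {ra['src_mac']}")
    for p in ra["prefixes"]:
        if p["prefix"] not in policy["prefixes"]:
            findings.append(f"unexpected prefix {p['prefix']}")
    for d in ra["dns"]:
        if d not in policy["dns"]:
            findings.append(f"unexpected DNS server {d}")
    return findings

def build_ra(src_mac, prefix, plen=64, dns=(), lifetime=1800):
    """Construct an RA message as test input (checksum left zero; nothing is sent)."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    msg += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    msg += ipaddress.IPv6Address(prefix).packed
    if dns:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, lifetime)
        msg += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return msg

# Constructed samples: the legitimate router of a dual-stack segment, and a rogue
# host announcing its own prefix and resolver, which is what the attack relies on.
LEGIT_RA = build_ra("00:1a:2b:3c:4d:5e", "2001:db8:1::")
ROGUE_RA = build_ra("de:ad:be:ef:00:01", "2001:db8:bad::", dns=("2001:db8:bad::53",))

# Assumed policies: an IPv4-only office segment, and a segment with planned IPv6.
POLICY_IPV4_ONLY = {"ipv6_expected": False, "routers": set(), "prefixes": set(), "dns": set()}
POLICY_DUAL_STACK = {"ipv6_expected": True, "routers": {"00:1a:2b:3c:4d:5e"},
                     "prefixes": {"2001:db8:1::/64"}, "dns": set()}

if __name__ == "__main__":
    print(assess_ra(parse_ra(LEGIT_RA), POLICY_DUAL_STACK))
    print(assess_ra(parse_ra(ROGUE_RA), POLICY_IPV4_ONLY))
```

On a real segment the same checks belong on the switch (RA Guard) or in a listener fed from a span port; the point is that an "IPv4-only" network still needs an IPv6 monitoring rule, which is the gap the researchers describe.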