Wednesday: Wandering

All that is gold does not glitter; not all those who wander are lost.

— excerpt, The Lord of the Rings by J. R. R. Tolkien

It’s a lovely summer day here, cool and dry. Perfect to go walkabout, which I will do straight away after this post.

Hackety-hack-hack, Jack

  • Spearphishing method used on HRC and DNC revealed by security firm (SecureWorks) — Here’s their report, but read this Twitter thread if you don’t think you can handle the more detailed version. In short, best practice: DON’T CLICK ON SHORTENED LINKS using services like Bitly, which mask the underlying URL.
  • Researchers show speakerless computers can be hacked by listening to fans (arXiv.org) — Air-gapping a computer may not be enough if hackers can listen to fan operation to obtain information. I’ll have to check, but this may be the second such study.
  • Another massive U.S. voter database breached (Naked Security) — This time 154 million voters’ data exposed, revealing all manner of details. 154M is larger than the number of voters in the 2012 general election, though smaller than the 191M voters’ records breached in December. At least this time the database owner slammed the breach shut once they were notified of the hole by researcher Chris Vickery. Nobody’s fessed up to owning the database involved in the December breach yet.
  • Speaking of Vickery: Terrorism database leaked (Reddit) — Thomson-Reuters’ database used by governments and banks to identify and monitor terrorism suspects was leaked (left open?) by a third party. Vickery contacted Thomson-Reuters which responded promptly and closed the leak. Maybe some folks need to put Vickery on retainer…
  • Different kind of hack: Trump campaign hitting up overseas MPs for cash? Or is he? (Scotsman) — There are reports that Trump’s campaign sent fundraising emails received by elected representatives in the UK and Iceland. Based on what we know now about the spearphishing of HRC and DNC, has anybody thought to do forensics on these emails, especially since government officials are so willing to share them widely? Using these kinds of emails would be a particularly productive method to spearphish government and media at the same time, as well as map relationships. Oh, and sow dissension inside the Trump family, urm, campaign. On the other hand, lack of response from Trump and team suggests it’s all Trump.

Makers making, takers taking

  • Apple granted a patent to block photo-taking (9to5Mac) — The technology relies on detecting infrared signals emitted when cameras are used. There’s another use for the technology: content can be triggered to play when infrared signal is detected.
  • Government suppressing inventions as military secrets (Bloomberg) — There’s merit to this, preventing development of products which may undermine national security. But like bug bounties, it might be worth paying folks who identify methods to breach security; it’s a lot cheaper than an actual breach, and a bargain compared to research detecting the same.
  • Google wants to make its own smartphone (Telegraph-UK) — This is an effort apart from development of the modular Ara device, and an odd move after ditching Motorola. Some tech industry folks say this doesn’t make sense. IMO, there’s one big reason why it’d be worth building a new smartphone from the ground up: security. Google can’t buy an existing manufacturer without a security risk.
  • Phonemaker ZTE’s spanking for Iran sanction violations deferred (Reuters) — This seems kind of odd; U.S. Commerce department agreed to a reprieve if ZTE cooperated with the government. But then think about the issue of security in phone manufacturing and it makes some sense.

A-brisket, a Brexit

  • EU health commissioner Andriukaitis’ response to Nigel Farage’s insulting remarks (European Commission) — Farage prefaced his speech to European Commissioners yesterday by saying “Most of you have never done a proper day’s work in your life.” Nice way to win friends and influence people, huh? Dr. Vytenis Andriukaitis is kinder than racist wanker Farage deserves.
  • Analysis of next couple years post-Brexit (Twitter) — Alex White, Director of Country Analysis at the Economist Intelligence Unit, offers what he says is “a moderate/constructive call” with “Risks definitely to the downside not to the upside.” It’s very ugly, hate to see what a more extreme view would look like. A pity so many Leave voters will never read him.

Follow-up: Facebook effery

Looks like Facebook’s thrown in the towel on users’ privacy altogether, opening personal profiles in a way that precludes anonymous browsing. Makes the flip-flop on users’ location look even more sketchy. (I can’t tell you anymore about this from personal experience because I gave up on Facebook several years ago.)

Happy hump day!

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
9 replies
  1. bloopie2 says:

    Re the Apple patent: “The technology relies on detecting infrared signals emitted when cameras are used.” It’s actually a separate infrared signal the venue transmits, and when your iPhone receives it along with visible light, your phone will stop recording. Again, there’s a simple workaround for the concert-goer who doesn’t want to be prevented from filming the concert: don’t use a phone (camera) that includes the specific circuitry needed to stop visible light recording when the accompanying infrared signal is detected. Likely this solution can be implemented by not using an Apple product–just use a plain old camera—because likely only Apple products will be so configured. Of course, who among us will give up their iPhone, even though it is now even more controlled (censored) by benevolent Apple?

  2. Stephen says:

    Rayne wrote: “Researchers show speakerless computers can be hacked by listening to fans”

    An interesting read. However, the title of this item is misleading, as the actual title of the paper in question indicates: “Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers”.

    The writers are NOT claiming an air-gapped computer can be HACKED using its fans. However, information can be exfiltrated (==extracted) from an ALREADY-hacked air-gapped machine to another (nearby) computer/device using suitably equipped malware on the air-gapped machine to modulate the speed of the fans to produce an audible code which the other computer/device (also compromised) can listen for and record, presumably for transmission/collection later.

  3. Rayne says:

    Stephen (8:40) — If by hacking one means to take unauthorized control of a computer, you’re right. If by hacking one means to take unauthorized data from a computer, the definition is accurate — just as HRC and DNC computer systems were hacked to obtain information, though by spearphishing.

    I also went back and checked for that story about similar research from the past year in which air gapped computers were hacked. Turns out two of the same research team also worked on a study (pdf) by which air-gapped computers might be compromised by way of thermal changes, perhaps by the HVAC system. In this study, the researchers looked at controlling the system in order to insert malware, not merely retrieving information without authorization.

    Given the origin of the studies and researchers involved, I believe both of these studies work together in development of a holistic approach.

    • Stephen says:

      Rayne wrote: “If by hacking one means to take unauthorized data from a computer, the definition is accurate…”

      With all due respect you are confusing hacking with spying. Granted that a person with PHYSICAL access to a computer and who by (say) typing in a stolen username/password logs in to it might be said to have “hacked” that computer, but without that physical access, let alone prior knowledge of crucial info like passwords, a hacker needs to install malware of some kind on the target computer in order to gain access to that computer and extract information from it remotely.

      Simple remote monitoring of a computer is NOT hacking. It is spying. Just as an FBI agent who taps your telephone line and listens in to your phone calls is spying, not hacking. To be hacking he or she would need to not only tap your phone line but in some way tap into the telephone handset itself and set it up as a listening device to spy on you (whether only when you make calls or even when you aren’t). Now that WOULD be hacking. In contrast, simply listening in to your calls is not (although that is not to say they might not have hacked the telephone company’s own systems in order to be able to do such spying).

      So too with hacking. It is the gaining access which is the hack. Monitoring a computer remotely in and of itself would not be. Hacking allows the hacker to gain control of the computer. Without that control a hacker would be reliant on the computer user to in some way provide them with useful information.

      Which brings me to the other PDF you list: once again the computer(s) in question have ALREADY been hacked!

      “Concretely, we show how attackers may use a compromised air-conditioning system (connected to the internet) to send commands to infected hosts within an air-gapped network.”

      Note the words “infected hosts”. No malware infection, no exfiltration.

  4. Stephen says:

    It is amazing how many US government or government-related Internet sites are vulnerable to hacking. Given all the billions the government spends on national security, you would think their Internet sites would be using impregnable (or at least up-to-date) security.

    Prediction: at some point somebody is going to hack into the US defense department. The reason: as far as I can make out, every single .mil website which uses https is using SHA-1 signed SSL certificates, which are incredibly vulnerable to attack (and which, at least with more modern computing systems, cause a warning to be issued if you try to log on to such a site). See:

    http://news.netcraft.com/archives/2016/01/08/us-military-still-shackled-to-outdated-dod-pki-infrastructure.html
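A defender-side check for the point made in this comment, added here as an example and not code from the post or its commenters: a minimal DER walker that reports which hash a certificate's signature uses, so an operator can audit their own servers for SHA-1-signed certificates. It uses only the standard library, and the two "certificates" at the bottom are constructed stand-ins (a bare SEQUENCE with a placeholder tbsCertificate and an AlgorithmIdentifier), not real certificates.

```python
# Added example (not from the post/comments): report the hash behind a DER
# certificate's signature, to audit your own servers for SHA-1. Stdlib only.
# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                   # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der_cert):
    """Return (dotted OID, name) of the certificate's signatureAlgorithm."""
    _, cert, _ = _read_tlv(der_cert, 0)      # Certificate ::= SEQUENCE {
    _, _, pos = _read_tlv(cert, 0)           #   tbsCertificate (skipped),
    _, alg_id, _ = _read_tlv(cert, pos)      #   signatureAlgorithm, ... }
    tag, oid_bytes, _ = _read_tlv(alg_id, 0) # AlgorithmIdentifier starts with OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def uses_sha1(der_cert):
    """True when the signature is SHA-1 based: the finding to flag."""
    return "SHA1" in signature_algorithm(der_cert)[1].upper()

def _fake_cert(oid_der):
    """Constructed SEQUENCE { tbs, AlgorithmIdentifier } with no signature."""
    tbs = bytes([0x30, 0x03, 0x02, 0x01, 0x02])   # SEQUENCE { INTEGER 2 }
    body = tbs + bytes([0x30, len(oid_der)]) + oid_der
    return bytes([0x30, len(body)]) + body

SHA1_CERT = _fake_cert(bytes.fromhex("06092a864886f70d010105"))     # constructed
SHA256_CERT = _fake_cert(bytes.fromhex("06092a864886f70d01010b"))   # constructed
```

To audit a real server, pass the bytes from `ssl.PEM_cert_to_DER_cert(pem_text)` to `uses_sha1`; the parser only reads the outer structure, so the rest of the certificate is untouched.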

  5. Rayne says:

    Stephen — So unauthorized access of military information on computers you are so concerned about at (9:20) by way of manipulating technology is hacking, but unauthorized access of military information on computers by way of manipulating technology researched by computer security and cryptographic researchers at a Cybersecurity Research Center isn’t hacking. Hmm-mmm. Right. Thanks for playing.

    • Stephen says:

      You are confused, Rayne. Go back and re-read those articles.

      Rayne wrote: “…but unauthorized access of military information on computers by way of manipulating technology researched by computer security and cryptographic researchers at a Cybersecurity Research Center isn’t hacking.”

      Wrong! The purpose of the researchers’ experiments was NOT to gain access but to see if they could extract info from the pre-infected computer “by way of manipulating technology”. Their proposed technique does not give them access to ANY computer. It only allows them to manipulate computers ALREADY infected with malware.

      I’m not sure you understand the difference.

      Take the second PDF you listed: “HVACKer: Bridging the Air-Gap by Manipulating the Environment Temperature”. The authors write (p3):

      “The attacker infects some of hosts behind the air gap using one of numerous social engineering attacks.”

      Elsewhere (p2) they note: “An example of a social engineering attack is where the attacker sends an email with an infected attachment, and the attachment is opened by the unsuspecting victim, thereby stealthily infecting the victim’s computer with the attacker’s malware.”

      In other words, they require their target machine be ALREADY infected with malware through some manipulation of the USER—as distinct from TECHNOLOGY. Without that their experiment will NOT work.

      Let me repeat again. They need malware on the target computer for their experimental exfiltration to work. No malware, no exfiltration.

      The researchers assume that malware gets on to the target computer with the aid of a blundering user.

      No blunder, no malware. No malware, no infection. No infection, the machine is not hacked and so there is no chance the target machine will be in a position to respond to manipulating the technology.

      (Actually from my reading at least two computers need to be infected in their scenario: the user’s air-gapped machine and the one controlling the HVAC system.)

      That malware is what gives them access. Once on that computer, exfiltration via manipulating technology is only one of the things it COULD do. Others include maliciously erasing the user’s files or encrypting them then posting a ransomware message.

      The case of the US Defense Department SSL threat is quite different. No TECHNOLOGY (i.e. hardware) would need to be manipulated to gain access. Instead a hacker would exploit weaknesses in the SSL certificates (ie SOFTWARE) to gain access. For example, through a man-in-the-middle type attack.

  6. Rayne says:

    Stephen (9:58) — No, Stephen, you need to go and look much, MUCH more carefully at who did the research and where. You need to think very carefully about the global experts on air-gapped hacking — yes, hacking — and for what purposes this research has been and is being done.

    I’m done with you on this topic. Have a nice day.

    • Stephen says:

      Rayne wrote: “I’m done with you on this topic.”

      Fair enough. But for the record I feel the need to make the following observation…

      Rayne wrote: “…you need to go and look much, MUCH more carefully at who did the research and where.”

      What has that to do with anything? Nobody is disputing their research. Merely your interpretation of it.

      But let’s be more specific. What you’re basically saying with that statement is: “These are smart dudes. I don’t understand what they did and I don’t care. I have my preconceptions about what they did do and nothing you say can change those preconceptions. Now or ever.”

      Fair enough. Nobody can educate a closed mind.
