No trust without independent control - Page 7

  • researchers break OpenSSL's ECDSA implementation on the Bitcoin curve with as few as 200 signatures

    "Earlier this month a new paper by Naomi Benger, Joop van de Pol, Nigel Smart, and Yuval Yarom hit the news. The paper explains how to recover secret keys from OpenSSL's implementation of ECDSA-secp256k1 using timing information from "as little as 200 signatures"; ECDSA-secp256k1 is the signature system used by Bitcoin. The timing information is collected by an attack process running on the same machine, but the process doesn't need any privileges; I don't see any obstacle to running the attack process in a separate virtual machine. Earlier papers by Yarom and Katrina Falkner and Yarom and Benger had explained how to carry out similarly efficient attacks against various implementations of RSA and binary-field ECDSA.

    These attacks are what I call "cache-timing attacks": they exploit data flow

    1. from secrets to load/store addresses and
    2. from load/store addresses to attacker-visible differences in timing between different addresses.

    For comparison, conventional timing attacks exploit data flow

    1. from secrets to the program counter (i.e., the instruction address as a function of time) and
    2. from the program counter to attacker-visible differences in timing between different instruction addresses.

    In both cases the second part of the data flow is built into chips, but the first part is built into the software.

    Did the software designers have to allow data flow from secrets to addresses? "Obviously not!" say the theoreticians. "Everybody knows that any computation using branches and random access to data can be efficiently simulated by a computation that accesses only a predefined public sequence of instructions and a predefined public sequence of memory locations. Didn't you take a course in computational complexity theory? If the software designers had done a better job then this attack would never have worked."

    I have a different view. I blame this attack on the ECDSA designers. Every natural implementation of ECDSA makes heavy use of secret branches and secret array indices. Eliminating these secrets makes the code much more complicated and much slower. (The theoreticians are blind to these problems: their notion of "efficient" uses an oversimplified cost metric.) The ECDSA designers are practically begging the implementors to create variable-time software, so it's not a surprise that the implementors oblige."
    http://blog.cr.yp.to/20140323-ecdsa.html

    if the design is insecure, everything that follows and uses it will be insecure, and you only have to wait until it is discovered, weaponised and made so easy that it can be automated
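    The two data flows named in the quoted post, secret to load/store address and secret to program counter, are easiest to see side by side in code. The block below is an added example, not code from the cr.yp.to post or from OpenSSL: it uses a 16-entry table lookup for the first flow and, as a stand-in for the ECDSA scalar multiplication, a modular exponentiation for the second (each exponent bit plays the role of a scalar bit). The function names, the sample table (the first row of the AES S-box) and the test values are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table: the first 16 entries of the AES S-box. */
const uint8_t sample_table[16] = { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                                   0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 };

/* Flow 1, leaky form: the address loaded depends on secret_idx, so the cache
 * line that gets touched is a function of the secret. That is exactly what a
 * cache-timing attacker in another process (or VM) observes. */
uint8_t lookup_variable_time(const uint8_t *table, size_t n, size_t secret_idx)
{
    (void)n;
    return table[secret_idx];
}

/* Same lookup with every entry read in a fixed order. The secret only decides
 * which value survives the masking, never which address is loaded. */
uint8_t lookup_constant_time(const uint8_t *table, size_t n, size_t secret_idx)
{
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t x = (uint64_t)i ^ (uint64_t)secret_idx;
        /* (x | -x) has its top bit set exactly when x != 0, so mask is all-ones
         * when i == secret_idx and zero otherwise, without a branch. */
        uint64_t mask = ((x | ((uint64_t)0 - x)) >> 63) - 1;
        result |= table[i] & (uint8_t)mask;
    }
    return result;
}

/* Operands are kept below 2^32 so the product fits in 64 bits. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t mod)
{
    return (uint32_t)(((uint64_t)a * b) % mod);
}

/* Flow 2, leaky form: square-and-multiply. The extra multiply runs only when
 * the exponent bit is 1, so the instruction trace and its timing depend on
 * the secret exponent. */
uint32_t modexp_variable_time(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint32_t result = 1 % mod;
    base %= mod;
    for (int i = 31; i >= 0; i--) {
        result = mulmod(result, result, mod);
        if ((exp >> i) & 1)            /* secret-dependent branch */
            result = mulmod(result, base, mod);
    }
    return result;
}

/* Swap *a and *b when swap == 1, using arithmetic instead of a branch. */
static void ct_swap(uint32_t *a, uint32_t *b, uint32_t swap)
{
    uint32_t mask = 0u - swap;         /* all-ones when swap == 1, else zero */
    uint32_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: one squaring and one multiplication per bit whatever the
 * bit's value; the bit only drives the conditional swap. Invariant: r1 == r0 * base. */
uint32_t modexp_constant_time(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint32_t r0 = 1 % mod, r1 = base % mod;
    for (int i = 31; i >= 0; i--) {
        uint32_t bit = (exp >> i) & 1;
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        ct_swap(&r0, &r1, bit);
    }
    return r0;
}

int main(void)
{
    printf("lookup  idx 9 : %02x %02x\n", lookup_variable_time(sample_table, 16, 9),
                                          lookup_constant_time(sample_table, 16, 9));
    printf("4^13 mod 497  : %u %u\n", modexp_variable_time(4, 13, 497),
                                       modexp_constant_time(4, 13, 497));
    return 0;
}
```

    Both pairs return the same values; the difference is only in which addresses and which instructions the secret selects. Two caveats a practitioner should check before trusting such code: a compiler at -O2 may turn the mask arithmetic back into a branch or a conditional move, so inspect the generated assembly, and the multiplier itself must be constant-time on the target CPU, which is not guaranteed on every platform.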

  • eurobellen.nl hacked and leaked

    user IDs, passwords and email addresses

  • the paedophile service family4love.com has some interesting features for law enforcement

    the service came into the news after an article in the British press which says that it links paedophiles with families that want to give their children to paedophiles.

    First, the site was free, but in 2013 it became payment-based, like so many such services, because this is (big) business (follow the money, I would say; this is the simplest method of investigation, and in 2013 bitcoin was not yet in common use)

    Secondly, read this post (from the Google search site:family4love.com)

    F4L - Terms of Service

    family4love.com/help/terms

    All IP addresses are recorded for security reasons, and will be given to the correct authorized if requested. All photos uploaded should be owned to yourself and"

    so here you may find a full list of the IP addresses; you don't have to ask the hoster or the ISP for it

    thirdly, a lot of it is still in the Google cache because they are not updating the server - if it ever comes back up again

    https://www.google.be/search?q=site%3AFamily4Love.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:nl:official&client=firefox-a&channel=sb&gfe_rd=cr&ei=9HuEVKeSA4fFVIuGgJAE

    now if you add, for example, France or the name of another country to the search, you may find the discussions between members from that country (in the cached copy of the link)

    so happy hunting, because it seems that there are some children that will need to be rescued from couples and swaps that were arranged through this site - within or between countries

    Fourth, I would also have a look at this information (referrals, for one). Oh, and the webserver is in the US, so it won't be that difficult to get hold of the server and everything on it. The server also runs a mail server, which you would have to get your hands on as well.

    and I would surely have an even better look at this site, which seems like a kind of index of incest and paedophile services online

  • #sonyhack the filenames of the malware are known to the FBI but not online or on VirusTotal

    "“The FBI is providing the following information with HIGH confidence,” the note reads, according to one person who received it and described it to WIRED. “Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”

    The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.

    It’s unclear if these files were found on Sony systems. So far there have been no news reports indicating that data on the Sony machines was destroyed or that master boot records were overwritten. A Sony spokeswoman only indicated to Reuters that the company has “restored a number of important services.”
    http://www.wired.com/2014/12/sony-hack-what-we-know/

    it is also intriguing to see the name usbdrv - maybe that is an indication that they are using USB drivers or exploits to attack the system

    the fact that they have been rewritten for 64 bits shows that nowadays a 32-bit virus also needs a 64-bit version to make an impact

    the fact that these are .sys files (the extension Windows uses for kernel-mode drivers) shows that they were infecting the program files, the system files and probably the kernel and core of the system - they took a name that looks like something used by other software in order to hide, and as these files are not signed and not checked it is easy to do this (note that 64-bit Windows normally refuses to load a kernel driver that is not signed at all)

    the operation itself was probably done the same way the #Belgacomhack was done, that is, through the accounts of the network operators (again). Only here the goal was not to get specific information from specific installations but to destroy and leak everything, or as much as possible, over a 6-month period (which is what the operational scenarios for total network compromise take as the standard period to take over (own) a whole network).

  • #sonyhack #belgacomhack #foreignaffairshack are probably intelligence operations

    Intelligence operations have goals. If you want to understand them you should understand the goals of the intelligence operation, otherwise you won't know what will happen next and you will have no idea how to secure the data they were after.

    Also, these are operations; this means that they have been prepared some time in advance, executed in different phases, and followed up and evaluated or changed to make sure that they had the maximum effect with the least chance of discovery. Extraction and destruction of evidence is as important in such an operation as getting the information.

    The Belgacomhack was probably a US intelligence operation to get information from some mobile-phone installations on the Bics network, because at that time - just a supposition - the US administration was going after Bin Laden and they had only ONE lead, and that was the couriers between Bin Laden and the rest of the organisation. Those people used their mobile phones from time to time, but under strict rules of operational security (for example only a few hundred metres after they had left the building, and when they were not phoning they also removed the battery). Those couriers sometimes also took calls from other countries. I am not sure there is a link, but I can imagine (it is just imagination, maybe) that somebody said: whatever the effort, you have to get that data, and if it is too risky for discovery to go through the courts or the local operators, just go through the operators and get that data. I won't ask how you got it. And some people went out to try to get it. But as I said, that is just speculation (they may also have needed some information about other networks or cells or important people on the wanted list).

    The Foreignaffairshack was probably a Russian intelligence operation looking for information about how the European Commission and NATO were reacting to the continuing infiltration of Russian soldiers and tanks into Ukraine. In this high-level power game Putin wanted, just as Stalin did during and after the Second World War, to have some spies or an intelligence operation so he could know the current mindset of his friends and opponents, how they would react, and what they were saying behind closed doors but not to him when they were sitting at the negotiating table. He had to know the real red lines beforehand. And where can you find the information about the European Commission and NATO in one place? In the country where both have their headquarters. And which administration is responsible for handling all these documents between the host country and the international organisations it is a member of? The Administration of Foreign Affairs. There are also people who think they were after another database.

    The Sonyhack was probably a North Korean intelligence operation in response to a film they didn't like about the great dictator, who prefers to see himself as a father to his country. Well, he got mad as hell, and between the different options (dropping an atom bomb on Hollywood, protesting diplomatically, ...) destroying the company with a digital nuclear time bomb seemed like the best option. This is exactly what is happening. This operation probably started in June or somewhat before and ended with the publication of the first dataset and the timed destruction of the internal computers and servers. Now every company in the world knows that if it angers the North Korean dictator he will destroy it digitally, so you had better be prepared. If this was the goal, the message is received and understood.

    So if these presumptions are right, then every intelligence service in the world worthy of its name is setting up intelligence operations in the digital world with political and intelligence goals, while respecting all the normal operational security rules of an intelligence operation (which makes them hard to attribute).

    This is also the reason I think that for critical environments the security officer should not only have his medals from all his so-called exams and certificates, but also a healthy dose of paranoia, and should be able to play mind games, or to think through how an intelligence operation against his network would be set up, what the weakest links would be, and at which moments the operators could still be discovered or might not have cleaned up their tracks.

    It is only when you start reading books about information operations and intelligence that you start to really understand the Snowden files. For malware and IT analysts these are just processes, files, connections and incidents. For an intelligence operative these are phases in an intelligence operation that will lead to a specific goal and have been prepared a long time before. (By the way, some of the scanning traffic against our infrastructure is also done by other intelligence agencies, to put in their database so that when they want to set up an operation they already have all the practically important information.)

  • #sonyhack Sony has in fact lost all of its passwords for everything

    yep, they have lost it all

    and this is only a very small part of the password files leaked today

    and this data package was made in ... October

  • #sonyhack : Sony will have to change all its certificates

    they are all in the wild and, if the private keys leaked along with them, they will be used and abused in viruses, spam and phishing

    and there are a few more folders with certificates

    it also shows that they had access to the network administrators' servers and to the root of the servers - unless these were managed centrally and only that one server was compromised

    Another question is what the browsers and the other vendors will do now. If they are consistent with previous actions, they will declare all the Sony certificates invalid, which will mean that Sony will in fact have to close down all its encrypted logins and services until it has replaced all the certificates with new ones - if it can prove to the certificate provider that it has full control over its servers and its network

    if the hackers really want to create havoc they will steal the new certificates too, just to prove that they are the masters of the Sony network, who even with the best cyberdefences couldn't be stopped from stealing that information without getting caught - unless it is a honeypot or a trap, of course

  • #sonyhack this was a digital Waterloo for network defence; these files show everything was taken

    this is an example of the PCs that were taken over

    this is part of the list of the 1,600 Linux, Unix and (sometimes) VMware servers of all kinds

    we said all along that some backup servers were probably also impacted

    well, here it is

    and this is from the list of Windows servers that were found on the network (of the 800)

    you will see that there are even Windows 2000 machines still on the network and a lot of 2003 servers - this is really OLD

    you also see an SMTP server

    and what is also interesting is that the Excel file for the computers is dated JULY 2014, while those of the servers seem to have been made only yesterday.

    well, this can mean that the operation started in July or earlier, and that between those dates the operation was set up one step at a time, patiently working through each server, each file stack and each connection, preparing the next step and hiding your tracks

    so this could mean that this wipe attack was just the explosion of thousands of time bombs that were placed to go off now, coinciding with the film, which supports the possibility that it was the North Koreans, as they mostly want their cyberattacks or hacks (becoming public) on specific dates or linked to specific events

    you have to look through my other open intelligence sources to find the links; sorry guys, I have the lawyers from mensura on my neck seeking revenge

    it also means that there is no secret information left about the internal network of Sony, and it also shows that their internal network was enormously outdated, which makes Sony somewhat responsible for what has happened. If you don't have bunkers to isolate and protect your valuable data inside your network, you might as well put it online for everybody to download, because if your network itself is not secured or is penetrated (or your staff is infiltrated) the result is the same.

  • NATO defence expenditures for 2013, and what will surely change soon

    some countries that border Russia or are not that far from it will have to increase their budgets, and some are already announcing these new investments, new military strategies and cooperation agreements

    if you look at the table you will also better understand some of Putin's diplomatic efforts, from the beginning and lately

    the biggest question is whether NATO will stay united throughout this difficult period, because whenever a coalition of countries has been faced with a persistent and overwhelming adversary who doesn't have to agree with anyone and doesn't have to comply with anything, there have been different strategies, defended rightly or wrongly by different groups, which gives the dictator on the opposite side the opportunity to gain time and, at first, to achieve his goals without a real war - just by small wars and destabilisation with the right dose of diplomacy


  • #sonyhack: hackers use Sony PlayStation servers to distribute 27GB of leaks

    http://www.theregister.co.uk/2014/12/03/strange_things_afoot_with_great_sony_pictures_torrent_data_leak/

    it means that they do have the keys to the castle and for the moment they can just walk in and out at will

    that is because you have no two-factor authentication, but only passwords

    passwords are not security

  • US law enforcement is using a law from the 18th century to oblige Apple and Google to decrypt your devices for them

    "Now court documents have emerged showing just how far the Feds are willing to go to decrypt citizens' data.

    The paperwork has shown two cases where federal prosecutors have cited the All Writs Act – which was enacted in 1789 as part of the Judiciary Act – to force companies to decrypt information on gadgets.

    The Act, which was signed into law by none other than George Washington and later revised in the 20th century, gives the courts the right to...

    issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

    That's a pretty broad remit, but the Feds think it's just the thing to force Apple and others to break down privacy protections."
    http://www.theregister.co.uk/2014/12/01/feds_turn_to_1789_law_to_force_smartphone_makers_to_decrypt_handsets/

  • #sonyhack: 30,000 salaries of unnamed Deloitte consultants (2005) published

    if you take 11 terabytes of files from one of the biggest companies, and you probably have a copy not only of the intranet and some mailboxes but also of a backup server, then this is the kind of thing that will happen

    http://fusion.net/story/31227/sony-pictures-hack-spreads-to-deloitte-thousands-of-audit-firms-salaries-are-leaked/

    expect attacks in the future to go more often after these backup servers (if this came from a backup server; but even if it didn't, that is where you can find the biggest collection of unencrypted files with the least protection)

  • #sonyhack: it is nearly official: North Korea hacked Sony in the US into destruction


    Yes, he has won against 'The Interview', a film that should never have been made and, even if it was made, should never have been released. I salute you hackers, you have shown what a small country like ours can do with so few cyber resources. It is the best example yet of the power of asymmetric warfare

    Putin must be wondering whether he shouldn't pull his tanks back from Ukraine and just start a permanent cyberwar. It costs less and it is very difficult to point the finger at him.

    https://recode.net/2014/12/03/sony-to-officially-name-north-korea-as-source-of-hack-attack/

    but do not underestimate them

    https://recode.net/2014/12/01/heres-what-we-know-about-north-koreas-cyberwar-army/

    and also read this report

    http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf

  • update 2: the portal of Wallonia (wallonie.be) has some serious security leaks (defaced page)

    You can say that if you can add an image, you can add code (malware), snooping software, a redirect or a popup

    this is not enormous, but it is a signal that there is something wrong

    and what is more, it wasn't even noticed, so this is even more alarming because it means that you can do these things without being noticed

    it wasn't even noticed by the CERT or any security service (undermanned and underpaid)

    oh, and it isn't the first time that parts of the wallonie.be portal have been defaced, which shows that there are too many parts to be managed and too few people and resources to do this securely

    click on the link for more information: http://www.zone-h.org/mirror/id/23337578

    oh, and just a reminder: zone-h.org has a free alerting service for your domain, and it costs about 600 euro for such a service for all the .be domains, but they never found the money for that (they prefer giving thousands of euros for papers and studies)

    [screenshot: wallonie.PNG]

     

    wallonie.PNG

    we have found the reason why 

    it is an old server and nobody looks at it

    but they have made a very stupid mistake

    if the site no longer exists, you make a redirect in your DNS server, and you take down everything that is old and no longer maintained on that server, so you don't get defacements and other attacks

    because even if this subdomain is old, I am not sure that it isn't connected to the new servers, because it is in the same master domain wallonie.be

    [screenshot: spw wallonie.PNG]

    but that domain isn't that old

    spw.wallonie.be itself has hundreds of other subdomains like xyzw.spw.wallonie.be, with logins etc.

    site:http://spw.wallonie.be/

    so this is a very strange page to deface

    and the hack becomes important again because the upload was on the main page, that is, the main page of the hundreds of subdomains under the spw subdomain of wallonie.be

    it looks like the chain got broken somewhere and somebody will have to fix it - FAST

    one question, for example, is why one needs so many different login systems when they are all in the wallonie.be domain? I have the impression that this is beginning to look like an impressionist painting, but one in which you see no figures

  • as SCADA developers refuse to sign their files, some think this is an alternative

    "A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.

    The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.

    “While participating in a few incident response engagements, I realized it’s fairly difficult to know what is a ‘legitimate’ ICS/SCADA file and what is not. Given the overwhelming majority of ICS/SCADA vendors refuse to sign their software, we’re stuck with determining whether files like ‘FTShell.dll’ or ‘WFCU.exe’ (both legitimate files btw) are really supposed to be there. With this problem in mind, I started a database of all the files I’ve seen on ICS/SCADA systems, so that others can compare notes,” Rios wrote in the FAQ for the site."
    https://threatpost.com/researcher-releases-database-of-known-good-ics-and-scada-files/109652

    well, governments will need to oblige the developers to sign their code and to make it possible to check those signatures

    otherwise this makes no sense

    what if this database gets hacked, penetrated or impersonated? Anyone who trusts a hash list has to be able to verify where the list came from and that it was not altered on the way

    this is an enormous honeypot for attackers

    and even if you don't hack it, you can penetrate the server or any routing installation in front of it just to collect network and other information about the people who are responsible for those highly critical networks