CAT | hacking
I have long said that privacy services are all about trust. I this article demonstrating how to use a simple web proxy to compromise the users of that proxy. Of course, the operator of the proxy is being untrustworthy, but that is the whole point. If you don’t have a reason to specifically trust the operator of your privacy service, you need to assume that they are attempting to do you harm. Of course, the same argument applies to Tor. Literally anyone could be running that proxy for any purpose. (more…)
Kaspersky recently announced the discovery of a new Advanced Persistent Threat (APT) that they are calling DarkHotel. This is in the fine tradition of giving all newly discovered hackers or vulnerabilities clever and evil sounding names. In this case they have found something quite interesting.
For the last 7 years a group has been systematically targeting executives and government officials staying at high end hotels. They hack their computers and grab their files, sniff their keyboards, and install virus that can then spread within the victim’s organization. (more…)
The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.
None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.
We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.
Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.
This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”
One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.
For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.
If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.
OS News has an interesting article: The second operating system hiding in every mobile phone
It discusses the security implications of the fact that all cell phones run two operating systems. One is the OS that you see and interact with: Android, iOS, Windows Phone, BlackBerry, etc. The other is the OS running on the baseband processor. It is responsible for everything to do with the radios in the phone, and is designed to handle all the real time processing requirements.
The baseband processor OS is generally proprietary, provided by the maker of the baseband chip, and generally not exposed to any scrutiny or review. It also contains a huge amount of historical cruft. For example, it responds to the old Hays AT command set. That was used with old modems to control dialing, answering the phone, and setting up the speed, and other parameters required to get the devices to handshake.
It turns out that if you can feed these commands to many baseband processors, you can tell them to automatically and silently answer the phone, allowing an attacker to listen in on you.
Unfortunately the security model of these things is ancient and badly broken. Cell towers are assumed to be secure, and any commands from them are trusted and executed. As we saw at Def Con in 2010, it is possible for attackers to spoof those towers.
The baseband processor, and its OS, is generally superior to the visible OS on the phone. That means that the visible OS can’t do much to secure the phone against these vulnerabilities.
There is not much you can do about this as an end user, but I thought you should know.
Infosec Institute published an article showing in detail how application signing on Android devices can be defeated.
This trick allows the attacker to modify a signed application without causing the application to fail its signature check.
The attack works by exploiting a flaw in the way signed files in the .apk zip file are installed and verified. Most zip tools don’t allow duplicate file names, but the zip standard does support it. The problem is that, when confronted by such a situation the signature verification system and the installer do different things.
The signature verifier checks the first copy of a duplicated file, but the installer actually installs the last one.
So, if the first version of a file in the archive is the real one, then the package will check as valid, but then your evil second version actually gets installed and run.
This is another example of vulnerabilities hiding in places you least expect.