Category Archives: Uncategorized

WikiLeaks publishes ‘biggest ever leak of secret CIA documents’

The 8,761 documents published by WikiLeaks focus mainly on techniques for hacking and surveillance

The US intelligence agencies are facing fresh embarrassment after WikiLeaks published what it described as the biggest ever leak of confidential documents from the CIA detailing the tools it uses to break into phones, communication apps and other electronic devices.

The thousands of leaked documents focus mainly on techniques for hacking and reveal how the CIA cooperated with British intelligence to engineer a way to compromise smart televisions and turn them into improvised surveillance devices.

The leak, named “Vault 7” by WikiLeaks, will once again raise questions about the inability of US spy agencies to protect secret documents in the digital age. It follows disclosures about Afghanistan and Iraq by army intelligence analyst Chelsea Manning in 2010 and about the National Security Agency and Britain’s GCHQ by Edward Snowden in 2013.

The new documents appear to be from the CIA’s 200-strong Center for Cyber Intelligence and show in detail how the agency’s digital specialists engage in hacking. Monday’s leak of about 9,000 secret files, which WikiLeaks said was only the first tranche of documents it had obtained, were all relatively recent, running from 2013 to 2016.

The revelations in the documents include:
1. CIA hackers targeted smartphones and computers.
2. The Center for Cyber Intelligence, based at the CIA headquarters in Langley, Virginia, has a second covert base in the US consulate in Frankfurt which covers Europe, the Middle East and Africa.
3. A program called Weeping Angel describes how to attack a Samsung F8000 TV set so that it appears to be off but can still be used for monitoring.

The CIA declined to comment on the leak beyond the agency’s now-stock refusal to verify the content. “We do not comment on the authenticity or content of purported intelligence documents,” wrote CIA spokesperson Heather Fritz Horniak. But it is understood the documents are genuine and a hunt is under way for the leakers or hackers responsible for the leak.

WikiLeaks, in a statement, was vague about its source. “The archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” the organization said.

The leak feeds into the present feverish controversy in Washington over alleged links between Donald Trump’s team and Russia. US officials have claimed WikiLeaks acts as a conduit for Russian intelligence and Trump sided with the website during the White House election campaign, praising the organization for publishing leaked Hillary Clinton emails.

Asked about the claims regarding vulnerabilities in consumer products, Sean Spicer, the White House press secretary, said: “I’m not going to comment on that. Obviously that’s something that’s not been fully evaluated.”

Asked about Trump’s praise for WikiLeaks during last year’s election, when it published emails hacked from Clinton’s campaign chairman, Spicer told the Guardian: “The president said there’s a difference between Gmail accounts and classified information. The president made that distinction a couple of weeks ago.”

Julian Assange, the WikiLeaks editor-in-chief, said the disclosures were “exceptional from a political, legal and forensic perspective”. WikiLeaks has been criticized in the past for dumping documents on the internet unredacted and this time the names of officials and other information have been blacked out.

WikiLeaks shared the information in advance with Der Spiegel in Germany and La Repubblica in Italy.

Edward Snowden, who is in exile in Russia, said in a series of tweets the documents seemed genuine and that only an insider could know this kind of detail. He tweeted:
The document dealing with Samsung televisions carries the CIA logo and is described as secret. It adds “USA/UK”. It says: “Accomplishments during joint workshop with MI5/BTSS (British Security Service) (week of June 16, 2014).”

It details how to fake it so that the television appears to be off but in reality can be used to monitor targets. It describes the television as being in “Fake Off” mode. Referring to UK involvement, it says: “Received sanitized source code from UK with comms and encryption removed.”

WikiLeaks, in a press release heralding the leak, said: “The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the internet to a covert CIA server.”

The role of MI5, the domestic intelligence service, is mainly to track terrorists and foreign intelligence agencies and monitoring along the lines revealed in the CIA documents would require a warrant.

The Snowden revelations created tension between the intelligence agencies and the major IT companies upset that the extent of their cooperation with the NSA had been exposed. But the companies were primarily angered over the revelation the agencies were privately working on ways to hack into their products. The CIA revelations risk renewing the friction with the private sector.

The initial reaction of members of the intelligence community was to question whether the latest revelations were in the public interest.

A source familiar with the CIA’s information security capabilities took issue with WikiLeaks’s comment that the leaker wanted “to initiate a public debate about cyberweapons”. But the source said this was akin to claiming to be worried about nuclear proliferation and then offering up the launch codes for just one country’s nuclear weapons at the moment when a war seemed most likely to begin.

Monday’s leaks also reveal that CIA hackers operating out of the Frankfurt consulate are given diplomatic (“black”) passports and US State Department cover. The documents include instructions for incoming CIA hackers that make Germany’s counter-intelligence efforts appear inconsequential.

The document reads:

“Breeze through German customs because you have your cover-for-action story down pat, and all they did was stamp your passport.

Your cover story (for this trip):

Q: Why are you here?

A: Supporting technical consultations at the consulate.”

The leaks also reveal a number of the CIA’s electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high-security networks that are disconnected from the internet, such as police record databases. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace. The attacker is provided with a USB stick containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and extracts data.

A CIA attack system called Fine Dining provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos, presenting slides, playing a computer game, or even running a fake virus scanner. But while the decoy application is on the screen, the system is automatically infected and ransacked.

The documents also provide travel advice for hackers heading to Frankfurt: “Flying Lufthansa: Booze is free so enjoy (within reason).”

The rights group Privacy International, in a statement, said it had long warned about government hacking powers. “Insufficient security protections in the growing amount of devices connected to the internet or so-called ‘smart’ devices, such as Samsung smart TVs, only compound the problem, giving governments easier access to our private lives,” the group said.

 

Cyber Ransom vs. Ransomware

By now, we have all heard about ransomware as it has taken over the cybersecurity scene over the last couple of years. However, we want to make sure that everyone is clear about the difference between cyber ransom and ransomware, as there is a very clear distinction. Cyber ransom and ransomware attacks have been the most popular forms of cyberattacks as of late.

Cyber Ransom

The most common form of cyber ransom is through a distributed denial of service (DDoS) attack. In a DDoS attack, hackers flood a business’ site with data requests, overwhelming the site’s legitimate functions. The flooding eventually forces that website to shut down. As far as the ransom is concerned, cybercriminals will threaten to launch an attack on an organization’s site unless the organization pays a ransom fee of a certain Bitcoin amount.

Another form of cyber ransom is through corporate extortion which is becoming more and more popular. This type of attack can be carried out in several ways. One approach, which Domino’s in Europe was hit with, is where a cybercriminal sends out a ransom letter threatening businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, or fraudulent delivery orders.

Another variation of corporate extortion is where cybercriminals perform a data breach, where they gain access to a company’s network and gather sensitive data. The data collected is usually information on their clients such as credit cards, social security numbers, email addresses, and login credentials. While this seems like data breaches that we have heard about recently (Yahoo, Adult Friend Finder, and several social media sites), cybercriminals who are involved in corporate extortion are in it for the money. Once cybercriminals have performed the data breach, they will threaten to publicly release the information unless the company pays a set ransom fee.

Ransomware

Ransomware is the most common form of cyberattack seen today. In a ransomware attack, the cybercriminal will infect a machine with malware that encrypts all or some files on a user’s computer. Once the encryption process has completed, a ransom note will appear on the victim’s screen demanding payment in order to receive the decryption key. Payment for the decryption key is usually made in Bitcoins, which are extremely hard to trace back to the hacker. Ransomware is most commonly distributed through phishing campaigns where cybercriminals will send emails embedded with malware. Once the user on the receiving end clicks on a link or opens up an attached file, the malware will begin to download, and the encryption process will begin.

Cyber Ransom and Ransomware Connected

  • Cyber Ransom – Cybercriminals threaten to launch a DDoS attack on an organization’s site unless the organization pays a ransom fee.
  • Ransomware – Cybercriminals infect machines with malware that encrypts all or some files, then demand a ransom fee to receive the decryption key.

 

When put in these terms, cyber ransom and ransomware seem like they wouldn’t be connected at all. However, cybercriminals are becoming more and more sophisticated with their attacks every single day. So, here’s the kicker. Cybercriminals are starting to use the threat of DDoS as ‘smokescreens’ for more wicked attacks, such as ransomware. The hackers will use DDoS attacks to distract the IT department, so they are able to slip under the radar without being detected. While the DDoS attack or the threat of one will only distract IT individuals for a short time, that’s all the time hackers need. While the IT staff scramble to handle the momentary network outages, hackers can use automated scanning or penetration techniques to map a network and install ransomware.
To stop these types of attacks, look at some of the new technologies that continuously monitors your network traffic.

Obama’s Call for Encryption ‘Compromise’ Is Hypocritical

1457817377711230

Image: screengrab

During his keynote speech at South By Southwest, President Barack Obama addressed the ongoing debate over encryption. Although he declined to discuss the specifics of the San Bernardino case, in which Apple is currently fighting a court order to hack its own device, the president spoke in more general terms about privacy and security. Obama joined several other political figures in calling for the tech industry to enable expanded law enforcement access to encrypted data.

Obama also advocated for the use of encryption by the government, saying that the technology is crucial to preventing terrorism and protecting the financial and air traffic control systems. But the president argued argued that ordinary citizens also need to expect some intrusion into their phones in order to ensure a safe society. Obama compared the weakening of encryption to going through security at the airport—an intrusive process, but a necessary sacrifice for citizens to make. (Obama’s own devices are, of course, secured with strong encryption.) In his speech, Obama said:

So we’ve got two values, both of which are important. And the question we now have to ask is, if technologically it is possible to make an impenetrable device or system where the encryption is so strong that there’s no key. There’s no door at all. Then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available to even do simple things like tax enforcement? Because if, in fact, you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket. So there has to be some concession to the need to be able get into that information somehow.

Obama said the tech community should “balance these respective risks,” suggesting that the industry had not been proactive enough in compromising on encryption and that, if it failed to compromise, it risks being cut out of the conversation entirely by Congress. “I’m confident that this is something we can solve, but we’re going to need the tech community, software designers, people who care deeply about this stuff, to help us solve it,” Obama said. He added:

Because what will happen is, if everybody goes to their respective corners, and the tech community says, ‘You know what, either we have strong perfect encryption, or else it’s Big Brother and Orwellian world,’ what you’ll find is that after something really bad happens, the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that have not been thought through. And then you really will have dangers to our civil liberties, because the people who understand this best and who care most about privacy and civil liberties have disengaged, or have taken a position that is not sustainable for the general public as a whole over time.

In Obama’s telling, the tech industry is painted as a spoiled child who runs back to his corner and disengages with the debate, snatching up his toys and taking them back to his mansion when he realizes he doesn’t like the way the game is being played. It’s a compelling image, and one that the industry, which is widely perceived as elitist and uninclusive, will have a tough time combatting.

But the industry has compromised on this issue, collaborating with law enforcement to provide access to data for criminal prosecutions. In the San Bernardino case, Apple has provided access to iCloud backups of the shooter’s phone and offered suggestions on how to create additional backups before it was revealed that the shooter’s iCloud password had been reset at the behest of the FBI.

Tech companies also routinely provide unencrypted metadata to law enforcement, which can provide a detailed portrait of a suspect’s life: where he’s been, where he is currently, who he communicates with, how regularly he communicates with others and how long the conversations last.

The government also wields a powerful investigative tool in CALEA (the Communications Assistance for Law Enforcement Act). CALEA compels service providers like AT&T and Verizon to build backdoors into their systems to allow for real-time monitoring of suspects by law enforcement.

Yet another instance of compromise is Apple’s encryption of iCloud. As security expert Jonathan Zdziarski pointed out in post on his blog, iCloud offers an example of the type of “warrant-friendly” encryption that Obama called for in his SXSW keynote.

“I suspect that the answer is going to come down to how do we create a system where the encryption is as strong as possible. The key is as secure as possible. It is accessible by the smallest number of people possible for a subset of issues that we agree are important,” Obama said. His suggestion for solving the encryption debate mirrors the solution Apple has already developed for securing iCloud data: that data is encrypted, but Apple maintains access so that it can comply with warrants.

But, Zdziarski notes, the 2014 hack of celebrities’ iCloud accounts illustrates the dangers of “compromise” encryption.

“The iCloud’s design for ‘warrant friendliness’ is precisely why the security of the system was also weak enough to allow hackers to break into these women’s accounts and steal all of their most private information,” Zdziarski wrote. “The data stored in iCloud is stored in a weaker way that allows Apple to service law enforcement requests, and as direct result of this, hackers not only could get into the same data, but did. And they did it using a pirated copy of a law enforcement tool—Elcomsoft Phone Breaker.”

Obama mentioned this particular concern in his speech. “Now, what folks who are on the encryption side will argue, is any key, whatsoever, even if it starts off as just being directed at one device, could end up being used on every device. That’s just the nature of these systems,” he said. “That is a technical question. I am not a software engineer. It is, I think, technically true, but I think it can be overstated.”

Obama is right—it’s technically true that any key can end up being used on every device.

The president isn’t the only politician to call for compromise on encryption and he certainly won’t be the last, but what the FBI is asking for in the San Bernardino case (and beyond it) isn’t compromise—it’s total compliance. Compromise suggests that tech companies and law enforcement agencies will meet in the middle, each conceding some of their demands in order to find common ground. The industry has made an effort to do so by providing metadata, real-time surveillance, and data backups to law enforcement.

But Obama’s comments suggest that none of this information is enough—encryption needs to be completely backdoored in order for there to be “compromise.” If the government refuses to acknowledge the concessions that have been made and continues to demand universal access to encrypted data while clinging onto strong encryption for itself, there is no compromise at all. It’s just the government getting exactly what it wants, snatching up all its toys and heading back to its mansion.

5 Innocent Mistakes That Cause an IT Security Breach

Breach

Security breaches, also known as a safety violation, occur when a person or application illegally enters a confidential IT border. This could result in the hacking of unauthorized data, services, networks and applications that are highly critical.

Breaches can also cause bankruptcy and destroy a company’s reputation, which is why most businesses hire an IT solutions company. However, not all security breaches are intentional; mistakes can trigger a security violation, as well, and without any warning.

Here are five innocent mistakes that lead to an IT security breach.

Device Theft or Loss

A lost or stolen device like a smartphone or laptop causes 3.3 percent of confirmed security breaches and 15.3 percent of overall incidents.

People who forget their devices in a public place or vehicle have higher chances of losing their gadgets because of theft. Most of these cases are opportunistic and involve a huge number of public departments.

When the thief takes advantage of the device, he can access the person’s confidential images, videos, documents and business files without IT security measures in place.

Document Errors

Document-related errors are some of the common causes of a data breach. A few examples of these include forwarding sensitive information to incorrect recipients, publishing private data to public web servers, and carelessly disposing of confidential work data.

These events usually occur internally and accidentally. When this happens, hackers can use the stolen information as blackmail or as an asset to their group. They can also access bank accounts and other documents related to finance.

Weak and Stolen Credentials

Hacking is the biggest cause of security attacks, which is primarily instigated by weak passwords and stolen credentials. Employees who have access to password-protected files and applications should take caution when unlocking these documents, especially when the company asset contains confidential information.

If you are working on a public computer, avoid clicking on the “remember password” option, so that intruders won’t have the opportunity to access private accounts if your computer gets hacked.

Additionally, you should never leave your password in an open computer file or even written on a sticky note affixed to your desktop, as this can be used by an external actor like a service person to access the organization’s intranet.

At the same time, it is important that you create a strong, non-obvious password that includes numbers, symbols, and capital and lower-case letters. One of the most effective techniques is the Bruce Schneier Method, which takes a sentence and turns it into a strong password.

There are also password-generating sites and password managers that throw out efficient and strong passwords.

Internet Spyware

Did you know that over 50% of security breaches are caused by employees misusing access privileges? Whether maliciously or unwittingly, employees who naively click pop-up browsers or install a malicious application can welcome spyware on a company’s system.

Spyware is a type of malware that enters a computer without the knowledge of the owner to collect private information about internet interaction, keylogging, passwords and valuable data. Spyware can either be on a file you downloaded online or a malicious hard drive inserted on your desktop. This can also be found in unauthorized web searches and varying computer settings.

The risk of a security breach is very high with spyware but you can prevent this by generating a virus scanner and avoiding malicious websites and illegal downloads at work. Companies should also take the first step by implementing a spy trap, which is basically a filter for all work systems.

Vulnerable Systems and Applications

Using outdated software and web browsers can cause serious security concerns. Attack methods become more advanced each year, and hackers increase the number of ways that they can violate vulnerabilities like these.

When outdated systems regularly connect to the internet, they can submit valuable information online without the user knowing it.

You can prevent security breaches by taking note of these basic pointers.

  • Take care of your personal data, especially when on the road. Every time you bring your data on the go, you are opening yourself to a multitude of security risks. For example, when you access public Wi-Fi, you disseminate your information to the immediate public and to hackers who use meticulous processes to breach data. Avoid this by investing in a personal hotspot or by subscribing to your provider’s mobile data services.
  • Create strong passwords. Never create a password that contains basic personal information like your surname or birthday. Hackers can easily identify this and use it in your work and personal accounts. A strong password should be a combination of characters, numbers, and symbols. Apart from this, don’t use one password for every account you own. Although it may be easy to remember, it’s also easy to hack.
  • Be careful of file sharing. You share a number of important files every time you work with multiple clients. No matter how much you trust a colleague, you never know where he will use the data you shared. To prevent malicious use of relevant documents, make sure that the files you share with your clients are only for work purposes. If you share documents through a cloud, immediately delete the final ones after use.

The number of security breaches increases every year, but there are plenty ways to protect yourself and your company from this. Keeping your data secured is the most efficient way to prevent damaging security breaches.

 

About the Author: Vlad de Ramos has been in the IT industry for more than 22 years with focus on IT Management, Infrastructure Design and IT Security. Outside the field, he is also a professional business and life coach, a teacher and a change manager. Vlad has set his focus on IT security awareness in the Philippines and he is a certified information security professional, a certified ethical hacker and forensics investigator and a certified information systems auditor.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.

 

USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers

Bad boys bad boys, Watcha gonna do when they come for you !!

 

 

5 Data Security Errors by Healthcare and How to Fix Them

Healthcare_device

A recent article in Forbes outlines some major missteps the healthcare industry is making when it comes to data security. In the wake of a record year for data loss with breaches at some the largest healthcare companies, the fact that there are problems with their cybersecurity comes as no surprise. As recently reported, 8 out of 10 largest breaches across all industries occurred in healthcare. As many experts have explained, healthcare records and insurance numbers are now a more lucrative target than credit card numbers. Yet, healthcare companies from insurers to hospitals and clinics seem ill prepared to thwart today’s advanced exploits. Here’s what the author of this article characterizes as healthcare’s five most urgent vulnerabilities:

  1. Too much focus on HIPAA compliance: According to the article, the highest number of breaches in 2015 occurred in organizations that have HIPAA-compliant databases.
  2. BYOD isn’t being secured: With more doctors on mobile devices, emailing and texting both colleagues and patients, unsecured devices become a glaring possibility, particularly when they’re personally owned.
  3. Too little investment in security: According to CNBC, healthcare organizations devote only 14% of their IT budgets to security, where other industries devote 20%. Other surveys have placed healthcare security budgets as low as 3% of total IT spend.
  4. Prioritizing security across the organization: In too many organizations, including healthcare, employees consider security the responsibility of IT, and aren’t nearly vigilant and careful enough with their email and personal devices.
  5. Over-simplifying or over-complicating systems: Here the author warns that IT policies and systems will be ignored if they are too difficult to implement and not effective, if they seem too simple. He calls for a balance between security and usability.

The second half of the article is concerned with what healthcare organizations need to do to avoid another year of data breaches like 2015 turned out to be.

  1. Focus on risk-management: Healthcare organizations are advised to worry less about HIPPA compliance and more about data security by layering in security technology like behavioral analytics that can identify suspicious activity before data is compromised.
  2. Two-factored authentication: The articles says two-factored is the minimum organizations should require, but it shouldn’t be so difficult that healthcare professionals will be frustrated.
  3. Encryption for data and devices: Data needs to be encrypted at rest and in transit particularly because of the multitude of mobile device usage by healthcare professionals, who send data back and forth.
  4. Enterprise mobile device management is important: Healthcare needs enterprise mobile device management (MDM) to secure devices that access organizations’ networks.
  5. Make sure security is in your culture: While deploying the most advanced technology is of paramount importance, the author reminds us that establishing security policies and training your workforce are also crucial to increasing data security. He advises healthcare organizations to instill a sense of personal responsibility in all employees, particularly those who have access to sensitive data.