Monthly Archives: October 2016

How did one contractor steal 50TB of NSA data? Easily, say former spies

The massive theft of secret NSA data, thought to be the largest breach of classified data in US history, happened over two decades.

NSA whistleblower Edward Snowden might be the most well known leaker of secret government files. But it’s contractor Harold Martin who may have carried out the biggest theft of classified information in US history.

Martin, 51, was arrested during an FBI raid on his home in late August. He is accused of stealing dozens of computers and thousands of documents, according to his recently unsealed indictment. The contractor allegedly siphoned off more than 50 terabytes of data — or 50,000 gigabytes — from government computers over two decades. What was initially a misdemeanor was quickly raised to espionage, in part because of the vast amount of data he allegedly stole.

He faces up to 10 years in prison on each charge if convicted.

It’s not known how the authorities caught Martin. But what’s an even bigger question is how he stole so much data — and stayed undetected — for so long.

Former employees at the NSA, who spoke on the condition of anonymity, said that Martin likely stole the files by simply walking out of the front door.

“The security folks there conduct random bag and purse checks on people leaving, but nobody does pocket checks,” said one former employee, who spent almost 30 years at the agency in various jobs, before leaving late in the last decade.

“Anything that could fit in a pocket could go out undetected,” the employee said.

A second employee, who left the agency at around the same time, agreed.

“Practically, it wouldn’t scale to scan all of your employees,” said the employee. “Think TSA at Ft. Meade,” the employee said, hinting at how unwieldy such a system would be. About 30,000 employees work at NSA headquarters in Ft. Meade, Maryland, so screening every person leaving the building would take hours.

The second employee also noted that the vast majority of employees go through extensive vetting, so there’s an inherent amount of faith in staff at the agency. James Clapper, the director of national intelligence, said in 2014 that there were no “mousetraps” to catch another leaker in the wake of the Snowden affair, because the agency’s security is “based on personal trust.”

The indictment didn’t say exactly how Martin stole the data from NSA computers and servers, because how those systems work is a closely guarded national security secret.

When asked, the former employees gave their insights.

“Based on what he took, it would seem that [Martin] would’ve had to use USB drives,” said the first employee. USB drive capacities have increased exponentially over the past two decades, according to market data, which means that, at least in the early years, Martin’s alleged theft would have been a painstakingly slow process.

The second employee said it wouldn’t be difficult to steal data — noting that the NSA has “some of the best hackers on earth.”

Almost anyone looking at this case has drawn parallels with the Snowden case because it’s also not known how he smuggled out the trove of data from NSA systems. But according to one report, multiple intelligence community sources said all Snowden needed was “a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system.” One source was quoted as saying that the NSA in 2013 was “stuck in 2003 technology.”

“I’m pretty sure they could find a way to do it [remove files] without detection,” the employee said, without going into details, adding that the systems would likely not stop “a serious or mildly skilled insider.”

An NSA spokesperson could not be reached on Friday.

In his indictment, Martin is said to have boasted in a letter found by the FBI about how he has “seen pretty much all [the NSA’s] tech secrets [with regard to] compusec.” He added, hinting that the NSA’s systems were not as secure as generally thought: “You are missing most of the basics in security practice, thinking you are the best. It’s the bread and butter stuff that will trip you up. Trust me on this one.”

Still, little is known about Martin. According to his LinkedIn page, he spent many years as a contractor and consultant, and worked as an engineering advisor for the Dept. of Defense.

It’s also not known exactly what Martin took, given the majority of the data is classified, according to the indictment, or if he leaked any of the files to anyone else. It’s no surprise that prosecutors want to keep Martin behind bars.

A hearing is expected later Friday in Baltimore on whether Martin will remain in prison or not.


ProtonMail strikes out at Google for crippling encrypted email service searches

Google removed ProtonMail from search results and as a consequence, the company almost went under.


ProtonMail has accused Google of hiding the company from search results in what may have been an attempt to suffocate the Gmail competitor.

The free encrypted email service, which caters to nearly one million users worldwide, has enjoyed an increasing user base and popularity over the past few years as governments worldwide seek to increase their surveillance powers.

However, the growth of the company was severely impacted when, without warning, ProtonMail vanished from Google search results — for 10 months.

In August, ProtonMail sent a number of vague tweets to Google, accusing the company of “intentionally hiding ProtonMail from search results,” and even if unranking was unintentional, ProtonMail said it had proof that there was a “major bug” and “all previous contact attempts have been ignored.”


According to the secure emails provider, Google hid ProtonMail from search results for queries including “secure email” and “encrypted email” — a change which the company deemed “highly suspicious.”

Between the beginning of summer and the fall of 2015, ProtonMail released ProtonMail 2.0, went open-source, launched mobile apps in beta, and changed domains from .ch to .com, which is more likely to appear in search results.

Together with a boost in users which pushed ProtonMail from half a million to the best part of one million users, this should have improved the company’s search results.

However, by November, ProtonMail realized something was wrong. After consulting SEO experts, the firm found that there was an anomaly which was limited to Google searches and did not affect other services, such as Yahoo! or Bing.

With all other major search engines, ProtonMail’s rankings sent them to page one or two for the terms “secure email” or “encrypted email,” but when it came to Google, there was nothing.


In the early part of 2016, ProtonMail tried in vain to get in touch with Google, going so far as to contact Google’s president of EMEA Strategic Relationships.

Around the same time, in April, European regulators were taking Google to task for allegedly reducing the ranks of competing companies. As ProtonMail is an email rival, this news was concerning.

It was August before communication channels opened, prompted by ProtonMail users and the company itself taking to Twitter to complain. Google eventually responded, saying little more than that it had “fixed something.”

[Image: ProtonMail’s Google search ranking over time]

As shown in the image above, once Google issued a “fix,” ProtonMail’s search ranking immediately recovered. Now, the company is ranked at number one and number three for the search terms at the heart of the situation. ProtonMail said:

“Without any additional explanation from Google, we may never know why ProtonMail became unranked. In any case, we do appreciate Google finally taking action to resolve the issue, we just wished it happened sooner.”

ProtonMail says the battle highlights what it calls “Search Risk” — the reliance of companies on search engines which, if a relationship turns sour, can result in suppression or even force the closure of a business.

The company says that due to Google’s alleged meddling, growth rates worldwide were reduced by at least 25 percent over the course of 10 months, which in turn sliced income from users by a quarter.

ProtonMail claims that this put financial pressure on the email provider and, instead of being able to manage monthly expenses comfortably, the company was forced to turn to emergency funds just to stay afloat.

In total, ProtonMail believes that being dropped from Google’s rankings cost it several hundred thousand dollars, which it will never recover.

“The more we get the word out about the importance of online privacy, the more we make it impossible to suppress, ban, or otherwise pressure encrypted email services such as ProtonMail,” the company says. “We believe online privacy is critical for an open, democratic, and free future, and regardless of the obstacles ahead of us, we will continue building the tools necessary to protect this future.”

India experiences catastrophic cyberattack, 3.2 million debit card account details stolen


India is dealing with one of the worst data breaches ever to hit the country with as many as 3.2 million debit card details stolen from multiple banks and financial platforms.

On Thursday, the Economic Times reported that malware was used to compromise the Hitachi Payment Services platform, which powers ATMs, point-of-sale (PoS) systems and other financial transactions in India.

This infection then affected the State Bank of India (SBI), ICICI, Yes, Axis and HDFC, which are said to be the hardest hit. The Visa and Mastercard networks are also allegedly affected by the data breach — which took roughly six weeks to detect.

Little is known beyond feedback from several victims who claim that their cards are being used fraudulently in China.

According to people familiar with the matter, SBI has blocked and will reissue 600,000 debit cards.

SBI chief information officer Mrutyunjay Mahapatra told the publication:

“Based on the complaints we have received, we are suspecting a compromise on the non-SBI ATM network which could include various white-label ATM service providers.”

Financial security specialist SISA is investigating the case alongside the affected banks. In the meantime, customers have been asked to change their PINs as a precaution.

Yahoo, ACLU press US feds to disclose email snooping orders, surveillance laws


Yahoo has asked the US Director of National Intelligence James Clapper to declassify a surveillance demand the company received which resulted in a special program being set up to monitor customer emails for certain keywords.

The program, which operated in early 2015, forced Yahoo to build a tool which automatically scanned Yahoo Mail user messages for key words and phrases — a general order from either the NSA or FBI, rather than a targeted spying mission on particular users.

According to Reuters’ sources, the software ran without the knowledge of the firm’s security team; when Yahoo’s engineers discovered the tool, they believed it to be the work of external attackers and took it down.

This secret data collection and Yahoo CEO Marissa Mayer’s decision not to appeal the order have thrown the company into a quagmire of criticism, to which Yahoo is unable to respond “in detail” because of the order, according to a letter sent by Yahoo general counsel Ron Bell to Clapper, which has now been posted online.

The letter (.PDF), revealed on Wednesday, asks Clapper to release the Yahoo order from classified status. The request reads:

“We urge your office to consider the following actions to provide clarity on the matter; (i) to confirm if such an order, as described in these media reports, was issued; (ii) declassify in whole or in part such order, if it exists; and (iii) make a sufficiently detailed public and contextual comment to clarify the alleged facts and circumstances.”

Yahoo previously called Reuters’ report “misleading” and denied the email scanning tool was present on the company’s systems, but declined to comment further. If Clapper agrees to Yahoo’s request, however, the tech giant will be at greater liberty to explain itself.

The letter comes as Yahoo deals with the aftermath of revelations concerning a security breach which took place in 2014, leading to the theft of at least 500 million user accounts.


Separately, the American Civil Liberties Union (ACLU) has filed a motion (.PDF) in the US Foreign Intelligence Surveillance Court asking the judges not only to release Yahoo’s spying order, but also more than 20 other rulings issued over the last 10 years.

These secret opinions cover everything from the US government’s use of malware and bulk data collection to the ongoing battle between technology firms and law enforcement over encryption and how far vendors must go to help police access mobile devices. Because the opinions are secret, there is effectively no right of appeal, and they are kept out of public view despite their far-reaching implications.

In a post-Snowden era, it seems that tolerance for such practices and a lack of transparency is wearing thin.

Malwarebytes snaps up PC scrubber AdwCleaner


Malwarebytes has acquired AdwCleaner in a deal designed to improve the capabilities of the firm’s Malwarebytes Anti-Malware product.

The cybersecurity firm revealed the purchase on Wednesday. In a blog post, Malwarebytes said snapping up AdwCleaner is part of the company’s mission to become “more aggressive” in the hunt for Potentially Unwanted Programs (PUPs) which are often a nuisance and can be frustrating for consumers.

PUPs, often bundled into legitimate downloads, include bloatware which siphons off PC resources, adware which forces users to deal with continual adverts and pop-ups, and crapware which could install further programs you do not want, such as shopping applications or games.

These unwanted programs can also be a security risk as they may act beyond their original scope to perform functions such as browser injections, data collection, and installing root certificates without consent.

Financial terms of the deal were not disclosed.

Founded in 2011 by three French students, AdwCleaner has been downloaded over 20 million times and averages 200,000 downloads per day worldwide. AdwCleaner is free software which scans PC systems to remove PUPs, adware, browser hijackers, and other nuisance software.

In the short-term, Malwarebytes says AdwCleaner will be given a “facelift” and the company will work to enhance its detection and analysis abilities. While AdwCleaner will remain free as a standalone product, in the long-term, the company wishes to learn from the software “and integrate the technology into our flagship product,” Malwarebytes Anti-Malware.

Two AdwCleaner founders, Jerome Boursier and Corentin Chepeau, will join Malwarebytes in engineering and research roles.

“While dangerous malware is still on the rise, there is a growing trend for programs that operate in a legally gray area to achieve questionable ends,” said Marcin Kleczynski, CEO of Malwarebytes. “We have seen some PUPs that are blatantly illegal; most are simply unethical and abusing privilege, which is why we are taking such an overt stance against them. The acquisition will help further this cause.”

In October, Akamai Technologies acquired Soha, a specialist in cloud and endpoint security for the enterprise.

Feds catch hacker allegedly responsible for LinkedIn hack


The hacker allegedly responsible for the 2012 hack on LinkedIn has been arrested in the Czech Republic.

The Russian man, 29, whose name was not released, is wanted by the FBI to face charges in connection with hacking targets in the US. A police statement said he was arrested in the country’s capital, Prague, after Interpol issued a red notice earlier this month for the suspect’s arrest.

LinkedIn said in a statement, via Reuters, that the business social network has been “actively involved with the FBI’s case to pursue those responsible” for the attack, which led to the theft of over 100 million accounts.

“We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity,” the company said.

The suspect is not said to be connected to recent politically motivated cyberattacks in the US.

A court will now determine if the suspect will be extradited to the US. Russia is said to be fighting the attempt.

The attack on LinkedIn resurfaced this year, four years after the breach, when the number of accounts known to have been stolen rocketed from over six million to more than 117 million.

A seller, known as Peace, was the source of the leak. The seller also made a name for himself for selling accounts associated with dating sites Fling and Badoo, and Russian social networking giant VK.com.

He later claimed to have as many as 1.1 billion accounts associated with Yahoo. Months later, the company announced it had been hit by “state sponsored” actors, leading to the theft of over 500 million accounts.

Peace, who would only speak over encrypted chat, couldn’t be reached on Wednesday.

VeraCrypt audit reveals attacker treasure trove of critical flaws


An audit of VeraCrypt has uncovered critical vulnerabilities which could be exploited by attackers to compromise user data.

VeraCrypt is open-source security software. The successor to TrueCrypt, the encryption software is used worldwide to encrypt single files, folders or full disks and builds on the original project with security enhancements and new, modern features.

However, no software is completely safe from attack, and according to the software’s recent audit, conducted by security firm Quarkslab and funded through the Open Source Technology Improvement Fund (OSTIF), VeraCrypt 1.18 and its bootloaders contained a total of eight critical vulnerabilities, three medium-severity flaws and 15 additional bugs of low importance.

The security problems discovered by the audit include memory corruption bugs, dead code, inconsistent data reads, an insecure zip library and flaws in cipher implementations.

One of the main sources of problems is VeraCrypt’s new bootloader for systems using the Unified Extensible Firmware Interface (UEFI). TrueCrypt, as legacy software, never supported UEFI, so the UEFI-compatible bootloader had to be written from scratch, and, having only been released in August, it carries both the bugs and the security flaws that come with brand-new code.

The majority of these problems have been fixed in VeraCrypt 1.19 and users are urged to update as soon as possible. However, updating does not completely protect them from the security issues raised in the audit.

On Twitter, IDRIX, the company behind VeraCrypt’s development, clarified that the latest update resolves all issues in VeraCrypt’s own code and also fixes one security flaw inherited from TrueCrypt.

The remaining problems present have all come from the days of TrueCrypt, and fixing them at the moment could cause issues with backward compatibility.

The VeraCrypt team has also disabled the GOST 28147-89 cipher, as it is deemed unsafe. While existing volumes encrypted with it can still be decrypted, users can no longer select the algorithm for new encryption.

“Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt,” the researchers added. “VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software.”

What happened to Yahoo’s traffic after it revealed it was hit by hackers?


It’s been almost a month since Yahoo announced that it was hit by “nation state” attackers, leading to the theft of over 500 million user accounts.

As reported in its third-quarter earnings on Tuesday, the company said that in the weeks after the breach disclosure, more people visited Yahoo’s sites than in the four weeks before it.

A graph in the earnings slides shows that page views to Yahoo properties went up marginally in the week after the breach announcement on September 22, before leveling off slightly, but still higher than the previous period.

[Image: Yahoo earnings slide showing page views before and after the breach announcement]

Exactly why remains a bit of a mystery.

In a press release, Yahoo chief executive Marissa Mayer didn’t say specifically why engagement is up, only that the company is “working hard to retain their trust and are heartened by their continued loyalty as seen in our user engagement trends.”

A Yahoo spokesperson would not comment on the record.

Reading between the lines in the meantime, there are a couple of possible explanations for the small spike in user engagement.

Yahoo is more prevalent in our lives today than you might think. It may not be as hip as Gmail, but hundreds of millions of customers still use their legacy email accounts. (Also, don’t forget that it’s fantasy football season, and Yahoo has a major stake in the space. Ask any media company and they’ll tell you that sports drives traffic probably more so than news.)


The other factor is inertia. Do you really see a mass exodus from a service when it announces a hack? More often than not, the clean-up after a hack is a mitigation exercise. Given the impending deal that will see Yahoo sold to Verizon for $4.8 billion, the web giant will bend over backwards to appease its customers. Mayer probably isn’t far wrong: it’s not so much loyalty as apathy towards yet another data breach.

Of course, it almost goes without saying that the other and entirely opposite explanation is that people logged on to try to delete their accounts.

Yahoo’s profits topped Wall Street’s expectations, with shares rising slightly in after hours trading.

Trump Organization is using horribly insecure email servers


If you thought Former Secretary of State Hillary Clinton’s private email server was a mess, Donald Trump’s company is running email servers that look like a dumpster fire by comparison.

Security researcher Kevin Beaumont said in a tweet on Monday that the Trump Organization, the parent company of the alleged billionaire’s portfolio of realty, steaks, golf, and hotels, is running a set of email servers that are horribly outdated and long past the end-of-life, meaning they haven’t received security patches in over a year.

Beaumont said he found that the company’s email system is running Windows Server 2003 and Internet Information Services (IIS) 6.0, both more than a decade old and both out of Microsoft’s extended support since July 2015, more than a year ago.

Because both products are out of support, Microsoft no longer issues patches for them, even for known security vulnerabilities; the only remedy is to upgrade. Patching remains one of the best ways to prevent hackers from exploiting security flaws.

A spokesperson for Trump, now the Republican presidential candidate, could not be reached on Tuesday.

Beaumont, a British citizen who can’t vote in the upcoming US election, was hounded by Trump supporters on Twitter, who among other things accused him of hacking. (The data he gathered is publicly accessible: web servers commonly announce their software and version in a Server header, which anyone can read in the developer tools of browsers such as Chrome.)
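The kind of check Beaumont describes can be reproduced from a single captured HTTP response, with no further contact with the target. The following is an added example, not Beaumont’s tooling or anything from the original article: it parses the status line and headers of a constructed HTTP response, extracts the product and version from the Server header, and reports whether that product is past its vendor end-of-support date. The end-of-support dates in the table are real (IIS 6.0 shares the lifecycle of Windows Server 2003, which ended 14 July 2015); the two response texts are constructed for the example.

```python
from __future__ import annotations

import re
from datetime import date

# Vendor end-of-support dates that a Server header can point at. IIS ships with
# Windows, so its support life is that of the host operating system:
#   IIS 6.0 -> Windows Server 2003, extended support ended 14 July 2015
#   IIS 7.0 -> Windows Server 2008, extended support ended 14 January 2020
# A product/version missing from this table is reported as "unknown", never
# as "supported".
IIS6_END_OF_SUPPORT = date(2015, 7, 14)
END_OF_SUPPORT = {
    ("Microsoft-IIS", "6.0"): IIS6_END_OF_SUPPORT,
    ("Microsoft-IIS", "7.0"): date(2020, 1, 14),
}

# Reference date for the checks below: the day the story above ran.
ARTICLE_DATE = date(2016, 10, 18)


def parse_http_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are case-insensitive (RFC 7230), so they are lower-cased.
    Anything after the blank line (the body) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not status:
        raise ValueError("not an HTTP response status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status.group(1)), headers


def server_product(server_header: str) -> tuple[str, str] | None:
    """Pull (product, version) out of a Server header such as 'Microsoft-IIS/6.0'.

    Returns None when the server withholds the version or uses a custom token,
    which is the recommended configuration and is common on hardened hosts.
    """
    m = re.match(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)", server_header)
    if not m:
        return None
    return m.group(1), m.group(2)


def support_status(raw_response: str, today: date) -> str:
    """Classify the advertised server as 'unsupported', 'supported' or 'unknown'."""
    _, headers = parse_http_response(raw_response)
    product = server_product(headers.get("server", ""))
    if product is None:
        return "unknown"
    end_of_support = END_OF_SUPPORT.get(product)
    if end_of_support is None:
        return "unknown"
    return "unsupported" if today > end_of_support else "supported"


# Constructed responses for the example; not captured from any real host.
LEGACY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
QUIET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webmail\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, response in (("legacy", LEGACY_RESPONSE), ("quiet", QUIET_RESPONSE)):
        print(f"{name}: {support_status(response, ARTICLE_DATE)}")
```

Note that a silent or generic Server header yields "unknown", not "supported": the banner is a hint, not proof, and a patched server can hide its version just as an unpatched one can lie about it. The check is only as good as the end-of-support table, which is why unknown products are never reported as safe.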

Among the tweets of abuse he received, one pro-Trump user claimed to have reported Beaumont to the FBI.

In his own set of tweets, Michael Morisy, founder of investigative outlet MuckRock, said that the unsubstantiated accusation that Beaumont in any way did anything illegal “misses some fundamentals of modern security”.

“If your posture is that bad, you’re already pwned,” he said. “There’s good reasons that infosec talks openly about security holes, and framing frank discussion as malicious hurts security in the long run,” he added.

Disclosing improves the chances of fixing the issues, said Morisy.

Why is Java so insecure? Buggy open source components take the blame

[Image: Veracode] Veracode reckons 97 percent of the Java apps it examined contained at least one component with a known vulnerability.

Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

Veracode’s annual security report is based on 300,000 assessments it has run on enterprise applications over the 18 months to March 31, 2016, and includes software from open-source projects, commercial vendors, large and small businesses, and software outsourcers.

The most common bug it has found in Java applications is a vulnerable version of a component called Apache Commons Collections, present in 25 percent of the Java applications it scanned.

This issue, a deserialization vulnerability that allows remote code execution, came to light in November 2015 after researchers published exploits using the bug against JBoss, IBM WebSphere, Jenkins, OpenNMS, and Oracle WebLogic Server.

“The Java deserialization vulnerability in Apache Commons Collections is an interesting example of an open-source, third-party component vulnerability, because it went from unknown to critical and highly exploitable, and because it was widely used in a variety of standard ‘infrastructure’ applications; web servers, application servers, CI servers,” noted Veracode.

“It’s worth noting that the issue was not just in the infrastructure applications, but in any application that uses Apache Commons Collections v.3.0 – 3.2.1 or 4.0. Addressing this vulnerability requires a broader response than just patching servers; it requires visibility into the component supply chain for all your applications.”
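The “visibility into the component supply chain” Veracode calls for starts with knowing which of your artifacts pull in an affected version, directly or transitively. The following added example (not Veracode’s tooling, nor part of the original article) parses the text printed by `mvn dependency:tree`, the sample tree being constructed for the example, and flags the coordinates and version ranges the report names: commons-collections:commons-collections 3.0 through 3.2.1 and org.apache.commons:commons-collections4 4.0. The fixed releases, 3.2.2 and 4.1, fall outside those ranges and are treated as clean.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Coordinates and inclusive version ranges named in the Veracode report. The
# fixed releases, 3.2.2 and 4.1, fall outside these ranges.
AFFECTED_RANGES = {
    ("commons-collections", "commons-collections"): [("3.0", "3.2.1")],
    ("org.apache.commons", "commons-collections4"): [("4.0", "4.0")],
}


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str | None  # None for the root project line


def parse_version(version: str) -> tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1). A qualifier such as '-SNAPSHOT' or '-beta' is dropped."""
    numeric = version.split("-", 1)[0]
    parts = tuple(int(p) for p in re.findall(r"\d+", numeric))
    return parts or (0,)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive numeric comparison; '3.2' and '3.2.0' compare equal."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def parse_dependency_tree(text: str) -> list[Artifact]:
    """Parse the text printed by `mvn dependency:tree`.

    Each line carries Maven coordinates in one of three shapes,
      groupId:artifactId:type:version                     (root project)
      groupId:artifactId:type:version:scope               (dependency)
      groupId:artifactId:type:classifier:version:scope    (dependency with classifier)
    preceded by an optional '[INFO]' tag and tree-drawing characters.
    """
    artifacts: list[Artifact] = []
    for line in text.splitlines():
        line = line.replace("[INFO]", "", 1).lstrip(" |+\\-")
        fields = line.strip().split(":")
        if len(fields) == 4:
            group, artifact, _type, version = fields
            scope = None
        elif len(fields) == 5:
            group, artifact, _type, version, scope = fields
        elif len(fields) == 6:
            group, artifact, _type, _classifier, version, scope = fields
        else:
            continue  # build noise, blank lines, download messages
        artifacts.append(Artifact(group, artifact, version, scope))
    return artifacts


def find_vulnerable(artifacts: list[Artifact]) -> list[Artifact]:
    """Return the artifacts whose coordinates and version fall in an affected range."""
    hits = []
    for a in artifacts:
        for low, high in AFFECTED_RANGES.get((a.group, a.artifact), []):
            if in_range(a.version, low, high):
                hits.append(a)
                break
    return hits


# Constructed `mvn dependency:tree` output for the example, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.apache.commons:commons-collections4:jar:4.0:compile
[INFO] +- org.example:native-helper:jar:linux-x86_64:2.0:runtime
[INFO] +- org.example:legacy-rpc:jar:1.2:compile
[INFO] |  \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.4:compile
"""

if __name__ == "__main__":
    for hit in find_vulnerable(parse_dependency_tree(SAMPLE_TREE)):
        print(f"{hit.group}:{hit.artifact}:{hit.version} ({hit.scope}) is affected")
```

The transitive hit under legacy-rpc is the case that matters: nothing in the application’s own pom names Commons Collections, yet the gadget chain ships in its classpath all the same. A hit at any scope other than test is worth treating as exploitable wherever the application deserializes untrusted input, and the remedy is the upgrade, not a patch to the application server alone.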

The company also takes a swipe at assurances from commercial vendors that their products are free from vulnerabilities.

Veracode found that 39 percent of applications developed internally by organizations complied with the OWASP Top 10 standard, compared with just 25 percent of commercially developed applications submitted on behalf of enterprise users.

“This finding puts to bed vague vendor hype around unsubstantiated efforts to build assurance into their products. It reaffirms the need for organizations to demand better proof of software security from their vendors and to perform due diligence around all applications, including commercial software,” Veracode said.

The most common vulnerabilities across all applications were information leakage and cryptographic issues, affecting 72 percent and 65 percent of applications respectively.

It also found that just over a third of all applications had hard-coded passwords, while 39 percent used broken or risky cryptographic algorithms.