Posts tagged software
FBI pressures Internet providers to install surveillance software
The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies’ internal networks to facilitate surveillance efforts.
FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI’s legal position during these discussions is that the software’s real-time interception of metadata is authorized under the Patriot Act.
Attempts by the FBI to install what it internally refers to as “port reader” software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks.
Teenage Prodigy Spurns MIT, Chooses Entrepreneurship
The Bulgarian immigrant comes from an exceptionally well-educated family in which he was expected to get an advanced college degree. His father, Tihomir Asparouhov, earned a doctorate in mathematics from the California Institute of Technology, and his mother, Elena, is an associate professor of finance at the University of Utah.
After high school, Delian was accepted at MIT – but he has since dropped out to launch a health care App called Nightingale, which will use mobile phones to help patients manage their medications.
Asparouhov developed the app with MIT student Eric Bakan – and their idea won a $100,000 fellowship funded by PayPal co-founder Peter Thiel. The Thiel Fellowship is given each year to about 20 students under age 20 to drop out of college and develop a business idea.
MUST VIEW VIDEO: Digital Carjackers Show Forbes How Michael Hasting’s Car Could Have Been Remotely Carjacked0
Posted by Robert Wenzel
Digital Carjackers Show Forbes How Michael Hasting’s Car Could Have Been Remotely Carjacked
Hasting’s isn’t mentioned in the video, just a demonstration of how a car can be remotely carjacked.
The research on this was done as a result of funding by the Pentagon, which Forbes writer Andy Greenberg tells us was commissioned to, ahem, “to root out security vulnerabilities”:
This fact, that a car is not a simple machine of glass and steel but a hackable network of computers, is what Miller and Valasek have spent the last year trying to demonstrate. Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.
Hackers Break into Smartphones to Access Your Bank Account
Security Research Labs (SRL) states that SIM cards in smartphones could be utilized by hackers to gather online banking account information.
Indeed, an estimated 500 million subscriber identity module (SIM) cards have been identified as having vulnerabilities that allow remotely controlled attacks to occur.
SIM cards are “tiny computers that store crucial cryptographic data.”
SIM cards store data on user’s such as phone number, private login and billing information. This includes details about a user’s PayPal and credit card numbers so that the hacker can infiltrate all financial records of individuals.
It is unclear whether or not users can verify that their SIM card is vulnerable to hacker attacks. Specific details provided by the manufacturer cannot assist the user with determining if they are a sitting duck.
Apps made for smartphones are syphoned through SIM cards because they act as a portal .
Karsten Nohi, founder of SRL, is expected to provide this research to the BlackHat Conference in Las Vegas in the later part of this month.
SRL asserts that hackers would send “an unrecognizable, binary text message usually meant to carry user logs and telephone settings to a victim’s phone.
The cellphone then responds by sending back an error message carrying a signature that can be distilled to reveal a 56-bit Data Encryption Standard (DES) key. DES is an old encryption standard used by about one in eight phones around the world.”
Through the “cracked key” the hacker can “download software onto the SIM card that can, among other tricks, change voicemail numbers and find out exactly where a phone is at any time. This allows for remote cloning of possibly millions of SIM cards including their mobile identity as well as payment credentials stored on the card.”
Nohi said : “We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can ready your [SMSes]. More than just spying, we can steal data from the SIM card, your mobile identity, and charge your account.”
Because SIM cards are employed as a de facto trust anchor for cellular phones, simply using two Short Message Service texts can allow a hacker to break into the phone, steal data, listen in on the calls made, and make purchases as if they were the owner of the phone.
The UN issued a warning under the Telecommunications Union (UNTU), that this research provided by SRL is “highly significant” and that “these findings show us where we could be heading in terms of cybersecurity risks.”
Under the direction of the UNTU, academics, private tech corporations and mobile phone companies will be admonished to cooperate with the international community to set up regulations with government officials so that this threat is quelled.
Last October, smartphone connecting to customer bank accounts and conducting remote online banking is utilized by an estimated 29% of US mobile phone users.
Although those invested in keeping the online banking revolution alive are reassuring the general public that it is safe, malware software is rampant throughout the internet and used by fake hacker groups to justify stricter restraints on our digital freedoms. The smartphone banking apps are not different.
Earlier in 2012, the CIA-sponsored hacker group Anonymous breached security systems for VISA and MASTERCARD. These two corporations alerted other banking institutions across the US that there was a “massive breach” within the financial sector.
In October of 2011, the fake hacker group apparently took control over Bank of America (BoA), one of the oldest central banking cartel funded banks. Lately, BoA was used to funnel funds to known drug cartels in Mexico under the Fast and Furious scandal.
January of 2012, Trusteer, the Israeli-based security firm, discovered a banking virus that will steal funds from customers and cover its tracks in the process. This new creation from the SpyEye Trojan will “swap out banking Web pages . . . preventing customers from realizing that their money is gone.”
This Trojan waits patiently for the user to visit their online banking site, copies their login and password, then divulges the personal data surveyed; such as debit/credit card information.
When the user inputs their credit/debit card information in to conduct a purchase, the Trojan will swap web pages and siphon out the funds. According to Truseeter, this is a “post transaction attack”.
The cover-up ability of this Trojan is remarkable. It will edit balance amounts, line by line transactions, and all activity that would trigger suspicion by the owner of the account.
In 2011, SpyEye Trojan attacked Android mobile online banking by siphoning out data from the customer to be used by the hacker. SpyEye also changes while circumventing mobile SMS which is a security measure taken by banks when a customer is conducting online account transactions to certify that the correct user is conducting the business.
SpyEye was victimizing Verizon customers with fake billing pages that require the customer to log in which reveals personal financial data to the virus concerning the user. This Trojan can deter anti-virus software, jumping over firewalls and sit undetected between the browser and the computer redirecting the user to pages without ever being caught.
Image credit: http://www.occupycorporatism.com
About the author:
Posted by Robert Wenzel
Murder Mystery(?) Michael Hastings and a CyberSecurity Firm Called Endgame
Reports are beginning to surface about a connection between the reporter Michael Hastings and a mysterious cybersecurity firm known as Endgame.
Hastings has been linked to Barrett Brown, who the government alleges is the leader of the hacker group Anonymous. Brown is in jail and is being held without bail. The web site Free Barrett Brown reports:
Having previously been raided by the FBI on March 6, 2012 and not charged with any crime in relation to that incident, on September 12, 2012 Barrett Brown was again raided and this time arrested by the Federal Bureau of Investigation while he was online participating in a Tinychat session. He was subsequently denied bail and detained without charge and adequate medical treatment for over two weeks while in the custody of US Marshals. In the first week of October 2012, he was finally indicted on three counts.
These charges are related to alleged activities or postings on popular websites such as Twitter and YouTube, in which he postured for the return of property which was taken from him in March, and expressed frustration at the targeted campaign against him and a member of his family. The Department of Justice issued a press release at the time.
Also, according to the web site, Hastings was planning to interview Brown:
Before his untimely death, Hastings was working on a story about Barrett, announcing mysteriously to his followers “Get ready for your mind to be blown.” Hastings had been in touch with Barrett’s lawyers, and intended to interview him in June for the story. Barrett has been in prison for 281 days pending trial, and faces over a hundred years imprisonment for what Hastings called ”trumped up FBI charges regarding his legitimate reportorial inquiry into the political collective known sometimes as Anonymous.”
Before his suspicious death in a fiery car crash, Hastings seemed to confirm this planned interview, in a tweet and hinted it was relative to a very big story:
Barrett, at the time he was arrested,was studying Endgame. The Nation reports:
Brown began looking into Endgame Systems, an information security firm that seemed particularly concerned about staying in the shadows. “Please let HBGary know we don’t ever want to see our name in a press release,” one leaked e-mail read. One of its products, available for a $2.5 million annual subscription, gave customers access to “zero-day exploits”—security vulnerabilities unknown to software companies—for computer systems all over the world. Business Week published a story on Endgame in 2011, reporting that “Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems.” For Brown, this raised the question of whether Endgame was selling these exploits to foreign actors and whether they would be used against computer systems in the United States. Shortly thereafter, the hammer came down.
The FBI acquired a warrant for Brown’s laptop, gaining the authority to seize any information related to HBGary, Endgame Systems, Anonymous and, most ominously, “email, email contacts, ‘chat’, instant messaging logs, photographs, and correspondence.” In other words, the FBI wanted his sources.
So what is Endgame? According to Darker Net:
The Associated Press Posted: Dec 5, 2012 10:20 PM ET Last Updated: Dec 6, 2012 1:54 AM ET
Software company founder John McAfee was arrested by police in Guatemala on Wednesday for entering the country illegally, hours after he said he would seek asylum in the Central American country.
The anti-virus guru was detained at a hotel in an upscale Guatemala City neighbourhood with the help of Interpol agents and taken to an old, three-story building used to house migrants who enter the country illegally, said Interior Minister Mauricio Lopez Bonilla.
It was the latest twist in a bizarre tale that has seen McAfee refuse to turn himself in to authorities in Belize, where he is a person of interest in the killing of a neighbour, then go on the lam, updating his progress on a blog and claiming to be hiding in plain sight, before secretly crossing the border into Guatemala.
“He will be in danger if he is returned to Belize, where he has denounced authorities,” said his lawyer in Guatemala, Telesforo Guerra. “His life is in danger.”
Guerra said he would ask that a judge look at McAfee’s case as soon as possible. “From them moment he asked for asylum he has to have the protection of the Guatemalan government.”
Security for the 99%
The House of Representatives kicked off their “cybersecurity week” yesterday with a hearing titled “America Is Under Cyber Attack: Why Urgent Action is Needed.” Needless to say, the rhetoric of fear was in full force. A lot of topics were raised by members of Congress and panelists, but perhaps the most troublesome theme came from panelist and Former Executive Assistant Director of the FBI Shawn Henry, who repeatedly urged that good cybersecurity means going on the offensive:
“the problem with existing [...] tactics is that they are too focused on adversary tools (malware and exploits) and not on who the adversary is and how they operate. Ultimately, until we focus on the enemy and take the fight to them […], we will fail.”
This offensively-minded approach has major pitfalls, as it could lead to more government monitoring and control over our communications. While we think an increased focus on catching criminals using existing tools is a fine tactic that could be used by law enforcement, we fear the temptation for law enforcement to increase their surveillance capabilities in order to successfully go on the offensive in the context of computer crimes. This could mean things like breaking into people’s computers without warrants, or disrupting privacy-enhancing tools like Tor. Needless to say, we think it would be a very bad idea to link our safety to the ability for law enforcement to effectively monitor people, and that is a danger of focusing solely on an offensive strategy. Instead, we would like to offer an alternative, defensively-oriented point of view regarding security, an important view that we think was not adequately represented in yesterday’s panel.
Securing U.S. critical infrastructure networks, corporate networks, and the Internet at large depends upon securing our computers and networked devices. Fundamentally, it’s very simple: fewer software vulnerabilities means more security. Once a vulnerability is patched and an upgraded version of software is available and in use, that increases safety for all of us. Ensuring that the right mechanisms are in place to maximize this baseline security should be a major focus area of any organized effort to secure our critical and other Internet infrastructure. This means encouraging the disclosure of vulnerabilities when they are found so that they can be fixed, and no longer exploited. This is what we mean when we talk about security for everyone. This defensive strategy also takes a view of vulnerabilities that includes engineering with security in mind: if software doesn’t force good security on administrators and other humans who have a role to play to keep things secure, then that should be considered a security vulnerability in that software.
In order to understand why vulnerabilities are the foundation of insecurity and ought to the focus of defensive efforts, let’s take a bit of time for those new to the computer security world to define bugs, vulnerabilities, exploits, and a particularly nasty class of exploits called “zero-day” exploits.
Uploaded by GlobalResearchTV on Feb 18, 2012
The US Federal Bureau of Investigation posted a Request for Information last month calling on IT companies to demonstrate their ability to design software for monitoring, mapping and analyzing social media.
Find out more about the history of government spying and propaganda through social media on this week’s edition of Behind the Headlines.
The FBI by mid-January will activate a nationwide facial recognition service in select states that will allow local police to identify unknown subjects in photos, bureau officials told Nextgov.
The federal government is embarking on a multiyear, $1 billion dollar overhaul of the FBI’s existing fingerprint database to more quickly and accurately identify suspects, partly through applying other biometric markers, such as iris scans and voice recordings.
Often law enforcement authorities will “have a photo of a person and for whatever reason they just don’t know who it is [but they know] this is clearly the missing link to our case,” said Nick Megna, a unit chief at the FBI’s criminal justice information services division. The new facial recognition service can help provide that missing link by retrieving a list of mug shots ranked in order of similarity to the features of the subject in the photo.
Today, an agent would have to already know the name of an individual to pull up the suspect’s mug shot from among the 10 million shots stored in the bureau’s existing Integrated Automated Fingerprint Identification System. Using the new Next-Generation Identification system that is under development, law enforcement analysts will be able to upload a photo of an unknown person; choose a desired number of results from two to 50 mug shots; and, within 15 minutes, receive identified mugs to inspect for potential matches. Users typically will request 20 candidates, Megna said. The service does not provide a direct match.
Michigan, Washington, Florida and North Carolina will participate in a test of the new search tool this winter before it is offered to criminal justice professionals across the country in 2014 as part of NGI. The project, which was awarded to Lockheed Martin Corp. in 2008, already has upgraded the FBI’s fingerprint matching service.
Local authorities have the choice to file mug shots with the FBI as part of the booking process. The bureau expects its collection of shots to rival its repository of 70 million fingerprints once more officers are aware of the facial search’s capabilities.
Thomas E. Bush III, who helped develop NGI’s system requirements when he served as assistant director of the CJIS division between 2005 and 2009, said, “The idea was to be able to plug and play with these identifiers and biometrics.” Law enforcement personnel saw value in facial recognition and the technology was maturing, said the 33-year FBI veteran who now serves as a private consultant.
NGI’s incremental construction seems to align with the White House’s push to deploy new information technology in phases so features can be scrapped if they don’t meet expectations or run over budget.
But immigrant rights groups have raised concerns that the Homeland Security Department, which exchanges digital prints with the FBI, will abuse the new facial recognition component. Currently, a controversial DHS immigrant fingerprinting program called Secure Communities runs FBI prints from booked offenders against the department’s IDENT biometric database to check whether they are in the country illegally. Homeland Security officials say they extradite only the most dangerous aliens, including convicted murderers and rapists. But critics say the FBI-DHS print swapping ensnares as many foreigners as possible, including those whose charges are minor or are ultimately dismissed.
Megna said Homeland Security is not part of the facial recognition pilot. But, Bush said in the future NGI’s data, including the photos, will be accessible by Homeland Security’s IDENT.
The planned addition of facial searches worries Sunita Patel, a staff attorney with the Center for Constitutional Rights, who said, “Any database of personal identity information is bound to have mistakes. And with the most personal immutable traits like our facial features and fingerprints, the public can’t afford a mistake.”
In addition, Patel said she is concerned about the involvement of local police in information sharing for federal immigration enforcement purposes. “The federal government is using local cops to create a massive surveillance system,” she said.
Bush said, “We do have the capability to search against each other’s systems,” but added, “if you don’t come to the attention of law enforcement you don’t have anything to fear from these systems.”
Other civil liberties advocates questioned whether the facial recognition application would retrieve mug shots of those who have simply been arrested. “It might be appropriate to have nonconvicted people out of that system,” said Jim Harper, director of information policy at the libertarian Cato Institute. FBI officials declined to comment on the recommendation.
Harper also noted large-scale searches may generate a lot of false positives, or incorrect matches. Facial recognition “is more accurate with a Google or a Facebook, because they will have anywhere from a half-dozen to a dozen pictures of an individual, whereas I imagine the FBI has one or two mug shots,” he said.
FBI officials would not disclose the name of the search product or the vendor, but said they gained insights on the technique’s accuracy by studying research from the National Institute of Standards and Technology.
In responding to concerns about the creation of a Big Brother database for tracking innocent Americans, Megna said the system will not alter the FBI’s authorities or the way it conducts business. “This doesn’t change or create any new exchanges of data,” he said. “It only provides [law enforcement] with a new service to determine what photos are of interest to them.”
In 2008, the FBI released a privacy impact assessment summarizing its appraisal of controls in place to ensure compliance with federal privacy regulations. Megna said that, during meetings with the CJIS Advisory Policy Board and the National Crime Prevention and Privacy Compact Council, “we haven’t gotten a whole lot of pushback on the photo capability.”
The FBI has an elaborate system of checks and balances to guard fingerprints, palm prints, mug shots and all manner of criminal history data, he said. ”This is not something where we want to collect a bunch of surveillance film” and enter it in the system, Megna said. “That would be useless to us. It would be useless to our users.” source – NextGov