Password cracker 100 times faster with an SSD

The security specialist Objectif Sécurité has optimised its rainbow tables – a common tool used to crack password hashes – to make use of SSDs. The result is, according to Objectif Sécurité's Philippe Oechslin, an acceleration by a factor of 100 when compared to their old 8GB Rainbow Tables for XP hashes. A web form takes the XP-hashes and cracks them for free with the new, ten times larger tables.

Oechslin has fitted an elderly Athlon 64 X2 4400 with an SSD and the optimised tables. This system can, with only 75% CPU utilisation, crack a 14-digit password with special characters in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second, a speed that is a factor of 500 faster than an Elcomsoft cracker supported by a modern Tesla GPU from NVIDIA.

Calculations with rainbow tables achieve the acceleration by pre-computing the intermediate steps of all possible password hashes for a specific algorithm and then storing those results as a table. The more steps that are stored, the bigger the tables and the faster the cracking process. Once the tables no longer fit in memory, the less-used parts of the tables are saved on mass storage devices; previously this would have been a hard disk, which in turn leads to slower access times while searching them.
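To make the time/memory tradeoff in that paragraph concrete, here is an added toy rainbow table in Python. It is not code from the H-Online article or from Objectif Sécurité; the password space (3 lowercase letters), MD5 as the stand-in hash, the chain length, the row count and every function name are assumptions chosen for the demo. It precomputes hash/reduce chains, stores only each chain's two ends, inverts a hash by regenerating the chain that an endpoint hit points to, and, going one step beyond the article, shows why a per-user salt puts a hash outside anything the table precomputed.

```python
import hashlib
import itertools
import string

# Constructed toy parameters: a 3-letter lowercase password space (26**3 = 17,576 candidates).
# Real tables cover spaces of 10**14 and more; the mechanics are identical.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
CHAIN_LEN = 50       # hash/reduce steps per chain; only the two chain ends are stored
NUM_CHAINS = 2000    # rows in the table


def hash_pw(pw: str) -> bytes:
    """The target hash function (unsalted MD5 here, standing in for an unsalted OS hash)."""
    return hashlib.md5(pw.encode()).digest()


def reduce_hash(h: bytes, step: int) -> str:
    """Map a digest back into the password space. Mixing in the column index makes
    the reduction differ per column, which is what distinguishes a rainbow table
    from a plain Hellman chain and keeps merged chains from collapsing."""
    n = int.from_bytes(h, "big") + step
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains; store only endpoint -> start (the memory side of the tradeoff)."""
    seeds = ("".join(t) for t in itertools.product(ALPHABET, repeat=PW_LEN))
    table = {}
    for start in itertools.islice(seeds, num_chains):
        pw = start
        for step in range(chain_len):
            pw = reduce_hash(hash_pw(pw), step)
        table.setdefault(pw, start)
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Return a preimage of `target` if it lies on any stored chain (the time side)."""
    for col in range(chain_len - 1, -1, -1):
        # Assume the target sits in column `col` and walk to where its chain would end.
        pw = reduce_hash(target, col)
        for step in range(col + 1, chain_len):
            pw = reduce_hash(hash_pw(pw), step)
        if pw in table:
            # Endpoint hit: regenerate that chain from its start and test each column.
            cand = table[pw]
            for step in range(chain_len):
                if hash_pw(cand) == target:
                    return cand
                cand = reduce_hash(hash_pw(cand), step)
            # Otherwise a false alarm: a different chain merged into this endpoint.
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the password space whose hash the table can invert."""
    seen = set()
    for start in table.values():
        pw = start
        for step in range(chain_len):
            seen.add(pw)
            pw = reduce_hash(hash_pw(pw), step)
    return len(seen) / len(ALPHABET) ** PW_LEN


def demo() -> dict:
    table = build_table()
    # Take a password from the middle of the very first chain so a hit is guaranteed.
    pw = "aaa"
    for step in range(7):
        pw = reduce_hash(hash_pw(pw), step)
    unsalted_hit = lookup(table, hash_pw(pw))
    # A per-user salt (constructed value) moves the hash outside the precomputed space.
    salted_hit = lookup(table, hashlib.md5(b"s4lt" + pw.encode()).digest())
    return {"password": pw, "unsalted_hit": unsalted_hit,
            "salted_hit": salted_hit, "coverage": coverage(table)}


if __name__ == "__main__":
    print(demo())
```

Storing 2,000 endpoints stands in for up to 100,000 passwords; raising `CHAIN_LEN` shrinks the table at the cost of longer lookups, which is the tradeoff the article's larger, SSD-resident tables push in the other direction. The salted lookup returning nothing is the defender's takeaway: salting, or a deliberately slow password hash, removes the shared precomputation that makes these tables pay off.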

(djwm)

SSDs: making a return to the malicious netbook near you.

Filed under // brute force, cracking, ssd
Posted by gorrie

Car thieves making clean getaway with GPS jammers

Car thief gangs have begun using imported GPS jammers to allow them to escape tracking technology.

Illicit kit imported into Europe from China operates on the same frequency as GPS satellites to drown out timing signals and confound in-car devices. Because of this in-vehicle systems are unable to either determine their position or report in to vehicle tracking centres in cases where cars or lorries registered with GPS-based tracking technology are stolen.

Vehicles "disappear from the radar" when the GPS jamming technology is deployed, Professor David Last of the University of Wales at Bangor told The Guardian. Professor Last has acted as an expert witness for prosecutors in recent prosecutions involving the seizure of illegal GPS jamming kit.

GPS jammers also have the potential to drown out mobile signals locally, a factor that has reportedly been applied to stop truckers contacting the police in lorry heists in Germany, as well as other applications. Experts reckon some German motorists have used the devices in attempts to avoid GPS-based road charging, introduced for trucks in 2005.

Ownership of the technology is a legal grey area even though it is against the law in both the UK and Germany to either sell or use jamming devices. GPS satellite signals are low power, so jamming devices need not be powerful.

We'll be seeing more and more of these low skill operators using provided technology mechanisms as time goes on.

Detecting and shutting down jammers in a timely fashion in anything other than a high security area is not going to be a realistic goal. This is a contest that the adversaries will always win.

Filed under // gps, jamming
Posted by gorrie

Dozens Of Defense Contractors, Agencies Hacked

For anyone who has a security clearance and doesn't believe the U.S. faces a cyber-espionage crisis, Colonel Steven Shirley has 102 stories to share with you.

That's the number of cases in which Shirley's team of Pentagon researchers discovered cyberspies breaching the networks of government agencies, defense contractors and other organizations with ties to the U.S. Department of Defense, gaining administrator-level access with the aim of stealing military secrets.

The Pentagon's forensics-focused Cyber Crime Center, where Shirley is executive director, found that between August 2007 and August 2009, 71 government agencies, contractors, universities and think tanks with connections to the U.S. military had been penetrated by foreign hackers, in some cases multiple times. In total, Shirley told Forbes, the center performed 116 investigations following spying breaches and found that in all but 14 of those cases the intruders had gained complete administrator-level access to the victim's network.

Foreign APTs running wild seems to be the norm.

The overuse of the term APT in the last few months is testimony to their success, measured by the number of data-theft incidents openly disclosed by sensitive agencies.

Filed under // APT, data leakage, government
Posted by gorrie

Cisco's Backdoor For Hackers

ARLINGTON, Va. -- Activists have long grumbled about the privacy implications of the legal "backdoors" that networking companies like Cisco build into their equipment--functions that let law enforcement quietly track the Internet activities of criminal suspects. Now an IBM researcher has revealed a more serious problem with those backdoors: They don't have particularly strong locks, and consumers are at risk.

In a presentation at the Black Hat security conference Wednesday, IOS operating system can be exploited by cybercriminals or cyberspies to pull data out of the routers belonging to an Internet service provider (ISP) and watch innocent victims' online behavior.

"We need to balance privacy interests with the state's interest in monitoring suspected criminals," says Cross. "There's long been a political debate about where that balance should be. But there are also these serious underlying technical problems."

This seems to be another sticky lesson. Access to technology is difficult to manage when granted in a covert channel.

I realize that many people would object to my term in the context of agency or law enforcement access, but let us be honest with ourselves. Isn't that what this is?

Centralized authorization and role management is difficult enough to manage and monitor without vendors backdooring customer or carrier equipment.

Clearly the access methodology needs to improve: controls must become stronger and rely on strong authentication.

Recent events as food for thought:
Surveillance Can't Make Us Secure
Google attack part of widespread spying effort

Filed under // backdoors, covert channel
Posted by gorrie

Web sites in their thousands selling on customer data

Over 4,000 so-called legitimate sites worldwide could be selling on subscriber or user data without the knowledge of their users, according to identity theft prevention firm SentryBay.

In an exclusive conversation with V3.co.uk, chief operating officer at the vendor, Marcus Whittington, explained that the figures come from a comprehensive database run by partner organisation, Lucid Intelligence.

The Lucid database offers a unique snapshot into the activity of identity fraudsters by comprising a list of user data which is being bought and sold on the black market.

Posted by gorrie

Swamp Computing

Tired of reading yet another cloud security article? This is really the only one you need to read. If you don't have the attention span to read it all, read my excerpts.

Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.

In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it. They hired some virtual machines to serve as targets and others to serve as attackers--and tried to get both groups hosted on the same servers at Amazon's data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars.


[...]

Gmail, Twitter, and Facebook are all cloud applications, for example. Web-based infrastructure services like Amazon's--as well as versions from vendors such as Rackspace--have attracted legions of corporate and institutional customers drawn by their efficiency and low cost.

[...]

"Today you have these huge, mammoth cloud providers with thousands and thousands of companies cohosted in them," says Radu Sion, a computer scientist at the State University of New York at Stony Brook. "If you don't have everybody using the cloud, you can't have a cheap service. But when you have everybody using the clouds, you have all these security issues that you have to solve suddenly."

[...]

Cloud computing actually poses several separate but related security risks. Not only could stored data be stolen by hackers or lost to breakdowns, but a cloud provider might mishandle data--or be forced to give it up in response to a subpoena. And it's clear enough that such security breaches are not just the stuff of academic experiments. In 2008, a single corrupted bit in messages between servers used by Amazon's Simple Storage Service (S3), which provides online data storage by the gigabyte, forced the system to shut down for several hours. In early 2009, a hacker who correctly guessed the answer to a Twitter employee's personal e-mail security question was able to grab all the documents in the Google Apps account the employee used. (The hacker gleefully sent some to the news media.) Then a bug compromised the sharing restrictions placed on some users' documents in Google Docs. Distinctions were erased; anyone with whom you shared document access could also see documents you shared with anyone else.

And in October, a million T-Mobile Sidekick smart phones lost data after a server failure at Danger, a subsidiary of Microsoft that provided the storage. (Much of the data was later recovered.) Especially with applications delivered through public clouds, "the surface area of attack is very, very high," says Peter Mell, leader of the cloud security team at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. "Every customer has access to every knob and widget in that application. If they have a single weakness, [an attacker may] have access to all the data."

To all this, the general response of the cloud industry is: clouds are more secure than whatever you're using now. Eran Feigenbaum, director of security for Google Apps, says cloud providers can keep ahead of security threats much more effectively than millions of individuals and thousands of companies running their own computers and server rooms. For all the hype over the Google Docs glitch, he points out, it affected less than .05 percent of documents that Google hosted. "One of the benefits of the cloud was the ability to react in a rapid, uniform manner to these people that were affected," he says. "It was all corrected without users having to install any software, without any server maintenance."

Think about the ways security can be compromised in traditional settings, he adds: two-thirds of respondents to one survey admitted to having mislaid USB keys, many of them holding private company data; at least two million laptops were stolen in the United States in 2008; companies can take three to six months to install urgent security patches, often because of concern that the patches will trigger new glitches. "You can't get 100 percent security and still manage usability," he says. "If you want a perfectly secure system, take a computer, disconnect it from any external sources, don't put it on a network, keep it away from windows. Lock it up in a safe."

But not everyone is so sanguine. At a computer security conference last spring, John Chambers, the chairman of Cisco Systems, called cloud computing a "security nightmare" that "can't be handled in traditional ways." At the same event, Ron Rivest, the MIT computer scientist who coinvented the RSA public-key cryptography algorithm widely used in e-commerce, said that the very term cloud computing might better be replaced by swamp computing. He later explained that he meant consumers should scrutinize the cloud industry's breezy security claims: "My remark was not intended to say that cloud computing really is 'swamp computing' but, rather, that terminology has a way of affecting our perceptions and expectations. Thus, if we stop using the phrase cloud computing and started using swamp computing instead, we might find ourselves being much more inquisitive about the services and security guarantees that 'swamp computing providers' give us."


[...]

Amazon announced plans to offer a "private cloud" service that ensures more secure passage of data from a corporate network to Amazon's servers. (The company said this move was not a response to the research by the San Diego and MIT group. According to Adam Selipsky, vice president of Amazon Web Services, the issue was simply that "there is a set of customers and class of applications asking for even more enhanced levels of security than our existing services provided.")


[...]

The problem of how to manipulate encrypted data without decrypting it, meanwhile, stumped researchers for decades until Gentry made a breakthrough early in 2009. While the underlying math is a bit thick, Gentry's technique involves performing calculations on the encrypted data with the aid of a mathematical object called an "ideal lattice." In his scheme, any type of calculation can be performed on data that's securely encrypted inside the cloud. The cloud then releases the computed answers--in encrypted form, of course--for users to decode outside the cloud. The downside: the process eats up huge amounts of computational power, making it impractical for clouds right now. "I think one has to recognize it for what it is," says Josyula Rao, senior manager for security at IBM Research. "It's like the first flight that the Wright Brothers demonstrated." But, Rao says, groups at IBM and elsewhere are working to make Gentry's new algorithms more efficient.


[...]

"Clouds are systems," says NIST's Peter Mell. "And with systems, you have to think hard and know how to deal with issues in that environment. The scale is so much bigger, and you don't have the physical control. But we think people should be optimistic about what we can do here. If we are clever about deploying cloud computing with a clear-eyed notion of what the risk models are, maybe we can actually save the economy through technology."

Copyright Technology Review 2009.

The full article here talks about the expense (in computational power) of encryption churn, future interoperability concerns resembling the 90s between competitors, and other anticipated challenges along the way.

Not a bad attempt at a future and failures in-a-nutshell article.

Like the current thinking on carbon-based fuels, the added costs of risk exposure and additional governance need to be baked into so-called cloud and virtualized offerings.

The threat landscape for internet applications has exploded exponentially from where it was only a few years ago, driven by the advent of virtualization, massively increased distribution of assets, the explosion of wireless access, and quick-to-market applications with unprecedented numbers of software flaws that pose risks of disclosure of private data.

I say this not to overly criticize innovation and more aggressive, fast-paced development, but to clarify to those who do not realize it that reining in and controlling access at the inception of these services is required to control them.

Without foresight in building infrastructure in secure ways, the risk of difficult systematic problems creates the space for unintended commerce in leaked or stolen information. Nature abhors a vacuum and in highly complicated systems there will invariably be backwaters where this will occur.

The trick here is to make modular systems that guard against inappropriate disclosure at each step using the defense in depth model. Once actual costs are assigned to risk by means of open data and metric information, market forces should make this a reality.

Filed under // amazon, cloud, google, malware, security, t-mobile
Posted by gorrie

Federal Data Breach Bill (H.R. 2221) Passes House

H.R. 2221 defines personal information as, "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

  • (i) Social Security number
  • (ii) Driver's license number or other State identification number
  • (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account."

Some more details include:

  • The Federal Trade Commission would be the responsible agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • "there is no reasonable risk of identity theft, fraud, or other unlawful conduct.", which will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

Finally, a federal law is coming that defines a breach and sets a baseline for governance.

OpenCongress link

Filed under // breach, law
Posted by gorrie

Attackers Buying Own Data Centers

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that's the way it's supposed to work everywhere. Applicants who can't show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don't have the resources to investigate every application as fully as they'd like.

Technical adversaries are increasingly a non-national entity; a fluid force in the world that moves to where enforcement is not.

Posted by gorrie

Militants Can Snoop on Most U.S. Warplanes, Drones


Tapping into drones’ video feeds was just the start. The U.S. military’s primary system for bringing overhead surveillance down to soldiers and Marines on the ground is also vulnerable to electronic interception, multiple military sources tell Danger Room. That means militants have the ability to see through the eyes of all kinds of combat aircraft — from traditional fighters and bombers to unmanned spy planes. The problem is in the process of being addressed. But for now, an enormous security breach is even larger than previously thought.

The military initially developed the Remotely Operated Video Enhanced Receiver, or ROVER, in 2002. The idea was to let troops on the ground download footage from Predator drones and AC-130 gunships as it was being taken. Since then, nearly every airplane in the American fleet — from F-16 and F/A-18 fighters to A-10 attack planes to Harrier jump jets to B-1B bombers — has been outfitted with equipment that lets them transmit to ROVERs. Thousands of ROVER terminals have been distributed to troops in Afghanistan and Iraq.

But those early units were “fielded so fast that it was done with an unencrypted signal. It could be both intercepted (e.g. hacked into) and jammed,” e-mails an Air Force officer with knowledge of the program. In a presentation last month before a conference of the Army Aviation Association of America, a military official noted that the current ROVER terminal “receives only unencrypted L, C, S, Ku [satellite] bands.”

So the same security breach that allowed insurgents to use satellite dishes and $26 software to intercept drone feeds can be used to tap into the video transmissions of any plane.

[Photo: USAF]

Once again, WSJ uses "hack" wrong. Insurgents, as they are well funded and highly motivated, spent a handful of dollars on software and are eavesdropping on unencrypted satellite and downlink signals. This isn't a feat. It is base functionality.

As usual, it isn't as bad as the media makes it out to be. There is no hack. There is only signal intel generated from eavesdropping on unencrypted communications. No one is taking control of drones. The sloppy deployment and management of some of their abilities, specifically the ROVER terminals and downlinks, is shameful.

Look at the large variety of reporting. This is inaccurate:

This previous dismissal of the problem was wrong as well.

This is pathetic. If the technology game at the United States armed forces is this out to lunch, they clearly need some oversight to make sure they're not making basic mistakes in their technology infrastructure.

Filed under // eavesdropping, infowar
Posted by gorrie