Monthly Archives: December 2016

FBI-DHS Report Links Fancy Bear to Election Hacks

In a report released Thursday the Federal Bureau of Investigation and the US Department of Homeland Security implicated Russian hacking group Fancy Bear in attacks against several election-related targets.

According to the Joint Analysis Report, the hacking group Fancy Bear, believed to have ties to the Russian government, used a combination of techniques ranging from spear phishing, spoofed domains and malware to harvest credentials in order to gain access to accounts controlled by a political party.

Attacks against U.S. targets came in two waves starting in the summer of 2015 and as recently as November 2016, according to the report. The FBI-DHS implicates Russian intelligence services who allegedly initiated the attacks via Fancy Bear, also known as Cozy Bear, APT28 and Sofacy.

The 13-page report (PDF) said attackers “masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.” It said hackers aimed “to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”

In June, researchers at Crowdstrike implicated Cozy Bear in hacks against the Democratic National Committee. Crowdstrike said Cozy Bear has also been behind attacks against the White House, State Department and Joint Chiefs of Staff, as well as numerous organizations in critical industries around the Western world, Central Asia and the Far East.

According to the FBI-DHS, the malicious cyber activity, which it designated Grizzly Steppe, began in April 2015 and included a spear phishing campaign that targeted over 1,000 recipients.

“APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spear phishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party,” according to the report.

The spear phishing campaign lured at least one victim to download a file that contained malware that “established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure,” according to the report.

In the spring of 2016, attackers were again successful when they tricked a spear phishing recipient to change their password through a fake web domain controlled by the attackers. “Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.”

The report said information obtained from those attacks was released to the press and publicly disclosed. The report does not single out the DNC; however, Crowdstrike and several security firms report that it was the prime target.

Spear phishing attacks continued even after the November 2016 election, according to the report. The FBI-DHS warned that further unconfirmed attacks may have occurred and might be related to the IP addresses and file hashes associated with attackers. Attacks may have targeted vulnerabilities such as injection flaws, cross-site scripting and server vulnerabilities, according to the FBI-DHS.

Mitigations and protections against present and future Fancy Bear attacks include backups, risk analysis, vulnerability scanning and patching.

The report has received mixed reviews. Congressman Jim Langevin, co-founder and co-chair of the Congressional Cybersecurity Caucus, praised the report in a statement: “By releasing formerly classified threat indicators, the Department of Homeland Security and FBI have exposed Russian hacking infrastructure.”

Noted cyber security expert Jonathan Zdziarski took to Twitter to publicly call the report overly simplistic.

from Threatpost – English – Global – thr…

Wycheproof – Test Crypto Libraries Against Known Attacks

Project Wycheproof is a tool to test crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but it is not an official Google product.


At Google, they rely on many third party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and they found that libraries fall into such implementation pitfalls much too often and for much too long.

Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature.

They recognise that software engineers fix and prevent bugs with unit testing, and they also found that cryptographic loopholes can be resolved by the same means.

These observations have prompted them to develop Project Wycheproof, a collection of unit tests that detect known weaknesses or check for expected behaviours of some cryptographic algorithm. Project Wycheproof provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto and authenticated encryption.


Project Wycheproof has tests for the most popular crypto algorithms, including

  • DH
  • DSA
  • ECDH
  • RSA

The tests detect whether a library is vulnerable to many attacks, including:

  • Invalid curve attacks
  • Biased nonces in digital signature schemes
  • Of course, all Bleichenbacher’s attacks
  • And many more — there are over 80 test cases
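The following is an added illustration of what a Wycheproof-style test looks like, written for this page and not taken from Project Wycheproof itself. It builds a small table of ECDH test vectors for P-256 (a valid public point, two points that are not on the curve, and the point at infinity), then runs two hypothetical ECDH routines against them: one that skips public-key validation and one that checks the peer's point before use. The harness reports which vectors each routine gets wrong, which is exactly how an invalid-curve weakness surfaces in a unit test. The curve constants are the standard P-256 parameters; the private key and vector table are constructed for the example.

```python
# Wycheproof-style ECDH public-key validation test on P-256 (pure Python, no dependencies).
# Standard P-256 domain parameters.
P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
B  = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N  = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G  = (GX, GY)


class InvalidPublicKey(ValueError):
    """Raised by the validating ECDH routine when the peer's point is rejected."""


def on_curve(pt):
    """True if pt is the point at infinity or an affine point satisfying y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication. Note that the group law never uses b,
    so an off-curve point is silently multiplied on whatever curve it does lie on."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def ecdh_naive(priv, peer_pub):
    """Hypothetical ECDH that trusts the peer's point: the pattern invalid-curve tests catch."""
    shared = mul(priv, peer_pub)
    return None if shared is None else shared[0]


def ecdh_checked(priv, peer_pub):
    """Hypothetical ECDH that validates the peer's point first (P-256 has cofactor 1,
    so an in-range on-curve check is sufficient)."""
    if peer_pub is None or not on_curve(peer_pub):
        raise InvalidPublicKey("peer public key is not a valid P-256 point")
    return mul(priv, peer_pub)[0]


# Constructed test vectors in the spirit of a Wycheproof test group.
VECTORS = [
    {"tcId": 1, "comment": "valid point (the generator)", "public": G, "result": "valid"},
    {"tcId": 2, "comment": "point not on the curve (y + 1)", "public": (GX, GY + 1), "result": "invalid"},
    {"tcId": 3, "comment": "non-canonical coordinate (x + p)", "public": (GX + P, GY), "result": "invalid"},
    {"tcId": 4, "comment": "point at infinity", "public": None, "result": "invalid"},
]

TEST_PRIV = 0x1c0ffee1234567890abcdef1c0ffee1234567890abcdef1c0ffee12345678901  # constructed key


def run_vectors(ecdh, priv=TEST_PRIV):
    """Return the tcIds that the given ECDH routine handles incorrectly:
    accepting an invalid point or rejecting a valid one."""
    failures = []
    for v in VECTORS:
        try:
            ecdh(priv, v["public"])
            accepted = True
        except InvalidPublicKey:
            accepted = False
        if accepted != (v["result"] == "valid"):
            failures.append(v["tcId"])
    return failures


if __name__ == "__main__":
    for name, fn in (("naive", ecdh_naive), ("checked", ecdh_checked)):
        bad = run_vectors(fn)
        print(f"{name:8s} failed tcIds: {bad if bad else 'none'}")
```

Running the script shows the unvalidated routine accepting every invalid vector while the validating one passes them all; in a real suite the vector table would be far larger and loaded from the project's JSON files, but the shape of the check is the same.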

You can download Project Wycheproof here:

Or read more here.

from Darknet – The Darkside

News in brief: US raps Russian hacking; internet clampdowns ‘cost $2.4bn’; AR move to track lost items

Your daily round-up of some of the other security stories in the news

US expels Russian diplomats over hacking

Vladimir Putin stepped back from turning the heat up on the row between the US and Russia over the latter’s hacking in the run-up to the US elections, saying that for now, he wouldn’t act on the recommendation of his foreign minister, Sergei Lavrov, to expel 35 US diplomats from Moscow in return for the US administration expelling 35 Russian diplomats.

Obama’s move to send the Russians home came as the FBI and the Homeland Security department published a report setting out in detail the hacking they believe Russian groups carried out on the DNC and other political organisations. The Russian hacking, said the FBI and the DHS, “is part of a decade-long campaign of cyber-enabled operations directed at the US government and its citizens”.

Putin’s response was being seen in Washington as an overture to Donald Trump, the president-elect, with Putin adding that Russia would “make further steps to help resurrect Russian-American relations based on the policies that the administration of Trump will pursue”.

Internet clampdowns ‘cost $2.4bn’

Governments shutting down internet access cost at least $2.4bn in the 12 months to June 30. That’s the impact of shutdowns on GDP, according to the Brookings Institute, whose paper notes that that figure is a conservative estimate, only taking into account GDP and not attempting to quantify the cost of tax losses or drops in investor, business and consumer confidence.

The paper’s author, Darrell West, estimates that shutdowns cost $968m in India, $465m in Saudi Arabia and $320m in Morocco, among other places.

Of course, it’s not just economic activity that suffers when citizens are cut off from the internet: it’s also a powerful tool for democracy, so let’s hope that, as West notes, it becomes too big a hit on the economy for governments to take such a repressive step: “As the digital economy expands, it will become even more expensive for nations to shut down the internet.”

‘Hey, Cortana, where are my keys?’

“Where are my keys? Where’s my phone? Have you seen my specs?” Those are common laments, and already smarthome technology is able to help a bit with at least finding your phone: you can ask Amazon’s Alexa, via an IFTTT recipe, to ring your device to help you locate it.

But Microsoft, using augmented reality (AR), hopes to make it much easier to track all kinds of devices, according to a patent it’s filed with the US Patent and Trademark Office. AR is a cousin of Virtual Reality, using a device to put an overlay of information on to the world around you: think the Pokemon Go interface, and you’ve got the idea.

The device Microsoft describes in its patent application sounds rather like its existing HoloLens, which creates what Microsoft calls “mixed reality”. Using advanced tech to track quotidian items might seem mundane, but Microsoft points out in its application that we waste a huge amount of time hunting for misplaced items. Welcome to the future.

Catch up with all of today’s stories on Naked Security

from Naked Security – Sophos

Uber, Apple Maps and location tracking: what’s really going on?

When it comes to privacy, folks have learned to watch Uber like a hawk. This turns out to be useful even when Uber (apparently) turns out to be innocent. Case in point: the way Uber’s iOS app (3.222.4 and higher) now requests permission to track your location… “Always”.

“Previously, Uber only collected location information while a user had the app open,” TechCrunch reported late in November. “Now, Uber asks users to always share their location with the ride-hailing company.”

What’s going on here? Uber told TechCrunch: “Even though it can harvest your location constantly while its app is running in the background… it won’t use that capability. Instead, Uber claims it just needs a little bit more location data to improve its service, and it has to ask for constant access because of the way device-level permissions are structured.”

TechCrunch quotes Uber as saying it simply wants five more minutes of tracking before and after your ride. With this info, it can help drivers and riders find each other, and see if passengers are having to cross dangerous streets after drop-off. But, says Uber, app developers can’t ask Apple for “just five more minutes” of access after users close the app: their only option is “always”.

Since those first reports, prominent bloggers Michael S Fischer (HackerNoon) and John Gruber (Daring Fireball) have blogged extensively on this issue. First, Fischer asked Apple to prevent app developers from doing what Uber did: disabling a device owner’s option to provide location access only “when using the app”. Gruber then showed his iOS-using readers how to check the last time Uber tracked them: “Go to Settings → Privacy → Location Services and take a look at the list of apps. If Uber has checked your location recently, an indicator will appear in the list — purple if it checked “recently”, gray if in the last 24 hours.”

Well, it wasn’t long before some of Gruber’s readers started posting screen captures suggesting Uber was checking them out even if they hadn’t requested an Uber in weeks.

So, now what’s going on here? TechCrunch went back to Uber, and here’s what it says: since September, Uber’s app has been capable of integrating with iOS Maps. Using new iOS 10 APIs, Uber can add a handy-dandy Ride button to Maps. Not only can you request your Uber straight from Maps, Apple says that “you can also book and pay for rides… once you’ve ordered a ride, Maps even shows you the driver, the car, and the driver’s current location.”

But for all this to work, says TechCrunch, “location data must be shared” with Maps and whatever third-party apps are running inside it. And when you open Maps, Apple happily shares that tracking info even if you have no intention of ordering a car.

John Gruber suggests that Apple change Maps’ behavior so “extensions only load when you tap the ‘Ride’ tab in Maps” – not every time you load Maps. (Slower, but more private.) Alternatively, TechCrunch suggests a tweak to Apple’s color-coded Location Services Settings so it’s easier to tell which billion-dollar corporation is tracking you. (Of course, with the tracking rights you’ve already given Uber, who’s to say what could legally happen to all the data Apple keeps sending Uber, even after you’re safely across the street and safely inside your destination.) Just another day in this warm, fuzzy 21st century.

from Naked Security – Sophos

Happy new year! Here’s our look back at the year on Naked Security

Happy new year to all our readers around the globe! With 2017 almost upon us, it’s time to take a look at the most popular NakedSecurity articles of 2016. We’ve split the posts into four categories – each containing a few surprises.


The most popular topic for the year by a wide margin was ransomware. We’ve been following the evolution of ransomware here at NakedSecurity for a long time, and in 2016 we saw a number of new wrinkles to the story.

Our most popular post of the entire year by an almost two-to-one margin was on Locky, the strain of ransomware that seemed to start making the rounds earlier this year, renaming file extensions as it encrypted files. Judging by the comments (90 and counting), Locky was certainly a big pain for many people this year: “Locky” ransomware – what you need to know

Other ransomware-related posts that proved popular:

We’ll continue to keep a close eye on what’s happening in the world of ransomware to keep you apprised, prepared and two steps ahead of attackers.

The dark web

Perhaps it’s the mystique of the “anonymous” internet (though it isn’t really – and you knew that from reading us, right?) or perhaps it’s from hearing Tor more and more in the global news headlines, but three of our pieces about the dark web proved popular this year, even though two of them were from 2015.

Explainers, research and busting bogus claims

Is that claim really true? What’s behind that story? What does this really mean?

We answered a number of questions – and busted a few false claims – with our researchers and know-how. A few of the popular stories this year were actually from years past, showing that some questions need to be answered year after year.


And finally, the ubiquitous social media platform captured a lot of people’s attention this year. With every change to the platform’s behavior, big or small, we try to stay on top of what this means for you and your privacy. We saw two stories that proved especially popular this year on that front:

Let us know what your favorite pieces were this year in the comments – and do also tell us what you’d like us to cover. We’re always listening! And cheers – here’s to a happy, safe and secure 2017.

from Naked Security – Sophos

Hedge fund turns to AI to navigate through the maze

Hedge funds have long boasted the use of machine algorithms to remove base human emotion from complex investment decisions.

Now it appears the world’s largest hedge fund, Bridgewater Associates, could be about to take this idea to the next level – by using machines to run large parts of the company too.

It sounds like a risky experiment from the bleeding edge of AI, but according to a Wall Street Journal story based on insider testimony, the company is already well on its way to turning on what it calls PriOS: Principles Operating System.

Envisioned by the man who ordered its creation – Bridgewater’s famous founder Ray Dalio – PriOS will go far beyond the old-world “operating system” moniker.

The software will use algorithms developed from Dalio’s long career in finance – summed up in his famous 123-page Principles document – to help employees in decision-making, including ranking opinions where a disagreement about strategy arises among managers.

Within five years, Dalio wants PriOS to be used to carry out up to three quarters of day-to-day management decisions, including decisions normally seen as nuanced – hirings and firings, for example.

The WSJ says:

The role of many remaining humans at the firm wouldn’t be to make individual choices but to design the criteria by which the system makes decisions, intervening when something isn’t working.

Sceptics of hedge funds and their obsession with technology will dismiss the whole scheme as a glorified expert system of the sort that have been used for years.

Others will see Dalio’s mechanistic idea as a cold vision of hell and yet another example of how AI threatens to de-humanise business as fast as it steals jobs.

And yet there are strands of a deeper backstory in this tale that guarantees Dalio, Bridgewater and PriOS an audience.

The first is that PriOS is under the wing of David Ferrucci, the IBM engineer who helped IBM create Watson, the first-gen AI system (and descendant of the Big Blue chess-playing supercomputer) that in 2010 famously won TV’s Jeopardy quiz.

Getting AI and algorithms to run a company – even one as mechanistic as a hedge fund – might turn out to be quixotic but having Ferrucci on-board makes this a public test for the technology’s capabilities.

So too does the philosophy of Dalio, who stepped back from the company some years ago to see whether senior managers could fulfil his ideas. That experiment led to disappointment – one of the managers who fell from favour in 2013 was James Comey, who now heads the FBI.

A hedge fund technologist at a rival company once boasted that if the company’s managers died, its algorithms would simply go on trading. The same may be true of Bridgewater Associates but we’re still a long way from the day when it appoints the world’s first AI CEO.

As with so many successful companies in history the biggest hurdle might not be automating its founder’s vision in machine form but finding a path to move beyond it.

from Naked Security – Sophos

In deep: the internet’s underwater weak links

While many of us are busy worrying about an internet apocalypse at the hands of IoT bots, there are many other ways the global network could be brought to its knees. A little over 350 of them, in fact, are lying at the bottom of the ocean.

Submarine cables stretch across the world, managing almost all the internet’s traffic between them. That’s everything from financial settlement systems through to voice and video calls.

Content distribution networks help to take the load off both systems by situating oft-repeated content closer to its audience, but it must still get to those staging points in the first place.

Typically, when a submarine cable goes down the causes are mundane. A ship dragging its anchor along the seabed was reportedly responsible for cutting direct connections between the UK mainland and the Channel Islands in late November, for example. As a result, telecoms firm JT had to route all traffic to and from the Channel Islands via an alternative link with France.

When human ineptitude isn’t to blame for submarine cable outages, it’s most often nature – earthquakes, cyclones and the like – that takes over. But what about intentional human intervention?

We have seen signs of attacks in the past, such as the incident in Egypt in 2013, when three divers were caught attempting to cut undersea cables (although they later said it was a mistake).

Analysts tell us that simple redundancy will protect us, and as the Channel Islands incident showed, there are typically multiple points of redundancy in undersea fibre-optic networks.

These levels of redundancy vary around the world, though, with historically proven single points of failure at several locations along the top of Africa and in south-east Asia.

Even in countries with more developed connections, targeting multiple ingress and egress points could create significant service disruptions.

We have seen what appear to be malicious attacks on cables before. In 2008, the cables connecting Sicily to Egypt were cut, reportedly choking off traffic between Europe and Asia.

Submarine cables are unprotected in deep waters, simply lying on the seafloor. Closer to the coastline, they are often protected by a galvanized coating and shallowly buried.

Then they come ashore, often connecting to terrestrial fibre underneath access covers next to the beach or in small, anonymous-looking concrete buildings.

All these points are potentially vulnerable to different kinds of physical attack.

Experts point out that submarine cables can always be repaired. The question is, how long would this take? It took around two weeks to get the three severed Channel Islands cables back up and running – though this was partly because the ship originally assigned to the job was called away to another.

There are only so many vessels able to perform this highly specialized job, and they’ve been known to face attacks of their own. What would happen if the global fleet were taxed too heavily?

While it may sound like the plot of a Bond movie, the reality is, such attacks are enough of a threat that the Pentagon is taking notice. Recent reports suggest that the US is getting particularly worried about Russian submarine and spy ship activities around undersea cable routes.

Companies such as Microsoft and Google are building out their own submarine fibre, probably more for cost reasons than for resiliency.

On land, and over short stretches of water such as the English Channel, microwave is also proving a lower-latency option than fibre for companies particularly worried about that kind of thing.

Neither hyperscale-owned fibre nor bank-commissioned microwave may be predicated on resiliency, but it’s certainly a side benefit. For those companies not rich enough to build out their own private internet backbone, however, a little planning might be necessary to ensure that traffic is channelled along several redundant routes.

While corporate providers mull these options, consumers will just have to cross their fingers and hope for the best when they settle down to a video call with Grandma half a world away.

from Naked Security – Sophos