January 11, 2014
At AppSecUSA 2013 here in New York, one of the sessions I enjoyed was a version of NPR's News Quiz "Wait Wait... Don't Tell Me" focusing on information security topics, Wait Wait... Don't Pwn Me. For this quarter's Hackweek at Twitter, I decided to put together the same kind of show with news from this year. Boy was that a lot of work. In the end, we had way too much content and went on much too long, but still:
The panel consisted of Jeff Hodges, Del Harvey, and Jim O'Leary, and we had a number of other Tweeps participating in some of the games. Unlike the original, we also used a few slides to help illustrate the questions or answers; if you're interested, you can grab them here.
These are the games we played:
"Oh dear, I'm all out of fucks to give," the OpenSSL team shrugs. "Who cares, we're still compliant with FIPS," they said rather defiant, and decided to leave in the ____. (bugs)
The dual elliptic curve deterministic random bit generator believed to have been backdoored by the NSA is mandated in the FIPS 140-2 US government cryptographic standard:
Despite passing FIPS 140-2 tests many times over the years, the OpenSSL implementation of Dual EC DRBG is buggy. Not just buggy, but totally broken and busted. Simply put, it cannot be made to work in real-world software, and the fact that it has taken years for anyone to notice makes it reasonable to assume that no real-world software has ever even bothered to use it. In the words of the OpenSSL Foundation itself, "We have no plans to fix this bug."
We knew he was up for hire, no way that he would retire. After leaving BT, he joined Co3. The name: a certain Bruce ____. (Schneier)
In December, well-known cryptographer Bruce Schneier announced that he would leave UK telco BT. There were rumors that Schneier was shown the door as a result of his comments about the NSA and GCHQ's global dragnet and mass surveillance activities. On January 6th, he announced that he is joining Co3 Systems, which provides a coordination system for incident response, as the new CTO.
Free money! Now that is the shit! If you saw it, you'd say it's legit. Crack the machine and plug that thing in: ATMs pwned with a USB _____. (stick)
Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.
Criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs. Details of the attacks on an unnamed European bank's cash dispensers were presented at the hacker-themed Chaos Communication Congress in Hamburg. The compromised ATMs were later made to dispense cash on demand.
Who's Bob This Time?
Dear General Alexander: [...] I am writing today to ask you one very simple question. Has the NSA spied, or is the NSA currently spying, on members of Congress or other American elected officials? 'Spying' would include gathering metadata on calls made from official or personal phones, content from websites visited or emails sent, or collecting any other data from a third party not made available to the general public in the regular course of business.
The response from the NSA? "Members of Congress have the same privacy protections as all U.S. persons."
Dear Joseph and Art, I don't expect you to know who I am. Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim. As my reaction to this, I'm cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014. Aptly enough, the talk I won't be delivering at RSA 2014 was titled "Governments as Malware Authors".
What, Me Worry?
This was essentially the reaction after researchers informed his company of a serious flaw.
I believe at the time we thought we had done enough, but I think in a business like this and a business that is moving so quickly, if you spend your time looking backwards, you're just going to kill yourself. We will be releasing an updated version. We're also improving rate limiting and other restrictions to address future attempts to abuse our service.
Answer: Evan Spiegel, 23-year old CEO of Snapchat
Australia-based Gibson Security had been warning for months that Snapchat's app code had holes in its security, and on Dec. 25 posted an online report that explained how it could be hacked for user account information. Snapchat proceeded to dismiss the vulnerability:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.
Which is precisely what happened. After the leak of 4.6 million phone numbers, Snapchat did not apologize, and their job listings continue to not have any security-focused openings.
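Snapchat's statement mentions "improving rate limiting" as the fix for bulk phone-number lookups. The following is an added example, not Snapchat's code or the original post's, of the kind of sliding-window limiter a defender would put in front of a contact-matching endpoint; the log format, account names and thresholds are all constructed for illustration.

```python
"""Sliding-window rate limiter for a "find friends" phone-number lookup API.

Added example (not Snapchat's code). Assumes a hypothetical request log where
each line carries an ISO timestamp, the account making the request, the
endpoint, and how many phone numbers were submitted in that batch. Accounts
that push more numbers through the endpoint per hour than a real user adding
contacts would plausibly generate get their batches rejected.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not a real product's log).
SAMPLE_LOG = """\
2014-01-08T10:00:01Z acct=alice endpoint=/find_friends numbers=42
2014-01-08T10:00:05Z acct=scraper endpoint=/find_friends numbers=4000
2014-01-08T10:00:09Z acct=scraper endpoint=/find_friends numbers=4000
2014-01-08T10:00:14Z acct=scraper endpoint=/find_friends numbers=4000
2014-01-08T10:00:20Z acct=bob endpoint=/find_friends numbers=310
2014-01-08T10:05:00Z acct=scraper endpoint=/find_friends numbers=4000
2014-01-08T11:01:00Z acct=scraper endpoint=/find_friends numbers=4000
2014-01-08T11:30:00Z acct=alice endpoint=/find_friends numbers=5
"""


def parse_line(line):
    """Split one log line into (timestamp, account, endpoint, batch size)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["acct"], kv["endpoint"], int(kv["numbers"])


class LookupRateLimiter:
    """Per-account cap on the number of phone numbers looked up in a window.

    Counting submitted numbers rather than requests is the point: one request
    carrying an entire area code is the abuse case, not a burst of small ones.
    """

    def __init__(self, window_seconds, max_numbers):
        self.window = timedelta(seconds=window_seconds)
        self.max_numbers = max_numbers
        self.events = defaultdict(deque)  # acct -> deque of (timestamp, count)
        self.totals = defaultdict(int)    # acct -> numbers counted in window

    def allow(self, ts, acct, count):
        """Return True and record the batch if it fits in the window budget."""
        q = self.events[acct]
        # Evict batches that have aged out of the sliding window.
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.totals[acct] -= old
        if self.totals[acct] + count > self.max_numbers:
            return False  # rejected batches are not counted against the budget
        q.append((ts, count))
        self.totals[acct] += count
        return True


def flag_bulk_lookups(log_text, window_seconds=3600, max_numbers=5000):
    """Replay a log through the limiter; return {account: rejected batches}."""
    limiter = LookupRateLimiter(window_seconds, max_numbers)
    rejected = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, acct, endpoint, n = parse_line(line)
        if endpoint != "/find_friends":
            continue
        if not limiter.allow(ts, acct, n):
            rejected[acct] += 1
    return dict(rejected)


if __name__ == "__main__":
    print(flag_bulk_lookups(SAMPLE_LOG))  # the 4000-number bursts get cut off
```

Replaying the constructed log, the normal accounts pass untouched while the scraper's first 4000-number batch is accepted and the next three within the hour are rejected; its batch an hour later is accepted again once the earlier one has aged out of the window.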
Know A Tweep
See slides.
Bluff The Tweep
NSA infiltrates Grindr After news broke that the NSA has been conducting surveillance of online games and virtual fantasy "worlds" such as World of Warcraft and Second Life, new documents disclosed by former NSA contractor Edward J. Snowden reveal that the NSA has infiltrated and is siphoning all user data and activities from online dating sites, including most notably Grindr. "Nobody would expect terrorists to hide here, which is precisely why they would do it." the documents argue. Objections about illegally monitoring innocent Americans do not appear to apply. "By being on these networks, you are obviously guilty of something," it is noted, as well as: "If the NSA does it, that means that it is not illegal."
NYPD monitors rap videos Aspiring NYC rappers, watch what you let loose on your SoundCloud and YouTube accounts. The NYPD is now monitoring rap lyrics for clues about gang activities. The New York Times reports that the NYPD is changing tactics in light of a reduced emphasis on stop-and-frisk. Now, it will be spending more time on long-term investigations and less time on hoping it catches criminals via random search. "You really have to listen to the songs, because they're talking about ongoing violence," Officer Fred Vanpelt noted. In 2011, the NYPD began utilizing a similar approach by forming a social media team dedicated to monitoring the Facebook pages of notable gang members known to use the social networking site to insult rivals and boast of crimes. Officers often create Facebook and Twitter aliases to befriend members and gain access to their activities.
Papa Francesco Datagate The NSA spied on the future Pope Francis before and during the Vatican conclave at which he was chosen to succeed Benedict XVI. The American spy agency monitored telephone calls made to and from the residence in Rome where the then Archbishop Jorge Mario Bergoglio stayed during the conclave, the secret election at which cardinals chose him as pontiff on March 13. The information gleaned was then reportedly divided into four categories — "leadership intentions", "threats to financial system", "foreign policy objectives" and "human rights".
True-ish. The story itself is true; the NSA denies it, though presumably the pope is treated like everybody else....
Scammer asks to be bought porn Pretending to be a helpless customer of a prominent ISP, an information security researcher set up a new VM and called a known scamming number. He was then able to observe how the scam artist attempted to trick the "customer" into providing his credit card information. When he was unwilling to provide the information, the dialog quickly went in an unexpected direction: the "support professional" switched into a different mode. "Are you wearing underwear?", "What's your favorite condom flavour?" Finally he tried to sell him a subscription to the adult website "Naughty American".
Full Disk Encryption... or else! We're big fans of encrypting your files to keep them from prying eyes. The only downside is that if you lose access to the passphrase or key with which the files were encrypted, you won't be able to access them. The "CryptoLocker" malware uses this approach to hold your files hostage: upon infection of your computer, it identifies valuable files (such as your photos, music files, emails, etc.) and encrypts them. It then prompts you to transfer money… or else! If you refuse to pay $300 within 72 hours, it will destroy the encrypted files. While this piece of ransomware has been around for a few months, the latest incarnation has now mutated from a regular Trojan to a worm: the new version can spread via removable USB sticks. Please make checks payable to... just kidding, CryptoLocker only accepts pre-paid credit cards and Bitcoin.
Nigerian Prince Email Scams are getting stealthier "Permit me to inform you of my desire of going into business relationship with you. I got your contact from the International web site directory. [...] Sir, we are willing to offer you 15% of the sum as compensation for effort input after the successful transfer of this fund to your designate account overseas." Seriously, who would fall for that? Given that these so-called "419 scams" ("419" refers to the article of the Nigerian Criminal Code dealing with fraud) actually precede email -- variations of the 'Spanish Prisoner' scam date back to the late 19th century -- the scam artists have gotten cleverer. Today's 419 scams rarely reference any actual princes, no longer visibly originate from Nigeria, and have significantly reduced the amount of money they are asking for up-front. Surprisingly, their English grammar and spelling has improved noticeably, too, researchers at Microsoft, who studied common email scams, revealed in a paper to be presented at this year's USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET).
False; in fact, the opposite is true. In order to scare off the ever-so-slightly more suspicious or clueful users, and to ensure that only the most gullible recipients reply, scammers have actually made their origin more obvious.
Pffft, who needs 1Password? During the summer of 2012, the social network LinkedIn was hacked and lost its whole user database with 4.7 million user passwords, available for download. The artist Aram Bartholl has used this information to make 'The Holy Book of Passwords', an intriguing creation, aligning all passwords through a series of seven volumes of around 800 pages each, listing all passwords in alphabetical order. Visitors to the exhibit, which has toured Europe and is currently residing in Bartholl's native Germany, are invited to look through the volumes to see if their password is inside. Each password is arranged alphabetically and presented without its linked username(s).
Snapchat in Hell People in Hell really don't have it easy. The small township of Hell, Michigan, is used to being the butt of jokes any time the temperature drops: "Hell freezes over" was a poor joke seen everywhere in the last week as temperatures struggled to reach a high of 20 degrees Fahrenheit. But things can always get worse: the 4.6 million phone numbers leaked from Snapchat earlier this year, researchers found, included the phone numbers of every single one of the 266 residents of Hell, MI. The famously brusque mayor declined to comment: "Snapchat? Oh, go to hell."
Get your laptop back with YoYo! YoYo Laptop Tracking Software is a product sold by Computer Security Products, Inc., designed to help you get back your stolen laptop. From the product description: "So How Does it Work? This software will let you know the IP address your laptop is using to connect to the internet. With this information, law enforcement can send a warrant to the hosting company to reveal where that IP address originated if your laptop is ever stolen! You've heard of this type of software before. This is not new technology. The only thing new is the cost. Computer Security Products, Inc. is offering you this software at NO CHARGE! Go. Download. What are you waiting for??? Wait! Don't forget to tell your friends. Oh, and your boss at work because it's free for companies and schools to use also!"
This Year's News
Harvard student Eldo Kim was not well prepared for his final exams, so he decided to do what everybody in his situation might consider doing... and called in a bomb threat. He was successful and avoided this particular final exam. He was caught not despite, but because he was using... what?
Answer: Tor/Guerrilla Mail
The student "took steps to disguise his identity" by using Tor, a software which allows users to browse the web anonymously, and Guerrilla Mail, a service which allows users to create free, temporary email addresses. While the Harvard student did indeed use Tor, he was the only one logged into the Harvard student network using Tor at the time the email was received by the University.
A man, having trouble in his marriage, worries about his wife's fidelity. He decides to snoop on her online activity to see if she's flirting with anyone via email, IM or social network. (As one does.) He does so by installing... ?
Answer: a keylogger
This is particularly bothersome, since his wife works at the Clay County courthouse. The computer in question was used for various tasks such as payment processing, and was used to access the West Virginia Supreme Court network.
This time it wasn't the NSA! World of Warcraft users hit by account-hijacking malware attack. The malware is infecting systems by posing as an installer of Curse, a legitimate add-on that helps players manage other World of Warcraft add-ons. The most surprising aspect of this attack was that it worked even for accounts that were protected by... what?
WoW developer Blizzard Entertainment recently reported the Trojan program on the company's Battle.net forums. The malware sets up a classic man-in-the-middle attack used to bypass two-factor authentication.
Such attacks, also used to bypass two-factor authentication in some online banking sites, demonstrate the weakness of using the same channel, called in-band authentication, for inputting all data.
Earlier this year we saw a website defacement of the widely used OpenSSL code library, which made a lot of people in the information security world twitchy. There was speculation about a hypervisor 0-day, causing VMware to quickly issue a statement. Eventually, the real attack vector was revealed to be... what?
Answer: Bad passwords.
Disgruntled with NSA spying on US citizens, two senators from opposing parties proposed a bill, based on model legislation developed by the California-based Tenth Amendment Center, to do what?
Answer: shut off NSA's water supply in California
The bill will prohibit the state of California from "Providing material support, participation or assistance in any form to a federal agency that claims the power, by virtue of any federal law, rule, regulation or order, to collect electronic data or metadata of any person pursuant to any action not based on a warrant."
In practice, it would ban companies in California from providing essential utility services to the agency – including cutting off its computer-cooling water supply; as well as ban any public universities that allow their facilities to be used as NSA research facilities and their campuses as recruiting grounds.
Prosecutors have questioned officials in one of Egypt's largest telecommunications companies over an online advertisement featuring a puppet. Abla Fahita -- a Muppet-style character who regularly appears on Egyptian television -- went on the air to deny allegations that her lines in a recent commercial were... what?
Answer: coded messages to the recently banned Muslim Brotherhood organization
In the ad, Fahita and her daughter Karkoura search for her deceased husband's SIM card, while explaining to her friend over the phone about another character, "Mama Touta." In the background, a radio anchor explains how to make "stuffed turkey" for Christmas while sitting next to a cactus from which ball ornaments were dangling. Clearly, this message was meant to inform the Muslim Brotherhood of an upcoming terrorist attack: the mall and the dog refer to the planned site of the attack, and "Mama Touta" is the Brotherhood's secret name.
"The dog, garage, guard, mall and next to us, these are elements that tell us that there will be a big mall and an explosion after a dog fails to find the bomb in a car," an activist notes.
NSA Program Or...
Round I: IRONCHEF. Is it...
(a) IRONCHEF provides access persistence to target systems by exploiting the motherboard BIOS [...] Through interdiction, IRONCHEF, a software Computer Network Exfiltration (CNE) implant and the hardware implant are installed onto the system. If the software CNE implant is removed from the target machine, IRONCHEF is used to access the machine, determine the reason for removal of the software, and then reinstall the software from a listening post to the target system.
(b) IRONCHEF (literally "Ironmen of Cooking") is a Japanese television cooking show produced by Fuji Television and hosted by the flamboyant Takeshi Kaga. The series, which premiered on October 10, 1993, is a stylized cook-off featuring guest chefs challenging one of the show's resident "Iron Chefs" in a timed cooking battle built around a specific theme ingredient.
(c) IRONCHEF, the clandestine alias of Walter Hartwell White, is the main protagonist of the American crime drama television series "Breaking Bad". Walter, a struggling high school chemistry teacher who is diagnosed with inoperable lung cancer, begins cooking methamphetamine with a blue hue, a result of his adding a small amount of iron, the origin of this alias.
Answer: (a) and (b) are true; (c) is false
Round II: SPIDERMONKEY. Is it...
Squitter the SPIDERMONKEY is a character in the Donkey Kong video game series, first introduced in Donkey Kong Country 2 for the Super Nintendo Entertainment System. Diddy Kong and Dixie Kong are able to ride on the SPIDERMONKEY to reach places which couldn't be reached on foot through use of his convenient webbing.
SPIDERMONKEY is the name of the NSA's Persistence Back Door implant installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine. SPIDERMONKEY communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.
Answer: (a) is correct; (c) does exist, but the program name is HALLUXWATER
Round III: APPLEJACK. Is it...
(a) APPLEJACK is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.
(b) APPLEJACK is a female Earth pony and one of the main characters of My Little Pony: Friendship is Magic. She lives and works at Sweet Apple Acres with her grandmother Granny Smith; her big brother Big McIntosh; her little sister Apple Bloom; and her dog Winona. She represents the element of honesty.
(c) APPLEJACK is an American street performer best known for performing in New York City's Times Square. Born in Brooklyn, Robert Jack Burck adopted the name APPLEJACK as a reference to the "Big Apple"; his signature outfit consists of only cowboy boots, a hat, and briefs, with a guitar strategically placed to give the illusion of nudity. During the 2012 presidential election, Burck briefly ran as a candidate representing the U.S. Tea Party movement.
Answer: (a) exists, but it's called DROPOUTJEEP; (b) is correct; (c) the artist is the "Naked Cowboy".
This Year's News, Round II
On New Year's Eve, U.S. District Judge Edward Korman upheld a President Barack Obama administration policy allowing authorities along the border to seize and search without reasonable suspicion and for any reason... what?
Answer: laptops, smartphones and other electronic devices
At the Consumer Electronics Show currently underway in Las Vegas, a company called EyeLock presented a password locker protected by an iris scan. But biometrics to replace passwords are not new: as you may recall, the iPhone 5 introduced fingerprint authentication: "Only the true user's fingerprint will unlock the phone, rendering it impossible for anyone else to operate. However, registering a fingerprint has its drawbacks. Someone can easily press the phone against your finger while you sleep and have access to all your secrets. If you want maximum security, we recommend using your... what?"
Answer: your toe or nipple
X11 has a security issue older than many of its users On January 7th, the X.org foundation released a security fix for a buffer overflow in the parsing of font files. The underlying bug has been present in the code base for how many years?
Answer: 23 years.
One of the highlights of the Consumer Electronics Show taking place in Las Vegas right now was a product called "Knightscope K5". "We are a security company, this is Security 3.0" says Knightscope CEO William Santana Li. What exactly is the "Knightscope K5"?
Answer: RoboCop / R2-D2 sheriff / security bot
Because the Internet of Things does not scare anybody but a few tinfoil-hat wearing paranoids, another product presented at the Consumer Electronics Show allows you to do... what?
Answer: unlock your door via iPhone/Android
The Goji Smart Lock, now on display at CES in Las Vegas, lets users lock and unlock their front door with their smartphone or electronic fobs, give time-controlled access to others via a text message, and see who's at the door even when they're not behind it. It also sends text messages when the lock is activated and archives all access. It's a global gadget; "just install your Goji and open an account to manage the access to your home from wherever you are," the company said.
When hackers portscan your doorknob, we hope it will text you: "wait wait, don't pwn me!"
Some 35 percent of U.S. adults conduct mobile banking. Security experts this month tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. What percentage of apps was found to be insecure?
Answer: 90% of iOS apps, 2/3 of all apps
Not My Job
Assuming nobody has been a TSA agent before...
"We are not the Airport Security Administration," said Ray Dineen, the air marshal in charge of the TSA office in Charlotte. "We take that transportation part seriously."
How would you like to expand your powers?
Answer: only children's birthday parties are out (for the time being).
Which of the following would you confiscate (and why):
"On February 23, 2013, at Gatwick Airport in the UK, border agents discovered thousands of dried caterpillars in the suitcases of a man traveling from Burkina Faso. All together, four pieces of luggage contained over 90 kilograms (200 lbs) of the little buggers. Even though the man insisted the caterpillars were for his "personal consumption," UK importing restrictions apply to dried insects. His once-wiggly food supply was seized, and he had to be satisfied with the salted peanuts on the flight."
"In the meantime, an undercover TSA inspector with an improvised explosive device stuffed in his pants got past two security screenings at Newark Airport -- including a pat-down -- and was cleared to get on board a commercial flight."
"Adult passengers (18 and over) are required to show a valid U.S. federal or state-issued photo ID in order to be allowed to go through the checkpoint and onto their flight. We understand passengers occasionally arrive at the airport without an ID, due to lost items or inadvertently leaving them at home. Not having an ID does not necessarily mean a passenger won't be allowed to fly."
Which of the following would you accept as a valid form of identification?
Answer: TSA accepted Facebook
Lightning Fill In The Blank
We did not actually do all of the following questions, but I've included them in here for your entertainment.
(1) President Obama met today with congressional lawmakers and privacy groups to review ___ (proposed restrictions on the NSA's access to phone records etc.) [source]
(2) In the meantime, the secretive Foreign Intelligence Surveillance Court (FISC) once again approved the ______ (collection) of phone records. [source]
(3) But rest assured, your privacy is not violated, since the collection only comprises ____ ("metadata").
(4) The end of 2013 brought with it a wonderful mix of memes and currency and introduced us to DogeCoin. As of January 8, 2014, ___ % of the 100 billion total dogecoins have been mined. (ballpark: 1/4; 23.38%) [source]
(5) We also saw the birth of a micropayment, TipperCoin, which allows you to pay people in bitcoin using ____. (Twitter) [source]
(6) On December 31st, GitHub announced that it will implement ___. (PFS)
(7) On January 3rd, it was discovered that GPG+Gmail on OS X does not ____ (encrypt) drafts. [source]
(8) Just like about everybody else, the NSA is working to build a _____ (quantum) computer. [source]
(9) In 2004, i.e. ten years ago now, Bill Gates declared the death of ___. (the password) [source]
(10) The first Twitter account taken over by SEA in 2014 was ____. (@skype) [source]
(11) So far in 2014 more than 93 ___ have been announced. (CVEs / vulnerabilities)
(12) The computer security firm FireEye announced on January 2nd that they would be acquiring security firm ___. (Mandiant) [source]
(13) In order to better detect whether or not your laptop had physically been tampered with, security researchers at the Chaos Communication Congress suggested the use of ____. (glitter nail polish) [source]
(14) On January 6th, the Yahoo! Mail team announced that ____ (all Yahoo Mail connections are now encrypted with HTTPS by default; All non-HTTP API access to Yahoo Mail will now be shut down as of January 3) [source]
(15) Unfortunately, security researchers continue to criticize Yahoo! for using ___ (RC4, and not supporting TLS 1.2).
(16) The Round Rock Independent School District of Austin, TX had their websites "hacked" and various websites defaced. The "hack" consisted of using ____ (default login/password credentials, which the school district never bothered to change). [source]
(17) At a recent security conference, Nico Sell, co-founder of the private messenger application Wickr, announced that they would switch from RSA encryption to elliptic curve encryption to reduce the risk of eavesdropping by the government. She was approached backstage by an FBI agent, who then proceeded to "casually" ask her to _____ (install a backdoor). [source]
(18) Nico proceeded to ___ (lecture him on topics ranging from the First and Fourth Amendments to the Constitution, to George Washington's creation of a Post Office in the US.)
(19) On January 14th, Twitter will require _____ on api.twitter.com. (SSL). [source]
(20) "Research" funded by US taxpayers and conducted by the NSA has concluded that ____ in a virtual world may never dress as animals in the real world, but ___ in the real world may have occupations in the creative arts. (furries)
(21) In Germany, a court ruled that parents are not legally responsible for their (adult) children downloading ____ (pirated) media. [source]
(22) As many as two million users may have received malware by visiting ________ (Yahoo). [source]
(23) The malware distributed via the Yahoo! ads network used the victims' computer to mine ______ (bitcoins). [source]
(24) An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin forum software to compromise the forums of Linux distribution named ___ (openSUSE). [source]
Tie breakers, to be used if needed:
(1) League of Legends and other online game services were taken offline earlier this year by a DDoS attack using ____ (NTP / NTP reflection). [source]
(2) A 16 year old student discovered that he was able to access the personal information of nearly 600,000 public transport users in Victoria, Australia. He reported this vulnerability to Public Transport Victoria. Naturally, they are now seeking to ____ (charge him for a cybercrime). [source]
(3) According to a survey, the worst information security offenders in most companies are ____ (senior management) [source]
(4) As we just learned, the NSA has/had a broad program to access Apple's iPhones, called DROPOUTJEEP. In response to the revelations, Apple released a statement saying that it was 'unaware' of the hack program. They went further to state that they would "continue to use [their] resources to stay ahead of" ___ (malicious hackers) [source]
(5) Edward Snowden's leaks about National Security Agency programs have put U.S. troops at risk and prompted terrorists to change their tactics, a Pentagon report states. The report itself is, of course, ____. (classified / secret) [source]
(6) In the meantime, the European parliament's civil liberties committee says the activities of the NSA and its British counterpart, GCHQ, appear to be ____. (illegal) [source]
It was fun putting this together; perhaps we will do it again...