Sunday 12 March 2017

Brit ISP TalkTalk blocks control tool TeamViewer

To stop scammers fooling people into using the software and handing over their PCs

TalkTalk has blocked remote desktop management tool TeamViewer from its network, following a spate of scammers using the software to defraud customers.
A spokeswoman for the UK ISP confirmed it had blocked "a number of sites and applications" including TeamViewer from its network to protect customers from phishing and scamming activities.
The company said it was working with TeamViewer and other third parties on implementing some additional security measures to enhance security.
TeamViewer is one of the most popular pieces of software to enable remote access. It was also used by hundreds of scammers attempting to defraud TalkTalk customers by gaining remote access to their computers.
TeamViewer has previously said it takes the security and privacy of its customers "extremely seriously" and "condemns the use of TeamViewer to subvert systems and gain unauthorised access to private data."
Customers complained on TalkTalk's forum this afternoon they were unable to use the software.
One said they spent the whole morning trying to fix the problem, using three different computers which failed to connect to TeamViewer via TalkTalk's SuperRouter.
"I tried to connect by tethering my computer to iPhone 4G - and it connected to TeamViewer straight away. [When I went] back to router [I] lost connection. Loads of reports on the internet about no connection via TalkTalk - why are they blocking it?"
Another said: "This is completely unsatisfactory. If this can't be resolved then I'll have no alternative but to switch ISP and also recommend that my main clients do also."
In the forum, TalkTalk noted the number of complaints it receives from customers regarding these tools through fraudulent activities "is significant" but said it hoped to resolve the issue with TeamViewer and the other third party wares affected.
The ISP's spokeswoman said: “We constantly monitor for potentially malicious internet traffic, so that we can protect our customers from phishing and scamming activities.
“As part of this work, we have recently blocked a number of sites and applications from our network, and we’re working hard to minimise the impact on our customers.
“We would also urge our customers to visit our Beat the Scammers website to find out more about how they can keep themselves safe online.”

That CIA exploit list in full: The good, the bad, and the very ugly

We're still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights.
First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.
Two, unlike the NSA, the CIA isn't mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone's house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You'll probably be tricked into opening a dodgy attachment or download.
That's actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you're unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.
Thirdly, if you've been following US politics and WikiLeaks' mischievous role in the rise of Donald Trump, you may have clocked that Tuesday's dump was engineered to help the President pin the hacking of his political opponents' email server on the CIA. The leaked documents suggest the agency can disguise its operations as the work of a foreign government. Thus, it wasn't the Russians who broke into the Democrats' computers and, by leaking the emails, helped swing Donald the election – it was the CIA all along, Trump can now claim. That'll shut the intelligence community up. The President's pet news outlet Breitbart is already running that line.
Back to the leaked files. One amusing page gives details of discussions within the CIA on how to avoid having its secrets leak in the wake of the theft of the NSA Equation Group's hacking tools. Along with a detailed report [PDF] on the Equation Group hack, there are suggestions on how to protect resources.
The CIA and the White House have yet to comment on the veracity of the leaked material and are unlikely to do so. But at least one former intelligence worker with knowledge of such matters seems convinced they are real.
So here's a rundown of the highlights so far. With so much material to go through, some important things will have been missed. Feel free to add your own insights in the comments section. We note that a good number of these cyber-weapons were obtained from the NSA, GCHQ or private computer security researchers, and hoarded without warning vendors in case vulnerabilities are patched – we've covered this subject over and over.
  • Windows: The CIA's UMBRAGE team has a modest collection of attack tools for systems powered by Microsoft's widely used operating system, all listed here. These tools include keystroke loggers, sandbox escape ropes, and antivirus avoidance mechanisms. The CIA analysts found flaws in Control Panel, and the ability to add data streams to NTFS without detection to smuggle data onto storage drives. Windows library files are useful stepping stones to malicious code execution, as are Windows Theme files. DLL files [PDF] are a popular attack vector for the CIA [PDF]. They are also handy for concealing malware in applications, and the documents show that common apps have been used for spying by exploiting DLL weaknesses.
    One DLL attack technique shows that someone at the agency is a bit of a Will Ferrell fan. The RickyBobby program, named after the character in the film Talladega Nights, uses several .NET DLLs and a Windows PowerShell script to implant a "listening post" on a target Windows PC.
    A version has been used in the field on USB drives, according to this document. The software, with attack tools dubbed Fight Club, was put onto six thumb drives and "inserted into the supply chain of a target network/group."
    If you're using Windows Exchange 2010, the CIA has a tool for that, dubbed ShoulderSurfer. This performs a code injection attack against the Exchange Datastore manager process that would allow an agent to collect emails and contacts at will and without the need for an individual's credentials.
    Exchange 2007 is even easier to crack, according to the CIA. For a detailed rundown on Exchange and all its flaws, this document [PDF] should be helpful to Microsoft engineers looking to fix the problems.
  • OS X: Users of Apple's OS X shouldn't look too smug, however. The CIA has tools for you too – pages of them. A lot of hacking tools cover OS X El Capitan, but presumably these have been updated to subvert new versions of the operating system. That said, it does seem through reading these files that Apple poses a significantly more difficult challenge for the CIA than Redmond's code.
    Analysts note that the operating system can be resilient to applications that try to slip malware onto a Mac. But it's still possible to whitelist spying software; subvert NetInstall images, creating zombie programs; and surreptitiously get at the kernel.
    One interesting project the files touch on is dubbed QuarkMatter. This is a technique for hiding spying software persistently on an OS X system by using an EFI driver stored on the EFI system partition. Another, dubbed SnowyOwl, uses a pthread in an OpenSSH client to potentially pull off remote monitoring of a target system.
    The documents also show a project called HarpyEagle that analyzed Apple's Airport Extreme firmware for private keys, and also Time Capsule systems.
  • iOS: The CIA files show an extensive list of iOS exploits. Some of these were developed in-house, some obtained from the NSA or Britain's GCHQ, and others were purchased from private vendors. It looks as though at least some of the security bugs were fixed by Apple in recent iOS updates – versions 8 and later – or are otherwise no longer exploitable. For instance, the Redux sandbox workaround and Xiphos kernel exploit were both used to hack "iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later," but both flaws were fixed after being publicized by the Chinese jailbreaker Pangu. While it's likely the exploit list is an old one, a lot of them may still work. iOS 8 appears to have killed off a few, but most of the exploits don't have death dates listed.
    The Dyonedo exploit, developed by GCHQ, allows unsigned code to run on iOS devices, while the CIA's homegrown Persistence tool allows "a symbolic link [to] be created (on iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper, giving [users] initial execution on every boot."
    While full root is a goal, the documents also detail an attack known as Captive Portal. This sets up the browser to route all web use through a server run by the CIA.

Cybercrime even has its own religion in Ghana

Spoofed email and malware hidden in attachments netted crooks in West Africa more than $3bn in three years from businesses.
That's according to research carried out by the International Criminal Police Organization (Interpol) and infosec biz Trend Micro. Forget claims of money stuck in bank accounts. Scammers are now raking it in from so-called business email compromise (BEC) schemes, according to the security team.
A BEC crook sends authentic-looking invoices and internal memos to businesses and their finance staff, tricking the employees into paying money into the thieves' accounts. The messages can also be booby-trapped with malware that infects work PCs and logs key-strokes. This information is then used to log into the company's online bank account, and transfer money to criminals' pockets.
The Interpol-Trend study found that between October 2013 and May 2016, BEC scammers walked off with more than $3bn having exploited the technique globally.
Such frauds are becoming a serious pain in the fundament: the FBI warned last year that they had siphoned over $1bn from American companies. Victims of BEC scams included the city of El Paso, in Texas, America, which got scammed out of $3.2m, and Austrian engineering firm FACC, which lost over $54m. Much of the money in both cases has now been recovered – but by no means all of it, and the problem is getting worse.
"West African cybercriminals are clearly shifting to more elaborate crimes, complex operations, and business models – BEC and tax fraud, in particular," the report [PDF] states.
"Armed with their social engineering expertise and ingenuity, and augmented by tools and services (keyloggers, RATs, crypters, counter-AV services, etc), West African cybercriminals are stealing large amounts of money via crimes targeting individuals and companies worldwide."
Quite why West Africa is such a hotspot for online crime isn't hard to work out – education and motive. Around half of all university graduates in West Africa are unemployed a year after graduation and so the lure of crime is strong.
It's now so established in some cultures that it has entered the pantheon of religion in Ghana, under the name Sakawa. The fraudsters make offerings to a supreme being that will protect their fraud from being discovered and ensure good fortune.
The study identified two big gangs working in the regions. The first, known as the Yahoo! Boys, concentrate largely on the traditional types of fraud like 419 scams – where an online figure (typically a bogus Nigerian prince or foreign lawyer) promises a big payout if the victim coughs up fees to free up the supposed fortune.
The Yahoo! Boys – so named because until recently they used the failing portal's chat tools to coordinate their scams – also carry out romance scams, forming faux relationships with the lonely and then 'borrowing' money for plane tickets to consummate the relationship. Another is the so-called "send money" scam, whereby they pretend to be a foreign traveler who has been mugged and needs funds from friends and family.
Typically members of the Yahoo! Boys are in their twenties, like to show off their wealth on social media, and operate in small, local groups. While their methods of fraud are relatively unsophisticated, they still make a good living.
More dangerous are what the study calls next-level cybercriminals. This group is generally older, doesn't show off their wealth, and operates in a more sophisticated way. It concentrates on BEC fraud and also harvests financial details to scam funds from victims with fake tax returns.
Next-level cybercriminals are highly professional, running money-laundering operations, a network of money mules, and working closely with relatives in the target countries to smooth out the scamming process. It's this group that has been raking in the billions.
Interpol reports some limited success in shutting down these groups, but says that for all the tips they pass on to local police, only about 30 per cent end up in an arrest. As ever with online crime, finding the physical location of the criminals is a major issue.

WikiLeaks Dumps Docs on CIA’s Hacking Tools

WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.
First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.
The home page for the CIA's "Weeping Angel" project, which sought to exploit flaws that could turn certain 2013-model Samsung "smart" TVs into remote listening posts.
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, includ[ing] Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says those exploits may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.
For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, MikroTik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet). Meanwhile, Cisco has published its own blog post on the matter.

WHILE MY SMART TV GENTLY WEEPS

Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.
The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.
ToDo / Future Work:
  • Build a console cable
  • Turn on or leave WiFi turned on in Fake-Off mode
  • Parse unencrypted audio collection
  • Clean-up the file format of saved audio. Add encryption??
According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs. It also said the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.
Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.
But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”
The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”
A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.
As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.
Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).

TURNABOUT IS FAIR PLAY?

NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton’s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.
NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ‘embarrass’ the Kremlin leadership was being led by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.
Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.
What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated by this exchange.

BUG BOUNTIES VS BUG STOCKPILES

Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”
The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?
On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage the “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit).
Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.
Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.
“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”
Ellis said that, in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”
“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to a proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”
Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.
“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors to get in the game.”