TOWR Security Brief: 15 August 2016

Kit Perez

15 August 2016

The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them.


In this week’s brief:

  • Democrat data got leaked by the infamous “Guccifer” over the weekend. Hypocrisy alert: They’re mad. Have fun with it.
  • The White House is considering sanctions against Russia for the DNC hacks. God forbid they deal with what was IN the hack.
  • Ever heard of video jacking? We hadn’t either, but here’s why you need to know about it.
  • For those of you with air-gapped machines that don’t connect to the internet…you’re still not totally safe.
  • Microsoft accidentally leaked the key to its Secure Boot for Windows. This is why mandating back doors is a bad idea.
  • The researchers doing a security audit on Veracrypt are seeing evidence that their audit is being spied on.
  • If you still think no one cares about your passwords…there’s a whole market on the darknet just for them.


I’m sure you can think of a use for this data, right? (Photograph by Shutterstock)

The big story over the weekend was that the hacker Guccifer released a whole list of Democratic Congressional Campaign Committee member personal information.

The notorious hacker published several documents that include cell phone numbers, home addresses, official and personal e-mail addresses, names of staffers, and other personal information for the entire roster of Democratic representatives. The data dump also includes several memos from House Minority Leader Nancy Pelosi’s personal computer, detailing fundraisers and campaign overviews.

With absolutely no sense of irony, had this to say:

Really, Adam? Never? I remember when the names and addresses of gun owners got published and no one did a thing about it. At any rate, certainly we shouldn’t let a crisis go to waste (to take another point out of the Democrat playbook). Certainly there are those among us who could think of a use for this windfall of information.


“Who cares what evidence of criminal activity was in the DNC leaks? What matters is WHO DID IT.” — Democrats


Speaking of leaks, the DNC leak–in which we all got vindicated for believing that the election machine is as corrupt as ever–was done by the Russians. That’s what the Dems want you to think, at least. The White House is “considering sanctions” for it. Maybe the administration will send some really pointed tweets.


Some of the equipment used in the “video jacking” demonstration at the DEF CON security conference last week in Las Vegas. (Photo by Brian Markus)



Ever heard of “video jacking?” It’s yet another way someone can take control of your device. Here’s how it works:

Dubbed “video jacking” by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the appropriate USB charging cord, the spy machine splits the phone’s video display and records a video of everything you tap, type or view on it as long as it’s plugged in — including PINs, passwords, account numbers, emails, texts, pictures and videos.

Is your phone on the vulnerable list? You can find out here and here.


“DiskFiltration” siphons data even when computers are disconnected from the Internet. (Photo from Cyber Security Labs.)


One of the things that we have advised people to do if they’re working with highly secure or sensitive information is to use an “airgapped” machine in addition to your regular computer. This means not only do you not ever connect it to your home or work wi-fi, you’ve actually removed all possibility of it ever connecting to any wi-fi or internet connection because you’ve physically removed the capability. (For info on how to actually create that machine, check out our Paranoid PC series.)

In another episode of “mouse vs. mousetrap,” researchers have figured out a way to breach an airgapped machine. This isn’t news in and of itself, since it’s already been done. This is just the latest way to do it.

The method has been dubbed “DiskFiltration” by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive’s actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone.

Now, before you throw out your computers, or worse yet, give up on privacy and security because you think there’s no point and no hope, consider this:

  • This technique has a range of six feet. That’s it. This means, as long as you continue to be aware of your surroundings, and use best practices with ALL of your devices, you’re fine.
  • In order for this technique (and others like it) to work, the computer in question has to be infected with malware. Since an airgapped machine by default isn’t connected to the internet to get malware, it’d have to be infected in person by someone with access–another point in your favor.

Simply keep your airgapped machine away from devices with a microphone (including your own smartphone!) and you should be just fine.

Security experts have constantly warned about the government’s desire to have backdoors built into everything “just in case” they “need it.” Having the backdoor automatically means the encryption or security is pointless, as Microsoft just illustrated to everyone. They accidentally leaked the key protecting their UEFI Secure Boot feature. So much for ‘Secure Boot’ and all.

(Keep in mind that the situation is more complex than just leaking a key, as you’ll see in the comments on the Schneier article. There are techie explanations for those wanting to understand the full extent. For the rest of us, however, it’s close enough.)

Speaking of encryption and whatnot, researchers who are doing an independent audit of VeraCrypt are finding that someone (or several someones) is interested enough in their work to spy on it. Graham Cluley writes:

Now, the bad news… OSTIF says that its confidential PGP-encrypted communications with QuarkLabs about the VeraCrypt security audit may be being mysteriously intercepted:

We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.

This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.

We are setting up alternate means of encrypted communications in order to move forward with the audit project.

If nation-states are interested in what we are doing we must be doing something right. Right?

Our last item for today is this. No matter how much people get harped on about using secure passwords and not reusing the same ones on multiple sites, people still do it. Who could possibly want your Netflix password, right? Actually, you’d be surprised. There’s an entire market for logins on the dark net, where your logins for everything from Netflix to Paypal to Gmail are being bought and sold at a blinding rate.

The adversaries we have to worry about when we’re choosing our Twitter or eBay passwords are in it for the money and their approach isn’t so much cyber-fencing as carpet bombing – it’s untargeted and it doesn’t matter who gets hit because it’s “how many?” that matters.

Our accounts aren’t compromised one by one, they’re cracked en masse or exfiltrated in the millions and then bought and sold online.


While Paypal has, and still dominates … it is now possible to find Amazon, Uber, eBay, Netflix, Twitter, Dell and many more … Any account that can generate fraudsters money, or even help them receive a service for free, has a demand in the cyber underground.

…Uber, for example, are sought after by fraudsters simply because they provide “free taxi rides”. Demand for adult entertainment accounts is high due to interest for self-consumption.

…eBay and Amazon are sought after … to steal money or credits from these accounts … Compromised dating site accounts are also often exploited for romance scams.

How much is your account worth?
