February 2012 brings a new domain for my blog (it’s just a hackmaggedon) and confirms the trend of January with a constant and unprecedented increase in the number and complexity of the events. Driven by the echo of the ACTA movement, Anonymous has performed a massive wave of attacks, resuming its old habit of targeting Law Enforcement agencies. From this point of view, this month has registered several remarkable events, among which the hacking of a conference call between the FBI and Scotland Yard and the takedown of the Homeland Security and CIA Web sites.
The Hacktivism front has been very hot as well, with attacks in Europe and Syria (with the presidential e-mail hacked) and even against United Nations (once again) and NASDAQ Stock Exchange.
Scroll down the list and enjoy discovering the (too) many illustrious victims, including Intel, Microsoft, Foxconn and Philips. After the jump you will find all the references, and do not forget to follow @paulsparrows for the latest updates. Also have a look at the Middle East Cyberwar Timeline and the master indexes for 2011 and 2012 Cyber Attacks.
Addendum: of course it is impossible to keep count of the huge number of sites attacked or defaced in the aftermath of the Anti-ACTA movement. In any case, I suggest a couple of links that may be really helpful:
- List of all vulnerable websites attacked by anonymous Part II (updated daily) (via cylaw.info)
- List of Websites Hacked, Defaced & Taken Down By Anonymous (via valuewalk.com)
While the U.S. and U.K. are debating whether to use Cyberwarfare, someone, somewhere, has decided not to waste further time and has anticipated them, developing what appears to be a precursor of Stuxnet 2.0. In a blog post, Symantec explains how it came across the first samples of the malware thanks to a research lab with strong international connections, which, on October 14 2011, alerted the security firm to a sample that appeared to be very similar to Stuxnet.
The brand new threat has been dubbed “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”, and has been discovered in some computer systems located in the Old Continent. After receiving and analyzing the samples, Symantec has been able to confirm that parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.
Unlike its infamous predecessor, Duqu does not target ICS but rather appears to be a RAT developed from the Stuxnet source code, whose main features may be summarized as follows (a detailed report is available here):
- The executables [...] appear to have been developed since the last Stuxnet file was recovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack.
- Two variants were recovered [...], the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.
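The one concrete host indicator the post gives for Duqu is the “~DQ” file name prefix. Below is an added example of a simple hunt for that indicator (my own code, not part of the original post and not from the Symantec report): it walks a directory tree, reports every file whose base name starts with “~DQ”, and records size and modification time so a responder can triage the hits. The sample tree it creates is constructed for the demo; the prefix constant and helper names are mine. A file name alone is a weak indicator, so any hit should be confirmed against the hashes and other artifacts published in the vendor report before being treated as an infection.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicator quoted in the post: Duqu creates files whose name begins with "~DQ".
DUQU_NAME_PREFIX = "~DQ"


def find_prefixed_files(root, prefix=DUQU_NAME_PREFIX):
    """Walk `root` and return a sorted list of (path, size_bytes, mtime_utc_iso)
    for every regular file whose base name starts with `prefix`.

    Matching is case-sensitive, exactly as the indicator is given. Symlinks are
    not followed, and unreadable or vanished files are skipped rather than
    aborting the whole sweep."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.startswith(prefix):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file disappeared or permission denied; keep scanning
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            hits.append((path, st.st_size, mtime))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: a temporary tree with two files that match the
    indicator and two benign files that must not."""
    root = tempfile.mkdtemp(prefix="dq_demo_")
    os.makedirs(os.path.join(root, "Temp"), exist_ok=True)
    samples = {
        "Temp/~DQ1.tmp": b"x" * 10,       # matches
        "Temp/~DQ7.tmp": b"y" * 20,       # matches
        "Temp/~WRL0001.tmp": b"z" * 5,    # tilde-prefixed but not "~DQ": must not match
        "notes.txt": b"hello",            # ordinary file
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the sample tree, run the hunt, and return (relative path, size)
    pairs so the result is independent of the temp directory location."""
    root = build_sample_tree()
    hits = find_prefixed_files(root)
    return [(os.path.relpath(p, root).replace(os.sep, "/"), size)
            for p, size, _mtime in hits]


if __name__ == "__main__":
    for rel_path, size in demo():
        print(f"{rel_path}\t{size} bytes")
```

To sweep a real host, call find_prefixed_files on the user profile or %TEMP% directories and feed the resulting paths to your hashing and timeline tooling; the mtime field is there so hits can be lined up against the compile and first-seen dates quoted above.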
Of course this event inevitably raises many security questions. Although cyberwar is actually little more than a concept, cyber weapons are a consolidated reality; besides, it is not clear whether Duqu has been developed by the same authors as Stuxnet or, worse, by someone else with access to the source code of the cyber biblical plague (and who knows how many other fingers at this moment are coding new threats from the same source code).
Anyway, one detail is really intriguing: only yesterday the DHS issued a Bulletin warning about the Anonymous threat to Industrial Control Systems (ICS), and not even 24 hours after the statement a new (potential) threat to ICS appears in the wild… Only a coincidence?
Yesterday I stumbled upon a couple of really interesting news items, published respectively by the Chaos Computer Club, the famous German hacker community, and by CNET, concerning in both cases “new” technologies aimed at fighting crime. But while the news published by the CCC is yet another example of alleged Government Malware, that is, spyware built with the purpose of spying on and collecting evidence from the target’s computers, the news published by CNET sounds incredible and brings to mind the well-known scenes of Minority Report, where Police used precognition to prevent crime.
In any case, both articles mix information security, privacy and ethics, and raise many concerns about the role of technology in fighting crime and its right to cross the boundaries of ethics and privacy.
Let us begin with the FAST
FAST (Future Attribute Screening Technology) is the name of a project sponsored by the U.S. Department of Homeland Security which aims to prevent crime using algorithms based on ethnicity, gender, breathing and heart rate (at least no PRECOGs so far). FAST seeks to develop behavioral screening technologies that will enable security officials to test the effectiveness of current screening methods at evaluating suspicious behaviors and judging the implications of those behaviors. The ultimate goal of the FAST project is to equip security officials with the tools to rapidly assess potential threats.
According to a June 2010 document, FAST is already in operation and its testing is ongoing in a Planned Limited User Evaluation, after an initial test on DHS employees. For this initial sample of employees, the system collected video images, audio recordings, and psychophysiological measurements (i.e., heart rate, breathing pattern, thermal activity, and other physiological and behavioral cues). The data were used as a baseline. Field testing has been conducted in an undisclosed location in the Northeast, with a select group of participants on a volunteer basis.
In the latter case several kinds of data were collected, such as: demographic information (age, gender, occupation, and ethnicity), medical information (heart, circulation, respiratory, and vision issues), current medications, and substance use in the last week (caffeine, tobacco, alcohol, other substances).
The document also states that DHS will only have access to aggregated and anonymized data, and this was confirmed to CNET by a Homeland Security spokesman.
So, definitively, are criminals really going to be captured by PRECOGs before perpetrating a crime? Not yet! DHS provided a statement to CNET that said:
The department’s Science and Technology Directorate has conducted preliminary research in operational settings to determine the feasibility of using non-invasive physiological and behavioral sensor technology and observational techniques to detect signs of stress, which are often associated with intent to do harm. The FAST program is only in the preliminary stages of research and there are no plans for acquiring or deploying this type of technology at this time.
And Proceed with the Furious
Maybe German people are quite furious at this moment, learning that they have been possible targets of an (un)lawful interception Malware allegedly crafted by the German Police Force (dubbed “0zapftis”, “Bundestrojaner” or “R2D2”) with the purpose of spying on online activity and recording Skype internet calls. Its discovery was announced yesterday by the Chaos Computer Club, which reverse-engineered and analyzed the malware.
The malware, according to its original concept, should have been a light variation of the original “Bundestrojaner” forbidden by the German constitutional court on February 27 2008. Even before this ruling, the German government introduced a less conspicuous variant of the spyware dubbed “Quellen-TKÜ” (the term means “source wiretapping”, or lawful interception at the source), whose only purpose, by definition, was to wiretap internet telephony, enforced through “technical and legal” means.
Unfortunately, the analysis conducted by the CCC has shown that the “Bundestrojaner light” goes much further than its initial concept, violating the terms set by the constitutional court and, even worse, according to the analysts it is badly written and lacks basic security measures (for instance, no mutual authentication and poor encryption), thereby making a malicious third party capable of intercepting the captured data, or of using the Trojan to install arbitrary programs or upload arbitrary data on the target’s computer.
This is not the first case of Government Spyware: Sophos reports a German state-sponsored cyber-spying case in 2008, when there were claims that the German Foreign Intelligence Service deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan, and almost ten years ago there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that it had written, dubbed “Magic Lantern”. A recent case also occurred in Italy when, as part of an investigation against a criminal conspiracy, the police injected spyware into the computer of an individual in order to collect evidence of his role inside the conspiracy.
Predictably, this affair will raise a political storm in Germany. Although it is not clear whether it was really written by the German Police, the CCC has informed the German Ministry of the Interior. If it is true that the malware is really capable not only of gathering information but also of uploading data or installing other programs, it is also possible that it could be (or, worse, has already been) used to fabricate (and gather) artificial evidence against the target (this is the reason for my logical link with the FAST affair).
The boundary between lawful interception and privacy is blurred; maybe it is time for the legislators to regulate the growing use of spyware for lawful interception, and the consequent authorized infiltration of suspects’ computers and the covert scanning of their hard drives.