Monday 2 June 2014

Heartbleed, Cupid and Wireless

This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. As with the original attack on regular TLS connections over TCP, both clients and servers can be exploited, and memory can be read from the process on either end of the connection.
The difference in this scenario is that the TLS connection is made over EAP, an authentication framework used in wireless networks. EAP is also used in other situations, including wired networks that use 802.1X network authentication, and peer-to-peer connections.

The vulnerability is triggered before a valid password has to be presented. Sometimes, to exploit a vulnerable server, you must present a valid username (not a password), because the specific EAP mechanism may request a valid username/realm in order to redirect the user to the proper authentication server. But a username can easily be sniffed off the air when a regular user connects.

Source and more info: SysValue

Tuesday 8 April 2014

Serious vulnerability found in OpenSSL

A serious vulnerability has been found in OpenSSL. The OpenSSL advisory recommends that users upgrade to OpenSSL 1.0.1g as soon as possible.

The Heartbleed bug is a serious vulnerability in the popular OpenSSL library. It allows data that would normally be protected by the SSL/TLS encryption layer to be compromised. SSL/TLS provides security and privacy for applications such as the web, e-mail, instant messaging (IM) and virtual private networks (VPN).

Because of the Heartbleed bug, anyone can read up to 64 KB of memory per heartbeat request from systems running the vulnerable versions of OpenSSL, and the request can be repeated at will. This lets attackers eavesdrop on communications and steal data.

Codenomicon tested the vulnerability against its own systems and found that it could be exploited without leaving any trace. Without leaving traces and without any prior knowledge, they were able to steal the secret keys used for their X.509 certificates, user names and passwords, instant messages, e-mails and business-critical documents and communications.

The full report is at http://heartbleed.com/
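The decision at the heart of both this advisory and the Cupid post above is a single length check in the heartbeat handler. The following C is an added example written for this page; it is not OpenSSL's code nor SysValue's or Codenomicon's. hb_copy_len_unchecked reproduces the pre-1.0.1g logic of trusting the peer's claimed payload length, hb_copy_len_checked the bounds check that 1.0.1g added, and hb_build_response a response builder on top of it. The function names and the two sample records are constructed for this illustration; the three-byte header and the 16-byte minimum padding follow RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_HEADER_LEN     3    /* type (1 byte) + payload length (2 bytes) */
#define HB_PADDING_LEN    16   /* minimum padding required by RFC 6520 */

/* Read the 16-bit payload length the peer claims. Returns -1 if the
 * record cannot even hold a heartbeat request header. */
static long hb_claimed_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN || rec[0] != TLS1_HB_REQUEST)
        return -1;
    return ((long)rec[1] << 8) | rec[2];
}

/* Pre-1.0.1g logic: the claimed length becomes the memcpy length without
 * being compared to the record that actually arrived. Returns the number
 * of bytes that would be copied into the response; everything beyond
 * rec_len would come from adjacent heap memory. Only the length decision
 * is reproduced here; no out-of-bounds read is performed. */
static long hb_copy_len_unchecked(const uint8_t *rec, size_t rec_len)
{
    return hb_claimed_payload_len(rec, rec_len);
}

/* 1.0.1g logic: discard the request when header + claimed payload +
 * padding does not fit inside the received record. */
static long hb_copy_len_checked(const uint8_t *rec, size_t rec_len)
{
    long payload = hb_claimed_payload_len(rec, rec_len);
    if (payload < 0)
        return -1;
    if (HB_HEADER_LEN + (size_t)payload + HB_PADDING_LEN > rec_len)
        return -1;                      /* silently dropped, as in the fix */
    return payload;
}

/* Build a heartbeat response with the checked logic. Returns the number of
 * bytes written to out, or -1 if the request was rejected or out is too
 * small. */
static long hb_build_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    long payload = hb_copy_len_checked(rec, rec_len);
    if (payload < 0)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload + HB_PADDING_LEN;
    if (need > out_cap)
        return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload);
    /* OpenSSL fills the padding with random bytes; zeros suffice here. */
    memset(out + HB_HEADER_LEN + payload, 0, HB_PADDING_LEN);
    return (long)need;
}

/* Constructed sample records (not captured traffic). The malicious one
 * claims 0x4000 (16384) payload bytes but carries only three. */
static const uint8_t hb_malicious[] = { TLS1_HB_REQUEST, 0x40, 0x00, 'A', 'B', 'C' };
static const uint8_t hb_benign[] = {
    TLS1_HB_REQUEST, 0x00, 0x03, 'A', 'B', 'C',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};

int main(void)
{
    uint8_t out[64];
    printf("malicious: unchecked would copy %ld bytes, checked returns %ld\n",
           hb_copy_len_unchecked(hb_malicious, sizeof hb_malicious),
           hb_copy_len_checked(hb_malicious, sizeof hb_malicious));
    printf("benign: response is %ld bytes\n",
           hb_build_response(hb_benign, sizeof hb_benign, out, sizeof out));
    return 0;
}
```

The unchecked path returns 16384 for a six-byte record: that difference between the claimed and the received length is exactly the memory that leaked. The check is independent of the transport, which is why the same record is dangerous whether it arrives over TCP or, as in Cupid, inside an EAP-TLS exchange before any password is presented.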

Source: Security.nl

Monday 17 March 2014

Samsung Galaxy Back-door

This page contains a technical description of the back-door found in Samsung Galaxy devices.
For a general description of the issue, please refer to the statement published on the Free Software Foundation's website.

This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.

Abstract
Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system.

Known affected devices

The following table shows which devices are known to contain this back-door as part of the software they ship with.
Please contact us if you know about another device that could be affected by this back-door, or have more information on one of the listed devices!

Device                     Incriminated program running as root   SELinux enabled                        libsamsung-ipc support   Replicant support
Nexus S (I902x)            No                                     Possible with Android 4.2 and later    Yes                      Yes
Galaxy S (I9000)           Yes                                    ?                                      Yes                      Yes
Galaxy S 2 (I9100)         No                                     ?                                      Yes                      Yes
Galaxy Note (N7000)        No                                     ?                                      Yes                      Yes
Galaxy Nexus (I9250)       No                                     Possible with Android 4.2 and later    Yes                      Yes
Galaxy Tab 2 7.0 (P31xx)   No                                     ?                                      Yes                      Yes
Galaxy Tab 2 10.1 (P51xx)  No                                     ?                                      Yes                      Yes
Galaxy S 3 (I9300)         No                                     ?                                      Yes                      Yes
Galaxy Note 2 (N7100)      No                                     ?                                      Yes                      Yes
While we don't have any absolute certainty regarding other Samsung Galaxy devices, it is likely that any other such device in its 3G flavor is affected by the back-door as well, as it probably uses the Samsung IPC protocol with the same proprietary user-space implementation.

Back-door sample
In order to investigate the back-door and check what it actually lets the modem do, code was added to the modem kernel driver to make it craft and inject requests using the incriminated messages, and to check the results.

The following patch: 0001-modem_if-Inject-and-intercept-RFS-I-O-messages-to-pe.patch (to apply to the SMDK4412 Replicant 4.2 kernel) implements a sample use of the back-door that will:
open the /data/radio/test file
read its content
close the file
This demonstrates that the incriminated software executes these operations on the modem's request. Note that the software prepends /efs/root/ to the provided path, but it is trivial to escape that prefix with ../../ and request any file on the file system. Files are opened with the incriminated software's own permissions, which is root on some devices. On other devices it runs as an unprivileged user that can still access the user's personal data (/sdcard). Finally, some devices may enforce SELinux, which considerably restricts the set of files the modem can reach, including the user's personal data (/sdcard/).

The following sample was obtained on a Galaxy Note 2 (N7100) running CyanogenMod 10.1.3.

Sample file
The sample file used for this demonstration (/data/radio/test) is filled with "Hello World!":

root@android:/ # hexdump -C /data/radio/test
00000000  48 65 6c 6c 6f 20 57 6f  72 6c 64 21 0a           |Hello World!.|
0000000d
Kernel log
<3>[   62.712637] c0 mif: rx_iodev_skb: rx_iodev_skb: Dropping RFS frame
<3>[   62.712808] c0 mif: rfs_craft_start: rfs_craft_start: Crafting open
<3>[   62.712966] c0 mif: rfs_craft_start: rfs_craft_start: Adding SKB to queue
<3>[   62.713122] c0 mif: rx_iodev_skb: rx_iodev_skb: Dropping RFS frame
<3>[   62.744690] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.744867] c0 mif: rfs_craft_write: rfs_craft_write: Open response: fd=21, errno=0
<3>[   62.745116] c0 mif: rfs_craft_write: rfs_craft_write: Adding SKB to queue
<3>[   62.792888] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.793026] c0 mif: rfs_craft_write: rfs_craft_write: Read response: 12 bytes read
<3>[   62.793154] c0 mif: mif_print_data: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21 
<3>[   62.793284] c0 mif: rfs_craft_write: rfs_craft_write: Adding SKB to queue
<3>[   62.796168] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.796269] c0 mif: rfs_craft_write: rfs_craft_write: Rx RFS message with command 0x6 and size 14
<3>[   62.796422] c0 mif: mif_print_data: 0000: 00 00 00 00  00 00 00 00 
The relevant part is the response to the read request:

<3>[   62.793026] c0 mif: rfs_craft_write: rfs_craft_write: Read response: 12 bytes read
<3>[   62.793154] c0 mif: mif_print_data: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21 

which matches the content of the /data/radio/test file, hence making it obvious that the incriminated software implements the back-door.
Incriminated software log
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 35
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_OpenFile:
E/RIL     ( 1927): RxRFS_OpenFile: open file "/efs/root/../../data/radio/test" flag O_RDWR (0x00000002)
E/RIL     ( 1927): check dir '/efs/root/../../data/radio'
E/RIL     ( 1927): A directory already exists.
E/RIL     ( 1927): RxRFS_OpenFile: length 14
E/RIL     ( 1927): TxRFS_CfrmOpenFile()
E/RIL     ( 1927): TxRFS_CfrmOpenFile(): length 14
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 14 bytes rfs_hdr =6
E/RIL     ( 1927): get_wakelock: 1. on 0, ril_WakeLock_Mask 1
E/RIL     ( 1927): get_wakelock: 2. on 0, ril_WakeLock_Mask 0
E/RIL     ( 1927): set_wakelock: secril_rfs-interface 0
E/RIL     ( 1927): set_wakelock: secril_fmt-interface 1
E/RIL     ( 1927): processIPC: Single IPC plen 23, pkt 23
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 14
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_ReadFile:
E/RIL     ( 1927): RxRFS_ReadFile: length 4110
E/RIL     ( 1927): TxRFS_CfrmReadFile()
E/RIL     ( 1927): TxRFS_CfrmReadFile(): length 4110
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 4110 bytes rfs_hdr =6
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 10
E/RIL     ( 1927): get_wakelock: 1. on 0, ril_WakeLock_Mask 1
E/RIL     ( 1927): get_wakelock: 2. on 0, ril_WakeLock_Mask 0
E/RIL     ( 1927): set_wakelock: secril_rfs-interface 0
E/RIL     ( 1927): [EVT]:Req(0), RX(0)
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_CloseFile:
E/RIL     ( 1927): RxRFS_CloseFile: length 14
E/RIL     ( 1927): TxRFS_CfrmCloseFile()
E/RIL     ( 1927): TxRFS_CfrmCloseFile(): length 14
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 14 bytes rfs_hdr =6

Analysis
The following analysis was conducted using the libsec-ril.so binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location system/lib/libsec-ril.so.

The developers involved in the present analysis did not ever agree to any sort of End User License Agreement that explicitly prohibited the reverse engineering and decompiling operations of the incriminated binary. The reverse engineering operations that led to these findings originally took place during the development of Samsung-RIL, the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.

As a first approach, using the strings tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions:

IPC_RFS_READ_FILE
IPC_RFS_WRITE_FILE
IPC_RFS_LSEEK_FILE
IPC_RFS_CLOSE_FILE
IPC_RFS_PUT_FILE
IPC_RFS_GET_FILE
IPC_RFS_RENAME_FILE
IPC_RFS_GET_FILE_INFO
IPC_RFS_UNLINK_FILE
IPC_RFS_MAKE_DIR
IPC_RFS_REMOVE_DIR
IPC_RFS_OPEN_DIR
IPC_RFS_READ_DIR
IPC_RFS_CLOSE_DIR
IPC_RFS_OPEN_FILE
IPC_RFS_FTRUNCATE_FILE
IPC_RFS_GET_HANDLE_INFO
IPC_RFS_CREATE_FILE
The names of these commands make it obvious that they let the modem perform I/O operations.

The strings utility also reveals matching function names that seem to implement the handling of these commands:

RxRFS_GetFile
RxRFS_CreateFile
RxRFS_ReadDirectory
RxRFS_OpenDirectory
RxRFS_RenameFile
RxRFS_Default
RxRFS_OpenFile
RxRFS_ReadFile
RxRFS_FtruncateFile
RxRFS_WriteFile
RxRFS_GetFileInfoByHandle
RxRFS_GetFileInfo
RxRFS_PutFile
RxRFS_LseekFile
RxRFS_CloseFile
RxRFS_DeleteFile
RxRFS_MakeDirectory
RxRFS_CloseDirectory
RxRFS_RemoveDirectory
TxRFS_CfrmCreateFile
TxRFS_CfrmPutFile
TxRFS_CfrmOpenDirectory
TxRFS_CfrmGetFileInfo
TxRFS_CfrmReadDirectory
TxRFS_CfrmRenameFile
TxRFS_CfrmCloseFile
TxRFS_CfrmFtruncateFile
TxRFS_CfrmGetFileInfoByHandle
TxRFS_CfrmDeleteFile
TxRFS_CfrmCloseDirectory
TxRFS_CfrmRemoveDirectory
TxRFS_CfrmMakeDirectory
TxRFS_CfrmGetFile
TxRFS_CfrmReadFile
TxRFS_CfrmWriteFile
TxRFS_CfrmLseekFile
TxRFS_CfrmOpenFile

Taking a closer look at these functions with the objdump disassembler reveals that they are called from the ipc_recv_rfs function, itself called from process_ipc_notify_message, which appears to handle the messages received from the modem. Hence we can deduce that the incriminated functions are called upon modem request.

Taking a closer look at one of these functions, e.g. RxRFS_ReadFile, reveals multiple calls through the Procedure Linkage Table (PLT). Hence we believe these are calls to functions imported from libc, in particular I/O-related functions such as open, close, read and write.

Samsung IPC RFS messages
The following table associates each Samsung IPC RFS message with its hexadecimal command value:

Message    Hexadecimal command value
IPC_RFS_NV_READ_ITEM     0x01
IPC_RFS_NV_WRITE_ITEM     0x02
IPC_RFS_READ_FILE     0x03
IPC_RFS_WRITE_FILE     0x04
IPC_RFS_LSEEK_FILE     0x05
IPC_RFS_CLOSE_FILE     0x06
IPC_RFS_PUT_FILE     0x07
IPC_RFS_GET_FILE     0x08
IPC_RFS_RENAME_FILE     0x09
IPC_RFS_GET_FILE_INFO     0x0a
IPC_RFS_UNLINK_FILE     0x0b
IPC_RFS_MAKE_DIR     0x0c
IPC_RFS_REMOVE_DIR     0x0d
IPC_RFS_OPEN_DIR     0x0e
IPC_RFS_READ_DIR     0x0f
IPC_RFS_CLOSE_DIR     0x10
IPC_RFS_OPEN_FILE     0x11
IPC_RFS_FTRUNCATE_FILE     0x12
IPC_RFS_GET_HANDLE_INFO     0x13
IPC_RFS_CREATE_FILE     0x14
IPC_RFS_NV_WRITE_ALL_ITEM     0x15

Legitimacy
The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage.

However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target a very precise file, known as the modem's NV data. There should be no particular security concern about these as both the proprietary implementation and its free software replacement strictly limit actions to that particular file.

Areas of work
Some work could be done in order to handle that back-door:
Samsung-RIL could show a message alerting the user when the back-door is being used, including the requested path and asking the user to save logs and contact us.
Alternatively, the kernel could block the incriminated RFS requests and keep a trace of them in the logs for the record. That option would work for CyanogenMod, where the incriminated proprietary blob is still used.
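The two defences mentioned here, dropping the incriminated RFS requests and keeping only the NV-data messages, and the prefix escape described in the back-door sample section, can be shown in a few lines of C. The following is an added example written for this page; it is not Replicant's, Samsung-RIL's or Samsung's code. The command values come from the RFS message table above and the /efs/root/ base from the RIL log; rfs_command_allowed, rfs_concat_path_unchecked, rfs_resolve_path and the two helper functions are hypothetical names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Command values from the Samsung IPC RFS message table. */
#define IPC_RFS_NV_READ_ITEM   0x01
#define IPC_RFS_NV_WRITE_ITEM  0x02
#define IPC_RFS_READ_FILE      0x03
#define IPC_RFS_CLOSE_FILE     0x06
#define IPC_RFS_OPEN_FILE      0x11

#define RFS_BASE      "/efs/root/"
#define RFS_MAX_SEGS  32

/* Allowlist for a kernel-side filter: only the two NV-data messages pass;
 * every file-system RFS command is dropped (the caller would log it). */
static int rfs_command_allowed(unsigned int cmd)
{
    return cmd == IPC_RFS_NV_READ_ITEM || cmd == IPC_RFS_NV_WRITE_ITEM;
}

/* What the incriminated software does, judging by its own log: prepend the
 * base directory and hand the string to open(). The kernel then resolves
 * the ".." components, so the prefix is no restriction at all.
 * Returns 0, or -1 if the result does not fit in out. */
static int rfs_concat_path_unchecked(const char *req, char *out, size_t out_cap)
{
    int n = snprintf(out, out_cap, "%s%s", RFS_BASE, req);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : 0;
}

/* Hardened variant: resolve the path lexically and refuse any request that
 * is absolute, empty, or climbs above RFS_BASE at any point.
 * Returns 0 and fills out on success, -1 when the request is rejected. */
static int rfs_resolve_path(const char *req, char *out, size_t out_cap)
{
    const char *seg[RFS_MAX_SEGS];
    size_t seglen[RFS_MAX_SEGS];
    int n = 0;

    if (req == NULL || *req == '/')
        return -1;                       /* absolute paths are never legitimate */

    for (const char *p = req; *p != '\0'; ) {
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 0 || (len == 1 && start[0] == '.')) {
            /* empty ("a//b") or "." component: ignore */
        } else if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return -1;               /* ".." would leave RFS_BASE */
            n--;
        } else {
            if (n == RFS_MAX_SEGS)
                return -1;
            seg[n] = start;
            seglen[n] = len;
            n++;
        }
        if (*p == '/')
            p++;
    }
    if (n == 0)
        return -1;                       /* nothing left to open */

    size_t pos = strlen(RFS_BASE);
    if (pos >= out_cap)
        return -1;
    memcpy(out, RFS_BASE, pos);
    for (int i = 0; i < n; i++) {
        size_t need = seglen[i] + (i > 0 ? 1 : 0);
        if (pos + need + 1 > out_cap)    /* +1 for the terminating NUL */
            return -1;
        if (i > 0)
            out[pos++] = '/';
        memcpy(out + pos, seg[i], seglen[i]);
        pos += seglen[i];
    }
    out[pos] = '\0';
    return 0;
}

/* 1 if req resolves under the hardened rules to exactly expected. */
static int rfs_resolves_to(const char *req, const char *expected)
{
    char buf[256];
    return rfs_resolve_path(req, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* 1 if the hardened resolver rejects req. */
static int rfs_rejects(const char *req)
{
    char buf[256];
    return rfs_resolve_path(req, buf, sizeof buf) == -1;
}

int main(void)
{
    const char *req = "../../data/radio/test";   /* the path from the RIL log */
    char buf[256];

    rfs_concat_path_unchecked(req, buf, sizeof buf);
    printf("unchecked: open(\"%s\")\n", buf);
    printf("checked:   %s\n", rfs_rejects(req) ? "rejected" : "allowed");
    printf("IPC_RFS_OPEN_FILE allowed by filter: %d\n",
           rfs_command_allowed(IPC_RFS_OPEN_FILE));
    return 0;
}
```

The lexical check is only a second line of defence: it does not see symlinks under /efs/root/, so a real implementation would also open with O_NOFOLLOW or verify the realpath after opening. The allowlist is the stronger measure, since on this protocol nothing but the NV-data messages has a known legitimate use.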

Notes
Our free software replacement for the incriminated binary is Samsung-RIL which relies on libsamsung-ipc: both are used in Replicant.

The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems are most likely to have good modem isolation, compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices to be inherently bad targets because of this back-door.

Source: Redmine

Tuesday 14 January 2014

Researcher describes ease to detect, derail and exploit NSA's Lawful Interception

Summary: Infamous security researcher Felix "FX" Lindner exposed Lawful Interception surveillance systems as easy to detect, derail, and maliciously exploit in his recent talk at hacking conference 30c3.

While headlines from European hacking conference 30c3 featured speakers vying for U.S. National Security Agency revelation sensationalism, one notorious hacker delivered an explosive talk that dismantled one thing the NSA, law enforcement, and global intelligence agencies depend on: "Lawful Interception" systems.

And German researcher Felix "FX" Lindner did exactly that, in what was stealthily 30c3's most controversial bombshell of the conference.

In a talk titled CounterStrike: Lawful Interception, Lindner explained to a standing-room-only theater of 3,000 hackers how easy it is to find out if you're under legally imposed surveillance, detailing how easily a user can jam the shoddy legacy systems running Lawful Interception (LI).

In explaining how LI works, Lindner revealed the shocking lack of accountability in its implementation and the "perverted incentive situation of all parties involved" that makes it easy to perform interception of communications without any record left behind.

In all, the hacker known for the default password list and Huawei's router backdoors told the world that he's confident the bug-ridden, copy/pasted systems are being used for data acquisition by intelligence services.

LI interfaces, he explained, are the same ones used for bulk collection in the NSA surveillance scandal.

After delivering the CounterStrike talk, Lindner told ZDNet: "I'm convinced that any serious actor, especially nation state or terrorist organizations, is already well aware of the limitations of LI and perfectly capable of circumventing it anytime they want."

He added: "They might use the increased attack surface to actually turn LI against the router itself."
"On the other hand, the current design makes it fairly easy for agencies to establish a tap without going through the official channels, so a change in the architecture is probably not in their interest."
LI it turns out, is based on years and years of legacy code.

It is also based on critically bad decisions — like Cisco's LI router configuration guideline that requires both the router and the mediation device used in LI to be registered in the Domain Name System (DNS).

In an exclusive interview with ZDNet, Lindner said his talk CounterStrike was "meant for network engineers as well as management of service provider companies," with the eye of, "hop[ing] of striking a chord with policy makers."

Source: ZDNet


Thursday 31 October 2013

Hacking Back as a Law Enforcement Role


Panel discussion with:
  • Ronald Prins - CEO & Co-Founder, Fox-IT (Chairman)
  • Bart Jacobs – Professor, Radboud University Nijmegen and chairman of Bits of Freedom
  • Peter Zinn – Dutch National Police
  • Troels Oerting – Head of European Cybercrime Centre (EC3), Europol
Hacking back as a law enforcement role is a much-debated topic. The Netherlands is the first country to develop specific legislation for it. The underlying problem is that in cyberspace criminals have more capabilities than law enforcement. Investigations are often hampered by cross-border collaboration and jurisdiction issues. This session explores the issues.


What is hacking back? In the view of Ronald, it is the police using online hacking to tackle illegal activities.

The discussion is politically charged, because this is going to be a debate in Dutch parliament soon.

Peter, why is it important for the police to have hacking capabilities?

We don't call it hacking, we call it legal intrusion, but we do use the same techniques that hackers do. Technically, it is already possible; legally it is forbidden, so this is a legal discussion. Laws should be able to keep up with technology. Where did we stretch the law in the past? LeaseWeb was informed that there was a Bredolab C&C server cluster on their network. With permission from the judge, we were able to take over the botnet and find the criminal in question, and he is now in custody in Armenia. We also did it with Robert M., one of the worst child molesters in the world. We hacked his computer to find out who his associates were, which has led to numerous arrests around the world. We got permission to hack child pornography sites to bring them down. The worst site of them all was so well protected that we could not hack it, but using the admin password we could bring it down as well. These cases could not be solved without legal intrusion.

Bart, what are your issues with hacking back, with regards to privacy?

Not everything that is technically possible should be done. This is a deliberate choice, like building nuclear weapons. Hacking back is a misnomer, because it draws a picture of the police being with their back against the wall. I propose lawful intrusion as well. Computer intrusion is clearly forbidden by law, so new law is needed. I'm concerned by the privacy aspect, but I'm more concerned about the difficult distinction between active and passive investigation once a computer has been lawfully intruded. It is e.g. difficult to prove that the police has not planted evidence. We should really reconsider this, because it may harm the integrity of the whole legal process. How can a civilian be sure that the police does not change the content of a computer?

Troels, why isn’t international cooperation sufficient?

There is a difference between normal and "cyber" policing. The first police was local. When borders disappeared this was compensated by things like Europol and the Schengen database. Physical crime has the advantage of being physical and thus allows a normal policeman to do the normal police work on site. There are now billions of people that can go online; the criminally inclined among them do not have to travel, do not have to cross borders to commit crimes against their fellow citizens.
In the physical world, you can be detained and physically searched, including your house and the stuff in it, and we allow police to use physical and sometimes even lethal force, all legally. We do not have such powers in the online world, and we sometimes cannot even reach the police of a country to help police from other countries.

Police cooperation is excellent within the EU, but when you cross the EU border cooperation goes poorly.

Do we have a choice? Is not allowing legal intrusion an option?

Bart: In my opinion the police should only have the power to do intrusion in order to disrupt, not to collect evidence. I think that for evidence obtained during such an intrusion it is very hard to prove that the evidence was not planted.

Audience question: What is a disruption? Is it just DDoS-ing the server? Aren’t you breaking laws of other countries doing so?

Peter: No country would pass a law that would allow police to intrude into a computer that is not in the country. It is just too complicated from a legal perspective.

Bart: Lets say, you hack into a computer via TOR, so you don’t know where it is. Should you then stop as soon as you find out where it is located?

Peter: Yes, you should. But we are always accused of planting evidence. We have processes around this for physical searches that we also need to apply to cyber searches.

Bart: It is not a personal trust issue; I am also worried that the police might blemish their good reputation in The Netherlands. For physical searches a judge has to be present to avoid planted evidence; this is very hard to do for cyber intrusions.

Audience: Aren't electronic logs easy to tamper with? Isn't it like the NSA, which we should just trust?

Troels: Normal police work is different from intelligence work. We work transparently. In police work we are allowed to cross borders in hot pursuit under the Schengen treaty. If the police doesn't provide this service, commercial companies will offer this service to the highest bidder.

Audience: Is it within the authorization to change configurations or run programs on it?

Peter: No, we are not allowed

Audience: Do you use commercially available surveillance malware/zero days/etc?

Peter: No, in those two cases we didn't buy anything. If the law is passed we should use tested and accepted methods.

Audience: Bart, the police could get in a strange situation, but they don’t seem to care. What about privacy?

Bart: Yes, I see privacy as a big concern; I didn't elaborate.

Ronald: What do other countries think about the Dutch police doing lawful intrusion? Will the first officer hacking into a computer abroad be arrested?

Troels: The Dutch police will miss out if they only hack computers in the country. If it is a computer in a friendly country, he should work via the normal route, but what if it is not a friendly country? Should we just stop then, or should we still go in hot pursuit? This requires a big international discussion. We give away privacy and trade it for certain safety. We need to balance the right to be forgotten and a reason to be remembered.

Audience: Isn't there a difference between being searched at airports and being searched all the time on my laptop?

Troels: The police should work in the open unless a judge allows an undercover operation. I think we will be the last generation that will have a choice to remain private.

Ron: Peter, what type of cases and how often do you foresee the police will be using this? Will it be narrowed to cybercrime cases?

Peter: Police has less power to search than an average citizen when there is no suspect, and more power when there is a suspect. Current thinking is that we can only use these powers in severe cases, e.g. when there is a punishment of more than x years. It is our natural inclination to use a method when it is available.

Bart: Intruding on personal devices like phones is more intrusive than a phone tap, which can only be used in limited cases. There is a danger of a slippery slope; this may be used quite often quite quickly. When phone tapping was introduced it was said that the power would hardly ever be used. Now The Netherlands is, percentage-wise, the biggest phone tapper in the world. Hacking is nice, comfortable and less boring than e.g. a stake-out, so there will be pressure to use this in other cases as well. The current proposal does not restrict this to cybercrime, but allows its use to solve any crime.

Ron: How should we describe the allowed use cases for lawful intrusion?

Bart: I do not see a good method to restrict this to certain types of cases. E.g. not all cases end up in front of a judge, and how well does the legal process discover these methods? Silent SMS was used for six years before it was finally discovered in a trial.

Source: Cupfighter

Friday 5 July 2013

Tougher penalties for hacking in the Netherlands and the EU

The new EU directive against cybercrime has been definitively adopted by the European Parliament, with higher maximum sentences for hacking and cyberattacks. The Netherlands will also have to amend its legislation.

The European Parliament adopted a new cyber directive by a large majority, Reuters reports. Hacking offences will as a rule be punished more severely, because the maximum sentences go up. Unauthorised computer access (computervredebreuk) gets a maximum sentence of at least two years. In the Netherlands the maximum is currently one year.

For more serious cyberattacks that cause severe damage, for example to critical infrastructure, a maximum sentence of at least five years will apply. Criminals who use botnets for fraud must be liable to a maximum sentence of at least three years. In the Netherlands the maximum sentence for serious hacking attacks is currently four years in prison.

Two years for harmonisation

At the beginning of June the directive had already been steered through the European Parliament's committee. Commissioner Cecilia Malmström is pleased: "This is an important step to strengthen Europe's defence against cyberattacks," the Commissioner said.

Member states may set higher maximum sentences themselves, but not lower ones. All member states must bring their legislation into line with the new directive within two years.

Source: Webwereld

Tuesday 28 May 2013

Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared for the Pentagon and to officials from government and the defense industry.

Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to a previously undisclosed section of a confidential report prepared for Pentagon leaders by the Defense Science Board.

Experts warn that the electronic intrusions gave China access to advanced technology that could accelerate the development of its weapons systems and weaken the U.S. military advantage in a future conflict.

The Defense Science Board, a senior advisory group made up of government and civilian experts, did not accuse the Chinese of stealing the designs. But senior military and industry officials with knowledge of the breaches said the vast majority were part of a widening Chinese campaign of espionage against U.S. defense contractors and government agencies.

The significance and extent of the targets help explain why the Obama administration has escalated its warnings to the Chinese government to stop what Washington sees as rampant cyber­theft.
In January, the advisory panel warned in the public version of its report that the Pentagon is unprepared to counter a full-scale cyber-conflict. The list of compromised weapons designs is contained in a confidential version, and it was provided to The Washington Post.

Some of the weapons form the backbone of the Pentagon’s regional missile defense for Asia, Europe and the Persian Gulf. The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.

Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.

Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.
China, which is pursuing a comprehensive long-term strategy to modernize its military, is investing in ways to overcome the U.S. military advantage — and cyber-espionage is seen as a key tool in that effort, the Pentagon noted this month in a report to Congress on China. For the first time, the Pentagon specifically named the Chinese government and military as the culprit behind intrusions into government and other computer systems.

As the threat from Chinese cyber-espionage has grown, the administration has become more public with its concerns. In a speech in March, Thomas Donilon, the national security adviser to President Obama, urged China to control its cyber-activity. In its public criticism, the administration has avoided identifying the specific targets of hacking.

But U.S. officials said several examples were raised privately with senior Chinese government representatives in a four-hour meeting a year ago. The officials, who spoke on the condition of anonymity to describe a closed meeting, said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.

In addition, a recent classified National Intelligence Estimate on economic cyber-espionage concluded that China was by far the most active country in stealing intellectual property from U.S. companies.

The Chinese government insists that it does not conduct ­cyber-espionage on U.S. agencies or companies, and government spokesmen often complain that Beijing is a victim of U.S. cyberattacks.
Obama is expected to raise the issue when he meets with Chinese President Xi Jinping next month in California.

A spokesman for the Pentagon declined to discuss the list from the science board’s report. But the spokesman, who was not authorized to speak on the record, said in an e-mail, “The Department of Defense has growing concerns about the global threat to economic and national security from persistent cyber-intrusions aimed at the theft of intellectual property, trade secrets and commercial data, which threatens the competitive edge of U.S. businesses like those in the Defense Industrial Base.”

The confidential list of compromised weapons system designs and technologies represents the clearest look at what the Chinese are suspected of targeting. When the list was read to independent defense experts, they said they were shocked by the extent of the cyber-espionage and the potential for compromising U.S. defenses.

“That’s staggering,” said Mark Stokes, executive director of the Project 2049 Institute, a think tank that focuses on Asia security issues. “These are all very critical weapons systems, critical to our national security. When I hear this in totality, it’s breathtaking.”

The experts said the cybertheft creates three major problems. First, access to advanced U.S. designs gives China an immediate operational edge that could be exploited in a conflict. Second, it accelerates China’s acquisition of advanced military technology and saves billions in development costs. And third, the U.S. designs can be used to benefit China’s own defense industry. There are long-standing suspicions that China’s theft of designs for the F-35 fighter allowed Beijing to develop its version much faster.

“You’ve seen significant improvements in Chinese military capabilities through their willingness to spend, their acquisitions of advanced Russian weapons, and from their cyber-espionage campaign,” said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies. “Ten years ago, I used to call the PLA [People’s Liberation Army] the world’s largest open-air military museum. I can’t say that now.”

The public version of the science board report noted that such cyber-espionage and cyber-sabotage could impose “severe consequences for U.S. forces engaged in combat.” Those consequences could include severed communication links critical to the operation of U.S. forces. Data corruption could misdirect U.S. operations. Weapons could fail to operate as intended. Planes, satellites or drones could crash, the report said.

In other words, Stokes said, “if they have a better sense of a THAAD design or PAC-3 design, then that increases the potential of their ballistic missiles being able to penetrate our or our allies’ missile defenses.”

Winslow T. Wheeler, director of the Straus Military Reform Project at the Project on Government Oversight, made a similar point. “If they got into the combat systems, it enables them to understand it to be able to jam it or otherwise disable it,” he said. “If they’ve got into the basic algorithms for the missile and how they behave, somebody better get out a clean piece of paper and start to design all over again.”

The list did not describe the extent or timing of the penetrations. Nor did it say whether the theft occurred through the computer networks of the U.S. government, defense contractors or subcontractors.

Privately, U.S. officials say that senior Pentagon officials are frustrated by the scale of cybertheft from defense contractors, who routinely handle sensitive classified data. The officials said concerns have been expressed by Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, and Adm. James A. Winnefeld Jr., the vice chairman, as well as Gen. Keith Alexander, director of the National Security Agency.

“In many cases, they don’t know they’ve been hacked until the FBI comes knocking on their door,” said a senior military official who was not authorized to speak on the record. “This is billions of dollars of combat advantage for China. They’ve just saved themselves 25 years of research and development. It’s nuts.”

In an attempt to combat the problem, the Pentagon launched a pilot program two years ago to help the defense industry shore up its computer defenses, allowing the companies to use classified threat data from the National Security Agency to screen their networks for malware. The Chinese began to focus on subcontractors, and now the government is in the process of expanding the sharing of threat data to more defense contractors and other industries.

An effort to change defense contracting rules to require companies to secure their networks or risk losing Pentagon business stalled last year. But the 2013 Defense Authorization Act has a provision that requires defense contractors holding classified clearances to report intrusions into their networks and allow access to government investigators to analyze the breach.

The systems on the science board’s list are built by a variety of top defense contractors, including Boeing, Lockheed Martin, Raytheon and Northrop Grumman. None of the companies would comment about whether their systems have been breached.

But Northrop Grumman spokesman Randy Belote acknowledged the company “is experiencing greater numbers of attempts to penetrate its computer networks” and said the firm is “vigilant” about protecting its networks.

A Lockheed Martin official said the firm is “spending more time helping deal with attacks on the supply chain” of partners, subcontractors and suppliers than dealing with attacks directly against the company. “For now, our defenses are strong enough to counter the threat, and many attackers know that, so they go after suppliers. But of course they are always trying to develop new ways to attack.”

The Defense Science Board report also listed broad technologies that have been compromised, such as drone video systems, nanotechnology, tactical data links and electronic warfare systems — all areas where the Pentagon and Chinese military are investing heavily.

“Put all that together — the design compromises and the technology theft — and it’s pretty significant,” Stokes said.

Source: Washington Post