A Chicago computer hacker tied to the group known as Anonymous was sentenced Friday to 10 years in prison for cyberattacks on various government agencies and businesses, including a global intelligence company.
Jeremy Hammond, 28, was handed the maximum term for the December 2011 hacking of Strategic Forecasting, an attack his lawyers contend was driven by concern about the role of private firms in gathering intelligence domestically and abroad.
Prosecutors say the hack of Strategic Forecasting, or Stratfor, resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online. Hammond admitted being behind it in May.
He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, and releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.
Remember Lavabit, the “secure email” service that was closed down by its owner Ladar Levison, ostensibly to avoid complying with a government request to access their “secure emails?” Specifically, emails from one of their most famous clients, Edward Snowden?
Something that always bothered me about the story: Lavabit claimed on their home page (see screenshot above) that their system was designed so that even their administrators couldn’t read users’ emails. I assumed this meant they were using some kind of public/private key scheme to encrypt emails, so that they would be encrypted while on Lavabit’s servers in a form that could not be decrypted even by Lavabit.
So how then could the government read those emails without the private keys of each user? Well, it turns out that Lavabit’s claim they couldn’t read emails simply wasn’t true. Their basic design was not secure at all, as cryptographer Moxie Marlinspike explains: Op-Ed: Lavabit’s Primary Security Claim Wasn’t Actually True.
If, as Lavabit said, it wasn’t capable of reading its users’ e-mails, how could it have been in a position to provide those plaintext e-mails to the US government?
Unfortunately, Lavabit’s primary security claim wasn’t actually true. As Ladar himself explained in this blog post, the system consisted of four basic steps:
- At account creation time, the user selected a login passphrase and transmitted it to the server.
- The server generated a keypair for that user, encrypted the private key with the login passphrase the user had selected, and stored it on the server.
- For every incoming e-mail the user received, the server would encrypt it with the user’s public key, and store it on the server.
- When the user wanted to retrieve an e-mail, they would transmit their password to the server, which would avert its eyes from the plaintext encryption password it had just received, use it to decrypt the private key (averting its eyes), use the private key to decrypt the e-mail (again averting its eyes), and transmit the plaintext e-mail to the user (averting its eyes one last time).
Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out. The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.
The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all. Whether it was or not makes little difference.
So the claim on Lavabit’s home page that they couldn’t read stored emails was simply false. The promise of security they made to their users was a lie. They promised not to read the emails, but breaking that promise would have been trivially easy with the way their system was built — and that’s why the feds wanted access.
It’s not clear whether the Lavabit crew consciously understood the system’s shortcomings and chose to misrepresent them, or if it really believed it built something based on can’t rather than won’t. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.
Yep. And it raises the issue of whether Lavabit’s owner is telling the truth about the real reasons for shutting down his business, as well.
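The four steps quoted above, modeled as an added example (not Lavabit's code and not taken from the op-ed) that records everything the server handles in the clear. The public-key scheme is a toy ElGamal-style hybrid over a deliberately tiny group and the cipher is a SHA-256 XOR keystream, both stand-ins chosen here; all names and sample values are hypothetical.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3  # toy group, far too small for real use

def stream(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream (SHA-256 in counter mode), a stand-in for a real cipher."""
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def pk_encrypt(pub: int, msg: bytes):
    k = secrets.randbelow(P - 2) + 1  # ephemeral secret
    return pow(G, k, P), stream(pow(pub, k, P).to_bytes(16, "big"), msg)

def pk_decrypt(priv: int, ct) -> bytes:
    c1, body = ct
    return stream(pow(c1, priv, P).to_bytes(16, "big"), body)

def wrap(passphrase: str, salt: bytes, blob: bytes) -> bytes:
    """Encrypt or decrypt (XOR is symmetric) under a passphrase-derived key."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return stream(key, blob)

class Server:
    """The four steps as listed; `saw` records secrets handled in the clear."""
    def __init__(self):
        self.saw, self.users, self.inbox = [], {}, {}

    def register(self, user, passphrase):      # steps 1 and 2
        self.saw.append(passphrase)
        priv, salt = secrets.randbelow(P - 2) + 1, secrets.token_bytes(16)
        wrapped = wrap(passphrase, salt, priv.to_bytes(16, "big"))
        self.users[user] = (pow(G, priv, P), salt, wrapped)

    def deliver(self, user, plaintext):        # step 3
        self.saw.append(plaintext)
        ct = pk_encrypt(self.users[user][0], plaintext)
        self.inbox.setdefault(user, []).append(ct)

    def fetch(self, user, passphrase):         # step 4
        self.saw.append(passphrase)
        _, salt, wrapped = self.users[user]
        priv = int.from_bytes(wrap(passphrase, salt, wrapped), "big")
        mail = [pk_decrypt(priv, ct) for ct in self.inbox[user]]
        self.saw.extend(mail)
        return mail

def demo():
    s = Server()                               # constructed sample values
    s.register("alice", "correct horse")
    s.deliver("alice", b"meet at noon")
    stored = s.inbox["alice"][0][1]            # what sits on disk
    return stored, s.fetch("alice", "correct horse"), s.saw
```

The stored copy is ciphertext, yet `saw` holds the passphrase and the message body from every step, which is the "won't" rather than "can't" property the op-ed describes.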
Apple released the latest version of Mac OS today, code-named Mavericks, and after installing it I feel like I’m at a highly dangerous, potentially lethal surfing spot with insanely gigantic waves. (OK, not rly.) Good thing I read John Siracusa’s incredibly in-depth article on this new operating system before getting my shorts wet: OS X 10.9 Mavericks: The Ars Technica Review.
Mavericks is the first California-themed release of OS X, named after “places that inspire us here in California,” according to Craig Federighi, who says this naming scheme is intended to last for at least the next 10 years. The pressure is on for Mavericks to set a new direction for the Mac platform.
According to Apple, Mavericks has a dual focus. Its first and most important goal is to extend battery life and improve responsiveness. Secondarily, Mavericks aims to add functionality that will appeal to “power users” (Apple’s words), a group that may be feeling neglected after enduring two releases of OS X playing iOS dress-up.
Is that enough for Mavericks to live up to its major-release version number and to kick off the next phase of OS X’s life? Let’s find out.
Greenwald and the Guardian’s latest bombshell breaking story on the NSA uses a fear-mongering tactic that’s been common throughout their bombshell breaking stories — a seemingly deliberate intention to confuse and conflate the ability to do something with the act of doing something.
The breathless headline: US and UK Spy Agencies Defeat Privacy and Security on the Internet.
The overheated lead paragraphs:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
And not a hint of acknowledgment that in order to decrypt any US citizen’s information for any purpose, the government still needs to get an individual warrant. (This time, a search for “warrant” in the article returned no results.)
The bombshell comes down to this: spy agencies crack encryption schemes.
“Since the beginning of human history,” the Guardian did not add.
Greenwald boasts that he ignored government requests not to publish the article:
“Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article” http://t.co/SeboSzdzBr
— Glenn Greenwald (@ggreenwald) September 5, 2013
In yesterday’s post about the hacking attack against the New York Times, Twitter, Huffington Post, and many other top websites, I speculated that it could have been the result of a DNS cache poisoning exploit, but the hackers gained access to these sites’ DNS records with a much more prosaic method: they tricked people into giving up their logins and passwords.
Melbourne IT, an Australian firm that allows website owners to buy addresses such as latimes.com, said the downtime suffered by the New York Times website Tuesday began when hackers gained access to the user name and password of one of the company’s sales partners.
Using that reseller’s credentials, hackers changed the records that tell computers around the world from where to download web pages when someone types NYTimes.com into an Internet browser.
[Updated, 8:27 a.m. Aug. 28: The U.S.-based sales partner’s credentials ended up in the hackers’ hands after a targeted phishing attack was directed at the firm’s staff, Melbourne IT Chief Technology Officer Bruce Tonkin said early Wednesday. Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials.
“We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords,” Tonkin said in an email. “We have also temporarily suspended access to affected user accounts until passwords have been changed.”]
Late Tuesday, Melbourne IT spokesman Tony Smith said the company was reviewing how to improve security.
You’d better believe they’re reviewing security procedures — this is supposed to be one of the most high-end DNS service providers on the planet. It’s a bit gob-smacking they had employees naïve enough to give away their passwords to a phishing email.
Today a hacker gang loyal to Syrian despot Bashar al-Assad called the Syrian Electronic Army managed to take over the domain name servers for the New York Times. Wired reports: ‘Syrian Electronic Army’ Takes Down the New York Times.
There’s no evidence that the Times’ internal systems were compromised. Instead, the attackers got control of the NYTimes.com domain name this afternoon through the paper’s domain name registrar, Melbourne IT, then set it to map to a Russian hosting service delivering the message. Judging from the response on Twitter, some visitors were served a large image of the hacker group’s logo, but most just got timeout errors.
That wasn’t all. SEA also hijacked the DNS for one of Twitter’s domain names, twimg.com, which is used for serving images. Twitter’s status blog has a report: Twitter Status - Twitter Service Issue.
At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident.
Since DNS lookup results can be cached for unpredictable amounts of time, some people are still experiencing problems. Here at LGF, we’re seeing some of these problems with embedded tweets in comments — sometimes they’re not being displayed properly because the twimg.com servers are still unreachable.
Needless to say, this is a pretty serious cyber-attack against two very large, very visible US organizations. It was probably achieved with a technique called DNS Cache Poisoning.
Apparently the UK branch of the Huffington Post was also hijacked.
If the SEA had really wanted to do damage, they could have set up fake websites that looked exactly like the NYT or HuffPo, and collected who knows how many usernames and passwords from people logging in to the fake websites.
That’s the insidious thing about a DNS hijack — you have no way of knowing you’re not at the real site, if the attacker goes to the trouble of preparing an authentic-looking fake.
OpenDNS reports that popular social sharing site ShareThis was also targeted: High Profile Domains Under Siege | OpenDNS Blog.
The problem, Médard explains, is that information-theoretic analyses of secure systems have generally used the wrong notion of entropy. They relied on so-called Shannon entropy, named after the founder of information theory, Claude Shannon, who taught at MIT from 1956 to 1978.
Shannon entropy is based on the average probability that a given string of bits will occur in a particular type of digital file. In a general-purpose communications system, that’s the right type of entropy to use, because the characteristics of the data traffic will quickly converge to the statistical averages. Although Shannon’s seminal 1948 paper dealt with cryptography, it was primarily concerned with communication, and it used the same measure of entropy in both discussions.
But in cryptography, the real concern isn’t with the average case but with the worst case. A codebreaker needs only one reliable correlation between the encrypted and unencrypted versions of a file in order to begin to deduce further correlations. In the years since Shannon’s paper, information theorists have developed other notions of entropy, some of which give greater weight to improbable outcomes. Those, it turns out, offer a more accurate picture of the problem of codebreaking.
When Médard, Duffy and their students used these alternate measures of entropy, they found that slight deviations from perfect uniformity in source files, which seemed trivial in the light of Shannon entropy, suddenly loomed much larger. The upshot is that a computer turned loose to simply guess correlations between the encrypted and unencrypted versions of a file would make headway much faster than previously expected.
“It’s still exponentially hard, but it’s exponentially easier than we thought,” Duffy says. One implication is that an attacker who simply relied on the frequencies with which letters occur in English words could probably guess a user-selected password much more quickly than was previously thought. “Attackers often use graphics processors to distribute the problem,” Duffy says. “You’d be surprised at how quickly you can guess stuff.”
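An added illustration of the average-case versus guessing-order distinction described above, not the researchers' analysis: for a source of n independent bits with a slight 55/45 bias, it compares Shannon entropy with the number of guesses needed when strings are tried from most to least probable. The bit-source model, the success-probability measure, and all function names are assumptions chosen here; the article does not name the measures the researchers used.

```python
import math

def shannon_bits(n: int, p: float) -> float:
    """Shannon entropy of n independent bits with P(1) = p, 0 < p < 1."""
    h = -(p * math.log2(p) + (1 - p) * math.log2(1 - p))
    return n * h

def min_entropy_bits(n: int, p: float) -> float:
    """Min-entropy: -log2 of the single most probable n-bit string."""
    return -n * math.log2(max(p, 1 - p))

def guess_bits(n: int, p: float, target: float) -> float:
    """log2 of the guesses needed to succeed with probability >= target
    when n-bit strings are tried from most to least probable.

    Strings with the same number of likely bits are equally probable, so
    whole classes are counted; the result is a slight upper bound.
    """
    p = max(p, 1 - p)                      # treat the likelier symbol as "1"
    mass, count = 0.0, 0
    for k in range(n, -1, -1):             # k = number of likely symbols
        ways = math.comb(n, k)
        count += ways
        mass += ways * p**k * (1 - p) ** (n - k)
        if mass >= target:
            break
    return math.log2(count)

def compare(n: int = 256, p: float = 0.55) -> dict:
    """Entropy figures and guessing work, all in bits (log2 of guesses)."""
    return {
        "uniform_50": n - 1,                       # 50% success, unbiased source
        "shannon": shannon_bits(n, p),
        "guess_50": guess_bits(n, p, 0.5),         # 50% success, biased source
        "guess_1pct": guess_bits(n, p, 0.01),      # 1% success, biased source
        "min_entropy": min_entropy_bits(n, p),
    }

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:12s} {bits:8.2f} bits")
```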