Skip navigation
Help

Dan Goodin

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.

The National Security Agency and its UK counterpart have made repeated and determined attempts to identify people using the Tor anonymity service, but the fundamental security remains intact, as top-secret documents published on Friday revealed.

The classified memos and training manuals—which were leaked by former NSA contractor Edward Snowden and reported by The Guardian, show that the NSA and the UK-based Government Communications Headquarters (GCHQ) are able to bypass Tor protections, but only against select targets and often with considerable effort. Indeed, one presentation slide grudgingly hailed Tor as "the king of high-secure, low-latency Internet anonymity." Another, titled "Tor Stinks," lamented: "We will never be able to de-anonymize all Tor users all the time."

An article published separately by The Washington Post also based on documents provided by Snowden concurred.

"There is no evidence that the NSA is capable of unmasking Tor traffic routinely on a global scale," the report said. "But for almost seven years, it has been trying."

0
Your rating: None
Original author: 
Dan Goodin

greyweed

Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world's most sophisticated Android Trojan, a security researcher said.

The infection, named Backdoor.AndroidOS.Obad.a, isn't very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to near-by handsets, and allows attackers to issue malicious commands using standard SMS text messages.

"To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Read 6 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Megan Geuss


List your passwords alphabetically, so it's easy for you and others to find them!

Give three password crackers a list of 16,000 cryptographically hashed passwords and ask them to come up with the plaintext phrases they correspond to. That's what Ars did this week in Dan Goodin's Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331.” Turns out, with just a little skill and some good hardware, three prominent password crackers were able to decode up to 90 percent of the list using common techniques.

The hashes the security experts used were converted using the MD5 cryptographic hash function, something that puzzled our readers a bit. MD5 is seen as a relatively weak hash function compared to hashing functions like bcrypt. flunk wrote, "These articles are interesting but this particular test isn't very relevant. MD5 wasn't considered a secure way to hash passwords 10 years ago, let alone now. Why wasn't this done with bcrypt and salting? That's much more realistic. Giving them a list of passwords that is encrypted in a way that would be considered massively incompetent in today's IT world isn't really a useful test."

To this, Goodin replied that plenty of Web services employ weak security practices: "This exercise was entirely relevant given the huge number of websites that use MD5, SHA1, and other fast functions to hash passwords. Only when MD5 is no longer used will exercises like this be irrelevant." Goodin later went on to cite the recent compromises of "LinkedIn, eHarmony, and LivingSocial," which were all using "fast hashing" techniques similar to MD5.

Read 14 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin


Thanks to the XKCD comic, every password cracking word list in the world probably has correcthorsebatterystaple in it already.

Aurich Lawson

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")

Read 52 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin

Josh Chin

The Chinese hackers who breached Google's corporate servers 41 months ago gained access to a database containing classified information about suspected spies, agents, and terrorists under surveillance by the US government, according to a published report.

The revelation came in an article published Monday by The Washington Post, and it heightens concerns about the December, 2009 hack. When Google disclosed it a few weeks later, the company said only that the operatives accessed Google "intellectual property"—which most people took to mean software source code—and Gmail accounts of human rights activists.

Citing officials who agreed to speak on the condition that they not be named, Washington Post reporter Ellen Nakashima said the assets compromised in the attack also included a database storing years' worth of information about US surveillance targets. The goal, according to Monday's report, appears to be unearthing the identities of Chinese intelligence operatives in the US who were being tracked by American law enforcement agencies.

Read 7 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin

A website that accepts payment in exchange for knocking other sites offline is perfectly legal, the proprietor of the DDoS-for-hire service says. Oh, it also contains a backdoor that's actively monitored by the FBI.

Ragebooter.net is one of several sites that openly accepts requests to flood sites with huge amounts of junk traffic, KrebsonSecurity reporter Brian Krebs said in a recent profile of the service. The site, which accepts payment by PayPal, uses so-called DNS reflection attacks to amplify the torrents of junk traffic. The technique requires the attacker to spoof the IP address of lookup requests and bounce them off open domain name system servers. This can generate data floods directed at a target that are 50 times bigger than the original request.

Krebs did some sleuthing and discovered the site was operated by Justin Poland of Memphis, Tennessee. The reporter eventually got an interview and found Poland was unapologetic.

Read 3 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin

Wikipedia

Federal authorities have accused eight men of participating in 21st-Century Bank heists that netted a whopping $45 million by hacking into payment systems and eliminating withdrawal limits placed on prepaid debit cards.

The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, "cashing crews" in cities in at least 26 countries withdrew more than $40 million in a similar fashion.

Prosecutors have labeled this type of heist an "unlimited operation" because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn't identify the payment processors except to say one was in India and the other in the United States.

Read 3 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin

Wikipedia

Coordinated attacks used to knock websites offline grew meaner and more powerful in the past three months, with an eight-fold increase in the average amount of junk traffic used to take sites down, according to a company that helps customers weather the so-called distributed denial-of-service campaigns.

The average amount of bandwidth used in DDoS attacks mushroomed to an astounding 48.25 gigabits per second in the first quarter, with peaks as high as 130 Gbps, according to Hollywood, Florida-based Prolexic. During the same period last year, bandwidth in the average attack was 6.1 Gbps and in the fourth quarter of last year it was 5.9 Gbps. The average duration of attacks also grew to 34.5 hours, compared with 28.5 hours last year and 32.2 hours during the fourth quarter of 2012. Earlier this month, Prolexic engineers saw an attack that exceeded 160 Gbps, and officials said they wouldn't be surprised if peaks break the 200 Gbps threshold by the end of June.

The spikes are brought on by new attack techniques that Ars first chronicled in October. Rather than using compromised PCs in homes and small offices to flood websites with torrents of traffic, attackers are relying on Web servers, which often have orders of magnitude more bandwidth at their disposal. As Ars reported last week, an ongoing attack on servers running the WordPress blogging application is actively seeking new recruits that can also be harnessed to form never-before-seen botnets to bring still more firepower.

Read 9 remaining paragraphs | Comments

0
Your rating: None