The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned.

Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking. These people spoke on condition of anonymity because of the sensitivity of the widespread intrusions and the resulting investigation.

The break-ins and the State Department's emergency response severely limited Internet access at many locations, including some headquarters offices in Washington, these officials said. Internet connections have been restored across nearly all the department since the break-ins were recognized in mid-June.

After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim's network.

BREITBART.COM - State Dept. Suffers Computer Break-Ins

I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way.

This is a handy list. Kudos to all the MemeStreamers who write tools on the list... There are several..

Top 100 Network Security Tools

This just in from Acidus. There is an AJAX/XSS worm carving through Yahoo! Mail.

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, yahoo automatically displayed the html, and executed
the code within. What the hell. =) It forwarded the message to my contacts
list, (or some other set of addresses, dunno,) and redirected my browser to
a website.

XSS-based worm spreading through Yahoo's web mail. Looking an an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on YAhoo for sending mail. The worm does this to send email containing the worm to everyone in your address book and sends your address book to a 3rd party. Probably to sell your email address to spammers.

This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials.

Acidus has given presentations outlining exactly this threat several times in the past year at conventions including Outerz0ne, Shmoocon, and Blackhat Federal. Were we the only ones paying attention to him?

This is downright innocent and harmless when compared to some of the uses for this type of XSS exploit that he was concerned with.

XSS worm spreading through Yahoo webmail

These comments from Decius in reference to the recent VA database theft are worth singling out:

Real Computer Security is hard, because you have to prevent bad stuff without being noticed as the good guys go about their jobs. When you get noticed, you've done something wrong, either because there has been a breach or because someone can't do their job because your security system stopped them. There is a certain art to finding the balance and it depends greatly on the specific requirements of the people you are working for and your wisdom in being judicious about what you control. Things like SOX and HIPPA micromanage the problem with one size fits all policies that inevitably fail in the real world.

Congress should operate on the level of incentivization and not on the level of specific requirements. For example, one of the reasons credit card fraud is so easy is that credit card companies don't bare the costs associated with fraud (the merchants do) and so they don't have any economic incentive to deploy technologies that are harder to subvert. In fact, credit card companies are making money on fraud by selling useless identity theft protection and credit report monitoring services. This is a problem lawyers can fix. They should focus on who is liable and leave computer security to the computer security professionals.

Indeed.

RE: Data Theft Affected Most in Military

On or around May 8, the following personal ad appeared on the Internet classified ad site Craigslist. (It has since been removed.)

For mein fraulein

Mein Fraulein, I haven't heard from you in a while. Won't you
call me? 212 //// 796 //// 0735

If you actually called the number, up until a couple of days ago you would have heard this prerecorded message (MP3). It's a head scratcher to keep you National Security Agency analysts occupied in your spare time. Each block of numbers is repeated twice; but below I have transcribed them only once for clarity.

Another use of VoIP to disconnect a phone number from a physical location, this time apparently for an intelligence purpose (although this seems an anachronistic way to deliver a ciphertext). "Group 415" might be a reference to the area code in San Francisco, where Craig's List is most popular. There is also a song in the recording. Identifying the song might aid analysis... The voice is clearly sampled.

Another code for Elonka?

Voip cipher lines

Hackers advocate the free pursuit and sharing of knowledge without restriction, even as they acknowledge that applying it is something else.

Decius has been published in this month's issue of Communications of the ACM. Its a typical Decius rant about freedom to tinker; really a hacker's perspective on the Bill Joy/Fukuyama argument that science needs to be centrally controlled and partially abandoned. The issue is a special issue on Computer Hackers with submissions from Greg Conti, FX, Kaminsky, Bruce Potter, Joe Grand, Stephen Bono, Avi Rubin, Adam Stubblefield, and Matt Green. Many folks on this site might enjoy reading the whole thing if you can get your hands on it. The articles mesh together well and there is some neat stuff in here.

Academic freedom and the hacker ethic

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.

2. Try to avoid using that system as much as is reasonable.

3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos. However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn’t help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer — you’re a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.

4. Delete any evidence that you knew about this problem. You are not responsible for that web site, it’s not your problem — you have no reason to keep any such evidence. Go on with your life.

5. If you decide to report it against my advice, don’t tell or ask me anything about it. I’ve exhausted my limited pool of bravery — as other people would put it, I’ve experienced a chilling effect. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.

The problems remains, there is no way to report vulnerabilities to site owners without taking on a huge personal risk. I've seen security issues at the university I attend, and I've looked the other way. There is no incentive to point them out, and no whistleblower protections for security researchers.

Reporting Vulnerabilities is for the Brave

Decius chimes in on dc0de's situation:

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

In the United States, you're supposed to have a right to freedom of speech. This isn't just a matter of what the law technically says or means. As Rattle has pointed out before, freedom of speech is a core value in our society. It is a value that transcends what the law merely requires, providing a model for how a mature society addresses all sorts of conflicts: The appropriate way to respond to critics is within the realm of ideas and not within the realm of coersion.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

However, this happens all the time, so a more fundamental fix is required. The legal system should not allow itself to be used by wealthy parties as a weapon to coerce people who do not have the resources to defend themselves. This is fundamentally unjust. The legal system must be reformed.

For a smart analysis of these issues see this paper about two other members of "the club," Billy and Virgil.

dc0de wrote:
Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example...

The company that I work for now is terminating me, and claiming that I have to sign the IDR's document, (that they negotiated as part of their settlement), and of course, another document, forbidding me to speak about this issue.

There is no protection for whistle-blowers in the security industry. This is a major problem. There is a nitch for a lobby here that should be filled.

RE: Telling the Truth hurts...

The following is from Scott Moulton, who was at the HTCIA meeting in Atlanta on Monday. A full copy of this can be found on forensiclicensing.com.

This meeting yesterday was somewhat contradictory. On one hand, the meeting was started by claiming that none of the people in the room were affected by this new law and that we are not PI's. But that seemed to change within a few minutes to all of us being affected and that it does apply to us.

It seemed apparent from the meeting yesterday they intend to push this PI bill though again. Many of the items in the PI bill are good for other reasons. Just not for anyone that practices any kind of "investigation" that is we did not consider a PI. Very graciously John Villines and Calvin Hill agreed to work with a committee from "our community" to get the correct verbiage in the bill with regards to our industry. Their point seemed to be that the PI bill was going to include us and that we would all somehow still have to be PI's but kind of be on our own terms if we help with the verbiage. Further questioning did not seem to clarify this. It seems that adding computer components to the PI exams was considered a "specialty" and was opposed when suggested to John C. Villines and Calvin Hill. It seemed clear that the qualifications for what it takes to become a PI were going to stay in place with regards to testing, training and educational hours. They stated that items for new laws need to be complete around the September time frame so that they can be submitted in February for new laws to be considered and that they were going to go ahead with this and submit it again. Our choice was to work with them on the wording.

It was also very apparent from statements made that under the current law that the misdemeanour still stands and that they were not offering any way to indemnify anyone during this time period that these issues need to be worked out and the law rewritten. They did claim that it was very unlikely anyone would be sought out for this issue being that it is a misdemeanour.

When it was suggested that we could create our own Professional Licensing board, it was pointed out to us that it would probably never happen. It was suggested by, I believe Calvin Hill, that we pick a board we fit best under and work with that board to get established and regulated under that board, and that it was unlikely with the current political system we have that we would be successful in setting up our own board.

RESEARCH ON "INVESTIGATOR"
The word "Investigator or investigation" seems to be a very big issue with PI's. Calling anything Forensic Investigation or a Computer Forensic Investigation are words that are subject to scrutiny as if Private Investigators as if PI's own the word investigate.

As matter... [ Read More (0.5k in body) ]

Scott Moulton's report of the HTCIA Meeting

The following quotes are from a reported posted to the Atlanta Linux Enthusasts mailing list by Greg Freemyer.

First some opinions (JV = John Villanes CH = Calvin Hill)

1) (JV) As it stands any third party that collects evidence for use in a criminal/civil suit is subject to the existing PI licensing law. The penalty is a misdemeaner and a relatively small fine. ie. a few hundred dollars I believe. They are starting to get complaints about Computer Forensic professionals not having there PI license.

Some more background on this would be useful. What is the basis of the complaints? And who is making them?

2) (CH) There is intense pressure on the legislature to regulate individuals with access to sensitive data.

From who? What is considered "access to sensitive data"?

3) (JV/CH) There is pressure to stop abuse of the GA PI law that allows PI companies to face minimal sanctions if they employ felons and allow them to carry guns. This is apparently the driver that caused HB 1259 to upgrade the offense of vialoting the PI license to be a felony.

They should handle this issue in a bill separate from any attempting to regulate the information security industry. This appears to have been the main driver, so handle it on its own. We don't need issues with felons carrying guns effecting the information security industry. These are issues that don't connect.

4) (JV/CH) HB 1259 will be back next near in some way shape or form.

See my above comment...

5) (JV) The PI Board has a written regulation (IIRC) that individuals covered by other GA licensing boards will not be covered by the PI board. (I'm not sure what this means if you are arrested. i.e You are still breaking the law, it is just a regulation that says that MDs/CPAs/Engineers/etc. are not required to have their PI license.)

This is one of the core problems that needs to be addressed. If you are a CPA, doctor, engineer, or information security expert, you should not be breaking the law in the process of practicing your craft in good faith.

6) (JV) My interpretation of what he said is that a IT consultant responding to a client issue that intentionally gathers evidence for potential use at a criminal/civil trial needs to be a PI today, and needs to be regulated in some manner in the future. His question was "Why not the PI board?"

7) (JV/CH) Employees of the violated company do not need to have a license. ie. If you are part of an inhouse IT security group you don't need a PI license, it is only if you are an outside consultant or work for a 3rd party (IT) security firm that you need a PI license.

Well, now a few reasons are being presenting as to why the PI board isn't th... [ Read More (0.2k in body) ]

[ale] IT Security (Evidence Collection) and HB 1259