Posts Tagged: The New York Times


11
Apr 17

Fake News at Work in Spam Kingpin’s Arrest?

Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there is scant evidence that the spammer’s arrest had anything to do with the election, the success of that narrative is a sterling example of how the Kremlin’s propaganda machine is adept at manufacturing fake news, undermining public trust in the media, and distracting attention away from the real story.

Russian President Vladimir Putin tours RT facilities. Image: DNI

Russian President Vladimir Putin tours RT facilities. Image: DNI

On Saturday, news broke from RT.com (formerly Russia Today) that authorities in Spain had arrested 36-year-old Peter “Severa” Levashov, one of the most-wanted spammers on the planet and the alleged creator of some of the nastiest cybercrime engines in history — including the Storm worm, and the Waledac and Kelihos spam botnets.

But the RT story didn’t lead with Levashov’s alleged misdeeds or his primacy among junk emailers and virus writers. Rather, the publication said it interviewed Levashov’s wife Maria, who claimed that Spanish authorities said her husband was detained because he was suspected of being involved in hacking attacks aimed at influencing the 2016 U.S. election.

The RT piece is fairly typical of one that covers the arrest of Russian hackers in that the story quickly becomes not about the criminal charges but about how the accused is being unfairly treated or maligned by overzealous or misguided Western law enforcement agencies.

The RT story about Levashov, for example, seems engineered to leave readers with the impression that some bumbling cops rudely disturbed the springtime vacation of a nice Russian family, stole their belongings, and left a dazed and confused young mother alone to fend for herself and her child.

This should not be shocking to any journalist or reader who has paid attention to U.S. intelligence agency reports on Russia’s efforts to influence the outcome of last year’s election. A 25-page dossier released in January by the Office of the Director of National Intelligence describes RT as a U.S.-based but Kremlin-financed media outlet that is little more than an engine of anti-Western propaganda controlled by Russian intelligence agencies.

Somehow, this small detail was lost on countless Western media outlets, who seemed all too willing to parrot the narrative constructed by RT regarding Levashov’s arrest. With a brief nod to RT’s “scoop,” these publications back-benched the real story (the long-sought capture of one of the world’s most wanted spammers) and led with an angle supported by the flimsiest of sourcing. Continue reading →


8
Mar 17

WikiLeaks Dumps Docs on CIA’s Hacking Tools

WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.

First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.

The home page for the CIA's "Weeping Angel" project, which sought to exploit flaws that could turn certain 2013-model Samsung "smart" TVs into remote listening posts.

The home page for the CIA’s “Weeping Angel” project, which sought to exploit flaws that could turn certain 2013-model Samsung “smart” TVs into remote listening posts.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, includ[ing] Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says those exploits may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.

For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, Microtik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Ciscowhose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet). Meanwhile, Cisco has published its own blog post on the matter.

WHILE MY SMART TV GENTLY WEEPS

Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.

The “Weeping Angelproject’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.

ToDo / Future Work:
Build a console cable

Turn on or leave WiFi turned on in Fake-Off mode

Parse unencrypted audio collection
Clean-up the file format of saved audio. Add encryption??

According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs. It also said the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.

Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.

But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.

Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.

As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”

By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”

The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”

A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.

A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.

Continue reading →


3
Jan 17

The Download on the DNC Hack

Over the past few days, several longtime readers have asked why I haven’t written about two stories that have consumed the news media of late: The alleged Russian hacking attacks against the U.S. Democratic National Committee (DNC) and, more recently, the discovery of malware on a laptop at a Vermont power utility that has been attributed to Russian hacker groups.

I’ve avoided covering these stories mainly because I don’t have any original reporting to add to them, and because I generally avoid chasing the story of the day — preferring instead to focus on producing original journalism on cybercrime and computer security.

dncBut there is another reason for my reticence: Both of these stories are so politically fraught that to write about them means signing up for gobs of vitriolic hate mail from readers who assume I have some political axe to grind no matter what I publish on the matter.

An article in Rolling Stone over the weekend aptly captures my unease with reporting on both of these stories in the absence of new, useful information (the following quote refers specifically to the Obama administration’s sanctions against Russia related to the DNC incident).

“The problem with this story is that, like the Iraq-WMD mess, it takes place in the middle of a highly politicized environment during which the motives of all the relevant actors are suspect,” Rolling Stone political reporter Matt Taibbi wrote. “Absent independent verification, reporters will have to rely upon the secret assessments of intelligence agencies to cover the story at all. Many reporters I know are quietly freaking out about having to go through that again.”

Alas, one can only nurse a New Year’s holiday vacation for so long. Here are some of the things I’ve been ruminating about over the past few days regarding each of these topics. Please be kind.

Gaining sufficient public support for a conclusion that other countries are responsible for hacking important U.S. assets can be difficult – even when the alleged aggressor is already despised and denounced by the entire civilized world.

The remarkable hacking of Sony Pictures Entertainment in late 2014 and the Obama administration’s quick fingering of hackers in North Korea as the culprits is a prime example: When the Obama administration released its findings that North Korean hackers were responsible for breaking into SPE, few security experts I spoke to about the incident were convinced by the intelligence data coming from the White House.

That seemed to change somewhat following the leak of a National Security Agency document which suggested the United States had planted malware capable of tracking the inner workings of the computers and networks used by the North’s hackers. Nevertheless, I’d wager that if we took a scientific poll among computer security experts today, a fair percentage of them probably still strongly doubt the administration’s conclusions.

If you were to ask those doubting experts to explain why they persist in their unbelief, my guess is you would find these folks break down largely into two camps: Those who believe the administration will never release any really detailed (and likely classified) information needed to draw a more definitive conclusion, and those who because of their political leanings tend to disbelieve virtually everything that comes out of the current administration.

Now, the American public is being asked to accept the White House’s technical assessment of another international hacking incident, only this time the apparent intention of said hacking is nothing less than to influence the outcome of a historically divisive presidential election in which the sitting party lost.

It probably doesn’t matter how many indicators of compromise and digital fingerprints the Obama administration releases on this incident: Chances are decent that if you asked a panel of security experts a year from now whether the march of time and additional data points released or leaked in the interim have influenced their opinion, you’ll find them just as evenly divided as they are today.

The mixed messages coming from the camp of President-elect Trump haven’t added any clarity to the matter, either. Trump has publicly mocked American intelligence assessments that Russia meddled with the U.S. election on his behalf, and said recently that he doubts the U.S. government can be certain it was hackers backed by the Russian government who hacked and leaked emails from the DNC.

However, one of Trump’s top advisers — former CIA Director James Woolseynow says he believes the Russians (and possibly others) were in fact involved in the DNC hack.

It’s worth noting that the U.S. government has offered some additional perspective on why it is so confident in its conclusion that Russian military intelligence services were involved in the DNC hack. A White House fact sheet published alongside the FBI/DHS Joint Analysis Report (PDF) says the report “includes information on computers around the world that Russian intelligence services have co-opted without the knowledge of their owners in order conduct their malicious activity in a way that makes it difficult to trace back to Russia. In some cases, the cybersecurity community was aware of this infrastructure, in other cases, this information is newly declassified by the U.S. government.” Continue reading →


16
Nov 16

Chinese IoT Firm Siphoned Text Messages, Call Records

A Chinese technology firm has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China, researchers revealed this week. The revelations came the same day the White House and the U.S. Department of Homeland Security issued sweeping guidelines aimed at building security into Internet-connected devices, and just hours before a key congressional panel sought recommendations from industry in regulating basic security standards for so-called “Internet of Things” (IoT) devices.

At the center of the spyware controversy is software made by Shanghai ADUPS Technology, a Chinese firm whose product touts the ability to wirelessly update software installed on mobile and and IoT devices. The ADUPS technology is typically bundled with smart phones made by dozens of global wireless firms including ZTE, BLU and Huawei, and sold at popular consumer destinations like Amazon and BestBuy. Often retailing for between $50 and $100, the sleek and powerful devices sell so cheaply because they also require the user to accept on-screen advertisements.

An About Us page at ADUPS's Web site explains the company's foothold in the IoT market.

An About Us page at ADUPS’s Web site explains the company’s foothold in the IoT market.

According to research released this week, the low up-front cost of these smart phones may be subsidized not just by ads but by also by the theft of private information stolen from users. Researchers at Fairfax, Va.-based security firm Kryptowire say the ADUPS software gives the company near-total control over the devices that it runs on, and that they have proof ADUPS has abused that control to siphon personal data from countless consumers.

Kryptowire researchers say they stumbled upon ADUPS’s spyware capabilities by accident after purchasing a $59 BLU R1 HD smart phone from Amazon.com for use during international travel. Prying apart the phone and the ADUPS software, they discovered that all call records and text messages to and from the device were being digitally copied, encrypted and secretly forwarded to a server in Shanghai, China every 72 hours.

They also learned that ADUPS’s product was able to mine user text messages for specific strings of text, as well as install and remove any software from host devices.

“This behavior cannot be detected by mobile anti-virus tools because they assume that software that ships with the device is not malware and that it is white-listed,” Kryptowire wrote in an advisory published Tuesday. “We were able to capture, decrypt, and trace the data on the network as they were sent to multiple server locations that are located in Shanghai, China.”

In a statement posted to its Web site, ADUPS said it collects “model information, device status, application information, bin/xbin information and summary information from phones and messages,” and that it has done so “in response to user demand to screen out junk texts and calls from advertisers.”

ADUPS further claims that the functionality was added in June 2016 to some Blu Product Inc. devices, and that it has since shipped an update through its firmware updating software to disable the spying functionality on Blu phones.

But Azzedine Benameur, director of research at Kryptowire, said ADUPS’s software — deeply embedded alongside the operating system on these mobile devices — gives it full ability to re-enable the spyware capabilities at any time. He says ADUPS’s public response to their research raises more questions than it answers.

“They do not provide how many devices were affected and how the data were used,” Benameur said. “Also, they don’t mention who had access to that data, including third parties and the Chinese government. Also, there might be other [manufacturers] and device models affected that ADUPS does not mention.”

ADUPS claims on its Web site to have worldwide presence with more than 700 million active users, and that its firmware is integrated into “more than 400 leading mobile operators, semiconductor vendors and device manufacturers spanning from wearable and mobile devices to cars and televisions.”

“This is just one random device of theirs that we looked at,” Benameur said. “For a company that claims to provide over-the-air updates for 700 million devices, including cars and millions of IoT devices…this is really scary and unacceptable behavior.”

ADUPS's offer to business partners, January 2015.

ADUPS’s offer to business partners, circa January 2015.

ADUPS’s current site promises the company’s partners “big data analytics” and higher profit for partners. Earlier versions of the same page from 2015 and cached at the Internet Archive promise partners a slightly less euphemistic menu of services, from an “app push service,” and “device data mining” to “unique package checking” and “mobile advertising.” Interestingly, this story from January 2015 documents how ADUPS’s software has been used to install unwanted apps on customer mobile devices.

As for the Blu R1 HD phone? Benameur said it would be nice if it came with a disclosure that owners can expect zero privacy or control while using it. Aside from that? “At $59, it’s a steal,” Benameur said. “Minus the spyware, it’s a great phone.” Continue reading →


4
Apr 16

Sources: Trump Hotels Breached Again

Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

Trump International Hotel in New York.

Trump International Hotel in New York.

A representative from Trump Hotels said the organization was investigating the claims.

“We are in the midst of a thorough investigation on this matter,” the company said in a written statement. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties.

On July 1, 2015, this publication was the first to report that banks suspected a breach at Trump properties. After that story ran, Trump Hotel Collection acknowledged being alerted about suspicious activity tied to accounts that were recently used at its hotels. But it didn’t officially confirm that its payment systems had been infected with card-stealing malware until October 2015.

The Trump Hotel Collection includes more than a dozen properties globally. Sources said they noticed a pattern of fraud on cards that were all used at multiple Trump hotel locations in the past two to three months, including at Trump International Hotel New York, Trump Hotel Waikiki in Honolulu, and the Trump International Hotel & Tower in Toronto. Continue reading →


21
Mar 14

Sony Pictures Plans Movie About Yours Truly

Sony Pictures is reportedly planning to make a big screen movie based at least in part on my (mis)adventures over the past few years as an independent investigative reporter writing about cybercrime. Some gumshoe I am: This took me by complete surprise.

Credit: BrianKrebsFacts.com

Source: BrianKrebsFacts.com

The first inkling I had of this project came a few weeks ago when New York Times reporter Nicole Perlroth forwarded me a note she’d received from a Hollywood producer who was (and still is) apparently interested in acquiring my “life rights” for an upcoming film project. The producer reached out to The Times reporter after reading her mid-February 2014 profile of me, which chronicled the past year’s worth of reader responses from the likes of the very ne’er-do-wells I write about daily. Perlroth’s story began:

“In the last year, Eastern European cybercriminals have stolen Brian Krebs’s identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner.”

I didn’t quite know what to make of the Hollywood inquiry at the time, and was so overwhelmed and distracted with travel and other matters that I neglected to follow up on it. Then, just yesterday, I awoke to a flurry of messages both congratulatory and incredulous on Twitter and Facebook regarding a story in The Hollywood Reporter:

“Sony has picked up the rights to the New York Times article ‘Reporting From the Web’s Underbelly,’ which focused on cyber security blogger Brian Krebs. Krebs, with his site KrebsonSecurity.com, was the first person to expose the credit card breach at Target that shook the retail world in December.”

Continue reading →


17
Feb 14

Yours Truly Profiled in The New York Times

Today’s New York Times features a profile of this author — a story titled, “Reporting from the Web’s Underbelly”. The piece, written by The Times’s Silicon Valley reporter Nicole Perlroth, observes:

Mr. Krebs, 41, tries to write pieces that cannot be found elsewhere. His widely read cybersecurity blog, Krebs on Security, covers a particularly dark corner of the Internet: profit-seeking cybercriminals, many based in Eastern Europe, who make billions off pharmaceutical sales, malware, spam, frauds and heists like the recent ones that Mr. Krebs was first to uncover at Adobe, Target and Neiman Marcus….

…Unlike physical crime — a bank robbery, for example, quickly becomes public — online thefts are hushed up by companies that worry the disclosure will inflict more damage than the theft, allowing hackers to raid multiple companies before consumers hear about it.

“There’s a lot going on in this industry that impedes the flow of information,” Mr. Krebs said. “And there’s a lot of money to be made in having intelligence and information about what’s going on in the underworld. It’s big business but most people don’t want to pay for it, which explains why they come to someone like me.”

Read more here.

Update, 12:43 p.m., ET: Adding this as an update because my comment got buried, and because a sentence about my discovery of The Post’s payroll data has already led to one “Krebs has done a bit of illegal hacking himself,” story. The NYT piece makes it sound like I hacked my way into the Post’s payroll system, but in truth it was far less interesting/glamorous than that. Basically, the newly-hired guy in charge of Windows share security at washingtonpost.com had for some oddball reason undone all the security put in place by his predecessor, so all local shares on the network were more or less readable by anyone who had network credentials.

In short, I was able to see the salaries.xls file without even using my keyboard. Just open Windows Explorer, click…\\Finance….click…\\Accounting….click…\\Payroll…whoaaa!

The only reason I did not lose my job over that discovery was that I brought it to the attention of the Post.com’s security team immediately. They fired the guy responsible for undoing all the security that very day. The head of security showed up at his desk with a box and told him he had 15 minutes to clear out his stuff.


24
Oct 13

Senator Demands More Info From Experian

In the wake of revelations that credit bureau Experian sold consumer data to the proprietors of an underground identity theft service, a powerful U.S. senator is calling on the company to divulge more information on the extent of the potential damage to consumers.

EXPWest Virginia Senator Jay Rockefeller, a Democrat who chairs the Senate Committee on Commerce, Science and Transportation, on Wednesday sent a letter (PDF) to Experian demanding additional details about the security breach. Specifically, Rockefeller asked for responses to questions about Experian’s vetting process for its customers and current practices for sharing consumer data. The senator also urged Experian to fully respond to his related previous inquiries regarding Experian’s customers, its oversight of its disclosure to third parties, and Experian’s data sources.

“The committee’s investigation has focused to date on how companies including Experian collect and sell consumer information for marketing purposes, while the information Experian reportedly sold to identity thieves – such as Social Security numbers and banking information – appears to be data Experian collects and sells for risk assessment activities,” Sen. Rockefeller wrote in the letter to Experian President Donald Robert. “However, if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them, regardless of the particular line of business.”

The letter is a follow-up to an investigation that Sen. Rockefeller launched in October 2012 regarding several data brokers — including Experian — to understand how the companies collect, store, and share personal consumer data. According to the committee, Experian is one of several companies that has refused to fully respond to Rockefeller’s request for information – which Rockefeller discussed publicly in this letter.

That 2012 letter was sent to the three major credit bureaus, including Experian, Equifax, TransUnion. Rockefeller also queried Reed Elsevier, the parent company of data aggregator LexisNexis. Last month, KrebsOnSecurity broke a story showing that LexisNexis was among three other data brokers that had been hacked by a cybercriminal gang which operated a competing underground identity theft service — ssndob[dot]ms.

In a statement provided to The New York Times, Experian spokesman Gerry Tschopp said: “We have responded — and will continue to respond – in a very transparent manner to Senator Rockefeller.”

According to The Times, Sen. Rockefeller last month widened his probe, asking a dozen popular Web sites to provide information on their information-sharing practices with data brokers. The sites included in that inquiry were About.com, Babycenter.com, Bankrate.com, Health.com, Investopedia.com, Mensfitness.com and Self.com.

“While some consumers may not object to having their information categorized and used for marketing,” the senator wrote, “before they share personal information, it is important that they know it may be used for purposes beyond those for which they originally provided it.”