Behold, the catalog of cellphone spying gear the feds don’t want you to see

Leak sheds light on cell-site simulators used by military and intel agencies.

(credit: The Intercept)

A secret catalog of cellphone spying gear has been leaked to The Intercept, reportedly by a person inside the intelligence community who is concerned about the growing militarization of domestic law enforcement.

Among the 53 items are the now-familiar Stingray I/II surveillance boxes. They're billed as the "dragnet surveillance workhorse [that] has been deployed for years by numerous local law enforcement agencies across the United States." It has a range of 200 meters and sells for $134,000. A chief selling point is the "ready-made non-disclosure agreements from the FBI and Harris Corp. [that] will provide a pretext for concealing these features from the public." The listing also touts Harris' "next-generation Hailstorm, a must-have for cracking the 4G LTE network."

Besides manufacturing the Stingray brand of surveillance gear, Harris once employed a spokesman named Marc Raimondi. According to an Intercept article accompanying the leaked catalog, Raimondi is now a Department of Justice spokesman who says the agency's use of stingray equipment is legal.


When a single e-mail gives hackers full access to your network

Google researchers find code-execution bug in FireEye threat-prevention devices.

(credit: Project Zero)

When you're a Fortune 500 company that's a favorite target of sophisticated hackers, it often makes sense to install security appliances at the outer edges of your network to stop attacks before they get far. Now, researchers say they have uncovered a vulnerability in such a product from security firm FireEye that can give attackers full network access.

The vulnerability, which resides in functionality that's enabled by default on the NX, EX, AX, and FX series of FireEye products, was recently patched by FireEye after researchers from Google's Project Zero privately reported it. It made it possible for attackers to penetrate a network by sending one of its members a single malicious e-mail, even one that is never opened. It's not uncommon for outsiders to find such critical flaws in a security product. Still, the proof-of-concept exploit underscores that such game-over threats often extend to some of a network's most critical equipment. As Google employee Tavis Ormandy explained in a blog post published Tuesday:

For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap—the recipient wouldn’t even have to read the email, just receiving it would be enough.

A network tap is one of the most privileged machines on the network, with access to employees’ email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations* an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.

The devices are meant to passively monitor network traffic carried over HTTP, FTP, and SMTP connections; when a file is transferred, the appliance scans it for malware. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability that can be exploited through that passive monitoring interface. The researchers used the JODE Java decompiler to reverse engineer the Java Archive files used by the FireEye devices, then figured out a way to get the appliance to execute a malicious archive file by mimicking some of the features found in legitimate ones.


Wish list app from Target springs a major personal data leak

Database is available over the Internet, no password necessary, researchers say.

(credit: Chris)

The next time a friend or family member asks you to install a gift-registry app, remember this: the app is almost certainly soaking up lots of your personal details. In the case of one such app from retailing giant Target, it's more than happy to make those details public. Witness the following:

(credit: Avast)

According to researchers from security firm Avast, the database storing the names, e-mail addresses, home addresses, phone numbers, and wish lists of Target customers is available to anyone who figures out the app's publicly available programming interface. In a blog post published Tuesday, they wrote:

If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and e-mail addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!

To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

The JSON file we requested from Target’s API contained interesting data, like users’ names, e-mail addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. We did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis.

Officials for Target weren't immediately available for comment. This post will be updated if they respond later.
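The pattern Avast describes, an unauthenticated lookup keyed on a guessable user ID, is a textbook insecure direct object reference. The following is an added example, not Target's code and not Avast's, that puts the open endpoint beside a hardened version: the hardened handler demands a credential, returns a full record only to its owner, hands gift-givers a redacted view through an unguessable share token, and answers a wrong owner and an unknown ID identically so the endpoint can't be used to map which IDs exist. All users, IDs and registry contents are constructed.

```python
"""Added example: unauthenticated registry lookup on a sequential user ID,
beside a hardened version. Constructed data; not Target's code."""
import secrets
from typing import Optional

# Constructed stand-in for the registry database (hypothetical users).
REGISTRIES = {
    1001: {"name": "Alice Example", "email": "alice@example.test",
           "address": "1 Main St", "phone": "555-0100", "items": ["suitcase"]},
    1002: {"name": "Bob Example", "email": "bob@example.test",
           "address": "2 Oak Ave", "phone": "555-0101", "items": ["toaster"]},
}


def vulnerable_get_registry(user_id: int) -> Optional[dict]:
    """No credential, no ownership check: anyone who guesses an ID gets
    the owner's name, e-mail, shipping address and phone number."""
    return REGISTRIES.get(user_id)


def enumerate_vulnerable(start: int, stop: int) -> dict:
    """Attacker's view: once the ID scheme is known, walk the ID space
    and keep every record that comes back."""
    found = {}
    for uid in range(start, stop):
        record = vulnerable_get_registry(uid)
        if record is not None:
            found[uid] = record
    return found


# Hardened version. Session tokens are random and bound to one user;
# share tokens are the unguessable link an owner hands to gift-givers.
SESSIONS: dict = {}      # session token -> user_id
SHARE_TOKENS: dict = {}  # share token -> user_id


def login(user_id: int) -> str:
    """Issue a session token (password checking itself is out of scope)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def make_share_token(session_token: str) -> str:
    """Owner-only: mint a share link for the caller's own registry."""
    owner = SESSIONS[session_token]          # KeyError for an unknown session
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = owner
    return token


def hardened_get_registry(user_id: int, session_token: Optional[str] = None,
                          share_token: Optional[str] = None) -> tuple:
    """Return (status, body). The owner gets the full record; a share-token
    holder gets only the items; no credential gets 401. A valid credential
    for the wrong registry and an unknown ID both get 404, so the endpoint
    does not reveal which IDs exist."""
    if session_token is None and share_token is None:
        return (401, None)
    record = REGISTRIES.get(user_id)
    if record is not None and SESSIONS.get(session_token) == user_id:
        return (200, dict(record))
    if record is not None and SHARE_TOKENS.get(share_token) == user_id:
        return (200, {"items": list(record["items"])})   # no PII in the shared view
    return (404, None)


def enumerate_hardened(session_token: str, start: int, stop: int) -> dict:
    """Same sweep against the hardened endpoint: only the caller's own
    registry comes back."""
    found = {}
    for uid in range(start, stop):
        status, body = hardened_get_registry(uid, session_token=session_token)
        if status == 200:
            found[uid] = body
    return found


if __name__ == "__main__":
    print(len(enumerate_vulnerable(1000, 1010)), "records leaked by the open API")
    alice = login(1001)
    print(list(enumerate_hardened(alice, 1000, 1010)), "visible to Alice")
    print(hardened_get_registry(1001, share_token=make_share_token(alice)))
```

The share token is the piece that keeps the feature usable: friends still reach the list without an account, but what they reach is the list, not the shipping address and phone number that sit beside it in the record.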


Man arrested in toymaker hack that exposed data for millions of kids

VTech site remained vulnerable to an old SQL injection exploit.

UK police said they have arrested a 21-year-old man in connection with the November breach of electronic toymaker VTech, a hack that exposed personal data of almost 12 million people, including gigabytes worth of headshot photos and chat logs for millions of kids and parents.

The unnamed man was arrested in Bracknell, about 30 miles west of London, it was widely reported Tuesday by news outlets citing a statement released by police. He was detained on suspicion of two offenses under the Computer Misuse Act, including unauthorized access to a computer and causing a computer to enable unauthorized access to data. Police also seized electronic devices during the arrest. No more details were provided.

The breach ultimately exposed data for 11.6 million people, 6.4 million of whom were minors. Personal information for children included their names, gender and birthdates, while details for parents included mailing and e-mail addresses, security questions used for password resets, IP addresses, password data, and download histories. The trove also included headshots and logs of chats between parents and their children. The information was stored in a database for VTech's Learning Lodge app store, which is used by the company's electronic toys. Almost half the compromised accounts belonged to people in North America, VTech’s top market.
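The subhead attributes the breach to an old SQL injection exploit, and the page gives no further detail of the VTech flaw itself. As an added example, not VTech's code, here is the generic pattern on a constructed account table using Python's built-in sqlite3: a lookup that splices user input into the statement, two payloads that turn that splice into a full dump and into schema discovery, and the parameterised query that closes the hole. Table, columns, e-mails and hash strings are all constructed.

```python
"""Added example: string-spliced SQL beside a parameterised query, on a
constructed sqlite3 table. Not VTech's code or schema."""
import sqlite3

COLUMNS = "id, email, pw_hash, secret_q"


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an app-store account table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, "
                "pw_hash TEXT, secret_q TEXT)")
    con.executemany(
        "INSERT INTO parents (email, pw_hash, secret_q) VALUES (?, ?, ?)",
        [("alice@example.test", "hash-a", "first pet?"),
         ("bob@example.test", "hash-b", "mother's maiden name?"),
         ("carol@example.test", "hash-c", "city of birth?")])
    return con


def vulnerable_lookup(con: sqlite3.Connection, email: str) -> list:
    """The input is spliced into the statement, so a quote inside it changes
    the SQL grammar instead of the compared value."""
    sql = f"SELECT {COLUMNS} FROM parents WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def hardened_lookup(con: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the value travels separately from the statement,
    so it can only ever be compared, never parsed as SQL."""
    return con.execute(f"SELECT {COLUMNS} FROM parents WHERE email = ?",
                       (email,)).fetchall()


# Two textbook payloads. The first turns the WHERE clause into a tautology
# and returns every row; the second appends a UNION against sqlite_master
# (the schema catalogue) so the attacker learns what else is in the database.
# The trailing "--" comments out the closing quote the template adds.
DUMP_ALL = "x' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT 1, name, sql, '' FROM sqlite_master --"

if __name__ == "__main__":
    con = build_db()
    print(vulnerable_lookup(con, DUMP_ALL))       # all three accounts
    print(vulnerable_lookup(con, READ_SCHEMA))    # the CREATE TABLE statement
    print(hardened_lookup(con, DUMP_ALL))         # [] : treated as a literal e-mail
```

The hardened version does not sanitise or escape anything; it simply never lets the input reach the SQL parser, which is why it holds against payloads nobody has thought of yet.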


Hackers actively exploit critical vulnerability in sites running Joomla

Wave of attacks grows. Researchers advise sites to install just-released patch.

A payload that's been modified so it can't be misused. Malicious hackers are using it to perform an object-injection attack that leads to full remote command execution. (credit: Sucuri)

Attackers are actively exploiting a critical remote command-execution vulnerability that has plagued the Joomla content management system for almost eight years, security researchers said.

A patch for the vulnerability, which affects versions 1.5 through 3.4.5, was released Monday morning. It was too late: the bug was already being exploited in the wild, researchers from security firm Sucuri warned in a blog post. The attacks started on Saturday from a handful of IP addresses, and by Sunday they included hundreds of exploit attempts against sites monitored by Sucuri.

"Today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked," the blog post reported. "That means that probably every other Joomla site out there is being targeted as well."


Beware of state-sponsored hackers, Twitter warns dozens of users

Journalists, security researchers, and activists receive Twitter warning e-mail.

(credit: @coldhakca)

Twitter has warned dozens of users that their account data may have been targeted by state-sponsored hackers.

In e-mails sent to security researchers, journalists, and activists over the past few days, Twitter officials said there's no evidence the attacks were successful. Still, the messages said Twitter officials are actively investigating the possibility that the accounts were breached. Dozens of users have reported receiving the advisory, with this list showing 36 people and this one listing 32 users.

"As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors," one e-mail warned. "We believe that these actors (possibly associated with a government) may have been trying to obtain information such as e-mail addresses, IP addresses and/or phone numbers."


SHA1 sunset will block millions from encrypted net, Facebook warns

Companies unveil controversial fallback plan for tens of millions of browsers.

(credit: Michael Rivera)

Tens of millions of Internet users will be cut off from encrypted webpages in the coming months unless sites are permitted to continue using SHA1, a cryptographic hashing function that's being retired because it's increasingly vulnerable to real-world forgery attacks, Facebook and Web security company CloudFlare have warned.

Facebook said as many as seven percent of the world's browsers are unable to support the SHA256 function that serves as the new minimum requirement starting at the beginning of 2016. That translates into tens of millions of end users, and a disproportionate number of them are from developing countries still struggling to get online or protect themselves against repressive governments. CloudFlare, meanwhile, estimated that more than 37 million people won't be able to access encrypted sites that rely on certificates signed with the new algorithm.

Both companies went on to unveil a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted webpages to people who still rely on outdated browsers. The remaining, much larger percentage of end users with modern browsers would be served HTTPS pages secured with SHA256 or an even stronger function. The mechanisms, which both companies are making available as open-source software, will allow websites to provide weaker HTTPS protection to older browsers while giving newer ones the added benefits of SHA256. Facebook is deploying the plan on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers. CloudFlare said other sites, including those run by Chinese portal Alibaba, are also implementing it.
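A fallback of this kind has to decide which chain to send before it knows anything authenticated about the client, so the decision is driven by the ClientHello. A TLS 1.2 client lists the signature/hash pairs it accepts in the signature_algorithms extension (RFC 5246, section 7.4.1.4.1); a client that omits the extension, or that speaks an older protocol version, has no way to advertise SHA-256 support and must be assumed to want SHA-1. The following is an added example, not Facebook's or CloudFlare's code, and keying solely on that extension is an assumption made here; the page does not say what signals their implementations use. It builds constructed ClientHellos, parses the extension back out, and picks a chain.

```python
"""Added example: choose an SHA-1 or SHA-256 certificate chain from the
signature_algorithms extension in a TLS 1.2 ClientHello. Constructed
hellos; not Facebook's or CloudFlare's code."""
import struct

TLS_1_0, TLS_1_2 = 0x0301, 0x0303
EXT_SIGNATURE_ALGORITHMS = 13
HASH_SHA1, HASH_SHA256 = 2, 4     # RFC 5246 HashAlgorithm values
SIG_RSA = 1                       # RFC 5246 SignatureAlgorithm value


def build_client_hello(version: int, sigalgs=None) -> bytes:
    """Minimal ClientHello record. sigalgs=None omits the extensions block
    entirely, as a pre-TLS-1.2 client would."""
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # version, random, no session id
    suites = b"\xc0\x2f\x00\x2f"          # two RSA-authenticated suites (constructed)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                    # compression methods: null only
    if sigalgs is not None:
        pairs = b"".join(bytes([h, s]) for h, s in sigalgs)
        data = struct.pack(">H", len(pairs)) + pairs
        ext = struct.pack(">HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (client_version, sigalgs): sigalgs is a list of (hash, sig)
    byte pairs, or None when the extension is absent."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                            # skip random
    pos += 1 + body[pos]                                    # skip session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]    # skip cipher suites
    pos += 1 + body[pos]                                    # skip compression
    sigalgs = None
    if pos < len(body):                                     # extensions present
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SIGNATURE_ALGORITHMS:
                n = struct.unpack(">H", data[:2])[0]
                sigalgs = [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return version, sigalgs


def choose_chain(record: bytes) -> str:
    """'sha256' only when the client positively advertises RSA with SHA-256
    or stronger; an older version, a missing extension, or a SHA-1-only
    list all fall back to 'sha1'."""
    version, sigalgs = parse_client_hello(record)
    if version < TLS_1_2 or sigalgs is None:
        return "sha1"
    if any(h >= HASH_SHA256 and s == SIG_RSA for h, s in sigalgs):
        return "sha256"
    return "sha1"


if __name__ == "__main__":
    modern = build_client_hello(TLS_1_2, [(HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])
    print(choose_chain(modern), choose_chain(build_client_hello(TLS_1_0)))
```

The caveat a deployer should keep in mind: the choice is made before anything in the handshake is authenticated, so the scheme is only as safe as modern clients' own refusal to accept an SHA-1 chain. It is a way to keep old browsers connected, not a way to keep SHA-1 trustworthy.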


Attack floods Internet root servers with 5 million queries a second

Unusually large torrents renew calls to better protect vital Internet resource.

Early last week, one of the most vital organs of the Internet anatomy came under an unusual attack. On two separate occasions lasting an hour or more each, a flood of as many as five million queries per second hit multiple domain name system root servers, the machines at the top of the hierarchy that resolvers consult to work out which IP address corresponds to the domain name a user types into a browser.

The first barrage took place on Monday, November 30, and lasted for about two hours and 40 minutes. The second one happened a day later and lasted for almost exactly an hour. Most but not all of the 13 root servers that form the Internet's DNS root zone were hit. The attacks started and stopped on their own and consisted of billions of valid queries for just two undisclosed domain names, one for each incident. There's no indication of who or what was behind the attack.

While the load was large enough to be detected on external systems that monitor the Internet's root servers, the attacks ultimately had little effect on the billions of Internet end users who rely on them. That's partly because resolvers query the root only when the much larger network of intermediate DNS servers can't answer from what it has already cached, and partly because of the robust, widely distributed design of the hundreds of server instances that stand behind the 13 root authorities.
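The traffic shape described above, a sustained torrent of well-formed queries for one or two names from many sources, is easy to tell apart from ordinary load once queries are bucketed by time. The following is an added example, not the root operators' tooling, of that detection over a constructed query log: it counts queries per second per name, and flags a second in which one name both exceeds a rate threshold and accounts for most of the bucket, reporting how many distinct sources sent it (a large number for a single name is the signature of spoofed or widely distributed sources). The log format and all addresses and names are constructed; real thresholds would be in the millions rather than the handful used here.

```python
"""Added example: flag seconds in which one query name dominates DNS
traffic, over a constructed query log. Not root-operator tooling."""
from collections import Counter, defaultdict

# Constructed log, one query per line: "<ISO timestamp> <client> <qtype> <qname>".
# Background traffic across two seconds, plus a burst of ten queries for a
# single name from ten different source addresses in the second second.
SAMPLE_LOG = [
    "2015-11-30T06:50:00Z 203.0.113.5 A www.example.test.",
    "2015-11-30T06:50:00Z 198.51.100.9 AAAA mail.example.test.",
    "2015-11-30T06:50:01Z 203.0.113.7 A www.example.test.",
    "2015-11-30T06:50:01Z 198.51.100.2 MX example.test.",
] + [f"2015-11-30T06:50:01Z 192.0.2.{i} A flood-target.example." for i in range(1, 11)]


def parse_line(line: str):
    """Split one constructed log line; qnames are case-insensitive."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname.lower()


def detect_qname_floods(lines, qps_threshold: int, share_threshold: float = 0.8) -> list:
    """Return [(second, qname, count, share, distinct_sources)] for every
    second in which the most-queried name was asked for at least
    qps_threshold times and made up at least share_threshold of that
    second's queries."""
    # second -> qname -> Counter of client addresses
    per_second = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        if not line.strip():
            continue
        ts, client, _qtype, qname = parse_line(line)
        per_second[ts[:19]][qname][client] += 1

    alerts = []
    for second in sorted(per_second):
        by_name = per_second[second]
        totals = {name: sum(c.values()) for name, c in by_name.items()}
        total = sum(totals.values())
        top_name, top_count = max(totals.items(), key=lambda kv: kv[1])
        share = top_count / total
        if top_count >= qps_threshold and share >= share_threshold:
            alerts.append((second, top_name, top_count, round(share, 2),
                           len(by_name[top_name])))
    return alerts


if __name__ == "__main__":
    for alert in detect_qname_floods(SAMPLE_LOG, qps_threshold=8):
        print(alert)
```

Two refinements a production detector would add are sliding windows rather than wall-clock seconds, so a burst straddling a boundary is not halved, and per-name rate limiting or response-rate limiting on the authoritative side once a name has been flagged.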


Getting a Linux box corralled into a DDoS botnet is easier than many think

A growing number of users and applications are making Linux a prime hacking target.

(credit: Aurich Lawson and Getty)

Getting a Linux server hacked and made part of a botnet is easier than some people may think. As two unrelated blog posts published in the past week demonstrate, running a vulnerable piece of software is often all that's required.

Witness, for example, a critical vulnerability disclosed earlier this year in Elasticsearch, an open source server application for searching large amounts of data. In February, the company that maintains it warned it contained a vulnerability that allowed hackers to execute commands on the server running it. Within a month, a hacking forum catering to Chinese speakers provided all the source code and tutorials needed for people with only moderate technical skills to fully identify and exploit susceptible servers.

A post published Tuesday by security firm Recorded Future deconstructs that hacker forum tutorial from last March. It shows how to use search services such as Shodan and ZoomEye to find vulnerable machines. It includes an attack script written in Python that was used to exploit one of them and a separate Perl script used to make the newly compromised machine part of a botnet of other zombie servers. It also includes screenshots showing the script being used against the server. The tutorial underscores the growing ease of hacking production servers and the risk of being complacent about patching.


FBI admits it uses stingrays, zero-day exploits

The “queen of domestic surveillance” inches closer to hot-button topics.

(credit: Aurich Lawson)

The head of the FBI's science and technology division has admitted what no other agency official has acknowledged before—the FBI sometimes exploits zero-day vulnerabilities to catch bad guys.

The admission came in a profile published Tuesday of Amy Hess, the FBI's executive assistant director for science and technology who oversees the bureau's Operational Technology Division. Besides touching on the use of zero-days—that is, attack code that exploits vulnerabilities that remain unpatched, and in most cases are unknown by the company or organization that designs the product—Tuesday's Washington Post article also makes passing mention of another hot-button controversy: the FBI's use of stingrays. As reporter Ellen Nakashima wrote:

One area of controversy is the bureau’s use of cell site simulators, or Stingrays, which mimic cellphone towers to elicit signals from cellphones in an area, including from innocent bystanders. The FBI has long been secretive about the tool’s use, and has even made state and local law enforcement sign nondisclosure agreements.

Though the agreements typically state that the local agency “will not . . . disclose any information concerning” the equipment, Hess insists that the FBI has never imposed a gag on local police. For the record, she said, the bureau does not object to revealing the use of the device. It’s the “engineering schematics,” details on exactly how the tool works, that the FBI wants shielded, she said.

Another group that remains shrouded is OTD’s Remote Operations Unit. There, technicians with a warrant hack computers to identify suspects. Euphemistically called “network investigative techniques,” that activity has stirred concerns similar to those raised with the use of Stingrays.

For one thing, the warrant applications do not describe the technique’s use in detail. So judges may not really understand what they are authorizing. Hess said that agents can describe the process more fully to a judge in closed chambers. That’s if the judge knows to ask.

Privacy advocates also worry that to carry out its hacks, the FBI is using “zero-day” exploits that take advantage of software flaws that have not been disclosed to the software maker. That practice makes consumers who use the software vulnerable, they argue.

Hess acknowledged that the bureau uses zero-days—the first time an official has done so. She said the trade-off is one the bureau wrestles with. “What is the greater good—to be able to identify a person who is threatening public safety?” Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable?

“How do we balance that?” she said. “That is a constant challenge for us.”

She added that hacking computers is not a favored FBI technique. “It’s frail,” she said. As soon as a tech firm updates its software, the tool vanishes. “It clearly is not reliable” in the way a traditional wiretap is, she said.

The Post also includes counterpoint from privacy advocate and American Civil Liberties Union Principal Technologist Christopher Soghoian. He referred to Hess as the "queen of domestic surveillance" and opined: "if it's high-tech and creepy, it's happening in the Operational Technology Division."
