Good news—the robocalling scourge may not be unstoppable after all

Fewer than 40 call centers responsible for a majority of the unwanted calls.

(credit: D J Shin)

New data shows that the majority of robot-enabled scam phone calls came from fewer than 40 call centers, a finding that offers hope the growing menace of robocalls can be stopped.

The calls use computers and the Internet to dial thousands of phone numbers every minute and promote fraudulent schemes that promise to lower credit card interest rates, offer loans, and sell home security products, to name just a few of the scams. Over the past decade, robocall complaints have mushroomed, with the Federal Trade Commission often receiving hundreds of thousands of complaints each month. In 2013, the consumer watchdog agency awarded $50,000 to three groups who devised blocking systems that had the potential to help end the scourge. Three years later, however, the robocall problem seems as intractable as ever.

On Thursday at the Black Hat security conference in Las Vegas, a researcher said that slightly more than half of more than 1 million robocalls tracked were sent by just 38 telephony infrastructures. The relatively small number of actors offers hope that the phenomenon can be rooted out, by either automatically blocking the call centers or finding ways for law enforcement groups to identify and prosecute the operators.


New attack steals SSNs, e-mail addresses, and more from HTTPS pages

Approach exploits how HTTPS responses are delivered over transmission control protocol.

A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites. (credit: Vanhoef, Van Goethem)

The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise sizes of the encrypted responses they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas.


Frequent password changes are the enemy of security, FTC technologist says

Contrary to what you’ve been told, frequent changes can be counterproductive.

FTC Chief Technologist Lorrie Cranor speaking at PasswordsCon 2016, part of the BSides security conference in Las Vegas.

Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But Cranor, a university professor who focuses on security, found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'"


Critics blast Trump calls for Russia to locate missing Hillary Clinton e-mails

“I think you will probably be rewarded mightily by our press,” he says.

In comments that appeared to condone the hacking of sensitive US correspondence, Republican presidential nominee Donald Trump on Wednesday said he hoped Russia locates missing e-mails sent by Hillary Clinton when she was US secretary of state.

"Russia, if you’re listening, I hope you’re able to find the 30,000 e-mails that are missing," Trump said during a news conference. "I think you will probably be rewarded mightily by our press. Let's see if that happens. That'll be nice."

Donald Trump on Russia missing Hillary Clinton e-mails (C-SPAN).

At the same event, Trump also said, "I'm not gonna tell Putin what to do. Why should I tell Putin what to do?... It's not even about Russia or China or whoever it is that's doing the hacking. It's about the things they said in those e-mails. They were terrible things."


Keys to Chimera crypto ransomware allegedly leaked by rival crime gang

First, Mischa devs stole their rival’s code. Now, they may have killed its business.

Sometimes, the fierce competition in the booming crypto ransomware market works in the favor of the victims whose priceless data is held hostage. That appears to be what played out on Tuesday when the criminals behind a package known as "Mischa" published what's purported to be the secret crypto keys for the rival Chimera malware.

"Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project," the Mischa developers wrote in a message posted to Pastebin. "Additionally we now release about 3500 decryption keys from Chimera."

Translation: As if breaking into the Chimera developers' network and stealing their code wasn't enough of an affront, the competing Mischa gang now claims to have leaked the keys that defang Chimera forever.


New attack that cripples HTTPS crypto works on Macs, Windows, and Linux

Hack can be carried out by operators of Wi-Fi hotspots, where HTTPS is needed most.

(credit: Ddxc)

A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodiscovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."


New evidence suggests DNC hackers penetrated deeper than previously thought

Consultant’s Yahoo Mail suspected of being targeted by state-sponsored hackers.

The suspected hacking of a Democratic National Committee consultant's personal Yahoo Mail account provides new evidence that state-sponsored attackers penetrated deeper than previously thought into the private communications of the political machine attempting to defeat Republican nominee Donald Trump.

According to an article published Monday by Yahoo News, the suspicion was raised shortly after DNC consultant Alexandra Chalupa started preparing opposition research on Trump Campaign Chairman Paul Manafort. Upon logging in to her Yahoo Mail account, she received a pop-up notification warning that members of Yahoo's security team "strongly suspect that your account has been the target of state-sponsored actors." After Chalupa started digging into Manafort's political and business dealings in Ukraine and Russia, the warnings had become a "daily occurrence," Yahoo News reported, citing a May 3 e-mail sent to a DNC communications director.

(credit: Yahoo News)

It was one of more than 19,000 private DNC messages posted to WikiLeaks on Friday. The massive e-mail dump came five weeks after DNC officials said hackers with backing from the Russian government had breached its network and made off with opposition research into Trump and almost a year's worth of private e-mail. The airing on WikiLeaks, which included messages in which DNC officials derided Democratic candidate Bernie Sanders, has already led to the resignation of Chair Debbie Wasserman Schultz. Now, the revelations about Chalupa's Yahoo account suggest the hack may have gone deeper than previously reported.


Malicious computers caught snooping on Tor-anonymized Dark Web sites

Misbehaving hidden service directories are scattered around the world.

A map of hidden services directories detected as malicious.

The trust of the Tor anonymity network is in many cases only as strong as the individual volunteers whose computers form its building blocks. On Friday, researchers said they found at least 110 such machines actively snooping on Dark Web sites that use Tor to mask their operators' identities.

All of the 110 malicious relays were designated as hidden services directories, which store information that end users need to reach the ".onion" addresses that rely on Tor for anonymity. Over a 72-day period that started on February 12, computer scientists at Northeastern University tracked the rogue machines using honeypot .onion addresses they dubbed "honions." The honions operated like normal hidden services, but their addresses were kept confidential. By tracking the traffic sent to the honions, the researchers were able to identify directories that were behaving in a manner that's well outside of Tor rules.

"Such snooping allows [the malicious directories] to index the hidden services, also visit them, and attack them," Guevara Noubir, a professor in Northeastern University's College of Computer and Information Science, wrote in an e-mail. "Some of them tried to attack the hidden services (websites using hidden services) through a variety of means including SQL Injection, Cross-Site Scripting (XSS), user enumeration, server load/performance, etc."


Snowden designs device to warn when an iPhone is ratting out users

“Introspection Engine” might one day work with wide variety of smartphones.

A conceptual rendering of a “battery case” style introspection engine for an iPhone6. (credit: https://www.pubpub.org/pub/direct-radio-introspection)

Mobile devices have without a doubt brought convenience to the masses, but that benefit comes at a high price for journalists, activists, and human rights workers who work in war-torn regions or other high-risk environments. Now, NSA whistleblower Edward Snowden has designed an iPhone accessory that could one day be used to prevent the devices from leaking their whereabouts.

Working with renowned hardware hacker Andrew “Bunnie” Huang, Snowden has devised the design for what the team is calling the "Introspection Engine." For now, it's aimed only at iPhone 6 models, but eventually the pair hopes to create specifications for a large line of devices. Once built, the "field-ready" accessory would monitor various radio components inside the phone to confirm they're not transmitting data when a user has put the device into airplane mode. The hardware is designed to be independent from the mobile device, under the assumption that malware-infected smartphones are a fact of life in high-risk environments.

Detecting intoxicated smartphones

"Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface," Huang and Snowden wrote in a blog post published Thursday. "Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive."


Software flaw puts mobile phones and networks at risk of complete takeover

Code-execution vuln resides in code used in cell towers, radios, and basebands.

(credit: Carl Lender)

A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement ASN.1, short for Abstract Syntax Notation One, the ITU-T standard for describing and encoding structured data that underlies many telephony protocols.

"The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
