We were already aware of the existence of illicit marketplaces teeming with tools for cybercriminals looking to subvert the security of online networks. But one of the latest revelations from the cache of documents stolen by NSA whistleblower Edward Snowden is the fact that NSA hackers have access to a spy catalog from which they can buy gadgets and malware that make the idea of online security virtually meaningless. According to Der Spiegel, the newly disclosed documents reveal that specialists in the NSA’s Tailored Access Operations division manage to access data that is supposedly inaccessible even by tapping undersea cables or by strong-arming companies such as Google, AT&T, and Yahoo. Their bag of tricks, which includes mapping and monitoring networks and rerouting and modifying data, comes largely from a 50-page catalog produced by another NSA division.
“For nearly every lock, ANT seems to have a key in its toolbox,” Der Spiegel writes. “And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.”
The 2008 catalog features items ranging in price from free to US $250 000. They include a $30 pack of rigged monitor cables that let the NSA see whatever the user sees, a $40 000 GSM base station that spoofs a mobile phone tower so that it receives signals from nearby handsets, and a digital lock pick for firewalls made by Juniper Networks that keeps the backdoor open even after reboots and software upgrades. Worse, the Snowden documents reveal, the catalog contains malware capable of infecting a machine’s BIOS so that it continues to compromise the device’s security even after the most drastic measures: wiping the hard drive clean and reinstalling the operating system.
PINs Compromised in Target Hack
Target’s troubles are mounting. The retailer, whose systems were hacked at the height of the holiday shopping season, has confirmed that the cybercrooks were able to access a listing of customer debit card PINs. The company had earlier said that the PINs weren’t taken in the data breach. Now Target is insisting that customers are safe and that the hackers won’t be able to turn the data into easy cash by making spoofed debit cards that let them take money out of ATMs. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement posted on its website on Friday.
Target didn’t reveal how much PIN data was divulged.
Despite the retailer’s insistence that “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” company officials may be the only people shocked when the other shoe drops and we find out that the hackers have managed to find the keys to decrypt it.
It was supposed to be simple. And easy. And safe. Just send someone a pic on Snapchat and, poof, it would disappear from the recipient’s device before it could come back to haunt you. But now there’s reason for worry. Snapchat has been hacked. Though no one’s heard of any funny business with images being diverted, the usernames and phone numbers of 4.6 million alleged Snapchat users were posted online this week. The posting, on a website called SnapchatDB.info, came a few days after an outfit called Gibson Security publicly reported a vulnerability in the social sharing service it said would allow that very thing to occur. (According to Computerworld, the site has been taken down by its hosting service, but a cached version can still be viewed.)
Gibson says it first made Snapchat aware of the vulnerability in August, but the service didn’t respond. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” Gibson said in a statement.
In Other Cybercrime News…
- FireEye, a major cybersecurity company, announced the purchase of Mandiant, a privately held cyber forensics firm, for roughly US $990 million. FireEye, a leading seller of security services designed to identify and combat cybercrime via the Internet, e-mail, and mobile devices, has previously collaborated with Mandiant to stave off attacks. The purchase, FireEye said in a statement, will improve its ability “to stop advanced attacks at the earliest phases of the attack life cycle.”
- This week, a U.S. federal court upheld a government policy allowing law enforcement officers at or near U.S. borders to seize and search electronic devices for any reason. The decision by U.S. District Judge Edward Korman in New York is the result of a case brought by the American Civil Liberties Union (ACLU), which argued that U.S. border officials shouldn’t be able to conduct searches of gadgets without reasonable suspicion that a crime has been committed. But the judge held that the so-called “border exemption,” which gives the government the right to warrantless and suspicionless searches within 160 kilometers of the border, applies to data and the devices that contain it.