Security researchers studying malware that exploits a hole in the Firefox browser’s security to unmask users of the privacy-protecting Tor anonymity network suspect that the author of the malicious code is…wait for it…the U.S. government. Journalists and human rights activists depend on Tor and services like it to evade surveillance or protect users’ privacy. But the hidden services have found themselves in U.S. law enforcement’s crosshairs because they cloak the activities of criminals such as Eric Eoin Marques, who was recently described by an FBI special agent as “the largest facilitator of child porn on the planet.”
A Sunday attack on several websites hosted by Freedom Hosting originated at “some IP in Reston, Virginia,” security engineer Vlad Tsyrklevich told Wired. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.” So much for China being the nexus of cyber espionage.
Tsrklevich and other researchers think the malicious code is an example of the FBI’s decade-old “computer and internet protocol address verifier,” or CIPAV, the tool it has used to track down hackers, sexual predators, and other cybercriminals who use proxy servers or anonymity services like Tor to hide their identities. Wiredreported on the spyware way back in 2007.
“Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server,” says a Wired article. Where is the FBI server in question? In Virginia.
The first clue that law enforcement is behind the hack is that the malware doesn’t steal anything nor does it lay any groundwork for future access to the systems. All it does is “look up the victim’s MAC address—a unique hardware identifier for the computer’s network or wireless card—and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address…”
DIY Femtocell Hack Sniffs Out Malware on Mobile Phones
In last week’s edition, we highlighted a presentation at Black Hat Las Vegas by researchers who figured out how to hack a femtocell portable cellular base station in order to intercept all data transmitted by nearby mobile handsets. They informed device makers such as Verizon about the exploit so it could be remedied. This week, Wired reported that the good guys have devised a method for using a femtocell to detect malware on mobile phones. In a presentation at the Def Con hacker conference in Las Vegas, researchers from LMG Security demonstrated a system they built for less than $300 that can view data transmitted from smartphones, through a femtocell, to a cellular carrier’s network. This allows a phone’s user to monitor his or her own data traffic for malicious activity.
“If your phone is infected … it can send audio recordings, copies of your text messages, and even intercept copies of your text messages so you never receive them,” LMG’s Sherri Davidoff told Wired. “Our goal is to give people the ability to see the network traffic” to determine if this is occurring.” The LMG jury rig not only allows traffic monitoring, says Wired, it also gives the user the ability “to stop the data from being passed to attackers from infected phones, alter it to feed the attackers false data, or pass commands back to the smart phone to remotely disable the malware.”
The researchers went a step further, releasing a paper describing their method that includes information so consumers can build the system as a DIY project. for others to use to develop their own system.
Cybersecurity Expert Advocates Fighting Hackers With Hackers
“Large organizations are shooting themselves in the foot if they're not willing to hire a reformed computer hacker to aid with cyber security.” That’s the bottom line, at least according to Robert Hansen, director of product management for security firm WhiteHat Security. In an interview with Computing Magazine, Hansen goes on to say not only is shunning so-called black hat hackers a bad idea, but that many large businesses unknowingly employ them anyway.
"One guy I know who does training for military contractors, he lives in a state where they're not allowed to do background checks on people for whatever reason. But he's been to jail before, for hacking," Hansen told Computing.
"He's gone to jail for something and now he's teaching the best of the best how to defend against hackers and they're not allowed to ask the question if he's gone to jail or not. " Hansen, who regularly talks with black hats, reasons that, if a company is going to have people on the payroll who at one time or another went to prison for hacking or committed cybercrimes but weren’t caught, it’s better to do so know knowingly. "If you intentionally do it then at least it's on the table and they can do the things they need to do to help you [avoid becoming the victim of cybercrime]," he said.
In Other Cybercrime News…
A Chinese hacker gang infiltrated more than 100 companies, sat in on private teleconferences
Two providers of secure e-mail shut down rather than comply with secret U.S. government court orders for access to their customers' data
The Cybercrime of Things: Adding Internet connectivity to everything in your home means convenience. It also means greater vulnerability.
Photo: Getty Images
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.