Maker of Airport Body Scanners Suspected of Falsifying Software Tests


WIRED / Threat Level
by Kim Zetter
November 15, 2012

TSA Full Body Scanner

A company that supplies controversial passenger-screening machines for U.S. airports is under suspicion for possibly manipulating tests on privacy software designed to prevent the machines from producing graphic body images.

The Transportation Security Administration sent a letter Nov. 9 to the parent company of Rapiscan, the maker of backscatter machines, requesting information about the testing of the software to determine if there was malfeasance.

The machines use backscatter radiation to detect objects concealed beneath clothes. But after complaints from privacy groups and others that the machines produce graphic images of passengers’ bodies, the government ordered the machines be outfitted with privacy software by June to replace the invasive images with more generic ones that simply show a chalk-like outline of a body.

While L-3 Communications, the maker of another brand of scanners used in airports, successfully developed the privacy software for its machines, Rapiscan was having problems with its software, according to Bloomberg.

The testing of the software, done earlier this year to determine if it met privacy requirements, was conducted by a third party, so it’s not immediately clear how Rapiscan might have manipulated the tests.

At a hearing on Thursday before the House Transportation Security Subcommittee, Chairman Mike Rogers (R-Alabama) asked John Sanders, assistant administrator for TSA’s office of security capabilities, this very question. Sanders replied obliquely that “before [a test] gets underway, we might believe the system is on one configuration when it’s not in that configuration.”

Sanders said that TSA has no evidence yet that the vendor did manipulate the tests, but is looking into the matter.

“At this point we don’t know what has occurred,” Sanders said. “We are in contact with the vendor. We are working with them to get to the bottom of it.”

The vendor has denied any wrongdoing.

“At no time did Rapiscan falsify test data or any information related to this technology or the test,” Peter Kant, an executive vice president with the company, told Bloomberg.

DHS has spent about $90 million replacing traditional magnetometers with the controversial body-scanning machines.

Rapiscan has a contract to produce 500 machines for the TSA at a cost of about $180,000 each. The company could be fined and barred from participating in government contracts, or employees could face prison terms if it is found to have defrauded the government.

It’s not the first time Rapiscan has been at the center of testing problems with the machines. The company previously had problems with a “calculation error” in safety tests that showed the machines were emitting radiation levels that were 10 times higher than expected.

It turned out the company’s technicians weren’t following protocol in conducting the tests. They were supposed to test radiation levels of machines in the field 10 times in a row, and then divide the results by 10 to produce an average radiation measurement. But the testers failed to divide the results by 10, producing false numbers.

A recent Wired.com three-part series examined the constitutionality, effectiveness and health concerns of the scanners, which were never tested on mice or other biological equivalents to determine the scanners’ health risks to humans.

 

Direct Link:  http://www.wired.com/threatlevel/2012/11/rapiscan-fraudulent-tests/

The New York Times Is Wrong: Strong Passwords Can’t Save Us


WIRED
by Mat Honan
November 15, 2012

On Nov. 7, The New York Times ran a story called “How to Devise Passwords That Drive Hackers Away.” Written by Silicon Valley correspondent Nicole Perlroth, the piece reigned over the paper’s Most Emailed List for a full week, and for a good reason: It’s properly freaked out about just how vulnerable we all are to hackers.

But by focusing on the password, it tries to prop up the unsustainable heart of our moldering security system — and it implicitly blames the victim for problems that big corporations let fester for selfish reasons. As I argue in my new cover story for Wired, the only solution is to kill the password entirely.

Much of the advice the Times offers up is quite good. No, you should not re-use passwords or use dictionary words as passwords. And, yes, your passwords should be long and complicated. Pass phrases are great! And security questions? You should never answer them honestly. (Just ask David Pogue.)

But the Times goes much further, advocating methods that no consumer should reasonably be expected to follow. To wit:

For sensitive accounts, [security expert] Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

And:

Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you’re toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password.

And: under the section headed “A Password Manager? Maybe” (The triumph of Carly Rae Jepsen!) we learn about the dangers of using password-management software like 1Password or LastPass:

Mr. Grossman said he did not trust the software because he didn’t write it.

Truly, words of wisdom for us all: We really should all be writing our own password-management programs.

* * *

Yes, you are quite vulnerable to being hacked, and no matter what The New York Times tells you, passwords aren’t the solution; they are the very problem. The idea that you can devise passwords to keep hackers away is quaint and preposterous. It is an outdated, old-fashioned notion akin to protecting a city with a wall.

But in the age of Google, Facebook and Spokeo, social engineering has never been easier. There is a treasure trove of data about all of us, scattered across the internet, that can easily be used to obtain password resets. That means all of those precautions can be undone with the right phone call, or an errant click in a mobile browser, where the URL is often hidden to save screen real estate, or in any number of other ways, from service to service. Hey, look, yesterday it was Skype. Tomorrow, maybe it will be your bank.

The real problem with passwords isn’t reuse or cracking. These are mere symptoms of a larger disease. Think of our password problem as being like polio.

Prior to 1900, polio was never a devastating pandemic. Though it has been with us since the dawn of civilization (like passwords!), its transmission wasn’t enough of a problem to cause large-scale epidemics. But as we entered the 20th century, a confluence of factors (larger populations living in cities with sewage treatment, and less childhood exposure to the disease, which lowered overall immunity) created a new threat, and polio went from occasional outbreak, to epidemic, to pandemic. True, there were precautions individuals could take, but they were ineffective at stopping or slowing outbreaks. You couldn’t even protect yourself without taking extreme measures, like total isolation. It took the work of society and institutions to eradicate it in the developed world — not only to create vaccines but to get those vaccines into widespread circulation.

Like polio, the password problem is also an old problem and a new problem at the same time. Passwords have been cracked since they were invented, but until recently it wasn’t an issue that had widespread implications for most people. Today, however — for a variety of reasons I detail in my story for Wired‘s December issue — the problem has reached epidemic, if not pandemic, proportions. Yet instead of a systemic, universal vaccination, The New York Times is basically advocating that you go live in a cabin deep in the woods.

More importantly, the advice in this story makes the same mistake journalists make again and again, which is to put account security onus on the individual. But as individuals we are, for the most part, pretty powerless. This is Microsoft and Apple and Google and AT&T and Verizon and Bank of America and PayPal and Amazon’s job. And there’s a sure way to get their attention.

Here is a better idea than keeping an encrypted USB disk of passwords taped securely to the underside of your genitals: If a service does not offer you adequate protection, don’t use it. Want to know how to protect your password from hackers? Quit using insecure products.

For vital services — like your primary e-mail, or online banking account — you should demand at a minimum a second factor of authentication. That’s typically something you have like a code sent to your phone, or an app, or a token. If you can’t get that protection from the service you entrust with your vital data, don’t use it. I’ll say it again, because it is so important: If you are using e-mail or banking services from a provider that does not offer that second layer of protection in addition to the password, stop now. Today. Archive and delete all your messages. Transfer your money. Close your account. Seriously. Not kidding. Do it right now.
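The "app" or "token" second factor the paragraph asks for is almost always a time-based one-time password. The following is an added example (not code from the Wired piece or from any vendor named in it) showing how such a code is generated on the device and checked on the server, per RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the published RFC test vector, not a real credential; a deployment uses a random per-user secret shared once at enrollment. The server-side check also shows the two properties that make the second factor worth more than a reused password: a code is only valid for a short window, and a code that has already been accepted is never accepted again, so a keylogged or phished code cannot simply be replayed.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# Assumption for the example only: a real secret is random and per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter,
    then 'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. This is what the phone app computes."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the accepted counter, or None.

    - tolerates clock skew of +/- `window` steps;
    - rejects any counter <= last_counter, so a code that was already used
      (sniffed, keylogged, phished) cannot be replayed;
    - compares in constant time to avoid a timing side channel.
    The caller must persist the returned counter as the new last_counter.
    """
    now_counter = int(unix_time) // step
    for candidate in range(now_counter - window, now_counter + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, time.time()))
```

A code sent by SMS is generated the same way server-side; the difference is only the channel, and an SMS can be redirected by the same account-reset social engineering the piece describes, which is why an app or hardware token holding the secret locally is the stronger choice of the three.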

Good security is going to require tradeoffs. We’re going to have to get used to the notion that we either need to give up some of our privacy, or ease of access in order to achieve it. There’s just no other way.

The criminals — be they 15-year-old sociopaths or organized criminals — are coming for you. And your passwords won’t protect you. Even if you keep them on an encrypted USB stick.

 

Direct Link:  http://www.wired.com/gadgetlab/2012/11/why-no-password-is-safe-from-hackers/

Xtreme RAT cyberespionage targeted U.S., U.K. governments


The recent malware attack against the Israeli police also targeted government institutions in other countries, researchers say

 

Computer World
by Lucian Constantin
November 16, 2012

Israel Police

IDG News Service –

The hacker group that recently infected Israeli police computers with the Xtreme RAT malware has also targeted government institutions from the U.S., U.K. and other countries, according to researchers from antivirus vendor Trend Micro.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies. The archive contained a malicious executable masquerading as a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.
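The lure described above, an executable dressed up as a Word document inside an archive, is one a mail gateway can catch without any signature for Xtreme RAT itself. The following is an added example, not code from the article or from Trend Micro, showing the check applied to each entry after the archive has been extracted (RAR extraction itself is out of scope here; the inputs are constructed byte strings). It flags three things: a Windows PE header under a document extension, a document-then-executable double extension, and a Unicode right-to-left override in the file name, which is a well-known way to make ".exe" display as part of a document name. The RLO check goes beyond what the article reports about this campaign.

```python
import struct
from typing import Dict, List

DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
RLO = "\u202e"  # Unicode right-to-left override


def is_pe_image(data: bytes) -> bool:
    """True if `data` carries a Windows PE header: an 'MZ' DOS stub whose
    e_lfanew field (little-endian DWORD at offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extensions(name: str) -> List[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def suspicious_attachment(name: str, data: bytes) -> List[str]:
    """Return the list of reasons an attachment is suspicious (empty if none)."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if RLO in name:
        reasons.append("right-to-left override in file name")
    if (len(exts) >= 2 and last in EXECUTABLE_EXTENSIONS
            and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1])):
        reasons.append("double extension: document name, executable type")
    if is_pe_image(data):
        if last in DOCUMENT_EXTENSIONS:
            reasons.append("PE executable disguised as %s document" % last)
        else:
            reasons.append("PE executable attachment")
    return reasons


def scan_archive(entries: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each flagged archive member name to its reasons."""
    result = {}
    for name, data in entries.items():
        reasons = suspicious_attachment(name, data)
        if reasons:
            result[name] = reasons
    return result


# Constructed samples (not real malware): a minimal PE-shaped blob and the
# first bytes of an OLE2 compound file, which is what a genuine .doc starts with.
def fake_pe() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


OLE_DOC_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64

if __name__ == "__main__":
    sample = {
        "news_report.doc": OLE_DOC_SAMPLE,        # real document: clean
        "news_report.doc.exe": fake_pe(),         # double extension
        "news_report.doc": fake_pe(),             # PE under a document name
    }
    for name, reasons in scan_archive(sample).items():
        print(name, "->", ", ".join(reasons))
```

Matching on the PE header rather than the file name is the part that matters: the decoy document opened by the implant is a genuine file, but the thing the user double-clicked is not, and its first two bytes say so.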

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of a year-long cyberespionage operation performed by the same group of attackers in the region.

However, according to new data uncovered by researchers from Trend Micro, the campaign’s scope appears to be much larger.

“We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel,” Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. “One of the emails was sent to 294 email addresses.”

“While the vast majority of the emails were sent to the Government of Israel at ‘mfa.gov.il’ [Israeli Ministry of Foreign Affairs], ‘idf.gov.il’ [Israel Defense Forces], and ‘mod.gov.il’ [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at ‘state.gov’ [U.S. Department of State] email addresses,” Villeneuve said. “Other U.S. government targets also included ‘senate.gov’ [U.S. Senate] and ‘house.gov’ [U.S. House of Representatives] email addresses. The email was also sent to ‘usaid.gov’ [U.S. Agency for International Development] email addresses.”

The list of targets also included ‘fco.gov.uk’ (British Foreign & Commonwealth Office) and ‘mfa.gov.tr’ (Turkish Ministry of Foreign Affairs) email addresses, as well as addresses from government institutions in Slovenia, Macedonia, New Zealand, and Latvia, the researcher said. Some non-governmental organizations like the BBC and the Office of the Quartet Representative, were also targeted.

The Trend Micro researchers used metadata from the decoy documents to track down some of their authors to an online forum. One of them used the alias “aert” to talk about various malware applications including DarkComet and Xtreme RAT or to exchange goods and services with other forum members, Villeneuve said.

However, the motivations of the attackers remain unclear. After the Norman report one might have speculated that the attackers had a political agenda tied to Israel and the Palestinian territories; after Trend Micro’s latest findings it is harder to guess what drives them.

“Their motivations are quite unclear at this point after discovering this latest development of targeting other state organizations,” said Ivan Macalintal, senior threat researcher and security evangelist at Trend Micro, Friday via email.

Trend Micro has not taken control of any command and control (C&C) servers used by the attackers in order to determine what data is being stolen from the infected computers, the researcher said, adding that there are no plans to do so at this time.

Security companies sometimes work with domain providers to point C&C domain names used by attackers to IP addresses under their control. This process is known as “sinkholing” and is used to determine how many computers were infected with a particular threat and what kind of information those computers are sending back to the control servers.
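The article notes that Trend Micro did not sinkhole this campaign. As an added illustration of what a sinkhole yields once a C&C name does resolve to a responder under defender control, here is an example (not code from the article, Trend Micro or Norman) that parses a constructed web-server log from such a sinkhole, counts distinct infected hosts per C&C domain, and recovers each implant's beacon interval. The log format, hostnames (reserved .invalid names) and addresses (TEST-NET documentation ranges) are all invented for the example; a real Xtreme RAT beacon would not look like an HTTP GET to /gate.php, that path is only a placeholder for "the implant's check-in". The favicon request from a browser User-Agent is there deliberately: researchers, crawlers and curious users also hit sinkholes, and counting them as infections inflates the numbers.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: timestamp, client IP, Host header, request line, User-Agent.
SINKHOLE_LOG = """\
2012-11-16T10:00:01Z 192.0.2.10 cnc-one.invalid "GET /gate.php?id=ABC HTTP/1.1" "Mozilla/4.0"
2012-11-16T10:00:31Z 192.0.2.10 cnc-one.invalid "GET /gate.php?id=ABC HTTP/1.1" "Mozilla/4.0"
2012-11-16T10:00:40Z 198.51.100.7 cnc-one.invalid "GET /gate.php?id=DEF HTTP/1.1" "Mozilla/4.0"
2012-11-16T10:01:01Z 192.0.2.10 cnc-one.invalid "GET /gate.php?id=ABC HTTP/1.1" "Mozilla/4.0"
2012-11-16T10:01:10Z 203.0.113.44 cnc-two.invalid "GET /gate.php?id=XYZ HTTP/1.1" "Mozilla/4.0"
2012-11-16T10:02:00Z 203.0.113.99 cnc-one.invalid "GET /favicon.ico HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Placeholder for the implant's check-in path (assumption, not Xtreme RAT's real protocol).
BEACON_PATH_PREFIX = "/gate.php"


def parse(log: str) -> List[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, host, request, ua = m.groups()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "host": host,
            "path": request.split()[1],
            "ua": ua,
        })
    return rows


def is_beacon(row: dict) -> bool:
    """Only implant check-ins count; browsers fetching /favicon.ico do not."""
    return row["path"].startswith(BEACON_PATH_PREFIX)


def infected_hosts(rows: List[dict]) -> Dict[str, List[str]]:
    """Distinct beaconing client IPs per sinkholed C&C domain."""
    per_domain = defaultdict(set)
    for r in rows:
        if is_beacon(r):
            per_domain[r["host"]].add(r["ip"])
    return {domain: sorted(ips) for domain, ips in per_domain.items()}


def beacon_intervals(rows: List[dict]) -> Dict[str, List[float]]:
    """Seconds between successive check-ins per client; a fixed interval is a
    strong sign of an automated implant rather than a human visitor."""
    seen = defaultdict(list)
    for r in rows:
        if is_beacon(r):
            seen[r["ip"]].append(r["ts"])
    out = {}
    for ip, times in seen.items():
        times.sort()
        out[ip] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return out


if __name__ == "__main__":
    rows = parse(SINKHOLE_LOG)
    for domain, ips in infected_hosts(rows).items():
        print(domain, "->", len(ips), "infected host(s):", ", ".join(ips))
    for ip, deltas in beacon_intervals(rows).items():
        print(ip, "beacon intervals (s):", deltas)
```

Two caveats a practitioner would add: a sinkhole must only log and answer with harmless content, never send the implant commands, and counting IPs undercounts machines behind NAT while overcounting hosts that change address, so the "how many infected" figure is an estimate, not a census.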

“We’ve contacted and are working with the CERTs [computer emergency response teams] for the particular states affected and we’ll see if there was indeed any damage done,” Macalintal said. “We are still actively monitoring the campaign as of now and will post updates accordingly.”

 

Direct Link:  http://www.computerworld.com/s/article/9233758/Xtreme_RAT_cyberespionage_targeted_U.S._U.K._governments?taxonomyId=85&pageNumber=1

 

Proof-of-concept malware can share USB smart card readers with attackers over Internet


The malware uses a special driver to share local USB devices over TCP/IP with the attacker’s computer, researchers say

 

Computer World
by Lucian Constantin
November 15, 2012

USB Smart Card Reader

IDG News Service –

A team of researchers has created a proof-of-concept piece of malware that can give attackers control of USB smart card readers attached to an infected Windows computer over the Internet.

The malware installs a special driver on the infected computer which allows for the USB devices connected to it to be shared over the Internet with the attacker’s computer.

In the case of USB smart card readers, the attacker can use the middleware software provided by the smart card manufacturer to perform operations with the victim’s card as if it was attached to his own computer, said Paul Rascagneres, an IT security consultant at Luxembourg-based security auditing and consulting firm Itrust Consulting, on Thursday. Rascagneres is also the founder and leader of a malware analysis and engineering project called malware.lu, whose team designed this USB sharing malware.

There are already documented cases of malware that hijacks smart card devices on the local computer and uses them through the API (application programming interface) provided by the manufacturer.

However, the proof-of-concept malware developed by the malware.lu team takes this attack even further and shares the USB device over TCP/IP in “raw” form, Rascagneres said. Another driver installed on the attacker’s computer makes it appear as if the device is attached locally.

Rascagneres is scheduled to showcase how the attack works at the MalCon security conference in New Delhi, India, on Nov. 24.

Smart cards are used for a variety of purposes, but most commonly for authentication and signing documents digitally. Some banks provide their customers with smart cards and readers for secure authentication with their online banking systems. Some companies use smart cards to remotely authenticate employees on their corporate networks. Also, some countries have introduced electronic identity cards that can be used by citizens to authenticate and perform various operations on government websites.

Rascagneres and the malware.lu team tested their malware prototype with the national electronic identity card (eID) used in Belgium and some smart cards used by Belgian banks. The Belgian eID allows citizens to file their taxes online, sign digital documents, make complaints to the police and more.

However, in theory the malware’s USB device sharing functionality should work with any type of smart card and USB smart card reader, the researcher said.

In most cases, smart cards are used together with PINs or passwords. The malware prototype designed by the malware.lu team has a keylogger component to steal those credentials when the users input them through their keyboards.

However, if the smart card reader includes a physical keypad for entering the PIN, then this type of attack won’t work, Rascagneres said.

The drivers created by the researchers are not digitally signed with a valid certificate so they can’t be installed on versions of Windows that require installed drivers to be signed, like 64-bit versions of Windows 7. However, a real attacker could sign the drivers with stolen certificates before distributing such malware.

In addition, malware like TDL4 is known to be able to disable the driver signing policy on 64-bit versions of Windows 7 by using a boot-stage rootkit — bootkit — component that runs before the operating system is loaded.

The attack is almost completely transparent to the user, since it does not prevent them from using their smart card as usual, Rascagneres said. The only giveaway might be the blinking activity LED on the smart card reader when the card is accessed by the attacker, he said.

 

Direct Link:  http://www.computerworld.com/s/article/9233697/Proof_of_concept_malware_can_share_USB_smart_card_readers_with_attackers_over_Internet?taxonomyId=85

 

U.S. Buys Yemen a Fleet of Spy Planes for Growing Shadow War


 

WIRED
by Spencer Ackerman
November 27, 2012

Once the U.S. bought cheap planes like this Cessna, good for spying, for Iraq’s military. Now it’s buying them for Yemen’s. Photo: U.S. Air Force

It’s not enough for Yemen’s skies to fill up with armed U.S. drones. Now the Pentagon wants to buy its Yemeni ally small, piloted spy planes. It’s a sign that the U.S. is upgrading the hardware it gives the Yemeni military, and digging in for a long shadow war.

That’s the upshot of a recent U.S. military message to the aviation industry. The Navy asked earlier this month for 25 “Light Observation Aircraft” — small, two-seater Cessna-style planes, good for short-range reconnaissance over, say, a patch of land that an al-Qaida affiliate is trying to overrun. That’s in addition to all of the American remotely piloted aircraft that already fly over Yemen, which has become the hottest undeclared battlefield in the global U.S. drone campaign.

The planes have to be configured so the U.S. can teach Yemenis how to be their own eyes in the sky, and they need to be in Yemen in under 24 months. “Austere environment landing/takeoff capable” is a must. The push for the aircraft is somewhat reminiscent of the Pentagon’s “Project Liberty” crash program to rush small, relatively cheap Beechcraft planes to the Iraq and Afghan warzones so troops could trick them out with advanced sensors and cameras. It remains to be seen if that’s in the works for Yemeni pilots.

 

After a brief pause prompted by Arab Spring instability, U.S. defense assistance returned to Yemen this summer in a major way. But while the U.S. has been generous — $112 million this year, or about as much as the U.S.’ post-9/11 military assistance totaled by 2010 — it’s not bought Yemen many high-end systems. Small Raven drones, radios, night-vision goggles, rifles and ammo, ruggedized “raiding” boats and other hallmarks of unconventional, commando-style tactics have been the norm. Manned spy planes are certainly good for unconventional wars, and they also represent something of an upgrade.

The U.S.’ shadow war in Yemen is showing other traces of entrenchment and durability. In September, the Army put out a call for armored SUVs, the signature vehicle of the post-9/11 era for transporting security contractors and operatives who’d prefer not to be seen taking military transport. Starting in January, transiting diplomats once lodged in a Sanaa hotel run by the Kuwaiti government will now stay in a secured “hotel-like” domicile constructed by the State Department, separate from the U.S. embassy and complete with “30-plus channel hotel cable system” and room “for up to 240 guests.” (Hmm.)

All this gives substance to Defense Secretary Leon Panetta’s warning last week that the U.S. should disabuse itself of any notion that the war against al-Qaida was wrapping up. (Never mind that such notions were once spread by Leon Panetta.) Panetta wants to wage those wars whenever possible through foreign governments like Yemen’s, bolstering their capability to fight so that U.S. troop presences can be minimal. Now Yemeni pilots will be able to see just how long that war stretches over their horizon.

 

Direct Link:   http://www.wired.com/dangerroom/2012/11/yemen-spy-planes/