Sparrowvsrevolution writes: Researchers at Cornell Tech have demonstrated in a study the unexpected privacy-invasive potential of brute-forcing shortened URLs: They found that URL shortening services that use only five or six random characters could, with enough computers, have every possible shortened URL generated and tested. By generating millions of shortened URLs for services like Microsoft OneDrive and Google Maps until they found working ones, the researchers accessed online files and folders as well as Google Maps directions that were meant to be shared privately, making possible a detailed analysis of Google users' travel patterns from the leaked data. "[Users] think they’re sharing a document with a collaborator," said Cornell Tech computer scientist Vitaly Shmatikov. "But if you’re sharing a six character shortened URL, you’re sharing it with the whole world."
As a result of that brute forcing, the researchers found that they could have spread malware on unwitting victims’ computers via Microsoft’s cloud storage service by inserting malicious files into publicly editable folders synchronized with users' computers. And most disturbingly, their analysis of millions of revealed Google Maps directions showed that anyone could track users from what appear to be their homes to "clinics for specific diseases (including cancer and mental illnesses), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, [and] gentlemen’s clubs." In one case they found (but didn't publish) the full name, age, and home address of a young woman who had requested driving directions to Planned Parenthood.
Sparrowvsrevolution writes: The dark web has become the go-to corner of the Internet to buy drugs, stolen financial data, guns...and counterfeit coupons for Clif bars and condoms?
On Thursday, the FBI indicted 30-year-old Beauregard Wattigney, a Louisiana-based technician for ITT Technical Institute, on charges of wire fraud and trademark counterfeiting on the Dark Web marketplaces Silk Road and Silk Road 2. Wattigney is accused of being the online coupon kingpin known as ThePurpleLotus or TheGoldenLotus, who sold packages of coupons for virtually every consumer product imaginable including alcohol, cigarettes, cleaning supplies, beauty products, video games, and consumer electronics. The spoofed coupons—in most cases offering discounts just as effective as the real thing—were offered in packages that cost customers around $25 in bitcoin, but offered hundreds of dollars in total fraudulent discounts. Eventually he even sold a counterfeit coupon-making guide and access to a custom coupon-making fraud service.
The FBI accuses Wattigney of being responsible for more than $1 million in total damages to the affected companies, which range from Sony to Crest to Kraft. But one fraud consultant who tracked Purple Lotus on the dark web for more than a year says the damage is likely far higher, in the tens of millions of dollars.
Sparrowvsrevolution writes: On Friday, WikiLeaks announced that it has finally relaunched a beta version of its leak submission system after a 4.5 year hiatus. That file-upload site, which once served as a central tool in WikiLeaks' leak-collecting mission, runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their identity from any network eavesdropper, and even from WikiLeaks itself. In 2010 the original submission system went down amid infighting between WikiLeaks’ leaders and several of its disenchanted staffers, including several who left to create their own soon-to-fail project called OpenLeaks.
WikiLeaks founder Julian Assange says that the new system, which was delayed by his legal troubles and the banking industry blockade against the group, is the final result of “four competing research projects” WikiLeaks launched in recent years. He adds that it has several less-visible submission systems in addition to the one it's now revealed. “Currently, we have one public-facing and several private-facing submission systems in operation, cryptographically, operationally and legally secured with national security sourcing in mind,” Assange writes.
Sparrowvsrevolution writes: Over the last month, a marketplace calling itself TheRealDeal Market has emerged on the dark web, with a focus on sales of hackers’ zero-day attack methods. Like the Silk Road and its online black market successors like Agora and the recently defunct Evolution, TheRealDeal runs as a Tor hidden service and uses bitcoin to hide the identities of its buyers, sellers, and administrators. But while some other sites have sold only basic, low-level hacking tools and stolen financial details, TheRealDeal’s creators say they’re looking to broker premium hacker data like zero-days, source code, and hacking services, often offered on an exclusive, one-time sale basis.
Currently an iCloud exploit is being offered for sale on the site with a price tag of $17,000 in bitcoin, claiming to be a new method of hacking Apple iCloud accounts. “Any account can be accessed with a malicious request from a proxy account,” reads the description. “Please arrange a demonstration using my service listing to hack an account of your choice.” Others include a technique to hack WordPress’ multisite configuration, an exploit against Android’s Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin. None of these zero-days have yet been proven to be real, but an escrow system on the site using bitcoin's multisignature transaction feature is designed to prevent scammers from selling fake exploits.
Sparrowvsrevolution writes: It turns out all those critics of the controversial Tor router project Anonabox might have been on to something. Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user’s Internet traffic over Tor as promised, the company says that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes use the hardcoded root password "admin," which allows any of those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user’s traffic.
Anonabox's parent company Sochutel says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in newer versions of the router.
The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the project's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.
Sparrowvsrevolution writes: A new Wired magazine story goes inside the North Korean rebel movement seeking to overthrow Kim Jong-un by smuggling USB drives into the country packed with foreign television and movies. As the story describes, one group has stashed USB drives in Chinese cargo trucks. Another has passed them over from tourist boats that meet with fishermen mid-river. Others arrange USB handoffs at the Chinese border in the middle of the night with walkie-talkies, laser pointers, and bountiful bribes.
Even Kim assassination comedy The Interview, which the North Korean government allegedly hacked Sony to prevent from being released, has made it into the country: Chinese traders’ trucks carried 20 copies of the film across the border the day after Christmas, just two days after its online release.
Sparrowvsrevolution writes: The reincarnated drug site Silk Road 2.0 announced Thursday that it's been hacked by sellers on the site who used a bug in Bitcoin known as "transaction malleability," the same one plaguing Bitcoin exchange Mt. Gox and others. At least $2.6 million worth of bitcoins have been stolen, according to an estimate based on analyzing the Bitcoin blockchain by Nicholas Weaver of the International Computer Science Institute.
Silk Road's users and others in the Bitcoin community, however, are crying foul. As in the case of Mt. Gox's shutdown, they point out that transaction malleability has been a known issue since 2011, and shouldn't allow the theft of bitcoins. A more likely theory is that Silk Road's administrators have pocketed the funds and used the transaction malleability bug as a convenient scapegoat.
Sparrowvsrevolution writes: At the Black Hat Asia security conference in Singapore next month, two Spanish researchers plan to demo a small gadget they built for less than $20 that can be connected to a car’s internal Controller Area Network to allow hackers to wirelessly inject malicious commands affecting everything from the vehicle's windows and headlights to its steering and brakes. Their tool, which is about three-quarters the size of an iPhone, draws power from the car’s electrical system and can wait for minutes or years before relaying a wireless command to the car's network via Bluetooth or GSM sent remotely from an attacker’s computer. They call it the CAN Hacking Tool, or CHT.
Just what the CHT can trick a car into doing depends on the model--the researchers tried four different vehicles and managed to only fiddle with windows and lights in some cases, while triggering anti-lock brake or emergency brake systems in others. For some of the cars, the device could only be planted by gaining access under the hood, but in other cases, it could be attached to the network just by crawling under the car.
“It can take five minutes or less to hook it up and then walk away,” says one of the researchers. “We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.”
Sparrowvsrevolution writes: After Overstock.com, Google might be the next major web firm to adopt Bitcoin. Bitcoin early adopter, musician and online marketing manager Jarar Malik wrote emails to Jeff Bezos, Tim Cook, Sergey Brin, Larry Page, and Eric Schmidt asking them if they planned to adopt Bitcoin at Amazon, Apple, and Google. When none responded, he moved on to other executives, and surprisingly got a response from a couple of senior vice presidents at Google. One, Google Senior VP of Ads and Commerce Sridhar Ramaswamy, told him that "we are working in the payments team to figure out how to incorporate bitcoin into our plans" and promised to update him "when we are a little more sure."
When Malik posted that exchange to Reddit and the news got a mostly positive response, Google Wallet exec Ariel Bardin asked Malik if he'd be willing to moderate a Google survey on "What would I want Google to do with Bitcoin?"
Aside from these backchannel comments, however, Google isn't saying whether it will adopt Bitcoin, and a press spokesperson says that "while we're keen to actively engage with Wallet users to help inform and shape the product, there's no change to our position: we have no current plans regarding Bitcoin." But it seems clear that the company is exploring the option.
Sparrowvsrevolution writes: At the Real World Crypto conference earlier this week in New York, Johns Hopkins cryptography professor Matthew Green announced the next phase in the evolution of Zerocoin, an alternative cryptocurrency with a focus on perfect anonymity. The new coins will go into circulation in May in some sort of beta program, with their own miners, blockchain, and exchanges, just like Bitcoin. But unlike Bitcoin, Zerocoin is designed to be spent and received without revealing even a trace of a user’s identity.
Zerocoin, which began as an attempt to upgrade Bitcoin's codebase but is now being spun out into an independent cryptocurrency, uses a decades-old mathematical scheme called a “zero-knowledge proof,” which makes it possible to prove that a mathematical statement is true without revealing the content of the computation. That means Zerocoins can act as sealed envelopes of cash that can be combined, split, or spent without either revealing the value of the cash inside those envelopes or their path through the network, all while still protecting against fraud and forgery.
Sparrowvsrevolution writes: For the last year Bram Cohen, who created the breakthrough file-sharing protocol BitTorrent a decade ago, has been working on a tool he calls DissidentX, a steganography tool that's available now but is still being improved with the help of a group of researchers at Stanford. Like any stego tool, DissidentX can camouflage users' secrets in an inconspicuous website, a corporate document, or any other pre-existing file, from a Rick Astley video to a digital copy of Crime and Punishment. But it uses a new form of steganography based on cryptographic hashes to make the presence of a hidden message far harder for an eavesdropper to detect than in traditional stego. And it also makes it possible to encode multiple encrypted messages to different keys in the same cover text.
Hugh Pickens DOT Com writes: Andy Greenberg writes at Forbes that an NSA staffer who contacted Greenberg last month and asked not to be identified offers a very different, firsthand portrait of how Snowden was seen by his colleagues in the agency’s Hawaii office: A principled and ultra-competent, if somewhat eccentric, employee, and one who earned the access used to pull off his leak by impressing superiors with sheer talent. “That kid was a genius among geniuses,” says the NSA staffer. “NSA is full of smart people, but anybody who sat in a meeting with Ed will tell you he was in a class of his own. I’ve never seen anything like it.” The NSA co-worker adds that Snowden’s superiors were so impressed with his skills that he was at one point offered a position on the elite team of NSA hackers known as Tailored Access Operations, a secretive unit that gathers vast amounts of intelligence on terrorist financial networks, international money-laundering and drug operations, the readiness of foreign militaries, even the internal political squabbles of potential adversaries. Snowden unexpectedly turned it down and instead joined Booz Allen to work at NSA’s Threat Operation Center. One hint of Snowden's whistleblower conscience was that Snowden kept a copy of the Constitution on his desk to cite when arguing against NSA activities he thought might violate it. Snowden’s former colleague says that he or she has slowly come to understand Snowden’s decision to leak the NSA’s files. “I was shocked and betrayed when I first learned the news, but as more time passes I’m inclined to believe he really is trying to do the right thing and it’s not out of character for him. I don’t agree with his methods, but I understand why he did it,” he or she says. “I won’t call him a hero, but he’s sure as hell no traitor.”
In an article which purportedly was carefully verified, a former coworker states that the NSA's current PR blitz amounts to a smear campaign against Mr. Snowden. Further, he describes him as a genius among geniuses, who was given the access he needed by the NSA, and did not need to steal or dupe his coworkers to obtain passwords to accomplish his task.
Sparrowvsrevolution writes: The world’s first 3D-printed gun known as the Liberator has been treated as a technological marvel and a terrorist threat. Now it’s officially become a work of art. On Sunday, London’s Victoria & Albert museum of art and design announced that it’s buying two of the original Liberator printed guns from their creator, the libertarian hacker non-profit known as Defense Distributed, and will display them during its Design Festival. Cody Wilson, Defense Distributed's founder, calls the museum's acquisition of the gun a victory for his group: "It will now be this curated, permanent cultural provocation."
Sparrowvsrevolution writes: "It should come as no surprise to Bitcoin users that despite the pseudonymity the cryptocurrency offers, its transactions can be tracked. But University of California at San Diego researcher Sarah Meiklejohn proved that privacy problem more clearly than ever by showing a reporter that she could detect a specific point in Bitcoin's blockchain record of transactions where he had spent Bitcoins in exchange for marijuana on the Silk Road, the most popular online Bitcoin-based black market for drugs.
To simulate a law enforcement subpoena, the reporter for Forbes began by giving Meiklejohn a Bitcoin address associated with Forbes' account. But with just that information, Meiklejohn was able to draw on a "clustering" analysis she had performed to identify Silk Road addresses and match them with the one used in the .3 BTC drug buy. She admits that a user who took more effort to obscure his or her Bitcoin address through a laundering service or other unidentified Bitcoin wallets would be harder to track."