Anonymous hacking group launches new assault on law enforcement agencies
Nov. 27, 2011
The Anonymous AntiSec hacking group has launched a new assault on police and law enforcement agencies with the release of what they say are personal emails stolen from a Californian cybercrime investigator.
The cache of emails, which according to AntiSec are from the account of Fred Baclagan, a retired special agent supervisor of the Californian Department of Justice, includes over 30,000 emails detailing various computer forensic techniques and cybercrime investigation protocols.
The hackers claim to have hacked into Baclagan's Gmail account and to have accessed his voicemails and SMS message logs using unspecified techniques as part of their ongoing campaign against law enforcement officials and their allies in the computer security industry.
The email messages, released Friday as part of what has become the group's regular F***FBIFriday release, are also said to contain personal information including Baclagan's home address and phone number.
"Possibly some of the most interesting content in those emails are the IACIS.com internal email list archives from 2005 to 2011, which detail the specific methods and tactics cybercrime units use to gather electronic evidence, conduct investigations and make arrests," a member of Anonymous said in a statement accompanying the release, adding that knowledge of these techniques will help hacktivists to develop better tradecraft and anti-forensic techniques.
"There are various discussions about using EnCase forensic software, attempts to crack TrueCrypt encrypted drives, sniffing wireless traffic in mobile surveillance vehicles, how to best prepare search warrants and subpoenas, and a whole lot of people asking even more questions on how to use basic software like FTP."
Baclagan said that he was nobody special in the Justice Department, which is what he would say, of course. He also added that at one point, he had specialized in identity theft before he retired in April 2010. "I'm really just a nobody, just a local investigator, not involved in anything dynamic or dramatic," he said.
In other internet security news
With the simple decrypting of a protected PayPal browser cookie at a security conference on September 23, it became official: the internet's foundation of trust has suffered another serious fracture that will require the attention of the industry's best minds if SSL technology is to be trusted at all.
Within just a few hours of the demonstration by internet security researchers Juliano Rizzo and Thai Duong, Google researcher Adam Langley signaled his growing acceptance that SSL (secure sockets layer), the decade-old cryptographic standard that protects web sites and eCommerce sites using the https prefix, was susceptible to an attack that previously was considered impractical.
The result: by tampering with an encryption algorithm's CBC (cipher block chaining) mode, hackers could easily and secretly decrypt portions of the encrypted traffic, a serious breach of a technology that, until now, everybody in the internet community believed to be secure.
“The CBC attacks were believed to be largely theoretical but, as Duong and Rizzo have pointed out Friday, that's no longer the case,” Langley wrote.
He went on to say that, as previously reported, developers of Google's Chrome browser are currently experimenting with a work-around but are not yet sure whether it will create incompatibilities with various websites that are still using SSL.
He added that Google's SSL technology is highly resistant to the attack because it favors the RC4 cipher, which doesn't use CBC and is therefore less exposed. To what extent, however, isn't certain at this time.
Yesterday, both Microsoft and Mozilla acknowledged that their software was also affected. An advisory issued by Microsoft recommends that websites follow Google's lead and favor the RC4 cipher while Redmond's engineers develop a Windows update to patch the underlying weakness.
For its part, Mozilla made public a three-month-old discussion of the underlying security vulnerability and the best way to repair it without breaking a huge number of websites that have been running for so many years.
And Duong and Rizzo's exploit isn't the easiest to pull off either. Attackers must already control the network used by the intended victim, and they can only recover secret information that's transmitted repeatedly and in a predictable location of the encrypted data stream.
Then they must also have a means to subvert a safety mechanism built into the internet known as the SOP (same-origin policy), which dictates that data set by one domain name can't be read or modified by a different IP address.
To get around the SOP, the security researchers used a specific Java applet, but they said there are other methods for achieving the same purpose.
But as Duong and Rizzo demonstrated Friday, those constraints weren't enough to stop them from revealing the plain text of a supposedly SSL-protected browser cookie transmitted with each request that a logged-in PayPal user makes on the payments website.
Using what is presumed to be a broadband connection somewhere in Mountain View, California, Duong was able to recover the authentication cookie in about two minutes, giving him everything he needed to gain unauthorized access to someone else's account.
Moxie Marlinspike, a security researcher who has repeatedly poked holes in the SSL protocol and its transport-layer security successor, put it this way: “As it stands now, given the number of difficult conditions necessary for deploying such an attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability.”
BEAST, short for Browser Exploit Against SSL/TLS, isn't the only reason to question the adequacy of the SSL cryptographic system the entire internet uses to prevent eavesdroppers from accessing your private accounts. And remember that a patch introduced by OpenSSL in 2002 to fix this very vulnerability was turned off because it introduced incompatibilities in software from Microsoft, further complicating matters.
SSL encryption may have dodged a bullet for now, but as the recent DigiNotar debacle demonstrated, the system itself isn't immune to real-world attacks that have very real consequences for those who depend on it. As we always do, we will keep you posted on this and on other news that affect the security of the internet.
In other internet security news
The University of Sydney in Australia and technical publisher Elsevier said earlier this morning that they are holding their first official competitive hackathon for security students and professional software developers.
The Sydney Hackathon gives teams of up to five a twenty-four hour window to develop an application that improves content delivery for scientific, technical and medical publisher Elsevier, publisher of The Lancet and SciVerse Science Direct.
"The hackathon is designed to encourage students and internet security professionals to build creative and innovative software applications for science, using data from open application program interfaces," said SUITS (Sydney Uni IT Society) president James Alexander.
The inaugural Sydney Hackathon is being held this weekend, and will offer cash prizes of up to $1500 AU to the winning team. What's more, competitors can even retain the official ownership of any intellectual property developed during the event.
Entrants have from 2.00 PM Saturday to develop an application of any kind, as long as it draws on Elsevier's SciVerse and ScienceDirect platforms, which include over 10 million scientific publications from 2600 journals.
Application developers and security software designers, students from any university in Australia and full-time programmers are invited to enter the hackathon.
In other internet security news
Over the past weekend, Oracle broke away from tradition with the publication of an unscheduled security patch. The security update addresses a DDoS (distributed denial of service) vulnerability in its Apache web server software.
This represents only the fifth time that Oracle has published a security update outside the quarterly patch schedule it began at the start of 2005.
The security patch provides an updated Apache web server and a new http daemon to Oracle's Fusion Middleware and Application Server products.
The former product includes Apache httpd 2.2. The latter includes Apache httpd 2.0.
The new security vulnerability is cataloged as CVE-2011-3192 and it creates a method to trick web clients into requesting multiple parts of the same file at the same time, causing systems to get hopelessly tied up in a loop and crash altogether.
The Apache Foundation first addressed the same underlying byte-range flaw with a 2.2.20 update at the end of August. Last week, it ironed out a few glitches in that bug fix with a further update, 2.2.21.
At this time, it isn't exactly clear which code base Oracle has used, although given testing schedules and the like, the earlier patch seems more likely.
Whatever code base was used, the database giant is emphatic that system admins need to apply the patch sooner rather than later.
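A defender-side check for the byte-range flaw described above, written here as an added example that is not from the article, from Apache or from Oracle: it parses an HTTP Range header and flags requests carrying an unusually large number of ranges or overlapping ranges of the same resource, the request shape that made the flaw expensive for the server to satisfy. The thresholds and the sample headers are constructed assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Range headers (not taken from the article): one ordinary
# two-part request, and one with many overlapping sub-ranges of a single file.
SAMPLE_HEADERS = {
    "benign": "bytes=0-499,1000-1499",
    "abusive": "bytes=" + ",".join(f"0-{i}" for i in range(1, 21)),
}

# One byte-range spec: "first-last", "first-" (open-ended) or "-suffix".
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Split a bytes= Range header into (first, last) pairs; None marks an open end."""
    unit, sep, specs = header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError(f"unsupported Range header: {header!r}")
    ranges = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed range spec: {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def overlapping_pairs(ranges) -> int:
    """Count pairs of fully specified ranges whose byte intervals overlap."""
    closed = sorted((a, b) for a, b in ranges if a is not None and b is not None)
    count = 0
    for i in range(len(closed)):
        for j in range(i + 1, len(closed)):
            if closed[j][0] <= closed[i][1]:  # sorted, so only the start matters
                count += 1
    return count


def is_abusive_range(header: str, max_ranges: int = 5, max_overlaps: int = 1) -> bool:
    """Return True for a Range header worth rejecting or logging.

    The limits are assumptions chosen for this example: ordinary clients rarely
    need more than a handful of ranges, and overlapping ranges of one file are
    what drive up the cost of serving the response.
    """
    try:
        ranges = parse_ranges(header)
    except ValueError:
        return True  # an unparseable Range header is not worth honouring
    return len(ranges) > max_ranges or overlapping_pairs(ranges) > max_overlaps
```

A front-end proxy or a log-analysis job can apply the same test, stripping the Range header or raising an alert when it returns True.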
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible," it said in its advisory.
Source: The Anonymous Hacking Group.