Feds plow resources into “groundbreaking” crypto-cracking program

The federal government is pouring almost $11 billion per year into a 35,000-employee program dedicated to encryption, including "groundbreaking" methods to decode encrypted messages such as e-mails, according to an intelligence black budget published by The Washington Post.

The 17-page document, leaked to the paper by former National Security Agency contractor Edward Snowden, gives an unprecedented breakdown of the massive amount of taxpayer dollars—which reached $52 billion in fiscal 2013—that the government pours into surveillance and other intelligence-gathering programs. It also details the changing priorities of the government's most elite spy agencies. Not surprisingly, in a world that's increasingly driven by networks and electronics, they are spending less on the collection of some hard-copy media and satellite operations while increasing resources for sophisticated signals intelligence, a field of electronic spying feds frequently refer to as "SIGINT."

"We are bolstering our support for clandestine SIGINT capabilities to collect against high priority targets, including foreign leadership targets," James Clapper, director of national intelligence, wrote in a summary published by the WaPo. "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic."



Targeted Attacks Deliver Disassembled Malware

Shortcut files have recently become a common vehicle used in targeted attacks to deliver malware into organizations. Symantec has observed a variety of ways shortcut files are being used to penetrate networks, such as the one described in a previous blog. We recently came across another example of how this file type is being used in an attempt to evade detection by security products and trick email recipients into executing attachments. In this variation, an email with disassembled malware attached is sent to a recipient along with a shortcut file used to reassemble the malware.

The email used for this attack included an archive file as an attachment containing a shortcut file with an icon of a folder along with a real folder containing a Microsoft document file and two hidden files with .dat file extensions.


Figure 1. Inside the attached archive file


Figure 2. Inside the Summit-Report1 folder

For the average user with default Explorer settings, the archive file would appear to contain only two folders. Clicking either of the two "folders" leads the user to the folder containing the document file. If the user opens the one that is actually the shortcut file, a copy command runs and combines the two .dat files into one malicious file, and the computer becomes infected with malware. Note that the structure inside the archive attachment varies, but the archive will always contain multiple broken-up files along with a shortcut file.


Figure 3. Shortcut file properties showing a portion of the script used to assemble the .dat files


Figure 4. Binary data in ~$1.dat


Figure 5. Binary data in ~$2.dat


Figure 6. Binary data in combined executable file

The tactic of disassembling malware before the attack and reassembling it on the victim’s computer may be used by an attacker for several reasons. The main reason may be to avoid the malicious files being detected. If the file is broken up into pieces, security products will have difficulty in determining if these files are malicious. Another reason may be to prevent gateway security products from stripping off executable files. A typical gateway product has the capability to filter by file types and it can be set to strip off executables found in email attachments. This is a common practice carried out by IT departments.

Shortcut files are very simple and cost-efficient to use. They do not require exploits, which can be more resource intensive and also require the victim's computer to be vulnerable. Icons can easily be made to look like folders or document files. Once an attacker prepares the malicious files, they only have to write one line of script and the attack is ready.

What can be done to protect against these types of attacks? In normal circumstances, there are no practical reasons for emails to contain shortcut files. If organizations feel shortcut files are not needed in email attachments, they can explore the possibility of filtering out that file type at the gateway of the network.
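One way to implement the gateway check described above, as an added example that is not Symantec's code: it identifies shortcut members of a zip attachment by the Shell Link header rather than by extension, and flags folders whose non-document files reassemble into a PE image, the split layout shown in Figures 1 and 2. The archive layout, file names and byte contents are constructed stand-ins, not the real sample.

```python
import io
import zipfile
from pathlib import PurePosixPath

# MS-SHLLINK fixed header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def is_shortcut(data: bytes) -> bool:
    """Identify a Windows shortcut by its header, so renaming away from .lnk does not hide it."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_archive(archive: bytes) -> list:
    """Return findings for an archive attachment: any shell link member, and any
    folder whose non-document files, joined in name order, form a PE ('MZ') image."""
    findings = []
    fragments = {}  # folder -> [(name, bytes)] candidates for reassembly
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            path = PurePosixPath(info.filename)
            if is_shortcut(data):
                findings.append(f"shortcut file: {info.filename}")
            elif path.suffix.lower() not in DOCUMENT_SUFFIXES:
                fragments.setdefault(str(path.parent), []).append((path.name, data))
    for folder, parts in fragments.items():
        parts.sort()
        if len(parts) >= 2 and b"".join(d for _, d in parts).startswith(b"MZ"):
            findings.append(f"split executable in {folder}: " + ", ".join(n for n, _ in parts))
    return findings


def build_sample_attachment(benign: bool = False) -> bytes:
    """Constructed archive shaped like Figures 1 and 2; not the real sample from the post."""
    body = b"MZ" + bytes(range(256)) * 4  # stand-in for an executable, split in two
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Summit-Report1/Summit-Report1.docx", b"PK\x03\x04" + b"\x00" * 32)
        if not benign:
            zf.writestr("Summit-Report1.lnk", LNK_MAGIC + b"\x00" * 56)  # header only
            zf.writestr("Summit-Report1/~$1.dat", body[: len(body) // 2])
            zf.writestr("Summit-Report1/~$2.dat", body[len(body) // 2 :])
    return buf.getvalue()
```

Running `scan_archive(build_sample_attachment())` reports both the shortcut and the reassembled executable, while the benign archive produces no findings; a gateway rule can quarantine on either finding.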

Symantec detects the malware discussed in this blog as Trojan Horse.

Medical lab allegedly exposed customer info on P2P, claims it was the victim

Security company Tiversa uncovered confidential health care information by scanning P2P networks.

A medical testing laboratory called LabMD has been accused of exposing the personal information of about 10,000 customers on a peer-to-peer file sharing network.

The company has been fighting the claims, saying a security firm that uncovered the breach victimized LabMD by downloading a large spreadsheet containing sensitive customer information.

The US Federal Trade Commission today said it filed a complaint which "alleges that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves."



Rendering bug crashes OS X, iOS apps with string of Arabic characters (Updated)

This nonsensical string of Arabic characters renders fine in Firefox, but it crashes any iOS or OS X browser that uses Apple's CoreText API.
Andrew Cunningham

There's a new bug in town, and it's here to crash your Mac and iPhone applications. Posters in a HackerNews thread from late yesterday have discovered that it's possible to crash Web browsers and other apps running on current versions of iOS and OS X by making them render a specific, nonsensical string of Arabic characters. The title of the HackerNews thread implies that the issue is with the WebKit browser engine, but it actually affects any browser or application that uses Apple's CoreText API to render text. Ars Microsoft Editor Peter Bright has taken great pleasure in sending the text string to his co-workers, which has crashed the Limechat IRC client and Adium chat client, among other programs.

Safari crashes in both OS X 10.8.4 and iOS 6.1.3 when it attempts to read the text string, and rendering the string in the current stable release of Chrome prompts the browser's typical "Aw snap!" error page (though Chrome's sandboxing implementation keeps the bug from bringing the whole browser down). Firefox, which uses its own font rendering engine, can display the text just fine. This supports the idea that it's a CoreText issue and not a problem with any particular application.

Some Mac and iOS device users on Twitter were only half joking when labeling the string the "unicode of death." Text messages that display the characters caused some people's iMessage apps to spiral into an extended crash loop, since the string would be displayed each time the user loads previously sent messages. Many e-mail programs were also felled by the text. It can even be triggered by including the text in the network name of a wireless access point, creating problems for vulnerable devices that encounter the name when a user looks for available connections. Tweets and other social networking dispatches were enough to cause browsers to crash, so within a few hours of the bug becoming public, Facebook was already preventing the characters from being posted to user walls and timelines by displaying the message below.
