GCHQ’s “Chinese menu” of tools spreads disinformation across Internet

Just a few of the "weaponized" capabilities from GCHQ's catalog of information warfare tools.

What appears to be an internal Wiki page detailing the cyber-weaponry used by the British spy agency GCHQ was published today by Glenn Greenwald of The Intercept. The page, taken from the documents obtained by former NSA contractor Edward Snowden, lists dozens of tools used by GCHQ to target individuals and their computing devices, spread disinformation posing as others, and “shape” opinion and information available online.

The page had been maintained by GCHQ’s Joint Threat Research Intelligence Group (JTRIG) Covert Internet Technical Development team, but it fell out of use by the time Snowden copied it. Greenwald and NBC previously reported on JTRIG’s “dirty tricks” tactics for psychological operations and information warfare, and the new documents provide a hint at how those tactics were executed. GCHQ’s capabilities included tools for manipulating social media, spoofing communications from individuals and groups, and warping the perception of content online through manipulation of polls and web pages’ traffic and search rankings.

Originally intended to inform other organizations within GCHQ (and possibly NSA) of new capabilities being developed by the group, the JTRIG CITD team noted on the page, “We don’t update this page anymore, it became somewhat of a Chinese menu for effects operations.” The page lists 33 “effects capability” tools, as well as a host of other capabilities for collecting information, tracking individuals, attacking computers, and extracting information from seized devices.

Google “Project Zero” hopes to find zero-day vulnerabilities before the NSA

"You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications," writes Google security researcher Chris Evans. To help make that a reality, Google has put together a new team of researchers whose sole purpose is to find security flaws in software—any software—that's used on the Internet.

Google employees have found and reported security flaws in the past, but only as a part-time effort. The new "Project Zero" team will be dedicated to hunting for the kind of exploitable flaws that could be used to spy on human rights activists or conduct industrial espionage. Aiming to disrupt targeted attacks, the team will look at any software that's depended on by a large number of people.

Project Zero will report bugs it finds only to the software vendor, and it will give those vendors 60 to 90 days to issue patches before public disclosure. This time frame may be reduced for bugs that appear to be actively exploited.

Oracle Releases July 2014 Security Advisory

Original release date: July 15, 2014

Oracle has released its Critical Patch Update for July 2014 to address 113 vulnerabilities across multiple products.

This update contains the following security fixes:

  • 5 for Oracle Database Server
  • 29 for Oracle Fusion Middleware
  • 7 for Oracle Hyperion
  • 1 for Oracle Enterprise Manager Grid Control
  • 5 for the Oracle E-Business Suite
  • 3 for Oracle Supply Chain Products Suite
  • 5 for Oracle PeopleSoft Products
  • 6 for Oracle Siebel CRM
  • 1 for Oracle Communications Applications
  • 3 for Oracle Retail Applications
  • 20 for Oracle Java SE
  • 3 for Oracle and Sun Systems Products Suite
  • 15 for Oracle Virtualization
  • 10 for Oracle MySQL

US-CERT encourages users and administrators to review the Oracle July 2014 Critical Patch Update and apply the necessary updates.



Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”

Update 1: A few hours after this article was published, OpenBSD founder Theo de Raadt emailed Ars and wrote: "It is way overblown. This will never happen in real code." The vulnerability, cataloged as CVE-2014-2970, already has been patched, with modified code located at lib/libc/crypt : arc4random.c.

Update 2 on August 1, 2014: Contrary to information de Raadt provided Ars, no CVE was assigned to the bug.

The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.
