FBI, Carnegie Mellon Deny $1M Contract to Crack Tor

The FBI has denied allegations that it paid Carnegie Mellon University security researchers $1 million to crack a network designed to protect the anonymity of its users.

The Tor Project, which operates the network, last week accused the FBI of cutting the CMU deal.

The attack on Tor occurred from January to July 2014. The attackers discovered a way to strip the anonymity of Tor users by tracking their traffic on the network.

Tor attributed the attack to Carnegie Mellon after a pair of researchers from that university, Alexander Volynkin and Michael McCord, abruptly canceled a presentation they were scheduled to make at the Black Hat security conference in Las Vegas in August 2014.

In their presentation’s description, the pair wrote:

“In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months.”

Inaccurate Accusation

“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Tor Project Director Roger Dingledine said.

“We have been told that the payment to CMU was at least $1 million,” he added.

“The claims as reported are inaccurate,” the FBI said in a statement provided to TechNewsWorld by spokesperson Jillian B. Stickles.

“The allegation that we paid Carnegie Mellon a million dollars to hack Tor is inaccurate,” the statement notes. “We have a partnership with them on various things, but this story is completely inaccurate that we ever paid them a million dollars to hack into Tor.”

Carnegie Mellon, too, has called reports about its role in the Tor attack inaccurate.

“In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance,” it said Wednesday in a statement provided to TechNewsWorld by Ken Walters of Carnegie Mellon University’s media relations department.

The university declined to provide further details for this story.

Linux Ransomware

Dr.Web earlier this month discovered the first known ransomware written for Linux servers. Fortunately, it was written by an inept extortionist.

Aimed at administrators of Linux servers, the ransomware, Linux.Encoder.1, was planted on a number of computers by exploiting existing vulnerabilities in Linux.

After infecting a server, the ransomware encrypts important files on the system. It then demands that the system operator pay a ransom — one or two bitcoins — to decrypt the files.

The problem with the scheme was that the blackmailer used a weak form of encryption to scramble the files with the ransomware.

Reprise Likely

Ransomware writers typically use the AES algorithm to encrypt files on a target machine. AES uses the same key to encrypt and decrypt files.

That’s an inherent weakness of a symmetric cipher like AES: the key that decrypts the files has to exist on the victim’s machine at the moment of encryption. To compensate for that weakness, criminal coders use a stronger, asymmetric algorithm — RSA — to encode the AES keys.

Wrapping the AES keys with an RSA public key makes the copies stored on the target computer useless without the matching private key, and since that private key is stored somewhere on the Internet rather than on the victim’s machine, it’s more difficult for malware fighters to find.

“In this case, they didn’t use the RSA key to encrypt the AES key,” said Liviu Arsene, senior threat analyst for Bitdefender.

“That made the AES files really easy to decrypt because the AES encryption key is based on the time stamp of the file at the time of encryption. Once you know that time stamp, you can break the encryption pretty easily,” he told TechNewsWorld.

“This was a pretty poor attempt at doing ransomware, but in the future, they could use an RSA key stored on a command and control server to make this a potent encryption system,” Arsene said.

“From what we’ve seen in the evolution of Windows ransomware, we can expect to see some advanced stuff following this,” he added.
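The contrast Arsene describes, a file key derived from a timestamp versus a random key wrapped with an RSA public key, worked through as an added example; this is not code from the article, from Bitdefender, or from the malware. It assumes a stand-in derivation (SHA-256 of the timestamp, since the article says only that the key was “based on the time stamp”), uses AES-256-GCM for the file and RSA-OAEP for the key wrap, and shows the analyst’s check: searching timestamps within a window around the file’s modification time recovers the weak key, while the same search against a randomly generated key finds nothing and only the RSA private key opens the file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

// weakKey stands in for a key derived from the file's timestamp (assumption: the
// article says only "based on the time stamp"; the real derivation is not given).
func weakKey(ts int64) []byte {
	sum := sha256.Sum256([]byte(strconv.FormatInt(ts, 10)))
	return sum[:]
}

// strongKey is what a hybrid scheme should use for each file: 32 random bytes.
func strongKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal. The GCM tag makes a wrong key fail instead of
// returning garbage, which is what lets the search below verify a candidate.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// recoverByTimestamp is the analyst's check: try every key derivable from a
// timestamp within `window` seconds of the file's mtime (a tiny candidate space).
func recoverByTimestamp(sealed []byte, mtime, window int64) (int64, []byte, error) {
	for ts := mtime - window; ts <= mtime+window; ts++ {
		if pt, err := unseal(weakKey(ts), sealed); err == nil {
			return ts, pt, nil
		}
	}
	return 0, nil, errors.New("no timestamp in window yields a valid key")
}

// wrapKey/unwrapKey are the RSA step the article says was missing: the per-file
// AES key is encrypted to a public key, so the disk holds only a ciphertext of it.
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	doc := []byte("constructed sample file contents")
	const encryptedAt int64 = 1415577600 // constructed: 2014-11-10 00:00:00 UTC
	// Weak scheme: the file's mtime lands a few seconds after the key's timestamp.
	sealedWeak, _ := seal(weakKey(encryptedAt), doc)
	ts, pt, err := recoverByTimestamp(sealedWeak, encryptedAt+3, 60)
	fmt.Println("weak key recovered:", err == nil, ts, string(pt) == string(doc))
	// Hybrid scheme: random key wrapped with RSA; the same search finds nothing.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	key, _ := strongKey()
	sealedStrong, _ := seal(key, doc)
	wrapped, _ := wrapKey(&priv.PublicKey, key)
	_, _, err = recoverByTimestamp(sealedStrong, encryptedAt+3, 60)
	fmt.Println("random key found by search:", err == nil)
	unwrapped, _ := unwrapKey(priv, wrapped)
	pt2, _ := unseal(unwrapped, sealedStrong)
	fmt.Println("decrypts with private key:", string(pt2) == string(doc))
}
```

The search window is the whole point: a key that is a function of a value an analyst can read off the filesystem, such as an mtime, is one of a few hundred candidates, and an authenticated mode tells the analyst which candidate is right. A randomly generated key wrapped under a public key leaves nothing on the host to enumerate, which is why a decryption tool for such a family depends on obtaining the private key rather than on cryptanalysis.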

New POS Malware

The Target data breach during the 2013 holiday season showed how vulnerable retailers are. A recent discovery by Proofpoint will add to that feeling of vulnerability.

The company last week identified a new point-of-sale malware program that it’s calling “AbaddonPOS.”

Once planted on a system, the malware searches for credit card information in the memory of all processes, except its own.

Unlike typical POS malware, which exfiltrates data using the commonly used HTTPS protocol, AbaddonPOS uses its own protocol to exfiltrate its stolen information. That could be a measure to foil security programs that analyze network traffic for potential bad behavior.

Consumer Threat

The delivery method of the POS malware also is disturbing. It’s being incorporated into the repertoire of a banking Trojan called Vawtrak. What that means is that Net bandits are folding POS attacks into their all-purpose toolkits.

The practice of threat actors increasing their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice, Proofpoint explained.

While using this technique to deliver point-of-sale malware is less common, the approach of the U.S. holiday shopping season gives cybercriminals ample reason to maximize the return on their campaigns by distributing POS malware that can capture the credit and debit card transactions of shoppers.

“Clearly any software capable of stealing credit card data poses a risk to card-using shoppers and card issuers,” added Kevin Epstein, vice president of advanced security and governance at Proofpoint.

“The appearance of a new variant of such software just before the holiday shopping season is alarming and suggests criminals are very aware of the potential for major financial gain,” he told TechNewsWorld.

Breach Diary

  • Nov. 9. Comcast resets passwords of 200,000 customers after a news report revealed a hacker was offering to sell for $1,000 on the dark Web the email addresses and passwords of 590,000 of the cable company’s customers.
  • Nov. 9. Onapsis Research Labs publishes a list of 21 vulnerabilities in SAP’s HANA platform. Eight of the flaws are rated critical because they can be used to delete data, steal customer information or change product pricing data.
  • Nov. 10. Federal authorities in New York City file indictments against three men alleged to have stolen records of 83 million customers of JPMorgan Chase & Co. from June to August 2014.
  • Nov. 10. Federal court of appeals in Philadelphia rules tracking the URLs someone visits can in some cases be subject to the warrant requirements of the federal Wiretap Act.
  • Nov. 10. In a report on earnings, Experian notes a number of class actions have been filed against it related to a data breach resulting in theft of personal information of 15 million applicants for T-Mobile phone service in the United States. It added that it took a $20 million charge to its books related to the event.
  • Nov. 10. President Obama nominates Beth Cobert to be head of U.S. Office of Personnel Management. Earlier this year, a data breach at that agency compromised information of 21.5 million people.
  • Nov. 10. In a preview of its first Protected Health Information Data Breach Report, expected to be released later this month, Verizon notes that 90 percent of all industries have experienced a PHI data breach.
  • Nov. 10. U.S. District Court Judge Richard Leon orders the NSA to cease collecting phone call records of California attorney J.J. Little. The decision is seen as a symbolic victory for privacy advocates because it applies only to a single law firm.
  • Nov. 10. Pew Research Center reports more than 1 million Android apps in the Google Play Store make 235 unique requests for permissions to access user information or hardware. Most requests are for hardware access rather than personal information, Pew said.
  • Nov. 10. Microsoft releases Patch Tuesday fixes containing 12 security updates addressing a total of 53 vulnerabilities, four of them rated critical.
  • Nov. 11. Cheetah Mobile security researchers discover more than 17,000 Android tablets for sale on Amazon with the Cloudsota Trojan preinstalled on them.
  • Nov. 11. The Intercept reports it has received a cache of leaked records from Securus Technologies, a provider of phone services inside prisons and jails. The publication says the cache includes more than 70 million records of phone calls made by inmates in at least 37 states.
  • Nov. 11. TalkTalk CEO Dido Harding tells the BBC in an interview that the data breach at her company will cost it 30 million to 35 million pounds. That includes costs for incident response, extra call center calls, extra IT services and sales site downtime.
  • Nov. 11. Facebook reports government requests for account data rose 18 percent during the first half of 2015 compared to the first half of 2014, to 41,214 from 35,051.
  • Nov. 11. Microsoft announces opening of two new data centers in Germany to keep native cloud traffic within that nation. European countries have been cracking down on native data entering the United States since revelations by Edward Snowden of mass surveillance efforts by U.S. government agencies.
  • Nov. 11. Apple and Google remove from their app stores an Instagram app called Who Viewed Your Profile – InstaAgent for stealing usernames and passwords and sending them to its developer’s server.

Upcoming Security Events

  • Nov. 21. B-Sides Vienna. NIG – Neues Institutsgebäude, Universitätsstraße 7, 1010 Vienna, Austria. Free.
  • Nov. 21. B-Sides Jacksonville. The Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Free.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 — end users, 1,799 pounds plus VAT; solution providers, 2,799 pounds plus VAT. Before Oct. 30 — end users, 1,899 pounds plus VAT; solution providers, 2,899 pounds plus VAT. Standard — end users, 1,999 pounds plus VAT; solution providers, 2,999 pounds plus VAT.
  • Dec. 7-9. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd. South, Las Vegas. Registration: $2,695; public sector, $2,225.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • I think we overreact to how to deal with terrorism. Much like taking away people’s right to own guns. I don’t know of any terrorists who legally obtain guns. Or criminals for that matter. Should we punish everyone because we know of no other way to investigate terrorists than to take away everyone’s privacy? Maybe if we prevented these people from entering the country to begin with that could be a significant advantage?? Maybe if we had actual intelligence in the field that could focus on terrorists and monitor them. That also would be very important. I think these social sites are by far not the communication device that terrorists use for important communications. They may for recruitment, and casual and propaganda communication. But I think most have learned to use better means. We in the free world have given up a lot of privacy and it seems we are not a lot farther ahead at preventing these attacks. I question if we give up more privacy if anything will improve.

