FBI Using Top Secret Hacking Weapons

 

A forensic artist with the FBI demonstrates how she does a 3D laser scan of a skull on a computer in Quantico, VA on Wednesday June 20, 2012. Jabin Botsford—The Washington Post The Washington Post via Getty Images

 

A top agency official acknowledged that it uses secret software vulnerabilities in investigations.

The Federal Bureau of Investigation recently made an unprecedented admission: It uses undisclosed software vulnerabilities when hacking suspects’ computers.

Amy Hess, head of the FBI’s science and technology arm, recently went on the record about the practice with the Washington Post. “Hess acknowledged that the bureau uses zero-days,” the Post reported on Tuesday, using industry-speak for generally unknown computer bugs. The name derives from the way such flaws blind side security pros. By the time attackers have begun taking advantage of these coding flubs, software engineers are left with zero days to fix them.

A forensic artist with the FBI demonstrates how she does a 3D laser scan of a skull on a computer in Quantico, VA on Wednesday June 20, 2012.

A top agency official acknowledged that it uses secret software vulnerabilities in investigations.
The Federal Bureau of Investigation recently made an unprecedented admission: It uses undisclosed software vulnerabilities when hacking suspects’ computers.

Amy Hess, head of the FBI’s science and technology arm, recently went on the record about the practice with the Washington Post. “Hess acknowledged that the bureau uses zero-days,” the Post reported on Tuesday, using industry-speak for generally unknown computer bugs. The name derives from the way such flaws blind side security pros. By the time attackers have begun taking advantage of these coding flubs, software engineers are left with zero days to fix them.

Never before has an FBI official conceded the point, the Post notes. That’s noteworthy. Although the news itself is not exactly a shocker. 

It is well known among cybersecurity and privacy circles that the agency has had a zero day policy in place since 2010, thanks to documents obtained by the American Civil Liberties Union and published earlier this year on Wired. And working groups had been assembled at least two years earlier to begin mapping out that policy, as a document obtained by the Electronic Frontier Foundation privacy organization and also published on Wired shows. Now though, Hess, an executive assistant director with the FBI, seems to have confirmed the activity.

(People surmised as much after the FBI was outed as a customer of the Italian spyware firm Hacking Team after hackers stole some of its internal documents and published them online this year, too.)

The agency’s “network investigative techniques,” as these hacking operations are known, originate inside the FBI’s Operational Technology Division in an enclave known as its Remote Operations Unit, according to the Post. They’re rarely discussed publicly, and many privacy advocates have a number of concerns about the system, which they say could potentially be abused or have unsavory consequences.

Law enforcement agencies’ reliance on such exploits poses a Catch-22. On the one hand, hoarding coveted bugs and keeping them secret lets authorities slyly target suspects and collect evidence (with a warrant, of course). On the other hand, alerting tech companies about flaws in their products lets them fix the problems, protecting customers everywhere and securing them against attacks from less well-intentioned hackers and spies. The two incentives are undeniably at odds.

That dilemma grows more complex when another compelling reason for agencies like the FBI to use zero days enters the mix. The hacking method lets investigators sidestep roadblocks posed by strong encryption, a technology that scrambles data and communications and increasingly leaves the Feds in the dark, so to speak, when probing wires and hard drives for incriminating information. Consider the hacking option as the agency’s “plan B,” as the Intercept has detailed.

The tactic isn’t necessarily a bad thing. Indeed, Jonathan Mayer, the Federal Communication Commission’s recently appointed technical lead for investigations who is also a well-known privacy advocate, earlier this year described hacking as a potentially “legitimate and effective law enforcement technique” in an academic paper. Another set of big-name security researchers also recently argued in a paper that targeted hacking campaigns could provide a tolerable alternative to mandating that tech firms add special “backdoor” access to their encrypted products for investigators.

Read the more on Fortune

Cyber Thieves Target Retailers With Latest Credit Card Stealing Malware

Ahhhh! Retail data breaches—just in time for the holidays.

Personally, I don’t plan to be anywhere near the malls on ‘Black Friday’ or Black Saturday or Sunday. The savings just aren’t worth the hassle & the deals are not really “big deals” from the retailer’s standpoint –considering their markups. Honestly, most retailers run the exact same sales or better ones online.

That being said, millions of consumers will pound the pavement come 12:01 a.m. looking for those big “steal of a deals”..

If you’re using your debit or credit cards just keep a close eye on your accounts come Saturday, apparently there’s a new sophisticated gang of cyber thugs ready to “steal your deals” & help you spend your money by stealing your credit card numbers!

Tis the season! If you do shop online, you might want to sign up for a PayPal account. 

Happy Holidays!

Join the discussion.

  
According to Fortune– Hackers are targeting U.S. retailers with a new wave of malware intended to steal credit card and debit card information from payment terminals, according to a cybersecurity firm.

News of the attacks arrive just ahead of holiday shopping season, a particularly busy time of year for the retailers, health care providers, payment card processors, and hospitality companies that may be affected.

“This is by far most the most sophisticated point of sale malware we’ve seen to date,” said Maria Noboa, technical analyst at iSight Partners, whose team discovered the difficult-to-detect malware. “They have such great in-depth understanding of operational security measures, evading detection and the mitigation techniques used,” she said about the coders’ expertise.

The malware in question involves separate modules that run close to computers’ operating systems, making them harder to analyze. These “rootkit” modules—tools that enable the hackers to remain hidden and in control—also use advanced encryption that prevents traditional anti-virus and other monitoring software from detecting them.

“We have found three right now, and we are sure there are more out there,” said Stephen Ward, marketing director at iSight, about the modules. First, there’s a “keylogger,” that records and stores keyboard strokes. Second, there’s an “uploader-downloader” that connects compromised machines with the hackers’ command and control infrastructure, or remote servers that can send and receive data or instructions to and from infected devices. And third, the iSight researchers identified a “POS scraper” that steals payment card information from the memory of retailers’ computers.

Pieces of the malware seem to have been in development as early as 2012, according to iSight. Attacks based on the malware began targeting U.S. retailers a year later, and the assaults are likely ongoing, Noboa said.

iSight named the malware “ModPOS” after its characteristic modules. The firm said it has found no discussion of it on online crime forums, which suggests that a single professional-level hacking group is behind the scam. Although firm evidence is lacking, some indicators suggest that the malware might be Eastern European in origin.

iSight said it began notifying clients of the threat in October, and other retailers more recently in order to give them time to track down and remove the malware from their machines before the Black Friday and Cyber Monday shopping sprees.

Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center, an industry group that shares cybersecurity information, told Fortune that members of the organization have been hunting for the malware on their systems since learning of it. “I don’t know if anyone has been effective in kicking it off their system, or what measures need to be taken to remove it,” she said. “It’s bigger in functionality, has more sophisticated coding, and it’s trickier about hiding,” compared to other recent [point of sale] malware attacks, she said.


Read the rest of this article on
Fortune.