Treaty limiting weapons exports updated to include cyberweapons

Diplomats representing several Western governments are huddling in Vienna this week in the hopes of finalizing new, Internet-related additions to the Wassenaar Arrangement. That pact—under which the United States, Russia, Japan, France, Germany and dozens of other signatories agree to strictly limit exports of certain weapons—is being updated in order to control access to complex surveillance and hacking software and cryptography. These countries hope to keep sophisticated cyberweapons out of what they consider to be the wrong hands despite explosive growth (pun intended) in the cybersnooping market.

An example of the technology the signatories hope to keep inside the group’s proverbial fence is “deep package inspection.” According to a Financial Times article, “Western intelligence agencies are particularly concerned [about restricting access to such advances]” because they don’t want their enemies to “foil cyber attacks or gain an intimate understanding of Western screening systems and their fallibilities.” A spokesperson for the UK’s Department for Business, which deals with Britain’s export license regime, told FT that: “The government agrees that further regulation is necessary. These products have legitimate uses in defending networks and tracking and disrupting criminals but we recognize that they may also be used to conduct espionage.”

No Such Thing As a Completely Isolated Computer

Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Germany have just published a paper describing how they created a wireless mesh network capable of sending short bits of code to or intercepting data from air-gapped machines.

How does it work? Audio signals in the low ultrasonic frequency range (around 20 kilohertz) were transmitted from one machine to another over a maximum distance of about 20 meters. According to a Computer World article,

The data was transmitted using two different acoustical modem software applications called Minimodem and Adaptive Communication System (ACS) modem, the latter delivering the best results. On the network layer, the researchers used an ad-hoc routing protocol called GUWMANET (Gossiping in Underwater Mobile Ad-hoc Networks) that was developed by FKIE for underwater communication.

The nodes on the network, in this case laptop computers, have to be in direct line of sight, but the researchers note that it’s not unusual to find computers in such an arrangement in labs and open-plan offices.

Though the network—a dream come true for cybercrooks including nation states looking to engage in espionage or sabotage—currently limits data transmission to about 20 bits per second, that’s still enough to snatch login credentials and encryption keys or relay an attacker’s commands.
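A defender's view of the roughly 20 kHz channel described above, as an added example that is not from the original article or the researchers' paper: it measures how much of an audio frame's energy sits in a near-ultrasonic window and flags frames where that share is unusually high. The sample rate, the 18 to 22 kHz band edges, the alert threshold and the sample frames are all assumptions constructed for illustration.

```python
import math

SAMPLE_RATE = 48_000      # Hz; assumed capture rate (Nyquist limit 24 kHz)
FRAME = 480               # 10 ms frame, so DFT bins are 100 Hz apart
BAND = (18_000, 22_000)   # Hz; assumed window around the ~20 kHz signal
THRESHOLD = 0.01          # assumed: alert when >1% of frame energy is in BAND


def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Return |X(f)|^2 for one DFT bin using the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / sample_rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_energy_fraction(samples, band=BAND, sample_rate=SAMPLE_RATE):
    """Fraction (0.0 to 1.0) of the frame's energy that lies inside `band`."""
    n = len(samples)
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0  # silent frame: nothing to measure
    step = sample_rate / n  # width of one DFT bin in Hz
    first, last = math.ceil(band[0] / step), math.floor(band[1] / step)
    in_band = sum(goertzel_power(samples, k * step, sample_rate)
                  for k in range(first, last + 1))
    # Parseval: each positive-frequency bin contributes (2/N) * |X_k|^2.
    return (2.0 / n) * in_band / total


def is_suspicious(samples):
    """True when the near-ultrasonic share of energy exceeds THRESHOLD."""
    return band_energy_fraction(samples) > THRESHOLD


def tone(freq_hz, amplitude, n=FRAME):
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(n)]


# Constructed frames (not captured data): audible tones only, then the same
# frame with a quiet 20 kHz component mixed in.
ambient = [a + b for a, b in zip(tone(1_000, 0.5), tone(3_000, 0.2))]
with_carrier = [a + c for a, c in zip(ambient, tone(20_000, 0.1))]

if __name__ == "__main__":
    for name, frame in (("ambient", ambient), ("with_carrier", with_carrier)):
        print(name, round(band_energy_fraction(frame), 4), is_suspicious(frame))
```

In practice the threshold would be tuned against a baseline recorded in the room being monitored, since some hardware emits benign high-frequency noise.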

In Other Cybercrime News…

Are the new high-tech cars automakers are rolling out vulnerable to hackers? That’s what U.S. Senator Edward Markey wants to know. Markey sent a letter [pdf] to the heads of 20 of the world’s leading automakers this week, asking what they’re doing to protect vehicles from wireless hacking threats and privacy intrusions. The growing integration of wireless technologies in automobiles has prompted some well-publicized fears about hackers taking control of cars to disable brakes and to take over navigation, steering, acceleration, tire pressure, and other systems in a vehicle. Among the questions Markey asked in the letter is whether a company’s vehicles include technology to detect an unauthorized intrusion or introduction of malware to a vehicle’s controller area network (CAN) bus. Markey wants their answers by 3 January.

At this point, it’s expected that hackers will do their level best to steal data from large, well-known companies such as Facebook, Google, and Twitter. But Trustwave’s SpiderLabs just reported that a large botnet using controller software nicknamed “Pony” has stolen login credentials from ADP, a company that makes payroll and human resources software. This information falling into the wrong hands could have a tremendous impact, considering the fact that ADP handled $1.4 trillion—including paychecks for one in six U.S. workers—during the most recent fiscal year.

A new website called haveibeenpwned.com allows Internet users to check if their usernames and passwords were exposed in some of the largest data breaches in recent years.

In response to growing awareness of the breadth of the NSA’s surveillance activities—which include compromising large technology vendors’ data services—Microsoft says it is stepping up its use of encryption for its cloud services such as Azure, Outlook.com, and Office 365. Microsoft says it plans to implement “Perfect Forward Secrecy” on its cloud service and use 2048-bit keys. The upgrades, which will be in place within a year, will cover data being routed to, from, and among its customers, as well as bits shuttling among the company’s data centers.

Virtualization software company VMware pushed out patches for some builds of its Workstation, Fusion, ESXi, and ESX products this week, fixing a vulnerability that could have led to unauthorized privilege escalation in older Windows operating systems running in a virtual environment.

German researchers have discovered a serious vulnerability in Android 4.3 (“Jelly Bean”) that lets malware disable the operating system’s security mechanisms. If a user goes in to change the gesture for a device’s gesture lock, the malware will prevent Android from asking the user to confirm a PIN code or answer security questions.