Technology

Enlarge / Encrypting DNS traffic between your device and a "privacy-focused" provider can keep someone from spying on where your browser is pointed or using DNS attacks to send you somewhere else. (credit: Westend61 / Getty Images)

In this op-ed, a group of noted security researchers takes aim at Ray Ozzie's plan to grant law enforcement access to encrypted devices—and to do so securely. The views here do not necessarily represent those of Ars Technica.

In the debate over law enforcement access to encrypted devices, technical details matter. The rhetoric has been stark and, dismayingly often, divorced from technical reality. For example, two years ago we were told that only Apple could write software to open the phone of the San Bernardino terrorist; the technical reality turned out to be that an FBI contractor was able to do so. More recently, the rhetoric has been about the thousands of phones that are part of criminal investigations and that law enforcement cannot unlock. Todayreality is that Grayshift will sell law enforcement a $15,000 tool that opens 300 locked phones or online access for $30,000 to open as many phones as law enforcement has warrants for.

Into this conflict comes a Wired article suggesting that Ray Ozzie, the inventor of Lotus Notes and a former VP at Microsoft, has a solution to the exceptional access problem (the ability for law enforcement with a warrant to open a locked device). The article is yet another example of the wide gap between wishful rhetoric and technical reality.

Enlarge / Not the experience you wanted from the San Diego Zoo website. (credit: Troy Mursch)

A mass hacking campaign that targets a critical vulnerability in the Drupal content management system has converted more than 400 government, corporate, and university websites into cryptocurrency mining platforms that surreptitiously drain visitors' computers of electricity and computing resources, a security researcher said Monday.

Sites that were hacked included those belonging to computer maker Lenovo, the University of California at Los Angeles, the US National Labor Relations Board, the Arizona Board of Behavioral Health Examiners, and the city of Marion, Ohio, Troy Mursch, an independent security researcher, told Ars on Monday. The Social Security Institute of the State of Mexico and Municipalities, the Turkish Revenue Administration, and Peru's Project Improvement of Higher Education Quality were also affected. The US had the largest concentration of hacked sites, with at least 123, followed by France, Canada, Germany, and the Russian Federation, with 26, 19, 18 and 17, respectively.

The sites all ran the same piece of JavaScript hosted on vuuwd.com. The highly obfuscated code caused visitors' computers to dedicate 80 percent of their CPU resources to mining the digital coin known as Monero with no notice or permission. The attacker behind the campaign took control of the sites by exploiting a Drupal vulnerability that makes code-execution attacks so easy and reliable it was dubbed "Drupalgeddon2." Although Drupal maintainers patched the critical flaw in March, many vulnerable sites have been slow to install the fix. The lapse touched off an arms race among malicious hackers three weeks ago.

Enlarge / This phishing message used Google's link-shortening service, allowing researchers to learned details about potential targets. (credit: ProtectWise)

Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.

Researchers from various security organizations have used a variety of names to assign responsibility for the hacks, including LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti. In many cases, the researchers assumed the groups were distinct and unaffiliated. According to a 49-page report published Thursday, all of the attacks are the work of Chinese government's intelligence apparatus, which the report's authors dub the Winnti Umbrella. Researchers from 401TRG, the threat research and analysis team at security company ProtectWise, based the attribution on common network infrastructure, tactics, techniques, and procedures used in the attacks as well as operational security mistakes that revealed the possible location of individual members.

A decade of hacks

Attacks associated with Winnti Umbrella have been active since at least 2009 and possibly date back to 2007. In 2013, antivirus company Kaspersky Lab reported that hackers using computers with Chinese and Korean language configurations used a backdoor dubbed Winnti to infect more than 30 online video game companies over the previous four years. The attackers used their unauthorized access to obtain digital certificates that were later exploited to sign malware used in campaigns targeting other industries and political activists.